SIM - Card Forensics by Zentachain
SIM (Subscriber Identity Module) is a smart card that is used in mobile phones to store user data and network information that is required to activate the handset for use. The first SIM card was much larger than the ones we use now. As technology developed, the cell phone began to be short in size and so did the SIM card. But today we are using smartphones that use micro-SIM, which is smaller than mini-SIM. These SIM cards vary in size but all have the functionality for both the identification and authentication of the subscriber’s phone to its network and all contain storage for phone numbers, SMS, and other information, and allow for the creation of applications on the card itself.
SIM Card Structure and File Systems
A SIM card contains a processor and operating system with between 16 and 256 KB of persistent, electronically erasable, programmable read-only memory (EEPROM). It also contains RAM (random access memory) and ROM (read-only memory). RAM controls the program execution flow, and the ROM controls the operating system workflow, user authentication, data encryption algorithm, and other applications. The hierarchically organized file system of a SIM resides in persistent memory and stores data as phone number entries, names, text messages, and network service settings. Depending on the phone used, some information on the SIM may coexist in the memory of the phone.
SIM card contains some sensitive information about the subscriber. Data such as contact lists and messages can be stored in SIM. SIM cards themselves contain information, some of which are listed below and the important point is that all these data have forensic values.
Mobile network code (MNC) Mobile subscriber identification number (MSIN) Integrated circuit card identifier (ICCID) International mobile subscriber identity (IMSI) Last dialed numbers (LDN) Short message service (SMS) Service provider name (SPN) Mobile country code (MCC) Mobile station international subscriber directory number (MSISDN) Emergency call code Fixed dialing numbers (FDN) Own dialing number Cardholder verification (CHV1 and CHV2) Ciphering Key (Kc)
Tools for SIM Forensics
SIM card Forensics is an essential section of mobile device forensics. The information that a SIM card can provide can be crucial to an investigation. Obtaining a SIM card permits important pieces of information, which the suspect has dealt with over the phone to be investigated.
In general, some of this data can help an investigator determine:
• Phone numbers of calls made/received
• SMS details (time/date, recipient, etc.)
• SMS text (the message itself)
To perform a forensic investigation on a SIM card, it has to be removed from the cell phone and connected to a SIM card reader. The original data of the SIM card is preserved by the elimination of the write requests to the SIM during its analysis. Then the HASH value of the data can be calculated; hashing is used for checking the integrity of the data, that is, whether it has changed or not. There are lots of forensic tools available but not all tools are able to extract data from every type of cell phone and SIM card. We have listed some of these tools below.
Encase Smartphone Examiner: This tool is designed for collecting data from smartphones and tablets such as iPhone, iPad, etc. It can capture evidence from devices that use Apple iOS, HP Palm OS, Windows Mobile OS, Google Android OS. The evidence can be seamlessly integrated into EnCase Forensic.
SIMpull: SIMpull is a powerful tool, a SIM card acquisition application that allows you to acquire the entire contents of a SIM card. This capability also includes the retrieval of deleted SMS messages, a feature not available on many other commercial SIM card acquisition programs.
MOBILedit! Forensic: This tool can analyze phones via Bluetooth, IrDA, or cable connection; it analyzes SIMs through SIM readers and can read deleted messages from the SIM card.
pySIM: A SIM card management tool capable of creating, editing, deleting, and performing backup and restoring operations on the SIM phonebook and SMS records.
AccessData Mobile Phone Examiner (MPE) Plus: This tool supports many phones including iOS, Android, Blackberry, Windows Mobile, and Chinese devices, and can be purchased as hardware with a SIM card reader and data cables.