Difference between pages "SIM Card Forensics" and "SANS Investigative Forensic Toolkit Workstation"

From ForensicsWiki

This page compares the wikitext of two separate ForensicsWiki articles. Each article is reproduced in full below.

= SANS Investigative Forensic Toolkit Workstation =

Revision as of 18:29, 3 October 2011

'''The SANS SIFT Workstation''' is a [[VMware]] Appliance that is preconfigured with all the necessary tools to perform a forensic examination. It is compatible with [[Encase | Expert Witness Format]] (E01), Advanced Forensic Format ([[AFF]]), and raw (dd) evidence formats.

== Overview ==

SIFT Workstation is based on Fedora.

Software Includes:

# [[The Sleuth Kit]]
# [[ssdeep]] & [[md5deep]]
# [[Foremost]]/[[Scalpel]]
# [[Wireshark]]
# HexEditor
# [[Vinetto]] ([[thumbs.db]] examination)
# Pasco
# Rifiuti
# [[Volatility Framework]]
# DFLabs PTK (GUI Front-End for [[Sleuthkit]])
# [[Autopsy]] (GUI Front-End for [[Sleuthkit]])

The SIFT Workstation allows evidence to be viewed from a Windows workstation. The /images directory and the evidence mount point, the /mnt/hack directory, can be viewed from the local Windows operating system.

== Links ==

* [http://forensics.sans.org/community/downloads/ Computer Forensics and e-Discovery downloads]

[[Category:VMWare Appliances]]

= SIM Card Forensics =

== Procedures ==

Acquire the [[SIM Card]] and analyze the following:

* ICCID - Integrated Circuit Card Identification
* MSISDN - Subscriber phone number
* IMSI - International Mobile Subscriber Identity
* LND - Last Dialed Numbers
* [[LOCI]] - Location Information
* LAI - Location Area Identifier
* ADN - Abbreviated Dialing Numbers (Contacts)
* FDN - Fixed Dialing Numbers (Provider entered Numbers)
* SMS - Short Messages
* SMSP - Text Message parameters
* SMSS - Text message status
* Phase - Phase ID
* SST - SIM Service Table
* LP - Preferred languages variable
* SPN - Service Provider Name
* EXT1 - Dialing Extension
* EXT2 - Dialing Extension
* GID1 - Groups
* GID2 - Groups
* CBMI - Preferred network messages
* PUCT - Calls per unit
* ACM - Accumulated Call Meter
* ACMmax - Call Limit
* HPLMNSP - HPLMN search period
* PLMNsel - PLMN selector
* FPLMN - Forbidden PLMNs
* CCP - Capability configuration parameter
* ACC - Access control class
* BCCH - Broadcast control channels
* Kc - Ciphering Key

== Hardware ==

=== Serial ===

* [[MicroDrive 120]] with SmartCard Adapter

=== USB ===

* [[ACR 38T]]

== Software ==

Wiki Links

* [[ForensicSIM]]
* [[Paraben SIM Card Seizure]]
* [[SIMIS]]

External Links

* [http://www.simcon.no/ SIMcon]
* [http://www.quantaq.com/usimdetective.htm USIM Detective]
* [http://www.data-recovery-mobile-phone.com/ Pro Data Doctor]
* [http://www.becker-partner.de/index.php?id=17 Forensic Card Reader (FCR) - German]
* [http://www.txsystems.com/sim-manager.html SIM Manager]
* [http://vidstrom.net/otools/simquery/ SIMQuery]
* [http://users.net.yu/~dejan/ SimScan]
* [http://www.nobbi.com/download.htm SIMSpy]
* [http://vidstrom.net/stools/undeletesms/ UnDeleteSMS]
* [http://www.bkforensics.com/FCR.html Forensic SIM Card Reader]

== Recovering SIM Card Data ==

* [[Damaged SIM Card Data Recovery]]

== Security ==

SIM cards can have their data protected by a PIN, or Personal Identification Number. If a user has enabled the PIN on their SIM card, the SIM will remain locked until the PIN is properly entered. Some phones provide the option of using a second PIN, or PIN2, to further protect data. If a user incorrectly enters their PIN multiple times, the phone may request a PUK, or Personal Unblocking Key. The number of times a PIN must be incorrectly entered before the phone requests the PUK varies from phone to phone. Once a phone requests a PUK, the SIM will remain locked until the PUK is correctly entered. The PUK must be obtained from the SIM's network provider. If a PUK is incorrectly entered 10 times the SIM will become permanently locked and the user must purchase a new SIM card in order to use the phone. In some cases the phone will request a PUK2 before it permanently locks the SIM card.

== References ==

* E-evidence Info - http://www.e-evidence.info/cellular.html
* Purdue Phone Phorensics Knowledge Base - http://mobileforensicsworld.com/p3/
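Added worked example for the Procedures list above (this code is not part of the ForensicsWiki page or of any tool listed there). It decodes three of the elementary files an examiner pulls from a SIM image: ICCID, IMSI and the LAI inside LOCI, following the byte layouts given in 3GPP TS 51.011 (EF_ICCID, EF_IMSI, EF_LOCI) and TS 24.008 (LAI coding). It also shows a cross-check an examiner can make from those fields alone: whether the PLMN in the last recorded LAI is the IMSI's home PLMN, i.e. whether the card was last registered at home or while roaming. All sample byte strings are constructed for illustration and use the test-range PLMN 001/01; they were not read from a real card. The function names and the UPDATE_STATUS table are this example's own, not a named library API.

```python
# Added example, not from ForensicsWiki: decode three GSM SIM elementary files
# (EFs) named in the Procedures list, using the layouts in 3GPP TS 51.011:
#   EF_ICCID (2FE2): 10 bytes of BCD, nibbles swapped, padded with 0xF
#   EF_IMSI  (6F07): length byte, then BCD; byte 2 holds digit 1 in its high
#                    nibble and a parity flag in its low nibble
#   EF_LOCI  (6F7E): TMSI (4) | LAI (5) | TMSI TIME (1) | update status (1)
# The LAI itself is coded as in 3GPP TS 24.008 section 10.5.1.3.
# All sample bytes below are constructed for illustration, not read from a card.

# Location update status, low three bits of the last EF_LOCI byte.
UPDATE_STATUS = {
    0: "updated",
    1: "not updated",
    2: "PLMN not allowed",
    3: "location area not allowed",
}


def swapped_bcd_digits(data: bytes) -> str:
    """Decode swapped-nibble BCD (low nibble first), stopping at the 0xF pad."""
    digits = []
    for byte in data:
        for nibble in (byte & 0x0F, byte >> 4):
            if nibble == 0xF:
                return "".join(digits)
            if nibble > 9:
                raise ValueError(f"invalid BCD nibble {nibble:#x}")
            digits.append(str(nibble))
    return "".join(digits)


def decode_iccid(ef_iccid: bytes) -> str:
    """EF_ICCID -> decimal digit string (19 digits plus an F pad is typical)."""
    if len(ef_iccid) != 10:
        raise ValueError("EF_ICCID must be exactly 10 bytes")
    return swapped_bcd_digits(ef_iccid)


def decode_imsi(ef_imsi: bytes) -> str:
    """EF_IMSI -> IMSI string of 6..15 digits."""
    length = ef_imsi[0]
    body = ef_imsi[1:1 + length]
    if length < 1 or len(body) != length:
        raise ValueError("EF_IMSI length byte does not match the data present")
    # Byte 2: bits 1-3 are 001, bit 4 is the parity flag, bits 5-8 are digit 1.
    imsi = str(body[0] >> 4) + swapped_bcd_digits(body[1:])
    if not 6 <= len(imsi) <= 15:
        raise ValueError(f"IMSI has implausible length {len(imsi)}")
    return imsi


def decode_lai(lai: bytes) -> dict:
    """Location Area Identifier -> MCC, MNC (2 or 3 digits) and LAC."""
    if len(lai) != 5:
        raise ValueError("LAI must be exactly 5 bytes")
    mcc = f"{lai[0] & 0xF}{lai[0] >> 4}{lai[1] & 0xF}"
    mnc = f"{lai[2] & 0xF}{lai[2] >> 4}"
    mnc_digit3 = lai[1] >> 4          # 0xF marks a two-digit MNC
    if mnc_digit3 != 0xF:
        mnc += str(mnc_digit3)
    lac = int.from_bytes(lai[3:5], "big")
    return {"mcc": mcc, "mnc": mnc, "lac": lac}


def decode_loci(ef_loci: bytes) -> dict:
    """EF_LOCI -> TMSI, last LAI, TMSI TIME and the location update status."""
    if len(ef_loci) != 11:
        raise ValueError("EF_LOCI must be exactly 11 bytes")
    result = {"tmsi": ef_loci[0:4].hex().upper()}
    result.update(decode_lai(ef_loci[4:9]))
    result["tmsi_time"] = ef_loci[9]
    result["update_status"] = UPDATE_STATUS.get(ef_loci[10] & 0x07, "reserved")
    return result


def registered_on_home_plmn(imsi: str, lai: dict) -> bool:
    """True when the LAI's PLMN (MCC+MNC) is the IMSI's home PLMN, i.e. the
    card was last registered at home rather than roaming."""
    return imsi.startswith(lai["mcc"] + lai["mnc"])


# Constructed sample EFs (hypothetical values; PLMN 001/01 is a test range).
SAMPLE_ICCID = bytes.fromhex("984411002143658709F1")    # ICCID 8944110012345678901
SAMPLE_IMSI = bytes.fromhex("080910101032547698")       # IMSI 001010123456789
SAMPLE_LOCI = bytes.fromhex("1234567800F11012340000")   # TMSI 12345678, LAI 001/01/0x1234

if __name__ == "__main__":
    imsi = decode_imsi(SAMPLE_IMSI)
    loci = decode_loci(SAMPLE_LOCI)
    print("ICCID:", decode_iccid(SAMPLE_ICCID))
    print("IMSI: ", imsi)
    print("LOCI: ", loci)
    print("last registered on home PLMN:", registered_on_home_plmn(imsi, loci))
```

The decoders reject files of the wrong length and non-BCD nibbles rather than silently returning partial digits, so a damaged or truncated image fails loudly. Note that the home-PLMN check relies on the LAI to tell a two-digit MNC from a three-digit one; the IMSI prefix alone cannot do that.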
