Difference between pages "SIM Card Forensics" and "The Sleuth Kit How-To"

From Forensics Wiki
(Difference between pages)
 
m (New page: To find which file maps to a given sector number on the first partition of a Windows volume: ifind -o63 -d <sector-number> <disk-image> This returns an inode number. ffind -o63 <disk...)
 
Line 1: Line 1:
== Procedures ==
+
To find which file maps to a given sector number on the first partition of a Windows volume:
  
Acquire [[SIM Card]] and analyze the following:
+
  ifind -o63 -d <sector-number> <disk-image>
 +
This returns an inode number.
  
* ICCID - Integrated Circuit Card Identification
+
  ffind -o63 <disk-image> <inode-number>
* MSISDN - Subscriber phone number  
+
* IMSI - International Mobile Subscriber Identity
+
* LND - Last Dialed numbers
+
* [[LOCI]] - Location Information
+
* LAI - Location Area Identifier
+
* ADN - Abbreviated Dialing Numbers (Contacts)
+
* FDN - Fixed Dialing Numbers (Provider entered Numbers)
+
* SMS - (Short Messages)
+
* SMSP - Text Message parameters
+
* SMSS - Text message status
+
* Phase - Phase ID
+
* SST - SIM Service table
+
* LP - Preferred languages variable
+
* SPN - Service Provider name
+
* EXT1 - Dialing Extension
+
* EXT2 - Dialing Extension
+
* GID1 - Groups
+
* GID2 - Groups
+
* CBMI - Preferred network messages
+
* PUCT - Calls per unit
+
* ACM - Accumulated Call Meter
+
* ACMmax - Call Limit
+
* HPLMNSP - HPLMN search period
+
* PLMNsel - PLMN selector
+
* FPLMN - Forbidden PLMNs
+
* CCP - Capability configuration parameter
+
* ACC - Access control class
+
* BCCH - Broadcast control channels
+
* Kc - Ciphering Key
+
  
 +
For example, if we want to find which file maps to sector 1249 of the file image.iso, use:
 +
  $ ifind -o63 -d 1249 image.iso
 +
  6
 +
  $ ffind -o63 image.iso 6
 +
  /TCLAIM.TXT
  
== Hardware ==
+
You can print out the contents of the file with the icat command:
  
=== Serial ===
+
<pre>
 
+
$ icat -o63 image.iso  6
* [[MicroDrive 120]] with SmartCard Adapter
+
�����������������������������������������������������������������������������ͻ
 
+
� ������������    �����������  ��              ��      ��������  ���    ��� �
=== USB ===
+
�      ��        ��      ��  ��            ����        ��      ����  ���� �
 
+
�      ��        ��          ��            ��  ��      ��      �� �� �� �� �
* [[ACR 38T]]
+
�      ��        ��          ��          ��    ��      ��      ��  ���  �� �
 
+
�      ��        ��          ��          ��      ��    ��      ��      �� �
== Software ==
+
�      ��        ��          ��          ��      ��    ��      ��      �� �
 
+
�      ��        ��          ��          ����������    ��      ��      �� �
* [[ForensicSIM]]
+
�      ��        ��      ��  ��          ��      ��    ��      ��      �� �
* [[Quantaq USIMdetective]]
+
�      ��        �����������  ����������� ��      ��  ��������  ��      �� �
* [[Paraben SIM Card Seizure]]
+
�                                                                            �
* [[SIMIS]]
+
�����������������������������������������������������������������������������ͼ
 
+
</pre>
== Security ==
+
 
+
SIM cards can have their data protected by a PIN, or Personal Identification Number.  If a user has enabled the PIN on their SIM card, the SIM will remain locked until the PIN is properly entered.  Some phones provide the option of using a second PIN, or PIN2, to further protect data.  If a user incorrectly enters their PIN number multiple times, the phone may request a PUK, or Personal Unblocking Key.  The number of times a PIN must be incorrectly entered before the phone requests the PUK will vary from phone to phone.  Once a phone requests a PUK, the SIM will remain locked until the PUK is correctly entered.  The PUK must be obtained from the SIM's network provider.  If a PUK is incorrectly entered 10 times the SIM will become permanently locked and the user must purchase a new SIM card in order to use the phone.  In some cases the phone will request a PUK2 before it permanently locks the SIM card.
+
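Review bot: The added `ifind -o63 ...` and `ffind -o63 ...` lines use the offset 63 without saying where it comes from. Add a sentence that it is the starting sector of the first partition and should be read from the image's partition table (for example with `mmls`) rather than assumed, since the commands return wrong or no results on an image whose partition starts elsewhere. The `<pre>` block after the icat command also pastes the file's raw box-drawing bytes, which render as replacement characters; the command plus a one-line description of the output would keep the page readable.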

Revision as of 15:40, 10 December 2008

To find which file maps to a given sector number on the first partition of a Windows volume:

 ifind -o63 -d <sector-number> <disk-image>

This returns an inode number.

 ffind -o63 <disk-image> <inode-number>

For example, if we want to find which file maps to sector 1249 of the file image.iso, use:

 $ ifind -o63 -d 1249 image.iso
 6
 $ ffind -o63 image.iso 6
 /TCLAIM.TXT

You can print out the contents of the file with the icat command:

 $ icat -o63 image.iso 6
 [output: the file's contents, drawn with box-drawing characters that did not survive extraction]
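
The commands above hard-code the partition offset 63. As an added example (not part of the original page or of The Sleuth Kit), the sketch below generalizes the lookup: it reads the offset from mmls output and converts a disk-absolute sector into the partition-relative data unit that ifind -d expects. The function names, the embedded mmls listing and disk sector 1312 are constructed; a data unit of one sector (as on FAT) is an assumption, so pass the sectors per cluster from fsstat as the last argument on cluster-addressed file systems.

```shell
#!/bin/sh
# Constructed sample of `mmls image.iso` output; not taken from the page.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000062   0000000063   Unallocated
002:  000:000   0000000063   0000208844   0000208782   DOS FAT16 (0x06)'

# locate_unit MMLS_TEXT DISK_SECTOR [SECTORS_PER_UNIT]   (hypothetical helper)
# Prints "<partition-start> <data-unit>" for the allocated partition that
# contains the disk-absolute sector; returns 1 if no partition contains it.
locate_unit() {
    printf '%s\n' "$1" | awk -v s="$2" -v spu="${3:-1}" '
        # Allocated partitions have a numeric slot such as 000:000;
        # "Meta" and "-------" rows are tables and unallocated gaps.
        $1 ~ /^[0-9]+:$/ && $2 ~ /^[0-9]+:[0-9]+$/ {
            start = $3 + 0; end = $4 + 0
            if (s + 0 >= start && s + 0 <= end) {
                print start, int((s - start) / spu)
                found = 1
                exit
            }
        }
        END { exit !found }'
}

# tsk_commands IMAGE MMLS_TEXT DISK_SECTOR [SECTORS_PER_UNIT]   (hypothetical)
# Prints the ifind/ffind commands to run, with the offset and unit filled in.
tsk_commands() {
    loc=$(locate_unit "$2" "$3" "${4:-1}") || return 1
    off=${loc% *}
    unit=${loc#* }
    printf 'ifind -o%s -d %s %s\n' "$off" "$unit" "$1"
    printf 'ffind -o%s %s <inode-number>\n' "$off" "$1"
}

# Disk sector 1312 lies 1249 sectors into the partition that starts at 63.
tsk_commands image.iso "$SAMPLE_MMLS" 1312
```

On a real image, replace `$SAMPLE_MMLS` with `"$(mmls image.iso)"`; a sector that falls in an unallocated or metadata row makes the function return 1 instead of producing a misleading command.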