Difference between pages "Network forensics" and "SIM Card Forensics"

From ForensicsWiki

This diff view compares two unrelated pages. Both are reproduced in full below: "Network forensics" (last edit summary: Flow-Based Systems) followed by "SIM Card Forensics" (last edit summary: Software; revision as of 08:55, 24 September 2008).

= Network forensics =

'''Network forensics''' is the process of capturing information that moves over a [[network]] and trying to make sense of it in some kind of forensics capacity. A [[network forensics appliance]] is a device that automates this process.

There are both open source and proprietary network forensics systems available.

== Open Source Network Forensics ==

* [[Snort]]
* [[OSSEC]]

== Commercial Network Forensics ==

=== Deep-Analysis Systems ===

* Code Green Networks [http://www.codegreennetworks.com Content Inspection Appliance] - Passive monitoring and mandatory proxy mode. Simple to use Web GUI. Linux platform. Uses Stellent Outside In to access document content and metadata.
* ManTech International Corporation [http://www.netwitness.com/ NetWitness]
* NIKSUN's [[NetDetector]]
* PacketMotion [http://www.packetmotion.com/]
* Sandstorm's [http://www.sandstorm.net/products/netintercept/ NetIntercept] - Passive monitoring appliance. Qt/X11 GUI. FreeBSD platform. Uses forensic parsers written by Sandstorm to access document content and metadata.

=== Flow-Based Systems ===

* Arbor Networks
* GraniteEdge Networks http://www.graniteedgenetworks.com/
* Lancope http://www.lancope.com/
* Mazu Networks http://www.mazunetworks.com/

=== Hybrid Systems ===

These systems combine flow analysis, deep analysis, and security event monitoring and reporting.

* Q1 Labs http://www.q1labs.com/

== Tips and Tricks ==

* The time between two events triggered by an intruder (as seen in logfiles, for example) can be a useful indicator. If it is very short, the actions were almost certainly performed by an automated script rather than by a human user.

= SIM Card Forensics =

== Procedures ==

Acquire the [[SIM Card]] and analyze the following:

* ICCID - Integrated Circuit Card Identification
* MSISDN - Subscriber phone number
* IMSI - International Mobile Subscriber Identity
* LND - Last Dialed numbers
* [[LOCI]] - Location Information
* LAI - Location Area Identifier
* ADN - Abbreviated Dialing Numbers (Contacts)
* FDN - Fixed Dialing Numbers (Provider entered Numbers)
* SMS - Short Messages
* SMSP - Text Message parameters
* SMSS - Text message status
* Phase - Phase ID
* SST - SIM Service table
* LP - Preferred languages variable
* SPN - Service Provider name
* EXT1 - Dialing Extension
* EXT2 - Dialing Extension
* GID1 - Groups
* GID2 - Groups
* CBMI - Preferred network messages
* PUCT - Calls per unit
* ACM - Accumulated Call Meter
* ACMmax - Call Limit
* HPLMNSP - HPLMN search period
* PLMNsel - PLMN selector
* FPLMN - Forbidden PLMNs
* CCP - Capability configuration parameter
* ACC - Access control class
* BCCH - Broadcast control channels
* Kc - Ciphering Key

== Hardware ==

=== Serial ===

* [[MicroDrive 120]] with SmartCard Adapter

=== USB ===

* [[ACR 38T]]

== Software ==

Wiki Links

* [[ForensicSIM]]
* [[Paraben SIM Card Seizure]]
* [[SIMIS]]

External Links

* [http://www.simcon.no/ SIMcon]
* [http://www.quantaq.com/usimdetective.htm USIM Detective]
* [http://www.data-recovery-mobile-phone.com/ Pro Data Doctor]
* [http://www.becker-partner.de/index.php?id=17 Forensic Card Reader (FCR) - German]
* [http://www.txsystems.com/sim-manager.html SIM Manager]
* [http://vidstrom.net/otools/simquery/ SIMQuery]
* [http://users.net.yu/~dejan/ SimScan]
* [http://www.nobbi.com/download.htm SIMSpy]
* [http://vidstrom.net/stools/undeletesms/ UnDeleteSMS]

== Recovering SIM Card Data ==

* [[Damaged SIM Card Data Recovery]]

== Security ==

SIM cards can have their data protected by a PIN, or Personal Identification Number. If a user has enabled the PIN on their SIM card, the SIM will remain locked until the PIN is entered correctly. Some phones provide the option of using a second PIN, or PIN2, to further protect data. If a user enters the PIN incorrectly multiple times, the phone may request a PUK, or Personal Unblocking Key. The number of incorrect PIN entries before the phone requests the PUK varies from phone to phone. Once a phone requests a PUK, the SIM will remain locked until the PUK is entered correctly. The PUK must be obtained from the SIM's network provider. If a PUK is entered incorrectly 10 times, the SIM becomes permanently locked and the user must purchase a new SIM card in order to use the phone. In some cases the phone will request a PUK2 before it permanently locks the SIM card.
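The ICCID, IMSI and LOCI entries in the SIM procedure list above are stored on the card as nibble-swapped BCD records. The decoder below is an added example, not code from ForensicsWiki or from any tool listed on the page; it assumes the elementary-file layouts of 3GPP TS 51.011 (EF_ICCID, EF_IMSI, EF_LOCI) and TS 24.008 (LAI coding), and the sample records are constructed, not read from a real card.

```python
# Decoders for three of the SIM elementary files (EFs) listed above.
# Added example using constructed bytes; not ForensicsWiki code.
def swapped_bcd(data: bytes) -> str:
    """Nibble-swapped BCD (TS 51.011): low nibble first; 0xF is padding."""
    digits = []
    for b in data:
        for nibble in (b & 0x0F, b >> 4):
            if nibble == 0x0F:
                continue
            if nibble > 9:
                raise ValueError(f"non-BCD nibble {nibble:x}")
            digits.append(str(nibble))
    return "".join(digits)

def decode_iccid(ef_iccid: bytes) -> str:
    """EF_ICCID (2FE2): 10 bytes of swapped BCD, up to 20 digits."""
    if len(ef_iccid) != 10:
        raise ValueError("EF_ICCID must be exactly 10 bytes")
    return swapped_bcd(ef_iccid)

def decode_imsi(ef_imsi: bytes) -> str:
    """EF_IMSI (6F07): byte 0 = length of the rest; byte 1 holds the
    odd/even parity flag in bit 4 and the first digit in its high nibble."""
    body = ef_imsi[1:1 + ef_imsi[0]]
    if not body or len(body) != ef_imsi[0]:
        raise ValueError("EF_IMSI length byte disagrees with record size")
    imsi = str(body[0] >> 4) + swapped_bcd(body[1:])
    if bool(body[0] & 0x08) != (len(imsi) % 2 == 1):
        raise ValueError("IMSI parity flag disagrees with digit count")
    return imsi

def decode_loci(ef_loci: bytes) -> dict:
    """EF_LOCI (6F7E): TMSI(4) | LAI(5) | TMSI time(1) | update status(1).
    LAI = MCC/MNC in swapped BCD (TS 24.008 10.5.1.3) + big-endian LAC."""
    if len(ef_loci) != 11:
        raise ValueError("EF_LOCI must be exactly 11 bytes")
    lai = ef_loci[4:9]
    mcc = f"{lai[0] & 0xF}{lai[0] >> 4}{lai[1] & 0xF}"
    mnc = f"{lai[2] & 0xF}{lai[2] >> 4}"
    if (lai[1] >> 4) != 0xF:  # an 0xF third digit means a two-digit MNC
        mnc += str(lai[1] >> 4)
    return {"tmsi": ef_loci[:4].hex(), "mcc": mcc, "mnc": mnc,
            "lac": int.from_bytes(lai[3:5], "big"),
            "update_status": ef_loci[10] & 0x07}

# Constructed sample records (not read from a real card)
SAMPLE_ICCID = bytes.fromhex("9894" + "00" * 7 + "f1")
SAMPLE_IMSI = bytes.fromhex("082926240000111111")
SAMPLE_LOCI = bytes.fromhex("0a0b0c0d" + "62f2101234" + "ff" + "00")
```

The length and parity checks matter in practice: a record read from a damaged or partially overwritten card fails loudly instead of yielding a plausible-looking but wrong identifier.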
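The Tips and Tricks entry on the Network forensics page above (very short gaps between an intruder's logged events point to a script rather than a person) can be turned into a check over a log file. This is an added example, not ForensicsWiki code: the `date time source message` line format, the constructed log lines, and the one-second gap and three-event run thresholds are all assumptions to be tuned for the service under review.

```python
# Flag log sources whose events arrive faster than a human could act.
# Added example; constructed log lines, assumed format and thresholds.
import re
from datetime import datetime

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (.*)$")  # "date time source message"

# Constructed sample log: one scripted burst, one human-paced session
SAMPLE_LOG = """\
2008-09-24 08:55:01 10.0.0.5 login failed for admin
2008-09-24 08:55:01 10.0.0.5 login failed for admin
2008-09-24 08:55:02 10.0.0.5 login failed for admin
2008-09-24 08:55:02 10.0.0.5 login failed for admin
2008-09-24 08:57:40 10.0.0.9 login failed for bob
2008-09-24 08:58:15 10.0.0.9 login ok for bob
"""

def parse(log_text: str) -> list:
    """Return (timestamp, source, message) tuples; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    return events

def burst_sources(events: list, max_gap_s: float = 1.0, min_run: int = 3) -> dict:
    """Map each source to the length of its longest run of consecutive
    events spaced max_gap_s or less apart, keeping only runs >= min_run.
    With one-second log resolution a gap of 0 or 1 s is the floor of what
    can be measured, so the default threshold is that floor."""
    by_src = {}
    for ts, src, _ in sorted(events):
        by_src.setdefault(src, []).append(ts)
    flagged = {}
    for src, times in by_src.items():
        run = best = 1
        for earlier, later in zip(times, times[1:]):
            run = run + 1 if (later - earlier).total_seconds() <= max_gap_s else 1
            best = max(best, run)
        if best >= min_run:
            flagged[src] = best
    return flagged
```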
