Difference between pages "Sim Filesystem" and "Gzip"

From ForensicsWiki

= Sim Filesystem =

''Under Construction''

The [[SIM Card]] is the basic memory device inside many of the mobile phones in use today. This small piece of hardware has been key to solving many cases in the world of [[SIM Card Forensics]]. Without a proper understanding of the SIM card's filesystem, however, the examiner will miss much of the valuable information the [[SIM Card]] holds.

== Getting Started ==

[[File:What_you_need.jpg|250px|thumb|Items you'll need]]

This is a list of items to get you started on reading SIM Cards and their information:

# [[Windows]] operating system
# [[SIMCon]]
#* Program used to read SIM Cards
# [[SIM Cards]]
# SIM Card Reader

== Quick Guide for SIMCon ==

# Make sure the SIM Card Reader, with the SIM Card inserted, is connected
# Open [[SIMCon]]
# Click File > Read SIM, or click [[File:Simcon.png]] in the upper left corner of [[SIMCon]]
# Click OK when the next dialog box pops up
#* '''Note''': some SIM cards are locked. This is where the PIN needs to be entered, if it is known.
#* If the PIN is unknown, the SIM cannot be read.
# Click OK again when the next dialog box pops up

== Definitions ==

=== MF ===
* The Master File (MF)
* There is only '''one''' MF
* Root of the SIM Card file system
* Equivalent to the root directory "/" in a Linux filesystem

=== DF ===
* Dedicated Files (DF)
* Equivalent to a folder in a Windows/Linux filesystem
* Usually three DFs directly below the MF
** DF_GSM / DF_DCS1800 / DF_TELECOM

==== DF_DCS1800 / DF_GSM ====
* Contain network related information
* Specifying data in DF_GSM writes only to DF_GSM on the SIM
* The SIM is expected to mirror GSM and DCS1800

==== DF_TELECOM ====
* Contains the service related information

=== EF ===
* Elementary Files (EF)
* Each holds one or more records
* Represent the leaf nodes of the filesystem
* EFs sit below the DFs in the filesystem hierarchy

=== PLMN ===
* Public Land Mobile Network
** A PLMN is a network that is established and operated by an administration or by a recognized operating agency (ROA) for the specific purpose of providing land mobile telecommunications services to the public. [http://en.wikipedia.org/wiki/Public_land_mobile_network]

== Information ==

=== EF_ICCID ===

This displays the ICCID (Integrated Circuit Card Identifier) of the SIM Card; the same number can also be found printed on the SIM card itself.

[[File:Ef_iccid.png|350px|thumb|EF_ICCID]]

=== DF_GSM ===

==== EF_IMSI ====

[[File:Ef_imsi.png|350px|thumb|EF_IMSI]]

* International Mobile Subscriber Identity (IMSI)[http://en.wikipedia.org/wiki/IMSI]
* Example: 310 - 260 - 653235860
* MCC - MNC - MSIN
** MCC[http://en.wikipedia.org/wiki/List_of_mobile_country_codes] (3 digits)
*** Mobile Country Code
** MNC[http://en.wikipedia.org/wiki/Mobile_Network_Code] (2 digits in Europe / 3 digits in North America)
*** Mobile Network Code
** MSIN[http://en.wikipedia.org/wiki/MSIN] (remaining digits)
*** Mobile Subscription Identification Number
*** Identifies the subscriber within the network's customer base

==== EF_PLMNSEL ====
[[File:Plmnsel.png|350px|thumb|EF_PLMNSEL]]

= Gzip =

Revision as of 02:29, 1 December 2013

{{expand}}

== File format ==

The gzip file (.gz) format consists of:

* a file header
* optional headers
** extra fields
** original file name
** comment
** header checksum
* compressed data (the commonly used compression method is DEFLATE, stored as a raw DEFLATE stream without the zlib header)
* a file footer

A .gz file may also consist of several such members concatenated back to back; decompressing it yields the concatenation of their uncompressed data.

{| class="wikitable"
! align="left"| Characteristics
! Description
|-
| Byte order || little-endian (multi-byte integers are stored least significant byte first)
|-
| Date and time values || POSIX timestamp (seconds since 1970-01-01 00:00:00 UTC); 0 means no timestamp is available
|-
| Character strings || ISO 8859-1 (LATIN-1), zero-terminated
|}

=== File header ===

The file header is 10 bytes in size and contains:

{| class="wikitable"
! align="left"| Offset
! Size
! Value
! Description
|-
| 0 || 2 || 0x1f 0x8b || Signature (or identification byte 1 and 2)
|-
| 2 || 1 || || Compression method
|-
| 3 || 1 || || Flags
|-
| 4 || 4 || || Last modification time <br> Contains a POSIX timestamp; 0 if no timestamp is available.
|-
| 8 || 1 || || Compression flags (or extra flags)
|-
| 9 || 1 || || Operating system <br> Value that indicates on which operating system (file system) the gzip file was created.
|}

==== Compression method ====

{| class="wikitable"
! align="left"| Value
! Identifier
! Description
|-
| 0 - 7 || || Reserved
|-
| 8 || deflate || deflate compressed data
|}

==== Flags ====

{| class="wikitable"
! align="left"| Value
! Identifier
! Description
|-
| 0x01 || FTEXT || If set, the uncompressed data is probably text rather than binary data. <br> This flag is a hint for end-of-line conversion of cross-platform text files; it does not enforce it.
|-
| 0x02 || FHCRC || The file contains a header checksum (CRC-16)
|-
| 0x04 || FEXTRA || The file contains extra fields
|-
| 0x08 || FNAME || The file contains an original file name string
|-
| 0x10 || FCOMMENT || The file contains a comment
|-
| 0x20 || || Reserved
|-
| 0x40 || || Reserved
|-
| 0x80 || || Reserved
|}

<b>Notes:</b>
* Reserved flag bits must be zero; a decompressor should reject a file that has any of them set.
* The FHCRC bit was never set by versions of gzip up to 1.2.4, even though it was documented with a different meaning in gzip 1.2.4.

==== Compression flags ====

This value contains flags specific to the compression method.

===== Compression flags - deflate =====

If the compression method value is 8 (deflate) the following compression flags can be used:

{| class="wikitable"
! align="left"| Value
! Identifier
! Description
|-
| 0x02 || || compressor used maximum compression, slowest algorithm
|-
| 0x04 || || compressor used fastest algorithm
|}

==== Operating System ====

{| class="wikitable"
! align="left"| Value
! Identifier
! Description
|-
| 0 || || FAT filesystem (MS-DOS, OS/2, NT/Win32)
|-
| 1 || || Amiga
|-
| 2 || || VMS (or OpenVMS)
|-
| 3 || || Unix
|-
| 4 || || VM/CMS
|-
| 5 || || Atari TOS
|-
| 6 || || HPFS filesystem (OS/2, NT)
|-
| 7 || || Macintosh
|-
| 8 || || Z-System
|-
| 9 || || CP/M
|-
| 10 || || TOPS-20
|-
| 11 || || NTFS filesystem (NT)
|-
| 12 || || QDOS
|-
| 13 || || Acorn RISCOS
|-
| 255 || || unknown
|}

=== Optional headers ===

The optional headers, when present, follow the 10-byte file header in the order listed below: extra fields, original file name, comment, header checksum.

==== Extra fields ====

This value is present in the file if the FEXTRA flag is set in the file header flags.

The extra field is variable in size and contains:

{| class="wikitable"
! align="left"| Offset
! Size
! Value
! Description
|-
| 0 || 2 || || Extra field data size <br> Value in bytes.
|-
| 2 || ... || || Extra field data
|}

The extra field data is itself a sequence of subfields, each starting with a two-byte subfield ID and a two-byte little-endian length of the subfield data that follows.

==== Original file name ====

This value is present in the file if the FNAME flag is set in the file header flags.

This is the original name of the file being compressed, with any directory components removed, and, if the file being compressed is on a file system with case insensitive names, forced to lower case.

Contains an ISO 8859-1 (LATIN-1) string terminated by a zero byte. The name is written by whoever produced the file, so a decompressor must not use it to choose an output path without validating it.

==== Comment ====

This value is present in the file if the FCOMMENT flag is set in the file header flags.

Contains an ISO 8859-1 (LATIN-1) string terminated by a zero byte. Line breaks should be denoted by a single line feed character.

==== Header checksum ====

This value is present in the file if the FHCRC flag is set in the file header flags.

The header checksum is a CRC-16 that consists of the two least significant bytes of the CRC-32 of all bytes of the gzip header up to, but not including, the CRC-16 itself.

=== File footer ===

The file footer is 8 bytes in size and contains:

{| class="wikitable"
! align="left"| Offset
! Size
! Value
! Description
|-
| 0 || 4 || || Checksum (CRC-32) of the uncompressed data
|-
| 4 || 4 || || Uncompressed data size <br> Size of the original input in bytes, modulo 2^32.
|}

The size field is only a consistency check: the real size may exceed 2^32 and the field is under the control of whoever wrote the file, so a decompressor must not allocate its output buffer from it.

== See Also ==

* [[bzip2]]
* [[tar]]

== External Links ==

* [http://www.gzip.org/format.txt The gzip file format], by the [http://www.gzip.org/ gzip project]
* [http://www.gzip.org/algorithm.txt The gzip compression algorithm], by the [http://www.gzip.org/ gzip project]
* [http://tools.ietf.org/html/rfc1952 RFC1952: GZIP file format specification version 4.3], by [[IETF]]
* [http://en.wikipedia.org/wiki/Gzip Wikipedia: gzip]

[[Category:File Formats]]
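The following parser is an added example and is not code from the ForensicsWiki page or from the gzip project. It walks the structures described in the header, flags, optional header and footer sections of the Gzip page above: it checks the signature, compression method and reserved flag bits, reads the FEXTRA, FNAME, FCOMMENT and FHCRC fields in their mandated order, verifies the header CRC-16, inflates the raw DEFLATE stream (no zlib wrapper) and checks the footer CRC-32 and size field. It goes beyond the page's single-member description by also handling concatenated members. The function names, the 64 MiB output cap and the sample member built by `build_member()` are assumptions of the example, not part of the page.

```python
# Added example (not from the wiki page or the gzip project): an RFC 1952
# member parser using only the Python standard library.  The sample input is
# constructed inline by build_member(); nothing here reads a real file.
import struct
import zlib

FTEXT, FHCRC, FEXTRA, FNAME, FCOMMENT = 0x01, 0x02, 0x04, 0x08, 0x10
RESERVED_FLAGS = 0xE0  # flag bits 5-7 must be zero
OS_NAMES = {0: "FAT", 1: "Amiga", 2: "VMS", 3: "Unix", 4: "VM/CMS",
            5: "Atari TOS", 6: "HPFS", 7: "Macintosh", 8: "Z-System",
            9: "CP/M", 10: "TOPS-20", 11: "NTFS", 12: "QDOS",
            13: "Acorn RISCOS", 255: "unknown"}


class GzipFormatError(ValueError):
    """Raised for any structural or checksum problem in a member."""


def _cstring(buf, pos):
    """Return (raw_bytes, position after the zero terminator)."""
    end = buf.find(b"\x00", pos)
    if end < 0:
        raise GzipFormatError("unterminated string in header")
    return buf[pos:end], end + 1


def parse_member(buf, pos=0, max_out=64 * 1024 * 1024):
    """Parse one gzip member at buf[pos]; return (info, position after footer).

    max_out (an assumed cap for this example) bounds the inflated size.  The
    footer's ISIZE is only the low 32 bits of the true size and is written by
    whoever produced the file, so it is never used here to size a buffer.
    """
    if len(buf) - pos < 10:
        raise GzipFormatError("truncated header")
    id1, id2, cm, flg, mtime, xfl, os_ = struct.unpack_from("<BBBBIBB", buf, pos)
    if (id1, id2) != (0x1F, 0x8B):
        raise GzipFormatError("bad signature %02x %02x" % (id1, id2))
    if cm != 8:
        raise GzipFormatError("unsupported compression method %d" % cm)
    if flg & RESERVED_FLAGS:
        raise GzipFormatError("reserved flag bits set in 0x%02x" % flg)
    info = {"mtime": mtime, "xfl": xfl, "os": OS_NAMES.get(os_, "unknown"),
            "text": bool(flg & FTEXT), "extra": None, "name": None, "comment": None}
    p = pos + 10
    if flg & FEXTRA:  # XLEN (2 bytes, little-endian) followed by XLEN bytes
        if len(buf) - p < 2:
            raise GzipFormatError("truncated extra field")
        (xlen,) = struct.unpack_from("<H", buf, p)
        p += 2
        info["extra"] = buf[p:p + xlen]
        if len(info["extra"]) != xlen:
            raise GzipFormatError("truncated extra field")
        p += xlen
    if flg & FNAME:  # zero-terminated LATIN-1 string
        raw, p = _cstring(buf, p)
        info["name"] = raw.decode("latin-1")
    if flg & FCOMMENT:
        raw, p = _cstring(buf, p)
        info["comment"] = raw.decode("latin-1")
    if flg & FHCRC:  # low 16 bits of the CRC-32 over everything before it
        if len(buf) - p < 2:
            raise GzipFormatError("truncated header checksum")
        (hcrc,) = struct.unpack_from("<H", buf, p)
        if hcrc != zlib.crc32(buf[pos:p]) & 0xFFFF:
            raise GzipFormatError("header CRC-16 mismatch")
        p += 2
    # Negative wbits makes zlib expect a raw DEFLATE stream with no zlib header.
    inflater = zlib.decompressobj(wbits=-15)
    data = inflater.decompress(buf[p:], max_out)
    if not inflater.eof:
        raise GzipFormatError("DEFLATE stream truncated or larger than %d bytes" % max_out)
    tail = inflater.unused_data  # bytes after end-of-stream: footer, then any next member
    if len(tail) < 8:
        raise GzipFormatError("truncated footer")
    crc32, isize = struct.unpack_from("<II", tail)
    if crc32 != zlib.crc32(data):
        raise GzipFormatError("data CRC-32 mismatch")
    if isize != len(data) & 0xFFFFFFFF:
        raise GzipFormatError("ISIZE mismatch")
    info["data"] = data
    return info, len(buf) - len(tail) + 8


def parse_members(buf, max_out=64 * 1024 * 1024):
    """Parse every concatenated member in buf (RFC 1952 permits several)."""
    members, pos = [], 0
    while pos < len(buf):
        info, pos = parse_member(buf, pos, max_out)
        members.append(info)
    return members


def build_member(data, name=None, comment=None, extra=None, mtime=0, os_=3, hcrc=False):
    """Constructed test input: one gzip member with the requested optional headers."""
    flg = ((FEXTRA if extra is not None else 0) | (FNAME if name is not None else 0)
           | (FCOMMENT if comment is not None else 0) | (FHCRC if hcrc else 0))
    hdr = bytearray(struct.pack("<BBBBIBB", 0x1F, 0x8B, 8, flg, mtime, 2, os_))
    if extra is not None:
        hdr += struct.pack("<H", len(extra)) + extra
    if name is not None:
        hdr += name.encode("latin-1") + b"\x00"
    if comment is not None:
        hdr += comment.encode("latin-1") + b"\x00"
    if hcrc:
        hdr += struct.pack("<H", zlib.crc32(bytes(hdr)) & 0xFFFF)
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, matches XFL=2
    body = deflater.compress(data) + deflater.flush()
    footer = struct.pack("<II", zlib.crc32(data), len(data) & 0xFFFFFFFF)
    return bytes(hdr) + body + footer


if __name__ == "__main__":
    blob = build_member(b"hello gzip\n", name="hello.txt", comment="built inline",
                        extra=b"AB\x03\x00xyz", hcrc=True) + build_member(b"second member\n")
    for m in parse_members(blob):
        print(m["name"], m["os"], m["extra"], m["data"])
```

The extra field in the constructed sample is one subfield: ID "AB", length 3, data "xyz". The cap on inflated output is the practical defence against a small member whose footer size field claims nothing alarming; run `parse_member(build_member(b"\x00" * (1 << 20)), max_out=4096)` to see it refuse a member that inflates past the limit.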