Difference between pages "Carver 2.0 Planning Page" and "Sim Filesystem"

From ForensicsWiki

Two unrelated pages are compared here; each is reproduced in full below. Revision summaries: Carver 2.0 Planning Page "(clarifying a few of .FUF's questions, my own)"; Sim Filesystem "(Getting Started)".

Carver 2.0 Planning Page

This page is for planning Carver 2.0.

= License =

BSD (afflib is BSD-4, Sleuthkit has various sublicenses [[User:RB|RB]])

= OS =

Linux/FreeBSD/MacOS (shouldn't this just match what the underlying afflib & sleuthkit cover? [[User:RB|RB]])

= Requirements =

* AFF and EWF file images supported from scratch.
* File system aware layer.
** By default, files are not carved. (clarify: only identified? [[User:RB|RB]])
* Plug-in architecture for identification/validation.
** Can handle config files, like Revit07, to enter the different file formats used by the carver.
* Ship with validators for:
** JPEG
** PNG
** GIF
** MSOLE
** ZIP
** TAR (gz/bz2)
* Simple fragment recovery carving using gap carving.
* Recovery of individual ZIP sections and JPEG icons that are not sector aligned.
* Autonomous operation (some mode of operation should be completely non-interactive, requiring no human intervention to complete [[User:RB|RB]])
* Tested on 500GB-sized images. Should be able to carve a 500GB image in roughly 50% longer than it takes to read the image.
** Perhaps allocate a percentage budget per validator (i.e. each validator adds N% to the carving time)
* Parallelizable.
* Configuration:
** Capability to parse some existing carvers' configuration files, either on-the-fly or as a one-way converter.
** Disengage the internal configuration structure from the configuration files; create parsers that present the expected structure.
** Either extend the Scalpel/Foremost syntaxes for the extended features or use a third syntax.
* Can output an audit.txt file.
* Easy integration into ascription software.
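An added example (not Carver 2.0 code and not from this page) of the identify-then-validate split the requirements list asks for, using PNG as the validator. `identify_png` is the cheap identification step and finds the signature at any byte offset, so a file that is not sector aligned is still found; `validate_png` is the expensive validation step and walks the chunk list, checks every chunk CRC and stops at IEND, returning a length only when the whole file is consistent; `carve_pngs` reports offset, length and a reason for every candidate and writes nothing, which is the audit record a carver can produce even when it only identifies. The function names and the sample image are mine; the image is constructed inline and is not evidence data.

```python
"""Identify-then-validate carving of PNG files from a raw image.

Added example, not Carver 2.0 code: a validator is cheap to identify
(signature scan at any byte offset) and expensive to validate (chunk walk
with CRC checks), and the two steps are kept separate.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def identify_png(image: bytes):
    """Yield every offset where the PNG signature occurs, sector aligned or not."""
    pos = image.find(PNG_SIG)
    while pos != -1:
        yield pos
        pos = image.find(PNG_SIG, pos + 1)


def validate_png(image: bytes, offset: int):
    """Walk the chunk list starting at offset.

    Returns (length, "ok") when IHDR comes first, every chunk CRC matches and
    an IEND chunk is reached; otherwise (None, reason). Length is the number of
    bytes a carver would extract from offset.
    """
    pos = offset + len(PNG_SIG)
    expect_ihdr = True
    while True:
        if pos + 8 > len(image):
            return None, "truncated chunk header"
        length, ctype = struct.unpack(">I4s", image[pos:pos + 8])
        if expect_ihdr and ctype != b"IHDR":
            return None, "first chunk is not IHDR"
        expect_ihdr = False
        if not ctype.isalpha() or length > 0x7FFFFFFF:
            return None, f"bad chunk type or length at {pos}"
        end = pos + 8 + length + 4          # header + data + CRC
        if end > len(image):
            return None, f"truncated {ctype.decode()} data at {pos}"
        (crc,) = struct.unpack(">I", image[end - 4:end])
        # The PNG CRC covers the chunk type and data, not the length field.
        if zlib.crc32(image[pos + 4:end - 4]) & 0xFFFFFFFF != crc:
            return None, f"CRC mismatch in {ctype.decode()} at {pos}"
        pos = end
        if ctype == b"IEND":
            return pos - offset, "ok"


def carve_pngs(image: bytes):
    """Identify every candidate and validate it; nothing is written to disk.

    Each result is (offset, length_or_None, reason), the audit record a carver
    would log whether or not it later extracts the file.
    """
    return [(off, *validate_png(image, off)) for off in identify_png(image)]


# --- constructed sample input (not a real evidence image) -------------------
def _chunk(ctype: bytes, data: bytes) -> bytes:
    return (struct.pack(">I", len(data)) + ctype + data
            + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF))

# A valid 1x1 8-bit greyscale PNG: IHDR, one IDAT (filter byte + pixel), IEND.
SAMPLE_PNG = (PNG_SIG
              + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
              + _chunk(b"IEND", b""))

# Same file with one byte of IHDR data flipped, so the IHDR CRC no longer matches.
_corrupt = bytearray(SAMPLE_PNG)
_corrupt[16] ^= 0xFF
CORRUPT_PNG = bytes(_corrupt)

# Good copy at an unaligned offset (0x7f), filler, the corrupt copy, filler,
# then a third copy cut off before its IEND chunk.
SAMPLE_IMAGE = (b"\x00" * 0x7F + SAMPLE_PNG + b"\xff" * 33 + CORRUPT_PNG
                + b"\x00" * 10 + SAMPLE_PNG[:-12] + b"\x00" * 4)

if __name__ == "__main__":
    for off, size, reason in carve_pngs(SAMPLE_IMAGE):
        print(f"offset={off:#x} size={size} {reason}")
```

Only the first candidate validates; the second fails on the IHDR CRC and the third on a missing chunk header. A validator plug-in of this shape answers RB's "only identified?" question either way: the caller decides whether to extract the bytes once the validator has said how many there are.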
  
= Ideas =

* Use as much of TSK as possible. Don't carry your own FS implementation the way photorec does.
* Extracting/carving data from [[Thumbs.db]]? I've used [[foremost]] for it with some success. [[Vinetto]] has some critical bugs :( [[User:.FUF|.FUF]] 19:18, 28 October 2008 (UTC)
* Carving data structures. For example, extract all TCP headers from an image by defining the TCP header structure and constraints on some of its fields (e.g. source port > 1024, dest port = 80). This will extract all data matching the pattern and write a file with the other fields. Another example is carving INFO2 structures and URL activity records from index.dat.
** This has the opportunity to be extended to the concept of "point at blob FOO and interpret it as BAR".

.FUF opined:

The main idea is to allow users to define structures, for example (in Pascal-like form):

<pre>
Field1: Byte = 123;
SomeTextLength: DWORD;
SomeText: string[SomeTextLength];
Field4: Char = 'r';
...
</pre>

This will produce something like this:

<pre>
Field1 = 123
SomeTextLength = 5
SomeText = 'abcd1'
Field4 = 'r'
</pre>

(In text or raw forms.)

Opinions?

[[User:.FUF|.FUF]] 20:51, 28 October 2008 (UTC)

Opinion: Simple pattern identification like that may not suffice; I think Simson's original intent was not only to identify but to allow for validation routines (plugins, as the original wording was). As such, the format syntax would need to implement a large chunk of some programming language in order to be sufficiently flexible. [[User:RB|RB]]

= Supported File Systems =

Build a large list of supported filesystems. File carving programs ignore the filesystem, but this doesn't mean that they support all of them. Do we support Reiser4 with tail packing? Or exFAT? Or NTFS with compression? Document this. [[User:.FUF|.FUF]] 19:18, 28 October 2008 (UTC)

* As noted above, TSK should be utilized as much as possible, particularly the filesystem-aware portion. If we want to identify filesystems outside of its supported set, it would be more worth our time to work on implementing them there than in the carver itself. [[User:RB|RB]]
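An added example (mine, not Carver 2.0 code and not .FUF's or RB's) that covers both the "carving data structures" idea above (TCP headers with source port > 1024 and dest port = 80) and .FUF's Pascal-like structure sketch (a fixed-value byte, a DWORD length, a string of that length, a fixed char). A structure is a list of `Field` entries, each with a struct format or a length taken from an earlier field, plus an optional fixed value or predicate; the scanner tries every byte offset and keeps each record whose fields all pass. The `Field` class, the field names, the little-endian reading of DWORD, and the sample blob are my assumptions; the blob is constructed inline and is not evidence data. RB's point stands: the predicates here are Python lambdas, which is the "chunk of a programming language" a declarative syntax would otherwise need.

```python
"""Structure carving: scan a blob for user-defined records.

Added example, not Carver 2.0 code. TCP_FIELDS is the "source port > 1024,
dest port = 80" example from the Ideas list; FUF_FIELDS is .FUF's sketch
(fixed values and a length-prefixed string). Field and the names are mine.
"""
import struct
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Field:
    name: str
    fmt: Optional[str] = None            # struct format for fixed-size fields
    length_from: Optional[str] = None    # earlier field holding this field's byte length
    equals: object = None                # fixed expected value ("Field1: Byte = 123")
    check: Optional[Callable] = None     # arbitrary predicate ("source port > 1024")


def parse_at(blob: bytes, offset: int, fields) -> Optional[dict]:
    """Decode one record at offset; None as soon as a field fails its constraint."""
    pos, out = offset, {}
    for f in fields:
        if f.fmt:
            size = struct.calcsize(f.fmt)
            if pos + size > len(blob):
                return None
            (value,) = struct.unpack(f.fmt, blob[pos:pos + size])
        else:
            size = out[f.length_from]          # variable-length field
            if pos + size > len(blob):
                return None
            value = blob[pos:pos + size]
        if f.equals is not None and value != f.equals:
            return None
        if f.check is not None and not f.check(value):
            return None
        out[f.name] = value
        pos += size
    out["_offset"], out["_size"] = offset, pos - offset
    return out


def carve_structs(blob: bytes, fields):
    """Try every byte offset (no alignment assumed) and return all records found."""
    return [rec for off in range(len(blob)) if (rec := parse_at(blob, off, fields))]


def render(rec: dict) -> str:
    """Text form of one record, in the 'Field1 = 123' style of the sketch above."""
    return "\n".join(f"{k} = {v!r}" for k, v in rec.items() if not k.startswith("_"))


# TCP header (RFC 793, 20 bytes). Extra constraints cut false positives:
# data offset 5..15 words and zero reserved bits, on top of the port rules.
TCP_FIELDS = [
    Field("src_port", ">H", check=lambda v: v > 1024),
    Field("dst_port", ">H", equals=80),
    Field("seq", ">I"),
    Field("ack", ">I"),
    Field("off_res_flags", ">H",
          check=lambda v: 5 <= (v >> 12) <= 15 and (v >> 9) & 0x7 == 0),
    Field("window", ">H"),
    Field("checksum", ">H"),
    Field("urgent", ">H"),
]

# .FUF's sketch: Field1: Byte = 123; SomeTextLength: DWORD;
# SomeText: string[SomeTextLength]; Field4: Char = 'r'  (little-endian DWORD assumed)
FUF_FIELDS = [
    Field("Field1", "<B", equals=123),
    Field("SomeTextLength", "<I"),
    Field("SomeText", length_from="SomeTextLength"),
    Field("Field4", "<c", equals=b"r"),
]

# --- constructed sample blob (not evidence): filler, a matching TCP header,
# filler, a TCP header to port 443 (must not match), filler, one .FUF record.
_tcp_hit = struct.pack(">HHIIHHHH", 44321, 80, 0x11223344, 0x55667788,
                       (5 << 12) | 0x018, 65535, 0x1234, 0)
_tcp_miss = struct.pack(">HHIIHHHH", 44321, 443, 0x11223344, 0x55667788,
                        (5 << 12) | 0x018, 65535, 0x1234, 0)
_fuf = struct.pack("<BI", 123, 5) + b"abcd1" + b"r"
SAMPLE_BLOB = (b"\x00" * 7 + _tcp_hit + b"\xa5" * 13 + _tcp_miss
               + b"\x00" * 3 + _fuf + b"\xff" * 5)

if __name__ == "__main__":
    for spec in (TCP_FIELDS, FUF_FIELDS):
        for rec in carve_structs(SAMPLE_BLOB, spec):
            print(f"match at offset {rec['_offset']} ({rec['_size']} bytes)")
            print(render(rec))
```

The TCP specification matches the header at offset 7 and rejects the port-443 header at offset 40; the .FUF specification matches the record at offset 63. Because every offset is tried, a constraint-free specification would match everywhere, so the usefulness of this approach rests on the fixed values and predicates, which is what a "point at blob FOO and interpret it as BAR" feature would let the user supply.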
Sim Filesystem

Revision as of 12:13, 12 April 2011

Under Construction

The SIM Card is the basic memory device inside many of the mobile phones in use today. This small piece of hardware has been key to solving many cases in the world of SIM Card Forensics. Without proper knowledge of the SIM card's filesystem, however, an examiner will miss much of the valuable information the SIM Card holds.


Getting Started

(Image: What_you_need.jpg, "Items you'll need")

This is a list of items to get you started on reading SIM Cards and their information:

  1. Windows operating system
  2. SIMCon (http://www.simcon.no/)
    • Program used to read SIM Cards
  3. SIM Cards
  4. SIM Card Reader

Quick Guide for SIMCon

  1. Make sure the SIM Card Reader, with the SIM Card inserted, is connected
  2. Open SIMCon
  3. Click File > Read SIM, or click the toolbar icon (Simcon.png) in the upper left corner of SIMCon
  4. Click OK when the next dialog box pops up
    • Note: some SIM cards are locked. This is where the PIN needs to be entered, if known.
    • If the PIN is unknown, the SIM cannot be read. Do not guess: a SIM blocks itself after three wrong PIN entries and then requires the PUK, and ten wrong PUK entries block the card permanently.
  5. Click OK again when the next dialog box pops up

Definitions

MF

  • The Master File (MF)
  • Only one MF per card
  • Root of the SIM Card file system
  • Equivalent to the root directory or "/" in the Linux filesystem

DF

  • Dedicated Files (DF)
  • Equivalent to a folder in a Windows/Linux filesystem
  • Usually three DFs
    • DF_GSM / DF_DCS1800 / DF_TELECOM

DF_DCS1800 / DF_GSM

  • Contains network related information
  • Specifying data in DF_GSM writes only to DF_GSM on the SIM
  • The SIM is expected to mirror GSM and DCS1800

DF_TELECOM

  • Contains the service related information

EF

  • Elementary Files (EF)
  • Hold one or more records
  • Represent the leaf nodes of the filesystem
  • EFs sit below the DFs in the filesystem hierarchy

PLMN

  • Public Land Mobile Network
    • A PLMN is a network that is established and operated by an administration or by a recognized operating agency (ROA) for the specific purpose of providing land mobile telecommunications services to the public. (http://en.wikipedia.org/wiki/Public_land_mobile_network)

LAI

  • Location Area Identity
    • Each location area of a public land mobile network (PLMN) has its own unique identifier, which is known as the Location Area Identity (LAI). (http://en.wikipedia.org/wiki/Location_Area_Identity)

Filesystem

EF_ICCID

This displays the ICCID (Integrated Circuit Card Identifier), the Card Identity of the SIM Card; the same number is printed on the SIM card itself.

(Image: Ef_iccid.png, "EF_ICCID")
DF_GSM

EF_IMSI

  • International Mobile Subscriber Identity (IMSI) (http://en.wikipedia.org/wiki/IMSI)
  • Example: 310 - 260 - 653235860
  • MCC - MNC - MSIN
    • MCC (3 digits) (http://en.wikipedia.org/wiki/List_of_mobile_country_codes)
      • Mobile Country Code
    • MNC (2 digits EU / 3 digits NA) (http://en.wikipedia.org/wiki/Mobile_Network_Code)
      • Mobile Network Code
    • MSIN (remaining digits) (http://en.wikipedia.org/wiki/MSIN)
      • Mobile Subscription Identification Number
      • Identifies the subscriber within the network's customer base

(Image: Ef_imsi.png, "EF_IMSI")
EF_PLMNSEL

  • List of all PLMNs (see PLMN above)

(Image: Plmnsel.png, "EF_PLMNSEL")
EF_LOCI

  • Location Information
    • Contains the Location Area Identity (see LAI above)
      • LAI network code (see PLMN / LAI above)

(Image: Ef_loci.png, "EF_LOCI")
DF_TELECOM

EF_ADN

  • Abbreviated Dialling Numbers: the phonebook entries stored on the SIM

(Image: EF_adn.png, "EF_ADN")
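An added example (mine, not from this page and not SIMCon code) that turns the raw contents of the EF_IMSI and EF_LOCI files described above into the fields the page names: the IMSI split into MCC / MNC / MSIN, and the LAI (PLMN plus location area code) out of EF_LOCI. The page only shows the decoded values; the byte layouts used here are the standard ones from 3GPP TS 51.011 (EF_IMSI, EF_LOCI) and TS 24.008 (3-byte PLMN coding), not something the page states. The MCC-range rule for choosing a 2- or 3-digit MNC, the function names and the sample bytes are my assumptions; the sample bytes are constructed from the page's example IMSI and are not from a real card.

```python
"""Decode EF_IMSI and EF_LOCI from a GSM SIM into the fields this page names.

Added example; not from the page and not SIMCon code. Byte layouts follow
3GPP TS 51.011 (EF_IMSI, EF_LOCI) and TS 24.008 (PLMN coding).
"""

# Assumption, not from the page: MCCs 310-316 (North America) use a 3-digit
# MNC, everything else a 2-digit one. A real tool should use a full MCC/MNC
# table, or read the MNC length the card itself stores in EF_AD.
NA_MCCS = {"310", "311", "312", "313", "314", "315", "316"}

# Location update status: low three bits of the last EF_LOCI byte.
LOCI_STATUS = {0: "updated", 1: "not updated",
               2: "PLMN not allowed", 3: "location area not allowed"}


def split_imsi(imsi: str) -> dict:
    """MCC (3 digits) - MNC (2 digits EU / 3 digits NA) - MSIN (the rest)."""
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        raise ValueError("IMSI must be 6 to 15 decimal digits")
    mcc = imsi[:3]
    n = 3 if mcc in NA_MCCS else 2
    return {"mcc": mcc, "mnc": imsi[3:3 + n], "msin": imsi[3 + n:]}


def decode_ef_imsi(raw: bytes) -> str:
    """EF_IMSI: byte 1 = number of bytes that follow (1..8); then BCD digits,
    low nibble first. The first low nibble is the parity/identity nibble: bit 4
    set means an odd digit count; with an even count the last nibble is 0xF filler."""
    length = raw[0]
    body = raw[1:1 + length]
    if not 1 <= length <= 8 or len(body) != length:
        raise ValueError("bad EF_IMSI length byte")
    nibbles = [n for b in body for n in (b & 0x0F, b >> 4)]
    odd = bool(nibbles[0] & 0x8)
    count = 2 * length - 1 if odd else 2 * length - 2
    digits = nibbles[1:1 + count]
    if any(d > 9 for d in digits):
        raise ValueError("non-BCD digit in IMSI")
    return "".join(str(d) for d in digits)


def decode_plmn(b3: bytes) -> tuple:
    """3-byte PLMN: MCC2|MCC1, MNC3|MCC3, MNC2|MNC1 (high|low nibble).
    MNC3 == 0xF marks a two-digit MNC, so here the card records the MNC length."""
    if len(b3) != 3:
        raise ValueError("PLMN is 3 bytes")
    mcc = (b3[0] & 0xF, b3[0] >> 4, b3[1] & 0xF)
    mnc = [b3[2] & 0xF, b3[2] >> 4]
    if b3[1] >> 4 != 0xF:
        mnc.append(b3[1] >> 4)
    if any(d > 9 for d in (*mcc, *mnc)):
        raise ValueError("non-BCD digit in PLMN")
    return "".join(map(str, mcc)), "".join(map(str, mnc))


def decode_ef_loci(raw: bytes) -> dict:
    """EF_LOCI (11 bytes): TMSI (4), LAI (5 = PLMN 3 + LAC 2, big-endian),
    TMSI TIME (1), location update status (1)."""
    if len(raw) != 11:
        raise ValueError("EF_LOCI is 11 bytes")
    mcc, mnc = decode_plmn(raw[4:7])
    status = raw[10] & 0x7
    return {"tmsi": raw[0:4].hex(), "mcc": mcc, "mnc": mnc,
            "lac": int.from_bytes(raw[7:9], "big"), "tmsi_time": raw[9],
            "status": LOCI_STATUS.get(status, f"reserved ({status})")}


# Constructed sample records (not read from a real card).
SAMPLE_EF_IMSI = bytes.fromhex("08 39 01 62 60 35 32 85 06")   # 310260653235860
SAMPLE_EF_LOCI = bytes.fromhex("deadbeef 130062 1f9a ff 00")   # LAI 310/260, LAC 0x1f9a

if __name__ == "__main__":
    imsi = decode_ef_imsi(SAMPLE_EF_IMSI)
    print(imsi, split_imsi(imsi))
    print(decode_ef_loci(SAMPLE_EF_LOCI))
```

The IMSI digits alone do not say where the MNC ends, which is why `split_imsi` needs the MCC-range heuristic (or, on a real card, the MNC length byte in EF_AD); the PLMN inside EF_LOCI, by contrast, marks a two-digit MNC with an 0xF nibble, so `decode_plmn` needs no such guess.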