Difference between pages "SIM Cards" and "Chip-Off BlackBerry Curve 9320"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m (Added what service providers use sim cards in the US)
 
(Created page with "== Tear Down == <ol start="1"> <li>Remove the back panel.</li> </ol> {| border="1" cellpadding="2" |- | 300px |- |} <ol start="2"> ...")
 
Line 1: Line 1:
[[Image:Simpic.jpg|thumb|A typical SIM card.]]
+
== Tear Down ==
  
== SIM-Subscriber Identity Module ==
+
<ol start="1">
 +
<li>Remove the back panel.</li>
 +
</ol>
  
The UICC (Universal Integrated Circuit Card) is a smart card which contains account information and memory that is used to enable GSM cellular telephones.  One of the applications running on the smart card is the SIM, or Subscriber Identity Module. In common parlance the term "UICC" is not used an the phrase "SIM" is used to describe the smart card itself.
+
{| border="1" cellpadding="2"
 +
|-
 +
| [[File:1-bb9320-BackPanelRemoved.jpg| 300px ]]
 +
|-
 +
|}
  
Because the SIM is just one of several applications running on the smart card, a given card could, in theory, contain multiple SIMs. This would allow multiple phone numbers or accounts to be accessed by a single UICC. This is seldom seen, though there is at least one "12-in-1" SIM card being advertised at present.
+
<ol start="2">
 +
<li>Remove the SIM and SD Memory Card.</li>
 +
</ol>
  
Early versions of the UICC used full-size smart cards (85mm x 54mm x 0.76mm).  The card has since been shrunk to the standard size of 25mm x 15mm x 0.76mm.
+
<ol start="3">
 +
<li>Using a torx-6 screw driver remove the 2 visible screws on the back of the phone.</li>
 +
</ol>
  
 +
{| border="1" cellpadding="2"
 +
|-
 +
| [[File:2-bb9320-ScrewRemoval.jpg| 300px ]]
 +
|-
 +
|}
  
Although UICC cards traditionally held just 16 to 64KB of memory, the recent trend has been to produce SIM cards with larger storage capacities, ranging from 512MB up to [http://www.m-systems.com/site/en-US/ M-Systems'] 1GB SIM Card slated for release in late 2006.
+
<ol start="4">
 +
<li>Remove the screen protector using a shim, guitar pick, or prying tool.</li>
 +
</ol>
  
== SIM Security ==
+
{| border="1" cellpadding="2"
 +
|-
 +
| [[File:3-bb9320-ScreenRemoval.jpg| 300px ]]
 +
|-
 +
|}
  
Information inside the UICC can be protected with a PIN and a PUK.
+
<ol start="5">
 +
<li>Remove 2 torx-5 screws.</li>
 +
</ol>
  
The PIN (Personal Identification Number) is a code that locks access to the SIM. Not all SIMs have PINs; if a SIM has a PIN, the PIN must be entered to unlock the SIM.
+
{| border="1" cellpadding="2"
PUK (Personal Unlocking Code) codes are provided by the network provider to unlock a code.  If the PUK is incorrectly put in 10 times the SIM card will be permanently locked.
+
|-
 +
| [[File:4-bb9320-ScrewRemoval.jpg| 300px ]]
 +
|-
 +
|}
  
== SIM Forensics ==
+
<ol start="6">
 +
<li>Use the shim to detach the outer bezel/keyboard from the device.</li>
 +
</ol>
  
The data that a SIM card can provide the forensics examiner can be invaluable to an investigation. Acquiring a SIM card allows a large amount of information that the suspect has dealt with over the phone to be investigated.
+
{| border="1" cellpadding="2"
 +
|-
 +
| [[File:5-bb9320-TopPlate.jpg| 300px ]] 5-1-bb9320-TopPlate.jpg| 300px ]]
 +
|-
 +
|}
  
In general, some of this data can help an investigator determine:
+
<ol start="7">
* Phone numbers of calls made/received
+
<li>Remove 4 additional torx-6 screws. The main board will now easily be separated from the back plate</li>
* Contacts
+
</ol>
* [[SMS]] details (time/date, recipient, etc.)
+
* SMS text (the message itself)
+
* Picture (if there is a camera)
+
  
There are many software solutions that can help the examiner to acquire the information from the SIM card. Several products include 3GForensics SIMIS [http://www.3gforensics.co.uk/products.htm], Inside Out's [http://simcon.no/ SIMCon], or SIM Content Controller, and Paraben Forensics' [http://www.paraben-forensics.com/catalog/product_info.php?products_id=289 SIM Card Seizure].
+
{| border="1" cellpadding="2"
 +
|-
 +
| [[File:6-bb9320-ScrewRemoval.jpg| 300px ]]
 +
|-
 +
|}
  
The SIM file system is hierarchical in nature consisting of 3 parts:
+
<ol start="8">
*Master File (MF) - root of the file system that contains
+
<li>Peel off the vendor sticker.</li>
DF’s and EF’s
+
</ol>
*Dedicated File (DF)
+
{| border="1" cellpadding="2"
*Elementary Files (EF)
+
|-
 +
| [[File:7-bb9320-VendorPlate.jpg| 300px ]]
 +
|-
 +
|}
  
 +
<ol start="9">
 +
<li>Remove the plastic cover protecting the track pad ribbon cable, and disconnect the track pad.</li>
 +
</ol>
  
=== Data Acquisition ===
+
<ol start="10">
 +
<li>Remove the final torx-4 screw located beneath the plastic protector, to remove the plastic keyboard overlay.</li>
 +
</ol>
  
These software titles can extract such technical data from the SIM card as:
+
{| border="1" cellpadding="2"
 +
|-
 +
| [[File:8-bb9320-ScrewRemoval.jpg| 300px ]]
 +
|-
 +
|}
  
* '''International Mobile Subscriber Identity (IMSI)''': A unique identifying number that identifies the phone/subscription to the [[GSM]] network
+
<ol start="11">
* '''Mobile Country Code (MCC)''': A three-digit code that represents the SIM card's country of origin
+
<li>Disconnect the ribbon cable connected to the LCD. Then using a pick separate the display from the main board.</li>
* '''Mobile Network Code (MNC)''': A two-digit code that represents the SIM card's home network
+
</ol>
* '''Mobile Subscriber Identification Number (MSIN)''': A unique ten-digit identifying number that identifies the specific subscriber to the GSM network
+
* '''Mobile Subscriber International ISDN Number (MSISDN)''': A number that identifies the phone number used by the headset
+
* '''Abbreviated Dialing Numbers (ADN)''': Telephone numbers stored in sims memory
+
* '''Last Dialed Numbers (LDN)'''
+
* '''Short Message Service (SMS)''': Text Messages
+
* '''Public Land Mobile Network (PLMN) selector'''
+
* '''Forbidden PLMNs'''
+
* '''Location Information (LOCI)'''
+
* '''General Packet Radio Service (GPRS) location'''
+
* '''Integrated Circuit Card Identifier (ICCID)'''
+
* '''Service Provider Name (SPN)'''
+
* '''Phase Identification'''
+
* '''SIM Service Table (SST)'''
+
* '''Language Preference (LP)'''
+
* '''Card Holder Verification (CHV1) and (CHV2)'''
+
* '''Broadcast Control Channels (BCCH)'''
+
* '''Ciphering Key (Kc)'''
+
* '''Ciphering Key Sequence Number'''
+
* '''Emergency Call Code'''
+
* '''Fixed Dialing Numbers (FDN)'''
+
* '''Forbidden PLMNs'''
+
* '''Local Area Identitity (LAI)'''
+
* '''Own Dialing Number'''
+
* '''Temporary Mobile Subscriber Identity (TMSI)'''
+
* '''Routing Area Identifier (RIA) netowrk code'''
+
* '''Service Dialing Numbers (SDNs)'''
+
* '''Service Provider Name'''
+
* '''Depersonalizatoin Keys'''
+
  
This information can be used to contact the service provider to obtain even more information than is stored on the SIM card.
+
{| border="1" cellpadding="2"
 +
|-
 +
| [[File:9-bb9320-ScreenRemoval.jpg| 300px ]]
 +
|-
 +
|}
  
== USIM-Universal Subscriber Identity Module ==
+
<ol start="12">
 +
<li>The tear down is now complete</li>
 +
</ol>
  
A Universal Subscriber Identity Module is an application for UMTS mobile telephony running on a UICC smart card which is inserted in a 3G mobile phone. There is a common misconception to call the UICC card itself a USIM, but the USIM is merely a logical entity on the physical card.
+
{| border="1" cellpadding="2"
 +
|-
 +
| [[File:9-1-bb9320-TearDownComplete.jpg| 300px ]]
 +
|-
 +
|}
  
It stores user subscriber information, authentication information and provides storage space for text messages and phone book contacts. The phone book on a UICC has been greatly enhanced.
+
eMMC Removal
  
For authentication purposes, the USIM stores a long-term preshared secret key K, which is shared with the Authentication Center (AuC) in the network. The USIM also verifies a sequence number that must be within a range using a window mechanism to avoid replay attacks, and is in charge of generating the session keys CK and IK to be used in the confidentiality and integrity algorithms of the KASUMI block cipher in Universal Mobile Telecommunications System (UMTS).
+
<ol start="1">
 +
<li>The eMMC is located beneath the heat shield directly above the Micro SD card slot.</li>
 +
</ol>
  
In Mobile Financial Services, USIM seems to be a mandetory Security Element for user authentication, authorization and stored credentials. With the integration of NFC Handset and USIM, users will be able to make proximity payments where the NFS handset enables contactless payment and USIM enables independent security element.
+
{| border="1" cellpadding="2"
This is the evolution of the SIM for 3G devices. It can allow for multiple phone numbers to be assigned to the USIM, thus giving more than one phone number to a device.
+
|-
 +
| [[File:10-bb9320-EMMC-Location.jpg| 300px ]]
 +
|-
 +
|}
  
== Service Provider Data ==
+
<ol start="2">
 +
<li>Place the main board in a stand or holder and position it approximately 2 1/2" - 3" inches away from a heat gun or device the blows super hot air.</li>
 +
</ol>
  
Some additional information the service provider might store:
+
{| border="1" cellpadding="2"
 +
|-
 +
| [[File:11-bb9320-HeatShield.jpg| 300px ]]
 +
|-
 +
|}
  
* A customer database
+
<ol start="3">
* [[Call Detail Record]]s (CDR)
+
<li>Monitoring the temperature the heat shield will come off easily between 190-200 Centigrade.</li>
* [[Home Location Register]] (HLR)
+
</ol>
  
 +
{| border="1" cellpadding="2"
 +
|-
 +
| [[File:12-bb9320-HeatShield.jpg| 300px ]] 13-bb9320-HeatShieldRemoved.jpg| 300px ]]
 +
|-
 +
|}
  
== Service Providers that use SIM Cards in the United States ==
+
<ol start="4">
* T-Mobile
+
<li>Continue working under the high heat. With the 9315/9320's I've worked on the eMMC has been ready to lift off of the main board using tweezers immediately after removing the heat shield.</li>
* Cingular/AT&T
+
</ol>
  
== Sim Card Text Encoding ==
+
{| border="1" cellpadding="2"
 +
|-
 +
| [[File:14-bb9320-EMMC-Removed.jpg| 300px ]]
 +
|-
 +
|}
  
Originally the middle-European [[GSM]] network used only a 7-bit code derived from the basic [[ASCII]] code. However as GSM spread worldwide it was concluded that more characters, such as the major characters of all living languages, should be able to be represented on GSM phones. Thus, there was a movement towards a 16-bit code known as [[UCS-2]] which is now the standard in GSM text encoding. This change in encoding can make it more difficult to accurately obtain data form [[SIM cards]] of the older generation which use the 7-bit encoding. This encoding is used to compress the hexadecimal size of certain elements of the SIMs data, particularly in [[SMS]] and [[Abbreviated Dialing Numbers]].
+
<ol start="5">
 +
<li>Using liquid flux, or flux paste and a soldering iron clean the pads on the eMMC in preparation for a read</li>
 +
</ol>
  
== References ==
+
{| border="1" cellpadding="2"
 +
|-
 +
| [[File:15-bb9320-EMMC-Cleanup.jpg| 300px ]]
 +
| [[File:16-bb9320-EMMC-Clean.jpg| 300px ]]
 +
|-
 +
|}
  
* [http://www.simcon.no/ SIMCon]
+
<ol start="6">
* [http://www.sectorforensics.co.uk/sim-examination.shtml Sector Forensics]
+
<li>The eMMC is now ready to read using the appropriate adapter/programmer and software.</li>
* [http://www.utica.edu/academic/institutes/ecii/ijde/articles.cfm?action=issue&id=5 IJDE Spring 2003 Volume 2, Issue 1 ]: [http://www.utica.edu/academic/institutes/ecii/publications/articles/A0658858-BFF6-C537-7CF86A78D6DE746D.pdf Forensics and the GSM Mobile Telephone System] (PDF)
+
</ol>
* http://en.wikipedia.org/wiki/Subscriber_Identity_Module
+
 
 +
At the time of this writing (2013OCT29) the eMMC that was removed in this example was read using an UP828 programmer via the "VBGA169E" adapter. The resulting image was then parsed via the CelleBrite Physical Analyzer (V. 3.8.5.108).

Revision as of 13:26, 30 October 2013

Tear Down

  1. Remove the back panel.
1-bb9320-BackPanelRemoved.jpg
  1. Remove the SIM and SD Memory Card.
  1. Using a torx-6 screw driver remove the 2 visible screws on the back of the phone.
2-bb9320-ScrewRemoval.jpg
  1. Remove the screen protector using a shim, guitar pick, or prying tool.
3-bb9320-ScreenRemoval.jpg
  1. Remove 2 torx-5 screws.
4-bb9320-ScrewRemoval.jpg
  1. Use the shim to detach the outer bezel/keyboard from the device.
5-bb9320-TopPlate.jpg 5-1-bb9320-TopPlate.jpg| 300px ]]
  1. Remove 4 additional torx-6 screws. The main board will now easily be separated from the back plate
6-bb9320-ScrewRemoval.jpg
  1. Peel off the vendor sticker.
7-bb9320-VendorPlate.jpg
  1. Remove the plastic cover protecting the track pad ribbon cable, and disconnect the track pad.
  1. Remove the final torx-4 screw located beneath the plastic protector, to remove the plastic keyboard overlay.
8-bb9320-ScrewRemoval.jpg
  1. Disconnect the ribbon cable connected to the LCD. Then using a pick separate the display from the main board.
9-bb9320-ScreenRemoval.jpg
  1. The tear down is now complete
9-1-bb9320-TearDownComplete.jpg

eMMC Removal

  1. The eMMC is located beneath the heat shield directly above the Micro SD card slot.
10-bb9320-EMMC-Location.jpg
  1. Place the main board in a stand or holder and position it approximately 2 1/2" - 3" inches away from a heat gun or device the blows super hot air.
11-bb9320-HeatShield.jpg
  1. Monitoring the temperature the heat shield will come off easily between 190-200 Centigrade.
12-bb9320-HeatShield.jpg 13-bb9320-HeatShieldRemoved.jpg| 300px ]]
  1. Continue working under the high heat. With the 9315/9320's I've worked on the eMMC has been ready to lift off of the main board using tweezers immediately after removing the heat shield.
14-bb9320-EMMC-Removed.jpg
  1. Using liquid flux, or flux paste and a soldering iron clean the pads on the eMMC in preparation for a read
15-bb9320-EMMC-Cleanup.jpg 16-bb9320-EMMC-Clean.jpg
  1. The eMMC is now ready to read using the appropriate adapter/programmer and software.

At the time of this writing (2013OCT29) the eMMC that was removed in this example was read using an UP828 programmer via the "VBGA169E" adapter. The resulting image was then parsed via the CelleBrite Physical Analyzer (V. 3.8.5.108).