
Difference between pages "Sim Filesystem" and "Bzip2"

From ForensicsWiki
(Difference between pages)
(Quick Guide for SIMCon)
 
m (Joachim Metz moved page Bz2 file to Bzip2)
 
Line 1: Line 1:
''Under Construction''
+
{{expand}}
  
The [[SIM Card]] is the basic memory device inside of many mobile phones in use today. This small piece of hardware has been key to solving many cases in the world of [[SIM Card Forensics]]. However, without the proper knowledge of the SIM card's filesystem, the user will be missing out on all the valuable information the [[SIM Card]] holds.
+
The bzip2 (.bz2) file consists of a single bzip2 stream. The bzip2 stream consists of:
 +
* The stream header.
  
 +
The stream header is 4 bytes in size and contains:
 +
{| class="wikitable"
 +
! align="left"| Offset
 +
! Size
 +
! Value
 +
! Description
 +
|-
 +
| 0
 +
| 2
 +
| "BZ"
 +
| Signature (magic number)
 +
|-
 +
| 2
 +
| 1
 +
|
 +
| Version <br> 'h' for Bzip2 ('H'uffman coding), '0' for Bzip1 (deprecated)
 +
|-
 +
| 3
 +
| 1
 +
|
 +
| Block size <br> Value is defined in increments of 100 kB <br> '1'..'9' block-size 100 kB-900 kB (uncompressed) <br> <b>Note: currently assumed that kB should be kiB</b>
 +
|}
  
== Getting Started ==
+
* followed by zero or more compressed blocks
 +
<pre>
 +
.compressed_magic:48            = 0x314159265359 (BCD (pi))
 +
.crc:32                        = checksum for this block
 +
.randomised:1                  = 0=>normal, 1=>randomised (deprecated)
 +
.origPtr:24                    = starting pointer into BWT for after untransform
 +
.huffman_used_map:16            = bitmap, of ranges of 16 bytes, present/not present
 +
.huffman_used_bitmaps:0..256    = bitmap, of symbols used, present/not present (multiples of 16)
 +
.huffman_groups:3              = 2..6 number of different Huffman tables in use
 +
.selectors_used:15              = number of times that the Huffman tables are swapped (each 50 bytes)
 +
*.selector_list:1..6            = zero-terminated bit runs (0..62) of MTF'ed Huffman table (*selectors_used)
 +
.start_huffman_length:5        = 0..20 starting bit length for Huffman deltas
 +
*.delta_bit_length:1..40        = 0=>next symbol; 1=>alter length
 +
                                                { 1=>decrement length;  0=>increment length } (*(symbols+2)*groups)
 +
.contents:2..∞                  = Huffman encoded data stream until end of block
 +
</pre>
  
[[File:What_you_need.jpg|250px|thumb|Items you need]]
+
* immediately followed by an end-of-stream marker containing a 32-bit CRC for the uncompressed data.
 +
<pre>
 +
.eos_magic:48                  = 0x177245385090 (BCD sqrt(pi))
 +
.crc:32                        = checksum for whole stream
 +
.padding:0..7                  = align to whole byte
 +
</pre>
  
This is a list of items to get you started on reading SIM Cards and their information:
+
The compressed blocks are bit-aligned and no padding occurs.
  
# [[SIMCon]]
+
== See also ==
#* Program used to read SIM Cards
+
* [[gzip file]]
# [[SIM Cards]]
+
# SIM Card Reader
+
  
 +
== External Links ==
  
== Quick Guide for SIMCon ==
+
* [http://en.wikipedia.org/wiki/Bzip2 Wikipedia: bzip2]
  
# Make sure the SIM Card Reader with SIM Card is connected
+
[[Category:File Formats]]
# Open [[SIMCon]]
+
# Click File > Read SIM or Click [[File:Simcon.png]] in the upper left corner of [[SIMCon]]
+
# Click OK when the next dialog box pops up
+
#* '''Note''', some SIM cards are locked. This is where the PIN needs to be entered if known.
+
#* If the PIN is unknown, the SIM cannot be read.
+
# Click OK again when the next dialog box pops up
+
 
+
== Definitions ==
+
 
+
=== MF ===
+
* Only '''one''' MF
+
* The Master File (MF)
+
* Root of the SIM Card file system
+
* Equivalent to the root directory or "/" in the Linux filesystem
+
 
+
=== DF ===
+
* Dedicated Files (DF)
+
* Equivalent to a folder in a Windows/Linux filesystem
+
* Usually three DF's
+
** DF_GSM / DF_DCS1800 / DF_TELECOM
+
 
+
==== DF_DCS1800 / DF_GSM ====
+
* Contains network related information
+
* Specifying data in DF_GSM writes only to DF_GSM on the SIM
+
* The SIM is expected to mirror GSM and DCS1800
+
 
+
==== DF_TELECOM ====
+
* Contains the service related information
+
 
+
=== EF ===
+
* Elementary Files (EF)
+
* Holds one to many records
+
* Represent the leaf node of the filesystem
+
* EF's sit below the DF's in the filesystem hierarchy
+
 
+
== Information ==
+
 
+
=== EF_ICCID ===
+
 
+
This displays the ID or Card Identity of the SIM Card, this can also be found on the SIM card itself.
+
 
+
[[File:Ef_iccid.png|350px|thumb]]
+
 
+
=== DF_GSM ===
+
 
+
==== EF_IMSI ====
+
 
+
[[File:Ef_imsi.png|350px|thumb]]
+
 
+
* International Mobile Subscriber Identity (IMSI)
+
* 310-260-653235860
+
* MCC-MNC-MSIN
+
** MCC[http://en.wikipedia.org/wiki/List_of_mobile_country_codes] (3 Digits)
+
*** Mobile Country Code
+
** MNC[http://en.wikipedia.org/wiki/Mobile_Network_Code] (2 Digits EU / 3 Digits NA)
+
*** Mobile Network Code
+
** MSIN[http://en.wikipedia.org/wiki/MSIN] (Remaining Digits)
+
*** Mobile Subscription Identification Number
+
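Review bot: In the added stream-header table, the rows for offsets 2 and 3 leave the Value cell empty and list the permitted bytes ('h' or '0', '1'..'9') only in the Description, and the block-size row carries an unresolved remark in bold ("currently assumed that kB should be kiB"). Move the literal byte values into the Value column so the table can be used for signature matching, and settle the unit against the bzip2 reference implementation before stating the 100 kB-900 kB range as fact.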

Revision as of 12:33, 30 November 2013


The bzip2 (.bz2) file consists of a single bzip2 stream. The bzip2 stream consists of:

  • The stream header.

The stream header is 4 bytes in size and contains:

Offset  Size  Value  Description
------  ----  -----  -----------
0       2     "BZ"   Signature (magic number)
2       1            Version
                     'h' for Bzip2 ('H'uffman coding), '0' for Bzip1 (deprecated)
3       1            Block size
                     Value is defined in increments of 100 kB
                     '1'..'9' block-size 100 kB-900 kB (uncompressed)
                     Note: currently assumed that kB should be kiB

  • followed by zero or more compressed blocks

.compressed_magic:48            = 0x314159265359 (BCD (pi))
.crc:32                         = checksum for this block
.randomised:1                   = 0=>normal, 1=>randomised (deprecated)
.origPtr:24                     = starting pointer into BWT for after untransform
.huffman_used_map:16            = bitmap, of ranges of 16 bytes, present/not present
.huffman_used_bitmaps:0..256    = bitmap, of symbols used, present/not present (multiples of 16)
.huffman_groups:3               = 2..6 number of different Huffman tables in use
.selectors_used:15              = number of times that the Huffman tables are swapped (each 50 bytes)
*.selector_list:1..6            = zero-terminated bit runs (0..62) of MTF'ed Huffman table (*selectors_used)
.start_huffman_length:5         = 0..20 starting bit length for Huffman deltas
*.delta_bit_length:1..40        = 0=>next symbol; 1=>alter length
                                  { 1=>decrement length;  0=>increment length } (*(symbols+2)*groups)
.contents:2..∞                  = Huffman encoded data stream until end of block

  • immediately followed by an end-of-stream marker containing a 32-bit CRC for the uncompressed data.

.eos_magic:48                   = 0x177245385090 (BCD sqrt(pi))
.crc:32                         = checksum for whole stream
.padding:0..7                   = align to whole byte

The compressed blocks are bit-aligned and no padding occurs.
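
Because the blocks are bit-aligned, a carver or triage script has to search for the two 48-bit magic values at every bit offset, not every byte offset. The following added example (not part of the original wiki page) validates the 4-byte stream header and locates the block and end-of-stream markers with their CRC fields; the function names and the sample input are constructed for illustration, and a magic match is only a candidate until the block actually decodes.

```python
import bz2

BLOCK_MAGIC = 0x314159265359  # .compressed_magic (BCD pi)
EOS_MAGIC = 0x177245385090    # .eos_magic (BCD sqrt(pi))

def parse_stream_header(data: bytes) -> dict:
    """Validate the 4-byte stream header: "BZ", version byte, block-size byte."""
    if len(data) < 4 or data[:2] != b"BZ":
        raise ValueError("missing 'BZ' signature")
    version, level = chr(data[2]), chr(data[3])
    if version != "h":
        raise ValueError(f"unsupported version byte {version!r}")
    if not "1" <= level <= "9":
        raise ValueError(f"invalid block-size byte {level!r}")
    return {"version": version, "block_size_digit": int(level)}

def scan_markers(data: bytes):
    """Return ([(bit_offset, block_crc), ...], (bit_offset, stream_crc) or None)."""
    total = len(data) * 8
    value = int.from_bytes(data, "big")  # whole buffer as one big-endian integer

    def bits(pos: int, width: int) -> int:
        # Read `width` bits starting at bit offset `pos` (MSB first).
        return (value >> (total - pos - width)) & ((1 << width) - 1)

    blocks, eos, pos = [], None, 32  # markers start right after the header
    while pos + 80 <= total:         # 48-bit magic + 32-bit CRC must fit
        magic = bits(pos, 48)
        if magic == BLOCK_MAGIC:
            blocks.append((pos, bits(pos + 48, 32)))
            pos += 80
        elif magic == EOS_MAGIC:
            eos = (pos, bits(pos + 48, 32))
            break
        else:
            pos += 1                 # bit-aligned: advance one bit, not one byte
    return blocks, eos

# Constructed sample input, generated locally with the standard library.
SAMPLE = bz2.compress(b"forensics wiki sample " * 40, 9)

if __name__ == "__main__":
    print(parse_stream_header(SAMPLE))
    found_blocks, found_eos = scan_markers(SAMPLE)
    for offset, crc in found_blocks:
        print(f"block at bit {offset}: crc=0x{crc:08x}")
    print("end-of-stream:", found_eos)
```

A missing end-of-stream marker (the function returns `None` for it) is a quick indicator of a truncated or partially carved stream.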

See also

External Links