Difference between pages "Sim Filesystem" and "Bzip2"

From ForensicsWiki
(Difference between pages)
(Quick Guide for SIMCon)
 
m (Joachim Metz moved page Bz2 file to Bzip2)
 
Line 1: Line 1:
''Under Construction''
+
{{expand}}
  
The [[SIM Card]] is the basic memory device inside of many mobile phones in use today. This small piece of hardware has been key to solving many cases in the world of [[SIM Card Forensics]]. However, without the proper knowledge of the SIM card's filesystem, the user will be missing out on all the valuable information the [[SIM Card]] holds.
+
The bzip2 (.bz2) file consists of a single bzip2 stream. The bzip2 stream consists of:
 +
* The stream header.
  
 +
The stream header is 4 bytes in size and contains:
 +
{| class="wikitable"
 +
! align="left"| Offset
 +
! Size
 +
! Value
 +
! Description
 +
|-
 +
| 0
 +
| 2
 +
| "BZ"
 +
| Signature (magic number)
 +
|-
 +
| 2
 +
| 1
 +
|
 +
| Version <br> 'h' for Bzip2 ('H'uffman coding), '0' for Bzip1 (deprecated)
 +
|-
 +
| 3
 +
| 1
 +
|
 +
| Block size <br> Value is defined in increments of 100 kB <br> '1'..'9' block-size 100 kB-900 kB (uncompressed) <br> <b>Note: currently assumed that kB should be kiB</b>
 +
|}
  
== Getting Started ==
+
* followed by zero or more compressed blocks
 +
<pre>
 +
.compressed_magic:48            = 0x314159265359 (BCD (pi))
 +
.crc:32                        = checksum for this block
 +
.randomised:1                  = 0=>normal, 1=>randomised (deprecated)
 +
.origPtr:24                    = starting pointer into BWT for after untransform
 +
.huffman_used_map:16            = bitmap, of ranges of 16 bytes, present/not present
 +
.huffman_used_bitmaps:0..256    = bitmap, of symbols used, present/not present (multiples of 16)
 +
.huffman_groups:3              = 2..6 number of different Huffman tables in use
 +
.selectors_used:15              = number of times that the Huffman tables are swapped (each 50 bytes)
 +
*.selector_list:1..6            = zero-terminated bit runs (0..62) of MTF'ed Huffman table (*selectors_used)
 +
.start_huffman_length:5        = 0..20 starting bit length for Huffman deltas
 +
*.delta_bit_length:1..40        = 0=>next symbol; 1=>alter length
 +
                                                { 1=>decrement length;  0=>increment length } (*(symbols+2)*groups)
 +
.contents:2..∞                  = Huffman encoded data stream until end of block
 +
</pre>
  
[[File:What_you_need.jpg|250px|thumb|Items you need]]
+
* immediately followed by an end-of-stream marker containing a 32-bit CRC for the uncompressed data.
 +
<pre>
 +
.eos_magic:48                  = 0x177245385090 (BCD sqrt(pi))
 +
.crc:32                        = checksum for whole stream
 +
.padding:0..7                  = align to whole byte
 +
</pre>
  
This is a list of items to get you started on reading SIM Cards and their information:
+
The compressed blocks are bit-aligned and no padding occurs.
  
# [[SIMCon]]
+
== See also ==
#* Program used to read SIM Cards
+
* [[gzip file]]
# [[SIM Cards]]
+
# SIM Card Reader
+
  
 +
== External Links ==
  
== Quick Guide for SIMCon ==
+
* [http://en.wikipedia.org/wiki/Bzip2 Wikipedia: bzip2]
  
# Make sure the SIM Card Reader with SIM Card is connected
+
[[Category:File Formats]]
# Open [[SIMCon]]
+
# Click File > Read SIM or Click [[File:Simcon.png]] in the upper left corner of [[SIMCon]]
+
# Click OK when the next dialog box pops up
+
#* '''Note''', some SIM cards are locked. This is where the PIN needs to be entered if known.
+
#* If the PIN is unknown, the SIM cannot be read.
+
# Click OK again when the next dialog box pops up
+
 
+
== Definitions ==
+
 
+
=== MF ===
+
* Only '''one''' MF
+
* The Master File (MF)
+
* Root of the SIM Card file system
+
* Equivalent to the root directory or "/" in the Linux filesystem
+
 
+
=== DF ===
+
* Dedicated Files (DF)
+
* Equivalent to a folder in a Windows/Linux filesystem
+
* Usually three DF's
+
** DF_GSM / DF_DCS1800 / DF_TELECOM
+
 
+
==== DF_DCS1800 / DF_GSM ====
+
* Contains network related information
+
* Specifying data in DF_GSM writes only to DF_GSM on the SIM
+
* The SIM is expected to mirror GSM and DCS1800
+
 
+
==== DF_TELECOM ====
+
* Contains the service related information
+
 
+
=== EF ===
+
* Elementary Files (EF)
+
* Holds one to many records
+
* Represent the leaf node of the filesystem
+
* EF's sit below the DF's in the filesystem hierarchy
+
 
+
== Information ==
+
 
+
=== EF_ICCID ===
+
 
+
This displays the ID or Card Identity of the SIM Card, this can also be found on the SIM card itself.
+
 
+
[[File:Ef_iccid.png|350px|thumb]]
+
 
+
=== DF_GSM ===
+
 
+
==== EF_IMSI ====
+
 
+
[[File:Ef_imsi.png|350px|thumb]]
+
 
+
* International Mobile Subscriber Identity (IMSI)
+
* 310-260-653235860
+
* MCC-MNC-MSIN
+
** MCC[http://en.wikipedia.org/wiki/List_of_mobile_country_codes] (3 Digits)
+
*** Mobile Country Code
+
** MNC[http://en.wikipedia.org/wiki/Mobile_Network_Code] (2 Digits EU / 3 Digits NA)
+
*** Mobile Network Code
+
** MSIN[http://en.wikipedia.org/wiki/MSIN] (Remaining Digits)
+
*** Mobile Subscription Identification Number
+
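Review bot: In the stream header table, the Value cells for the version byte (offset 2) and the block-size byte (offset 3) are left empty, while the permitted values ('h' or '0', and '1'..'9') appear only in the Description column. Move them into the Value column so the table can be used directly as a signature definition. The bold "currently assumed that kB should be kiB" remark inside the block-size cell is an open question rather than format documentation; resolve it or move it to the discussion page.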

Revision as of 07:33, 30 November 2013


Please help to improve this article by expanding it.
Further information might be found on the discussion page.

The bzip2 (.bz2) file consists of a single bzip2 stream. The bzip2 stream consists of:

  • The stream header.

The stream header is 4 bytes in size and contains:

| Offset | Size | Value | Description |
|--------|------|-------|-------------|
| 0 | 2 | "BZ" | Signature (magic number) |
| 2 | 1 | | Version: 'h' for Bzip2 ('H'uffman coding), '0' for Bzip1 (deprecated) |
| 3 | 1 | | Block size: value is defined in increments of 100 kB; '1'..'9' block-size 100 kB-900 kB (uncompressed). Note: currently assumed that kB should be kiB |

  • followed by zero or more compressed blocks
```
.compressed_magic:48            = 0x314159265359 (BCD (pi))
.crc:32                         = checksum for this block
.randomised:1                   = 0=>normal, 1=>randomised (deprecated)
.origPtr:24                     = starting pointer into BWT for after untransform
.huffman_used_map:16            = bitmap, of ranges of 16 bytes, present/not present
.huffman_used_bitmaps:0..256    = bitmap, of symbols used, present/not present (multiples of 16)
.huffman_groups:3               = 2..6 number of different Huffman tables in use
.selectors_used:15              = number of times that the Huffman tables are swapped (each 50 bytes)
*.selector_list:1..6            = zero-terminated bit runs (0..62) of MTF'ed Huffman table (*selectors_used)
.start_huffman_length:5         = 0..20 starting bit length for Huffman deltas
*.delta_bit_length:1..40        = 0=>next symbol; 1=>alter length
                                  { 1=>decrement length;  0=>increment length } (*(symbols+2)*groups)
.contents:2..∞                  = Huffman encoded data stream until end of block
```
  • immediately followed by an end-of-stream marker containing a 32-bit CRC for the uncompressed data.
```
.eos_magic:48                   = 0x177245385090 (BCD sqrt(pi))
.crc:32                         = checksum for whole stream
.padding:0..7                   = align to whole byte
```

The compressed blocks are bit-aligned and no padding occurs.
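
Added example, not part of the wiki page: a Python sketch that validates the 4-byte stream header described above and finds the bit-aligned block and end-of-stream magics, as a carver or triage script would. The CRC folding rule in `combined_crc` reflects libbzip2's behaviour rather than anything stated on this page, and the sample input is constructed with Python's `bz2` module.

```python
import bz2

BLOCK_MAGIC = 0x314159265359  # .compressed_magic
EOS_MAGIC = 0x177245385090    # .eos_magic

def parse_stream_header(data):
    """Validate the 4-byte stream header; return (version, block-size digit)."""
    if len(data) < 4 or data[:2] != b"BZ":
        raise ValueError("no 'BZ' signature at offset 0")
    version, level = chr(data[2]), chr(data[3])
    if version not in ("h", "0"):
        raise ValueError("unknown version byte %r" % version)
    if level not in "123456789":
        raise ValueError("block size byte %r outside '1'..'9'" % level)
    return version, int(level)

def scan_markers(data):
    """Return ([(bit_offset, kind, crc), ...], stream_crc) for one stream."""
    # Blocks are bit-aligned, so every bit offset after the header is tested.
    # A chance 48-bit match inside compressed data is possible: hits are candidates.
    total = len(data) * 8
    bits = int.from_bytes(data, "big")  # bzip2 packs bits most significant first
    markers = []
    for off in range(32, total - 80 + 1):
        magic = (bits >> (total - off - 48)) & 0xFFFFFFFFFFFF
        if magic in (BLOCK_MAGIC, EOS_MAGIC):
            crc = (bits >> (total - off - 80)) & 0xFFFFFFFF  # .crc:32 follows the magic
            kind = "block" if magic == BLOCK_MAGIC else "eos"
            markers.append((off, kind, crc))
            if kind == "eos":
                return markers, crc
    return markers, None  # truncated stream: no end-of-stream marker found

def combined_crc(block_crcs):
    """Fold per-block CRCs as libbzip2 does: rotate left by 1, then XOR."""
    acc = 0
    for crc in block_crcs:
        acc = (((acc << 1) | (acc >> 31)) & 0xFFFFFFFF) ^ crc
    return acc

def constructed_sample():
    # Constructed input: run-free data at level 1, so several blocks are emitted.
    return bz2.compress(bytes(range(256)) * 1000, 1)

if __name__ == "__main__":
    sample = constructed_sample()
    print(parse_stream_header(sample))
    marks, stream_crc = scan_markers(sample)
    for off, kind, crc in marks:
        print("byte %d bit %d: %s crc=0x%08x" % (off // 8, off % 8, kind, crc))
    print(stream_crc == combined_crc([c for _, k, c in marks if k == "block"]))
```

A stream whose end-of-stream CRC does not match the folded block CRCs, or that has no end-of-stream marker at all, is a candidate for truncation or corruption and deserves a closer look before it is trusted as evidence.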

See also

  • gzip file

External Links

  • Wikipedia: bzip2 (http://en.wikipedia.org/wiki/Bzip2)