Difference between pages "Sim Filesystem" and "Windows 7"

From ForensicsWiki
(Difference between pages)
(Information)
 
 
Line 1: Line 1:
''Under Construction''
 
  
The [[SIM Card]] is the basic memory device inside of many mobile phones in use today. This small piece of hardware has been key to solving many cases in the world of [[SIM Card Forensics]]. However, without the proper knowledge of the SIM card's filesystem, the user will be missing out on all the valuable information the [[SIM Card]] holds.
 
  
 +
== File Structure ==
 +
File systems are covered separately.
  
== Getting Started ==
+
== SSD ==
 +
Per MS [http://support.microsoft.com/kb/2727880 KB2727880], when Windows 7 is installed on a system with an SSD drive, automatic defragmentation and SuperFetch/prefetching are disabled.
  
[[File:What_you_need.jpg|250px|thumb|Items you need]]
+
Further, [http://technet.microsoft.com/en-us/magazine/ff356869.aspx this TechNet post] states:
 +
<i>Since ReadyBoost will not provide a performance gain when the primary disk is an SSD, Windows 7 disables ReadyBoost when reading from an SSD drive.</i>
  
This is a list of items to get you started on reading SIM Cards and their information:
+
  
# [[SIMCon]]
 
#* Program used to read SIM Cards
 
# [[SIM Cards]]
 
# SIM Card Reader
 
  
 +
== Jump Lists ==
 +
[[Jump Lists]] are Task Bar artifacts first introduced on Windows 7 (and also available on Windows 8).
  
== Quick Guide for SIMCon ==
+
== Registry ==  
 +
The [[Windows_Registry]] remains a central component of the Windows 7 operating system.
  
# Make sure SIM Read with SIM Card is plugged in
+
== Known keys of forensic interest ==
# Open [[SIMCon]]
+
# Click File > Read SIM or Click [[File:Simcon.png]] in the upper left corner of [[SIMCon]]
+
# Click OK when the next dialog box pops up
+
#* '''Note''', some SIM cards are locked. This is where the PIN needs to be entered if known.
+
#* If the PIN is unknown, the SIM cannot be read.
+
# Click OK again when the next dialog box pops up
+
  
== Definitions ==
+
'''SAM Registry'''
  
=== MF ===
+
SAM SAM\\Domains\\Account\\Users
* Only '''one''' MF
+
* The Master File (MF)
+
* Root of the SIM Card file system
+
* Equivalent to the root directory or "/" in the Linux filesystem
+
  
=== DF ===
+
SAM SAM\\Domains\\Account\\UsersSAM\\Domains\\Builtin\\Aliases
* Dedicated Files (DF)
+
* Equivalent to a folder in a Windows/Linux filesystem
+
* Usually three DF's
+
** DF_GSM / DF_DCS1800 / DF_TELECOM
+
  
==== DF_DCS1800 / DF_GSM ====
 
* Contains network related information
 
* Specifying data in DF_GSM writes only to DF_GSM on the SIM
 
* The SIM is expected to mirror GSM and DCS1800
 
  
==== DF_TELECOM ====
+
'''Security Registry'''
* Contains the service related information
+
  
=== EF ===
+
Security Policy\\PolAcDmSPolicy\\PolPrDmS
* Elementary Files (EF)
+
* Holds one to many records
+
* Represent the leaf node of the filesystem
+
* EF's sit below the DF's in the filesystem hierarchy
+
  
== Information ==
+
Security Policy\\PolAdtEv
  
=== EF_ICCID ===
+
Security Policy\\Secrets
 
+
This displays the ID or Card Identity of the SIM Card, this can also be found on the SIM card itself.
+
 
+
[[File:Ef_iccid.png|thumb]]
+
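Review bot: the added key lines under '''SAM Registry''' and '''Security Registry''' each run two paths together on one line ("SAM\\Domains\\Account\\UsersSAM\\Domains\\Builtin\\Aliases" and "Policy\\PolAcDmSPolicy\\PolPrDmS"), so a reader cannot tell where one key ends and the next begins. Put each key on its own line or in its own table cell. The "Known keys of forensic interest" heading is also followed only by bare paths, so add a short description of what each key records. Separately, the added text links [[Windows_Registry]] with an underscore, which renders as "Windows_Registry" in the sentence; a piped link or a space in the title would read correctly.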

Revision as of 17:16, 12 September 2013


File Structure

File systems are covered separately.

SSD

Per MS KB2727880, when Windows 7 is installed on a system with an SSD drive, automatic defragmentation and SuperFetch/prefetching are disabled.

Further, this TechNet post states: Since ReadyBoost will not provide a performance gain when the primary disk is an SSD, Windows 7 disables ReadyBoost when reading from an SSD drive.



Jump Lists

Jump Lists are Task Bar artifacts first introduced on Windows 7 (and also available on Windows 8).

Registry

The Windows Registry remains a central component of the Windows 7 operating system.

Known keys of forensic interest

SAM Registry

SAM SAM\\Domains\\Account\\Users

SAM SAM\\Domains\\Account\\Users, SAM\\Domains\\Builtin\\Aliases


Security Registry

Security Policy\\PolAcDmS, Policy\\PolPrDmS

Security Policy\\PolAdtEv

Security Policy\\Secrets