Difference between pages "Sim Filesystem" and "Windows 7"

From Forensics Wiki
(Difference between pages)
(EF_IMSI)
 
 
Line 1: Line 1:
''Under Construction''
 
  
The [[SIM Card]] is the basic memory device inside of many mobile phones in use today. This small piece of hardware has been key to solving many cases in the world of [[SIM Card Forensics]]. However, without the proper knowledge of the SIM card's filesystem, the user will be missing out on all the valuable information the [[SIM Card]] holds.
 
  
 +
== File Structure ==
 +
File systems are covered separately.
  
== Getting Started ==
+
== SSD ==
 +
Per MS [http://support.microsoft.com/kb/2727880 KB2727880], when Windows 7 is installed on a system with an SSD drive, automatic defragmentation and SuperFetch/prefetching are disabled.
  
[[File:What_you_need.jpg|250px|thumb|Items you need]]
+
Further, [http://technet.microsoft.com/en-us/magazine/ff356869.aspx this TechNet post] states:
 +
<i>Since ReadyBoost will not provide a performance gain when the primary disk is an SSD, Windows 7 disables ReadyBoost when reading from an SSD drive.</i>
  
This is a list of items to get you started on reading SIM Cards and their information:
+
  
# [[SIMCon]]
 
#* Program used to read SIM Cards
 
# [[SIM Cards]]
 
# SIM Card Reader
 
  
 +
== Jump Lists ==
 +
[[Jump Lists]] are Task Bar artifacts first introduced on Windows 7 (and also available on Windows 8).
  
== Quick Guide for SIMCon ==
+
== Registry ==  
 +
The [[Windows_Registry]] remains a central component of the Windows 7 operating system.
  
# Make sure the SIM Card Reader with SIM Card is connected
+
== Known keys of forensic interest ==
# Open [[SIMCon]]
+
# Click File > Read SIM or Click [[File:Simcon.png]] in the upper left corner of [[SIMCon]]
+
# Click OK when the next dialog box pops up
+
#* '''Note''', some SIM cards are locked. This is where the PIN needs to be entered if known.
+
#* If the PIN is unknown, the SIM cannot be read.
+
# Click OK again when the next dialog box pops up
+
  
== Definitions ==
+
'''SAM Registry'''
  
=== MF ===
+
SAM SAM\\Domains\\Account\\Users
* Only '''one''' MF
+
* The Master File (MF)
+
* Root of the SIM Card file system
+
* Equivalent to the root directory or "/" in the Linux filesystem
+
  
=== DF ===
+
SAM SAM\\Domains\\Account\\UsersSAM\\Domains\\Builtin\\Aliases
* Dedicated Files (DF)
+
* Equivalent to a folder in a Windows/Linux filesystem
+
* Usually three DF's
+
** DF_GSM / DF_DCS1800 / DF_TELECOM
+
  
==== DF_DCS1800 / DF_GSM ====
 
* Contains network related information
 
* Specifying data in DF_GSM writes only to DF_GSM on the SIM
 
* The SIM is expected to mirror GSM and DCS1800
 
  
==== DF_TELECOM ====
+
'''Security Registry'''
* Contains the service related information
+
  
=== EF ===
+
Security Policy\\PolAcDmSPolicy\\PolPrDmS
* Elementary Files (EF)
+
* Holds one to many records
+
* Represent the leaf node of the filesystem
+
* EF's sit below the DF's in the filesystem hierarchy
+
  
== Information ==
+
Security Policy\\PolAdtEv
  
=== EF_ICCID ===
+
Security Policy\\Secrets
 
+
This displays the ID or Card Identity of the SIM Card, this can also be found on the SIM card itself.
+
 
+
[[File:Ef_iccid.png|350px|thumb]]
+
 
+
=== DF_GSM ===
+
 
+
==== EF_IMSI ====
+
 
+
[[File:Ef_imsi.png|350px|thumb]]
+
 
+
* International Mobile Subscriber Identity (IMSI)[http://en.wikipedia.org/wiki/IMSI]
+
* 310-260-653235860
+
* MCC-MNC-MSIN
+
** MCC[http://en.wikipedia.org/wiki/List_of_mobile_country_codes] (3 Digits)
+
*** Mobile Country Code
+
** MNC[http://en.wikipedia.org/wiki/Mobile_Network_Code] (2 Digits EU / 3 Digits NA)
+
*** Mobile Network Code
+
** MSIN[http://en.wikipedia.org/wiki/MSIN] (Remaining Digits)
+
*** Mobile Subscription Identification Number
+
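Review bot: in the added "Known keys of forensic interest" entries, two key paths are run together with no separator, in the second SAM entry (SAM\\Domains\\Account\\UsersSAM\\Domains\\Builtin\\Aliases) and in the first Security entry (Policy\\PolAcDmSPolicy\\PolPrDmS). Put each key on its own line or table row so the paths can be copied as written. The doubled backslashes also show up literally in the rendered revision, so single backslashes are probably what was meant. Each key would benefit from a short note on what it holds, since the section currently lists paths only.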

Revision as of 12:16, 12 September 2013



File Structure

File systems are covered separately.

SSD

Per MS KB2727880, when Windows 7 is installed on a system with an SSD drive, automatic defragmentation and SuperFetch/prefetching are disabled.

Further, this TechNet post states: Since ReadyBoost will not provide a performance gain when the primary disk is an SSD, Windows 7 disables ReadyBoost when reading from an SSD drive.



Jump Lists

Jump Lists are Task Bar artifacts first introduced on Windows 7 (and also available on Windows 8).

Registry

The Windows Registry remains a central component of the Windows 7 operating system.

Known keys of forensic interest

SAM Registry

SAM SAM\\Domains\\Account\\Users

SAM SAM\\Domains\\Account\\Users, SAM\\Domains\\Builtin\\Aliases


Security Registry

Security Policy\\PolAcDmS, Policy\\PolPrDmS

Security Policy\\PolAdtEv

Security Policy\\Secrets