Difference between pages "Sim Filesystem" and "Chrome Disk Cache Format"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Information)
 
(See Also)
 
Line 1: Line 1:
''Under Construction''
+
{{expand}}
  
The [[SIM Card]] is the basic memory device inside of many mobile phones in use today. This small piece of hardware has been key to solving many cases in the world of [[SIM Card Forensics]]. However, without the proper knowledge of the SIM card's filesystem, the user will be missing out on all the valuable information the [[SIM Card]] holds.
+
== Cache files ==
 +
The cache is stored in multiple:
 +
{| class="wikitable"
 +
|-
 +
! Filename
 +
! Description
 +
|-
 +
| index
 +
| The index file
 +
|-
 +
| data_#
 +
| Data block files
 +
|-
 +
| f_######
 +
| (Separate) data stream file
 +
|}
  
 +
== Cache address ==
 +
The cache address is 4 bytes in size and consists of:
 +
{| class="wikitable"
 +
|-
 +
! offset
 +
! size
 +
! value
 +
! description
 +
|-
 +
| <i>If file type is 0 (Separate file)</i>
 +
|
 +
|
 +
|
 +
|-
 +
| 0.0
 +
| 28 bits
 +
|
 +
| File number <br> The value represents the value of # in f_######
 +
|-
 +
| <i>Else</i>
 +
|
 +
|
 +
|
 +
|-
 +
| 0.0
 +
| 16 bits
 +
|
 +
| Block number
 +
|-
 +
| 2.0
 +
| 8 bits
 +
|
 +
| File number (or file selector) <br> The value represents the value of # in data_#
 +
|-
 +
| 3.0
 +
| 2 bits
 +
|
 +
| Block size <br> The number of contiguous blocks where 0 represents 1 block and 3 represents 4 blocks.
 +
|-
 +
| 3.2
 +
| 2 bits
 +
|
 +
| Reserved
 +
|-
 +
| <i>Common</i>
 +
|
 +
|
 +
|
 +
|-
 +
| 3.4
 +
| 3 bits
 +
|
 +
| File type
 +
|-
 +
| 3.7
 +
| 1 bit
 +
|
 +
| Initialized flag
 +
|}
  
== Getting Started ==
+
=== File types ===
 +
{| class="wikitable"
 +
|-
 +
! Value
 +
! Description
 +
|-
 +
| 0
 +
| (Separate) data stream file
 +
|-
 +
| 1
 +
| (Rankings) block data file (36 byte block data file)
 +
|-
 +
| 2
 +
| 256 byte block data file
 +
|-
 +
| 3
 +
| 1024 byte block data file
 +
|-
 +
| 4
 +
| 4096 byte block data file
 +
|-
 +
|
 +
|
 +
|-
 +
| 6
 +
| Unknown; seen on Mac OS  X 0x6f430074
 +
|}
  
[[File:What_you_need.jpg|250px|thumb|Items you'll need]]
+
==== Examples ====
 +
{| class="wikitable"
 +
|-
 +
! Value
 +
! Description
 +
|-
 +
| 0x00000000
 +
| Not initialized
 +
|-
 +
| 0x8000002a
 +
| Data stream file: f_00002a
 +
|-
 +
| 0xa0010003
 +
| Block data file: data_1, block number 3, 1 block of size
 +
|}
  
This is a list of items to get you started on reading SIM Cards and their information:
+
== Index file format (index) ==
 +
Overview:
 +
* File header
 +
* least recently used (LRU) data (or eviction control data)
 +
* index table
  
# [[Windows]] operating system
+
=== File header ===
# [[SIMCon]]
+
*TODO*
#* Program used to read SIM Cards
+
# [[SIM Cards]]
+
# SIM Card Reader
+
  
== Quick Guide for SIMCon ==
+
== Data block file format (data_#) ==
 +
Overview:
 +
* File header
 +
* array of blocks
  
# Make sure the SIM Card Reader with SIM Card is connected
+
=== File header ===
# Open [[SIMCon]]
+
*TODO*
# Click File > Read SIM or Click [[File:Simcon.png]] in the upper left corner of [[SIMCon]]
+
# Click OK when the next dialog box pops up
+
#* '''Note''', some SIM cards are locked. This is where the PIN needs to be entered if known.
+
#* If the PIN is unknown, the SIM cannot be read.
+
# Click OK again when the next dialog box pops up
+
  
== Definitions ==
+
== Data stream ==
 +
See: [[gzip]]
  
=== MF ===
+
== See Also ==
* Only '''one''' MF
+
* [[Google Chrome]]
* The Master File (MF)
+
* [[gzip]]
* Root of the SIM Card file system
+
* Equivalent to the root directory or "/" in the Linux filesystem
+
  
=== DF ===
+
== External Links ==
* Dedicated Files (DF)
+
* Equivalent to a folder in a Windows/Linux filesystem
+
* Usually three DF's
+
** DF_GSM / DF_DCS1800 / DF_TELECOM
+
  
==== DF_DCS1800 / DF_GSM ====
+
[[Category:File Formats]]
* Contains network related information
+
* Specifying data in DF_GSM writes only to DF_GSM on the SIM
+
* The SIM is expected to mirror GSM and DCS1800
+
 
+
==== DF_TELECOM ====
+
* Contains the service related information
+
 
+
=== EF ===
+
* Elementary Files (EF)
+
* Holds one to many records
+
* Represent the leaf node of the filesystem
+
* EF's sit below the DF's in the filesystem hierarchy
+
 
+
=== PLMN ===
+
* Public Land Mobile Network
+
** A PLMN is a network that is established and operated by an administration or by a recognized operating agency (ROA) for the specific purpose of providing land mobile telecommunications services to the public. [http://en.wikipedia.org/wiki/Public_land_mobile_network]
+
 
+
=== LAI ===
+
* Location Area Identity
+
** Each location area of a public land mobile network (PLMN) has its own unique identifier which is known as Location Area Identity (LAI). [http://en.wikipedia.org/wiki/Location_Area_Identity]
+
 
+
== Information ==
+
 
+
=== EF_ICCID ===
+
 
+
This displays the ID or Card Identity of the SIM Card, this can also be found on the SIM card itself.
+
 
+
[[File:Ef_iccid.png|350px|thumb|EF_ICCID]]
+
 
+
=== DF_GSM ===
+
 
+
==== EF_IMSI ====
+
 
+
[[File:Ef_imsi.png|350px|thumb|EF_IMSI]]
+
 
+
* International Mobile Subscriber Identity (IMSI)[http://en.wikipedia.org/wiki/IMSI]
+
* 310  -  260  -  653235860
+
* MCC  -  MNC  -  MSIN
+
** MCC[http://en.wikipedia.org/wiki/List_of_mobile_country_codes] (3 Digits)
+
*** Mobile Country Code
+
** MNC[http://en.wikipedia.org/wiki/Mobile_Network_Code] (2 Digits EU / 3 Digits NA)
+
*** Mobile Network Code
+
** MSIN[http://en.wikipedia.org/wiki/MSIN] (Remaining Digits)
+
*** Mobile Subscription Identification Number
+
*** Within the network's customer base
+
 
+
==== EF_PLMNSEL ====
+
[[File:Plmnsel.png|350px|thumb|EF_PLMNSEL]]
+
* List of all PLMN's (see [[Sim_Filesystem#PLMN]])
+
 
+
==== EF_LOCI ====
+
* Location Information
+
** Contains Location Area Identity (see [[Sim_Filesystem#LAI]])
+
*** LAI Network Code (see [[Sim_Filesystem#PLMN]] / [[Sim_Filesystem#LAI]])
+
 
+
[[File:Ef_loci.png|350px|thumb|EF_LOCI]]
+
 
+
=== DF_TELECOM ===
+
 
+
==== EF_ADN ====
+
[[File:EF_adn.png|350px|thumb|EF_ADN]]
+

Revision as of 13:29, 21 June 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Cache files

The cache is stored in multiple:

Filename Description
index The index file
data_# Data block files
f_###### (Separate) data stream file

Cache address

The cache address is 4 bytes in size and consists of:

offset size value description
If file type is 0 (Separate file)
0.0 28 bits File number
The value represents the value of # in f_######
Else
0.0 16 bits Block number
2.0 8 bits File number (or file selector)
The value represents the value of # in data_#
3.0 2 bits Block size
The number of contiguous blocks where 0 represents 1 block and 3 represents 4 blocks.
3.2 2 bits Reserved
Common
3.4 3 bits File type
3.7 1 bit Initialized flag

File types

Value Description
0 (Separate) data stream file
1 (Rankings) block data file (36 byte block data file)
2 256 byte block data file
3 1024 byte block data file
4 4096 byte block data file
6 Unknown; seen on Mac OS X 0x6f430074

Examples

Value Description
0x00000000 Not initialized
0x8000002a Data stream file: f_00002a
0xa0010003 Block data file: data_1, block number 3, 1 block of size

Index file format (index)

Overview:

  • File header
  • least recently used (LRU) data (or eviction control data)
  • index table

File header

  • TODO*

Data block file format (data_#)

Overview:

  • File header
  • array of blocks

File header

  • TODO*

Data stream

See: gzip

See Also

External Links