Difference between pages "SIM Card Forensics" and "Research Topics"

From ForensicsWiki

SIM Card Forensics

== Procedures ==

Acquire the [[SIM Card]] through a smart card reader (see Hardware below) and analyze the following elementary files (EFs, named as in GSM 11.11):

* ICCID - Integrated Circuit Card Identification (the card serial number, also printed on the card body)
* MSISDN - Subscriber phone number (optional file; many operators leave it empty)
* IMSI - International Mobile Subscriber Identity (MCC, MNC and MSIN)
* LND - Last Numbers Dialed
* LOCI - Location Information (TMSI, LAI and location update status)
* LAI - Location Area Identity (MCC, MNC and location area code, stored inside LOCI)
* ADN - Abbreviated Dialing Numbers (contacts)
* FDN - Fixed Dialing Numbers (PIN2-protected list that restricts outgoing calls)
* SMS - Short Messages (status byte plus TPDU; "deleted" records often still hold the message)
* SMSP - Short Message Service Parameters (service center address and defaults)
* SMSS - Short Message Status (last used message reference, memory capacity exceeded flag)
* Phase - Phase identification of the SIM
* SST - SIM Service Table (which services the card supports)
* LP - Language Preference
* SPN - Service Provider Name
* EXT1 - Extension 1 (overflow digits for ADN and MSISDN entries)
* EXT2 - Extension 2 (overflow digits for FDN entries)
* GID1 - Group Identifier level 1
* GID2 - Group Identifier level 2
* CBMI - Cell Broadcast Message Identifier selection
* PUCT - Price per Unit and Currency Table
* ACM - Accumulated Call Meter
* ACMmax - Accumulated Call Meter maximum (call limit)
* HPLMNSP - HPLMN search period
* PLMNsel - PLMN selector (preferred networks)
* FPLMN - Forbidden PLMNs (networks that rejected the subscriber)
* CCP - Capability Configuration Parameters
* ACC - Access Control Class
* BCCH - Broadcast Control Channels (BCCH carrier list stored by the phone)
* Kc - Ciphering Key and ciphering key sequence number
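The files above come off the card as raw bytes, and the forensic tools listed further down do the decoding for you. As an added example (not code from this page or from any of those tools), the following decoder shows what that decoding actually involves for ICCID, IMSI, LOCI, ADN records and SMS records, following the GSM 11.11 layouts: nibble-swapped BCD, the IMSI length and parity nibble, the LAI packing, and the SMS status byte. All byte strings in `SAMPLE` are constructed test vectors, not data from a real subscriber card; the ASCII handling of ADN alpha identifiers is an approximation that skips UCS2 entries.

```python
"""Decode raw GSM 11.11 elementary files (EFs) read from a SIM.

Added example; not code from the ForensicsWiki page or the tools it lists.
SAMPLE holds constructed test vectors, not data from a real card.
"""

_BCD = "0123456789*#abc"          # nibble values 0..14; 0xF is filler


def swapped_bcd(data: bytes) -> str:
    """Decode nibble-swapped BCD (low nibble first), skipping 0xF filler."""
    return "".join(_BCD[n] for b in data for n in (b & 0x0F, b >> 4) if n != 0x0F)


def luhn_ok(digits: str) -> bool:
    """ICCIDs (ITU-T E.118) end in a Luhn check digit; a failure means the
    dump is corrupt or the bytes came from the wrong file."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def parse_iccid(ef: bytes) -> dict:
    """EF_ICCID: 10 bytes of swapped BCD, up to 20 digits."""
    iccid = swapped_bcd(ef[:10])
    return {"iccid": iccid, "luhn_ok": luhn_ok(iccid)}


def parse_imsi(ef: bytes) -> dict:
    """EF_IMSI: byte 0 = length in bytes; byte 1 low nibble = identity type
    (001) plus odd/even parity bit 0x08, high nibble = first digit."""
    length = ef[0]
    odd = bool(ef[1] & 0x08)
    imsi = _BCD[ef[1] >> 4] + swapped_bcd(ef[2:1 + length])
    # MNC is 2 or 3 digits; GSM 11.11 only says which via EF_AD (R99+),
    # so only the MCC is split out here.
    return {"imsi": imsi, "mcc": imsi[:3],
            "length_ok": len(imsi) == 2 * length - (1 if odd else 2)}


_LU_STATUS = {0: "updated", 1: "not updated", 2: "PLMN not allowed",
              3: "location area not allowed"}


def parse_lai(lai: bytes) -> dict:
    """LAI: MCC digit2|digit1, MNC digit3|MCC digit3, MNC digit2|digit1, LAC."""
    mcc = _BCD[lai[0] & 0x0F] + _BCD[lai[0] >> 4] + _BCD[lai[1] & 0x0F]
    mnc = _BCD[lai[2] & 0x0F] + _BCD[lai[2] >> 4]
    if lai[1] >> 4 != 0x0F:           # a third MNC digit is present
        mnc += _BCD[lai[1] >> 4]
    return {"mcc": mcc, "mnc": mnc, "lac": int.from_bytes(lai[3:5], "big")}


def parse_loci(ef: bytes) -> dict:
    """EF_LOCI: TMSI (4) + LAI (5) + TMSI TIME (1) + location update status (1)."""
    out = {"tmsi": ef[0:4].hex().upper()}
    out.update(parse_lai(ef[4:9]))
    out["update_status"] = _LU_STATUS.get(ef[10] & 0x07, "reserved")
    return out


_TON = {0: "unknown", 1: "international", 2: "national", 3: "network specific"}


def parse_adn_record(rec: bytes) -> dict:
    """EF_ADN record: alpha identifier (record length - 14), then length of
    BCD number contents, TON/NPI, 10 bytes of swapped BCD, CCP id, EXT1 id."""
    alpha_len = len(rec) - 14
    # GSM default alphabet matches ASCII for letters/digits; UCS2 not handled.
    alpha = rec[:alpha_len].rstrip(b"\xff").decode("ascii", "replace")
    num_len, ton_npi = rec[alpha_len], rec[alpha_len + 1]
    if num_len == 0xFF:                # unused slot; alpha may still hold residue
        return {"alpha": alpha, "number": None, "ton": None}
    ton = _TON.get((ton_npi >> 4) & 0x07, "reserved")
    number = swapped_bcd(rec[alpha_len + 2:alpha_len + 1 + num_len])
    if ton == "international":
        number = "+" + number
    return {"alpha": alpha, "number": number, "ton": ton}


_SMS_STATUS = {0: "free", 1: "read", 3: "unread", 5: "sent", 7: "to be sent"}


def classify_sms_record(rec: bytes) -> str:
    """Handsets usually 'delete' an SMS by zeroing the status byte only, so a
    'free' record whose TPDU is not all 0xFF is recoverable evidence."""
    status = _SMS_STATUS.get(rec[0] & 0x07, "reserved")
    if status == "free" and any(b != 0xFF for b in rec[1:]):
        return "free (deleted, TPDU still present)"
    return status


# Constructed test vectors (not from a real card).
SAMPLE = {
    "ICCID": bytes.fromhex("984402002020000010F9"),
    "IMSI": bytes.fromhex("080910101032547698"),
    "LOCI": bytes.fromhex("A1B2C3D400F1101234FF00"),
    "ADN": bytes.fromhex("416C696365FFFFFFFFFF07915155550521F3FFFFFFFFFFFF"),
    "SMS_DELETED": b"\x00" + bytes.fromhex("040B915155550521F3") + b"\xff" * 166,
    "SMS_FREE": b"\x00" + b"\xff" * 175,
}

if __name__ == "__main__":
    for name in ("ICCID", "IMSI", "LOCI", "ADN"):
        print(name, globals()["parse_" + name.lower() + ("_record" if name == "ADN" else "")](SAMPLE[name]))
    for name in ("SMS_DELETED", "SMS_FREE"):
        print(name, classify_sms_record(SAMPLE[name]))
```

The Luhn check on the ICCID is the cheapest sanity test of an acquisition: a dump that fails it was misread or taken from the wrong file. The SMS classifier makes the point that record status 0x00 is not proof of absence; every 176-byte record should be examined regardless of its status byte.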
  
== Hardware ==

=== Serial ===

* [[MicroDrive 120]] with SmartCard Adapter

=== USB ===

* [[ACR 38T]]

== Software ==

* [[ForensicSIM]]
* [[Quantaq USIMdetective]]
* [[Paraben SIM Card Seizure]]
* [[SIMIS]]

== Security ==

SIM cards can have their data protected by a PIN, or Personal Identification Number (CHV1 in GSM 11.11). If the user has enabled the PIN, the CHV1-protected files (among them IMSI, ADN, SMS, LOCI and Kc) cannot be read until the PIN has been correctly presented; a few files, including ICCID, LP and Phase, have an access condition of ALWAYS and can be read from a locked card. A second PIN, PIN2 (CHV2), protects FDN and the charging files ACM, ACMmax and PUCT. The retry counter is kept on the SIM itself, not in the handset: GSM 11.11 allows three consecutive wrong PIN entries, after which the SIM refuses the PIN, even the correct one, and requires a PUK, or Personal Unblocking Key. The SIM stays locked until the PUK is correctly entered, and the PUK must be obtained from the SIM's network operator. If the PUK is incorrectly entered 10 times the SIM is permanently blocked and the subscriber must obtain a new SIM card to use the phone. PIN2 has its own PUK2 and follows the same three-then-ten rule. For an examiner this means: read the remaining-attempt counters from the card before presenting anything, never guess a PIN, since each wrong guess consumes one of the three attempts and can leave the evidence behind a PUK request, and obtain the PIN or PUK from the owner or operator rather than trying to brute-force the card.
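The PIN and PUK mechanics above are visible on the wire as a handful of APDUs and status words. The following is an added example, not code from this page or from any listed tool: it builds the GSM 11.11 VERIFY CHV and UNBLOCK CHV commands, reads the remaining-attempt counters out of the SELECT response for the MF or DF_GSM (bytes 14 and 19-22, 1-based), and decides what an examiner may safely do next. `FakeSim` is a constructed stand-in that answers those APDUs the way the specification describes, so the example runs without a reader; against a real card the same APDU bytes would be sent through a PC/SC library, and the PIN and PUK values are made up.

```python
"""GSM 11.11 CHV (PIN/PUK) handling for SIM examination.

Added example; not code from the ForensicsWiki page or any tool it lists.
FakeSim is a constructed model of a card, not a reader driver.
"""
from dataclasses import dataclass

CHV1, CHV2 = 0x01, 0x02                  # P2 values for VERIFY CHV
SW_OK = (0x90, 0x00)
SW_RETRY = (0x98, 0x04)                  # wrong CHV/PUK, at least one attempt left
SW_BLOCKED = (0x98, 0x40)                # wrong CHV/PUK, no attempt left; blocked
SW_CHV_STATUS = (0x98, 0x08)             # in contradiction with CHV status (e.g. disabled)


def pad8(secret: str) -> bytes:
    """CHV and PUK values travel as 8 ASCII bytes padded with 0xFF."""
    raw = secret.encode("ascii")
    if not 4 <= len(raw) <= 8:
        raise ValueError("CHV/PUK must be 4 to 8 characters")
    return raw + b"\xff" * (8 - len(raw))


def verify_chv_apdu(pin: str, which: int = CHV1) -> bytes:
    """A0 20 00 P2 08 <pin>"""
    return bytes([0xA0, 0x20, 0x00, which, 0x08]) + pad8(pin)


def unblock_chv_apdu(puk: str, new_pin: str, which: int = CHV1) -> bytes:
    """A0 2C 00 P2 10 <puk><new pin>; UNBLOCK uses P2 = 00 for CHV1, 02 for CHV2."""
    p2 = 0x00 if which == CHV1 else 0x02
    return bytes([0xA0, 0x2C, 0x00, p2, 0x10]) + pad8(puk) + pad8(new_pin)


def chv_state(select_resp: bytes) -> dict:
    """Counters from the SELECT MF/DF response. Byte 14 b8: CHV1 disabled.
    Bytes 19-22: CHV1, UNBLOCK CHV1, CHV2, UNBLOCK CHV2; b8 = initialised,
    b1-b4 = false presentations remaining."""
    def status(b: int) -> dict:
        return {"initialised": bool(b & 0x80), "attempts_left": b & 0x0F}
    return {"chv1_enabled": not (select_resp[13] & 0x80),
            "chv1": status(select_resp[18]), "puk1": status(select_resp[19]),
            "chv2": status(select_resp[20]), "puk2": status(select_resp[21])}


def triage(select_resp: bytes) -> str:
    """What an examiner may do next without consuming the subscriber's attempts."""
    s = chv_state(select_resp)
    if not s["chv1_enabled"]:
        return "READ_NO_PIN"             # CHV1 disabled: protected files readable as-is
    if s["chv1"]["attempts_left"] == 0:
        return "DEAD" if s["puk1"]["attempts_left"] == 0 else "NEED_PUK"
    # A fresh card reports 3; fewer means someone already guessed. Never guess:
    # read the ALW files (ICCID, LP, Phase) and get the PIN/PUK from owner or operator.
    return "PIN_REQUIRED"


@dataclass
class FakeSim:
    """Constructed card model (made-up PIN/PUK), answering per GSM 11.11."""
    pin1: str = "1234"
    puk1: str = "87654321"
    pin1_enabled: bool = True
    pin1_tries: int = 3
    puk1_tries: int = 10
    verified: bool = False

    def select_df_gsm_response(self) -> bytes:
        r = bytearray(34)
        r[6] = 0x02                                   # type of file: DF
        r[13] = 0x00 if self.pin1_enabled else 0x80   # file characteristics, b8
        r[18] = 0x80 | self.pin1_tries                # CHV1 status
        r[19] = 0x80 | self.puk1_tries                # UNBLOCK CHV1 status
        r[20], r[21] = 0x80 | 3, 0x80 | 10            # CHV2 / UNBLOCK CHV2 (static here)
        return bytes(r)

    def transmit(self, apdu: bytes) -> tuple:
        cla, ins, p2, data = apdu[0], apdu[1], apdu[3], apdu[5:]
        if (cla, ins, p2) == (0xA0, 0x20, CHV1):                  # VERIFY CHV1
            if not self.pin1_enabled:
                return SW_CHV_STATUS
            if self.pin1_tries == 0:
                return SW_BLOCKED                                 # even a correct PIN is refused
            if data == pad8(self.pin1):
                self.pin1_tries, self.verified = 3, True          # success resets the counter
                return SW_OK
            self.pin1_tries -= 1
            return SW_RETRY if self.pin1_tries else SW_BLOCKED
        if (cla, ins, p2) == (0xA0, 0x2C, 0x00):                  # UNBLOCK CHV1
            if self.puk1_tries == 0:
                return SW_BLOCKED
            if data[:8] == pad8(self.puk1):
                self.pin1 = data[8:16].rstrip(b"\xff").decode("ascii")
                self.pin1_tries, self.puk1_tries, self.verified = 3, 10, True
                return SW_OK
            self.puk1_tries -= 1
            return SW_RETRY if self.puk1_tries else SW_BLOCKED
        return (0x6D, 0x00)                                       # INS not supported
```

Note that `triage` inspects the SELECT response rather than trying a VERIFY: a VERIFY with a wrong value is itself an attempt, and nothing in the 98 04 status word tells you how many remain. Reading the counters first also records whether the suspect or a previous handler already spent attempts before the card reached you.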
Research Topics (revision as of 19:08, 12 November 2008)

Interested in doing research in computer forensics? Looking for a master's topic, or just some ideas for a research paper? Here is my list. Please feel free to add your own ideas.

Disk Forensics

Stream Forensics

Process the entire disk with one pass, or at most two, to minimize seek time.

Evidence Falsification

Automatically detect falsified digital evidence.

Sanitization

Detect and diagnose sanitization attempts.


AFF Enhancement

  • Replace the AFF "BADFLAG" approach for indicating bad data with a bad sector bitmap.
  • Modify aimage so that it can take a partial disk image and a disk and just image what's missing.
  • Improve the data recovery features of aimage.
  • Replace AFF's current table-of-contents system with one based on B+ Trees.

Timeline Analysis

Write a new timeline viewer that supports:

  • Logfile fusion (with offsets)
  • Logfile correlation
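Logfile fusion with offsets and correlation are the two operations such a viewer must get right before any display work matters. As an added example (not code from this page or from any existing viewer), the following fuses a firewall log kept in UTC with a web server log whose clock was measured to run 47 seconds fast, normalises both to UTC, and then correlates events from different sources that share a client address within a short window. The log lines and the 47-second skew are constructed; the point it demonstrates is that without the offset correction the two records of the same request fall outside any sensible correlation window.

```python
"""Timeline fusion with per-source clock offsets, plus cross-source correlation.

Added example; not code from the ForensicsWiki page. Log lines are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# Per-source parsing rules and the measured clock skew (seconds the source's
# clock runs fast relative to the reference). tz=None: the line carries its own offset.
SOURCES = {
    "fw": {"tz": timezone.utc, "skew_s": 0, "fmt": "%Y-%m-%dT%H:%M:%S",
           "re": re.compile(r"^(?P<ts>\S+)Z (?P<msg>\S+ \S+) src=(?P<ip>\S+)")},
    "web": {"tz": None, "skew_s": 47, "fmt": "%d/%b/%Y:%H:%M:%S %z",
            "re": re.compile(r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<msg>[^"]*)"')},
}

# Constructed sample logs: the web server is 47 s fast and logs in local time.
LOGS = {
    "fw": [
        "2008-11-12T19:07:30Z ACCEPT tcp src=10.0.0.9 dst=192.0.2.10 dport=22",
        "2008-11-12T19:08:00Z ACCEPT tcp src=10.0.0.5 dst=192.0.2.10 dport=80",
        "2008-11-12T19:10:15Z DROP tcp src=198.51.100.7 dst=192.0.2.10 dport=445",
    ],
    "web": [
        '10.0.0.5 - - [12/Nov/2008:14:08:47 -0500] "GET /admin HTTP/1.1" 200 512',
        '10.0.0.9 - - [12/Nov/2008:14:09:20 -0500] "GET /index.html HTTP/1.1" 200 1024',
    ],
}


@dataclass
class Event:
    ts: datetime          # normalised to UTC, skew removed
    source: str
    ip: str
    msg: str


def parse(source: str, line: str, apply_skew: bool = True) -> Event:
    """Parse one line, localise it, convert to UTC and subtract the measured skew."""
    spec = SOURCES[source]
    m = spec["re"].match(line)
    if not m:
        raise ValueError(f"{source}: unparsed line: {line!r}")
    ts = datetime.strptime(m["ts"], spec["fmt"])
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=spec["tz"])
    ts = ts.astimezone(timezone.utc)
    if apply_skew:
        ts -= timedelta(seconds=spec["skew_s"])
    return Event(ts, source, m["ip"], m["msg"])


def fuse(logs: dict, apply_skew: bool = True) -> list:
    """One timeline from all sources, ordered by corrected UTC timestamp."""
    events = [parse(src, line, apply_skew) for src, lines in logs.items() for line in lines]
    return sorted(events, key=lambda e: e.ts)


def correlate(events: list, window_s: int = 2) -> list:
    """Group events sharing an IP that fall within window_s of the group's first
    event and that come from more than one source."""
    by_ip: dict = {}
    for e in events:                      # events are already time-ordered
        by_ip.setdefault(e.ip, []).append(e)
    groups = []
    for evs in by_ip.values():
        i = 0
        while i < len(evs):
            group, j = [evs[i]], i + 1
            while j < len(evs) and (evs[j].ts - group[0].ts).total_seconds() <= window_s:
                group.append(evs[j])
                j += 1
            if len({e.source for e in group}) > 1:
                groups.append(group)
            i = j
    return groups


if __name__ == "__main__":
    for e in fuse(LOGS):
        print(e.ts.isoformat(), e.source, e.ip, e.msg)
    print("correlated groups:", len(correlate(fuse(LOGS))))
    print("without skew correction:", len(correlate(fuse(LOGS, apply_skew=False))))
```

The skew values belong in the case notes alongside how they were measured (for instance, against a packet capture from an NTP-synchronised sensor); a viewer that lets the analyst edit them interactively and re-sort is the "fusion with offsets" the list item asks for.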


Carving

JPEG Validator

Create a JPEG decompressor that supports restarts and checkpointing for use in high-speed carving.


Cell Phone Exploitation

Imaging

Develop a tool for imaging the contents of a cell phone's memory.

Interpretation

  • Develop a tool for reassembling the information held in a cell phone's memory.


Corpora Development

Realistic Disk Corpora

There is a need for realistic corpora that can be freely redistributed but do not contain any confidential personally identifiable information (PII).

These disk images may be either of an external drive or of a system boot drive. The drive images should have signs of wear --- that is, they should have resident files, deleted files, partially overwritten files, contiguous files, and fragmented files.

From DFRWS 2005: Frank Adelstein (ATC-NY), Yun Gao and Golden G. Richard III (University of New Orleans), "Automatically Creating Realistic Targets for Digital Forensics Investigation", http://www.dfrws.org/2005/program.shtml

Realistic Network Traffic

Generating realistic network traffic requires constructing a test network and either recording interactions within the network or with an external network.