Difference between pages "Cell phones" and "SIM Cards"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
 
(USIM)
 
Line 1: Line 1:
'''Cell phones''' or '''mobile phones''' are an important target for [[forensic investigator]]s.
+
[[Image:Simpic.jpg|thumb|A typical SIM card.]]
  
== Technologies ==
+
== SIM-Subscriber Identity Module ==
+
* [[CDMA]]
+
* [[TDMA]]
+
* [[GSM]]
+
* [[iDEN]]
+
* [[EDGE]]
+
* [[GPRS]]
+
* [[UMTS]]
+
  
== Hardware ==
+
The UICC (Universal Integrated Circuit Card) is a smart card which contains account information and memory that is used to enable GSM cellular telephones.  One of the applications running on the smart card is the SIM, or Subscriber Identity Module. In common parlance the term "UICC" is not used an the phrase "SIM" is used to describe the smart card itself.
  
* [[RIM BlackBerry]]
+
Because the SIM is just one of several applications running on the smart card, a given card could, in theory, contain multiple SIMs. This would allow multiple phone numbers or accounts to be accessed by a single UICC. This is seldom seen, though there is at least one "12-in-1" SIM card being advertised at present.
* [[T-Mobile Sidekick  ]]
+
* [[SIM Cards]]
+
  
== Operating Systems ==
+
Early versions of the UICC used full-size smart cards (85mm x 54mm).  The card has since been shrunk to the standard size of 25mm x 15mm.
  
* [[Microsoft PocketPC]]
 
* [[Microsoft Windows Mobile]]
 
* [[Palm]]
 
* [[RIM BlackBerry]]
 
* [[Symbian]]
 
* [[Linux]]
 
  
== Forensics ==
+
Although UICC cards traditionally held just 16 to 64KB of memory, the recent trend has been to produce SIM cards with larger storage capacities, ranging from 512MB up to [http://www.m-systems.com/site/en-US/ M-Systems'] 1GB SIM Card slated for release in late 2006.
  
'''Procedures'''
+
== SIM Security ==
  
* [[Cell Phone Forensics]]
+
Information inside the UICC can be protected with a PIN and a PUK.
* [[SIM Card Forensics]]
+
* [[External Memory Card Forensics]]
+
* [[BlackBerry Forensics]]
+
  
== Tools ==
+
The PIN (Personal Identification Number) is a code that locks access to the SIM. Not all SIMs have PINs; if a SIM has a PIN, the PIN must be entered to unlock the SIM.
 +
PUK (Personal Unlocking Code) codes are provided by the network provider to unlock a code.  If the PUK is incorrectly put in 10 times the SIM card will be permanently locked.
  
'''Flashers'''
+
== SIM Forensics ==
* [[UFS Tornado]]
+
  
'''Hardware'''
+
The data that a SIM card can provide the forensics examiner can be invaluable to an investigation. Acquiring a SIM card allows a large amount of information that the suspect has dealt with over the phone to be investigated.
* [[Azimuth RadioProof™ Enclosures]]
+
* [[Cellebrite UFED]]
+
* [[LogiCube CellDEK]]
+
* [[LogiCube CellDEK TEK]]
+
* [[MicroSystemation RoadWarrior]]
+
* [[Network Security Solutions Secure Tents]]
+
* [[Network Security Solutions Seizure Bags for Cell Phones/PDAs/Laptops]]
+
* [[Paraben CSI Stick]]
+
* [[Paraben Device Seizure Toolbox]]
+
* [[Paraben Handheld First Responder Kit]]
+
* [[Paraben StrongHold Bag]]
+
* [[Radio Frequency (RF) Jammers]]
+
* [[Radio Tactics Acesso]]
+
* [[Radio Tactics Apollo]]
+
* [[Radio Tactics Athena]]
+
* [[SIM Card Readers]]
+
  
'''Software'''
+
In general, some of this data can help an investigator determine:
* [[BitPIM]]
+
* Phone numbers of calls made/received
* [[BK Forensics Cell Phone Analyzer]]
+
* Contacts
* [[FloAt's Mobile Agent]]
+
* [[SMS]] details (time/date, recipient, etc.)
* [[ForensicMobile]]
+
* SMS text (the message itself)
* [[ForensicSIM]]
+
 
* [[Guidance Software Neutrino]]
+
There are many software solutions that can help the examiner to acquire the information from the SIM card. Several products include 3GForensics SIMIS [http://www.3gforensics.co.uk/products.htm], Inside Out's [http://simcon.no/ SIMCon], or SIM Content Controller, and Paraben Forensics' [http://www.paraben-forensics.com/catalog/product_info.php?products_id=289 SIM Card Seizure].
* [[iDEN Companion Pro]]
+
 
* [[iDEN Media Downloader]]
+
=== Data Acquisition ===
* [[iDEN Phonebook Manager]]
+
 
* [[MicroSystemation .XRY]]
+
These software titles can extract such technical data from the SIM card as:
* [[MOBILedit!]]
+
 
* [[Oxygen PM II]]
+
* '''International Mobile Subscriber Identity (IMSI)''': A unique identifying number that identifies the phone/subscription to the [[GSM]] network
* [[Paraben Device Seizure]]
+
* '''Mobile Country Code (MCC)''': A three-digit code that represents the SIM card's country of origin
* [[Paraben SIM Seizure]]
+
* '''Mobile Network Code (MNC)''': A two-digit code that represents the SIM card's home network
* [[Pandora's Box]]
+
* '''Mobile Subscriber Identification Number (MSIN)''': A unique ten-digit identifying number that identifies the specific subscriber to the GSM network
* [[Quantaq USIMdetective]]
+
* '''Mobile Subscriber International ISDN Number (MSISDN)''': A number that identifies the phone number used by the headset
* [[Quantaq USIMcommander]]
+
* '''Abbreviated Dialing Numbers (ADN)''':Telephone numbers stored in sims memory
* [[Quantaq USIMdetective]]
+
* '''Last Dialed Numbers (LDN)'''
* [[Quantaq USIMexplorer]]
+
* '''Short Message Service (SMS)''':Text Messages
* [[Quantaq USIMprofiler]]
+
* '''Public Land Mobile Network (PLMN) selector'''
* [[Quantaq USIMregistrar]]
+
* '''Forbidden PLMNs, Location Information (LOCI)'''
* [[Susteen Secure View]]
+
* '''General Packet Radio Service (GPRS) location'''
* [[TULP2G]]
+
* '''Integrated Circuit Card Identifier (ICCID)'''
* [[WOLF]]
+
* '''Service Provider Name (SPN)'''
 +
* '''Phase Identification'''
 +
* '''SIM Service Table (SST)'''
 +
* '''Language Preference (LP)'''
 +
* '''Card Holder Verification (CHV1) and (CHV2)'''
 +
* '''Broadcast Control Channels (BCCH)'''
 +
* '''Ciphering Key (Kc)'''
 +
* '''Ciphering Key Sequence Number'''
 +
* '''Emergency Call Code'''
 +
* '''Fixed Dialing Numbers (FDN)'''
 +
* '''Forbidden PLMNs'''
 +
* '''Local Area Identitity (LAI)'''
 +
* '''Own Dialing Number'''
 +
* '''Temporary Mobile Subscriber Identity (TMSI)'''
 +
* '''Routing Area Identifier (RIA) netowrk code'''
 +
* '''Service Dialing Numbers (SDNs)'''
 +
* '''Service Provider Name'''
 +
* '''Depersonalizatoin Keys'''
 +
 
 +
This information can be used to contact the service provider to obtain even more information than is stored on the SIM card.
 +
== USIM ==
 +
This is the evolution of the SIM for 3G devices. It can allow for multiple phone numbers to be assigned to the USIM, thus giving more than one phone number to a device.
 +
 
 +
== Service Provider Data ==
 +
 
 +
Some additional information the service provider might store:
 +
 
 +
* A customer database
 +
* [[Call Detail Record]]s (CDR)
 +
* [[Home Location Register]] (HLR)
 +
 
 +
== Sim Card Text Encoding ==
 +
 
 +
Originally the middle-European [[GSM]] network used only a 7-bit code derived from the basic [[ASCII]] code. However as GSM spread worldwide it was concluded that more characters, such as the major characters of all living languages, should be able to be represented on GSM phones. Thus, there was a movement towards a 16-bit code known as [[UCS-2]] which is now the standard in GSM text encoding. This change in encoding can make it more difficult to accurately obtain data form [[SIM cards]] of the older generation which use the 7-bit encoding. This encoding is used to compress the hexadecimal size of certain elements of the SIMs data, particularly in [[SMS]] and [[Abbreviated Dialing Numbers]].
 +
 
 +
== References ==
 +
 
 +
* [http://www.simcon.no/ SIMCon]
 +
* [http://www.sectorforensics.co.uk/sim-examination.shtml Sector Forensics]
 +
* [http://www.utica.edu/academic/institutes/ecii/ijde/articles.cfm?action=issue&id=5  IJDE Spring 2003 Volume 2, Issue 1 ]: [http://www.utica.edu/academic/institutes/ecii/publications/articles/A0658858-BFF6-C537-7CF86A78D6DE746D.pdf Forensics and the GSM Mobile Telephone System] (PDF)
 +
* http://en.wikipedia.org/wiki/Subscriber_Identity_Module

Revision as of 11:22, 23 September 2008

A typical SIM card.

Contents

SIM-Subscriber Identity Module

The UICC (Universal Integrated Circuit Card) is a smart card which contains account information and memory that is used to enable GSM cellular telephones. One of the applications running on the smart card is the SIM, or Subscriber Identity Module. In common parlance the term "UICC" is not used an the phrase "SIM" is used to describe the smart card itself.

Because the SIM is just one of several applications running on the smart card, a given card could, in theory, contain multiple SIMs. This would allow multiple phone numbers or accounts to be accessed by a single UICC. This is seldom seen, though there is at least one "12-in-1" SIM card being advertised at present.

Early versions of the UICC used full-size smart cards (85mm x 54mm). The card has since been shrunk to the standard size of 25mm x 15mm.


Although UICC cards traditionally held just 16 to 64KB of memory, the recent trend has been to produce SIM cards with larger storage capacities, ranging from 512MB up to M-Systems' 1GB SIM Card slated for release in late 2006.

SIM Security

Information inside the UICC can be protected with a PIN and a PUK.

The PIN (Personal Identification Number) is a code that locks access to the SIM. Not all SIMs have PINs; if a SIM has a PIN, the PIN must be entered to unlock the SIM. PUK (Personal Unlocking Code) codes are provided by the network provider to unlock a code. If the PUK is incorrectly put in 10 times the SIM card will be permanently locked.

SIM Forensics

The data that a SIM card can provide the forensics examiner can be invaluable to an investigation. Acquiring a SIM card allows a large amount of information that the suspect has dealt with over the phone to be investigated.

In general, some of this data can help an investigator determine:

  • Phone numbers of calls made/received
  • Contacts
  • SMS details (time/date, recipient, etc.)
  • SMS text (the message itself)

There are many software solutions that can help the examiner to acquire the information from the SIM card. Several products include 3GForensics SIMIS [1], Inside Out's SIMCon, or SIM Content Controller, and Paraben Forensics' SIM Card Seizure.

Data Acquisition

These software titles can extract such technical data from the SIM card as:

  • International Mobile Subscriber Identity (IMSI): A unique identifying number that identifies the phone/subscription to the GSM network
  • Mobile Country Code (MCC): A three-digit code that represents the SIM card's country of origin
  • Mobile Network Code (MNC): A two-digit code that represents the SIM card's home network
  • Mobile Subscriber Identification Number (MSIN): A unique ten-digit identifying number that identifies the specific subscriber to the GSM network
  • Mobile Subscriber International ISDN Number (MSISDN): A number that identifies the phone number used by the headset
  • Abbreviated Dialing Numbers (ADN):Telephone numbers stored in sims memory
  • Last Dialed Numbers (LDN)
  • Short Message Service (SMS):Text Messages
  • Public Land Mobile Network (PLMN) selector
  • Forbidden PLMNs, Location Information (LOCI)
  • General Packet Radio Service (GPRS) location
  • Integrated Circuit Card Identifier (ICCID)
  • Service Provider Name (SPN)
  • Phase Identification
  • SIM Service Table (SST)
  • Language Preference (LP)
  • Card Holder Verification (CHV1) and (CHV2)
  • Broadcast Control Channels (BCCH)
  • Ciphering Key (Kc)
  • Ciphering Key Sequence Number
  • Emergency Call Code
  • Fixed Dialing Numbers (FDN)
  • Forbidden PLMNs
  • Local Area Identitity (LAI)
  • Own Dialing Number
  • Temporary Mobile Subscriber Identity (TMSI)
  • Routing Area Identifier (RIA) netowrk code
  • Service Dialing Numbers (SDNs)
  • Service Provider Name
  • Depersonalizatoin Keys

This information can be used to contact the service provider to obtain even more information than is stored on the SIM card.

USIM

This is the evolution of the SIM for 3G devices. It can allow for multiple phone numbers to be assigned to the USIM, thus giving more than one phone number to a device.

Service Provider Data

Some additional information the service provider might store:

Sim Card Text Encoding

Originally the middle-European GSM network used only a 7-bit code derived from the basic ASCII code. However as GSM spread worldwide it was concluded that more characters, such as the major characters of all living languages, should be able to be represented on GSM phones. Thus, there was a movement towards a 16-bit code known as UCS-2 which is now the standard in GSM text encoding. This change in encoding can make it more difficult to accurately obtain data form SIM cards of the older generation which use the 7-bit encoding. This encoding is used to compress the hexadecimal size of certain elements of the SIMs data, particularly in SMS and Abbreviated Dialing Numbers.

References