Difference between pages "SIM Card Forensics" and "GIF"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Software)
 
 
Line 1: Line 1:
== Procedures ==
+
The '''Graphics Interchange Format''' ('''GIF''') (SM) format is a lossless [[image format]].  GIF images use internal [[LZW]] compression to reduce file size.  CompuServe created this format, which is a bitmap image format allowing 256 different colors to be selected from a 24-bit color palette (RGB).  GIF also allows for animations by sequencing through multiple GIF image data inside a single file.
  
Acquire [[SIM Card]] and analyze the following:
+
"The Graphics Interchange Format(c) is the Copyright property of CompuServe Incorporated. GIF(sm) is a Service Mark property of CompuServe Incorporated."
  
* ICCID - Integrated Circuit Card Identification
+
== Format ==
* MSISDN - Subscriber phone number
+
* IMSI - International Mobile Subscriber Identity
+
* LND - Last Dialed numbers
+
* [[LOCI]] - Location Information
+
* LAI - Location Area Identifier
+
* ADN - Abbreviated Dialing Numbers (Contacts)
+
* FDN - Fixed Dialing Numbers (Provider entered Numbers)
+
* SMS - (Short Messages)
+
* SMSP - Text Message parameters
+
* SMSS - Text message status
+
* Phase - Phase ID
+
* SST - SIM Service table
+
* LP - Preferred languages variable
+
* SPN - Service Provider name
+
* EXT1 - Dialing Extension
+
* EXT2 - Dialing Extension
+
* GID1 - Groups
+
* GID2 - Groups
+
* CBMI - Preferred network messages
+
* PUCT - Calls per unit
+
* ACM - Accumulated Call Meter
+
* ACMmax - Call Limit
+
* HPLMNSP - HPLMN search period
+
* PLMNsel - PLMN selector
+
* FPLMN - Forbidden PLMNs
+
* CCP - Capability configuration parameter
+
* ACC - Access control class
+
* BCCH - Broadcast control channels
+
* Kc - Ciphering Key
+
  
 +
GIF files consist of a [[header]], image data, optional [[metadata]], and a [[footer]]. The header consists of a signature and a version, each 3 bytes long.  The signature is <tt>47 49 46</tt> (hex) / <tt>GIF</tt> (text).  The versions are either <tt>38 37 61</tt> or <tt>38 39 61</tt> (hex) / <tt>87a</tt> or <tt>89a</tt> (text) respectively.  The footer or trailer (as identified in the format specification) is usually <tt>3B</tt> (hex).
  
== Hardware ==
+
Common file extensions are .gif and .GIF
  
=== Serial ===
+
== Metadata ==
  
* [[MicroDrive 120]] with SmartCard Adapter
+
GIF89a files can contain [[metadata]] in [[text]] format.  GIF metadata is contained in sections identified as a Comment Extension, a Plain Text Extension, and an Application Extension.  All extension sections begin with the Extension Introducer <tt>21</tt> (hex).
  
=== USB ===
+
Comment Extensions are optional and more than one may be present.  They were designed to allow including comments about the graphic, credits, descriptions or other types of non-control/non-graphic data.  The beginning of this block has the Extension Introducer and a Comment Label <tt>FE</tt> (hex).  Comment data has a sequence of sub-blocks between 1 and 255 bytes in length, with the size in a byte before the data.  Comment Extensions should appear either before or after the control and graphic data blocks.
  
* [[ACR 38T]]
+
Plain Text Extensions are optional and more than one may be present. They were designed to allow rendering of textual data as a graphic. The beginning of this block has the Extension Introducer and a Comment Label <tt>01</tt> (hex). Plain text data has a sequence of sub-blocks between 1 and 255 bytes in length, with the size in a byte before the data.
* [http://www.scmmicro.com/products-services/smart-card-readers-terminals/smart-card-reader/scr3311.html SCR3311]
+
* [http://www.scmmicro.com/products-services/smart-card-readers-terminals/smart-card-reader/scr335.html SCR335]
+
* [http://www.dekart.com/products/hardware/sim_card_reader/ Dekart SIM Card reader]
+
  
== Software ==
+
Application Extensions are optional. They were designed to allow applications to insert application specific data inside a GIF. The beginning of this block has the Extension Introducer and an Application Extension Label <tt>FF</tt> (hex). 
  
Wiki Links
+
== Externals Links ==
* [[ForensicSIM]]
+
* [[Paraben SIM Card Seizure]]
+
* [[SIMiFOR]]
+
* [[SIMIS]]
+
* [[SIM Explorer]]
+
  
External Links
+
* [http://en.wikipedia.org/wiki/GIF Wikipedia: GIF]
* [http://www.forensicts.co.uk SIMiFOR]
+
* [http://www.w3.org/Graphics/GIF/spec-gif89a.txt W3.Org: GRAPHICS INTERCHANGE FORMAT SPECIFICATION]
* [http://www.simcon.no/ SIMcon]
+
* [http://www.quantaq.com/usimdetective.htm USIM Detective]
+
* [http://www.dekart.com/products/card_management/sim_explorer/ SIM Explorer], [http://www.youtube.com/watch?v=P5dJS7g1o_c video demo of SIM Explorer]
+
* [http://www.data-recovery-mobile-phone.com/ Pro Data Doctor]
+
* [http://www.becker-partner.de/index.php?id=17 Forensic Card Reader (FCR) - German]
+
* [http://www.txsystems.com/sim-manager.html SIM Manager]
+
* [http://vidstrom.net/otools/simquery/ SIMQuery]
+
* [http://users.net.yu/~dejan/ SimScan]
+
* [http://www.nobbi.com/download.htm SIMSpy]
+
* [http://vidstrom.net/stools/undeletesms/ UnDeleteSMS]
+
* [http://www.bkforensics.com/FCR.html Forensic SIM Card Reader]
+
* [http://www.dekart.com/products/card_management/sim_manager/ Dekart SIM Manager], [http://www.youtube.com/watch?v=VaBaqZiNW4U video tutorial on how to recover a deleted SMS]
+
* [http://www.brickhousesecurity.com/cellphone-spy-simcardreader.html Cell Phone SIM Card Spy]
+
* [http://www.mobile-t-mobile.com/mobile-network/SIM-card-reader.html SIM Card Reader]
+
* [http://www.download3000.com/download_46892.html Sim Card Reader Software]
+
* [http://www.freedownloadscenter.com/Utilities/Backup_and_Copy_Utilities/Sim_Card_Recovery.html Sim Card Recovery]
+
* [http://www.spytechs.com/phone-recorders/sims-card-reader.htm Sim Recovery Pro]
+
  
== Recovering SIM Card Data ==
+
[[Category:File Formats]]
 
+
* [[Damaged SIM Card Data Recovery]]
+
 
+
== Security ==
+
 
+
SIM cards can have their data protected by a PIN, or Personal Identification Number.  If a user has enabled the PIN on their SIM card, the SIM will remain locked until the PIN is properly entered.  Some phones provide the option of using a second PIN, or PIN2, to further protect data.  If a user incorrectly enters their PIN number multiple times, the phone may request a PUK, or Personal Unblocking Key.  The number of times a PIN must be incorrectly entered before the phone requests the PUK will vary from phone to phone.  Once a phone requests a PUK, the SIM will remain locked until the PUK is correctly entered.  The PUK must be obtained from the SIM's network provider.  If a PUK is incorrectly entered 10 times the SIM will become permanently locked and the user must purchase a new SIM card in order to use the phone.  In some cases the phone will request a PUK2 before it permanently locks the SIM card.
+
 
+
== See also ==
+
 
+
* [[SIM Cards]]
+
* [http://www.youtube.com/watch?v=w_tcwmzUH6o Troubleshooting the installation of a PC/SC smart card reader (video tutorial)]
+
 
+
== References ==
+
 
+
E-evidence Info - http://www.e-evidence.info/cellular.html
+
Purdue Phone Phorensics Knowledge Base - http://mobileforensicsworld.com/p3/
+

Revision as of 16:43, 23 January 2007

The Graphics Interchange Format (GIF) (SM) format is a lossless image format. GIF images use internal LZW compression to reduce file size. CompuServe created this format, which is a bitmap image format allowing 256 different colors to be selected from a 24-bit color palette (RGB). GIF also allows for animations by sequencing through multiple GIF image data inside a single file.

"The Graphics Interchange Format(c) is the Copyright property of CompuServe Incorporated. GIF(sm) is a Service Mark property of CompuServe Incorporated."

Format

GIF files consist of a header, image data, optional metadata, and a footer. The header consists of a signature and a version, each 3 bytes long. The signature is 47 49 46 (hex) / GIF (text). The versions are either 38 37 61 or 38 39 61 (hex) / 87a or 89a (text) respectively. The footer or trailer (as identified in the format specification) is usually 3B (hex).

Common file extensions are .gif and .GIF

Metadata

GIF89a files can contain metadata in text format. GIF metadata is contained in sections identified as a Comment Extension, a Plain Text Extension, and an Application Extension. All extension sections begin with the Extension Introducer 21 (hex).

Comment Extensions are optional and more than one may be present. They were designed to allow including comments about the graphic, credits, descriptions or other types of non-control/non-graphic data. The beginning of this block has the Extension Introducer and a Comment Label FE (hex). Comment data has a sequence of sub-blocks between 1 and 255 bytes in length, with the size in a byte before the data. Comment Extensions should appear either before or after the control and graphic data blocks.

Plain Text Extensions are optional and more than one may be present. They were designed to allow rendering of textual data as a graphic. The beginning of this block has the Extension Introducer and a Comment Label 01 (hex). Plain text data has a sequence of sub-blocks between 1 and 255 bytes in length, with the size in a byte before the data.

Application Extensions are optional. They were designed to allow applications to insert application specific data inside a GIF. The beginning of this block has the Extension Introducer and an Application Extension Label FF (hex).

Externals Links