Difference between pages "SIM Card Forensics" and "Tsk-cp"

From ForensicsWiki
(Difference between pages)
 
 
Line 1: Line 1:
== Procedures ==
+
Tsk-cp is a set of [[LibCarvPath]] aware versions of [[Sleuthkit]] tools, that are for use together with the
 +
normal versions of the other sleuthkit tools in the process of doing [[zero storage carving]].
  
Acquire [[SIM Card]] and analyze the following:
+
The tools are:
  
* ICCID - Integrated Circuit Card Identification
+
* mmls-cp : A CarvPath based version of mmls for listing a partitioned carvpath disk images as a list of partition carvpaths.
* MSISDN - Subscriber phone number
+
* dls-cp : A CarvPath based version of dls for listing all continuous unallocated fragments of a carvpath partition holding a filesystem as a list of unallocated block carvpaths.
* IMSI - International Mobile Subscriber Identity
+
* icat-cp : A CarvPath based version of icat that instead of copying out the data of an inode within a carvpath partition holding a filesystem as the carvpath of the file and the carvpath of the [[file slack]].
* LND - Last Dialed numbers
+
* [[LOCI]] - Location Information
+
* LAI - Location Area Identifier
+
* ADN - Abbreviated Dialing Numbers (Contacts)
+
* FDN - Fixed Dialing Numbers (Provider entered Numbers)
+
* SMS - (Short Messages)
+
* SMSP - Text Message parameters
+
* SMSS - Text message status
+
* Phase - Phase ID
+
* SST - SIM Service table
+
* LP - Preferred languages variable
+
* SPN - Service Provider name
+
* EXT1 - Dialing Extension
+
* EXT2 - Dialing Extension
+
* GID1 - Groups
+
* GID2 - Groups
+
* CBMI - Preferred network messages
+
* PUCT - Calls per unit
+
* ACM - Accumulated Call Meter
+
* ACMmax - Call Limit
+
* HPLMNSP - HPLMN search period
+
* PLMNsel - PLMN selector
+
* FPLMN - Forbidden PLMNs
+
* CCP - Capability configuration parameter
+
* ACC - Access control class
+
* BCCH - Broadcast control channels
+
* Kc - Ciphering Key
+
  
 +
The carvpaths output by dls-cp can be used as the input of a CarvPath aware carving tool.
  
== Hardware ==
+
== See Also ==
 
+
* [[Open Computer Forensics Architecture]]
=== Serial ===
+
 
+
* [[MicroDrive 120]] with SmartCard Adapter
+
 
+
=== USB ===
+
 
+
* [[ACR 38T]]
+
 
+
== Software ==
+
 
+
Wiki Links
+
* [[ForensicSIM]]
+
* [[Paraben SIM Card Seizure]]
+
* [[SIMIS]]
+
 
+
External Links
+
* [http://www.simcon.no/ SIMcon]
+
* [http://www.quantaq.com/usimdetective.htm USIM Detective]
+
* [http://www.data-recovery-mobile-phone.com/ Pro Data Doctor]
+
* [http://www.becker-partner.de/index.php?id=17 Forensic Card Reader (FCR) - German]
+
* [http://www.txsystems.com/sim-manager.html SIM Manager]
+
* [http://vidstrom.net/otools/simquery/ SIMQuery]
+
* [http://users.net.yu/~dejan/ SimScan]
+
* [http://www.nobbi.com/download.htm SIMSpy]
+
* [http://vidstrom.net/stools/undeletesms/ UnDeleteSMS]
+
* [http://www.bkforensics.com/FCR.html Forensic SIM Card Reader]
+
* [http://www.brickhousesecurity.com/cellphone-spy-simcardreader.html Cell Phone SIM Card Spy]
+
* [http://www.mobile-t-mobile.com/mobile-network/SIM-card-reader.html SIM Card Reader]
+
* [http://www.download3000.com/download_46892.html Sim Card Reader Software]
+
* [http://www.freedownloadscenter.com/Utilities/Backup_and_Copy_Utilities/Sim_Card_Recovery.html Sim Card Recovery]
+
* [http://www.spytechs.com/phone-recorders/sims-card-reader.htm Sim Recovery Pro]
+
 
+
== Recovering SIM Card Data ==
+
 
+
* [[Damaged SIM Card Data Recovery]]
+
 
+
== Security ==
+
 
+
SIM cards can have their data protected by a PIN, or Personal Identification Number.  If a user has enabled the PIN on their SIM card, the SIM will remain locked until the PIN is properly entered.  Some phones provide the option of using a second PIN, or PIN2, to further protect data.  If a user incorrectly enters their PIN number multiple times, the phone may request a PUK, or Personal Unblocking Key.  The number of times a PIN must be incorrectly entered before the phone requests the PUK will vary from phone to phone.  Once a phone requests a PUK, the SIM will remain locked until the PUK is correctly entered.  The PUK must be obtained from the SIM's network provider.  If a PUK is incorrectly entered 10 times the SIM will become permanently locked and the user must purchase a new SIM card in order to use the phone.  In some cases the phone will request a PUK2 before it permanently locks the SIM card.
+
 
+
== See also ==
+
 
+
* [[SIM Cards]]
+
 
+
== References ==
+
 
+
E-evidence Info - http://www.e-evidence.info/cellular.html
+
Purdue Phone Phorensics Knowledge Base - http://mobileforensicsworld.com/p3/
+
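Review bot: the icat-cp entry on the Tsk-cp side has no main verb. The clause "that instead of copying out the data of an inode ... as the carvpath of the file and the carvpath of the [[file slack]]" never says what the tool does with those carvpaths. Suggest rewording it to "instead of copying out the data of an inode ..., outputs the carvpath of the file and the carvpath of the [[file slack]]". In the mmls-cp entry, "a partitioned carvpath disk images" mixes singular and plural, and the new "== See Also ==" heading is capitalized differently from the "== See also ==" heading on the other side.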

Latest revision as of 01:31, 11 August 2012

Tsk-cp is a set of LibCarvPath-aware versions of Sleuthkit tools, intended for use together with the normal versions of the other Sleuthkit tools when doing zero storage carving.

The tools are:

  • mmls-cp : A CarvPath-based version of mmls that lists a partitioned carvpath disk image as a list of partition carvpaths.
  • dls-cp : A CarvPath-based version of dls that lists all contiguous unallocated fragments of a carvpath partition holding a filesystem as a list of unallocated block carvpaths.
  • icat-cp : A CarvPath-based version of icat that, instead of copying out the data of an inode within a carvpath partition holding a filesystem, outputs the carvpath of the file and the carvpath of the file slack.

The carvpaths output by dls-cp can be used as the input of a CarvPath-aware carving tool.

See Also