ForensicsWiki will continue to operate as it has before and will not be shutting down. Thank you for your continued support of ForensicsWiki.

Difference between pages "File Format Identification" and "SIM Card Forensics"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m
 
(References)
 
Line 1: Line 1:
File Format Identification is the process of figuring out the format of a sequence of bytes. Operating systems typically do this by file extension or by embedded MIME information. Forensic applications need to identify file types by content.
+
== Procedures ==
  
=Tools=
+
Acquire [[SIM Card]] and analyze the following:
==libmagic==
+
* Written in C.
+
* Rules in /usr/share/file/magic and compiled at runtime.
+
* Powers the Unix “file” command, but you can also call the library directly from a C program.
+
* http://sourceforge.net/projects/libmagic
+
  
==DROID==
+
* ICCID - Integrated Circuit Card Identification
* Writen in Java
+
* MSISDN - Subscriber phone number
* Developed by National Archives of the United Kingdom.
+
* IMSI - International Mobile Subscriber Identity
* http://droid.sourceforge.net
+
* LND - Last Dialed numbers
 +
* [[LOCI]] - Location Information
 +
* LAI - Location Area Identifier
 +
* ADN - Abbreviated Dialing Numbers (Contacts)
 +
* FDN - Fixed Dialing Numbers (Provider entered Numbers)
 +
* SMS - (Short Messages)
 +
* SMSP - Text Message parameters
 +
* SMSS - Text message status
 +
* Phase - Phase ID
 +
* SST - SIM Service table
 +
* LP - Preferred languages variable
 +
* SPN - Service Provider name
 +
* EXT1 - Dialing Extension
 +
* EXT2 - Dialing Extension
 +
* GID1 - Groups
 +
* GID2 - Groups
 +
* CBMI - Preferred network messages
 +
* PUCT - Calls per unit
 +
* ACM - Accumulated Call Meter
 +
* ACMmax - Call Limit
 +
* HPLMNSP - HPLMN search period
 +
* PLMNsel - PLMN selector
 +
* FPLMN - Forbidden PLMNs
 +
* CCP - Capability configuration parameter
 +
* ACC - Access control class
 +
* BCCH - Broadcast control channels
 +
* Kc - Ciphering Key
  
==TrID==
 
* XML config file
 
* Closed source; free for non-commercial use
 
* http://mark0.net/soft-trid-e.html
 
  
==Forensic Innovations File Investigator TOOLS==
+
== Hardware ==
* Proprietary, but free trial available.
+
* Available as consumer applications and OEM API.
+
* Identifies 3,000+ file types, using multiple methods to maintain high accuracy.
+
* Extracts metadata for many of the supported file types.
+
* http://www.forensicinnovations.com/fitools.html
+
  
==Stellent/Oracle Outside-In==
+
=== Serial ===
* Proprietary but free demo.
+
* http://www.oracle.com/technology/products/content-management/oit/oit_all.html
+
  
==[[Forensic Assistant]]==
+
* [[MicroDrive 120]] with SmartCard Adapter
* Proprietary.
+
* Provides detection of password protected archives, some files of cryptographic programs, Pinch/Zeus binary reports, etc.
+
  
[[Category:Tools]]
+
=== USB ===
  
=Bibliography=
+
* [[ACR 38T]]
Current research papers on the file format identification problem. Most of these papers concern themselves with identifying file format of a few file sectors, rather than an entire file. '''Please note that this bibliography is in chronological order!'''
+
* [http://www.scmmicro.com/products-services/smart-card-readers-terminals/smart-card-reader/scr3311.html SCR3311]
 +
* [http://www.scmmicro.com/products-services/smart-card-readers-terminals/smart-card-reader/scr335.html SCR335]
 +
* [http://www.dekart.com/products/hardware/sim_card_reader/ Dekart SIM Card reader]
  
 +
== Software ==
  
;2001
+
Wiki Links
 +
* [[ForensicSIM]]
 +
* [[Paraben SIM Card Seizure]]
 +
* [[SIMiFOR]]
 +
* [[SIMIS]]
 +
* [[SIM Explorer]]
  
* Mason McDaniel, [[Media:Mcdaniel01.pdf|Automatic File Type Detection Algorithm]], Masters Thesis, James Madison University,2001
+
External Links
 +
* [http://www.forensicts.co.uk SIMiFOR]
 +
* [http://www.simcon.no/ SIMcon]
 +
* [http://www.quantaq.com/usimdetective.htm USIM Detective]
 +
* [http://www.dekart.com/products/card_management/sim_explorer/ SIM Explorer], [http://www.youtube.com/watch?v=P5dJS7g1o_c video demo of SIM Explorer]
 +
* [http://www.data-recovery-mobile-phone.com/ Pro Data Doctor]
 +
* [http://www.becker-partner.de/index.php?id=17 Forensic Card Reader (FCR) - German]
 +
* [http://www.txsystems.com/sim-manager.html SIM Manager]
 +
* [http://vidstrom.net/otools/simquery/ SIMQuery]
 +
* [http://users.net.yu/~dejan/ SimScan]
 +
* [http://www.nobbi.com/download.htm SIMSpy]
 +
* [http://vidstrom.net/stools/undeletesms/ UnDeleteSMS]
 +
* [http://www.bkforensics.com/FCR.html Forensic SIM Card Reader]
 +
* [http://www.dekart.com/products/card_management/sim_manager/ Dekart SIM Manager], [http://www.youtube.com/watch?v=VaBaqZiNW4U video tutorial on how to recover a deleted SMS]
 +
* [http://www.brickhousesecurity.com/cellphone-spy-simcardreader.html Cell Phone SIM Card Spy]
 +
* [http://www.mobile-t-mobile.com/mobile-network/SIM-card-reader.html SIM Card Reader]
 +
* [http://www.download3000.com/download_46892.html Sim Card Reader Software]
 +
* [http://www.freedownloadscenter.com/Utilities/Backup_and_Copy_Utilities/Sim_Card_Recovery.html Sim Card Recovery]
 +
* [http://www.spytechs.com/phone-recorders/sims-card-reader.htm Sim Recovery Pro]
  
; 2003
+
== Recovering SIM Card Data ==
  
* [http://www2.computer.org/portal/web/csdl/abs/proceedings/hicss/2003/1874/09/187490332a.pdf Content Based File Type Detection Algorithms], Mason McDaniel and M. Hossain Heydari, 36th Annual Hawaii International Conference on System Sciences (HICSS'03) - Track 9, 2003.
+
* [[Damaged SIM Card Data Recovery]]
  
; 2005
+
== Security ==
  
* Fileprints: identifying file types by n-gram analysis, LiWei-Jen, Wang Ke, Stolfo SJ, Herzog B..,  IProceeding of the 2005 IEEE workshop on information assurance, 2005. ([http://www.itoc.usma.edu/workshop/2005/Papers/Follow%20ups/FilePrintPresentation-final.pdf Presentation Slides])  ([http://www1.cs.columbia.edu/ids/publications/FilePrintPaper-revised.pdf PDF])
+
SIM cards can have their data protected by a PIN, or Personal Identification Number.  If a user has enabled the PIN on their SIM card, the SIM will remain locked until the PIN is properly entered.  Some phones provide the option of using a second PIN, or PIN2, to further protect data. If a user incorrectly enters their PIN number multiple times, the phone may request a PUK, or Personal Unblocking Key. The number of times a PIN must be incorrectly entered before the phone requests the PUK will vary from phone to phone.  Once a phone requests a PUK, the SIM will remain locked until the PUK is correctly entered. The PUK must be obtained from the SIM's network provider. If a PUK is incorrectly entered 10 times the SIM will become permanently locked and the user must purchase a new SIM card in order to use the phone. In some cases the phone will request a PUK2 before it permanently locks the SIM card.
  
* Douglas J. Hickok, Daine Richard Lesniak, Michael C. Rowe, File Type Detection Technology,  2005 Midwest Instruction and Computing Symposium.([http://www.micsymposium.org/mics_2005/papers/paper7.pdf PDF])
+
== See also ==
  
; 2006
+
* [[SIM Cards]]
 +
* [http://www.youtube.com/watch?v=w_tcwmzUH6o Troubleshooting the installation of a PC/SC smart card reader (video tutorial)]
  
* Karresand Martin, Shahmehri Nahid [http://ieeexplore.ieee.org/iel5/10992/34632/01652088.pdf  File type identification of data fragments by their binary structure. ], Proceedings of the IEEE workshop on information assurance, pp.140–147, 2006.([http://www.itoc.usma.edu/workshop/2006/Program/Presentations/IAW2006-07-3.pdf Presentation Slides])
+
== External Links ==
 
+
* E-evidence Info - http://www.e-evidence.info/cellular.html
* Gregory A. Hall, Sliding Window Measurement for File Type Identification, Computer Forensics and Intrusion Analysis Group, ManTech Security and Mission Assurance, 2006. ([http://www.mantechcfia.com/SlidingWindowMeasurementforFileTypeIdentification.pdf PDF])
+
* Purdue Phone Phorensics Knowledge Base - http://mobileforensicsworld.com/p3/
 
+
* [http://www.forensicmag.com/articles/2011/04/sim-forensics-part-1 SIM Forensics: Part 1], by John J. Barbara, April 25, 2011
* FORSIGS; Forensic Signature Analysis of the Hard Drive for Multimedia File Fingerprints, John Haggerty and Mark Taylor, IFIP TC11 International Information Security Conference, 2006, Sandton, South Africa.
+
* [http://www.forensicmag.com/articles/2011/06/sim-forensics-part-2 SIM Forensics: Part 2], by John J. Barbara, June 15, 2011
 
+
* [http://www.forensicmag.com/articles/2011/08/sim-forensics-part-3 SIM Forensics: Part 3], by John J. Barbara, August 5, 2011
* Martin Karresand , Nahid Shahmehri, "Oscar -- Using Byte Pairs to Find File Type and Camera Make of Data Fragments," Annual Workshop on Digital Forensics and Incident Analysis, Pontypridd, Wales, UK, pp.85-94, Springer-Verlag, 2006.
+
 
+
; 2007
+
 
+
* Karresand M., Shahmehri N., [http://dx.doi.org/10.1007/0-387-33406-8_35 Oscar: File Type Identification of Binary Data in Disk Clusters and RAM Pages], Proceedings of IFIP International Information Security Conference: Security and Privacy in Dynamic Environments (SEC2006), Springer, ISBN 0-387-33405-x, pp.413-424, Karlstad, Sweden, May 2006.
+
 
+
* Robert F. Erbacher and John Mulholland, "Identification and Localization of Data Types within Large-Scale File Systems," Proceedings of the 2nd International Workshop on Systematic Approaches to Digital Forensic Engineering, Seattle, WA, April 2007.
+
 
+
* Ryan M. Harris, "Using Artificial Neural Networks for Forensic File Type Identification," Master's Thesis, Purdue University, May 2007. ([https://www.cerias.purdue.edu/tools_and_resources/bibtex_archive/archive/2007-19.pdf PDF])
+
 
+
* Predicting the Types of File Fragments, William Calhoun, Drue Coles, DFRWS 2008. ([http://www.dfrws.org/2008/proceedings/p14-calhoun_pres.pdf Presentation Slides])  ([http://www.dfrws.org/2008/proceedings/p14-calhoun.pdf PDF])
+
 
+
* Sarah J. Moody and Robert F. Erbacher, [http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=04545366 SÁDI – Statistical Analysis for Data type Identification], 3rd International Workshop on Systematic Approaches to Digital Forensic Engineering, 2008.
+
 
+
; 2008
+
 
+
* Mehdi Chehel Amirani, Mohsen Toorani, and Ali Asghar Beheshti Shirazi, [http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=4625611 A New Approach to Content-based File Type Detection], Proceedings of the 13th IEEE Symposium on Computers and Communications (ISCC'08), pp.1103-1108, July 2008.  ([http://arxiv.org/ftp/arxiv/papers/1002/1002.3174.pdf PDF])
+
 
+
; 2009
+
* Roussev, Vassil, and Garfinkel, Simson, "File Classification Fragment-The Case for Specialized Approaches," Systematic Approaches to Digital Forensics Engineering (IEEE/SADFE 2009), Oakland, California. ([http://simson.net/clips/academic/2009.SADFE.Fragments.pdf PDF])
+
 
+
* Irfan Ahmed, Kyung-suk Lhee, Hyunjung Shin and ManPyo Hong, [http://www.springerlink.com/content/g2655k2044615q75/ On Improving the Accuracy and Performance of Content-based File Type Identification], Proceedings of the 14th Australasian Conference on Information Security and Privacy (ACISP 2009), pp.44-59, LNCS (Springer), Brisbane, Australia, July 2009.
+
 
+
; 2010
+
*Irfan Ahmed, Kyung-suk Lhee, Hyunjung Shin and ManPyo Hong, [http://www.alphaminers.net/sub05/sub05_03.php?swf_pn=5&swf_sn=3&swf_pn2=3 Fast File-type Identification], Proceedings of the 25th ACM Symposium on Applied Computing (ACM SAC 2010), ACM, Sierre, Switzerland, March 2010.
+
[[Category:Bibliographies]]
+

Latest revision as of 07:51, 22 April 2014

Procedures

Acquire SIM Card and analyze the following:

  • ICCID - Integrated Circuit Card Identification
  • MSISDN - Subscriber phone number
  • IMSI - International Mobile Subscriber Identity
  • LND - Last Dialed numbers
  • LOCI - Location Information
  • LAI - Location Area Identifier
  • ADN - Abbreviated Dialing Numbers (Contacts)
  • FDN - Fixed Dialing Numbers (Provider entered Numbers)
  • SMS - (Short Messages)
  • SMSP - Text Message parameters
  • SMSS - Text message status
  • Phase - Phase ID
  • SST - SIM Service table
  • LP - Preferred languages variable
  • SPN - Service Provider name
  • EXT1 - Dialing Extension
  • EXT2 - Dialing Extension
  • GID1 - Groups
  • GID2 - Groups
  • CBMI - Preferred network messages
  • PUCT - Calls per unit
  • ACM - Accumulated Call Meter
  • ACMmax - Call Limit
  • HPLMNSP - HPLMN search period
  • PLMNsel - PLMN selector
  • FPLMN - Forbidden PLMNs
  • CCP - Capability configuration parameter
  • ACC - Access control class
  • BCCH - Broadcast control channels
  • Kc - Ciphering Key


Hardware

Serial

USB

Software

Wiki Links

External Links

Recovering SIM Card Data

Security

SIM cards can have their data protected by a PIN, or Personal Identification Number. If a user has enabled the PIN on their SIM card, the SIM will remain locked until the PIN is properly entered. Some phones provide the option of using a second PIN, or PIN2, to further protect data. If a user incorrectly enters their PIN number multiple times, the phone may request a PUK, or Personal Unblocking Key. The number of times a PIN must be incorrectly entered before the phone requests the PUK will vary from phone to phone. Once a phone requests a PUK, the SIM will remain locked until the PUK is correctly entered. The PUK must be obtained from the SIM's network provider. If a PUK is incorrectly entered 10 times the SIM will become permanently locked and the user must purchase a new SIM card in order to use the phone. In some cases the phone will request a PUK2 before it permanently locks the SIM card.

See also

External Links