Difference between pages "File Format Identification" and "SIM Card Forensics"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m
 
(References)
 
Line 1: Line 1:
File Format Identification is the process of figuring out the format of a sequence of bytes. Operating systems typically do this by file extension or by embedded MIME information. Forensic applications need to identify file types by content.
+
== Procedures ==
  
=Tools=
+
Acquire [[SIM Card]] and analyze the following:
==libmagic==
+
* Written in C.
+
* Rules in /usr/share/file/magic and compiled at runtime.
+
* Powers the Unix “file” command, but you can also call the library directly from a C program.
+
* http://sourceforge.net/projects/libmagic
+
  
==DROID==
+
* ICCID - Integrated Circuit Card Identification
* Writen in Java
+
* MSISDN - Subscriber phone number
* Developed by National Archives of the United Kingdom.
+
* IMSI - International Mobile Subscriber Identity
* http://droid.sourceforge.net
+
* LND - Last Dialed numbers
 +
* [[LOCI]] - Location Information
 +
* LAI - Location Area Identifier
 +
* ADN - Abbreviated Dialing Numbers (Contacts)
 +
* FDN - Fixed Dialing Numbers (Provider entered Numbers)
 +
* SMS - (Short Messages)
 +
* SMSP - Text Message parameters
 +
* SMSS - Text message status
 +
* Phase - Phase ID
 +
* SST - SIM Service table
 +
* LP - Preferred languages variable
 +
* SPN - Service Provider name
 +
* EXT1 - Dialing Extension
 +
* EXT2 - Dialing Extension
 +
* GID1 - Groups
 +
* GID2 - Groups
 +
* CBMI - Preferred network messages
 +
* PUCT - Calls per unit
 +
* ACM - Accumulated Call Meter
 +
* ACMmax - Call Limit
 +
* HPLMNSP - HPLMN search period
 +
* PLMNsel - PLMN selector
 +
* FPLMN - Forbidden PLMNs
 +
* CCP - Capability configuration parameter
 +
* ACC - Access control class
 +
* BCCH - Broadcast control channels
 +
* Kc - Ciphering Key
  
==TrID==
 
* XML config file
 
* Closed source; free for non-commercial use
 
* http://mark0.net/soft-trid-e.html
 
  
==Forensic Innovations File Investigator TOOLS==
+
== Hardware ==
* Proprietary, but free trial available.
+
* Available as consumer applications and OEM API.
+
* Identifies 3,000+ file types, using multiple methods to maintain high accuracy.
+
* Extracts metadata for many of the supported file types.
+
* http://www.forensicinnovations.com/fitools.html
+
  
==Stellent/Oracle Outside-In==
+
=== Serial ===
* Proprietary but free demo.
+
* http://www.oracle.com/technology/products/content-management/oit/oit_all.html
+
  
==[[Forensic Assistant]]==
+
* [[MicroDrive 120]] with SmartCard Adapter
* Proprietary.
+
* Provides detection of password protected archives, some files of cryptographic programs, Pinch/Zeus binary reports, etc.
+
  
[[Category:Tools]]
+
=== USB ===
  
=Bibliography=
+
* [[ACR 38T]]
Current research papers on the file format identification problem. Most of these papers concern themselves with identifying file format of a few file sectors, rather than an entire file. '''Please note that this bibliography is in chronological order!'''
+
* [http://www.scmmicro.com/products-services/smart-card-readers-terminals/smart-card-reader/scr3311.html SCR3311]
 +
* [http://www.scmmicro.com/products-services/smart-card-readers-terminals/smart-card-reader/scr335.html SCR335]
 +
* [http://www.dekart.com/products/hardware/sim_card_reader/ Dekart SIM Card reader]
  
 +
== Software ==
  
;2001
+
Wiki Links
 +
* [[ForensicSIM]]
 +
* [[Paraben SIM Card Seizure]]
 +
* [[SIMiFOR]]
 +
* [[SIMIS]]
 +
* [[SIM Explorer]]
  
* Mason McDaniel, [[Media:Mcdaniel01.pdf|Automatic File Type Detection Algorithm]], Masters Thesis, James Madison University,2001
+
External Links
 +
* [http://www.forensicts.co.uk SIMiFOR]
 +
* [http://www.simcon.no/ SIMcon]
 +
* [http://www.quantaq.com/usimdetective.htm USIM Detective]
 +
* [http://www.dekart.com/products/card_management/sim_explorer/ SIM Explorer], [http://www.youtube.com/watch?v=P5dJS7g1o_c video demo of SIM Explorer]
 +
* [http://www.data-recovery-mobile-phone.com/ Pro Data Doctor]
 +
* [http://www.becker-partner.de/index.php?id=17 Forensic Card Reader (FCR) - German]
 +
* [http://www.txsystems.com/sim-manager.html SIM Manager]
 +
* [http://vidstrom.net/otools/simquery/ SIMQuery]
 +
* [http://users.net.yu/~dejan/ SimScan]
 +
* [http://www.nobbi.com/download.htm SIMSpy]
 +
* [http://vidstrom.net/stools/undeletesms/ UnDeleteSMS]
 +
* [http://www.bkforensics.com/FCR.html Forensic SIM Card Reader]
 +
* [http://www.dekart.com/products/card_management/sim_manager/ Dekart SIM Manager], [http://www.youtube.com/watch?v=VaBaqZiNW4U video tutorial on how to recover a deleted SMS]
 +
* [http://www.brickhousesecurity.com/cellphone-spy-simcardreader.html Cell Phone SIM Card Spy]
 +
* [http://www.mobile-t-mobile.com/mobile-network/SIM-card-reader.html SIM Card Reader]
 +
* [http://www.download3000.com/download_46892.html Sim Card Reader Software]
 +
* [http://www.freedownloadscenter.com/Utilities/Backup_and_Copy_Utilities/Sim_Card_Recovery.html Sim Card Recovery]
 +
* [http://www.spytechs.com/phone-recorders/sims-card-reader.htm Sim Recovery Pro]
  
; 2003
+
== Recovering SIM Card Data ==
  
* [http://www2.computer.org/portal/web/csdl/abs/proceedings/hicss/2003/1874/09/187490332a.pdf Content Based File Type Detection Algorithms], Mason McDaniel and M. Hossain Heydari, 36th Annual Hawaii International Conference on System Sciences (HICSS'03) - Track 9, 2003.
+
* [[Damaged SIM Card Data Recovery]]
  
; 2005
+
== Security ==
  
* Fileprints: identifying file types by n-gram analysis, LiWei-Jen, Wang Ke, Stolfo SJ, Herzog B..,  IProceeding of the 2005 IEEE workshop on information assurance, 2005. ([http://www.itoc.usma.edu/workshop/2005/Papers/Follow%20ups/FilePrintPresentation-final.pdf Presentation Slides])  ([http://www1.cs.columbia.edu/ids/publications/FilePrintPaper-revised.pdf PDF])
+
SIM cards can have their data protected by a PIN, or Personal Identification Number.  If a user has enabled the PIN on their SIM card, the SIM will remain locked until the PIN is properly entered.  Some phones provide the option of using a second PIN, or PIN2, to further protect data. If a user incorrectly enters their PIN number multiple times, the phone may request a PUK, or Personal Unblocking Key. The number of times a PIN must be incorrectly entered before the phone requests the PUK will vary from phone to phone.  Once a phone requests a PUK, the SIM will remain locked until the PUK is correctly entered. The PUK must be obtained from the SIM's network provider. If a PUK is incorrectly entered 10 times the SIM will become permanently locked and the user must purchase a new SIM card in order to use the phone. In some cases the phone will request a PUK2 before it permanently locks the SIM card.
  
* Douglas J. Hickok, Daine Richard Lesniak, Michael C. Rowe, File Type Detection Technology,  2005 Midwest Instruction and Computing Symposium.([http://www.micsymposium.org/mics_2005/papers/paper7.pdf PDF])
+
== See also ==
  
; 2006
+
* [[SIM Cards]]
 +
* [http://www.youtube.com/watch?v=w_tcwmzUH6o Troubleshooting the installation of a PC/SC smart card reader (video tutorial)]
  
* Karresand Martin, Shahmehri Nahid [http://ieeexplore.ieee.org/iel5/10992/34632/01652088.pdf  File type identification of data fragments by their binary structure. ], Proceedings of the IEEE workshop on information assurance, pp.140–147, 2006.([http://www.itoc.usma.edu/workshop/2006/Program/Presentations/IAW2006-07-3.pdf Presentation Slides])
+
== External Links ==
 
+
* E-evidence Info - http://www.e-evidence.info/cellular.html
* Gregory A. Hall, Sliding Window Measurement for File Type Identification, Computer Forensics and Intrusion Analysis Group, ManTech Security and Mission Assurance, 2006. ([http://www.mantechcfia.com/SlidingWindowMeasurementforFileTypeIdentification.pdf PDF])
+
* Purdue Phone Phorensics Knowledge Base - http://mobileforensicsworld.com/p3/
 
+
* [http://www.forensicmag.com/articles/2011/04/sim-forensics-part-1 SIM Forensics: Part 1], by John J. Barbara, April 25, 2011
* FORSIGS; Forensic Signature Analysis of the Hard Drive for Multimedia File Fingerprints, John Haggerty and Mark Taylor, IFIP TC11 International Information Security Conference, 2006, Sandton, South Africa.
+
* [http://www.forensicmag.com/articles/2011/06/sim-forensics-part-2 SIM Forensics: Part 2], by John J. Barbara, June 15, 2011
 
+
* [http://www.forensicmag.com/articles/2011/08/sim-forensics-part-3 SIM Forensics: Part 3], by John J. Barbara, August 5, 2011
* Martin Karresand , Nahid Shahmehri, "Oscar -- Using Byte Pairs to Find File Type and Camera Make of Data Fragments," Annual Workshop on Digital Forensics and Incident Analysis, Pontypridd, Wales, UK, pp.85-94, Springer-Verlag, 2006.
+
 
+
; 2007
+
 
+
* Karresand M., Shahmehri N., [http://dx.doi.org/10.1007/0-387-33406-8_35 Oscar: File Type Identification of Binary Data in Disk Clusters and RAM Pages], Proceedings of IFIP International Information Security Conference: Security and Privacy in Dynamic Environments (SEC2006), Springer, ISBN 0-387-33405-x, pp.413-424, Karlstad, Sweden, May 2006.
+
 
+
* Robert F. Erbacher and John Mulholland, "Identification and Localization of Data Types within Large-Scale File Systems," Proceedings of the 2nd International Workshop on Systematic Approaches to Digital Forensic Engineering, Seattle, WA, April 2007.
+
 
+
* Ryan M. Harris, "Using Artificial Neural Networks for Forensic File Type Identification," Master's Thesis, Purdue University, May 2007. ([https://www.cerias.purdue.edu/tools_and_resources/bibtex_archive/archive/2007-19.pdf PDF])
+
 
+
* Predicting the Types of File Fragments, William Calhoun, Drue Coles, DFRWS 2008. ([http://www.dfrws.org/2008/proceedings/p14-calhoun_pres.pdf Presentation Slides])  ([http://www.dfrws.org/2008/proceedings/p14-calhoun.pdf PDF])
+
 
+
* Sarah J. Moody and Robert F. Erbacher, [http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=04545366 SÁDI – Statistical Analysis for Data type Identification], 3rd International Workshop on Systematic Approaches to Digital Forensic Engineering, 2008.
+
 
+
; 2008
+
 
+
* Mehdi Chehel Amirani, Mohsen Toorani, and Ali Asghar Beheshti Shirazi, [http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=4625611 A New Approach to Content-based File Type Detection], Proceedings of the 13th IEEE Symposium on Computers and Communications (ISCC'08), pp.1103-1108, July 2008.  ([http://arxiv.org/ftp/arxiv/papers/1002/1002.3174.pdf PDF])
+
 
+
; 2009
+
* Roussev, Vassil, and Garfinkel, Simson, "File Classification Fragment-The Case for Specialized Approaches," Systematic Approaches to Digital Forensics Engineering (IEEE/SADFE 2009), Oakland, California. ([http://simson.net/clips/academic/2009.SADFE.Fragments.pdf PDF])
+
 
+
* Irfan Ahmed, Kyung-suk Lhee, Hyunjung Shin and ManPyo Hong, [http://www.springerlink.com/content/g2655k2044615q75/ On Improving the Accuracy and Performance of Content-based File Type Identification], Proceedings of the 14th Australasian Conference on Information Security and Privacy (ACISP 2009), pp.44-59, LNCS (Springer), Brisbane, Australia, July 2009.
+
 
+
; 2010
+
*Irfan Ahmed, Kyung-suk Lhee, Hyunjung Shin and ManPyo Hong, [http://www.alphaminers.net/sub05/sub05_03.php?swf_pn=5&swf_sn=3&swf_pn2=3 Fast File-type Identification], Proceedings of the 25th ACM Symposium on Applied Computing (ACM SAC 2010), ACM, Sierre, Switzerland, March 2010.
+
[[Category:Bibliographies]]
+

Latest revision as of 03:51, 22 April 2014

Procedures

Acquire SIM Card and analyze the following:

  • ICCID - Integrated Circuit Card Identification
  • MSISDN - Subscriber phone number
  • IMSI - International Mobile Subscriber Identity
  • LND - Last Dialed numbers
  • LOCI - Location Information
  • LAI - Location Area Identifier
  • ADN - Abbreviated Dialing Numbers (Contacts)
  • FDN - Fixed Dialing Numbers (Provider entered Numbers)
  • SMS - (Short Messages)
  • SMSP - Text Message parameters
  • SMSS - Text message status
  • Phase - Phase ID
  • SST - SIM Service table
  • LP - Preferred languages variable
  • SPN - Service Provider name
  • EXT1 - Dialing Extension
  • EXT2 - Dialing Extension
  • GID1 - Groups
  • GID2 - Groups
  • CBMI - Preferred network messages
  • PUCT - Calls per unit
  • ACM - Accumulated Call Meter
  • ACMmax - Call Limit
  • HPLMNSP - HPLMN search period
  • PLMNsel - PLMN selector
  • FPLMN - Forbidden PLMNs
  • CCP - Capability configuration parameter
  • ACC - Access control class
  • BCCH - Broadcast control channels
  • Kc - Ciphering Key


Hardware

Serial

USB

Software

Wiki Links

External Links

Recovering SIM Card Data

Security

SIM cards can have their data protected by a PIN, or Personal Identification Number. If a user has enabled the PIN on their SIM card, the SIM will remain locked until the PIN is properly entered. Some phones provide the option of using a second PIN, or PIN2, to further protect data. If a user incorrectly enters their PIN number multiple times, the phone may request a PUK, or Personal Unblocking Key. The number of times a PIN must be incorrectly entered before the phone requests the PUK will vary from phone to phone. Once a phone requests a PUK, the SIM will remain locked until the PUK is correctly entered. The PUK must be obtained from the SIM's network provider. If a PUK is incorrectly entered 10 times the SIM will become permanently locked and the user must purchase a new SIM card in order to use the phone. In some cases the phone will request a PUK2 before it permanently locks the SIM card.

See also

External Links