
SIM Card Forensics: Digital Evidence

Annual ADFSL Conference on Digital Forensics, Security and Law 2016 Proceedings

May 26th, 9:00 AM

Nada Ibrahim, Zayed University, College of Technological Innovation

Nuha Al Naqbi, Zayed University, College of Technological Innovation

Farkhund Iqbal, Zayed University, College of Technological Innovation, [email protected]

Omar AlFandi, Zayed University, College of Technological Innovation, [email protected]

(c) ADFSL

Follow this and additional works at: https://commons.erau.edu/adfsl

Part of the Aviation Safety and Security Commons, Computer Law Commons, Defense and Security Studies Commons, Forensic Science and Technology Commons, Information Security Commons, National Security Law Commons, OS and Networks Commons, Other Computer Sciences Commons, and the Social Control, Law, Crime, and Deviance Commons

Scholarly Commons Citation: Ibrahim, Nada; Al Naqbi, Nuha; Iqbal, Farkhund; and AlFandi, Omar, "SIM Card Forensics: Digital Evidence" (2016). Annual ADFSL Conference on Digital Forensics, Security and Law. 3. https://commons.erau.edu/adfsl/2016/thursday/3

This Peer Reviewed Paper is brought to you for free and open access by the Conferences at Scholarly Commons. It has been accepted for inclusion in Annual ADFSL Conference on Digital Forensics, Security and Law by an authorized administrator of Scholarly Commons. For more information, please contact [email protected].


Forensic Investigation of SIM Card CDFSL Proceedings 2016

© 2016 ADFSL Page 219

FORENSIC INVESTIGATION OF SIM CARD

Nada Ibrahim, Nuha Al Naqbi, Farkhund Iqbal and Omar AlFandi

Zayed University, College of Technological Innovation

Abu Dhabi, P.O. Box 144534

{M80006330, M80004910, Farkhund.Iqbal, Omar.AlFandi}@zu.ac.ae

ABSTRACT

With the rapid evolution of the smartphone industry, mobile device forensics has become essential in cybercrime investigation. Currently, evidence forensically retrieved from a mobile device is in the form of call logs, contacts, and SMSs; a mobile forensic investigator should also be aware of the vast amount of user data and network information that are stored in the mobile SIM card, such as ICCID, IMSI, and ADN. The aim of this study is to test various forensic tools to effectively gather critical evidence stored on the SIM card. In the first set of experiments, we compare the selected forensic tools in terms of retrieving specific data; in the second set, genuine user data from eight different SIM cards is extracted and analyzed. The experimental results on a real-life dataset support the effectiveness of the SIM card forensics approach presented in this paper.

Keywords: SIM card, Digital Forensics, Forensic tools, ICCID, IMSI

INTRODUCTION

Regardless of its role in crime (direct or indirect), data within a mobile phone remains crucial. A wealth of information is stored on cell phones that includes, but is not limited to, call history, text messages, email messages, web pages, and photos. Mobile phone forensics, the most challenging digital forensics field, should be enriched with SIM card forensics.

Most of the existing research is focused on searching for the following key evidence in a mobile telephone:

- Calls made, including numbers dialed, dates, and times.
- Calls received, including numbers received, dates, and times.
- Data stored within the address book/phone book.
- SMS details.
- Pictures/video clips on the phone or memory card.

The SIM (Subscriber Identity Module) is a smart card that is used in mobile phones to store user data and network information that is required to activate the handset for use. SIM card demand has been growing worldwide on a yearly basis (ABIResearch, 2015) and is expected to break the record of 5.4 billion shipments for the year 2015 alone. Given this widespread usage, a massive amount of information is available for forensic investigators.

Since the introduction of UMTS, better known as 3G technologies, USIM cards are favored. While SIM cards provide network access, the tiny computer within a USIM enables it to handle several mini-applications and video calls if it is supported by the network and the handset. Integrated algorithms protect users from unauthorized access to their phone lines. Furthermore, data exchanges are encrypted with stronger keys than those provided by SIMs. Additionally, a USIM’s phonebook is much bigger, with the ability to store thousands of richer contacts that might contain email addresses, photos, and several additional phone numbers.

SIM card forensics provides valuable information about contacts, SMSs, call logs, and much more. There are commercial and open-source tools that can assist an investigator in extracting relevant evidence from SIM cards.

The CDR, or ‘call detail records’, in a SIM card led to the arrest of the suspect Sameer Vishnu Gaikwak in the murder of Govind Pansare in Kolhapur earlier this year. The records proved that the phone was active at the time of the murder and led the police to discover another 23 mobile phones used by the suspect due to his frequent SIM card changes (Indian Express, September 2015) [1].

In another case, fraudsters used cell phone information to illegally transfer bank funds. The scammer managed to transfer funds from the online bank account of the original post-paid subscriber through a “SIM-swap” promotion in which an existing SIM card was replaced with a new one. This replacement allowed the fraudster to take over the victim’s mobile number and use it for fraudulent activities (Manila Times, July 2015) [2].

In our research we aim to contribute to the field of SIM card forensics through:

- Exploring the amount of information extracted from SIM cards;
- Investigating whether the extractable SIM card evidence is tool dependent;
- Evaluating the contribution of obtained evidence to SIM card forensics;
- Investigating whether SIM cards from different GSM Service Providers offer different evidentiary data.

[1] http://indianexpress.com/article/india/india-others/suspects-sim-card-was-active-at-spot-of-pansare-murder-police/

[2] http://www.manilatimes.net/nbi-probes-sim-card-swap-scam/199564/

A smartphone might be the key to an entire investigation; thus, an investigator’s task in uncovering evidence will be much harder if it is not supported with the necessary knowledge. Our motivation emerged from the fact that SIM card forensics is a new field with, as far as we know, little literature. We intend the analysis of our results to contribute to the mobile forensic field with the essential knowledge needed to make informed decisions based on the tools’ actual capabilities. We also believe that the analysis of the retrieved data will play a crucial role in proving suspects guilty or not.

The remainder of the paper is organized as follows: background information and fundamental concepts needed to understand SIM forensics are discussed in Section 2; the literature review is presented in Section 3. Experimental tools and setup are explained in Section 4; experimental results are discussed in Section 5, followed by the conclusion and future work in Section 6.

BACKGROUND INFORMATION

The introduction of the Global System for Mobile Communications (GSM) standard for transmitting text, voice, and data services through cellular networks marked a telecommunication revolution that affected all aspects of our lives. Ever since the European Telecommunications Standards Institute (ETSI) released their GSM 11.11 Specifications of the SIM-ME interface in the 1990s, the industry has experienced a radical growth. It was initiated by the recommendation to split the Mobile Station (i.e., Cellular Phone) into two components: a removable Subscriber Identity Module (SIM), which contains all network related subscriber information, and a Mobile Equipment (ME) that is the remaining part of the Mobile Station, i.e., the mobile handset (ETSI, 1994).

As the name implies, a SIM card holds the identity of the subscriber, which enables users to be registered in the telecommunication network. In addition to identification and authentication, the SIM card can also store the subscriber’s contacts, messages, calls, location information, and other subscriber-specific data. The components of a SIM card, as explored thoroughly by Savoldi and Gubian (2007), include a central processor unit (CPU) and an operating system (OS) with electronically erasable programmable read-only memory (EEPROM). It also contains a Random Access Memory (RAM) that controls the program execution flow. Moreover, it includes a Read-Only Memory (ROM) which controls the operating system workflow, user authentication, data encryption algorithm, and other applications. The SIM card file system is organized in a hierarchical tree structure and resides in the EEPROM for storing data such as names and phone number entries, text messages, and network service settings.

The anatomy of the file system—as demonstrated in Figure 1—includes three types of files: Master File (MF), Dedicated Files (DF), and Elementary Files (EF). The Master File is the root of the file system. Dedicated files are the child directories of the master file, such as the DF (DCS1800) and DF (GSM), which contain network-related information, and DF (Telecom), which holds service/carrier-related information. Furthermore, elementary files contain the actual data in various types, structured as either a sequence of data bytes, a sequence of fixed-size records, or a fixed set of fixed-size records used cyclically. It is important to note that all the files have headers, but only EFs contain data (Savoldi and Gubian, 2007).

Figure 1. SIM Card File System Hierarchy

SIM cards have certain physical dimensions that follow the ISO/IEC 7816 standard, managed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). This standard is structured in 15 parts, in which parts 1 and 2 specify in detail the physical characteristics of identification Integrated Circuit Cards (ICC; SIM cards are a particular type of ICC) along with contact location and dimensions. Manufacturers adopted the ISO/IEC 7816 standard and created SIM cards in the following sizes (Singh, 2015): Full Size, Mini, Micro, and Nano SIMs. Full-size SIM cards were the first cards produced and are the size of a credit card. Shrinking in size over the years, the Mini SIM was introduced and was about 1/3 the size of the previous Full-size SIM card. Smaller versions exist now, and they are the Micro-SIM and Nano-SIMs.

SIM cards can also be embedded into devices (i.e., Embedded Universal Integrated Circuit Card [eUICC]), which can be fused directly onto a circuit board for machine-to-machine (M2M) applications. Irrespective of size, SIM cards possess the same internal components and file system hierarchy described earlier (Singh, 2015).

To help readers understand the terminology of the data found, we list below some definitions that were extracted and rephrased from the Third Generation Partnership Project (3GPP) Technical Specification 3GPP (GSM) TS 11.11.

ICCID: up to twenty digits long, the Integrated Circuit Card Identifier uniquely identifies a SIM card and is mainly divided into two parts: the Issuer Identification Number (IIN) and the Account Identification Number (AIN). The Issuer Identification is interpreted as follows: the first two digits are reserved for the Major Industry Identifier (MII) (i.e., 89 for the SIM telecommunications industry), followed by a two-digit Country Code, in addition to a three-digit Issuer Identifier Number. The Account Identification Number includes four digits for the manufacturing month/year, two digits for the Configuration Code, six digits for the Individual SIM Number, and finally a checksum digit for error detection.

IMSI: A fifteen-digit long number, the International Mobile Subscriber Identifier is primarily used for signaling and messaging over a GSM network. Similar to the ICCID, the IMSI is structured as follows: three digits for the Mobile Country Code (MCC), plus two to three digits for the Mobile Network Code (MNC), and the rest is an allocated sequential serial number that pinpoints the Mobile Subscriber Identity Number (MSIN).

MSISDN: with a maximum of fifteen digits, the Mobile Station International Subscriber Directory Number is assigned for a subscriber to receive calls but is not signaled to or from a device. A subscriber can have multiple MSISDNs, and each one refers to the full subscriber phone number, including the country code. In general, an MSISDN consists of a Country Code (CC, up to three digits), the National Destination Code (NDC, up to 3 digits), and the Subscriber Number (SN, up to 10 digits), with a maximum of 15 digits total. MSISDN is an optional elementary file (i.e., an optional EF does not need to be stored on the SIM card itself), which differentiates it from both ICCID and IMSI (which are mandatory fields). Own Dialing Number is a similar service that allows mobile users to inquire about their telephone numbers by dialing a specific numeric code.

SPN and SDN (Service Provider Name and Service Dialing Numbers, respectively) are also optional elementary files that convey the name of the GSM Network Service Provider and the unique services it provides (i.e., customer care number). As per the standard, if a network provider chooses a field to be of variable length, then the remaining digits should be set to the hexadecimal digit “F.”
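The identifier layouts above (the ICCID field split, the IMSI MCC/MNC/MSIN split, and the hexadecimal “F” fill for unused digits) can be checked mechanically once the raw elementary file has been read. The following Python is an added example, not code from the paper or from any of the tools it evaluates. It assumes the nibble-swapped BCD encoding that GSM 11.11 uses for EF_ICCID and the standard Luhn check digit on ICCIDs; the 20-digit field split follows the paper’s description (real issuers vary the country-code and issuer lengths, so the Luhn result is the more reliable check), the MNC length is passed in because it cannot be inferred from the IMSI digits alone, and all sample values are constructed rather than taken from a real card.

```python
"""Decode and check SIM identifiers: EF_ICCID raw bytes, ICCID field split,
Luhn check digit, and IMSI MCC/MNC/MSIN split (added example; sample values constructed)."""


def decode_swapped_bcd(raw: bytes) -> str:
    """Decode the nibble-swapped BCD that GSM 11.11 uses for EF_ICCID.

    Each byte carries two digits, low nibble first. A 0xF nibble is the
    'F' fill the standard prescribes for unused digits; decoding stops there.
    """
    digits = []
    for byte in raw:
        for nibble in (byte & 0x0F, byte >> 4):
            if nibble == 0x0F:
                return "".join(digits)
            if nibble > 9:
                raise ValueError(f"non-BCD nibble {nibble:#x} in {raw.hex()}")
            digits.append(str(nibble))
    return "".join(digits)


def luhn_valid(number: str) -> bool:
    """ICCID check digit: Luhn, computed right to left with the check digit included."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_iccid(iccid: str) -> dict:
    """Split a 20-digit ICCID into the fields the paper lists.

    MII (2) | country code (2) | issuer identifier (3) | month/year (4) |
    configuration code (2) | individual SIM number (6) | check digit (1).
    Real issuers vary the country-code and issuer lengths, so treat the
    split as a first read and trust the Luhn result over the field split.
    """
    if not (iccid.isdigit() and len(iccid) == 20):
        raise ValueError("expected a 20-digit ICCID")
    if not iccid.startswith("89"):
        raise ValueError("MII is not 89 (telecommunications)")
    return {
        "mii": iccid[0:2],
        "country_code": iccid[2:4],
        "issuer_id": iccid[4:7],
        "month_year": iccid[7:11],
        "config_code": iccid[11:13],
        "sim_number": iccid[13:19],
        "check_digit": iccid[19],
        "luhn_ok": luhn_valid(iccid),
    }


def parse_imsi(imsi: str, mnc_len: int = 2) -> dict:
    """Split a 15-digit IMSI into MCC (3), MNC (2 or 3) and MSIN.

    The MNC length is a property of the operator, not of the digits, so it
    is a parameter here (a real tool looks it up by MCC).
    """
    if not (imsi.isdigit() and len(imsi) == 15):
        raise ValueError("expected a 15-digit IMSI")
    if mnc_len not in (2, 3):
        raise ValueError("MNC is 2 or 3 digits")
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}


# Constructed EF_ICCID contents (10 bytes), not from a real card: digits
# 8901234150100000001 followed by Luhn check digit 2 -> 89012341501000000012.
SAMPLE_EF_ICCID = bytes.fromhex("98103214050100000021")
# A 19-digit ICCID from the same constructed issuer: the last byte carries one digit and an F fill.
SAMPLE_EF_ICCID_19 = bytes.fromhex("981032140501000000f1")


def describe_iccid_file(raw: bytes) -> dict:
    """Decode a raw EF_ICCID and report the digits, the Luhn result and, for 20 digits, the field split."""
    digits = decode_swapped_bcd(raw)
    out = {"iccid": digits, "luhn_ok": luhn_valid(digits)}
    if len(digits) == 20:
        out["fields"] = parse_iccid(digits)
    return out


if __name__ == "__main__":
    print(describe_iccid_file(SAMPLE_EF_ICCID))
    print(describe_iccid_file(SAMPLE_EF_ICCID_19))
    print(parse_imsi("001010123456789"))   # constructed: test-network MCC 001, MNC 01
```

A failing Luhn check on an ICCID a tool reports is a quick sign that the tool mis-decoded the file (wrong nibble order or fill handling), which is exactly the kind of tool-dependent error the paper sets out to measure.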

TMSI: Temporary Mobile Subscriber Identity. As the name implies, this is a temporary identifier that is exchanged between the mobile phone and the local network nearby. The TMSI is automatically updated when the subscriber moves between geographical locations to avoid signal fade, thus providing the mobility freedom supported by GSM cellular networks.

ADN: Abbreviated Dialing Numbers refers to the contacts list saved by the subscriber on the SIM card. LND (Last Numbers Dialed), on the other hand, is associated with the most recent numbers the subscriber called. Limited by the number of contacts it can contain due to its small capacity, a SIM can store additional digits from ADN and LND in the dialing extensions EXT1 and EXT2 elementary files. FDN, Fixed Dialing Numbers, is similarly related to those fields in the same way because it contains a phonebook that can only be accessed once a specific mode is activated. A possible scenario in which this might be applicable is in the case of a company SIM card that restricts outgoing calls to only those numbers previously configured in order to prevent staff from using the company’s assets for personal calls. The parameters above are also combined in Capability Configuration Parameters (CCP) along with the associated mobile equipment and subscriber configuration (Markantonakis, 2007).

SMS: Short Message Service allows subscribers to communicate via messages that are sent and received through the cellular network. SMS data is considered forensically valuable information as it contains not only the message text exchanged but also the time, date, sender’s phone number, and the message status (i.e., read, unread, sent, etc.). Deleted messages are even more valuable as they might indicate suspicious content worth examining. When a message is deleted, the data it contains is not automatically erased; instead, its reference is marked as free space until new data overwrites it. SMSs can be stored on the SIM card itself or on the Mobile Equipment (ME). Due to the SIM’s limited storage size, many manufacturers design their mobile phone handsets to automatically use their own internal storage memory instead of SIM cards (i.e., iPhone). Other models differ, and it depends on the phone software and user settings to explicitly indicate which storage to use. SMS, SMSP, and SMSS (Short Message Service, Short Message Service Parameters, and Short Message Service Status, respectively) are elementary files that contain Short Message Service information such as the address of the operator’s short message switching center, lifetime/timeout of messages, and coding format (Willassen, 2005).
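The record-structured elementary files introduced in the file-system discussion (EF_ADN contacts with their CCP and EXT1 references) and the “deleted but not erased” SMS behaviour just described can both be examined directly from a raw file image, which is what a SIM forensic tool does behind its report view. The following Python is an added example, not code from the paper or from any of the evaluated tools. It assumes the GSM 11.11 record layouts for EF_ADN (an alpha identifier followed by a 14-byte fixed tail) and EF_SMS (one status byte followed by 175 bytes of message data, with status 0x00 meaning free), reuses a short swapped-BCD decoder for the dialling number, and all sample bytes are constructed rather than dumped from a real card.

```python
"""Parse two record-structured SIM elementary files from a raw image (added example):
EF_ADN contact records and EF_SMS message records, including the case where a
message's status byte says 'free' but its data has not been overwritten."""
from typing import Optional


def bcd_digits(raw: bytes) -> str:
    """Nibble-swapped BCD (low nibble first); a 0xF nibble is fill, so decoding stops there."""
    digits = []
    for byte in raw:
        for nibble in (byte & 0x0F, byte >> 4):
            if nibble == 0x0F:
                return "".join(digits)
            digits.append(str(nibble))
    return "".join(digits)


# EF_ADN record (GSM 11.11): alpha identifier (record length minus 14) followed by
#   length of BCD part (1) | TON/NPI (1) | dialling number, BCD (10) | CCP id (1) | EXT1 id (1)
ADN_FIXED_TAIL = 14


def parse_adn_record(rec: bytes) -> Optional[dict]:
    """Return the contact held in one EF_ADN record, or None for an unused (all 0xFF) record."""
    if all(b == 0xFF for b in rec):
        return None
    alpha_len = len(rec) - ADN_FIXED_TAIL
    # The alpha identifier uses the GSM default alphabet, which matches ASCII for plain letters.
    name = rec[:alpha_len].rstrip(b"\xff").decode("ascii", errors="replace")
    bcd_len = rec[alpha_len]                       # bytes used by TON/NPI + number, 0xFF if absent
    ton_npi = rec[alpha_len + 1]
    number = ""
    if 1 <= bcd_len <= 11:
        number = bcd_digits(rec[alpha_len + 2 : alpha_len + 1 + bcd_len])
        if (ton_npi & 0x70) == 0x10:               # type of number = international
            number = "+" + number
    return {
        "name": name,
        "number": number,
        "ccp": rec[alpha_len + 12],                # 0xFF = no Capability Configuration entry
        "ext1": rec[alpha_len + 13],               # 0xFF = no EXT1 overflow record
    }


def parse_adn_ef(ef: bytes, rec_len: int) -> list:
    """Parse every record of an EF_ADN image; record numbers are 1-based as on the card."""
    contacts = []
    for n, off in enumerate(range(0, len(ef), rec_len), start=1):
        entry = parse_adn_record(ef[off : off + rec_len])
        if entry is not None:
            contacts.append({"record": n, **entry})
    return contacts


# EF_SMS record: status byte followed by 175 bytes of SMSC address and TPDU.
SMS_RECORD_LEN = 176
SMS_STATUS = {0x00: "free", 0x01: "read", 0x03: "unread", 0x05: "sent", 0x07: "to be sent"}


def triage_sms_records(ef: bytes, rec_len: int = SMS_RECORD_LEN) -> list:
    """Classify each EF_SMS record by its status byte and flag deleted-but-recoverable ones.

    A handset deletes a message by rewriting the status to 'free'; the 175 data bytes
    stay until a new message lands in the record. 'free' plus a body that is not all
    0xFF is therefore residual message data worth carving.
    """
    rows = []
    for n, off in enumerate(range(0, len(ef), rec_len), start=1):
        rec = ef[off : off + rec_len]
        status = rec[0] & 0x07
        residual = any(b != 0xFF for b in rec[1:])
        rows.append({
            "record": n,
            "status": SMS_STATUS.get(status, f"unknown({status:#x})"),
            "recoverable": status == 0x00 and residual,
        })
    return rows


def _sms_record(status: int, body: bytes) -> bytes:
    """Build one constructed 176-byte EF_SMS record, padding the body with 0xFF."""
    return bytes([status]) + body.ljust(SMS_RECORD_LEN - 1, b"\xff")


# Constructed sample images, not dumps of a real card.
SAMPLE_ADN_REC_LEN = 30                                       # 16-byte alpha identifier + 14
SAMPLE_ADN_EF = (
    bytes.fromhex("416c696365" + "ff" * 11                     # "Alice", padded to 16 bytes
                  + "07" + "91" + "5155214365f7ffffffff"         # 7 BCD bytes, international, 15551234567
                  + "ff" + "ff")                                 # no CCP, no EXT1
    + b"\xff" * SAMPLE_ADN_REC_LEN                               # an unused record
)
SAMPLE_TPDU = bytes.fromhex("07910123456789f004")             # placeholder SMSC/TPDU bytes, not decoded here
SAMPLE_SMS_EF = (
    _sms_record(0x01, SAMPLE_TPDU)                             # a read message
    + _sms_record(0x00, SAMPLE_TPDU)                           # deleted: flag cleared, data left behind
    + _sms_record(0x00, b"")                                   # never used
)


if __name__ == "__main__":
    for contact in parse_adn_ef(SAMPLE_ADN_EF, SAMPLE_ADN_REC_LEN):
        print(contact)
    for row in triage_sms_records(SAMPLE_SMS_EF):
        print(row)
```

The triage step is the reason the paper singles out tools that can recover deleted text messages: a tool that reads only records whose status is non-free will silently drop the second record above, while one that looks at the bytes behind a free status recovers it.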

Location information can be found by thoroughly examining the LOCI, LAI, LAC, RAC, and RAI voice and data communication fields. Location Information (LOCI) includes the Location Area Identifier (LAI), which is comprised of the Mobile Country Code (MCC), Mobile Network Code (MNC), and the Location Area Code (LAC), along with the Routing Area Code (RAC) and the Routing Area Information (RAI).

Built-in security features can be found in SIM cards, and these fields are established by the use of Card Holder Verification (CHV1) and (CHV2). These two fields restrict file access to those users with valid verification PIN codes (Personal Identification Numbers). Other features control various mobile users’ access to the GSM Network, and this is achieved by assigning a specific ACC (Access Control Class) to each group. Encryption is also utilized to avoid tampering and ensure data security by the use of a Ciphering Key (Kc) to authenticate the SIM on the mobile network and a Ciphering Key Sequence Number (Boudriga, 2009).

Other information related to the GSM cellular network configuration residing in the SIM card includes, for instance, the Phase Identifier. GSM Services were delivered in phases, where Phase 1 introduced SIM cards, ciphering, voice telephony, international roaming, call forwarding, and SMS services. Further features were added at later stages (i.e., call waiting) based on services that were offered by the previous stage. Using the SIM Service Table (SST) elementary file, one can identify which services are allocated and activated in the SIM and which are not (i.e., SMS, FDN, and so on). Other settings such as language preferences for menu interaction are set using the Preferred Languages Variable (PL). The SIM card can also contain two Group Identifiers (GID1) and (GID2). The GSM Service Provider is the only entity to modify these two fields in order to identify a group of SIM cards for particular applications and associations. Emergency Call Code is another service-provider specific field and can be defined to set up an emergency call, for instance, to 999 in the event of threats. Higher Priority PLMN Search Period (HPLMN) is also configured by the Service Provider and states how often the mobile equipment should search for the home network (the range is between 6 minutes and 8 hours). Set by the service provider, the Preferred Network List (PLMN) allows subscribers to select a network from a pre-configured list to connect to while roaming abroad. Forbidden Networks (FPLMN), on the contrary, are those networks to which a phone is not permitted to connect. A broadcast control channel (BCCH) is a pattern that contains system information messages about the identity and configuration of the base transceiver station in the GSM cellular standard. Cell Broadcast Message Identifier (CBMI) specifies the content of the cell broadcast messages a subscriber would receive from the Service Provider partners (preferred networks). In addition to the previous parameters, Service Providers also set the Accumulated Call Meter (ACM) to manage subscriber cell phone expenses before reaching a certain maximum (ACMmax). Using a Price per Unit and Currency Table (PUCT), the costs can be calculated in a currency chosen by the subscriber (Bidgoli, 2010).

LITERATURE REVIEW

SIM Forensics is still in its infancy due to the extensive in-depth knowledge and expertise required; hence, previous research efforts are limited to the best of the authors’ knowledge. There have been some pioneering attempts that have paved the way for SIM Forensics, which are summarized below.

Using the GSM 11.11 Technical Specification, Willassen (2003) focused on the subscriber’s sensitive information that can be extracted from a SIM card. He identified 21 extractable items and demonstrated how the GSM mobile telephone system can play a significant role in forensics examination.

Highlighting the challenges in the field of digital forensics, Savoldi and Gubian (2007) provided a proof-of-concept with regards to the possibility of data hiding in a SIM/USIM card through various techniques that are widespread due to the absence of a nonstandard part in the SIM/USIM image memory. Cilardo, Mazzocca, and Coppolino proposed a unified architecture, “TrustedSIM,” inherently relying on a subscriber’s identification module (SIM) as its core component. This, according to them, was due to the tamper-resistant domain and flexible multi-application environment that could manage users’ security profiles.

Given the above potential data that could be transformed into forensically sound evidence, general forensic examination tools were used to extract and recover these data. Jansen and Ayers (2006) demonstrated that some of these tools, however, may yield inaccurate results because they were not specifically designed for SIM Card Forensics. This inefficiency may also be attributed to a programming error, utilization of an incorrect protocol, or an out-of-date specification that might lead to improper functionality. Casadei et al. (2006), on the other hand, tried to experiment with an open-source SIM-specific forensic tool instead of commercial and proprietary restricted software. The researchers presented their SIMbrush tool analysis by conducting an experiment to extract all observable memory and non-standard files of the SIM Card.


TOOLS AND EXPERIMENTAL SETUP

The setup for the experiment required the arrangement of a mobile device and a SIM card reader. We prepared two mobile devices, an Apple iPhone 4s and a Samsung Galaxy SIII, that included an Etisalat and a DU SIM card, respectively, in addition to an external SIM card reader. The selection of two different service providers was made to investigate the difference—if any—between the various service providers.

To complete the setup for the experiment, data creation was required on both mobiles, such as saving user data (i.e., contacts) to the SIM card. For the iPhone, this was not directly possible because, by default, the iPhone does not support saving to the SIM card. The authors had to manually move the SIM card to another mobile device that supports this feature (a Nokia device). The authors additionally set up various social media accounts, i.e., Facebook, Instagram, Dropbox, etc., and created dummy user data on them.

For our experiments, we planned to explore both commercial and open source tools. The following tools were chosen for comparison due to their support of SIM card forensic investigations:

EnCase Forensics: From Guidance Software, EnCase is a tool widely used in the digital forensics field. EnCase’s Smartphone Examiner module collects information from different smart devices, SIM card readers, or through device backups.

MOBILedit: a mobile forensic tool that not only provides viewing, searching, or retrieval from a phone, but also retrieves information such as IMEI, OS, and firmware, and SIM card details such as IMSI, ICCID, and location area information.

Mobile Phone Examiner: MPE from AccessData includes enhanced smart device acquisition and analysis capabilities. With the integration of nFIELD, it provides forensic mobile device data collections that support both USIM and SIM acquisition with reporting abilities.

Oxygen Forensic Suite: Oxygen is developed by Oxygen Software Company and performs digital forensic analysis of smartphones through the use of proprietary protocols.

Paraben SIM Card Seizure: SIM Card Seizure is a tool from Paraben Corporation that performs a forensic SIM card acquisition and analysis with the ability to recover deleted text messages from SIM cards.

pySIM: From TULP2G, pySIM is an open forensic software framework for extraction and decoding of data stored within electronic devices.

SIMBrush: Is an open-source tool which can be used to extract all observable memory from SIM/USIM cards.

SIMScan: Is an open-source toolkit used to recover SIM card information by downloading the binary contents of individual files and storing them as individual files.

UFED Cellebrite: UFED provides access to mobile data and exposes every segment of a device’s memory using advanced logical, file system, and physical extractions. It also provides in-depth decoding, analysis, and reporting features.

USIMdetective: From Quantaq Solutions, USIMDetective is a forensic tool that has been specifically designed to manage the complex data storage mechanisms found in smart cards.

XRY: Is a comprehensive digital forensics examination tool used for mobile devices. With its ability to grab mobile information, XRY also retrieves specific SIM card information. XRY Viewer is an easy-to-use tool for viewing and accessing retrieved data.

Different tools provide different acquisition techniques, and with respect to the above-mentioned tools, some of them acquire SIM card information through phone acquisitions, like EnCase, MOBILedit, Oxygen, and UFED, while others provide the acquisition of SIM cards through a SIM card reader, like EnCase, SIM Card Seizure, SIM Manager, USIMDetective, and XRY.

Table 1. Forensic Tools

Tool Version

Encase Forensics 7.09.03.40

UFED Cellebrite 4.1.2.49

Oxygen Forensic 7.4.0.121

Paraben (SIM Card Seizure) 4.0

Dekart (SIM Manager) 3.3

Quanta (USIMdetective) V3.0.4

The following table summarizes the mainspecifications of the mobile phones used:

Table 2. Smartphones Used

iOS Android

Device iPhone 4s Galaxy SIII

Version 8.4.1 4.3

Model MD 258AE/A GT-I9300

EXPERIMENT RESULTS AND DISCUSSION

Open source software was not available for testing, either due to discontinuation of the software itself (i.e., SIMBrush) or unobtainable download links that led to invalid owner websites (i.e., SIMScan). The authors were able to download pySIM, but faced an error, as it only provided a connection through serial socket communication, which is no longer valid in new mobile devices.

UFED Logical Analyzer produced an unexpected error when the authors tried to test it with the iPhone 4s. On the other hand, UFED did not support logical acquisition of Android devices, which limited the ability to perform an acquisition of the Samsung Galaxy SIII mobile phone.

The results provided by EnCase with regards to the Apple iPhone 4s were available through iTunes backup analysis only. This option was not available for the Android device, as EnCase was unable to read the Samsung Android backup.

Although MOBILedit was able to connect to and read both phones, no data was retrieved from either mobile device; this might be because it was a trial version.

Both MPE and nFIELD trial versions were downloaded; nevertheless, the authors experienced difficulty in running these programs due to licensing errors that prevented the downloaded trial versions from running.

While any recovered information that was stored on and retrieved from a SIM card is of evidentiary value, not all tools have the ability to retrieve or extract all of the required information. The results of the first part of this experiment display a comparison of the usable tools and their ability to extract pre-defined criteria set by the authors; we focused on 40 items of various possible extractable SIM card information based on the Third Generation Partnership Project (3GPP) Technical Specification (GSM) TS 11.11.

The best tools that were able to extract the highest number of items included Paraben SIM Card Seizure, Quantaq USIMDetective, and XRY, respectively. Both SIM Card Seizure and USIMDetective were able to list all the items in their reports despite the fact that some of these items did not contain any data value. As for XRY, only fields with data were displayed, which drives us to inquire whether it is a tool/version limitation. Only fields that contained data were reported in XRY, while in SIM Card Seizure all the fields in the comparison criteria were displayed along with additional extra fields, and it was clearly reported where there was no data to be displayed for a criterion. This could be due to the service provider’s SIM card configuration, which led us to another area of research, and that is to investigate more SIM cards from different providers for comparison.

Furthermore, Paraben and USIMDetective displayed the SIM card file system hierarchy in a clear, simple view that made it easier to locate and further examine each master file and its sub-items. The latter provided an additional HEX format view for the extracted data that could provide a further means of examination and verification. XRY, on the other hand, provided two tabs with information about the logical acquisition of SIM and USIM (other tools presented the extracted data in one view). The obtained content for both SIM and USIM was identical except for added evidence about the Ciphering key.

Figure 2. Paraben SIM Card Seizure

Figure 3. USIMDetective

Figure 4. XRY

With the least amount of information retrieved, EnCase, Oxygen, and Dekart SIM Manager come at the end of the comparison. EnCase was only able to read the iTunes backup, and this was not a valid option for the Android backup. EnCase comes with an extra module for mobile phone acquisition that was not available to the authors at the time of conducting this experiment for the phone/SIM card acquisition.

Oxygen was able to get basic information about the SIM card. It differed, though, between the two phones, as it was able to display the own dialing number on the iPhone 4s and not on the Samsung SIII. While Oxygen was able to display SIM contacts on both phones, there was no visual indication that those contacts were saved on the SIM cards. The authors reached this conclusion as they had saved those contacts to both SIMs intentionally for testing and experiment purposes.

With the ability to write to the SIM and the possibility of changing the PIN code, data extracted with Dekart SIM Manager would not be forensically sound. Resetting the PIN code is a debatable question, as it might be required in order to access a locked SIM. Although the authors did not manipulate any evidence data, writing to the SIM will lead to contamination, resulting in inadmissible evidence. This feature can also be misused by suspects to forge the data.

Figure 5. Dekart SIM Manager

Table 3 gives an overview of the assessment of the tools across the various acquisitions that were conducted, either on the mobile devices or on the SIM cards.


Table 3. The 40 evidentiary information items and the tools' capability to extract them.

Columns: SN, SIM Card Information, then one pair of columns per tool: XRY (Etisalat, DU), Paraben (Etisalat, DU), Oxygen (4S, SIII), Dekart (Etisalat, DU), USIM Det. (4S, SIII), EnCase (4S, SIII). The tick marks of the original table did not survive extraction; only the "-", "*", "x" and "xx" marks remain in the rows below.

1 ICCID - - - x - xx
2 SPN - - - - x - xx
3 MCC - - - x - xx
4 MNC - - - x - xx
5 MSIN - - - - x - xx
6 MSISDN * - x xx
7 IMSI - - - - x - xx
8 LDN * * - - - - x - xx
9 LOCI - - - - x - xx
10 LAI - - - - x - xx
11 ADN x xx
12 FDN * * - - x - xx
13 SMS * * - - x - xx
14 SMSP - - - - x - xx
15 SMSS * * - - - - x - xx
16 Phase - - - - x - xx
17 SST * * - - - - x - xx
18 LP * - - - - x - xx
19 CHV 1 & 2 * * - - - - - x - xx
20 EXT1 * * - - - - x - xx
21 EXT2 * * - - - - x - xx
22 GID1 - - - - x - xx
23 GID2 - - - - x - xx
24 CBMI * * - - - - x - xx
25 PUCT * * - - - - x - xx
26 ACM * * - - - - x - xx
27 ACMmax * * - - - - x - xx
28 HPLMNSP * * - - - - x - xx
29 PLMNsel - - x - xx
30 FPLMN * * - - x - xx
31 CCP * * - - - - x - xx
32 ACC * * - - - - x - xx
33 BCCH * * - - - - - x - xx
34 Kc - - - - x - xx
35 Kc Seq. # * * - - - - x - xx
36 Emergency Call Code * * - - - - - x - xx
37 Own Dialing Number - - - x xx
38 TMSI - - - - x - xx
39 RIA - - - - - x - xx
40 SDN * * - - - - x - xx

* Please refer to the discussion section.

x USIMDetective was unable to read the DU SIM card information, displaying an error that this card does not seem to support 2G or 3G mode communication.

xx EnCase was unable to read the Android backup.


In the second part of this experiment, the authors were eager to pursue the actual data that SIM cards might contain (again with reference to the 40 criteria items previously chosen). For this purpose, the authors used the XRY tool to extract actual data from 8 different SIM cards.

The cards were accessed logically using the tool and its reader, and the following segments were extracted:

ICCID: 89971122126964102877

89 is interpreted as the Major Industry Identifier (telecommunications administrations and private operating agencies).

971 is the Country Code (i.e., United Arab Emirates).

12 is the Issuer Identifier, and that is Etisalat.

212696410287 is the Individual Account Identification number, including the month/year of manufacturing, configuration code, and SIM number.

7 is the checksum calculated from the other 19 digits.

The ICCID is engraved on the SIM itself to uniquely identify the chip internationally and cannot be changed or updated later, which makes it a reliable data source from a forensic point of view. Also, using the Issuer Identifier, investigators could contact the service provider identified by the ICCID to get the logs of a certain suspect/victim, after obtaining a search warrant, for further analysis.

The International Mobile Subscriber Identifier (IMSI) is interpreted as follows:

IMSI: 424021445434857

424 reflects the Mobile Country Code, in this case the United Arab Emirates.

02 refers to the Mobile Network Code, which is the Emirates Telecommunications Corporation (Etisalat).

The remainder of the digits signify the Mobile Subscriber Identification Number (1445434857).

Both the ICCID and the IMSI can be used to identify a specific subscriber and are of great forensic value, since examiners can approach mobile network providers and obtain all data records of a potential suspect/victim (i.e., subscriber).

The Mobile Station International Subscriber Directory Number (MSISDN) was extracted as well, and it contains the following information:

MSISDN: +971505682881

971 represents the Country Code (United Arab Emirates).

50 identifies the National Destination Code (mobile phone by Etisalat).

5682881 refers to the Subscriber Number.

It is noteworthy that, other than the ICCID, the information contained within the SIM can be modified later (e.g., the MSISDN), and hence the reliability of such evidence is sometimes questioned in a court of law.
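The three identifier breakdowns above can be checked mechanically, which is useful when a tool prints an identifier without explaining its fields. The following is an added example, not code from the paper or from any of the tools it evaluates. It splits the paper's own ICCID, IMSI and MSISDN values and verifies the ICCID check digit with the Luhn algorithm (the scheme ITU-T E.118 specifies for ICCIDs; the paper only says "checksum"). The field widths are taken from the paper's Etisalat/UAE examples: the country-code, issuer, MNC and NDC widths vary between countries and operators, so the defaults here are an assumption for any other card.

```python
"""Split the subscriber identifiers a SIM extraction yields into their fields.

Added example; values are the ones the paper reports from its XRY extraction.
"""


def luhn_valid(digits: str) -> bool:
    """Return True when the rightmost digit is a valid Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, starting left of the check digit
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_iccid(iccid: str) -> dict:
    """Split an ICCID using the widths in the paper (89 / 971 / 12 / account / check).

    ITU-T E.118 lets the country and issuer parts vary in length; these widths
    match the paper's Etisalat example and are an assumption for other issuers.
    """
    iccid = iccid.replace(" ", "")
    if not iccid.isdigit() or len(iccid) not in (19, 20):
        raise ValueError("ICCID must be 19 or 20 digits")
    return {
        "mii": iccid[:2],             # 89 = telecommunications industry
        "country_code": iccid[2:5],   # 971 = United Arab Emirates
        "issuer_id": iccid[5:7],      # 12 = Etisalat in the paper's card
        "account_id": iccid[7:-1],    # individual account identification
        "check_digit": iccid[-1],
        "luhn_ok": luhn_valid(iccid),
    }


def parse_imsi(imsi: str, mnc_len: int = 2) -> dict:
    """Split an IMSI into MCC, MNC and MSIN (ITU-T E.212).

    The MNC is 2 or 3 digits depending on the country; the paper's UAE IMSI uses 2.
    """
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15 or mnc_len not in (2, 3):
        raise ValueError("IMSI must be 6 to 15 digits with a 2- or 3-digit MNC")
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}


def parse_msisdn(msisdn: str, cc_len: int = 3, ndc_len: int = 2) -> dict:
    """Split an E.164 number into country code, NDC and subscriber number.

    Country-code and NDC widths vary by country; the defaults match the paper's
    UAE example (971 / 50 / subscriber number).
    """
    digits = msisdn.lstrip("+").replace(" ", "")
    if not digits.isdigit() or len(digits) > 15:
        raise ValueError("MSISDN must be at most 15 digits")
    return {
        "country_code": digits[:cc_len],
        "ndc": digits[cc_len:cc_len + ndc_len],
        "subscriber_number": digits[cc_len + ndc_len:],
    }


if __name__ == "__main__":
    # Identifier values as reported in the paper's XRY extraction
    for label, parsed in (
        ("ICCID", parse_iccid("89971122126964102877")),
        ("IMSI", parse_imsi("424021445434857")),
        ("MSISDN", parse_msisdn("+971505682881")),
    ):
        print(label, parsed)
```

A failing Luhn check on an ICCID reported by a tool is worth noting in the examiner's log: since the ICCID is fixed at manufacture, a mismatch points at a transcription or parsing error in the tool chain rather than at the card.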

Abbreviated Dialing Numbers (ADN) are of significant importance since they may link an unidentified phone to a suspect/victim or pinpoint possible connections and relations of the mobile owner. Some modern mobile phones, however (specifically the iPhone 4S tested in this experiment), rely on the Mobile Equipment (ME) storage to save these numbers instead of the SIM card itself.

Similarly, SMS data is crucial in forensic investigations but, unfortunately, none of the SIM cards tested in this experiment revealed any SMSs stored on the SIM card itself. The authors speculate that this is due to the mobile phone manufacturers' default settings, which prevent saving SMS data to the SIM card and use the phone's internal memory instead.

On the other hand, location information (i.e., Local Area Code: 7D97) can be used by forensic examiners to determine where the phone was last operating and to indicate geographically where a suspect has been or where an event occurred.
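The location data the paper reports (TMSI, LAI with MCC/MNC, and the area code 7D97) lives in the elementary file EF_LOCI, which the file-system views of USIMDetective or Paraben expose as raw bytes. The decoder below is an added example, not code from the paper or from any of the tools it evaluates. The record layout follows ETSI TS 11.11 (TMSI, LAI, TMSI TIME, location update status) and the LAI digit coding follows 3GPP TS 24.008 (BCD, low nibble first, 0xF marking a two-digit MNC). The sample record is constructed: it reuses the paper's PLMN 424/02 and Location Area Code 7D97 with a made-up TMSI.

```python
"""Decode a raw EF_LOCI record (GSM SIM file 6F7E) into TMSI, PLMN and LAC.

Added example. Byte layout per ETSI TS 11.11 section 10.3.17:
  bytes 0-3  TMSI
  bytes 4-8  LAI (MCC/MNC in swapped BCD, then 2-byte LAC)
  byte  9    TMSI TIME
  byte  10   location update status (bits 1-3)
"""

LOCATION_UPDATE_STATUS = {
    0: "updated",
    1: "not updated",
    2: "PLMN not allowed",
    3: "location area not allowed",
}


def decode_lai(lai: bytes):
    """Decode a 5-byte Location Area Identity; None if the field was never written."""
    if len(lai) != 5:
        raise ValueError("LAI is 5 bytes")
    if lai == b"\xff" * 5:
        return None  # blank (unpersonalised) field
    # Each byte carries two BCD digits, low nibble first.
    mcc = f"{lai[0] & 0x0F}{lai[0] >> 4}{lai[1] & 0x0F}"
    mnc = f"{lai[2] & 0x0F}{lai[2] >> 4}"
    mnc_digit3 = lai[1] >> 4
    if mnc_digit3 != 0x0F:  # 0xF marks a two-digit MNC
        mnc += str(mnc_digit3)
    lac = int.from_bytes(lai[3:5], "big")
    return {"mcc": mcc, "mnc": mnc, "lac": f"{lac:04X}"}


def decode_ef_loci(record: bytes) -> dict:
    """Decode one EF_LOCI record as read from the card."""
    if len(record) < 11:
        raise ValueError("EF_LOCI record is 11 bytes")
    tmsi = record[0:4]
    lai = decode_lai(record[4:9]) or {"mcc": None, "mnc": None, "lac": None}
    status = record[10] & 0x07
    return {
        "tmsi": tmsi.hex().upper(),
        "tmsi_unset": tmsi == b"\xff\xff\xff\xff",  # 0xFFFFFFFF means no TMSI stored
        **lai,
        "location_update_status": LOCATION_UPDATE_STATUS.get(status, f"reserved ({status})"),
    }


# Constructed sample record (not from the paper's cards): TMSI 1A2B3C4D,
# PLMN 424/02 (Etisalat, as in the paper's IMSI), LAC 7D97 (the area code the
# paper reports), TMSI TIME 0xFF, status 0 = updated.
SAMPLE_LOCI = bytes.fromhex("1A2B3C4D" "24F420" "7D97" "FF" "00")

if __name__ == "__main__":
    print(decode_ef_loci(SAMPLE_LOCI))
```

Decoding the file yourself from the HEX view gives an independent check of what a tool labels "Last Network" or "Last Area Code", which is exactly the cross-validation between tools the paper recommends.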

Forensic examiners should not neglect the possibility of combining the above information extracted from SIM cards with other evidence collected from the mobile phone and the crime scene itself, and should construct the case accordingly.

We were able to extract the information below from all SIM cards. The wealth of information varied between network providers, which shows that the amount of SIM card information can also depend on the service provider.

Integrated Circuit Card Identifier (ICCID)

International Mobile Subscriber Identifier (IMSI)

Mobile Station International Subscriber Directory Number (MSISDN) "Own Dialing Num"

Temporary Mobile Subscriber Identity (TMSI)

Short Message Service Parameters (SMSP)

Last Network (LAI-MCC/MNC) & Routing Area Network (RAI-MCC/MNC)

Last Area Code (LAI-LOC) & Routing Area Location (RAI-LAC)

Ciphering Key (Kc)

Abbreviated Dialing Numbers (ADN)

Service Provider Specific Fields

CONCLUSION AND FUTURE WORK

SIM card forensics is a promising area that can provide investigators with a plethora of evidentiary data, given that they have the right knowledge and tools to extract it in a forensically sound manner. Currently, over-the-counter tools are generally built to aid examiners in analyzing the mobile phone as a whole unit, neglecting the fact that some vital information is often left out in smaller modules (i.e., the Subscriber Identity Module). Some of the tools used in this paper's experiment did yield vital information regarding the subscriber, but further development is needed to ensure the reliability of the information gathered. Knowing the tools' strengths and limitations helps investigators develop in-depth expertise on the right tool to use in different situations. Forensic examiners are advised not to rely solely on one tool and to opt instead to cross-validate findings.

SIM card forensics provides a vast area of possible future work, for example verification of the extracted data against the real data from the various network providers, a deep, extensive search within the SIM card file system, or inspection of extracted data against user data retrieved from various applications and exploring whether any of these applications embed any of the SIM data.
