SIM Forensics: Part 3

Published on Forensic Magazine (http://www.forensicmag.com)

John J. Barbara

The system architecture of a GSM cellular network is very complex. It can generally be divided into three broad parts: the Mobile Station (the cell phone and its SIM), the Base Station Subsystem (which is responsible for handling traffic and signaling between the phone and the Network Switching Subsystem), and the Network Switching Subsystem (which performs the switching of calls between the mobile users and the Public Switched Telephone Network). Phones connect to a GSM network by searching for cells within their immediate location. GSM networks have several different cell sizes, and depending upon which is being implemented, the coverage area will vary. Regardless of the coverage, a cell phone's location information could be of significant forensic value.
A. LOCATION INFORMATION
A SIM card contains the LOCI (Location Information) Elemental File which can be
found under the GSM Dedicated File (see April/May 2011 Digital Forensic Insider
column for information regarding the SIM Card File System). This file contains the
Temporary Mobile Subscriber Identity (TMSI), TMSI TIME, Location Area
Information/Local Area Identifier (LAI), and the Location Update Status.
1. Temporary Mobile Subscriber Identity (TMSI):
In addition to allowing mobile phones to communicate with each other, the Network
Switching Subsystem (NSS) also acts somewhat as a telephone exchange. However,
it has additional functionality to deal with the roaming ability of cell phones. A key
component of the NSS is the Mobile services Switching Center (MSC) which provides
functionality such as registration, location updating, and call routing. When a
subscriber roams into the jurisdiction of an MSC, information about the cell phone is
stored in a temporary database called the Visitor Location Register (VLR). Since
each Base Station in the GSM network is served by one VLR, a subscriber cannot be
present in more than one VLR at a time. The VLR assigns the TMSI which ensures
privacy since it prohibits tracing of the identity of the subscriber should anyone
attempt to intercept the link. The TMSI is assigned for the duration that the
subscriber is within the jurisdiction of a particular MSC and combined with the
current location area, allows a subscriber to be uniquely identified.
2. Location Area Information/Local Area Identifier (LAI)
The LAI for voice communications is structured hierarchically and uniquely identifies a Location Area (LA) within a GSM network. It consists of three components:

Mobile Country Code (MCC): consists of three decimal digits and is used to identify the country of origin of the SIM card.
Mobile Network Code (MNC): consists of two decimal digits and is used in conjunction with the MCC to identify the SIM card's network provider.
Location Area Code (LAC): consists of a maximum of five decimal digits.
GSM networks are divided into LAs which are comprised of one or more radio cells.
Each of the LAs is uniquely identified within the network by its Location Area Code
(LAC). These numbers are stored on the SIM card, thus providing the handset with
its location. This also serves as a unique reference for the location of the subscriber
as well since the LAI is required before the handset can receive an incoming call.
When the subscriber roams into a new LA, the handset also stores the new LAI on
the SIM card, adding it to a list of the previous LAIs. After being powered off and
then powered back on, the handset will search the list of its stored LAIs until it finds
the one it is currently located in, thereby allowing service to resume. Analyzing the
SIM card can provide the geographical location(s) where the SIM card, the phone,
and the owner of the phone (suspect) may have been.
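The four fields described above live together in the EF_LOCI record of the GSM Dedicated File. The decoder below is an added example, not code from the article or from any of the tools it lists; it assumes the 11-byte EF_LOCI layout from GSM 11.11 (TMSI, LAI in swapped BCD with a 16-bit LAC, TMSI TIME, Location Update Status) and runs on a constructed sample record rather than data from a real SIM.

```python
# Added example: decode a GSM SIM EF_LOCI record (GSM 11.11 layout, 11 bytes:
# TMSI (4), LAI (5), TMSI TIME (1), Location Update Status (1)).
import hashlib

# Low three bits of the status byte (GSM 11.11); other values are reserved.
LOCATION_UPDATE_STATUS = {
    0: "updated",
    1: "not updated",
    2: "PLMN not allowed",
    3: "location area not allowed",
}


def _bcd_nibbles(b: int) -> tuple:
    """Return (low nibble, high nibble); BCD digits are stored low nibble first."""
    return b & 0x0F, b >> 4


def decode_lai(lai: bytes) -> dict:
    """Decode the 5-byte LAI: MCC and MNC in swapped BCD, then a big-endian LAC."""
    if len(lai) != 5:
        raise ValueError("LAI must be 5 bytes")
    mcc1, mcc2 = _bcd_nibbles(lai[0])   # octet 1: MCC digit 2 | MCC digit 1
    mcc3, mnc3 = _bcd_nibbles(lai[1])   # octet 2: MNC digit 3 | MCC digit 3
    mnc1, mnc2 = _bcd_nibbles(lai[2])   # octet 3: MNC digit 2 | MNC digit 1
    mcc = f"{mcc1}{mcc2}{mcc3}"
    # MNC digit 3 is filled with 0xF when the network uses a two-digit MNC.
    mnc = f"{mnc1}{mnc2}" if mnc3 == 0xF else f"{mnc1}{mnc2}{mnc3}"
    lac = int.from_bytes(lai[3:5], "big")
    return {"mcc": mcc, "mnc": mnc, "lac": lac}


def decode_loci(raw: bytes) -> dict:
    """Decode a full EF_LOCI record and attach a SHA-256 of the raw bytes read."""
    if len(raw) != 11:
        raise ValueError("EF_LOCI must be 11 bytes")
    tmsi = raw[0:4]
    result = {
        # All-ones TMSI means no valid TMSI is currently stored.
        "tmsi": None if tmsi == b"\xff" * 4 else tmsi.hex().upper(),
        "tmsi_time": raw[9],
        "status": LOCATION_UPDATE_STATUS.get(raw[10] & 0x07, "reserved"),
        "sha256": hashlib.sha256(raw).hexdigest(),  # integrity record of the read
    }
    result.update(decode_lai(raw[4:9]))
    return result


# Constructed sample (not a real SIM): TMSI 12345678, MCC 310, MNC 26, LAC 0x1A2B,
# TMSI TIME 0, status "updated".
SAMPLE_LOCI = bytes.fromhex("12345678" "13F062" "1A2B" "00" "00")

if __name__ == "__main__":
    print(decode_loci(SAMPLE_LOCI))
```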
B. FORENSIC TOOL OVERVIEW
To analyze a SIM card, it is normally removed from the handset and inserted into an
appropriate reader. Command directives, called Application Protocol Data Units
(APDUs), are sent to the SIM by the tool to extract potential probative evidence that
may be present in the SIM file system. The original data on the SIM card is normally
preserved by the elimination of write requests to the SIM during its analysis.
Extracted data integrity can be maintained by the tool calculating the hash value(s)
of the data from the files created and re-verifying as necessary to demonstrate that
they remain unchanged. Some SIM tools extract and preserve data better than
others. As with any forensic tool, examiners need to thoroughly research those that
are available to determine which one(s) meet their needs. Most examiners are
aware (or should be) that no one tool will be able to extract all the data from every
different type of cell phone or SIM card. Listed below are some tools that examiners
commonly use. (Disclaimer: the summarized, edited information is presented
alphabetically and should not be interpreted as a competitive ranking. This
information was obtained from the cited Web sites and should not be considered as
endorsements by Forensic Magazine or the author nor should it be construed that
these are the only tools available):

AccessData Mobile Phone Examiner (MPE) Plus: integrates seamlessly with Forensic Toolkit. Enables advanced reporting to detail phone data [such as] call history, contacts, messages, photos, voice recordings, video files, calendar, tasks, and notes. MPE supports more than 2,500 phones and can be purchased with hardware to include a SIM reader and phone cables. (http://accessdata.com/products/computer-forensics/mobile-phone-examiner [1]).
Cellebrite (UFED): the UFED family of products is able to extract and analyze data from more than 3,000 phones including smartphones and GPS devices. UFED devices have a built-in SIM reader that allows the device to obtain data such as call logs, phonebooks, SMS, IMSI, and the ICCID. SIM card cloning is also supported. (http://www.cellebrite.com/forensic-products/forensic-products.html?loc=seg [2]).
EnCase Smartphone Examiner: designed to forensically collect data from smartphone and tablet devices, such as the iPhone and iPad. It can capture evidence from devices that use the Apple iOS, HP Palm OS, Windows Mobile OS, Google Android OS, or RIM Blackberry OS. Can acquire data from Blackberry and iTunes backup files as well as a multitude of SD cards. The evidence can be seamlessly integrated into EnCase Forensic. (http://www.guidancesoftware.com/encase-smartphoneexaminer.htm [3]).
Data Pilot Secure View Kit: provides both a software and hardware
solution which [enables] logical data extraction of the content stored in the
mobile phone. Kit includes a universal cable set supporting Motorola
(including iDen), Nokia, Samsung, LG, Sanyo, Audiovox, and Sony Ericsson
phones. Can acquire cell phone data via USB, Bluetooth, IrDA, or a SIM card
reader. (http://www.datapilot.com/productdetail/253/supphones/Notempty
[4]).
MOBILedit! Forensic: analyzes phones via Bluetooth, IrDA, or cable
connection; analyzes SIMs through SIM readers and can read deleted
messages from the SIM card. (http://www.mobiledit.com/mef-features.htm
[5]).
Paraben's SIM Card Seizure: can recover deleted SMS/text messages
and perform comprehensive analysis of SIM card data. SIM Card Seizure
includes the software as well as a Forensic SIM Card Reader. SIM Card
Seizure has Unicode support to read multiple languages such as Arabic,
Chinese, and Russian. (http://www.paraben.com/sim-card-seizure.html [6]).
pySIM: a SIM card management tool capable of creating, editing, deleting,
[and performing] backup and restore operations on the SIM Phonebook and
SMS records. (http://simreader.sourceforge.net/ [7]).
SIMBrush: can be used to extract all observable memory (the files that can be explored by means of standard APIs) from SIM/USIM cards compatible with the T=0 protocol. Capable of acquiring standard and nonstandard files present [on] every SIM card. The output of the program is an XML file representing the SIM/USIM card file system. (http://sites.google.com/site/savolabs/Home/tools [8]).
Teel Technologies SIMIS for SIM/USIM/R-UIM: engineered in
accordance with ACPO guidelines to ensure that no data on the SIM is
modified during the read process. SIMIS reports are digitally signed with
both MD5 and SHA 256 hashes to ensure integrity. A full audit trail is
included in the analysis. The SIMIS Mobile Handheld Reader enables users to
collect data from multiple SIM cards for on-site analysis or later review using
SIMIS PC software. (http://teeltech.com/tt3/simis.asp [9]).
SIMQuery: a command line tool that retrieves the ICCID and IMSI from a GSM SIM card. A smart card reader that is compatible with the Windows smart card subsystem is needed along with a Plug-in (GSM SIM card size) to ID-1 (ordinary smart card size) adapter card so the SIM card fits into the reader. (http://vidstrom.net/otools/simquery/ [10]).
UndeleteSMS: a command line tool that recovers deleted SMS messages
from a GSM SIM card; has the same requirements as the SIMQuery tool.
(http://vidstrom.net/stools/undeletesms/ [11]).
XRY Logical & Complete Package with SIM id-Cloner: performs both
logical and physical extractions from a device [cell phone]. Specifically
designed to assist in the forensic recovery of data from GSM SIM Cards and
also provide a 100% secure environment. SIM id-Cloner will allow the
creation of a replica of the SIM card found within a mobile device so
examiners can enable the operating system without the risk of it making a
network connection and changing the data held on the device.
(http://www.msab.com/xry/what-is-xry [12]).
John J. Barbara owns Digital Forensics Consulting, LLC, providing consulting services for companies and laboratories seeking digital forensics accreditation. An ASCLD/LAB inspector since 1993, John has conducted inspections in several forensic disciplines including Digital Evidence. John is the General Editor for the Handbook of Digital & Multimedia Forensic Evidence published by Humana Press. He can be reached at jjb@digforcon.com [13].

Source URL (retrieved on 01/06/2016 - 8:51am): http://www.forensicmag.com/articles/2011/08/sim-forensics-part-3
Links:
[1] http://accessdata.com/products/computer-forensics/mobile-phone-examiner
[2] http://www.cellebrite.com/forensic-products/forensic-products.html?loc=seg
[3] http://www.guidancesoftware.com/encase-smartphoneexaminer.htm
[4] http://www.datapilot.com/productdetail/253/supphones/Notempty
[5] http://www.mobiledit.com/mef-features.htm
[6] http://www.paraben.com/sim-card-seizure.html
[7] http://simreader.sourceforge.net/
[8] http://sites.google.com/site/savolabs/Home/tools
[9] http://teeltech.com/tt3/simis.asp
[10] http://vidstrom.net/otools/simquery/
[11] http://vidstrom.net/stools/undeletesms/
[12] http://www.msab.com/xry/what-is-xry
[13] mailto:jjb@digforcon.com