Oxygen Forensic is one of the best programs for mobile forensics. This program has a function of SIM card analysis besides its other functions. The program is commercial, but there is a 30-day trial full version, which you can get on request. When the request is accepted, you will receive an email in which you will find a registry key and instructions for downloading the installation software.
Download the Oxygen Forensic (https://www.oxygen-forensic.com/en/). Install it with the help of prompts. Go through the menu path: Service|Enter Key. In the opened License window, enter the license key and click on the Save button. Restart the program.
In order to examine a SIM card, you need to remove it from a mobile device and then install it in the SIM card reader, which has to be connected to the expert's computer. As we mentioned earlier, Microsoft PC/SC drivers are pre-installed on the Windows operating systems meaning that there is no need to install anything else. Now let's see how to use Oxygen Forensic:
- In the Oxygen Forensic program, click on the
Connectdevice button that is located in the toolbar. It will startOxygen Forensic Extractor:
The main window of Oxygen Forensic Extractor
- In the main menu of
Oxygen Forensic Extractor,click on theUICC acquisitionoption. The next window will prompt you to select the connected card reader or it will display an error message:
A card reader connection error message
- If access to a SIM card data is limited by a PIN or PUK code, you will be prompted to enter the appropriate code. The number of available attempts to enter PIN and PUK codes is displayed in the program. If there were no attempts to unlock the SIM card, then there should be 3 attempts to enter the PIN code and 10 attempts to enter the PUK code. After 10 failed attempts to enter the PUK code, the SIM card will be blocked forever. The PUK code can be received from the communication provider through an authorized person.
The SIM card data extraction window
The SIM card data extraction window displays the following:
- Information about the card reader
- Information about the SIM card
- Fields for entering PIN and PUK codes
Enter the SIM card unlock code and click on the Next button.
- In the next window, you can specify additional information about the extraction that will be stored in the case. Also, in this window, you can select the options to save the extracted data from the device:
The Stored extracted physical dump of backup in the device image... option saves the main files from the SIM card.
The Complete UICC image option saves all files from the SIM card. The SIM card files' extraction process may take over 12 hours if you select this option.
The window for entering additional information about the case
- Click on the
Nextbutton. The process of extracting data from the investigated SIM card will start.
The following data can be extracted from the SIM card, including the deleted ones:
- General information about the SIM card
- Contacts
- Calls
- Messages
- Other information
When the process of data importing is finished, the final window of Oxygen Forensic Extractor with summary information about the import will be displayed. Click the Finish button to finish the data extraction.
The extracted data will be available for viewing and analysis.
- At the end of the extraction, the created case can be opened in the
Oxygen Forensicprogram.
Summarized information about the extraction
- Now click on
Messages category.An appropriate section with the extracted data can be viewed in respect of the case.
Viewing Messages section
- Return on the main screen of Oxygen Forensic. Click on
File browsercategory. In theFile browsersection, files that were extracted from the SIM card can be viewed. The analysis of these files contents can be done manually.
Viewing 2FE2 file contents
Oxygen Forensic extracts data from the SIM card installed in the card reader that is connected to the expert's computer. After this, you can generate a forensic report or analyze the extracted data from the main window of this program.
Oxygen Forensic displays the names of files in hex and this can be inconvenient for an expert. The following table shows the correspondence between the standard files' names in hex view and their content:
File name | Description | File name | Description |
3F00 | MF | 6F05 | EF (LP) |
7F10 | DF (TELECOM) | 6F31 | EF (HPLMN) |
7F20 | DF (GSM) | 6F41 | EF (PUCT) |
7F21 | DF (DCS1800) | 6F78 | EF (ACC) |
2FE2 | EF (ICCID) | 6FAE | EF (PHASE) |
6F3A | EF (AND) | 6F07 | EF (IMSI) |
6F3C | EF (SMS) | 6F37 | EF (ACMmax) |
6F40 | EF (MSISDN) | 6F45 | EF (CBM) |
6F43 | EF (SMSS) | 6F7B | EF (FPLMN) |
6F4A | EF (EXT1) | 6F52 | EF (KcGPRS) |
6F3B | EF (FDN) | 6F20 | EF (Kc) |
6F3D | EF (CCP) | 6F38 | EF (SST) |
6F42 | EF (SIMSP) | 6F46 | EF (SPN) |
6F44 | EF (LND) | 6F7E | EF (LOCI) |
6F4B | EF (EXT2) | 6F53 | EF(LOCIGPRS) |
6F74 | EF (BCCH) | 6F30 | EF (PLMNcel) |
6FAD | EF (AD) | 6F54 | EF (SUME) |
