The main function of a SIM card is the identification of a user of a cellular phone on the network so that they can get access to its services.
The following types of data, which are valuable for an expert or investigator, can be found in the SIM card:
- Information related to the services provided by the mobile operator
- Phonebook and information about calls
- Information about messages exchanged
- Location information
Initially, SIM cards were almost the only source of data about the contacts of the mobile device owner, as the information about the phonebook, calls, and messages could be found only in their memory. Later, the storage of these data was relocated to the mobile devices memory and SIM cards began to be used only to identify subscribers in cellular networks. This is why some of the forensic tools developers, for the examination of mobile devices, decided not to include the SIM cards examination function in their products. However, today there are a lot of cheap phones (often, we call them "Chinese phones") with limited memory capacity. In these phones, part of the phone owners' data is stored in the SIM cards. This is why the forensic examination of SIM cards remains relevant.
SIM card is a regular smart card. It contains the following main components:
- Processor
- RAM
- ROM
- EEPROM
- A file system
- Controller I/O
In practice, we come across two kinds of SIM cards with six and eight contacts on the contact pads. This happens because the two contacts do not directly interact with the phone (smartphone) and their absence decreases the size of the area occupied by a SIM card when it is placed in the mobile device.
SIM cards can use three types of supply voltage (VCC): 5 V, 3.3 V, 1.8 V. Each card has a particular supply voltage.
There is an overvoltage protection in SIM cards. This is why when a 3.3 V supply voltage SIM card is placed in the card reader, that can operate only with 5 V supply voltage (old models), neither the information nor the SIM card can be damaged, and it will be impossible to work with this SIM card. As such, an expert may think that the SIM card is faulty. However, it is not so.
The forensic examination of a SIM card, before data extraction from the mobile device, where it is installed, is unreasonable. As the user's data stored in the memory of the mobile device, it can be reset or deleted during the process of removing the SIM card.
For analysis, a SIM card has to be removed from the mobile device and connected to the expert's computer via a specific device: a card reader.
Based on the previously mentioned information about SIM cards, we can figure out the main requirements to a card reader device with which it will be comfortable for an expert to examine SIM cards:
- The card reader device has to support smart cards with supply voltage of 5 V, 3.3 V, and 1.8 V.
- The card reader device has to support smart cards with six and eight contacts on the contact pads.
- The card reader device has to support Microsoft PC/SC protocol. Drivers for this kind of devices are pre-installed on all versions of the Windows operating systems. This is why there is no need to install additional drivers in order to connect such devices to the expert's computer.
The following image shows an example of such a card reader:
SIM cards reader produced by «ASR» company, model «ACR38T».
Despite the fact that there are card reader devices designed for reading data from SIM cards, card reader devices designed for reading data from the standard size cards (having the size of a bank card) can be used. To work comfortably with these devices, a blank card, to which the SIM card is adjusted with some small pieces of tape, is used.
This is a SIM card adjusted with a bank card looks.
TULP2G is a free tool developed by Netherlands Forensic Institute for forensic examination of SIM cards and cellular phones. Unfortunately, this program has not been updated for a long time. However, it can be used for very old cellular phones and SIM cards data acquisition and analysis.
On the TULP2G download page (https://sourceforge.net/projects/tulp2g/files/), select the TULP2G-installer-1.4.0.4.msi file and download it. At the time of writing this, the most up-to-date version is 1.4.0.4. When the download is finished, double-click on this file. The installation process of the program will be started.
- When the program is launched, click on the
Open Profile...button:
The main window of the TULP2G program
- In the opened window, you will find profiles, one of which has to be loaded in the program. Select the
TULP2G.Profile.SIM-Investigationprofile, and then click onOpen.
Data extraction profiles of TULP2G
- In the
Case/Investigation Settingswindow, fill in the fields:Case Name,Investigator Name, andInvestigation Name. This information will be used later in the preparation of the report by TULP2G.
The Case/Investigation Settings window
- In the next window,
TULP2G - SIM card;for theCommunication Plug-infield, set the value asPC/SC chip card communication [1.4.0.3]. For theProtocol Plug-infield, set the value asSIM/USIM chip card data extraction [1.4.0.7]. If the examined SIM card has PIN or PUK code, enter it by clicking on theConfigurebutton, which is located next to theProtocol Plug-infield.
Window TULP2G - SIM card.
Note
Reading data from the examined SIM card will not be possible if the PIN or PUK code are not entered.
- Click on the
Runbutton. The process of data extraction from the SIM card will begin. The progress of extraction can be seen in the progress bar.
The progress bar.
- When the data is extracted from the SIM card, you can conduct a new extraction or generate a report about the extraction that has been performed. To generate the report, go to the
Reporttab. In theReport Namefield, enter the name of the report; in theExport Plug-inandSelected Conversion Plug-in(s)fields, select plugins that will be used for the report generation. In theSelected Investigation(s)field, select those extractions for which you want to generate the report, and then click onRun.
The options window for the report generation
- When the report generation process is finished, there will be two files with formats HTML and XML. The HTML file can be opened with any web browser.
A fragment of the report
These files contain information (a phonebook, text messages, calls, and so on) that was extracted from the examined SIM card. It can be viewed and analyzed.
TULP2G extracts data from the SIM card that is installed in the card reader, which is connected to the expert's computer, and generates a report. During the verification process, MD5 and SHA1 hashes of the image and the source are being compared.
- The TULP2G project website: http://tulp2g.sourceforge.net
- The TULP2G download page: https://sourceforge.net/projects/tulp2g/files/
MOBILedit Forensic is a commercial forensic software by the company Compelson. It is updated regularly. This program can extract data from phones, smartphones, and SIM cards. As the program developers state, MOBILedit Forensic is a program that allows us to extract data from a phone or SIM card with a minimum number of steps. Also, this program has a unique function on which we will focus in another chapter.
On the MOBILedit download page (http://www.mobiledit.com/download-list/mobiledit-forensic), click on DOWNLOAD. When the downloading process is finished, double-click on the downloaded file of the program and install it. After the first run of the program, you need to enter the license key. If the license key is not entered, the program will work in the trial mode for 7 days.
There are two ways of extracting data from SIM cards with MOBILedit Forensic:
- Extracting data through wizard
- Extracting data through the main window of the MOBILedit Forensic program
In this book, we will focus on the data extraction from SIM card via the main window of the MOBILedit Forensic program.
When you run the program, the information about the connected card reader will appear in the upper left corner of the main window of the MOBILedit Forensic program.
A fragment of the main window
If you click on Connect, the MOBILedit Forensic Wizard will start, through which you can extract data from mobile devices and SIM cards.
Let's now see how to extract the data:
- Click on the image of the card reader. The information about
Answer on Reset(ART) andICCIDof the SIM card will be displayed. If this SIM card is locked, you will be asked to enter the PIN or PUK code.
Fragment of the main window with information about the SIM card
- After entering the PIN or PUK codes, the SIM card will be unlocked and the
Report Wizardoption will appear on the main window. The fact that the examined SIM card was unlocked is indicated by the displayedInternational Code (IMSI), access to which is possible only after entering the correct PIN code.
A fragment of the main window with information about the SIM card
- Click on the
Report Wizard; it will open theMOBILedit Forensic Wizardwindow, which will extract data from the SIM card and generate a report.
- Fill in the fields
Device Label, Device Name, Device Evidence Number, Owner Phone Number, Owner Name,andPhone Notes. Then click on theNextbutton.
Window MOBILedit Forensic Wizard
- The data will be extracted. The extraction status will be displayed in the
MOBILedit Forensic Wizardwindow.
- When the extraction is finished, click on the
Nextbutton. After that,MOBILedit Forensic Wizardwill display the following window:
The MOBILedit Forensic Wizard window
- Click on
New Case. In the opened window, fill in theLabel,Number,Name,E-mail,Phone Number, andNotesfields, and then click on theNextbutton.
The MOBILedit Forensic Wizard window
- In the next window of
MOBILedit Forensic Wizard, select the format in which the report will be generated and click on theFinishbutton.
Final window of MOBILedit Forensic Wizard
A forensic report about the extraction will be generated in the selected format.
MOBILedit Forensics extracts data from the SIM card installed in the card reader that is connected to the expert's computer and generates the report, taking the minimum number of steps. It is useful if there are a lot of mobile devices or SIM cards that have to be investigated, as it speeds up the process of data extraction.
- The MOBILedit Forensics website at http://www.mobiledit.com.
- The MOBILedit Forensics download page at http://www.mobiledit.com/download-list/mobiledit-forensic.
SIMCon is one of the best utilities for a forensic analysis of SIM cards. It had a low price and for government organizations, military, and police, it was provided free of charge. Besides its impressive functionality, SIMCon, from some SIM cards, can extract data protected by PIN code. For example, phonebook.
Despite the fact that the SIMCon project was closed several years ago, the program did not disappear. A new updated version of this program is called Sim Card Seizure. The distribution rights of the program belong to the company Paraben. Also, the functionality of SIMCon is implemented in another product from Paraben--E3: Electronic Evidence Examiner.
The SIMCon project does not have its own address on the internet now. However, the installation software can be found via search engines.You can also download a trial version of Sim Card Seizure from Paraben's website. The limitation of the trial version of Sim Card Seizure is that only the first 20 records of phonebook, calls, messages are displayed.
- Double-click on the program icon and connect the card reader with the SIM card. The program will open the
Enter PINinformation window as shown in the following screenshot:
- In this case, there is no need to enter the PIN code. Click on the
OKbutton to start the data extraction process. The status of the extraction process will be shown in theReading SIM...window:
- If the data is successfully extracted, you will be asked to fill in the
Investigator:,Date / Time:,Case:,Evidence Number:, andNotes:fields in theAcquisition Noteswindow. After filling in the fields, click on theOKbutton:
- Unlike TULP2G and MOBILedit Forensic, SIMCon allows you not only to extract data and generate a report but also to view the extracted data. The following screenshot shows a fragment of the SIMCon window in which we can see SMS messages, including deleted ones, which were extracted from the SIM card:
The Acquisition Notes window
At the bottom of the SIMCon main window, there is a section that displays detailed information about the selected record:
A section of the SIMCon main window with the detailed information about the selected record
The SIMCon program allows viewing the contents of each file. The following screenshot shows the contents of the elementary file (EF_ICCID):
SIMCon extracts data from the SIM card installed in the card reader that is connected to the expert's computer. After this, you can generate a forensic report or analyze the extracted data from the main window of this program.
- The Sim Card Seizure program's website: https://www.paraben-sticks.com/sim-card-seizure.html
- The E3: Electronic Evidence Examiner program's website: https://www.paraben.com/products/e3-universal
Oxygen Forensic is one of the best programs for mobile forensics. This program has a function of SIM card analysis besides its other functions. The program is commercial, but there is a 30-day trial full version, which you can get on request. When the request is accepted, you will receive an email in which you will find a registry key and instructions for downloading the installation software.
Download the Oxygen Forensic (https://www.oxygen-forensic.com/en/). Install it with the help of prompts. Go through the menu path: Service|Enter Key. In the opened License window, enter the license key and click on the Save button. Restart the program.
In order to examine a SIM card, you need to remove it from a mobile device and then install it in the SIM card reader, which has to be connected to the expert's computer. As we mentioned earlier, Microsoft PC/SC drivers are pre-installed on the Windows operating systems meaning that there is no need to install anything else. Now let's see how to use Oxygen Forensic:
- In the Oxygen Forensic program, click on the
Connectdevice button that is located in the toolbar. It will startOxygen Forensic Extractor:
The main window of Oxygen Forensic Extractor
- In the main menu of
Oxygen Forensic Extractor,click on theUICC acquisitionoption. The next window will prompt you to select the connected card reader or it will display an error message:
A card reader connection error message
- If access to a SIM card data is limited by a PIN or PUK code, you will be prompted to enter the appropriate code. The number of available attempts to enter PIN and PUK codes is displayed in the program. If there were no attempts to unlock the SIM card, then there should be 3 attempts to enter the PIN code and 10 attempts to enter the PUK code. After 10 failed attempts to enter the PUK code, the SIM card will be blocked forever. The PUK code can be received from the communication provider through an authorized person.
The SIM card data extraction window
The SIM card data extraction window displays the following:
- Information about the card reader
- Information about the SIM card
- Fields for entering PIN and PUK codes
Enter the SIM card unlock code and click on the Next button.
- In the next window, you can specify additional information about the extraction that will be stored in the case. Also, in this window, you can select the options to save the extracted data from the device:
The Stored extracted physical dump of backup in the device image... option saves the main files from the SIM card.
The Complete UICC image option saves all files from the SIM card. The SIM card files' extraction process may take over 12 hours if you select this option.
The window for entering additional information about the case
- Click on the
Nextbutton. The process of extracting data from the investigated SIM card will start.
The following data can be extracted from the SIM card, including the deleted ones:
- General information about the SIM card
- Contacts
- Calls
- Messages
- Other information
When the process of data importing is finished, the final window of Oxygen Forensic Extractor with summary information about the import will be displayed. Click the Finish button to finish the data extraction.
The extracted data will be available for viewing and analysis.
- At the end of the extraction, the created case can be opened in the
Oxygen Forensicprogram.
Summarized information about the extraction
- Now click on
Messages category.An appropriate section with the extracted data can be viewed in respect of the case.
Viewing Messages section
- Return on the main screen of Oxygen Forensic. Click on
File browsercategory. In theFile browsersection, files that were extracted from the SIM card can be viewed. The analysis of these files contents can be done manually.
Viewing 2FE2 file contents
Oxygen Forensic extracts data from the SIM card installed in the card reader that is connected to the expert's computer. After this, you can generate a forensic report or analyze the extracted data from the main window of this program.
Oxygen Forensic displays the names of files in hex and this can be inconvenient for an expert. The following table shows the correspondence between the standard files' names in hex view and their content:
File name | Description | File name | Description |
3F00 | MF | 6F05 | EF (LP) |
7F10 | DF (TELECOM) | 6F31 | EF (HPLMN) |
7F20 | DF (GSM) | 6F41 | EF (PUCT) |
7F21 | DF (DCS1800) | 6F78 | EF (ACC) |
2FE2 | EF (ICCID) | 6FAE | EF (PHASE) |
6F3A | EF (AND) | 6F07 | EF (IMSI) |
6F3C | EF (SMS) | 6F37 | EF (ACMmax) |
6F40 | EF (MSISDN) | 6F45 | EF (CBM) |
6F43 | EF (SMSS) | 6F7B | EF (FPLMN) |
6F4A | EF (EXT1) | 6F52 | EF (KcGPRS) |
6F3B | EF (FDN) | 6F20 | EF (Kc) |
6F3D | EF (CCP) | 6F38 | EF (SST) |
6F42 | EF (SIMSP) | 6F46 | EF (SPN) |
6F44 | EF (LND) | 6F7E | EF (LOCI) |
6F4B | EF (EXT2) | 6F53 | EF(LOCIGPRS) |
6F74 | EF (BCCH) | 6F30 | EF (PLMNcel) |
6FAD | EF (AD) | 6F54 | EF (SUME) |
