Mobile Forensics Cookbook

By Igor Mikhaylov

About this book

Considering the emerging use of mobile phones, there is a growing need for mobile forensics. Mobile forensics focuses specifically on performing forensic examinations of mobile devices, which involves extracting, recovering and analyzing data for the purposes of information security, criminal and civil investigations, and internal investigations.

Mobile Forensics Cookbook starts by explaining SIM card acquisition and analysis using modern forensics tools. You will discover the different software solutions that enable digital forensic examiners to quickly and easily acquire forensic images. You will also learn about forensic analysis and acquisition on Android, iOS, Windows Mobile, and BlackBerry devices. Next, you will understand the importance of cloud computing in the world of mobile forensics and the different techniques available to extract data from the cloud. Going through the fundamentals of SQLite and Plist forensics, you will learn how to extract forensic artifacts from these sources with appropriate tools.

By the end of this book, you will be well versed in the advanced mobile forensics techniques that will help you perform the complete forensic acquisition and analysis of user data stored in different devices.

Publication date: December 2017
Publisher: Packt
Pages: 302
ISBN: 9781785282058

 

Chapter 1. SIM Card Acquisition and Analysis

In this chapter, we'll cover the following recipes:

  • SIM card acquisition and analysis with TULP2G
  • SIM card acquisition and analysis with MOBILedit Forensics
  • SIM card acquisition and analysis with SIMCon
  • SIM card acquisition and analysis with Oxygen Forensic
 

Introduction


The main function of a SIM card is the identification of a user of a cellular phone on the network so that they can get access to its services.

The following types of data, which are valuable for an expert or investigator, can be found in the SIM card:

  • Information related to the services provided by the mobile operator
  • Phonebook and information about calls
  • Information about messages exchanged
  • Location information

Initially, SIM cards were almost the only source of data about the contacts of the mobile device owner, as the phonebook, calls, and messages could be found only in their memory. Later, the storage of this data was relocated to the mobile device's memory, and SIM cards began to be used only to identify subscribers in cellular networks. This is why some developers of forensic tools for the examination of mobile devices decided not to include a SIM card examination function in their products. However, today there are a lot of cheap phones (often called "Chinese phones") with limited memory capacity. In these phones, part of the phone owner's data is stored on the SIM card. This is why the forensic examination of SIM cards remains relevant.

A SIM card is a regular smart card. It contains the following main components:

  • Processor
  • RAM
  • ROM
  • EEPROM
  • A file system
  • Controller I/O

In practice, we come across two kinds of SIM cards: with six and with eight contacts on the contact pad. This is because two of the contacts do not directly interact with the phone (smartphone), and their absence decreases the area occupied by the SIM card when it is placed in the mobile device.

SIM cards can use three types of supply voltage (VCC): 5 V, 3.3 V, 1.8 V. Each card has a particular supply voltage.

SIM cards have overvoltage protection. This is why, when a SIM card with a 3.3 V supply voltage is placed in a card reader that can operate only with a 5 V supply voltage (old models), neither the information nor the SIM card is damaged, but it will be impossible to work with this SIM card. As such, an expert may think that the SIM card is faulty. However, it is not so.

Examining a SIM card before extracting data from the mobile device in which it is installed is unreasonable, as the user's data stored in the memory of the mobile device can be reset or deleted during the process of removing the SIM card.

For analysis, a SIM card has to be removed from the mobile device and connected to the expert's computer via a specific device: a card reader.

Based on the previously mentioned information about SIM cards, we can figure out the main requirements for a card reader with which an expert can comfortably examine SIM cards:

  • The card reader device has to support smart cards with supply voltage of 5 V, 3.3 V, and 1.8 V.
  • The card reader device has to support smart cards with six and eight contacts on the contact pads.
  • The card reader device has to support the Microsoft PC/SC protocol. Drivers for this kind of device are pre-installed on all versions of the Windows operating system. This is why there is no need to install additional drivers in order to connect such devices to the expert's computer.

The following image shows an example of such a card reader:

SIM cards reader produced by «ASR» company, model «ACR38T».

Although there are card readers designed specifically for reading data from SIM cards, card readers designed for standard-size cards (the size of a bank card) can also be used. To work comfortably with these devices, a blank card is used, to which the SIM card is attached with some small pieces of tape.

This is how a SIM card attached to a blank card of bank-card size looks.

 

SIM card acquisition and analysis with TULP2G


TULP2G is a free tool developed by the Netherlands Forensic Institute for the forensic examination of SIM cards and cellular phones. Unfortunately, this program has not been updated for a long time. However, it can be used for data acquisition and analysis of very old cellular phones and SIM cards.

Getting ready

On the TULP2G download page (https://sourceforge.net/projects/tulp2g/files/), select the TULP2G-installer-1.4.0.4.msi file and download it. At the time of writing this, the most up-to-date version is 1.4.0.4. When the download is finished, double-click on this file. The installation process of the program will be started.

Note

If TULP2G is installed on the Windows XP operating system, you need to install Microsoft .NET Framework 2.0 and Windows Installer 3.1 before installing TULP2G. Both can be downloaded from the Microsoft Corporation website.

How to do it...

  1. When the program is launched, click on the Open Profile... button:

The main window of the TULP2G program

  2. In the opened window, you will find profiles, one of which has to be loaded in the program. Select the TULP2G.Profile.SIM-Investigation profile, and then click on Open.

Data extraction profiles of TULP2G

  3. In the Case/Investigation Settings window, fill in the fields: Case Name, Investigator Name, and Investigation Name. This information will be used later in the preparation of the report by TULP2G.

The Case/Investigation Settings window

  4. In the next window, TULP2G - SIM card, set the Communication Plug-in field to PC/SC chip card communication [1.4.0.3] and the Protocol Plug-in field to SIM/USIM chip card data extraction [1.4.0.7]. If the examined SIM card has a PIN or PUK code, enter it by clicking on the Configure button, which is located next to the Protocol Plug-in field.

Window TULP2G - SIM card.

Note

Reading data from the examined SIM card will not be possible if the PIN or PUK code is not entered.

  5. Click on the Run button. The process of data extraction from the SIM card will begin. The progress of extraction can be seen in the progress bar.

The progress bar.

  6. When the data is extracted from the SIM card, you can conduct a new extraction or generate a report about the extraction that has been performed. To generate the report, go to the Report tab. In the Report Name field, enter the name of the report; in the Export Plug-in and Selected Conversion Plug-in(s) fields, select plugins that will be used for the report generation. In the Selected Investigation(s) field, select those extractions for which you want to generate the report, and then click on Run.

The options window for the report generation

  7. When the report generation process is finished, there will be two files, in HTML and XML formats. The HTML file can be opened with any web browser.

A fragment of the report

These files contain information (a phonebook, text messages, calls, and so on) that was extracted from the examined SIM card. It can be viewed and analyzed.

How it works...

TULP2G extracts data from the SIM card installed in the card reader, which is connected to the expert's computer, and generates a report. During the verification process, the MD5 and SHA1 hashes of the image and the source are compared.


SIM card acquisition and analysis with MOBILedit Forensics


MOBILedit Forensic is commercial forensic software from the company Compelson. It is updated regularly. This program can extract data from phones, smartphones, and SIM cards. As the program developers state, MOBILedit Forensic allows us to extract data from a phone or SIM card with a minimum number of steps. Also, this program has a unique function on which we will focus in another chapter.

Getting ready

On the MOBILedit download page (http://www.mobiledit.com/download-list/mobiledit-forensic), click on DOWNLOAD. When the downloading process is finished, double-click on the downloaded file of the program and install it. After the first run of the program, you need to enter the license key. If the license key is not entered, the program will work in the trial mode for 7 days.

How to do it...

There are two ways of extracting data from SIM cards with MOBILedit Forensic:

  1. Extracting data through wizard
  2. Extracting data through the main window of the MOBILedit Forensic program

In this book, we will focus on the data extraction from SIM card via the main window of the MOBILedit Forensic program.

When you run the program, the information about the connected card reader will appear in the upper left corner of the main window of the MOBILedit Forensic program.

A fragment of the main window

If you click on Connect, the MOBILedit Forensic Wizard will start, through which you can extract data from mobile devices and SIM cards. Let's now see how to extract the data:

  1. Click on the image of the card reader. The information about the Answer to Reset (ATR) and ICCID of the SIM card will be displayed. If this SIM card is locked, you will be asked to enter the PIN or PUK code.

Fragment of the main window with information about the SIM card

  2. After entering the PIN or PUK codes, the SIM card will be unlocked and the Report Wizard option will appear on the main window. The fact that the examined SIM card was unlocked is indicated by the displayed International Mobile Subscriber Identity (IMSI), access to which is possible only after entering the correct PIN code.

A fragment of the main window with information about the SIM card

  3. Click on the Report Wizard; it will open the MOBILedit Forensic Wizard window, which will extract data from the SIM card and generate a report.
  4. Fill in the fields Device Label, Device Name, Device Evidence Number, Owner Phone Number, Owner Name, and Phone Notes. Then click on the Next button.

Window MOBILedit Forensic Wizard

  5. The data will be extracted. The extraction status will be displayed in the MOBILedit Forensic Wizard window.
  6. When the extraction is finished, click on the Next button. After that, MOBILedit Forensic Wizard will display the following window:

The MOBILedit Forensic Wizard window

  7. Click on New Case. In the opened window, fill in the Label, Number, Name, E-mail, Phone Number, and Notes fields, and then click on the Next button.

The MOBILedit Forensic Wizard window

  8. In the next window of MOBILedit Forensic Wizard, select the format in which the report will be generated and click on the Finish button.

Final window of MOBILedit Forensic Wizard

A forensic report about the extraction will be generated in the selected format.

How it works...

MOBILedit Forensics extracts data from the SIM card installed in the card reader that is connected to the expert's computer and generates the report, taking the minimum number of steps. It is useful if there are a lot of mobile devices or SIM cards that have to be investigated, as it speeds up the process of data extraction.


SIM card acquisition and analysis with SIMCon


SIMCon is one of the best utilities for the forensic analysis of SIM cards. It had a low price, and for government organizations, military, and police it was provided free of charge. Besides its impressive functionality, SIMCon can extract data protected by a PIN code (for example, the phonebook) from some SIM cards.

Despite the fact that the SIMCon project was closed several years ago, the program did not disappear. A new updated version of this program is called Sim Card Seizure. The distribution rights of the program belong to the company Paraben. Also, the functionality of SIMCon is implemented in another product from Paraben, E3: Electronic Evidence Examiner.

Getting ready

The SIMCon project does not have its own address on the internet now. However, the installation software can be found via search engines. You can also download a trial version of Sim Card Seizure from Paraben's website. The limitation of the trial version of Sim Card Seizure is that only the first 20 records of the phonebook, calls, and messages are displayed.

How to do it...

  1. Double-click on the program icon and connect the card reader with the SIM card. The program will open the Enter PIN information window as shown in the following screenshot:

  2. In this case, there is no need to enter the PIN code. Click on the OK button to start the data extraction process. The status of the extraction process will be shown in the Reading SIM... window:

  3. If the data is successfully extracted, you will be asked to fill in the Investigator:, Date / Time:, Case:, Evidence Number:, and Notes: fields in the Acquisition Notes window. After filling in the fields, click on the OK button:

  4. Unlike TULP2G and MOBILedit Forensic, SIMCon allows you not only to extract data and generate a report but also to view the extracted data. The following screenshot shows a fragment of the SIMCon window in which we can see SMS messages, including deleted ones, which were extracted from the SIM card:

The Acquisition Notes window

At the bottom of the SIMCon main window, there is a section that displays detailed information about the selected record:

A section of the SIMCon main window with the detailed information about the selected record

The SIMCon program allows viewing the contents of each file. The following screenshot shows the contents of the elementary file (EF_ICCID):

How it works...

SIMCon extracts data from the SIM card installed in the card reader that is connected to the expert's computer. After this, you can generate a forensic report or analyze the extracted data from the main window of this program.
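
Deleted SMS messages can show up in such a listing because, on many cards and handsets, deleting a message only resets the status byte of its 176-byte record in EF (SMS), file 6F3C, to "free" and leaves the remaining bytes in place. The following is an added example, not code from the book or from SIMCon: it classifies the records of a raw EF (SMS) dump on that assumption and decodes received messages, using the record layout from GSM 11.11. The sample dump, numbers, and texts are constructed.

```python
RECORD_LEN = 176  # EF_SMS (6F3C) record: 1 status byte + 175 bytes of data
STATUS = {1: "received, read", 3: "received, unread", 5: "sent", 7: "to be sent"}

def swapped_bcd(data: bytes) -> str:
    """Decode nibble-swapped BCD digits, dropping trailing 0xF filler."""
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in data).rstrip("F")

def unpack_gsm7(data: bytes, septets: int) -> str:
    """Unpack GSM 7-bit packed text. Simplification: only letters, digits and
    space are mapped; every other code of the GSM alphabet is shown as '?'."""
    bits = int.from_bytes(data, "little")
    chars = (chr((bits >> (7 * i)) & 0x7F) for i in range(septets))
    return "".join(c if c.isalnum() or c == " " else "?" for c in chars)

def parse_deliver(body: bytes) -> dict:
    """Parse SMSC address + SMS-DELIVER TPDU (7-bit text, no user data header).
    Anything else is returned as hex for manual review."""
    tpdu = 1 + body[0]                              # SMSC length byte counts what follows it
    end = tpdu + 3 + (body[tpdu + 1] + 1) // 2      # sender length is given in digits
    if body[tpdu] & 0x03 or body[end + 1] != 0x00:  # not SMS-DELIVER or not 7-bit
        return {"raw": body.rstrip(b"\xff").hex()}
    ts = swapped_bcd(body[end + 2:end + 8])         # YYMMDDhhmmss (time zone byte skipped)
    udl = body[end + 9]                             # user data length in septets
    return {
        "smsc": swapped_bcd(body[2:tpdu]),
        "sender": swapped_bcd(body[tpdu + 3:end]),
        "timestamp": "{}-{}-{} {}:{}:{}".format(*(ts[i:i + 2] for i in range(0, 12, 2))),
        "text": unpack_gsm7(body[end + 10:end + 10 + (udl * 7 + 7) // 8], udl),
    }

def parse_ef_sms(dump: bytes) -> list:
    """Classify every record; a 'free' record with leftover bytes is a deleted SMS."""
    found = []
    for n in range(len(dump) // RECORD_LEN):
        rec = dump[n * RECORD_LEN:(n + 1) * RECORD_LEN]
        status, body = rec[0] & 0x07, rec[1:]
        if status == 0 and body.count(0xFF) == len(body):
            continue                                # never used or wiped: nothing to recover
        state = "deleted" if status == 0 else STATUS.get(status, "unknown")
        try:
            msg = parse_deliver(body)
        except IndexError:                          # partly overwritten record
            msg = {"raw": body.rstrip(b"\xff").hex()}
        found.append({"record": n + 1, "state": state, **msg})
    return found

def _record(status: int, pdu_hex: str) -> bytes:
    """Build one constructed record, padded with 0xFF like an unused tail."""
    return bytes([status]) + bytes.fromhex(pdu_hex).ljust(RECORD_LEN - 1, b"\xff")

# Constructed sample: one read message, one deleted message, one empty record.
_HDR = "059121436587" "04"            # SMSC 12345678, first octet of SMS-DELIVER
_TS = "0000" "71211001020300"         # PID, DCS, time stamp 17-12-01 10:20:30
SAMPLE_DUMP = (
    _record(0x01, _HDR + "089155052143" + _TS + "05E8329BFD06")
    + _record(0x00, _HDR + "089155058967" + _TS + "04F4F29C0E")
    + _record(0x00, "")
)

if __name__ == "__main__":
    for message in parse_ef_sms(SAMPLE_DUMP):
        print(message)
```

Records holding sent messages (SMS-SUBMIT) and texts in other encodings are not decoded here; they are returned as hex so that nothing is dropped from the listing.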


SIM card acquisition and analysis with Oxygen Forensic


Oxygen Forensic is one of the best programs for mobile forensics. Besides its other functions, this program has a SIM card analysis function. The program is commercial, but there is a 30-day full trial version, which you can get on request. When the request is accepted, you will receive an email in which you will find a license key and instructions for downloading the installation software.

Getting ready

Download Oxygen Forensic (https://www.oxygen-forensic.com/en/) and install it by following the prompts. Go through the menu path: Service|Enter Key. In the opened License window, enter the license key and click on the Save button. Restart the program.

How to do it...

In order to examine a SIM card, you need to remove it from a mobile device and then install it in the SIM card reader, which has to be connected to the expert's computer. As we mentioned earlier, Microsoft PC/SC drivers are pre-installed on the Windows operating systems, meaning that there is no need to install anything else. Now let's see how to use Oxygen Forensic:

  1. In the Oxygen Forensic program, click on the Connect device button that is located in the toolbar. It will start Oxygen Forensic Extractor:

The main window of Oxygen Forensic Extractor

  2. In the main menu of Oxygen Forensic Extractor, click on the UICC acquisition option. The next window will prompt you to select the connected card reader or it will display an error message:

A card reader connection error message

  3. If access to the SIM card data is limited by a PIN or PUK code, you will be prompted to enter the appropriate code. The number of available attempts to enter PIN and PUK codes is displayed in the program. If there were no attempts to unlock the SIM card, then there should be 3 attempts to enter the PIN code and 10 attempts to enter the PUK code. After 10 failed attempts to enter the PUK code, the SIM card will be blocked forever. The PUK code can be received from the communication provider through an authorized person.

The SIM card data extraction window

The SIM card data extraction window displays the following:

  • Information about the card reader
  • Information about the SIM card
  • Fields for entering PIN and PUK codes

Enter the SIM card unlock code and click on the Next button.

  4. In the next window, you can specify additional information about the extraction that will be stored in the case. Also, in this window, you can select the options to save the extracted data from the device:

The Stored extracted physical dump of backup in the device image... option saves the main files from the SIM card.

The Complete UICC image option saves all files from the SIM card. The SIM card files' extraction process may take over 12 hours if you select this option.

The window for entering additional information about the case

  5. Click on the Next button. The process of extracting data from the investigated SIM card will start.

The following data can be extracted from the SIM card, including deleted data:

  • General information about the SIM card
  • Contacts
  • Calls
  • Messages
  • Other information

When the process of data importing is finished, the final window of Oxygen Forensic Extractor with summary information about the import will be displayed. Click the Finish button to finish the data extraction.

The extracted data will be available for viewing and analysis.

  6. At the end of the extraction, the created case can be opened in the Oxygen Forensic program.

Summarized information about the extraction

  7. Now click on the Messages category. The corresponding section with the data extracted for the case can be viewed.

Viewing Messages section

  8. Return to the main screen of Oxygen Forensic. Click on the File browser category. In the File browser section, files that were extracted from the SIM card can be viewed. The contents of these files can be analyzed manually.

Viewing 2FE2 file contents

How it works...

Oxygen Forensic extracts data from the SIM card installed in the card reader that is connected to the expert's computer. After this, you can generate a forensic report or analyze the extracted data from the main window of this program.

There's more...

Oxygen Forensic displays the names of files in hex and this can be inconvenient for an expert. The following table shows the correspondence between the standard files' names in hex view and their content:

File name   Description      File name   Description
3F00        MF               6F05        EF (LP)
7F10        DF (TELECOM)     6F31        EF (HPLMN)
7F20        DF (GSM)         6F41        EF (PUCT)
7F21        DF (DCS1800)     6F78        EF (ACC)
2FE2        EF (ICCID)       6FAE        EF (PHASE)
6F3A        EF (ADN)         6F07        EF (IMSI)
6F3C        EF (SMS)         6F37        EF (ACMmax)
6F40        EF (MSISDN)      6F45        EF (CBM)
6F43        EF (SMSS)        6F7B        EF (FPLMN)
6F4A        EF (EXT1)        6F52        EF (KcGPRS)
6F3B        EF (FDN)         6F20        EF (Kc)
6F3D        EF (CCP)         6F38        EF (SST)
6F42        EF (SMSP)        6F46        EF (SPN)
6F44        EF (LND)         6F7E        EF (LOCI)
6F4B        EF (EXT2)        6F53        EF (LOCIGPRS)
6F74        EF (BCCH)        6F30        EF (PLMNsel)
6FAD        EF (AD)          6F54        EF (SUME)
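
Analyzing these files manually means decoding their raw bytes. The following added example (not code from the book or from Oxygen Forensic) decodes three of the files listed above, 2FE2, 6F07, and 6F7E, using the encodings defined in GSM 11.11; it goes slightly beyond the table by showing the content layout as well as the names. The sample bytes are constructed and use the test network code MCC 001 / MNC 01.

```python
# File IDs and names taken from the table above (subset).
EF_NAMES = {"2FE2": "EF (ICCID)", "6F07": "EF (IMSI)",
            "6F7E": "EF (LOCI)", "6F40": "EF (MSISDN)"}
UPDATE_STATUS = {0: "updated", 1: "not updated", 2: "PLMN not allowed",
                 3: "location area not allowed"}

def swapped_bcd(data: bytes) -> str:
    """Each byte holds two digits with the nibbles swapped (low nibble first)."""
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in data)

def decode_iccid(raw: bytes) -> str:
    """2FE2: 10 bytes of nibble-swapped BCD; 0xF pads an odd digit count."""
    return swapped_bcd(raw).rstrip("F")

def decode_imsi(raw: bytes) -> str:
    """6F07: length byte, then nibble-swapped digits. The first decoded nibble
    carries parity/type flags, not an IMSI digit, so it is dropped."""
    length = raw[0]
    if not 1 <= length <= 8 or len(raw) < 1 + length:
        raise ValueError("malformed EF (IMSI)")
    return swapped_bcd(raw[1:1 + length])[1:].rstrip("F")

def decode_loci(raw: bytes) -> dict:
    """6F7E: TMSI(4) | LAI(5) | TMSI time(1) | location update status(1)."""
    if len(raw) != 11:
        raise ValueError("EF (LOCI) must be 11 bytes")
    d = swapped_bcd(raw[4:7])          # nibble order: MCC1 MCC2 MCC3 MNC3 MNC1 MNC2
    mnc = d[4:6] + (d[3] if d[3] != "F" else "")
    return {"tmsi": raw[0:4].hex().upper(), "mcc": d[0:3], "mnc": mnc,
            "lac": int.from_bytes(raw[7:9], "big"),
            "status": UPDATE_STATUS.get(raw[10] & 0x07, "reserved")}

DECODERS = {"2FE2": decode_iccid, "6F07": decode_imsi, "6F7E": decode_loci}

def decode_files(files: dict) -> dict:
    """Map {file ID: raw bytes} to {name: decoded value}. Files without a
    decoder, or with malformed content, fall back to a hex string."""
    out = {}
    for fid, raw in files.items():
        name = EF_NAMES.get(fid.upper(), fid)
        try:
            out[name] = DECODERS[fid.upper()](raw)
        except (KeyError, ValueError, IndexError):
            out[name] = raw.hex().upper()
    return out

# Constructed sample contents, as they would be copied from a file browser.
SAMPLE = {
    "2FE2": bytes.fromhex("980001214365870921F3"),
    "6F07": bytes.fromhex("080910101032547698"),
    "6F7E": bytes.fromhex("A1B2C3D400F11012340000"),
    "6F40": bytes.fromhex("FFFF"),
}

if __name__ == "__main__":
    for name, value in decode_files(SAMPLE).items():
        print(f"{name:12} {value}")
```

EF (LOCI) is the file behind the "Location information" item in the chapter introduction: it holds the location area the card was last registered in.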


About the Author

  • Igor Mikhaylov

    Igor Mikhaylov has been working as a forensics expert for 21 years. During this time, he has attended a lot of seminars and training classes in top forensic companies (such as Guidance Software, AccessData, and Cellebrite) and forensic departments of government organizations in the Russian Federation. He has experience and skills in computer forensics, incident response, cellphone forensics, chip-off forensics, malware forensics, data recovery, digital image analysis, video forensics, big data, and other fields. He has worked on several thousand forensic cases. When he works on a forensic case, he examines evidence using in-depth, industry-leading tools and techniques. He uses forensic software and hardware from leaders in the forensics industry. He has written three tutorials on cellphone forensics and incident response for Russian-speaking forensics experts.

    He is the reviewer of Windows Forensics Cookbook by Oleg Skulkin and Scar de Courcier, Packt Publishing.

Latest Reviews

(2 reviews total)
The contents covered in this book are rather shallow. I wonder if this has to do with the reputation Packt has for creaming off an excessive amount from the authors.
Everything was as expected