Day 2: SIM Cards + Handsets Flashcards

1
Q
  1. What is a SIM card?
A

A small computer found inside a phone with its own storage which provides access to a provider’s network.

2
Q
  1. What information can a SIM card store?
A

Contacts, SMS messages and call logs.

3
Q

What is the difference between SIM and USIM?

A
  • SIM released in 1991. USIM released in 1998.
  • USIM has larger storage.
  • USIM contact entries typically have more detail (allow for multiple numbers/emails).
4
Q

Can we physically extract data from a SIM card?

A

No - We can only logically read it.

5
Q

Can we create an image of a SIM?

A

No. We can only image SD cards.

6
Q

Name the form factors of an insertable SIM card

A
  • SIM (1FF)
  • mini-SIM (2FF)
  • micro-SIM (3FF)
  • nano-SIM (4FF)
7
Q

Identify the components of the SIM file system.

A
  • Master File (MF): The root of the files.
  • Dedicated File (DF): Equivalent of a SIM directory.
  • Elementary File (EF): Equivalent of a SIM file.
8
Q

What is an embedded SIM (eSIM)?

A

A SIM that is a physical chip soldered onto the PCB of the mobile device. It cannot be inserted or removed like a standard card. It is set up and configured through the phone itself.

9
Q

Name the two identifiers that a SIM card uses.

A

Integrated Circuit Card Identifier (ICCID)

International Mobile Subscriber Identity (IMSI)

10
Q
  1. What does the ICCID do?
  2. How long is an ICCID identifier?
  3. Can an ICCID always be retrieved during a logical read?
  4. Can an ICCID be edited?
  5. Name the components of the following ICCID identifier:

89 44 11 006479304397 1

A
  1. It is a globally unique ID for identifying the SIM card itself.
  2. 19 or 20 digits.
  3. Yes!
  4. No! Therefore it is considered reliable when extracted off a device.
  5. 89 44 11 006479304397 1

89 = Standard telecommunications code.

44 = Country of origin code.

11 = Network provider identifier.

006479304397 = Individual Account Identification Number

1 = Check digit (Validated by Luhn algorithm).

11
Q
  1. What does an International Mobile Subscriber Identity do?
  2. How long is an IMSI?
  3. Is an IMSI always accessible?
  4. Can an IMSI be edited?
  5. Describe the components of the following IMSI identifier:

234 10 3943614733

A
  1. The IMSI uniquely identifies every user of a network.
  2. 15 digits.
  3. No! It’s PIN protected! You need a valid PIN to get in or a PUK from the network provider to reset the PIN!
  4. No! It is considered reliable!
  5. 234 = Mobile country code (MCC)
    10 = Mobile Network Code (MNC)
    3943614733 = Mobile Station Identification Number (MSIN)
12
Q

Can you recover a deleted contact from a SIM?

A

No!

13
Q

Can you recover a deleted SMS message from a SIM?

A

Yes! They are not erased!

14
Q

What happens when a message goes over the character limit for SMS messages on a SIM card?

A

Any text over the character limit is sent as an additional SMS/SMSs

15
Q

What is the difference between SIM and USIM call logs?

A

SIM has no date, time or duration data available.

USIM tracks made, missed and received calls with date, time and duration data.

16
Q
  1. What is the Mobile Station International Subscriber Identifier (MSISID) for?
  2. How long is the MSISID?
  3. Is the MSISID reliable?
  4. Where can we validate the MSISID? What information do we need to do this?
A
  1. It uniquely identifies each device within a network provider’s GSM network. It links the user, their device and the network together.
  2. 11 digits.
  3. No! It can be changed!
  4. We can verify the MSISID against the network provider. We will need to provide them with the ICCID and IMSI to do this.
17
Q

How long is a SIM PIN code?

A

4-8 digits.

18
Q

How many attempts do you get to correctly enter a SIM PIN?

A

3 guesses.

19
Q

What is the purpose of the Personal Unblocking Key (PUK) and who has access to it?

A

To reset a SIM PIN password in the event it is forgotten and the user is locked out. Network providers will hold this.

20
Q

How long is a PUK key?

A

8 digits exactly.

21
Q

How many attempts is a user permitted for PUK key entry?

A
  1. The card is disabled when this limit is exceeded.
22
Q

Why would we clone a SIM?

A

A device we want to perform an examination on requires a SIM to operate. However, a fully functioning SIM means we can’t have network isolation. Instead, we satisfy both by providing a non-functional SIM which does not send or receive data, but which tricks the phone into believing it is the same SIM by using the same ICCID and IMSI. Use of the same values is important as we don’t want to lose the call logs!

23
Q

What does an International Mobile Equipment Identifier (IMEI) do?

A

It uniquely identifies the mobile handset.

24
Q

The number of IMEIs on a device corresponds to:

A

The number of SIM cards installable on the device.

25
Q

How many digits is an IMEI?

A

15

26
Q

Break down the following IMEI code into its components:

35230001 578604 7

A

3523001 = Type Allocation Code (TAC). This includes make, model and country of origin.

578604 = Serial Number (SNR)

7 = Check digit (Luhn Algorithm)

27
Q

Is an IMEI reliable?

A

No! It can be reprogrammed. Double check with the network provider if in any doubt!

28
Q

What are the interfaces for a logical extraction of a handset?

A
  • Cable.
  • Bluetooth.
  • WiFi.
  • Infrared.
29
Q
  1. Does the interface for a logical read affect the speed of the transfer?
  2. Does the interface for a logical read affect the amount of data recovered?
A
  1. Yes. Cable is typically fastest.
  2. Yes. Some may extract more or less than each other!
30
Q

What is the chipset within the device?

A

It’s the PCB board, processor and mounted chip components (i.e. WiFi, storage, GPS, sensors) that allow the phone to function.

31
Q

How can we use a chipset profile to help us logically read data from a device?

A

Some tools use generic chipset read profiles which can sometimes retrieve data when all other avenues have failed.

32
Q

What considerations need to be made when attempting to extract data from modern smartphones?

A
  • Security is advanced (PINs, Biometrics, Passwords). We may not always have direct access in.
  • The amount of data stored on a phone these days is huge. There might be a lot to extract + long waits if the device has storage of around 500Gb - 1TB.
  • Smartphone connectivity is significant. Network isolation should be achieved to avoid violating ACPO principle 1 (remote wipe or interception). We should be competent enough to do this and log when we isolate to satisfy ACPO 2 and 3.
  • Encryption is common in new devices which renders physical reads impossible if no decryption key can be found.
33
Q

Order these in order of most data retrieved from extraction (Least to most):

Physical
Logical,
Full File System,

A

Logical
Full File System
Physical.

34
Q

How can an IMEI be recovered? (3 answers)

A
  • Dial *#06# on a device
  • Via logical extraction.
  • Check the app settings.