Sim Forensics: Part 2

Wed, 06/15/2011 - 2:58pm
John J. Barbara

The previous column included a partial listing of the data or information that may reside on a SIM card, all of which could have potential probative value in an investigation. This data or digital evidence is scattered throughout the Elementary Files (EF). Although a thorough discussion of all the potential evidence that could be on a SIM card is beyond the scope of this column, some of that information will be discussed in this and a future column.

A. Service Related Information

Every SIM card is uniquely identified by its Integrated Circuit Card ID (ICCID) which is comprised of either nineteen or twenty digits. It is normally printed on the SIM card itself. The numbering of ICCIDs is based upon ITU-T recommendation E.118. A nineteen digit ICCID includes the Issuer Identification Number (IIN), the Individual Account Identification, and a single “Check Digit” that is used for error detection. Twenty digit ICCIDs have an additional “Checksum” digit. One example of the interpretation of a hypothetical nineteen digit ICCID (89 310 410 10 654378930 1) is shown below.

  • Issuer Identification Number (IIN) - is variable in length up to a maximum of 7 digits:

-The first two digits are fixed and are the Industry Identifier. “89” refers to the Telecommunications Industry.

-The next two or three digits refer to the Mobile Country Code (MCC) as defined by ITU-T recommendation E.164. “310” refers to the United States.

-The next one to four digits refer to the Mobile Network Code (MNC). This is a fixed number for a country or world zone. “410” refers to the operator, AT&T Mobility.

-The next two digits, “10,” pertain to the Home Location Register.

  • Individual Account Information - is variable in length:

-The next nine digits, “654378930” represent the individual account identification number. Every number under one IIN has the same number of digits.

  • Check Digit – the last digit, “1,” is computed from the other 18 digits using the Luhn algorithm.

The International Mobile Subscriber Identity (IMSI) is a fifteen digit code that is used to uniquely identify an individual subscriber on a GSM network. It is stored in the EF(IMSI). IMSI conforms to ITU E.212 and consists of three components, the Mobile Country Code (MCC), the Mobile Network Code (MNC), and the Mobile Subscriber Identity Number (MSIN). An example of interpreting a hypothetical fifteen digit IMSI (302 720 123456789) is shown below:

  • MCC - the first three digits identify the country. “302” refers to Canada.
  • MNC- the next two digits (European Standard) or three digits (North American Standard) identify the operator. “720” refers to Rogers Communications.
  • MSIN - the next nine digits “123456789,” identifies the mobile unit within a carrier’s GSM network.

More than one definition exists for MSISDN. The most common is Mobile Subscriber Integrated Services Digital Network Number. Another definition is Mobile Station International Subscriber Directory Number. The MSISDN can be thought of as a SIM card’s unique telephone number (i.e., the telephone number of the GSM phone). It is stored in the EF(MSISDN). The MSISDN numbering format conforms to ITU-T E.164 and consists of three components, a Country Code (CC), the National Destination Code (NDC), and the Subscriber Number (SN). An example of the MSISDN format is shown below:

  • CC: can be up to 3 digits.
  • NDC: usually 2 or 3 digits.
  • SN: can be up to a maximum 10 digits.

Together, the MSISDN and IMSI are used to identify the mobile subscriber. While an IMSI is uniquely associated with a SIM, a SIM can have different MSISDNs associated with it. Also, the MSISDN is an optional EF and it can be updated by the subscriber.

B. Call Information
1. ADN

Abbreviated Dialing Numbers (ADNs) are stored in the EF(ADN) and are usually generated by the subscriber. Essentially, they are shortcuts for the subscriber’s commonly called numbers. Since ADNs cannot be changed or viewed by the provider, they can be attributed to the user of the phone. How these are described could be helpful in an investigation to link the phone to a suspect.

2. LND
The Last Number Dialed (LND) is stored in EF(LND). What is generally maintained is a listing of the most recent calls. However, SIMs are normally limited in the number of entries they can maintain. If necessary to store additional digits from ADN and LDN, the EF(EXT1) may be used. Depending upon the phone, it is also conceivable that the information may be stored in the handset and not on the SIM. Any numbers that may be present can provide valuable information to an investigator.

C. Messaging Information
Text messaging or Short Message Service (SMS) is an extremely popular method of communication between individuals. Not surprisingly, there are many instances of SMS providing probative information for investigators in criminal proceedings. The maximum size of an SMS is limited to either 160 characters (Latin alphabet) or 70 characters (for other alphabets). Longer messages are broken down by the sending phone and reassembled by the receiving phone. Normally when one user sends a message to another, it is temporarily stored in the Short Message Service Center (SMSC) which handles the SMS for the network. The SMSC provides a “store and forward” functionality. If the recipient’s phone is active, the message is forwarded. If it is not active (switched off), the message is temporarily stored and is only forwarded when the phone becomes active again. In addition to sending an SMS from phone to phone, they can also be sent via a VoIP application such as Skype, from an instant messaging client such as ICQ, or from a Web based application running within a browser.

A SIM’s capacity to store SMS varies. They can also be stored in the phone’s internal memory. The EF(SMS) stores not only the text message, but other useful investigative information about the message, such as the time it was sent, the sender’s phone number, and so forth. Although text messages can be deleted, initially they will still reside on the SIM. The space occupied by the deleted message is marked as free space and becomes available for another message. This is somewhat analogous to what occurs when a file is deleted on a computer. When a new text message is received, it takes the available free space, overwriting the previously deleted message and any unused portion of that free space.

(This discussion will continue in the next Digital Forensic Insider column.)

John J. Barbara owns Digital Forensics Consulting, LLC, providing consulting services for companies and laboratories seeking digital forensics accreditation. An ASCLD/LAB inspector since 1993, John has conducted inspections in several forensic disciplines including Digital Evidence. John is the General Editor for the “Handbook of Digital & Multimedia Forensic Evidence” published by Humana Press. He can be reached at


Share this Story

You may login with either your assigned username or your e-mail address.
The password field is case sensitive.