SIM Forensics: Part 3
The system architecture of a GSM cellular network is very complex. It can generally be divided into three broad parts: the Mobile Station (the cell phone and its SIM), the Base Station Subsystem (which is responsible for handling traffic and signaling between the phone and the Network Switching Subsystem), and the Network Switching Subsystem (which performs the switching of calls between the mobile users and the Public Switched Telephone Network). Phones connect to a GSM network by searching for “cells” within their immediate location. GSM networks have several different “cell” sizes, and depending upon which is being implemented, the coverage area will vary. Regardless of the coverage, a cell phone’s location information could be of significant forensic value.
A. LOCATION INFORMATION
A SIM card contains the LOCI (Location Information) Elemental File which can be found under the GSM Dedicated File (see April/May 2011 Digital Forensic Insider column for information regarding the SIM Card File System). This file contains the Temporary Mobile Subscriber Identity (TMSI), TMSI TIME, Location Area Information/Local Area Identifier (LAI), and the Location Update Status.
1.Temporary Mobile Subscriber Identity (TMSI):
In addition to allowing mobile phones to communicate with each other, the Network Switching Subsystem (NSS) also acts somewhat as a telephone exchange. However, it has additional functionality to deal with the roaming ability of cell phones. A key component of the NSS is the Mobile services Switching Center (MSC) which provides functionality such as registration, location updating, and call routing. When a subscriber roams into the jurisdiction of an MSC, information about the cell phone is stored in a temporary database called the Visitor Location Register (VLR). Since each Base Station in the GSM network is served by one VLR, a subscriber cannot be present in more than one VLR at a time. The VLR assigns the TMSI which ensures privacy since it prohibits tracing of the identity of the subscriber should anyone attempt to intercept the link. The TMSI is assigned for the duration that the subscriber is within the jurisdiction of a particular MSC and combined with the current location area, allows a subscriber to be uniquely identified.
2. Location Area Information/Local Area Identifier (LAI)
The LAI for voice communications is structured hierarchically and uniquely identifies a Location Area (LA) within a GSM network. It consists of three components:
- Mobile Country Code (MCC): consists of three decimal places and is used to identify the country of origin of the SIM card.
- Mobile Network Code (MNC): consists of two decimal places and is used in conjunction with the MCC to identify the SIM card’s network provider.
- Location Area Code (LAC): consists of a maximum of five decimal places.
GSM networks are divided into LAs which are comprised of one or more radio cells. Each of the LAs is uniquely identified within the network by its Location Area Code (LAC). These numbers are stored on the SIM card, thus providing the handset with its location. This also serves as a unique reference for the location of the subscriber as well since the LAI is required before the handset can receive an incoming call. When the subscriber roams into a new LA, the handset also stores the new LAI on the SIM card, adding it to a list of the previous LAIs. After being powered off and then powered back on, the handset will search the list of its stored LAIs until it finds the one it is currently located in, thereby allowing service to resume. Analyzing the SIM card can provide the geographical location(s) where the SIM card, the phone, and the owner of the phone (suspect) may have been.
B. FORENSIC TOOL OVERVIEW
To analyze a SIM card, it is normally removed from the handset and inserted into an appropriate reader. Command directives, called Application Protocol Data Units (APDUs), are sent to the SIM by the tool to extract potential probative evidence that may be present in the SIM file system. The original data on the SIM card is normally preserved by the elimination of write requests to the SIM during its analysis. Extracted data integrity can be maintained by the tool calculating the hash value(s) of the data from the files created and re-verifying as necessary to demonstrate that they remain unchanged. Some SIM tools extract and preserve data better than others. As with any forensic tool, examiners need to thoroughly research those that are available to determine which one(s) meet their needs. Most examiners are aware (or should be) that no one tool will be able to extract all the data from every different type of cell phone or SIM card. Listed below are some tools that examiners commonly use. (Disclaimer: the summarized, edited information is presented alphabetically and should not be interpreted as a competitive ranking. This information was obtained from the cited Web sites and should not be considered as endorsements by Forensic Magazine or the author nor should it be construed that these are the only tools available):
- AccessData Mobile Phone Examiner (MPE) Plus: integrates seamlessly with Forensic Toolkit. Enables advanced reporting to detail phone data [such as] call history, contacts, messages, photos, voice recordings, video files, calendar, tasks, and notes. MPE supports more than 2,500 phones and can be purchased with hardware to include a SIM reader and phone cables. (http://accessdata.com/products/computer-forensics/mobile-phone-examiner).
- Cellebrite (UFED): the UFED family of products is able to extract and analyze data from more than 3,000 phones including smartphones and GPS devices. UFED devices have a built-in SIM reader that allows the device to obtain data such as call logs, phonebooks, SMS, IMSI, and the ICCID. SIM card cloning is also supported. (http://www.cellebrite.com/forensic-products/forensic-products.html?loc=seg).
- EnCase Smartphone Examiner: designed to forensically collect data from smartphone and tablet devices, such as the iPhone and iPad. It can capture evidence from devices that use the Apple iOS, HP Palm OS,Windows Mobile OS, Google Android OS, or RIM Blackberry OS. Can acquire data from Blackberry and iTunes backup files as well as a multitude of SD cards. The evidence can be seamlessly integrated into EnCase Forensic. (http://www.guidancesoftware.com/encase-smartphoneexaminer. htm).
- Data Pilot Secure View Kit: provides both a software and hardware solution which [enables] logical data extraction of the content stored in the mobile phone. Kit includes a universal cable set supporting Motorola (including iDen), Nokia, Samsung, LG, Sanyo, Audiovox, and Sony Ericsson phones. Can acquire cell phone data via USB, Bluetooth, IrDA, or a SIM card reader. (http://www.datapilot.com/productdetail/253/supphones/Notempty).
- MOBILedit! Forensic: analyzes phones via Bluetooth, IrDA, or cable connection; analyzes SIMs through SIM readers and can read deleted messages from the SIM card. (http://www.mobiledit.com/mef-features.htm).
- Paraben’s SIM-Card Seizure: can recover deleted SMS/text messages and perform comprehensive analysis of SIM card data. SIM Card Seizure includes the software as well as a Forensic SIM Card Reader. SIM Card Seizure has Unicode support to read multiple languages such as Arabic, Chinese, and Russian. (http://www.paraben.com/sim-card-seizure.html).
- pySIM: a SIM card management tool capable of creating, editing, deleting, [and performing] backup and restore operations on the SIM Phonebook and SMS records. (http://simreader.sourceforge.net/).
- SIMBrush: can be used to extract all observable memory (the ones that can be explored by means of standard APIs) from SIM/USIM cards compatible with T_0 protocol. Capable of acquiring standard and non-standard files present [on] every SIM card. The output of the program is an XML file representing the SIM/USIM card file system. (http://sites.google.com/site/savolabs/Home/tools).
- Teel Technologies’ SIMIS for SIM/USIM/R-UIM: engineered in accordance with ACPO guidelines to ensure that no data on the SIM is modified during the read process. SIMIS reports are digitally signed with both MD5 and SHA 256 hashes to ensure integrity. A full audit trail is included in the analysis. The SIMIS Mobile Handheld Reader enables users to collect data from multiple SIM cards for on-site analysis or later review using SIMIS PC software. (http://teeltech.com/tt3/simis.asp).
- SIMQuery: a command line tool that retrieves the ICCID and IMSI from a GSM SIM card. A smart card reader that is compatible with the Windows smart card subsystem is needed along with a Plug-in (GSM SIM card size) to ID-1 (ordinary smart card size) adapter card so the SIM card fits into the reader. (http://vidstrom.net/otools/simquery/).
- UndeleteSMS: a command line tool that recovers deleted SMS messages from a GSM SIM card; has the same requirements as the SIMQuery tool. (http://vidstrom.net/stools/undeletesms/).
- XRY Logical & Complete Package with SIM id-Cloner: performs both logical and physical extractions from a device [cell phone]. Specifically designed to assist in the forensic recovery of data from GSM SIM Cards and also provide a 100% secure environment. SIM id-Cloner will allow the creation of a replica of the SIM card found within a mobile device so examiners can enable the operating system without the risk of it making a network connection and changing the data held on the device. (http://www.msab.com/xry/what-is-xry).
John J. Barbara owns Digital Forensics Consulting, LLC, providing consulting services for companies and laboratories seeking digital forensics accreditation. An ASCLD/LAB inspector since 1993, John has conducted inspections in several forensic disciplines including Digital Evidence. John is the General Editor for the “Handbook of Digital& Multimedia Forensic Evidence” published by Humana Press. He can be reached at firstname.lastname@example.org.