Wear leveling: the controller writes to a different place on solid-state media every time so no one area wears out.
Garbage collection: in solid-state media all bits of an erased block are initially set to 1, so a write only clears some of them to 0; the firmware erases stale blocks in the background.
Wear leveling causes the same SMS text to appear in many places in the media.
Garbage collection is programmed into the firmware and you never know when it will happen, so data may exist in a physical extraction on day 1 but be absent in a physical acquisition on day 2 because garbage collection ran between the two acquisitions.
Day 1, Video 3, starting at 41:20: Allen, the English guy, is inaudible except maybe if I use headphones.
Vid 4
SIM [Subscriber Identity Module] cards [V4, 4:30]: has a CPU and stores data; in its own right it's a computer.
Back in 1985 the only place you could store data on a phone was on the SIM, and you still can even
though now much more data is stored elsewhere
SIMs & Salsa by Lee Reiber [now works for Oxygen]. The actual terminology is UICC, Universal Integrated Circuit Card; the SIM is actually an application that runs on the UICC. It can contain SMS, phone numbers, location information and subscriber information. If you examine a new GSM Android phone with no support in your toolset and a passcode on the phone, you can still extract the data from the SIM card even if you can't get the data internal to the phone. Some SIMs don't have a passcode. There are 3 files on that SIM that have valuable forensic info: you can get the subscriber info, get a search warrant [legal service] and get that subscriber's phone log records from their carrier.
May have multiple partitions: GSM, USIM, CSIM [technically incorrect: they are not partitions, they are applications]. The SIM gives backwards compatibility on 2G networks and the USIM gives it on 3G and beyond [typically the info in the SIM and USIM is identical, but sometimes not].
ICCID is the ID of the UICC/SIM; you can't always get it from the card. Nowadays the ICCID is frequently stamped on the outside; it starts with the digits "89".
**On a GSM network each number should be unique and often comes with a unique encryption key.** IMSI: International Mobile Subscriber Identity [decode: mobile country code, [MNC] mobile network code [e.g. AT&T], and the rest of the digits are the unique account identifier].
The telephone number is used to route calls from one network to another; e.g. I am an AT&T customer and I'm calling Brian, a Sprint customer. When I call Brian the system knows the number I'm calling is a Sprint number; when the call hits the Sprint gateway, it looks up its table of subscribers via the IMSI, and they use the IMSI number to locate Brian, not his telephone number. Sometimes you will get a report that has the ICCID and IMSI but not the telephone number. This is because the actual telephone number is not that important for the communication; with phone number portability, when you get a new phone they pull out a new SIM and associate your telephone number to it at the store. The MSISDN is technically the full international dialing number, but you will hear people referring to non-international phone numbers as the MSISDN. You can expect to be cross-examined on this stuff in court.
The IMSI is so important that the networks don't want to reveal it on the network, so they replace it with the TMSI [Temporary Mobile Subscriber Identity] once you are authenticated to the network [TMT: sort of like using the hash of your password instead of the password itself?]. The TMSI usually doesn't come up in court, because it's just a temporary mapping after authentication. Sometimes you will recover a TMSI from a SIM card dump.
The IMSI is the mobile country code, mobile network code, and individual subscriber ID; the mobile country code is [not the same as the international dialing number].
The international dialing number for the UK is 44, but its MCC is [230?]; for the USA the dialing code is 01, but the MCC is 310.
There are websites like www.mcc-mnc.com so you don't need to memorize them [I went there and for the UK it was 234/44].
There is an algorithm and an encryption key that is encoded into the SIM card and also held by the network in an authentication center, so they know that info. When you authenticate to the network, a "rand" [random number] is sent to the SIM card, which encrypts it with the encryption key and sends it back as a signed "srand" [signed randomly generated number]. At the authentication center the same is done, and if the results are the same then you are authenticated to the network, but if they are not the same you are dropped.
It is designed so they don't have to send encryption keys over the air interface.
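The exchange described above, written out with both sides' messages, as an added example that is not from the course notes. HMAC-SHA256 stands in for the operator's SIM algorithm (an assumption; real SIMs run operator-specific A3/A8 variants), and the Ki, IMSI and TMSI values are constructed; the point it shows is that only RAND and the signed response cross the air interface, and that a temporary identity replaces the IMSI after success.

```python
# Added example, not from the course notes: RAND / signed-response challenge-response
# of GSM SIM authentication, plus the TMSI hand-out that follows success.
# HMAC-SHA256 stands in for the operator's A3 algorithm (assumption, not the real one).
import hashlib
import hmac
import os

def a3_stand_in(ki: bytes, rand: bytes) -> bytes:
    """32-bit signed response derived from Ki and RAND; must be one-way."""
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]

class SimCard:
    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki                        # never leaves the card

    def run_gsm_algorithm(self, rand: bytes) -> bytes:
        return a3_stand_in(self._ki, rand)

class AuthCentre:
    def __init__(self):
        self._ki_by_imsi = {}                # same Ki held here, never transmitted
        self.tmsi_to_imsi = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._ki_by_imsi[imsi] = ki

    def challenge(self) -> bytes:
        return os.urandom(16)                # RAND is 128 bits

    def verify(self, imsi: str, rand: bytes, sres: bytes):
        """Recompute the response locally; on match hand out a TMSI, else drop."""
        ki = self._ki_by_imsi.get(imsi)
        if ki is None or not hmac.compare_digest(a3_stand_in(ki, rand), sres):
            return None                      # mismatch: subscriber is dropped
        tmsi = os.urandom(4)                 # temporary identity used from now on
        self.tmsi_to_imsi[tmsi] = imsi
        return tmsi

def authenticate(sim: SimCard, auc: AuthCentre, air: list):
    """Runs the exchange; 'air' collects everything crossing the air interface."""
    rand = auc.challenge()
    air.append(("net->phone", "RAND", rand))
    sres = sim.run_gsm_algorithm(rand)
    air.append(("phone->net", "SRES", sres))
    return auc.verify(sim.imsi, rand, sres)
```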
There is a unique ICCID associated with the SIM card, sometimes stamped on the outside, but not always; it's stored internally and starts with "89" [code for telephony equipment] but may display as "98" in field test mode due to nibble reversal [TMT: like little endian?]. On Vanessa's iPhone it is displayed next to the word "content".
From the SIM you get the IMSI, which identifies the person/subscriber.
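How the raw bytes behind those two identifiers decode, as an added example that is not from the course notes: it shows the "98..." nibble-reversal effect on the stored ICCID, checks the ICCID's check digit, and splits the IMSI into MCC, MNC and subscriber number. The sample byte strings and the two-entry MCC/MNC table are constructed for the demo; a real decoder would consult a full table such as the one at www.mcc-mnc.com.

```python
# Added example, not from the course notes: decoding raw EF_ICCID / EF_IMSI bytes.
# Sample bytes and the MCC/MNC lookup below are constructed for this demo.

def swap_nibbles(raw: bytes) -> str:
    """BCD digits on the card are stored low nibble first; 0xF pads an odd count."""
    digits = []
    for b in raw:
        for nib in (b & 0x0F, b >> 4):      # low nibble is the earlier digit
            if nib != 0xF:
                digits.append(str(nib))
    return "".join(digits)

def luhn_valid(number: str) -> bool:
    """The last ICCID digit is a Luhn check digit over the preceding digits."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def decode_imsi(raw: bytes) -> str:
    """EF_IMSI: byte 0 is the length, then swapped BCD whose first nibble is a
    parity/type indicator rather than a digit, so drop it after swapping."""
    return swap_nibbles(raw[1:1 + raw[0]])[1:]

# constructed lookup; MNC may be 2 or 3 digits, which only a table can resolve
MCC_MNC = {("310", "150"): "AT&T (US)", ("234", "15"): "Vodafone (UK)"}

def split_imsi(imsi: str) -> tuple:
    """Returns (mcc, mnc, subscriber_id); tries a 3-digit then a 2-digit MNC."""
    mcc = imsi[:3]
    for mnc_len in (3, 2):
        mnc = imsi[3:3 + mnc_len]
        if (mcc, mnc) in MCC_MNC:
            return mcc, mnc, imsi[3 + mnc_len:]
    return mcc, imsi[3:5], imsi[5:]          # unknown network: assume 2-digit MNC

# constructed samples: ICCID 8901260123456789011, IMSI 310150123456789
ICCID_RAW = bytes.fromhex("981062103254769810f1")   # reads "98..." before swapping
IMSI_RAW = bytes.fromhex("083901511032547698")

def decode_sim_identity(iccid_raw: bytes = ICCID_RAW, imsi_raw: bytes = IMSI_RAW) -> dict:
    iccid = swap_nibbles(iccid_raw)
    imsi = decode_imsi(imsi_raw)
    return {"iccid_as_stored": iccid_raw.hex(), "iccid": iccid,
            "iccid_check_ok": luhn_valid(iccid), "imsi": imsi,
            "mcc_mnc_msin": split_imsi(imsi)}
```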
iPhone: type *3001#12345#* [then press the dial button]; this puts the iPhone in "field test mode" and gives you a screen showing:
"SIM Info" reads the SIM card and shows the content of the EF files.
There is a similar procedure on an Android phone; if you google "field test mode" on Android you can get that magic series of digits to type.
EF-LOCI = fffffffff1300026 -- location based on the cell tower [referred to as a "mast" in the UK/England].
EF-GPRS/PS-LOCI = d63 -- "general packet radio system" [the data channel] [location based on the switching].
"EF" at the beginning of the string indicates the info is coming from an Elementary File at the base/leaves of the file system tree on the SIM card.
Even if the SIM is locked with a PIN, you can still get the ICCID number [you would not get the IMSI if it's locked and you don't have the PIN].
If asked on the witness stand "what is a SIM card," a good quick answer is "it's a smart card that allows the phone to authenticate to the mobile network."
If you want to sound like a more technically astute expert, you can say, "although everyone refers to them as 'SIM cards,' technically it is a UICC, 'universal integrated circuit card,' and the 'subscriber identity module' is an application that runs on this card. It contains encryption keys that allow the communications between the phone and the cell tower to be encrypted, providing some level of security if the data is intercepted [not military-grade security]."
If you use Cellebrite/FTK to spit out an automated report, make sure you can explain everything on the report without getting flustered, because a defense attorney may cross-examine you on it.
If there's something in the auto report, be sure you can explain it; it's better to take it out than to leave it in and not be able to explain it without getting flustered on the witness stand.
One thing you can do is have a well proof-read glossary at the beginning or end of the report, which you can refer to to refresh your recollection.
Be careful about using location information off of SIM cards: it will normally mean that the card was at that location at some point, but the details depend on how the phone was disconnected from the network. Normally the way it works is that when you are in a particular location and power down the phone normally, the phone writes the location of the last cell tower it was connected to to the SIM card [the idea being that it will speed up the authentication process when you power up the phone again]. If the power is cut off by, say, pulling the battery suddenly, the last tower location may not be written to the SIM [like pulling the cord from the back of a computer].
Nowadays with smartphones most of the info is stored not on the SIM but in the internal memory of the phone.
Card sizes: originally SIMs were as big as a credit card, and that has been referred to as the "standard" size, but nowadays many refer to the "mini" form factor as the "standard" size.
Mini and micro cards have the same size electronics, but the electronics on the nano size are smaller.
You can actually get a SIM card cutter to convert a mini to a micro form factor.
SIM is an application that runs on the UICC and USIM runs on it also [USIM is for 3G and beyond]; you can actually have both the SIM and USIM applications running on the same UICC.
Some phones have 2 SIM card slots; some even have 4 UICC slots.
The gold SIM contacts have to be facing down and the clipped corner facing you.
There are typically 6 contacts on a SIM card [there are 8 on a micro-SD card].
There is only 1 read/write contact, but all 6 must make contact to read from it.
Start Video 5
- CDMA: the key network ID is the MEID/ESN value (from the handset) used to get authenticated on the CDMA network.
- GSM: the key value is the IMSI (from the SIM) used to authenticate to the network. The ICCID gives the handset the phone number and is used for key derivation.
- To prevent data from being deleted, we can copy some of the data from a SIM card ("clone") and create a Radio Isolation Card (RIC) or a Cellular Network Isolation Card (CNIC).
- Once inserted, the mobile device is isolated from the cellular network!
Safety SIM = Radio Isolation Card. Cellebrite uses the term "clone," which is a misnomer, because it actually only copies 2 files off the SIM, the ICCID and the IMSI; none of the other data is copied during the "cloning" procedure. It's important to isolate the phone so the suspect doesn't wipe it remotely, and the wipe can be instantaneous on an iPhone because typically the data is encrypted and the phone has a stored encryption key to make it readable; if the suspect remotely destroys this key, the phone is as good as wiped.
-- Each mobile device forensics tool manufacturer has their own name for this card.
-- Required for the SIM to complete the handshake to get on a cellular network for standard communication:
--ICC-ID
--IMSI
Can't recover file slack for an SMS, i.e. if an SMS is deleted and the new one that takes that space is only half as long, can you get the slack of the old message? Answer: NO, because the rest is filled with 1s, i.e. FFFFFFF. Every time you send an SMS text you send 176 bytes, even if the text message is something short like "Hi"; after the 2-byte message there will be 174 bytes of padding, so you can't recover a longer message that previously occupied that slot, because the padding overwrites it.
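The slot behaviour above, modelled as an added example that is not from the course notes: a record is always written whole and padded with 0xFF, so a reused slot leaves no slack, whereas a slot that was only marked deleted still holds the old bytes. The record layout (one status byte, then message bytes, padded to 176) and the plain-ASCII stand-in for the real packed message bytes are assumptions made for the demo.

```python
# Added example, not from the course notes: why a shorter SMS written into a reused
# EF_SMS slot leaves no recoverable slack, while a deleted-but-unused slot does.
# Layout (1 status byte + message, 0xFF-padded to 176) and ASCII message bytes are
# constructed stand-ins for a real packed TPDU.
RECORD_LEN = 176
PAD = 0xFF

def write_slot(message: bytes, status: int = 0x01) -> bytes:
    """Writing always rewrites the whole 176-byte record, padding with 0xFF."""
    body = bytes([status]) + message
    if len(body) > RECORD_LEN:
        raise ValueError("message does not fit in one EF_SMS record")
    return body + bytes([PAD]) * (RECORD_LEN - len(body))

def delete_slot(record: bytes) -> bytes:
    """Deleting on the card typically only marks the status byte free (0x00)."""
    return b"\x00" + record[1:]

def recover_text(record: bytes) -> bytes:
    """Everything after the status byte up to the first 0xFF padding byte."""
    payload = record[1:]
    end = payload.find(bytes([PAD]))
    return payload if end == -1 else payload[:end]

def slack_after(record: bytes, new_len: int) -> bytes:
    """Bytes beyond the new message that are not padding, i.e. leftover old content."""
    tail = record[1 + new_len:]
    return bytes(b for b in tail if b != PAD)

def demo() -> dict:
    old = write_slot(b"meet at the usual place at nine tonight")
    deleted = delete_slot(old)           # slot freed, old bytes still present
    reused = write_slot(b"Hi")           # same slot rewritten: old bytes are gone
    return {
        "deleted_recoverable": recover_text(deleted),
        "reused_text": recover_text(reused),
        "reused_slack": slack_after(reused, 2),
        "deleted_status_free": deleted[0] == 0x00,
    }
```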
SLIDE 11 ICC-ID
Integrated Circuit Card Identifier (ICC-ID)
-Comprised of 5 parts:
--Industry Code, MCC, MNC, Subscriber Number and a Check Digit
-Printed on the SIM card [stored data MAY differ from what is printed]
2 types of networks: GSM (S/N = IMEI) and CDMA (S/N = ESN & MEID; MEID is newer because they ran out of ESN numbers).
Review: UICC, ICCID [universal integrated circuit card identifier]. GSM network phones MUST have a SIM card.
Holland [Vodafone] is a small country with only 1 gateway switch; it has 3 other local switches. Every call that comes in is checked at the main gateway [lookup on the Home Location Register, with location info for customers within the country]; that's where they get the IMSI from and drop the dialing number; they then use the IMSI to track the call. If I am a Vodafone Holland customer and I turn on my phone, I register to a cell tower within a certain switch area which has a Visitor Location Register, and it records details about everyone in that switch area, and periodically the VLR will update the HLR. If I travel across the country I get disconnected from one switch area and get connected to another switch area.
Visitor location registers are to do with international roaming; they are not;
Telephone number porting, e.g. you leave Sprint and go to AT&T but keep the same telephone number: your number is still associated with Sprint and will be rerouted to AT&T after hitting the Sprint HLR; if you subsequently go to T-Mobile the call will still first go to the Sprint HLR and then reroute to T-Mobile instead of AT&T. People using burner phones may have important contacts on the SIM in the burner phone. Nowadays with regular people using smartphones you usually don't get useful things off a SIM card, but for crooks using burners, SIMs can have important info.
A USIM has more info than a SIM because the USIM has more data storage. Remember the SIM used to only be in GSM phones, but then 4G networks came and now CDMA phones have SIM cards. Most places in the world don't have CDMA, but in the US Verizon is a big CDMA carrier.
[SIM exercise] Doesn't like the term "cloning"; a few years ago, cloning a SIM was a criminal offense, because it was a way to free-ride off another person's phone plan [it used to be a common offense in the UK]. But this type of cloning is different from creating a radio isolation card, which does not copy the authentication data, encryption keys, etc.; law enforcement just creates a RIC: the ICCID and IMSI get dropped onto the new card and all the classes are recreated in that container. There are different classes of SIMs that are used to decide who gets to use a network if it is overloaded, such as during an emergency; apparently a class 1 SIM will get highest priority and usually emergency personnel have those, and the people with lowest priority tend to be the prepaid customers.