
FEATURE PHONE IS A DUMB PHONE AS OPPOSED TO A SMART PHONE

WEAR LEVELING -- WRITE TO A DIFFERENT PLACE ON SOLID STATE MEDIA EVERY TIME SO IT DOESN'T WEAR OUT

GARBAGE COLLECTION --- IN SOLID STATE MEDIA ALL BITS ARE INITIALLY SET TO 1, SO A WRITE JUST CLEARS
SOME OF THEM TO ZERO

WEAR LEVELING CAUSES THE SAME SMS TEXT TO APPEAR IN MANY PLACES IN THE MEDIA

GARBAGE COLLECTION IS PROGRAMMED INTO THE FIRMWARE AND YOU NEVER KNOW WHEN IT WILL HAPPEN, SO DATA MAY
EXIST IN A PHYSICAL EXTRACTION ON DAY 1 BUT BE ABSENT IN A PHYSICAL ACQUISITION ON DAY 2 BECAUSE THERE WAS
A GARBAGE COLLECTION BETWEEN THE 2 ACQUISITIONS

GARBAGE COLLECTION RESETS A WHOLE BLOCK FULL OF PAGES TO "1"

WEAR LEVELING: GOOD FOR FORENSICS

GARBAGE COLLECTION: BAD FOR FORENSICS

GSM MORE POPULAR WORLDWIDE / CDMA MOST POPULAR IN THE USA

*#06# TO GET THE IMEI

DAY 1, VID 3, STARTING AT 41:20 ALLEN THE ENGLISH GUY IS INAUDIBLE EXCEPT MAYBE IF I USE
HEADPHONES

cs: STANDS FOR SERVICE SWITCHING; IT'S THE PHONE #

Vid 4

LTE = Long Term Evolution = GSM standard

MEID = MOBILE EQUIPMENT IDENTIFIER

CDMA --> ESN[ran out of #s, so] --> MEID

GSM --> IMEI [used by the network to bar stolen phones]

Search Warrants sometimes find the box or the receipt

SIM [Subscriber Identity Module] Cards: [V4 -- 4:30] has a CPU, stores data -- in its own right it's a
computer

Back in 1985 the only place you could store data on a phone was on the SIM, and you still can, even
though now much more data is stored elsewhere

SIMS & Salsa by Lee Reiber [now works for Oxygen]. The actual terminology is UICC, Universal Integrated
Circuit Card; SIM is actually an application that runs on the UICC. It can contain SMS, phone #s, location
information, subscriber information. If you examine a new GSM Android phone with no support in your
toolset and a passcode on the phone, you can still extract the data from the SIM card, even if you can't get
data internal to the phone. Some SIMs don't have a passcode. There are 3 files on that SIM that have
valuable forensic info: you can get the subscriber info, get a search warrant [legal service] and get
that subscriber's phone log records from their carrier.

May have multiple partitions: GSM, USIM, CSIM [technically incorrect, they are not partitions, they are
applications]. SIM gives backwards compatibility on 2G networks and the USIM does the same on 3G and
beyond [typically the info in SIM and USIM is identical, but sometimes not].

ICCID is the id of the UICC/SIM; you can't always get it from the card. Nowadays the ICCID is frequently
stamped on the outside -- starts with the digits "89"

**on a GSM network each # should be unique, and often comes with a unique encryption key** IMSI =
International Mobile Subscriber Identity [DECODE: mobile country code, [MNC] mobile network code [e.g.
AT&T], the rest of the digits are the unique account identifier]

The telephone number is used to route calls from one network to another; e.g. I am an AT&T customer and
I'm calling Brian, a Sprint customer. When I call Brian the system knows the number I'm calling is a Sprint
#; when the call hits the Sprint gateway, it looks up its table of subscribers via the IMSI, and they use the
IMSI number to locate Brian, not his telephone #. Sometimes you will get a report that has the ICCID
and IMSI but not the telephone #. This is because the actual telephone # is not that important for the
communication; with phone # portability, when you get a new phone, they pull out a new SIM and
associate your tel # to it at the store. The MSISDN is technically the full international dialing number, but
you will hear people referring to non-international ph #s as the MSISDN. You can expect to be cross
examined on this stuff in court.

The IMSI is so important that the networks don't want to reveal it on the network, so they replace it with
the TMSI [Temporary Mobile Subscriber Identity] once you are authenticated to the network [tmt - sort of
like using the hash of your pw instead of the pw itself?]. The TMSI usually doesn't come up in court, because
it's just a temporary mapping after authentication. Sometimes you will recover a TMSI from a SIM
card dump.

IMSI = mobile country code, mobile network code, and individual subscriber ID; the mobile country code is
[not the same as the international dialing #]

The international dialing # for the UK is 44, but its MCC is [230?]; for the USA the dialing code is 01, but
the MCC is 310. There are websites like www.mcc-mnc.com so you don't need to memorize. [I went there and
for the UK it was 234/44.]

The process of authenticating to a network with a SIM card is as follows:

There is an algorithm and an encryption key encoded into the SIM card, and the same key is held by the
network in an authentication center, so they know that info. When you authenticate to the network, a
"rand" [random #] is sent to the SIM card, which encrypts it with the encryption key and sends it back as
a signed "srand" [signed randomly generated #]. At the authentication center the same is done, and if the
results are the same then you are authenticated to the network; if they are not the same you are dropped.

Designed this way so they don't have to send encryption keys over the air interface.

The calls themselves are encrypted, but not military grade.
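The RAND / signed-response exchange described above, as an added example that is not part of the course notes (what the notes call the signed "srand" is SRES in the GSM specs); it also derives the 64-bit session key Kc that slide 4 mentions, and shows why an isolation card that lacks Ki cannot complete the handshake. The real A3/A8 algorithms are operator secrets held inside the SIM and the AuC, so HMAC-SHA256 stands in for them here; Ki, the IMSI and the subscriber table are constructed.

```python
# Added example, not from the course notes.  HMAC-SHA256 is a stand-in for the
# operator-specific A3/A8 algorithms; Ki and the subscriber table are made up.
import hashlib
import hmac
import os

def a3_a8(ki: bytes, rand: bytes) -> tuple:
    """Stand-in for A3 (32-bit SRES) and A8 (64-bit Kc), both keyed on Ki."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]

class Sim:
    """Ki lives in protected memory; the SIM only ever hands out SRES."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki
        self.kc = None                  # session key, stays on the handset side
    def run_gsm_algorithm(self, rand: bytes) -> bytes:
        sres, self.kc = a3_a8(self._ki, rand)
        return sres

class AuthCentre:
    """Holds the same Ki per IMSI, issues RAND, checks the SRES it gets back."""
    def __init__(self, subscribers: dict):
        self._subscribers = subscribers # IMSI -> Ki
    def challenge(self) -> bytes:
        return os.urandom(16)           # 128-bit RAND, fresh for every attempt
    def verify(self, imsi: str, rand: bytes, sres: bytes) -> bool:
        ki = self._subscribers.get(imsi)
        if ki is None:
            return False                # unknown subscriber
        expected_sres, _kc = a3_a8(ki, rand)
        return hmac.compare_digest(expected_sres, sres)

def authenticate(sim: Sim, auc: AuthCentre) -> bool:
    """Only the IMSI, RAND and SRES cross the air interface; Ki and Kc never do."""
    rand = auc.challenge()
    sres = sim.run_gsm_algorithm(rand)
    return auc.verify(sim.imsi, rand, sres)

# Constructed subscriber: IMSI taken from slide 15, Ki invented for the demo.
IMSI = "310260566789844"
KI = bytes.fromhex("00112233445566778899aabbccddeeff")
AUC = AuthCentre({IMSI: KI})

def demo_real_sim() -> bool:
    return authenticate(Sim(IMSI, KI), AUC)

def demo_isolation_card() -> bool:
    """A RIC carries ICCID and IMSI but not Ki (slide 4); an all-zero Ki stands
    in for 'no Ki' and the handshake fails, which is the point of the card."""
    return authenticate(Sim(IMSI, bytes(16)), AUC)
```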

There is a unique ICCID associated with each SIM card -- sometimes stamped on the outside, but not always;
it's stored internally and starts with "89" [code for telephony equipment] but may display as "98" in field
test mode due to nibble reversal [TMT? like little endian?] -- on Vanessa's iPhone it is displayed next to the
word "content"

From the SIM you get the IMSI, which identifies the person/subscriber

IMEI - identifies equip/handset

iPhone -- type *3001#12345#* [then press the dial button]; this puts the iPhone in "field test mode" and
gives you a screen showing:

"SIM Info" reads the SIM card and shows the content of the EF files

There is a similar procedure on an Android phone; if you google "field test mode" for Android you can
get the magic series of digits to type

ef_fplmn --means plain land mobile network

EF-LOCI = fffffffff1300026 -- location based on the cell tower [referred to as a "mast" in the UK/England]

EF-GPRS/PS-LOCI = d63 -- "general packet radio system" [the data channel] [location based on the
switching]

"EF" at the beginning of the string indicates the info is coming from an Elementary File, at the
base/leaves of the file system tree on the SIM card

Even if the SIM is locked with a PIN, you can still get the ICCID # [you would not get the IMSI if it's locked
and you don't have the PIN]

If asked on the witness stand "what is a SIM card," a good quick answer is "it's a smart card that allows
the phone to authenticate to the mobile network"

If you want to sound like a more technically astute expert, you can say, "although everyone refers to them
as 'SIM cards,' technically it is a UICC, 'universal integrated circuit card', and the 'subscriber identity
module' is an application that runs on this card. It contains the encryption key that allows the
communications between the phone and the cell tower to be encrypted, providing some level of
security if the data is intercepted [not military grade security]."

If you use Cellebrite/FTK to spit out an automated report, make sure you can explain everything on the
report without getting flustered, because a defense attorney may cross-examine you on it.

If there's something in the auto report be sure you can explain it; it's better to take it out than to leave it
in and not be able to explain it without getting flustered on the witness stand.

One thing you can do is have a well proof-read glossary at the beginning or end of the report, which you
can refer to to refresh your recollection.

Be careful about using location information off of SIM cards. It will normally mean that the card was at
that location at some point, but the details depend on how the phone was disconnected from the network.
Normally the way it works is that when you are in a particular location and power down the phone
normally, the phone writes the location of the last cell tower it was connected to to the SIM card [the idea
being that it will speed up the authentication process when you power up the phone again]. If the power
is cut off by, say, pulling the battery suddenly, the last tower location may not be written to the SIM [like
pulling the cord from the back of a computer]

The "ADN" is like an address book stored on the SIM.

Nowadays with smart phones most of the info is stored not on SIM, but in the internal memory of the
phone

Card sizes: originally SIMs were as big as a credit card, and that has been referred to as the "standard"
size, but nowadays many refer to the "mini" form factor as the "standard" size.

mini and micro cards have the same size electronics, but the electronics on the Nano size are smaller.

You can actually get a SIM card cutter to convert a Mini to a Micro form factor.

SIM is an application that runs on the UICC and USIM runs on it also [USIM is for 3g and beyond], you
can actually have both the SIM and USIM applications running on the same UICC.

Some phones have 2 SIM card slots some even have 4 UICC slots

The gold SIM contacts have to be facing down, with the clipped corner facing you.

There are typically 6 contacts for a SIM card, [there are 8 for a micro-SD card]

There is only 1 read/write contact, but all 6 must make contact to read from it.

End of Day 1 Video 4

Start Video 5

SLIDE 1: CDMA vs. GSM

o CDMA — Key Network ID is the MEID/ESN (from the Handset) value used to get authenticated on the
CDMA network.
o GSM — Key Value is the IMSI value (from the SIM) used to authenticate to the network. The ICCID gives
the handset the phone number and is used for key derivation.

CDMA has an MDN - mobile directory number [the telephone # that makes it ring] - and a MIN - Mobile
Identification Number [when they are 1st purchased the #s are usually the same, but if you switch to a
different carrier and get a new ph#, then the MDN will change and so there'll be 2 different #s]

SLIDE 2: SIM Card Isolation

- To prevent data from being deleted, we can copy some of the data from a SIM card (Clone) and
create a Radio Isolation Card (RIC) or a Cellular Network Isolation Card (CNIC).

- Once inserted, the Mobile Device is isolated from the cellular network!

Safety SIM = Radio Isolation Card. Cellebrite uses the term "clone", which is a misnomer, because it actually
only copies 2 files off the SIM, the ICCID # and the IMSI #; none of the other data is copied during
the "cloning" procedure. It's important to isolate the phone so the suspect doesn't wipe it remotely, and
the wipe can be instantaneous on an iPhone because typically the data is encrypted and the phone has a
stored encryption key to make it readable; if the suspect remotely destroys this key, the phone is as
good as wiped.

SLIDE 3 SIM Card Isolation

-- Each Mobile Device Forensics tool manufacturer has their own name for this card

-- Should WIPE prior to writing data to a card.

-- Cards are reusable (up to 10,000 times)

SLIDE 4: SIM Card Isolation

Data that is NOT copied includes:

-- Ki — 128-bit key unique to each SIM

-- KC — 64-bit key (Temporary Session Key)

-- Protected memory space

-- Required for the SIM to complete handshake to get on a cellular network for std. communication.

SLIDE 5: SIM Card Isolation

Data that IS copied includes:

-- ICC-ID

-- IMSI

Can't recover file slack for an SMS, i.e. if an SMS is deleted and the new one that takes that space is only
half as long, can you get the slack of the old msg? Answer: NO, because the rest is filled with 1s, i.e. FFFFFFF.
Every time you send an SMS text you send 176 bytes, even if the text msg is something short like "Hi" --
after the 2-byte msg there will be 174 bytes of padding, so you can't recover a longer msg that previously
occupied that slot, because the padding overwrites it.
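A small model of the SMS slot behaviour described above, added here and not part of the course notes: a SIM SMS record is a fixed 176 bytes, one status byte followed by the message bytes with every unused byte set to 0xFF, so deleting a message leaves its body carvable until the slot is rewritten, and a shorter new message leaves no slack from the old one. The record layout is simplified and the message bytes are constructed, not real SMS TPDUs.

```python
# Added example, not from the course notes.  Simplified EF_SMS record model;
# status byte values and message contents below are constructed.

RECORD_LEN = 176
STATUS_USED = 0x01        # assumed status byte for "received, read"
STATUS_FREE = 0x00        # slot marked free, i.e. "deleted"

def write_record(payload: bytes, status: int = STATUS_USED) -> bytes:
    """A write always produces a full record: status + payload + 0xFF fill."""
    if len(payload) > RECORD_LEN - 1:
        raise ValueError("payload exceeds %d bytes" % (RECORD_LEN - 1))
    return bytes([status]) + payload + b"\xff" * (RECORD_LEN - 1 - len(payload))

def delete_record(record: bytes) -> bytes:
    """Deleting a message on the SIM only clears the status byte; the body stays."""
    return bytes([STATUS_FREE]) + record[1:]

def is_free(record: bytes) -> bool:
    return record[0] == STATUS_FREE

def carve_payload(record: bytes) -> bytes:
    """What a carver can pull from a record: everything before the 0xFF fill.
    (A message whose own last byte happens to be 0xFF would lose that byte.)"""
    return record[1:].rstrip(b"\xff")

def slack_after_reuse(old_msg: bytes, new_msg: bytes) -> bytes:
    """Simulate delete-then-reuse and return any bytes of old_msg still visible."""
    slot = delete_record(write_record(old_msg))   # deleted but still carvable
    assert carve_payload(slot) == old_msg
    slot = write_record(new_msg)                  # reuse rewrites the whole record
    return carve_payload(slot)[len(new_msg):]     # empty: padding overwrote it
```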

SLIDE 6: SIM Card Protection

- To protect a SIM card, there are PINs and PUKs
- PINs are generally set by the user and are 4 numeric digits.
- Once set as active, the user is required to enter the PIN after each power up and locking of the
Mobile Device.

SLIDE 7: SIM Card Protection

- PIN authentication is usually set to 3 attempts. After the 3rd, the PUK will be required to be
entered.
- PUKs can be obtained via warrant from the carrier or may be printed in the user
documentation/card.

SLIDE 9: SIM Card Protection

- After 3 failed PINs you are given 10 PUK attempts. After 10 failed PUK entry attempts, the SIM is
unusable.
- If the PUK is entered correctly, the SIM is unlocked.
- We can create a RIC/CNIC from a PIN or PUK locked SIM!

The customer can put a personal PIN [typically 4 digits] on his SIM card, but the carrier can override the
customer's PIN with a PUK (PIN unblocking key). After 3 attempts on the PIN, you can try the PUK; after
10 failed attempts on the PUK you are SOL. Police can obtain the PUK with a warrant/legal service to the
carrier. The PUK is often written on the back of the plastic sheet that the SIM was originally attached to
[original packaging]. So sometimes when exercising a warrant, the officers can find the original packaging
and get the PUK from that.

SLIDE 10: Q: Ask the class...

T/F: When presented with several SIM cards and a single Mobile Device, inserting any SIM is
acceptable.
T/F Why/Why Not?
FALSE: Don't commingle evidence by inserting several SIMs found with a phone at the scene.

SLIDE 11: Several SIM Cards

- Inserting a "foreign" SIM into a Mobile Device may WIPE data (e.g., Call Logs)!
- Best to do some intelligence to identify the correct SIM or create a RIC.
- Some devices store lists of previously inserted SIMs!

Recommended: if you have a powered-off device, 1st extract the contents of the SIM card, then 2nd create
a Radio Isolation Card, insert that and then do the full extraction with the UFED. Not removing the SIM and
going straight to extraction with the UFED can change the read/write flag on the SIM card from unread to
read.

SLIDE 11 ICC-ID
Integrated Circuit Card Identifier (ICC-ID)
-Comprised of 5 parts:
--Industry Code, MCC, MNC, Subscriber Number and a Check Digit
-Printed on the SIM Card and [stored data MAY differ from what is printed]

SLIDE 12: ICC-ID

89 91 10 1200 00 320451 0
- First 2 are the industry (Telecom)
- Next 2 refer to the Country Code (91 = India).
- Next 2 refer to the network code.

English dude: There is some confusion arising from Canada's use of the ICCID.
Normally it starts off 89 [sometimes this is reversed and it reads "98"].
A USA phone will be 89 01... ("01" is the international dialing code, not the mobile country code, which
is used by some countries [e.g. Canada, which shares the 01 dialing code with the US] to distinguish their
phones from US phones. The mobile country code for Canada equates to the international dialing code
for Greece, so don't get the 2 confused...) However, in 99% of phones it's the industry code of 89 and
then the international dialing #.
THERE IS A WEB SITE THAT WILL TRANSLATE THE ICC-ID FOR YOU

SLIDE 13: ICC-ID Cont.

89 91 10 1200 00 320451
- Next 4 digits refer to month/year of manufacture (Dec 2000).
- Next 2 refer to the switch configuration code (00)
- Next 6 refer to the SIM number (320451)
- Last is a check digit (0)
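Reading an ICCID the way it sits on the card, as an added example that is not part of the course notes: the EF_ICCID file stores the digits as BCD with the two nibbles of each byte swapped (which is why the "89" from the field-test-mode note above shows up as "98" in a raw dump), the last digit is a Luhn check digit (ITU-T E.118), and the fixed 2+2 country/network split is the one the slides use. The sample record is constructed, and the fixed-width split is an assumption to verify against www.mcc-mnc.com, since issuers vary.

```python
# Added example, not from the course notes.  The sample EF_ICCID bytes are
# constructed; the 2-digit country / 2-digit network split follows the slides.

def decode_swapped_bcd(raw: bytes) -> str:
    """Low nibble of each byte is the first digit, high nibble the second.
    0xF nibbles are padding (odd-length ICCIDs) and are dropped."""
    digits = []
    for byte in raw:
        for nibble in (byte & 0x0F, byte >> 4):
            if nibble != 0xF:
                digits.append(str(nibble))
    return "".join(digits)

def luhn_valid(number: str) -> bool:
    """E.118 ICCIDs end in a Luhn check digit, the same scheme as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def parse_iccid(iccid: str) -> dict:
    """Fixed-width split from slides 11-13.  Accepting only 19 or 20 digits and
    the 2+2 country/network split are assumptions; issuers differ in practice."""
    if not (iccid.isdigit() and 19 <= len(iccid) <= 20):
        raise ValueError("ICCID must be 19 or 20 digits")
    if not iccid.startswith("89"):
        raise ValueError("industry code should be 89 (telecom), got " + iccid[:2])
    return {
        "industry": iccid[0:2],
        "country": iccid[2:4],
        "network": iccid[4:6],
        "issuer_body": iccid[6:-1],     # month/year, switch code, SIM number
        "check_digit": iccid[-1],
        "luhn_ok": luhn_valid(iccid),
    }

# Constructed EF_ICCID contents: the 19-digit ICCID 8991101200003204514 as
# stored on the card, 98 19 01 21 00 00 23 40 15 F4 (the F nibble is padding).
SAMPLE_EF_ICCID = bytes.fromhex("981901210000234015f4")

def read_sample() -> dict:
    iccid = decode_swapped_bcd(SAMPLE_EF_ICCID)
    info = parse_iccid(iccid)
    info["iccid"] = iccid
    return info
```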

SLIDE 14: IMSI [INTERNATIONAL MOBILE SUBSCRIBER IDENTITY]

International Mobile Subscriber Identity (IMSI)
Used with GSM and LTE networking

SLIDE 15: IMSI Analysis

- Example: 310 260 566789844
- 310 — United States (MCC = Mobile Country Code)
- 260 — T-Mobile (MNC = Mobile Network Code)
- 566789844 - Mobile Subscriber Identification Number (MSIN)

If doing legal service, give the entire IMSI # to the mobile service provider

SLIDE 16: ATT/Cingular ICCID to IMSI

1. Read the ICC-ID
(Tool of your choice)
89310170105648759231
2. Copy the 9 digits before the check bit!
8931017010 564875923 1
- This is the Subscriber Number: 564875923

SLIDE 17: ATT/Cingular ICCID to IMSI

3. Derive the MCC (310) US and MNC (a re) T-Mobile
WWW.numbringplans.com
4. Create your new IMSI!
3102‘ 1398895685
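The IMSI split from slide 15 and the ICCID-to-IMSI derivation from slides 16-17 in code, added here and not part of the course notes. The MCC/MNC values are the ones on slide 15; the rule that North American MCCs (310-316) use 3-digit MNCs and everyone else 2 is a simplification I assume, and the derivation only holds where a carrier actually numbers its subscribers that way.

```python
# Added example, not from the course notes.  The 3-digit-MNC rule for MCC
# 310-316 is an assumed simplification; sample values come from the slides.

NORTH_AMERICAN_MCC = range(310, 317)   # assumed: these MCCs use 3-digit MNCs

def parse_imsi(imsi: str) -> dict:
    """IMSI = MCC (3 digits) + MNC (2 or 3 digits) + MSIN; at most 15 digits."""
    if not (imsi.isdigit() and 6 <= len(imsi) <= 15):
        raise ValueError("IMSI must be 6 to 15 digits")
    mcc = imsi[:3]
    mnc_len = 3 if int(mcc) in NORTH_AMERICAN_MCC else 2
    return {"mcc": mcc, "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}

def subscriber_number(iccid: str) -> str:
    """Step 2 on slide 16: the 9 digits immediately before the check digit."""
    if not (iccid.isdigit() and len(iccid) >= 10):
        raise ValueError("ICCID too short to hold a 9-digit subscriber number")
    return iccid[-10:-1]

def imsi_from_iccid(iccid: str, mcc: str, mnc: str) -> str:
    """Steps 3-4: MCC + MNC + subscriber number.  Hand the whole result to the
    carrier in legal service, as slide 15 advises, never just the MSIN."""
    imsi = mcc + mnc + subscriber_number(iccid)
    if len(imsi) > 15:
        raise ValueError("derived IMSI longer than 15 digits")
    return imsi
```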

SLIDE 18: Ask the class...

- Can you create a RIC (RADIO ISOLATION CARD)/CNIC from a PIN/PUK locked SIM? Why/Why Not?
Ans: Yes, but you only get the ICCID #, not the IMSI #

2 types of networks: GSM (S/N = IMEI) and CDMA (S/N = ESN & MEID; MEID is newer because they ran out of ESN #s)

Review: UICC, ICCID [universal integrated circuit card identifier]. GSM network phones MUST have a SIM
card

Holland [Vodafone] is a small country with only 1 gateway switch; it has 3 other local switches. Every
call that comes in is checked at the main gateway [lookup in the home location register, with location info
for customers within the country]; that's where they get the IMSI from and drop the dialing #; they then use
the IMSI to track the call. If I am a Vodafone Holland customer and I turn on my phone, I register to a
cell tower within a certain switch area which has a visitor location register, and it records details about
everyone in that switch area, and periodically the VLR will update the Home LR. If I travel across the
country I get disconnected from one switch area and get connected to another switch area.

Visitor location registers are to do with international roaming; they are not;

Tel # porting, e.g. leave Sprint and go to AT&T but keep the same tel #: your number is still associated with
Sprint and will be rerouted to AT&T after hitting the Sprint HLR; if you subsequently go to T-Mobile the call
will still 1st go to the Sprint HLR and then be rerouted to T-Mobile instead of AT&T. People using burner
phones may have important contacts on the SIM in the burner phone. Nowadays with regular people using
smartphones you usually don't get useful things off a SIM card, but for crooks using burners, SIMs can have
important info.

A USIM has more info than a SIM because the USIM has more data storage. Remember SIMs used to only be
in GSM phones, but then 4G networks came and now CDMA phones have SIM cards. Most places in the world
don't have CDMA, but in the US Verizon is a big CDMA carrier.

[SIM exercise] Doesn't like cloning; a few years ago, cloning a SIM was a criminal offense, because it was
a way to free ride off of another person's phone plan [used to be a common offense in the UK]. But
this type of cloning is different from creating a radio isolation card, which does not copy the
authentication data, encryption keys, etc.; law enforcement just creates a RIC: the ICCID and IMSI get
dropped on the new card and all the classes are recreated into that container. There are different classes
of SIMs that are used to decide who gets to use a network if it is overloaded, such as during an emergency;
apparently a class 1 SIM will get the highest priority and usually emergency personnel have those, and the
people with the lowest priority tend to be the prepaid customers.
