a.

Background of Mobile devices

A mobile device is a general term for any type of handheld computer. These
devices are designed to be extremely portable, and they can often fit in your
hand. Some mobile devices—like tablets, e-readers, and smartphones—are
powerful enough to do many of the same things you can do with a desktop or
laptop computer.

Number of mobile subscriptions worldwide 1993-2020

The total number of mobile subscriptions is estimated to have exceeded eight billion
for the first time in 2019, reaching 8.3 billion subscriptions. In 2020, this figure dropped
by approximately 50 million subscriptions to 8.15 billion.

More smartphones than people

With a global population of 7.8 billion as of 2021, the number of smartphone
subscriptions now significantly exceeds the number of people on the planet. This
comes off the back of an extraordinary period of growth. The penetration rate broke
100 in the United States in 2014, and has been over 100 in countries including the
United Kingdom (UK) and Australia for several years longer.
On other continents, such as Africa, the penetration rate has also increased
steadily. Cameroon, for example, increased by 123 percent from 2010 to 2020, with
95.1 mobile subscriptions per 100 residents as of 2020, and the rate exceeded 114 in
Kenya in 2020.

Moving towards 5G
5G subscriptions are forecast to increase worldwide from 2019 to 2025. The number of
5G mobile subscriptions worldwide is forecast to exceed 2.7 billion by 2025, with North
East Asia, North America, and Western Europe having the most 5G subscriptions.

Advantages of Mobile devices

Education
It is another major advantage of mobile phones. Mobile phones can be used to acquire
knowledge or information on various topics. For convenience, nowadays, most colleges,
institutions, and schools are offering online education with the proper study material
that can be in the form of images, photos, text, pdf, etc. In the corona pandemic, we
have seen that the students have taken online classes provided by their respective
institutions to ensure the safety and health of students.
Social media
In today's era, mobile phones are not only used for calling purposes. Smartphones are
said to be a gift for social media lovers. Social media apps like Twitter, Instagram, snap
chat, Facebook, etc., are at our fingertips at any time. We can edit and share our pictures
and posts on social media directly from our mobile phones. Mobile gives us the facility
to access social media at all times.

Most people use their mobile phones to scroll through their timeline of social media
platforms in their free time.

Feature Phone vs Smart Phone

 b. Overview of Digital Forensics

Branches of Digital Forensics

a. Computer Forensics

b. Network Forensics

c. Email Forensics

d. Cloud Forensics

e. Mobile Device Forensics

f. Social Media Forensics

d. Where can evidence be found?

e. SIM Card a vital piece of Mobile Forensics

* What is SIM Card?

*Importance of SiMCARD?

*Sizes of SIM Card

The first SIM cards were about the size of a credit card. As cell phones began to shrink in size, the
mini-SIM (about one-third the size of a credit card) was developed. Today an even smaller version,
the micro-SIM, is available. Each of these three iterations varies in physical size and the functionality
supported. Normally, a SIM card provides functionality for both the identification and authentication of
the subscriber’s phone to its network; contains storage for phone numbers, SMS, and other
information; and allows for the creation of applications on the card itself
SIM card – technology

 SIM Security
SIM cards have built in security features that are designed to make them tamper resistant, thereby
ensuring data security. A SIM card’s MF, DFs, and EFs all contain security attributes. One security
attribute, the access conditions, are constraints upon the execution of commands. They filter every
execution attempt, thus ensuring that only those with the proper authorization can access the
requested functionality controlled by the DFs or EFs. Access conditions can be thought of as somewhat
analogous to the user rights associated with the file/directory attributes found in computer operating
systems. There are different levels of access conditions associated with DF and EF files:

 Always (ALW): file access is allowed without restrictions and the command is executable upon
the file.
 Card Holder Verification 1 (CHV1): file access is allowed with the valid verification of the users
PIN1 (or PIN1 verification is disabled) and the command is executable upon the file.
 Card Holder Verification 2 (CHV2): file access is allowed with a valid verification of the user’s
PIN2 (or PIN2 verification is disabled) and the command is executable upon the file.
 Administrative (ADM): the administrative authority (i.e. the card issuer who provides the SIM
card to subscribers), is responsible for the allocation of these levels.
 Never (NEV): file access is prohibited and the command is never executable upon the file.

The SIM operating system controls access to an element of the file system based
on its access condition and the type of action being attempted. The operating
system allows only limited number of attempts, usually three, to enter the correct
CHV before further attempts are blocked. For unblocking, it requires a PUK code,
called the PIN unblocking key, which resets the CHV and attempt counter. If the
subscriber is known, then the unblock CHV1/CHV2 can be easily provided by the
service provider.

f. Physical and Logical Structure of a SIM Card

f. 1Physical Structure and Functions of a SIM

1. Vcc: It is the supply voltage pin of the SIM. It supports the 5V DC power.
To operate the SIM card, this Vcc pin must be supplied with 5V DC then
only the IC(Integrated Circuit) embedded within the SIM card will work.
2. RESET: It is the pin used to reset the SIM card signal and
communications. Upon using this pin will make the SIM in default mode
resetting all the current signals. The RESET pin is activated by the mobile
devices or the SIM card upon required. Generally, SIM users are given less
permission to use this function.
3. Clock: It provides the SIM with a clock signal for its processor. The clock
is derived or inherited from the mobile or the hardware.
4. GND/Ground: It is the common reference voltage. Normally we called
ground as the low voltage point. As SIM is a small electronic hardware
with Integrated Circuit, it also have the common reference point and
hence this pin is named as the ground. GND now complete the circuit for
the proper functioning of the SIM card.
5. Vpp: (Voltage programming power))
 Earlier, this pin is used to carry the extra voltage required to write or
erase the data in the memory of the SIM card but now it is not quite useful
as this work is done by the Vcc.

A SIM Card have six pads that also corresponds to the six SIM connectors.
SIM DATA - this is a digital data that being stored on a SIM memory
SIM Clock - this is a clock frequency signal that being synchronize to the digital data to create
data signal in order transfer or sends and receive data information.
SIM Reset - this is also a frequency signal that triggers or reset all synchronization process.
VSIM B+ Supply Voltage- This a power supply voltage used to activated the SIM circuit.
SIM Ground - a ground line voltage.The other one is not connected. In the layout the SIM
Interface Connector connected directly to SIM Control Circuit.
The SIM Control Circuit is the one the generates Clock frequency that triggers the SIM data
storage, once the SIM is now being triggered, it is then now sends data information to the
application processor to begin the process with.
The application processor is the one that gathered all data information from the SIM memory,
initiate and activate it, if all information is in desired status. Those three particular lines of signal
flows associated in the circuit shows how the synchronization is being applied. If one of those
lines being cut off the sending and receiving process will breakdown, and will result to SIM
problem issues. The Power Supply Voltage through the SIM is also remain stable otherwise a
lack of voltage will not activate the SIM to work. In mobile phones the SIM circuit is being
connected to the Power Management IC then feeds directly also to the Application Processor or
CPU.

f.2

SIM File System Structure

A SIM card contains a processor and operating system with between 16 and 256 KB of persistent,
electronically erasable, programmable read-only memory (EEPROM). It also contains RAM
(random access memory) and ROM (read-only memory). RAM controls the program execution flow
and the ROM controls the operating system work flow, user authentication, data encryption
algorithm, and other applications.

The hierarchically organized file system of a SIM resides in persistent memory and stores data as
names and phone number entries, text messages, and network service settings. Depending on the
phone used, some information on the SIM may coexist in the memory of the phone. Alternatively,
information may reside entirely in the memory of the phone instead of available memory on the
SIM.

The hierarchical file system resides in EEPROM. The file system consists of three types of files:
master file (MF), dedicated files, and elementary files. The master file is the root of the file system.
Dedicated files are the subordinate directories of master files. Elementary files contain various
types of data, structured as either a sequence of data bytes, a sequence of fixed-size records, or a
fixed set of fixed-size records used cyclically.
g. Sensitive Data on SIM

Potential evidence stored on mobile phones The range of information that can be obtained from mobile
phones is detailed in this section. Data on a mobile phone can be found in a number of locations: SIM
card, external storage card, and phone memory. In addition, the service provider also stores
communication-related information. The book primarily focuses on data acquired from the phone
memory. Mobile device data extraction tools recover data from the phone's memory. Even though data
recovered during a forensic acquisition depends on the mobile model, in general, the data in the next
set of bullet items is common across all models and useful as evidence. Note that most of the following
artifacts contain date and time stamps:

• Address Book: This stores contact names, numbers, e-mail addresses, and so on

• Call History: This contains dialed, received, missed calls, and call durations

• SMS: This contains sent and received text messages

• MMS: This contains media files such as sent and received photos and videos

• E-mail: This contains sent, drafted, and received e-mail messages

• Web browser history: This contains the history of websites that were visited

• Photos: This contains pictures that are captured using the mobile phone camera, those downloaded
from the Internet, and the ones transferred from other devices

• Videos: This contains videos that are captured using the mobile camera, those downloaded from the
Internet, and the ones transferred from other devices

Music: This contains music files downloaded from the Internet and those transferred from other devices
• Documents: This contains documents created using the device's applications, those downloaded from
the Internet, and the ones transferred from other devices

• Calendar: This contains calendar entries and appointments

• Network communication: This contains GPS locations

• Maps: This contains looked-up directions, and searched and downloaded maps • Social networking
data: This contains data stored by applications, such as Facebook, Twitter, LinkedIn, Google+, and
WhatsApp • Deleted data: This contains information deleted from the phone

Phone catalog and contacts • Incoming/outgoing/missed calls

• Incoming and outgoing text messages and MMS • Sound recordings/Vocal notes/Calling sounds

• Photographs, Video, Graphics, Workspace

• Calendar, Alarm clocks/Reminders, To-do lists • Written texts/memos • Emails stored in the phone •
Websites visited using the mobile phone

• Documents and fi les of any type

• User identifi ers (e.g. PIN)

• Device identifi ers (e.g. IMEI) • Catalog of networks used • Geographic information (e.g. from
embedded GPS receivers) • Words added to the predictive text system’s database • GPRS, WAP, and
Internet settings

Digital forensics is a branch of forensic science focusing on the recovery and investigation of raw data
residing in electronic or digital devices.

Mobile forensics is a branch of digital forensics related to the recovery of digital evidence from mobile
devices. Forensically sound is a term used extensively in the digital forensics community to qualify and
justify the use of particular forensic technology or methodology. The main principle for a sound forensic
examination of digital evidence is that the original evidence must not be modified. This is extremely
difficult with mobile devices. Some forensic tools require a communication vector with the mobile
device, thus standard write protection will not work during forensic acquisition. Other forensic
acquisition methods may involve removing a chip or installing a bootloader on the mobile device prior to
extracting data for forensic examination. In cases where the examination or data acquisition is not
possible without changing the configuration of the device, the procedure and the changes must be
tested, validated, and documented. Following proper methodology and guidelines is crucial in examining
mobile devices as it yields the most valuable data. As with any evidence gathering, not following the
proper procedure during the examination can result in loss or damage of evidence or render it
inadmissible in court.

SIM card Forensics is an essential section of Mobile device forensics. tНe information that a SIM card can
provide the forensic examiner can be crucial to an investigation. Obtaining a SIM card permits a plethora
of information, which the suspect has dealt with over the phone to be investigated.

Mobile phone forensics is the science of recovering digital evidence from a mobile phone under
forensically sound conditions using accepted methods.(NIST)

h. Evidential Value of SIM cards (Srivastava)

SIM cards can contain crucial information, for example, messages having login IDs and passwords
related to one’s bank accounts and social networking sites.

• SIM cards may also contain personal and professional messages, important contact information, call
logs, etc. • Deleted messages can also be recovered from SIM cards.

• Data in SIM cards are not destroyed by heat, flame dust, soil, moisture, stains, or magnetic
fieldsHence, environmental conditions have no effect on the data stored in SIM cards.

• Only after going through physical damage a SIM can be rendered unreadable, but scratches and
striations do not make the SIM card unreadable.

• SIM cards inflicted by stone, hammer or bitten by teeth that create compression marks on the metallic
circuit of the card become unreadable.
• Even SIM cards that have become unreadable can be read Dіer replacing the EEPROM chip into a new
SIM card or by connecting it to proper probes.

• People should be made aware that SIM cards should not be simply discarded without breaking it into
two pieces to make it nearly impossible by a stranger or a criminal to steal private data easily, barely by
using a SIM card reader.

• SIM cards are vital as forensic evidences as it contains location information and a list of all the
network towers it has recently

i. SIM Card Imaging

Digital evidence and then perform the analysis on the copy. For SIM cards this is important, as SIM card
storage is typically in the form of EEPROM, which has a limited number of read-write cycles. If an
investigator were to perform all the analysis on the physical device, it is possible that the device could
be permanently damaged. This would compromise the integrity of the evidence as well as undermine
the ability to complete the investigation. This section describes the design of an imaging tool for SIM
cards. The tool uses standard smart card readers to obtain data from SIM cards according to the
guidehnes identified in the previous section. Tools are available for acquiring data from SIM cards.
However, they do not meet the stringent forensic requirements for data acquisition. For example, the
sim_scan tool gathers most of the data from SIM cards. But it produces a simple text file rather than a
secure image file. Also, the program has severe compatibility issues: it only works with certain smart
card readers and is unstable with modern versions of Windows. The imaging tool described in this paper
was designed from the ground up to satisfy five requirements.

 Stability: The imaging tool should work on modern operating systems without terminating
unexpectedly.
 Completeness: The imaging tool should extract all the data from SIM cards without damaging
them. •
 Preservation: Evidence extraction techniques which are likely to damage the devices should be
avoided. For example, no attempts should be made to read files that are marked as protected.
These files are protected by numeric passwords. Attempting to guess a password too many
times can render a SIM card unusable.
 Compatibility: The tool should work with popular operating systems, smart cards and smart card
readers.
 Speed: Although speed is not a primary concern, the image extraction process should be fast
enough not to encumber investigations.

Once the make and model of the phone are known, available manuals can be retrieved and studied. The
manufacturer’s Web site is a good place to begin. Typing the model number into Google or another
search engine can also reveal a significant amount of information about the device. As mentioned
earlier, the device being acquired largely dictates the choice of forensic tools.

The following criteria have been suggested as a fundamental set of requirements for forensic tools
[Car02], and should be considered when a choice of tools is available: „ (NIST)
Usability – the ability to present data in a form that is useful to an investigator „

Comprehensive – the ability to present all data to an investigator so that both inculpatory and
exculpatory evidence can be identified „

Accuracy – the quality that the output of the tool has been verified and a margin of error ascertained „
Deterministic – the ability for the tool to produce the same output when given the same set of
instructions and input data „

Verifiable – the ability to ensure accuracy of the output by having access to intermediate translation and
presentation results

IMSI Number
An international mobile subscriber identity (IMSI) identifies a mobile station (MS) in the global system for
mobile communications (GSM) network uniquely. IMSIs are encoded in E.212 format, stored in the
subscriber identity module (SIM) card, HLR, and VLR, and transmitted over the wireless interface and
Mobile Application Part (MAP) interface.

MCC: It is short for mobile country code and is composed of three digits, for example, 460 for China.
MNC: It is short for mobile network code and is composed of two digits, for example, 00 for a carrier.
MSIN: It is short for mobile subscriber identification number and is a unique identification for an MS in a
PLMN.
NMSI: It is short for national mobile subscriber identification and is a unique identification for an MS in a
country.
A typical IMSI example is 460-00-4777770001.
The principles for IMSI allocation are as follows:

 An IMSI can contain up to 15 digits.

 MCCs are allocated uniformly worldwide, but NMSIs are allocated by carriers of different
countries.
 If more than one GSM PLMN exists in a country, a unique MNC must be allocated to each PLMN.
 For IMSI allocation, it is required that addressing in PLMNs of foreign countries be successful
after analysis of only MCC, or only MNC, or MCC+MNC.
The operations UpdateLocation, PurgeMS, and SendAuthenticationInfo must use IMSIs for addressing at
the first time. Generally, the operation RestoreData uses IMSIs for addressing. At present, all messages
related to supplementary service operations sent to the HLR use IMSIs for addressing.