SIM Card Forensics

NII confidential

Ravi Sharma
 SIM Card Forensics

The SIM (subscriber identity module) is a fundamental component of cellular phones. It also known as
an integrated circuit card (ICC), which is a microcontroller-based access module. It is a physical entity
and can be either a subscriber identity module (SIM) or a universal integrated circuit card (UICC). A
SIM can be removed from a cellular handset and inserted into another; it allows users to port identity,
personal information, and service between devices. All cell phones are expected to incorporate some
type of identity module eventually, in part because of this useful property.

Basically, the ICC deployed for 2G networks was called a SIM and the UICC smart card running the
universal subscriber identity module(USIM) application. The UICC card accepts only 3G universal
mobile telecommunications service (UMTS) commands. USIMs are enhanced versions of present-day
SIMs, containing backward-compatible information. A USIM has a unique feature in that it allows one
phone to have multiple numbers. If the SIM and USIM application are running on the same UICC, then
they cannot be working simultaneously.
But today we are using smartphones that use micro-SIM, which is smaller than mini-SIM. These SIM
cards vary in size but all have the functionality for both the identification and authentication of the
subscriber’s phone to its network and all contain storage for phone numbers, SMS, and other
information, and allow for the creation of applications on the card itself.

NII confidential
SIM Structure and File Systems:

The SIM circuit is part of the function of a Universal Integrated Circuit Card (UICC) physical smart
card, which is usually made of PVC with embedded contacts and semiconductors. "SIM cards" are
designed to be transferable between different mobile devices. The first UICC smart cards were the size
of credit and bank cards; the development of physically smaller mobile devices has prompted the

NII confidential
development of smaller SIM cards, where the size of the plastic carrier is reduced while keeping
electrical contacts the same.
A SIM card contains its unique serial number (ICCID), international mobile subscriber identity (IMSI)
number, security authentication and ciphering information, temporary information related to the local
network, a list of the services the user has access to, and two passwords: a personal identification
number (PIN) for ordinary use, and a personal unblocking code (PUK) for PIN unlocking.
A SIM card contains a processor and operating system with between 16 and 256 KB of persistent,
electronically erasable, programmable read-only memory (EEPROM). It also contains RAM (random
access memory) and ROM (read-only memory). RAM controls the program execution flow and the
ROM controls the operating system work flow, user authentication, data encryption algorithm, and other
applications. The hierarchically organized file system of a SIM resides in persistent memory and stores
data as names and phone number entries, text messages, and network service settings. Depending on
the phone used, some information on the SIM may coexist in the memory of the phone. Alternatively,
information may reside entirely in the memory of the phone instead of available memory on the SIM.

The SIM memory structure is composed of directories that can be said to be roughly analogous
to the directories of a traditional computer hard disk drive. These directories are spelled out in
detail in GSM 11.11 and 11.14. The file system may be comprised of the following basic forms:
a master file (MF), a directory file (DF) and an elementary file (EF).

The Master File

The Master File or MF is the root of the file system. It is analogous to the root directory or “/”
in the Linux file system; there is only one MF. An MF may contain one Dedicated File (DF)
or many DFs and it may or may not contain one or many Elementary Files (EF).
The master file can be identified by the 2-byte file identifier (and indeed any file can be
identified by this 2-byte sequence) of 3F00. This identifier is reserved only for the MF. It should
be noted that there is one EF directly beneath the MF in the hierarchy. This EF identified by

NII confidential
the marker EFMF1 in the graphic above is the Integrated Circuit Card Identity (EF ICCID). This
EF contains the unique serial number of each individual SIM card and can be used to
personalize the ME to the SIM. The use of the EF ICCID is open to the individual manufacturer
and operator. The EF ICCID is the electronic version of the SIM Serial number recorded on the
face of the SIM card body. The SIM Serial Number and EF ICCID can be used by an examiner
to identify the origin of the SIM where evidence was obtained.
Dedicated Files
The term Dedicated File is perhaps a bit confusing since the Dedicated File is more akin to a
container or a sub directory rather than an actual file in the traditional sense. A dedicated file
can also be identified by a two-byte identifier. This identifier is assigned by the DF or the MF
that contains it. The DF can also be referenced by a name that is between one and sixteen
bytes long. The naming conventions for the DF name can be found in the ISO 7816-5
specification. Two Dedicated Files of interest are the DFGSM and the DFTELECOM.

The DFTELECOM contains more common telecom service features and can be used for other
telecom applications in multipurpose SIMs. The phonebook EF which falls under this
directory is an example of a more general telecom application. The DFTELECOM file can be
identified by the 2-byte identifier of 7F10. The DFGSM contains applications for the GSM900
and GSM1800 MHz respectively. This directory contains EFs that are exclusive to GSM
networks. The DFGSM file can by identified by the 2-byte identifier of 7F20.

Elementary Files
Elementary Files (EF) sit below the Dedicated Files in the file system hierarchy (with the
exception of the aforementioned EFICCID). These are the files that contain the actual data.
An analogy to familiar computer file system terminology would be to say that the EF
represents the leaf node of the file system.
Each directory has assigned elementary files that are designed to hold data for a specific
use.

NII confidential
The EF may hold only one record of information or it may hold many, where a record
may be defined as a small unit of information stored on a SIM and consisting of a string
of variable size
There are a number of reasons that make SIM card forensics an interesting topic; here
are a few of them:

Popularity: almost everyone has a SIM card, some of us use several of them on a daily basis;
thus there is a lot to gain by possessing some knowledge on the subject.

Difference: extracting data from SIM cards is done with methods that differ from those that
correspond to magnetic storage or flash memory; thus this is appealing to one’s curiosity.

Challenge: SIM cards are designed to withstand unauthorized attempts of accessing their
contents; what’s the first thing that you do when someone gives you a new gadget and explicitly
says “do not disassemble it”? Not disassembling it is probably the last thing that comes to mind.

As you know all the data on the card are stored in files; you will run into such terminology:
MF – master file (the root directory), DF – directory file, EF – elementary file. File names are
hexadecimal numbers such as 0x6F3A or 0x6F3C, they also have human-readable names such
as EF ADN (elementary file “abbreviated dialing numbers”, where the phonebook is kept) or
EF SMS (elementary file SMS). The hierarchy of the file system is defined in the
aforementioned specifications, if you study it you will find out that, for example, the
phonebook is stored in 0x3F007F106F3A in a 2G SIM card. The specifications also explain
the format of the data; with that knowledge you can transform the raw data into something
meaningful.

In fact, this is what mobile phones and SIM card management applications do – they send
certain commands to the card, read the response, interpret it according to the predefined rules,
and then display the results in a human-readable form, such that we see a person’s name or
phone number instead of a bunch of ones and zeroes.

NII confidential
Where on the SIM would I hide my data if I were a bad guy?

There are several ways to answer this question.

Deleted SMS: if you read the specification carefully, you will realize that the standard states
that when a message is erased, it is only marked as such, leaving the rest of its contents intact.
When a new SMS is received, it will be written to the records that are available, and when all
of them are in use, the phone will begin overwriting the ones that were marked as “erased”.
Records marked as unused are not going to be displayed by the phone, but you can easily
retrieve them by reading the raw data of EF SMS (after providing a valid PIN1, of course). If
the first byte is 0x00, the record is free, if it is 0x07 – it is in use. Look for records that begin
with 0x00 and see what is stored in the remaining bytes.

Beyond the end: text data are stored on the SIM card using a special encoding. If you review
the specifications, you will see that unused bytes must be set to 0xFF. For example, if the
address-book file has enough room for 50 letters in each name, but only the first 10 letters are
used, the remaining space will be padded with 0xFF bytes. The phone “knows” that too, so
when it displays your phone-book, it reads each record until it bumps into the first 0xFF byte
and discards the remainder. You normally expect that once you find the first 0xFF, there will
be nothing but other 0xFF bytes beyond it. However, there is no force in the universe that
prevents me from writing some actual data beyond the “end marker” – that data will not be
visible when viewed via a phone’s interface, but it will be visible to those who look at the raw
data of the record.

Orphaned phone-book records: this method can be used on 3G USIM cards, as they have a
more complicated phone-book structure that allows not only the storage of a name and a
number, but also an email, a secondary name and a secondary number (among other things).
These attributes are not stored in a single file, instead they are distributed among a group of
files. However, they are visualized as a unified set of attributes corresponding to a person, so a
user doesn’t know what happens under the hood.

These files are correlated using a table that gives you information such as “entry #5 in EF ADN
is linked to entry #89 in EF EMAIL”; when the phone reads the SIM cards, it figures out how
to correlate these records and displays everything on the same screen. If, e.g., you delete an

NII confidential
email address, the phone will not only remove the record from EF EMAIL, but it will also
update the “correlation table”, such that it doesn’t say that there is an email entry that is linked
to one from EF ADN. Of course, there is no force in the universe that prevents me from deleting
the link in the “correlation table”, but leaving the record in EF EMAIL intact. Effectively, I
have created an orphaned record – it is physically on the card, but there is no phone-book entry
that points to it, thus it will not be displayed in the phone’s GUI, yet it will be readable by those
who know where to look.
Security in SIM: -

SIM cards have built-in security features. The three file types, MF, DF, and EF, contain the security
attributes. These security features filter every execution and allow only those with proper authorization
to access the requested functionality. There is different level of access conditions in DF and EF files.
They are:

Always—This condition allows to access files without any restrictions.

Card holder verification 1 (CHV1)—This condition allows access to files after successful
verification of the user’s PIN or if PIN verification is disabled.
Card holder verification 2 (CHV2)—This condition allows access to files after successful
verification of the user’s PIN2 or if the PIN2 verification is disabled.

Administrative (ADM)—The card issuer who provides SIM to the subscriber can access only after
prescribed requirements for administrative access are fulfilled.
Never (NEV)—Access of the file over the SIM/ME interface is forbidden.
The SIM operating system controls access to an element of the file system based on its access
condition and the type of action being attempted. The operating system allows only limited number
of attempts, usually three, to enter the correct CHV before further attempts are blocked. For
unblocking, it requires a PUK code, called the PIN unblocking key, which resets the CHV and
attempt counter. If the subscriber is known, then the unblock CHV1/CHV2 can be easily provided

NII confidential
by the service provider.
Sensitive Data in SIM or Data of Forensic value:

The SIM card contains sensitive information about the subscriber. Data such as contact lists and
messages can be stored in SIM. SIM cards themselves contain a repository of data and information,
some of which is listed below:

• Integrated circuit card identifier (ICCID)

• International mobile subscriber identity (IMSI)
• Service provider name (SPN)
• Mobile country code (MCC)
• Mobile network code (MNC)
• Mobile subscriber identification number (MSIN)
• Mobile station international subscriber directory number (MSISDN)
• Abbreviated dialing numbers (ADN)
• Last dialed numbers (LDN)
• Short message service (SMS)

NII confidential
• Language preference (LP)
• Card holder verification (CHV1 and CHV2)
• Ciphering key (Kc)
• Ciphering key sequence number
• Emergency call code
• Fixed dialing numbers (FDN)
• Local area identity (LAI)
 • Own dialing number
• Temporary mobile subscriber identity (TMSI)
• Routing area identifier (RIA) network code
• Service dialing numbers (SDNs)
These data have forensics value and can be scattered from EF files. Now we will discuss some of these
data.

A. Service Related Information

ICCID: The integrated circuit card identification is a unique numeric identifier for the SIM that
can be up to 20 digits long. It consists of an industry identifier prefix (89 for telecommunications),
followed by a country code, an issuer identifier number, and an individual account identification
number.
Twenty-digit ICCIDs have an additional “checksum” digit. One example of the interpretation of a
hypothetical nineteen digit ICCID (89 310 410 10 654378930 1) is shown below.

• Issuer identification number (IIN) is variable in length up to a maximum of seven digits:

➢ The first two digits are fixed and make up the Industry Identifier. “89” refers to the
telecommunications industry.
➢ The next two or three digits refer to the mobile country code (MCC) as defined by ITU-T
Recommendation E.164. “310” refers to the United States.
➢ The next one to four digits refer to the mobile network code (MNC). This is a fixed number
for a country or world zone. “410” refers to the operator, AT&T Mobility.
➢ The next two digits, “10,” pertain to the home location register.
• Individual account information is variable in length:
➢ The next nine digits, “654378930,” represent the individual account identification number.
Every number under one IIN has the same number of digits.
• Check digit—the last digit, “1,” is computed from the other 18 digits using the Luhn
algorithm.

NII confidential
IMSI: The international mobile subscriber identity is a unique 15-digit number provided to the
subscriber. It has a similar structure to ICCID and consists of the MCC, MNC, and MSIN. An example
of interpreting a hypothetical 15-digit IMSI (302 720 123456789) is shown below:

MCC—The first three digits identify the country. “302” refers to Canada.
MNC—The next two (European Standard) or three digits (North American Standard) identify the
operator. “720” refers to Rogers Communications.
MSIN—The next nine digits, “123456789,” identify the mobile unit within a carrier’s GSM network
MSISDN—The Mobile Station International Subscriber Directory Number is intended to convey the
telephone number assigned to the subscriber for receiving calls on the phone. An example of the
MSISDN format is shown below:
CC can be up to 3 digits.
NDC usually 2 or 3 digits.
SN can be up to a maximum 10 digits.

B. Phonebook and Call Information:

1. Abbreviated dialing numbers (ADN)—Any number and name dialed by the subscriber is saved
by the ADN EF. The type of number and numbering plan identification is also maintained under
this. This function works on the subscriber’s commonly dialed numbers. The ADN cannot be
changed by the service provider and they can be attributed to the user of the phone. Most SIMs
provide 100 slots for ADN entries.
2. Fixed dialing numbers (FDN)—The FDN EF works similar to the ADN because it involves
contact numbers and names. With this function, the user doesn’t have to dial numbers; by pressing
any number pad of the phone, he can access to the contact number.
3. Last number dialed (LND)—The LND EF contains the number most recently dialed by the
subscriber. The number and name associated with that number is stored in this entry. Depending
upon the phone, it is also conceivable that the information may be stored in the handset and not on
the SIM. Any numbers that may be present can provide valuable information to an investigator.

NII confidential
 XML Phonebook Entry

C. Messaging Information—Messaging is a communication medium by which text is entered on

one cell phone and delivered via the mobile phone network. The short message service contains
texts and associated parameters for the message. SMS entries contain other information besides the
text itself, such as the time an incoming message was sent, as recorded by the mobile phone
network, the sender’s phone number, the SMS center address, and the status of the entry. An SMS
is limited to either 160 characters (Latin alphabet) or 70 characters (for other alphabets). Longer
messages are broken down by the sending phone and reassembled by the receiving phone.

Tools for SIM Forensics

To perform forensic investigation on a SIM card, it has to be removed from the cell phone and connect

to a SIM card reader. The original data of SIM card is preserved by the elimination of write requests to

the SIM during its analysis. Then we calculate the HASH value of the data; hashing is used for checking

the integrity of the data, that is, whether it has changed or not. There are lots of forensic tools are

NII confidential
available but all tools are not able to extract data from every type of cell phone and SIM card. Now we

will discuss about some famous tools:

1.Encase Smartphone Examiner:

This tool is specifically designed for gathering data from smartphones and tablets such as iPhone, iPad,

etc. It can capture evidence from devices that use the Apple iOS, HP Palm OS, Windows Mobile OS,

Google Android OS, or RIM Blackberry OS. It can acquire data from Blackberry and iTunes backup
files as well as a multitude of SD cards. The evidence can be seamlessly integrated into EnCase

Forensic.

2.MOBILedit! Forensic:
This tool can analyze phones via Bluetooth, IrDA, or cable connection; it analyzes SIMs through
SIM readers and can read deleted messages from the SIM card.

NII confidential
3.pySIM:
A SIM card management tool capable of creating, editing, deleting, and performing backup
and restore operations on the SIM phonebook and SMS records.

4.AccessData Mobile Phone Examiner (MPE) Plus:

This tool supports for than 7000 phones including iOS , Android , Blackberry, Windows
Mobile, and Chinese devices and can be purchased as hardware with a SIM card reader and
data cables. File systems are immediately viewable and can be parsed in MPE+ to locate
lock code, EXIF, and any data contained in the mobile phone’s file system.

NII confidential
5.SIMpull:
SIMpull is a powerful tool, a SIM card acquisition application that allows you to acquire
the entire contents of a SIM card. This capability includes the retrieval of deleted SMS
messages, a feature not available on many other commercial SIM card acquisition
programs. SIMpull first determines if the card is either a GSM SIM or 3G USIM, then
performs a logical acquisition of all files defined in either ETSI TS 151.011 (GSM) or ETSI
TS 131.102 (USIM) standards.

As can be seen in above figure, by using the SIMpull application we can see the information
of SMS such as a SMS text and its length, the SMS sender’s number information, service
center information, etc.

References: -

NII confidential
http://www.forensicswiki.org/wiki/SIM_Cards

https://0xicf.wordpress.com/2014/10/13/understanding-sim-card-forensics/

http://www.mobiledit.com/forensic