Mobile & Technology eDiscovery
Investigations, Practices and Procedures: Seizure-Forensic Examination-Evidence. Cellular and Satellite Telephones, Call Records-Billing Data, Cell Site Analysis. Telecomms. Computer and Network Analysis. GPS devices & Jammers.
Sunday, May 19, 2013
Monday, May 06, 2013
(U)SIM Examination (Physical) Pt2
Before we can progress to consider various methods of (U)SIM physical examination there are more standards we need to be aware of, and there are reasons for that. Transitioning from GSM to 3GPP (*wcdma) standards required rewriting the existing GSM standards to make them technology neutral, so that GSM could be integrated into future mobile developments under the 3GPP global standards. Technology-wise, we know that GSM is a defined circuit-switched voice mobile communications system that has evolved with value-added data services (GPRS, HSCSD and EDGE). 3GPP (wcdma), as we know, is a defined packet-switched technology, and thus it would have been a pointless exercise to re-invent the wheel, so to speak, and introduce a new voice circuit-switched system when a matured installation base already existed. That needs to be understood on many levels when dealing with mobile communications. Three examples of GSM and 3GPP working together:
(i) generally, we refer to Release 99 (R99) as the reference point from which 3GPP could transition and re-write mobile communication technology standards, with birthing periods: GSM only before 3GPP Release 4 (Rel-4); GSM only (Rel-4 and later); 3GPP and beyond / GSM (R99 and later). This enabled manufacturers, developers, operators and service providers to continue with GSM standards in a pure GSM environment or evolve to a 3GPP environment, in the knowledge that access and inter-connectivity to GSM would continue;
(ii) the introduction of 3GPP (*wcdma) would take time and thus should avoid, as far as possible, disruption to existing mobile services;
(iii) the GSM user/subscriber base was still growing at that time and has now reached over 3 billion users, from which we can draw the conclusion that GSM's importance in its relationship with 3GPP should not be under-estimated. GSM is by no means the junior partner.
In the mobile examination environment we, as examiners, are exposed to a multitude and multiple layers of technical and technology standards, many of which impact on the (U)SIM, and particularly so if the technology generates a mobile communication outcome associated with a user/subscriber.
(*) wcdma is one of a family of mobile technology standards under 3GPP and has been used here for ease of reference.
The scope of the tests and the requirements set down in GSM 11.17 were reproduced under the approved and adopted standard 3GPP TS 51.017. In Pt1 (usim-examination-physical-pt1.html) reference was made to GSM 11.11; however, the approved and adopted standard (and the counterpart to GSM 11.11) is 3GPP TS 51.011:
PHY: Physical characteristics - 3GPP TS 51.011 [1], clause 4.
ELEC: Electronic signals and transmission protocols - 3GPP TS 51.011 [1], clause 5.
AFS: Application and File structure - 3GPP TS 51.011 [1], clause 6.
SEC: Security features - 3GPP TS 51.011 [1], clause 7.
CMD: Description of the commands - 3GPP TS 51.011 [1], clause 9.
CEF: Contents of the elementary files - 3GPP TS 51.011 [1], clause 10.
APP: Application Protocol - 3GPP TS 51.011 [1], clause 11.
Whilst the GSM 11.17 standard is the starting point for ICC/SIM, and 3GPP TS 51.011 moved the technology to neutral ground to enable 3GPP to evolve 3G environment standards incorporating interconnectivity to, and backward compatibility for, ICC/UICC, the 3GPP evolution hasn't stopped there. There is, of course, 3GPP TS 31.120, the aim of which is to ensure interoperability between a UICC and a Terminal independently of the respective manufacturer, card issuer or operator. This is the expansion of the 3GPP domain going beyond the specific limitations incumbent with a particular proprietary technology.
The run of standards doesn't end there. Attention and consideration should be given to:
ETSI standards
TS 102 230
TS 102 221
International standards
ISO/IEC 7816-pt1 to pt4
The standards referred to above are merely a starting point to identify the complexities involved in dealing with (U)SIM cards and the tasks involved in considering examination techniques that may not simply relate to recovery of data but to other aspects and attributes of a card which may point to evidence. Readers should be prepared to delve into the standards above and realise the huge number that haven't been mentioned. There are various analogies that may be used to imagine what I have in mind for this physical series, but I quite like the analogy of forensic vehicle tyre analysis. Evidentially, consideration is given to tyre size, tread, pressure, rubber, moulding, any wheel balancing and so on to assess a skid mark or tracks at the scene of a crime. It is equally possible to use an investigative and examination approach to SIM/USIM card materials, contacts, gold content, embossing etc. to identify potential evidence.
Monday, April 22, 2013
Tools and Methods for Water Damaged Phones
It's worth recording the links from a discussion that has been going on about water damaged phones:
Ultrasonic cleaning - http://www.ibreakityoufixit.com/shop/catalog/2
Vermiculite - http://www.cmmp-france.com/shawatecgb.html
Fingerprint Study - http://www.ucidiver.com/fingerprint_study.html
Solder Cleaning - www.tayloredge.com/reference/Science/solder_cleaning.pdf
Isopropyl alcohol - http://gorum.ca/clen-pcb.html
Non-forensic chip off - http://trewmte.blogspot.co.uk/2011/02/mobile-phone-chip-off.html
Reballing - www.emulation.com/pdf/102003BGA_Reballing_Instruction_Manual.pdf
Thermal Profiling - http://en.wikipedia.org/wiki/Thermal_profile
RSS - http://en.wikipedia.org/wiki/File:RSS_Components_of_a_Profile1.svg
Thermal Sensor Probes - http://www.thermometersuperstore.co.uk/acatalog/Probes.html
Updated subject matter:
Hydrophobic Coatings on Electronic Devices
I have been looking further into mobile phone exposure to water to see whether there has been any research, or any techniques or processes used in manufacturing, to combat water damage / corrosion etc. Hydrophobic coatings appear to offer one solution.
More cell phones are damaged by water than by any other means, and this damage often requires the devices to be discarded. The number of damaged phones is also increasing because these phones are now taken almost everywhere. Chemical vapor deposition may be used to provide a solution to this problem. For example, the phones may be coated with a hydrophobic monolayer or multilayer of fluorosilanes. Bonding of the fluorosilane may be adopted for improvement purposes using a primary adhesion layer, which may be a different silane monolayer, e.g., an isocyanatosilane, and/or by introduction of hydroxyl groups via plasma treatment. The latter process is identified as typically rapid and economical and can be applied both on oxide and polymeric materials. The presence of OH groups can be assayed by XPS, ToF-SIMS and ATR-FTIR. The density of surface hydroxyl groups can be varied by changing the proportions of etch gases, the time and intensity of the plasma treatment, and the system base pressure. The hydrophobicity of the surface can be characterised by contact angle goniometry and XPS and ToF-SIMS analysis of fluorine. Resistance to abrasion can be tested with a Martindale abrasion tester.
This selection of applied treatments appears to reduce and slow down water damage/corrosion and presents improved chances of memory retention in unspoiled memory chips.
I see a relevance in knowing about treatments such as the above, as it can help on many levels: as background preparatory knowledge, towards a recovered-exhibit examination procedure, for use in an advisory role as to why some water damaged phone exhibits could produce better results, or are capable of undergoing tests, compared with other phones, and so on.
Chip Off, JTAG, NAND and YAFFS2
An article and a presentation identifying practices and concepts. Both contain value-added content with respect to the subject matter.
Practitioner's view of Chip Off and JTAG
Raw NAND flash and the YAFFS2 file system
Sunday, April 21, 2013
Plug-in for mobile phones in iSync
Plug-in for mobile phones in iSync, how to use
All plug-ins can be downloaded for free.
Instructions for use
To install one of these plug-ins, download and unzip it, then place the folder "PhonePlugins" in the "Library" folder (create the folder if it does not exist).
"Library" can refer either to the "Library" folder in the root of the disk (for all users) or to that of a specific user. In the first case the plug-in will be seen by all users; in the latter only by the user for whom it is installed.
The plug-ins for iSync 10.5.x only work on OS X 10.5 or later.
iSync plug-in for Motorola
iSync plug-in for Nokia phones (for Mac OS X 10.5)
iSync plug-in for Nokia (for Mac OS X 10.5 or later)
iSync plug-in for Sony Ericsson mobiles (Mac OS X 10.5)
http://translate.google.co.uk/translate?sl=auto&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&eotf=1&u=http%3A%2F%2Ffaqintosh.com%2Frisorse%2Fit%2Fothutil%2Fisync%2FiSyncLeo%2F&act=url
Mobile microprocessors
iPhone to Android
Interesting tool:
1 Transfer iPhone SMS and MMS with attachments to Android
2 Transfer SMS and MMS to Android from iTunes Backup
3 Extract picture, video, audio attachments from iPhone MMS to computer
4 Save iPhone SMS and MMS to local database on computer
5 Copy SMS and MMS from PC local database to Android
6 Export iPhone SMS and MMS to document files
7 Print out iPhone SMS and MMS in amazing threading mode
http://www.backuptrans.com/iphone-sms-mms-to-android-transfer.html
Labels: android, Contacts, iPhone, messages, MMS, phone numbers, SMS, threaded messages, transfer stored data
Android Data Extractor Lite
The author of this tool states:
"This Python script dumps all important SQLite Databases from a connected Android smartphone to the local disk and analyzes these files in a forensically accurate workflow. If no smartphone is connected you can specify a local directory which contains the databases you want to analyze. Afterwards this script creates a clearly structured XML report.
If you connect a smartphone you need a rooted and insecure kernel or a custom recovery installed on the smartphone.
ADEL needs a predefined configuration for each device to work properly."
https://github.com/mspreitz/ADEL
https://github.com/mspreitz/ADEL/tree/master/xml
Labels: ADEL, Android, python scripts, smartphones, XML report
Windows Memory Toolkit
MoonSols Windows Memory Toolkit
This toolkit collection comes in either a free community edition or a paid professional edition. It is useful to know about and try these tools, particularly for students with no budget or with budget limitations.
http://www.moonsols.com/windows-memory-toolkit/
MBRWizard
Here's an interesting tool and some links to discussions about variants of MBRWizard and its download:
http://mbrwizard.com/
http://systemexplorer.net/file-database/file/nbrtwizard-exe
Labels: bootable drive, Master Boot Record, MBRWizard, USB, windows
Intel® 64 and IA-32 Architectures Software Developer Manuals
These manuals describe the architecture and programming environment of the Intel® 64 and IA-32 processors.
http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html
Labels: architecture, IA-32, Intel64, manuals, processors, Programming
Radare
Forensics students and researchers should enjoy this, as Radare is a free and advanced command line hexadecimal editor.
http://radare.nopcode.org/new/?doc
How to code debuggers
Coding low-level infrastructure like kernels, compilers, and linkers can be very scary, and most programmers stay as far away from them as they can. And the scariest of all are debuggers, which rip apart the warm flesh of innocent programs and use the dark side of the force to control them. Every decent Computer Science course includes coding at least a toy compiler, most also toy interpreters, virtual machines, and disassemblers, but how many people wrote even the most toyish debugger? (By debugger I mean any tool for low-level analysis of running programs, whether it single steps, traces execution, or does something else.)
http://t-a-w.blogspot.co.uk/2007/03/how-to-code-debuggers.html
Labels: code debuggers, coding, compilers, disassemblers, kernels, linkers, low-level, programmers, virtual machines
RCE Tools USB SPY v1.3
This spy tool copies all the contents of a USB flash drive when a user attaches it to the machine.
http://www.at4re.com/download.php?view.159
Other tools:
http://www.at4re.com/download.php?list.6
A Patch Analysis and Binary Diffing Tool
DarunGrim is a free binary diffing tool. Binary diffing is a powerful technique to reverse-engineer patches released by software vendors like Microsoft. Especially by analyzing security patches you can dig into the details of the vulnerabilities they fix. You can use that information to learn what causes software to break, and it can help you write protection code for those specific vulnerabilities. It's also used to write 1-day exploits by malware writers or security researchers.
http://www.darungrim.org/
Twitter Profile Extraction Tool
A Ruby script that outputs a TSV file to back up a publicly available Twitter profile, containing the user timeline including the collapsed replies and other info.
View source: http://bazaar.launchpad.net/~ridders7855/warbler/trunk/view/head:/Warbler.rb
Download script: http://bazaar.launchpad.net/~ridders7855/warbler/trunk/download/head:/warbler.rb-20130405193447-u2ncptxun5s861m0-1/Warbler.rb
Labels: extraction tool, Ruby Script, TSV file, Twitter profile
Saturday, April 20, 2013
Well done to Boston
I listened to President Barack Obama's speech about the amazing work by the people of Boston, law enforcement and the security services to capture the culprits of those heinous bombings. The innocent men, women and children translate to family and loved ones caught up in a senseless act to prove what? No one knows.
"To Dear Boston,
I wish you speed in your recovery in all aspects of your lives and, in my small way, congratulate you on your sterling resolve and determination to get through that nightmare.
A well wisher from England"
Labels: Boston, congratulations, President Barack Obama, well wisher
Thursday, April 18, 2013
Judge fines himself
What exemplary conduct by Judge Raymond Voet and respect to him for practising what he preaches.
Judge imposes fine on self for cell phone mishap
Judge Raymond Voet holds self in contempt of court, pays $25 fine
http://www.sentinel-standard.com/article/20130412/NEWS/130419815/1002/NEWS
Saturday, March 30, 2013
(U)SIM Examination (Physical) Pt1
We begin with GSM as this is the original starting place where examiners first learned about subscriber identity modules (SIM). There are many ways to learn about SIM: using a SIM reader tool is one way; another is receiving instruction during training that concentrates on the types of user and network data that can be harvested by examiners. An education and training process can equally include a training module or modules on the physical aspects of a card, identifying for the examiner the material parts of the SIM, the known routes to understanding electrical aspects, processing aspects, storage geometry and memory mapping, and so on. The thinking here is analogous to the way in which a computer examiner is expected to understand HDD disc geometry, clusters and sectors, BIOS etc. even before entering into the search and study of the 'content' that may be recorded on the disc. It is, or should be, the same for (U)SIM.
The SIM Card can be seen as a composition of at least three constituent parts:
- The physical card (the storage carrier).
- An integrated circuit card micro-processing chip (the operating system and content storage device).
- The subscriber identity module; an area of physical memory allocated at manufacturing for pre-market and post-market recording by the mobile network operator and SIM user.
- A fourth constituent part could be a Card with an etched antenna for RFID/NFC for use by (US)SIM (but this part is not included or discussed at this stage).
- etc
To enable test and inspection of these constituent parts GSM approved and adopted GSM 11.17, to help manufacturers, operators and service providers formalise and make uniform the test and inspection procedures, rather than have a mish-mash of randomly selected tests for SIM cards submitted for use in GSM. The former is highly desirable as the goal of GSM has always been about interconnection compatibility and interconnection backward compatibility. By way of illustration, a GSM Phase 1 SIM card should still be able to be inserted into a GSM Phase 2+ mobile device and allow communications to take place, unless the operator or device manufacturer has declared and stated otherwise.
From an examiner's viewpoint we would want to know how those three constituent parts translate to the work we do. Some examples are set out below.
Physical Card
Due to the form factors used in GSM we can make an assessment to determine the supply chain and manufacturer of the card itself. We look at the card to see if it has been cut down for use, and for any attempt at anonymity by removal of the SIM Serial Number (SSN), compared against the manufacturer's polarisation techniques. Later 3G/LTE USIM cards have undergone some changes since GSM's inception; these will be dealt with at a later date.
Image courtesy of wikipedia - http://en.wikipedia.org/wiki/Subscriber_Identity_Module
ICC Chip
Manufacturer and technical specification are important to determine a range of potential evidence, including release into the marketplace and technological and electronic capability. Clearly the geometry and memory mapping are important. There are various techniques to deal with a card with a damaged chip. One example is called 'acid-etching' used to gain access to the physical chip itself by removal of the outer protective coverings used in the manufacturing process.

Image courtesy of wikipedia - http://en.wikipedia.org/wiki/Subscriber_Identity_Module
Physical Memory
Determining geometry and memory mapping forms part of the testing and inspection process set out in GSM 11.17. We can use these procedures to formulate a forensic analysis programme, similar to the way in which computer forensic examiners seek to determine specifically the data discovered and recovered from a particular memory location on the HDD, and define the data from its binary and encoded states and any formatting that may be applicable to it. That being so, would it be out of the question in SIM examination terms for the EFBCCH file to be formatted as .bmp? Below are a set of PowerPoint slides I have prepared so that examiners can comprehend the procedures approved and adopted for test and inspection of GSM SIM cards. Later on, when we come to 3G/LTE (U)SIM, this GSM starting point helps formulate how to identify differences between the various (U)SIM/LTE cards, and equally identify the expansion of technology services and content, so that the examination limits or avoids omissions during the investigative/evidential process.
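As an added example, not code from the original posts, here is the electronic side of the SSN check described under "Physical Card" above, read from the card's memory rather than its face: EF_ICCID, whose coding is given in the "Contents of the elementary files" clause of 3GPP TS 51.011 (clause 10, listed in Pt2), is decoded from swapped-nibble BCD and its ITU-T E.118 Luhn check digit verified, then compared with the number printed on the card body. The 10-byte record and the printed SSN below are constructed for illustration, not taken from any real card.

```python
"""Decode EF_ICCID as read from a (U)SIM and compare it with the SIM Serial
Number (SSN) printed on the card body.

Added example, not code from the original post. Coding rules used:
3GPP TS 51.011 clause 10 (EF_ICCID, file id 2FE2, 10 bytes, swapped-nibble
BCD, unused nibbles padded with 'F') and ITU-T E.118 (Luhn check digit as
the last digit of the ICCID).
"""


def decode_swapped_bcd(raw: bytes) -> str:
    """Return the digit string held in swapped-nibble BCD.

    Each byte carries two digits, low nibble first. An 'F' nibble marks the
    end of the number (padding); any other non-decimal nibble is corruption
    and is reported rather than silently skipped.
    """
    digits = []
    for byte in raw:
        for nibble in (byte & 0x0F, byte >> 4):
            if nibble == 0x0F:
                return "".join(digits)
            if nibble > 9:
                raise ValueError(
                    f"non-BCD nibble {nibble:X} in record {raw.hex().upper()}")
            digits.append(str(nibble))
    return "".join(digits)


def luhn_valid(number: str) -> bool:
    """Luhn (mod 10) check over the whole number, check digit included."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_ef_iccid(raw: bytes) -> dict:
    """Interpret a 10-byte EF_ICCID record."""
    if len(raw) != 10:
        raise ValueError("EF_ICCID is a 10-byte transparent file")
    iccid = decode_swapped_bcd(raw)
    return {
        "iccid": iccid,
        "length": len(iccid),
        "mii": iccid[:2],              # '89' = telecommunications (E.118)
        "luhn_ok": luhn_valid(iccid),  # True where the issuer follows E.118
    }


def compare_with_printed(raw: bytes, printed: str) -> dict:
    """Compare the electronic ICCID against the SSN read from the card body.

    Printed numbers are usually laid out in groups, so spaces are ignored.
    A card whose printed SSN has been scraped off yields an empty string,
    which is recorded as a non-match rather than an error.
    """
    record = parse_ef_iccid(raw)
    printed_digits = printed.replace(" ", "")
    record["printed"] = printed_digits
    record["printed_matches"] = bool(printed_digits) and printed_digits == record["iccid"]
    return record


# Constructed sample record (not from any real card): ICCID 8944100000000000018,
# 19 digits, so the final nibble is 'F' padding.
SAMPLE_EF_ICCID = bytes.fromhex("984401000000000010F8")

if __name__ == "__main__":
    print(compare_with_printed(SAMPLE_EF_ICCID, "8944 1000 0000 0000 018"))
    print(compare_with_printed(SAMPLE_EF_ICCID, ""))   # SSN removed from card
```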