Thursday, May 18, 2017

Study into Carving Validation

At the LinkedIn Group "Institute for Digital Forensics" ( https://www.linkedin.com/groups/2436720 ) we are pleased to announce Dr Graeme Horsman PhD, BSc (Hons), MJur (Dur), PGCertHE, SFHEA from the Faculty of Computer Science University of Sunderland has joined the Group and wants to seek assistance from practitioners, in-house test and examination departments and laboratories regarding thoughts on testing in terms of the tools that are used. This is in terms of strategies etc., given the importance (albeit it has always been important) with ISO standards etc. Do IDF members have their own "test data and strategy that they roll out on new software/releases"? This is in relation to potential value of an automated test data generator for known good content from which to evaluate parsing/carving algorithms. This would be with respect to "carving validation" so test data would be geared towards such algorithms. Dr Horsman would appreciate as much feedback as possible and wants to engage in discussions to facilitate this study.

Access to content and discussions is open to LinkedIn members who request and are approved for membership to the Group "Institute for Digital Forensics.

Sunday, May 14, 2017

Contaminating Evidence SIX

The original question (in Part ONE) I believe was asked by someone starting out in mobile forensics. I tend to find it is easier to start with the 2G technology [SIM Application CLA (0xA0) / 2G context], which is still predominant in certain countries; although market research shows 2G falls below 30% globally by 2020.

Furthermore, law enforcement and security still seize and find 2G SIM cards (globally speaking) associated with criminal activity - drug dealing, SIMboxing, trafficking, etc. - so any observations to assist examination may help improve outcomes, assist generate "quality in work" but without expending large quantities of capital.

Equally, with 3G and 4G SIM cards the examiner can still SELECT and ReadBinary etc. re: GSM Access. Also, it is helpful to let examiners see basic script commands and responses as the basic commands can still be issued under [USIM Application CLA (0x00)]:

SelectUSIMApplication
Select 6F07
ReadBinary


To make the following a little more interesting than merely showing a screen image of USIM Application returning the SIM Card's IMSI, does the mobile network IMSI match the network to which the IMSI was last latched?


For privacy and security purposes the IMSI has been obscured, however it is confirmed the IMSI for this discussion is a subscriber to the EE network. As an examiner you may consider looking to the last network and location the subscriber was camped.

SelectUSIMApplication
Select 6F7E (e.g. location area)
ReadBinary




SelectUSIMApplication
Select 6F73 (packet switched location area)
ReadBinary



Observations, at first instance: the LOCI and PSLOCI screens reveal that the subscriber's account has been latched to the T-Mobile network; not EE or Orange network. Who would provide feedback to the investigating office on what that means? Both of these screens show "updated" for location and routing area, yet the P-TMSI Signature Value has been unchanged FFFFFF. What significance, if any, would that import into interpreting the data?

The key point of using commands and getting responses can assist an examiner refine searches made to (U)SIM and the (U)ICC and also respond to "time-is-of-the-essence" requests in cases of device seizure at the point a trafficker is stopped and searched. Combining precise information searches can help examiner's do this.


Moreover, with enhanced scripting and script variables we can do so much more and a matter that will be considered in another blog discussion post/s soon regarding examination, evidence and validation:

==========
ContinueOnBadStatus
Select 3F00
Select 7F20
Select 6F07
If (GoodStatus = True)
{
 ReadBinary
 If (GoodStatus = True)
 Pass
}
Fail
===========
===========
Select 3F00
Select 7F10
Select 6F3A
Set $recNum = 1
While ($recNum <= $totalRecords)
{
 ReadRecord $recNum
 Increment $recNum
}
===========
===========
$count
$recordNumber
$data
$alphatag
$bitmask
===========


The tool USIM Commander is a SIM evaluation and programming tool available from Quantaq Ltd and can be found here: http://www.quantaq.com/products/simtools/

Hope you find this helpful.


Contaminating Evidence ONE  - http://trewmte.blogspot.co.uk/2017/04/contaminating-evidence-one.html
Contaminating Evidence TWO - http://trewmte.blogspot.co.uk/2017/04/contaminating-evidence-two.html
Contaminating Evidence THREE  - http://trewmte.blogspot.co.uk/2017/04/contaminating-evidence-
three.html
Contaminating Evidence FOUR - http://trewmte.blogspot.co.uk/2017/05/contaminating-evidence-four.html 

Contaminating Evidence FIVE - http://trewmte.blogspot.co.uk/2017/05/contaminating-evidence-five.html

Thursday, May 11, 2017

Contaminating Evidence FIVE

To refresh, these discussions (links at foot of this article) originated because someone asked a question e.g. should I put a seized damaged SIM card into a seized mobile phone (handset), where both items have been found placed into the same Exhibit bag? The discussions have been to highlight helpful observations about what can be involved and learning the lesson to keep a damaged SIM card separate from the handset and conduct tests independently from combined forensic suites; hence the need for Test A Damaged SIM Card SOP.

Yes, you can run a test single APDU (application protocol data unit) command to select particular data from a SIM card, as you can run a script containing multiple test APDU commands. For example, what follows is an example of multiple APDU command to SELECT and GET RESPONSE  from the SIM card requesting the SIM's IMSI (international mobile subscriber identity). Invariably, investigating officers and security may only require just that little piece of information; and whether extracted and harvested from a working SIM or a damaged SIM. Where a damaged SIM Card is involved it wont be clear at the initial examination stage whether (a) the SIM will respond to any test or fully-blown image? and (b) if it does, could there be only chance to retrieve any data from it (the card)?

APDU Commands
We know that the standards identify commands as follows and therefore these would most likely assist the examiner when reading the SOP. Remember in part FOUR it referred to the SOP should assist examiners by identifying the short form title and clause. So here is one exercise you can do now. Go and download ETSI GSM11.11 (Release R1999) and 3GPP TS 31.102 latest release and identify the short form title and clauses relevant to the APDU commands below:

- Select
- VerifyCHV
- ReadBinary
- ReadRecord
- UpdateBinary
- UpdateRecord
- Status

Test APDU - IMSI Request
The next step is to select and chosen the statements needed to issue commands for the SIM card to reveal the IMSI:

- 2GMode
- Select 3F00
- Select 7F20
- Select 6F07
- ReadBinary
 


USIM Commander GUI Image


The IMSI has been doctored in the above image for privacy and security reasons. However, the three windows panes above illustrate how to validate commands issued to a damaged SIM card. The left pane shows the commands. the top right pane shows the status and harvested data of the commands issued. And the bottom right pane confirms the translated APDU trace and the Raw APDU trace. Thus proving the process and procedure the examiner adopted and applied during testing. This information can then be logged into the examiner's Contemporaneous Notes. 

Training and Discovery
Before jumping into conducting the tests, training and exposure to different types of SIM cards and their conditions should be the first priority. Even the best APDU scripters make mistakes. The screen images that follow illustrate mistake and correction (can you find the mistake?) and following that the importance of the learning curve an examiner needs, which is only possible base upon discovery using training SIM cards to see what might be revealed.
 
 
 
Examiner need to be encouraged to extend search investigation beyond the template. The images below, identifies CHV1 and CHV2 discovery might reveal. This discovery helps examiners to uncover if unknown CHV1 and CHV2 can be revealed.




 
Contaminating Evidence ONE  - http://trewmte.blogspot.co.uk/2017/04/contaminating-evidence-one.html
Contaminating Evidence TWO - http://trewmte.blogspot.co.uk/2017/04/contaminating-evidence-two.html
Contaminating Evidence THREE  - http://trewmte.blogspot.co.uk/2017/04/contaminating-evidence-

three.html
Contaminating Evidence FOUR - http://trewmte.blogspot.co.uk/2017/05/contaminating-evidence-four.html 

Wednesday, May 10, 2017

Contaminating Evidence FOUR

In the last discussion it referred to APDU (application protocol data unit) - the communications unit between the SIM card reader and the SIM card. It also mentioned that APDU are set out in the Standards. There is some more information on this you may find helpful. The Test A Damaged SIM Card SOP could include a removal of doubt (ROD)technique. The purpose of this ROD technique assists the examiner's comprehension from the outset of the 5-Ws rule of thumb:

Who - the examiner
What - testing across the interface
Where - between the DUT and the Test Tool
When - as directed by the laboratory Good Practice Guide (GPG)
Why - to avoid contamination of evidence

To aid that process the SOP could reference the procedure with the inclusion of the relevant standard numbering and title, also directing the reader to a specific clause. It is irrelevant for the purposes of testing to ask an examiner to remember something s/he was taught some time back. A permanent record in a document of direction and advice instructing the examiner is needed. Practices and procedures should not be left to guesswork. As the old adage states " it is not knowledge you need to hold-on to in your head as this is recorded in books; it is the skills and experiences you should remember." A permanent record, then, is a reference book. The skills and experiences developed through use and discovery are those essential requirements to maintain and evolve the SOP, which when recorded then goes on to become knowledge.

ISO/IEC 7816

In Part ONE it referred to ISO/IEC 7816-1. That is because it is the starting point that identifies other 7618-parts. Here we need to look at ISO/IEC7816-3. The above image show the specific section to be discussed. But for the sake of manner and form let us use a page within the SOP identifying Standards and Text applicable to it (the SOP and its procedures and tests therein):

Standard Title:
============
INTERNATIONAL STANDARD ISO/IEC 7816-3 Third edition 2006-11-01
Identification cards — Integrated circuit cards — Part 3: Cards with contacts — Electrical interface and transmission protocols

============

However a short form identity for the relevant Standard and clause/s are required. This is placed at the end of paragraph following the written procedure or test (otherwise any procedure and test would be verbosely overloaded with repetition of a Title like the above).

Short Form Identity:
=============
(ISO7816-3 (cl12.1.1)) 
=============

Note that apart from going to a separate document (e.g. relevant Standard and clause) everything that an examiner should require should be in the SOP. The reasoning behind that has many responses but to highlight: (a) avoids an examiner reading wrong, incorrect or out of date material; (b) excessive amounts of information can confuse; (c) examiners will be testing, but prior to tests and following tests contemporaneous notes should be made which could be excessively lengthy if the SOP references are not used....and so on.

It can also be helpful to produce GUI screen images and samples of APDU so that the examiner is equally guided to know what to look for in any trace file output for validation purposes.

USIM Detective


Dependent upon the (U)SIM/(U)ICC hardware reader and software (system) used it is important that the examiner does not end up using another system to perform the tests. If a different system is used a new SOP should be created for every system in use. If support is needed for that then an example can be given here. The above screen image shows the ADPU commands and responses in the USIM Detective trace file. However, Simspy2 trace file output is different:

Simspy2

  
This might suggest the commands and responses that are output should still be identical? No, not all commands and responses will be identical. Worse still, if the examiner starts quoting one system in a report and the data used is in fact from another system. An example of this is Simspy2 and USIM Detective both issue commands and responses that can acquire different data. Both issue commands to fetch data from memory locations that are not specified in the standards. This does not suggest they are wrong, merely they offer different traced evidence.

Unless each Lab produces its own system then the market forces of commercially or freely available systems will be the pool from which systems are obtained. The more tools the better, but budgets can dictate a system to be used, although in reality obtaining free software should not present a problem. Purchasing a commercial system, it should be possible to fully scrutinised data captured and that the system has the back-up evidence to produce a trace file output containing the commands and responses where validation is needed.

Validation requires confirmed interpretation of commands issued and as mention in previous discussion seeking guidance from the standards can save an awful lot of time and assists avoiding guesswork:

GSM11.11



Lastly, but still relevant to Test A Damaged SIM Card SOP, it should be made clear in the SOP that the standard referred to identifies the "interface" as referenced in the standard. In this discussion ISO7816-3 confirms the "electrical interface" and the transmission protocols used. However, as (U)SIM cards emerge with additional capabilities in the (U)SIM or at the (U)ICC level it is important to record additional interfaces significant to the method and process evidence is captured:



Contaminating Evidence ONE  - http://trewmte.blogspot.co.uk/2017/04/contaminating-evidence-one.html

Contaminating Evidence TWO - http://trewmte.blogspot.co.uk/2017/04/contaminating-evidence-two.html

Contaminating Evidence THREE  - http://trewmte.blogspot.co.uk/2017/04/contaminating-evidence-three.html

Sunday, April 23, 2017

Contaminating Evidence THREE

Parts ONE and TWO can be found here for those who haven't followed the discussion so far:

Contaminating Evidence ONE  - http://trewmte.blogspot.co.uk/2017/04/contaminating-evidence-one.html

Contaminating Evidence TWO - http://trewmte.blogspot.co.uk/2017/04/contaminating-evidence-two.html

I have received enquiries asking for references how to test a damaged SIM card is working or not? This is not a case of simply sticking the damaged SIM cards into a SIM reader and using software to see what content is returned from various data files.

Lab Managers, Section Leaders and Examiners need to define the aims and objectives for testing damaged SIM cards. This should be on the basis of the Test A Damaged SIM Card SOP. The use of general statements in these discussions are not aimed to tell you what to do or how to write your examination processes and procedures. It offers, hopefully, helpful suggestions on basic materials needed to develop and evolve SOP. The following materials could serve as a foundation template with which to prepare and guide the preparation of headings and descriptions; themselves used to define how tests should be conducted.

Avoiding a discussion about how to top and tail a SOP document, nor discuss the merits of aims and ambitions, Do's and Don't (so to speak) and so on, the focus will highlight the relevance of "interface". The first question to ask is who's interface? There are a few to deal with when examining a damaged SIM card:

1) The hardware interface of the damaged SIM card
2) The software interface of the damaged SIM card
3) The probes of hardware of the examining tool
4) The software of the examining tool

Because there are many internal communications entities on a SIM card it can be thought of in terms as having it own mini-network. Here is an image of communications network where at certain points interception is required to deal with e.g. cyber attacks.




We can see network elements as being defined as entities of the network and we need to get to those entities to discover what is inside (content). We therefore require defining the object identifiers for 'path-to-content', so perhaps creating an identifier tree that illustrates the reference points of interest can help you do that?

Unlike a full communications network, which it is not realistic to attempt to obtain an image compared to a device; the SIM card's mini-network in a device can be imaged. Identifying elements and entities in the SIM card's mini-network examiners can look to the following standards:

ISO/IEC 7816-1
GSM 11.11; 11.12; 11.14; 11.17; 11.18
3GPP 31.120;31.121
ETSI TS.102230

To illustrate how the standards can be used to create a standard operating procedure (SOP) in the photo below I have identified physical, electrical, electronic and logical elements to be considered by combing the details taking the test reference identifiers in GSM 11.17 and overlaid them to GSM 11.11 reference points.  These are known as the SIM test groups.



Germane and relevant is the interface processes and procedures chosen have a 'forensic' requirement that the device's content should not be altered by our actions (so to speak). "Human Intervention and Tools (HIT) need to demonstrate that their interaction with the device does not change any data. All tests carried out using an examination tool should also be carried out on the basis of understanding any limitations of the tool."

So when it comes to testing the damaged SIM card we have background knowledge, but does that mean we have to create new software utilities and hardware for testing to see if the card can be imaged using a SIM card reading software? There is a huge range of physical hardware readers out there that are compliant with the Standard's physical, etc. interface requirements. To support that proposition examiners can use hardware such as SCR331 etc. Moreover, there is the utility PC/SC diagnostic tool. I chose this utility because it was available back in 2002-2003 and a popular tool for testing GSM SIM cards.

The purpose of using a test utility on the damaged SIM card is that you do not want to run a fully blown image process on the damaged card because you do not know the extent of the damage inside to its micro-computer electronic circuits (do you think that should be stated in your SOP?). PC/SC diagnostic tool enables testing only the boot-up of the card and to return its ATR (answer-to-reset) and other system parameters.  As the test does not penetrate the Master File (MF) and elementary files (EF) the tool only works with the shell and wont read and return content such as the EFICCID or EFIMSI and so on.

When conducting a test read of the damaged card the results returned will need to be saved. PC/SC diagnostic tool provides for saving the test report. Identifying the name of the report is optional, but when training it is perhaps a good idea to get into the practice of identifying the report from the SIM Serial Number (SSN) recorded on the face of the card. In the photo below I have simply used filename ICCID so as not to identify a test card or a case exhibit.



The initial report that is saved will be a plaintext .txt file. To prevent loss or alteration of that file convert the .txt file to a working document (.pdf).


Examiners essentially need to be aware how the test tool works. It writes APDU (application protocol data unit) - the communications unit between the SIM card reader and the SIM card. The APDU are set out in the Standards.

When preparing your damaged SIM card SOP some key information to have considered and confirmed are:

a) Does the tool permanently write to the card?
b) If so, and working at the shell, where would that be discovered, if at all?
c) Can a write blocker be used?
d) What can be learned from the ATR and parameters?    

If the test results obtained are good this detail can be used in the decision-making process whether or not to create a cloned test card. Remember to enter a caveat in the SOP and to the client that internal damage cannot be seen and therefore any image extracted thereafter might only be on a one-shot basis.

Remember: photographs and well documented contemporaneous notes are essential here. Make the effort to record details so that you don't have to struggle trying to remember what the device was like or what you did.

Thursday, April 20, 2017

Contaminating Evidence TWO

The goal of these essay discussions is to provide responses to the potential proposition that could arise in the theoretical question.  Part One can be found here: http://trewmte.blogspot.co.uk/2017/04/contaminating-evidence-one.html


“What would you do if presented with an exhibit bag containing a mobile phone (which cannot be fully accessed without a SIM Card) and a SIM Card (which was not inserted and may/may not be associated with the device) separately and what could the affects be if the SIM Card was inserted into the mobile phone?”
The question raises “what could the affects be...?” The follow essay discussion will endeavour to capture some hopefully useful points for readers. It is not exhaustive list but intended to be illustrative of what may happen.

Removing the SIM card and handset from the evidence and exhibit bag, the examiner, following anti-static procedures, should normally inspect the SIM card first for any signs of damage.

 
In this case, the photo shows sustained visible damage to the outer SIM contact pads; as consequence this could mean damage to internal components and connections? It is not unknown for suspects to try and damage their cards with external power sources to make access to SIM memory impossible.
 
Inserting a faulty SIM card into a handset may have an adverse effect on the handset’s SIM controller circuit with respect to the sensitive EMI filter. If the handset has a bad reaction to the inserted SIM card it could be the case the exhibit SIM card caused contamination damage by causing the EMI filter to breakdown, preventing the handset reading this and any other SIM cards until repaired.   
This is good example of a case where photographic records and contemporaneous note taking is very important. The decision not to use this damaged SIM card with the exhibit handset at all would be wise. The SIM card would need to be tested to see if any data can be recovered from it using an external SIM reading software. There may be a chance to create a clone test card from it.
 
The examiner should be following the correct Laboratory SOPs which may direct him/her to make a clone test card from the exhibit SIM card. This clone test card ‘might be used’, subject to approval from the investigating officer, to be inserted into the exhibit handset. This is in cases where extracting and harvesting data in an image file (e.g. .bin or raw file) following the removal of the memory chip or using JTAG points on the handset’s printed circuit board (PCB) are not options available to the examiner.
As mentioned in Contaminating Evidence ONE feedback received from queries raised by the Lab Manager to the client regarding seizure procedure, chain of custody and any other examination/s should hopefully confirm one way or other whether there is any connection between the handset and SIM card. If there is, and subject to authorisation, the examiner might use the cloned test card in the handset.
In the alternative, for whatever reason, should the examiner insert the exhibit SIM card into the exhibit handset this action requires an understanding of the following:
(i)                  handset processes and procedures during power off?
(ii)                inserted SIM card processes and procedures during handset power down?
(iii)               events happening at power on for handset and SIM card?
Depending on make/model of handset, its profiling and initialising processes, on power this can potentially affect data held on the SIM card and data held in the internal memory of the handset.
SIM cards follow a fairly, precise procedure for boot-up until the SIM Toolkit stack initialises and then depending upon make/model of handset dynamic changes can occur with allocated, but not activated services in EFSST. If the SIM card is not connected with the handset then exchanges causing data changes take place between the SIM card and handset. This is, by all means, not the only potential data changes that can occur with SIM cards and analysis should be considered for the following:
(iv)               EFHPLMN (Home PLMN - check for update timer)
(v)                EFLOCI (Location Information)
(vi)               EFBCCH (Broadcast Control Channel)
(vii)             EFKc (GSM Ciphering key Kc)
(viii)           EFKcGPRS (GPRS Ciphering key KcGPRS)
(ix)               Check DF ProSe
(x)                 EFCPBCCH (CPBCCH Information)
(xi)               EFPSLOCI (Packet Switched location information)
(xii)             EFNETPAR (Network Parameters)
(xiii)            EFOPLMNwACT (Operator controlled PLMN selector with Access Technology)
(xiv)            Proactive SIM
(xv)             EFSST (SIM Service Table)
(xvi)            And so on
Also of interest is what is happening to the handset data due to internal functions? For instance, inserting a SIM card that has not been previously used with the handset can block access to phonebooks, messages and so on due to internal security policies. Moreover, when powering on a handset the examiner has no clue whether the handset user as set a policy ‘auto-delete’ messages, which may be triggered.
 
There is also some debate where a handset is switched ON but within a radio-damping field or chamber to prevent connection to the network what happens to data under these circumstances?  The thought that all radio context details is lost on power down may have security requirements but what is retained in the handset is largely left down to the handset manufacturers. Of interest, some UEs having stored some NAS (mobility management) information e.g., old security context, GUTI, IMSI, timer values etc. may still be stored for assist quick speed to link to network as opposed to drawing stored data from the SIM card. This may occur where the user selects Flight Mode and suspends all radio activity, again depending upon make/model of handset. Inserting a SIM card not used in the handset previously, the handset initialisation procedure will call the data from EFNETPAR file and record that into temporary memory. That information wasn’t there previously; that may be considered contamination.
 
SUMMARY TWO
Due to so much activity that is invisible to the examiner when handsets are switched ON with a SIM card inserted requires the examiner (using strict Laboratory SOPS) to follow the SOPS procedures and NOT insert the exhibit SIM card into the exhibit handset using subjective guesswork.
 

 

Contaminating Evidence ONE

The theoretical question highlighted below was originally posted on a forum to provide work material for students. Recently the same question was resurrected again by a student seeking a response to the question for a test paper?

“What would you do if presented with an exhibit bag containing a mobile phone (which cannot be fully accessed without a SIM Card) and a SIM Card (which was not inserted and may/may not be associated with the device) separately and what could the affects be if the SIM Card was inserted into the mobile phone?”

As there had been no response at the forum to provide possible answers to the question above I thought I would discuss issues that could arise.

My first doubt with the question, having read it, is that it could lead to an impression that tick sheet (multiple-choice) responses would be sufficient to answer the question. In my view that would be wrong, because unless the multiple-choice options had been meticulously researched and condensed to a single accurate word, it is possible the person passing the test could believe his/her knowledge was sufficient to handle evidence when in fact that may not be so.
I formed the opinion that this question is better suited to an essay-style response to flesh-out possibilities the question raises and identify the knowledge possessed by the person taking the test. Such a test may produce a failure in knowledge, but not failure of the person taking the test; trial and error enhances the experience of the person who then has an opportunity to research the areas of failure.
PREAMBLE
The question raises potential material concerns about the way the item has been ‘seized’ and, so to speak, ‘bagged’ (evidence/exhibit bag). The competency and skillsets of those involved in the seizure may come under scrutiny. The SIO (senior investigating officer) or SO (senior officer) may need to look at the scheduling of the investigating and seizing team despatched to site: Scene of Crime (SoC), Warrant to Search, etc. Who was the seizing officer? What training have they received? Does s/he understand the principles of avoiding contamination and/or cross-contamination?  What if the seizure occurred due to stop and search? Would the rules be different then?  No, the rules of seizure wouldn’t be different merely the understanding of the person conducting the seizure how to implement them.
So, what might be the concerns? The question omits to identify
(a)    comments in the seizure log, contemporaneous witness statement and/or photographs of found items at site?
(b)    whether the handset has SIM/s (don’t forget dual-SIM handsets) already inserted?
(c)     whether the handset battery is connected or loose in the bag?
(d)    if the is battery still connected is the handset switched ON/OFF when seized?
(e)    if switched ON, what network ICONs etc., were visible?
(f)      did the seizing officer switch ON/OFF the handset or was the handset allowed to drain the battery’s charge naturally?
(g)    if the battery is loose in bag, did the seizing officer remove battery or was it found that way?
(h)    if battery removed from handset does it reveal the SIM slot/s are empty or in use in the battery well?
(i)    does the handset have a SIM slot on the side of the handset and is the SIM slot gate open or closed?
At this stage in the discussion you may think the above questions are enough? Well they are not. The evidence/exhibit bag should not be opened by the examiner and further considerations on the mind of the examiner might be to ascertain if possible whether an immediate link can be seen between the handset and loose SIM card in the evidence/exhibit bag?
(j)    logo on handset and SIM card; is there a connection?
(k)     SIM Serial Number (SSN); check out mobile operator ID?
(l)    SIM form factor; size 1FF, 2FF, 3FF, 4FF or ID-1, plug-in size, micro-card, nano-card?
(m)    make/model of handset; which SIM form factor does it use?
(n)      if battery is loose in bag; is the battery even associated with the handset?
Yet a further potential point to raise is whether the Lab Manager or Section Leader immediately grasp the significance of the contents in evidence/exhibit bag?
(o)    at goods-inwards point of delivery?
(p)    was the person delivering the evidence able to provide supporting details?
(q)      if not, have enquiries be made to the client for supporting details?
(r)      has the evidence/exhibit bag just been handed over to the examiner to get on with it?
The chain of custody (from hand-to-hand) also requires discussion in this essay, which started out looking where seizure began through to delivery to the examiner. Examiners may find there is an elliptical procedure needed to be adhered to where initial seizure is faultless and alteration has occurred down the line.
Prior to receipt of the evidence/exhibit bag and its contents it is quite possible the exhibits themselves have been previously examined. This is in case of being subjected to the analysis of:
(s)    fingerprinting
(t)      DNA
(u)  drugs
(v)    GSR
Could it be the case (during these process (s)-(v)) the items that were separately seized have accidently now been co-located in the same evidence/exhibit bag? Problematical where evidence has been cross-contaminated is that it may cause a miscarriage to any effective results obtained during examination processes and procedures. Moreover, it might give weight to a confession through false belief the items belonged together. That may happen long before any test of admissibility of the evidence begins.
Lastly, an examiner should check in-house Standard Operating Procedures (SOPs), such as:
(w)    Any Laboratory General and Standard SOPS
(x)    Any General Guidance on Mobile Phone Examination SOPS
(y)    SIMLESS HANDSET Examination SOPS
(z)     Any other consideration SOPS
 
SUMMARY ONE
This essay discussion has been an exercise into possible implications arising from the conditions set out in a proposed theoretical question.
It may not be immediately obvious but prior to delving into examinations based upon ‘if’ or ‘if not’ scenarios establishing the seizure procedure and chain of custody are safe to rely on (at first instance) might be necessary? This might require checking
(#1) seizure and bagging
(#2) transport and quarantine
(#3) previous examinations
(#4) goods inwards to testing laboratory
Such an approach could be underpinned by establishing principles stated in the Laboratory’s SOPS and escalated for consideration to management prior to opening the evidence/exhibit bag and commencing any inspection and examination of the items inside.
This essay discussion is not complete because a second analysis and summary is required to deal with the potential implications of inserting the loose SIM card into the handset inside the evidence/exhibit bag. This is dealt with in Contaminated Evidence TWO which can be found here: http://trewmte.blogspot.co.uk/2017/04/contaminating-evidence-two.html