Wednesday, December 01, 2010

Tutorial Pt1 - Creating an Elementary File

Tutorial Pt1 - Creating an Elementary File

When examining ICC (SIM)/ UICC ((U)SIM) Cards data is commonly extracted and harvested from particular elemenary files (EFs) as specified in GSM11.11/3GPP 31.102. The particular EFs referred to are:

Transparent EF: an unformatted data field; containing a sequence of bytes that can be accessed individually or in variable length.
 Linear Fixed EF: Formatted data field with records that all have a constant length  

Cyclic EF:  Formated data field derived from a linear data field with constant length


From these EFs the data commonly acquired are identities and records such as IMSI, Phonebook, SMS, Location Information etc, to name but a few. The structure and type of content allocated to unformatted and formatted EFs  above, has remained fairly constant with ETSI, GSM and 3GPP standards.

Evidentially, of course, examiners are often focussed on merely obtaining the content of a particular EF with reliance placed entirely upon the SIM/USIM reading tool to process that objective. Due to limitation in applied attendance time (and whatever the causes might be for that) means the examiner rarely scratch the surface to comprehend the coding of the commands that are issued when selecting an EF etc (and the subject will be discussed in a later tutorial). However, prior to selecting an EF there is important information that needs to be known about how elementary files and their life cycles are created in the first place and their associated file templates. This tutorial therefore provides a brief looks at what is involved in creating an EF and some help hints for examiners relevant to forensics. 

Why would this be of interest to examiners? Without a created EF there would be no EF to select in the first plus thus ultimately no data to be extracted and harvested. Where examiners are dealing with illicit data couriers (the cybercrime paradigm, industrial espionage, terrorist data etc) these intelligent bandits are demonstrating that they are as competent to a degree that is can be said to be equal to or more advanced than examiners and naturally they to outwit and seek to hide information in elemetary files that avoids detection by standard evidence SIM/USIM reading tools.  So both these point represent reasons for examiners understanding how EFs are created and what can be revealed from knowing the templates and coding of the commands for that purpose.

It should be understood that technical advancements and technology evolution have not been without their impact on ICC/UICC and therefore when starting out it is important that examiners have awareness about the evolving standards that should be considered and effort that should be made to comprehend the instructions in them. The standard I have choosen for this tutorial is TS 102 222 Administrative Commands for telecommunication applications as this is the standard that defines creating EFs on ICC and for UICC, too.
Reference to ICC/UICC is intended to mean elementary files that are created etc on them and not the OS, physical or some logical aspects of ICC/UICC.  

To start with the two versions of the same standard for this discussion have been used and are identified below. I should point out there are over 26 different versions of this particular ETSI Standard.

TS 102 222 V3.0.0_60 May 2000 and TS 102 222 07.01.00_60 February 2007 

TS 102 222 V3.0.0_60 May 2000

 TS 102 222 07.01.00_60 February 2007

The first point to note is the inclusion of additional elements in the later version of the standard and the re-ordering of the template. This example will hopefully and immediately illustrate why SIM/USIM readers obtain different bits, nibbles and bytes in the hex string and content of SIMs/USIMs. Or said another way, the omission to extract and harvest data from SIMs/USIMs

The second point to be learned from the finding above should lead examiners to question: which adopted standard is the format of the EF recorded on the ICC/UICC under examination?  The only way you will know that is to identify the template to which the EF has been coded. Each brand name manufacturer has there own tools to obtain the coded template information but there are several application vendors out there that also produce third party software.

Prior to obtaining software examiners need to have some indication how template data can be illustratring for coding purposes, which shall be dealt with in the next tutorial.

No comments: