Saturday, March 30, 2013

(U)SIM Examination (Physical) Pt1

(U)SIM Examination (Physical) Pt1

We begin with GSM as this is the original starting place where examiners first learned about subscriber identity modules (SIM). There are many ways to learn about SIM: using a SIM reader tool is one way, receiving instruction during training that concentrates on the types of user and network data that can be harvested by examiners. An education and training process can equally include a training module or modules on the physical aspects of a card and identify, for the examiner, material parts of the SIM, the known routes to understanding electrical aspects, processing aspects, storage geometry and memory mapping, so on and so forth. The thinking here is analogous to the way in which there is an expectation that a computer examiner would understand HDD disc geometry, clusters and sectors, BIOS etc even before entering into the search and study of the 'content' that may be recorded on the disc. It is or should be the same for (U)SIM.

The SIM Card can be seen as a composition of at least three constituent parts:

- The physical card (the storage carrier).
- An integrated circuit card micro-processing chip (the operating system and content storage device).
- The subscriber identity module; an area of physical memory allocated at manufacturing for pre-market and post-market recording by the mobile network operator and SIM user.
 -  A fourth constituent part could be a Card with an etched antenna for RFID/NFC for use by (US)SIM (but this part is not included or discussed at this stage).
- etc

To enable test and inspection of these constituent parts GSM approved and adopted GSM11.17 to assist manufacturers, operators and service providers help formalise and uniform the test and inspection procedures rather than have a mish-mash of randomly selected tests for SIM cards submitted for use in GSM. The former is highly desirable as the goal of GSM has always be about interconnection-compatiblity and interconnection backward-compatibility. By way of illustration, a GSM SIM Card Phase 1 should still be able to be inserted into a GSM Phase 2+ mobile device and allow communications to take place, unless the operator or device manufacturer has declared and stated otherwise.

From an examiner's viewpoint we would desire to know how those three constituent parts translate to the work we do? Some examples are set out below

Physical Card
Due to the form factors used in GSM we can make assessment to determine the supply chain and manufacturer of the card itself. We look at the card to see if has been cut down for use and any attempts of anonymity by removal of the SIM Serial Number (SSN) compared to manufacture polarisation techniques. Later 3G/LTE USIM Cards have undergone some changes since GSM's inception; the latter will be dealt at a later date.

 Image courtesy of wikipedia -

ICC Chip
Manufacturer and technical specification are important to determine a range of potential evidence, including release into the marketplace and technological and electronic capability. Clearly the geometry and memory mapping are important. There are various techniques to deal with a card with a damaged chip. One example is called 'acid-etching' used to gain access to the physical chip itself by removal of the outer protective coverings used in the manufacturing process. 

  Image courtesy of wikipedia -

Physical Memory
Determining geometry and memory mapping forms part of the testing and inspection process set out in GSM1117. We can use these procedures to formulate a forensic analysis programme, similar to the way in which computer forensic examiners seek to determine specifically data discovered and recovered from a particular memory location on the HDD and define the data from its binary and encoded states and any formatting that may be applicable to the data. That being so, would it be out of the question in SIM examination terms for the EFBCCH file to be formatted as .bmp?  Below are a set of powerpoint slides I have prepared so that examiners can comprehend procedures approved and adopted for test and inspection for GSM SIM Cards. Later on when we 3G/LTE (U)SIM this GSM starting point assists formulate how to identify differences between the various (U)SIM/LTE cards but equally identify expansion of technology services and content so the examination limit or avoid omissions during the investigative/evidential process.      

No comments: