“What would you do if presented with an exhibit bag containing a mobile phone (which cannot be fully accessed without a SIM Card) and a SIM Card (which was not inserted and may/may not be associated with the device) separately and what could the effects be if the SIM Card was inserted into the mobile phone?”
The question asks “what could the effects be...?” The following discussion will try to capture some points that readers may find useful. It is not an exhaustive list but is intended to illustrate what may happen.
Removing the SIM card and handset from the evidence and exhibit bag, the examiner, following anti-static procedures, should normally inspect the SIM card first for any signs of damage.
In this case, the photo shows visible damage to the outer SIM contact pads; as a consequence this could mean damage to internal components and connections. It is not unknown for suspects to try to damage their cards with external power sources to make access to SIM memory impossible.
Inserting a faulty SIM card into a handset may have an adverse effect on the handset’s SIM controller circuit, in particular the sensitive EMI filter. If the handset reacts badly to the inserted SIM card, it could be that the exhibit SIM card caused contamination damage by making the EMI filter break down, preventing the handset from reading this and any other SIM card until repaired.
This is a good example of a case where photographic records and contemporaneous note taking are very important. The decision not to use this damaged SIM card with the exhibit handset at all would be wise. The SIM card would need to be tested to see whether any data can be recovered from it using an external SIM reader and its software. There may be a chance to create a clone test card from it.
The examiner should be following the correct laboratory SOPs, which may direct him/her to make a clone test card from the exhibit SIM card. This clone test card ‘might be used’, subject to approval from the investigating officer, in the exhibit handset. This applies in cases where extracting and harvesting data into an image file (e.g. a .bin or raw file) following removal of the memory chip, or via the JTAG points on the handset’s printed circuit board (PCB), are not options available to the examiner.
As mentioned in Contaminating Evidence ONE, feedback received from queries raised by the Lab Manager to the client regarding seizure procedure, chain of custody and any other examination/s should confirm one way or the other whether there is any connection between the handset and the SIM card. If there is, and subject to authorisation, the examiner might use the cloned test card in the handset.
Alternatively, should the examiner for whatever reason insert the exhibit SIM card into the exhibit handset, this action requires an understanding of the following:
(i) the handset’s processes and procedures during power off;
(ii) the inserted SIM card’s processes and procedures during handset power down;
(iii) the events happening at power on for both the handset and the SIM card.
Depending on the make/model of handset and its profiling and initialising processes, power on can potentially affect data held on the SIM card and data held in the internal memory of the handset.
SIM cards follow a fairly precise boot-up procedure until the SIM Toolkit stack initialises; then, depending upon the make/model of handset, dynamic changes can occur to services that are allocated but not activated in EF_SST. If the SIM card has not previously been associated with the handset, exchanges that change data take place between the SIM card and the handset. These are by no means the only potential data changes that can occur on SIM cards, and analysis should be considered for the following:
(iv) EF_HPLMN (HPLMN search period; check the timer for updates)
(v) EF_LOCI (Location Information)
(vi) EF_BCCH (Broadcast Control Channel)
(vii) EF_Kc (GSM Ciphering key Kc)
(viii) EF_KcGPRS (GPRS Ciphering key KcGPRS)
(ix) Check DF_ProSe
(x) EF_CPBCCH (CPBCCH Information)
(xi) EF_PSLOCI (Packet Switched location information)
(xii) EF_NETPAR (Network Parameters)
(xiii) EF_OPLMNwACT (Operator controlled PLMN selector with Access Technology)
(xiv) Proactive SIM
(xv) EF_SST (SIM Service Table)
(xvi) and so on.
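The practical way to check the files above for power-on changes is to read them with an external SIM reader before and after, hash each one into the contemporaneous notes, and decode whatever differs. The script below is an added example written for this post, not the author’s own tooling: the byte strings are constructed for illustration (invented TMSI, LAI and service bits, not taken from any real card), and the field layouts for EF_LOCI, EF_SST and EF_HPLMN are those in 3GPP TS 51.011. Reading the files off the card is assumed to have been done already with a reader of the examiner’s choice.

```python
"""Added example (not the original post's code): compare two captures of the
SIM elementary files (EFs) listed above and decode the ones most likely to
change when a card is powered up in a handset.  All byte strings are
constructed for illustration; field layouts follow 3GPP TS 51.011."""
import hashlib

# Constructed dumps, as an examiner might record them with an external SIM
# reader BEFORE and AFTER the card has been inside a powered-on handset.
BEFORE = {
    "EF_HPLMN": bytes.fromhex("0A"),                    # search period, 6-minute units
    "EF_LOCI": bytes.fromhex("12345678" "32F4511A2B" "FF" "00"),
    "EF_KC": bytes.fromhex("0011223344556677" "02"),    # Kc (8 bytes) + CKSN
    "EF_SST": bytes.fromhex("DF"),                      # services 1-4
}
AFTER = dict(BEFORE)
# TMSI cleared and status set to 'not updated' (no network in the chamber)
AFTER["EF_LOCI"] = bytes.fromhex("FFFFFFFF" "32F4511A2B" "FF" "01")
AFTER["EF_SST"] = bytes.fromhex("FF")                   # service 3 now activated


def ef_hashes(dump):
    """SHA-256 per EF, the value to write into the contemporaneous notes."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in dump.items()}


def diff_dumps(before, after):
    """Return the EFs whose raw content differs between two captures."""
    changed = {}
    for name in sorted(set(before) | set(after)):
        b, a = before.get(name), after.get(name)
        if b != a:
            changed[name] = {"before": b.hex() if b else None,
                             "after": a.hex() if a else None}
    return changed


def decode_plmn(three):
    """MCC/MNC from the 3-byte BCD coding used in EF_LOCI (low nibble first;
    an 'F' in the MNC digit-3 position means a 2-digit MNC)."""
    nib = [(b & 0x0F, b >> 4) for b in three]
    mcc = f"{nib[0][0]}{nib[0][1]}{nib[1][0]}"
    mnc = f"{nib[2][0]}{nib[2][1]}" + ("" if nib[1][1] == 0xF else str(nib[1][1]))
    return mcc, mnc


LOCATION_UPDATE_STATUS = {0: "updated", 1: "not updated",
                          2: "PLMN not allowed", 3: "location area not allowed"}


def decode_loci(data):
    """EF_LOCI (11 bytes): TMSI(4) | LAI(5 = MCC/MNC(3) + LAC(2)) | TMSI TIME(1) | status(1)."""
    if len(data) != 11:
        raise ValueError("EF_LOCI must be 11 bytes")
    mcc, mnc = decode_plmn(data[4:7])
    return {"tmsi": data[0:4].hex(), "mcc": mcc, "mnc": mnc,
            "lac": data[7:9].hex(),
            "status": LOCATION_UPDATE_STATUS.get(data[10] & 0x07, "reserved")}


def decode_sst(data):
    """EF_SST: two bits per service, b1 = allocated, b2 = activated
    (service 1 = CHV1 disable, 2 = ADN, 3 = FDN, 4 = SMS storage, ...).
    Returns {service_number: (allocated, activated)}."""
    services = {}
    for i, byte in enumerate(data):
        for k in range(4):
            services[i * 4 + k + 1] = (bool(byte >> (2 * k) & 1),
                                       bool(byte >> (2 * k + 1) & 1))
    return services


def allocated_not_activated(data):
    """Services a handset may switch on itself: the EF_SST change the post describes."""
    return sorted(n for n, (alloc, act) in decode_sst(data).items() if alloc and not act)


def hplmn_search_minutes(data):
    """EF_HPLMN: HPLMN search period in 6-minute units (0 = no search)."""
    return data[0] * 6


if __name__ == "__main__":
    for name, change in diff_dumps(BEFORE, AFTER).items():
        print(f"{name} changed: {change['before']} -> {change['after']}")
    print("EF_LOCI before:", decode_loci(BEFORE["EF_LOCI"]))
    print("EF_LOCI after: ", decode_loci(AFTER["EF_LOCI"]))
    print("allocated-but-not-activated before:", allocated_not_activated(BEFORE["EF_SST"]))
```

Run against the constructed dumps, the diff reports EF_LOCI (TMSI wiped, location update status flipped to “not updated”) and EF_SST (service 3 went from allocated to activated) while EF_Kc and EF_HPLMN are unchanged; the same comparison against real before/after reads is what turns “the handset may have changed something” into an itemised, hash-backed list for the notes.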
Also of interest is what happens to handset data due to internal functions. For instance, inserting a SIM card that has not previously been used with the handset can block access to phonebooks, messages and so on due to internal security policies. Moreover, when powering on a handset the examiner has no idea whether the handset user has set an ‘auto-delete’ policy for messages, which may be triggered.
There is also some debate about what happens to data where a handset is switched ON within a radio-damping field or chamber to prevent connection to the network. The idea that all radio context details are lost on power down may be driven by security requirements, but what is retained in the handset is largely left to the handset manufacturers. Of interest, some UEs keep NAS (mobility management) information, e.g. the old security context, GUTI, IMSI and timer values, stored to allow a quick re-attach to the network instead of reading the stored data back from the SIM card. This may also occur where the user selects Flight Mode and suspends all radio activity, again depending upon the make/model of handset. When a SIM card not previously used in the handset is inserted, the handset’s initialisation procedure will read the data from the EF_NETPAR file and record it in temporary memory. That information was not there previously; that may be considered contamination.
SUMMARY TWO
Because so much activity invisible to the examiner takes place when a handset is switched ON with a SIM card inserted, the examiner is required (under strict laboratory SOPs) to follow the SOP procedures and NOT to insert the exhibit SIM card into the exhibit handset on the basis of subjective guesswork.