Announcement by the UK Ministry of Defence
Next week we will salute the "great and righteous cause" of the Allied troops on D-Day, 80 years on. Major commemorative events will be held on 5 and 6 June in Portsmouth and Normandy:
Sunday, June 02, 2024
Sunday, August 06, 2023
Practical Digital Forensics (Book 2023)
Practical Digital Forensics. Forensic Lab Setup, Evidence Analysis, and Structured Investigation Across Windows, Mobile, Browser, HDD, and Memory ISBN: 9789355511454
Table of Contents
1. Introduction to Digital Forensics
Introduction
Structure
Objectives
Defining digital forensics
Digital forensics goals
Defining cybercrime
Sources of cybercrime
Computers in cybercrimes
Digital forensics categories
Computer forensics
Mobile forensics
Network forensics
Database forensics
Forensic data analysis
Digital forensics users
Law enforcement
Civil ligation
Intelligence and counterintelligence
Digital forensics investigation types
Forensics readiness
Type of digital evidence
User-created data
Machine and network-created data
Locations of electronic evidence
Chain of custody
Examination process
Seizure
Acquisition
Analysis
Reporting
Conclusion
Multiple choice questions/questions
Learning Section
Answers
See in extra comments below
2. Essential Technical Concepts
Introduction
Structure
Objectives
Decimal (Base-10)
Binary
Hexadecimal (Base-16)
Hexadecimal (Base-64)
Character encoding schema
File carving
File structure
Digital file metadata
Timestamps decoder
Hash analysis
Calculate file hash
System memory
Types of computer memory storage
Primary storage
RAM
ROM
Secondary storage
Backup storage
HDD
Hard disk storage
SSD
DCO and HPA
Considerations for data recovery
File system
NTFS
FAT
Environment for computing
Cloud computing
Software as a service (SaaS)
Platform as a service (SaaS)
Infrastructure as a service (SaaS)
Windows versions
Internet protocol (IP) address
Getting an IP address
Conclusion
3. Hard Disks and File Systems
Introduction
Structure
Objectives
Hard disk and file systems
File systems
Hard disk
Hard disk forensics
Analyzing the registry files
Conclusion
4. Requirements for a Computer Forensics Lab
Introduction
Structure
Objectives
Digital Forensic Lab
Physical requirements
Environment controls
Digital forensic equipment
Forensic hardware
Office electrical equipment
Networked devices
Forensic workstation
Commercial digital forensic workstations
Forensic software applications
Commercial forensics tools
Open-source forensic tools
Linux distributions
Virtualization
Lab information management system (LIMS)
Lab policies and procedures
Documentation
Lab accreditation
Conclusion
5. Acquiring Digital Evidence
Introduction
Structure
Objectives
Raw format
Advanced forensic format
EnCase: Expert witness transfers
Other file formats
Validation of forensic imaging files
Live memory acquisition
Virtual memory: Swap space
Challenges acquiring RAM
Administration privilege
Live RAM capturer
Magnet RAM capture
FTK imager
Acquiring nonvolatile memory
Hard disk acquisition
Acquiring physical resources
Logical acquisition
Sparse acquisition
Capturing hard drives using FTK imager
Network acquisition
Limitations of a forensic tool
Conclusion
6. Analysis of Digital Evidence
Introduction
Structure
Objectives
Arsenal Image Mounter
OSFMount
Autopsy
Analyzing RAM forensic image
Memoryze
Redline
Volatility framework
Conclusion
7. Windows Forensic Analysis
Introduction
Structure
Timeline analysis tools
File recovery
Undeleting files
Recycle bin forensics
Data carving
Associated user account action
Windows registry analysis
Windows registry architecture
Acquiring windows registry
Registry examination
Windows registry program keys
USB device forensics
Most recently used list
Network analysis
Windows shutdown time
UserAssist forensics
Printer registry information
File format identification
Windows thumbnail forensics
Windows 10 forensics
Notification area database
Cortana forensics
Conclusion
8. Web Browser and E-mail Forensics
Introduction
Structure
Objectives
Web browser forensics
Google chrome browser forensics
Top sites and shortcuts
Login data
Web data
Bookmarks
Bookmarks.bak
Cache folder
Mozilla Firefox Browser Forensics
Microsoft Edge browser forensics
Other Web browser investigation tools
Conclusion
References
9. E-mail Forensics
Introduction
Structure
Objectives
E-mails around us
E-mail communication steps
E-mail protocols
Examine e-mail headers
Reveal header information
View Gmail headers
View Outlook mail header
View Mozilla Thunderbird headers
View Outlook mail client header
Analyzing e-mail headers
Determine the sender’s geolocation and time zone
Conclusion
10. Anti-Forensics Techniques and Report Writing
Introduction
Structure
Objectives
Anti-forensics techniques
Digital Steganography
Text Steganography
Image Steganography
Audio-video Steganography
Network Steganography
Metadata manipulation
Encryption techniques
Disk encryption using open-source tools
Anonymity techniques
Digital forensic reports
Conclusion
11. Hands-on Lab Practical
Introduction
Lab 1: FTK imager
Lab 2: Magnet RAM capture
Lab 3: Memory forensics
Lab 4: Malware analysis
Lab 5: data hiding—Steganography
Lab 6: Recovering deleted files
Lab 7: Finding key evidence
Lab 8: Analyzing the registry for evidence
Lab 9: Analyzing Windows pre-fetch files for evidence
Lab 10: Browser forensics
Lab 11: Extracting EXIF data from graphics files
Index
Sunday, July 02, 2023
Device Access Platforms Visual Representation
Device Access Platforms Visual Representation
Back in 2016 I commented briefly about "Exploration - missing the micro-evidence" (https://trewmte.blogspot.com/2016/03/exploration-missing-micro-evidence.html) from which I have copied the image and pasted below.
Please bear in mind that when considering the 3 linked posts (below) with the architecture displayed in the image, it provides a relevant platform for you to visually start attributing where directory and elementary files will be found having first obtained the standard 3GPP TS 31.102 V18.1.0 (2023-06) which is freely available.
USIM Expanded Directories and Files (https://trewmte.blogspot.com/2023/07/usim-expanded-directories-and-files.html)
USIM Expanded Capabilities Pt2 (https://trewmte.blogspot.com/2023/07/usim-expanded-capabilities-pt2.html)
USIM Expanded Capabilities Pt1 (https://trewmte.blogspot.com/2023/07/usim-expanded-capabilities-pt1.html)
Integrated embedded SIMs (eSIMs)
Integrated embedded SIMs (eSIMs)
As more and more devices and products are having eSIMS (embedded SIMs) integrated at the board and circuitry level keeping abreast of the latest specifications and standards are not always easy in a cloud and digital forensics or DFIR (Digital Forensics Incident Response) given we live in today's multi-tech society.
The Machine-to-Machine (M2M) documents below will at least provide for you a list of the current versions of M2M Specifications.
Architecture Specifications
SGP.01 M2M eSIM Architecture
SGP.01 V4.3 Embedded SIM Remote Provisioning Architecture
Current versions of M2M Technical Specifications
SGP.02 eSIM Technical Specifications
SGP.02 V4.3 eSIM Technical Specification
Current versions of M2M Test Specifications
SGP.11 eSIM Test Specifications
SGP.11 v4.2.1 GP Test Suite SGP.11 v4.2.1
Current versions of M2M Compliance Specifications
SGP.16 M2M eSIM Compliance
SGP.16 v1.4 eSIM Compliance Specification
Current versions of M2M Security Evaluation of Integrated eUICC
SGP.08 GSMA Security Evaluation of Integrated eUICC
SGP.08 V1.1 Security Evaluation of Integrated eUICC
SGP.08 V1.2 Security Evaluation of Integrated eUICC based on PP-0084
Current versions of M2M Security Evaluation of Integrated eUICC based on PP-0117
SGP.18 GSMA Security Evaluation of Integrated eUICC based on PP-0117
SGP.18 V1.0 Security Evaluation of Integrated eUICC Security Evaluation of Integrated eUICC based on PP-0117
Current versions of M2M GSMA eUICC Security Assurance Scheme
GSMA eUICC Security Assurance Specifications
SGP.06 V1.0 GSMA eUICC Security Assurance Principle
SGP.07 V1.0 GSMA eUICC Security Assurance Methodology
Current versions of M2M Protection Profile Specifications
SGP.05 M2M eSIM Protection Profile
SGP.05 V4.1 eSIM Protection Profile Specification
Current versions of M2M eUICC PKI Certificate Policy
SGP.14 eUICC PKI Certificate Policy V2.0
SGP.14 eUICC PKI Certificate Policy
USIM Expanded Directories and Files
3GPP TS 31.102 V18.1.0 (2023-06)
3rd Generation Partnership Project; Technical Specification Group Core Network and Terminals; Characteristics of the Universal Subscriber Identity Module (USIM) application (Release 18)
The expanded Directory Files (DFs) and Elementary Files (EFs) under the Master File (MF) take into account data and evidence that could be relevant to evidence in the areas of Mobile comms and content, IoT, WLAN, Satellite, Vehicle forensics, TV and so on.
Contents of the Files 24
Contents of the EFs at the MF level 24
Contents of files at the USIM ADF (Application DF) level 25
EFLI (Language Indication) 25
EFIMSI (IMSI) 25
EFKeys (Ciphering and Integrity Keys) 26
EFKeysPS (Ciphering and Integrity Keys for Packet Switched domain) 27
EFPLMNwAcT (User controlled PLMN selector with Access Technology) 27
EFHPPLMN (Higher Priority PLMN search period) 29
EFACMmax (ACM maximum value) 30
EFUST (USIM Service Table) 31
EFACM (Accumulated Call Meter) 35
EFGID1 (Group Identifier Level 1) 35
EFGID2 (Group Identifier Level 2) 36
EFSPN (Service Provider Name) 36
EFPUCT (Price per Unit and Currency Table) 37
EFCBMI (Cell Broadcast Message identifier selection) 38
EFACC (Access Control Class) 39
EFFPLMN (Forbidden PLMNs) 39
EFLOCI (Location Information) 40
EFAD (Administrative Data) 41
EFCBMID (Cell Broadcast Message Identifier for Data Download) 43
EFECC (Emergency Call Codes) 44
EFCBMIR (Cell Broadcast Message Identifier Range selection) 45
EFPSLOCI (Packet Switched location information) 45
EFFDN (Fixed Dialling Numbers) 47
EFSMS (Short messages) 47
EFMSISDN (MSISDN) 49
EFSMSP (Short message service parameters) 49
EFSMSS (SMS status) 51
EFSDN (Service Dialling Numbers) 51
EFEXT2 (Extension2) 52
EFEXT3 (Extension3) 52
EFSMSR (Short message status reports) 53
EFICI (Incoming Call Information) 53
EFOCI (Outgoing Call Information) 57
EFICT (Incoming Call Timer) 58
EFOCT (Outgoing Call Timer) 58
EFEXT5 (Extension5) 59
EFCCP2 (Capability Configuration Parameters 2) 59
EFeMLPP (enhanced Multi Level Precedence and Pre-emption) 60
EFAaeM (Automatic Answer for eMLPP Service) 61
EFHiddenkey (Key for hidden phone book entries) 62
EFBDN (Barred Dialling Numbers) 62
EFEXT4 (Extension4) 63
EFCMI (Comparison Method Information) 63
EFEST (Enabled Services Table) 64
EFACL (Access Point Name Control List) 64
EFDCK (Depersonalisation Control Keys) 65
EFCNL (Co-operative Network List) 65
EFSTART-HFN (Initialisation values for Hyperframe number) 67
EFTHRESHOLD (Maximum value of START) 67
EFOPLMNwACT (Operator controlled PLMN selector with Access Technology) 67
EFHPLMNwAcT (HPLMN selector with Access Technology) 68
EFARR (Access Rule Reference) 69
EFNETPAR (Network Parameters) 70
EFPNN (PLMN Network Name) 72
EFOPL (Operator PLMN List) 73
EFMBDN (Mailbox Dialling Numbers) 74
EFEXT6 (Extension6) 74
EFMBI (Mailbox Identifier) 75
EFMWIS (Message Waiting Indication Status) 75
EFCFIS (Call Forwarding Indication Status) 77
EFEXT7 (Extension7) 78
EFSPDI (Service Provider Display Information) 79
EFMMSN (MMS Notification) 79
EFEXT8 (Extension 8) 81
EFMMSICP (MMS Issuer Connectivity Parameters) 82
EFMMSUP (MMS User Preferences) 84
EFMMSUCP (MMS User Connectivity Parameters) 85
EFNIA (Network's Indication of Alerting) 85
EFVGCS (Voice Group Call Service) 86
EFVGCSS (Voice Group Call Service Status) 88
EFVBS (Voice Broadcast Service) 88
EFVBSS (Voice Broadcast Service Status) 90
EFVGCSCA (Voice Group Call Service Ciphering Algorithm) 91
EFVBSCA (Voice Broadcast Service Ciphering Algorithm) 92
EFGBABP (GBA Bootstrapping parameters) 92
EFMSK (MBMS Service Keys List) 93
EFMUK (MBMS User Key) 94
EFGBANL (GBA NAF List) 95
EFEHPLMN (Equivalent HPLMN) 96
EFEHPLMNPI (Equivalent HPLMN Presentation Indication) 96
EFLRPLMNSI (Last RPLMN Selection Indication) 97
EFNAFKCA (NAF Key Centre Address) 97
EFSPNI (Service Provider Name Icon) 98
EFPNNI (PLMN Network Name Icon) 99
EFNCP-IP (Network Connectivity Parameters for USIM IP connections) 99
EFEPSLOCI (EPS location information) 102
EFEPSNSC (EPS NAS Security Context) 105
EF UFC (USAT Facility Control) 106
EFNASCONFIG (Non Access Stratum Configuration) 107
EFUICCIARI (UICC IARI) 112
EFPWS (Public Warning System) 113
EFFDNURI (Fixed Dialling Numbers URI) 114
EFBDNURI (Barred Dialling Numbers URI) 114
EFSDNURI (Service Dialling Numbers URI) 115
EFIPS (IMEI(SV) Pairing Status) 117
EFIPD (IMEI(SV) of Pairing Device) 118
EFePDGId (Home ePDG Identifier) 119
EFePDGSelection (ePDG Selection Information) 120
EFePDGIdEm (Emergency ePDG Identifier) 122
EFePDGSelectionEm (ePDG Selection Information for Emergency Services) 122
EFFromPreferred (From Preferred) 122
EFIMSConfigData (IMS Configuration Data) 123
EFTVCONFIG (TV Configuration) 123
EF3GPPPSDATAOFF (3GPP PS Data Off) 125
EF3GPPPSDATAOFFservicelist (3GPP PS Data Off Service List) 126
EFXCAPConfigData (XCAP Configuration Data) 126
EFEARFCNList (EARFCN list for MTC/NB-IOT UEs) 127
EFMuDMiDConfigData (MuD and MiD Configuration Data) 128
EFOCST ("Operator controlled signal threshold per access technology") 128
DFs at the USIM ADF (Application DF) Level 130
Contents of DFs at the USIM ADF (Application DF) level 131
Contents of files at the DF SoLSA level 131
EFSAI (SoLSA Access Indicator) 131
EFSLL (SoLSA LSA List) 131
LSA Descriptor files 134
Contents of files at the DF PHONEBOOK level 135
EFPBR (Phone Book Reference file) 136
EFIAP (Index Administration Phone book) 138
EFADN (Abbreviated dialling numbers) 138
EFEXT1 (Extension1) 141
EFPBC (Phone Book Control) 143
EFGRP (Grouping file) 144
EFAAS (Additional number Alpha String) 144
EFGAS (Grouping information Alpha String) 145
EFANR (Additional Number) 145
EFSNE (Second Name Entry) 147
EFCCP1 (Capability Configuration Parameters 1) 148
Phone Book Synchronisation 148
EFUID (Unique Identifier) 148
EFPSC (Phone book Synchronisation Counter) 149
EFCC (Change Counter) 150
EFPUID (Previous Unique Identifier) 151
EFEMAIL (e-mail address) 151
Phonebook restrictions152
EFPURI (Phonebook URIs) 152
Contents of files at the DF GSM-ACCESS level (Files required for GSM Access) 153
EFKc (GSM Ciphering key Kc) 154
EFKcGPRS (GPRS Ciphering key KcGPRS) 154
EFCPBCCH (CPBCCH Information) 155
EFInvScan (Investigation Scan) 156
Contents of files at the MexE level 156
EFMexE-ST (MexE Service table) 157
EFORPK (Operator Root Public Key) 157
EFARPK (Administrator Root Public Key) 159
EFTPRPK (Third Party Root Public Key) 160
EFTKCDF (Trusted Key/Certificates Data Files) 160
Contents of files at the DF WLAN level 161
EFPseudo (Pseudonym) 161
EFUPLMNWLAN (User controlled PLMN selector for I-WLAN Access) 162
EFOPLMNWLAN (Operator controlled PLMN selector for I-WLAN Access) 162
EFUWSIDL (User controlled WLAN Specific Identifier List) 163
EFOWSIDL (Operator controlled WLAN Specific IdentifierList) 164
EFWRI (WLAN Reauthentication Identity) 164
EFHWSIDL (Home I-WLAN Specific Identifier List) 165
EFWEHPLMNPI (I-WLAN Equivalent HPLMN Presentation Indication) 166
EFWHPI (I-WLAN HPLMN Priority Indication) 166
EFWLRPLMN (I-WLAN Last Registered PLMN) 167
EFHPLMNDAI (HPLMN Direct Access Indicator) 167
Contents of files at the DF HNB level 168
EFACSGL (Allowed CSG Lists) 168
EFCSGT (CSG Type) 171
EFHNBN (Home NodeB Name) 173
EFOCSGL (Operator CSG Lists) 173
EFOCSGT (Operator CSG Type) 175
EFOHNBN (Operator Home NodeB Name) 176
Contents of files at the DF ProSe level 176
EFPROSE_MON (ProSe Monitoring Parameters) 176
EFPROSE_ANN (ProSe Announcing Parameters) 177
EFPROSEFUNC (HPLMN ProSe Function) 178
EFPROSE_RADIO_COM (ProSe Direct Communication Radio Parameters) 179
EFPROSE_RADIO_MON (ProSe Direct Discovery Monitoring Radio Parameters) 181
EFPROSE_RADIO_ANN (ProSe Direct Discovery Announcing Radio Parameters) 182
EFPROSE_POLICY (ProSe Policy Parameters) 183
EFPROSE_PLMN (ProSe PLMN Parameters) 185
EFPROSE_GC (ProSe Group Counter) 186
EFPST (ProSe Service Table) 188
EFPROSE_UIRC (ProSe UsageInformationReportingConfiguration) 188
EFPROSE_GM_DISCOVERY (ProSe Group Member Discovery Parameters) 192
EFPROSE_RELAY (ProSe Relay Parameters) 193
EFPROSE_RELAY_DISCOVERY (ProSe Relay Discovery Parameters) 194
Contents of files at the DF ACDC level 197
EFACDC_LIST (ACDC List) 197
EFACDC_OS_CONFIG (ACDC OS configuration) 198
Contents of files at the DF TV level 199
EFTVUSD (TV User Service Description) 199
Contents of files at the DF5GS level 200
EF5GS3GPPLOCI (5GS 3GPP location information) 201
EF5GSN3GPPLOCI (5GS non-3GPP location information) 202
EF5GS3GPPNSC (5GS 3GPP Access NAS Security Context) 203
EF5GSN3GPPNSC (5GS non-3GPP Access NAS Security Context) 206
EF5GAUTHKEYS (5G authentication keys) 206
EFUAC_AIC (UAC Access Identities Configuration) 208
EFSUCI_Calc_Info (Subscription Concealed Identifier Calculation Information EF) 209
EFOPL5G (5GS Operator PLMN List) 211
EFSUPI_NAI (SUPI as Network Access Identifier) 212
EFRouting_Indicator (Routing Indicator EF) 213
EFURSP (URSP) 214
EFTN3GPPSNN (Trusted non-3GPP Serving network names list) 215
EFCAG (Pre-configured CAG information list EF) 216
EFSOR-CMCI (Steering Of Roaming - Connected Mode Control Information) 217
EFDRI (Disaster roaming information EF) 218
EF5GSEDRX (5GS eDRX Parameters) 219
EF5GNSWO_CONF (5G Non-Seamless WLAN Offload configuration) 220
EFMCHPPLMN (Multiplier Coefficient for Higher Priority PLMN search) 221
EFKAUSF_DERIVATION (KAUSF derivation configuration) 222
Contents of files at the DF SNPN level 222
EFPWS_SNPN (Public Warning System in SNPNs) 222
EFNID (Network Identifier for SNPN) 223
Contents of files at the DF 5G ProSe level 224
EF5G_PROSE_ST (5G ProSe Service Table) 224
EF5G_PROSE_DD (5G ProSe configuration data for direct discovery) 224
EF5G_PROSE_DC (5G ProSe configuration data for direct communication) 228
EF5G_PROSE_U2NRU (5G ProSe configuration data for UE-to-network relay UE) 230
EF5G_PROSE_RU (5G ProSe configuration data for remote UE) 234
EF5G_PROSE_UIR (5G ProSe configuration data for usage information reporting) 237
Contents of files at the DF 5MBS UE pre-configuration level 239
EF5MBSUECONFIG (5MBS UE pre-configuration) 239
EF5MBSUSD (5MBS User Service Description) 242
Contents of Efs at the TELECOM level 242
EFADN (Abbreviated dialling numbers) 243
EFEXT1 (Extension1) 243
EFECCP (Extended Capability Configuration Parameter) 243
EFSUME (SetUpMenu Elements) 243
EFARR (Access Rule Reference) 243
EFICE_DN (In Case of Emergency – Dialling Number) 243
EFICE_FF (In Case of Emergency – Free Format) 244
EFRMA (Remote Management Actions) 245
EFPSISMSC (Public Service Identity of the SM-SC) 245
Contents of DFs at the TELECOM level 245
List of DFs at the TELECOM level 245
Contents of files at the DFGRAPHICS level 246
EFIMG (Image) 246
EFIIDF (Image Instance Data Files) 247
EFICE_graphics (In Case of Emergency – Graphics) 248
Contents of files at the DFPHONEBOOK under the DFTELECOM 249
Contents of files at the DFMULTIMEDIA level 249
EFMML (Multimedia Messages List) 249
EFMMDF (Multimedia Messages Data File) 251
Contents of files at the DFMCS level 252
EFMST (MCS Service Table) 252
EFMCS_ CONFIG (MCS configuration data) 253
Contents of files at the DFV2X level 254
V2X configuration data related files 254
EFVST (V2X Service Table) 254
EFV2X_CONFIG (V2X configuration data) 255
EFV2XP_PC5 (V2X data policy over PC5) 255
EFV2XP_Uu (V2X data policy over Uu) 257
USIM Expanded Capabilities Pt2
USIM Expanded Capabilities Pt2
3GPP TS 31.102 V18.1.0 (2023-06)
The following abbreviations apply. It is worth noting that with 5G whilst you may know what the acronym "PIN" stands for, do you know what "PINE" means (not appearing below)?
3GPP 3rd Generation Partnership Project
5GCN 5G Core Network
AC Access Condition
ACDC Application specific Congestion control for Data Communication
ACL APN Control List
ADF Application Dedicated File
AID Application Identifier
AK Anonymity key
ALW ALWays
AMF Authentication Management Field
AoC Advice of Charge
APN Access Point Name
ASME Access Security Management Entity
ASN.1 Abstract Syntax Notation One
AuC Authentication Centre
AUTN Authentication token
BDN Barred Dialling Number
BER-TLV Basic Encoding Rule - TLV
B-TID Bootstrapping Transaction Identifier
CAG Closed Access Group
CCP Capability Configuration Parameter
CK Cipher key
CLI Calling Line Identifier
CNL Co-operative Network List
CPBCCH COMPACT Packet BCCH
CS Circuit switched
DCK Depersonalisation Control Keys
DF Dedicated File
DO Data Object
EC-GSM-IoT Extended coverage in GSM for IoT
DUCK Discovery User Confidentiality Key
DUIK Discovery User Integrity Key
DUSK Discovery User Scrambling Key
eDRX Extended Discontinuous Reception
EARFCN Evolved Absolute Radio Frequency Channel Number
EF Elementary File
EPC Evolved Packet Core
ePDG Evolved Packet Data Gateway
EPS Evolved Packet System
FCP File Control Parameters
FFS For Further Study
FQDN Full Qualified Domain Name
GCI Global Cable Identifier
GLI Global Line Identifier
GSM Global System for Mobile communications
HE Home Environment
HNB Home NodeB
HeNB Home eNodeB
IARI IMS Application Reference Identifier
ICC Integrated Circuit Card
ICE In Case of Emergency
ICI Incoming Call Information
ICT Incoming Call Timer
ID Identifier
Idi Identity of the initiator
Idr Identity of the responder
IEI Information Element Identifier
IK Integrity key
IMSI International Mobile Subscriber Identity
IOPS Isolated E-UTRAN Operation for Public Safety
K USIM Individual key
KC Cryptographic key used by the cipher A5
KSI Key Set Identifier
LI Language Indication
LSA Localised Service Areas
LSB Least Significant Bit
MAC Message authentication code
MAC-A MAC used for authentication and key agreement
MAC-I MAC used for data integrity of signalling messages
MBMS Multimedia Broadcast/Multicast Service
MCC Mobile Country Code
MCData Mission Critical Data
MCPTT Mission Critical Push To Talk
MCS Mission Critical Services
MCVideo Mission Critical Video
MexE Mobile Execution Environment
MF Master File
MGV-F MTK Generation and Validation Function
MICO Mobile Initiated Connection Only
MiD Multi-iDentity
MIKEY Multimedia Internet KEYing
MINT Minimization of Service Interruption
MM Multimedia Message
MMI Man Machine Interface
MMS Multimedia Messaging Service
MMSS MultiMode System Selection
MNC Mobile Network Code
MODE Indication packet switched/circuit switched mode
MSB Most Significant Bit
MSK MBMS Service Key
MTC Machine Type Communications
MTK MBMS Traffic Key
MuD Multi-Device
MUK MBMS User Key
NAI Network Access Identifier
NB-IoT Narrowband IoT
NEV NEVer
ngKSI Key Set Identifier in 5G
NG-RAN Next Generation Radio Access Network
NID Network Identifier for SNPN
NPI Numbering Plan Identifier
NSI Network Specific Identifier
NSWO Non-Seamless WLAN Offload
OCI Outgoing Call Information
OCST Operator Contolled Signal Threshold per Access Technology
OCT Outgoing Call Timer
PBID Phonebook Identifier
PGK ProSe Group Key
PIN Personal Identification Number
PL Preferred Languages
PS Packet switched
PSDK Public Safety Discovery Key
PS_DO PIN Status Data Object
PSM Power Saving Mode
PTK ProSe Traffic Key
RAND Random challenge
RANDMS Random challenge stored in the USIM
RES User response
RFU Reserved for Future Use
RLOS Restricted Local Operator Services
RST Reset
SDN Service dialling number
SE Security Environment
SENSE Signal level Enhanced Network SElection
SEQp Sequence number for MGV-F stored in the USIM
SFI Short EF Identifier
SGSN Serving GPRS Support Node
SN Serving Network
SNPN Standalone Non-Public Network
SoLSA Support of Localised Service Areas
SOR-CMCI Steering of roaming connected mode control information
SQN Sequence number
SRES Signed RESponse calculated by a USIM
SUCI Subscription Concealed Identifier
SUPI Subscription Permanent Identifier
SW Status Word
TLV Tag Length Value
TMGI Temporary Mobile Group Identity
TV Television
UAC Unified Access Control
URSP UE Route Selection Policy
USAT USIM Application Toolkit
USD User Service Description
USIM Universal Subscriber Identity Module
V2X Vehicle-to-Everything
VLR Visitor Location Register
WLAN Wireless Local Area Network
WSID WLAN Specific Identifier
XRES Expected user RESponse
USIM Expanded Capabilities Pt1
3GPP TS 31.102 V18.1.0 (2023-06)
3rd Generation Partnership Project; Technical Specification Group Core Network and Terminals; Characteristics of the Universal Subscriber Identity Module (USIM) application (Release 18)Updating past topics published here. EF-UST (148)
-Services EFUST (USIM Service Table)
Contents: Service n°1: Local Phone Book
Service n°2: Fixed Dialling Numbers (FDN)
Service n°3: Extension 2
Service n°4: Service Dialling Numbers (SDN)
Service n°5: Extension3
Service n°6: Barred Dialling Numbers (BDN)
Service n°7: Extension4
Service n°8: Outgoing Call Information (OCI and OCT)
Service n°9: Incoming Call Information (ICI and ICT)
Service n°10: Short Message Storage (SMS)
Service n°11: Short Message Status Reports (SMSR)
Service n°12: Short Message Service Parameters (SMSP)
Service n°13: Advice of Charge (AoC)
Service n°14: Capability Configuration Parameters 2 (CCP2)
Service n°15: Cell Broadcast Message Identifier
Service n°16: Cell Broadcast Message Identifier Ranges
Service n°17: Group Identifier Level 1
Service n°18: Group Identifier Level 2
Service n°19: Service Provider Name
Service n°20: User controlled PLMN selector with Access Technology
Service n°21: MSISDN
Service n°22: Image (IMG)
Service n°23: Support of Localised Service Areas (SoLSA)
Service n°24: Enhanced Multi-Level Precedence and Pre-emption Service
Service n°25: Automatic Answer for eMLPP
Service n°26: RFU
Service n°27: GSM Access
Service n°28: Data download via SMS-PP
Service n°29: Data download via SMS-CB
Service n°30: Call Control by USIM
Service n°31: MO-SMS Control by USIM
Service n°32: RUN AT COMMAND command
Service n°33: shall be set to '1'
Service n°34: Enabled Services Table
Service n°35: APN Control List (ACL)
Service n°36: Depersonalisation Control Keys
Service n°37: Co-operative Network List
Service n°38: GSM security context
Service n°39: CPBCCH Information
Service n°40: Investigation Scan
Service n°41: MexE
Service n°42: Operator controlled PLMN selector with Access Technology
Service n°43: HPLMN selector with Access Technology
Service n°44: Extension 5
Service n°45: PLMN Network Name
Service n°46: Operator PLMN List
Service n°47: Mailbox Dialling Numbers
Service n°48: Message Waiting Indication Status
Service n°49: Call Forwarding Indication Status
Service n°50: Reserved and shall be ignored
Service n°51: Service Provider Display Information
Service n°52 Multimedia Messaging Service (MMS)
Service n°53 Extension 8
Service n°54 Call control on GPRS by USIM
Service n°55 MMS User Connectivity Parameters
Service n°56 Network's indication of alerting in the MS (NIA)
Service n°57 VGCS Group Identifier List (EFVGCS and EFVGCSS)
Service n°58 VBS Group Identifier List (EFVBS and EFVBSS)
Service n°59 Pseudonym
Service n°60 User Controlled PLMN selector for I-WLAN access
Service n°61 Operator Controlled PLMN selector for I-WLAN access
Service n°62 User controlled WSID list
Service n°63 Operator controlled WSID list
Service n°64 VGCS security
Service n°65 VBS security
Service n°66 WLAN Reauthentication Identity
Service n°67 Multimedia Messages Storage
Service n°68 Generic Bootstrapping Architecture (GBA)
Service n°69 MBMS security
Service n°70 Data download via USSD and USSD application mode
Service n°71 Equivalent HPLMN
Service n°72 Additional TERMINAL PROFILE after UICC activation
Service n°73 Equivalent HPLMN Presentation Indication
Service n°74 Last RPLMN Selection Indication
Service n°75 OMA BCAST Smart Card Profile
Service n°76 GBA-based Local Key Establishment Mechanism
Service n°77 Terminal Applications
Service n°78 Service Provider Name Icon
Service n°79 PLMN Network Name Icon
Service n°80 Connectivity Parameters for USIM IP connections
Service n°81 Home I-WLAN Specific Identifier List
Service n°82 I-WLAN Equivalent HPLMN Presentation Indication
Service n°83 I-WLAN HPLMN Priority Indication
Service n°84 I-WLAN Last Registered PLMN
Service n°85 EPS Mobility Management Information
Service n°86 Allowed CSG Lists and corresponding indications
Service n°87 Call control on EPS PDN connection by USIM
Service n°88 HPLMN Direct Access
Service n°89 eCall Data
Service n°90 Operator CSG Lists and corresponding indications
Service n°91 Support for SM-over-IP
Service n°92 Support of CSG Display Control
Service n°93 Communication Control for IMS by USIM
Service n°94 Extended Terminal Applications
Service n°95 Support of UICC access to IMS
Service n°96 Non-Access Stratum configuration by USIM
Service n°97 PWS configuration by USIM
Service n°98 RFU
Service n°99 URI support by UICC
Service n°100 Extended EARFCN support
Service n°101 ProSe
Service n°102 USAT Application Pairing
Service n°103 Media Type support
Service n°104 IMS call disconnection cause
Service n°105 URI support for MO SHORT MESSAGE CONTROL
Service n°106 ePDG configuration Information support
Service n°107 ePDG configuration Information configured
Service n°108 ACDC support
Service n°109 Mission Critical Services
Service n°110 ePDG configuration Information for Emergency Service support
Service n°111 ePDG configuration Information for Emergency Service configured
Service n°112 eCall Data over IMS
Service n°113 URI support for SMS-PP DOWNLOAD as defined in
Service n°114 From Preferred
Service n°115 IMS configuration data
Service n°116 TV configuration
Service n°117 3GPP PS Data Off
Service n°118 3GPP PS Data Off Service List
Service n°119 V2X
Service n°120 XCAP Configuration Data
Service n°121 EARFCN list for MTC/NB-IOT UEs
Service n°122 5GS Mobility Management Information
Service n°123 5G Security Parameters
Service n°124 Subscription identifier privacy support
Service n°125 SUCI calculation by the USIM
Service n°126 UAC Access Identities support
Service n°127 Control plane-based steering of UE in VPLMN
Service n°128 Call control on PDU Session by USIM
Service n°129 5GS Operator PLMN List
Service n°130 Support for SUPI of type NSI or GLI or GCI
Service n°131 3GPP PS Data Off separate Home and Roaming lists
Service n°132 Support for URSP by USIM
Service n°133 5G Security Parameters extended
Service n°134 MuD and MiD configuration data
Service n°135 Support for Trusted non-3GPP access networks by USIM
Service n°136 Support for multiple records of NAS security context storage for multiple registration
Service n°137 Pre-configured CAG information list
Service n°138 SOR-CMCI storage in USIM
Service n°139 5G ProSe
Service n°140 Storage of disaster roaming information in USIM
Service n°141 Pre-configured eDRX parameters
Service n°142 5G NSWO support
Service n°143 PWS configuration for SNPN in USIM
Service n°144 Multiplier Coefficient for Higher Priority PLMN search via NG-RAN satellite access
Service n°145 KAUSF derivation configuration
Service n°146 Network Identifier for SNPN (NID)
Service n°147 5MBS UE pre-configuration
Service n°148 UE configured for using "Operator controlled signal threshold per access technology
Sunday, January 24, 2021
Cyber: Cyber Security for Consumer Internet of Things (IoT)
Still olden but golden, when it comes to IoT Connected Devices
I have briefly touched upon IoT (Internet of Things) at my blog previously:
Fast moving wireless world
https://trewmte.blogspot.com/2014/10/fast-moving-wireless-world.html
The Internet of Things (IoT)
https://trewmte.blogspot.com/2016/03/the-internet-of-things-iot.html
The Rise of (IoT) Domestic Appliance Forensic Examiners
https://trewmte.blogspot.com/2016/03/the-rise-of-iot-domestic-appliance.html
Smart Phones with Smart Homes
https://trewmte.blogspot.com/2016/06/smart-phones-with-smart-homes.html
eSIM - Observing Possible Outcomes Part 1
https://trewmte.blogspot.com/2019/12/esim-observing-possible-outcomes-part-1.html
I am adding update reference materials available on IoT and Cyber, if you haven't seen this info or weren't aware, which you might find useful.
ETSI in February 2019 released the first globally applicable standard for consumer IoT security:
etsi-releases-first-globally-applicable-standard-for-consumer-iot-security?jjj=1611490283528
This publicised event introduced the ETSI Stand ts_103645v010101 (2019)
CYBER; Cyber Security for Consumer Internet of Things
In 2020 ETSI updated the standard ts_103645v020102 with enhanced baseline requirements:
CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements
The object of these standards is to improve security and privacy. A common default password for all products are to be scrubbed with a unique default password per device applied instead. Moreover, it should not be possible to enable the password set at default in the first place once user changed. Apparently, many IoT (consumer) products on the market may still not (even today) meet this password objectives or other more basic requirements that have been stated in this newly released standard.
Measures vendor companies should understake range from adopting simple installation and user guidance with good documentation in support; good hardware/software security engineering practice; for personal privacy the standard sets out protection objectives for all sensitive personal data required to be stored securely - that is both on devices, themselves, and in any related services e.g. in the cloud. Any personal data should be encrypted and should be protected against attack; and with clear instructions how consumers can easily delete their personal data.
Whilst this standard provides consumers with confidence in their IoT product, it equally has been designed to allow vendors companies sufficient flexibility to enable them to innovate and find the best solution for security and privacy for their particular IoT products. Password protection, encryption, and safe deletion are some solutions. Others could be block-off network ports; close-off software not being used; avoidance of exploited data (OOR) by adoption of a validation approach; secure-boot mechanisms (hardward-based); with ease and secure device software updates (e.g. use- menu selection or autonomic/automated (e.g. ZTP etc)). These are possible solutions.
I did like that ETSI had included specific demands about disclosure in this standard for vendor companies to identify, act upon and promptly report vulnerabilities.
However, from a cyber aspect, the ETSI Technical Committee on Cybersecurity (TC CYBER) has overseen and published over 50 cyber standards, some of which are referenced below:
ETSI TS 103 744 V1.1.1 (2020-12)Published
CYBER; Quantum-safe Hybrid Key Exchanges
ETSI TS 103 523-1 V1.1.1 (2020-12)Published
CYBER; Middlebox Security Protocol; Part 1: MSP Framework and Template Requirements
ETSI TS 103 718 V1.1.1 (2020-10)Published
CYBER; External encodings for the Advanced Encryption Standard
ETSI TR 103 644 V1.2.1 (2020-09)Published
CYBER; Observations from the SUCCESS project regarding smart meter security
ETSI TS 103 485 V1.1.1 (2020-08)Published
CYBER; Mechanisms for privacy assurance and verification
ETSI TR 103 619 V1.1.1 (2020-07)Published
CYBER; Migration strategies and recommendations to Quantum Safe schemes
ETSI EN 303 645 V2.1.1 (2020-06)Published
CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements
ETSI TS 103 645 V2.1.2 (2020-06)Published
CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements
ETSI TR 103 306 V1.4.1 (2020-03)Published
CYBER; Global Cyber Security Ecosystem
ETSI TR 103 644 V1.1.1 (2019-12)Published
CYBER; Increasing smart meter security
ETSI TR 103 618 V1.1.1 (2019-12)Published
CYBER; Quantum-Safe Identity-Based Encryption
ETSI TR 103 331 V1.2.1 (2019-09)Published
CYBER; Structured threat information sharing
ETSI TS 103 523-3 V1.3.1 (2019-08)Published
CYBER; Middlebox Security Protocol; Part 3: Enterprise Transport Security
ETSI TS 103 523-3 V1.2.1 (2019-03)Published
CYBER; Middlebox Security Protocol; Part 3: Enterprise Transport Security
ETSI TS 103 645 V1.1.1 (2019-02)Published
CYBER; Cyber Security for Consumer Internet of Things
ETSI TR 103 370 V1.1.1 (2019-01)Published
CYBER; Practical introductory guide to Technical Standards for Privacy
ETSI TS 103 457 V1.1.1 (2018-10)Published
CYBER; Trusted Cross-Domain Interface: Interface to offload sensitive functions to a trusted domain
ETSI TR 103 642 V1.1.1 (2018-10)Published
CYBER; Security techniques for protecting software in a white box model
ETSI TS 103 523-3 V1.1.1 (2018-10)Published
CYBER; Middlebox Security Protocol; Part 3: Profile for enterprise network and data centre access control
ETSI TR 103 617 V1.1.1 (2018-09)Published
CYBER; Quantum-Safe Virtual Private Networks
ETSI TR 103 305-1 V3.1.1 (2018-09)Published
CYBER; Critical Security Controls for Effective Cyber Defence; Part 1: The Critical Security Controls
ETSI TR 103 305-2 V2.1.1 (2018-09)Published
CYBER; Critical Security Controls for Effective Cyber Defence; Part 2: Measurement and auditing
ETSI TR 103 305-3 V2.1.1 (2018-09)Published
CYBER; Critical Security Controls for Effective Cyber Defence; Part 3: Service Sector Implementations
ETSI TR 103 305-5 V1.1.1 (2018-09)Published
CYBER; Critical Security Controls for Effective Cyber Defence; Part 5: Privacy enhancement
ETSI TR 103 305-4 V2.1.1 (2018-09)Published
CYBER; Critical Security Controls for Effective Cyber Defence; Part 4: Facilitation Mechanisms
ETSI TR 103 306 V1.3.1 (2018-08)Published
CYBER; Global Cyber Security Ecosystem
ETSI TS 103 458 V1.1.1 (2018-06)Published
CYBER; Application of Attribute Based Encryption (ABE) for PII and personal data protection on IoT devices, WLAN, cloud and mobile services - High level requirements
ETSI TS 103 307 V1.3.1 (2018-04)Published
CYBER; Security Aspects for LI and RD Interfaces
ETSI TS 103 532 V1.1.1 (2018-03)Published
CYBER; Attribute Based Encryption for Attribute Based Access Control
ETSI TR 103 456 V1.1.1 (2017-10)Published
CYBER; Implementation of the Network and Information Security (NIS) Directive
ETSI TS 102 165-1 V5.2.3 (2017-10)Published
CYBER; Methods and protocols; Part 1: Method and pro forma for Threat, Vulnerability, Risk Analysis (TVRA)
ETSI TR 103 570 V1.1.1 (2017-10)Published
CYBER; Quantum-Safe Key Exchanges
ETSI TR 103 421 V1.1.1 (2017-04)Published
CYBER; Network Gateway Cyber Defence
ETSI TR 103 306 V1.2.1 (2017-03)Published
CYBER; Global Cyber Security Ecosystem
ETSI TS 103 307 V1.2.1 (2016-10)Published
CYBER; Security Aspects for LI and RD Interfaces
ETSI TR 103 305-2 V1.1.1 (2016-08)Published
CYBER; Critical Security Controls for Effective Cyber Defence; Part 2: Measurement and auditing
ETSI TR 103 305-3 V1.1.1 (2016-08)Published
CYBER; Critical Security Controls for Effective Cyber Defence; Part 3: Service Sector Implementations
ETSI TR 103 305-4 V1.1.1 (2016-08)Published
CYBER; Critical Security Controls for Effective Cyber Defence; Part 4: Facilitation Mechanisms
ETSI TR 103 305-1 V2.1.1 (2016-08)Published
CYBER; Critical Security Controls for Effective Cyber Defence; Part 1: The Critical Security Controls
ETSI TR 103 331 V1.1.1 (2016-08)Published
CYBER; Structured threat information sharing
ETSI TR 103 304 V1.1.1 (2016-07)Published
CYBER; Personally Identifiable Information (PII) Protection in mobile and cloud services
ETSI TR 103 369 V1.1.1 (2016-07)Published
CYBER; Design requirements ecosystem
ETSI EG 203 310 V1.1.1 (2016-06)Published
CYBER; Quantum Computing Impact on security of ICT Systems; Recommendations on Business Continuity and Algorithm Selection
ETSI TS 103 307 V1.1.1 (2016-04)Published
CYBER; Security Aspects for LI and RD Interfaces
ETSI TR 103 303 V1.1.1 (2016-04)Published
CYBER; Protection measures for ICT in the context of Critical Infrastructure
ETSI TS 103 487 V1.1.1 (2016-04)Published
CYBER; Baseline security requirements regarding sensitive functions for NFV and related platforms
ETSI TR 103 308 V1.1.1 (2016-01)Published
CYBER; Security baseline regarding LI and RD for NFV and related platforms
ETSI TR 103 306 V1.1.1 (2015-11)Published
CYBER; Global Cyber Security Ecosystem
ETSI TR 103 309 V1.1.1 (2015-08)Published
CYBER; Secure by Default - platform security technology
ETSI TR 103 305 V1.1.1 (2015-05)Published
CYBER; Critical Security Controls for Effective Cyber Defence
Friday, January 01, 2021
CSA Location Determination Investigations - The continuing mission
Recalling that I have posted here at trewmte.blogspot and cellsiteanalysis.blospot over the years was to assist interpretation of data and testing for cell site anslysis and elements that can be used when conducting investigations, I have posted below a few of the weblinks to help this discussion along.
https://trewmte.blogspot.com/2014/07/csa-site-survey-method3mobility-models.html
http://trewmte.blogspot.com/2009/08/cell-site-analysis-csa-images-part-2.html
http://trewmte.blogspot.com/2008/11/mobile-phones-and-fringe-coverage.html
http://cellsiteanalysis.blogspot.com/
https://www.dropbox.com/s/g912o5dji9wkxfk/3G%20Networks%20position%20techniques.pdf
It is noteworthy the ITU in 2017 published a series of documents regarding call details record (CDR) and specified network data that could be captured in CDRs to assist a wide range of tasks to comprehend mobile phone movement caused by migration to determining trip travel and destination. These studies were conduct in Liberia, Sierra Leone and Republic of Guinea:
Liberia CDR reallocation D012A0000C93301PDFE.pdf
CDR Sierra Leone D012A0000CA3301PDFE.pdf
CDR Republic of Guinea D012A0000D03301PDFE.pdf
The reports identify how to obtain, collate, display overlay geodata/mapping and interpolation of the format specification that I rather think is highly useful to CSA investigations. The ITU source highlights CDRs capturing association with PoI, Trip Segmentation, Trajectory and Stay Points etc. I am simplifying in my summary what is undoubtedly more detailed discussion in these reports to show that 'time' and ‘location’ will be highly relevant.
CSA has not been without the knowledge regarding peak-time call traffic, density of call traffic, tracking etc and these are used in call analysis and CSA. In these reports though the defining stay points captured in the call records add useful evidence such as travel, location, co-location (if relevant), association (if relevant), landmarks, so on and so forth.
Consideration of trip segmentation in the report states ""Trip segmentation: Extract stay points from anonymized CDR data, and divide move/stay segments. Figure 7.4 explains how stay points are extracted by applying parameters and thresholds to CDR data." In this regard the threshold parameters for stay points are specified as 'Minimum Time Duration 15 Minutes' and 'Maximum Distance 300 Meter'. To assist further here is a useful image with data from the ITU Liberia report:
To extrapolate such detail require Trip segmentation, Stay point reallocation, Route interpolation, Grid-based aggregation and Visualization and so on. To dig into the detail to assist interpretation:
"Stay point reallocation: Reallocate stay points (Trip OD) to surrounding points of interest (POIs) with a certain probability and fil gap between stay/move segments. POIs are regarded as surrounding a certain cell tower if they are closer to the cell tower location than to the others (Voronoi tessellation). The reallocation is necessary because CDR location data is based on cell tower location, which means that all users in the same area have the same location. Reallocation can make the distributing of people more realistic or likely because POIs can be considered places where people are likely to stay or visit, such as shopping areas, residential houses, villages, and to which people are reassigned rather than concentrating on cell tower locations. A new dataset of POIs was constructed for this process by collecting data from the distribution of buildings from open access Internet data (see Appendix 2). Figure 7.5 shows how POIs are distributed in a city. Areas in blue indicate building POIs with extracted stay points, where location information originally based on antenna location, are reallocated."
Lastly, the reports published in 2017 discussed relevance to 2G, 3G and 4G.
Subscribe to:
Posts (Atom)