Practical Digital Forensics (Book 2023)

Practical Digital Forensics. Forensic Lab Setup, Evidence Analysis, and Structured Investigation Across Windows, Mobile, Browser, HDD, and Memory ISBN: 9789355511454

Table of Contents

1. Introduction to Digital Forensics

Introduction

Structure

Objectives

Defining digital forensics

Digital forensics goals

Defining cybercrime

Sources of cybercrime

Computers in cybercrimes

Digital forensics categories

Computer forensics

Mobile forensics

Network forensics

Database forensics

Forensic data analysis

Digital forensics users

Law enforcement

Civil ligation

Intelligence and counterintelligence

Digital forensics investigation types

Forensics readiness

Type of digital evidence

User-created data

Machine and network-created data

Locations of electronic evidence

Chain of custody

Examination process

Seizure

Acquisition

Analysis

Reporting

Conclusion

Multiple choice questions/questions

Learning Section

Answers

See in extra comments below

2. Essential Technical Concepts

Introduction

Structure

Objectives

Decimal (Base-10)

Binary

Hexadecimal (Base-16)

Hexadecimal (Base-64)

Character encoding schema

File carving

File structure

Digital file metadata

Timestamps decoder

Hash analysis

Calculate file hash

System memory

Types of computer memory storage

Primary storage

RAM

ROM

Secondary storage

Backup storage

HDD

Hard disk storage

SSD

DCO and HPA

Considerations for data recovery

File system

NTFS

FAT

Environment for computing

Cloud computing

Software as a service (SaaS)

Platform as a service (SaaS)

Infrastructure as a service (SaaS)

Windows versions

Internet protocol (IP) address

Getting an IP address

Conclusion

3. Hard Disks and File Systems

Introduction

Structure

Objectives

Hard disk and file systems

File systems

Hard disk

Hard disk forensics

Analyzing the registry files

Conclusion

4. Requirements for a Computer Forensics Lab

Introduction

Structure

Objectives

Digital Forensic Lab

Physical requirements

Environment controls

Digital forensic equipment

Forensic hardware

Office electrical equipment

Networked devices

Forensic workstation

Commercial digital forensic workstations

Forensic software applications

Commercial forensics tools

Open-source forensic tools

Linux distributions

Virtualization

Lab information management system (LIMS)

Lab policies and procedures

Documentation

Lab accreditation

Conclusion

5. Acquiring Digital Evidence

Introduction

Structure

Objectives

Raw format

Advanced forensic format

EnCase: Expert witness transfers

Other file formats

Validation of forensic imaging files

Live memory acquisition

Virtual memory: Swap space

Challenges acquiring RAM

Administration privilege

Live RAM capturer

Magnet RAM capture

FTK imager

Acquiring nonvolatile memory

Hard disk acquisition

Acquiring physical resources

Logical acquisition

Sparse acquisition

Capturing hard drives using FTK imager

Network acquisition

Limitations of a forensic tool

Conclusion

6. Analysis of Digital Evidence

Introduction

Structure

Objectives

Arsenal Image Mounter

OSFMount

Autopsy

Analyzing RAM forensic image

Memoryze

Redline

Volatility framework

Conclusion

7. Windows Forensic Analysis

Introduction

Structure

Timeline analysis tools

File recovery

Undeleting files

Recycle bin forensics

Data carving

Associated user account action

Windows registry analysis

Windows registry architecture

Acquiring windows registry

Registry examination

Windows registry program keys

USB device forensics

Most recently used list

Network analysis

Windows shutdown time

UserAssist forensics

Printer registry information

File format identification

Windows thumbnail forensics

Windows 10 forensics

Notification area database

Cortana forensics

Conclusion

8. Web Browser and E-mail Forensics

Introduction

Structure

Objectives

Web browser forensics

Google chrome browser forensics

Top sites and shortcuts

Login data

Web data

Bookmarks

Bookmarks.bak

Cache folder

Mozilla Firefox Browser Forensics

Microsoft Edge browser forensics

Other Web browser investigation tools

Conclusion

References

9. E-mail Forensics

Introduction

Structure

Objectives

E-mails around us

E-mail communication steps

E-mail protocols

Examine e-mail headers

Reveal header information

View Gmail headers

View Outlook mail header

View Mozilla Thunderbird headers

View Outlook mail client header

Analyzing e-mail headers

Determine the sender’s geolocation and time zone

Conclusion

10. Anti-Forensics Techniques and Report Writing

Introduction

Structure

Objectives

Anti-forensics techniques

Digital Steganography

Text Steganography

Image Steganography

Audio-video Steganography

Network Steganography

Metadata manipulation

Encryption techniques

Disk encryption using open-source tools

Anonymity techniques

Digital forensic reports

Conclusion

11. Hands-on Lab Practical

Introduction

Lab 1: FTK imager

Lab 2: Magnet RAM capture

Lab 3: Memory forensics

Lab 4: Malware analysis

Lab 5: data hiding—Steganography

Lab 6: Recovering deleted files

Lab 7: Finding key evidence

Lab 8: Analyzing the registry for evidence

Lab 9: Analyzing Windows pre-fetch files for evidence

Lab 10: Browser forensics

Lab 11: Extracting EXIF data from graphics files

Index

Device Access Platforms Visual Representation

Device Access Platforms Visual Representation

Back in 2016 I commented briefly about "Exploration - missing the micro-evidence" (https://trewmte.blogspot.com/2016/03/exploration-missing-micro-evidence.html) from which I have copied the image and pasted below.

Please bear in mind that when considering the 3 linked posts (below) with the architecture displayed in the image, it provides a relevant platform for you to visually start attributing where directory and elementary files will be found having first obtained the standard 3GPP TS 31.102 V18.1.0 (2023-06) which is freely available. 

USIM Expanded Directories and Files (https://trewmte.blogspot.com/2023/07/usim-expanded-directories-and-files.html)

USIM Expanded Capabilities Pt2 (https://trewmte.blogspot.com/2023/07/usim-expanded-capabilities-pt2.html)

USIM Expanded Capabilities Pt1 (https://trewmte.blogspot.com/2023/07/usim-expanded-capabilities-pt1.html)

Integrated embedded SIMs (eSIMs)

Integrated embedded SIMs (eSIMs)

As more and more devices and products are having eSIMS (embedded SIMs) integrated at the board and circuitry level keeping abreast of the latest specifications and standards are not always easy in a cloud and digital forensics or DFIR (Digital Forensics Incident Response) given we live in today's multi-tech society. 

The Machine-to-Machine (M2M) documents below will at least provide for you a list of the current versions of M2M Specifications.

Architecture Specifications

SGP.01 M2M eSIM Architecture

SGP.01 V4.3 Embedded SIM Remote Provisioning Architecture

Current versions of M2M Technical Specifications

SGP.02 eSIM Technical Specifications

SGP.02 V4.3 eSIM Technical Specification

Current versions of M2M Test Specifications

SGP.11 eSIM Test Specifications

SGP.11 v4.2.1  GP Test Suite SGP.11 v4.2.1

Current versions of M2M Compliance Specifications

SGP.16 M2M eSIM Compliance

SGP.16 v1.4 eSIM Compliance Specification

Current versions of M2M Security Evaluation of Integrated eUICC

SGP.08 GSMA Security Evaluation of Integrated eUICC

SGP.08 V1.1 Security Evaluation of Integrated eUICC

SGP.08 V1.2 Security Evaluation of Integrated eUICC based on PP-0084

Current versions of M2M Security Evaluation of Integrated eUICC based on PP-0117

SGP.18 GSMA Security Evaluation of Integrated eUICC based on PP-0117

SGP.18 V1.0 Security Evaluation of Integrated eUICC  Security Evaluation of Integrated eUICC based on PP-0117

Current versions of M2M GSMA eUICC Security Assurance Scheme

GSMA eUICC Security Assurance Specifications

SGP.06 V1.0 GSMA eUICC Security Assurance Principle

SGP.07 V1.0 GSMA eUICC Security Assurance Methodology

Current versions of M2M Protection Profile Specifications

SGP.05 M2M eSIM Protection Profile

SGP.05 V4.1 eSIM Protection Profile Specification

Current versions of M2M eUICC PKI Certificate Policy

SGP.14 eUICC PKI Certificate Policy V2.0

SGP.14 eUICC PKI Certificate Policy

USIM Expanded Directories and Files

 3GPP TS 31.102 V18.1.0 (2023-06)

3rd Generation Partnership Project; Technical Specification Group Core Network and Terminals; Characteristics of the Universal Subscriber Identity Module (USIM) application (Release 18)

The expanded Directory Files (DFs) and Elementary Files (EFs) under the Master File (MF) take into account data and evidence that could be relevant to evidence in the areas of Mobile comms and content, IoT, WLAN, Satellite, Vehicle forensics, TV and so on.

Contents of the Files 24

Contents of the EFs at the MF level 24

Contents of files at the USIM ADF (Application DF) level 25

EFLI (Language Indication) 25

EFIMSI (IMSI) 25

EFKeys (Ciphering and Integrity Keys) 26

EFKeysPS (Ciphering and Integrity Keys for Packet Switched domain) 27

EFPLMNwAcT (User controlled PLMN selector with Access Technology) 27

EFHPPLMN (Higher Priority PLMN search period) 29

EFACMmax (ACM maximum value) 30

EFUST (USIM Service Table) 31

EFACM (Accumulated Call Meter) 35

EFGID1 (Group Identifier Level 1) 35

EFGID2 (Group Identifier Level 2) 36

EFSPN (Service Provider Name) 36

EFPUCT (Price per Unit and Currency Table) 37

EFCBMI (Cell Broadcast Message identifier selection) 38

EFACC (Access Control Class) 39

EFFPLMN (Forbidden PLMNs) 39

EFLOCI (Location Information) 40

EFAD (Administrative Data) 41

EFCBMID (Cell Broadcast Message Identifier for Data Download) 43

EFECC (Emergency Call Codes) 44

EFCBMIR (Cell Broadcast Message Identifier Range selection) 45

EFPSLOCI (Packet Switched location information) 45

EFFDN (Fixed Dialling Numbers) 47

EFSMS (Short messages) 47

EFMSISDN (MSISDN) 49

EFSMSP (Short message service parameters) 49

EFSMSS (SMS status) 51

EFSDN (Service Dialling Numbers) 51

EFEXT2 (Extension2) 52

EFEXT3 (Extension3) 52

EFSMSR (Short message status reports) 53

EFICI (Incoming Call Information) 53

EFOCI (Outgoing Call Information) 57

EFICT (Incoming Call Timer) 58

EFOCT (Outgoing Call Timer) 58

EFEXT5 (Extension5) 59

EFCCP2 (Capability Configuration Parameters 2) 59

EFeMLPP (enhanced Multi Level Precedence and Pre-emption) 60

EFAaeM (Automatic Answer for eMLPP Service) 61

EFHiddenkey (Key for hidden phone book entries) 62

EFBDN (Barred Dialling Numbers) 62

EFEXT4 (Extension4) 63

EFCMI (Comparison Method Information) 63

EFEST (Enabled Services Table) 64

EFACL (Access Point Name Control List) 64

EFDCK (Depersonalisation Control Keys) 65

EFCNL (Co-operative Network List) 65

EFSTART-HFN (Initialisation values for Hyperframe number) 67

EFTHRESHOLD (Maximum value of START) 67

EFOPLMNwACT (Operator controlled PLMN selector with Access Technology) 67

EFHPLMNwAcT (HPLMN selector with Access Technology) 68

EFARR (Access Rule Reference) 69

EFNETPAR (Network Parameters) 70

EFPNN (PLMN Network Name) 72

EFOPL (Operator PLMN List) 73

EFMBDN (Mailbox Dialling Numbers) 74

EFEXT6 (Extension6) 74

EFMBI (Mailbox Identifier) 75

EFMWIS (Message Waiting Indication Status) 75

EFCFIS (Call Forwarding Indication Status) 77

EFEXT7 (Extension7) 78

EFSPDI (Service Provider Display Information) 79

EFMMSN (MMS Notification) 79

EFEXT8 (Extension 8) 81

EFMMSICP (MMS Issuer Connectivity Parameters) 82

EFMMSUP (MMS User Preferences) 84

EFMMSUCP (MMS User Connectivity Parameters) 85

EFNIA (Network's Indication of Alerting) 85

EFVGCS (Voice Group Call Service) 86

EFVGCSS (Voice Group Call Service Status) 88

EFVBS (Voice Broadcast Service) 88

EFVBSS (Voice Broadcast Service Status) 90

EFVGCSCA (Voice Group Call Service Ciphering Algorithm) 91

EFVBSCA (Voice Broadcast Service Ciphering Algorithm) 92

EFGBABP (GBA Bootstrapping parameters) 92

EFMSK (MBMS Service Keys List) 93

EFMUK (MBMS User Key) 94

EFGBANL (GBA NAF List) 95

EFEHPLMN (Equivalent HPLMN) 96

EFEHPLMNPI (Equivalent HPLMN Presentation Indication) 96

EFLRPLMNSI (Last RPLMN Selection Indication) 97

EFNAFKCA (NAF Key Centre Address) 97

EFSPNI (Service Provider Name Icon) 98

EFPNNI (PLMN Network Name Icon) 99

EFNCP-IP (Network Connectivity Parameters for USIM IP connections) 99

EFEPSLOCI (EPS location information) 102

EFEPSNSC (EPS NAS Security Context) 105

EF UFC (USAT Facility Control) 106

EFNASCONFIG (Non Access Stratum Configuration) 107

EFUICCIARI (UICC IARI) 112

EFPWS (Public Warning System) 113

EFFDNURI (Fixed Dialling Numbers URI) 114

EFBDNURI (Barred Dialling Numbers URI) 114

EFSDNURI (Service Dialling Numbers URI) 115

EFIPS (IMEI(SV) Pairing Status) 117

EFIPD (IMEI(SV) of Pairing Device) 118

EFePDGId (Home ePDG Identifier) 119

EFePDGSelection (ePDG Selection Information) 120

EFePDGIdEm (Emergency ePDG Identifier) 122

EFePDGSelectionEm (ePDG Selection Information for Emergency Services) 122

EFFromPreferred (From Preferred) 122

EFIMSConfigData (IMS Configuration Data) 123

EFTVCONFIG (TV Configuration) 123

EF3GPPPSDATAOFF (3GPP PS Data Off) 125

EF3GPPPSDATAOFFservicelist (3GPP PS Data Off Service List) 126

EFXCAPConfigData (XCAP Configuration Data) 126

EFEARFCNList (EARFCN list for MTC/NB-IOT UEs) 127

EFMuDMiDConfigData (MuD and MiD Configuration Data) 128

EFOCST ("Operator controlled signal threshold per access technology") 128

DFs at the USIM ADF (Application DF) Level 130

Contents of DFs at the USIM ADF (Application DF) level 131

Contents of files at the DF SoLSA level 131

EFSAI (SoLSA Access Indicator) 131

EFSLL (SoLSA LSA List) 131

LSA Descriptor files 134

Contents of files at the DF PHONEBOOK level 135

EFPBR (Phone Book Reference file) 136

EFIAP (Index Administration Phone book) 138

EFADN (Abbreviated dialling numbers) 138

EFEXT1 (Extension1) 141

EFPBC (Phone Book Control) 143

EFGRP (Grouping file) 144

EFAAS (Additional number Alpha String) 144

EFGAS (Grouping information Alpha String) 145

EFANR (Additional Number) 145

EFSNE (Second Name Entry) 147

EFCCP1 (Capability Configuration Parameters 1) 148

Phone Book Synchronisation 148

EFUID (Unique Identifier) 148

EFPSC (Phone book Synchronisation Counter) 149

EFCC (Change Counter) 150

EFPUID (Previous Unique Identifier) 151

EFEMAIL (e-mail address) 151

Phonebook restrictions152

EFPURI (Phonebook URIs) 152

Contents of files at the DF GSM-ACCESS level (Files required for GSM Access) 153

EFKc (GSM Ciphering key Kc) 154

EFKcGPRS (GPRS Ciphering key KcGPRS)  154

EFCPBCCH (CPBCCH Information) 155

EFInvScan (Investigation Scan) 156

Contents of files at the MexE level 156

EFMexE-ST (MexE Service table) 157

EFORPK (Operator Root Public Key) 157

EFARPK (Administrator Root Public Key) 159

EFTPRPK (Third Party Root Public Key) 160

EFTKCDF (Trusted Key/Certificates Data Files) 160

Contents of files at the DF WLAN level 161

EFPseudo (Pseudonym) 161

EFUPLMNWLAN (User controlled PLMN selector for I-WLAN Access) 162

EFOPLMNWLAN (Operator controlled PLMN selector for I-WLAN Access) 162

EFUWSIDL (User controlled WLAN Specific Identifier List) 163

EFOWSIDL (Operator controlled WLAN Specific IdentifierList) 164

EFWRI (WLAN Reauthentication Identity) 164

EFHWSIDL (Home I-WLAN Specific Identifier List) 165

EFWEHPLMNPI (I-WLAN Equivalent HPLMN Presentation Indication) 166

EFWHPI (I-WLAN HPLMN Priority Indication) 166

EFWLRPLMN (I-WLAN Last Registered PLMN) 167

EFHPLMNDAI (HPLMN Direct Access Indicator) 167

Contents of files at the DF HNB level 168

EFACSGL (Allowed CSG Lists) 168

EFCSGT (CSG Type) 171

EFHNBN (Home NodeB Name) 173

EFOCSGL (Operator CSG Lists) 173

EFOCSGT (Operator CSG Type) 175

EFOHNBN (Operator Home NodeB Name) 176

Contents of files at the DF ProSe level 176

EFPROSE_MON (ProSe Monitoring Parameters) 176

EFPROSE_ANN (ProSe Announcing Parameters) 177

EFPROSEFUNC (HPLMN ProSe Function) 178

EFPROSE_RADIO_COM (ProSe Direct Communication Radio Parameters) 179

EFPROSE_RADIO_MON (ProSe Direct Discovery Monitoring Radio Parameters) 181

EFPROSE_RADIO_ANN (ProSe Direct Discovery Announcing Radio Parameters) 182

EFPROSE_POLICY (ProSe Policy Parameters) 183

EFPROSE_PLMN (ProSe PLMN Parameters) 185

EFPROSE_GC (ProSe Group Counter)  186

EFPST (ProSe Service Table) 188

EFPROSE_UIRC (ProSe UsageInformationReportingConfiguration) 188

EFPROSE_GM_DISCOVERY (ProSe Group Member Discovery Parameters) 192

EFPROSE_RELAY (ProSe Relay Parameters) 193

EFPROSE_RELAY_DISCOVERY (ProSe Relay Discovery Parameters) 194

Contents of files at the DF ACDC level 197

EFACDC_LIST (ACDC List) 197

EFACDC_OS_CONFIG (ACDC OS configuration) 198

Contents of files at the DF TV level 199

EFTVUSD (TV User Service Description) 199

Contents of files at the DF5GS level 200

EF5GS3GPPLOCI (5GS 3GPP location information) 201

EF5GSN3GPPLOCI (5GS non-3GPP location information) 202

EF5GS3GPPNSC (5GS 3GPP Access NAS Security Context)  203

EF5GSN3GPPNSC (5GS non-3GPP Access NAS Security Context) 206

EF5GAUTHKEYS (5G authentication keys) 206

EFUAC_AIC (UAC Access Identities Configuration) 208

EFSUCI_Calc_Info (Subscription Concealed Identifier Calculation Information EF) 209

EFOPL5G (5GS Operator PLMN List) 211

EFSUPI_NAI (SUPI as Network Access Identifier) 212

EFRouting_Indicator (Routing Indicator EF) 213

EFURSP (URSP) 214

EFTN3GPPSNN (Trusted non-3GPP Serving network names list) 215

EFCAG (Pre-configured CAG information list EF) 216

EFSOR-CMCI (Steering Of Roaming - Connected Mode Control Information) 217

EFDRI (Disaster roaming information EF) 218

EF5GSEDRX (5GS eDRX Parameters) 219

EF5GNSWO_CONF (5G Non-Seamless WLAN Offload configuration) 220

EFMCHPPLMN (Multiplier Coefficient for Higher Priority PLMN search) 221

EFKAUSF_DERIVATION (KAUSF derivation configuration) 222

Contents of files at the DF SNPN level 222

EFPWS_SNPN (Public Warning System in SNPNs)  222

EFNID (Network Identifier for SNPN) 223

Contents of files at the DF 5G ProSe level 224

EF5G_PROSE_ST (5G ProSe Service Table) 224

EF5G_PROSE_DD (5G ProSe configuration data for direct discovery) 224

EF5G_PROSE_DC (5G ProSe configuration data for direct communication)  228

EF5G_PROSE_U2NRU (5G ProSe configuration data for UE-to-network relay UE)  230

EF5G_PROSE_RU (5G ProSe configuration data for remote UE)  234

EF5G_PROSE_UIR (5G ProSe configuration data for usage information reporting) 237

Contents of files at the DF 5MBS UE pre-configuration level  239

EF5MBSUECONFIG (5MBS UE pre-configuration) 239

EF5MBSUSD (5MBS User Service Description) 242

Contents of Efs at the TELECOM level 242

EFADN (Abbreviated dialling numbers) 243

EFEXT1 (Extension1) 243

EFECCP (Extended Capability Configuration Parameter) 243

EFSUME (SetUpMenu Elements) 243

EFARR (Access Rule Reference) 243

EFICE_DN (In Case of Emergency – Dialling Number) 243

EFICE_FF (In Case of Emergency – Free Format) 244

EFRMA (Remote Management Actions) 245

EFPSISMSC (Public Service Identity of the SM-SC) 245

Contents of DFs at the TELECOM level 245

List of DFs at the TELECOM level 245

Contents of files at the DFGRAPHICS level 246

EFIMG (Image) 246

EFIIDF (Image Instance Data Files) 247

EFICE_graphics (In Case of Emergency – Graphics) 248

Contents of files at the DFPHONEBOOK under the DFTELECOM 249

Contents of files at the DFMULTIMEDIA level 249

EFMML (Multimedia Messages List) 249

EFMMDF (Multimedia Messages Data File) 251

Contents of files at the DFMCS level 252

EFMST (MCS Service Table) 252

EFMCS_ CONFIG (MCS configuration data) 253

Contents of files at the DFV2X level 254

V2X configuration data related files 254

EFVST (V2X Service Table) 254

EFV2X_CONFIG (V2X configuration data) 255

EFV2XP_PC5 (V2X data policy over PC5) 255

EFV2XP_Uu (V2X data policy over Uu) 257

USIM Expanded Capabilities Pt2

USIM Expanded Capabilities Pt2

3GPP TS 31.102 V18.1.0 (2023-06)

3rd Generation Partnership Project; Technical Specification Group Core Network and Terminals; Characteristics of the Universal Subscriber Identity Module (USIM) application (Release 18)

The following abbreviations apply. It is worth noting that with 5G whilst you may know what the acronym "PIN" stands for, do you know what "PINE" means (not appearing below)?

3GPP 3rd Generation Partnership Project
5GCN 5G Core Network
AC Access Condition
ACDC Application specific Congestion control for Data Communication
ACL APN Control List
ADF Application Dedicated File
AID Application Identifier
AK Anonymity key
ALW ALWays
AMF Authentication Management Field
AoC Advice of Charge
APN Access Point Name
ASME Access Security Management Entity
ASN.1 Abstract Syntax Notation One
AuC Authentication Centre
AUTN Authentication token
BDN Barred Dialling Number
BER-TLV Basic Encoding Rule - TLV
B-TID Bootstrapping Transaction Identifier
CAG Closed Access Group
CCP Capability Configuration Parameter
CK Cipher key
CLI Calling Line Identifier
CNL Co-operative Network List
CPBCCH COMPACT Packet BCCH
CS Circuit switched
DCK Depersonalisation Control Keys
DF Dedicated File
DO Data Object
EC-GSM-IoT Extended coverage in GSM for IoT
DUCK Discovery User Confidentiality Key
DUIK Discovery User Integrity Key
DUSK Discovery User Scrambling Key
eDRX Extended Discontinuous Reception
EARFCN Evolved Absolute Radio Frequency Channel Number
EF Elementary File
EPC Evolved Packet Core
ePDG Evolved Packet Data Gateway
EPS Evolved Packet System
FCP File Control Parameters
FFS For Further Study
FQDN Full Qualified Domain Name
GCI Global Cable Identifier
GLI Global Line Identifier
GSM Global System for Mobile communications
HE Home Environment
HNB Home NodeB
HeNB Home eNodeB
IARI IMS Application Reference Identifier
ICC Integrated Circuit Card
ICE In Case of Emergency
ICI Incoming Call Information
ICT Incoming Call Timer
ID Identifier
Idi Identity of the initiator
Idr Identity of the responder
IEI Information Element Identifier
IK Integrity key
IMSI International Mobile Subscriber Identity
IOPS Isolated E-UTRAN Operation for Public Safety
K USIM Individual key
KC Cryptographic key used by the cipher A5
KSI Key Set Identifier
LI Language Indication
LSA Localised Service Areas
LSB Least Significant Bit
MAC Message authentication code
MAC-A MAC used for authentication and key agreement
MAC-I MAC used for data integrity of signalling messages
MBMS Multimedia Broadcast/Multicast Service
MCC Mobile Country Code
MCData Mission Critical Data
MCPTT Mission Critical Push To Talk
MCS Mission Critical Services
MCVideo Mission Critical Video
MexE Mobile Execution Environment
MF Master File
MGV-F MTK Generation and Validation Function
MICO Mobile Initiated Connection Only
MiD Multi-iDentity
MIKEY Multimedia Internet KEYing
MINT Minimization of Service Interruption
MM Multimedia Message
MMI Man Machine Interface
MMS Multimedia Messaging Service
MMSS MultiMode System Selection
MNC Mobile Network Code
MODE Indication packet switched/circuit switched mode
MSB Most Significant Bit
MSK MBMS Service Key
MTC Machine Type Communications
MTK MBMS Traffic Key
MuD Multi-Device
MUK MBMS User Key
NAI Network Access Identifier
NB-IoT Narrowband IoT
NEV NEVer
ngKSI Key Set Identifier in 5G
NG-RAN Next Generation Radio Access Network
NID Network Identifier for SNPN
NPI Numbering Plan Identifier
NSI Network Specific Identifier
NSWO Non-Seamless WLAN Offload
OCI Outgoing Call Information
OCST Operator Contolled Signal Threshold per Access Technology
OCT Outgoing Call Timer
PBID Phonebook Identifier
PGK ProSe Group Key
PIN Personal Identification Number
PL Preferred Languages
PS Packet switched
PSDK Public Safety Discovery Key
PS_DO PIN Status Data Object
PSM Power Saving Mode
PTK ProSe Traffic Key
RAND Random challenge
RANDMS Random challenge stored in the USIM
RES User response
RFU Reserved for Future Use
RLOS Restricted Local Operator Services
RST Reset
SDN Service dialling number
SE Security Environment
SENSE Signal level Enhanced Network SElection
SEQp Sequence number for MGV-F stored in the USIM
SFI Short EF Identifier
SGSN Serving GPRS Support Node
SN Serving Network
SNPN Standalone Non-Public Network
SoLSA Support of Localised Service Areas
SOR-CMCI Steering of roaming connected mode control information
SQN Sequence number
SRES Signed RESponse calculated by a USIM
SUCI Subscription Concealed Identifier
SUPI Subscription Permanent Identifier
SW Status Word
TLV Tag Length Value
TMGI Temporary Mobile Group Identity
TV Television
UAC Unified Access Control
URSP UE Route Selection Policy
USAT USIM Application Toolkit
USD User Service Description
USIM Universal Subscriber Identity Module
V2X Vehicle-to-Everything
VLR Visitor Location Register
WLAN Wireless Local Area Network
WSID WLAN Specific Identifier
XRES Expected user RESponse

USIM Expanded Capabilities Pt1

3GPP TS 31.102 V18.1.0 (2023-06)

3rd Generation Partnership Project; Technical Specification Group Core Network and Terminals; Characteristics of the Universal Subscriber Identity Module (USIM) application (Release 18)

Updating past topics published here. EF-UST (148)

-Services EFUST (USIM Service Table)
Contents: Service n°1: Local Phone Book
Service n°2: Fixed Dialling Numbers (FDN)
Service n°3: Extension 2
Service n°4: Service Dialling Numbers (SDN)
Service n°5: Extension3
Service n°6: Barred Dialling Numbers (BDN)
Service n°7: Extension4
Service n°8: Outgoing Call Information (OCI and OCT)
Service n°9: Incoming Call Information (ICI and ICT)
Service n°10: Short Message Storage (SMS)
Service n°11: Short Message Status Reports (SMSR)
Service n°12: Short Message Service Parameters (SMSP)
Service n°13: Advice of Charge (AoC)
Service n°14: Capability Configuration Parameters 2 (CCP2)
Service n°15: Cell Broadcast Message Identifier
Service n°16: Cell Broadcast Message Identifier Ranges
Service n°17: Group Identifier Level 1
Service n°18: Group Identifier Level 2
Service n°19: Service Provider Name
Service n°20: User controlled PLMN selector with Access Technology
Service n°21: MSISDN
Service n°22: Image (IMG)
Service n°23: Support of Localised Service Areas (SoLSA)
Service n°24: Enhanced Multi-Level Precedence and Pre-emption Service
Service n°25: Automatic Answer for eMLPP
Service n°26: RFU
Service n°27: GSM Access
Service n°28: Data download via SMS-PP
Service n°29: Data download via SMS-CB
Service n°30: Call Control by USIM
Service n°31: MO-SMS Control by USIM
Service n°32: RUN AT COMMAND command
Service n°33: shall be set to '1'
Service n°34: Enabled Services Table
Service n°35: APN Control List (ACL)
Service n°36: Depersonalisation Control Keys
Service n°37: Co-operative Network List
Service n°38: GSM security context
Service n°39: CPBCCH Information
Service n°40: Investigation Scan
Service n°41: MexE
Service n°42: Operator controlled PLMN selector with Access Technology
Service n°43: HPLMN selector with Access Technology
Service n°44: Extension 5
Service n°45: PLMN Network Name
Service n°46: Operator PLMN List
Service n°47: Mailbox Dialling Numbers
Service n°48: Message Waiting Indication Status
Service n°49: Call Forwarding Indication Status
Service n°50: Reserved and shall be ignored
Service n°51: Service Provider Display Information
Service n°52 Multimedia Messaging Service (MMS)
Service n°53 Extension 8
Service n°54 Call control on GPRS by USIM
Service n°55 MMS User Connectivity Parameters
Service n°56 Network's indication of alerting in the MS (NIA)
Service n°57 VGCS Group Identifier List (EFVGCS and EFVGCSS)
Service n°58 VBS Group Identifier List (EFVBS and EFVBSS)
Service n°59 Pseudonym
Service n°60 User Controlled PLMN selector for I-WLAN access
Service n°61 Operator Controlled PLMN selector for I-WLAN access
Service n°62 User controlled WSID list
Service n°63 Operator controlled WSID list
Service n°64 VGCS security
Service n°65 VBS security
Service n°66 WLAN Reauthentication Identity
Service n°67 Multimedia Messages Storage
Service n°68 Generic Bootstrapping Architecture (GBA)
Service n°69 MBMS security
Service n°70 Data download via USSD and USSD application mode
Service n°71 Equivalent HPLMN
Service n°72 Additional TERMINAL PROFILE after UICC activation
Service n°73 Equivalent HPLMN Presentation Indication
Service n°74 Last RPLMN Selection Indication
Service n°75 OMA BCAST Smart Card Profile
Service n°76 GBA-based Local Key Establishment Mechanism
Service n°77 Terminal Applications
Service n°78 Service Provider Name Icon
Service n°79 PLMN Network Name Icon
Service n°80 Connectivity Parameters for USIM IP connections
Service n°81 Home I-WLAN Specific Identifier List
Service n°82 I-WLAN Equivalent HPLMN Presentation Indication
Service n°83 I-WLAN HPLMN Priority Indication
Service n°84 I-WLAN Last Registered PLMN
Service n°85 EPS Mobility Management Information
Service n°86 Allowed CSG Lists and corresponding indications
Service n°87 Call control on EPS PDN connection by USIM
Service n°88 HPLMN Direct Access
Service n°89 eCall Data
Service n°90 Operator CSG Lists and corresponding indications
Service n°91 Support for SM-over-IP
Service n°92 Support of CSG Display Control
Service n°93 Communication Control for IMS by USIM
Service n°94 Extended Terminal Applications
Service n°95 Support of UICC access to IMS
Service n°96 Non-Access Stratum configuration by USIM
Service n°97 PWS configuration by USIM
Service n°98 RFU
Service n°99 URI support by UICC
Service n°100 Extended EARFCN support
Service n°101 ProSe
Service n°102 USAT Application Pairing
Service n°103 Media Type support
Service n°104 IMS call disconnection cause
Service n°105 URI support for MO SHORT MESSAGE CONTROL
Service n°106 ePDG configuration Information support
Service n°107 ePDG configuration Information configured
Service n°108 ACDC support
Service n°109 Mission Critical Services
Service n°110 ePDG configuration Information for Emergency Service support
Service n°111 ePDG configuration Information for Emergency Service configured
Service n°112 eCall Data over IMS
Service n°113 URI support for SMS-PP DOWNLOAD as defined in
Service n°114 From Preferred
Service n°115 IMS configuration data
Service n°116 TV configuration
Service n°117 3GPP PS Data Off
Service n°118 3GPP PS Data Off Service List
Service n°119 V2X
Service n°120 XCAP Configuration Data
Service n°121 EARFCN list for MTC/NB-IOT UEs
Service n°122 5GS Mobility Management Information
Service n°123 5G Security Parameters
Service n°124 Subscription identifier privacy support
Service n°125 SUCI calculation by the USIM
Service n°126 UAC Access Identities support
Service n°127 Control plane-based steering of UE in VPLMN
Service n°128 Call control on PDU Session by USIM
Service n°129 5GS Operator PLMN List
Service n°130 Support for SUPI of type NSI or GLI or GCI
Service n°131 3GPP PS Data Off separate Home and Roaming lists
Service n°132 Support for URSP by USIM
Service n°133 5G Security Parameters extended
Service n°134 MuD and MiD configuration data
Service n°135 Support for Trusted non-3GPP access networks by USIM
Service n°136 Support for multiple records of NAS security context storage for multiple registration
Service n°137 Pre-configured CAG information list
Service n°138 SOR-CMCI storage in USIM
Service n°139 5G ProSe
Service n°140 Storage of disaster roaming information in USIM
Service n°141 Pre-configured eDRX parameters
Service n°142 5G NSWO support
Service n°143 PWS configuration for SNPN in USIM
Service n°144 Multiplier Coefficient for Higher Priority PLMN search via NG-RAN satellite access
Service n°145 KAUSF derivation configuration
Service n°146 Network Identifier for SNPN (NID)
Service n°147 5MBS UE pre-configuration
Service n°148 UE configured for using "Operator controlled signal threshold per access technology

Cyber: Cyber Security for Consumer Internet of Things (IoT)

 

Still olden but golden, when it comes to IoT Connected Devices

I have briefly touched upon IoT (Internet of Things) at my blog previously:

Fast moving wireless world

https://trewmte.blogspot.com/2014/10/fast-moving-wireless-world.html

The Internet of Things (IoT)

https://trewmte.blogspot.com/2016/03/the-internet-of-things-iot.html

The Rise of (IoT) Domestic Appliance Forensic Examiners

https://trewmte.blogspot.com/2016/03/the-rise-of-iot-domestic-appliance.html

Smart Phones with Smart Homes

https://trewmte.blogspot.com/2016/06/smart-phones-with-smart-homes.html

eSIM - Observing Possible Outcomes Part 1

https://trewmte.blogspot.com/2019/12/esim-observing-possible-outcomes-part-1.html

I am adding update reference materials available on IoT and Cyber, if you haven't seen this info or weren't aware, which you might find useful.

ETSI in February 2019 released the first globally applicable standard for consumer IoT security:

etsi-releases-first-globally-applicable-standard-for-consumer-iot-security?jjj=1611490283528

This publicised event introduced the ETSI Stand ts_103645v010101 (2019)

CYBER; Cyber Security for Consumer Internet of Things

ts_103645v010101p.pdf

In 2020 ETSI updated the standard ts_103645v020102 with enhanced baseline requirements:

CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements

ts_103645v020102p.pdf

The object of these standards is to improve security and privacy. A common default password for all products are to be scrubbed with a unique default password per device applied instead. Moreover, it should not be possible to enable the password set at default in the first place once user changed. Apparently, many IoT (consumer) products on the market may still not (even today) meet this password objectives or other more basic requirements that have been stated in this newly released standard. 

Measures vendor companies should understake range from adopting simple installation and user guidance with good documentation in support; good hardware/software security engineering practice; for personal privacy the standard sets out protection objectives for all sensitive personal data required to be stored securely - that is both on devices, themselves, and in any related services e.g. in the cloud. Any personal data should be encrypted and should be protected against attack; and with clear instructions how consumers can easily delete their personal data.

Whilst this standard provides consumers with confidence in their IoT product, it equally has been designed to allow vendors companies sufficient flexibility to enable them to innovate and find the best solution for security and privacy for their particular IoT products. Password protection, encryption, and safe deletion are some solutions. Others could be block-off network ports; close-off software not being used; avoidance of exploited data (OOR) by adoption of a validation approach; secure-boot mechanisms (hardward-based); with ease and secure device software updates (e.g. use- menu selection or autonomic/automated (e.g. ZTP etc)). These are possible solutions.

I did like that ETSI had included specific demands about disclosure in this standard for vendor companies to identify, act upon and promptly report vulnerabilities.

However, from a cyber aspect, the ETSI Technical Committee on Cybersecurity (TC CYBER) has overseen and published over 50 cyber standards, some of which are referenced below:

ETSI TS 103 744 V1.1.1 (2020-12)Published

CYBER; Quantum-safe Hybrid Key Exchanges

ETSI TS 103 523-1 V1.1.1 (2020-12)Published

CYBER; Middlebox Security Protocol; Part 1: MSP Framework and Template Requirements

ETSI TS 103 718 V1.1.1 (2020-10)Published

CYBER; External encodings for the Advanced Encryption Standard

ETSI TR 103 644 V1.2.1 (2020-09)Published

CYBER; Observations from the SUCCESS project regarding smart meter security

ETSI TS 103 485 V1.1.1 (2020-08)Published

CYBER; Mechanisms for privacy assurance and verification

ETSI TR 103 619 V1.1.1 (2020-07)Published

CYBER; Migration strategies and recommendations to Quantum Safe schemes

ETSI EN 303 645 V2.1.1 (2020-06)Published

CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements

ETSI TS 103 645 V2.1.2 (2020-06)Published

CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements

ETSI TR 103 306 V1.4.1 (2020-03)Published

CYBER; Global Cyber Security Ecosystem

ETSI TR 103 644 V1.1.1 (2019-12)Published

CYBER; Increasing smart meter security

ETSI TR 103 618 V1.1.1 (2019-12)Published

CYBER; Quantum-Safe Identity-Based Encryption

ETSI TR 103 331 V1.2.1 (2019-09)Published

CYBER; Structured threat information sharing

ETSI TS 103 523-3 V1.3.1 (2019-08)Published

CYBER; Middlebox Security Protocol; Part 3: Enterprise Transport Security

ETSI TS 103 523-3 V1.2.1 (2019-03)Published

CYBER; Middlebox Security Protocol; Part 3: Enterprise Transport Security

ETSI TS 103 645 V1.1.1 (2019-02)Published

CYBER; Cyber Security for Consumer Internet of Things

ETSI TR 103 370 V1.1.1 (2019-01)Published

CYBER; Practical introductory guide to Technical Standards for Privacy

ETSI TS 103 457 V1.1.1 (2018-10)Published

CYBER; Trusted Cross-Domain Interface: Interface to offload sensitive functions to a trusted domain

ETSI TR 103 642 V1.1.1 (2018-10)Published

CYBER; Security techniques for protecting software in a white box model

ETSI TS 103 523-3 V1.1.1 (2018-10)Published

CYBER; Middlebox Security Protocol; Part 3: Profile for enterprise network and data centre access control

ETSI TR 103 617 V1.1.1 (2018-09)Published

CYBER; Quantum-Safe Virtual Private Networks

ETSI TR 103 305-1 V3.1.1 (2018-09)Published

CYBER; Critical Security Controls for Effective Cyber Defence; Part 1: The Critical Security Controls

ETSI TR 103 305-2 V2.1.1 (2018-09)Published

CYBER; Critical Security Controls for Effective Cyber Defence; Part 2: Measurement and auditing

ETSI TR 103 305-3 V2.1.1 (2018-09)Published

CYBER; Critical Security Controls for Effective Cyber Defence; Part 3: Service Sector Implementations

ETSI TR 103 305-5 V1.1.1 (2018-09)Published

CYBER; Critical Security Controls for Effective Cyber Defence; Part 5: Privacy enhancement

ETSI TR 103 305-4 V2.1.1 (2018-09)Published

CYBER; Critical Security Controls for Effective Cyber Defence; Part 4: Facilitation Mechanisms

ETSI TR 103 306 V1.3.1 (2018-08)Published

CYBER; Global Cyber Security Ecosystem

ETSI TS 103 458 V1.1.1 (2018-06)Published

CYBER; Application of Attribute Based Encryption (ABE) for PII and personal data protection on IoT devices, WLAN, cloud and mobile services - High level requirements

ETSI TS 103 307 V1.3.1 (2018-04)Published

CYBER; Security Aspects for LI and RD Interfaces

ETSI TS 103 532 V1.1.1 (2018-03)Published

CYBER; Attribute Based Encryption for Attribute Based Access Control

ETSI TR 103 456 V1.1.1 (2017-10)Published

CYBER; Implementation of the Network and Information Security (NIS) Directive

ETSI TS 102 165-1 V5.2.3 (2017-10)Published

CYBER; Methods and protocols; Part 1: Method and pro forma for Threat, Vulnerability, Risk Analysis (TVRA)

ETSI TR 103 570 V1.1.1 (2017-10)Published

CYBER; Quantum-Safe Key Exchanges

ETSI TR 103 421 V1.1.1 (2017-04)Published

CYBER; Network Gateway Cyber Defence

ETSI TR 103 306 V1.2.1 (2017-03)Published

CYBER; Global Cyber Security Ecosystem

ETSI TS 103 307 V1.2.1 (2016-10)Published

CYBER; Security Aspects for LI and RD Interfaces

ETSI TR 103 305-2 V1.1.1 (2016-08)Published

CYBER; Critical Security Controls for Effective Cyber Defence; Part 2: Measurement and auditing

ETSI TR 103 305-3 V1.1.1 (2016-08)Published

CYBER; Critical Security Controls for Effective Cyber Defence; Part 3: Service Sector Implementations

ETSI TR 103 305-4 V1.1.1 (2016-08)Published

CYBER; Critical Security Controls for Effective Cyber Defence; Part 4: Facilitation Mechanisms

ETSI TR 103 305-1 V2.1.1 (2016-08)Published

CYBER; Critical Security Controls for Effective Cyber Defence; Part 1: The Critical Security Controls

ETSI TR 103 331 V1.1.1 (2016-08)Published

CYBER; Structured threat information sharing

ETSI TR 103 304 V1.1.1 (2016-07)Published

CYBER; Personally Identifiable Information (PII) Protection in mobile and cloud services

ETSI TR 103 369 V1.1.1 (2016-07)Published

CYBER; Design requirements ecosystem

ETSI EG 203 310 V1.1.1 (2016-06)Published

CYBER; Quantum Computing Impact on security of ICT Systems; Recommendations on Business Continuity and Algorithm Selection

ETSI TS 103 307 V1.1.1 (2016-04)Published

CYBER; Security Aspects for LI and RD Interfaces

ETSI TR 103 303 V1.1.1 (2016-04)Published

CYBER; Protection measures for ICT in the context of Critical Infrastructure

ETSI TS 103 487 V1.1.1 (2016-04)Published

CYBER; Baseline security requirements regarding sensitive functions for NFV and related platforms

ETSI TR 103 308 V1.1.1 (2016-01)Published

CYBER; Security baseline regarding LI and RD for NFV and related platforms

ETSI TR 103 306 V1.1.1 (2015-11)Published

CYBER; Global Cyber Security Ecosystem

ETSI TR 103 309 V1.1.1 (2015-08)Published

CYBER; Secure by Default - platform security technology

ETSI TR 103 305 V1.1.1 (2015-05)Published

CYBER; Critical Security Controls for Effective Cyber Defence

CSA Location Determination Investigations - The continuing mission

Recalling that I have posted here at trewmte.blogspot and cellsiteanalysis.blospot over the years was to assist interpretation of data and testing for cell site anslysis and elements that can be used when conducting investigations, I have posted below a few of the weblinks to help this discussion along.

https://trewmte.blogspot.com/2014/07/csa-site-survey-method3mobility-models.html

http://trewmte.blogspot.com/2009/08/cell-site-analysis-csa-images-part-2.html

http://trewmte.blogspot.com/2008/11/mobile-phones-and-fringe-coverage.html

http://cellsiteanalysis.blogspot.com/

https://www.dropbox.com/s/g912o5dji9wkxfk/3G%20Networks%20position%20techniques.pdf

It is noteworthy the ITU in 2017 published a series of documents regarding call details record (CDR) and specified network data that could be captured in CDRs to assist a wide range of tasks to comprehend mobile phone movement caused by migration to determining trip travel and destination. These studies were conduct in Liberia, Sierra Leone and Republic of Guinea:

Liberia CDR reallocation D012A0000C93301PDFE.pdf

CDR Sierra Leone D012A0000CA3301PDFE.pdf

CDR Republic of Guinea D012A0000D03301PDFE.pdf

The reports identify how to obtain, collate, display overlay geodata/mapping and interpolation of the format specification that I rather think is highly useful to CSA investigations. The ITU source highlights CDRs capturing association with PoI, Trip Segmentation, Trajectory and Stay Points etc. I am simplifying in my summary what is undoubtedly more detailed discussion in these reports to show that 'time' and ‘location’ will be highly relevant. 

CSA has not been without the knowledge regarding peak-time call traffic, density of call traffic, tracking etc and these are used in call analysis and CSA. In these reports though the defining stay points captured in the call records add useful evidence such as travel, location, co-location (if relevant), association (if relevant), landmarks, so on and so forth.

Consideration of trip segmentation in the report states ""Trip segmentation: Extract stay points from anonymized CDR data, and divide move/stay segments. Figure 7.4 explains how stay points are extracted by applying parameters and thresholds to CDR data." In this regard the threshold parameters for stay points are specified as 'Minimum Time Duration 15 Minutes' and 'Maximum Distance 300 Meter'. To assist further here is a useful image with data from the ITU Liberia report:

To extrapolate such detail require Trip segmentation, Stay point reallocation, Route interpolation, Grid-based aggregation and Visualization and so on. To dig into the detail to assist interpretation:

"Stay point reallocation: Reallocate stay points (Trip OD) to surrounding points of interest (POIs) with a certain probability and fil gap between stay/move segments. POIs are regarded as surrounding a certain cell tower if they are closer to the cell tower location than to the others (Voronoi tessellation). The reallocation is necessary because CDR location data is based on cell tower location, which means that all users in the same area have the same location. Reallocation can make the distributing of people more realistic or likely because POIs can be considered places where people are likely to stay or visit, such as shopping areas, residential houses, villages, and to which people are reassigned rather than concentrating on cell tower locations. A new dataset of POIs was constructed for this process by collecting data from the distribution of buildings from open access Internet data (see Appendix 2). Figure 7.5 shows how POIs are distributed in a city. Areas in blue indicate building POIs with extracted stay points, where location information originally based on antenna location, are reallocated."

Lastly, the reports published in 2017 discussed relevance to 2G, 3G and 4G.

DoDM 8570 Baseline Certification

Crikey! Whilst DoDM 8570 requires at least one base line certificate this roadmap suggests if you want to take all these certificates it would run to n-years of your life just taking certs. 

Realistically, useful to see what certs can be taken to meet the requirements. Image from https://public.cyber.mil/cw/cwmp/dod-approved-8570-baseline-certifications/