Sunday, May 14, 2017

Contaminating Evidence SIX

The original question (in Part ONE) I believe was asked by someone starting out in mobile forensics. I tend to find it is easier to start with the 2G technology [SIM Application CLA (0xA0) / 2G context], which is still predominant in certain countries; although market research shows 2G falls below 30% globally by 2020.

Furthermore, law enforcement and security still seize and find 2G SIM cards (globally speaking) associated with criminal activity - drug dealing, SIMboxing, trafficking, etc. - so any observations that assist examination may help improve outcomes and generate "quality in work" without expending large quantities of capital.

Equally, with 3G and 4G SIM cards the examiner can still issue SELECT, ReadBinary etc. for GSM access. It is also helpful to let examiners see basic script commands and responses, as the same basic commands can still be issued under the USIM Application [CLA (0x00)]:

SelectUSIMApplication
Select 6F07
ReadBinary
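The three script lines above hide the raw command APDUs that a reader tool sends to the card. The following is an added example (not code from the blog or from Quantaq's USIM Commander) that builds those APDUs for both the 2G context (CLA 0xA0, where 6F07 sits under 3F00/7F20) and the USIM context (CLA 0x00, SELECT by AID first), and decodes the EF_IMSI body that ReadBinary returns. The USIM AID prefix, the response bytes and the IMSI are constructed sample values; no card is accessed.

```python
"""Added example: APDUs behind SelectUSIMApplication / Select 6F07 / ReadBinary,
plus an EF_IMSI decoder. Not from the blog post or from USIM Commander."""

# 3GPP RID A000000087 + USIM application code 1002. Real cards append a
# vendor PIX to this prefix; the value is an assumption for illustration.
USIM_AID = bytes.fromhex("A0000000871002")


def select_fid_apdu(fid: int, usim: bool) -> bytes:
    """SELECT by 2-byte file identifier.
    2G context: CLA A0, P2=00.  USIM context: CLA 00, P2=04 (return FCP)."""
    cla, p2 = (0x00, 0x04) if usim else (0xA0, 0x00)
    return bytes([cla, 0xA4, 0x00, p2, 0x02]) + fid.to_bytes(2, "big")


def select_usim_app_apdu(aid: bytes = USIM_AID) -> bytes:
    """SELECT by DF name (P1=04): the 'SelectUSIMApplication' step.
    Only meaningful under CLA 00; a 2G SIM has no application to select."""
    return bytes([0x00, 0xA4, 0x04, 0x04, len(aid)]) + aid


def read_binary_apdu(length: int, usim: bool, offset: int = 0) -> bytes:
    """READ BINARY (INS B0) with a 2-byte offset in P1/P2 and Le = length."""
    cla = 0x00 if usim else 0xA0
    return bytes([cla, 0xB0]) + offset.to_bytes(2, "big") + bytes([length])


def script_apdus(usim: bool) -> list:
    """The post's three-line script as the APDU sequence a tool would issue.
    Under 2G the path 3F00 -> 7F20 -> 6F07 is walked explicitly; under the
    USIM application 6F07 is directly beneath the ADF."""
    seq = []
    if usim:
        seq.append(select_usim_app_apdu())
    else:
        seq += [select_fid_apdu(0x3F00, False), select_fid_apdu(0x7F20, False)]
    seq.append(select_fid_apdu(0x6F07, usim))
    seq.append(read_binary_apdu(9, usim))   # EF_IMSI is 9 bytes
    return seq


def decode_imsi(ef_imsi: bytes) -> str:
    """EF_IMSI (6F07): byte 1 = length of the coded IMSI, then TBCD digits.
    The first low nibble carries the identity type and odd/even flag
    (TS 24.008 mobile identity coding), so it is not an IMSI digit."""
    n = ef_imsi[0]
    body = ef_imsi[1:1 + n]
    odd = bool(body[0] & 0x08)          # b4 set -> odd number of digits
    digits = [body[0] >> 4]             # digit 1 is the high nibble
    for b in body[1:]:
        digits.append(b & 0x0F)         # lower nibble = next digit
        digits.append(b >> 4)           # upper nibble = digit after that
    if not odd:                         # even count: last high nibble is 0xF filler
        digits.pop()
    return "".join(str(d) for d in digits)


# Constructed EF_IMSI body for sample IMSI 234301234567890 (not a real subscriber).
SAMPLE_EF_IMSI = bytes.fromhex("08 29 43 03 21 43 65 87 09")

if __name__ == "__main__":
    for ctx, usim in (("2G / CLA A0", False), ("USIM / CLA 00", True)):
        print(ctx)
        for apdu in script_apdus(usim):
            print("  ", apdu.hex().upper())
    print("IMSI:", decode_imsi(SAMPLE_EF_IMSI))
```

Under the 2G context a SELECT answers with SW 9F xx and the FCP must be fetched with GET RESPONSE (A0 C0 00 00 xx) before the next step; the example omits that round trip because the script lines above do too.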


To make the following a little more interesting than merely showing a screen image of the USIM Application returning the SIM card's IMSI: does the mobile network of the IMSI match the network to which the IMSI was last latched?


For privacy and security purposes the IMSI has been obscured; however, it is confirmed that the IMSI for this discussion belongs to a subscriber to the EE network. As an examiner you may consider looking at the last network and location on which the subscriber was camped.

SelectUSIMApplication
Select 6F7E (location information, i.e. location area)
ReadBinary




SelectUSIMApplication
Select 6F73 (packet switched location area)
ReadBinary



Observations, at first instance: the LOCI and PSLOCI screens reveal that the subscriber's account has been latched to the T-Mobile network, not the EE or Orange network. Who would provide feedback to the investigating office on what that means? Both of these screens show "updated" for location and routing area, yet the P-TMSI Signature Value has remained unchanged at FFFFFF. What significance, if any, would that have in interpreting the data?
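Reading the two screens above depends on knowing the byte layout of EF_LOCI and EF_PSLOCI. The following is an added example (not code from the blog or from USIM Commander) that decodes the bodies ReadBinary returns for 6F7E and 6F73 under the USIM application, using the TS 31.102 layouts: it extracts the PLMN (MCC/MNC) the card last camped on, the LAC/RAC, the update-status bytes, and whether the P-TMSI signature is still the all-FF filler. The sample bodies are constructed (PLMN 234/30, an "updated" status and an FFFFFF signature, matching the observation above), and the two-entry PLMN name table is an assumption for illustration only; a real examination checks codes against a maintained PLMN list.

```python
"""Added example: decode EF_LOCI (6F7E) and EF_PSLOCI (6F73) as read under the
USIM application. Not from the blog post or from USIM Commander."""

# Location / routing area update status, low three bits of the status byte.
UPDATE_STATUS = {0: "updated", 1: "not updated",
                 2: "PLMN not allowed", 3: "LA/RA not allowed"}

# Illustrative lookup only (assumption); use a maintained PLMN list in practice.
PLMN_NAMES = {"23430": "T-Mobile UK (now EE)", "23433": "Orange UK (now EE)"}


def decode_plmn(b: bytes) -> str:
    """3-byte PLMN coding (TS 24.008 10.5.1.3): nibble-swapped BCD,
    byte1 = MCC2|MCC1, byte2 = MNC3|MCC3, byte3 = MNC2|MNC1; MNC3 = F for 2-digit MNC."""
    mcc = f"{b[0] & 0xF}{b[0] >> 4}{b[1] & 0xF}"
    mnc3 = b[1] >> 4
    mnc = f"{b[2] & 0xF}{b[2] >> 4}" + ("" if mnc3 == 0xF else str(mnc3))
    return mcc + mnc


def decode_loci(body: bytes) -> dict:
    """EF_LOCI: TMSI(4) | LAI(5) = PLMN(3)+LAC(2) | RFU(1) | location update status(1)."""
    if len(body) != 11:
        raise ValueError("EF_LOCI body must be 11 bytes")
    plmn = decode_plmn(body[4:7])
    return {
        "tmsi": body[0:4].hex().upper(),
        "tmsi_assigned": body[0:4] != b"\xff" * 4,   # FFFFFFFF = no TMSI stored
        "plmn": plmn,
        "network": PLMN_NAMES.get(plmn, "unknown"),
        "lac": int.from_bytes(body[7:9], "big"),
        "status": UPDATE_STATUS.get(body[10] & 0x07, "reserved"),
    }


def decode_psloci(body: bytes) -> dict:
    """EF_PSLOCI: P-TMSI(4) | P-TMSI signature(3) | RAI(6) = PLMN(3)+LAC(2)+RAC(1)
    | routing area update status(1)."""
    if len(body) != 14:
        raise ValueError("EF_PSLOCI body must be 14 bytes")
    sig = body[4:7]
    plmn = decode_plmn(body[7:10])
    return {
        "ptmsi": body[0:4].hex().upper(),
        "ptmsi_signature": sig.hex().upper(),
        # All-FF is the filler held when no signature has been assigned or it
        # was deleted; an "updated" status alongside it is worth flagging.
        "ptmsi_signature_assigned": sig != b"\xff\xff\xff",
        "plmn": plmn,
        "network": PLMN_NAMES.get(plmn, "unknown"),
        "lac": int.from_bytes(body[10:12], "big"),
        "rac": body[12],
        "status": UPDATE_STATUS.get(body[13] & 0x07, "reserved"),
    }


def flag_anomalies(loci: dict, psloci: dict) -> list:
    """Examiner-facing consistency checks on the two decoded records."""
    notes = []
    if loci["plmn"] != psloci["plmn"]:
        notes.append("CS and PS records camped on different PLMNs")
    if psloci["status"] == "updated" and not psloci["ptmsi_signature_assigned"]:
        notes.append("PS routing area 'updated' but P-TMSI signature is FFFFFF")
    return notes


# Constructed sample bodies (not from a real card): PLMN 234/30, LAC 0x1234,
# RAC 0x05, both statuses "updated", P-TMSI signature left at FF FF FF.
SAMPLE_LOCI = bytes.fromhex("C12A3B4C" "32F403" "1234" "FF" "00")
SAMPLE_PSLOCI = bytes.fromhex("D9E8F7A6" "FFFFFF" "32F403" "1234" "05" "00")

if __name__ == "__main__":
    loci, psloci = decode_loci(SAMPLE_LOCI), decode_psloci(SAMPLE_PSLOCI)
    print(loci)
    print(psloci)
    print(flag_anomalies(loci, psloci))
```

The PLMN decoder also handles 3-digit MNCs, which the post's UK example does not need; the anomaly check simply surfaces the two questions raised above so they reach whoever has to explain the record, rather than answering them.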

The key point of using commands and getting responses is that it can help an examiner refine searches made to the (U)SIM and the (U)ICC, and also respond to "time-is-of-the-essence" requests in cases of device seizure at the point a trafficker is stopped and searched. Combining precise information searches can help examiners do this.


Moreover, with enhanced scripting and script variables we can do much more; this is a matter that will be considered in further blog post/s soon regarding examination, evidence and validation:

==========
ContinueOnBadStatus
Select 3F00
Select 7F20
Select 6F07
If (GoodStatus = True)
{
 ReadBinary
 If (GoodStatus = True)
 Pass
}
Fail
==========
==========
Select 3F00
Select 7F10
Select 6F3A
Set $recNum = 1
While ($recNum <= $totalRecords)
{
 ReadRecord $recNum
 Increment $recNum
}
==========
==========
$count
$recordNumber
$data
$alphatag
$bitmask
==========


The tool USIM Commander is a SIM evaluation and programming tool available from Quantaq Ltd and can be found here: http://www.quantaq.com/products/simtools/

Hope you find this helpful.


Contaminating Evidence ONE - http://trewmte.blogspot.co.uk/2017/04/contaminating-evidence-one.html
Contaminating Evidence TWO - http://trewmte.blogspot.co.uk/2017/04/contaminating-evidence-two.html
Contaminating Evidence THREE - http://trewmte.blogspot.co.uk/2017/04/contaminating-evidence-three.html
Contaminating Evidence FOUR - http://trewmte.blogspot.co.uk/2017/05/contaminating-evidence-four.html
Contaminating Evidence FIVE - http://trewmte.blogspot.co.uk/2017/05/contaminating-evidence-five.html
