Showing posts with label MCC and MNC. Show all posts

Friday, March 27, 2015

Last SIM Details

Has anyone else run any tests using the free LSD.exe tool?

This program is from lastsimdetails.blogspot.co.uk/.

The concept behind this tool is very good and it is a great credit to the authors to allow free distribution of LSD.exe.


Screen dump for LSD.exe v1.2.0 - Samsung D500 flash file

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- HELP About
- Able to parse .bin and .pm data files.
 - Regex customiser allows you to define country and network parameters to eliminate false positives
 - Generic network search allows you to search for all Mobile Network Codes (MNC), however using this method may bring back more false positives
 - Advanced view provides the user with all IMSI matches and offsets within the data file
 - The summary view counts recurrences of IMSIs in order to display unique values

 Limitations
 -Limited testing has been performed on live data. Please verify your results
 This program was designed and developed by Jason Nicolaou and Daniel Roe.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

There are in fact three option tests that can be applied, not the two offered by the menu:

 1. Make no option selection at all
 2. Generic search
 3. Samsung mode

All return search data depending upon the flash file being read.

The authors have explicitly stated the limitations of the program. I emailed and left messages at the authors' website but have not received any replies.

 =====================================================
 IMSI UK prefix *9 = (T) telecommunications / 234 = MCC United Kingdom / MNC = xxx
 =====================================================
 *This is different from the ITU-T E.118 prefix 89 in use as the Mobile Industry Identifier (MII), ISO/IEC 7812-1

The program's GUI search window, above, returns (along with other details) values such as:

Offset: 3962356 IMSI: MCC/MNC/Subscriber detail = 234919011221080

In HxD (used to examine the raw flash file), below, the same offset identifies the bytes holding that IMSI in reverse-nibble form:

e.g. reverse nibble: 29 43 19 09 11 22 01 08

Screen dump for HxD.exe - Samsung D500 flash file

OBSERVATIONS
LSD.exe searches the flash file and performs translation. The translation (top of page) was obtained using Option: Generic search.

LSD.exe returns the MNC as "unknown" - verified.
LSD.exe returns known MNCs also - verified.

From the flash file library, two old Samsung models, the D500 and D600, were selected to see whether LSD.exe would work with older flash files. LSD.exe did work, and false positives were obtained, as the authors point out.

LSD.exe also revealed, when the D500 and D600 results were compared, that identical IMSIs were found in both flash files, one example being (which I have anonymised):

 - 2341007xxxxxxxx

The fact that the D500 flash file and the D600 flash file were apparently not connected in any way raises the question of whether the results are positive-positive or false-positive.

Furthermore, if positive-positive is correct, then the authors' statement that the tool should be used for intelligence purposes lives up to that expectation.

Sunday, October 02, 2011

EF-FPLMN

There are many ways you may wish to approach examining a SIM card elementary file (EF), and for the university students who wrote and asked for some ideas, here are some observations. Assuming you have access to SIM reading tools, I would recommend targeting a particular EF in the GSM standard GSM 11.11. Importantly, as there have been numerous versions and revisions of GSM 11.11, it is essential to check the various versions and revisions, taking account of any changes to the technical requirements for the EF, for instance:

a) access conditions
b) content
c) coding
d) etc

To illustrate some of the points raised by this blog discussion, I have selected the SIM forbidden list found in elementary file (EF) FPLMN (Forbidden PLMNs), 7F20:6F7B (7F21:6F7B). The PLMNs (MCC/MNC) populated in this EF are those that the MS shall not camp on or perform a location update with.

ETS GSM11.11 v4.21.1 December 1999
GSM 11.11 v8.14.0 June 2007

Of course, when reading the conditions laid out in the standards, it is also essential to appreciate the conditions under which a PLMN (MCC/MNC) may be written into this EF. Trial test conditions should cover 'automatic' update and update caused by 'manual' selection of a forbidden PLMN. These are not simple tasks, as one might imagine: there is the radio environment to consider; which PLMNs are forbidden; whether roaming is required; how the data is coded; and so on. So for an elementary file that largely gets overlooked during examination and ignored in evidence, an analysis of exactly the tasks this EF performs in the SIM module is quite surprising when its impact on the MS is considered, in that its evidence could be considered when placing an MS within a PLMN's radio coverage, with the follow-on potential inference of a geographical location. EF-FPLMN adds an intriguing prospect to be considered beyond handset and SIM analysis: it can be used in cell site analysis and call record analysis, too.

Extracted and Harvested Data
It is inescapable, and thus unavoidable, that data which has been extracted and harvested cannot be validated using one tool alone. Moreover, tools vary in the way they present harvested data, and the examiner will need to pay particular attention to ensure that the output data (although presented in various arrangements) is identical. If parity isn't possible, then an analysis of the tools should be undertaken. It is worth mentioning at this juncture, so as to avoid unduly raising concerns, that many tools, once released into the marketplace, do not allow users to update the product. Changes to SIM technical specifications, new services, or new or changed operators may simply not be included in a tool.

SIMSpy trace file output (text file) [screenshot in original post]

Other tools present data in varying layouts within the program [screenshots in original post]:

SIM Explorer
SIMCON
SIMCOM
USIM Detective


In conclusion, students asked for some observations and I hope the above may help. Care should be taken when reading the binary not to corrupt content in the EF; consider the use of reverse-nibble coding, writing scripts, APDU/PDU and so on, in addition to the automatic and manual tests to be conducted. Moreover, any discovery could also extend the use of EF-FPLMN to cell site analysis and call record analysis.