Showing posts with label forensics. Show all posts
Showing posts with label forensics. Show all posts

Saturday, September 29, 2018

What Information Can Be Pulled Off A Mobile Device SIM Card?

I recently taught a mobile forensics course and asked my students to identify what kind of information that can be retrieved from a mobile device SIM card.  Here’s a list of some of the retrievable information students listed:

 Integrated Circuit Card Identifier (ICCID) – this is the number that is printed on the SIM card itself.  It is nineteen or twenty digits long.

International Mobile Subscriber Identity (IMSI) – this is the number that identifies a SIM card user on a GSM network.  It is stored in the EF(IMSI).  It is a fifteen-digit number.  Three components that make up the IMSI are:
  • Mobile Country Code (MCC) – the first three digits identify the country.
  • Mobile Network Code (MNC) – the next two digits identifies the cell provider mobile unit in a GSM network.
  • Mobile Subscriber Identity Number (MSIN) – the next nine digits identifies the mobile unit in a GSM network.
Service Provider Name (SPN) – the mobile provider’s name.  This can be found from the ICCID.

Mobile Station International Subscriber Directory Number (MSISDN) – basically, the SIM card’s telephone number.  This number can vary from fifteen to sixteen digits long.  The MSISDN is stored in EF(MSISDN).  It is made up of three components:
  • Country Code (CC) – up to three digits
  • National Destination Code (NDC) – two or three digits
  • Subscriber Number (SN) – up to a max. of ten digits
Abbreviated Dialing Numbers (AND) – These numbers are shortcuts on the phone of the most frequently dialed phone numbers.  These are generated by the subscriber.  They are stored in the EF(AND) file.

Last Number Dialed (LND) – This is a listing of the most recent calls and can be found in the EF(LND).

Short Message Service (SMS) – Short messages sent to other phones with a maximum length of either 160 or 70 characters.  These messages can be found in the EF(SMS) file.  These messages show not only the message but also the time the message was sent, the sender and receiver’s phone number, etc.

Language Preference (LP) – the preferred language of the subscriber.

Card Holder Verification (CHV1 and CHV2) – allows access to files after the user’s verification of PIN 1(CHV1) or PIN 2(CHV2).

Ciphering Key (Kc) – a 64-bit ciphering key used for encryption and decryption of data on an over-the-air channel.  It is generated by the Mobile Station from a random challenge by the GSM network.

Fixed Dialing Numbers (FDN) – phone numbers added to a list and the SIM restricts outgoing calls only to those numbers listed.

Location Area Identity (LAI) – The LAI will be stored on the SIM card so that a phone knows what location it is in and able to receive service.  If a phone changes areas, then the new LAI is stored in the SIM.  This is great for investigators to be able to read a list of where the SIM card has been geographically.

Temporary Mobile Subscriber Identity (TMSI) – the SIM is assigned a TMSI by the Mobile Switching Center (MSC) whenever a phone is in the vicinity of a new MSC.  Information about the phone is stored in the Visitor Location Register (VLR) and the phone is given a TMSI which allows the subscriber to be uniquely identified.

Service Dialing Numbers (SDN) – Numbers that are installed by the service provider which cannot be changed or deleted by the user.  The SDNs are usually hidden.

Thanks to my Mobile Forensics class students!



Tuesday, April 29, 2008

Microsoft Computer Online Forensic Evidence Extractor (COFEE)

An article today in the Seattle Times describes a forensic device Microsoft started distributing last June to over 2000 officers in 15 countries. The device, referred to as a COFEE (Computer Online Forensic Evidence Extractor) is a USB thumb-drive loaded with software used in forensic investigations. According to the Seattle Times article:

The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence, which is becoming more important in real-world crime, as well as cybercrime. It can decrypt passwords and analyze a computer's Internet activity, as well as data stored in the computer.

It also eliminates the need to seize a computer itself, which typically involves disconnecting from a network, turning off the power and potentially losing data. Instead, the investigator can scan for evidence on site.

Microsoft COFEEs have been distributed to over 2000 officers in 15 countries including Poland, the Philippines, Germany, New Zealand and the United States.