Computer Systems Forensic Analysis

Forensic value of phones

Phones, especially smartphones, have a huge potential to provide evidence.

  • are part of our everyday life:

    • screen checks/day and h/day usage of smartphones.

    • they store a huge amount of diverse information:

      • logs of calls, messages, GPS, network connections contents of messages, emails, multimedia (photos and video), social networks, etc…

  • sales of smartphones surpassed PCs by the end of 2011.

Phones' data locations

Where is data located on phones?

  • data can be physically stored in 3 different locations:

    • handset, memory card, and SIM card.

  • some types of data may be found in more than one location:

    • contacts on SIM and handset.

    • pictures on the handset and memory card.

Acquiring data from phones

Retrieval approach:

  • Examine every area (handset, memory card, and SIM) independently.

    • to be sure of capturing all the information you can.

Can data be stored anywhere else?

  • Service providers → require additional legal procedures.

  • Cloud services → might require additional legal procedures.

  • Handset backups → more common in iOS devices.

SIM cards

Disambiguation.

  • UICC (Universal Integrated Circuit Card) – is the technical name of the physical part of the smart card.

  • SIM (Subscriber Identity Module) – is a logical module stored inside the smart card.

    • in the early stages a SIM consisted of the hardware and the software.

A given card can contain multiple SIMs. This would allow multiple phone numbers or accounts to be accessed by a single UICC.

Universal Integrated Circuit Card (UICC)

How many sizes/formats exist?

Embedded UICC (also known as eSIM).

  • permanently embedding into devices used in machine-to-machine (M2M) applications.

  • not replaceable by a regular user.

  • 2 formats MFF1 and MFF2, both have the same size.

    • MFF1 is socketable (replaceable with special tools).

    • MFF2 is soldered.

Main characteristics:

  • processor.

  • storage.

    • memory to store text-based user data e. g. SMS, contacts, and calls.

    • traditionally held just 16 to 64 KB, but some have 1 GB.

UICC are also known as "SIM cards".

  • mandatory in GSM networks.

  • standardized by 3GPP.

Integrated Circuit Card Identifier (ICCID)

  • uniquely identifies the card.

  • 19 or 20 digits in length.

  • often printed on the outside (may be abbreviated).

  • always stored digitally in the card.

ICCID identifies the issuing service provider and country.

Subscriber Identity Module (SIM)

Role of the SIM.

  • Authentication - the mobile network uses a challenge/response security mechanism to allow access to the network.

  • Accountability - the SIM contains a unique reference number that identifies the card and the subscriber to ensure that associated costs are allocated correctly.

GSM types

USIM - Universal Subscriber Identity Module.

  • for 3G and newer networks.

  • compared with SIM:

    • higher security, bigger and improved phonebook, can run small applications.

Multi-application cards have 2 partitions: SIM + USIM.

International Mobile Subscriber Identity (IMSI)

IMSI:

  • uniquely identifies the subscriber.

  • stored digitally on the card.

  • cannot be changed in a normal card.

  • can also identify the issuing service provider and country.

  • usually not known by the owner.

  • composed by:

    • Mobile Country Code (MCC).

    • Mobile Network Code (MNC).

    • Mobile Subscription Identification Number (MSIN).

Mobile Station International Subscriber Directory Number

MSISDN:

  • like the IMSI, the DSISDN is also an important number for identifying a mobile subscriber.

  • used for routing calls to the subscriber.

  • it is the number normally dialed to connect a call to the mobile phone.

  • The ITU-T recommendation E.164 limits the maximum length of an MSISDN to 15 digits. 1-3 digits are reserved for country code.

MSISDN = Country Code + Subscriber Number.

PreviousMemory AcquisitionNextInternational Mobile Equipment Identifier

Last updated