Articles
Now Reading
SIM cards Forensic Analysis with Oxygen Software
0

SIM cards Forensic Analysis with Oxygen Software

The main function of the SIM card is the identification of a user of a cellular phone on the network so that he can access its services.

 

The following types of data can be found in the SIM card, which are of interest to the expert or investigator:

  • information related to the services provided by the mobile operator;
  • Phonebook, calls;
  • Messages;
  • Locations

 

Initially, SIM cards were almost the only source of data about the contacts of the owner of the mobile device. Information about calls and messages could only detect the phone book in their memory. Subsequently, the storage of this data was moved to the memory of mobile devices and SIM cards began to be used only to identify subscribers in cellular networks. That’s why some of the developers of forensic solutions, for the study of mobile devices, refused to implement the functionality for the study of SIM cards in their products. However, today users use a lot of cheap phones (often we call them “Chinese phones”), with a limited amount of memory. In such phones, a part of the owner’s data is stored in SIM cards. Therefore, forensic research of SIM cards continues to remain relevant.

 

A SIM card is an ordinary smart card. It contains the following main components:

  • processor;
  • RAM;
  • ROM;
  • EEPROM;
  • a file system;
  • a controller I/O.

In practice, there are SIM cards with both eight and six contacts on contact pads. This happens because the two contacts are not directly involved in working with the phone (smartphone). And their absence leads to a decrease in the size of the area occupied by the SIM card, when it is placed in a mobile device.

 

SIM cards can use three supply voltages (Vcc): 5V, 3.3V, 1.8V. Each card has a certain supply voltage.

 

In the SIM cards is implemented protection against overvoltage. Therefore, if you install a SIM card that supports a 3.3V power supply in a card reader that can only work with a 5V supply voltage (old models), then the information or the card itself will not be damaged, but it will be impossible to work with such a card . At the same time, the expert will feel that the SIM card in question is faulty. Although in fact, this is not so.

 

Before extracting data from the mobile device, itself, where a SIM card is installed, it is not practical to conduct forensic research. Since, when the SIM card is removed, the user data stored in the memory of the mobile device can be deleted.

 

For analysis, the SIM card must be removed from the mobile device and connected to the expert’s computer, using special equipment – a card reader.

You can develop the basic requirements for a card reader based on the above information about SIM cards, which will be comfortable for the expert to work with during forensic studies of SIM cards.

1) The card reader must support smart cards having supply voltages: 5V, 3.3V, 1.8V.

2) The card reader must support smart cards with eight and six pins on the site.

3) The card reader must support the ‘Microsoft PC / SC’ protocol. Drivers for such devices are included in all versions of the operating systems of the ‘Windоws’ family. Therefore, to interface such devices with an expert computer, additional drivers will not be needed.

An example of such a card reagent is shown in FIG. 1

Figure 1. SIM reader from ASR, model “ACR38T”.

 

Despite the fact that there are card readers designed to read directly from SIM cards, you can use card readers designed to work with cards of standard size (having the size of a bank card). For comfortable work with such devices a card-blank is used, on which, with the aid of pieces of adhesive tape, the SIM card is attached.

Figure 2. Appearance of the card-blank with the SIM card on it.

 

In order to investigate the SIM card, it is necessary to remove it from the mobile device. Install in a SIM card reader that connects to an expert computer. As mentioned earlier, the drivers for the ‘Microsoft PC / SC’ devices are part of the Windows’ family and therefore do not require an additional installation.

In Oxygen Software, click the ‘Connect device’ button located on the toolbar. This will launch Oxygen Software Extractor.

Figure 3. The main window ‘Oxygen Software Extractor’.

In the main menu of Oxygen Software Extractor, click on the ‘UICC acquisition’ option. The next window will prompt you to select the connected card reader, or an error message is displayed.

Figure 4. A card reader connection error message.

Figure 5. The card reader selection window.

If access to SIM card data is locked to PIN or PUK code, you will be prompted to enter the appropriate code. The number of available attempts to enter PIN and PUK codes is displayed in the program. If attempts to unlock the SIM card have not previously been applied, 3 attempts to enter the PIN code and 10 attempts to enter the PUK code are available for entering the codes. After 10 incorrect attempts to enter PUK code, the card is permanently blocked. The PUK code can be obtained from the communication operator by a person having the appropriate authority.

Figure 6. The SIM card data extraction window.

The SIM card data extraction window displays:

  • information about the card reader;
  • information about the SIM card;
  • PIN and PUK code entry fields.

 

Enter the SIM card unlock code and click the ‘Next’ button.

 

In the next window, you can specify additional information about the extracted output that will be stored in the file. Also, in this window, you can select the options to save the extracted data from the device:

The option ‘Stored extended physical dump of backup in the device image …’ saves the main files from the SIM card.

 

Option ‘Complete UICC image.’ Saves all files from the SIM card. If you select this option, the process of extracting files from the SIM card can take more than 12 hours.

Figure 7. The window for entering additional information about the case.

Click the ‘Next’ button. The process of extracting data from the SIM card under investigation will start.

Figure 8. Displaying the process of retrieving data.

The following data can be extracted from the SIM card, including deleted ones:

  • Device Information of the SIM card;
  • Contacts;
  • Calls;
  • Messages;
  • other information.

At the end of the extraction, the created case can be opened in the program Oxygen Software.

 

 

Conclusion

The basics of SIM cards forensics of analysis are discussed in the article. An example of extracting data from a SIM card using Oxygen Software is given.

 

Authors:

Igor Mikhaylov & Oleg Skulkin

Leave a Response