Digital Forensics
Focus On Small Digital Devices
George J. Proeller, D.CS
IEEE Phoenix
OBJECTIVES
• Computer Crime
• Overview Of Digital Forensics
– Description And History
– Uses
– Basic Procedures
– Analysis
• Small Scale Digital Devices (SSDD)
– Telephones/iPods/Other Devices
– Tailored Forensics Processes
DESCRIPTION AND HISTORY
• Taking Relevant Information To Court
• 200 BC Archimedes
• 1800 Fingerprint
• Small Devices
Computers
Computer Crime
• Against A Computer/Network/IT Device
– Network Intrusions
– Malicious Code Attacks
• Facilitated Using Digital Devices
– Pirating Of Intellectual Property
– Bank Fraud
– Drug Dealer Records
• Digital Device Related
– Child Pornography
– Murder And Mayhem
It Hits Home
• Retired Border Agent Guilty Of Child Porn Charges (AP 3/10 2:55 pm)
• ‘Horrific’ Images Involved In Prescott Child Porn Case (AP 3/19 10:54 am)
• Fraud Scheme Lawyer, Phoenix Arizona, Computer Cyber Crime – "If you … believe you may soon face criminal charges in Arizona, you are encouraged to contact … criminal defense attorney to schedule a free initial consultation. You may have had contact with police and now suspect that you are under investigation for a computer crime (cyber crime)"
Criminal Cases And Digital Forensics
• Scott Peterson
– Timeline Of Use Of Computers
– Search For “Dump Sites”
• Michael Jackson (Child Molestation Trial)
– Search Of Internet History And Emails
• BTK Killer (Dennis Rader) Capture
– Sent Computer Diskette To Local TV Station
DIGITAL FORENSICS USES
• Criminal
– Trafficking In Contraband / Sexting
– Network Intrusion
– Connecting To A Crime (BTK/Scott Peterson)
• Civil
– Improper Use Of Digital Assets
– Compliance Issues
– Employee Issues
• Violation Of Company Policy
• Other
– Wife Takes Her Husband’s Laptop To Forensics Expert For “General Review”
Challenges
• Storage
– Media
– Capacities
• Forensic Tools
Digital Forensics Paradox
• Data
– Highly Resilient
– Easily Altered/Damaged/Lost
Digital Forensics Pathway
• Acquire
• Preserve
• Examine
• Analyze
• Report
4th Amendment
• The Right Of The People To Be Secure In Their Persons, Houses, Papers, And Effects, Against Unreasonable Searches And Seizures, Shall Not Be Violated, And No Warrants Shall Issue, But Upon Probable Cause, Supported By Oath Or Affirmation, And Particularly Describing The Place To Be Searched, And The Persons Or Things To Be Seized.
– Search Warrants Needed In Criminal Cases
– May Be Required In Corporate Cases
4th Amendment - 2
4th Amendment - 3
• Not Universal (Colombia, Peru, China et al)
• FISA
• Patriot Act
– Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001
Acquiring
• First Contact With The Original Evidence.
– Most Critical Time For Protecting The Originals.
– Most Likely Time To Damage Or Change Evidence.
– General Rules Must Be Followed To Preserve And Protect Evidence During This Critical First Response Period.
– First Point In Establishing Chain Of Custody.
• Problems – Location Not Always Obvious And Easy To:
– Miss
– Conceal
– Damage
Digital Evidence
• Hard Disk Drives
• CD/DVD/Tapes
• Diskettes
• Jump Drive
• Monitor???
• Cellular Telephones
• Blackberry
• iPod
• PIMs
Inside The Computer
• Hard Disk Drive Holds
– Documents
– Music
– Pictures
– Movies
– Passwords
– Emails
– Calendar
– Address Book
– Other
Digital Evidence
Acquisition Of Digital Evidence
• Training And Experience Required
• Fragile
– Erase Without A Trace (e.g. Disk Wipe)
• Easily Altered
– Accessing A File Changes It (Last Used)
• Simply Turning On/Off Can Alter Evidence
– Turning On – Boots Computer – Changes Files
– Turning Off – May Initiate Password Protection
The Search!
• Photos/Pictures
• Internet History
• Documents
– Word
– PowerPoint
– Spreadsheets
• Internet Chat Logs
• Financial Data
• PDF Files
• Suspiciously Renamed Files
• Chat Logs
– Yahoo Messenger
– AOL Chat
– MSN Messenger
• Internet Relay Chat
• Passwords
• Foreign Chat
Hiding The Evidence
• Deleting Files
• Deleting Internet History
• Formatting Drives
• Re-Partitioning Drives
• Physically Destroying
– Hard Drives, CD/DVDs & Floppies
• Passwords
• Using On-Line E-Mail
– Hotmail
– Google Mail (GMAIL)
– Yahoo Mail
• IPods
• Additional Hard Drives
• Other Storage Devices
Preserve
Chain Of Custody
Evidence Locker
Faraday Cages
Preserve - 2
• Start With Copy
– Forensic Copy (Bit Copy)
• Remember The Hash
Preservation
• Once Digital Evidence Is Seized, Handle Carefully To Preserve And Protect The Evidence.
– Everything Should Be Tagged.
– No One Should Operate Or Preview Any Evidence On Writable Media Without Proper Tools And Training.
– Forensically Sound Copies Of All Original Evidence Must Be Made Before Analysis.
– Records Must Be Kept.
Recovering The Evidence
• Find Deleted Files
• Un-Format Drives
• Rebuild Partitions
• Recover Passwords
• Find Hidden Files And Folders.
• Re-construct Web Pages.
• Locate Deleted Email
Examine
[Figure: Original Files vs. Files Opened And Viewed (Changed) vs. Files After Saving (Changed 12/14/05)]
File System History
• DOS File System File Allocation Table (FAT) Never Designed To Handle A Storage Device With More Than 32767 Units Of Data. 32767 Is The Largest Number That Can Be Represented With 16 Bits.
• Data Is Written In Sectors Of 512 Bytes (Hard Drives, Floppy), Or 2048 Bytes (CD/DVD).
• This Set An Arbitrary Limit On Disk Storage Devices Of 512 x 32767 = 16 MB.
• To Accommodate Larger Drives The Concept Of “Clusters” Was Invented. Clusters Are A Group Of Sectors Written As A Single Atomic Unit. The Larger The Drive Capacity The More Sectors Are Grouped Into Clusters.
With Clustering Came File Slack
• RAM Slack
– When The File Is Shorter Than The Number Of Bytes In The Clusters Allocated For The File, The File System Pads The Data Out To The End Of The Current Sector With “RAM Slack”.
– RAM Slack Is Random Data In Memory At The Time The File Is Written. It Can Contain Any Data Since The Last Boot Of The PC.
• Drive Slack
– Data Left On The Drive From A Previous File.
– This Is Possible Because Deleting A File Only Removes It From The FAT; The Data Remains On The Drive Until The Sector It Occupies Is Overwritten By A Subsequent File.
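As an added example (not code from the slides), the following Python model shows how RAM slack and drive slack arise when a short file is written into a FAT cluster, and how an examiner carves the drive-slack region where a deleted previous file's bytes survive. Sector size, cluster size and every "file" below are constructed for the demonstration.

```python
# Added example (not from the original slides): how RAM slack and drive slack
# arise when a FAT file system writes a short file into a cluster, and how an
# examiner carves the drive slack that a deleted previous file left behind.
# Sector/cluster sizes and all "file" contents below are constructed.
import math

SECTOR = 512


def slack_layout(file_size, sectors_per_cluster, sector_size=SECTOR):
    """Return (ram_slack, drive_slack) in bytes for a file of file_size bytes."""
    cluster = sectors_per_cluster * sector_size
    if file_size == 0:
        return 0, 0                      # FAT allocates no cluster to an empty file
    allocated = math.ceil(file_size / cluster) * cluster
    ram_slack = (-file_size) % sector_size           # to the end of the last used sector
    drive_slack = allocated - file_size - ram_slack  # whole sectors never rewritten
    return ram_slack, drive_slack


def write_file_fat_style(cluster_image, data, memory_at_write, sector_size=SECTOR):
    """Simulate the write the slides describe: file bytes, then RAM slack filled
    with whatever was in memory, then the rest of the cluster left untouched."""
    if len(data) > len(cluster_image):
        raise ValueError("file does not fit in one cluster")
    out = bytearray(cluster_image)
    out[:len(data)] = data
    ram = (-len(data)) % sector_size
    pad = (memory_at_write * (ram // len(memory_at_write) + 1))[:ram]
    out[len(data):len(data) + ram] = pad
    return bytes(out)


def carve_drive_slack(cluster_image, file_size, sector_size=SECTOR):
    """Everything after the last sector the current file touched: the region
    where a deleted previous file's bytes survive until the cluster is reused."""
    end_of_last_sector = math.ceil(file_size / sector_size) * sector_size
    return cluster_image[end_of_last_sector:]


def demo():
    """Constructed scenario: a 4-sector cluster once held a now-deleted file,
    then a 700-byte file was written into the same cluster."""
    spc = 4                                           # 2048-byte clusters
    old_file = b"".join(
        f"OLD-SECTOR-{i} deleted ledger line ".encode().ljust(SECTOR, b".")
        for i in range(spc))
    new_file = b"N" * 700
    memory_at_write = b"<leftover RAM: draft email text>"
    image = write_file_fat_style(old_file, new_file, memory_at_write)
    ram, drive = slack_layout(len(new_file), spc)
    return {
        "ram_slack": ram,
        "drive_slack": drive,
        "ram_slack_bytes": image[len(new_file):len(new_file) + ram],
        "drive_slack_bytes": carve_drive_slack(image, len(new_file)),
    }


if __name__ == "__main__":
    r = demo()
    print(r["ram_slack"], r["drive_slack"])       # 324 1024
    print(r["drive_slack_bytes"][:40])
```

With 512-byte sectors and a 700-byte file, the two sectors the file touches end at byte 1024, so the remaining 1024 bytes of the cluster are drive slack and still hold the deleted file's sectors 2 and 3.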
Analysis
• Analysis Involves Recovering And Analyzing Evidence For Relevance To The Case.
– Accepted Tools Should Be Used.
– Search And Analysis Must Be Within The Scope Of The Warrant.
– Bench Notes Should Be Kept By The Examiner.
Analysis
• Metadata
– Many Types Of Files Contain Metadata.
• Metadata Is Information Embedded In The File Itself That Contains Information About The File.
• Microsoft Office Documents
– Computer Name
– Total Edit Time
– Number Of Editing Sessions.
– Where Printed.
– Number Of Times Saved.
• Digital Camera Pictures.
– Make And Model Of Camera
– Dates, Times, Location
Picture Metadata
Internet History
Forensic Tools - 1
010 Hex editor A fast, professional hex editor designed to edit any binary file.
ACARD SCSI to IDE adapters, SCSI cards, and CD duplicators. Many SCSI items.
Access Data Password recovery, and FTK (Forensic Toolkit).
Applog Program to view application history in WIN9x. Search the page for source code of applog.
AcoDisk CD Recovery. Recover CD data.
ArrowKey: CD Burner software.
Evidor Evidence collection tool from the makers of WINHEX.
ExLife: enhances the MS Exchange Client, MS Windows Messaging and MS Outlook.
Filegrab From Ziff Davis. Prints output of the Windows Explorer or Find command.
Forensic Computers: from forensic-computers.com.
Foundstone: free tools. Some useful for forensics.
FTK Forensic Tool Kit from Access Data.
Forensic Tools - 2
Blazemap: Multimedia software.
Books Source of investigative and forensic books.
Captain Nemo (access Linux and other file systems from Windows) and other disk data recovery tools.
Casemap: spreadsheet organizes facts, people/issues, documents & other tangible items.
Cables Cables from Cables America.
CD-R-Diagnostics: CD Diagnostic software.
CompuPic File viewer; graphics software.
Conversions Plus Data conversion software from
DataViz software. Capable of reading MAC formats.
Coroners Tool Kit TCT: a collection of after-the-fact Linux forensic tools.
Cygwin: A set of Unix utilities for Windows.
CPR Utilities from Toolsthatwork.com. Click on the Forensic link.
Data lifter, forensic and other software tools.
Digital Detective Excellent computer forensic site.
Digital Guards Intrusion detection tools.
Digital Intelligence DriveSpy software, and F.R.E.D forensic hardware.
DiskJockey File viewer.
Dr. Hardware: PC diagnostic and system information software.
Drive Duplicators from Corporate Systems Center. Has high end equipment.
DIBS Computer forensic equipment, training and services.
Forensics Tools - 3
Graphic workshop: graphics manipulation and thumbnail software.
Hashkeeper: Hash data sets.
iLook Computer forensic tool; available to law enforcement only.
Irfanview: IrfanView is a graphic viewer for Windoze.
Toolsthatwork.com Click on the Forensic link.
dtSearch Keyword indexer and search tool from DT Software
Emag conversion solutions for tape and other platforms.
Encase Computer forensic software from Guidance Software.
Encryption Encryption breaking software from Access Data.
SMART Linux Computer forensic software from ASR Data.
Extreme power tools: from Radsoft.
Evidor evidence collection tool from WINHEX.
Wetstonetech.com Digital Forensics Software and Training
WINHEX An excellent hex editor.
Winternals NT and WIN9X software and Sysinternals NT and WIN9X software
Forensics Tools - 4
Filegrab prints output of the Windows Explorer or Find command.
Forensic Tools and other useful information from Tucofs.
FTK Forensic Tool Kit from Access Data
iLook Law enforcement only forensic tool
ForensiX Linux, collects and analyzes digital evidence.
FTC Information on identity theft.
Hex Workshop Offers an excellent editor.
IMAGE MASTER Hand held disk imager.
IP IP lookups and domain information from The Virtual Librarian.
LC-TECH LCTechnology offers forensic software.
LogicCube Hardware disk duplication.
Mailbag assistant: E-mail organizer.
Metadata assistant: Views Microsoft Meta Data in docs/other files.
MIME and other software from PC World.
Digital Intelligence DriveSpy software/F.R.E.D forensic hardware.
Forensic Recovery of Evidence Device
F. R. E. D.
- IDE Drive Hardware Write Blocker
- SATA Drive Hardware Write Blocker
- SCSI Drive Write Blocker
- USB Write Blocker
- Firewire Write Blocker
- MultiMedia/Memory Card Forensic Write Blocker
- Floppy Write Protection
Forensics Tools - 5
NeoWorx Internet traceroute and other software.
TCTUTILS Linux utilities made to supplement Coroners Tool Kit TCT.
NTI New Technologies Inc. for computer forensic software and training.
Ontrack Data recovery software.
Paraben.com. Has PDA forensic software and other internet and multimedia programs.
Powerquest Source for Partition Magic, Drive Image, Drive Copy and others.
Quick View File viewer from Inso.
Regdat: and other registry tools.
SnapBack Imaging software.
Sydex Source of Safeback.
Snagit Screen Capture program. One of the oldest and best.
System Commander Also Partition Commander; from V-Com.
SuprSCAB Forensic software.
Textpipe: a text file manipulator.
Thumbs Plus File viewer.
Toolsthatwork.com hit the Forensic link.
VEDIT Excellent text/hex editor.
Forensics Field Kit
How Computer Evidence is Used
• Verify Alibis
• Establish Relationships Between Defendant and Victim or Accomplices
• Establish Documentation of Events
• Establish Mitigating Circumstances
• Documents for use by Forensic Psychologists
• Document Time Lines
Presentation
• Court presentation for a jury must be simple and straightforward.
– Timelines
– Emails
– Documents
– Pictures
Small Scale Digital Devices
SSDD
• Cellular Telephones
• Personal Information Managers/Personal Digital Assistants
• Software
Cell Phones Deployed (2007) Per 1000 People
# 1 United Arab Emirates: 1,709
# 2 Bahrain: 1,574
# 3 Macau: 1,569
# 4 Hong Kong: 1,511
# 5 Estonia: 1,506
# 6 Qatar: 1,393
# 7 Israel: 1,385
# 8 Lithuania: 1,373
# 9 Bulgaria: 1,351
# 10 Italy: 1,341
# 18 Russia: 1,202
# 22 United Kingdom: 1,184
# 63 Korea, South: 886
# 72 United States: 846
# 73 Japan: 842
The iPhone
Forensic Example
Contents
• CPU
• EDGE Baseband Processor
• GSM Transceiver
• Amplifier
• Wireless
• I/O Controller
• Flash Memory
• Audio Processor
• Bluetooth
• Touchscreen
iPhone
• Mac OS X 10.5 (Leopard)
– Mobile Build
• ARM Architecture
– Advanced RISC Machine
• Hardware
– Sensors: Accelerometer/Proximity Sensor
– Touch Screen
• Radios
– GSM, WiFi, Bluetooth
• Finger Friendly Controls
• Signed Kernel
Signed Kernel
• Tamper Resistant
• iPhone And 3rd Party Software
– Hacker Community (iPhone Dev Team)
– Unlocking/Jailbreaking
• Jailbreaking: Process That Allows iPhone And iPod Touch Users To Run Any Code On Their Devices, As Opposed To Only That Code Authorized By Apple
iPhone Contained Information
• Keyboard Caches
– Passwords, Usernames, Search Terms … Typed Comms
• Screen Shots
• Deleted Images
• Deleted Address Book Entries
• Call History
– 100 Most Recent And Deleted
• Google Maps Images
– Including Direction Lookups
• Browser Cache
• Cached And Deleted E-mail Messages
• Deleted Voicemail Recordings May Remain.
• Pairing Records For Trust Relationships With Desktop Computers
The Hierarchical File System
• Logical Blocks Of 512 Bytes In Allocation Blocks
– One Or More Depending On The Volume Size
– Uses 16 Bit Value To Address Allocation Blocks
• Limiting Number Of Allocation Blocks To 65,536.
Structures In An HFS Volume
• Logical Blocks 0 & 1 Are The Boot Blocks.
• Logical Block 2 Contains The Master Directory Block (MDB)
– Duplicate MDB (Alternate Master Directory Block (AMDB)) Located At The Opposite End Of The Volume In The Second To Last Logical Block.
• Used By Disk Utilities And Only Updated When The Catalog File Or Extents Overflow File Grow In Size.
HFS - 2
• Logical Block 3 Starts The Volume Bitmap
– Keeps Track Of Allocation Blocks In Use And Free
– Extents Overflow File Records Which Allocation Blocks Are Allocated To Which Files
• Records Bad Blocks To Prevent The File System From Trying To Allocate A Bad Block To A File.
HFS - 3
• Catalog File Records Files & Directories Stored In The Volume.
– Four Types Of Records (Each With A Unique Catalog Node ID (CNID)).
• A File Thread Record Stores File Name And Parent Directory CNID
• A File Record Stores
– File Metadata Including CNID
– The Size Of The File
– Three Timestamps (File Was Created, Last Modified, Last Backed Up).
– Also Two 16 Byte Fields Used By The Finder To Store File Attributes Including Creator Code, Type Code, Window The File Should Appear In And Location Within The Window.
• A Directory Thread Record Stores Directory Name And Its Parent Directory CNID
• A Directory Record: Number Of Files Within The Directory, CNID Of The Directory, Three Timestamps (When The Directory Was Created, Last Modified, Last Backed Up) And Two 16 Byte Fields Used By The Finder
Forensics Needs
• Forensics Machine: Desktop Or Laptop
– Windows Or Leopard
• iPhone Dock Connector/Cable
• WiFi Connection On Forensics Machine
• iTunes
• Disk Space
– Media Partition/Digital Vault x 3
• OpenSSH Package (Or Freeware)
View The Machine
• Version Of Firmware
– Settings / General / About
– Determines Your Jailbreak Attempt
• Note: If Passcoded Then Hack The Passcode.
Hacking The Passcode
Disk Layout
• Two Partitions On Solid State NAND Flash Drive.
– 300 MB System (Root) Partition
• Houses OS And Preloaded Applications
• Read Only And Designed To Remain In A Factory State
– Rest Of Space Assigned To User (Media Partition)
• /private/var
• This Is Where To Look For Evidence
Loading Forensic Tools
• Changing Data You May Want To Present In Court Can Lessen Value
• Where To Load Forensic Tools?
– The Factory Partition
– How?
• Hack It
iPhone Communications Capability
• Serial Port
– Apple File Connection (AFC) To Load iPhone
• Copy Files (iTunes)
• Send Firmware Commands (e.g. Enter Recovery Mode)
• 802.11
• Wi-Fi
• Bluetooth
Accessing The Iphone
• iTunes Is Jailed
– Restrictions To Resources Accessible
• Upgrading The Firmware
– Can Make Changes To The User Partition
– Only As A Last Resort
• Use iTunes Update
Restore Mode/Evidence Integrity
• Restore Mode
– Home/Power To Enter Restore Mode
– Entering Restore Mode Halts Booting
– Requests Connection To iTunes
• Restoring (iTunes)
– If In-Process, Allow To Complete
– Destroys File System
• But Disk Is Not Wiped (Data Still Resident)
Cross-contamination On Sync
• iPods (Including iPhone) Like To Sync
• Can Change Address Book Etc…
• Disable iTunes Automatic Sync
– Preferences / Sync Tab
– Check Box “Disable Syncing …”
Recovery Kit
• Liberty+ Can Unlock The iPhone
– Instructs Kernel To Boot An Unsigned RAM Disk
– RAM Disk Contains Payload Delivery System
• Basic Unix Environment
• Netcat Tool
• MD5 Tool (Digests)
• The dd Disk Copy Tool To Access Disk Device
Stepping Along
• Download And Install Liberty+
• Dock iPhone To Launch iTunes
• Launch Liberty+ And Verify Connectivity
– Liberty+/ZiPhone To Detect iPhone
• Download And Install Forensic Tools Payload
• Disconnect/Reconnect iPhone
– Initiate The Jailbreak
Circumventing Passcode Protection
• The iPhone Has Two Protections
– SIM Lock
– OS Level Passcode
• Circumvention
– SIM Lock Defeated By Replacing SIM Card
– OS Level Passcode Requires Bypass
• Automated Vs Manual
• See YouTube “How To Bypass iPhone’s Passcode”
Auto Passcode Circumvention
• Power Down Holding Power Button
• When “Slide To Power Off” Appears … Do So
• Press/Immediately Release Power Button
– Then Press/Hold Power & Home Buttons
• Hold Until Restore Logo Appears
• Device Enters Recovery Mode
• Dock iPhone And Launch Liberty+
– Advanced Menu / Bypass Pass Code.
Recovery Toolkit
• Pwnage – Modifies Boot Loader To Accept Any Firmware
– Install And Run
• Xpwn – Stage 1 Firmware
– Upgrades Kernel (Defeats Signing Requirement)
• Xpwn – Stage 2 Firmware
– Installs Forensic Tool Kit Payload
• Install Staged Firmware Upgrades
Forensic Recovery!
• Configure WiFi And SSH
– Remember Level Of Integrity
– Remember Your Own Security
• WEP Vs WPA
• SSH To The iPhone
– dd And Netcat
– SSH For Secure Channel
– Netcat For Transmission
Data Carving
• Extracting Structured Data From Unstructured Data.
– Note: The Recovered Data Is One Big File
• Contains Live And Deleted Data
• Foremost
• Scalpel
• FTK
Validating Images
• ImageMagick
– Identify Tool To Scan For Readable Images.
– Software Suite To Create, Edit, And Compose Bitmap Images.
– Can Read, Convert And Write Images In Over 100 Formats Including DPX, EXR, GIF, JPEG, JPEG-2000, PDF, PhotoCD, PNG, PostScript, SVG, And TIFF.
HFSExplorer – OSWalrus.com
• Mac OS X
– Reads/Writes FAT And FAT32 Formatted Drives.
– Reads (Not Writes) NTFS Formatted Drives.
• Windows Cannot Read Apple's HFS+ Disk Format.
– Use HFSExplorer
• Install HFSExplorer And Java
• Change File Extension (.dmg)
• Launch HFSExplorer
• Open Disk Image
Graphical File Navigation
• Browse Scalpel Output Folder (Data Carving)
• Images (Of Interest)
– iPhone Camera Photos
– Synced Photos
– Web Browser Photos
– Google Maps
– Snapshots Of Applications In State When Home Pressed
– Contacts In Dialer
– Google Maps/YouTube “Last Viewed” Screenshots
Extracting Image Geotags
• Geographical Metadata In Media
– e.g. Long/Lat Embedded In A Camera Photo
SQLite Databases
• iPhone Has Multiple Databases
– Contacts/Address Book
– E-mail Messages
– SMS (Short Message Service) Messages
– Other Personal Data
• SQLite Is Open Source (.sqlitedb)
– .db Files: Use SQLite Browser
Important Databases
• Address Book Contacts: /mobile/Library/AddressBook/AddressBook.sqlitedb
– ABPerson
• Name, Organization, Dept
– ABRecent (Changes)
– ABMultiValue
• Phone Numbers, Email Addresses, URLs
Google Maps Data
• Used To Track Requests For Directions/Maps
– /mobile/Library/Caches/MapTiles/MapTiles.sqlitedb
– /mobile/Library/Map/History.plist
Calendar/Call History/E-mail Database
• /mobile/Library/Calendar/Calendar.sqlitedb
• /mobile/Library/CallHistory/Call_History.db
– Flags Field: Sent/Received
• /mobile/Library/Mail/Envelope Index
– Note Extension
– Mailboxes
– Messages
– Message_data
– Properties
– Pop_uids
– Threads
Notes/SMS Messages/Voicemail
• /mobile/Library/Notes/Notes.db
• /mobile/Library/SMS/SMS.db
– Flags Field: Sent/Received
• /mobile/Library/Voicemail/Voicemail.db
– Listen Via Media Player Supporting AMR Codec
More Lists
• /mobile/Library/Safari/Bookmarks.plist
• /mobile/Library/Safari/History.plist
• /mobile/Library/Safari/SuspendState.plist
Property Lists
• Describes Configurations, States, Other Data
– Generally ASCII (Use Text Editor)
– If Binary Then Convert To ASCII
• Lists
/mobile/Library/Cookies/Cookies.plist
/mobile/Library/Mail/Accounts.plist
/mobile/Library/Maps/History.plist
/mobile/Library/Safari/Bookmarks.plist
/mobile/Library/Safari/History.plist
/mobile/Library/Safari/SuspendState.plist
SIM Card Forensics
• SIM - Subscriber Identity Module
– UICC (Universal Integrated Circuit Card) Smart Card Contains
• Account Information
• Memory Used To Enable GSM Cellular Telephones.
• One Of The Applications Running On The Smart Card Is The SIM
– Possible A Given Card Could, In Theory, Contain Multiple SIMs.
» Could Allow Multiple Phone Numbers Or Accounts To Be Accessed By A Single UICC.
» Seldom Seen, Though There Is At Least One "12-in-1" SIM Card Being Advertised At Present.
– UICC Cards Once 16 - 64KB Memory, Now 1GB Or More.
SIM Card Identification
• ICCID - Internationally Identifies Card
– Stored In The SIM Card And Can Also Be Engraved Or Printed On The SIM Card
• 18 Digits Plus “Check Digit” Used For Error Detection.
– 19 Digit Example: 89 57 10 1207 00 320451 0
• First Two Digits (89 In The Example) Telecom Id.
• Next Two Digits (57 In The Example) Country Code (57 - Colombia).
• Next Two Digits (10 In The Example) Network Code.
• Next Four Digits (1207 In The Example) Month And Year Of Manufacture.
• Next Two Digits (00 In The Example) Switch Configuration Code.
• Next Six Digits (320451 In The Example) SIM Number.
• Last Digit, Separated From The Rest, Is The “Check Digit”.
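As an added example (not code from the slides), a Python routine that splits the 19-digit ICCID into the fields the slide lists and verifies the trailing check digit with the Luhn algorithm, the check-digit scheme ITU-T E.118 specifies for ICCIDs. The field widths follow the slide's breakdown, which real-world issuers do not all share.

```python
# Added example (not from the original slides): parse an ICCID into the fields
# the slide describes and validate its check digit. The check digit of an
# ICCID is a Luhn digit (ITU-T E.118); the field widths below are the slide's.
FIELDS = [
    ("telecom_id", 2),
    ("country_code", 2),
    ("network_code", 2),
    ("manufacture_mmyy", 4),
    ("switch_config", 2),
    ("sim_number", 6),
]


def luhn_check(digits):
    """True if the digit string (check digit included) passes the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right, check digit excluded
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def luhn_digit(payload):
    """Return the single digit that makes payload + digit Luhn-valid."""
    for d in "0123456789":
        if luhn_check(payload + d):
            return d
    raise ValueError("payload must contain digits only")


def parse_iccid(raw):
    """Strip spacing, split into the slide's fields, and validate the check digit.

    A transcribed ICCID that fails the check is flagged rather than rejected, so
    the examiner can see which field was probably mis-copied from the card."""
    digits = "".join(raw.split())
    if not digits.isdigit() or len(digits) != 19:
        raise ValueError("expected 19 digits (18 data digits plus check digit)")
    fields, pos = {}, 0
    for name, width in FIELDS:
        fields[name] = digits[pos:pos + width]
        pos += width
    fields["check_digit"] = digits[18]
    fields["check_digit_valid"] = luhn_check(digits)
    return fields


if __name__ == "__main__":
    # The slide's own example card number, as printed with its spacing.
    print(parse_iccid("89 57 10 1207 00 320451 0"))
```

The slide's example passes the check; changing any single digit, or swapping two adjacent ones such as 45 to 54 in the SIM number, makes `check_digit_valid` False, which is the error detection the slide refers to.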
SIM Card Location Area ID
• Cell Phone Operation Networks Are Divided Into Location Areas.
– Each Has Its Own Unique Identification Number Creating The LAI (Location Area Identity).
• Phone Stores This Number On Its SIM Card So It Knows What Location It’s In And To Be Able To Receive Service.
– If A Phone Changes To A New Location Area, It Stores The New LAI In The SIM Card, Adding To A List Of All The Previous LAIs It Has Been In.
• Forensic Investigators Can Get A General Idea Of Where The SIM Card Has Been Geographically.
– Tells Where The Phone (And Individual) Has Been.
SIM Security
• Can Be Protected With A PIN And A PUK.
– Locks The SIM Card Until Correct Code Is Entered.
• PIN Entered Incorrectly 3 Times In A Row, The SIM Card Is Blocked (Unable To Make/Receive Calls/Texts)
• PUK Then Needed To Unblock
– Can Come From The Network Provider Or Phone Manual.
– If Entered 10 Times Incorrectly, The SIM Card Is Permanently Disabled And Must Be Exchanged.
SIM Forensics
• Phone Numbers Of Calls Made/Received
• Contacts
• SMS Details (Time/Date, Recipient, Etc.)
• SMS Text (The Message Itself)
– The SIM File System Is Hierarchical In Nature, Consisting Of 3 Parts:
• Master File (MF) - Root Of The File System That Contains
– Dedicated Files (DF)
– Elementary Files (EF)
Data Acquisition
• International Mobile Subscriber Identity (IMSI): A unique identifying number that identifies the phone/subscription to the GSM network
• Mobile Country Code (MCC): three-digit code of SIM card's country of origin
• Mobile Network Code (MNC): two-digit code of SIM card's home network
• Mobile Subscriber Identification Number (MSIN): unique ten-digit identifying number that identifies the specific subscriber to the GSM network
• Mobile Subscriber International ISDN Number (MSISDN): identifies phone number
• Abbreviated Dialing Numbers (ADN): Telephone numbers stored in memory
• Last Dialed Numbers (LDN)
• Short Message Service (SMS): Text Messages
• Location Information (LOCI) and General Packet Radio Service (GPRS) location
• Integrated Circuit Card Identifier (ICCID)
• Service Provider Name (SPN)
Analysis
Conclusion
• "You Can See A Lot By Just Looking."