SIM Card Forensics 1

Running head: SIM CARD FORENSICS WITH SIMCON SOFTWARE

SIM Card Forensics with SIMCon Software Package

Timothy D. Huser

PurdueUniversity, West Lafayette

Abstract

The analysis of subscriber identity module (SIM) cards is becoming a mainstay in the forensic investigation of many Global System for Mobile Communications (GSM) devices. One piece of software that is utilized in recovering meaningful data from such SIM cards is the SIMCon software package. This software is able to read the data from a SIM card and then parse the data into an investigator friendly format for simplified viewing. However, there are many instances in which the software is not successful at reading the card or incorrectly parses information from the source. These fallacies are prevalent in software version 1.1 and have been proven though the analysis of over 60 SIM cards.

SIM Card Forensics with SIMCon Software Package

Developed in the late 1990’s SIMCon was created as a solution to the inability to read the contents of various SIM cards which contain information which could be extremely useful for various reasons including the apprehension of forensic evidence from the SIM media. Some abilities of the software are acquisition of: Abbreviated Dialing Numbers (AND), Last Dialed Numbers (LDN), Short Message Service (SMS), Public Land Mobile Network (PLMN) selector, Forbidden PLMNs, Location Information (LOCI), General Packet Radio Service (GPRS) location, International Mobile Subscriber Identity (IMSI), Integrated Circuit Card Identifier (ICCID), Mobile Subscriber ISDN (MSISDN), Service Provider Name (SPN), Phase Identification, SIM Service Table (SST), Language Preference (LP) and some various other attributes (Ayers, Jansen, Cilleros, & Daniellou, 2005). This information is typically retrieved from the card very accurately and completely. However in some cases this software is unable to retrieve certain data that it is supposed to retrieve and/or it is incapable of correctly parsing this information into the GUI.

In order to further investigate the lacking abilities of SIMCon to accurately represent the data on a given SIM card, a set of over sixty SIM cards from random service providers were processed using a PC-SC compatible USB SIM card reader and the SIMCon Software. After these cards were imaged and saved in .sim format (SIMCon file format), the cards file system’s were then viewed in SIMCon in order to determine the data that could be captured.

Although overall the data recovered from the cards was mostly in tact, there were quite a few cards which contained erroneous information which came in the form of random non-Latin characters represented in both the SMS and FDN of the cards. There were many instances in which the content view of SIMCon was falsely representing the data which was actually on the card. This could be verified by opening the Hexadecimal (HEX) view of the particular message or contact entry. A prime example of this was when the contact entry in the content view was represented as “MOMù£èìΣW5”. Notice the characters MOM followed by random characters, which is another issue that will be addressed later. The hexadecimal view clearly shows different values for the entry which were “MOMÿÿÿÿÿÿÿÿÿÿÿÿÿ. . W5ÿÿÿÿÿÿÿGRANDMA ANGIEÿ”. Notice the obvious characters “GRANDMA ANGIE” that are present at the end of the sequence, these characters should have been picked up by SIMCon and displayed in the content view. This brings up doubts about the software’s ability to be accurate in representing forensic data to investigators; especially those who are either not experienced enough, or working too quickly to take the time to further analyze the card’s data by viewing the hexadecimal representation(Willassen, n.d.).

Another issue regarding the accuracy of the data recovered with the SIMCon software was the regular occurrence of seemingly random non-Latin characters in both the content and hexadecimal views when viewing certain cards. While trying to make a logical decision to why this would happen, there was no evidence found to represent that this occurred only in cards from certain carriers. Although there were about sixty SIM cards analyzed, this is far from the amount needed to prove that such a trend actually exists.

There are two possible logical explanations as to why these characters would show up. One seems to actually be in the software’s decoding of the hexadecimal data on the card. Complications of this conversion could possibly occur due to the different ways SIM card’s alphanumeric data can be encoded. Originally the middle-European GSM network used only a 7-bit code derived from the basic ASCII code. However as GSM spread worldwide it was concluded that more characters, such as the major characters of all living languages, should be able to be represented on GSM phones. Thus, there was a movement towards a 16-bit code known as UCS-2 which is now the standard in GSM text encoding (Rankl & Effing, 2003, p. 741-762).Although this is a valid possibility for the misrepresentation of data, it is unlikely due to the fact that almost all SIM cards use the UCS-2 method of encoding today. The second reason is not as well proven, but rather a programming error on the part of SIMCon creators. While enquiring about these strange occurrences in the program to its creator Svein Willassen, M.Sc. it was stated by Willassen that this was most likely due to an error in the programming which caused this to happen when multiple cards where read within one session of running the software. This could have very well been the case as almost all sixty of the cards were read within a single session of the program. Willassen also commented that this complication was most likely resolved in the latest revision of his software.

Overall SIMCon has proven very effective in retrieving a vast amount of forensic data, especially in areas other than Fixed Dialing Numbers and Short Messaging Service. However the fact remains that FDN and SMS are some of the most useful resources to a forensic investigator who is analyzing a SIM. The complications with the software covered are enough to render SIMCon software as one that an investigator must be very careful if using. One must take extra caution to check both the content and hexadecimal views to insure that no evidence is missed. Also for whatever reason causes the presence of random characters, this cannot be ignored. One can only hope that version 1.2 of SIMCon will be cured of these issues as proposed by Willassen.

References

Ayers, R., Jansen, W., Cilleros, N., & Daniellou, R. (2005, October). Cell phoneforensic tools: An overview and analysis [Electronic version]. NationalInstitute of Standardsand Technology Interagency Report, 26-33.

Rankl, W., & Effing, W. (2003). Smart cards in Telecommunications. In K. Cox(Trans.), Smart card handbook (3rd ed., pp. 741-762). West Sussex: Wiley.

Willassen, S. (n.d.). SIMCon (Version 1.1) [Computer software]. InsideOutForensics.