The main function of a SIM card is the identification of a user of a cellular phone on the network so that they can get access to its services.

The following types of data, which are valuable for an expert or investigator, can be found in the SIM card:

• Information related to the services provided by the mobile operator
• Phonebook and information about calls
• Information about messages exchanged
• Location information

Initially, SIM cards were almost the only source of data about the contacts of the mobile device owner, as the information about the phonebook, calls, and messages could be found only in their memory. Later, the storage of these data was relocated to the mobile devices memory and SIM cards began to be used only to identify subscribers in cellular networks. This is why some of the forensic tools developers, for the examination of mobile devices, decided not to include the SIM cards examination function in their products. However, today there are a lot of cheap phones (often, we call them "Chinese phones") with limited memory capacity. In these phones, part of the phone owners' data is stored in the SIM cards. This is why the forensic examination of SIM cards remains relevant.

SIM card is a regular smart card. It contains the following main components:

• Processor
• RAM
• ROM
• EEPROM
• A file system
• Controller I/O

In practice, we come across two kinds of SIM cards with six and eight contacts on the contact pads. This happens because the two contacts do not directly interact with the phone (smartphone) and their absence decreases the size of the area occupied by a SIM card when it is placed in the mobile device.

SIM cards can use three types of supply voltage (VCC): 5 V, 3.3 V, 1.8 V. Each card has a particular supply voltage.

There is an overvoltage protection in SIM cards. This is why when a 3.3 V supply voltage SIM card is placed in the card reader, that can operate only with 5 V supply voltage (old models), neither the information nor the SIM card can be damaged, and it will be impossible to work with this SIM card. As such, an expert may think that the SIM card is faulty. However, it is not so.

The forensic examination of a SIM card, before data extraction from the mobile device, where it is installed, is unreasonable. As the user's data stored in the memory of the mobile device, it can be reset or deleted during the process of removing the SIM card.

For analysis, a SIM card has to be removed from the mobile device and connected to the expert's computer via a specific device: a card reader.

Based on the previously mentioned information about SIM cards, we can figure out the main requirements to a card reader device with which it will be comfortable for an expert to examine SIM cards:

• The card reader device has to support smart cards with supply voltage of 5 V, 3.3 V, and 1.8 V.
• The card reader device has to support smart cards with six and eight contacts on the contact pads.
• The card reader device has to support Microsoft PC/SC protocol. Drivers for this kind of devices are pre-installed on all versions of the Windows operating systems. This is why there is no need to install additional drivers in order to connect such devices to the expert's computer.

The following image shows an example of such a card reader:

Despite the fact that there are card reader devices designed for reading data from SIM cards, card reader devices designed for reading data from the standard size cards (having the size of a bank card) can be used. To work comfortably with these devices, a blank card, to which the SIM card is adjusted with some small pieces of tape, is used.

TULP2G is a free tool developed by Netherlands Forensic Institute for forensic examination of SIM cards and cellular phones. Unfortunately, this program has not been updated for a long time. However, it can be used for very old cellular phones and SIM cards data acquisition and analysis.

On the TULP2G download page (https://sourceforge.net/projects/tulp2g/files/), select the TULP2G-installer-1.4.0.4.msi file and download it. At the time of writing this, the most up-to-date version is 1.4.0.4. When the download is finished, double-click on this file. The installation process of the program will be started.

1. When the program is launched, click on the Open Profile... button:

2. In the opened window, you will find profiles, one of which has to be loaded in the program. Select the TULP2G.Profile.SIM-Investigation profile, and then click on Open.

3. In the Case/Investigation Settings window, fill in the fields: Case Name, Investigator Name, and Investigation Name. This information will be used later in the preparation of the report by TULP2G.

4. In the next window, TULP2G - SIM card; for the Communication Plug-in field, set the value as PC/SC chip card communication [1.4.0.3]. For the Protocol Plug-in field, set the value as SIM/USIM chip card data extraction [1.4.0.7]. If the examined SIM card has PIN or PUK code, enter it by clicking on the Configure button, which is located next to the Protocol Plug-in field.

5. Click on the Run button. The process of data extraction from the SIM card will begin. The progress of extraction can be seen in the progress bar.

6. When the data is extracted from the SIM card, you can conduct a new extraction or generate a report about the extraction that has been performed. To generate the report, go to the Report tab. In the Report Name field, enter the name of the report; in the Export Plug-in and Selected Conversion Plug-in(s) fields, select plugins that will be used for the report generation. In the Selected Investigation(s) field, select those extractions for which you want to generate the report, and then click on Run.

7. When the report generation process is finished, there will be two files with formats HTML and XML. The HTML file can be opened with any web browser.

These files contain information (a phonebook, text messages, calls, and so on) that was extracted from the examined SIM card. It can be viewed and analyzed.

TULP2G extracts data from the SIM card that is installed in the card reader, which is connected to the expert's computer, and generates a report. During the verification process, MD5 and SHA1 hashes of the image and the source are being compared.

• The TULP2G project website: http://tulp2g.sourceforge.net
• The TULP2G download page: https://sourceforge.net/projects/tulp2g/files/

MOBILedit Forensic is a commercial forensic software by the company Compelson. It is updated regularly. This program can extract data from phones, smartphones, and SIM cards. As the program developers state, MOBILedit Forensic is a program that allows us to extract data from a phone or SIM card with a minimum number of steps. Also, this program has a unique function on which we will focus in another chapter.

On the MOBILedit download page (http://www.mobiledit.com/download-list/mobiledit-forensic), click on DOWNLOAD. When the downloading process is finished, double-click on the downloaded file of the program and install it. After the first run of the program, you need to enter the license key. If the license key is not entered, the program will work in the trial mode for 7 days.

There are two ways of extracting data from SIM cards with MOBILedit Forensic:

1. Extracting data through wizard
2. Extracting data through the main window of the MOBILedit Forensic program

In this book, we will focus on the data extraction from SIM card via the main window of the MOBILedit Forensic program.

When you run the program, the information about the connected card reader will appear in the upper left corner of the main window of the MOBILedit Forensic program.

If you click on Connect, the MOBILedit Forensic Wizard will start, through which you can extract data from mobile devices and SIM cards.
Let's now see how to extract the data:

1. Click on the image of the card reader. The information about Answer on Reset(ART) and ICCID of the SIM card will be displayed. If this SIM card is locked, you will be asked to enter the PIN or PUK code.

2. After entering the PIN or PUK codes, the SIM card will be unlocked and the Report Wizard option will appear on the main window. The fact that the examined SIM card was unlocked is indicated by the displayed International Code (IMSI), access to which is possible only after entering the correct PIN code.

 A fragment of the main window with information about the SIM card

3. Click on the Report Wizard; it will open the MOBILedit Forensic Wizard window, which will extract data from the SIM card and generate a report.

4. Fill in the fields Device Label, Device Name, Device Evidence Number, Owner Phone Number, Owner Name, and Phone Notes . Then click on the Next button.

5. The data will be extracted. The extraction status will be displayed in the MOBILedit Forensic Wizard window.

6. When the extraction is finished, click on the Next button. After that, MOBILedit Forensic Wizard will display the following window:

7. Click on New Case. In the opened window, fill in the Label, Number, Name, E-mail, Phone Number, and Notes fields, and then click on the Next button.

8. In the next window of MOBILedit Forensic Wizard, select the format in which the report will be generated and click on the Finish button.

A forensic report about the extraction will be generated in the selected format.

MOBILedit Forensics extracts data from the SIM card installed in the card reader that is connected to the expert's computer and generates the report, taking the minimum number of steps. It is useful if there are a lot of mobile devices or SIM cards that have to be investigated, as it speeds up the process of data extraction.

• The MOBILedit Forensics website at http://www.mobiledit.com.
• The MOBILedit Forensics download page at http://www.mobiledit.com/download-list/mobiledit-forensic.

SIMCon is one of the best utilities for a forensic analysis of SIM cards. It had a low price and for government organizations, military, and police, it was provided free of charge. Besides its impressive functionality, SIMCon, from some SIM cards, can extract data protected by PIN code. For example, phonebook.

Despite the fact that the SIMCon project was closed several years ago, the program did not disappear. A new updated version of this program is called Sim Card Seizure. The distribution rights of the program belong to the company Paraben. Also, the functionality of SIMCon is implemented in another product from Paraben--E3: Electronic Evidence Examiner.

The SIMCon project does not have its own address on the internet now. However, the installation software can be found via search engines.You can also download a trial version of Sim Card Seizure from Paraben's website. The limitation of the trial version of Sim Card Seizure is that only the first 20 records of phonebook, calls, messages are displayed.

1. Double-click on the program icon and connect the card reader with the SIM card. The program will open the Enter PIN information window as shown in the following screenshot:

2. In this case, there is no need to enter the PIN code. Click on the OK button to start the data extraction process. The status of the extraction process will be shown in the Reading SIM... window:

3. If the data is successfully extracted, you will be asked to fill in the Investigator:, Date / Time:, Case:, Evidence Number:, and Notes: fields in the Acquisition Notes window. After filling in the fields, click on the OK button:

4. Unlike TULP2G and MOBILedit Forensic, SIMCon allows you not only to extract data and generate a report but also to view the extracted data. The following screenshot shows a fragment of the SIMCon window in which we can see SMS messages, including deleted ones, which were extracted from the SIM card:

At the bottom of the SIMCon main window, there is a section that displays detailed information about the selected record:

The SIMCon program allows viewing the contents of each file. The following screenshot shows the contents of the elementary file (EF_ICCID):

SIMCon extracts data from the SIM card installed in the card reader that is connected to the expert's computer. After this, you can generate a forensic report or analyze the extracted data from the main window of this program.

• The Sim Card Seizure program's website: https://www.paraben-sticks.com/sim-card-seizure.html
  
• The E3: Electronic Evidence Examiner program's website: https://www.paraben.com/products/e3-universal

Oxygen Forensic is one of the best programs for mobile forensics. This program has a function of SIM card analysis besides its other functions. The program is commercial, but there is a 30-day trial full version, which you can get on request. When the request is accepted, you will receive an email in which you will find a registry key and instructions for downloading the installation software.

Download the Oxygen Forensic (https://www.oxygen-forensic.com/en/). Install it with the help of prompts. Go through the menu path: Service|Enter Key. In the opened License window, enter the license key and click on the Save button. Restart the program.

In order to examine a SIM card, you need to remove it from a mobile device and then install it in the SIM card reader, which has to be connected to the expert's computer. As we mentioned earlier, Microsoft PC/SC drivers are pre-installed on the Windows operating systems meaning that there is no need to install anything else.
Now let's see how to use Oxygen Forensic: 

1. In the Oxygen Forensic program, click on the Connect device button that is located in the toolbar. It will start Oxygen Forensic Extractor:

2. In the main menu of Oxygen Forensic Extractor, click on the UICC acquisition option. The next window will prompt you to select the connected card reader or it will display an error message:

3. If access to a SIM card data is limited by a PIN or PUK code, you will be prompted to enter the appropriate code. The number of available attempts to enter PIN and PUK codes is displayed in the program. If there were no attempts to unlock the SIM card, then there should be 3 attempts to enter the PIN code and 10 attempts to enter the PUK code. After 10 failed attempts to enter the PUK code, the SIM card will be blocked forever. The PUK code can be received from the communication provider through an authorized person.

The SIM card data extraction window displays the following:

• Information about the card reader
• Information about the SIM card
• Fields for entering PIN and PUK codes

Enter the SIM card unlock code and click on the Next button.

4. In the next window, you can specify additional information about the extraction that will be stored in the case. Also, in this window, you can select the options to save the extracted data from the device:

The Stored extracted physical dump of backup in the device image... option saves the main files from the SIM card.

The Complete UICC image option saves all files from the SIM card. The SIM card files' extraction process may take over 12 hours if you select this option.

5. Click on the Next button. The process of extracting data from the investigated SIM card will start.

The following data can be extracted from the SIM card, including the deleted ones:

• General information about the SIM card
• Contacts
• Calls
• Messages
• Other information

When the process of data importing is finished, the final window of Oxygen Forensic Extractor with summary information about the import will be displayed. Click the Finish button to finish the data extraction.

The extracted data will be available for viewing and analysis.

6. At the end of the extraction, the created case can be opened in the Oxygen Forensic program.

7.  Now click on Messages category. An appropriate section with the extracted data can be viewed in respect of the case.

8. Return on the main screen of Oxygen Forensic. Click on File browser category. In the  File browser section, files that were extracted from the SIM card can be viewed. The analysis of these files contents can be done manually.

Oxygen Forensic extracts data from the SIM card installed in the card reader that is connected to the expert's computer. After this, you can generate a forensic report or analyze the extracted data from the main window of this program.

Oxygen Forensic displays the names of files in hex and this can be inconvenient for an expert. The following table shows the correspondence between the standard files' names in hex view and their content:

• The Oxygen Forensic program's website at https://www.oxygen-forensic.com/en/.