
Mobile Forensics Cookbook: Data acquisition, extraction, recovery techniques, and investigations using modern forensic tools


SIM Card Acquisition and Analysis

In this chapter, we'll cover the following recipes:

  • SIM card acquisition and analysis with TULP2G
  • SIM card acquisition and analysis with MOBILedit Forensics
  • SIM card acquisition and analysis with SIMCon
  • SIM card acquisition and analysis with Oxygen Forensic

Introduction

The main function of a SIM card is the identification of a user of a cellular phone on the network so that they can get access to its services.

The following types of data, which are valuable for an expert or investigator, can be found in the SIM card:

  • Information related to the services provided by the mobile operator
  • Phonebook and information about calls
  • Information about messages exchanged
  • Location information

Initially, SIM cards were almost the only source of data about the contacts of the mobile device owner, as the phonebook, calls, and messages could be found only in their memory. Later, the storage of this data was relocated to the mobile device's memory, and SIM cards began to be used only to identify subscribers in cellular networks. This is why some developers of forensic tools for the examination of mobile devices decided not to include a SIM card examination function in their products. However, today there are a lot of cheap phones (often, we call them "Chinese phones") with limited memory capacity. In these phones, part of the phone owner's data is stored on the SIM card. This is why the forensic examination of SIM cards remains relevant.

A SIM card is a regular smart card. It contains the following main components:

  • Processor
  • RAM
  • ROM
  • EEPROM
  • A file system
  • Controller I/O

In practice, we come across two kinds of SIM cards with six and eight contacts on the contact pads. This happens because the two contacts do not directly interact with the phone (smartphone) and their absence decreases the size of the area occupied by a SIM card when it is placed in the mobile device.

SIM cards can use three types of supply voltage (VCC): 5 V, 3.3 V, 1.8 V. Each card has a particular supply voltage.

SIM cards have overvoltage protection. This is why, when a SIM card with a 3.3 V supply voltage is placed in a card reader that can operate only with a 5 V supply voltage (old models), neither the information nor the SIM card will be damaged, but it will be impossible to work with this SIM card. As a result, an expert may think that the SIM card is faulty. However, it is not so.

Examining a SIM card before extracting data from the mobile device in which it is installed is unreasonable, as the user's data stored in the memory of the mobile device can be reset or deleted during the process of removing the SIM card.

For analysis, a SIM card has to be removed from the mobile device and connected to the expert's computer via a specific device: a card reader.

Based on the previously mentioned information about SIM cards, we can figure out the main requirements for a card reader with which it will be comfortable for an expert to examine SIM cards:

  • The card reader device has to support smart cards with supply voltage of 5 V, 3.3 V, and 1.8 V.
  • The card reader device has to support smart cards with six and eight contacts on the contact pads.
  • The card reader device has to support the Microsoft PC/SC protocol. Drivers for this kind of device are pre-installed on all versions of the Windows operating systems. This is why there is no need to install additional drivers in order to connect such devices to the expert's computer.

The following image shows an example of such a card reader:

SIM cards reader produced by «ASR» company, model «ACR38T».

Although there are card readers designed specifically for reading data from SIM cards, card readers designed for standard-size cards (the size of a bank card) can also be used. To work comfortably with these devices, the SIM card is attached to a blank card with some small pieces of tape.

This is how a SIM card attached to a bank card looks.

SIM card acquisition and analysis with TULP2G

TULP2G is a free tool developed by the Netherlands Forensic Institute for forensic examination of SIM cards and cellular phones. Unfortunately, this program has not been updated for a long time. However, it can be used for data acquisition and analysis of very old cellular phones and SIM cards.

Getting ready

On the TULP2G download page (https://sourceforge.net/projects/tulp2g/files/), select the TULP2G-installer-1.4.0.4.msi file and download it. At the time of writing this, the most up-to-date version is 1.4.0.4. When the download is finished, double-click on this file. The installation process of the program will be started.

If TULP2G is installed on the Windows XP operating system, you need to install Microsoft .NET Framework 2.0 and Windows Installer 3.1 before installing TULP2G. These programs can be downloaded from the Microsoft Corporation website.

How to do it...

  1. When the program is launched, click on the Open Profile... button:
     The main window of the TULP2G program
  2. In the opened window, you will find profiles, one of which has to be loaded in the program. Select the TULP2G.Profile.SIM-Investigation profile, and then click on Open.
     Data extraction profiles of TULP2G
  3. In the Case/Investigation Settings window, fill in the fields: Case Name, Investigator Name, and Investigation Name. This information will be used later in the preparation of the report by TULP2G.
     The Case/Investigation Settings window
  4. In the next window, TULP2G - SIM card, set the Communication Plug-in field to PC/SC chip card communication [1.4.0.3] and the Protocol Plug-in field to SIM/USIM chip card data extraction [1.4.0.7]. If the examined SIM card has a PIN or PUK code, enter it by clicking on the Configure button, which is located next to the Protocol Plug-in field.
     Window TULP2G - SIM card.
     Reading data from the examined SIM card will not be possible if the PIN or PUK code is not entered.
  5. Click on the Run button. The process of data extraction from the SIM card will begin. The progress of extraction can be seen in the progress bar.
     The progress bar.
  6. When the data is extracted from the SIM card, you can conduct a new extraction or generate a report about the extraction that has been performed. To generate the report, go to the Report tab. In the Report Name field, enter the name of the report; in the Export Plug-in and Selected Conversion Plug-in(s) fields, select plugins that will be used for the report generation. In the Selected Investigation(s) field, select those extractions for which you want to generate the report, and then click on Run.
     The options window for the report generation
  7. When the report generation process is finished, there will be two files, in HTML and XML formats. The HTML file can be opened with any web browser.
     A fragment of the report

These files contain information (a phonebook, text messages, calls, and so on) that was extracted from the examined SIM card. It can be viewed and analyzed.

How it works...

TULP2G extracts data from the SIM card that is installed in the card reader, which is connected to the expert's computer, and generates a report. During the verification process, the MD5 and SHA1 hashes of the image and the source are compared.

See also

SIM card acquisition and analysis with MOBILedit Forensics

MOBILedit Forensic is a commercial forensic software by the company Compelson. It is updated regularly. This program can extract data from phones, smartphones, and SIM cards. As the program developers state, MOBILedit Forensic is a program that allows us to extract data from a phone or SIM card with a minimum number of steps. Also, this program has a unique function on which we will focus in another chapter.

Getting ready

On the MOBILedit download page (http://www.mobiledit.com/download-list/mobiledit-forensic), click on DOWNLOAD. When the downloading process is finished, double-click on the downloaded file of the program and install it. After the first run of the program, you need to enter the license key. If the license key is not entered, the program will work in the trial mode for 7 days.

How to do it...

There are two ways of extracting data from SIM cards with MOBILedit Forensic:

  1. Extracting data through wizard
  2. Extracting data through the main window of the MOBILedit Forensic program

In this book, we will focus on the data extraction from SIM card via the main window of the MOBILedit Forensic program.

When you run the program, the information about the connected card reader will appear in the upper left corner of the main window of the MOBILedit Forensic program.

A fragment of the main window

If you click on Connect, the MOBILedit Forensic Wizard will start, through which you can extract data from mobile devices and SIM cards.
Let's now see how to extract the data:

  1. Click on the image of the card reader. The information about the Answer to Reset (ATR) and ICCID of the SIM card will be displayed. If this SIM card is locked, you will be asked to enter the PIN or PUK code.
     Fragment of the main window with information about the SIM card
  2. After entering the PIN or PUK codes, the SIM card will be unlocked and the Report Wizard option will appear on the main window. The fact that the examined SIM card was unlocked is indicated by the displayed International Code (IMSI), access to which is possible only after entering the correct PIN code.
     A fragment of the main window with information about the SIM card
  3. Click on the Report Wizard; it will open the MOBILedit Forensic Wizard window, which will extract data from the SIM card and generate a report.
  4. Fill in the fields Device Label, Device Name, Device Evidence Number, Owner Phone Number, Owner Name, and Phone Notes. Then click on the Next button.
     Window MOBILedit Forensic Wizard
  5. The data will be extracted. The extraction status will be displayed in the MOBILedit Forensic Wizard window.
  6. When the extraction is finished, click on the Next button. After that, MOBILedit Forensic Wizard will display the following window:
     The MOBILedit Forensic Wizard window
  7. Click on New Case. In the opened window, fill in the Label, Number, Name, E-mail, Phone Number, and Notes fields, and then click on the Next button.
     The MOBILedit Forensic Wizard window
  8. In the next window of MOBILedit Forensic Wizard, select the format in which the report will be generated and click on the Finish button.

A forensic report about the extraction will be generated in the selected format.

How it works...

MOBILedit Forensics extracts data from the SIM card installed in the card reader that is connected to the expert's computer and generates the report, taking the minimum number of steps. It is useful if there are a lot of mobile devices or SIM cards that have to be investigated, as it speeds up the process of data extraction.

See also

SIM card acquisition and analysis with SIMCon

SIMCon is one of the best utilities for forensic analysis of SIM cards. It had a low price, and for government organizations, military, and police it was provided free of charge. Besides its impressive functionality, SIMCon can extract data protected by a PIN code (for example, the phonebook) from some SIM cards.

Despite the fact that the SIMCon project was closed several years ago, the program did not disappear. A new updated version of this program is called Sim Card Seizure. The distribution rights of the program belong to the company Paraben. Also, the functionality of SIMCon is implemented in another product from Paraben--E3: Electronic Evidence Examiner.

Getting ready

The SIMCon project does not have its own address on the internet now. However, the installation software can be found via search engines. You can also download a trial version of Sim Card Seizure from Paraben's website. The limitation of the trial version of Sim Card Seizure is that only the first 20 records of the phonebook, calls, and messages are displayed.

How to do it...

  1. Double-click on the program icon and connect the card reader with the SIM card. The program will open the Enter PIN information window as shown in the following screenshot:
  2. In this case, there is no need to enter the PIN code. Click on the OK button to start the data extraction process. The status of the extraction process will be shown in the Reading SIM... window:
  3. If the data is successfully extracted, you will be asked to fill in the Investigator:, Date / Time:, Case:, Evidence Number:, and Notes: fields in the Acquisition Notes window. After filling in the fields, click on the OK button:
  4. Unlike TULP2G and MOBILedit Forensic, SIMCon allows you not only to extract data and generate a report but also to view the extracted data. The following screenshot shows a fragment of the SIMCon window in which we can see SMS messages, including deleted ones, which were extracted from the SIM card:
     The Acquisition Notes window

At the bottom of the SIMCon main window, there is a section that displays detailed information about the selected record:

A section of the SIMCon main window with the detailed information about the selected record

The SIMCon program allows viewing the contents of each file. The following screenshot shows the contents of the elementary file (EF_ICCID):

How it works...

SIMCon extracts data from the SIM card installed in the card reader that is connected to the expert's computer. After this, you can generate a forensic report or analyze the extracted data from the main window of this program.
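
As an added example (not code from the book or from SIMCon), the parser below shows how a deleted SMS can still be listed: in the EF (SMS) record layout of 3GPP TS 51.011 the first byte is a status flag, and a record flagged as free may still carry its old body. The record bytes are constructed, the function names are hypothetical, and the text mapping assumes only characters that GSM 7-bit shares with ASCII.

```python
# Added example: parse one 176-byte EF (SMS) record (file 6F3C).
# Layout per 3GPP TS 51.011: status byte, SMSC address, TPDU, 0xFF filler.
# Only SMS-DELIVER TPDUs with 7-bit text and no user-data header are decoded.

USED_STATES = {0x01: "received, read", 0x03: "received, unread",
               0x05: "sent", 0x07: "to be sent"}


def semi_octets(data: bytes) -> str:
    """Nibble-swapped BCD used for addresses and timestamps."""
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in data).rstrip("F")


def unpack_7bit(data: bytes, count: int) -> str:
    """Unpack `count` septets. Assumption: the text uses only GSM characters
    that share their code with ASCII (letters, digits, space)."""
    bits = int.from_bytes(data, "little")
    return "".join(chr((bits >> (7 * i)) & 0x7F) for i in range(count))


def parse_sms_record(rec: bytes) -> dict:
    if len(rec) != 176:
        raise ValueError("EF (SMS) records are 176 bytes long")
    status, body = rec[0], rec[1:]
    if status & 0x01:
        state = USED_STATES.get(status & 0x07, "used")
    elif set(body) == {0xFF}:
        return {"state": "unused"}
    else:
        state = "deleted"                  # marked free, old content still present
    out = {"state": state, "text": None}
    if body[0] > 11:
        return out                         # no plausible SMSC address
    pos = 1 + body[0]                      # index of the first TPDU byte
    out["smsc"] = semi_octets(body[2:pos])
    if body[pos] & 0x43:                   # not SMS-DELIVER, or header present
        return out
    oa_len = (body[pos + 1] + 1) // 2      # sender length is given in digits
    out["sender"] = semi_octets(body[pos + 3:pos + 3 + oa_len])
    pos += 3 + oa_len                      # now at the PID byte
    ts = semi_octets(body[pos + 2:pos + 8])    # YYMMDDhhmmss; timezone byte skipped
    out["timestamp"] = f"{ts[0:2]}-{ts[2:4]}-{ts[4:6]} {ts[6:8]}:{ts[8:10]}:{ts[10:12]}"
    if body[pos + 1] == 0x00:              # DCS 0x00: GSM 7-bit default alphabet
        udl = body[pos + 9]
        out["text"] = unpack_7bit(body[pos + 10:pos + 10 + (udl * 7 + 7) // 8], udl)
    return out


# Constructed record body (not from a real card): SMSC 441234567890,
# sender 447700900123, timestamp 17-12-15 10:30:00, text "hellohello".
PDU = bytes.fromhex("0791442143658709" "040C91447700091032" "0000"
                    "71215101030000" "0A" "E8329BFD4697D9EC37")


def make_record(status: int) -> bytes:
    """Build a full record: status byte, PDU, then 0xFF filler up to 176 bytes."""
    return (bytes([status]) + PDU).ljust(176, b"\xff")


if __name__ == "__main__":
    print(parse_sms_record(make_record(0x01)))   # live message
    print(parse_sms_record(make_record(0x00)))   # same body, flagged free
```
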

See also

SIM card acquisition and analysis with Oxygen Forensic

Oxygen Forensic is one of the best programs for mobile forensics. This program has a function of SIM card analysis besides its other functions. The program is commercial, but there is a 30-day trial full version, which you can get on request. When the request is accepted, you will receive an email in which you will find a registry key and instructions for downloading the installation software.

Getting ready

Download Oxygen Forensic (https://www.oxygen-forensic.com/en/) and install it by following the prompts. Go through the menu path: Service|Enter Key. In the opened License window, enter the license key and click on the Save button. Restart the program.

How to do it...

In order to examine a SIM card, you need to remove it from a mobile device and then install it in the SIM card reader, which has to be connected to the expert's computer. As we mentioned earlier, Microsoft PC/SC drivers are pre-installed on the Windows operating systems meaning that there is no need to install anything else.
Now let's see how to use Oxygen Forensic: 

  1. In the Oxygen Forensic program, click on the Connect device button that is located in the toolbar. It will start Oxygen Forensic Extractor:
     The main window of Oxygen Forensic Extractor
  2. In the main menu of Oxygen Forensic Extractor, click on the UICC acquisition option. The next window will prompt you to select the connected card reader or it will display an error message:
     A card reader connection error message
  3. If access to the SIM card data is limited by a PIN or PUK code, you will be prompted to enter the appropriate code. The number of available attempts to enter PIN and PUK codes is displayed in the program. If there were no attempts to unlock the SIM card, then there should be 3 attempts to enter the PIN code and 10 attempts to enter the PUK code. After 10 failed attempts to enter the PUK code, the SIM card will be blocked forever. The PUK code can be received from the communication provider through an authorized person.
     The SIM card data extraction window

     The SIM card data extraction window displays the following:

       • Information about the card reader
       • Information about the SIM card
       • Fields for entering PIN and PUK codes

     Enter the SIM card unlock code and click on the Next button.

  4. In the next window, you can specify additional information about the extraction that will be stored in the case. Also, in this window, you can select the options to save the extracted data from the device:

     The Stored extracted physical dump of backup in the device image... option saves the main files from the SIM card.

     The Complete UICC image option saves all files from the SIM card. The SIM card files' extraction process may take over 12 hours if you select this option.

     The window for entering additional information about the case
  5. Click on the Next button. The process of extracting data from the investigated SIM card will start.

     The following data can be extracted from the SIM card, including the deleted ones:

       • General information about the SIM card
       • Contacts
       • Calls
       • Messages
       • Other information

     When the process of data importing is finished, the final window of Oxygen Forensic Extractor with summary information about the import will be displayed. Click the Finish button to finish the data extraction.

     The extracted data will be available for viewing and analysis.

  6. At the end of the extraction, the created case can be opened in the Oxygen Forensic program.
     Summarized information about the extraction
  7. Now click on the Messages category. An appropriate section with the extracted data can be viewed in respect of the case.
     Viewing Messages section
  8. Return to the main screen of Oxygen Forensic. Click on the File browser category. In the File browser section, files that were extracted from the SIM card can be viewed. The analysis of these files' contents can be done manually.
     Viewing 2FE2 file contents

How it works...

Oxygen Forensic extracts data from the SIM card installed in the card reader that is connected to the expert's computer. After this, you can generate a forensic report or analyze the extracted data from the main window of this program.

There's more...

Oxygen Forensic displays the names of files in hex and this can be inconvenient for an expert. The following table shows the correspondence between the standard files' names in hex view and their content:

File name   Description       File name   Description
3F00        MF                6F05        EF (LP)
7F10        DF (TELECOM)      6F31        EF (HPLMN)
7F20        DF (GSM)          6F41        EF (PUCT)
7F21        DF (DCS1800)      6F78        EF (ACC)
2FE2        EF (ICCID)        6FAE        EF (PHASE)
6F3A        EF (ADN)          6F07        EF (IMSI)
6F3C        EF (SMS)          6F37        EF (ACMmax)
6F40        EF (MSISDN)       6F45        EF (CBM)
6F43        EF (SMSS)         6F7B        EF (FPLMN)
6F4A        EF (EXT1)         6F52        EF (KcGPRS)
6F3B        EF (FDN)          6F20        EF (Kc)
6F3D        EF (CCP)          6F38        EF (SST)
6F42        EF (SMSP)         6F46        EF (SPN)
6F44        EF (LND)          6F7E        EF (LOCI)
6F4B        EF (EXT2)         6F53        EF (LOCIGPRS)
6F74        EF (BCCH)         6F30        EF (PLMNsel)
6FAD        EF (AD)           6F54        EF (SUME)
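
For the manual analysis of file contents mentioned above, here is an added example (not from the book or from Oxygen Forensic) that decodes the raw bodies of three files from the table: 2FE2 (ICCID), 6F07 (IMSI) and one 6F3A (ADN) phonebook record. The byte layouts follow 3GPP TS 51.011; the function names are hypothetical and every sample value is constructed.

```python
# Added example: decode raw bodies of EF (ICCID) 2FE2, EF (IMSI) 6F07 and one
# EF (ADN) 6F3A record. Layouts per 3GPP TS 51.011; sample bytes are constructed.

BCD_CHARS = "0123456789*#CDE"  # nibble 0xF is filler / end mark and is skipped


def swapped_bcd(data: bytes) -> str:
    """Two digits per byte, low nibble first."""
    out = []
    for byte in data:
        for nibble in (byte & 0x0F, byte >> 4):
            if nibble != 0x0F:
                out.append(BCD_CHARS[nibble])
    return "".join(out)


def luhn_ok(digits: str) -> bool:
    """Luhn check over the whole ICCID, check digit included."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def decode_iccid(raw: bytes) -> dict:
    iccid = swapped_bcd(raw[:10])
    return {"iccid": iccid, "luhn_ok": luhn_ok(iccid)}


def decode_imsi(raw: bytes) -> dict:
    length = raw[0]                        # number of bytes that follow (normally 8)
    if not 1 <= length <= 8 or len(raw) < 1 + length:
        raise ValueError("not an EF (IMSI) body")
    digits = swapped_bcd(raw[1:1 + length])[1:]    # drop the parity/type nibble
    return {"imsi": digits, "mcc": digits[:3]}


def decode_alpha(alpha: bytes) -> str:
    if alpha[:1] == b"\x80":               # UCS2 coding: 16-bit big-endian characters
        pairs = [alpha[i:i + 2] for i in range(1, len(alpha) - 1, 2)]
        text = b"".join(p for p in pairs if p != b"\xff\xff")
        return text.decode("utf-16-be", "replace")
    # Assumption: names use only GSM default-alphabet characters that share
    # their code with ASCII (letters, digits, space).
    return alpha.rstrip(b"\xff").decode("ascii", "replace")


def decode_adn(rec: bytes):
    if len(rec) < 14 or set(rec) == {0xFF}:
        return None                        # unused phonebook slot
    alpha, tail = rec[:-14], rec[-14:]     # the last 14 bytes have a fixed layout
    n = tail[0]                            # length of TON/NPI byte + BCD digits
    number = swapped_bcd(tail[2:1 + n]) if 1 <= n <= 11 else ""
    if number and ((tail[1] >> 4) & 0x07) == 1:    # type of number: international
        number = "+" + number
    return {"name": decode_alpha(alpha), "number": number}


DECODERS = {"2FE2": decode_iccid, "6F07": decode_imsi, "6F3A": decode_adn}


def decode_ef(file_id: str, raw: bytes):
    """Dispatch on the hex file name shown in the file browser."""
    return DECODERS[file_id.upper()](raw)


# Constructed samples (not taken from a real card).
ICCID_RAW = bytes.fromhex("984421436587092143F8")
IMSI_RAW = bytes.fromhex("080910101032547698")
ADN_RAW = bytes.fromhex("416C696365" + "FF" * 9 + "0791442143658709" + "FF" * 6)
ADN_UCS2 = bytes.fromhex("80042F043D" + "FF" * 9 + "0791442143658709" + "FF" * 6)

if __name__ == "__main__":
    for fid, raw in (("2FE2", ICCID_RAW), ("6F07", IMSI_RAW), ("6F3A", ADN_RAW)):
        print(fid, decode_ef(fid, raw))
```

A failed Luhn check on a decoded ICCID usually points to a read error or a wrong byte offset rather than to the card itself.
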

See also


Key benefits

  • Acquire in-depth knowledge of mobile device acquisition using modern forensic tools
  • Understand the importance of clouds for mobile forensics and learn how to extract data from them
  • Discover advanced data extraction techniques that will help you to solve forensic tasks and challenges

Description

Considering the emerging use of mobile phones, there is a growing need for mobile forensics. Mobile forensics focuses specifically on performing forensic examinations of mobile devices, which involves extracting, recovering and analyzing data for the purposes of information security, criminal and civil investigations, and internal investigations. Mobile Forensics Cookbook starts by explaining SIM cards acquisition and analysis using modern forensics tools. You will discover the different software solutions that enable digital forensic examiners to quickly and easily acquire forensic images. You will also learn about forensics analysis and acquisition on Android, iOS, Windows Mobile, and BlackBerry devices. Next, you will understand the importance of cloud computing in the world of mobile forensics and understand different techniques available to extract data from the cloud. Going through the fundamentals of SQLite and Plists Forensics, you will learn how to extract forensic artifacts from these sources with appropriate tools. By the end of this book, you will be well versed with the advanced mobile forensics techniques that will help you perform the complete forensic acquisition and analysis of user data stored in different devices.

Who is this book for?

This book is aimed at practicing digital forensics analysts and information security professionals familiar with performing basic forensic investigations on mobile device operating systems namely Android, iOS, Windows, and Blackberry. It's also for those who need to broaden their skillset by adding more data extraction and recovery techniques.

What you will learn

  • Retrieve mobile data using modern forensic tools
  • Work with Oxygen Forensics for Android devices acquisition
  • Perform a deep dive analysis of iOS, Android, Windows, and BlackBerry Phone file systems
  • Understand the importance of cloud in mobile forensics and extract data from the cloud using different tools
  • Learn the application of SQLite and Plists Forensics and parse data with digital forensics tools
  • Perform forensic investigation on iOS, Android, Windows, and BlackBerry mobile devices
  • Extract data both from working and damaged mobile devices using JTAG and Chip-off Techniques

Product Details

Publication date : Dec 15, 2017
Length: 302 pages
Edition : 1st
Language : English
ISBN-13 : 9781785289750

Table of Contents

11 Chapters
SIM Card Acquisition and Analysis
Android Device Acquisition
Apple Device Acquisition
Windows Phone and BlackBerry Acquisition
Clouds are Alternative Data Sources
SQLite Forensics
Understanding Plist Forensics
Analyzing Physical Dumps and Backups of Android Devices
iOS Forensics
Windows Phone and BlackBerry Forensics
JTAG and Chip-off Techniques

Customer reviews

Natasha, Jun 19, 2018 (5 stars, Amazon verified review)
A true step-by-step, thorough "how-to" guide. Very pleased.