Expert Witness: SIM Card Data Retrieval – The Essentials

by

Ross Patel

At the heart of every mobile telephone is the Subscriber Identity Module (SIM), a small fingernail sized chip, responsible for service with a telecom network provider.

Digital Evidence From SIM Cards:

Despite limited memory capacity, the SIM contains a wealth of information that, when considered in context, can greatly aid lawyers in their case preparations:

Stored telephone numbers/contacts.

Listings of Last Dialled Numbers .

Text messages received, sent, drafted or deleted.

General location information from last use.

References to overseas network providers that have been used.

[youtube]http://www.youtube.com/watch?v=nMvARy0lBLE[/youtube]

Common Questions:

Q: Could the SIM card have been cloned?

A: SIM cards produced after June 2002 employ the COMPv2 algorithm which provides a number of technical and security safeguards to prevent unauthorised modification. Despite media reports, the cloning of modern SIM cards is an extremely rare practice.

Q: Can my PIN code be cracked?

A: SIM card information can be locked using a four digit Personal Identification Number . RIPA contains provisions to force disclosure of passwords, however, it is usually easier to request a Phone Unlock Key (PUK), enabling PIN settings to over- ridden, from the Data Protection Officer (DPO) at the relevant network provider.

Q: PAYG SIMs are untraceable!

A: With Pay As You Go (PAYG) there is no formal contract with a network provider (e.g. Orange) to enable a customer look-up, however, Call Data Records (CDRs) are still available from the network provider, providing information as to patterns of communication, calls to/from, time/dates etc. By mapping this information to known acquaintances of the defendant, considering the evidence in the context of other material (such as messages recovered from the telephone handset) and undertaking Cell Site Analyses (CSAs)3 it is possible to prove/disprove ownership of a handset.

Q: Does the SIM reveal who I ve been in touch with?

A: Even without the disclosure of Call Data Records (CDRs) from the network provider, the SIM provides a plethora of useful information relating to contacts in the form of Last Numbers Dialled (LND) and sections of the Contacts Directory . Numbers that haven t been saved may still show up in the LND.

Q: Can a telephone handset be uniquely identified?

A: Mobile phone handsets are assigned unique 15-digit numbers, known as the International Mobile Equipment Identifier (IMEI), which is passed to the network provider before communication services can be utilised. This serial number allows specific handsets that have been stolen or blacklisted to be blocked from a network irrespective of what SIM card is inserted. Defences suggesting that a given handset has been found and is not owned by the suspect are unlikely to hold water if Call Data Records (CDRs) show a pattern of usage that indicate the owners identity.

Q: What about sending anonymous texts?

A: They are not really that anonymous… If they are being sent via an internet service, there is typically a log retained by the site provider as to the computer IP address that sent the specific message this can ultimately be tied by to an Internet Service Provider (ISP), and in turn a specific subscriber. If anonymous texts have been sent from a mobile telephone typically a PAYG handset/SIM the uniquely assigned International Mobile Subscriber Identifier (IMSI) code embedded in the SIM can be used in concert with CDRs to provide compelling evidence as to the sender identity.

Q: Can deleted text messages & numbers be recovered?

Data content (especially multimedia formats) is primarily stored on the handset or on a removable memory stick. The general rule of thumb is that any data that has been deleted can be recovered, however, if it has been over-written it does make the process more complex and the chances of success reduce with every over-write.

Q: Is possession of multiple SIM cards indicative of wrongdoing?

Not at all – many individuals are discovering that they can benefit greatly from the free text and talk allowances granted on mobile phone contracts by having two or more SIMs (typically with different network providers). Adapters are available to connect multiple SIMs to a handset simultaneously.

Did you know?

The SIM card will often contain a reference to the last network base station that it communicated with before being disconnected from the telecoms network.

If the SIM card has been used overseas, it is possible to retrieve a reference code from the card that will indicate which national/regional network provider was used.

Language preferences can be stored on SIM cards useful intelligence for investigators which can open up new avenues of enquiry.

Ross Patel is a forensic computer consultant with Afentis Forensics. You can

find an expert witness

and view the

company profile

at

X-Pro UK

, the innovative expert witness directory.

Article Source:

Expert Witness: SIM Card Data Retrieval – The Essentials