Tuesday, December 02, 2008

Another ultra-thin membrane device


John Lorne, Technical Officer for South Manchester GMP, having read the discussion in the thread "Ultra-thin membrane changes (U)SIM card usage", wants to raise awareness that, during his examinations, he has had first-hand experience of another, similar device. He emailed some comments to the weblog, along with the images below, which he thought would be of interest to readers.
John Lorne, Technical Officer:
"I have used one of these; it's named MT-SIM. They are for using one's phone on any network. It works by punching a small hole into your SIM and laying the contacts of the MT-SIM onto the contacts of your SIM.
"The small hole is required as the chip on the MT-SIM faces the opposite way (upwards and away from the SIM compartment) and is the same thickness. The MT-SIM is not a solution for multi-unlocking as it has to sit with its surrogate all the time (the MT-SIM works by making the handset omit asking the question on start-up "what network are we on?"); as soon as the MT-SIM is separated then the handset will revert to its network provider.
"I have tried this on a test phone for examination purposes and found it works and allows one to get into the handset. I lost my call history with this operation, but I would've lost this in any case when I use my test SIMs (I use a Motorola test SIM to bypass network issues, but in every case I lose call history; Focus 112 can recover this for me). In the end a colleague of mine asked could I unlock his daughter's phone to any network; it was a BB5 phone and at the time couldn't be unlocked in the more traditional way, i.e. UFS/JAF box. I slid this in and it worked exactly as it said it would, so in some cases it's actually quite advanced."

Tuesday, November 18, 2008

Ultra-thin membrane changes (U)SIM card usage


Examiners may come across an ultra-thin (0.3 mm) membrane that lies over the contacts of a SIM card. Called the V200 SIM Dialer, the membrane is described by its manufacturer as "Prefix base programmable (For routing prefix and bypass prefix setting)". What does that mean? It works with mobile phones that support the SIM Tool Kit menu (most up-to-date phones do) and lets the user define how calls are routed to the network. The point is that if you are looking for least-cost routing for calls, or want to use a calling card rather than pay mobile network call charges, this device makes that happen, apparently.

How does it do it? "Dial the desired number directly each time you call, SIM dialer V200 will automatically dial IP access in front of the dialed number".
As the manufacturer puts it, using the device will not change your dialling habits and there is "No cutting, No punching your SIM".

Since the device is programmable, and judging by the on-board chip, there should be a programmer/reader for it, or one could be constructed. This takes me back to the old days of PonyProg and PIC basics. Of equal importance, of course, is how this device affects the examination of the handset and SIM card. Will manual examination be the only course available, or do current handset and SIM readers detect the changes this device makes to them? What evidence is there of call history or data usage? These are just a few of the questions to get examiners started.
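To make the routing-prefix behaviour concrete, here is a small model, added to this post and not code from the blog or from the device's manufacturer, of what a prefix-programmable dialer does to the digits a handset sends, and of how an examiner can use the same model to reconcile a handset's call history against network records. Overlays of this kind typically use the SIM Toolkit "call control by SIM" facility (GSM 11.14), which lets the SIM modify an outgoing number before call set-up; the exact V200 rules are not published here, so the access code 17900, the bypass and emergency-number exemptions, the '+' expansion and every number below are constructed assumptions.

```python
"""Model of a prefix-based SIM dialer rewriting the numbers a handset sends.

Added illustration; not the blog's code and not the V200's firmware. The
device's real rules are not on the page, so the routing/bypass behaviour,
the emergency-number and MMI-code exemptions and all sample numbers are
constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DialerConfig:
    routing_prefix: str                       # access code the dialer prepends (assumed value)
    bypass_prefixes: tuple = ()               # numbers starting with these are sent unchanged
    emergency: tuple = ("112", "999", "911")  # assumed never to be rewritten


def normalise(dialled: str) -> str:
    """Drop the spacing a user types but a keypad never sends."""
    return "".join(ch for ch in dialled if ch not in " -()")


def number_sent_to_network(dialled: str, cfg: DialerConfig) -> tuple:
    """Return (digits actually sent in call set-up, whether the dialer rewrote them)."""
    n = normalise(dialled)
    if n in cfg.emergency:
        return n, False
    if n.startswith(("*", "#")):           # MMI / USSD strings are not calls (assumption)
        return n, False
    if n.startswith(cfg.bypass_prefixes):  # e.g. freephone numbers routed directly
        return n, False
    if n.startswith("+"):                  # model: '+' expands to the 00 international code
        n = "00" + n[1:]
    if n.startswith(cfg.routing_prefix):   # user already typed the prefix: do not double it
        return n, False
    return cfg.routing_prefix + n, True


def user_dialled_number(network_number: str, cfg: DialerConfig) -> str:
    """Examiner's inverse: recover what was typed from a billing / CDR number."""
    if network_number.startswith(cfg.routing_prefix):
        return network_number[len(cfg.routing_prefix):]
    return network_number


def reconcile(handset_log, cdr, cfg: DialerConfig):
    """Pair handset call-history entries with network records, in order.

    Returns (handset_number, cdr_number, explanation) per pair. A difference
    that the routing prefix explains is labelled as such rather than being
    taken as a deleted or edited entry.
    """
    report = []
    for h, c in zip(handset_log, cdr):
        expected, rewritten = number_sent_to_network(h, cfg)
        if c == expected:
            why = "dialer prefix accounts for difference" if rewritten else "identical"
        else:
            why = "UNEXPLAINED: does not match dialer model"
        report.append((h, c, why))
    return report


if __name__ == "__main__":
    cfg = DialerConfig(routing_prefix="17900", bypass_prefixes=("0800",))
    # constructed handset call history and the matching network records
    handset = ["07700 900123", "0800 123456", "999", "+44 7700 900456"]
    cdr = ["1790007700900123", "0800123456", "999", "17900447700900456"]
    for row in reconcile(handset, cdr, cfg):
        print(row)
```

The evidential point: depending on the handset, its call register may hold the number as typed while the network's records show the prefixed string; a mismatch of that shape is explained by the overlay rather than by deletion or editing, and reconcile() says which pairs the model accounts for and which it does not.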


It seems this programmable ultra-thin membrane is not limited to SIM calls: there is a USIM version (U-SIM V33G) that can be used to unlock iPhones. There is a video that is useful to watch so that examiners can at least appreciate how thin the membrane is and how it is installed:
http://tw.youtube.com/watch?v=JQSNJxis7Ds



Please note, this is not a promotion or advert for these products, the information provided is to assist examiners with observations about these devices that may form part of their evidence.

Saturday, November 01, 2008

Cloning Test SIM Cards

Cloning test SIM cards can present problems if their use is not carefully monitored, and can lead to loss of data from a device under test (DUT). There appear to be many different circumstances in which loss of data can occur when using a cloned test SIM card. Some examples are:
- The inadequate level of notice and advice within the applications that create the cloned test SIM card, to state precisely that a particular make/model of handset has been tested with the cloning application before it is used with that make/model, or where the guide only generally implies that the application is usable with a particular make.

- Whether or not the cloned test SIM card has been correctly written before it is inserted into the device under examination (DUT).

- The 'trial and error' approach being applied to evidential mobile phones, leading to loss of data, where the written advice in the guide, when given, does not deal with the examination problem at hand.

Take one example of a mobile phone examination problem, relating to the Samsung D880.

This mobile phone is capable of having two SIM cards inserted at the same time, so that two different subscriber accounts can be used separately by a user. To understand the difference, compare this with the traditional position of having to manually swap one SIM card for another in a single-SIM mobile phone.

Once the user has selected to use one of the two SIM Cards inserted, the option to switch to a particular SIM in normal user mode is via the 'SIM selection key' with visual Icons displayed on the device's screen confirming which SIM and subscription account is in use.

The problem for the examiner using cloned test SIM cards is what the safest method is for examining a dual-SIM mobile phone. Looking at some options, what problems can arise for the examiner?


1) Take out one of the user SIM cards and produce a cloned test SIM card, whilst leaving the other user SIM card in place, then insert the new cloned test SIM card and examine the phone? It is unlikely this could work well, because an original user SIM card is still in place and the mobile phone could still register to the network, etc. That is so because the examiner doesn't know which SIM and subscription account was last used by the mobile phone. The notion of switching the mobile phone 'ON' to find out, prior to using a cloned test SIM card, begs the question of why the examiner is using cloned test SIM cards in the first place.


2) Take out both user SIM cards and produce two cloned test SIM cards, but insert only one test card and examine on that basis? This might work, provided of course the examiner has selected the right SIM slot and subscription account for access, which is a bit 'trial and error', 'hit and miss'. Moreover, assuming the above method had worked and the examiner safely selected the correct SIM slot/account (for example by taking the pragmatic step of recording which user SIM came out of which slot and placing the corresponding cloned test SIM card back into that slot), what happens when the second cloned test SIM card needs to be inserted? Using the SIM selection key to switch to the other SIM card may not assist, because there isn't a cloned test SIM card in the second slot for the device to read any details from. Moreover, bearing in mind that the device memory has noted only one SIM inserted the first time around, what might now happen if a second cloned test SIM card is inserted? Will it allow access to the subscriber account user data on the device? And what happens when switching over to the other cloned test SIM card?



3) Inevitably, the line of reasoning in this discussion is intended to bring the reader's attention to the option of putting both cloned test SIM cards into the appropriate SIM slots and examining from that standpoint. But what happens then if the device does not give up its riches and enable the examiner to gain access to the user data? Turning to the cloned test SIM card guides, what if they provide no assistance at all? What if the cloning application does not record properly to the cloned test SIM card, or the data it does record is insufficient for a particular make and model of mobile phone to function in the way expected?

In each of the above cases where loss of data might occur, that is to say where, for example, no call history or text messages are accessible, it may not be because the user has deleted them, or has gone to settings to set a calendar event to delete texts or clear call history at a date and time, but because the cloned test SIM card has removed access to them; and the examiner may not be aware of that until either using a device reading program or conducting a manual examination.

The presumption suggested, that the examination and the tools used to recover data from a device were functioning properly and without flaw at the time of the examination from which the mobile phone data served in evidence arose, inferring that the evidence is safe to rely on, may not meet the maxim omnia praesumuntur rite esse acta as expressed by Lord Griffiths in R v Shepherd [1993] AC 380. That can be so because it has never been solely about whether the original device (exhibit) was working properly at the material time; of equal significance is whether, in the obtaining of the data and in the processes used to obtain it, the evidence is safe to rely on. The latter requirement did not disappear with the repeal of section 69 of the Police and Criminal Evidence Act 1984. Nor did it disappear with the introduction of the Criminal Procedure and Investigations Act 1996, the Police Act 1997, the Regulation of Investigatory Powers Act 2000 and so on.

The purpose of raising this discussion (for examiners and students) about mobile phone forensic examination and tools is that discussions on these types of topics are not simply about providing answers and solutions to problems, but about identifying the potential questions that need to be addressed before using cloned test SIM cards.

Lastly, I have not described every event in the examination of a dual-SIM mobile phone, or how the Samsung D880 manages the operation and functionality of both SIM cards. Leaving these matters out has helped simplify and refine the discussion and keep the important points to the fore.

Thursday, July 31, 2008

CDS Regulations SI 2001 No.1437 & ECHR Article 6


Statutory Instrument 2001 No. 1437
The Criminal Defence Service (General) (No. 2) Regulations 2001

PART VI - MISCELLANEOUS
Authorisation of expenditure

19. - (1) Where it appears to the solicitor necessary for the proper conduct of proceedings in the Crown Court for costs to be incurred under the representation order by taking any of the following steps:
(a) obtaining a written report or opinion of one or more experts;
(b) employing a person to provide a written report or opinion (otherwise than as an expert);
(c) obtaining any transcripts or recordings; or
(d) performing an act which is either unusual in its nature or involves unusually large expenditure
he may apply to the Costs Committee for prior authority to do so.

(2) The Commission may authorise a person acting on behalf of the Costs Committee to grant prior authority in respect of any application made under paragraph (1).
(3) Where the Costs Committee or a person acting on its behalf authorises the taking of any step specified in paragraph (1), it shall also authorise the maximum to be paid in respect of that step.
ECHR Article 6 – Right to a fair trial
1. In the determination of his civil rights and obligations or of any criminal charge against him, everyone is entitled to a fair and public hearing within a reasonable time by an independent and impartial tribunal established by law. Judgment shall be pronounced publicly but the press and public may be excluded from all or part of the trial in the interests of morals, public order or national security in a democratic society, where the interests of juveniles or the protection of the private life of the parties so require, or to the extent strictly necessary in the opinion of the court in special circumstances where publicity would prejudice the interests of justice.
2. Everyone charged with a criminal offence shall be presumed innocent until proved guilty according to law.
3. Everyone charged with a criminal offence has the following minimum rights:
a. to be informed promptly, in a language which he understands and in detail, of the nature and cause of the accusation against him;
b. to have adequate time and facilities for the preparation of his defence;
c. to defend himself in person or through legal assistance of his own choosing or, if he has not sufficient means to pay for legal assistance, to be given it free when the interests of justice so require;
d. to examine or have examined witnesses against him and to obtain the attendance and examination of witnesses on his behalf under the same conditions as witnesses against him;
e. to have the free assistance of an interpreter if he cannot understand or speak the language used in court.

Tuesday, July 15, 2008

Join MTEB Forum if you are in wireless / telecomms


If you work in forensics and/or device examination, investigations, or deal with evidence, then the MTEB forum puts you in contact with other professionals when you need help with technical issues, want technical discussion or generally want to stay up to date. Due to the make-up of the forum membership (experts, high-level security, law enforcement and senior investigators), requests to join are vetted.
Invitation to Join Mobile Telephone Examination Board
--------------------------------------------------------
The MTEB forum is dedicated to evidential standards, forensic examination and lawful interception dealing with mobile telephones/SIM/USIM/MMC, bluetooth, IrDA, USB, cell site analysis and mobile networks GSM, CDMA, 3G, 4G.
Link if you are NOT a LinkedIn member:

http://www.linkedin.com/groupInvitation?groupID=141739&sharedKey=35E59F107179

Link if you are a LinkedIn member:
http://www.linkedin.com/groupsDirectory?results=&sik=1216135556335

Friday, April 25, 2008

Looking back at the future of SIM in 2002

I have always thought that looking to the future is important, but equally that looking back at what we knew, or thought might be happening, from an historical perspective can help us see what problems can occur in the future, and also show whether foreseeable problems have been addressed over time.
I have selected a summary of issues discussed in training back in 2002, which are set out in the downloadable .pdf document "SIM - The Future as Viewed in 2002".
For example, did you know, or remember, the slowdown in SIM card manufacturing in 2001? This is hard to believe when we think about the saturation levels of SIMs and handsets in the marketplace today.
What about SIM Application Toolkits, applets and the exciting development of Java Standard Edition for mobile phones (KJava and PJava)? Our concern then was how these advances were going to affect mobile telephone and SIM examination. Remember, at that time we saw problems and tried to anticipate how to combat them, but we had no immediate solutions, which invariably had to be produced, in some instances, "on the hoof", so to speak.
Cloning of SIM cards had raised its head back in 1998, and devices were starting to appear on the market in 2000/01. The problem we faced then was knowing what to look for to determine whether a SIM was cloned or not. And then, if the SIM was a clone, what impact could or would it have on the evidence?
What about SIM cards with multiple IMSIs? Still an issue today, as it was in 2002. The problem is that SIM readers do not have the capability to read more than one IMSI from a SIM card at any one time. Consequently, invoking an IMSI selection in EF_IMSI (7F20/6F07) is not possible other than by placing the SIM in the handset and selecting another IMSI using the handset's network selection menu. Moreover, once that has been done the green button on the handset needs to be pressed and a location update (and an IMSI attach) to the network is required, which cannot be performed in a Faraday bag, radio-dampening field or isolation chamber. The questions arise: when do you search for more than one IMSI recorded in a SIM? What cases warrant it? How many cases have been missed in the past where more than one IMSI resided in a SIM but went undetected? Put simply, when should allocution take place?
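As an added illustration (mine, not the blog's and not the output of any reader product), the following decodes the one file a SIM reader actually parses for the IMSI, EF_IMSI (7F20/6F07), following the coding in GSM 11.11 section 10.3.2, and compares two reads so that an examiner can check whether the identity presented changed after the handset's network selection menu was used. Any further IMSIs held by a multi-IMSI card live in operator-specific files that this decoder does not know about, which is exactly why a single read is not proof that only one identity exists. The sample dumps, the default MNC length and the function names are my assumptions.

```python
"""Decode/encode EF_IMSI (DF_GSM 7F20, EF 6F07), the file a SIM reader parses
to report "the" IMSI.

Added illustration, not the blog's code. Coding per GSM 11.11 section 10.3.2
(EF_IMSI under ADF_USIM in 3GPP TS 31.102 uses the same layout): byte 1 is the
number of IMSI bytes that follow; the low nibble of byte 2 is the parity/type
nibble (0x9 for an odd number of digits, 0x1 for even); digits are in swapped
BCD (low nibble first); unused nibbles are 0xF. The sample dumps are constructed.
"""


def decode_imsi(raw: bytes) -> str:
    """Return the IMSI digits held in a raw 9-byte EF_IMSI read."""
    if len(raw) != 9:
        raise ValueError("EF_IMSI is a 9-byte transparent file")
    length = raw[0]
    if not 1 <= length <= 8:
        raise ValueError(f"implausible IMSI length byte {length:#04x}")
    body = raw[1:1 + length]
    parity = body[0] & 0x0F
    if parity not in (0x1, 0x9):
        raise ValueError(f"unexpected parity/type nibble {parity:#x}")
    digits = [body[0] >> 4]                 # first digit: high nibble of byte 2
    for b in body[1:]:
        digits += [b & 0x0F, b >> 4]        # swapped BCD: low nibble first
    while digits and digits[-1] == 0xF:     # strip filler on even-length IMSIs
        digits.pop()
    if any(d > 9 for d in digits) or not 6 <= len(digits) <= 15:
        raise ValueError("IMSI body is not valid BCD or has an impossible length")
    if (len(digits) % 2 == 1) != (parity == 0x9):
        raise ValueError("parity nibble disagrees with the digit count")
    return "".join(map(str, digits))


def encode_imsi(imsi: str) -> bytes:
    """Produce the 9-byte EF_IMSI coding of a decimal IMSI string."""
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        raise ValueError("IMSI must be 6 to 15 decimal digits")
    d = [int(c) for c in imsi]
    body = [(d[0] << 4) | (0x9 if len(d) % 2 else 0x1)]
    rest = d[1:] + ([0xF] if len(d[1:]) % 2 else [])
    body += [(hi << 4) | lo for lo, hi in zip(rest[0::2], rest[1::2])]
    return bytes([len(body)]) + bytes(body) + b"\xff" * (8 - len(body))


def split_imsi(imsi: str, mnc_len: int = 2) -> tuple:
    """Split into (MCC, MNC, MSIN). The MNC is 2 or 3 digits and cannot be
    told from the IMSI alone: on a USIM the fourth byte of EF_AD (6FAD) records
    it, otherwise consult a numbering-plan table. 2 here is only a default."""
    if mnc_len not in (2, 3):
        raise ValueError("MNC length is 2 or 3")
    return imsi[:3], imsi[3:3 + mnc_len], imsi[3 + mnc_len:]


def imsi_changed(read_before: bytes, read_after: bytes) -> bool:
    """True when two EF_IMSI reads (e.g. before and after the handset's network
    selection menu was used) report a different subscriber identity."""
    return decode_imsi(read_before) != decode_imsi(read_after)


if __name__ == "__main__":
    dump = bytes.fromhex("082943518967452301")   # constructed reader output
    imsi = decode_imsi(dump)
    print(imsi, split_imsi(imsi))               # 234159876543210 ('234', '15', '9876543210')
    assert encode_imsi(imsi) == dump
```

Reading EF_IMSI twice, once as received and once after the handset has been used to select a different identity, and diffing the two with imsi_changed() is the cheapest check an examiner has; the decoder deliberately refuses a read whose parity nibble and digit count disagree, since that is the usual sign of a misaligned or partial dump rather than a genuine second IMSI.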
There was a huge range of issues to be addressed then, in the early 2000s, as there is now. When reading these brief discussion documents, which represent issues spoken about on my training courses, I hope they convey the message that plug and play (PnP) or universal plug and play (UPnP) systems used to extract and harvest data are simply not enough to satisfy the requirements of mobile telephone examination.

Friday, March 07, 2008

GSM Timers



The thread "cell site analysis call analysis" <http://trewmte.blogspot.com/2006/12/cell-site-analysis-call-analysis.html> highlighted the range of cause failures for mobile calls. The overview it provided can be quite helpful, but behind those cause failures there can be a range of timers, and some of them can be the reason a cause failure occurs (with a positive or negative outcome). For example, we can see that timer T3126 (below) in essence relates to the failure of an immediate assignment request, but the root cause of the failure can in fact be SDCCH congestion or a poor radio link, such as interference, coverage restriction or radio path imbalance. Understanding the causes for the cessation or loss of mobile communication requires more than knowing the cause code or timer; it requires knowing the root cause behind them.



The timer table below provides a useful but not exhaustive list. It is essential to keep monitoring the GSM and 3GPP standards. Finally, it is important to recognise that timers have different durations depending on where the timer applies. For instance, for radio resource management the durations are usually denoted in seconds, and some timers are in milliseconds.



However, other timer durations (expiries) are used for the internal operation of devices such as the mobile telephone or SIM, and can be in minutes and, in some instances, hours. An example of the latter is the elementary file EF_HPLMN (7F20/6F31); see GSM 11.11. The timer is set in unit increments, e.g. 01, 02, 03 and so on. Each increment represents n minutes, which GSM 02.11 gives as 6 minutes; however, because rapid updates can drain the mobile telephone's battery, it is understood that n can in practice be 30 minutes. The maximum the timer can be set to is 8 hours. The timer value is network operator dependent, which means either method may be used.



Timers and counters for radio resource management



Timers on the mobile station side

T3122: This timer is used during random access, after the receipt of an IMMEDIATE ASSIGN REJECT message. Its value is given by the network in the IMMEDIATE ASSIGN REJECT message.




T3124: This timer is used in the seizure procedure during a hand-over, when the two cells are not synchronized. Its purpose is to detect the lack of answer from the network to the special signal. Its value is set to 675 ms if the channel type of the channel allocated in the HANDOVER COMMAND is an SDCCH (+ SACCH); otherwise its value is set to 320 ms.



T3126: This timer is started either after sending the maximum allowed number of CHANNEL REQUEST messages during an immediate assignment procedure, or on receipt of an IMMEDIATE ASSIGNMENT REJECT message, whichever occurs first. It is stopped at receipt of an IMMEDIATE ASSIGNMENT message or an IMMEDIATE ASSIGNMENT EXTENDED message. At its expiry, the immediate assignment procedure is aborted. The minimum value of this timer is equal to the time taken by T+2S slots of the mobile station's RACH; S and T are defined in section 3.3.1.2. The maximum value of this timer is 5 seconds.



T3128: This timer is started when the mobile station starts the uplink investigation procedure and the uplink is busy. It is stopped at receipt of the first UPLINK FREE message. At its expiry, the uplink investigation procedure is aborted. The value of this timer is set to 1 second.



T3130: This timer is started after sending the first UPLINK ACCESS message during a VGCS uplink access procedure. It is stopped at receipt of a VGCS ACCESS GRANT message. At its expiry, the uplink access procedure is aborted. The value of this timer is set to 5 seconds.



T3110: This timer is used to delay the channel deactivation after the receipt of a (full) CHANNEL RELEASE. Its purpose is to allow some time for disconnection of the main signalling link. Its value is set such that the DISC frame is sent twice in case of no answer from the network. (It should be chosen to obtain a good probability of normal termination (i.e. no time-out of T3109) of the channel release procedure.)



T3134: This timer is used in the seizure procedure during an RR network commanded cell change order procedure. Its purpose is to detect the lack of answer from the network or the lack of availability of the target cell. Its value is set to 5 seconds.



T3142: This timer is used during packet access on CCCH, after the receipt of an IMMEDIATE ASSIGNMENT REJECT message. Its value is given by the network in the IMMEDIATE ASSIGNMENT REJECT message.



T3146: This timer is started either after sending the maximum allowed number of CHANNEL REQUEST messages during a packet access procedure, or on receipt of an IMMEDIATE ASSIGNMENT REJECT message during a packet access procedure, whichever occurs first. It is stopped at receipt of an IMMEDIATE ASSIGNMENT message or an IMMEDIATE ASSIGNMENT EXTENDED message. At its expiry, the packet access procedure is aborted. The minimum value of this timer is equal to the time taken by T+2S slots of the mobile station's RACH; S and T are defined in section 3.3.1.2. The maximum value of this timer is 5 seconds.



T3164: This timer is used during packet access using CCCH. It is started at the receipt of an IMMEDIATE ASSIGNMENT message. It is stopped at the transmission of an RLC/MAC block on the assigned temporary block flow, see GSM 04.60. At expiry, the mobile station returns to packet idle mode. The value of the timer is 5 seconds.



T3190: This timer is used during packet downlink assignment on CCCH. It is started at the receipt of an IMMEDIATE ASSIGNMENT message or of a PDCH ASSIGNMENT COMMAND message when in dedicated mode. It is stopped at the receipt of an RLC/MAC block on the assigned temporary block flow, see GSM 04.60. At expiry, the mobile station returns to packet idle mode. The value of the timer is 5 seconds.



Timers on the network side

T3101: This timer is started when a channel is allocated with an IMMEDIATE ASSIGNMENT message. It is stopped when the MS has correctly seized the channels. Its value is network dependent. NOTE: It could be higher than the maximum time for an L2 establishment attempt.



T3103: This timer is started by the sending of a HANDOVER message and is normally stopped when the MS has correctly seized the new channel. Its purpose is to keep the old channels sufficiently long for the MS to be able to return to the old channels, and to release the channels if the MS is lost. Its value is network dependent. NOTE: It could be higher than the maximum transmission time of the HANDOVER COMMAND, plus the value of T3124, plus the maximum duration of an attempt to establish a data link in multiframe mode.



T3105:This timer is used for the repetition of the PHYSICAL INFORMATION message during the hand-over procedure. Its value is network dependent. NOTE: This timer may be set to such a low value that the message is in fact continuously transmitted.



T3107: This timer is started by the sending of an ASSIGNMENT COMMAND message and is normally stopped when the MS has correctly seized the new channels. Its purpose is to keep the old channels sufficiently long for the MS to be able to return to the old channels, and to release the channels if the MS is lost. Its value is network dependent. NOTE: It could be higher than the maximum transmission time of the ASSIGNMENT COMMAND message plus twice the maximum duration of an attempt to establish a data link in multiframe mode.



T3109:This timer is started when a lower layer failure is detected by the network, when it is not engaged in a RF procedure. It is also used in the channel release procedure. Its purpose is to release the channels in case of loss of communication. Its value is network dependent. NOTE: Its value should be large enough to ensure that the MS detects a radio link failure.



T3111:This timer is used to delay the channel deactivation after disconnection of the main signalling link. Its purpose is to let some time for possible repetition of the disconnection. Its value is equal to the value of T3110.



T3113:This timer is started when the network has sent a PAGING REQUEST message and is stopped when the network has received the PAGING RESPONSE message. Its value is network dependent. NOTE: The value could allow for repetitions of the Channel Request message and the requirements associated with T3101.



T3115:This timer is used for the repetition of the VGCS UPLINK GRANT message during the uplink access procedure. Its value is network dependent. NOTE: This timer may be set to such a low value that the message is in fact continuously transmitted.



T3117:This timer is started by the sending of a PDCH ASSIGNMENT COMMAND message and is normally stopped when the MS has correctly accessed the target TBF. Its purpose is to keep the old channel sufficiently long for the MS to be able to return to the old channels, and to release the channels if the MS is lost. Its value is network dependent. NOTE: It could be higher than the maximum transmission time of the PDCH ASSIGNMENT COMMAND message plus T3132 plus the maximum duration of an attempt to establish a data link in multiframe mode.



T3119: This timer is started by the sending of an RR-CELL CHANGE ORDER message and is normally stopped when the MS has correctly accessed the new cell. Its purpose is to keep the old channels sufficiently long for the MS to be able to return to the old channels, and to release the channels if the MS is lost. Its value is network dependent. NOTE: It could be higher than the maximum transmission time of the RR-CELL CHANGE ORDER, plus T3134, plus the maximum duration of an attempt to establish a data link in multiframe mode.



T3141:This timer is started when a temporary block flow is allocated with an IMMEDIATE ASSIGNMENT message during a packet access procedure. It is stopped when the mobile station has correctly seized the temporary block flow. Its value is network dependent.




More on Cell Site Analysis: http://cellsiteanalysis.blogspot.com

Thursday, March 06, 2008

3G USIM Phonebook



Those familiar with the 3G USIM phonebook (contacts) will know the relevance of examining this data area within the USIM, and thus the significance of Quantaq's announcement below. If you do not understand the relevance, then attending my USIM and USIM-D training course will open up the phonebook (contacts) evidence and other important technical and evidential aspects of the USIM, and yes, you get trained in USIM-Detective too. Send your request for training to trewmte [at] googlemail [dot] com or visit the training page at Quantaq's website.




Quantaq (www.quantaq.com) has introduced a major new release of USIM Detective (V2.0.0); this version has support for the 3G USIM phonebook that is now appearing in many high-end handsets.