Wednesday, December 01, 2010

Tutorial Pt1 - Creating an Elementary File

When examining ICC (SIM) / UICC ((U)SIM) cards, data is commonly extracted and harvested from particular elementary files (EFs) as specified in GSM 11.11 / 3GPP TS 31.102. The particular EFs referred to are:

- Transparent EF: an unformatted data field containing a sequence of bytes that can be accessed individually or as a string of variable length.
- Linear Fixed EF: a formatted data field with records that all have a constant length.
- Cyclic EF: a formatted data field derived from a linear fixed data field, with records of constant length.

From these EFs the data commonly acquired are identities and records such as the IMSI, phonebook, SMS, location information etc., to name but a few. The structure and type of content allocated to the unformatted and formatted EFs above has remained fairly constant across the ETSI, GSM and 3GPP standards.
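As an added illustration (not part of the tutorial), the following Python models the three EF structures just described and decodes a constructed EF_IMSI from a transparent file; it follows the READ BINARY / READ RECORD / UPDATE RECORD behaviour of GSM 11.11 and TS 102 221, and the cyclic update rule (newest entry is always record 1) is the part examiners most often need to remember.

```python
# Added example, not from the tutorial: a minimal in-memory model of the three EF
# structures, following the access rules of GSM 11.11 / TS 102 221.
# The IMSI and records below are constructed sample data; no real card is involved.


class TransparentEF:
    """Unformatted byte sequence, read by offset and length (READ BINARY)."""

    def __init__(self, data: bytes):
        self.data = bytes(data)

    def read(self, offset: int, length: int) -> bytes:
        if offset < 0 or offset + length > len(self.data):
            raise ValueError("READ BINARY outside file body")
        return self.data[offset:offset + length]


class LinearFixedEF:
    """Records of constant length addressed by absolute record number (1-based)."""

    def __init__(self, record_len: int, count: int):
        self.record_len = record_len
        # Unused records of a freshly created file read back as 'FF'.
        self.records = [b"\xff" * record_len for _ in range(count)]

    def read(self, n: int) -> bytes:
        if not 1 <= n <= len(self.records):
            raise ValueError("record number out of range")
        return self.records[n - 1]

    def update(self, n: int, rec: bytes) -> None:
        if len(rec) != self.record_len:
            raise ValueError("record length mismatch")
        self.records[n - 1] = bytes(rec)


class CyclicEF(LinearFixedEF):
    """Same layout as linear fixed, but a write goes to the oldest record, which
    then becomes record 1. Record 1 is therefore always the most recent entry,
    which is why record order in e.g. a last-numbers-dialled file carries meaning."""

    def update_previous(self, rec: bytes) -> None:
        if len(rec) != self.record_len:
            raise ValueError("record length mismatch")
        # The oldest record is the last one: it is overwritten and moves to the front.
        self.records = [bytes(rec)] + self.records[:-1]


def fill_cyclic(ef: CyclicEF, entries) -> list:
    """Write entries oldest-first with UPDATE RECORD (PREVIOUS); return the records."""
    for entry in entries:
        ef.update_previous(entry)
    return list(ef.records)


def decode_imsi(ef: TransparentEF) -> str:
    """Decode EF_IMSI (transparent, 9 bytes): byte 1 is the IMSI length in bytes,
    the low nibble of byte 2 holds parity/filler bits, then BCD digits low nibble first."""
    length = ef.read(0, 1)[0]
    body = ef.read(1, length)
    nibbles = []
    for b in body:
        nibbles.append(b & 0x0F)   # low nibble is the earlier digit on the card
        nibbles.append(b >> 4)
    digits = nibbles[1:]           # skip the parity/filler nibble
    return "".join("%X" % d for d in digits).rstrip("F")


# Constructed sample: IMSI 234151234567890 as it would be stored in EF_IMSI.
IMSI_EF = TransparentEF(bytes.fromhex("082943512143658709"))
```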

Evidentially, of course, examiners are often focussed merely on obtaining the content of a particular EF, with reliance placed entirely upon the SIM/USIM reading tool to achieve that objective. Limitations on the attendance time available (whatever the causes for that might be) mean the examiner rarely scratches the surface to comprehend the coding of the commands issued when selecting an EF (a subject that will be discussed in a later tutorial). However, prior to selecting an EF there is important information to know about how elementary files and their life cycles are created in the first place, and about their associated file templates. This tutorial therefore provides a brief look at what is involved in creating an EF, with some helpful hints for examiners relevant to forensics.

Why would this be of interest to examiners? Without a created EF there would be no EF to select in the first place, and thus ultimately no data to be extracted and harvested. Where examiners are dealing with illicit data couriers (the cybercrime paradigm, industrial espionage, terrorist data etc.), these intelligent bandits are demonstrating a competence that can be said to equal or exceed that of examiners, and naturally they seek to outwit the examiner by hiding information in elementary files in ways that avoid detection by standard SIM/USIM evidence reading tools. Both these points are reasons for examiners to understand how EFs are created and what can be revealed by knowing the templates and the coding of the commands used for that purpose.

It should be understood that technical advancements and technology evolution have not been without their impact on ICC/UICC, and therefore when starting out it is important that examiners are aware of the evolving standards that should be considered and make the effort to comprehend the instructions in them. The standard I have chosen for this tutorial is TS 102 222, Administrative Commands for telecommunication applications, as this is the standard that defines creating EFs on ICC and on UICC too.
Reference to ICC/UICC is intended to mean the elementary files created on them, and not the OS or the physical or logical aspects of the ICC/UICC.

To start with, two versions of the same standard have been used for this discussion and are identified below. I should point out that there are over 26 different versions of this particular ETSI standard.

TS 102 222 V3.0.0_60 May 2000 and TS 102 222 07.01.00_60 February 2007 

[Figure: file template from TS 102 222 V3.0.0_60 May 2000]

[Figure: file template from TS 102 222 07.01.00_60 February 2007]

The first point to note is the inclusion of additional elements in the later version of the standard and the re-ordering of the template. This example will hopefully and immediately illustrate why SIM/USIM readers obtain different bits, nibbles and bytes in the hex string and content of SIMs/USIMs, or, said another way, why they omit to extract and harvest some data from SIMs/USIMs.

The second point to be learned from the finding above should lead examiners to question: to which adopted standard is the format of the EF recorded on the ICC/UICC under examination coded? The only way you will know is to identify the template to which the EF has been coded. Each brand-name manufacturer has its own tools to obtain the coded template information, but there are several application vendors out there that also produce third-party software.

Prior to obtaining software, examiners need to have some indication of how template data can be illustrated for coding purposes, which shall be dealt with in the next tutorial.

Wednesday, November 03, 2010

Quad-SIM (4 in 1)

Wonder how we will handle the examination of this beast? Which profile will need to be read first? Will the handset have different profiles? Will each SIM have its own password? There are so many questions this news story raises. Previous experience has shown care is needed with handling the examination of handsets containing two (dual) SIMs (http://sim2usim.blogspot.com/2008/11/cloning-test-sim-cards.html).


Spreadtrum Announces the World’s First Single Chip Quad-SIM Standby Solution
The SC6600L6 allows four GSM SIM cards simultaneously running in standby mode with only one set of baseband and RF. It integrates a processor engine and controller for supporting quadruple SIM cards and has an improved graphic user interface for Quad-SIM. The product supports different multi-SIM options, including dual SIM, triple SIM, and Quad-SIM in a single set of baseband and RF chip, provides more choices to handset designers and meets the needs of users from different regions.

http://www.spreadtrum.com/eng/showNews.asp?name=1&ID=306

Tuesday, November 02, 2010

Smart Card Hacking

Back in 2002 I wrote about SIM Card Cloning for examiners to demonstrate the state of the market place, where software and hardware were being openly promoted that researchers could obtain, and what an examiner might be exposed to when examining a cloned SIM Card. A copy of that report can be downloaded here:

SIM Card Cloning
http://www.4shared.com/document/GMz_Gqcc/Special_Edition_2002_SIM_Cloni.html

In 1998 I circulated a report (UPD5-1 Vol1 - FEN98) on Smart Card Hacking to members of the British Association of Criminal Experts (BACE). The archive report has been scanned page by page, put into Acrobat PDF format, and can now be downloaded here:


Smart Card Hacking
http://www.4shared.com/file/kq5NGzns/UPD5-1_Vol1_-_FEN98.html

The smart card hacking report has an interesting description for the classification of the various levels of criminal activity in addition to techniques of smart card hacking. This particular report was the one that inspired me to write about SIM Card Cloning for examiners. Once again thanks and respect to Ross Anderson and Markus Kuhn.

It is important to consult the laws of the country you are in when dealing with research for cloning SIM Cards. This blog article does not promote or advocate anyone to break the law by cloning or attempting to clone SIM cards for the purposes of obtaining services or breaching property rights belonging to respective particular network operators etc.

Thursday, October 21, 2010

Four Blogs

I have four open weblogs that are active:

http://trewmte.blogspot.com
http://cellsiteanalysis.blogspot.com
http://sim2usim.blogspot.com
http://forensicmobex.blogspot.com

The focus of these weblogs is dealing with all forms of forensics and evidence relevant to mobile communications in the open arena that may have an impact, now or in the future, on:

- Advancing forensic evidence and analysis by challenging methodology and entrenchment in out of date concepts
- Balanced technical evidence for fair trials

I have been developing new materials for the blogs that will be gradually rolled out over the next six months.

Tuesday, August 03, 2010

SMS 25 Years Old Today

Today, SMS (short message service) text messaging celebrates its birthday. The service was technically created in 1985; however, the use of this communications technology was not seen until the first message, containing the text "Happy Christmas", was transmitted in the UK over the Vodafone network on 3rd December 1992.

The ubiquitous use of SMS generated global revenues, research has shown, of over $150 billion for 2009, and is forecast to reach $233 billion by the end of 2014, according to Sheri Wells of SMS Media Group.

SMS texting is used by the rich and famous, film stars and singers through to the general populace, and it is hard to think of anywhere in the world that hasn't used the SMS service. But there are countries that do not have SMS currently. Do you know the names of those countries and what their population sizes are?

Thursday, July 08, 2010

5-Billion Mobile Subscriptions forecast by Q4-2010

Mobile market forecasts all predict heavy reliance on GSM/3G/LTE, Mobile WiMAX etc. over the next 15 years. This is something I have been predicting for the last 10 years. Naturally, mobile forensics will need to play its part, and hence the reason for the MTEB educational programme for students and experienced individuals.

Worldwide Mobile Subscriptions Forecast To Exceed Five Billion By 4Q-2010

Singapore -- ABI Research forecasts over five billion mobile subscriptions by the end of 2010, with an approximate 4.8 billion connections having been reached by the end of the year's first quarter. Much of this growth will be registered in developing markets in Africa and the Asia-Pacific region.

Africa remains the fastest growing mobile market with a YoY growth of over 22%. Mobile penetration in Asia-Pacific will rise significantly to 65% by the end of 2010. "This unprecedented growth is driven by India and Indonesia, which have together added over 150 million subscriptions in the past four quarters," comments ABI Research analyst Bhavya Khanna. "Falling monthly tariffs and ultra-low-cost mobile handsets have democratised the reach and use of the mobile phone, and aggressive rollouts by mobile operators in these countries will see the current rate of subscriber addition maintained for some time to come."

At the other end of the spectrum, developed countries in North America and Europe continue to add subscriptions despite already having crossed the 100% penetration threshold. Driving this growth in subscriptions are new mobile devices and the ‘third screen' - including netbooks, tablet computers, USB dongles and e-book readers. "The success of Apple's iPad 3G shows that even operators in saturated markets can add subscriptions by introducing innovative and user-friendly devices," says vice president of forecasting Jake Saunders.

In addition, the introduction of 4G data networks such as WiMAX and LTE will see more consumers ditch their cables and access the Internet through mobile broadband connections. Operators such as Clearwire in the United States and Yota in Russia have seen consumers turn to their networks as fast and mobile alternatives to fixed-line broadband.

For more information visit www.abiresearch.com.

SOURCE: ABI Research

Monday, June 21, 2010

Gold Wafer SIM Cards

A snippet of information I recently noted that was interesting related to the recyclable gold used in SIM Cards. It is said that although the thickness of gold is measured in microns, a generalised (perhaps inaccurate) comparison that has been made is that it would take the gold leaf removed from at least 500,000 recycled SIM Cards to make one gold ring. A thought-provoking comparison perhaps, but it tells us nothing about the real weight of the gold used for each SIM Card and nothing about the gold's purity either.

So don't give up work just yet.


3G USIM 2G SIM Service Numbers

3G USIM (2010-04)
Service n°1: Local Phone Book
Service n°2: Fixed Dialling Numbers (FDN)
Service n°3: Extension 2
Service n°4: Service Dialling Numbers (SDN)
Service n°5: Extension3
Service n°6: Barred Dialling Numbers (BDN)
Service n°7: Extension4
Service n°8: Outgoing Call Information (OCI and OCT)
Service n°9: Incoming Call Information (ICI and ICT)
Service n°10: Short Message Storage (SMS)
Service n°11: Short Message Status Reports (SMSR)
Service n°12: Short Message Service Parameters (SMSP)
Service n°13: Advice of Charge (AoC)
Service n°14: Capability Configuration Parameters 2 (CCP2)
Service n°15: Cell Broadcast Message Identifier
Service n°16: Cell Broadcast Message Identifier Ranges
Service n°17: Group Identifier Level 1
Service n°18: Group Identifier Level 2
Service n°19: Service Provider Name
Service n°20: User controlled PLMN selector with Access Technology
Service n°21: MSISDN
Service n°22: Image (IMG)
Service n°23: Support of Localised Service Areas (SoLSA)
Service n°24: Enhanced Multi Level Precedence and Pre emption Service
Service n°25: Automatic Answer for eMLPP
Service n°26: RFU
Service n°27: GSM Access
Service n°28: Data download via SMS-PP
Service n°29: Data download via SMS CB
Service n°30: Call Control by USIM
Service n°31: MO-SMS Control by USIM
Service n°32: RUN AT COMMAND command
Service n°33: shall be set to '1'
Service n°34: Enabled Services Table
Service n°35: APN Control List (ACL)
Service n°36: Depersonalisation Control Keys
Service n°37: Co-operative Network List
Service n°38: GSM security context
Service n°39: CPBCCH Information
Service n°40: Investigation Scan
Service n°41: MExE
Service n°42: Operator controlled PLMN selector with Access Technology
Service n°43: HPLMN selector with Access Technology
Service n°44: Extension 5
Service n°45: PLMN Network Name
Service n°46: Operator PLMN List
Service n°47: Mailbox Dialling Numbers
Service n°48: Message Waiting Indication Status
Service n°49: Call Forwarding Indication Status
Service n°50: Reserved and shall be ignored
Service n°51: Service Provider Display Information
Service n°52: Multimedia Messaging Service (MMS)
Service n°53: Extension 8
Service n°54: Call control on GPRS by USIM
Service n°55: MMS User Connectivity Parameters
Service n°56: Network's indication of alerting in the MS (NIA)
Service n°57: VGCS Group Identifier List (EFVGCS and EFVGCSS)
Service n°58: VBS Group Identifier List (EFVBS and EFVBSS)
Service n°59: Pseudonym
Service n°60: User Controlled PLMN selector for I-WLAN access
Service n°61: Operator Controlled PLMN selector for I-WLAN access
Service n°62: User controlled WSID list
Service n°63: Operator controlled WSID list
Service n°64: VGCS security
Service n°65: VBS security
Service n°66: WLAN Reauthentication Identity
Service n°67: Multimedia Messages Storage
Service n°68: Generic Bootstrapping Architecture (GBA)
Service n°69: MBMS security
Service n°70: Data download via USSD and USSD application mode
Service n°71: Equivalent HPLMN
Service n°72: Additional TERMINAL PROFILE after UICC activation
Service n°73: Equivalent HPLMN Presentation Indication
Service n°74: Last RPLMN Selection Indication
Service n°75: OMA BCAST Smart Card Profile
Service n°76: GBA-based Local Key Establishment Mechanism
Service n°77: Terminal Applications
Service n°78: Service Provider Name Icon
Service n°79: PLMN Network Name Icon
Service n°80: Connectivity Parameters for USIM IP connections
Service n°81: Home I-WLAN Specific Identifier List
Service n°82: I-WLAN Equivalent HPLMN Presentation Indication
Service n°83: I-WLAN HPLMN Priority Indication
Service n°84: I-WLAN Last Registered PLMN
Service n°85: EPS Mobility Management Information
Service n°86: Allowed CSG Lists and corresponding indications
Service n°87: Call control on EPS PDN connection by USIM
Service n°88: HPLMN Direct Access
Service n°89: eCall Data
Service n°90: Operator CSG Lists and corresponding indications

------------------------------------------------------------------

2G SIM (2007-06)
Service n°1 : CHV1 disable function
Service n°2 : Abbreviated Dialling Numbers (ADN)
Service n°3 : Fixed Dialling Numbers (FDN)
Service n°4 : Short Message Storage (SMS)
Service n°5 : Advice of Charge (AoC)
Service n°6 : Capability Configuration Parameters (CCP)
Service n°7 : PLMN selector
Service n°8 : RFU
Service n°9 : MSISDN
Service n°10: Extension1
Service n°11: Extension2
Service n°12: SMS Parameters
Service n°13: Last Number Dialled (LND)
Service n°14: Cell Broadcast Message Identifier
Service n°15: Group Identifier Level 1
Service n°16: Group Identifier Level 2
Service n°17: Service Provider Name
Service n°18: Service Dialling Numbers (SDN)
Service n°19: Extension3
Service n°20: RFU
Service n°21: VGCS Group Identifier List (EFVGCS and EFVGCSS)
Service n°22: VBS Group Identifier List (EFVBS and EFVBSS)
Service n°23: enhanced Multi-Level Precedence and Pre-emption Service
Service n°24: Automatic Answer for eMLPP
Service n°25: Data download via SMS-CB
Service n°26: Data download via SMS-PP
Service n°27: Menu selection
Service n°28: Call control
Service n°29: Proactive SIM
Service n°30: Cell Broadcast Message Identifier Ranges
Service n°31: Barred Dialling Numbers (BDN)
Service n°32: Extension4
Service n°33: De-personalization Control Keys
Service n°34: Co-operative Network List
Service n°35: Short Message Status Reports
Service n°36: Network's indication of alerting in the MS
Service n°37: Mobile Originated Short Message control by SIM
Service n°38: GPRS
Service n°39: Image (IMG)
Service n°40: SoLSA (Support of Local Service Area)
Service n°41: USSD string data object supported in Call Control
Service n°42: RUN AT COMMAND command
Service n°43: User controlled PLMN Selector with Access Technology
Service n°44: Operator controlled PLMN Selector with Access Technology
Service n°45: HPLMN Selector with Access Technology
Service n°46: CPBCCH Information
Service n°47: Investigation Scan
Service n°48: Extended Capability Configuration Parameters
Service n°49: MExE
Service n°50: Reserved and shall be ignored
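The service numbers in both lists index the bits of the card's service table file, so as an added example (not from the blog post) the Python below decodes raw service-table bytes back to these numbers. The bit layouts are those of the files the lists come from: EF_UST (3GPP TS 31.102) with one bit per service, and EF_SST (GSM 11.11) with two bits per service (allocated and activated); the sample bytes and the name subsets are constructed here.

```python
# Added example, not from the blog post: decode raw service-table bytes into the
# service numbers listed above. Bit layouts per the standards the lists index:
#   EF_UST (3GPP TS 31.102): one bit per service; service n is bit ((n-1) mod 8)+1
#                            of byte ((n-1) div 8)+1, set means available.
#   EF_SST (GSM 11.11):      two bits per service, b1 allocated and b2 activated,
#                            so four services per byte.
# Sample bytes are constructed.

# Subsets of the two lists above, enough to label the sample bytes.
USIM_SERVICES = {
    1: "Local Phone Book", 2: "Fixed Dialling Numbers (FDN)",
    10: "Short Message Storage (SMS)", 11: "Short Message Status Reports (SMSR)",
    12: "Short Message Service Parameters (SMSP)", 21: "MSISDN",
    33: "shall be set to '1'",
}
SIM_SERVICES = {
    1: "CHV1 disable function", 2: "Abbreviated Dialling Numbers (ADN)",
    3: "Fixed Dialling Numbers (FDN)", 4: "Short Message Storage (SMS)",
    5: "Advice of Charge (AoC)", 13: "Last Number Dialled (LND)",
}


def usim_services(ust: bytes) -> set:
    """Return the set of service numbers whose bit is set in EF_UST."""
    available = set()
    for i, byte in enumerate(ust):
        for bit in range(8):
            if (byte >> bit) & 1:
                available.add(i * 8 + bit + 1)
    return available


def sim_services(sst: bytes) -> dict:
    """Return {service number: (allocated, activated)} for every service in EF_SST."""
    status = {}
    for i, byte in enumerate(sst):
        for k in range(4):
            allocated = bool((byte >> (2 * k)) & 1)
            activated = bool((byte >> (2 * k + 1)) & 1)
            status[i * 4 + k + 1] = (allocated, activated)
    return status


def usable_sim_services(sst: bytes) -> set:
    """A 2G service is only usable when it is both allocated and activated."""
    return {n for n, (alloc, activ) in sim_services(sst).items() if alloc and activ}


def describe(numbers, names) -> list:
    """Render service numbers with the names from the lists above where known."""
    return ["Service n°%d: %s" % (n, names.get(n, "(see list above)"))
            for n in sorted(numbers)]


# Constructed sample EF_UST: services 1, 2, 10, 11, 12 and the mandatory service 33.
SAMPLE_UST = bytes.fromhex("030E000001")
# Constructed sample EF_SST: services 1 and 3 allocated+activated, 5 allocated only.
SAMPLE_SST = bytes.fromhex("3301")

if __name__ == "__main__":
    for line in describe(usim_services(SAMPLE_UST), USIM_SERVICES):
        print(line)
    for line in describe(usable_sim_services(SAMPLE_SST), SIM_SERVICES):
        print(line)
```

A USIM whose EF_UST does not have service 33 set, or a 2G SIM whose EF_SST shows a service allocated but not activated, is worth noting in the examination record.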

Saturday, June 05, 2010

MTEdipl Diplomas

For registered students and those going through the process of registering for the Diplomas for the start of the September 2010 intake:

Three Months Notice (June/July/August): advance reading to help you prepare for the distance learning and self study. The following book comes highly recommended and will help you with setting your objectives, particularly for the research and study modules for each Diploma.

LITERATURE:

Skills for Success, The Personal Development Planning Handbook
Author: Stella Cottrell
Paperback: 312 pages
Publisher: Palgrave Macmillan (2 May 2003)
Language: English
ISBN-10: 1403911320

Amazon link:
http://www.amazon.co.uk/Skills-Success-Personal-Development-Planning/dp/1403911320

Tuesday, May 25, 2010

Diplomas: MTEdipl Syllabus and Student Handbook

The distance learning and self-study Diplomas: Mobile Telephone Evidence (MTEdipl) Syllabus and Student Handbook is now available for download:

http://www.4shared.com/document/7XHHJ1Ru/MTEdipl_Cata20.html

Friday, April 16, 2010

Mobile Telephone Examination Charges

Given the changing economic climate I have now assembled a team of examiners, and with flexible charges starting from:

£15.00 per hour

With more complex handsets up to £80.00 per hour.

MTEB-Examiners - for all your mobile telephone examination needs.

Genuine enquiries to: MTEBmembers@gmail.com

Saturday, March 06, 2010

Google says PC will be irrelevant in 3 years

Interesting article in The Register:

http://www.theregister.co.uk/2010/03/05/google_says_pc_will_be_irrelevant_in_three_years/


I can see where Google is coming from, because I have similar thoughts about how mobile phones and SIM/USIM cards, as devices, are making significant inroads in providing functions and features traditionally provided by computers. This is another area that is forcing change on the work we do, and why I believe we cannot afford to rest on any laurels we think we may have in our field of distinction, and must move as quickly as is reasonably practicable to generate Certified/Validated tools.

Wednesday, February 03, 2010

MNO & VMNO SIM Cards

If everyone can email to me (trewmte@gmail.com) a photo image of any MNO or VMNO SIMs complete in ISO Card (ID-1 card) then it could be helpful when dealing with examinations.

This thread is also posted at:
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=4516

The image below is a Lyca Mobile SIM Card, but embossed on the ID-1 card are the Mobile Telephone Number (MTN) and PUK Code on the front of the card. It would appear from other SIM examiners that I have spoken to that the MTN and PUK Code are commonly found on VMNO SIM Cards. Maybe MNOs ought to think about giving the PUK up front too, as there appears to be no objection to the VMNOs doing it.

Tuesday, January 19, 2010

Location Area Codes (LAC)

The desire to create databases containing MCC/MNC/LAC/CellID may seem a good idea, but it might produce inaccurate or erroneous results depending upon the way in which the information is used. It is known that LACs (and CellIDs for that matter) change, and therefore such a database becomes out of date fairly quickly.

LACs change for various reasons. Heavy paging load, or many LACs under one BSC causing frequent location updates, are just two examples of why LAC dimensioning is commonly implemented. The outcome of dimensioning can require reprogramming the BSC (GSM) / RNC (WCDMA) for each cell, and moreover reprogramming at the MSC. On some occasions re-parenting at the MSC may be required, which in turn requires re-programming LACs. Cell shapes, sizes and traffic capacity can also have changed since the material time.

Unlike MCCs and MNCs, LACs are not published. LAC identifiers can be assigned by the network operator. It is essential, as with all broadcast data, to understand what the data mean and their relevance to mobile telephone evidence.

The Location Area Code (LAC) is a fixed-length code (of 2 octets) identifying a location area within a GSM PLMN. This part of the location area identification can be coded using a full hexadecimal representation, except for the following reserved hexadecimal values:

0000 and FFFE

These reserved values are used in some special cases when no valid LAI exists in the MS.

The Location Area Identification is a type 3 information element with a length of 6 octets.

    8   7   6   5     4   3   2   1
  +-----------------------------------+
  | Location Area Identification IEI  | octet 1
  +-----------------+-----------------+
  |   MCC digit 2   |   MCC digit 1   | octet 2
  +-----------------+-----------------+
  |   MNC digit 3   |   MCC digit 3   | octet 3
  +-----------------+-----------------+
  |   MNC digit 2   |   MNC digit 1   | octet 4
  +-----------------+-----------------+
  |                LAC                | octet 5
  +-----------------------------------+
  |          LAC (continued)          | octet 6
  +-----------------------------------+

Figure 10.5.3: Location Area Identification information element


Table 10.5.3: Location Area Identification information element

MCC, Mobile country code (octet 2 and 3)
The MCC field is coded as in CCITT Rec. E212, Annex A.

If the LAI is deleted the MCC and MNC shall take the value from the deleted LAI.

In abnormal cases, the MCC stored in the mobile station can contain elements not in the set {0, 1 ... 9}. In such cases the mobile station should transmit the stored values using full hexadecimal encoding. When receiving such an MCC, the network shall treat the LAI as deleted.

MNC, Mobile network code (octet 3 bits 5 to 8, octet 4)
The coding of this field is the responsibility of each administration but BCD coding shall be used. The MNC shall consist of 2 or 3 digits. For PCS 1900 for NA, Federal regulation mandates that a 3-digit MNC shall be used. However a network operator may decide to use only two digits in the MNC in the LAI over the radio interface. In this case, bits 5 to 8 of octet 3 shall be coded as "1111". Mobile equipment shall accept LAI coded in such a way.

Note 1: In earlier versions of this protocol, the possibility to use a one digit MNC in LAI was provided on the radio interface. However as this was not used this possibility has been deleted.

Note 2: In earlier versions of this protocol, bits 5 to 8 of octet 3 were coded as "1111". Mobile equipment compliant with these earlier versions of the protocol may be unable to understand the 3-digit MNC format of the LAI, and therefore unable to register on a network broadcasting the LAI in this format.

In abnormal cases, the MNC stored in the mobile station can have
- digit 1 or 2 not in the set {0, 1 ... 9}, or
- digit 3 not in the set {0, 1 ... 9, F} hex.
In such cases the mobile station shall transmit the stored values using full hexadecimal encoding. When receiving such an MNC, the network shall treat the LAI as deleted.

The same handling shall apply for the network, if a 3-digit MNC is sent by the mobile station to a network using only a 2-digit MNC.

LAC, Location area code (octet 5 and 6)
In the LAC field bit 8 of octet 5 is the most significant bit and bit 1 of octet 6 the least significant bit.

The coding of the location area code is the responsibility of each administration except that two values are used to mark the LAC, and hence the LAI, as deleted. Coding using full hexadecimal representation may be used. The location area code consists of 2 octets.

If a LAI has to be deleted then all bits of the location area code shall be set to one with the exception of the least significant bit which shall be set to zero. If a SIM is inserted in a Mobile Equipment with the location area code containing all zeros, then the Mobile Equipment shall recognise this LAC as part of a deleted LAI.
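As an added example (not part of the original post), the Python below encodes and decodes the value part of the LAI information element exactly as the figure and table above lay it out: nibble-swapped BCD for MCC/MNC, the "1111" filler in octet 3 for a 2-digit MNC, the 16-bit LAC, and the deleted-LAI rules (LAC 0000 or FFFE, or non-BCD digits). The IEI in octet 1 is left out because it depends on the message carrying the element; all sample values are constructed.

```python
# Added example, not from the blog post: encode/decode octets 2..6 of the Location
# Area Identification IE as described in Figure 10.5.3 / Table 10.5.3 above.
# Sample MCC/MNC/LAC values below are constructed for illustration.

DELETED_LAC = 0xFFFE          # all ones except the least significant bit
DELETED_LACS = {0x0000, DELETED_LAC}


def encode_lai(mcc: str, mnc: str, lac: int) -> bytes:
    """Return the 5-byte LAI value: MCC/MNC as nibble-swapped BCD, LAC big-endian."""
    if len(mcc) != 3 or not mcc.isdigit():
        raise ValueError("MCC must be 3 decimal digits")
    if len(mnc) not in (2, 3) or not mnc.isdigit():
        raise ValueError("MNC must be 2 or 3 decimal digits")
    if not 0 <= lac <= 0xFFFF:
        raise ValueError("LAC must fit in 2 octets")
    c = [int(d) for d in mcc]
    n = [int(d) for d in mnc]
    mnc3 = n[2] if len(n) == 3 else 0xF      # 2-digit MNC: octet 3 bits 5-8 = 1111
    octet2 = (c[1] << 4) | c[0]              # MCC digit 2 | MCC digit 1
    octet3 = (mnc3 << 4) | c[2]              # MNC digit 3 | MCC digit 3
    octet4 = (n[1] << 4) | n[0]              # MNC digit 2 | MNC digit 1
    return bytes([octet2, octet3, octet4]) + lac.to_bytes(2, "big")


def decode_lai(value: bytes) -> dict:
    """Parse 5 LAI bytes and report whether the receiver must treat the LAI as deleted."""
    if len(value) != 5:
        raise ValueError("LAI value part is exactly 5 octets")
    o2, o3, o4 = value[0], value[1], value[2]
    mcc_digits = (o2 & 0xF, o2 >> 4, o3 & 0xF)
    mnc_digits = (o4 & 0xF, o4 >> 4, o3 >> 4)
    lac = int.from_bytes(value[3:5], "big")

    deleted = lac in DELETED_LACS
    # Table 10.5.3: non-BCD MCC digits, MNC digit 1/2 outside 0-9, or MNC digit 3
    # outside 0-9/F all cause the network to treat the LAI as deleted.
    if any(d > 9 for d in mcc_digits) or any(d > 9 for d in mnc_digits[:2]):
        deleted = True
    if mnc_digits[2] > 9 and mnc_digits[2] != 0xF:
        deleted = True

    mcc = "".join("%X" % d for d in mcc_digits)
    mnc = "".join("%X" % d for d in mnc_digits[:2])
    if mnc_digits[2] != 0xF:                 # third digit present
        mnc += "%X" % mnc_digits[2]
    return {"mcc": mcc, "mnc": mnc, "lac": lac, "deleted": deleted}


if __name__ == "__main__":
    sample = encode_lai("234", "15", 0x1A2B)   # constructed UK-style LAI, 2-digit MNC
    print(sample.hex().upper(), decode_lai(sample))
    print(decode_lai(encode_lai("234", "15", DELETED_LAC)))
```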

More on Cell Site Analysis: http://cellsiteanalysis.blogspot.com