On GSM, LTE and 5G phones, there is at least a Subscriber Identity Module (SIM) card slot, which may be located under the battery. The SIM card may be branded with the name of the network to which the SIM is registered.
Also located on the SIM card is the Integrated Circuit Card Identification (ICCID), which is an 18- to 20-digit number (10 bytes) that uniquely identifies each SIM card. The ICCID number is tied to the International Mobile Subscriber Identity (IMSI), which is typically a 15-digit number (56 bits) consisting of three parts, including the Mobile Country Code (MCC; 3 digits), Mobile Network Code (MNC; generally 3 digits in India, Malaysia, a lot of the Caribbean and South America, and several other countries; may be 2 digits as well),1 and Mobile Station Identification Number (MSIN; 9 digits in the U.S. and Canada, and 10 digits elsewhere), which are stored electronically within the SIM. The IMSI can be obtained either through analysis of the SIM or from the carrier.2, 3
References:
[1] https://for585.com/b-imd (Wikipedia entry for Mobile Country Code)
[2] https://for585.com/shafik
[3] https://for585.com/c3jki (Images)
The Universal Integrated Circuit Card (UICC) is the smart card that runs applications for devices to function. For example, the SIM is simply an application running on a UICC. As you know, multiple applications can run on a single device or SIM. It is not common, but more than one SIM can reside on a UICC. These are often referred to as SIM stackers. Most individuals never use the term UICC, but instead simply refer to the card as a SIM. SIM cards can range in size from 16 KB to 1+ GB.
SIM (Subscriber Identity Module) cards are smart cards used by Network Service Providers (NSPs) to authenticate the user to a network. A variety of mobile device technologies use SIM cards in different manners. For example, GSM phones won’t power on for specific handsets unless the device can function due to the use of Wi-Fi when the device is missing the SIM card.
Universal Mobile Telecommunications System (UMTS), otherwise nicknamed "world phones", featuring 3G, 4G, and LTE requires a SIM card to authenticate users to the network. A good example of a UMTS device is a Verizon iPhone 4s. The Verizon iPhone 4s contains a micro-SIM. This differs from the Verizon iPhone4, which is strictly CDMA and does not contain a SIM card.
The authentication key (Ki) is not copied during a forensic acquisition. Ki is used to authenticate the SIM on the GSM network. This key is unique for each SIM card. NOTE: Ki has been known to be decrypted by certain applications and groups. Once a network senses that two devices are using two SIM cards with the same Ki, both are disabled. Although you won't learn how to decrypt and capture Ki in this course, it doesn't mean it hasn't been done before.
The Removable User Identity Module (R-UIM) is a SIM card that was designed for CDMA handsets. This is commonly seen in China and is used by China Unicom.
Remember, the SIM card is not an SD card. They are completely different components of smart devices. For UICCs, the easiest thing to remember is that GSM devices use SIM cards, and CDMA devices use R-UIM. Forensic acquisition of R-UIM devices is not supported by all the commercial tools supporting SIM cards. A great tool for R-UIM devices is the SIMIS 3G kit from Teel Technologies.
SIM cards essentially have two sections of information. The first is the system area, which cannot be locked by a user PIN. The second is the data area, which contains the user data, including the contacts, dialed calls, and SMS messages. Deleted SMS messages are commonly recovered from SIM cards.
The system area contains the following equipment identifiers of interest:
• Integrated Circuit Card ID (ICCID): An 18-digit number with a single check digit, which assists in error detection. This number is essentially the serial number of the SIM card. The ICCID is sometimes printed on the external side of the SIM card and is always stored internally on the media. Most forensic kits acquire this data, even on locked SIM cards.
Here is an example of an ICCID with a detailed explanation of the numbering:
8996430671601871055 – 19-digit ICCID (18 digits + one single check digit)
89 96 43 0671 60 187105 5
89:
Represents the Telecom ID
96:
Represents the country code
43:
Represents the network code
0671:
Represents the month and year of manufacturing
60:
Represents the switch configuration code
187105:
Represents the SIM number
5:
Represents the check digit
A tool such as https://www.numberingplans.com/ offers SIM analysis tools, which can assist the examiner in identifying the components listed. Understanding each chunk of the ICCID makes verifying the results from www.numberingplans.com, or your forensic tool, much easier.
• International Mobile Subscriber Identity (IMSI): Used by the NSP to identify the device and the subscriber on handsets. The IMSI is normally 15–16 digits but can be shorter, depending on the NSP.
Here
is an example of an IMSI with a detailed breakdown:
3101501234567892
– IMSI
310 150 1234567892
310:
Represents the Mobile Country Code (MCC)
150:
Represents the Mobile Network Code (MNC) (two digits used for European Standard
and other countries who don’t use three digits, three digits used for North American
Standard, India, the Caribbean, and South America); this number is the SIM
card’s home network
1234567892:
Represents the 10-digit Mobile Subscriber Identification Number (MSIN), which
is the unique ID for the subscriber
• Mobile Subscriber Integrated Services Digital Network Number or Mobile Station International Subscriber Directory Number (MSISDN) (may be interpreted in other manners): Phone number for the handset. This number is not always easy to recover because users often are required to save their own phone numbers to the SIM card or the handset. The MSISDN is not hard-coded to the device by the NSP.
• Network Service Provider (NSP)
The file structure of a SIM card contains master files (MFs), dedicated files (DFs), and elementary files (EFs). Every SIM card must contain at least one MF, which is the root directory of the file system. The MF folder contains the DF and EF. The DFs are directories that contain elementary files. The EFs are containers storing user data. As shown above, an EF can fall directly under a MF.
The
hexadecimal representation of the first byte of the SIM directories is:
3F
= Master file
7F
= Dedicated file
2F
= Elementary file under the master file
6F
= Elementary file under a dedicated file
For
example, the DFTelecom contains several EFs. These EFs are comprised of user
data, such as the phone number, contacts, SMS, and dialed calls. Each category
of data is assigned to an individual EF. A further explanation of this is
3F00
= Master file
7F10
= DFTelecom
6F40
= EF MSISDN
6F3A
= EF ADN
6F3C
= EF SMS
6F44
= EF LDN
To further explain this example, the MF containing the Telecom DF contains four EFs. The EF MSISDN (Mobile Station International Subscriber Directory Number) contains the phone number for the SIM card. The EF ADN (Abbreviated Dialing Number) contains the contacts for the SIM card. The EF SMS contains the SMS message communications. Deleted SMS messages may reside here and should be recovered for forensic examination. Finally, the EF LDN (Last Dialed Number) is comprised of the most recent outgoing calls. Only outgoing calls are tracked on SIM cards.