IJCSNS International Journal of Computer Science and Network Security, VOL.18 No.3, March 2018

A Review of Mobile and SIM Forensics Tools

Mohammed Abdul Rahman AlShehri

CCIS, Majmaah University Al Majmaah, Kingdom of Saudi Arabia.

Manuscript received March 5, 2018
Manuscript revised March 20, 2018

Summary
The technological advancements in smartphones and in secure elements make them valuable to the criminal community as secure and tamper-resistant data terminals for conducting organized crime. When smartphones and secure elements are used by criminals in crimes, forensic examiners need tools which allow secure retrieval and prompt examination of the data present on mobile devices and secure elements. A substantial amount of information is stored on a mobile device's internal memory, on external memory modules and on SIM cards, and it plays a vital role as evidence. This paper focusses on the currently available mobile and SIM forensic tools that help in carrying out forensic investigation. Security features of SIMs hamper in many ways the possibility of dumping a bit-for-bit internal memory image. SIM card forensics is a promising area that can provide investigators with a plethora of evidentiary data, given that they have the right knowledge and tools to extract it in a forensically sound manner.

Key words:
Secure elements, SIM Forensics, Smartphones, SIM and SIMbrush

1. Introduction

In April 2004, the number of registered GSM users exceeded one billion [4], about a sixth of the world population. Considering the several hundred million users of non-GSM mobile telephony systems as well, mobile telephony is probably the technology that has penetrated our lives most deeply: people carry mobile phones with them for most everyday purposes, such as communicating with others, and they carry them even when they are acting illegally. From a forensic sciences point of view, there is nothing better to confirm evidence than a clear, impartial, non-contradictory and truthful witness. These are exactly the characteristics of digital evidence extracted from a SIM card by means of a forensically sound process. Despite the huge advantages investigations could gain from such digital evidence, only a very small number of tools exists that can help investigators in their job. SIMbrush is a new forensic imaging tool for SIM/USIM cards. It is an open source tool which caters to the needs of SIM forensics. The advantages of this tool are:
a) It interfaces with the SIM/USIM card in a standard way, without discriminating based on the manufacturer, the issuer or the provider of the card.
b) It retrieves hidden information from non-standard files.
c) Many instances can be executed in parallel within the same system without overloading the system.
d) The output generated by this tool is in textual XML format, which helps for the purpose of archiving and for Web integration.
The limitations of this tool are:
a) The time consumed for brushing a SIM/USIM is considerable.
b) It cannot extract the body of files with ADM or NEV access conditions.

2. SIM Features

Smart cards are standardized by ISO. SIMs are contact (as opposed to contactless) smart cards, specified in [10]. It is impossible to obtain a bit-for-bit image of a SIM card if digital integrity is a constraint; the SIMbrush tool does not guarantee to extract all the data from the SIM card, but it can be very useful in real investigative processes. All existing SIMs are a subset of existing smart cards. The main concern of smart card design is the security of the data stored in the SIM. The term "security" can be broken down into four basic properties: confidentiality, authentication, non-repudiation and integrity. The SIM being a smart card, these requisites are used to accomplish the following tasks:
Confidentiality: the client's confidentiality must be ensured by encrypting voice and data that transit Over The Air (OTA). The cryptographic keys are implemented in the SIM.
Authentication: no unauthorized client can access the system. The authentication keys reside in the SIM.
Non-repudiation: no one should be able to access the signing keys without proper authentication, i.e. without compromising the private key.
Integrity: no one should be able to tamper with or modify data that is protected. Many protections aimed at this target are implemented in smart cards and SIM cards.
A smart card is considered tamper resistant, so it is not easy to access data on the smart card without proper authentication. From a forensics perspective we can

conclude that we cannot use tools that require physical manipulation, so the SIMbrush tool does not make use of any "black hat" methods; instead, it interfaces with the SIM in the standard way. This tool only tries to extract data from the filesystem. A smart card's filesystem is stored in an internal EEPROM as a hierarchical tree structure whose root is the Master File (MF). There are two classes of files: directories, called Dedicated Files (DF), and files, called Elementary Files (EF). These can be regarded as the nodes and leaves of a tree, respectively. The MF is a DF. The main difference between a DF and an EF is that a DF contains only a header, whereas an EF contains a header and a body. The header contains all the control data, or metadata, that quantitatively relates the file to the structure of the filesystem (available space under a DF, number of direct children, length of a record, etc.) together with security information, whereas the body contains information related to the application for which the smart card has been issued. The body structure has four types of EF, listed below:
Transparent EF: the file is organized as a sequence of bytes. The content can be read by specifying a numeric interval.
Linear-fixed EF: a record is a group of bytes that has a known coding; every record of the same file represents the same kind of information. The record, instead of the byte, is the unit of the file. All the records in a linear-fixed EF have the same length.
Linear-variable EF: similar to a linear-fixed EF with one exception, i.e. the record length may vary from one record to the other.
Cyclic EF: cyclic EF files implement a circular buffer whose atomic unit is a record. Therefore, the concepts of first and last are replaced by those of previous and next.
SIM cards only implement transparent, linear-fixed and cyclic EFs. Every file is uniquely identified by its ID, which is the name of the file; no two files have the same ID. The operations allowed on the filesystem are coded into a set of commands that the interface device (IFD), i.e. the device capable of interfacing with a smart card and setting up a communication session, issues to the smart card, and then waits for the responses.

3. Literature Survey

SIM forensics is still in its infancy due to the extensive in-depth knowledge and expertise required; hence, previous research efforts are limited, to the best of the author's knowledge. There have been some pioneering attempts that have paved the way for SIM forensics, which are summarized below. Using the GSM 11.11 Technical Specification, Willassen (2003) focused on the subscriber's sensitive information that can be extracted from a SIM card. He identified 21 extractable items and demonstrated how the GSM mobile telephone system can play a significant role in forensic examination. Highlighting the challenges in the field of digital forensics, Savoldi and Gubian (2007) provided a proof of concept regarding the possibility of data hiding in a SIM/USIM card through various techniques, which are widespread due to the absence of a non-standard part in the SIM/USIM memory image. Cilardo, Mazzocca, and Coppolino proposed a unified architecture, "TrustedSIM," inherently relying on a subscriber's identification module (SIM) as its core component. This, according to them, was due to the tamper-resistant domain and flexible multiplication environment that could manage users' security profiles. Given the above potential data that could be transformed into forensically sound evidence, general forensic examination tools were used to extract and recover these data. Jansen and Ayers (2006) demonstrated that some of these tools, however, may yield inaccurate results because they were not specifically designed for SIM card forensics. This inefficiency may also be attributed to a programming error, the use of an incorrect protocol, or an out-of-date specification that might lead to improper functionality. Casadei et al. (2006), on the other hand, experimented with an open-source SIM-specific forensic tool instead of commercial, proprietary and restricted software. The researchers presented their SIMbrush tool analysis by conducting an experiment to extract all observable memory and non-standard files of the SIM card.

4. Forensics Tools

The number of forensic tools for smart phones is very small compared with personal computers, owing to the different operating systems, hardware architectures and manufacturers' product lines (e.g. Palm OS, Windows CE and others). Some forensic tools provide all the functionalities comprising acquisition, examination and reporting (Paraben, 2006), but other tools focus on a single function such as SIM forensics, external memory modules (CF, SD, MMC and others) or the phone itself (Ayers, 2004, 2006). Forensic tools can use many interfaces (e.g., Bluetooth, IrDA, serial cable and USB) to acquire device contents. The information retrieved by the tools depends on the tool's specification and on the vendor's hardware and software compatibility. The most common data available are PIM data, call logs, messages, email, URLs (Uniform Resource Locators), video, audio, images and SIM data. So, in order to retrieve all the data from mobile phones, the tools can be sub-categorized as follows:
a) Handset based Tools
b) Operating System Based Tools

c) SIM based Tools
The setup for the experiment required the arrangement of a mobile device and a SIM card reader. We prepared two mobile devices, an Apple iPhone 4s and a Samsung Galaxy SIII, that included an Etisalat and a DU SIM card, respectively, in addition to an external SIM card reader. The selection of two different service providers was made to investigate the difference, if any, between the various service providers. To complete the setup for the experiment, data creation was required on both mobiles, such as saving user data (i.e., contacts) to the SIM card. For the iPhone, this was not directly possible because, by default, the iPhone does not support saving to the SIM card. The authors had to manually move the SIM card to another mobile device that supports this feature (a Nokia device). The authors additionally set up various social media accounts, i.e., Facebook, Instagram, Dropbox, etc., and created dummy user data on them. For our experiments, we planned to explore both commercial and open source tools. The following tools were chosen for comparison due to their support of SIM card forensic investigations:
EnCase Forensics: From Guidance Software, EnCase is a tool widely used in the digital forensics field. EnCase's Smartphone Examiner module collects information from different smart devices, from SIM card readers, or through device backups.
MOBILedit: a mobile forensic tool that not only provides viewing, searching, or retrieval from a phone, but also retrieves information such as IMEI, OS, and firmware, and SIM card details such as IMSI, ICCID, and location area information.
Mobile Phone Examiner: MPE from AccessData includes enhanced smart device acquisition and analysis capabilities. With the integration of nFIELD, it provides forensic mobile device data collection that supports both USIM and SIM acquisition, with reporting abilities.
Oxygen Forensic Suite: Oxygen is developed by Oxygen Software Company and performs digital forensic analysis of smartphones through the use of proprietary protocols.
Paraben SIM Card Seizure: SIM Card Seizure is a tool from Paraben Corporation that performs a forensic SIM card acquisition and analysis, with the ability to recover deleted text messages from SIM cards.
pySIM: This open forensic tool is from TULP2G and is used for extracting and decoding data stored within electronic devices.
SIMBrush: An open-source tool which can be used to extract all observable memory from SIM/USIM cards.
SIMScan: This forensic tool is an open-source toolkit used to recover SIM card information by downloading the binary contents of individual files and storing them as individual files.

Table 1: Handset Based Tools Comparisons (Ayers, 2004, 2006)
Name               | Function                               | Features
Pilotlink          | Acquisition                            | a) Targets Palm OS phones; b) Open source non-forensic software; c) No support for recovering SIM information; d) Supports only cable interface
Device Seizure     | Acquisition, Examination and Reporting | a) Targets certain models of GSM, TDMA and CDMA phones with Palm OS, Pocket PC and RIM OS; advanced device examination and handheld device support; b) Supports data recovery of internal and external memory; c) Supports cable, Bluetooth, and IR interfaces
GSM XRY            | Acquisition, Examination and Reporting | a) Targets certain models of GSM phones; b) Supports recovery of internal and external SIM; c) Supports cable, Bluetooth, and IR interfaces
Oxygen PM          | Acquisition, Examination and Reporting | a) Targets certain models of GSM phones (forensic); b) Supports only internal SIM acquisition
MOBILedit! Forensic| Acquisition, Examination and Reporting | a) Targets certain models of GSM phones; b) Internal and external SIM support; c) Supports cable and IR interfaces
BitPIM             | Acquisition and Examination            | a) Targets certain models of CDMA phones; b) Open source software with write-blocking BitPIM capabilities; c) No support for recovering SIM information
TULP2G             | Acquisition and Reporting              | a) Targets GSM and CDMA phones that use supported protocols to establish connectivity; b) Internal and external SIM support; c) Requires a PC/SC-compatible smart card reader for external SIM cards; d) Cable, Bluetooth, and IR interfaces supported

UFED Cellebrite: This forensic tool accesses mobile data and exposes every segment of a device's memory using advanced logical, file system, and physical extractions. Additional features of this tool include in-depth decoding, analysis, and reporting.
USIMdetective: This forensic tool is from Quantaq Solutions and is designed especially for the management of

the complex data storage mechanisms found in smart cards.
XRY: A comprehensive digital forensics examination tool used for mobile devices. Besides its ability to grab mobile information, XRY also retrieves specific SIM card information. XRY Viewer is an easy-to-use tool for viewing and accessing retrieved data.
Different tools provide different acquisition techniques. With respect to the abovementioned tools, some of them acquire SIM card information through phone acquisitions, like EnCase, MOBILedit, Oxygen, and UFED, while others provide the acquisition of SIM cards through a SIM card reader, like EnCase, SIM Card Seizure, SIM Manager, USIMDetective, and XRY.

Table 2: OS Based Tools Comparisons (Ayers, 2004, 2006)
Tool           | Palm OS                                | Pocket PC                              | Linux
Device Seizure | Acquisition, Examination and Reporting | Acquisition, Examination and Reporting | -
Pilot Link     | Acquisition                            | -                                      | -
Encase         | Acquisition, Examination and Reporting | -                                      | Examination and Reporting

Table 3: SIM Based Tools Comparisons (Ayers, 2004, 2006)
Name                 | Function                               | Features
Device Seizure       | Acquisition, Examination and Reporting | External/internal SIM cards (direct/indirect)
USIMDetective        | Acquisition, Examination and Reporting | External SIM cards only (direct)
TULP2G               | Acquisition and Reporting              | Recovers information from the SIM card when inserted in the handset (no direct SIM support)
GSM XRY              | Acquisition, Examination and Reporting | Recovers information from the SIM card when inserted in the handset (no direct SIM support)
MOBILedit! Forensic  | Acquisition, Examination and Reporting | Recovers information from the SIM card when inserted in the handset (no direct SIM support)
SIMIS                | Acquisition, Examination and Reporting | External SIM cards only (direct)
ForensicSIM          | Acquisition, Examination and Reporting | External SIM cards only (direct); produces physical facsimiles of the SIM for prosecutor and defense, and as a storage record
Forensic Card Reader | Acquisition and Reporting              | External SIM cards only (direct)
SIMCon               | Acquisition, Examination and Reporting | External SIM cards only (direct)

5. Conclusion

This paper focusses on the currently available mobile and SIM forensic tools that help in carrying out forensic investigation. Security features of SIMs hamper in many ways the possibility of dumping a bit-for-bit internal memory image. SIM card forensics is a promising area that can provide investigators with a plethora of evidentiary data, given that they have the right knowledge and tools to extract it in a forensically sound manner. Currently, over-the-counter tools are generally built to aid examiners in analyzing the mobile phone as a whole unit, neglecting the fact that some vital information is often left out in smaller modules (i.e., the Subscriber Identity Module). Some of the tools used in this paper's experiment did yield vital information regarding the subscriber, but further development is needed to ensure the reliability of the information gathered. Knowledge of the tools' strengths and limitations helps investigators develop in-depth expertise on the right tool to use in different situations. Forensic examiners are advised not to rely solely on one tool and to opt instead to cross-validate findings. SIM card forensics remains a promising realm for future research, covering the SIM card file system and data acquired in raw (binary) format that represents digital evidence.

References
[1] Ayers, R. & Jansen, W. (2006). 'Forensic Software Tools for Cell Phone Subscriber Identity Modules'. National Institute of Standards and Technology.
[2] Ayers, R. & Jansen, W. (2004). 'Guidelines on PDA Forensics'. National Institute of Standards and Technology (NIST Special Publication 800-72).
[3] Ayers, R. & Jansen, W. (2004). 'PDA Forensic Tools: An Overview and Analysis'. National Institute of Standards and Technology (NISTIR 7100).
[4] GSM Association: "Membership & Market Statistics as at the End of March 2004", GSM Association, 2004. Downloadable at http://gsmworld.com/news/statistics/pdf/mar04.pdf.
[5] Casadei, F., Savoldi, A., & Gubian, P. (2006). Forensics and SIM cards: An Overview. International Journal of Digital Evidence, 5(1), 1-21.
[6] Jansen, W., & Ayers, R. (2006). Forensic software tools for cell phone subscriber identity modules. In Proceedings of the Conference on Digital Forensics, Security and Law (pp. 93-106).
[7] Savoldi, A., & Gubian, P. (2007). SIM and USIM filesystem: A forensics perspective. In Proceedings of the 2007 ACM Symposium on Applied Computing (pp. 181-187). ACM.
[8] Savoldi, A., & Gubian, P. (2007). Data Hiding in SIM/USIM Cards: A Steganographic Approach. In Systematic Approaches to Digital Forensic Engineering, 2007. SADFE 2007. Second International Workshop (pp. 86-100), 10-12 April 2007.
[9] Willassen, S. (2003). Forensics and the GSM mobile telephone system. International Journal of Digital Evidence, 2(1), 1-17.
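As an added illustration of the filesystem model described in Section 2 (this is constructed example code, not code from the paper, from SIMbrush or from any tool it surveys), the following Python sketch models an MF/DF/EF tree with the transparent, linear-fixed and cyclic EF structures that SIM cards implement, and runs a read-only traversal that records every header, dumps bodies only for files readable through the standard interface (ADM/NEV bodies are withheld), rejects duplicate file IDs, and emits the result as XML. All file IDs other than the 3F00 master file, the contents and the access conditions are constructed.

```python
# Toy model of the SIM filesystem in Section 2 (MF/DF/EF tree and the three EF
# structures SIM cards implement) plus a read-only "brush" over it. Constructed
# example for illustration; it is not SIMbrush or any other tool from the paper.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Union
from xml.etree import ElementTree as ET

# Bodies of files whose read condition is ADM or NEV cannot be extracted through
# the standard interface; only ALW bodies are dumped. Headers are always read.
READABLE = {"ALW"}

@dataclass
class EF:
    fid: str                 # file ID: the unique "name" of the file
    structure: str           # "transparent", "linear-fixed" or "cyclic"
    read_access: str         # "ALW", "ADM" or "NEV"
    body: bytes = b""        # transparent EF: one sequence of bytes
    records: List[bytes] = field(default_factory=list)  # fixed/cyclic EF
    newest: int = 0          # cyclic EF: slot holding the most recent record

@dataclass
class DF:
    fid: str
    children: List[Union["DF", EF]] = field(default_factory=list)

def header(node: Union[DF, EF]) -> Dict[str, str]:
    # Header metadata (structure, sizes, security info) an IFD can obtain for
    # every file, whether or not the body is readable.
    if isinstance(node, DF):
        return {"type": "DF", "children": str(len(node.children))}
    h = {"type": "EF", "structure": node.structure, "read": node.read_access}
    if node.structure == "transparent":
        h["size"] = str(len(node.body))
    else:
        h["records"] = str(len(node.records))
        h["record_len"] = str(len(node.records[0]) if node.records else 0)
    return h

def read_binary(ef: EF, offset: int, length: int) -> bytes:
    # Transparent EF: content is read by specifying a numeric interval.
    if ef.structure != "transparent" or offset < 0 or offset + length > len(ef.body):
        raise ValueError("interval outside file")
    return ef.body[offset:offset + length]

def cyclic_records(ef: EF) -> List[bytes]:
    # Cyclic EF: a ring of records with no first/last, only previous/next.
    # Walk backwards from the newest slot so index 0 is the most recent entry.
    if ef.structure != "cyclic":
        raise ValueError("not a cyclic EF")
    n = len(ef.records)
    return [ef.records[(ef.newest - i) % n] for i in range(n)]

def brush(node: Union[DF, EF], seen: Optional[Set[str]] = None) -> ET.Element:
    # Depth-first traversal that issues only read operations and emits XML.
    # Every file must have a distinct ID, so a repeated ID is treated as an error.
    seen = set() if seen is None else seen
    if node.fid in seen:
        raise ValueError(f"duplicate file ID {node.fid}")
    seen.add(node.fid)
    el = ET.Element("file", fid=node.fid, **header(node))
    if isinstance(node, DF):
        for child in node.children:
            el.append(brush(child, seen))
    elif node.read_access in READABLE:
        if node.structure == "transparent":
            ET.SubElement(el, "body").text = read_binary(node, 0, len(node.body)).hex()
        else:
            recs = cyclic_records(node) if node.structure == "cyclic" else node.records
            for i, rec in enumerate(recs, 1):
                ET.SubElement(el, "record", n=str(i)).text = rec.hex()
    return el

def brush_to_xml(root: DF) -> str:
    return ET.tostring(brush(root), encoding="unicode")

# Constructed sample card; IDs (other than the 3F00 master file), contents and
# access conditions are illustrative only.
SAMPLE_MF = DF("3F00", [
    EF("2F01", "transparent", "ALW", body=bytes.fromhex("98101234567890")),
    DF("7F01", [
        EF("6F01", "transparent", "ADM", body=bytes.fromhex("0123456789")),
        EF("6F02", "linear-fixed", "ALW", records=[b"\x41\x42", b"\x43\x44"]),
        EF("6F03", "cyclic", "ALW", records=[b"\x01", b"\x02", b"\x03"], newest=1),
    ]),
])
```

Calling brush_to_xml(SAMPLE_MF) yields one XML file element per node, with the 6F01 element carrying its header attributes but no body.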

Mohammed Abdul Rahman AlShehri is working as Vice Dean for Academic Affairs in CCIS, Majmaah University Al Majmaah, Kingdom of Saudi Arabia. His research interests include computer networks and applications, e-services, e-learning, IS, and mobile applications. He can be reached at ma.alshehri@mu.edu.sa