Abstract
This chapter is aimed at introducing SIM and USIM card forensics, which pertains to the Small Scale Digital Device Forensics (SSDDF) (Harril, & Mislan, 2007) field. Particularly, we would like to pinpoint what follows. First, we will introduce the smart card world, giving a sufficiently detailed description regarding the main physical and logical main building blocks. Then we will give a general overview on the extraction of the standard part of the file system. Moreover, we will present an effective methodology to acquire all the observable memory content, that is, the whole set of files which represent the full file system of such devices. Finally, we will discuss some potential cases of data hiding at the file system level, presenting at the same time a detailed and useful procedure used by forensics practitioners to deal with such a problem.
TopPhysical And Logical Description Of A Sim/Usim Card
The purpose of this section is to give an overview on smart cards used in the telecommunications field by detailing the main building blocks, their functions and how they are related to each other. Generally speaking, smart cards belong to the group of identification cards using a ID--1 format formally defined in ISO Standard 7810, Identification Cards -- Physical Characteristics. This standard specifies the physical properties, such as mechanical flexibility and temperature resistance, of four types of cards, namely ID--1, used for banking cards such as ATM (Automatic Teller Machine) cards, credit cards, and debit cards; ID--2, prevalently used for identity documents; ID--3, used worldwide for passports and visas; and finally, ID--000 used for SIM/USIM cards. In Table 1, some technical details regarding these cards are shown.
Table 1. | Type of Card | Size [mm] | Application field |
| ID--1 | 85.60 × 53.98 | banking field |
| ID--2 | 105 × 74 | identity documents |
| ID--3 | 125 × 88 | passports and visas |
| ID--000 | 25 × 15 | SIMs/USIMs |
As stated in the standard reference, a smart card is the youngest and cleverest member of the family of identification cards in the ID--1 format. Among its features there is an embedded integrated circuit within the card, which is aimed at transmitting, storing and processing data for a specific purpose. The central component for such a pervasive embedded system is undoubtedly the microcontroller, whose main purpose is to control and monitor all the card's activities. Usually, for functional security and reliability reasons, a smart card processor is based on a well known platform, which can be optimized in order to provide the right performance and the appropriate level of system security.
As it can be seen in Figure 1, there are several elements to consider in order to describe a smart card at the functional level. Current state-of-the-art microprocessors usually have a RISC (Reduced Instruction Set Computer) 32 bits architecture with emphasis on the security of the system. For instance, the Atmel AT91SC512384RCT microcontroller (Atmel, 2007) is based on the well known ARM SC 100 secure core (ARM, 2003), with a 32-bit instruction set, a Von Neumann Load/Store architecture, a 3-stage pipeline architecture and data types within the range 8--32 bits. From the memory point of view, it has a 512 Kbytes of ROM program memory, 384 Kbytes of EEPROM, including 256 bytes of One Time Programming (OTP) memory, and 24 Kbytes of RAM. Another common platform frequently used in the realm of smart cards is the SmartMIPS architecture (MIPS, 2005). It aims at improving the protection of the system by using cryptographic algorithms such as RSA, DES, AES, and Elliptic Curve.
Key Terms in this Chapter
USIM (Universal Subscriber Identity Module): The common name of the smart card for UMTS. The USIM bears the identity of the subscriber, and its primary function is to secure the authenticity of the mobile station with respect to the network and vice versa. Additional functions include executing programs with protection against manipulation (authentication), user identification (using a PIN) and storing data, such as the telephone numbers
Smart Card: strictly speaking, the term “smart card” is an alternate name for a microprocessor card, in that it refers to a chip card that is “smart”. Memory cards thus do not properly fall into the category of smart cards. However, the expression “smart card” is generally used in English-speaking countries to refer to all types of cards containing chips
Observable memory: it defines the complete E2PROM memory which can be accessed by means of standard commands issued to the SIM/USIM card.
UMTS (Universal Mobile Telecommunication System): The European successor to GSM and a member of the ITM-2000 family. UMTS is a third generation (3G) digital, cellular, interoperable, transnational land-based mobile telecommunication system. The frequency band allocated to this mobile telecommunication system lies at 2000 MHz. UMTS represents the next major evolutionary step for GSM. The essential changes with respect to GSM are a new air interface using CDMA technology and a significantly higher data transmission rate of up to 2 Mbit/s
Nonstandard part: the set of non-declared elementary and dedicated files which are located in every SIM/USIM card. Some of this files, those who have the proper access privileges, may be modified with arbitrary data, by means of steganographic policies
SIM (Subscriber Identity Module): the usual designation for a GSM-specific smart card. It is a mandatory security module that is present in mobile telephones in an exchangeable form. It may be the same size as a standard credit card (ID-1 format), or it may be a small plug-in card in the ID-000 format. The SIM bears the identity of the subscriber, and its primarily function is to secure the authenticity of the mobile station with respect to the network. Additional functions include executing programs with protection against manipulation (authentication), user identification (using a PIN) and storing data, such as telephone numbers
ETSI (European Telecommunications Standard Institute): The standards institute of the European telecommunication companies, with headquarters in Sophia Antipolis, France. ETSI is responsible for defining standards in the field of European telecommunication
Standard part: the set of well-known elementary and dedicated files which have a defined position in the file system. Some notable examples are SMS (6F3C), ADN (6F3A), ICCID (2FE2)
GSM (Global System for Mobile Communications): A digital, cellular, interoperable, transnational and ground-based second-generation mobile telecommunication system. The frequency bands allocated to this mobile telecommunications system are 900 MHz (GSM 900), 1800 MHz (GSM 1800) and 1900 MHz (GSM 1900). The GSM system is defined by a family of specifications published by ETSI. The designated successor to GSM is UMTS