Lecture on
GSM, CDMA, SIM, IMEI and MAC address in
MOBILE PHONE FORENSICS
Hosted by:
Central Detective Training Institute
Ghaziabad
Delivered by:
Yugal Pathak (CyberYuvi)
Cyber and Digital Forensics Consultant
Phone: 8755485564
Email: cyberyuvi4u@gmail.com
© Yugal Pathak
Mobile device forensics
• It is a major sub-branch of digital forensics, relating to the recovery of digital evidence or data from a mobile device.
• It differs from computer forensics in that a mobile device has an inbuilt communication system (e.g. GSM) and, usually, proprietary storage mechanisms.
• Investigations usually focus on simple data such as call data and communications (SMS/E-mail) rather than in-depth recovery of deleted data.
• Mobile devices are also useful for providing location information, either from inbuilt GPS/location tracking or via cell site logs, which track the devices within their range.
Mobile Acquisition Conditions
Significance of Mobile Device Evidence
Why are we interested in Mobile Devices?
• You don’t need a computer for business nowadays.
• MOBILE IS THE NEW COMPUTER
• MOBILE = TV
• MOBILE = RADIO
• MOBILE = COMMUNICATION/CALLS/MESSAGES/CHAT
• MOBILE = STORAGE
MOBILE COMPUTER
Global System for Mobile Communications (GSM)
INTRODUCTION
GSM is a mobile telephony network based on the cellular concept.
Users can place and receive calls without being fixed to a specific location or wired to a physical connection.
To supply this capability, a GSM network consists of four basic components:
• The Mobile Station (MS).
• The Base Station Subsystem (BSS).
• The Network and Switching Subsystem (NSS).
• The Operation and Support Subsystem (OSS).
ARCHITECTURE
[Figure: GSM architecture. Labels: MS, SIM, BTS, BSC, MSC, VLR, HLR, EIR, AUC, NSS, OSS; UM, Abis and A interfaces; PLMN, ISDN, PSDN, PSTN.]
1) Mobile Station - A Mobile Station consists of two main elements, i.e. the mobile equipment or terminal and the Subscriber Identity Module (SIM).
2) The Base Station Subsystem - The BSS connects the Mobile Station and the NSS.
3) The Network and Switching Subsystem - Its main role is to manage the communications between the mobile users and other users, such as mobile users, ISDN users, etc.
4) The Operation and Support Subsystem (OSS) - The OSS is connected to the different components of the NSS and to the BSC, in order to control and monitor the GSM system.
FUNCTIONS
1) Transmission.
2) Radio Resources management (RR).
3) Mobility Management (MM).
4) Communication Management (CM).
5) Operation, Administration and Maintenance (OAM).

SERVICES
1) Teleservices.
2) Bearer services.
3) Supplementary Services.
GENERAL PACKET RADIO SERVICE (GPRS)
INTRODUCTION
General Packet Radio Service (GPRS) is a standardized packet-switched data service for GSM.
GPRS provides us with:
1) Fast coverage rollout, by adding packet switching nodes to an existing GSM network.
2) Efficient use of scarce radio resources.
GPRS is designed to support burst data transfer.
Two new elements are added to keep packet data traffic separated from traditional GSM voice and data:
a) The Serving GPRS Support Node (SGSN)
b) The Gateway GPRS Support Node (GGSN)
The migration path from GSM to GPRS requires:
a) Additional packet switching nodes
b) Software upgrades in the base station subsystem
c) Transmission links can be reused
d) Base Station Controllers (BSCs) for both GSM and GPRS
ARCHITECTURE
[Figure: GPRS architecture. Labels: Notebook, BTS, BSC, MSC, SGSN, Cisco GGSN, IP-based GPRS backbone, IP network, Internet, PSTN/SST.]
Data Transfer Comparison
[Chart: data transfer time in seconds over GSM (9.6 Kbps) and GPRS (56 Kbps) for E-mail, Web Page, Photo, Microsoft Word, Microsoft PowerPoint, Video clip and Audio clip. Values as extracted, not matched to items: 25, 42, 43, 286, 83, 833, 3,333, 250, 1,667, 4, 14, 143, 571, 7.]
ADVANTAGES
Faster Data Transfer Rates
Always-On Connection
Robust Connectivity
Broad Application Support
Security Support
CODE DIVISION MULTIPLE ACCESS (CDMA)
INTRODUCTION
CDMA is a "spread spectrum" technology, allowing many
users to occupy the same time and frequency allocations in
a given band/space.
The spectral spreading of the transmitted signal gives to
CDMA its multiple access capability.
CDMA is a form of Direct Sequence Spread Spectrum communications.
ARCHITECTURE
[Figure: CDMA network architecture. Labels: Mobile Station, Base Stations, Base Stations Controller, Switch, Public Wired Phone network (PSTN), Wireline Telephone, Other Cellular Switches, Intelligent Add-on Functions & Databases.]
BENEFITS
Outstanding Voice and Call Quality
Greatest Coverage for Lower Cost
Packet Data
Longer Talk Time, Longer Battery Life and Smaller Phones
Fewer Dropped Calls
Improved Security and Privacy
Greater Capacity
Reduced Background Noise and Interference
Rapid Deployment
COMPARISON
GSM has been the catalyst in the tremendous shift in traffic volume from fixed networks to mobile networks.
GPRS costs less than circuit-switched services, since communication channels are used on a shared basis and packets are sent as needed rather than a channel being dedicated to only one user.
CDMA (Code Division Multiple Access) differs from those traditional approaches in that it does not allocate frequency or time in user slots but gives all users the right to use both simultaneously.
SIM Cards
• The chip that is generally referred to as a SIM (Subscriber Identity Module) card is in fact a UICC, i.e. a Universal Integrated Circuit Card, which is a smart card that helps devices like mobile phones, set-top boxes, etc. connect to their nearest cellular radio network tower for communication purposes.
• Instead of being referred to as UICCs, these smart cards are commonly called SIM cards in day-to-day usage.
Subscriber identity module (SIM) cards
• Found most commonly in GSM devices
• Microprocessor and from 16 KB to 4 MB EEPROM
  - Sometimes even more, up to 1 GB EEPROM
• GSM refers to mobile phones as “mobile stations” and divides a station into two parts:
  - The SIM card and the mobile equipment (ME)
• SIM cards come in two sizes
• Portability of information makes SIM cards versatile
• Additional SIM card purposes:
  - Identifies the subscriber to the network
  - Stores personal information
  - Stores address books and messages
  - Stores service-related information
SIM Forensics
• SIM card forensics is an essential part of mobile device forensics.
• The information that a SIM card can provide to the forensic examiner can be crucial to an investigation.
• Obtaining a SIM card allows a plethora of information that the suspect has handled over the phone to be investigated.
In general, some of this data can help an investigator determine:
• Phone numbers of calls made/received
• Contacts
• SMS details (time/date, recipient, etc.)
• SMS text (the message itself)
Service Provider Data
Some additional information the service providers might store:
• A customer database
• Call Detail Records (CDR)
• Home Location Register (HLR)
SIM Cards from a Technical Point of View
The card contains its own:
• Microprocessor (CPU)
• Program memory (ROM)
• Working memory (RAM)
• Data memory (EPROM or E2PROM)
• Serial communication module
SIM structure
A SIM card has six pads that correspond to the six SIM connector pins, but only five pins are connected in the layout:
• SIM data - Provides access to the digital data stored in the SIM memory.
• SIM clock - A clock frequency signal that is synchronized with the digital data to create the data signal for sending and receiving information.
• SIM reset - A frequency signal that is meant to trigger or reset all the synchronization processes.
• VSIM B+ supply voltage - The power supply voltage used to activate the circuit of a SIM card.
• SIM ground - A ground line voltage.
• The sixth one is not connected.
Layout of SIM connector pins
Description of SIM
A typical SIM (19 digits): 89 91 10 1200 00 320451 0

Digit Position      Example   Description
First two digits    89        Major Industry Identifier
Next two digits     91        Country Code (91 is for India)
Next two digits     10        Issuer Identifier Number
Next four digits    1200      Month and Year of build
Next two digits     00        Switch Configuration Code
Next six digits     320451    SIM number
Last digit          0         Check Sum Digit
SIM digits
• These digits can be further grouped for additional information.
• The Major Industry Identifier, Country Code, and Issuer Identifier Number make up the Issuer Identification Number (IIN), which is at most 7 digits long.
• The next several digits, which may be of variable length, represent the Individual Account Identification Number.
• The last digit is the checksum digit.
File System Organization of a SIM card
The file system of a SIM card is organized in a hierarchical tree structure, as given below:
• Master File (MF) – The master file is the root of the file system organization. It contains all the dedicated and elementary files.
• Dedicated File (DF) – Dedicated files are subordinate directories to the master file that contain dedicated and elementary files.
• Elementary File (EF) – These are files that contain various types of formatted data structures, which can be a sequence of data bytes, a sequence of fixed size records, or a fixed set of fixed size records used cyclically.
SIM cards showing ICCID
• Every SIM is identified internationally by its ICC-ID (Integrated Circuit Card ID).
• The ICC-IDs are stored in the SIM card and may also be engraved or printed on the SIM card’s body during a process called personalization.
• The number is generally up to 18 digits long, plus a single “check digit” that is used for error detection.
• This single digit allows us to detect mistyped digits, an input error of digits or a permutation of two successive digits.
• This digit is calculated using the Luhn algorithm.
The Concept of Data Recovery from SIM Cards
• SIM cards are technically smart cards containing an embedded EEPROM memory chip.
• The EEPROM chip in smart cards is the same kind of flash memory device that is present in pen drives, SSDs, etc.
• Hence, it is possible to recover data from them, as from other electronic memory chip devices.
• But SIM cards in damaged condition might not be recognized by the SIM extraction device being used.
• Therefore, the card should be properly cleaned before being subjected to the process of extraction.
• In the field of forensics, digital forensics laboratories may receive SIM cards in various unusual conditions, from soiled or dusty to physically broken.
• The connecting plates of the SIM cards might be rusted or soaked with blood.
What is the IMEI number?
• IMEI (International Mobile Equipment Identity) is a 15-digit unique number that is found in every phone.
• This number is an identity certificate for your phone and cannot be changed.
• Whenever you buy a new phone, you can check the IMEI on the box or in the Settings.
• It is very important and useful to note down this number and keep it safe, as it could be used in the future if your phone ever gets lost or misplaced.
• The model and origin comprise the initial 8-digit portion of the IMEI/SV, known as the Type Allocation Code (TAC). The remainder of the IMEI is manufacturer-defined, with a Luhn check digit at the end. For the IMEI format prior to 2003, the GSMA guideline was to have this Check Digit always transmitted to the network as zero. This guideline seems to have disappeared for the format valid from 2003 onwards.
How do police track IMEI numbers?
• Every phone has a specific 15-digit number known as the IMEI (International Mobile Equipment Identity) number.
• This number can be used by the police to locate your lost or misplaced cell phone.
• Even with a different SIM, the moment a call is made, the IMEI number helps police to track your phone to the exact or nearby cell phone tower.
• Once your IMEI number is blocked, it is blacklisted, which prevents you from using your mobile from that instant.
• Basically, the device is blocked for protective purposes, such as after a theft incident.
• Once the purpose is served, the blacklisted IMEI number can be legally unblocked.
The check digit is validated in three steps:
1. Starting from the right, double every other digit (e.g., 7 → 14).
2. Sum the digits (e.g., 14 → 1 + 4).
3. Check if the sum is divisible by 10.
Conversely, one can calculate the IMEI by choosing the check digit that would give
a sum divisible by 10.
Check IMEI Number
• For the example IMEI 49015420323751?
• Which digit should be placed at the question mark?
• To make the sum divisible by 10, we set ? = 8, so the IMEI would be 490154203237518.
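The check-digit steps and the 49015420323751? example above, worked in Python as an added example that is not part of the original lecture. The helper and field names are assumptions made for illustration, and the same Luhn routine applies to the ICC-ID check digit. It also counts which single-digit and adjacent-swap errors the check digit fails to catch.

```python
# Added example: Luhn check-digit handling for IMEI values.
# Function and field names are illustrative, not taken from the lecture.

def luhn_sum(number: str) -> int:
    """Luhn sum of a digit string whose last character is the check digit."""
    total = 0
    for pos, ch in enumerate(reversed(number)):
        d = int(ch)
        if pos % 2 == 1:      # every other digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9        # same as summing the two digits: 14 -> 1 + 4
        total += d
    return total


def luhn_valid(number: str) -> bool:
    """True when the sum over all digits, check digit included, divides by 10."""
    return number.isascii() and number.isdigit() and luhn_sum(number) % 10 == 0


def luhn_check_digit(body: str) -> int:
    """Check digit that makes body + digit pass the Luhn test."""
    if not (body.isascii() and body.isdigit()):
        raise ValueError("body must contain decimal digits only")
    # A trailing 0 adds nothing to the sum but puts the body digits in position.
    return (10 - luhn_sum(body + "0") % 10) % 10


def parse_imei(raw: str) -> dict:
    """Split a 15-digit IMEI into TAC, remainder and check digit, and verify it."""
    imei = "".join(c for c in raw if c not in " -/")
    if not (imei.isascii() and imei.isdigit() and len(imei) == 15):
        raise ValueError("expected 15 decimal digits, got %r" % raw)
    return {
        "tac": imei[:8],                       # Type Allocation Code
        "serial": imei[8:14],                  # manufacturer-defined remainder
        "check_digit": int(imei[14]),
        "expected_check_digit": luhn_check_digit(imei[:14]),
        "valid": luhn_valid(imei),
    }


def undetected_single_digit_errors(number: str) -> int:
    """How many one-digit substitutions in `number` still pass the check."""
    count = 0
    for i, ch in enumerate(number):
        for repl in "0123456789":
            if repl != ch and luhn_valid(number[:i] + repl + number[i + 1:]):
                count += 1
    return count


def undetected_adjacent_swaps(number: str) -> list:
    """Swaps of two neighbouring digits that still pass the check."""
    missed = []
    for i in range(len(number) - 1):
        a, b = number[i], number[i + 1]
        if a == b:
            continue          # swapping equal digits changes nothing
        if luhn_valid(number[:i] + b + a + number[i + 2:]):
            missed.append((i, a + b))
    return missed


if __name__ == "__main__":
    body = "49015420323751"                    # example IMEI body from the slide
    imei = body + str(luhn_check_digit(body))
    print(imei, parse_imei(imei))
    print("single-digit errors missed:", undetected_single_digit_errors(imei))
    print("adjacent swaps missed:", undetected_adjacent_swaps(imei))
```

Every single-digit error is caught, but swapping a neighbouring 9 and 0 is not, so a mistyped IMEI or ICC-ID can still pass the check.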
IMEI Tracking
MAC Address
• A MAC address is a 12-digit hexadecimal number (6-byte binary number), which is mostly represented in colon-hexadecimal notation. The first 6 digits (say 00:40:96) of the MAC address identify the manufacturer and are called the OUI (Organizationally Unique Identifier). The IEEE Registration Authority Committee assigns these MAC prefixes to its registered vendors.
Example:
CC:46:D6 - Cisco
3C:5A:B4 - Google, Inc.
3C:D9:2B - Hewlett Packard
00:9A:CD - HUAWEI TECHNOLOGIES CO.,LTD
MAC based tracking
• MAC addresses allow you to filter devices on modern routers: you can tell your router to deny access to specific MAC addresses (i.e., specific physical devices) or only allow certain MAC addresses to connect.
• You can't do the same with IP addresses because routers assign internal IP addresses to devices as they connect and recycle them when devices disconnect.
• That's why your smartphone could have an internal IP address of 192.168.0.1 in the morning but 192.168.0.3 when you come home from work. As such, you can't filter a device using its IP address because it's always changing.
• Another nifty use for MAC addresses is triggering Wake-on-LAN. Ethernet adapters can accept a "magic packet" that causes the device to turn on, even if it's shut down.
• The magic packet can be sent from anywhere on the same network, and the MAC address of the receiving device's Ethernet adapter is how the magic packet knows where to go.
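An added example (not from the original lecture) that normalises common MAC notations, extracts the OUI, and builds the Wake-on-LAN magic packet payload described above. The vendor table holds only the four prefixes listed on the slide, the sample addresses are constructed, and the function names are illustrative. It also flags locally administered addresses, whose first three bytes are not an IEEE-assigned OUI.

```python
# Added example: MAC address parsing for examiner notes.
import re

# The four vendor prefixes shown on the slide; a real lookup would use the
# full IEEE registry, which is not reproduced here.
SLIDE_OUIS = {
    "CC:46:D6": "Cisco",
    "3C:5A:B4": "Google, Inc.",
    "3C:D9:2B": "Hewlett Packard",
    "00:9A:CD": "HUAWEI TECHNOLOGIES CO.,LTD",
}


def parse_mac(text: str) -> bytes:
    """Accept colon, hyphen, dotted (aabb.ccdd.eeff) or bare hex; return 6 bytes."""
    hexdigits = re.sub(r"[:\-.\s]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexdigits):
        raise ValueError("not a 48-bit MAC address: %r" % text)
    return bytes.fromhex(hexdigits)


def describe_mac(text: str) -> dict:
    """Canonical form, OUI and the two flag bits carried in the first byte."""
    mac = parse_mac(text)
    oui = ":".join("%02X" % b for b in mac[:3])
    local = bool(mac[0] & 0x02)        # locally administered (U/L) bit
    multicast = bool(mac[0] & 0x01)    # group (I/G) bit
    return {
        "mac": ":".join("%02X" % b for b in mac),
        "oui": oui,
        "locally_administered": local,
        "multicast": multicast,
        # A locally administered address carries no vendor information.
        "vendor": None if local else SLIDE_OUIS.get(oui),
    }


def wol_magic_packet(text: str) -> bytes:
    """Wake-on-LAN payload: six 0xFF bytes, then the target MAC 16 times."""
    return b"\xff" * 6 + parse_mac(text) * 16


if __name__ == "__main__":
    # Constructed sample addresses in three notations.
    for sample in ("3c-5a-b4-01-02-03", "CC46.D6AA.BBCC", "DA:A1:19:00:00:01"):
        print(describe_mac(sample))
    print(len(wol_magic_packet("3C:D9:2B:00:00:01")), "byte magic packet")
```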
Mobile Phone OPERATING SYSTEMS
GOOGLE ANDROID
APPLE iOS
WINDOWS PHONE
BLACKBERRY OS
FIRE OS
SYMBIAN OS
SAILFISH OS
BADA
PALM OS
Brand specific Mobile OS
• Google - Pixel, Nexus; OS - Android (open source)
• Apple - iPhones; OS - iOS (not open source)
• Huawei - Harmony OS
• Oppo - Color OS
• Realme - Realme OS
• Xiaomi - MIUI and MIUI for Poco
• OnePlus - Oxygen OS
• Vivo - FunTouch OS
• Asus Zenfones - ZenUI
• Huawei and Honor - EMUI
List of Forensic Tools
Reporting
• Chain of Custody Form
• Expert Report
Reporting
EXPERT REPORT
• THE LAST STAGE OF A DIGITAL EVIDENCE EXAMINATION IS TO INTEGRATE ALL FINDINGS & CONCLUSIONS INTO A FINAL REPORT.
• THIS REPORT IS THE ONLY VIEW THAT OTHERS HAVE OF THE ENTIRE PROCESS. BUILD SOLID ARGUMENTS, SUPPORT ASSERTIONS AND INCLUDE ALL RELEVANT EVIDENCE.
Reporting
• INTRODUCTION
• EVIDENCE SUMMARY
• EXAMINATION & ANALYSIS SUMMARY
• CONCLUSIONS
• GLOSSARY OF TERMS
• APPENDIX OF SUPPORTING EXHIBITS
Conclusion
THE DIGITAL FORENSICS FIELD IS ABLE TO FIND CRUCIAL ELECTRONIC EVIDENCE, WHETHER IT IS
• LOST
• DELETED
• DAMAGED
• HIDDEN
AND THIS EVIDENCE CAN BE USED TO PROSECUTE AN INDIVIDUAL.

More Related Content

What's hot

Digital forensics
Digital forensics Digital forensics
Digital forensics vishnuv43
 
Cloud-forensics
Cloud-forensicsCloud-forensics
Cloud-forensicsanupriti
 
Computer forensics
Computer forensicsComputer forensics
Computer forensicsdeaneal
 
Analysis of digital evidence
Analysis of digital evidenceAnalysis of digital evidence
Analysis of digital evidencerakesh mishra
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensicOnline
 
04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - NotesKranthi
 
Preserving and recovering digital evidence
Preserving and recovering digital evidencePreserving and recovering digital evidence
Preserving and recovering digital evidenceOnline
 
E-mail Investigation
E-mail InvestigationE-mail Investigation
E-mail Investigationedwardbel
 
Digital Forensic ppt
Digital Forensic pptDigital Forensic ppt
Digital Forensic pptSuchita Rawat
 
Audio and Video Forensics
Audio and Video ForensicsAudio and Video Forensics
Audio and Video ForensicsDipika Sengupta
 
Search & Seizure of Electronic Evidence by Pelorus Technologies
Search & Seizure of Electronic Evidence by Pelorus TechnologiesSearch & Seizure of Electronic Evidence by Pelorus Technologies
Search & Seizure of Electronic Evidence by Pelorus Technologiesurjarathi
 
Introduction to forensic imaging
Introduction to forensic imagingIntroduction to forensic imaging
Introduction to forensic imagingMarco Alamanni
 
Digital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeDigital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeAung Thu Rha Hein
 

What's hot (20)

Digital forensics
Digital forensics Digital forensics
Digital forensics
 
Cloud-forensics
Cloud-forensicsCloud-forensics
Cloud-forensics
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
Analysis of digital evidence
Analysis of digital evidenceAnalysis of digital evidence
Analysis of digital evidence
 
Introduction to computer forensic
Introduction to computer forensicIntroduction to computer forensic
Introduction to computer forensic
 
Intro to cyber forensics
Intro to cyber forensicsIntro to cyber forensics
Intro to cyber forensics
 
Mobile Forensics
Mobile Forensics Mobile Forensics
Mobile Forensics
 
04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes
 
Cyber Forensics Module 2
Cyber Forensics Module 2Cyber Forensics Module 2
Cyber Forensics Module 2
 
Preserving and recovering digital evidence
Preserving and recovering digital evidencePreserving and recovering digital evidence
Preserving and recovering digital evidence
 
Forensic audio
Forensic audioForensic audio
Forensic audio
 
E-mail Investigation
E-mail InvestigationE-mail Investigation
E-mail Investigation
 
Digital Forensic ppt
Digital Forensic pptDigital Forensic ppt
Digital Forensic ppt
 
Audio and Video Forensics
Audio and Video ForensicsAudio and Video Forensics
Audio and Video Forensics
 
Email Forensics
Email ForensicsEmail Forensics
Email Forensics
 
Search & Seizure of Electronic Evidence by Pelorus Technologies
Search & Seizure of Electronic Evidence by Pelorus TechnologiesSearch & Seizure of Electronic Evidence by Pelorus Technologies
Search & Seizure of Electronic Evidence by Pelorus Technologies
 
Introduction to forensic imaging
Introduction to forensic imagingIntroduction to forensic imaging
Introduction to forensic imaging
 
Password craking techniques
Password craking techniques Password craking techniques
Password craking techniques
 
Module 02 ftk imager
Module 02 ftk imagerModule 02 ftk imager
Module 02 ftk imager
 
Digital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeDigital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research Challenge
 

Similar to Mobile and SIM Forensics

Understanding Telecom SIM and USIM/ISIM for LTE
Understanding Telecom SIM and USIM/ISIM for LTEUnderstanding Telecom SIM and USIM/ISIM for LTE
Understanding Telecom SIM and USIM/ISIM for LTEntel
 
Presentation SIM CARD (GSM)
Presentation SIM CARD (GSM)Presentation SIM CARD (GSM)
Presentation SIM CARD (GSM)Ekansh Agarwal
 
GSM TECHNOLOGIES-ARCHITECTURE.pptx
GSM TECHNOLOGIES-ARCHITECTURE.pptxGSM TECHNOLOGIES-ARCHITECTURE.pptx
GSM TECHNOLOGIES-ARCHITECTURE.pptxANIKETKUMARSHARMA3
 
gsmarchitecture-130331091401-phpapp01.pdf
gsmarchitecture-130331091401-phpapp01.pdfgsmarchitecture-130331091401-phpapp01.pdf
gsmarchitecture-130331091401-phpapp01.pdfsamss12
 
gsmarchitecture-130331091401-phpapp01.pdf
gsmarchitecture-130331091401-phpapp01.pdfgsmarchitecture-130331091401-phpapp01.pdf
gsmarchitecture-130331091401-phpapp01.pdfandutokicho
 
GSM Architecture
GSM ArchitectureGSM Architecture
GSM ArchitectureRubyyatAbir
 
Gsm anti theft system
Gsm anti theft systemGsm anti theft system
Gsm anti theft systemAshu0711
 
GSM TECHNOLOGIES-ARCHITECTURE.pptx
GSM TECHNOLOGIES-ARCHITECTURE.pptxGSM TECHNOLOGIES-ARCHITECTURE.pptx
GSM TECHNOLOGIES-ARCHITECTURE.pptxhazhamina
 
44Con 2014: GreedyBTS - Hacking Adventures in GSM
44Con 2014: GreedyBTS - Hacking Adventures in GSM44Con 2014: GreedyBTS - Hacking Adventures in GSM
44Con 2014: GreedyBTS - Hacking Adventures in GSMiphonepentest
 
Unit1_4G-5G_Part1.pptx
Unit1_4G-5G_Part1.pptxUnit1_4G-5G_Part1.pptx
Unit1_4G-5G_Part1.pptxdevicaf983
 
Introduction to SMS, MMS, Modems & Gateways
Introduction to SMS, MMS, Modems & GatewaysIntroduction to SMS, MMS, Modems & Gateways
Introduction to SMS, MMS, Modems & Gatewaystawi123
 
GSM TECHNOLOGIES-ARCHITECTURE.pptx
GSM TECHNOLOGIES-ARCHITECTURE.pptxGSM TECHNOLOGIES-ARCHITECTURE.pptx
GSM TECHNOLOGIES-ARCHITECTURE.pptxChaudharyJi6
 

Similar to Mobile and SIM Forensics (20)

Understanding Telecom SIM and USIM/ISIM for LTE
Understanding Telecom SIM and USIM/ISIM for LTEUnderstanding Telecom SIM and USIM/ISIM for LTE
Understanding Telecom SIM and USIM/ISIM for LTE
 
Moblie technology
Moblie technologyMoblie technology
Moblie technology
 
Presentation SIM CARD (GSM)
Presentation SIM CARD (GSM)Presentation SIM CARD (GSM)
Presentation SIM CARD (GSM)
 
GSM TECHNOLOGIES-ARCHITECTURE.pptx
GSM TECHNOLOGIES-ARCHITECTURE.pptxGSM TECHNOLOGIES-ARCHITECTURE.pptx
GSM TECHNOLOGIES-ARCHITECTURE.pptx
 
gsmarchitecture-130331091401-phpapp01.pdf
gsmarchitecture-130331091401-phpapp01.pdfgsmarchitecture-130331091401-phpapp01.pdf
gsmarchitecture-130331091401-phpapp01.pdf
 
gsmarchitecture-130331091401-phpapp01.pdf
gsmarchitecture-130331091401-phpapp01.pdfgsmarchitecture-130331091401-phpapp01.pdf
gsmarchitecture-130331091401-phpapp01.pdf
 
M Commerce
M CommerceM Commerce
M Commerce
 
GSM WITH SATELLITE.pptx
GSM WITH SATELLITE.pptxGSM WITH SATELLITE.pptx
GSM WITH SATELLITE.pptx
 
GSM
GSMGSM
GSM
 
GSM Architecture
GSM ArchitectureGSM Architecture
GSM Architecture
 
Gsm anti theft system
Gsm anti theft systemGsm anti theft system
Gsm anti theft system
 
GSM TECHNOLOGIES-ARCHITECTURE.pptx
GSM TECHNOLOGIES-ARCHITECTURE.pptxGSM TECHNOLOGIES-ARCHITECTURE.pptx
GSM TECHNOLOGIES-ARCHITECTURE.pptx
 
GSM Introduction
GSM IntroductionGSM Introduction
GSM Introduction
 
Mobile Communication.pptx
Mobile Communication.pptxMobile Communication.pptx
Mobile Communication.pptx
 
44Con 2014: GreedyBTS - Hacking Adventures in GSM
44Con 2014: GreedyBTS - Hacking Adventures in GSM44Con 2014: GreedyBTS - Hacking Adventures in GSM
44Con 2014: GreedyBTS - Hacking Adventures in GSM
 
Unit1_4G-5G_Part1.pptx
Unit1_4G-5G_Part1.pptxUnit1_4G-5G_Part1.pptx
Unit1_4G-5G_Part1.pptx
 
Switching systems lecture7
Switching  systems lecture7Switching  systems lecture7
Switching systems lecture7
 
Introduction to SMS, MMS, Modems & Gateways
Introduction to SMS, MMS, Modems & GatewaysIntroduction to SMS, MMS, Modems & Gateways
Introduction to SMS, MMS, Modems & Gateways
 
GSM TECHNOLOGIES-ARCHITECTURE.pptx
GSM TECHNOLOGIES-ARCHITECTURE.pptxGSM TECHNOLOGIES-ARCHITECTURE.pptx
GSM TECHNOLOGIES-ARCHITECTURE.pptx
 
IT6601 MOBILE COMPUTING
IT6601 MOBILE COMPUTINGIT6601 MOBILE COMPUTING
IT6601 MOBILE COMPUTING
 

Recently uploaded

国外大学毕业证《奥克兰大学毕业证办理成绩单GPA修改》
国外大学毕业证《奥克兰大学毕业证办理成绩单GPA修改》国外大学毕业证《奥克兰大学毕业证办理成绩单GPA修改》
国外大学毕业证《奥克兰大学毕业证办理成绩单GPA修改》o8wvnojp
 
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书Fs Las
 
Vanderburgh County Sheriff says he will Not Raid Delta 8 Shops
Vanderburgh County Sheriff says he will Not Raid Delta 8 ShopsVanderburgh County Sheriff says he will Not Raid Delta 8 Shops
Vanderburgh County Sheriff says he will Not Raid Delta 8 ShopsAbdul-Hakim Shabazz
 
昆士兰科技大学毕业证学位证成绩单-补办步骤澳洲毕业证书
昆士兰科技大学毕业证学位证成绩单-补办步骤澳洲毕业证书昆士兰科技大学毕业证学位证成绩单-补办步骤澳洲毕业证书
昆士兰科技大学毕业证学位证成绩单-补办步骤澳洲毕业证书1k98h0e1
 
如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书
如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书
如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书FS LS
 
定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一
定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一
定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一jr6r07mb
 
如何办理(UCD毕业证书)加州大学戴维斯分校毕业证学位证书
如何办理(UCD毕业证书)加州大学戴维斯分校毕业证学位证书如何办理(UCD毕业证书)加州大学戴维斯分校毕业证学位证书
如何办理(UCD毕业证书)加州大学戴维斯分校毕业证学位证书SD DS
 
如何办理威斯康星大学密尔沃基分校毕业证学位证书
 如何办理威斯康星大学密尔沃基分校毕业证学位证书 如何办理威斯康星大学密尔沃基分校毕业证学位证书
如何办理威斯康星大学密尔沃基分校毕业证学位证书Fir sss
 
POLICE ACT, 1861 the details about police system.pptx
POLICE ACT, 1861 the details about police system.pptxPOLICE ACT, 1861 the details about police system.pptx
POLICE ACT, 1861 the details about police system.pptxAbhishekchatterjee248859
 
如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书
如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书
如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书Fir L
 
如何办理(MSU文凭证书)密歇根州立大学毕业证学位证书
 如何办理(MSU文凭证书)密歇根州立大学毕业证学位证书 如何办理(MSU文凭证书)密歇根州立大学毕业证学位证书
如何办理(MSU文凭证书)密歇根州立大学毕业证学位证书Sir Lt
 
Good Governance Practices for protection of Human Rights (Discuss Transparen...
Good Governance Practices for protection  of Human Rights (Discuss Transparen...Good Governance Practices for protection  of Human Rights (Discuss Transparen...
Good Governance Practices for protection of Human Rights (Discuss Transparen...shubhuc963
 
如何办理美国加州大学欧文分校毕业证(本硕)UCI学位证书
如何办理美国加州大学欧文分校毕业证(本硕)UCI学位证书如何办理美国加州大学欧文分校毕业证(本硕)UCI学位证书
如何办理美国加州大学欧文分校毕业证(本硕)UCI学位证书Fir L
 
John Hustaix - The Legal Profession: A History
John Hustaix - The Legal Profession:  A HistoryJohn Hustaix - The Legal Profession:  A History
John Hustaix - The Legal Profession: A HistoryJohn Hustaix
 
An Analysis of the Essential Commodities Act, 1955
An Analysis of the Essential Commodities Act, 1955An Analysis of the Essential Commodities Act, 1955
An Analysis of the Essential Commodities Act, 1955Abheet Mangleek
 
如何办理(uOttawa毕业证书)渥太华大学毕业证学位证书
如何办理(uOttawa毕业证书)渥太华大学毕业证学位证书如何办理(uOttawa毕业证书)渥太华大学毕业证学位证书
如何办理(uOttawa毕业证书)渥太华大学毕业证学位证书SD DS
 
如何办理(UNK毕业证书)内布拉斯加大学卡尼尔分校毕业证学位证书
如何办理(UNK毕业证书)内布拉斯加大学卡尼尔分校毕业证学位证书如何办理(UNK毕业证书)内布拉斯加大学卡尼尔分校毕业证学位证书
如何办理(UNK毕业证书)内布拉斯加大学卡尼尔分校毕业证学位证书SD DS
 
如何办理(Curtin毕业证书)科廷科技大学毕业证学位证书
如何办理(Curtin毕业证书)科廷科技大学毕业证学位证书如何办理(Curtin毕业证书)科廷科技大学毕业证学位证书
如何办理(Curtin毕业证书)科廷科技大学毕业证学位证书SD DS
 
Arbitration, mediation and conciliation in India
Arbitration, mediation and conciliation in IndiaArbitration, mediation and conciliation in India
Arbitration, mediation and conciliation in IndiaNafiaNazim
 
Test Identification Parade & Dying Declaration.pptx
Test Identification Parade & Dying Declaration.pptxTest Identification Parade & Dying Declaration.pptx
Test Identification Parade & Dying Declaration.pptxsrikarna235
 

Recently uploaded (20)

国外大学毕业证《奥克兰大学毕业证办理成绩单GPA修改》
国外大学毕业证《奥克兰大学毕业证办理成绩单GPA修改》国外大学毕业证《奥克兰大学毕业证办理成绩单GPA修改》
国外大学毕业证《奥克兰大学毕业证办理成绩单GPA修改》
 
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书
 
Vanderburgh County Sheriff says he will Not Raid Delta 8 Shops
Vanderburgh County Sheriff says he will Not Raid Delta 8 ShopsVanderburgh County Sheriff says he will Not Raid Delta 8 Shops
Vanderburgh County Sheriff says he will Not Raid Delta 8 Shops
 
昆士兰科技大学毕业证学位证成绩单-补办步骤澳洲毕业证书
昆士兰科技大学毕业证学位证成绩单-补办步骤澳洲毕业证书昆士兰科技大学毕业证学位证成绩单-补办步骤澳洲毕业证书
昆士兰科技大学毕业证学位证成绩单-补办步骤澳洲毕业证书
 
如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书
如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书
如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书
 
定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一
定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一
定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一
 
如何办理(UCD毕业证书)加州大学戴维斯分校毕业证学位证书
如何办理(UCD毕业证书)加州大学戴维斯分校毕业证学位证书如何办理(UCD毕业证书)加州大学戴维斯分校毕业证学位证书
如何办理(UCD毕业证书)加州大学戴维斯分校毕业证学位证书
 
如何办理威斯康星大学密尔沃基分校毕业证学位证书
 如何办理威斯康星大学密尔沃基分校毕业证学位证书 如何办理威斯康星大学密尔沃基分校毕业证学位证书
如何办理威斯康星大学密尔沃基分校毕业证学位证书
 
POLICE ACT, 1861 the details about police system.pptx
POLICE ACT, 1861 the details about police system.pptxPOLICE ACT, 1861 the details about police system.pptx
POLICE ACT, 1861 the details about police system.pptx
 
如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书
如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书
如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书
 
如何办理(MSU文凭证书)密歇根州立大学毕业证学位证书
 如何办理(MSU文凭证书)密歇根州立大学毕业证学位证书 如何办理(MSU文凭证书)密歇根州立大学毕业证学位证书
如何办理(MSU文凭证书)密歇根州立大学毕业证学位证书
 
Good Governance Practices for protection of Human Rights (Discuss Transparen...
Good Governance Practices for protection  of Human Rights (Discuss Transparen...Good Governance Practices for protection  of Human Rights (Discuss Transparen...
Good Governance Practices for protection of Human Rights (Discuss Transparen...
 
如何办理美国加州大学欧文分校毕业证(本硕)UCI学位证书
如何办理美国加州大学欧文分校毕业证(本硕)UCI学位证书如何办理美国加州大学欧文分校毕业证(本硕)UCI学位证书
如何办理美国加州大学欧文分校毕业证(本硕)UCI学位证书
 
John Hustaix - The Legal Profession: A History
John Hustaix - The Legal Profession:  A HistoryJohn Hustaix - The Legal Profession:  A History
John Hustaix - The Legal Profession: A History
 
An Analysis of the Essential Commodities Act, 1955
An Analysis of the Essential Commodities Act, 1955An Analysis of the Essential Commodities Act, 1955
An Analysis of the Essential Commodities Act, 1955
 
如何办理(uOttawa毕业证书)渥太华大学毕业证学位证书
如何办理(uOttawa毕业证书)渥太华大学毕业证学位证书如何办理(uOttawa毕业证书)渥太华大学毕业证学位证书
如何办理(uOttawa毕业证书)渥太华大学毕业证学位证书
 
如何办理(UNK毕业证书)内布拉斯加大学卡尼尔分校毕业证学位证书
如何办理(UNK毕业证书)内布拉斯加大学卡尼尔分校毕业证学位证书如何办理(UNK毕业证书)内布拉斯加大学卡尼尔分校毕业证学位证书
如何办理(UNK毕业证书)内布拉斯加大学卡尼尔分校毕业证学位证书
 
如何办理(Curtin毕业证书)科廷科技大学毕业证学位证书
如何办理(Curtin毕业证书)科廷科技大学毕业证学位证书如何办理(Curtin毕业证书)科廷科技大学毕业证学位证书
如何办理(Curtin毕业证书)科廷科技大学毕业证学位证书
 
Arbitration, mediation and conciliation in India
Arbitration, mediation and conciliation in IndiaArbitration, mediation and conciliation in India
Arbitration, mediation and conciliation in India
 
Test Identification Parade & Dying Declaration.pptx
Test Identification Parade & Dying Declaration.pptxTest Identification Parade & Dying Declaration.pptx
Test Identification Parade & Dying Declaration.pptx
 

Mobile and SIM Forensics

  • 1. MOBILE PHONE FORENSICS GSM,CDMA,SIM,IMEI and MAC address in Lecture on Hosted by: Central Detective Training Institute Ghaziabad Delivered by: Yugal Pathak (CyberYuvi) Cyber and Digital Forensics Consultant Phone: 8755485564 Email: cyberyuvi4u@gmail.com © Yugal Pathak
  • 2. Mobile device forensics  It is a major sub-branch of digital forensics, relating to recovery of digital evidence or data from a mobile device.  It differs from Computer forensics as a mobile device would have an inbuilt communication system (e.g. GSM) and, usually, proprietary storage mechanisms.  Investigations usually focus on simple data such as call data and communications (SMS/E-mail) rather than in-depth recovery of deleted data.  Mobile devices are also useful for providing location information; either from inbuilt GPS/location tracking or via cell site logs, which track the devices within their range. © Yugal Pathak
  • 4. Significance of Mobile Device Evidence © Yugal Pathak
  • 5.  You don’t need computer for Business now a day.  MOBILE IS THE NEW COMPUTER  MOBILE = TV  MOBILE = RADIO  MOBILE = COMMUNICATION/CALLS/MESSAGES/CHAT  MOBILE = STORAGE MOBILE COMPUTER Why are we interested in Mobile Devices? © Yugal Pathak
  • 6. Global System for Mobile Communications (GSM): INTRODUCTION. GSM is a mobile telephony network based on the cellular concept. Users can place and receive calls without being fixed to a specific location or wired to a physical connection. To supply this capability, a GSM network consists of four basic components: • The Mobile Station (MS). • The Base Station Subsystem (BSS). • The Network and Switching Subsystem (NSS). • The Operation and Support Subsystem (OSS).
  • 8. 1) Mobile Station: A Mobile Station consists of two main elements, i.e. the mobile equipment or terminal and the Subscriber Identity Module (SIM). 2) The Base Station Subsystem: The BSS connects the Mobile Station and the NSS. 3) The Network and Switching Subsystem: Its main role is to manage the communications between the mobile users and other users, such as mobile users, ISDN users etc. 4) The Operation and Support Subsystem (OSS): The OSS is connected to the different components of the NSS and to the BSC, in order to control and monitor the GSM system.
  • 9. FUNCTIONS: 1) Transmission. 2) Radio Resources management (RR). 3) Mobility Management (MM). 4) Communication Management (CM). 5) Operation, Administration and Maintenance (OAM). SERVICES: 1) Teleservices. 2) Bearer services. 3) Supplementary Services.
  • 10. GENERAL PACKET RADIO SERVICE (GPRS): INTRODUCTION. General Packet Radio Service (GPRS) is a standardized packet-switched data service for GSM. GPRS provides: 1) Fast coverage rollout, adding packet switching nodes to an existing GSM network. 2) Efficient use of scarce radio resources.
  • 11. GPRS is designed to support burst data transfer. Two new elements are added to keep packet data traffic separated from traditional GSM voice and data: a) The Serving GPRS Support Node (SGSN) b) The Gateway GPRS Support Node (GGSN). The migration path from GSM to GPRS requires: a) Additional packet switching nodes b) Software upgrades in the base station subsystem c) Transmission links can be reused d) Station Controllers (BSCs) for both GSM and GPRS.
  • 13. [Table: Data Transfer Comparison. Data transfer time in seconds, GSM (9.6 Kbps) versus GPRS (56 Kbps), for E-mail, Web Page, Photo, Microsoft Word, Microsoft PowerPoint, Video clip and Audio clip. Cell values in extracted order: 25 42 43 286 83 833 3,333 250 1,667 4 14 143 571 7]
  • 14. ADVANTAGES: • Faster Data Transfer Rates • Always-On Connection • Robust Connectivity • Broad Application Support • Security Support
  • 15. CODE DIVISION MULTIPLE ACCESS (CDMA): INTRODUCTION. CDMA is a "spread spectrum" technology, allowing many users to occupy the same time and frequency allocations in a given band/space. The spectral spreading of the transmitted signal gives CDMA its multiple access capability. CDMA is a form of Direct Sequence Spread Spectrum communications.
  • 17. BENEFITS: • Outstanding Voice and Call Quality • Greatest Coverage for Lower Cost • Packet Data • Longer Talk Time, Longer Battery Life and Smaller Phones • Fewer Dropped Calls • Improved Security and Privacy Contd…
  • 18. • Greater Capacity • Reduced Background Noise and Interference • Rapid Deployment
  • 19. COMPARISON: GSM has been the catalyst in the tremendous shift in traffic volume from fixed networks to mobile networks. GPRS costs less than circuit-switched services, since communication channels are used on a shared basis and the packets are need-based rather than dedicated to only one user. CDMA (Code Division Multiple Access) differs from those traditional ways in that it does not allocate frequency or time in user slots but gives the right to use both to all users simultaneously.
  • 20. SIM Cards • The chip that is generally referred to as a SIM (Subscriber Identity Module) card is in fact a UICC (Universal Integrated Circuit Card), a smart card that helps devices such as mobile phones and set-top boxes connect to the nearest cellular radio network tower for communication purposes. • Instead of being called UICCs, these smart cards are commonly referred to as SIM cards in day-to-day usage.
  • 21. Subscriber identity module (SIM) cards • Found most commonly in GSM devices • Microprocessor and from 16 KB to 4 MB EEPROM; sometimes even more, up to 1 GB EEPROM • GSM refers to mobile phones as "mobile stations" and divides a station into two parts: the SIM card and the mobile equipment (ME) • SIM cards come in two sizes • Portability of information makes SIM cards versatile • Additional SIM card purposes: identifies the subscriber to the network; stores personal information; stores address books and messages; stores service-related information
  • 22. SIM Forensics • SIM card forensics is an essential section of mobile device forensics. • The information that a SIM card can provide the forensic examiner can be crucial to an investigation. • Obtaining a SIM card allows a plethora of information that the suspect has dealt with over the phone to be investigated. In general, some of this data can help an investigator determine: • Phone numbers of calls made/received • Contacts • SMS details (time/date, recipient, etc.) • SMS text (the message itself)
  • 23. Service Provider Data: Some additional information the service providers might store: • A customer database • Call Detail Records (CDR) • Home Location Register (HLR)
  • 24. SIM Cards from a Technical Point of View: The card contains its own: • Microprocessor (CPU) • Program memory (ROM) • Working memory (RAM) • Data memory (EPROM or E2PROM) • Serial communication module
  • 25. SIM structure: A SIM card has six pads that correspond to the six SIM connector pins, but only five pins are connected in the layout: • SIM data - This accesses the digital data stored in the SIM memory. • SIM clock - This is a clock frequency signal that synchronizes with the digital data to create the data signal for sending and receiving data. • SIM reset - This is a frequency signal that is meant to trigger or reset all the synchronization processes. • VSIM B+ supply voltage - This is the power supply voltage used to activate the circuit of a SIM card. • SIM ground - A ground line voltage. • The sixth one is not connected.
  • 26. Layout of SIM connector pins
  • 27. Description of SIM. A typical SIM (19 digits): 89 91 10 1200 00 320451 0. Digit position, example, description: • First two digits: 89, Major Industry Identifier • Next two digits: 91, Country Code (91 is for India) • Next two digits: 10, Issuer Identifier Number • Next four digits: 1200, Month and Year of build • Next two digits: 0, Switch Configuration Code • Next six digits: 320451, SIM number • Last digit: 0, Check Sum Digit
  • 28. SIM digits • These digits can be further grouped for additional information. • The Major Industry Identifier, Country Code, and Issuer Identifier Number make up the Issuer Identification Number (IIN), which is at most 7 digits long. • The next several digits, which may be of variable length, represent the Individual Account Identification Number. • The last digit is the checksum digit.
  • 29. File System Organization of a SIM card: The file system of a SIM card is organized in a hierarchical tree structure, as given below: • Master File (MF) - The master file is the root of the file system organization. It contains all the dedicated and elementary files. • Dedicated File (DF) - Dedicated files are subordinate directories to the master file that contain dedicated and elementary files. • Elementary File (EF) - These are files that contain various types of formatted data structures, which can be a sequence of data bytes, a sequence of fixed size records, or a fixed set of fixed size records used cyclically.
  • 30. SIM cards showing ICCID • Every SIM is identified internationally by its ICC-ID (Integrated Circuit Card ID). • The ICC-IDs are stored in the SIM card and they may even be engraved or printed on the SIM card's body during a process which is called personalization. • The number is generally up to 18 digits long with an addition of a single "check digit" that is used for error detection. • This single digit allows us to detect mistyped digits, an input error of digits or a permutation of two successive digits. • This digit is calculated with the use of the Luhn algorithm.
  • 31. The Concept of Data Recovery from SIM Cards • SIM cards are technically smart cards containing an embedded EEPROM memory chip. • The EEPROM chip in the smart cards is the same kind of flash memory device that is present in pen drives, SSDs, etc. • Hence, it is possible to recover data, as from other electronic memory chip devices. • But SIM cards in damaged conditions might become unrecognizable by the SIM extraction device being used. • Therefore, the card should be properly cleaned before being subjected to the process of extraction. • In the field of forensics, digital forensics laboratories may receive SIM cards in various unusual conditions, from soiled and dusty to physically broken SIM cards. • The connecting plates of the SIM cards might be rusted or soaked with blood.
  • 32. What is the IMEI number? • IMEI (International Mobile Equipment Identity) is a 15-digit unique number that is found in every phone. • This number is an identity certificate for your phone and cannot be changed. • Whenever you buy a new phone, you can check the IMEI on the box or inside the Settings functionality. • It is very important and useful to note down and keep this number safe as it could be used in the future if your phone ever gets lost or misplaced. • The model and origin comprise the initial 8-digit portion of the IMEI/SV, known as the Type Allocation Code (TAC). The remainder of the IMEI is manufacturer-defined, with a Luhn check digit at the end. For the IMEI format prior to 2003, the GSMA guideline was to have this check digit always transmitted to the network as zero. This guideline seems to have disappeared for the format valid from 2003 onwards.
  • 33. How do police track IMEI numbers? • Every phone has a specific 15-digit number known as the IMEI (International Mobile Equipment Identity) number. • This number can be used by the police to locate your lost or misplaced cell phone. • Even with a different SIM, the moment a call is made, the IMEI number helps police to track your phone to the exact or nearby cell phone tower. • After your IMEI number is blocked, it is blacklisted, which prevents the mobile from being used from that instant. • Basically, the device is blocked for protective purposes, such as after a theft. • Once the purpose is served, one can legally unblock the blacklisted IMEI number.
  • 34. The check digit is validated in three steps: 1. Starting from the right, double every other digit (e.g., 7 → 14). 2. Sum the digits (e.g., 14 → 1 + 4). 3. Check if the sum is divisible by 10. Conversely, one can calculate the IMEI by choosing the check digit that would give a sum divisible by 10.
  • 35. Check IMEI Number • For the example IMEI 49015420323751?, which digit should replace the question mark? • To make the sum divisible by 10, we set ? = 8, so the IMEI would be 490154203237518.
  • 37. MAC Address • A MAC address is a 12-digit hexadecimal number (6-byte binary number), which is mostly represented in colon-hexadecimal notation. The first 6 digits (say 00:40:96) of a MAC address identify the manufacturer and are called the OUI (Organizationally Unique Identifier). The IEEE Registration Authority Committee assigns these MAC prefixes to its registered vendors. Example: • CC:46:D6 - Cisco • 3C:5A:B4 - Google, Inc. • 3C:D9:2B - Hewlett Packard • 00:9A:CD - HUAWEI TECHNOLOGIES CO.,LTD
  • 38. MAC based tracking • MAC addresses allow you to filter devices on modern routers: you can tell your router to deny access to specific MAC addresses (i.e., specific physical devices) or only allow certain MAC addresses to connect. • You can't do the same with IP addresses because routers assign internal IP addresses to devices as they connect and recycle them when devices disconnect. • That's why your smartphone could have an internal IP address of 192.168.0.1 in the morning but 192.168.0.3 when you come home from work. As such, you can't filter a device using its IP address because it's always changing. • Another nifty use for MAC addresses is triggering Wake-on-LAN. Ethernet adapters can accept a "magic packet" that causes the device to turn on, even if it's shut down. • The magic packet can be sent from anywhere on the same network, and the MAC address of the receiving device's Ethernet adapter is how the magic packet knows where to go.
  • 39. Mobile Phone OPERATING SYSTEMS: GOOGLE ANDROID • APPLE iOS • WINDOWS PHONE • BLACKBERRY OS • FIRE OS • SYMBIAN OS • SAILFISH OS • BADA • PALM OS
  • 40. Brand specific Mobile OS • Google - Pixel, Nexus; OS - Android (open source) • Apple - iPhones; OS - iOS (not open source) • Huawei - Harmony OS • Oppo - Color OS • Realme - Realme OS • Xiaomi - MIUI and MIUI for Poco • OnePlus - Oxygen OS • Vivo - FunTouch OS • Asus Zenfones - ZenUI • Huawei and Honor - EMUI
  • 41. List of Forensic Tools
  • 42. Reporting: • Chain of Custody Form • Expert Report
  • 43. Reporting: EXPERT REPORT • THE LAST STAGE OF A DIGITAL EVIDENCE EXAMINATION IS TO INTEGRATE ALL FINDINGS & CONCLUSIONS INTO A FINAL REPORT. • THIS REPORT IS THE ONLY VIEW THAT OTHERS HAVE OF THE ENTIRE PROCESS. BUILD SOLID ARGUMENTS, SUPPORT ASSERTIONS AND INCLUDE ALL RELEVANT EVIDENCE.
  • 44. Reporting: • INTRODUCTION • EVIDENCE SUMMARY • EXAMINATION & ANALYSIS SUMMARY • CONCLUSIONS • GLOSSARY OF TERMS • APPENDIX OF SUPPORTING EXHIBITS
  • 45. Conclusion: DIGITAL FORENSIC FIELD IS ABLE TO FIND CRUCIAL ELECTRONIC EVIDENCE WHETHER IT IS • LOST • DELETED • DAMAGED • HIDDEN AND CAN BE USED TO PROSECUTE INDIVIDUAL
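The Luhn procedure from slides 34 and 35, which slide 30 also names for the ICCID check digit, written out as an added example that is not part of the original lecture. The function names and the `serial` label for the manufacturer-defined part are this example's own; the only sample value is the IMEI from slide 35.

```python
# Added example: Luhn check digits for IMEI (and ICCID) values.
# Function names are this example's own, not taken from the slides.

def luhn_sum(digits: str) -> int:
    """Luhn sum of a digit string whose last digit is the check digit."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:          # every other digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9            # same as adding the two digits: 14 -> 1 + 4
        total += d
    return total


def normalise(value: str) -> str:
    """Drop the spaces, dashes and slashes common in handwritten exhibit notes."""
    cleaned = "".join(c for c in value if c not in " -/")
    if not (cleaned.isascii() and cleaned.isdigit()):
        raise ValueError(f"non-digit characters in {value!r}")
    return cleaned


def luhn_check_digit(body: str) -> int:
    """Digit to append to body so that the Luhn sum is divisible by 10."""
    return (10 - luhn_sum(normalise(body) + "0") % 10) % 10


def is_luhn_valid(value: str) -> bool:
    """True when the full number, check digit included, passes the Luhn test."""
    return luhn_sum(normalise(value)) % 10 == 0


def parse_imei(value: str) -> dict:
    """Split a 15-digit IMEI into TAC, manufacturer-defined part and check digit."""
    imei = normalise(value)
    if len(imei) != 15:
        raise ValueError(f"IMEI must have 15 digits, got {len(imei)}")
    return {
        "tac": imei[:8],              # Type Allocation Code: model and origin
        "serial": imei[8:14],         # manufacturer-defined remainder
        "check_digit": int(imei[14]),
        "luhn_valid": is_luhn_valid(imei),
    }


if __name__ == "__main__":
    print(luhn_check_digit("49015420323751"))   # IMEI body from slide 35
    print(parse_imei("49-015420-323751-8"))
```

A passing Luhn check only shows that the number was recorded without a single-digit or adjacent-transposition error; it says nothing about whether the IMEI or ICCID was actually issued.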
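An added example (not from the lecture) for slide 37: normalising a MAC address from the notations seen in logs and splitting off the OUI. It goes beyond the slide by also reading the two flag bits of the first octet defined for IEEE 802 addresses, because a locally administered address carries no vendor OUI; the vendor table holds only the four prefixes listed on the slide, and the test addresses are constructed.

```python
# Added example: MAC address normalisation and OUI extraction.
import re

# OUI prefixes listed on slide 37 only; the IEEE publishes the full registry.
SLIDE_OUIS = {
    "CC:46:D6": "Cisco",
    "3C:5A:B4": "Google, Inc.",
    "3C:D9:2B": "Hewlett Packard",
    "00:9A:CD": "HUAWEI TECHNOLOGIES CO.,LTD",
}


def parse_mac(text: str) -> dict:
    """Normalise a MAC address and split it into OUI and device-specific part."""
    # Accept colon, hyphen and dotted notations (aa:bb:.., aa-bb-.., aabb.ccdd.eeff).
    hex_digits = re.sub(r"[:\-.\s]", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", hex_digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    octets = [hex_digits[i:i + 2] for i in range(0, 12, 2)]
    first = int(octets[0], 16)
    # Bit 0x02 of the first octet: locally administered (set by software,
    # e.g. a randomised address), so the first three octets are not a vendor OUI.
    local = bool(first & 0x02)
    oui = ":".join(octets[:3])
    return {
        "mac": ":".join(octets),
        "oui": oui,
        "nic": ":".join(octets[3:]),          # device-specific half
        "multicast": bool(first & 0x01),      # group address, not one device
        "locally_administered": local,
        "vendor": None if local else SLIDE_OUIS.get(oui, "unknown"),
    }


if __name__ == "__main__":
    for sample in ("3c-5a-b4-01-02-03", "cc46.d612.3456", "DA:A1:19:00:00:01"):
        print(parse_mac(sample))
```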