Mobile Forensics Cookbook

You're reading from Mobile Forensics Cookbook: Data acquisition, extraction, recovery techniques, and investigations using modern forensic tools

Product type: Paperback
Published in: Dec 2017
ISBN-13: 9781785282058
Length: 302 pages
Edition: 1st Edition
Author: Igor Mikhaylov

Table of Contents (12 chapters)

  • Preface
  1. SIM Card Acquisition and Analysis
  2. Android Device Acquisition
  3. Apple Device Acquisition
  4. Windows Phone and BlackBerry Acquisition
  5. Clouds are Alternative Data Sources
  6. SQLite Forensics
  7. Understanding Plist Forensics
  8. Analyzing Physical Dumps and Backups of Android Devices
  9. iOS Forensics
  10. Windows Phone and BlackBerry Forensics
  11. JTAG and Chip-off Techniques

SIM card acquisition and analysis with Oxygen Forensic

Oxygen Forensic is one of the best programs for mobile forensics. Besides its other functions, it can analyze SIM cards. The program is commercial, but a 30-day full-featured trial version is available on request. When the request is accepted, you will receive an email containing a registration key and instructions for downloading the installation software.

Getting ready

Download Oxygen Forensic (https://www.oxygen-forensic.com/en/) and install it by following the prompts. Go to the menu path Service | Enter Key. In the License window that opens, enter the license key and click the Save button. Restart the program.

How to do it...

To examine a SIM card, remove it from the mobile device and insert it into a SIM card reader connected to the expert's computer. As we mentioned earlier, Microsoft PC/SC drivers are pre-installed on Windows operating systems, so there is no need to install anything else.
Now let's see how to use Oxygen Forensic:

  1. In the Oxygen Forensic program, click the Connect device button located in the toolbar. This starts Oxygen Forensic Extractor:

[Figure: The main window of Oxygen Forensic Extractor]

  2. In the main menu of Oxygen Forensic Extractor, click the UICC acquisition option. The next window will either prompt you to select the connected card reader or display an error message:

[Figure: A card reader connection error message]

  3. If access to the SIM card data is protected by a PIN or PUK code, you will be prompted to enter the appropriate code. The program displays the number of available attempts to enter the PIN and PUK codes. If there have been no attempts to unlock the SIM card, there should be 3 attempts to enter the PIN code and 10 attempts to enter the PUK code. After 10 failed attempts to enter the PUK code, the SIM card will be blocked forever. The PUK code can be obtained from the communication provider through an authorized person.

[Figure: The SIM card data extraction window]

The SIM card data extraction window displays the following:

  • Information about the card reader
  • Information about the SIM card
  • Fields for entering PIN and PUK codes

Enter the SIM card unlock code and click the Next button.

  4. In the next window, you can specify additional information about the extraction that will be stored in the case. In this window, you can also select how the data extracted from the device is saved:

The Stored extracted physical dump of backup in the device image... option saves the main files from the SIM card.

The Complete UICC image option saves all files from the SIM card. The extraction of the SIM card files may take over 12 hours if you select this option.

[Figure: The window for entering additional information about the case]

  5. Click the Next button. The process of extracting data from the investigated SIM card will start.

The following data, including deleted items, can be extracted from the SIM card:

  • General information about the SIM card
  • Contacts
  • Calls
  • Messages
  • Other information

When the data import is finished, the final window of Oxygen Forensic Extractor is displayed with summary information about the import. Click the Finish button to complete the data extraction.

The extracted data will be available for viewing and analysis.

  6. At the end of the extraction, the created case can be opened in the Oxygen Forensic program.

[Figure: Summarized information about the extraction]

  7. Click the Messages category to view the corresponding section of extracted data for the case.

[Figure: Viewing Messages section]

  8. Return to the main screen of Oxygen Forensic and click the File browser category. In the File browser section, you can view the files that were extracted from the SIM card. The contents of these files can be analyzed manually.

[Figure: Viewing 2FE2 file contents]

How it works...

Oxygen Forensic extracts data from the SIM card installed in the card reader that is connected to the expert's computer. After this, you can generate a forensic report or analyze the extracted data from the main window of this program.

There's more...

Oxygen Forensic displays file names in hex, which can be inconvenient for an expert. The following table shows the correspondence between the hex names of the standard files and their content:

| File name | Description | File name | Description |
|-----------|-------------|-----------|-------------|
| 3F00 | MF | 6F05 | EF (LP) |
| 7F10 | DF (TELECOM) | 6F31 | EF (HPLMN) |
| 7F20 | DF (GSM) | 6F41 | EF (PUCT) |
| 7F21 | DF (DCS1800) | 6F78 | EF (ACC) |
| 2FE2 | EF (ICCID) | 6FAE | EF (PHASE) |
| 6F3A | EF (ADN) | 6F07 | EF (IMSI) |
| 6F3C | EF (SMS) | 6F37 | EF (ACMmax) |
| 6F40 | EF (MSISDN) | 6F45 | EF (CBM) |
| 6F43 | EF (SMSS) | 6F7B | EF (FPLMN) |
| 6F4A | EF (EXT1) | 6F52 | EF (KcGPRS) |
| 6F3B | EF (FDN) | 6F20 | EF (Kc) |
| 6F3D | EF (CCP) | 6F38 | EF (SST) |
| 6F42 | EF (SMSP) | 6F46 | EF (SPN) |
| 6F44 | EF (LND) | 6F7E | EF (LOCI) |
| 6F4B | EF (EXT2) | 6F53 | EF (LOCIGPRS) |
| 6F74 | EF (BCCH) | 6F30 | EF (PLMNsel) |
| 6FAD | EF (AD) | 6F54 | EF (SUME) |
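
The manual analysis of extracted files mentioned in the File browser step can be illustrated with an added Python example (not from the book and not Oxygen Forensic code) that decodes the raw bytes of EF ICCID (2FE2), EF IMSI (6F07) and EF SPN (6F46). ICCID and IMSI are stored as nibble-swapped BCD; the function names and the sample hex values are constructed for illustration, and the SPN decoder assumes a basic Latin name.

```python
# Added example: decode a few SIM elementary files (EFs) from raw hex.
# Sample contents below are constructed, not taken from a real card.

EF_NAMES = {"2FE2": "ICCID", "6F07": "IMSI", "6F46": "SPN"}  # from the table above

def swap_nibbles(data: bytes) -> str:
    """Return digits of nibble-swapped BCD: byte 0x98 encodes the digits '89'."""
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in data)

def decode_iccid(data: bytes) -> str:
    # EF ICCID: 10 bytes of swapped BCD, padded with 'F' when the number is 19 digits.
    return swap_nibbles(data).rstrip("F")

def decode_imsi(data: bytes) -> str:
    # EF IMSI: byte 0 = number of significant bytes that follow; the first
    # nibble after swapping is a parity/type marker, not an IMSI digit.
    length = data[0]
    if length == 0xFF or not 1 <= length <= 8:
        return ""  # unprovisioned or malformed record
    return swap_nibbles(data[1:1 + length])[1:].rstrip("F")

def decode_spn(data: bytes) -> str:
    # EF SPN: byte 0 = display condition, then the name padded with 0xFF.
    # Assumption: basic Latin name, where the GSM default alphabet matches ASCII.
    return data[1:].rstrip(b"\xff").decode("ascii", errors="replace")

DECODERS = {"ICCID": decode_iccid, "IMSI": decode_imsi, "SPN": decode_spn}

def decode_files(dump: dict) -> dict:
    """Map {file id: hex string} to {label: decoded value}; unknown EFs stay as hex."""
    out = {}
    for file_id, hex_content in dump.items():
        name = EF_NAMES.get(file_id.upper())
        raw = bytes.fromhex(hex_content)
        out[name or file_id] = DECODERS[name](raw) if name else raw.hex().upper()
    return out

SAMPLE_DUMP = {  # constructed values
    "2FE2": "989909214365870921F3",
    "6F07": "080910101032547698",
    "6F46": "01" + "4578616D706C65" + "FF" * 9,
    "6FAD": "00FFFF02",
}

if __name__ == "__main__":
    for label, value in decode_files(SAMPLE_DUMP).items():
        print(f"{label}: {value}")
```

Comparing values decoded this way with what the tool reports is a quick check that a file was read and interpreted correctly.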
