Savoldi-SIM and USIM File System - A Forensics Perspective


SIM and USIM Filesystem: a Forensics Perspective

SAC Conference 2007
22nd Annual ACM Symposium on Applied Computing
COEX Convention Center, Seoul, Korea, March 11 - 15, 2007

Presenter: Ing. Antonio Savoldi, Ph.D. student
Authors: Antonio Savoldi, Paolo Gubian
Department of Electronics for Automation, University of Brescia - Italy

SAC Conference 15/03/2007

Outline
• Cellular forensic tools
• SIMBrush
▫ Features and notable results
• SIM/USIM filesystem
▫ The standard part
▫ The non-standard part
• Data hiding in the non-standard part of the filesystem
• Examples

Introduction
• There are relatively few tools for digital evidence extraction from SIM/USIM cards
▫ Card4Labs – NFI (only for law enforcement)
▫ Cell Seizure – Paraben (commercial)
▫ XRY – Micro Systemation (commercial)
▫ TULP2G – NFI (open source)
• The SIMBrush tool aims at extracting the observable portion of the filesystem of a SIM/USIM card
▫ Open source
▫ Both standard and non-standard files are revealed

SIMBrush
• SIMBrush belongs to the imaging technique of the preservation phase (Digital Forensics Framework)
▫ It is used to create a master copy of the data present in SIM/USIM cards
• It uses the PC/SC middleware to interface with smart card readers
▫ It is written in ANSI C for portability
• A bit-by-bit SIM card image is impossible while preserving digital integrity and without harming the device
▫ Only the standard approach is used to extract the observable memory of SIM cards

Infrastructural part: GSM System


• SIMBrush is capable of extracting digital evidence from any SIM card used in the GSM system
▫ The most widespread system worldwide
• GSM system:
▫ Infrastructure: Database + Signalling + Network level
▫ End-user: User level
 Mobile Station = Mobile Equipment + Subscriber Identity Module
 Mobile Equipment = Terminal Equipment + Terminal Adaptor
• UMTS system:
▫ User Equipment = Mobile Equipment + User Service Identity Module (USIM)
• There are only small differences between GSM SIM and UMTS USIM cards
▫ for example the MMS file

SIM/USIM Cards
• SIM cards are a proper subset of Smart Cards (SC). These cards ensure the safety of the data stored within them
▫ Confidentiality: encryption of voice and data
▫ Authentication: an unauthorized user cannot access the system
▫ Non-repudiation: frauds (e.g. changing the credit) cannot be carried out
▫ Integrity: data at a higher access level cannot be tampered with
• Tampering attempts on a smart card could lead to an irreversible blocking of the card
▫ A bit-by-bit image acquisition is impossible, but the observable part of the memory can be obtained in a standard way

SIM/USIM Filesystem
• Organization:
▫ It has an N-ary tree structure
▫ MF (Master File): the root of the filesystem
▫ DF (Dedicated File): similar to a standard directory
 Header + EFs
▫ EF (Elementary File): objects containing the useful data
 Header + Body
 ADN, SMS, IMSI, ICCID …

SIM/USIM Filesystem
• Types of elementary files present in a SIM card:
▫ Transparent: sequence of bytes
▫ Linear-fixed: sequence of fixed-length records
▫ Cyclic: circular buffer of fixed-length records
• Every file in a SIM card is uniquely identified by its ID
• The operations allowed on the filesystem are coded into a set of commands issued to the SC by the interface device (smart card reader)
▫ Master-slave relation between the SC reader and the SIM card
• Standard set of commands to interact with the SIM card through the Interface Device (IFD)
▫ Select, Get Response, Read Binary, Read Record …

Access Level Conditions


• The access conditions (AC) specify the constraints on the execution of commands
▫ Read, Update, Increase, Rehabilitate and Invalidate are the commands controlled by AC
▫ ALW: the command is always executable on the file
▫ CHV1: the command is executable if the CHV1 or UNBLOCK CHV1 code has been provided
▫ CHV2: same as CHV1, with the CHV2 or UNBLOCK CHV2 code
▫ ADM: reserved to the telephony provider (administrative access)
▫ NEV: the command is never executable on the file

Extractable Data
• Information about the subscriber
▫ IMSI (International Mobile Subscriber Identity)
▫ LP (Preferred Languages)
• Information about acquaintances
▫ ADN (list of phone numbers)
• Information about SMS traffic
• Information about the subscriber's location
▫ LOCI (Location Information)
• Information about calls
▫ LND (Last Number Dialled)
• Information about the provider
▫ SPN (Service Provider Name), PLMNsel (PLMN Selector: the mobile networks used)
• Information about the system
▫ ICCID (Unique ID of the card)

Filesystem Extraction
• No command exists to browse the entire filesystem
• The ID space is "brushed" by issuing a SELECT command, with every possible file ID, to the SIM card:
▫ Addressable file ID space: "0000" to "FFFF"
▫ The SIM answers with a warning when the ID doesn't exist
▫ The header of the file is returned when the file exists
• Selection rules: a file is selectable if it is one of the following
▫ 1. The MF, no matter what the current directory is
▫ 2. The current directory
▫ 3. The parent of the current directory
▫ 4. Any DF which is an immediate child of the parent of the current directory
▫ 5. Any file which is an immediate child of the current directory

Selection Rules
Figure (example N-ary tree, from the slide): the MF is the root; its children are EF1 … EFN and DF1 … DFN; under DF1 are EF1,1 … EF1,N and DF1,1 … DF1,N; under DF1,1 are EF1,1,1 … EF1,1,N and DF1,1,1 … DF1,1,N.

Core Algorithm
• Definition of the file and directory sets associated with the preceding constraints:
▫ MF_SET
▫ CURRENT_SET
▫ PARENT_SET
▫ DF_SIBLINGS_SET
▫ SONS_SET
• SELECTABLE_SET is derived from "brushing" the addressable ID space (0000 -> FFFF)
• SELECTABLE_SET = MF_SET ∪ CURRENT_SET ∪ PARENT_SET ∪ DF_SIBLINGS_SET ∪ SONS_SET

Core Algorithm
• SONS_SET is unknown, and the following relation can be used
• SONS_SET = SELECTABLE_SET \ (MF_SET ∪ CURRENT_SET ∪ PARENT_SET ∪ DF_SIBLINGS_SET)
• Equivalence between N-ary and binary trees: for performance purposes the binary tree has been chosen
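The brushing procedure and the SONS_SET relation above, as an added example that is not SIMBrush code (SIMBrush is written in ANSI C; this is Python): a simulated card answers SELECT according to the five selection rules of the previous slides, and the discovery routine brushes the ID space 0000 to FFFF from each directory, then removes the MF, the current directory, its parent and the sibling DFs to obtain the sons. The card tree is constructed for this example; the ids 0011 and 7F4F stand in for non-standard files and the brusher never looks at the tree, only at the card's answers.

```python
# Added example (not SIMBrush code): the core algorithm run against a constructed
# card tree. The card model answers SELECT by the five selection rules; the brusher
# only sees the card's answers, never the tree.

MF = "3F00"

# Constructed sample tree: file id -> (type, parent id). Ids follow the deck's slides;
# 0011 and 7F4F stand in for non-standard files found outside the standard layout.
SAMPLE_TREE = {
    "3F00": ("DF", None),    # MF, root of the filesystem
    "2FE2": ("EF", "3F00"),  # ICCID
    "0011": ("EF", "3F00"),  # non-standard EF
    "7F10": ("DF", "3F00"),  # DF TELECOM
    "7F20": ("DF", "3F00"),  # DF GSM
    "7F4F": ("DF", "3F00"),  # non-standard DF, empty in this sample
    "6F3A": ("EF", "7F10"),  # ADN
    "6F3C": ("EF", "7F10"),  # SMS
    "6F07": ("EF", "7F20"),  # IMSI
    "6F20": ("EF", "7F20"),  # Kc
}


class SimulatedCard:
    """Answers SELECT the way the deck's selection rules describe a real card."""

    def __init__(self, tree):
        self.tree = tree
        self.current = MF  # current directory (MF or a DF)

    def select(self, fid):
        """Return the file type if fid is selectable from the current directory, else None."""
        if fid not in self.tree:
            return None  # the card's warning: no such file
        ftype, fparent = self.tree[fid]
        parent_of_current = self.tree[self.current][1]
        selectable = (
            fid == MF                                                 # rule 1
            or fid == self.current                                    # rule 2
            or fid == parent_of_current                               # rule 3
            or (ftype == "DF" and parent_of_current is not None
                and fparent == parent_of_current)                     # rule 4
            or fparent == self.current                                # rule 5
        )
        if not selectable:
            return None
        if ftype == "DF":
            self.current = fid  # selecting a DF changes the current directory
        return ftype


def goto(card, path):
    """Re-enter a directory by selecting the MF and then each DF on the path (rules 1 and 5)."""
    for fid in path:
        if card.select(fid) is None:
            raise RuntimeError(f"cannot re-select {fid}")


def brush(card, path):
    """SELECTABLE_SET as seen from path[-1]: try every id from 0000 to FFFF."""
    goto(card, path)
    selectable = {}
    for n in range(0x10000):
        fid = f"{n:04X}"
        ftype = card.select(fid)
        if ftype is None:
            continue
        selectable[fid] = ftype
        if ftype == "DF":
            goto(card, path)  # selecting a DF moved us: go back before continuing
    return selectable


def discover(card, path=(MF,), df_siblings=frozenset()):
    """Subtree below path[-1]: SONS_SET = SELECTABLE_SET minus (MF, CURRENT, PARENT, DF_SIBLINGS)."""
    current = path[-1]
    known = {MF, current} | df_siblings
    if len(path) > 1:
        known.add(path[-2])  # PARENT_SET
    sons = {fid: t for fid, t in brush(card, path).items() if fid not in known}
    son_dfs = frozenset(fid for fid, t in sons.items() if t == "DF")
    subtree = {}
    for fid, ftype in sorted(sons.items()):
        # each son DF is brushed in turn; its siblings are the DFs found here
        subtree[fid] = discover(card, path + (fid,), son_dfs) if ftype == "DF" else "EF"
    return subtree


def discover_sample():
    """Brush the constructed card and return the recovered tree rooted at the MF."""
    return {MF: discover(SimulatedCard(SAMPLE_TREE))}


if __name__ == "__main__":
    print(discover_sample())
```

Each directory costs 65536 SELECT attempts, which is why the deck mentions choosing the binary-tree form for performance on a real card; on the simulated card the whole run takes well under a second.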

Some examples (SMS)

• Raw and translated version of an SMS

Some examples (ICCID)


Raw and translated SIMBrush output for the ICCID file (the two columns of the slide, shown one after the other):

<ef>
  <header>
    0000000A2FE204000FF55501020000
  </header>
  <body>
    <content>
      98931000006092643586
    </content>
  </body>
</ef>

<EF>
  <ICCID description="EFICCID '2FE2' (ICC Identification): This EF provides a unique identification number for the SIM.">
    <content>98931000006092643586</content>
    <header>
      <ID>2FE2</ID>
      <SIZE>10</SIZE>
      <acINCREASE>NEV</acINCREASE>
      <acINVALIDATE>ADM</acINVALIDATE>
      <acREAD>ALW</acREAD>
      <acREHABILITATE>ADM</acREHABILITATE>
      <acUPDATE>NEV</acUPDATE>
      <status>
        File invalidated#
        File not readable or updatable when invalidated#
      </status>
      <structure>transparent</structure>
    </header>
  </ICCID>
</EF>
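Decoding the raw output above, as an added example that is not SIMBrush code: the header string and the body string are the ones shown on the slide, the field layout of the SELECT response for an EF and the access-condition codes are those of GSM 11.11, and the ICCID body is swapped-nibble BCD. The Luhn check is an extra sanity check an examiner can apply to the decoded ICCID; the file-status byte is read with the GSM 11.11 bit meanings (b1 = 0 invalidated, b3 = readable when invalidated).

```python
# Added example (not SIMBrush code): decode the raw SIMBrush output for EF ICCID (2FE2).
# Field layout of the SELECT response for an EF and the access-condition codes follow
# GSM 11.11; the two hex strings are the ones printed on the slide.

HEADER_HEX = "0000000A2FE204000FF55501020000"   # <header> of the raw <ef> block
BODY_HEX = "98931000006092643586"               # <content> of the raw <ef> block

FILE_TYPES = {0x01: "MF", 0x02: "DF", 0x04: "EF"}
STRUCTURES = {0x00: "transparent", 0x01: "linear fixed", 0x03: "cyclic"}


def access_name(code):
    """Access-condition nibble -> name (0 ALW, 1 CHV1, 2 CHV2, 3 RFU, 4..14 ADM, 15 NEV)."""
    names = {0: "ALW", 1: "CHV1", 2: "CHV2", 3: "RFU", 15: "NEV"}
    return names.get(code, "ADM")


def parse_ef_header(hex_header):
    """Split the SELECT response of an EF into the fields SIMBrush prints in its <header>."""
    raw = bytes.fromhex(hex_header)
    if len(raw) < 14:
        raise ValueError("SELECT response too short for an EF header")
    ac = raw[8:11]  # bytes 9-11: access conditions, one nibble per command
    return {
        "ID": raw[4:6].hex().upper(),                  # bytes 5-6: file id
        "SIZE": int.from_bytes(raw[2:4], "big"),       # bytes 3-4: file size
        "type": FILE_TYPES.get(raw[6], "unknown"),     # byte 7: type of file
        "acREAD": access_name(ac[0] >> 4),
        "acUPDATE": access_name(ac[0] & 0x0F),
        "acINCREASE": access_name(ac[1] >> 4),
        "acREHABILITATE": access_name(ac[2] >> 4),
        "acINVALIDATE": access_name(ac[2] & 0x0F),
        "invalidated": not (raw[11] & 0x01),          # byte 12, b1: 0 = invalidated
        "readable_when_invalidated": bool(raw[11] & 0x04),
        "structure": STRUCTURES.get(raw[13], "unknown"),  # byte 14: structure of EF
    }


def decode_iccid(hex_body):
    """ICCID body: BCD digits with the two nibbles of each byte swapped; 0xF is padding."""
    digits = []
    for byte in bytes.fromhex(hex_body):
        for nibble in (byte & 0x0F, byte >> 4):
            if nibble == 0x0F:
                return "".join(digits)
            digits.append(str(nibble))
    return "".join(digits)


def luhn_ok(digits):
    """ICCIDs carry a Luhn check digit; a failed check hints at a mis-decoded or altered body."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def decode_sample():
    """Parse the slide's header and body; returns (header fields, ICCID, Luhn result)."""
    header = parse_ef_header(HEADER_HEX)
    iccid = decode_iccid(BODY_HEX)
    return header, iccid, luhn_ok(iccid)


if __name__ == "__main__":
    header, iccid, ok = decode_sample()
    for key, value in header.items():
        print(f"{key}: {value}")
    print("ICCID:", iccid, "(Luhn ok)" if ok else "(Luhn FAILED)")
```

The parsed access conditions (READ ALW, UPDATE NEV, INCREASE NEV, REHABILITATE ADM, INVALIDATE ADM) and the transparent structure match the translated XML above, and the decoded ICCID starts with the 89 telecom prefix and passes the Luhn check.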
The Hidden Part of the Filesystem
• Non-standard part: an issue to deal with
• By analyzing the meta-content it is possible to see whether some non-standard EFs are accessible with the "Update" command
• This demonstrates the possibility of using the SIM/USIM card as a covert channel

Figure (filesystem tree, reconstructed from the slide; EF grouping under the DFs per GSM 11.11):
MF 3F00
▫ EF (ICCID) 2FE2
▫ DF (TELECOM) 7F10: EF (ADN) 6F3A, EF (FDN) 6F3B, EF (SMS) 6F3C, EF (CCP) 6F3D, EF (MSISDN) 6F40, EF (SMSP) 6F42, EF (SMSS) 6F43, EF (LND) 6F44, EF (EXT1) 6F4A, EF (EXT2) 6F4B
▫ DF (GSM) 7F20: EF (LP) 6F05, EF (IMSI) 6F07, EF (Kc) 6F20, EF (PLMNsel) 6F30, EF (HPLMN) 6F31, EF (ACMmax) 6F37, EF (SST) 6F38, EF (ACM) 6F39, EF (PUCT) 6F41, EF (CBMI) 6F45, EF (SPN) 6F46, EF (BCCH) 6F74, EF (ACC) 6F78, EF (FPLMN) 6F7B, EF (LOCI) 6F7E, EF (AD) 6FAD, EF (PHASE) 6FAE, EF (KcGPRS) 6F52, EF (LOCIGPRS) 6F53, EF (SUME) 6F54
▫ DF (DCS1800) 7F21
Other IDs appearing in the figure, whose position in the tree is not recoverable from the extracted text: 0000, 0005, 0006, 0011, 0100, 0200, 2F20, 2F30, 2F31, 2F32, 2F33, 2F34, 2FEE, 2FEF, 6F16, 6F1C, 6F1E, 7F4F, EECF

File Allocation Table



Lesson Learnt
• Every non-standard EF with CHV1/CHV2 access privileges on the Update command is writable
▫ Concrete possibility of hiding plenty of information
▫ The SIM/USIM can become a real covert channel
• A standard 128 Kbyte SIM card can have around 17 Kbyte of hidden writable space
▫ This part of the filesystem cannot be found by current forensic tools
▫ GWSS (Global Writable Slack Space)

Experimental Results
• WNSP: Writable Non-standard Part
• NSP: Non-standard Part of the filesystem
• TES: Total Engaged Space

Covert Channel
• The SIM/USIM can act as a covert channel
Figure (flow, the four boxes shown on the slide):
▫ Selection of a message to hide within a SIM (7-bit coding)
▫ Extraction of the File Allocation Table (FAT)
▫ Stego-key selection (1FF0, 2FF2, 3FF2 …)
▫ Allocation in the non-standard part of the SIM/USIM

Hidden Message Communication

Discovering the Non-standard part


• Some guidelines:
▫ Extract all the contents
▫ Try to guess the coding scheme used
▫ Descramble the hidden message
 Try to work out, from the various chunks of text, whether anything intelligible can be obtained
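An examiner's pass over a brushed dump, as an added example that ties together the Lesson Learnt, Experimental Results and Discovering the Non-standard part slides (it is not SIMBrush code): it computes TES, NSP and WNSP from the file headers, then tries the 7-bit coding named on the covert-channel slide on each writable non-standard EF and applies an intelligibility heuristic. The dump is constructed (the ids 0011, 1FF0 and 2FF2 are taken from the slides, the bodies are made up), the standard-ID list is the subset drawn from the deck's filesystem figure rather than the full GSM 11.11 table, and ALW is counted as writable alongside CHV1/CHV2 because it needs no PIN at all.

```python
# Added example (not SIMBrush code): classify a brushed dump and test the 7-bit coding
# on writable non-standard EFs. Dump and bodies are constructed for this example.
import string

# EF ids the deck's figure shows as standard (ICCID plus DF TELECOM and DF GSM children);
# a real check would use the full GSM 11.11 table.
STANDARD_EF_IDS = {
    "2FE2", "6F3A", "6F3B", "6F3C", "6F3D", "6F40", "6F42", "6F43", "6F44", "6F4A", "6F4B",
    "6F05", "6F07", "6F20", "6F30", "6F31", "6F37", "6F38", "6F39", "6F41", "6F45", "6F46",
    "6F74", "6F78", "6F7B", "6F7E", "6FAD", "6FAE", "6F52", "6F53", "6F54",
}
# UPDATE access conditions a PIN holder can satisfy (the deck names CHV1/CHV2; ALW needs no PIN)
WRITABLE_UPDATE = {"ALW", "CHV1", "CHV2"}


def pack_7bit(text):
    """GSM 03.38 7-bit packing (septets, LSB first) for characters that coincide with ASCII."""
    bits = nbits = 0
    out = bytearray()
    for ch in text:
        bits |= ord(ch) << nbits
        nbits += 7
        while nbits >= 8:
            out.append(bits & 0xFF)
            bits >>= 8
            nbits -= 8
    if nbits:
        out.append(bits & 0xFF)
    return bytes(out)


def unpack_7bit(data):
    """Inverse of pack_7bit: return the septet values packed in data."""
    bits = nbits = 0
    septets = []
    for byte in data:
        bits |= byte << nbits
        nbits += 8
        while nbits >= 7:
            septets.append(bits & 0x7F)
            bits >>= 7
            nbits -= 7
    return septets


def septet_to_char(s):
    """Map the GSM default-alphabet positions that coincide with ASCII; anything else -> U+FFFD."""
    ascii_like = 0x20 <= s <= 0x7A and s not in (0x24, 0x40) and not 0x5B <= s <= 0x60
    return chr(s) if ascii_like else "\ufffd"


def decode_7bit(data):
    return "".join(septet_to_char(s) for s in unpack_7bit(data))


def looks_like_text(decoded, threshold=0.9):
    """Intelligibility heuristic: share of letters, digits, spaces and common punctuation."""
    if len(decoded) < 4:
        return False
    ok = sum(ch in string.ascii_letters + string.digits + " .,!?'-:;()" for ch in decoded)
    return ok / len(decoded) >= threshold


def space_report(files):
    """TES / NSP / WNSP (the GWSS) as defined on the Experimental Results slide."""
    non_standard = [f for f in files if f["id"] not in STANDARD_EF_IDS]
    writable = [f for f in non_standard if f["update"] in WRITABLE_UPDATE]
    return {
        "TES": sum(f["size"] for f in files),
        "NSP": sum(f["size"] for f in non_standard),
        "WNSP": sum(f["size"] for f in writable),
        "writable_ids": sorted(f["id"] for f in writable),
    }


def examine(files):
    """For every writable non-standard EF, try the 7-bit coding and flag intelligible content."""
    findings = {}
    for f in files:
        if f["id"] in STANDARD_EF_IDS or f["update"] not in WRITABLE_UPDATE:
            continue
        payload = f["body"].rstrip(b"\xff")  # unused SIM bytes are usually 0xFF
        findings[f["id"]] = looks_like_text(decode_7bit(payload))
    return findings


def padded(content, size):
    """Fill the rest of an EF body with 0xFF, as an unused SIM file body would be."""
    return content + b"\xff" * (size - len(content))


# Constructed dump: id, size, UPDATE access condition, body. The ICCID body is the slide's
# value; 0011, 1FF0 and 2FF2 are ids the deck shows for non-standard files.
SAMPLE_DUMP = [
    {"id": "2FE2", "size": 10, "update": "NEV", "body": bytes.fromhex("98931000006092643586")},
    {"id": "6F07", "size": 9, "update": "ADM", "body": padded(b"", 9)},
    {"id": "6F3C", "size": 176, "update": "CHV1", "body": padded(b"", 176)},
    {"id": "0011", "size": 64, "update": "CHV1", "body": padded(pack_7bit("meet at noon"), 64)},
    {"id": "1FF0", "size": 32, "update": "CHV2", "body": padded(bytes.fromhex("ff013fe22fec39"), 32)},
    {"id": "2FF2", "size": 16, "update": "ADM", "body": padded(b"", 16)},
]

if __name__ == "__main__":
    print(space_report(SAMPLE_DUMP))
    print(examine(SAMPLE_DUMP))
```

On the constructed dump the report gives TES 307, NSP 112 and WNSP 96 bytes, and the examination flags 0011 as holding 7-bit text while 1FF0 (whose bytes were chosen to unpack to non-text septets) is not flagged; a real examination would repeat the decoding step for each candidate coding scheme, as the guidelines above suggest.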

Conclusions
• All the analyzed SIM/USIM forensic tools have a missing part
▫ They are unable to extract the non-standard part
• Concrete possibility of using a SIM/USIM as a covert channel
• Application of some steganalysis concepts in order to extract the hidden message