See

discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/277814473

Forensic Analysis of SIM Cards for Data

Acquisition
Article February 2015

CITATIONS

READS

367

3 authors, including:
Vibhuti narayan Singh

Shalini Chauhan

Bundelkhand University Jhansi

Babasaheb Bhimrao Ambedkar University

16 PUBLICATIONS 2 CITATIONS

5 PUBLICATIONS 2 CITATIONS

SEE PROFILE

SEE PROFILE

Available from: Vibhuti narayan Singh

Retrieved on: 15 September 2016

Asian Journal of Multidisciplinary Studies

Volume 3, Issue 1, January 2015

ISSN: 2321-8819 (Online)

2348-7186 (Print)
Impact Factor: 0.923

Forensic Analysis of SIM Cards for Data Acquisition

Vibhuti Narayan Singh1, Shalini Chauhan2 and G. Khan3
1

Private Handwriting & Fingerprint Expert,

Bundelkhand Region, Jhansi, U.P.
2
Asst. Professor, Dept. of Forensic Sci. & Criminology,
Babasaheb Ambedkar University,
Lucknow, U.P. Pin- 226025
3
Joint Director, Medicolegal Dept.,
State Forensic Sci. Laboratory, Lucknow, U.P.
Abstract: A SIM card is a basic component for Mobile devices which have function for both identification
and authentication of the subscriber phones to its network. SIM cards themselves contain a repository of
data and information such as ICCID, IMSI, Phonebook, SMS, Call detail etc. which have great forensic
value. In this article we summarize current forensic research for the data extraction of forensic interest
present in SIM cards through a sample tool on window based computer and it is concluded that tools to
extract such evidence from the SIM card are exist but there is a need to develop more accurate and sensitive
forensically sound tools.

Keyword: SIM, Forensic Device, Digital forensic, ICCID, IMSI

Introduction: SIM (Subscriber Identity Module or

Subscriber Identification Module) is also known as
Integrated Circuit Card (ICC) is a portable memory
chip that securely stores account information
requires for the service authentication and user
details. SIM card contains a CPU(Central
Processing Unit), EEPROM (Electronically,
Erasable, and Programmable Read Only Memory),
RAM (Random Access Memory), ROM (Read
Only Memory) and an Operating System. RAM
controls the program execution flow and ROM
controls the operating system work flow, user
authentication, data encryption algorithm and other
applications. File system of SIM card resides in
EEPROM. A typical SIM card file system is shown
in figure 1:-

related local network such as TMSI (Temporary

Mobile Subscriber Identity), RAI (Routing Area
Identifier), detail of services accessed by the user
such asADN (Abbreviated Dialing Number), FDN
(Fixed Dialing Number), SMS (Short Message
Storage), LND (Last Number Dialed),etc. and two
passwords PIN (Personal Identification Number),
PUK (Personal Unblocking Code).These data
sometime helps during police investigation,
Therefore handling and analysis of these types of
evidences is done under forensic sound condition.
Type and Size of SIMGSM is abbreviation for Global System for Mobile
Communication developed by the European
Telecommunication Standards Institute (ETSI). It
describes the protocols for 2G, 3G, and 4G digital
cellular network for transmitting voice, text and
data services.
GSM operates in a number of different frequencies
usually 900 MHz or 1.8 GHz and in Canada and
United States it is 850 MHz or 1.9 GHZ.
CDMA is a short form for Code Division Multiple
Access, a digital cellular technology where several
transmitters can send information simultaneously
over a single communication channel.
Size
SIM cards are manufactured into three sizes Nano,
Micro, and Standard. All details related with SIM
specification are given in table 1:

Fig 1: SIM card File System

SIM card contains ICCID (Integrated Circuit Card

Identification), IMSI (International Mobile
Subscriber Identity) MSSIDN (Mobile Station
International Subscriber Directory Number),
Security Authentication, Temporary information
Available online at www.ajms.co.in

24

Forensic Analysis of SIM Cards for Data Acquisition

SIM

Size

Thickness

Nano

15mm by 12mm

0.76mm

Micro

25mm by 15mm

0.76mm

Standard

85.6mm by 53.98mm

0.76mm

Table 1: Size of SIM card

Fig 2: Size of SIM card

Data of forensic InterestThe SIM card contains sensitive data about service provider, subscriber. Some of which is listed in table no 2.
1

Service Provider Name

Mobile
Country
Code 5
(MCC)
Mobile Station International 8
Subscriber Directory
Number
(MSISDN)
Short Message Services 11
(SMS)
Fixed
Dialed
Number 14
(FDN)
Temporary Mobile
17
Subscriber
Identity (TMSI)
Table 2: Data of Forensic Interest

10
13
16

IMSI (International Mobile

Subscriber Identity)
Mobile
Network
Code
(MNC)
Abbreviated Dialing
Number
(ADN)

Language Preference (LP)

12

Local Area Identity (LAI)

15

Routing Area
(RAI)
Network Code

6
9

ICCID (International Circuit

Card Identifier)
Mobile Subscriber Identification
Number (MSIN)
Last Dialed Number (LDN)

Card Holder Verification (CHV1

& CHV2)
Own Dialing Number

Identifier

Testing Requirement1.

Computer Workstations- The configuration of workstation are mentioned in table 3:

CPU
RAM
OS

2.

Intel Core i5
8 GB
Window 7 Home Basic Service Pack 1
32bit
GPU
NVIDIA 512M 1GB
HDD
500 @ 5400 RPM
Table 3: Configuration Property if Computer Workstation
SIM cards- In this study we use three India brand SIM which details are mentioned below.
Service

ICCID Number

Size

BSNL

89915590631419586640

128 k

Idea

89918951031446662125

128 k

Vodafone

89911500021855394196

128 k

Provider

Table 4: SIM card property

Detail

Fig 2: Physical Appearance of SIM with

Among the three SIMs those are to be analyzed the Vodafone SIM got portability from Aircel.
MNP (Mobile Number Portability): it is a service which enables mobile telephone users to change from one
network operator to another without changing their mobile telephone numbers.
3.

SIM Forensic Tool-

Asian Journal of Multidisciplinary Studies, 3(1) January, 2015

25

Forensic Analysis of SIM Cards for Data Acquisition

Analysis-The SIM card can be accessed by mounting the card in a standard smart-card reader shown in figure.
Then card is accessed logically by software. The contents of the SIM card are stored in a series of files in form
of binary data. These data is extracted by the forensic tool and analyzed by the forensic analyst under
forensically sound environment. In this study we analyses three Indian SIM cards BSNL, Idea, Vodafone. All
the information extracted by these SIM card are mentioned below.
.

Figure 3: SIM Card Reader

a)

ICCID- It is a unique numeric code up to 20 digit long stored in SIM card and also be engraved on
SIM card body. The last number of ICCID is checksum digit used for error detection. The
interpretation of a hypothetical twenty digit ICCID is shown in table 5ICCID
89915590631419586640

BSNL
Industry
Identifier

Country
Code

Issuer
Identifier

Month and
year of
manufactu
ring

Configuration
code

SIM
number

Checksu
m digit

Issuer
Identific
ation
Number

Individual
Account
Identification
Number

89

91

559

0613

41

958664

8991559

063141958664

Industry
Identifier

Country
Code

Issuer
Identifier

Month and
year of
manufactu
ring

Configuration
code

SIM
number

Checksu
m digit

Issuer
Identific
ation
Number

Individual
Account
Identification
Number

89

91

895

1031

44

666212

8991895

103144666212

Issuer
Identific
ation
Number
8991150

Individual
Account
Identification
Number
002185539479

89918951031446662125

Idea

Vodafone

89911500021855394196
Industry
Identifier

Country
Code

Issuer
Identifier

89

91

150

Month and
year of
manufactu
ring
0021

Configuration
code

SIM
number

Checksu
m digit

85

539479

Table 5: Interpretation of ICCID details

As in the table shows that the first two digits refers to the Major industry Identifier, next two country code, next
three digit issuer identifier number, next four digit to month and year of manufacturing, next two digit to switch
configuration code, next six digit to SIM number, and last digit is checksum digit. The major industry identifier,
country code and issuer identification number makeup the Issuer Identification
Number (IIN) and next several digits represent the Individual Account Identification Number.
b) IMSI- This is a unique 15 digit number provided to the subscriber. The interpretation of a hypothetical
15 digit IMSI of all three SIM cards is shown in table 6 as shown in the table the first three digits
Identify the Mobile Country Code next two or three digit identify the Mobile Network code (MNC)
and the rest of the digit identifythe Mobile Subscriber Identification Number (MSIN).
IMSI
404554130958664

BSNL
MCC

MNC

MSIN

404

55

4130958664

MCC

MNC

MSIN

404

89

1034666212

404891034666212

Idea

404152185539419

Vodaf
MCC

one

MNC

MSIN

Table
of IMSI details
404 6: Interpretation
15
2185539419

Asian Journal of Multidisciplinary Studies, 3(1) January, 2015

26

Forensic Analysis of SIM Cards for Data Acquisition

c)

MSISDN-The mobile Station International Subscriber Directory Number is a number uniquely

identifying a subscriber or simply it is the telephone number of the user. The maximum length of an
MSISDN is 15 digits.
d) TMSI- It is the identity that is sent between the mobile and the network. When the mobile operator
moves from one location to new location it is automatically updated. Size of the TMSI is 4 octets with
full hex digit. The extracted TMSI are listed belowService Provider
Extracted TMSI
BSNL

52 58 53 FF

Idea

39 EC C3 59

Vodafone

87 51 CD 7C
Table 7: Extracted TMSI

e)

Phonebook and Call Informationi) Abbreviated Dialling Number (ADN)-Any number and name dialled by the subscriber is saved by
the ADN. The extracted ADN are listed belowService Provider
Extracted AND
BSNL

140

Idea

16

Vodafone

2
Table 8: Extracted ADN

ii) Fixed Dialling Number (FDN)-With this function the used doesnt have to dial number by pressing
any number of the phone pad, he can assess to the assigned phone number. No SIM card has
any detail about FDN.
iii) Last Number Dialled (LND) - The LND contains most recently dialled number. The extracted
LND are listed belowService Provider
Extracted LND
BSNL

10

Idea

Vodafone

10
Table 9: Extracted LND

f)

Messaging Information-SMS history is accessed by this feature. The extracted detail of SMS with last
sent messages references are listed belowService Provider
Extracted
Last Sent Message Reference
SMS

Number

BSNL

18

223

Idea

13

103

Vodafone

20

147
Table 10: Extracted SMS

g) Local Area Identity (LAI)-LAI identified with its own unique identification number represents
specific locations. The extracted detail of LAI is given belowService Provider
Extracted LAI
BSNL

71 AC

Idea

07 EO

Vodafone

OB BB
Table 10: Extracted LAI

Conclusion-In the above analysis we have

analyzed three Indian Brand SIMs namely BSNL,
Idea and Vodafone. The following data can be
extracted by these SIM cards like ICCID which

includes industry identifier, country code, SIM

number, issuer identification number etc., TMSI,
Contact, last Dialed Numbers, Messages, Local
Area Identity etc. can also be extract. IMSI

Asian Journal of Multidisciplinary Studies, 3(1) January, 2015

27

Forensic Analysis of SIM Cards for Data Acquisition

(International Mobile Subscriber Identity) a 15

digit number, in these first three digits identify the
Mobile Country Code next two or three digits
identify the Mobile Network code (MNC) and the
rest of the digit identifies the Mobile Subscriber
Identification Number (MSIN). Among these three
SIMS the Vodafone SIM was got portability from
Aircel. During the analysis it is analyzed that in
IMSI, MNC of Aircel is relatively shown in place
of Vodafone, which is an ambiguous evidentiary
value.

The best Forensic procedure is to image the entire

contentsby downloading the entire memory of the
digital evidences such as hard disk, memory card,
pen drive, SIM etc. and compute a Hash value of
this memory but in case of SIM cards there is no
tool available which provide these type of analysis.
Hence it is concluded that data extraction of
forensic interest can be done which is present in the
SIM cards but there is need to develop more
accurate
and
sensitive
forensic
tool.

ReferenceAntonio Savoldi, Polo Gubian (2007), SIM and USIM File System: a Forensic Perspective, ACA 1-59593-4804 07/10003
B.J. Jones and A.J. Kenyon, Retention of data in heat-damaged SIM cards and potential recovery methods
Forensic
Science
International
(2007)
available
at
DOI:
http://dx.doi.org/10.1016/j.forsciint.2007.10.007
e-evidence info The Electronic Evidence Information Centre. BitPim. Software available at: http://www.eevidence.info/index.html.
Forensic and SIM cards: an Overview (http://www.utica.edu/academic/institutes/ecii/publications/article/EFE3EDD5-0AD1-608628804D798A0.PDF)
Fabio Casadei, Antonio Savoldi el all (2006), Forensic and SIM cards, An overview, IJDE, Vol.5, Issue 1
ISO. Identification Cards - Integrated Circuit Cards with Contacts. Paper available at:
http://www.cardwerk.com/smartcards/smartcard_ standard_ISO7816.aspx.
SIMCon (http://www.simcon.no/)
http://en.wikipedia.org/wiki/MSISDN
http://en.wikipedia.org/wiki/Location_Area_Identity
http://en.wikipedia.org/wiki/SIM_Cards
http://www.forensicmag.com/articles/2011/04/sim-forensics-part-1
http://en.wikipedia.org/wiki/Mobility_management

Asian Journal of Multidisciplinary Studies, 3(1) January, 2015

28