SIM and USIM Filesystem: a Forensics Perspective

SAC Conference 2007
22nd Annual ACM Symposium on Applied Computing
COEX Convention Center, Seoul, Korea, March 11 - 15, 2007

Presenter: Ing. Antonio Savoldi, Ph.D. student, Department of Electronic for Automation, University of Brescia - Italy
Authors: Antonio Savoldi, Paolo Gubian

Savoldi-SIM and USIM File System - A Forensics Perspective

Nov 18, 2014


SAC 2007 Conference, Computer Forensic Track, Antonio Savoldi

Outline

• Cellular forensic tools
• SIMBrush
  ▫ Features and notable results
• SIM/USIM filesystem
  ▫ The standard part
  ▫ The non-standard part
• Data hiding in the non-standard part of the filesystem
• Examples

15/03/2007 SAC Conference

Introduction

• There are relatively few tools for digital evidence extraction from SIM/USIM cards
  ▫ Card4Labs – NFI (only for law enforcement)
  ▫ Cell Seizure – Paraben (commercial)
  ▫ .XRY – Micro Systemation (commercial)
  ▫ TULP2G – NFI (open source)
• The SIMBrush tool aims at extracting the observable portion of the filesystem of a SIM/USIM card
  ▫ Open source
  ▫ Standard and non-standard files are revealed

SIMBrush

• SIMBrush belongs to the imaging technologies used in the preservation phase (Digital Forensics Framework)
  ▫ It is used to create a master copy of the data present in SIM/USIM cards
• It uses pcsc middleware to interface with smart card readers
  ▫ It is written in ANSI C for portability
• A bit-by-bit SIM card image is impossible while preserving digital integrity and without harming the device
  ▫ Only the standard approach is used to extract the observable memory of SIM cards

Infrastructural part: GSM System

• SIMBrush is capable of extracting digital evidence from any SIM card used in the GSM system
  ▫ The most widespread system worldwide
• GSM system:
  ▫ Infrastructure: Database + Signalling + Network level
  ▫ End-user: User level
    Mobile Station = Mobile Equipment + Subscriber Identity Module
    Mobile Equipment = Terminal Equipment + Terminal Adaptor
• UMTS system:
  ▫ User Equipment = Mobile Equipment + User Service Identity Module (USIM)
• There are small differences between GSM and UMTS SIM cards
  ▫ for example the MMS file

SIM/USIM Cards

• SIM cards are a proper subset of Smart Cards (SC). These cards ensure the safety of the data stored within
  ▫ Confidentiality: encryption of voice and data
  ▫ Authentication: unauthorized users can't access the system
  ▫ Non-repudiation: impossibility of committing fraud (e.g. changing the credit)
  ▫ Integrity: no possibility of tampering with data at a higher access level
• Tampering attempts on a smart card could lead to an irreversible blocking of the card
  ▫ Bit-by-bit image acquisition is impossible, but the observable part of memory can be obtained in a standard way

SIM/USIM Filesystem

• Organization:
  ▫ It has an N-ary tree structure
  ▫ MF (Master File): the root of the filesystem
  ▫ DF (Dedicated File): similar to a standard directory
    Header + EFs
  ▫ EF (Elementary File): objects containing useful data
    Header + Body
    ADN, SMS, IMSI, ICCID …

SIM/USIM Filesystem

• Types of elementary files present in a SIM card:
  ▫ Transparent: sequence of bytes
  ▫ Linear-fixed: sequence of fixed-length records
  ▫ Cyclic: circular buffer with fixed-length records
• Every file in a SIM card is uniquely identified by its ID
• The operations allowed on the filesystem are coded into a set of commands issued to the SC by the interface device (smart card reader)
  ▫ Master-slave relation between SC reader and SIM card
• Standard set of commands to interact with the SIM card through the Interface Device (IFD)
  ▫ Select, Get Response, Read Binary, Read Record …

Access Level Conditions

• The access conditions (AC) specify the constraints on the execution of commands
  ▫ Read, Update, Increase, Rehabilitate and Invalidate are the commands controlled by AC
  ▫ ALW: command is always executable on the file
  ▫ CHV1: command executable if the CHV1 or UNBLOCK CHV1 code has been provided
  ▫ CHV2: same as CHV1
  ▫ ADM: competence of the telephony provider
  ▫ NEV: command is never executable on the file

Extractable Data

• Information about the subscriber
  ▫ IMSI (International Mobile Subscriber Identity)
  ▫ LP (Preferred Languages)
• Information about acquaintances
  ▫ ADN (list of phone numbers)
• Information about SMS traffic
• Information about the subscriber
  ▫ LOCI (Location Information Area)
• Information about calls
  ▫ LND (Last Number Dialled)
• Information about the provider
  ▫ SPN (Provider Name), PLMNsel (Used Mobile Network)
• Information about the system
  ▫ ICCID (Unique ID of the card)

Filesystem Extraction

• No command exists to browse the entire filesystem
• Brushing the ID space by issuing a SELECT command, with any file ID, to a SIM card:
  ▫ Addressable file ID space: “0000” to “FFFF”
  ▫ Warning from the SIM when the ID doesn’t exist
  ▫ The header of the file is returned when the file exists
• Selection rules of a selectable file:
  ▫ 1. MF can be selected no matter what the current directory is
  ▫ 2. Current directory
  ▫ 3. Parent of current directory
  ▫ 4. Any DF which is an immediate child of the parent of the current directory
  ▫ 5. Any file which is an immediate child of the current directory

Selection Rules

[Figure: N-ary filesystem tree. Node labels: MF; DF1, EF1 … EFN, DFN; DF1,2, EF1,1 … EF1,N, DF1,N; EF1,1,1 … EF1,1,N, DF1,1,1 … DF1,1,N.]

Core Algorithm

• Definition of the file and directory sets associated with the preceding constraints:
  ▫ MF_SET
  ▫ CURRENT_SET
  ▫ PARENT_SET
  ▫ DF_SIBLINGS_SET
  ▫ SONS_SET
• SELECTABLE_SET is deduced from “brushing” the addressable ID space (0000->FFFF)
• SELECTABLE_SET = MF_SET ∪ CURRENT_SET ∪ PARENT_SET ∪ DF_SIBLINGS_SET ∪ SONS_SET

Core Algorithm

• SONS_SET is unknown, and the following relation can be used
• SONS_SET = SELECTABLE_SET \ (MF_SET ∪ CURRENT_SET ∪ PARENT_SET ∪ DF_SIBLINGS_SET)
• Equivalence between N-ary and binary trees. For performance purposes a binary tree has been chosen
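
The brushing procedure and the SONS_SET relation above, as an added example that is not SIMBrush code or part of the original slides. It runs against a simulated card: `CARD`, `SimulatedSim` and `brush` are hypothetical names, and the card layout is constructed for illustration.

```python
# Constructed card layout (not a real SIM): file ID -> (type, parent ID).
CARD = {
    "3F00": ("MF", None),
    "2FE2": ("EF", "3F00"), "7F10": ("DF", "3F00"), "7F20": ("DF", "3F00"),
    "6F3A": ("EF", "7F10"), "6F3C": ("EF", "7F10"),
    "6F07": ("EF", "7F20"), "6F16": ("EF", "7F20"),  # 6F16: no standard name
}

class SimulatedSim:
    """Hypothetical stand-in for a card; SELECT obeys the five selection rules."""
    def __init__(self, card):
        self.card, self.cur = card, "3F00"

    def select(self, fid):
        if fid not in self.card:
            return None                        # the card warns: ID does not exist
        ftype, parent = self.card[fid]
        cur_parent = self.card[self.cur][1]
        allowed = (ftype == "MF" or fid == self.cur or fid == cur_parent
                   or (ftype == "DF" and parent == cur_parent)
                   or parent == self.cur)
        if not allowed:
            return None
        if ftype != "EF":
            self.cur = fid                     # only MF/DF change the directory
        return ftype

def brush(sim, path=("3F00",), tree=None):
    """Rebuild the tree below path[-1] as {directory ID: {child ID: type}}."""
    tree = {} if tree is None else tree
    cur, parent = path[-1], (path[-2] if len(path) > 1 else None)
    for step in path:
        sim.select(step)                       # walk down from the MF
    selectable = {}
    for n in range(0x10000):                   # brush 0000..FFFF
        fid = f"{n:04X}"
        ftype = sim.select(fid)
        if ftype:
            selectable[fid] = ftype
            if ftype != "EF":                  # SELECT moved us: walk back
                for step in path:
                    sim.select(step)
    df_siblings = {f for f, t in tree.get(parent, {}).items() if t == "DF"}
    known = {"3F00", cur, parent} | df_siblings  # MF, CURRENT, PARENT, DF_SIBLINGS
    tree[cur] = {f: t for f, t in selectable.items() if f not in known}  # SONS_SET
    for fid, ftype in tree[cur].items():
        if ftype == "DF":
            brush(sim, path + (fid,), tree)
    return tree
```

Inside DF 7F10 the sibling DF 7F20 answers SELECT (rule 4) although it is not a child; the set difference is what keeps it out of 7F10's SONS_SET.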


Some examples (SMS)

• Raw and translated version of an SMS

Some examples (ICCID)

<ef>
  <header>0000000A2FE204000FF55501020000</header>
  <body><content>98931000006092643586</content></body>
</ef>

<EF>
  <ICCID description="EFICCID '2FE2' (ICCIdentification): This EF provides a unique identification number for the SIM.">
    <content>98931000006092643586</content>
    <header>
      <ID>2FE2</ID>
      <SIZE>10</SIZE>
      <acINCREASE>NEV</acINCREASE>
      <acINVALIDATE>ADM</acINVALIDATE>
      <acREAD>ALW</acREAD>
      <acREHABILITATE>ADM</acREHABILITATE>
      <acUPDATE>NEV</acUPDATE>
      <status>File invalidated#File not readable or updatable when invalidated#</status>
      <structure>transparent</structure>
    </header>
  </ICCID>
</EF>

The Hidden Part of the Filesystem

[Figure: filesystem tree of an examined SIM card.
Files labelled with a standard name: MF 3F00; EF (ICCID) 2FE2; DF (TELECOM) 7F10; DF (GSM) 7F20; DF (DCS1800) 7F21; EF (ADN) 6F3A; EF (FDN) 6F3B; EF (SMS) 6F3C; EF (CCP) 6F3D; EF (MSISDN) 6F40; EF (SMSP) 6F42; EF (SMSS) 6F43; EF (LND) 6F44; EF (EXT1) 6F4A; EF (EXT2) 6F4B; EF (LP) 6F05; EF (IMSI) 6F07; EF (Kc) 6F20; EF (PLMNsel) 6F30; EF (HPLMN) 6F31; EF (ACMmax) 6F37; EF (SST) 6F38; EF (ACM) 6F39; EF (PUCT) 6F41; EF (CBMI) 6F45; EF (SPN) 6F46; EF (BCCH) 6F74; EF (ACC) 6F78; EF (FPLMN) 6F7B; EF (LOCI) 6F7E; EF (AD) 6FAD; EF (PHASE) 6FAE; EF (KcGPRS) 6F52; EF (LOCIGPRS) 6F53; EF (SUME) 6F54.
IDs shown without a standard name: 0000, 0011, 0100, 0200, 2F20, 2F30, 2F31, 2F32, 2F33, 2F34, 2FEE, 2FEF, EECF, 7F4F, 6F16, 6F1C, 6F1E, 0005, 0006.]

• Non-standard part: an issue to deal with
• By analyzing the meta-content it is possible to see whether some non-standard EFs are accessible with the “Update” command
• This demonstrates the possibility of using the SIM/USIM card as a covert channel

File Allocation Table

Lesson Learnt

• Every non-standard EF with CHV1/CHV2 access privileges on the Update command is writable
  ▫ Concrete possibility of hiding plenty of information
  ▫ The SIM/USIM can become a real covert channel
• A standard 128 Kbyte SIM card can have around 17 Kbyte of hidden writable space
  ▫ This part of the filesystem cannot be found by current forensics tools
  ▫ GWSS (Global Writable Slack Space)
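
An examiner-side check for the meta-content analysis described on the "Hidden Part" slide and the writability condition stated here, as an added example that is not SIMBrush code. The header byte layout is assumed from GSM 11.11 (the slides do not spell it out), `STANDARD` holds only the IDs labelled in the slides' figure, and all headers except the ICCID one are constructed.

```python
# Access-condition nibble codes per GSM 11.11 (values 4..14 are ADM levels).
AC = {0: "ALW", 1: "CHV1", 2: "CHV2", 3: "RFU", 15: "NEV"}
STRUCT = {0: "transparent", 1: "linear-fixed", 3: "cyclic"}
# IDs that carry a standard name in the slides' filesystem figure.
STANDARD = set("""3F00 2FE2 7F10 7F20 7F21 6F3A 6F3B 6F3C 6F3D 6F40 6F42 6F43
6F44 6F4A 6F4B 6F05 6F07 6F20 6F30 6F31 6F37 6F38 6F39 6F41 6F45 6F46 6F74
6F78 6F7B 6F7E 6FAD 6FAE 6F52 6F53 6F54""".split())

def parse_header(hexstr):
    """Decode the header a card returns after SELECT of an EF."""
    b = bytes.fromhex(hexstr)
    if len(b) < 14 or b[6] != 0x04:            # byte 7: 0x04 means EF
        raise ValueError("not an EF header")
    ac = lambda nibble: AC.get(nibble, "ADM")
    return {
        "id": b[4:6].hex().upper(),
        "size": int.from_bytes(b[2:4], "big"),
        "read": ac(b[8] >> 4), "update": ac(b[8] & 0x0F),
        "increase": ac(b[9] >> 4),
        "rehabilitate": ac(b[10] >> 4), "invalidate": ac(b[10] & 0x0F),
        "structure": STRUCT.get(b[13], "unknown"),
    }

def writable_nonstandard(headers):
    """Return (flagged EFs, total bytes): non-standard EFs updatable with CHV1/CHV2."""
    flagged = [h for h in map(parse_header, headers)
               if h["id"] not in STANDARD and h["update"] in ("CHV1", "CHV2")]
    return flagged, sum(h["size"] for h in flagged)

# First header is the ICCID example from the slides; the others are constructed.
HEADERS = [
    "0000000A2FE204000FF55501020000",
    "000000406F16040011F55501020000",   # constructed: read CHV1, update CHV1
    "000000202F30040014F55501020000",   # constructed: read CHV1, update ADM
    "000000806F1C040002F55501020000",   # constructed: read ALW, update CHV2
]
```

Summing `size` over the flagged EFs gives the writable non-standard space for one card, the quantity the slides report as roughly 17 Kbyte on a 128 Kbyte SIM.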


Experimental Results

• WNSP: Writable Non-standard Part
• NSP: Non-standard Part of the filesystem
• TES: Total Engaged Space

Covert Channel

• The SIM/USIM can act as a covert channel

[Figure: diagram with the boxes: Extraction of the File Allocation Table (FAT); Selection of a message to hide within a SIM (7-bit coding); Allocation in the non-standard part of the SIM/USIM; Stego-key selection (1FF0, 2FF2, 3FF2…).]

Hidden Message Communication

Discovering the Non-standard part

• Some guidelines:
  ▫ Extract all the contents
  ▫ Try to guess the coding scheme used
  ▫ Descramble the hidden message
    Try to figure out whether the various chunks of text yield something intelligible

Conclusions

• All the analyzed SIM/USIM forensic tools have a missing part
  ▫ They are unable to extract the non-standard part
• Concrete possibility of using a SIM/USIM as a covert channel
• Application of some steganalysis concepts in order to extract the hidden message