SIM and USIM Filesystem: a Forensics Perspective
SAC Conference 2007, 22nd Annual ACM Symposium on Applied Computing
COEX Convention Center, Seoul, Korea, March 11 - 15, 2007
Presenter: Ing. Antonio Savoldi, Ph.D. student, Department of Electronics for Automation, University of Brescia - Italy
Authors: Antonio Savoldi, Paolo Gubian
Outline
• Cellular forensic tools
• SIMBrush
  ▫ Features and notable results
• SIM/USIM filesystem
  ▫ The standard part
  ▫ The non-standard part
• Data hiding in the non-standard part of the filesystem
• Examples
15/03/2007 SAC Conference
2
Introduction
• There are relatively few tools for digital evidence extraction from SIM/USIM cards
  ▫ Card4Labs – NFI (only for law enforcement)
  ▫ Cell Seizure – Paraben (commercial)
  ▫ .XRI – Micro Systemation (commercial)
  ▫ TULP2G – NFI (open source)
• The SIMBrush tool aims at extracting the observable portion of the filesystem of a SIM/USIM card
  ▫ Open source
  ▫ Standard and non-standard files are revealed
SIMBrush
• SIMBrush can be placed in the imaging technologies technique of the preservation phase (Digital Forensics Framework)
  ▫ It is used to create a master copy of the data present in SIM/USIM cards
• It uses the PC/SC middleware to interface with smart card readers
  ▫ It is written in ANSI C for portability
• A bit-by-bit SIM card image is impossible while preserving digital integrity and without harming the device
  ▫ Only the standard approach is used to extract the observable memory of SIM cards
Infrastructural part: GSM System
• SIMBrush is capable of extracting digital evidence from any SIM card used in the GSM system
  ▫ The most widespread system worldwide
• GSM system:
  ▫ Infrastructure: Database + Signalling + Network level
  ▫ End-user: User level
    Mobile Station = Mobile Equipment + Subscriber Identity Module
    Mobile Equipment = Terminal Equipment + Terminal Adaptor
• UMTS system:
  ▫ User Equipment = Mobile Equipment + User Service Identity Module (USIM)
• There is a small difference between GSM and UMTS SIM cards
  ▫ for example the MMS file
SIM/USIM Cards
• SIM cards are a proper subset of Smart Cards (SC). These cards ensure the safety of the data stored within
  ▫ Confidentiality: encryption of voice and data
  ▫ Authentication: an unauthorized user cannot access the system
  ▫ Non Repudiation: impossibility to implement frauds (e.g. change of the credit)
  ▫ Integrity: no possibility to tamper with data at a higher access level
• Tampering attempts with a smart card could lead to an irreversible blocking of the card
  ▫ bit-by-bit image acquisition is impossible, but the observable part of memory can be obtained in a standard way
SIM/USIM Filesystem
• Organization:
  ▫ It has an N-ary tree structure
  ▫ MF (Master File): the root of the filesystem
  ▫ DF (Dedicated File): similar to a standard directory; Header + EFs
  ▫ EF (Elementary File): objects containing useful data; Header + Body (ADN, SMS, IMSI, ICCID ...)
SIM/USIM Filesystem
• Types of elementary files present in a SIM card:
  ▫ Transparent: sequence of bytes
  ▫ Linear-fixed: sequence of fixed length records
  ▫ Cyclic: circular buffer with fixed length records
• Every file in a SIM card is uniquely identified by its ID
• Operations allowed on the filesystem are coded into a set of commands issued to the SC by the interface device (smart card reader)
  ▫ Master-slave relation between SC reader and SIM card
• Standard set of commands to interact with the SIM card, through the Interface Device (IFD)
  ▫ Select, Get Response, Read Binary, Read Record ...
Access Level Conditions
• The access conditions (AC) specify the constraints on the execution of commands
  ▫ Read, Update, Increase, Rehabilitate and Invalidate are the commands controlled by AC
  ▫ ALW: command is always executable on the file
  ▫ CHV1: command executable if the CHV1 or UNBLOCK CHV1 code has been provided
  ▫ CHV2: same as CHV1
  ▫ ADM: competence of the telephony provider
  ▫ NEV: command is never executable on the file
Extractable Data
• Information about the subscriber
  ▫ IMSI (International Mobile Subscriber Identity)
  ▫ LP (Preferred Languages)
• Information about acquaintances
  ▫ ADN (list of phone numbers)
• Information about SMS traffic
• Information about the subscriber
  ▫ LOCI (Location Information Area)
• Information about calls
  ▫ LND (Last Number Dialled)
• Information about the provider
  ▫ SPN (Provider Name), PLMNsel (Used Mobile Network)
• Information about the system
  ▫ ICCID (Unique ID of the card)
Filesystem Extraction
• No command exists to browse the entire filesystem
• Brushing the ID space by issuing a SELECT command, with any file ID, to the SIM card:
  ▫ Addressable file ID space: "0000" to "FFFF"
  ▫ Warning from the SIM when the ID doesn't exist
  ▫ Header of the file is returned when the file exists
• Selection rules of a selectable file:
  ▫ 1. MF can be selected no matter what the current directory is
  ▫ 2. Current directory
  ▫ 3. Parent of the current directory
  ▫ 4. Any DF which is an immediate child of the parent of the current directory
  ▫ 5. Any file which is an immediate child of the current directory
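The brushing idea above, as an added example that is not SIMBrush's code: an in-memory SIM (a constructed file table, not a real dump) answers SELECT according to the five selection rules, and brush() issues SELECT for every ID from 0000 to FFFF, discounting the IDs that answer only because of rules 1-4, to rebuild the tree directory by directory.

```python
# Constructed card (not a real dump): fid -> (kind, parent fid). Standard
# MF/TELECOM/GSM skeleton plus two non-standard EFs (2F30 under MF, 0005 under DF GSM).
CARD = {
    "3F00": ("MF", None),
    "2FE2": ("EF", "3F00"), "2F30": ("EF", "3F00"),
    "7F10": ("DF", "3F00"), "6F3A": ("EF", "7F10"), "6F3C": ("EF", "7F10"),
    "7F20": ("DF", "3F00"), "6F07": ("EF", "7F20"), "0005": ("EF", "7F20"),
}

class SimCard:
    def __init__(self, files=CARD):
        self.files, self.cur = files, "3F00"

    def select(self, fid):
        """Return the file kind (standing in for the header) if fid is selectable, else None."""
        if fid not in self.files:
            return None
        kind, parent = self.files[fid]
        cur_parent = self.files[self.cur][1]
        selectable = (fid == "3F00" or fid == self.cur or fid == cur_parent  # rules 1-3
                      or (kind == "DF" and parent == cur_parent)            # rule 4
                      or parent == self.cur)                                # rule 5
        if not selectable:
            return None                   # the card's "file not found" warning
        if kind != "EF":
            self.cur = fid                # selecting a DF (or the MF) moves the current directory
        return kind

def brush(card, dir_id="3F00", known=()):
    """Brush the whole ID space from dir_id; return {directory: {child fid: kind}}."""
    card.select(dir_id)
    skip = {"3F00", dir_id, *known}       # answer through rules 1-4, so they are not children
    found = {}
    for i in range(0x10000):
        fid = f"{i:04X}"
        if fid in skip:
            continue
        kind = card.select(fid)
        if kind is None:
            continue
        found[fid] = kind
        if kind == "DF":
            card.select(dir_id)           # rule 3: step back up to the directory being brushed
    tree = {dir_id: found}
    subdirs = [f for f, k in found.items() if k == "DF"]
    for d in subdirs:                     # recurse, discounting the siblings rule 4 will return
        tree.update(brush(card, d, known={dir_id, *subdirs}))
        card.select(dir_id)
    return tree
```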
Selection Rules
Figure: tree illustrating the selection rules. MF is the root, with EF1 ... EFN and DF1 ... DFN as its immediate children; DF1 contains EF1,1 ... EF1,N and DF1,1 ... DF1,N; DF1,1 contains EF1,1,1 ... EF1,1,N and DF1,1,1 ... DF1,1,N.
Core Algorithm
• Definition of file and directory sets associated with preceding
Example of an extracted EF (EF ICCID) as reported by SIMBrush:

  <EF>
    <ICCID description="EFICCID '2FE2' (ICC Identification): This EF provides a unique identification number for the SIM.">
      <content>98931000006092643586</content>
      <header>
        <ID>2FE2</ID>
        <SIZE>10</SIZE>
        <acINCREASE>NEW</acINCREASE>
        <acINVALIDATE>ADM</acINVALIDATE>
        <acREAD>ALW</acREAD>
        <acREHABILITATE>ADM</acREHABILITATE>
        <acUPDATE>NEV</acUPDATE>
        <status>File invalidated#File not readable or updatable when invalidated#</status>
        <structure>transparent</structure>
      </header>
    </ICCID>
  </EF>
The Hidden Part of the Filesystem
Figure: file allocation table of an analysed SIM as extracted by SIMBrush (standard files with their IDs, plus non-standard IDs found in the ID space)
MF 3F00
  EF (ICCID) 2FE2
  DF (TELECOM) 7F10: EF (ADN) 6F3A, EF (FDN) 6F3B, EF (SMS) 6F3C, EF (CCP) 6F3D, EF (MSISDN) 6F40, EF (SIMSP) 6F42, EF (SMSS) 6F43, EF (LND) 6F44, EF (EXT1) 6F4A, EF (EXT2) 6F4B
  DF (GSM) 7F20: EF (LP) 6F05, EF (IMSI) 6F07, EF (Kc) 6F20, EF (PLMNsel) 6F30, EF (HPLMN) 6F31, EF (ACMmax) 6F37, EF (SST) 6F38, EF (ACM) 6F39, EF (PUCT) 6F41, EF (CBMI) 6F45, EF (SPN) 6F46, EF (BCCH) 6F74, EF (ACC) 6F78, EF (FPLMN) 6F7B, EF (LOCI) 6F7E, EF (AD) 6FAD, EF (PHASE) 6FAE, EF (KcGPRS) 6F52, EF (LOCIGPRS) 6F53, EF (SUME) 6F54
  DF (DCS1800) 7F21
Non-standard IDs shown in the figure: 0000, 0011, 0100, 0200, 2F20, 2F30, 2F31, 2F32, 2F33, 2F34, 2FEE, 2FEF, EECF, 7F4F, 6F16, 6F1C, 6F1E, 0005, 0006
• Non-standard part: an issue to deal with
• By analyzing the meta-content it is possible to see if some non-standard EFs are accessible with the "Update" command
• This demonstrates the possibility of using the SIM/USIM card as a covert channel
File Allocation Table
Lesson Learnt
• Every non-standard EF with CHV1/CHV2 access privileges on the Update command is writable
  ▫ Concrete possibility to hide plenty of information
  ▫ The SIM/USIM can become a real covert channel
• A standard 128 Kbyte SIM card can have around 17 Kbyte of hidden writable space
  ▫ This part of the filesystem cannot be found by using current forensic tools
  ▫ GWSS (Global Writable Slack Space)
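The meta-content check behind this lesson, as an added example (not SIMBrush code or output): parse SIMBrush-style <EF> headers, keep the EFs whose ID is not in the standard GSM layout shown in the FAT figure and whose Update access condition is CHV1 or CHV2, and total their sizes as the writable non-standard part an investigator should dump. The sample dump is constructed; the UNKNOWN element name for non-standard EFs is an assumption, not SIMBrush's format.

```python
import xml.etree.ElementTree as ET

# Standard GSM file IDs under MF, DF TELECOM and DF GSM (from the FAT figure on the slides).
STANDARD_IDS = {
    "3F00", "2FE2", "7F10", "7F20", "7F21",
    "6F3A", "6F3B", "6F3C", "6F3D", "6F40", "6F42", "6F43", "6F44", "6F4A", "6F4B",
    "6F05", "6F07", "6F20", "6F30", "6F31", "6F37", "6F38", "6F39", "6F41", "6F45",
    "6F46", "6F74", "6F78", "6F7B", "6F7E", "6FAD", "6FAE", "6F52", "6F53", "6F54",
}

# Constructed SIMBrush-like dump: the ICCID header from the slides plus three
# non-standard EFs (UNKNOWN as element name is an assumption, not SIMBrush's format).
SAMPLE = """<FS>
<EF><ICCID description="EFICCID '2FE2'"><content>98931000006092643586</content>
<header><ID>2FE2</ID><SIZE>10</SIZE><acREAD>ALW</acREAD><acUPDATE>NEV</acUPDATE>
<structure>transparent</structure></header></ICCID></EF>
<EF><UNKNOWN><content>FFFFFFFF</content><header><ID>2F30</ID><SIZE>200</SIZE>
<acREAD>CHV1</acREAD><acUPDATE>CHV1</acUPDATE><structure>transparent</structure>
</header></UNKNOWN></EF>
<EF><UNKNOWN><content></content><header><ID>0005</ID><SIZE>64</SIZE>
<acREAD>ALW</acREAD><acUPDATE>ADM</acUPDATE><structure>linear-fixed</structure>
</header></UNKNOWN></EF>
<EF><UNKNOWN><content></content><header><ID>6F1C</ID><SIZE>48</SIZE>
<acREAD>CHV1</acREAD><acUPDATE>CHV2</acUPDATE><structure>cyclic</structure>
</header></UNKNOWN></EF>
</FS>"""

def parse_efs(xml_text):
    """Yield (file id, size in bytes, Update access condition) for every <EF> in the dump."""
    root = ET.fromstring(xml_text)
    for ef in root.iter("EF"):
        hdr = ef.find(".//header")
        yield hdr.findtext("ID"), int(hdr.findtext("SIZE")), hdr.findtext("acUPDATE")

def writable_slack(xml_text):
    """Return ({fid: size} of non-standard EFs writable with CHV1/CHV2, WNSP total in bytes)."""
    wnsp = {fid: size for fid, size, upd in parse_efs(xml_text)
            if fid not in STANDARD_IDS and upd in ("CHV1", "CHV2")}
    return wnsp, sum(wnsp.values())

if __name__ == "__main__":
    hidden, total = writable_slack(SAMPLE)
    print(f"writable non-standard EFs: {hidden}, WNSP = {total} bytes")
```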
Experimental Results
• WNSP: Writable Non-standard Part
• NSP: Non-standard Part of the filesystem
• TES: Total Engaged Space
Covert Channel
• The SIM/USIM can act as a covert channel
Figure: covert channel workflow
1. Extraction of the File Allocation Table (FAT)
2. Selection of a message to hide within a SIM (7 bit coding)
3. Allocation in the non-standard part of the SIM/USIM
4. Stego-key selection (1FF0, 2FF2, 3FF2 ...)
5. Hidden message communication
Discovering the Non-standard part
• Some guidelines:
  ▫ Extract all the contents
  ▫ Try to guess the coding scheme used
  ▫ Descramble the hidden message: try to figure out, with the various chunks of text, if something intelligible can be obtained
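The coding-scheme guess for the 7 bit coding named in the covert channel workflow and in these guidelines, as an added example that is not from the slides or SIMBrush: unpack GSM 03.38 7-bit septets from raw chunks dumped out of non-standard EFs and rank the chunks by how much of the result is readable text. The chunks are constructed (the classic "hellohello" SMS packing test vector in a fictitious file 2F30, and an erased all-0xFF body in 0005).

```python
# GSM 03.38 default 7-bit alphabet, index = septet value.
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
        "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")

def unpack_7bit(chunk: bytes) -> str:
    """Septet i sits at bits 7i..7i+6 of the little-endian bit stream (GSM 03.38 packing).
    The septet count is unknown for slack data, so every whole septet is returned; a
    trailing '@' (septet 0) is usually padding rather than message text."""
    stream = int.from_bytes(chunk, "little")
    count = len(chunk) * 8 // 7
    return "".join(GSM7[(stream >> (7 * i)) & 0x7F] for i in range(count))

def readability(text: str) -> float:
    """Fraction of ASCII letters, digits, spaces and basic punctuation in the decoding."""
    ok = sum(c.isascii() and (c.isalnum() or c in " .,'?!:-") for c in text)
    return ok / len(text) if text else 0.0

def rank_chunks(chunks: dict) -> list:
    """Decode every (file id -> bytes) chunk; return [(score, fid, text)] best first."""
    scored = []
    for fid, data in chunks.items():
        text = unpack_7bit(data)
        scored.append((readability(text), fid, text))
    return sorted(scored, reverse=True)

# Constructed inputs: the 'hellohello' packing test vector and an erased file body.
CHUNKS = {
    "2F30": bytes.fromhex("E8329BFD4697D9EC37"),
    "0005": bytes.fromhex("FF" * 9),
}

if __name__ == "__main__":
    for score, fid, text in rank_chunks(CHUNKS):
        print(f"{fid}: readability {score:.2f} -> {text!r}")
```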
Conclusions
• All the analyzed SIM/USIM forensic tools have a missing part
  ▫ They are unable to extract the non-standard part
• Concrete possibility to use a SIM/USIM as a covert channel
• Application of some steganalysis concepts in order to extract the hidden message