Introduction
SIM cards can be useful evidence for a forensic analyst because they can help tie a phone to an individual: identifiers such as the ICCID (Integrated Circuit Card ID) are unique worldwide. All the information stored on a SIM card is stored in files; for more information on the SIM card file structure, please check out this video.
However, this information is normally in a different file format from what is on the phone, so the data can be harder to extract, and the SIM card will have different protection levels from the phone, even if the phone is unlocked. Also, because different manufacturers make SIM cards, there may be some differences in the way a SIM card works, such as which commands it accepts and its size. However, SIM cards are normally well documented so that all phones on a network can communicate with each other regardless of the manufacturer.
UICC
The terms UICC and SIM card are used interchangeably. However, the UICC is the latest version of the SIM card and is the hardware part, where the data and applications are actually stored, while the SIM is software that runs on this card. The applications on the UICC are applications that run on the UICC OS, not the phone OS; contacts is one example, where data is stored to the UICC rather than to the phone's data storage. Applications can contain information that helps with the flow of information to the mobile device depending on the network used, and this can be recovered even if the phone itself is not present.
Analysis
To access the data on the UICC, mobile forensic software replicates the commands used by mobile devices to communicate with the applications on the UICC. The software can collect various data files (depending on the protection of the data files) using application protocol data units (APDUs).
A mobile device, or the operating firmware on the mobile device, can request the device serial number, the last SMS message and the last known locations. By replicating the commands that the phone would have sent, mobile forensic software can obtain the same information, which could be important to an investigation; for example, the last known location could tie the suspect to the crime scene.
During the investigation of the UICC through APDUs, any security conditions on a file will need to be met before the file can be accessed. To satisfy them, the security permissions have to be entered as APDU commands. These security conditions can be ADM (Administrator), a PIN that is only known to the mobile operator, or CHV (Card Holder Verification), a PIN that needs to be entered to access the file and that can be changed from mobile user to mobile user.
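The command exchange described above, as an added example that is not part of the original post or of any forensic product. It assumes GSM 11.11 framing (class byte A0, file identifiers 3F00 for the MF and 2FE2 for EF_ICCID); the helper names are hypothetical and the status words passed in are constructed.

```python
# Added example (not from the original post). Assumes GSM 11.11 framing:
# class byte A0, file IDs 3F00 (MF) and 2FE2 (EF_ICCID). Helper names are
# hypothetical; no card is contacted, the code only builds and reads bytes.
CLA_GSM = 0xA0
MF, EF_ICCID = 0x3F00, 0x2FE2

def select(file_id: int) -> bytes:
    """SELECT: INS A4, P1=P2=00, Lc=02, then the 2-byte file identifier."""
    return bytes([CLA_GSM, 0xA4, 0x00, 0x00, 0x02]) + file_id.to_bytes(2, "big")

def read_binary(length: int, offset: int = 0) -> bytes:
    """READ BINARY: INS B0, P1/P2 = offset into the file, Le = bytes wanted."""
    return bytes([CLA_GSM, 0xB0, offset >> 8, offset & 0xFF, length])

def verify_chv(pin: str, chv_no: int = 1) -> bytes:
    """VERIFY CHV: INS 20, P2 = CHV number, 8 data bytes (PIN padded with FF).
    Each wrong value uses up one of the card's limited attempts."""
    if not (pin.isascii() and pin.isdigit() and 4 <= len(pin) <= 8):
        raise ValueError("CHV must be 4 to 8 decimal digits")
    return bytes([CLA_GSM, 0x20, 0x00, chv_no, 0x08]) + pin.encode().ljust(8, b"\xff")

def iccid_read_sequence() -> list[bytes]:
    """Commands a handset sends to read the unprotected 10-byte EF_ICCID."""
    return [select(MF), select(EF_ICCID), read_binary(10)]

def explain_sw(sw1: int, sw2: int) -> str:
    """Turn the card's two status bytes into a note for the examiner."""
    if (sw1, sw2) == (0x90, 0x00):
        return "ok"
    if sw1 == 0x9F:
        return f"ok, {sw2} response bytes available"
    known = {
        (0x94, 0x04): "file not found",
        (0x98, 0x04): "access condition not fulfilled (CHV or ADM required)",
        (0x98, 0x40): "CHV blocked",
    }
    return known.get((sw1, sw2), f"unhandled status {sw1:02X}{sw2:02X}")

if __name__ == "__main__":
    for cmd in iccid_read_sequence():
        print(cmd.hex(" ").upper())
    print(explain_sw(0x98, 0x04))  # constructed reply for a protected file
```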
Network Information
Most of the files that reside on the UICC are network related and contain information used by the mobile device to communicate on the network, in a format that only makes sense to the carrier of the phone. However, some files on the UICC contain important information and should always be examined to make sure that no data that is not stored on the phone is missed. I will discuss some of the most important files in the following sections.
ICCID
This file holds the serial number of the UICC in the phone (a unique number for the UICC). No other UICC on the cellular network will have the same number, so it can identify the owner of the UICC if permission can be obtained from the phone carrier. Typically this number is located on the outside of the UICC, but not always, and it is a maximum of 20 characters. The ICCID is always available to the mobile phone and has no authentication requirements such as ADM, because this serial number is used in the authentication process to the phone carrier's network. This means that even when the UICC is locked with a PIN this data will still be available, and it may then be possible to get the PIN needed to unlock the UICC by sending the correct paperwork to the phone carrier.
The ICCID is made up of 10 bytes. The first two digits are the system code, which is 89 for mobile devices. The next two to three digits, depending on the country, are the country code. The next two or three digits are the issuer identifier number, which represents the carrier that gave out the UICC. The remaining digits represent the UICC number, made up of the year and month of manufacturing, the configuration and the unique UICC number, and the final digit is the checksum used to make sure the ICCID is sent correctly.
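Decoding the raw file and checking the final digit, as an added example that is not part of the original post. It relies on two facts the text does not spell out: the 10 bytes hold the digits as nibble-swapped BCD, and the checksum is the Luhn algorithm. The sample bytes are constructed, and the country code list and issuer length are assumptions supplied by the examiner.

```python
# Added example (not from the original post). The EF_ICCID bytes below are
# constructed sample data. country_codes and issuer_len are assumptions the
# examiner supplies: the field widths vary and are not stored on the card.

def decode_iccid(raw: bytes) -> str:
    """EF_ICCID holds two BCD digits per byte, low nibble first; F is padding."""
    digits = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in raw).rstrip("F")
    if not digits.isdigit():
        raise ValueError(f"unexpected nibble in ICCID: {digits!r}")
    return digits

def luhn_ok(number: str) -> bool:
    """Luhn check: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def split_iccid(iccid: str, country_codes=("44", "353"), issuer_len=2) -> dict:
    """Split into the fields the text lists; longest country code wins."""
    rest = iccid[2:]
    country = next((c for c in sorted(country_codes, key=len, reverse=True)
                    if rest.startswith(c)), None)
    if iccid[:2] != "89" or country is None:
        raise ValueError("not a telecom ICCID or unknown country code")
    rest = rest[len(country):]
    return {
        "system": iccid[:2],
        "country": country,
        "issuer": rest[:issuer_len],
        "account": rest[issuer_len:-1],
        "check_digit": iccid[-1],
        "luhn_valid": luhn_ok(iccid),
    }

SAMPLE_EF_ICCID = bytes.fromhex("984421000021436587F8")  # constructed

if __name__ == "__main__":
    iccid = decode_iccid(SAMPLE_EF_ICCID)
    print(iccid, split_iccid(iccid))
```

A failed Luhn check on a value read from the card usually points to a read or transcription error, so it is worth re-reading the file before recording the ICCID.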
IMSI (International Mobile Subscriber Number)
This is the unique number that identifies the subscriber on the cellular network. It is the number used to do things like deliver calls; there is a common misconception that the mobile phone number is what matters to the cellular network, but it is this number that is needed for contact to be made. Unlike the ICCID, the IMSI file is protected, so if the UICC is locked with a PIN and the PIN isn't known, this file will not be accessible. The IMSI is normally 9 bytes and follows a similar format to the ICCID.
LOCI (Location Information)
This identifies the geographic area where the device was last turned off. It does this by writing the location of the last tower the device was connected to before powering off. This is done so that the phone can connect to the last accessed tower quickly after being turned back on, but if the mobile phone did not shut down successfully then this data will not have been written to the UICC. The LOCI is made up of a TMSI (temporary mobile subscriber identity), LAI (location area information), TMSI time and location update status. The TMSI is used instead of the IMSI so that, if the data sent out by the phone is captured, the owner of the phone can't be identified. The LAI combines the MNC (Mobile Network Code), the MCC (Mobile Country Code) and the LAC (Location Area Code) into one value, and a website like https://www.mcc-mnc.com/ can be used to find out where the phone was last successfully powered off.
FPLMN (Forbidden Public Land Mobile Network)
Forbidden Public Land Mobile Network (FPLMN) identifies when the mobile phone tried to connect to a network that the device's carrier does not allow (however, this may become less useful because most mobile networks have networks across the world). The records in the FPLMN contain the MCC and MNC corresponding to the station that rejected the connection, and the number of connections stored differs depending on the UICC manufacturer. This can show historical information such as which countries the phone has been in; how useful it is will depend on the network the phone is using and the FPLMN size used by the manufacturer.
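Parsing the LOCI and FPLMN files described in the two sections above, as an added example that is not part of the original post. It assumes the GSM 11.11 layouts (an 11-byte EF_LOCI and an EF_FPLMN made of 3-byte entries with FF FF FF marking an unused slot); the function names are hypothetical and both byte strings are constructed sample data.

```python
# Added example (not from the original post). Layout assumed from GSM 11.11:
# EF_LOCI = TMSI(4) + LAI(5) + TMSI time(1) + location update status(1);
# EF_FPLMN = a run of 3-byte PLMN entries. Sample bytes are constructed.

STATUS = {0: "updated", 1: "not updated",
          2: "PLMN not allowed", 3: "location area not allowed"}

def decode_plmn(b: bytes):
    """3 bytes -> (MCC, MNC) strings, or None for an unused FF FF FF slot."""
    if b == b"\xff\xff\xff":
        return None
    # Digits are packed as nibbles: MCC2|MCC1, MNC3|MCC3, MNC2|MNC1.
    mcc = f"{b[0] & 0x0F:X}{b[0] >> 4:X}{b[1] & 0x0F:X}"
    mnc = f"{b[2] & 0x0F:X}{b[2] >> 4:X}"
    if b[1] >> 4 != 0xF:          # F in this nibble means a 2-digit MNC
        mnc += f"{b[1] >> 4:X}"
    return mcc, mnc

def parse_loci(raw: bytes) -> dict:
    """Split EF_LOCI into the four parts named in the text."""
    if len(raw) != 11:
        raise ValueError(f"EF_LOCI should be 11 bytes, got {len(raw)}")
    return {
        "tmsi": raw[0:4].hex().upper(),
        "plmn": decode_plmn(raw[4:7]),            # MCC and MNC from the LAI
        "lac": int.from_bytes(raw[7:9], "big"),   # LAC from the LAI
        "tmsi_time": raw[9],
        "status": STATUS.get(raw[10] & 0x07, "reserved"),
    }

def parse_fplmn(raw: bytes) -> list:
    """Return the (MCC, MNC) pairs in EF_FPLMN, skipping unused slots."""
    if len(raw) % 3:
        raise ValueError("EF_FPLMN length must be a multiple of 3")
    slots = (decode_plmn(raw[i:i + 3]) for i in range(0, len(raw), 3))
    return [p for p in slots if p is not None]

SAMPLE_LOCI = bytes.fromhex("1A2B3C4D32F4511234FF00")       # constructed
SAMPLE_FPLMN = bytes.fromhex("02F810130014FFFFFFFFFFFF")    # constructed

if __name__ == "__main__":
    print(parse_loci(SAMPLE_LOCI))
    print(parse_fplmn(SAMPLE_FPLMN))
```

The MCC and MNC strings returned here are the values to look up on a site such as https://www.mcc-mnc.com/.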
Summary
Overall, the UICC is the hardware that runs applications like SIM and contacts. It can contain important information for a case and should always be examined. However, some of the data may not be able to be acquired because of security permissions like ADM and CHV. Most of the data stored on the UICC is network related and needs to be parsed to make any sense. Data stored on the UICC may also not be correct because of an improper shutdown, as with the FPLMN data, so care is needed. If I have made any mistakes or you want to give any feedback, please contact me here; any help will be gratefully appreciated.