SIM and USIM Filesystem: a Forensics Perspective
SAC Conference 2007 22nd Annual ACM Symposium on Applied Computing COEX Convention Center Seoul, Korea, March 11 - 15, 2007
Presenter: Ing. Antonio Savoldi, Ph.D. student, Department of Electronics for Automation, University of Brescia, Italy
Authors: Antonio Savoldi, Paolo Gubian
SAC Conference, 15/03/2007
Outline
• Cellular forensic tools
• SIMBrush
▫ Features and notable results
• SIM/USIM filesystem
▫ The standard part
▫ The non-standard part
• Data hiding in the non-standard part of the filesystem
• Examples
Introduction
• There are relatively few tools for digital evidence extraction from SIM/USIM cards
▫ Card4Labs – NFI (only for law enforcement)
▫ Cell Seizure – Paraben (commercial)
▫ .XRY – Micro Systemation (commercial)
▫ TULP2G – NFI (open source)
• SIMBrush is a tool aimed at extracting the observable portion of the filesystem of a SIM/USIM card
▫ Open source
▫ Both standard and non-standard files are revealed
SIMBrush
• SIMBrush belongs to the imaging techniques of the preservation phase (Digital Forensics Framework)
▫ It is used to create a master copy of the data present in SIM/USIM cards
• It uses the PC/SC middleware to interface with smart card readers
▫ It is written in ANSI C for portability
• A bit-by-bit image of a SIM card is impossible while preserving digital integrity and without harming the device
▫ Only the standard approach is used to extract the observable memory of SIM cards
Infrastructural part: GSM System
• SIMBrush is capable of extracting digital evidence from any SIM card used in the GSM system
▫ The most widespread system worldwide
• GSM system:
▫ Infrastructure: Database + Signalling + Network level
▫ End-user: User level
Mobile Station = Mobile Equipment + Subscriber Identity Module
Mobile Equipment = Terminal Equipment + Terminal Adaptor
• UMTS system:
▫ User Equipment = Mobile Equipment + User Service Identity Module (USIM)
• There are only small differences between the GSM SIM and the UMTS USIM
▫ for example the MMS file
SIM/USIM Cards
• SIM cards are a proper subset of Smart Cards (SC). These cards ensure the safety of the data stored within
▫ Confidentiality: encryption of voice and data
▫ Authentication: an unauthorized user cannot access the system
▫ Non-repudiation: impossibility of committing fraud (e.g. changing the credit)
▫ Integrity: no possibility to tamper with data at a higher access level
• Tampering attempts on a smart card could lead to an irreversible blocking of the card
▫ A bit-by-bit image acquisition is impossible, but the observable part of memory can be obtained in a standard way
SIM/USIM Filesystem
• Organization:
▫ It has an N-ary tree structure
▫ MF (Master File): the root of the filesystem
▫ DF (Dedicated File): similar to a standard directory; Header + EFs
▫ EF (Elementary File): objects containing useful data; Header + Body (ADN, SMS, IMSI, ICCID …)
SIM/USIM Filesystem
• Types of elementary files present in a SIM card:
▫ Transparent: sequence of bytes
▫ Linear-fixed: sequence of fixed-length records
▫ Cyclic: circular buffer with fixed-length records
• Every file in a SIM card is uniquely identified by its ID
• Operations allowed on the filesystem are coded into a set of commands issued to the SC by the interface device (smart card reader)
▫ Master-slave relation between SC reader and SIM card
• Standard set of commands to interact with the SIM card through the Interface Device (IFD)
▫ Select, Get Response, Read Binary, Read Record …
Access Level Conditions
• The access conditions (AC) specify the constraints on the execution of commands
▫ Read, Update, Increase, Rehabilitate and Invalidate are the commands controlled by AC
▫ ALW: the command is always executable on the file
▫ CHV1: the command is executable if the CHV1 or UNBLOCK CHV1 code has been provided
▫ CHV2: same as CHV1, for the CHV2 code
▫ ADM: competence of the telephony provider
▫ NEV: the command is never executable on the file
Extractable Data
• Information about the subscriber
▫ IMSI (International Mobile Subscriber Identity)
▫ LP (Preferred Languages)
• Information about acquaintances
▫ ADN (list of phone numbers)
• Information about SMS traffic
• Information about the subscriber
▫ LOCI (Location Information Area)
• Information about calls
▫ LND (Last Number Dialled)
• Information about the provider
▫ SPN (Provider Name), PLMNsel (Used Mobile Network)
• Information about the system
▫ ICCID (Unique ID of the card)
Filesystem Extraction
• No command exists to browse the entire filesystem
• Brushing the ID space by issuing a SELECT command, with every file ID, to the SIM card:
▫ Addressable file ID space: “0000” to “FFFF”
▫ Warning from the SIM when the ID doesn’t exist
▫ Header of the file is returned when the file exists
• Selection rules of a selectable file:
▫ 1. MF can be selected no matter what the current directory is
▫ 2. Current directory
▫ 3. Parent of the current directory
▫ 4. Any DF which is an immediate child of the parent of the current directory
▫ 5. Any file which is an immediate child of the current directory
Selection Rules
[Figure: tree diagram of a SIM filesystem with MF at the root, its children DF1 … DFN and EF1 … EFN, and deeper levels DF1,1 … DF1,N, EF1,1 … EF1,N, DF1,1,1 … DF1,1,N, EF1,1,1 … EF1,1,N, illustrating which files the five selection rules make reachable from a given directory.]
Core Algorithm
• Definition of the file and directory sets associated with the preceding constraints:
▫ MF_SET
▫ CURRENT_SET
▫ PARENT_SET
▫ DF_SIBLINGS_SET
▫ SONS_SET
• SELECTABLE_SET is deduced by “brushing” the addressable ID space (0000 -> FFFF)
• SELECTABLE_SET = MF_SET ∪ CURRENT_SET ∪ PARENT_SET ∪ DF_SIBLINGS_SET ∪ SONS_SET
Core Algorithm
• SONS_SET is unknown, and the following relation can be used:
• SONS_SET = SELECTABLE_SET \ (MF_SET ∪ CURRENT_SET ∪ PARENT_SET ∪ DF_SIBLINGS_SET)
• Equivalence between N-ary and binary tree: for performance reasons the binary tree has been chosen
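The brushing procedure and the set relation above, as an added simulation written for this page (it is not SIMBrush's code, which is ANSI C over PC/SC). A toy card answers SELECT according to the five selection rules from the slides; the explorer sees the card only through SELECT, brushes 0000-FFFF from each directory, and computes SONS_SET = SELECTABLE_SET \ (MF_SET ∪ CURRENT_SET ∪ PARENT_SET ∪ DF_SIBLINGS_SET). The sample tree is constructed: standard IDs are taken from the slide's file map, while 0005, 0011, 5F01 and 4F01 are made-up stand-ins for non-standard files. Recursion is used instead of the binary-tree rewrite the slides mention.

```python
MF = 0x3F00  # Master File ID

# Constructed sample filesystem: directory ID -> list of (file ID, "DF" or "EF").
SAMPLE_TREE = {
    MF:     [(0x2FE2, "EF"), (0x7F10, "DF"), (0x7F20, "DF"), (0x7F21, "DF"), (0x0005, "EF")],
    0x7F10: [(0x6F3A, "EF"), (0x6F3C, "EF"), (0x6F44, "EF"), (0x0011, "EF")],
    0x7F20: [(0x6F07, "EF"), (0x6F20, "EF"), (0x6F7E, "EF"), (0x5F01, "DF")],
    0x7F21: [],
    0x5F01: [(0x4F01, "EF")],
}


class SimCard:
    """Toy card exposing only SELECT; returns None where a real card warns 'file not found'."""

    def __init__(self, tree):
        self._children = tree
        self._kind = {MF: "DF"}
        self._parent = {}
        for d, kids in tree.items():
            for fid, kind in kids:
                self._kind[fid] = kind
                self._parent[fid] = d
        self.current_dir = MF
        self.select_count = 0   # how many SELECT commands the explorer needed
        self._cache = {}

    def _selectable(self):
        """Files selectable from the current directory (selection rules 1-5)."""
        cd = self.current_dir
        if cd not in self._cache:
            ok = {MF, cd}                                                # rules 1, 2
            if cd != MF:
                p = self._parent[cd]
                ok.add(p)                                                # rule 3
                ok.update(f for f, k in self._children[p] if k == "DF")  # rule 4
            ok.update(f for f, _ in self._children.get(cd, []))          # rule 5
            self._cache[cd] = ok
        return self._cache[cd]

    def select(self, fid):
        """Return the file type ("DF"/"EF") on success, None if the ID is not selectable."""
        self.select_count += 1
        if fid not in self._selectable():
            return None
        kind = self._kind[fid]
        if kind == "DF":
            self.current_dir = fid  # selecting a DF changes the current directory
        return kind


def enter(card, path):
    """Re-select the DF chain MF -> ... -> path[-1]; each step is a son of the previous DF."""
    for fid in path:
        if card.select(fid) != "DF":
            raise RuntimeError("cannot re-enter %04X" % fid)


def brush_directory(card, path):
    """SELECTABLE_SET: try every ID 0000-FFFF from the directory at the end of path."""
    enter(card, path)
    selectable = {}
    for fid in range(0x10000):
        kind = card.select(fid)
        if kind is None:
            continue              # the card warned that the ID does not exist
        selectable[fid] = kind    # a header would be returned here on a real card
        if kind == "DF":
            enter(card, path)     # a DF hit moved the current directory: go back
    return selectable


def explore(card, path=(MF,), df_siblings=frozenset()):
    """SONS_SET = SELECTABLE_SET minus (MF_SET, CURRENT_SET, PARENT_SET, DF_SIBLINGS_SET),
    applied recursively to every DF found in SONS_SET."""
    cd = path[-1]
    selectable = brush_directory(card, path)
    known = {MF, cd} | set(path[-2:-1]) | set(df_siblings)
    sons = {fid: kind for fid, kind in selectable.items() if fid not in known}
    tree = {cd: sons}
    son_dfs = frozenset(fid for fid, kind in sons.items() if kind == "DF")
    for fid in sorted(son_dfs):
        tree.update(explore(card, path + (fid,), son_dfs))
    return tree


def reconstruct(tree=SAMPLE_TREE):
    """Brush a fresh card; return (discovered tree, number of SELECT commands issued)."""
    card = SimCard(tree)
    return explore(card), card.select_count


if __name__ == "__main__":
    found, n = reconstruct()
    for d in sorted(found):
        print("%04X: %s" % (d, ", ".join("%04X(%s)" % (f, k) for f, k in sorted(found[d].items()))))
    print("SELECT commands issued:", n)
```

The count of SELECT commands shows why the slides care about performance: every directory costs a full 65536-ID sweep plus one re-entry per DF hit, so the sweep count grows with the number of DFs rather than with the number of files.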
Some examples (SMS)
• Raw and translated version of an SMS
Some examples (ICCID)
▫ Raw SELECT response (file header): 0000000A2FE204000FF55501020000
▫ Raw file body: 98931000006092643586
▫ Parsed fields: ID 2FE2, size 10, access conditions NEV ADM ALW ADM NEV, File invalidated#, File not readable or updatable when invalidated#, structure transparent
[Figure: filesystem map extracted by SIMBrush, rebuilt here as a list. Standard files are grouped under the DF they belong to in GSM 11.11; the remaining IDs carry no name in the figure.]
MF 3F00
▫ EF (ICCID) 2FE2
DF (TELECOM) 7F10
▫ EF (ADN) 6F3A, EF (FDN) 6F3B, EF (SMS) 6F3C, EF (CCP) 6F3D, EF (MSISDN) 6F40, EF (SMSP) 6F42, EF (SMSS) 6F43, EF (LND) 6F44, EF (EXT1) 6F4A, EF (EXT2) 6F4B
DF (GSM) 7F20
▫ EF (LP) 6F05, EF (IMSI) 6F07, EF (Kc) 6F20, EF (PLMNsel) 6F30, EF (HPLMN) 6F31, EF (ACMmax) 6F37, EF (SST) 6F38, EF (ACM) 6F39, EF (PUCT) 6F41, EF (CBMI) 6F45, EF (SPN) 6F46, EF (KcGPRS) 6F52, EF (LOCIGPRS) 6F53, EF (SUME) 6F54, EF (BCCH) 6F74, EF (ACC) 6F78, EF (FPLMN) 6F7B, EF (LOCI) 6F7E, EF (AD) 6FAD, EF (PHASE) 6FAE
DF (DCS1800) 7F21
Other IDs found by brushing (unlabelled in the figure): 7F4F, 6F16, 6F1C, 6F1E, 2F20, 2F30, 2F31, 2F32, 2F33, 2F34, 2FEE, 2FEF, EECF, 0000, 0005, 0006, 0011, 0100, 0200
The Hidden Part of the Filesystem
• Non-standard part: an issue to deal with
• By analysing the meta-content (the file headers) it is possible to see whether some non-standard EFs are accessible with the “Update” command
• This demonstrates the possibility of using the SIM/USIM card as a covert channel
File Allocation Table
Lesson Learnt
• Every non-standard EF with CHV1/CHV2 access privileges on the Update command is writable
▫ Concrete possibility to hide plenty of information
▫ The SIM/USIM can become a real covert channel
• A standard 128 Kbyte SIM card can have around 17 Kbyte of hidden writable space
▫ This part of the filesystem cannot be found using current forensic tools
▫ GWSS (Global Writable Slack Space)
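An added example serving both the ICCID slide and the lesson above (written for this page, not SIMBrush's code). It parses the SELECT response of an EF with the 15-byte header layout of GSM 11.11 section 9.2.1 (an assumption about the card's response format), decodes the ICCID body as swapped-nibble BCD and verifies its Luhn check digit, and then flags the EFs whose Update access condition is CHV1 or CHV2 and that are not named in the slide's file map, summing their sizes as writable slack. The ICCID header and body are the hex strings from the slide; the two other headers are constructed to show one writable and one non-writable non-standard EF.

```python
# Access-condition codes (GSM 11.11): 0 ALW, 1 CHV1, 2 CHV2, 3 RFU, 4..E ADM, F NEV.
AC_NAMES = {0x0: "ALW", 0x1: "CHV1", 0x2: "CHV2", 0x3: "RFU", 0xF: "NEV"}
EF_STRUCTURE = {0x00: "transparent", 0x01: "linear fixed", 0x03: "cyclic"}

# EFs named in the slide's file map; anything else is treated as non-standard here.
STANDARD_EF_IDS = {
    0x2FE2, 0x6F3A, 0x6F3B, 0x6F3C, 0x6F3D, 0x6F40, 0x6F42, 0x6F43, 0x6F44, 0x6F4A, 0x6F4B,
    0x6F05, 0x6F07, 0x6F20, 0x6F30, 0x6F31, 0x6F37, 0x6F38, 0x6F39, 0x6F41, 0x6F45, 0x6F46,
    0x6F52, 0x6F53, 0x6F54, 0x6F74, 0x6F78, 0x6F7B, 0x6F7E, 0x6FAD, 0x6FAE,
}

# From the slide: SELECT response for EF_ICCID (2FE2) and its raw 10-byte body.
ICCID_HEADER = bytes.fromhex("0000000A2FE204000FF55501020000")
ICCID_BODY = bytes.fromhex("98931000006092643586")

# Constructed: two non-standard EFs, 0005 updatable under CHV1, 0006 only under ADM.
SAMPLE_HEADERS = [
    ICCID_HEADER,
    bytes.fromhex("000001000005040011FF5501020000"),  # 0005: 256 bytes, read CHV1, update CHV1
    bytes.fromhex("000000400006040015FF5501020000"),  # 0006: 64 bytes, read CHV1, update ADM
]


def ac_name(code):
    return AC_NAMES.get(code, "ADM")


def parse_ef_header(resp):
    """Decode the GET RESPONSE data after SELECT of an EF (GSM 11.11 section 9.2.1 layout)."""
    if len(resp) < 15 or resp[6] != 0x04:            # byte 7 = 04 marks an EF
        raise ValueError("not an EF SELECT response")
    return {
        "id": "%04X" % int.from_bytes(resp[4:6], "big"),    # bytes 5-6
        "size": int.from_bytes(resp[2:4], "big"),           # bytes 3-4
        "read": ac_name(resp[8] >> 4),                      # byte 9, high nibble
        "update": ac_name(resp[8] & 0xF),                   # byte 9, low nibble
        "increase": ac_name(resp[9] >> 4),                  # byte 10, high nibble
        "rehabilitate": ac_name(resp[10] >> 4),             # byte 11, high nibble
        "invalidate": ac_name(resp[10] & 0xF),              # byte 11, low nibble
        "invalidated": not (resp[11] & 0x01),               # byte 12, b1 = 0 means invalidated
        "readable_when_invalidated": bool(resp[11] & 0x04), # byte 12, b3
        "structure": EF_STRUCTURE.get(resp[13], "unknown"), # byte 14
        "record_len": resp[14],                             # byte 15
    }


def decode_swapped_bcd(body):
    """ICCID body: two decimal digits per byte, low nibble first, F as padding."""
    digits = []
    for b in body:
        for nib in (b & 0xF, b >> 4):
            if nib < 10:
                digits.append(str(nib))
            elif nib != 0xF:
                raise ValueError("non-decimal nibble %X" % nib)
    return "".join(digits)


def luhn_ok(number):
    """ITU-T E.118 check digit: Luhn sum over all digits must be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def writable_slack(headers):
    """Non-standard EFs writable after CHV1/CHV2 (the slide's WNSP) and their total size (GWSS)."""
    hits = [h for h in headers
            if int(h["id"], 16) not in STANDARD_EF_IDS and h["update"] in ("CHV1", "CHV2")]
    return [h["id"] for h in hits], sum(h["size"] for h in hits)


def analyse(headers=SAMPLE_HEADERS, iccid_body=ICCID_BODY):
    parsed = [parse_ef_header(h) for h in headers]
    iccid = decode_swapped_bcd(iccid_body)
    ids, total = writable_slack(parsed)
    return {"iccid": iccid, "iccid_luhn_ok": luhn_ok(iccid),
            "writable_ids": ids, "gwss_bytes": total, "headers": parsed}


if __name__ == "__main__":
    for k, v in analyse().items():
        print(k, v)
```

On a real acquisition the same classification runs over every header returned during brushing, so the list of writable non-standard EFs and the GWSS figure come out of the same pass that builds the filesystem map.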
Experimental Results
• WNSP: Writable Non-standard Part
• NSP: Non-standard Part of the filesystem
• TES: Total Engaged Space
Covert Channel
• The SIM/USIM can act as a covert channel:
▫ 1. Extraction of the File Allocation Table (FAT)
▫ 2. Allocation in the non-standard part of the SIM/USIM
▫ 3. Selection of a message to hide within the SIM (7-bit coding)
▫ 4. Stego-key selection (1FF0, 2FF2, 3FF2 …)
Hidden Message Communication
Discovering the Non-standard part
• Some guidelines:
▫ Extract all the contents
▫ Try to guess the coding scheme used
▫ Descramble the hidden message: try to figure out, from the various chunks of text, whether something intelligible can be obtained
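The "guess the coding scheme" step, as an added example written for this page (not SIMBrush's code). For a chunk dumped from a non-standard EF it tries the two codings an analyst would try first, GSM 03.38 7-bit packed text (the coding the covert-channel slide names) and plain 8-bit text, and keeps whichever yields the most intelligible characters; below a threshold it reports "unknown", which is the signal to move on to descrambling. Only the part of the GSM default alphabet that coincides with ASCII is decoded, other septets show as '?'. The chunks are constructed: the 7-bit vector is the standard packing of "hellohello", and the IDs 1FF0, 2FF2, 3FF2 from the slide are used purely as labels.

```python
# Septets 0x20-0x7A whose GSM 03.38 glyph differs from ASCII (0x24 is '¤', 0x40 is '¡', ...).
GSM7_NOT_ASCII = {0x24, 0x40, 0x5B, 0x5C, 0x5D, 0x5E, 0x5F, 0x60}

# Constructed chunks, as if read from three non-standard EFs.
SAMPLE_CHUNKS = {
    "1FF0": bytes.fromhex("E8329BFD4697D9EC37"),   # GSM 7-bit packing of "hellohello"
    "2FF2": b"Nothing here",                        # plain 8-bit text
    "3FF2": bytes.fromhex("00FF8001FE7F02C0"),      # neither: padding or scrambled data
}


def unpack_gsm7(data, septets=None):
    """Unpack LSB-first 7-bit packed septets; optionally cut to a known septet count."""
    out, acc, nbits = [], 0, 0
    for b in data:
        acc |= b << nbits
        nbits += 8
        while nbits >= 7:
            out.append(acc & 0x7F)
            acc >>= 7
            nbits -= 7
    return out if septets is None else out[:septets]


def septets_to_text(septets):
    """Render the ASCII-coincident subset of the GSM default alphabet; '?' elsewhere."""
    text = []
    for s in septets:
        if (0x20 <= s <= 0x7A and s not in GSM7_NOT_ASCII) or s in (0x0A, 0x0D):
            text.append(chr(s))
        else:
            text.append("?")
    return "".join(text)


def bytes_to_text(data):
    """Plain 8-bit reading: printable ASCII kept, everything else '?'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "?" for b in data)


def intelligibility(text):
    """Fraction of characters that decoded to something printable."""
    return 0.0 if not text else 1 - text.count("?") / len(text)


def guess_coding(chunk, threshold=0.8):
    """Return (scheme, text, score); scheme is 'unknown' when no decoding is convincing."""
    candidates = [
        ("8bit", bytes_to_text(chunk)),                   # listed first: wins ties
        ("gsm7", septets_to_text(unpack_gsm7(chunk))),
    ]
    scheme, text = max(candidates, key=lambda c: intelligibility(c[1]))
    score = intelligibility(text)
    if score < threshold:
        return "unknown", text, score
    return scheme, text, score


def scan(chunks=SAMPLE_CHUNKS):
    """Apply the guess to every chunk; the analyst then reads the convincing ones."""
    return {fid: guess_coding(data) for fid, data in chunks.items()}


if __name__ == "__main__":
    for fid, (scheme, text, score) in scan().items():
        print("%s: %-7s %.2f %r" % (fid, scheme, score, text))
```

The threshold is a judgement call: a chunk that scores well under neither coding is either not text, still scrambled, or split across several EFs, which is exactly the case the descrambling guideline addresses.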
Conclusions
• All the analysed SIM/USIM forensic tools have a missing part
▫ They are unable to extract the non-standard part
• Concrete possibility to use a SIM/USIM as a covert channel
• Application of some steganalysis concepts in order to extract the hidden message