problem with a GSM ...
 
Notifications
Clear all

problem with a GSM phone

10 Posts
6 Users
0 Likes
512 Views
(@rampage)
Posts: 354
Reputable Member
Topic starter
 

Dunno if this is the right section of the forum to ask for this, couse it's a bit about methodology but also hardware related.

i have a GSM mobile phone wich came to me for analyzing purposes without the SIM Card.

the card was given to me separately from the phone.

the problem is that this phone model doesn't boot without a sim inserted into it.

the following problem is that i can't actually insert the original SIM in the phone couse if it received SMSs from the carrier, by turning it on it would compromise my chance to retrieve evidences.

so what do you gurus suggest to do?

do you know if there are some sort of "dummy" (dunno if the term is correct) SIMs to use for Cell phones forensic examination?

how would you proceed?

thnx in advice.

 
Posted : 18/11/2008 1:25 pm
(@jeffcaplan)
Posts: 97
Trusted Member
 

Insert a blank SIM card and then exploit the phone. Doesn't matter which provider the SIM is with or if it is active, the one thing you want to be sure of is that the SIM contains no data on it which could bleed into your case when exploiting the phone.

 
Posted : 18/11/2008 3:37 pm
(@rampage)
Posts: 354
Reputable Member
Topic starter
 

the problem is "where can i get a blank sim"?

Here in my country they don't sell blank SIMs, a contract is required with the operator to get a SIM, and once the SIM is activated, i'm in danger of receiving bullshit on the evidence phone from the operator itself.

 
Posted : 18/11/2008 3:40 pm
(@jmech)
Posts: 40
Eminent Member
 

Use caution with placing a blank SIM into the phone, as this can cause some information to be deleted on some phones (at least thats the issue we deal with in the USA). Check out http//mobileforensicsinc.com, they sell the Forensic SIM Cloner software for creating forensic SIM clones that can be inserted into a phone without connecting to a network and without losing data. And it comes with a blank SIM card to use to create your clones.

Good luck.
Joe

 
Posted : 19/11/2008 1:05 am
(@mobilephoneforensic)
Posts: 73
Trusted Member
 

Do not attempt to insert a blank SIM card into the handset, or any other SIM card unless it is the original SIM card. Doing this will delete the call register of the handset.

What is the make and model of the handset?

Are you sure the SIM card you received is actually the SIM card belonging to the handset?

What foresic toolkits do you have to work with?

If you purchace this mesh cloth and wrap it around the handset and switch on the handset it wont be able to connect to the network

http//www.bkforensics.com/Phone_mesh.html.

 
Posted : 19/11/2008 7:00 pm
(@jeffcaplan)
Posts: 97
Trusted Member
 

Do not attempt to insert a blank SIM card into the handset, or any other SIM card unless it is the original SIM card. Doing this will delete the call register of the handset.

This may be true for some models of phones (though I've not seen one where this occurs), but it is absolutely not accurate across-the-board.

Jeff

 
Posted : 19/11/2008 7:23 pm
(@mobilephoneforensic)
Posts: 73
Trusted Member
 

This may be true for some models of phones (though I've not seen one where this occurs), but it is absolutely not accurate across-the-board.

Jeff

When you say blank SIM what do you mean exactly?

The call register on a handset is associated to a SIM card which was inserted in the handset when the calls were made, received or missed. When you remove the SIM card and insert a new SIM card the call register WILL be deleted. That’s why in the UK we use flasher boxes when we receive handsets without a SIM card. Using the flasher boxes we download the PM of a handset. Then by analysing the PM to determine the ICCID and IMSI of the last SIM card. We then clone the ICCID and IMSI to a blank SIM card using lets say SIM ID Cloner from Microsystemations. This is the only was we can guarantee the call register will not be deleted.

In previous research conducted by me and my colleagues when we inserted a SIM card with a different ICCID or IMSI into a handset, in 100% of the handsets the call register was deleted. Also the ICCID and IMSI of the last inserted SIM cards had changed in the handsets PM. By inserting a SIM card which was not inserted in the handset originally you are

1 Deleting the call register, and
2 Changing the last inserted ICCID and IMSI details on the handset.

I’m sure forensics means preventing changes to original evidence?

 
Posted : 20/11/2008 3:15 pm
(@vulcan)
Posts: 6
Active Member
 

I was able to get a case of new unused SIM cards from a local cell phone dealer (people transfer their old SIM cards to a new phone). I use XRY to clone the SIM Card and I use the Cloned card in the phone inside an RF box to prevent radio signals from getting to the phone.

 
Posted : 21/11/2008 4:02 am
(@rampage)
Posts: 354
Reputable Member
Topic starter
 

This may be true for some models of phones (though I've not seen one where this occurs), but it is absolutely not accurate across-the-board.

Jeff

When you say blank SIM what do you mean exactly?

The call register on a handset is associated to a SIM card which was inserted in the handset when the calls were made, received or missed. When you remove the SIM card and insert a new SIM card the call register WILL be deleted. That’s why in the UK we use flasher boxes when we receive handsets without a SIM card. Using the flasher boxes we download the PM of a handset. Then by analysing the PM to determine the ICCID and IMSI of the last SIM card. We then clone the ICCID and IMSI to a blank SIM card using lets say SIM ID Cloner from Microsystemations. This is the only was we can guarantee the call register will not be deleted.

In previous research conducted by me and my colleagues when we inserted a SIM card with a different ICCID or IMSI into a handset, in 100% of the handsets the call register was deleted. Also the ICCID and IMSI of the last inserted SIM cards had changed in the handsets PM. By inserting a SIM card which was not inserted in the handset originally you are

1 Deleting the call register, and
2 Changing the last inserted ICCID and IMSI details on the handset.

I’m sure forensics means preventing changes to original evidence?

i have the original SIM, but it was provided to me separately (removed by the phone)

by reading the SIM with a software like SIM card seizure i think i can read the IMSI and ICCID of the card.

i'm totally new in the mobile forensics and i need to learn most of the things from scratch,
any suggestion of hardware/software i need to make a SIM card i can use to analyze the device without worrying about the phone to connect to the GSM network?

i took a look at the XRY sim id cloner but can't find any pricing and i'm damnly in hurry (as usual) there's nothing "open" around the net i can use?

EDIT i tested on my old gsm nokia phone, and actually by changing the SIM card, the call logs is deleted.
the SMS and phonebook are still present but the call log is gone.

 
Posted : 21/11/2008 7:21 pm
(@yunus)
Posts: 178
Estimable Member
 

Use faraday bags, put the phone in one of those bags (very cheap) so it will connect to the carrier. The bag will prevent the signals reach to the phone.

You can also use a jammer inside your lab. So, it will stop signals from reaching your environment as long as you keep it on.

 
Posted : 02/12/2008 1:36 am
Share: