The main function of a SIM card is the identification of a user of a cellular phone on the network so that they can get access to its services.
The following types of data, which are valuable for an expert or investigator, can be found in the SIM card:
- Information related to the services provided by the mobile operator
- Phonebook and information about calls
- Information about messages exchanged
- Location information
Initially, SIM cards were almost the only source of data about the contacts of the mobile device owner, as the information about the phonebook, calls, and messages could be found only in their memory. Later, the storage of these data was relocated to the mobile devices memory and SIM cards began to be used only to identify subscribers in cellular networks. This is why some of the forensic tools developers, for the examination of mobile devices, decided not to include the SIM cards examination function in their products. However, today there are a lot of cheap phones (often, we call them "Chinese phones") with limited memory capacity. In these phones, part of the phone owners' data is stored in the SIM cards. This is why the forensic examination of SIM cards remains relevant.
SIM card is a regular smart card. It contains the following main components:
- Processor
- RAM
- ROM
- EEPROM
- A file system
- Controller I/O
In practice, we come across two kinds of SIM cards with six and eight contacts on the contact pads. This happens because the two contacts do not directly interact with the phone (smartphone) and their absence decreases the size of the area occupied by a SIM card when it is placed in the mobile device.
SIM cards can use three types of supply voltage (VCC): 5 V, 3.3 V, 1.8 V. Each card has a particular supply voltage.
There is an overvoltage protection in SIM cards. This is why when a 3.3 V supply voltage SIM card is placed in the card reader, that can operate only with 5 V supply voltage (old models), neither the information nor the SIM card can be damaged, and it will be impossible to work with this SIM card. As such, an expert may think that the SIM card is faulty. However, it is not so.
The forensic examination of a SIM card, before data extraction from the mobile device, where it is installed, is unreasonable. As the user's data stored in the memory of the mobile device, it can be reset or deleted during the process of removing the SIM card.
For analysis, a SIM card has to be removed from the mobile device and connected to the expert's computer via a specific device: a card reader.
Based on the previously mentioned information about SIM cards, we can figure out the main requirements to a card reader device with which it will be comfortable for an expert to examine SIM cards:
- The card reader device has to support smart cards with supply voltage of 5 V, 3.3 V, and 1.8 V.
- The card reader device has to support smart cards with six and eight contacts on the contact pads.
- The card reader device has to support Microsoft PC/SC protocol. Drivers for this kind of devices are pre-installed on all versions of the Windows operating systems. This is why there is no need to install additional drivers in order to connect such devices to the expert's computer.
The following image shows an example of such a card reader:
SIM cards reader produced by «ASR» company, model «ACR38T».
Despite the fact that there are card reader devices designed for reading data from SIM cards, card reader devices designed for reading data from the standard size cards (having the size of a bank card) can be used. To work comfortably with these devices, a blank card, to which the SIM card is adjusted with some small pieces of tape, is used.
This is a SIM card adjusted with a bank card looks.