SIM Card Forensics
A SIM or USIM card stores a structured file system containing subscriber identity, contact records, SMS messages, and network location history. Forensic examination of these cards can establish a device's network identity, recover deleted messages, and place a subscriber within a cell network at a specific time.
A SIM card is a small smart card that stores subscriber identity and network-related data in a structured file system defined by standards from ETSI and 3GPP. When a forensic examiner reads a SIM card, they can recover the International Mobile Subscriber Identity (IMSI) that uniquely identifies the account on the network, contact entries stored as Abbreviated Dialling Numbers (ADN), short message service records including deleted SMS, and the Location Information file (LOCI) that records the last network location area where the card registered. This data can link a physical card to a specific subscriber account, reconstruct communication history, and place the card within a cell network zone at a known time.
SIM cards operate independently of the handset operating system. A SIM can be removed from one phone and placed in another without altering its stored data. This means the card carries a forensic record that is separate from the device: evidence on the SIM may survive a factory reset of the handset, and evidence from a SIM recovered at a scene can be examined even when the original handset is missing. Forensic tools communicate with the card over the ISO 7816 electrical interface using Application Protocol Data Units (APDUs), the same command protocol the card uses during normal network registration.
Modern cards are physically UICC (Universal Integrated Circuit Card) hardware that host multiple card applications. A UICC may run both a SIM application (for 2G GSM compatibility) and a USIM application (for 3G and 4G networks), each with its own file system and Elementary Files. Forensic acquisition must address both application environments. The USIM extends the SIM file structure with additional files for LTE location data (EPSLOCI), IP multimedia services, and expanded phonebook entries. Understanding which file paths to target, and what each file contains, is the core technical skill in SIM card forensics.
By the end of this topic you will be able to:
- Identify the key Elementary Files on a SIM and USIM and state what forensically relevant data each contains.
- Explain how forensic SIM readers communicate with a card using APDU commands without altering the card contents.
- Describe how deleted SMS records can be recovered from EF_SMS and explain why recovery is not always possible.
- Interpret LOCI and EPSLOCI data to determine the last registered network location area of a subscriber.
- Explain the legal frameworks governing SIM card examination in India, the United States, the United Kingdom, and the European Union.
- IMSI: International Mobile Subscriber Identity. A 15-digit number stored in EF_IMSI on the SIM that uniquely identifies the subscriber account on the mobile network. The first three digits are the Mobile Country Code, the next two or three are the Mobile Network Code, and the remainder is the subscriber number within that network.
- ICCID: Integrated Circuit Card Identifier. The serial number of the physical SIM card itself, stored in EF_ICCID. It identifies the card as a piece of hardware, independent of the subscriber account loaded onto it. Forensically useful for linking a physical card to a subscriber record held by the network operator.
- EF_SMS: Elementary File for Short Message Service. A fixed-size record file on the SIM that stores SMS messages. Each record has a status byte (read, unread, sent, or free) and a message body. Records marked free after deletion often retain the original message content until the slot is overwritten.
- LOCI: Location Information file (EF_LOCI on SIM, EF_LOCI and EF_EPSLOCI on USIM). Stores the Location Area Identity (LAI) last received from the network during a location update procedure. The LAI contains Mobile Country Code, Mobile Network Code, and Location Area Code, mapping the card to a geographic zone served by a group of base stations.
- APDU: Application Protocol Data Unit. The command and response message format used to communicate with a smart card over the ISO 7816 interface. Forensic SIM readers issue read-only APDUs (SELECT to navigate the file system, READ RECORD or READ BINARY to retrieve file content) without issuing write commands that would alter the card.
- UICC: Universal Integrated Circuit Card. The physical hardware platform for modern SIM cards. A UICC can host multiple card applications simultaneously: a SIM application for 2G compatibility, a USIM application for 3G and 4G, and others. Forensic acquisition must select and read each application's file system separately.
SIM and USIM file system structure
A SIM card organises its data in a hierarchical file system with three node types. The Master File (MF) is the root, identified by file identifier 3F00. Dedicated Files (DFs) are directories that group related Elementary Files. Elementary Files (EFs) are the leaf nodes that contain actual data. The GSM and 3GPP standards define which EFs must exist, their file identifiers, and their data format. A forensic examiner navigates this tree by sending SELECT APDUs with the file identifier, then READ commands to retrieve the contents.
The primary dedicated file for GSM data is DF_GSM (7F20) under the MF. The USIM application data lives under a separate Application Dedicated File (ADF_USIM), accessed by selecting the USIM application identifier rather than a file identifier. Each application file system contains its own set of Elementary Files, and some data, such as the phonebook, may be stored under a separate dedicated file (DF_TELECOM at 7F10) shared across applications. A complete forensic acquisition reads all three regions: DF_GSM, DF_TELECOM, and ADF_USIM.
| File / EF identifier | Name | Contents | Application |
|---|---|---|---|
| EF_ICCID (2FE2) | Card serial number | 20-digit ICCID of the physical card | MF (universal) |
| EF_IMSI (6F07) | Subscriber identity | 15-digit IMSI number | SIM / USIM |
| EF_MSISDN (6F40) | Phone number | Subscriber MSISDN (the diallable number) | SIM / USIM |
| EF_SMS (6F3C) | SMS store | Fixed records: status byte + message body (up to 176 bytes each) | SIM / USIM |
| EF_ADN (6F3A) | Contacts | Abbreviated dialling numbers (name + number) | SIM / USIM |
| EF_LND (6F44) | Last numbers dialled | Recent outgoing call numbers | SIM |
| EF_LOCI (6F7E) | 2G/3G location | LAI (MCC + MNC + LAC) + location update status | SIM / USIM |
| EF_EPSLOCI (6FE3) | LTE location | Tracking Area Identity (TAI) for 4G/LTE networks | USIM |
Not all EFs are populated on every card. A card that has never received an SMS will have EF_SMS present but empty. A card used only on LTE networks may have LOCI data that reflects a 4G location update stored in EPSLOCI rather than the 2G LOCI file. The examiner should read all defined EFs and note which are empty, which are populated, and whether the data is consistent with the card's apparent history.
Forensic acquisition methods and tools
Forensic SIM acquisition uses a hardware reader that provides electrical power and clock signals to the card through the ISO 7816 contact interface. The reader connects to an examination workstation via USB, and the acquisition software sends APDU commands to the card to select and read each file. The process is non-destructive: read-only APDUs do not alter any file on the card. Most tools generate a SHA-256 or MD5 hash of all acquired data immediately after acquisition, creating a verifiable record that the card contents were not modified during examination.
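One way to verify the "read-only" claim for a given acquisition is to audit the APDU trace the tool produced. The following is an added example, not code from the page or from any of the tools it names: it classifies each command by its INS byte (per ETSI TS 102 221 / ISO 7816-4), rebuilds the file-identifier path that was walked, and hashes the bytes read, as the page says acquisition tools do. The trace lines are constructed sample data in the form `C-APDU -> R-APDU`.

```python
# Added example (not from the page): audit a constructed APDU trace from a SIM
# acquisition, confirm only read-only commands were sent, rebuild the file path
# that was walked, and hash the bytes read. INS codes per ETSI TS 102 221 / ISO 7816-4.
import hashlib

READ_ONLY_INS = {0xA4: "SELECT", 0xB0: "READ BINARY", 0xB2: "READ RECORD",
                 0xA2: "SEARCH RECORD", 0xC0: "GET RESPONSE", 0xF2: "STATUS"}
WRITE_INS = {0xD6: "UPDATE BINARY", 0xDC: "UPDATE RECORD", 0x32: "INCREASE",
             0x24: "CHANGE PIN", 0x26: "DISABLE PIN", 0x28: "ENABLE PIN"}

def parse_apdu(hexstr: str) -> dict:
    """Split a short command APDU into CLA, INS, P1, P2 and its data field, if any."""
    b = bytes.fromhex(hexstr)
    if len(b) < 4:
        raise ValueError("APDU header needs CLA INS P1 P2")
    data = b[5:5 + b[4]] if len(b) > 5 else b""      # Lc is present only for case 3/4
    return {"cla": b[0], "ins": b[1], "p1": b[2], "p2": b[3], "data": data}

def audit_trace(trace: list[str]) -> dict:
    """Classify every C-APDU in 'cmd -> response' lines; flag anything not read-only."""
    path, violations, acquired = [], [], bytearray()
    for line in trace:
        cmd, _, rsp = (part.strip() for part in line.partition("->"))
        apdu, rsp = parse_apdu(cmd), bytes.fromhex(rsp)
        name = READ_ONLY_INS.get(apdu["ins"])
        if name is None:
            violations.append((cmd, WRITE_INS.get(apdu["ins"], "unknown INS")))
        elif name == "SELECT" and len(apdu["data"]) == 2:
            path.append(apdu["data"].hex().upper())      # file identifier selected
        elif name in ("READ BINARY", "READ RECORD") and rsp[-2:] == b"\x90\x00":
            acquired += rsp[:-2]                         # response data minus SW1 SW2
    return {"path": path, "violations": violations, "acquired": acquired.hex().upper(),
            "sha256": hashlib.sha256(acquired).hexdigest(), "read_only": not violations}

# Constructed trace (2G class byte A0; USIM traffic would use class 00).
# UPDATE RECORD data bytes are omitted for brevity; the audit flags it by INS alone.
TRACE = [
    "A0A40000023F00 -> 9F16",                    # SELECT MF
    "A0A40000022FE2 -> 9F0F",                    # SELECT EF_ICCID
    "A0B000000A -> 981012345678901234569000",    # READ BINARY 10 bytes
    "A0A40000027F20 -> 9F16",                    # SELECT DF_GSM
    "A0A40000026F07 -> 9F0F",                    # SELECT EF_IMSI
    "A0B0000009 -> 0849405400000000109000",      # READ BINARY 9 bytes
    "A0A40000027F10 -> 9F16",                    # SELECT DF_TELECOM
    "A0A40000026F3C -> 9F0F",                    # SELECT EF_SMS
    "A0DC0104B0 -> 9000",                        # UPDATE RECORD 1: a write
]
```

`audit_trace(TRACE)` reports the SELECT path 3F00, 2FE2, 7F20, 6F07, 7F10, 6F3C and flags the single UPDATE RECORD, so the acquisition would fail the read-only check.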
Common forensic SIM tools include Cellebrite UFED (which includes a dedicated SIM reader), MSAB XRY, Oxygen Forensic Detective, and AccessData's MPE+. Specialised SIM-only tools include the Susteen DataPilot and the open-source pySIM library, which allows scripted APDU interaction for research purposes. Commercial tools typically provide automated file-system traversal, automatic decoding of standard EF formats, and reporting templates. Open-source tools require the examiner to decode raw bytes against the standard manually, but offer full transparency into what commands were sent.
Some files on a SIM, including EF_Ki (the authentication key), are protected by the card operating system and cannot be read via the standard APDU interface regardless of PIN status. EF_Ki is write-only from the perspective of external readers: the card uses it internally for authentication but never exposes its value. Recovering Ki requires destructive chip-level techniques outside normal forensic SIM acquisition.
Recovering SMS records and contacts
EF_SMS is a fixed-record file: it contains a set number of records, each 176 bytes, regardless of how many messages are stored. Each record begins with a one-byte status field. Status values defined in 3GPP TS 31.102 include: 01 (MT read), 03 (MT unread), 05 (MO sent), 07 (MO not sent), and 00 (free or deleted). When a handset deletes an SMS, it writes 00 to the status byte of that record. The 175 bytes of message data in the record body are usually not zeroed; they remain on the card until a new incoming message is assigned to that record slot.
Forensic tools recover deleted SMS records by reading all EF_SMS records regardless of status byte, and flagging those with status 00 that contain non-zero data in the message body. The recovered bytes can be decoded using the SMS PDU format defined in 3GPP TS 23.040: the PDU encodes the service centre address, the originating or destination number, the timestamp, and the message text in either GSM 7-bit encoding or UCS-2 Unicode. Many commercial tools decode PDUs automatically. Examiners working with raw output need to parse the PDU fields manually or use a PDU decoder utility.
Contact entries in EF_ADN follow a similar record structure. Each ADN record stores an alphanumeric name (up to 10 characters in the basic format, more in the extended phonebook) and a phone number in BCD-encoded format. Deleted contact records also retain their data until overwritten. EF_LND stores the last numbers dialled in the same format as ADN, typically with a smaller record count. LND recovery follows the same method as ADN: read all records, decode non-empty free-status entries.
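The recovery method described above, as an added example that is not code from the page or from any named tool: every EF_SMS record is read regardless of its status byte, status 00 slots whose body is not blank are kept as deleted-but-recoverable, and each body is decoded as a service-centre address plus SMS-DELIVER TPDU per 3GPP TS 23.040 (7-bit default alphabet or UCS-2). The same read-every-record scan applies to EF_ADN and EF_LND, whose field layout is not decoded here. All record bytes are constructed sample data.

```python
# Added example (not from the page): recover non-blank EF_SMS records, including
# status 00 "deleted" slots, and decode SMS-DELIVER PDUs per 3GPP TS 23.040.
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
        "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")

def semi_octets(data: bytes, ndigits: int) -> str:
    """Swapped-nibble BCD (low nibble first); 0xF filler digits are dropped."""
    return "".join(f"{b & 0xF:X}{b >> 4:X}" for b in data)[:ndigits].replace("F", "")

def unpack_gsm7(data: bytes, septets: int) -> str:
    """Unpack 7-bit packed user data: septet 0 sits in the low 7 bits of byte 0."""
    bits = int.from_bytes(data, "little")
    return "".join(GSM7[(bits >> (7 * i)) & 0x7F] for i in range(septets))

def address(ton: int, digits: str) -> str:
    return ("+" if ton & 0x70 == 0x10 else "") + digits   # TON 001 = international

def decode_deliver(pdu: bytes) -> dict:
    """Decode SCA + SMS-DELIVER TPDU; any other TPDU type is returned as raw hex."""
    n = pdu[0]                                    # SCA length: TON byte + digit bytes
    sca = address(pdu[1], semi_octets(pdu[2:1 + n], (n - 1) * 2)) if n else ""
    t = pdu[1 + n:]                               # TPDU starts right after the SCA
    if t[0] & 0x03 != 0x00:                       # TP-MTI: only 00 is SMS-DELIVER
        return {"sca": sca, "raw_tpdu": t.rstrip(b"\xff").hex()}
    h = 3 + (t[1] + 1) // 2                       # offset just past TP-OA
    oa = address(t[2], semi_octets(t[3:h], t[1]))
    dcs, ts, udl = t[h + 1], semi_octets(t[h + 2:h + 9], 14), t[h + 9]
    ud = t[h + 10:]                               # DCS 08 = UCS-2, else GSM 7-bit
    text = ud[:udl].decode("utf-16-be") if dcs & 0x0C == 0x08 else unpack_gsm7(ud, udl)
    stamp = f"20{ts[0:2]}-{ts[2:4]}-{ts[4:6]} {ts[6:8]}:{ts[8:10]}:{ts[10:12]}"
    return {"sca": sca, "from": oa, "timestamp": stamp, "text": text}

def recover_sms(records: list[bytes]) -> list[dict]:
    """Live records plus deleted (status 00) slots whose body is not blank."""
    found = []
    for idx, rec in enumerate(records, start=1):
        status, body = rec[0], rec[1:]
        if status == 0x00 and not body.strip(b"\xff\x00"):
            continue                              # genuinely free slot, nothing left
        found.append({**decode_deliver(body), "record": idx, "status": status,
                      "deleted": status == 0x00})
    return found

# Constructed EF_SMS records (176 bytes each): SCA +447785016005, sender
# +447911123456, 2024-03-15 14:07:30, text "hellohello" (E8329BFD4697D9EC37).
_PDU = bytes.fromhex("079144775810065004" "0C91449711214365" "0000" "42305141700300"
                     "0AE8329BFD4697D9EC37")
EF_SMS = [
    bytes([0x01]) + _PDU.ljust(175, b"\xff"),     # 01: MT message, read
    bytes([0x00]) + b"\xff" * 175,                # 00: free slot, nothing to recover
    bytes([0x00]) + _PDU.ljust(175, b"\xff"),     # 00: deleted, body still intact
]
```

`recover_sms(EF_SMS)` returns records 1 and 3 with identical decoded content, record 3 flagged `deleted`; record 2 is skipped because its body is all 0xFF.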
Location data: LOCI and EPSLOCI
EF_LOCI stores the Location Area Identity (LAI) that the network last sent to the SIM during a location update procedure. A location update occurs whenever the handset moves into a new Location Area, registers on the network after being powered on, or completes a periodic registration timer. The LAI is a 5-byte structure: 3 bytes for the Mobile Country Code and Mobile Network Code combined (in BCD format), and 2 bytes for the Location Area Code. EF_LOCI also contains a byte indicating the location update status (updated, not updated, or PLMN not allowed).
EF_EPSLOCI is the LTE equivalent, used when the USIM registers on a 4G network. It stores the Tracking Area Identity (TAI) rather than an LAI. The TAI has the same MCC and MNC components but uses a Tracking Area Code instead of a Location Area Code. Tracking Areas on LTE networks are typically smaller than 2G Location Areas, meaning EPSLOCI data can provide tighter geographic resolution than LOCI. Both files store only the most recent location update: they are not logs. A card that has registered on the network thousands of times still holds only the single most recent LAI or TAI.
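Decoding the two files described above, as an added example that is not code from the page or from any named tool: it splits constructed EF_LOCI (11 bytes) and EF_EPSLOCI (18 bytes) dumps into MCC, MNC, LAC or TAC and update status, handling the two- versus three-digit MNC distinction that the BCD nibble layout encodes. Record layouts follow 3GPP TS 31.102 and the PLMN coding follows TS 24.008; the sample bytes are constructed.

```python
# Added example (not from the page): decode constructed EF_LOCI (11 bytes) and
# EF_EPSLOCI (18 bytes) dumps into MCC/MNC plus LAC or TAC and update status.
# Layouts per 3GPP TS 31.102; PLMN nibble order per TS 24.008 section 10.5.1.3.

LOCI_STATUS = {0: "updated", 1: "not updated", 2: "PLMN not allowed",
               3: "location area not allowed"}
EPS_STATUS = {0: "updated", 1: "not updated", 2: "roaming not allowed"}

def decode_plmn(plmn: bytes) -> tuple[str, str]:
    """3-byte PLMN: byte0 = MCC d2|d1, byte1 = MNC d3 (or F)|MCC d3, byte2 = MNC d2|d1.
    Low nibble holds the earlier digit; 0xF in byte1's high nibble means 2-digit MNC."""
    b0, b1, b2 = plmn
    mcc = f"{b0 & 0xF}{b0 >> 4}{b1 & 0xF}"
    mnc = f"{b2 & 0xF}{b2 >> 4}"
    if b1 >> 4 != 0xF:                  # three-digit MNC: third digit lives in byte1
        mnc += f"{b1 >> 4}"
    return mcc, mnc

def decode_loci(rec: bytes) -> dict:
    """EF_LOCI: TMSI(4) | LAI = PLMN(3) + LAC(2) | TMSI TIME(1) | status(1)."""
    if len(rec) != 11:
        raise ValueError("EF_LOCI must be 11 bytes")
    mcc, mnc = decode_plmn(rec[4:7])
    return {"tmsi": rec[0:4].hex().upper(), "mcc": mcc, "mnc": mnc,
            "lac": int.from_bytes(rec[7:9], "big"),
            "status": LOCI_STATUS.get(rec[10] & 0x07, "reserved")}

def decode_epsloci(rec: bytes) -> dict:
    """EF_EPSLOCI: GUTI(12, length byte first) | TAI = PLMN(3) + TAC(2) | status(1)."""
    if len(rec) != 18:
        raise ValueError("EF_EPSLOCI must be 18 bytes")
    mcc, mnc = decode_plmn(rec[12:15])
    return {"m_tmsi": rec[8:12].hex().upper(), "mcc": mcc, "mnc": mnc,
            "tac": int.from_bytes(rec[15:17], "big"),
            "status": EPS_STATUS.get(rec[17] & 0x07, "reserved")}

# Constructed dumps (not from a real card): a 2G/3G update with MCC 404, MNC 45,
# LAC 0x1A2B, and an LTE update with MCC 310, three-digit MNC 410, TAC 0x0F3C.
# Each file holds only the most recent update, so one LAI or TAI is all there is.
EF_LOCI = bytes.fromhex("1234ABCD" "04F454" "1A2B" "FF" "00")
EF_EPSLOCI = bytes.fromhex("0BF6" "130014" "8001" "02" "C0FFEE01" "130014" "0F3C" "00")
```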
Interpreting LOCI data requires mapping the Location Area Code to a geographic area using the network operator's internal cell site database. Operators in most jurisdictions are required to retain and disclose this data in response to lawful process. In India, the Information Technology Act 2000 and the Telecommunications Act 2023 provide the legal basis for compelling operators to provide location records. In the United States, cell site location information requires a warrant under the Supreme Court's ruling in Carpenter v. United States (2018). The UK's Investigatory Powers Act 2016 and the EU's national implementations of Directive 2002/58/EC govern operator disclosure in their respective jurisdictions.
The forensic value of LOCI is not the location of the device at the time of an offence: LOCI only records the last update, which may have occurred well before or after the relevant event. Its value lies in placing the card in a network zone at some point before the next location update, and in confirming that the card was active on a network, which can contradict claims that the device was switched off or the SIM was removed.
Authentication parameters and Ki
The SIM's primary cryptographic function is authenticating the subscriber to the network. The card stores a secret authentication key (Ki) in a protected EF. During authentication, the network sends a random challenge (RAND) to the handset, which passes it to the SIM. The SIM uses Ki and RAND to compute a Signed Response (SRES) using the A3 algorithm, and returns SRES to the network. The network performs the same computation independently; if the values match, authentication succeeds. The SIM also computes a session encryption key (Kc) using the A8 algorithm.
Ki is never readable via the APDU interface. The card operating system enforces this: SELECT and READ commands against EF_Ki return a security status error. Recovering Ki requires physical chip-level analysis, which is destructive and outside the scope of standard forensic SIM examination. The forensic implication is that a cloned SIM, one that shares the same IMSI but has a different Ki, will fail network authentication unless the attacker also obtained Ki through other means.
The USIM extends authentication for 3G and 4G networks using the AKA (Authentication and Key Agreement) protocol, which adds mutual authentication: the USIM also verifies the network's identity before completing the exchange. The relevant EFs for 3G and 4G authentication are in ADF_USIM and include EF_KEYS and EF_KEYSPS, which store the current session keys. These files can be read after successful PIN authentication and reveal the active Kc and CK/IK session keys, which are relevant in cases involving real-time interception claims.
Legal frameworks and admissibility
SIM card evidence must be acquired under lawful authority and with documented chain of custody to be admissible. The legal basis varies by jurisdiction but the requirements are consistent: the examiner must be authorised to possess and examine the device, the acquisition method must be documented and reproducible, and the integrity of the evidence must be demonstrable through hashing. Courts in most jurisdictions accept forensic tool output from named commercial tools when the examiner can explain the tool's function and confirm the hash values match.
In India, digital evidence from SIM cards is admitted under the Bharatiya Sakshya Adhiniyam 2023 (BSA), which replaced the Indian Evidence Act 1872. Section 63 of the BSA addresses electronic records and requires a certificate from the person responsible for the device attesting to its proper functioning. Searches and seizures involving SIM cards are conducted under the Bharatiya Nagarik Suraksha Sanhita 2023 (BNSS), which replaced the CrPC. The Digital Personal Data Protection Act 2023 is relevant when examination involves personal data beyond the scope of the investigation.
In the United States, SIM examination is governed by the Fourth Amendment's warrant requirement for digital evidence, reinforced by Riley v. California (2014), which held that police must obtain a warrant to search the digital contents of a mobile phone incident to arrest. A SIM card is part of the phone's digital contents. In the United Kingdom, the Police and Criminal Evidence Act 1984 (PACE) and the Investigatory Powers Act 2016 govern examination of devices and compelled disclosure from operators. In the European Union, member state implementations of the European Investigation Order framework apply for cross-border cases.
Documentation requirements are the same across jurisdictions: the examiner records the make and model of the SIM reader, the software version, the date and time of acquisition, the ICCID and IMSI of the card, the hash values of the acquired data, and any errors or anomalies encountered during acquisition. This record forms part of the chain of custody and supports the examiner's testimony if the acquisition method is challenged.
Which Elementary File on a SIM card would an examiner read to determine the unique identity of the subscriber account on the network?
Key Takeaways
- A SIM or USIM card stores subscriber identity (IMSI, ICCID), communication history (EF_SMS, EF_ADN, EF_LND), and network location history (LOCI, EPSLOCI) in a standardised hierarchical file system that forensic tools read via read-only APDU commands over the ISO 7816 interface.
- Deleted SMS records are recoverable when the status byte has been set to 00 but the message body in the same record slot has not yet been overwritten by a new message. The 3GPP PDU format encodes the message text, timestamps, and participant numbers within those 175 bytes.
- EF_LOCI (for 2G and 3G) and EF_EPSLOCI (for LTE) store the Location Area Identity or Tracking Area Identity from the most recent network registration. These files record only the last location update, not a history, and require the operator's cell site database to map to a geographic area.
- The authentication key Ki cannot be read through any standard APDU interface; the card operating system enforces this regardless of PIN status. SIM cloning requires physical chip-level access to extract Ki, and a cloned card with incorrect Ki will fail network authentication.
- Admissibility requires documented lawful authority, a named and versioned acquisition tool, hash verification of the acquired data, and a chain-of-custody record. India's Bharatiya Sakshya Adhiniyam 2023, the US Fourth Amendment warrant requirement from Riley v. California, the UK's PACE, and EU member state frameworks all require these conditions.
What data is stored on a SIM card that is relevant to a forensic investigation?
What is the difference between a SIM card and a USIM card?
How do forensic tools read a SIM card without altering its contents?
What does LOCI data prove in a criminal investigation?
Can deleted SMS messages be recovered from a SIM card?