Hello,
I need to understand the mechanism that the SIM card performs when a message is deleted, and why they can no longer be recovered using forensic tools.
Any help with this will be most appreciated.
Are you sure they cannot be recovered?
I would say that it depends on a number of factors
http://www.dekart.com/howto/howto_sim_reader/how_to_recover_a_deleted_sms/
jaclaz
SMS can be recovered using almost any mobile forensic software. The issue most mobile users run into is that they don't realize their SMS is almost always stored within the phone memory with today's phones rather than on the SIM.
Hello,
You hit the nail on the head - can they be recovered?
We have been seeing the phrase "cannot decode SMS" a lot with deleted text messages on a SIM. My understanding is that the status is altered when a message is marked for deletion and the first character is removed. Forensic tools can easily recover these files if they are not overwritten.
I looked at the file system the Cellebrite performed and looked at the messages with the EF file and it looks like there should be messages but they are not 7 bit.
I was wondering if the handset has instructed the SIM card to overwrite the 176 bytes as well as marking the message area as available?
> We have been seeing the phrase "cannot decode SMS" a lot with deleted text messages on a SIM.
I think this is more likely to be your issue - the software you are using (Cellebrite?) doesn't understand the contents of the EF and therefore can't give you any 'readable' content.
Have you looked directly at the data itself to see what's there? IIRC, some network operators send configuration/update messages etc. by SMS which may not be designed to be human readable. This could be one reason for the issues you're having.
> We have been seeing the phrase "cannot decode SMS" a lot with deleted text messages on a SIM.
'Cannot decode SMS' I believe is the phrase that XRY displays on any SIM/Handset data in relation to config messages for network providers. Do you have USIM Detective? You could look into EF_SMS in HEX format at the 176 bytes of free space, in an attempt to identify the data.
As a cause factor there can be handset-dependent mechanisms as well, whereby the handset deletes the entire content (overwrites) with FFFFF. This approach can be used to slow-delete the entire file but then uses fast record (saving) for new messages, e.g. a handset with reduced memory area needing the SIM for its text message storage capacity. It has been a while since I have seen some GSM Phase 2/2+ handsets that had this feature. The point being it may be worth checking, with later-release smartphones, to determine from conducted tests on a case-by-case (model-by-model) basis those smartphones that overwrite (erase) the file (text message).
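The three cases discussed in this thread (status cleared but body intact, record overwritten with FF, and a payload that is not 7-bit), as an added example that is not part of any post above. It assumes the 176-byte EF_SMS record layout of 3GPP TS 51.011 holding an SMS-DELIVER TPDU without a user data header; `parse_record`, `make_record` and all sample bytes are constructed for illustration.

```python
# GSM 03.38 default alphabet, basic table only (extension escapes not handled).
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
        "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")
STATUS = {0x01: "received, read", 0x03: "received, unread",
          0x05: "sent", 0x07: "to be sent"}
ALPHABET = {0: "GSM 7-bit", 1: "8-bit data", 2: "UCS2", 3: "reserved"}

def unpack7(data, count):
    """Unpack `count` septets from GSM 7-bit packed octets."""
    bits = int.from_bytes(data, "little")
    return "".join(GSM7[(bits >> (7 * i)) & 0x7F] for i in range(count))

def parse_record(rec):
    """Classify one 176-byte EF_SMS record (SMS-DELIVER, no UDH assumed)."""
    if len(rec) != 176:
        raise ValueError("EF_SMS records are 176 bytes")
    status, body = rec[0], rec[1:]
    out = {"state": STATUS.get(status & 0x07, "unknown") if status & 1 else "free"}
    if all(b == 0xFF for b in body):
        return {**out, "content": "overwritten with FF"}
    try:
        pos = 2 + body[0]                 # skip SMSC address and the TPDU first octet
        pos += 2 + (body[pos] + 1) // 2   # originating address: length, type, digits
        dcs = body[pos + 1]               # TP-PID at pos, TP-DCS right after it
        pos += 2 + 7                      # skip PID, DCS and the 7-octet timestamp
        udl, ud = body[pos], body[pos + 1:]
    except IndexError:
        return {**out, "content": "residual data, not a parseable TPDU"}
    out["alphabet"] = ALPHABET[(dcs >> 2) & 3]
    if out["alphabet"] == "GSM 7-bit":
        out["content"] = unpack7(ud[:(udl * 7 + 7) // 8], udl)
    else:  # binary or UCS2 payload: keep the raw octets for manual review
        out["content"] = ud[:udl].hex()
    return out

def make_record(status, dcs, udl, ud):
    """Build a constructed record; the addresses and timestamp are made up."""
    tpdu = (bytes.fromhex("07911000000000F0" "04" "0B911000000000F0" "00")
            + bytes([dcs]) + bytes.fromhex("42101011000000") + bytes([udl]) + ud)
    return bytes([status]) + tpdu.ljust(175, b"\xff")

HELLO = bytes.fromhex("E8329BFD4697D9EC37")          # "hellohello", 10 septets
deleted = make_record(0x00, 0x00, 10, HELLO)         # status cleared, body intact
wiped = bytes([0x00]) + b"\xff" * 175                # handset overwrote the record
binary = make_record(0x00, 0xF6, 4, bytes.fromhex("027000AB"))  # 8-bit payload

for name, rec in (("deleted", deleted), ("wiped", wiped), ("binary", binary)):
    print(name, parse_record(rec))
```

A record reported as "free" with a non-FF body is the case where the text is still recoverable; a non-7-bit alphabet is one way a tool can end up unable to show readable text even though data is present.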