Hello everybody… again ^^
As you may have noticed, I'm dealing with a couple of GSM phone experiments and analysis.
First, the easy question:
Does anyone know if there is some software capable of analyzing a SAMSUNG SGH-Z240 apart from Cellebrite and xray?
I already own a license for Oxygen Forensic Suite, and that particular model is not supported.
It's not supported by Paraben Device Seizure either, or even FTK Mobile Device Investigation software.
OK, now let's go to the interesting experiments part.
I already made a post about using dummy SIMs for analyzing GSM phones.
I went through some tests and actually verified that if the SIM card used doesn't have the same IMSI & ICC-ID, the phone erases the call log, or for a few models even all personal data.
I was wondering if it was possible to create a fake SIM with the same IMSI and ICC-ID to analyze the phone without altering data, and looking around, I noticed that there is a way to use a common PIC/EEPROM based smart-card and use a particular firmware called SIM-EMU to create a working SIM card.
Many people use/used this software to create fully working SIMs; you can manually enter the IMSI, the ICC-ID and other data such as the SMS center etc.
People are stuck with SIM cloning using this software because to produce a fully working SIM you need the KI, which is encrypted in the SIM card, and if the original one is recent, you won't extract it.
But for forensic examination, I don't actually need a fully working SIM card, right?
Just a SIM which fakes the device into thinking it's the original one.
So I don't need the KI, and it's even better, so that the phone is isolated from the network.
Do you think that it's possible to create a forensic SIM clone with the original IMSI & ICC-ID, a silver card (PIC + EEPROM), SIM-EMU, and a Smartmouse/Phoenix programmer?
I think it's worth a try.
I'm going to check this out myself, but if someone has already tried it out, please post feedback.
Rampage
As you are running experiments, run a read to identify the ATR and elementary files before and after a test clone SIM card (using one of the forensic SIM cloners) and then run the same test again, but this time using the method you propose in your thread above.
- verify the results, then produce and post a report for both at ForensicFocus
- verify what access you get to the handset using different handsets with different operating systems (proprietary OS, Symbian OS etc.), then produce and post a report on results for all OS at ForensicFocus
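The before/after comparison suggested in the reply above can be scripted. The following is an added example, not code from any poster in this thread: it decodes EF_ICCID and EF_IMSI from their raw nibble-swapped BCD bytes and lists every item that differs between two reads. The function names, dictionary layout and all byte values are assumptions constructed for illustration.

```python
# Added example: compare two SIM reads (original card vs. test clone) item by item.
# All byte values below are constructed sample data, not reads from a real card.

def swap_nibbles(raw: bytes) -> str:
    """Decode nibble-swapped BCD and drop trailing 'F' filler nibbles."""
    digits = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in raw)
    return digits.rstrip("f")

def decode_iccid(raw: bytes) -> str:
    """EF_ICCID (file 2FE2): 10 bytes of nibble-swapped BCD."""
    return swap_nibbles(raw)

def decode_imsi(raw: bytes) -> str:
    """EF_IMSI (file 6F07): length byte, then swapped BCD whose first nibble is a parity/type marker."""
    length = raw[0]
    if not 1 <= length <= 8 or len(raw) < 1 + length:
        raise ValueError("malformed EF_IMSI record")
    return swap_nibbles(raw[1:1 + length])[1:]

def compare_reads(before: dict, after: dict) -> dict:
    """Return {item: (before_hex, after_hex)} for every item that differs or is missing."""
    diffs = {}
    for name in sorted(set(before) | set(after)):
        a, b = before.get(name), after.get(name)
        if a != b:
            diffs[name] = (a.hex() if a is not None else None,
                           b.hex() if b is not None else None)
    return diffs

# Constructed sample reads keyed by item name (hypothetical layout).
ORIGINAL = {
    "ATR": bytes.fromhex("3b9f94801fc3"),
    "2FE2 EF_ICCID": bytes.fromhex("98000101000000000021"),
    "6F07 EF_IMSI": bytes.fromhex("080910101032547698"),
    "6F42 EF_SMSP": bytes.fromhex("ffffffff"),
}
# Test card: same ICCID and IMSI, different ATR, EF_SMSP not present.
CLONE = dict(ORIGINAL, ATR=bytes.fromhex("3b16959002"))
del CLONE["6F42 EF_SMSP"]

if __name__ == "__main__":
    print("ICCID:", decode_iccid(ORIGINAL["2FE2 EF_ICCID"]))
    print("IMSI: ", decode_imsi(ORIGINAL["6F07 EF_IMSI"]))
    for item, (a, b) in compare_reads(ORIGINAL, CLONE).items():
        print(f"DIFF {item}: original={a} clone={b}")
```

Recording the same comparison for each card and each handset gives the per-OS report the reply asks for.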
It will take me some time, and I don't have a forensic SIM cloner at the moment, so I can't make a comparison.
Once I've come to some concrete conclusions I'll post something for sure.
Thanks for the suggestions.
OK, I've found a way to browse the filesystem of the SGH-Z240 by accessing the test menu and setting the phone to work as a DCMA phone on the USB interface.
Then I connected to the phone using BitPim, and I'm browsing the FS right now.
The problem now is accessing sensitive data and opening the correct files.
Does anyone have any sort of documentation about the file format used, the filesystem structure, and where data like the phonebook, call logs and such are stored?
Thanks in advance.