
To Clone or NOT to Clone?

8 Posts
6 Users
0 Reactions
787 Views
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
Topic starter  

To Clone or NOT to Clone?

The purpose of this article is to reiterate the issues surrounding the best practice model of the forensic examination/data harvesting of mobile telephones and the isolation of radio signals. It’s not the intention of the author to critique any persons/methods or vendors of products/services but merely to highlight the issues which are still apparent today considering such methods have been adopted for well over ten years in the field of mobile phone forensics and which in the opinion of the author are yet to be addressed to a satisfactory level.

Author Vinny Parmar
Digital Forensic Practitioner
Accredited MTEB Mobile Phone Trainer

http://trewmte.blogspot.co.uk/2012/10/to-clone-or-not-to-clone.html


   
hcso1510
(@hcso1510)
Reputable Member
Joined: 15 years ago
Posts: 303
 

Greg,

My knowledge of mobile forensics is quite basic, but I thought I would chime in. What does the term CLONE actually mean? Is it an “identical representation” or is it a “close enough representation” of the original? If it were a close enough representation I guess the following question would be who is determining what “close enough” is? Is it the individual designing the soft/hardware or possibly the limitations of the soft/hardware that determine this?

My understanding is that the CLONE was supposed to be an exact representation of the original minus one final number needed for network authorization. I believe this is called the KiA? (If the spelling's off, forgive me.) If that is accurate then isn’t the CLONE actually a 99.0 percent or a 99.5 percent representation of the original?

Can the contents of the original U/SIM be hashed minus the KiA? If so then maybe the contents of the CLONE could be hashed and compared? Is this possible and would this even partially solve the problem?


   
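The hash-and-compare idea raised in the post above, as an added example (not part of any post in this thread and not any vendor's tool): per-file SHA-256 digests of an original and a clone file dump, compared with a chosen set of files left out. The dumps are constructed, and the function names and the choice of excluded files are assumptions.

```python
import hashlib

# Constructed sample dumps: EF identifier -> raw bytes read through the card's
# file interface. The authentication key is not a readable file, so it never
# appears in a dump like this.
ORIGINAL = {
    "2FE2": bytes.fromhex("98441000000000000010"),      # EF_ICCID
    "6F07": bytes.fromhex("082943051000000010"),        # EF_IMSI
    "6F7E": bytes.fromhex("a1b2c3d432f4510001ff00"),    # EF_LOCI (network state)
    "6F3A": b"ALICE".ljust(14, b"\xff") + bytes.fromhex("0681214365ffffffffffffff"),  # EF_ADN
}
CLONE = {
    "2FE2": ORIGINAL["2FE2"],
    "6F07": ORIGINAL["6F07"],
    "6F7E": bytes.fromhex("ffffffffffffff0000ff01"),    # reset on the clone
}   # no EF_ADN: a clone carrying no user data

# Assumption: which files count as "network parameters" is the examiner's call.
NETWORK_STATE = frozenset({"6F7E"})

def compare_dumps(original, clone, excluded=frozenset()):
    """Classify every file ID by comparing per-file SHA-256 digests."""
    report = {"match": [], "differ": [], "missing_in_clone": [],
              "extra_in_clone": [], "excluded": []}
    for fid in sorted(set(original) | set(clone)):
        if fid in excluded:
            report["excluded"].append(fid)
        elif fid not in clone:
            report["missing_in_clone"].append(fid)
        elif fid not in original:
            report["extra_in_clone"].append(fid)
        else:
            same = (hashlib.sha256(original[fid]).digest()
                    == hashlib.sha256(clone[fid]).digest())
            report["match" if same else "differ"].append(fid)
    return report

def combined_hash(dump, excluded=frozenset()):
    """One digest over all non-excluded files, framed by ID and length."""
    h = hashlib.sha256()
    for fid in sorted(dump):
        if fid not in excluded:
            h.update(bytes.fromhex(fid))
            h.update(len(dump[fid]).to_bytes(4, "big"))
            h.update(dump[fid])
    return h.hexdigest()

if __name__ == "__main__":
    print(compare_dumps(ORIGINAL, CLONE, NETWORK_STATE))
```

A single combined digest only says "same" or "different"; the per-file report is what shows whether a mismatch comes from excluded network state, from user data left off the clone, or from a file the tool read differently.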
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
Topic starter  

Ed, as it is Vinny's article I will let him respond.

Greg


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

May I ask about ?

Unfortunately this option is not a satisfactory way forward due to cost, health & safety issues, practicality and when dealing with volume work.

Isn't "cost" and "when dealing with volume work" either perfect synonyms or complete antonyms?

Which health and safety issues?

I would say that there are also issues with the effectiveness of some "Faraday" tools
http://docs.lib.purdue.edu/cgi/viewcontent.cgi?article=1033&context=techmasters&sei-redir=1
(which indirectly brings us back to trewmte's blog)
http://trewmte.blogspot.it/2011/04/faraday-containers-found-unsafe.html

Also, has anyone some test data on actual "Faraday" tents or rooms?

I seem to find some references to these, as well as "signal suppressors", like in
http://mobileforensics.files.wordpress.com/2010/07/cell-phone-evidence-extraction-process-development-1-1-8.pdf
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.185.3236&rep=rep1&type=pdf
but seemingly not actual reports of tests carried out on them.

jaclaz


   
vinnyparmar
(@vinnyparmar)
Active Member
Joined: 18 years ago
Posts: 12
 

Thank you for your responses, much appreciated.

When I embarked upon this project almost ten years ago, to my knowledge it saw the introduction of the first U/SIM cloning system that was put into the market place (developed in conjunction with a known product vendor).

The idea behind the venture was to allow an examiner to produce an identical working U/SIM of the target, minus the network parameters, to permit access to the target handset without compromising stored data, as that was the primary issue at that time.

Obviously, as technology has advanced, other products of a similar nature were also introduced into the market place, some better than others.

However, the advancements in technology have not led to such systems being improved; they operate in exactly the same way as when they were first introduced, which in real terms no longer fits the bill.

From an examiner's perspective we still experience the same or similar issues with the creation of working U/SIMs and the extraction/harvesting of stored data. The purpose of the article was to remind examiners of the drawbacks of these systems and to reiterate that best practice methods need to be evaluated on a case by case basis, whether this be volume work or not, and secondarily an attempt to invoke the product vendors to revisit their product development cycles to address such issues which to do compromise best practice and which are cost effective.


   
(@randomaccess)
Reputable Member
Joined: 14 years ago
Posts: 385
 

Excuse my lack of knowledge, but I'm a little bit confused by the article.
My understanding is that you think that SIM cloning technology has not kept up with changes in SIM cards.

In practice, I compare a sample of the information a tool has output with what is shown on the phone.

In terms of RF shielded equipment, the RF bags seem to work.

In answer to your 'to clone or not to clone' question: clone, unless you have access to RF shielding. It's horrible when a phone comes in already wiped….


   
 Doug
(@doug)
Estimable Member
Joined: 16 years ago
Posts: 185
 

The title is 'To Clone or NOT To Clone?' but this isn't directly answered?

I see no issue with a cloned card that carries no user data. I actually see that as a benefit. It makes a very clear distinction between the data stored on the handset and the data stored on the U/SIM when being used/extracted by the examiner.

In the second paragraph you raised a point about minimal U/SIM clones being a problem. What are the problems with that? You state that tools that struggle to extract all the data from a U/SIM cause problems, which is true. But if you are not relying on that data for a cloned card I struggle to see the issue?

Sadly it is a very common theme for forensic tools to miss data or not present it correctly! I wish it wasn't but we don't live in a perfect world, you have my full agreement on that as an issue!


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

In terms of RF shielded equipment, the RF bags seem to work.

Do you mean that the cited research at Purdue University is leading to incorrect results?
Or - literally - that they "seem" to work (but actually do not fully or always - as in the cited thesis)?

jaclaz


   