Cyber Security Unit 3


CYBER SECURITY (Unit-3)

NETWORK DATA ANALYSIS:

Data analysis is the art and science of transforming raw data into meaningful and useful
information. Historically, businesses have used data analysis to monitor their overall
performance and to better understand factors that drive that performance, such as
customer preferences and purchasing habits. But data analysis can also be used to
identify cybersecurity threats, risks, and incidents, helping businesses become safer and
less vulnerable to cyber attacks.

The Role of Data Analysis in Cybersecurity

Cybersecurity is concerned with protecting digital assets, networks, and computers
from attack or unauthorized access of data. As businesses continue to rely on
technology and the Internet, they also face the increased risk of cybercrime. And
due to the constantly evolving nature of technology and related security risks,
preventing cybercrime is a challenging responsibility.

Fortunately, data analysis also has the potential to be used to identify the risks that
have resulted from the exponential growth of technology and the Internet, and our
increasing reliance on both. Data analysis can give businesses a comprehensive
view of internal and external risks by alerting decision makers about potential
fraud, unusual network traffic patterns, hardware failures, and security breaches. It
converts data into actionable information, helping businesses move their
cybersecurity measures from a reactive state to a proactive state.

EMAIL FORENSICS SERVICES AND CLIENTS

Email is universal - it is a major component of any cyber forensic investigation whether
involving business or personal communications.

The main concerns with emails as evidence are:

1) Can emails be recovered from whatever devices and services might be involved?

2) Can emails be authenticated?

3) In cases where emails have been erased or deleted, can enough data be recovered to support
the case or a spoliation hearing?

Global Digital Forensics addresses these issues and more by providing complete email forensics
services for law firms, businesses and governmental bodies, as well as private investigators.

Email Data Types and Evidence Recovery

Email evidentiary data can be recovered from:

• Email clients on desktop or laptop computers such as Outlook 360, Apple Mail, Inbox by
Gmail, Mailspring, Mailbird and eM Client, on Windows, Linux and Mac OS X operating
systems, etc.
• Smartphones from Apple, Samsung, Google, Huawei, Sony, Nokia, etc.
• Tablets from Apple, Lenovo, Samsung, Microsoft (including Surface), Amazon Kindle,
etc.
• Digital devices such as smart watches and video gaming consoles.
• Online email services such as Gmail, G Suite, MS Outlook, Yahoo Mail, Hotmail, iCloud,
AOL, GoDaddy and Zoho Mail, integrated mail systems in CMS and CRM software, as well
as ISP-based email systems, corporate email systems and servers, private email servers,
etc.

Many different types of data can be recovered as evidence. Not only is there information
explicitly in the email itself, but there is data (metadata) generated by the sending/receiving
process that can be useful in an investigation.

The following is a partial list of the types of data that can be recovered from email:

• Written communications
• Photographs, diagrams, compressed attachments, etc.
• Sent-to / received-from data
• Date and location data
• Send path information
• Contact list data
• Email log information, email headers and other types of metadata that can be used to
establish timelines of action, locations, and connections between subjects involved in
investigations.

Recovering Evidence from Desktop-based or Device-based Email Clients

Email client programs, such as Outlook 360, Mac Mail and others, are prime sources of forensic
email data.

The data on these systems, however, is prone to deletion and other attempts at spoliation. Similar
issues arise when trying to recover emails from iPhones, Android devices, iPads, Surface tablets,
etc.

Device / Drive Imaging

Imaging is making a bit-by-bit copy of any data source, which helps to maintain the integrity of the
data and facilitates the speed and thoroughness of the investigation.

Recover Deleted Emails


GDF provides services to recover normal AND deleted emails in their original form, with no
data modification done at any time during the process so as to maintain admissibility.

Repair Corrupted or Damaged Emails

GDF provides services to repair damaged or corrupted emails, again while maintaining
admissibility. These services are discussed on a case-by-case basis.

Email Header Analysis

Email headers are crucial in establishing the origin, destination and all the "hops" along the way
that an email traveled. Email headers can divulge data such as:

• Who sent and received the email
• The full network path the email traversed
• Timestamp information
• Information about the email client used
• Information about the device used
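The hop reconstruction described above, as an added example (not part of the original notes): each relay prepends its own Received: header, so reading them bottom-up gives the path in chronological order. The raw message is constructed with documentation addresses and .example hostnames.

```python
"""Reconstruct an email's delivery path from its Received: headers.

Added example; the raw message below is constructed (RFC 5737 documentation
addresses and .example hostnames), not taken from any real investigation.
"""
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed message: three relay hops, an originating host with no reverse
# DNS name, and a Return-Path domain that differs from the From domain.
RAW_MESSAGE = b"""\
Return-Path: <bounce@mail-relay.example.net>
Received: from mx.corp.example.com (mx.corp.example.com [192.0.2.10])
\tby inbox.corp.example.com with ESMTP id AB123
\tfor <jordan.smith@springfield.example>; Mon, 04 Mar 2024 10:02:17 +0000
Received: from mail-relay.example.net (mail-relay.example.net [198.51.100.7])
\tby mx.corp.example.com with ESMTPS id CD456; Mon, 04 Mar 2024 10:02:15 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby mail-relay.example.net with SMTP id EF789; Mon, 04 Mar 2024 10:02:09 +0000
From: "Jordan Smith" <jordansmith@springfield.example>
To: staff@springfield.example
Subject: Updated payroll form
Date: Mon, 04 Mar 2024 10:02:05 +0000
Message-ID: <abc123@mail-relay.example.net>
X-Mailer: ExampleMailer 1.0

Please fill in the attached form today.
"""

# "from <host> ... by <host>" is the common shape of a Received: clause.
HOP_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.S)


def parse_hops(raw):
    """Return (message, hops) with hops in chronological order."""
    msg = email.message_from_bytes(raw)
    hops = []
    # Each relay *prepends* its Received: header, so the last header in the
    # message is the first hop the message took.
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())          # unfold the header
        m = HOP_RE.match(text)
        stamp = text.rsplit(";", 1)[1].strip() if ";" in text else None
        hops.append({
            "from": m.group("from") if m else None,
            "by": m.group("by") if m else None,
            "time": parsedate_to_datetime(stamp) if stamp else None,
        })
    return msg, hops


def domain_of(header_value):
    return parseaddr(header_value or "")[1].rsplit("@", 1)[-1].lower()


def header_findings(msg, hops):
    """Observations an examiner would note; not proof of forgery on their own."""
    findings = []
    from_dom, rp_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    if from_dom != rp_dom:
        findings.append(f"From domain {from_dom} differs from Return-Path domain {rp_dom}")
    if hops and hops[0]["from"] and hops[0]["from"].startswith("["):
        findings.append(f"originating host {hops[0]['from']} has no reverse DNS name")
    for earlier, later in zip(hops, hops[1:]):
        if earlier["by"] != later["from"]:
            findings.append(f"chain break: {earlier['by']} handed off, next hop claims from {later['from']}")
        if earlier["time"] and later["time"] and later["time"] < earlier["time"]:
            findings.append(f"timestamp goes backwards at {later['by']}")
    return findings


if __name__ == "__main__":
    message, path = parse_hops(RAW_MESSAGE)
    for i, hop in enumerate(path, 1):
        print(f"hop {i}: {hop['from']} -> {hop['by']} at {hop['time']}")
    for note in header_findings(message, path):
        print("note:", note)
```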

WHAT IS INTERNET FRAUD?

Internet fraud is a type of fraud which makes use of the internet. It is not a single fraud; there are
numerous frauds under that heading. Internet fraudsters are everywhere and they come up with innovative
tricks to cheat people and wipe out money from their bank accounts. In this blog, we will discuss
the types of internet fraud.

Types of internet fraud


1. Phishing or email scam

It is a method used by fraudsters to steal your personal information. Under this fraud, fraudsters
send you emails posing as a genuine or reputed company. The primary intention of sending
those emails is to steal your bank details. These emails will usually have a link or attachment. If
you click on those links, you will be taken to a fake website. The fake website will ask you to
provide your sensitive information like card details, UPI code and other bank details. Also,
clicking on such links will lead to a virus attack on your computer.

2. Online shopping frauds

It has been one of the biggest internet frauds for the past few years. Under this, fraudsters set up fake
online shopping portals with the intention of cheating innocent people of their hard-earned
money. On the website, they display attractive products at very cheap rates. But, after the
purchase is made by paying the money, either a fake product is delivered or the product is not
delivered at all. These websites will not have any return or refund policies, and there will be
no customer support team to contact.

3. Identity theft

Under identity theft, your personal information is stolen by fraudsters through the internet and
used to apply for a personal loan, two-wheeler loan or a credit card with a bank. When loans are
availed in your name, you will be responsible for their repayment. Banks will send you the notice
for repayment. If the loan is not repaid it will have a bad impact on your credit score and you
will be marked as a loan defaulter.

Also, the stolen information of yours can be used to create fake social media accounts.

4. Work from home scam


The work from home scam is one of the more serious internet frauds. Under this, fraudsters dupe people
who are looking for work from home opportunities by promising that they will earn handsome
money just by working for a few hours from home. To register for the scheme, job seekers will
be asked to deposit a certain amount of money for a job kit which is said to be useful for the work. After the
money is deposited, there will be no trace of the employers.

5. Lottery fraud

Lottery fraud is one of the top three internet frauds in India. Under lottery fraud, fraudsters
call you or send emails and messages stating that you have won a lottery worth some crores of rupees. To
receive the lottery money, you will be asked to transfer money online in the name of tax.
Sometimes you will be asked to pay money by visiting fake websites. When you try to make a
payment using those websites, all your card details will be stolen.

6. Matrimonial frauds

In today's busy lifestyle, people prefer online matrimonial sites to find their life partners. But the
sad part here is that a lot of people lose lakhs of rupees while finding their soulmates on
matrimonial sites. Fraudsters dupe innocent people by creating fake profiles. Also, there are
many gangs set up to carry out this fraud. Under this fraud, fraudsters first make the victims believe
them. Once the trust is created, money is looted from the victims.

7. Tax scams

This fraud normally takes place during the tax season, when taxpayers are waiting for their
tax refund. Fraudsters send fake refund SMS and emails to taxpayers claiming to be from the
income tax department. These notifications are mainly sent with the intention of collecting
personal information like login details for the I-T Department website, bank details and so on. To
credit the refund money to your bank account, you will be asked to provide your sensitive bank
information.

8. Credit card reward point fraud

Reward points or loyalty points are offered by credit card companies to promote the usage of
a credit card. Frauds also take place in the name of credit card reward points. Fraudsters call
credit cardholders claiming to be from their credit card company and tell them that they would
help them in redeeming their credit card reward points. They create urgency among cardholders,
stating that the offer will end very soon. To redeem the reward points, cardholders will be asked to
provide their card details along with the OTP. Fraudsters then carry out fraudulent transactions using
these details.

9. Frauds on OLX

Frauds on OLX have become very common and many people have lost their money while
buying and selling products on the website. In the fraud which normally takes place on OLX,
fraudsters pose as Army personnel and post their advertisement on the website. Fraudsters use
stolen ID cards of army personnel to make people trust them. They collect money from the
buyer for the advertised product but never deliver the product. Here the goodwill
associated with the armed forces is used by fraudsters to cheat people of their hard-earned
money.

10. Social media frauds

With the number of people using social media, social media frauds are on the rise. Cyberbullying
is one of the biggest social media frauds, and many teenagers have fallen prey to it. Under
cyberbullying, social media sites are used to bully people. There are also many other social
media frauds, like the Facebook friend fraud.

SPAM INVESTIGATION

Investigating and analyzing a phishing email can be far easier if one follows these steps and
makes sure of each of the following points.

Check the Sender's Email Address

• The sender's email address is something that should be checked and double-checked, as
there is more than one approach to trick the receiver.

• Not many organizations send emails to their customers through public domains, and certainly not
giants like Facebook, Twitter, TED-Ed, and more. (Some small businesses, on the other
hand, still use public domains such as Gmail for their email services.)

• So, one has to make sure the domain of the email address is not public if the email is on
behalf of a well-known and reputable organization with a dedicated domain.

• Facebook won't ever send you an email using a Gmail account, for instance. Secondly,
check the spelling, letter by letter, of the domain name.

• The human mind is so clever that it fixes errors during reading, even if a word is not correctly
written. Say we take Spring Field as an organization that has a Finance Manager called
Jordan Smith. His email address is jordansmith@springfield.com.

• Employees in this organization receive an email with a form to fill in from
jordansmith@springfeild.com, and they all do what is wanted. Some email
applications don't show the sender's email address entirely. Hence, you have to go through an
extra step and check the sender's complete details, which differs depending on the email
application the individual is using.

Salutation Matters

• The salutation in phishing emails is usually impersonal, addressing the receiver as "dear
user", "dear customer", "dear valuable user", and the like.

• Legitimate companies, educational websites, social media websites and entertainment platforms, for
instance, address their receivers by their names.

• This can be seen as proof in any of your Facebook, Gmail, FutureLearn, Cybrary and
similar enterprises' and small organizations' emails.

• This is not much of a red flag, though, because sometimes even legitimate companies
send emails with an impersonal salutation or even no salutation at all.

• An impersonal salutation does not necessarily mean an email is phishing, nor does a personal one
mean it is legitimate, so being cautious is an important trait.

Links Are Just Like Hidden Bombs

• Links are one of the most harmful components in phishing emails.

• They can take the target to malicious websites, fake login pages, and much more.

• Some phishers make the entire content a link, so clicking anywhere would open
the (hyper)link, and as a result the malicious resource will be opened.

• The receiver must check the URL of the link. The URL of a link can be easily seen by
hovering the pointer over the link; the URL is then shown at the bottom-left of the
browser's window. It must be checked whether the URL seems legitimate or not.

• It bears repeating that if one is suspicious of an email, no links in it should be
clicked.
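The two checks from the "sender address" and "links" points above, as an added example (not from the original notes): a lookalike-domain test that scores the springfeild/springfield swap as one edit, and a comparison of a link's visible text with where it really points. The trusted-domain list and the (visible text, href) pairs are constructed assumptions.

```python
"""Checks from the 'sender address' and 'links' points above: lookalike domains
and visible-text/target mismatches. Added example with constructed data; the
trusted-domain list and the (visible text, href) pairs are assumptions."""
import re
from urllib.parse import urlparse

# Domains this organisation treats as genuine (assumed for the example).
TRUSTED_DOMAINS = {"springfield.com", "facebook.com"}
# Public mailbox providers; large organisations do not mail customers from these.
PUBLIC_PROVIDERS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
# Visible link text that itself looks like a URL or bare domain.
DOMAIN_TEXT_RE = re.compile(r"(https?://)?([\w-]+(?:\.[\w-]+)*\.[a-z]{2,})(/\S*)?", re.I)


def edit_distance(a, b):
    """Edit distance where swapping two adjacent letters counts as one edit,
    so the easily-overlooked swap springfeild/springfield scores 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def lookalike_of(host):
    """Trusted domain that host resembles but is not, else None."""
    for trusted in TRUSTED_DOMAINS:
        if 0 < edit_distance(host, trusted) <= 2:
            return trusted
    return None


def check_sender(address, claimed_org_domain=None):
    """Classify the sender domain; claimed_org_domain is who the mail says it is from."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in TRUSTED_DOMAINS:
        return "ok"
    if domain in PUBLIC_PROVIDERS and claimed_org_domain and claimed_org_domain not in PUBLIC_PROVIDERS:
        return f"public provider {domain} used for mail claiming to be from {claimed_org_domain}"
    twin = lookalike_of(domain)
    return f"lookalike of {twin}" if twin else "unknown domain"


def check_link(visible_text, href):
    """What the reader learns by hovering: where the link really goes."""
    findings = []
    host = (urlparse(href).hostname or "").lower()
    m = DOMAIN_TEXT_RE.fullmatch(visible_text.strip())
    if m:
        shown = m.group(2).lower()
        if shown != host and not host.endswith("." + shown):
            findings.append(f"visible text says {shown}, link goes to {host}")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("link target is a bare IP address")
    twin = lookalike_of(host)
    if twin:
        findings.append(f"link host {host} is a lookalike of {twin}")
    return findings


# Constructed (visible text, real target) pairs as a mail client reveals them on hover.
SAMPLE_LINKS = [
    ("https://springfield.com/payroll", "https://springfeild.com/payroll"),
    ("Open the form", "http://203.0.113.45/form"),
    ("https://springfield.com/hr", "https://springfield.com/hr"),
]

if __name__ == "__main__":
    print(check_sender("jordansmith@springfeild.com"))
    for text, href in SAMPLE_LINKS:
        print(text, "->", href, check_link(text, href) or ["ok"])
```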

Haven't Phishers Learned How to Write English Properly?

• Phishing emails' content mostly contains mistakes in grammar, punctuation, and even in
using the correct language.

• Even some easy-to-spell words are spelled wrong. But why is that? One of the reasons is
that the hackers who send the emails are from non-English-speaking countries, so they make
some glaring mistakes that can't be easily ignored. Mistakes in writing can
also be made intentionally to escape spam filters.

• A reputable company knows how to spell words, where to use a comma and which
tone of writing to use, but this is quite different for phishers most of the time.
However, it does not mean that an email without a single mistake in its content is not a
phishing email.

• On the other hand, it doesn't necessarily mean that an email containing mistakes and
errors is a phishing one; consider emails from colleagues, college professors, friends, or
associates. So, individuals should apply this test only to emails that are already suspicious.

Take Care with Attachments

Phishing emails often carry malicious attachments containing a payload (malicious
code that runs as the file is opened) or different types of malware such as worms and viruses.
Individuals must take care with the attachments in an email and not open them under any condition
until they are sure of the email's validity.

Money does not grow on trees

The above proverb is somewhat related to this part, as sometimes phishing emails claim things that are
too good to be true. For example, suddenly winning an iPhone 11, a lottery, or a prize is
unusual, as is someone claiming to have a large fortune and asking the receiver to transfer
it to his/her account.

These scams are different in their mechanisms and process. Let's take the prize/lottery scam as
an example. In this type of scam, the phishers send an email to the target claiming he/she has
won a prize/lottery. The prize or lottery could be anything from a phone to a free tropical holiday
and much more. Still, to go on with the process, the receiver must provide personal/financial
information.

Hurry Up!!! (sense of urgency)

• Phishers usually take advantage of tactics such as fear. A phishing email that
does not carry some sense of urgency is hard to find.

• This is expressed either in the subject line or in the contents, or in both. They use the
fear or threat tactic, such as losing a subscription or getting the bank account closed,
to make the receiver do what is wanted and provide the expected information.

• Facebook scams, for instance, tell the receivers that their account will be deleted within
the next 24 hours, so they have a choice to cancel the deletion, which most
receivers tend to do. To take an instance within an organization, the phisher may
send an email on behalf of the Finance Manager to all employees asking them to give up
their bank account details within the next hour. This sense of urgency gives the target
less time to think and takes advantage of their emotions.

Letters' Closing and Signature Can Be an Alert

• Just like the salutation, the ending of a phishing email is often impersonal as well.

• It may not end with a specific person; instead, it says something like "the support
team", "the survey team", or other things that do not refer to a specific person.

• However, this type of letter closing is also common in many legitimate emails, which is
why this point is a bit weaker than the others mentioned previously.

• Coming to the signature, there is mostly fake information in the email's signature, such as
locations with the wrong spelling, a fake phone number to answer in case somebody is
deceived, and more.

• In my opinion, the attackers add the signature to the email to make it look more valid
because most people don't go over the signature, and they only read until the sender's
name.

The aforementioned points are marked and labeled in the following picture, so you can
have a clearer picture of what to search for when you face a suspicious email.

EMAIL TRACKING

Email tracking means monitoring opens and clicks of emails to follow up with leads, job
applicants, and partners.

Contents

• How does email tracking work?

• Email Tracking Tools

• Disadvantages of Email Tracking

• How to Track Marketing Emails with SendPulse

• References

How does email tracking work?

• Email trackers are browser extensions for Chrome, which automatically add a 1x1 pixel
image to the body of the email you send.

• Once a recipient opens it, their browser requests that image from the server where
it is hosted. This request is parsed, indicating that the email has been opened.

• You can use this tool for recruitment and link-building to save time and know when to
follow up with more emails in case the recipient opened the email but never answered.
They could have forgotten to reply, or something could have disturbed their attention.

• We've collected a list of the most popular email trackers for your consideration.
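The mechanism just described, seen from the recipient's side as an added example (not part of the original article): a scan of an HTML email body for remote images that are invisible (1x1 or hidden), which is exactly what an image-blocking client refuses to fetch. The HTML body and the tracker hostname are constructed.

```python
"""Find remote 1x1 'tracking pixel' images in an HTML email body.

Added example; SAMPLE_HTML is constructed and the tracker hostname is invented.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed body: a company logo embedded as an attachment (cid:), a normal
# remote banner, and a hidden 1x1 remote image carrying a per-recipient token.
SAMPLE_HTML = """
<html><body>
<p>Hi Jordan, the proposal is attached.</p>
<img src="cid:logo@example" width="120" height="40" alt="logo">
<img src="https://www.example.com/newsletter/banner.png" width="600" height="200">
<img src="https://track.example-tracker.test/open.gif?u=7f3a9c2e1b" width="1" height="1" style="display:none">
</body></html>
"""


class ImageCollector(HTMLParser):
    """Collect the attributes of every <img> tag."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))

    handle_startendtag = handle_starttag   # also catch <img ... />


def _pixels(value):
    """'1', '1px', ' 1 ' -> 1; None or non-numeric -> None."""
    if value is None:
        return None
    digits = "".join(ch for ch in value if ch.isdigit())
    return int(digits) if digits else None


def find_tracking_pixels(html):
    """Return remote images that are invisible (<=1x1 or hidden by style).

    Each hit records whether the URL carries a token (query string or a long
    path segment), i.e. whether the open can be tied to this recipient."""
    collector = ImageCollector()
    collector.feed(html)
    hits = []
    for img in collector.images:
        src = img.get("src") or ""
        url = urlparse(src)
        if not url.hostname:            # cid:/data: images never leave the mailbox
            continue
        w, h = _pixels(img.get("width")), _pixels(img.get("height"))
        style = (img.get("style") or "").replace(" ", "").lower()
        tiny = w is not None and h is not None and w <= 1 and h <= 1
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            last_segment = url.path.rsplit("/", 1)[-1]
            hits.append({
                "host": url.hostname,
                "src": src,
                "per_recipient_token": bool(parse_qs(url.query)) or len(last_segment) >= 16,
            })
    return hits


def remote_image_hosts(html):
    """Every host the client would contact if remote images were loaded."""
    collector = ImageCollector()
    collector.feed(html)
    hosts = {urlparse(i.get("src") or "").hostname for i in collector.images}
    return sorted(h for h in hosts if h)


if __name__ == "__main__":
    for hit in find_tracking_pixels(SAMPLE_HTML):
        print("tracking pixel:", hit)
    print("hosts contacted if remote images load:", remote_image_hosts(SAMPLE_HTML))
```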

Email Tracking Tools

There are many email trackers on the market. Some of them share basic standard features like
monitoring opens and clicks; others have some advanced functionality, so we've collected
three email trackers that go beyond the basics:

1. Snov.io

2. MailTrack

3. Orangebox

Snov.io

Snov.io's Unlimited Email Tracker offers email opens and link click tracking, as well as
additional features like email scheduling, follow-up reminders, real-time notifications, and
reports.

It's a free and unlimited Chrome extension that integrates seamlessly into Gmail. This email
tracker extension does not add any signatures, labels, or logos to your email.

It shows the exact number of clicks and opens and helps to enable or disable the monitoring of
particular email addresses.

MailTrack

This service provides the same features as Snov.io, but it adds a branding signature to each email
sent, so recipients may find out that you keep track of opens and clicks. It offers fewer metrics
for tracking unless you use a paid plan.

In the screenshot below, you see open information directly in the inbox. You can see if a
person opened an email once or twice.

Orangebox

This service allows you to monitor the way recipients interact with your attachments — slides,
and PDFs — in Gmail. You can see when the document has been viewed and how far a recipient
has progressed in reading it.

In the screenshot below, you see that half of a PDF presentation has been read, so perhaps there
was something unappealing halfway through it, and you may consider changing that.

However, there are some tricky points in email tracking that you should consider before using
such a service.

Disadvantages of Email Tracking

Unfortunately, email tracking isn’t a 100% accurate method since some issues may stand in your
way:

Images can be blocked by default. This means that some email providers like Outlook
don't load images unless you change the default settings. This includes the 1x1 tracking pixel
added by the tracking extension, so you will never find out whether the email has been opened.

Blockers installed by users. There are applications like PixelBlock which allow users to
prevent the messages they receive from being tracked.

Previews count as an open. Some providers allow previewing emails without actually opening
them. These previews may count as an opening, so you will have incorrect information that may
lead to misunderstanding.

It doesn’t work for groups. If you send emails to groups, i.e., one message to a few people in
the form of a chat, you will again have misinformation since you won’t be able to know who
exactly read the message.

So, now you know the pros and cons of tracking single emails, let’s find out a bit about bulk
email monitoring, which we mentioned at the very beginning of the article.

How to Track Marketing Emails with SendPulse

Email tracking works not only for single emails in Gmail, but it is an essential part of email
marketing. Once you’ve launched an email campaign, check the statistics like the percentage of
delivered, opened, clicked-through emails, and see how many users unsubscribed or marked it
as spam.

SendPulse allows you to monitor data in two ways: as a horizontal graph or as a pie chart showing
the number and percentage of opened, clicked, marked-as-spam, and unsubscribed emails.

Review the list of recipients for a particular campaign to see who exactly received, opened, or
clicked. Get to know which domains, devices, and browsers are the most popular among your
target audience and adjust your future emails based on that data.

The screenshot below shows a list of recipients filtered by status. In this case, it is "delivered,
read, clicked a link." It also shows the country, device, and browser that was used to open the
email.

Find out if there are any delivery errors, which may indicate some inactive email addresses or
technical issues your email campaign may have.

The service shows why emails never found their way to some of your subscribers. Among these
reasons are invalid emails, full mailboxes, being marked as spam by the recipient's server, and others.

If you need to stay in touch with a massive audience for marketing purposes, and keep track of
all data, utilize services like SendPulse.

MOBILE FORENSIC PROCESS: STEPS AND TYPES

Mobile forensics is a branch of digital forensics related to the recovery of digital evidence
from mobile devices. “Forensically sound” is a term used extensively in the digital forensics
world to qualify and justify the use of a particular forensic technology or methodology. The
central principle for a sound forensic examination is that the original evidence must not be
modified.

Let’s understand this very important process step by step.

1. Identification means locating the evidence (on a mobile phone). Preserving it means making sure
that the integrity of the digital evidence is not manipulated in any way, shape, or form.
Preservation must also consist of protecting or shielding the evidence from any radio
interference such as a mobile data network, Wi-Fi, Bluetooth, or any other application which
can give the device a remote connection. One of the best ways to isolate a mobile device is by
putting it into a Faraday bag, which prevents the transmission of electromagnetic
waves. Seizing the evidence is the process of protecting it from physical damage, which includes
the secure removal of the evidence and proper transportation of it to protect it from any
electromagnetic interference, electric shock, excessive heat, etc. This is to protect it from any tampering.
In hand with these steps, clear documentation is to be maintained (aka the "Chain of
Custody" forms) for future reference, such as in a court of law. This chain of
custody contains details pertaining to evidence values, any special notes, and a chain which
describes the handover of the evidence from one individual to another entity, with the date and
time captured in each instance. Another part of documentation is taking pictures
(photographs) of the crime scene, capturing the original state of the mobile device, as well as
the make, model, serial numbers and so on. Other details of the phone – such as the IMEI number or
operating system version – which would help during the acquisition phase need to be
captured as well.

2. Forensic acquisition is the process of acquiring the original evidence in a forensically sound
manner while maintaining its integrity. This process is also known as "imaging." It can
be done on site (at the scene) and can also be done off-site (in the lab). The acquisition tools of
today now possess the technical capabilities to break the passcode/PIN/pattern of just about
any mobile device.
3. In the examination phase, the image is captured from the original evidence. It also consists
of data which is deleted or hidden on the mobile device. In these instances, the relevant and
irrelevant data is segregated by the forensic analyst based on the case background shared by
the investigator. In the analysis phase, the analyst looks for the correlation between the
relevant data (revealed during the examination phase) and sets priorities for this data set based
on the ongoing investigation. In summary, the examiner looks to collect as much
information as he or she can, and builds up the evidence. Some of the common types of
evidence are the contacts, call logs, SMS, audio and video files, emails, any saved notes (these
might contain passwords for other accounts), saved geographic locations, web activity, and
social media updates and chats.

4. Reporting is a comprehensive summary of the results of the mobile forensics investigation.
This phase also explains the reason why a particular step was performed, with the result that
followed from it. The final report also consists of all the compiled documentation, which
includes the Chain of Custody forms, photographs, etc.
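The imaging and chain-of-custody steps above, as an added example (not part of the original notes): the image is hashed at acquisition and re-hashed at every handover, so a later mismatch can be attributed to a specific custodian interval. The "device" contents and all names are constructed.

```python
"""Hash-verified imaging and a chain-of-custody log for a seized device.

Added example; the 'device' is a constructed byte string and names are invented.
"""
import hashlib
from datetime import datetime, timezone


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def now_iso(when=None):
    return (when or datetime.now(timezone.utc)).isoformat(timespec="seconds")


def acquire_image(device_bytes, examiner, when=None):
    """Bit-by-bit copy of the source, hashed on both sides so the copy can be
    shown to be identical to what was seized. Returns (image, log)."""
    image = bytes(device_bytes)                 # the bit-by-bit copy
    source_hash, image_hash = sha256_hex(device_bytes), sha256_hex(image)
    log = [{
        "event": "acquisition", "by": examiner, "time": now_iso(when),
        "source_sha256": source_hash, "image_sha256": image_hash,
        "verified": source_hash == image_hash,
    }]
    return image, log


def record_transfer(log, image, from_person, to_person, when=None, note=""):
    """Every handover re-hashes the image so later tampering is attributable
    to the interval between two named custodians."""
    log.append({
        "event": "transfer", "from": from_person, "to": to_person,
        "time": now_iso(when), "image_sha256": sha256_hex(image), "note": note,
    })


def verify_chain(log, image):
    """Return a list of problems; an empty list means the chain is intact."""
    problems = []
    if not log or log[0]["event"] != "acquisition" or not log[0]["verified"]:
        problems.append("no verified acquisition record")
        return problems
    expected = log[0]["image_sha256"]
    for prev, entry in zip(log, log[1:]):
        if entry["time"] < prev["time"]:
            problems.append(f"time goes backwards at transfer to {entry['to']}")
        if entry["image_sha256"] != expected:
            holder = prev.get("to") or prev["by"]
            problems.append(f"image changed while held by {holder}")
            expected = entry["image_sha256"]
    if sha256_hex(image) != log[-1]["image_sha256"]:
        problems.append("current image does not match the last logged hash")
    return problems


# Constructed "device contents" standing in for a phone's flash dump.
DEVICE = bytes(range(256)) * 16

if __name__ == "__main__":
    img, custody = acquire_image(DEVICE, "examiner A")
    record_transfer(custody, img, "examiner A", "evidence locker")
    print("intact:", verify_chain(custody, img))
    tampered = bytearray(img)
    tampered[100] ^= 0xFF                        # one flipped byte
    print("tampered:", verify_chain(custody, bytes(tampered)))
```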
Types:

There are several types of Mobile Forensics Processes, which are based on the below-mentioned
parameters:

1. Type of phone (make, model, manufacturer)
2. Operating system
3. Encryption level
4. Availability of the necessary passcode/PIN code/pattern

Manual Method:
In the manual method, the device is browsed through manually by the forensic specialist. The
data on the phone is directly seen/observed/accessed by using its keypad or touchpad. It is a
quick method as the examiner is aware of which data to browse first. This method holds the
advantage of viewing specific data in a readable format using its native application as it is
being observed directly by the forensics investigator. However, this method is prone to human
error and biases. Also, it would take a lot of time to capture all the needed data from the
mobile device in question.

Logical Method:
The Logical Method is a quick way of extracting data from the user files directly. The
advantage of this method is that it can be viewed easily in the mobile forensic tools. The size
of the extracted data is less as the data is not acquired from the flash memory. However, the
disadvantage of this method is that it cannot recover deleted data/items from the mobile
device.

Physical Method:
The Physical Method consists of accessing flash memory of the mobile phone and extracting
data from that space. In this case, the flash memory is being accessed directly to garner the
existing data, and the deleted data also gets captured as well. This method proves to be very
beneficial in many forensics cases. To access the flash memory, tools use a bootloader to
bypass the security patch of the mobile device.

File System:
The File System method extracts data from the system level of the mobile device in question.
In this process, information and data related to the applications of the mobile device also get
extracted. It is the OS which stores information related to the deleted files in the file system.

SIM investigation

The SIM (subscriber identity module) is a fundamental component of cellular phones. It is also
known as an integrated circuit card (ICC), which is a microcontroller-based access module. It
is a physical entity and can be either a subscriber identity module (SIM) or a universal
integrated circuit card (UICC). A SIM can be removed from a cellular handset and inserted
into another; it allows users to port identity, personal information, and service between
devices. All cell phones are expected to incorporate some type of identity module eventually,
in part because of this useful property. Basically, the ICC deployed for 2G networks was
called a SIM, and the UICC is the smart card running the universal subscriber identity
module (USIM) application. The UICC card accepts only 3G universal mobile
telecommunications service (UMTS) commands. USIMs are enhanced versions of present-day
SIMs, containing backward-compatible information. A USIM has a unique feature in that it
allows one phone to have multiple numbers. If the SIM and USIM applications are running on
the same UICC, then they cannot be working simultaneously.

SIM Structure and File Systems

A SIM card contains a processor and operating system with between 16 and 256 KB of
persistent, electronically erasable, programmable read-only memory (EEPROM). It also
contains RAM (random access memory) and ROM (read-only memory). RAM controls the
program execution flow and the ROM controls the operating system work flow, user
authentication, data encryption algorithm, and other applications. The hierarchically organized
file system of a SIM resides in persistent memory and stores data such as name and phone number
entries, text messages, and network service settings. Depending on the phone used, some
information on the SIM may coexist in the memory of the phone. Alternatively, information
may reside entirely in the memory of the phone instead of in the available memory on the SIM.

The hierarchical file system resides in EEPROM. The file system consists of three types of
files: the master file (MF), dedicated files (DF), and elementary files (EF). The master file is the root of the
file system. Dedicated files are the subordinate directories of the master file. Elementary files
contain various types of data, structured as either a sequence of data bytes, a sequence of
fixed-size records, or a fixed set of fixed-size records used cyclically.

As can be seen in the above figure, dedicated files are subordinate directories under the MF,
their contents and functions being defined by the GSM 11.11 standard. Three are usually
present: DF (DCS1800), DF (GSM), and DF (Telecom). Also present under the MF is the EF
(ICCID). Subordinate to each of the DFs are supporting EFs, which contain the actual data.
The EFs under DF (DCS1800) and DF (GSM) contain network-related information and the
EFs under DF (Telecom) contain the service-related information.

All the files have headers, but only EFs contain data. The first byte of every header identifies
the file type and the header contains the information related to the structure of the files. The
body of an EF contains information related to the application. Files can be either
administrative- or application-specific and access to stored data is controlled by the operating
system.

Security in SIM

SIM cards have built-in security features. The three file types, MF, DF, and EF, contain the
security attributes. These security features filter every execution and allow only those with
proper authorization to access the requested functionality. There are different levels of access
conditions on DF and EF files. They are:
• Always—This condition allows files to be accessed without any restriction.
• Card holder verification 1 (CHV1)—This condition allows access to files after successful
verification of the user’s PIN or if PIN verification is disabled.
• Card holder verification 2 (CHV2)—This condition allows access to files after successful
verification of the user’s PIN2 or if PIN2 verification is disabled.
• Administrative (ADM)—The card issuer that provides the SIM to the subscriber can access
the file only after the prescribed requirements for administrative access are fulfilled.
• Never (NEV)—Access to the file over the SIM/ME interface is forbidden.
The SIM operating system controls access to an element of the file system based on its access
condition and the type of action being attempted. The operating system allows only a limited
number of attempts, usually three, to enter the correct CHV before further attempts are
blocked. Unblocking requires a PUK code (PIN unblocking key), which resets the CHV and
the attempt counter. If the subscriber is known, the unblock code for CHV1/CHV2 can be
easily provided by the service provider.
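The access conditions and the CHV attempt counter described above, as an added example that is not part of the original notes: a Python model of a card with a few elementary files, a three-attempt PIN lockout, and a PUK reset. The file names, PINs and PUKs are constructed, and ALW is used here as the abbreviation for the Always condition.

```python
# Added example (not code from the notes or any real SIM OS): a model of the
# access conditions and CHV attempt counter described above. File names, PINs
# and PUKs are constructed; real cards also count PUK attempts.
from dataclasses import dataclass

MAX_CHV_ATTEMPTS = 3  # the usual limit quoted in the text


@dataclass
class Chv:
    """One card holder verification (CHV1 or CHV2) and its state."""
    pin: str
    puk: str                  # PIN unblocking key
    enabled: bool = True      # access also granted "if PIN verification is disabled"
    attempts_left: int = MAX_CHV_ATTEMPTS
    verified: bool = False


class SimCard:
    def __init__(self, chv1: Chv, chv2: Chv):
        self.chv = {"CHV1": chv1, "CHV2": chv2}
        # Access condition guarding READ on each EF (constructed layout; only
        # the condition names themselves come from the text).
        self.read_condition = {
            "EF_ICCID": "ALW", "EF_ADN": "CHV1", "EF_SMS": "CHV1",
            "EF_FDN": "CHV2", "EF_ISSUER": "ADM", "EF_SECRET": "NEV",
        }

    def verify_chv(self, name: str, pin: str) -> bool:
        """Present a PIN: a wrong PIN burns one attempt, the third blocks the CHV."""
        chv = self.chv[name]
        if chv.attempts_left == 0:        # blocked: no further attempts accepted
            return False
        if pin == chv.pin:
            chv.verified, chv.attempts_left = True, MAX_CHV_ATTEMPTS
            return True
        chv.attempts_left -= 1
        return False

    def unblock_chv(self, name: str, puk: str, new_pin: str) -> bool:
        """A correct PUK sets a new PIN and resets the attempt counter."""
        chv = self.chv[name]
        if puk != chv.puk:
            return False
        chv.pin, chv.attempts_left, chv.verified = new_pin, MAX_CHV_ATTEMPTS, False
        return True

    def can_read(self, ef: str, admin: bool = False) -> bool:
        """Apply the EF's access condition to a READ over the SIM/ME interface."""
        cond = self.read_condition[ef]
        if cond in ("ALW", "NEV"):        # always allowed / never allowed
            return cond == "ALW"
        if cond == "ADM":                 # card issuer only
            return admin
        chv = self.chv[cond]              # CHV1 or CHV2
        return (not chv.enabled) or chv.verified
```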

Sensitive Data in SIM

The SIM card contains sensitive information about the subscriber. Data such as contact lists
and messages can be stored on the SIM. SIM cards themselves contain a repository of data and
information, some of which is listed below:

• Integrated circuit card identifier (ICCID)
• International mobile subscriber identity (IMSI)
• Service provider name (SPN)
• Mobile country code (MCC)
• Mobile network code (MNC)
• Mobile subscriber identification number (MSIN)
• Mobile station international subscriber directory number (MSISDN)
• Abbreviated dialing numbers (ADN)
• Last dialed numbers (LDN)
• Short message service (SMS)
• Language preference (LP)
• Card holder verification (CHV1 and CHV2)
• Ciphering key (Kc)
• Ciphering key sequence number
• Emergency call code
• Fixed dialing numbers (FDN)
• Local area identity (LAI)
• Own dialing number
• Temporary mobile subscriber identity (TMSI)
• Routing area identifier (RAI) network code
• Service dialing numbers (SDNs)
These data have forensic value and are scattered across EF files. Some of them are discussed
below.

A. Service Related Information

ICCID: The integrated circuit card identification is a unique numeric identifier for the
SIM that can be up to 20 digits long. It consists of an industry identifier prefix (89 for
telecommunications), followed by a country code, an issuer identifier number, and an
individual account identification number.
Twenty-digit ICCIDs have an additional “checksum” digit. One example of the
interpretation of a hypothetical nineteen-digit ICCID (89 310 410 10 654378930 1) is
shown below.

• Issuer identification number (IIN) is variable in length up to a maximum of seven digits:
– The first two digits are fixed and make up the industry identifier. “89” refers to the
telecommunications industry.
– The next two or three digits refer to the mobile country code (MCC) as defined by ITU-T
recommendation E.164. “310” refers to the United States.
– The next one to four digits refer to the mobile network code (MNC). This is a fixed
number for a country or world zone. “410” refers to the operator, AT&T Mobility.
– The next two digits, “10,” pertain to the home location register.
• Individual account information is variable in length:
– The next nine digits, “654378930,” represent the individual account identification number.
Every number under one IIN has the same number of digits.
• Check digit—the last digit, “1,” is computed from the other 18 digits using the Luhn
algorithm.
IMSI: The international mobile subscriber identity is a unique 15-digit number provided to
the subscriber. It has a similar structure to the ICCID and consists of the MCC, MNC, and
MSIN. An example of interpreting a hypothetical 15-digit IMSI (302 720 123456789) is shown
below:

• MCC—The first three digits identify the country. “302” refers to Canada.
• MNC—The next two (European standard) or three digits (North American standard)
identify the operator. “720” refers to Rogers Communications.
• MSIN—The next nine digits, “123456789,” identify the mobile unit within a carrier’s GSM
network.
MSISDN—The mobile station international subscriber directory number is intended to
convey the telephone number assigned to the subscriber for receiving calls on the phone. An
example of the MSISDN format (country code, national destination code, subscriber number)
is shown below:

• CC (country code) can be up to 3 digits.
• NDC (national destination code) is usually 2 or 3 digits.
• SN (subscriber number) can be up to a maximum of 10 digits.
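The ICCID and IMSI breakdowns above, as an added example that is not part of the original notes: a small Python parser that splits each identifier into its fields and checks the ICCID's Luhn digit, so a mis-read digit is caught before the value is recorded as evidence. The fixed field widths, the list of MCCs with three-digit MNCs, and the sample identifiers are assumptions made for this example.

```python
# Added example (not code from the notes): split an ICCID and an IMSI into the
# fields described above and verify the ICCID's Luhn check digit. Field widths
# follow the worked breakdown in the text (2+3+3+2+9+1 digits); real issuers
# vary them, so the layout is an assumption. Sample identifiers are constructed.

# Assumption: MCCs whose networks use 3-digit MNCs (North American numbering);
# any other MCC is treated here as using 2-digit MNCs.
THREE_DIGIT_MNC_MCCS = {"302", "310", "311", "312", "313", "316"}


def luhn_check_digit(payload: str) -> int:
    """Return the Luhn check digit that completes the digit string `payload`."""
    total = 0
    # Walk from the right; the digit nearest the check digit is doubled first.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    """True if the last digit of `number` is the correct Luhn check digit."""
    return number.isdigit() and luhn_check_digit(number[:-1]) == int(number[-1])


def parse_iccid(iccid: str) -> dict:
    """Split a 20-digit ICCID; a failed Luhn check flags a mis-read digit."""
    if len(iccid) != 20 or not iccid.isdigit():
        raise ValueError("expected a 20-digit numeric ICCID")
    if not iccid.startswith("89"):
        raise ValueError("industry identifier is not 89 (telecommunications)")
    if not luhn_valid(iccid):
        raise ValueError("Luhn check digit mismatch: re-read the card")
    return {
        "industry": iccid[0:2],   # "89" = telecommunications
        "mcc": iccid[2:5],        # mobile country code
        "mnc": iccid[5:8],        # mobile network code (operator)
        "hlr": iccid[8:10],       # home location register code
        "account": iccid[10:19],  # individual account identification
        "check": iccid[19],       # Luhn check digit
    }


def parse_imsi(imsi: str) -> dict:
    """Split a 15-digit IMSI into MCC, MNC and MSIN."""
    if len(imsi) != 15 or not imsi.isdigit():
        raise ValueError("expected a 15-digit numeric IMSI")
    mcc = imsi[:3]
    mnc_len = 3 if mcc in THREE_DIGIT_MNC_MCCS else 2
    return {"mcc": mcc, "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}
```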
B. Phonebook and Call Information

1. Abbreviated dialing numbers (ADN)—Any number and name dialed by the subscriber is
saved in the ADN EF. The type of number and numbering plan identification is also
maintained here. This function works on the subscriber’s commonly dialed numbers. The
ADN cannot be changed by the service provider, and entries can be attributed to the user of
the phone. Most SIMs provide 100 slots for ADN entries.

2. Fixed dialing numbers (FDN)—The FDN EF works similarly to the ADN because it
involves contact numbers and names. With this function, the user doesn’t have to dial
numbers; by pressing any key on the number pad of the phone, he can access the contact
number.

3. Last number dialed (LND)—The LND EF contains the number most recently dialed by
the subscriber. The number and the name associated with that number are stored in this
entry. Depending upon the phone, it is also conceivable that the information may be stored
in the handset and not on the SIM. Any numbers that may be present can provide valuable
information to an investigator.

XML Phonebook Entry

C. Messaging Information—Messaging is a communication medium by which text is entered
on one cell phone and delivered via the mobile phone network. The short message service
contains texts and associated parameters for the message. SMS entries contain other
information besides the text itself, such as the time an incoming message was sent, as
recorded by the mobile phone network, the sender’s phone number, the SMS center address,
and the status of the entry. An SMS is limited to either 160 characters (Latin alphabet) or 70
characters (for other alphabets). Longer messages are broken down by the sending phone and
reassembled by the receiving phone.

Tools for SIM Forensics

To perform a forensic investigation on a SIM card, it has to be removed from the cell phone and
connected to a SIM card reader. The original data of the SIM card is preserved by blocking
write requests to the SIM during its analysis. Then we calculate the hash value of the data;
hashing is used for checking the integrity of the data, that is, whether it has changed or not.
Many forensic tools are available, but not all of them are able to extract data from every type
of cell phone and SIM card. Some well-known tools are discussed below:

Encase Smartphone Examiner: This tool is specifically designed for gathering data from
smartphones and tablets such as iPhone, iPad, etc. It can capture evidence from devices that
use the Apple iOS, HP Palm OS, Windows Mobile OS, Google Android OS, or RIM
Blackberry OS. It can acquire data from Blackberry and iTunes backup files as well as a
multitude of SD cards. The evidence can be seamlessly integrated into EnCase Forensic.

MOBILedit! Forensic: This tool can analyze phones via Bluetooth, IrDA, or cable
connection; it analyzes SIMs through SIM readers and can read deleted messages from the
SIM card.
pySIM: A SIM card management tool capable of creating, editing, deleting, and performing
backup and restore operations on the SIM phonebook and SMS records.

AccessData Mobile Phone Examiner (MPE) Plus: This tool supports more than 7,000 phones,
including iOS, Android, Blackberry, Windows Mobile, and Chinese devices, and can be
purchased as hardware with a SIM card reader and data cables. File systems are immediately
viewable and can be parsed in MPE+ to locate lock codes, EXIF data, and any data contained
in the mobile phone’s file system.

SIMpull: SIMpull is a powerful SIM card acquisition application that allows you to acquire
the entire contents of a SIM card. This capability includes the retrieval of deleted SMS
messages, a feature not available in many other commercial SIM card acquisition programs.
SIMpull first determines whether the card is a GSM SIM or a 3G USIM, then performs a
logical acquisition of all files defined in the ETSI TS 151.011 (GSM) or ETSI TS 131.102
(USIM) standards.

As can be seen in the above figure, by using the SIMpull application we can see information
about an SMS such as the SMS text and its length, the sender’s number, the service center
information, etc.

PDA
The simplest view of a computing device, such as a desktop computer, is that it is in either an
“on” or “off” state. However, further amplification is needed, particularly for PDAs, whose
behavior is more complex. Figure 5 gives a high-level diagram that illustrates the various states
in which a PDA can be at any time, along with the transitions that can occur to cause a change of
state. While a more detailed state diagram is possible, the following four states provide a simple
but comprehensive generic model that applies to most PDAs:
Nascent State – Devices are in the nascent state when received from the manufacturer – the
device contains no user data and observes factory configuration settings. The PDA must be
charged to a minimum voltage level to be usable and to gain initial entry to the nascent state,
which is attained when the device is first powered on by pressing the power button. Any user
action transitions the device out of this state. This state can be attained again by performing a
hard reset or letting the battery drain, which clears both the filesystem and dynamic working
memory and restores factory settings.
Active State – Devices that are in the active state are powered on, performing tasks, and able to
be customized by the user and have their filesystems populated with data. If a soft reset is
performed, the device returns to the active state after clearing working memory. If user
authentication mechanisms are enabled, they are asserted on a power on or soft reset transition to
this state.
Quiescent State – The quiescent state is a dormant mode that conserves battery life while
maintaining user data and performing other background functions. Context information for the
device is preserved in memory to allow a quick resumption of processing when returning to the
active state. Pressing the power button when in the active or semi-active state (i.e., to power off
the device), or having an inactivity timer expire when in the semi-active state, causes a transition
to the quiescent state.
Semi-Active State – The semi-active state is a state partway between active and quiescent. The
state is reached by a timer, which is triggered after a period of inactivity, allowing battery life to
be preserved by dimming the display and taking other appropriate actions. The semi-active state
returns to the active state when a screen-tap, button press, or soft reset occurs. Devices that do
not support a semi-active state need only a single inactivity timer to transition directly from the
active to the quiescent state.
Simply stated – a PDA device with sufficient battery power is never really turned off, since
processes are active even when no visible cues are present. For simplicity, a device is said to be
“off” or “powered off” if it is in the quiescent state, and “on” or “powered on” if it is in any of
the remaining states. Similarly, a device is said to be “cleared” and devoid of data when in the
nascent state. Note, however, deviations can occur should devices utilize flash memory for
purposes other than exclusively housing the operating system. For example, applications exist for
the Palm OS that allow data to be stored on flash memory in space unused by the operating
system. Similarly, some recent Pocket PC PDAs are beginning to include a feature to backup
important PIM data on flash memory, where it can be retained and restored if a hard reset is
performed on the device. Finally, Linux handheld distributions, such as the Familiar Distribution
from handhelds.org, often use flash memory in lieu of RAM for user data to avoid loss when a
hard reset occurs. In these situations, the nascent state must be interpreted accordingly.

Unlike the situation with personal computers, the number and variety of toolkits for PDAs and
other handheld devices are considerably limited. Not only are there fewer specialized tools and
toolkits, but also the range of devices over which they operate is typically narrowed to only the
most popular families of PDA devices – those based on the Pocket PC and Palm OS. Linux-
based devices can be imaged with the dd utility, somewhat analogously to a Linux desktop, and
analyzed with the use of a compatible tool (e.g., EnCase). Since Palm OS devices have been
around the longest, more forensic tools are available for them than for other device families.
Table 1 lists open-source and commercially available tools known to the authors and the
facilities they provide: acquisition, examination, or reporting. The abbreviation NA means that
the tool at the left of the row is not applicable to the device at top of the column. With one
exception (i.e., versions of Palm OS prior to 4.0), these tools require that the examiner have
unobstructed access to acquire contents (i.e., no authentication technique need be satisfied to
gain access).
Table 1: PDA Forensic Tools

Forensic tools acquire data from a device in one of two ways: physical acquisition or logical
acquisition. Physical acquisition implies a bit-by-bit copy of an entire physical store (e.g., a disk
drive or RAM chip), while logical acquisition implies a bit-by-bit copy of logical storage objects
(e.g., directories and files) that reside on a logical store (e.g., a filesystem partition). The
difference lies in the distinction between memory as seen by a process through the operating
system facilities (i.e., a logical view), versus memory as seen in raw form by the processor and
other related hardware components (i.e., a physical view).
Physical acquisition has advantages over logical acquisition, since it allows deleted files
and any data remnants present (e.g., unallocated RAM or unused filesystem space) to be
examined, which otherwise would go unaccounted. Physical device images are generally more
easily imported into another tool for examination and reporting. However, a logical structure has
the advantage that it is a more natural organization to understand and use during examination.
Thus, if possible, doing both types of acquisition on PDAs is preferable.
Tools not designed specifically for forensic purposes are questionable and should be
thoroughly evaluated before use. In some situations, they might be the only means to retrieve
information that could be relevant as evidence.
