SIM Forensic In e-Discovery

Spread the love
  • Introduction to E-Discovery.
    • What is E-Discovery ?
      • Electronic discovery (sometimes known as e-discovery, eDiscovery, or e-Discovery) is the electronic aspect of identifying, collecting and producing electronically stored information (ESI) in response to a request for production in a law suit or investigation.Electronic discovery refers to discovery in legal proceedings such as litigation, government investigations, or Freedom of Information Act requests, where the information sought is in electronic format (often referred to as electronically stored information or ESI).Discovery is the term used for the initial phase of litigation where the parties in a dispute are required to provide each other relevant information and records, along with all other evidence related to the case.

        Electronic discovery (e-discovery) describes any process where electronic data is sought, secured, located, explored and retrieved with intended use as evidence in a civil or criminal case. Electronic discovery may be performed offline on an individual computer or in a computer network.

        E-Discovery is short for electronic discovery, which is defined as the process of discovery in civil litigation that is carried out in electronic formats. It encompasses what most often is referred to as electronically stored information, or ESI.

        eDiscovery is a defensible, multi-step process in which electronic data is sought, located, secured, and/or searched with the intent of using it as evidence in a civil or criminal legal case.

    • What is ESI ?
      • Electronically stored information (often referred to as ESI) can be any electronic file containing content that could be relevant to a given legal matter. ESI can be in any format including but not limited to:
        • E-mail
        • work files
        •  databases
        •  voicemail
        • audio and video files
        • social media
        • web site content
    • TYPE OF ESI.
      • Electronically Stored Information (ESI) represents any data that is created, manipulated and stored in digital form. ESI can consist of user-created files (native files) or files stored elsewhere in a computer’s memory (logical data). This includes backup media, legacy data, electronic communications (including E-mail) and ancillary data. To retrieve ESI, the use of specialized computer H/S or both, is required.Ex. of the types of ESI included are e-mails, instant messaging chats, documents, accounting databases, Web sites, and any other electronic information that could be relevant evidence in a lawsuit. Also included in e-discovery are “raw data” and “metadata,” which forensic investigators can review for hidden evidence.In 2006, the Federal Rules for Civil Procedure (Section 26(f)) legally defined Electronically Stored Information for the purposes of creating proper procedures for maintenance, custody and discovery of Electronically Stored Information. Electronically stored information (ESI), for the purpose of the Federal Rules of Civil Procedure (FRCP) is information created, manipulated, communicated, stored, and best utilized in digital form, requiring the use of computer H/S.
        1. Native Files:-  E-mail messages, calendar data, contacts, videos, images, call logs etc. comes under native files. The term native files refer to user-created documents, which could be in MS office document formats as well as other files stored on computer, but could include video surveillance footage saved on a computer hard drive, Computer-aided design files such as blueprints or maps, digital photographs, scanned images, archive files, and digital audio files, among other data.
        2. Logical Data:- The data from the RAM are logical files.
    •  Why E-Discovery ?
      • The American Records Management Association (ARMA) state that over 90% of documents created today are in electronic format and, according to a report published by the Radicati Research Group, “the number of business emails sent and received each day totaled 89 billion” in 2012!At a grass-roots level, the importance of e-discovery stems from the fact that the majority of information these days is electronic and can potentially is sought as Evidence in a court of law. Additionally, with the sheer amount of data available and regulatory and legal compliance requirements continuing to evolve, organizations face new challenges when it comes to information retention and governance.If you couple all of this with the fact that (according to a Litigation Trends Survey published by Fulbright & Jaworski LLP a few years ago) around 90% of US Organizations are engaged in some kind of litigation, it becomes critical that, as an organization, your electronic house is in order and that you have the right systems

        And procedures in place to deal with e-discovery requests.

    • What is EDRM ?
      • The Electronic Discovery Reference Model (EDRM) is a framework that outlines standards for the recovery and discovery and of digital data. The EDRM is designed to serve as guidance for gathering and assimilating electronic data during the legal process, including criminal evidence discovery.


Electronic document and records management system (EDRMS) is a type of content management system and refers to the combined technologies of document management and records management systems as an integrated system.

  • Information Governance

Implement data governance processes that alleviate risk and expenses in the event of an electronic discovery request. Getting your electronic house in order to mitigate risk & expenses should e-discovery become an issue, from initial creation of ESI through its final disposition.

  • Identification

Identifies the relevant custodians and maps their relevant data sources. Locate sources of information to determine exactly what the data is.

  • Preservation

Ensure potentially e-discovery-relevant ESI is properly stored using measures such as retention and deletion schedules. Ensuring that ESI is protected against inappropriate alteration or destruction.

  • Collection

Collection is the acquisition of potentially relevant electronically stored information (ESI) as defined in the identification phase of the electronic discovery process. The exigencies of litigation, governmental inquiries, and internal investigations generally require that ESI and its associated metadata should be collected in a manner that is legally defensible, proportionate, efficient, auditable, and targeted. The process of collecting ESI will generally provide feedback to the identification function which may impact and expand the scope of the overall electronic discovery process.

  • Processing

Reducing the volume of ESI and converting it, if necessary, to forms more suitable for review & analysis.

  • Review

Evaluating ESI for relevance & privilege. Document review is a critical component to most litigation and is used to identify responsive documents to produce and privileged documents to withhold. Review application functionality are providing increasingly efficient options for handling the volume of data.

  • Analysis

Evaluating ESI for content & context, including key patterns, topics, people & discussion.  

  • Production

Delivering ESI to others in appropriate forms & using appropriate delivery mechanisms.

  • Presentation

Displaying ESI before audiences (at depositions, hearings, trials, etc.), especially in native forms, to elicit further information, validate existing facts or positions, or persuade an audience.

  • Why E-Discovery Can Be Valuable in Litigation.
    • With the advancement of technology, electronic discovery is not only valuable in litigation, it is essential. Electronic evidence is affecting virtually every investigation today whether it is criminal or civil. Usually, there are no longer “paper trails” that establish who did what and when. Instead, electronic evidence is providing the clues to understanding what actually happened. Consider these statistics regarding the electronic evidence explosion:
      • “In 2002, the International Data Corporation estimated that 31billion e-mails were sent daily. This number is expected to grow to 60 billion a day by 2006.
      • Most companies store up to 70 percent of their records in electronic form.
      • Within ten years, the total number of electronic records produced on the planet could be doubling every sixty minutes.”
      • “Ninety-three percent of all business documents are created electronically, and most are never printed.”
    • One example of how electronic discovery can be valuable in litigation is in the civil suit brought by New York Attorney General Eliot Spitzer against the insurance brokerage arm of Marsh & McLennan charging the company with price fixing and Collusion in October of 2004. The complaint accused Marsh “of steering clients to favored insurers and working with major insurers to rig the bidding process for property casualty insurance coverage.” Spitzer relied on pivotal internal e-mails and memoranda in which insurance executives were alleged to have openly discussed actions focused on maximizing Marsh’s revenue and insurance companies’ revenue, without any regard to their clients, who ranged from large corporations to school districts and individuals.
    • One Marsh executive is alleged to have solicited an insurance company’s participation in a phony bid meeting so that Marsh could maintain the illusion of Competition, while at the same time steering business to another insurance company that had already agreed to pay kickbacks. In his e-mail to the insurance company, the executive stated: “This month’s recipient of our Coordinator of the Month Award requests a body at the rescheduled April 23 meeting . . . He just needs a live body.

  • E-Discovery Deep Understanding with Example.
    • Assume that there are two organizations X and Y. When both the companies went into litigation for pattern related issues claiming each other. E.g. both organizations released a mobile in the same year with the same pattern.Here X Organization is claiming that they had made the pattern two years before the Y Company made. Here X organization become ‘PLAINTIFF’ and Y organization become ‘DEFENDANT’. Now X organization wants to undergo E-Discovery process. So for that first they will contact the law firm and the law firm will take permission from the court to perform E-Discovery. After getting permission the Law firm will go to E-Discovery Company for the further processing.

      Plaintiff – A person who brings a case against another in a court of law.

      Defendant – the defendant in a law suit is the person against whom the action is brought by the plaintiff.

      Law firm – A law firm is a business entity formed by one or more lawyers to engage in the practice of law.

  • Introductions to SIM Card
    • History of SIM Card.
      • The first SIM card was created in 1991, and these devices quickly became a crucial part of GSM networks. The cards are based on integrated circuits called subscriber identity modules, hence the name SIM. These modules store information required for authentication, allowing the user’s phone to attach to a GSM network. Each card has a serial number as well as network information, and users can remove the card from one phone and install it in a new one without registering the device.The first SIM card was developed in 1991 by Munich smart-card maker Giesecke & Devrient, who sold the first 300 SIM cards to the Finnish wireless network operator Radiolinja.

        The ability of users to switch their data to new mobile devices is advantageous in many ways. If a subscriber’s phone runs out of batteries, he or she can install the SIM card into a friend’s phone while still using the minutes attached to the card’s wireless plan. SIM cards can also store authentication information for up to 80 networks, allowing users to take advantage of the best networks available when traveling.


        The first SIM cards were about the size of a credit card, but they shrank over time to the size of a postage stamp. SIM cards also developed increasingly advanced functions and storage abilities. Modern cards are able to store information such as contact lists, user locations and phone numbers, text messages, patches, and settings. They also store applications and allow users to access them from any phone.

    • Information SIM Card.
      • A SIM card, also known as a subscriber identity module, is a subscriber identity module application on a smartcard that stores data for GSM/CDMA Cellular telephone subscribers. Such data includes user identity, network authorization data, personal security keys, contact lists and stored text messages.A subscriber identity module or subscriber identification module (SIM) is an integrated circuit that is intended to securely store the international mobile subscriber identity (IMSI) number and its related key, which are used to identify and authenticate subscribers on mobile telephony devices (such as mobile phones and computers). It is also possible to store contact information on many SIM cards. SIM cards are always used on GSM phones; for CDMA phones, they are only needed for newer LTE-capable handsets. SIM cards can also be used in satellite phones.

        The SIM circuit is part of the function of a Universal Integrated Circuit Card (UICC) physical smart card, which is usually made of PVC with embedded contacts and semiconductors. “SIM cards” are transferable between different mobile devices. The first UICC smart cards were the size of credit and bank cards; sizes were reduced several times over the years, usually keeping electrical contacts the same, so that a larger card could be cut down to a smaller size.


        A SIM card contains its unique serial number (ICCID), international mobile subscriber identity (IMSI) number, security authentication and ciphering information, temporary information related to the local network, a list of the services the user has access to, and two passwords: a personal identification number (PIN) for ordinary use, and a personal unblocking code (PUK) for PIN unlocking.

      • SIM Cards from a Technical Point of View
        • The card contains its own:
          • Microprocessor (CPU)
          • Program memory (ROM)
          • Working memory (RAM)
          • Data memory (EPROM or E2PROM)
          • Serial communication module


          Technically SIM (Subscriber Identity Module) is just one of several applications running on the smart card (the UICC). Theoretically, a single UICC can contain multiple SIMs, which allows managing multiple phone numbers or accounts to be accessed by a single UICC, but it is seldom seen in practice. Though nowadays “12 in 1” SIM card is being advertised, but is extremely rare or non-prevalent in India, at least.

          The SIM card is actually a microcomputer that has its own microprocessor, input-output interface, volatile and non-volatile memory. These entire components meet together to mainly calculate the responses to the challenges presented. In the next figure we can see the functional and logical structure of a SIM card.

Structure Of SIM.png

Structure of a SIM card

Structure Of SIM

SIM card communication


Display all the data store in chip

The way that the SIM Card interacts with the Mobile device is via a serial Input/output connection that serves as a link for the Mobile phone to handle commands to the SIM card and get a response. The most widely used protocol is T=0 that defines exactly the APDU (Application Protocol Data Unit) electrical coding for each command and the responses (Status Words) that the SIM card can return (Rankl and Effing, 2000). It must be said that at this level the SIM Card is a

To tally passive element, that is, it holds a slave position and cannot initiate the communication with the handset, just reply Status Words to questions (APDUs) from the handset. A SIM Card has six pads that also correspond to the six SIM connector pins, but only five pins have connection on the entire layout.

  • SIM Card structure and file systems.
    • A SIM card contains a processor and operating system with between 16 and 256 KB of persistent, electronically erasable, programmable read-only memory (EEPROM). It also contains RAM (random access memory) and ROM (read-only memory). RAM controls the program execution flow and the ROM controls the operating system work flow, user authentication, data encryption algorithm, and other applications. The hierarchically organized file system of a SIM resides in persistent memory and stores data as names and phone number entries, text messages, and network service settings. Depending on the phone used, some information on the SIM may coexist in the memory of the phone. Alternatively, information may reside entirely in the memory of the phone instead of available memory on the SIM.
    •  The hierarchical file system resides in EEPROM. The file system consists of three types of files: master file(MF), dedicated files, and elementary files. The master file is the root of the file system. Dedicated files are the subordinate directories of master files. Elementary files contain various types of data, structured as either a sequence of data bytes, a sequence of fixed-size records, or a fixed set of fixed-size records used cyclically.

File System.jpg

File System

  • As can be seen in the above figure 5, dedicated files are subordinate directories under the MF, their contents and functions being defined by the GSM11.11 standards. Three are usually present: DF (DCS1800), DF (GSM), and DF (Telecom). Also present under the MF are EFs (ICCID). Subordinate to each of the DFs are supporting EFs, which contain the actual data. The EFs under DF (DCS1800) and DF (GSM) contain network-related information and the EFs under DF (Telecom) contain the service-related information.All the files have headers, but only EFs contain data. The first byte of every header identifies the file type and the header contains the information related to the structure of the files. The body of an EF contains information related to the application. Files can be either administrative- or application-specific or access to stored data is controlled by the operating system.

    Master File (MF) – Master file is the root of the file system organization. It contains all the dedicated and elementary files.

    Dedicated File (DF) – Dedicated files are subordinate directories to the master file that contain dedicated and elementary files.

    Elementary File (EF) – These are files that contain various types of formatted data structures, which can be a sequence of data bytes, a sequence of fixed size records, or a fixed set of fixed size records used cyclically.

  • Type and Size of SIM Card.
    • GSM is abbreviation for Global System for Mobile Communication developed by the European Telecommunication Standards Institute (ETSI). It describes the protocols for 2G, 3G, and 4G digital cellular network for transmitting voice, text and data services. GSM operates in a number of different frequencies usually 900 MHz or 1.8 GHz and in Canada and United States it is 850 MHz or 1.9 GHZ.
    • CDMA is a short form for Code Division Multiple Access, a digital cellular technology where several transmitters can send information simultaneously over a single communication channel.
    • Size SIM cards are manufactured into three sizes Nano, Micro, and Standard. All details related with SIM specification are given in table.


SIM card size

  • Security in SIM Card.
    • SIM cards have built-in security features. The three file types, MF, DF, and EF, contain the security attributes. These security features filter every execution and allow only those with proper authorization to access the requested functionality. There is different level of access conditions in DF and EF files. They are:
      • Always—This condition allows to access files without any restrictions.


      • Card holder verification 1 (CHV1)—This condition allows access to files after successful verification of the user’s PIN or if PIN verification is disabled.


      • Card holder verification 2 (CHV2)—This condition allows access to files after successful verification of the user’s PIN2 or if the PIN2 verification is disabled.


      • Administrative (ADM)—The card issuer who provides SIM to the subscriber can access only after prescribed requirements for administrative access are fulfilled.


      Never (NEV)—Access of the file over the SIM/ME interface is forbidden. The SIM operating system controls access to an element of the file system based on its access condition and the type of action being attempted. The operating system allows only limited number of attempts, usually three, to enter the correct CHV before further attempts are blocked. For unblocking, it requires a PUK code, called the PIN unblocking key, which resets the CHV and attempt counter. If the subscriber is known, then the unblock CHV1/CHV2 can be easily provided by the service provider.


One Reply to “SIM Forensic In e-Discovery”

  1. Pingback: My Homepage

Leave a Reply