Expert Witness Corner: SIM Card Data Retrieval – The Essentials

The Importance Of SIM Cards:

There are more mobile telephones in the UK then there are people – this pervasive technology impacts on almost all areas of industry and life. Unsurprisingly, mobile communications have enabled old crime to be effected in new ways and mobile telephones are increasingly forming a part of criminal prosecutions, where linkages between individuals or evidence of being at the scene of the crime is provided by an analysis of the digital evidence available within the mobile phones.

At the heart of every mobile telephone is the Subscriber Identity Module (SIM), a small fingernail sized chip, responsible for service with a telecom network provider.

Digital Evidence From SIM Cards:

Despite limited memory capacity, the SIM contains a wealth of information that, when considered in context, can greatly aid lawyers in their case preparations:

• Stored telephone numbers/contacts.

• Listings of ‘Last Dialled Numbers’.

• Text messages received, sent, drafted or deleted.

• General location information from last use.

• References to overseas network providers that have been used.

Common Questions:

Q: Could the SIM card have been cloned?

A: SIM cards produced after June 2002 employ the COMPv2 algorithm which provides a number of technical and security safeguards to prevent unauthorised modification. Despite media reports, the cloning of modern SIM cards is an extremely rare practice.

Q: Can my PIN code be cracked?

A: SIM card information can be locked using a four digit ‘Personal Identification Number’. RIPA contains provisions to force disclosure of passwords, however, it is usually easier to request a ‘Phone Unlock Key’ (PUK), enabling PIN settings to over- ridden, from the Data Protection Officer (DPO) at the relevant network provider.

Q: PAYG SIMs are untraceable!

A: With ‘Pay As You Go’ (PAYG) there is no formal contract with a network provider (e.g. Orange) to enable a customer look-up, however, ‘Call Data Records’ (CDRs) are still available from the network provider, providing information as to patterns of communication, calls to/from, time/dates etc. By mapping this information to known acquaintances of the defendant, considering the evidence in the context of other material (such as messages recovered from the telephone handset) and undertaking Cell Site Analyses (CSAs)3 it is possible to prove/disprove ownership of a handset.

Q: Does the SIM reveal who I’ve been in touch with?

A: Even without the disclosure of Call Data Records (CDRs) from the network provider, the SIM provides a plethora of useful information relating to contacts in the form of ‘Last Numbers Dialled’ (LND) and sections of the ‘Contacts Directory’. Numbers that haven’t been saved may still show up in the LND.

Q: Can a telephone handset be uniquely identified?

A: Mobile phone handsets are assigned unique 15-digit numbers, known as the International Mobile Equipment Identifier (IMEI), which is passed to the network provider before communication services can be utilised. This serial number allows specific handsets that have been stolen or blacklisted to be blocked from a network irrespective of what SIM card is inserted. Defences suggesting that a given handset has been ‘found’ and is not owned by the suspect are unlikely to hold water if Call Data Records (CDRs) show a pattern of usage that indicate the owners identity.

Q: What about sending anonymous texts?

A: They are not really that anonymous… If they are being sent via an internet service, there is typically a log retained by the site provider as to the computer IP address that sent the specific message – this can ultimately be tied by to an Internet Service Provider (ISP), and in turn a specific subscriber. If anonymous texts have been sent from a mobile telephone – typically a PAYG handset/SIM – the uniquely assigned International Mobile Subscriber Identifier (IMSI) code embedded in the SIM can be used in concert with CDRs to provide compelling evidence as to the sender identity.

Q: Can deleted text messages & numbers be recovered?

A: Data content (especially multimedia formats) is primarily stored on the handset or on a removable memory stick. The general rule of thumb is that any data that has been deleted can be recovered, however, if it has been over-written it does make the process more complex and the chances of success reduce with every over-write.

Q: Is possession of multiple SIM cards indicative of wrongdoing?

A: Not at all – many individuals are discovering that they can benefit greatly from the free text and talk allowances granted on mobile phone contracts by having two or more SIMs (typically with different network providers). Adapters are available to connect multiple SIMs to a handset simultaneously.

Did you know?

The SIM card will often contain a reference to the last network base station that it communicated with before being disconnected from the telecoms network.

If the SIM card has been used overseas, it is possible to retrieve a reference code from the card that will indicate which national/regional network provider was used.

Language preferences can be stored on SIM cards – useful intelligence for investigators which can open up new avenues of enquiry.

Ross Patel is a forensic computer consultant with Afentis Forensics. You can view the company profile and find an expert witness at X-Pro UK, the innovative expert witness directory.

Find More Expert Witness Articles

Computer Forensics, Mobile Phone Forensics, Expert Witness and Data Recovery throughout the UK

HD Forensics is a computer and mobile phone forensic specialist and security consultancy company, based in the North East of England. We offer an impartial, independent and specialised professional digital forensic investigation service to both defence and prosecution clients. We provide an expert witness service for court if required. Our experts are trained and certified by Bond Solon and Cardiff University. For more details log on to .
Video Rating: 0 / 5

McCann E-Investigations Houston Computer Forensics Announces New Rates for Data Storage

Houston, TX (PRWEB) May 13, 2012

McCann E-Investigations (McCann EI), a Texas-based computer forensics firm announced that it will offer new storage rates for all data collected in computer forensics investigations. Many of McCann EIs clients have on-going cases which require storage of imaged data for future use. McCann will offer secure storage of client data at McCann EIs state-of-the-art computer forensics lab for as low as $ 0.75 per gigabyte per month.

Our technicians always work from copies made of the original data and the original drives are securely stored, said Dan Weiss, Partner and Licensed Private Investigator at McCann E-Investigations. Once the project is completed, we will now offer to store the copies of the data for future use, continued Weiss.

McCann EI will retain the data for forty five (45) days following the final report related to such data. After the 45 days, the client can agree to storage of all of the data at $ 0.75 per gigabyte per month. McCann EI will also provide secure destruction of all data related to the case upon the clients request. All hard drives will be permanently wiped and any case files will be securely disposed. It should be noted that the destruction of data and related case files is permanent, irreversible and irreparable. Should the case be re-opened, the data acquisition process would have to begin again at the normal rates.

After the 45 day retention period and absent other written agreement between McCann EI and the client, any data/equipment/media unclaimed or otherwise abandoned for a period in excess of thirty (30) days will be disposed of at McCann EIs discretion. McCann EI will not be responsible for data/equipment/media left in its possession beyond such thirty (30) day period.

About McCann EI:

Twitter: @McCannEI or!/McCannEI


Call us toll-free at 800-713-7670

McCann Investigators follow the trail and decipher the information regardless of whether the evidence is digital, such as electronically stored information found on computers, mobile phones or other devices or if the investigation requires traditional private investigative services. McCanns PI tools and techniques include surveillance, undercover work and detailed record searches. The final product helps our clients gain a deeper understanding of what has happened or what is occurring. The gained clarity and discovery of truth allows our clients to quickly respond and recover.

McCann EI is based out of our state-of-the-art forensic labs in Houston, which provide the latest in computer forensic and IT security technology. Our e-investigators combine digital skills with traditional private investigative techniques to provide you with an one-stop solution for your investigative needs. Our lab houses our computer forensics and electronic discovery service along with our databases, surveillance technology, and undercover investigators. Our investigators are experienced in providing expert witness testimony, including computer forensic testimony, in courts across Texas. Although we are headquartered in Houston, our investigators live in and work in cities all across Texas.

Call us toll-free at 800-713-7670 or speak to a local investigator:

Austin Computer Forensics: 512-377-6142

Houston Computer Forensics: 832-628-4904

Dallas Computer Forensics: 214-329-9059

Lubbock Computer Forensics: 806-589-0320

Lufkin Computer Forensics: 936-585-4070

Brownsville Computer Forensics: 956-465-0849

More Expert Witness Press Releases