International Conference on Information and Communication Technology and Its Applications (ICTA 2016) Federal University of Technology, Minna, Nigeria November 28 – 30, 2016 SIM Cards Forensic Capability and Evaluation of Extraction Tools Ismaila Idris1, John K. Alhassan2, Victor O. Waziri3, and Muhammad Umar Majigi4 Department of Cyber Security Science, Federal University of Technology, Minna, Nigeria 1 ismi.idris@futminna.edu.ng, 2jkalhassan@futminna.edu.ng, 3victor.waziri@futminna.edu.ng, 4majigiumar1@gmail.com Abstract—Mobile phones have turned into a very essential tool most cases since it has the same content and has capability for personal communication. Thus, it is of immense importance for the same computing tasks as that of personal computer that forensic investigators have possibilities to extract proof [3]. items from mobile phones. The Modern mobile phones store In Nigeria for instance, mobile phone usage has facts items on inner memories as well as SIM cards. With the continued to increase over the past few years from 0.02 to introduction of modern functionality, these accessories and 67.68 per 100 inhabitants from year 2000 to 2012 [4]. their devices might be used as tools in a crime. Appropriate Due to large and ubiquitous role played by mobile forensic examination of such memories, including recovery of phones in our society, there is a great probability that such deleted items has not been possible until now. This research devices will tend to be part of many investigations as tools or paper presents two mobile SIM cards to assess a chosen set of six existing mobile forensic software tools that where developed accessories to a crime or other malicious incidents, forensic mainly for mobile Subscriber Identification Module (SIM) investigators require specialist tools that would enable the forensics which is aimed to find out their capability and quick, proper retrieval and speedy analysis of any possible efficiency when compared with other software. This would data which is present on the device. For devices conforming help a forensic investigator decision making in choosing a tool to the Global System for Mobile Communications (GSM) unique for acquiring specific evidence from a SIM card, and and related standards, certain data such as dialed numbers, hopefully bring about a save in time and resources. SMS messages and phonebook contacts can also be stored on a Subscriber Identity Module (SIM) [5]. Keywords-forensic; mobile phone SIM card; Tecno android There are at least four major ways whereby a mobile phone; software phone or its accessory could be linked to crime:  A mobile phone could be used as communication tool during the process of committing the crime. I. INTRODUCTION  A mobile phone could contain stored data which is Communication technology is the major integral part of evidence to a crime everyday human life. The invention of telecommunication  A mobile could contain the victim’s or target’s technology, especially smart phones which are one of the information most commonly used and dominant technology derived from  A mobile could be the actual means of committing the advent of Information and Communication Technology the crime. (ICT) over the past few decade, have brought about changes Mobile forensic investigators must be familiar with the and re-defined the world’s order and the way most things different types of mobile phones and understand the are done. intricacies of mobile phone forensics. In other words, Mobile cellular phone usage is seen to have really acquiring and analyzing the data on the device, attached SIM increased tremendously over the past decade, with an cards, and inclusive memory cards. These procedures are estimated average global mobile subscription of 7.2 Billion well documented and should be adhered to in the forensics in 1st Quarter of the year 2015 and 99 percent Global mobile acquisition and analysis of mobile phone. However penetration by 1st Quarter of 2015. Smartphones especially documented, it is well known that there is currently no one accounted for about 75 percent of all mobile phones that examination facilitation tool (hardware or software) that is were sold in the 1st Quarter of 2015, compared to around 65 universally used or recommended to remove the data from percent during 1st Quarter of 2014 [1]. While the estimated each and every mobile phone [6]. number of smartphones in particular is set to double by year The demand for mobile forensics combined with the 2020 [2]. Such portable communication devices which are diversity of the mobile device market has led to a myriad of now very advanced with great computing power have taken mobile forensics tools. In 2016, [7] compared existing tools over the dominant role of personal computers. With a mobile according to their acquisition, examination and reporting phone, a person can make calls, send SMS messages and functions concluding that typical mobile phone information also browse the internet and store large amounts of digital such as the IMEI and SMS/MMS could be discovered by data. Mobile phones are now much more popular than existing tools such as MOBILedit, SIM seizure, personal computers due to portability and can be used in USIMDETECTIVE and Oxygen Phone Manager, etc. 75 International Conference on Information and Communication Technology and Its Applications (ICTA 2016) Williamson et al. studied the performance of mobile forensic  Service Provider Name (SPN) tools TULP 2G, Cell seizure and Oxygen Phone Manager etc  Mobile Network Code (MNC) peculiar to Nokia phones [8]. In 2007, Jansen and Ayers  Mobile Subscriber Identification Number (MSIN) again compared existing tools on contemporary mobile  Abbreviated Dialing Numbers (ADN) phones and collected their work into a NIST report [9].  Mobile Station International Subscriber Directory Later, [10] Yates notes the diversity of the mobile device Number (MSISDN) market and the associated complexity presented to a  Abbreviated Dialing Numbers (ADN) practitioner attempting to select the appropriate digital  Mobile Country Code (MCC) forensics tool. Just the comparison papers mentioned here  Last Dialed Numbers (LDN) cover: Cell Seizure, GSM.XRY, MOBILedit! Forensic, TULP 2G, Forensic Card Reader, ForensicSIM, SIMCon, C. Review of Related Works SIMIS and Oxygen Phone Manager. This study aims at performing a comparative analysis of A. The Subscriber Identification Module (SIM) mobile SIM forensic software tools. This section reviews eight (8) literatures of related forensics based works. Below Most modern mobile cellular mobile phones carry a are Meta table reviews of literatures of related research small removable smart card which is called a SIM card. The background. SIM (Subscriber Identity Module) is a fundamental component of mobile cellular phones that allows a phone user to connect to the GSM telecommunication network, own a cellular number and a subscriber account. It also has a TABLE I. META-ANALYSIS TABLE little memory space that can store valuable user information. A SIM card has a tiny chip containing a file system, a ONE TWO processor and an operating system that runs on top of it to Forensic Software Android Forensic control all the actions and processes undertaking by the SIM Tittle of Tools for Cell Phone Capability and Android Article Subscriber Identity Forensic Capability and card [11]. Most SIM cards have a capacity range from 32 to Modules 128 KB [12]. Wayne Jansen, Rick VIJITH VIJAYAN Authors (Date) Ayers (2006) (2002) Analysis of existing Comparative analysis of II. LITERATURE REVIEW forensic software tools possible software tools existing for SIMs. To for undertaking Andriod Focus confirm capability to phone forensics A. Introduction recover basic data, location information The skills of a forensic investigator is useful for the and EMS data detection and investigation of crime committed on mobile GSM SIM, MobileEdit AFLogical, Oxygen devices, computers and computer networks, the internet and Forensics, Tulp 2G, Forensic, MobileEdit other forms digital devices because such crimes have direct Methodology Cell Seizure, GSM Forensic, HTC and indirect effects on businesses, government, individual’s .XRY,SIMCon,SIMIS, Sensation XE, HTC Forensic Card Reader Desire S privacy and corporate organizations functions due to Basic data recovered The test result showed tremendous increased usage of internet and mobile services. by most tools, also data produced from the Also criminals can take advantage of this large number of location information evaluation is huge and potential unsecured targets and ease of access to various recovered by most was quite difficult to offensive tools in order to gain unauthorized access to tools with challeges of table, graphical sensitive information. Therefore we have a need to translation of LAI and representation of data Result RAI codes to network was used to ensure investigate the ways and processes through which these name readability and easier crimes that are being committed [13]. Forensics based analysis although of all research works by various authors are reviewed for the the tools tested, Oxygen purpose of this work. forensic gave a most visible and standardized results. B. SIM Data of Forensic Value They did not use the He used two android latest versions of phones of the same Depending on the type of mobile phone technology and software tools with manufacturer HTC. access control scheme, various types of data such as contact Limitation enhanced list, SMS messages could be stored on the SIM, in the functionalities for undertaking the mobile phone, or even on the memory card [14]. A typical analysis. SIM card could contain a repository of data and information, some of which are listed below as given by [15]: THREE FOUR  SMS Messages Tittle of Forensic Analysis of Smartphone Forensics:  Contact Numbers Article the content of Nokia A case study with Nokia mobile phones E5-00 Mobile phone.  Deleted SMS and Contact Williamson, B., Seyedhossein, M., Ali,  International Mobile Subscriber Identity (IMSI) Apeldoorn, P. Cheam, D., & Hoorange, G. B.  Integrated Circuit Card Identifier (ICCID) Authors (Date) B., and McDonald, M. (2011) [16]  Abbreviated Dialing Numbers (ADN) (2006) 76 International Conference on Information and Communication Technology and Its Applications (ICTA 2016) Performance Comparing some of the Marrington, A. (2012). [20] evaluation of various mobile forensic tools. [19] mobile forensic Studies demo and trial Forensic analysis of software tools on versions of some mobile FaceBook, Twitter and Focus Nokia mobile phone. forensic tools MySpace. Analysis of different Focused on whether contents of mobile the activities carried Focus devices out on this social Important of SIM Cards Cable, TULP2G, Bluetooth device, USB, network are stored on forensic as a digital Paraben Cell seizure, memory card reader, mobile internal evidence and SIM Cards oxygen forensic oxygen forensic suite, memory and can be from technical point of Methodology manager and, paraben’s device retrieved. view MOBILedit. seizure, MIAT, Blackberry, iPhones Deleted messages can MOBILedit, forensic and Android phones, also be recovered from lite Encase V6.5, USB SIM cards, SIM cards No deleted data was The toolkit cannot be data cable SQLite data that have become Result recovered by either of use to acquire deleted browser v1.0.1 unreadable can be read the tools. data or information after replacing the They stated that They make use of demo EEPROM chip into a different handsets will and trial version of new SIM card or by be used in their software which cannot connecting it to proper analysis of which just acquire deleted data. It probes, People should two handsets were uses only Nokia E5-00 be made aware that SIM Limitation later used. TULP 2G series and it was not cards should not be was not used in the stated if other series simply discarded analysis after it has where compatible with without breaking it into been stated in their the toolkit or not two pieces to make it methodology. nearly impossible by a criminal to steal private Methodology FIVE SIX data easily, scarcely by Overview of potential Smartphone analysis: A using a SIM card reader, Tittle of article analysis of an Android case study SIM cards are vital as Smartphone forensic evidences as it Stefan, S., Knut, K., & Mubarak, A., & Ali, A. contains location Authors(date) information and a list of Reiner, C. (2012) [17] (2013). [18] Forensic examination Investigate an Android all the network towers it of HTC android phone with WhatsApp has recently connected smartphone and live installed to check the to call logs of a suspect analysis of activities carried out by or a criminal can be of Focus Smartphones. the user. immense value in the Using android SDK to Compared the result of proceedings of an access internal oxygen forensic tool investigation, SIM cards memory and UFED physical contain personal and analyzer professional messages USB, PC, Encase, IPhone4 Oxygen such as call logs etc. oxygen forensic suite forensic tool, UFED 2011, X-ways and tool, PC, Wi-Fi In Blackberry no data Methodology was found in the MOBIL edit 5, connection. Micro SD Android SDK, SQLite cards internal memory hence data browser 2.0. nothing can be The forensic tools They stated that similar Result retrieved. IPhones and cannot create a backup android phone can Android stores their image of the internal actually install activities in internal Concept of data memory of the WhatsApp and user can memory and can be recovery from SIM Smartphone. carry out activities. retrieved. Cards. Result Some tools cannot Oxygen forensic tool is They did not research carry out live analysis better in data accessing on other social The concentrate only on of internal flash than UFED tool. Limitation network application forensic important of memory. that can be on the SIM Card as a digital Examination of all the stated mobile phones. evidence data’s was possible They did not access Oxygen forensic tool external application was not able to acquire III. METHODOLOGY Limitation installed on the phone password and username using this toolkit of the WhatsApp This paper is aimed at carrying out comparative evaluation of a set of six existing software tools using two SEVEN EIGHT 3G enabled GSM mobile SIM cards as a case study. In this Forensic analysis of chapter all materials, methods, steps and processes Tittle of social networking Forensic important of undertaking to achieve the project’s aim and objectives are Article application on Mobile SIM Cards as a Digital listed and explained. Including all software tools used, how devices Evidence Al Mutawa, N., Ankit Srivastava & mobile evidence data was created, manipulated and sampling Authors(date) techniques used for data recovery by various tools for the Baggili, I., & Pratik Vatsal (2016). 77 International Conference on Information and Communication Technology and Its Applications (ICTA 2016) purpose of evaluation. The various tools used are listed with Each mobile forensic tools method use against the mobile each capabilities as stated by their developers. SIM data evidence are equally explained for the purpose of Considering the large number of already existing mobile this research. Then the performance results of each mobile forensic software tools for mobile forensics and the fact that forensic analysis report generated by using each tools software vendors generally do not follow a common towards the acquisition of stored and deleted mobile SIM methodology or established standard when developing these card data are explained. The general comparative tools or their capabilities it was paramount to source tools performance and efficiency in retrieving such mobile SIM from various different vendors. From an investigative card data evidence is presented tabular against results perspective it is generally required that all evidence be produced by all the other tools. acquired as quickly as possible and to examine the evidence proper so as to ensure that law enforcement professionals can A. Data Analysis Procedure defend their case in a court of law based on the strong Data analysis is a process involving either qualitative or probative evidence. quantitative inspection, modelling or transformation of any The simple fact is that forensic examiners looking to data sample with an aim of discovering any useful create the forensically sound image in a quick manner, as information, suggesting conclusion and supporting good anything that forces them to delay the evidence will decision making. substantially reduce their chances of producing the evidence Different number of SIM contacts and SMS in form of in the court of law. [21] Various mobile data and devices are data evidence was created on both SIM cards with part of used in order to successfully carry out comparative these data deleted to analyze the capabilities of each mobile evaluation of the chosen forensic software set. forensic tools whether they could be used in retrieval of both The research framework involved in this paper is briefly stored and deleted SIM data. These various SIM forensic discussed by the Flow Chart below. tools used in this project are listed below, their reviews and features as stated by manufacturers explained. The SIM data evidence used were created gradually over a period of 2 days. Half the contacts and SMS data were created on each day. While calls were made on the second day. Also half the SIM data evidence created including Contacts and SMS were then manually deleted from the SIM memory gradually one after the other on both SIM cards. The mobile SIMs are then removed from the Phantom phone and then connected to the laptop via the SIM card reader. After which each software is used to try and recover various data on the both SIM cards. TABLE II. LIST OF SIM DATA GENERATED FOR SAMPLING Number generated Number generated Mobile evidence data SIM 1 (64 Kb) SIM 2(128 Kb) Saved Contacts 40 60 Saved SMS 20 30 Deleted Contacts 20 30 Deleted SMS 10 15 Foreign Language SMS 4 4 (French and Arabic) Applications -- -- Call logs (Dialled, 20 40 received and missed calls) Figure 1. Flow Chart of the framework Usually all the forensic tools will prompt you to connect the SIM card reader to the system and choose if to create a case file or directly carry out any data retrieval from a Tools assessment and testing criteria is based on whether connected SIM card, which would allow for further analysis these tools support of the mobile forensic tools based on individual results being  Basic SIM Data recovery produced by each recovery tool.  Location Information recovery To ensure that all tools do not change any data on the  Deleted data recovery various SIM cards a write block is implemented for USB  Foreign language Data support port by changing registry setting on the computer. Through /Run/HKEY_LOCAL_MACHINE\SYSTEM\CurrentContol  Examine SIM and produce forensic standard results Set\Control (right click and creating a new key 78 International Conference on Information and Communication Technology and Its Applications (ICTA 2016) StorageDevicePolicies with a new Dword WriteProtect  The software were all installed on an Hp system double click and value set to 1). running Microsoft windows 7 64 bit. Also .NET Each forensic software tool is used for data acquisition frameworks was installed to support operations of on the two different SIM cards generating twelve different some of the tools. forensic results which are presented in a tabular format showing each tool’s capability compared to others. B. Research Instruments Several tools and software were used in this research work including various sampling mobile data in order to successfully carry out the comparative analysis all these are listed and explained below. 1) Mobile 3G enabled SIM cards: The two SIM cards have 3G capability and only varying in their individual memory capacity SIM 1 of MTN network has 64kb of memory while SIM 2 of the Etisalat Network has 128kb of Figure 3. SIYOTEAM PC/SC Smart SIM card reader and driver disk memory. Figure 2. Picture of the two SIMs used for this research Figure 4. TECNO Andriod phone (Phantom A+) 2) PC/SC Smart SIM card reader:A SIYOTEAM SY- IV. RESULTS AND DISCUSSION 386 PC/SC mobile SIM card reader is used to connect SIM cards directly to the computer system. It comes with a driver The results generated by use of each forensic tools are software disk which also holds a SIM data management then comparatively evaluated based on the capabilities of each tool for collecting data evidence from the two sample software. SIM cards. 3) TECNO Android Mobile Phone: The TECNO The SIM data being used for sampling was deliberately Phantom A+ Andriod 4.2 Jelly Bean mobile phone was used generated and partially deleted to test the retrieval capability to create new contacts, SMS messages and make calls with of the chosen set of forensics tools. All the tools were able to the two SIM cards. The phantom A+ has capacity for dual connect to the SIM card reader and were able to access and SIM support, with a 5.0 inch touch screen, 1.0 Ghz retrieve at least some stored information from both SIM processor, 3G, Bluetooth 3.0 and Wi-Fi connectivity. cards. 4) Forensic Software Tools: The choice of forensic The forensic evidence data that these software tools were software tools used in this work and all the components tested upon was contact phone numbers, SMS messages, and necessary to install them and carry out the digital forensic foreign language SMS messages and deleted SMS and Contacts. process are listed below:  A set of SIX different mobile forensic tools were A. Evaluation of Results used for this paper these include Dekart SIM Explorer version 2.5, Paraben SIM Seizure version The evaluation of the results produced by all the chosen 4.04954, MOBILedit SIM clone version 3.1, set of forensics tools when used for mobile evidence 001Micon Data recovery SIM Card version 5.4.1.2 collection, against the mobile data evidence that was and Forensic Card Reader version 2.2 are used in generated for the sole purpose of this project. For the results this research. The Paraben SIM seizure and Dekart analysis two comparative table of results was created SIM explorer were obtained by registering with the although all the tools produced the same results when the developers using a secure internet connection, demo same tool is being used to analyze both SIM cards. The version of the softwares were download from the results produced by each forensic tool being tested for each links. specific criteria are analyzed below: 79 International Conference on Information and Communication Technology and Its Applications (ICTA 2016) TABLE III. RESULT EVALUATION FOR MTN SIM FORENSIC ANALYSIS information, although it allowed PIN administration. It was (64KB) able to store such data in file but could not export such in a forensic report format. All the tools were unable to recover any call records because they were stored on the mobile phone. From the performance results of these chosen set of forensic tools we see that to some extent Paraben SIM Seizure is one of the best mobile forensic tools to be considered when trying to investigate any case relating to mobile SIM cards with the capability to recover much information and produce a standard forensic report on such investigation. Also Dekart SIM Explorer is an extensively capable forensic tool for use in the forensic analysis of mobile SIM cards. V. SUMMARY With the constant advancement of technology, the uses, and importance of mobile devices in our everyday way of life cannot be over emphasized. The process of properly and legally acquiring any form of mobile evidence data from any TABLE IV. RESULT EVALUATION FOR ETISALAT SIM FORENSIC mobile devices or accessories must be carefully undertaken, ANALYSIS (128KB) in all stages of the forensic process. Proper care must be taken in selection of which set of tools to be used because some of these mobile forensic tools developed may not be compatible or well suitable to acquire evidence from a specific mobile phone and its SIM card. Great forensic importance is attached to a mobile SIM card considering it as the heart of a mobile phone and is very easily transferable cross devices. Therefore, the efficiency of any mobile forensic tool should be considered before for acquiring of evidence from any kind of mobile device and accessories. In order to carry out this forensic analysis mobile data evidence was gradually generated on two different memory capacity SIM card of 64kb and 128kb over a period of 2 days and then partially deleted using the same mobile phone. The chosen set of SIM forensic tools were installed on a HP laptop running window 7, 64 bit operating system. Then a Siyoteam PC/SC SIM card reader was used to connect the mobile SIM cards to the computer directly. The mobile SIM The two tables above showed that using Dekart SIM forensic tools used are Dekart SIM Explorer, Paraben SIM Explorer we can recover basic evidence on both SIM cards Seizure, Forensic Card reader V2, 001Micron Data Recovery and saved such data with a hash value for integrity before Sim card, Dekart SIM Manager, MOBILedit SIM Clone. A exporting in a forensic report format, with the only limitation Tecno Phanto A+ phone was used for data creation on the of not supporting foreign languages such as Arabic SMS. SIM cards. The result of this research shows Paraben SIM From the analysis results forensic card reader could not Seizure was able to recover most SIM identification recover deleted SMS and contact information but was able to information and stored data, and also produce a forensic recover basic SIM identification numbers and stored SMS standard report. Dekart SIM explorer was able to recover all and Contacts, it also has the capability to export such stored and even deleted data it was also able to produce a information to a Forensic report format. forensic standard report. 001Micron was able to recover While 001Micron Data Recovery was able to recover all basic SIM identification but could not administer SIM pins basic SIM data including the deleted SMS and Contact and could not produce a forensic standard report. Forensic details it did not allow the administration of PIN and PUK card Reader was able to recover basic SIM identification numbers, although the demo version was not able to save the information and stored SMS and contacts but was unable to recovered data evidence or export such as forensic report retrieve any deleted mobile data evidence, MOBILedit SIM format. clone was able to recover basic SIM identification On the other hand Paraben SIM seizure was able to Information and stored SMS and contacts and save such as a recover all basic SIM identification data all stored and file but could not produce the results in a forensic standard deleted SMS and Contacts and stored such with a hash value report. which could be exported in a forensic report format. From the analysis results we see that Dekart Sim VI. CONCLUSION Manager was only able to recover stored SMS and Contacts All the chosen SIM forensic tools were tested on both from both SIM cards with very little SIM identification SIM cards by extracting the data. The results of these 80 International Conference on Information and Communication Technology and Its Applications (ICTA 2016) evaluations shows that it is not easy to retrieve all data [2] Ericsson, "Ericsson Mobility Report" Retieved June, 2015 from especially deleted mobile data evidence from a SIM card by www.ericsson.com/res/docs/2015/ericsson-mobility-report-june- 2015.pdf using only one type of mobile forensic tool because the [3] Dan Lohrmann, "Lohrmann on Cybersecurity & Infrastructure" Will a capability of each tool may be developed just for use in Smartphone Replace Your PC? April 24, 2016. Retrieved from acquiring some specific kind of mobile data evidence. Also http://www.govtech.com/blogs/lohrmann-on-cybersecurity/will-a- the limitations of some of the tools in terms of foreign smartphone-replace-your-pc. language support and generation of a forensic standard report [4] O. Osho and S. O. Ohida, "Comparative Evaluation of Mobile was gotten The main contribution of this research is to test Forensic Tools" I.J. Information Technology and Computer Science, for the capability of each forensic tool as advertised and to 2016, 01, 74-83, doi: 10.5815/ijitcs.2016.01.09 check the compatibility of this specific tool for use in the [5] W. Jansen & R. Ayers, “Guidelines on cell phone forensics” NIST Special Publication, 800, 101. Retrieved June 30, 2015, from forensic analysis of either a MTN 65kb Or Etisalat 128kb http://csrc.nist.gov/publications/nistpubs/800-101/SP800-101.pdf SIM for retrieval of any stored, deleted mobile data evidence 2007. in form of SIM identification and user generated data of [6] Kyle D. Lute and Richard P. Mislan, “Challenges in Mobile Phone SMS and contacts. Forensics” International Institute of Informatics and Systemics, p.1, Modern mobile phones SIM are now ubiquitous in this 2008fromwww.iiis.org/cds2008/cd2008sci/citsa2008/paperspdf/i649o world and have progress into full-fledge computing k.pdf platforms. Thus, they are becoming more crucial as [7] Timothy V, Chengye Z and Nicolas C, "Towards a General evidentiary devices in criminal and civil investigations. Collection Methodology for Android Devices" pp.1-2 2016 SIM Cards can yield an abundance of information such as [8] B. Williamson, P. Apeldoorn, B. Cheam, and M. McDonald, “Forensic analysis of the contents of nokia mobile phones” page 36, saved contacts, call logs and text messages etc. Conversely, 2006. no single tool can be used by investigators to retrieve [9] W. Jansen and R. Ayers, “Guidelines on cell phone forensics” NIST evidence from these devices that it can aid in investigations. Special Publication, 800:101, 2007. The possible deterrents to a vendor of forensic tools [10] I. Yates, “Practical investigations of digital forensics tools for mobile from creating single solution is: the number of hardware devices” pages 156–162. ACM, 2010. manufacturers and carriers the unique data formats used [11] Infosec, “Computer Forensics Investigation case study” Retrieved by vendors for storing relevant information and the security July 20, 2015 from http://resources.infosecinstitute.com/computer- mechanisms put in place. forensics-investigation-case-study/2014. [12] Joel Lee, “Why do cellphones need a SIM Card”. Retrieved Dec. 6, 2013 from http://www.makeuseof.com/tag/why-do-cellphones-need-a- VII. RECOMMENDATION sim-card Having used all the chosen mobile forensic tools and [13] D. R. Matthews, “E-Discovery versus Computer Forensics. comparing each result with the manufacturer’s advertised Information Security Journal”: A Global Perspective, vol 19 iss.3, pp. capabilities, it shows that some tools are limited and cannot 118-123, 2010. be used singly to successfully acquire all the mobile data [14] LGC Forensics, "Mobile handset examination" Retrieved 2010 from http://www.ifblgc.de/sites/default/files/assets/Files/Mobile%20handse evidence needed for investigation. Therefore any individual t%20examination.pdf or mobile forensic investigator working to legally acquire [15] He, S., & Paar, I. C. “SIM card security”. Bochum: Ruhr-University. data from mobile SIM should read the software descriptions 2007 and capabilities by developer before proceeding purchase of [16] Seyedhossein, M., Ali, D., & Hoorange, G. B. "Smartphone that specific software tool for use in forensic acquisition. Forensics: A Case Study with Nokia E5-00 Mobile Phone" Considering the fact that some of the forensic tools used in International Journal of Digital Information and Wireless this research were trial and demo versions some of their Communications (IJDIWC) 1(3): 651-655, 2011. features could not be utilized, therefore a forensic [17] Stefan, S., Knut, K., & Reiner, C. "Overview of potential forensic investigator should ensure that they purchase full versions of analysis of an Android smartphone" Conference Paper in Proceedings of SPIE - The International Society for Optical Engineering · these tools when there to be used recovering deleted mobile Retrieved February, 2012 SIM card data evidence. fromhttps://www.researchgate.net/publication/258332974_Overview_ of_potential_forensic_analysis_of_an_Android_smartphone VIII. SUGGESTION FOR FURTHER WORK doi:10.1117/12.909657 [18] Mubarak A., & Ali A. "Smartphone Forensics Analysis: A Case With the wide spread use of social media and their Study" International Journal of Computer and Electrical Engineering, applications on mobile phones, such applications are rich Vol. 5, No. 6, December 2013 repository for potential forensics evidence data. The [19] Al Mutawa, N., Baggili, I., & Marrington, A. “Forensic analysis of Compatibility of existing forensics tools for recovery of social networking applications on mobile devices,” DigitalInvestigation, vol. 9, pp. S24-S33, 2012. these data can be researched. [20] Srivastava A & Vatsal P "Forensic Importance of SIM Cards as a Digital Evidence". J Forensic Res 7: 322. doi:10.4172/2157- REFERENCES 7145.1000322, 2016 [1] Ericsson, “On the pulse of the networked society” Ericsson News [21] Vijith Vijayan, “Android Forensic Capability and Evaluation of CenterRetrieved July20, 2015 from Extraction Tool” A thesis submitted in partial fulfillment of the http://www.ericsson.com/res/docs/2015/tmd_report_feb_web.pdf. requirement of Edinburgh Napier University for the Degree of Master 2015. of Science in Advanced Security & Digital Forensics. April, 2012. 81