Users who own devices that are unlocked from a carrier are able to change SIM cards from carrier to carrier. There are several ways in which a user can have his or her device unlocked from a carrier:
1. The device is purchased in full from Apple (depending on jurisdiction).
2. The owner pays his or her provider or a third party to unlock the device.
3. The device is jailbroken and unlocked during the jailbreaking process.
This means that users can use different providers and different phone numbers to communicate. For investigators, the implications of this practice are significant. From counterterrorism investigations to sex tourism investigations, determining how a suspect communicates is vital to an investigation.
In this blog entry, we'll take a look at the effects of SIM-switching on the iOS device's CellularUsage database, as examined in BlackLight.
Adding a SIM Card to an iOS Device
To add or change a SIM card in an iPhone, locate the SIM card tray on the right side of the device (iPhone 4 and above), and using the SIM card removal tool or a paper clip, eject the SIM card tray, then remove and replace the SIM card.
Note: In iPhone 5 and above, Nano SIM technologies are used. Tools to cut a regular SIM down to Nano SIM format can be easily purchased.
SIM card information on iOS devices is tracked by a database located at /wireless/Library/Databases/CellularUsage.db. The "subscriber_info" table in this database records the SIM card number ("subscriber_id" column), the phone number assigned to the SIM card ("subscriber_mdn" column), and a "last_update_time" expressed in WebKit epoch.
Figure 1. BlackLight view of CellularUsage.db (iOS 9)
In Figure 1, CellularUsage.db is examined in BlackLight. Focusing on the "subscriber_info" table, we see one SIM card numbered 8944200011764032955, with a phone number of +447472658428. The date associated with this SIM card is 2015-11-24 17:30:54 (UTC). We will discuss dates in further detail in a moment.
Figure 2. BlackLight view of CellularUsage.db (iOS 9) - Second SIM card installed
Figure 2 shows a second entry in the database. This SIM was installed after the removal of the first SIM. No other interaction by the user is necessary. Note that this SIM card, numbered 8931090100078239362 with a phone number of +31687513067, was updated on 2015-11-24 17:47:57 (UTC).
Now let’s change the SIM again and install a third SIM.
Figure 3. BlackLight view of CellularUsage.db (iOS 9) - Third SIM card installed
Figure 3 shows a third entry in the database, reflecting another SIM card change. Note that the SIM card numbered 893301236530025164090, with a phone number of +33789317230, was updated on 2015-11-24 18:01:07 (UTC).
Only Three Entries in the Database
Testing has shown that replacing the SIM card with a fourth SIM replaces the first SIM entry in the database, meaning this database only tracks the last three SIM cards used in the device.
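The same SIM history can be pulled from an extracted copy of CellularUsage.db outside BlackLight. The Python script below is an added example, not BlackBag's or BlackLight's code: it opens the copy read-only, reads the three "subscriber_info" columns named above, and returns the entries in order of "last_update_time". The function names are hypothetical, the sample rows are constructed from the values in Figures 1-3, and the timestamp handling is an assumption: large values are decoded as WebKit microseconds, smaller ones as seconds since 2001-01-01 (Mac absolute time).

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from pathlib import Path

MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)     # seconds since 2001-01-01
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # microseconds since 1601-01-01

def decode_time(value):
    """Decode last_update_time to UTC. Assumption: values above 1e13 are
    WebKit microseconds; smaller values are seconds since 2001-01-01."""
    if value is None:
        return None
    if value > 1e13:
        return WEBKIT_EPOCH + timedelta(microseconds=int(value))
    return MAC_EPOCH + timedelta(seconds=float(value))

def sim_history(db_path):
    """Return subscriber_info rows from an evidence copy, oldest update first."""
    # mode=ro plus immutable=1 keeps SQLite from creating or modifying
    # -wal/-shm/journal files beside the extracted database.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(
            "SELECT subscriber_id, subscriber_mdn, last_update_time "
            "FROM subscriber_info ORDER BY last_update_time"
        ).fetchall()
    finally:
        con.close()
    return [{"sim": str(s), "mdn": m, "raw": t, "utc": decode_time(t)}
            for s, m, t in rows]

def build_sample_db(path):
    """Constructed sample: the three SIM entries shown in Figures 1-3."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE subscriber_info (subscriber_id TEXT, "
                "subscriber_mdn TEXT, last_update_time REAL)")
    con.executemany("INSERT INTO subscriber_info VALUES (?, ?, ?)", [
        ("893301236530025164090", "+33789317230", 470080867.0),
        ("8944200011764032955", "+447472658428", 470079054.0),
        ("8931090100078239362", "+31687513067", 470080077.0),
    ])
    con.commit()
    con.close()

if __name__ == "__main__":
    import sys
    for row in sim_history(sys.argv[1]):
        print(row["utc"], row["sim"], row["mdn"], sep="\t")
```

Keeping the raw value next to the decoded one lets an examiner re-check the conversion against the tool's own display.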
Last Update Time
Much testing has gone into determining how the column "last_update_time" is updated. The following chart outlines the effects of changing the SIM on the /wireless/Library/Databases/CellularUsage.db with respect to "last_update_time."
A "Carrier Settings Update" notification occurs when the cell provider issues an update to their services. For example, with the release of iOS 9 cell carriers could include the ability to make phone calls over Wi-Fi. Carriers that included this feature pushed an update to devices connected to their network.
When a user sees this notification and selects Update, the date and time contained in the database is updated to reflect the change in settings.
Though iOS devices track when a user changes the SIM card in the device, as demonstrated above, a lot of actions can affect the "last_update_time." Examiners should take care when using a date contained within the CellularUsage database, as it may represent one of any number of actions performed on the device.
However, the dates can potentially be helpful once one knows what action is being referenced. And the fact that up to three (3) SIM cards can be tracked, including their phone numbers and SIM card numbers, may prove highly beneficial to an investigation.
As always, BlackBag’s training team is here to help if you have questions about this or other areas of digital forensics.