Some tools have the ability to create a Cellular Network Isolation Card (CNIC) [SWG13]. CNICs provide cellular network isolation that prevents network communication that may modify data on a mobile device (e.g., remote wiping, incoming text messages). A CNIC lacks specific data elements required to establish connectivity between the mobile device and its associated network. For example, CNICs do not contain a cipher key, thus preventing access to a cellular network. A CNIC may be required for mobile device data extraction, as some phones cannot boot without a UICC present.
Some tool manufacturers and vendors refer to this as a “SIM clone.” The creation of a CNIC is not a true clone of the source UICC because the authentication key and other user data are not copied in the cloning process.
A CNIC may be created either by the examiner using the original UICC as a source or manually entering the data. Manual entry is helpful if the UICC associated with a specific mobile device is not present. CNICs are tool-specific; they are not interchangeable between the tools of various manufacturers. CNICs vary in their effectiveness and support based on specific mobile devices. For example, CNICs may not be used for data extraction from TDMA devices.
Occasionally, a UICC is not present with a mobile device, or has been intentionally damaged, but is necessary for data acquisition. One of the most common mistakes forensic examiners make is to insert a foreign UICC into the mobile device to facilitate data acquisition. Some mobile devices are linked to a specific UICC. When this linkage exists, booting a mobile device with a foreign UICC causes data elements such as call logs (missed, incoming and outgoing calls) and SMS messages present within the mobile device’s internal memory to be erased.
A better approach is to create a substitute UICC (i.e., CNIC) to use with the mobile device that mimics key characteristics of the original UICC, tricking the device into accepting it as the original. Most mobile forensic tools provide the forensic examiner with the ability to create a CNIC.
Substitute UICCs, sometimes referred to as CNICs, may be useful in many situations:
- If a mobile device’s UICC is missing or damaged and is required for acquisition with a forensic tool, the creation of a CNIC permits data to be recovered from the handset.
- If the UICC for a device is present but requires a PUK code, a substitute UICC can be created, allowing acquisition to proceed without having to contact the service provider for the PUK.
- If cellular network isolation is required (e.g., avoiding incoming calls or text messages), a CNIC provides a method permitting data acquisition from the handset while simultaneously denying cellular network authentication.
- If a forensic tool accesses the UICC during the acquisition process, using a CNIC in the handset eliminates the possibility of the original being modified (e.g., status flag of SMS messages modified from unread to read).
The values by which the mobile device correlates to the previously inserted UICC are the ICCID and the IMSI. Often only one of these values is used. Both identifiers are unique and used to authenticate the user to the network. While the minimum data needed to create a UICC may be simply one of these two values, some mobile devices may require additional data to be populated on the CNIC to be properly recognized. The possibility exists that data, other than user data, may change on the handset due to inserting a CNIC.
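The check below is an added example, not part of the original guideline or of any forensic tool: it decodes the ICCID and IMSI from raw card file contents and confirms that a CNIC matches the original UICC's identifiers while holding no cipher key. It assumes the file contents are available as raw bytes in a dictionary keyed by file name (a hypothetical layout) and that the files use the standard nibble-swapped BCD encodings; all sample values are constructed.

```python
# Added example: confirm a CNIC carries the original UICC's ICCID/IMSI
# and no cipher key. The dict layout is hypothetical; sample bytes are constructed.

def _swapped_bcd(raw: bytes) -> str:
    """Decode nibble-swapped BCD: the low nibble of each byte is the first digit."""
    return "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in raw)

def decode_iccid(raw: bytes) -> str:
    """EF_ICCID: 10 bytes of swapped BCD, padded with 0xF nibbles."""
    return _swapped_bcd(raw).rstrip("f")

def decode_imsi(raw: bytes) -> str:
    """EF_IMSI: length byte, then swapped BCD whose first nibble is a parity/type flag."""
    return _swapped_bcd(raw[1:1 + raw[0]])[1:].rstrip("f")

def luhn_ok(digits: str) -> bool:
    """ICCIDs end in a Luhn check digit; this catches manual-entry typos."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def check_cnic(original: dict, cnic: dict) -> list:
    """Return findings; an empty list means the CNIC passed every check."""
    findings = []
    for name, decode in (("EF_ICCID", decode_iccid), ("EF_IMSI", decode_imsi)):
        want, got = decode(original[name]), decode(cnic[name])
        if want != got:
            findings.append(f"{name} mismatch: original {want}, CNIC {got}")
    if not luhn_ok(decode_iccid(cnic["EF_ICCID"])):
        findings.append("CNIC ICCID fails Luhn check (possible manual-entry typo)")
    if cnic.get("EF_Kc", b"").strip(b"\xff"):  # absent or all-0xFF counts as empty
        findings.append("CNIC holds a cipher key; network isolation not assured")
    return findings

# Constructed sample dumps (not from any real card).
ORIGINAL = {"EF_ICCID": bytes.fromhex("980000000021436587f5"),
            "EF_IMSI": bytes.fromhex("080910101032547698"),
            "EF_Kc": bytes.fromhex("0123456789abcdef07")}
CNIC_GOOD = {k: ORIGINAL[k] for k in ("EF_ICCID", "EF_IMSI")}
CNIC_BAD = dict(ORIGINAL, EF_ICCID=bytes.fromhex("980000000021436587f6"))

if __name__ == "__main__":
    print(check_cnic(ORIGINAL, CNIC_GOOD))
    print(check_cnic(ORIGINAL, CNIC_BAD))
```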