Mobile devices that do not require a UICC are relatively straightforward as the acquisition entails a single device. Mobile devices requiring UICCs are more complex. It is required to exam to two items: the handset and the UICC. Depending on the state of the mobile device (i.e., active, inactive), the handset and UICC may be acquired jointly or separately. It is generally accepted to process the UICC first while the device is in an inactive state.
Suppose the mobile device is active, first, joint acquisition of the handset and UICC contents. A direct acquisition recovers deleted messages on a UICC, while an indirect acquisition via the handset does not. The UICC must be removed from the mobile device and inserted into an appropriate reader for direct acquisition.
A well-known forensic issue that arises when performing a joint acquisition is that the status of unread text messages change between acquisitions. The first acquisition may alter the status flag of an unread message to read. Reading an unread text message from a UICC indirectly through the handset causes the device’s operating system to change the status flags. UICCs that are read directly by a tool does not make these modifications. One way to avoid this issue is to omit to select the recovery of UICC memory when performing the joint acquisition (if the tool allows such an option).
If the mobile device is inactive, the contents of the UICC may be acquired independently before that of the handset. The UICC acquisition should be made directly through a PC/SC reader. Attempt the handset acquisition without the UICC present. Many devices permit an acquisition under such conditions, allowing PIN entry for the UICC to be bypassed if it were enabled. If the acquisition attempt is unsuccessful, the UICC may be reinserted and a second attempt made. Performing separate independent acquisitions (i.e., acquiring the UICC before acquiring the contents of the handset) avoids any operating system-related forensic issues associated with an indirect read of UICC data. However, removing the SIM can reportedly cause data to be deleted on some mobile devices.