Similar to a mobile device, to acquire data from a UICC, a connection must be established from the forensic workstation to the UICC, using a PC/SC reader. As before, the version of the tool being used should be documented, along with any applicable patches or errata from the manufacturer applied to the tool. Once the connection has been established, the forensic software tool may acquire data from the UICC.
Capturing a direct image of the UICC data is not possible because of the protection mechanisms built into the module. Instead, forensic tools send command directives called Application Protocol Data Units (APDUs) to the UICC to extract data logically, without modification, from each elementary data file of the file system. The APDU protocol is a simple command-response exchange. Each element of the file system defined in the GSM standards has a unique numeric identifier assigned. It can be used to walk through the file system and recover data by referencing an element and performing some operation, such as reading its contents.
Because UICCs are highly standardized devices, few issues exist concerning the logical acquisition. The main consideration is selecting a tool that reports the status of any PINs and recovers the data of interest. Vast differences exist in the data recovered by UICC tools. Some recovering only the data thought to have the highest relevance in a typical investigation, and others performing a complete recovery of all data, even though much of it is network related with little investigative value.