SIM Card & IMEI Analysis

Learn to analyze SIM card data structures including ICCID, IMSI, and location data. Understand IMEI structure, validation algorithms, and techniques for detecting SIM cloning and IMEI tampering.


SIM Card Overview

The Subscriber Identity Module (SIM) card is a small integrated circuit that stores the subscriber identity, authentication keys, and various network-related data. For forensic investigators, SIM cards provide crucial evidence linking a subscriber to specific activities and locations.

SIM Card Types

| Type | Dimensions | Introduction | Notes |
| --- | --- | --- | --- |
| Full-size (1FF) | 85.6 x 53.98 mm | 1991 | Credit card size, obsolete |
| Mini-SIM (2FF) | 25 x 15 mm | 1996 | Standard SIM, older phones |
| Micro-SIM (3FF) | 15 x 12 mm | 2003 | Widely used in smartphones |
| Nano-SIM (4FF) | 12.3 x 8.8 mm | 2012 | Current standard |
| eSIM (eUICC) | Embedded chip | 2016 | Non-removable, remote provisioning |

Data Stored on SIM Cards

  • Identity Data: ICCID (card identifier), IMSI (subscriber identity), MSISDN (phone number), service provider information
  • Authentication: Ki (authentication key), PIN/PUK codes, cryptographic algorithms for network authentication
  • User Data: Contacts (ADN - Abbreviated Dialing Numbers), SMS messages (limited), last dialed numbers (LND)
  • Network Data: LOCI (Location Information), PLMN (network selection), LAC/Cell ID of last connection

ICCID Structure

The Integrated Circuit Card Identifier (ICCID) is a unique 19-20 digit number that identifies the SIM card itself. It is printed on the SIM card and stored in its memory.

ICCID Structure (ITU-T E.118) Format
# ICCID Format: 89 CC IIIN NNNNNNNNNN C

89          Major Industry Identifier (MII) - Telecom
CC          Country Code (ITU-T E.164)
IIIN        Issuer Identifier Number (Network Provider)
NNNNNNNNNN  Individual Account Identification
C           Check Digit (Luhn Algorithm)

# Example Indian ICCID:
89 91 10 0000123456789 2
   |  |  |             |
   |  |  |             +-- Check digit
   |  |  +----------------- Individual account number
   |  +-------------------- Issuer (Airtel = 10, Jio = 88, Vi = 11)
   +----------------------- India country code (91)

Indian Mobile Network Codes (Issuer IDs)

| Issuer Code | Network Provider | Notes |
| --- | --- | --- |
| 10 | Bharti Airtel | Major national carrier |
| 11 | Vodafone Idea (Vi) | Merged entity |
| 88 | Reliance Jio | 4G/5G only network |
| 04 | BSNL | Government operator |
| 05 | MTNL | Delhi/Mumbai only |

💡 Forensic Value of ICCID

ICCID helps trace when and where a SIM was purchased. Telecom providers maintain records linking ICCID to subscriber KYC documents. In India, SIM cards require Aadhaar-based verification, making subscriber identification possible through ICCID records.

IMSI Decoding

The International Mobile Subscriber Identity (IMSI) is a unique 15-digit number that identifies the subscriber on the network. Unlike the ICCID, which identifies the card, the IMSI identifies the subscription.

IMSI Structure Format
# IMSI Format: MCC MNC MSIN

MCC    Mobile Country Code (3 digits)
MNC    Mobile Network Code (2-3 digits)
MSIN   Mobile Subscriber Identification Number (9-10 digits)

# Example Indian IMSI:
404 10 1234567890
 |   |  |
 |   |  +-- Subscriber identification
 |   +----- Network code (Airtel)
 +--------- India (404 or 405)

# India MCC: 404, 405
# MNC Examples:
# 10, 31, 40, 45, 49 = Airtel
# 11, 84 = Vodafone Idea
# 88, 89, 90 = Jio
# 72, 73 = BSNL

IMSI vs ICCID

| Aspect | ICCID | IMSI |
| --- | --- | --- |
| Identifies | The physical SIM card | The subscription/account |
| Length | 19-20 digits | 15 digits |
| Visibility | Printed on SIM card | Stored internally only |
| Network Use | Card management | Network authentication |
| Portability | Changes with new SIM | Can change (MNP) |

LAC and Cell ID Analysis

Location Area Code (LAC) and Cell ID are network identifiers that indicate where the mobile device last connected to the network. This data is stored on the SIM card and provides valuable location evidence.

Location Identifiers

Location Data Structure Reference
# Cell Global Identity (CGI) = MCC + MNC + LAC + Cell ID

MCC      Mobile Country Code (404 for India)
MNC      Mobile Network Code (operator)
LAC      Location Area Code (16-bit: 0-65535)
Cell ID  Cell Identifier (16-bit: 0-65535)

# Example CGI: 404-10-12345-6789
# India - Airtel - LAC 12345 - Cell 6789

# LOCI (Location Information) on SIM stores:
- TMSI (Temporary Mobile Subscriber Identity)
- LAI (Location Area Identity = MCC + MNC + LAC)
- LOCI update status

Location Data Forensic Applications

  • Last Known Location: LOCI shows the last cell tower the phone connected to before being powered off or SIM removed
  • Movement Pattern: Comparing with CDR data can establish movement history
  • Timestamp Correlation: LOCI update times can be correlated with other evidence
  • Network Verification: Confirms which network the SIM was last used on

⚠ Location Accuracy Limitations

Cell tower location data only provides approximate location (cell coverage area can range from 100m in urban areas to several kilometers in rural areas). It does not provide GPS-level precision. However, with multiple tower records from CDRs, triangulation can improve accuracy.

IMEI Structure and Validation

The International Mobile Equipment Identity (IMEI) is a 15-digit unique identifier for mobile devices. Unlike the IMSI, which identifies the subscriber, the IMEI identifies the hardware device itself.

IMEI Structure Format
# IMEI Format: TAC SNR CD (the older FAC field is now part of the 8-digit TAC)
# 15 digits total: AABBBBBB CCCCCC D

TAC      Type Allocation Code (8 digits)
         - First 2 digits: Reporting Body Identifier
         - Next 6 digits: Device model identifier
SNR      Serial Number (6 digits)
         - Unique to each device of that model
CD       Check Digit (1 digit, Luhn algorithm)

# Example IMEI: 35-123456-789012-3
35       Reporting Body (GSMA - UK)
123456   Model identifier allocated by manufacturer
789012   Serial number (unique device)
3        Check digit (validates IMEI integrity)

# Common Reporting Body Identifiers:
01, 10   CTIA (USA)
35, 44   GSMA (UK)
86       TAF (China)
91       MSAI (India)

IMEI Check Digit Validation (Luhn Algorithm)

Luhn Algorithm for IMEI Validation Steps
# Example IMEI: 490154203237518

Step 1: Starting from the rightmost digit (the check digit, left as-is), double every second digit moving left
         4 9 0 1 5 4 2 0 3 2 3 7 5 1 8
           |   |   |   |   |   |   |
          18   2   8   0   4  14   2  (doubled values)

Step 2: If doubled value > 9, subtract 9
           9   2   8   0   4   5   2

Step 3: Sum all digits (undoubled digits + processed doubled digits)
         4 + 9 + 0 + 2 + 5 + 8 + 2 + 0 + 3 + 4 + 3 + 5 + 5 + 2 + 8
         = 60

Step 4: Valid if sum is divisible by 10
         60 is divisible by 10 = Valid IMEI

# For check digit calculation:
# Run steps 1-3 on the first 14 digits only (same doubled positions as above): sum = 52
# CD = (10 - (sum mod 10)) mod 10 = (10 - 2) mod 10 = 8

IMEI Forensic Applications

  • Device Identification: Link a specific phone to crime scene or communications
  • Stolen Device Tracking: IMEI is registered in CEIR database for blocking stolen phones
  • Manufacturer Query: TAC identifies make and model of device
  • Multiple SIM Detection: CDRs show when different SIMs used same IMEI
  • IMEI Change Detection: Invalid check digit suggests tampering

Cloning Detection

SIM cloning involves copying the authentication data from one SIM to another, allowing two SIMs to share the same identity. IMEI tampering involves changing a device's IMEI to avoid tracking or blacklisting.

Signs of SIM Cloning

  • Impossible Movement: CDR shows simultaneous activity in geographically distant locations within impossible timeframes
  • Overlapping Calls: Multiple concurrent calls or data sessions from same IMSI but different IMEI numbers
  • Authentication Failures: Increased authentication errors as network detects conflicting sessions from cloned SIMs
  • IMEI Anomalies: Same IMSI appearing with multiple different IMEI numbers in short time periods
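
One way to screen CDRs for the impossible-movement and IMEI-anomaly signs above, written as an added example rather than an operator or course tool: it flags consecutive events for one IMSI that imply an impossible travel speed, and IMEI changes inside a short window. The CDR row layout, tower coordinates, identifiers and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed CDR rows: (time, IMSI, IMEI, tower latitude, tower longitude).
# Assumption: LAC/Cell ID has already been mapped to tower coordinates.
CDRS = [
    ("2024-01-10 09:00:00", "404101234567890", "490154203237518", 28.6139, 77.2090),
    ("2024-01-10 09:20:00", "404101234567890", "490154203237518", 28.5355, 77.3910),
    ("2024-01-10 09:35:00", "404101234567890", "356938035643809", 19.0760, 72.8777),
    ("2024-01-10 10:00:00", "404119876543210", "352099001761481", 12.9716, 77.5946),
]

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def cloning_indicators(cdrs, max_kmh=900, min_km=50, imei_window_min=60):
    """Return (IMSI, indicator, time) alerts from consecutive events per IMSI."""
    by_imsi = defaultdict(list)
    for ts, imsi, imei, lat, lon in cdrs:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        by_imsi[imsi].append((when, imei, lat, lon))
    alerts = []
    for imsi, events in by_imsi.items():
        events.sort()
        for (t1, imei1, la1, lo1), (t2, imei2, la2, lo2) in zip(events, events[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            dist = km_between(la1, lo1, la2, lo2)
            # Hops shorter than min_km are ignored: cell coverage alone can
            # span several kilometres, so they say nothing about travel speed.
            if dist > min_km and (hours == 0 or dist / hours > max_kmh):
                alerts.append((imsi, "impossible movement", t2.isoformat(sep=" ")))
            if imei1 != imei2 and hours * 60 <= imei_window_min:
                alerts.append((imsi, "IMEI change in window", t2.isoformat(sep=" ")))
    return alerts

if __name__ == "__main__":
    for alert in cloning_indicators(CDRS):
        print(alert)
```

An IMEI change on its own also occurs when a subscriber moves the SIM to another handset, so it carries weight mainly when it coincides with the movement alert.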

IMEI Tampering Indicators

  • Invalid Check Digit: Luhn validation fails - indicates manual modification
  • Mismatched TAC: TAC doesn't match actual device model
  • Null or All-Zero IMEI: Generic IMEI indicating rooted/modified device
  • Duplicate IMEI: Same IMEI on different devices simultaneously
  • Blacklist Evasion: Device with previously blocked IMEI appearing with new number
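
The Luhn steps from the validation section and the first three tampering indicators above, combined as an added example (not code from this course): it splits an IMEI into TAC, SNR and check digit and lists what fails. The sample IMEIs and the `expected_tac` parameter (the TAC an examiner expects for the device's make and model) are constructed for illustration.

```python
# Luhn check plus structural tampering indicators for IMEI triage.
# Sample IMEIs and the expected_tac parameter are constructed for illustration.

def luhn_sum(number):
    """Luhn sum of a digit string whose last digit is the check digit."""
    total = 0
    for pos, ch in enumerate(reversed(number)):
        d = int(ch)
        if pos % 2 == 1:      # every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total

def check_digit(payload):
    """CD = (10 - (sum mod 10)) mod 10 for digits that lack a check digit."""
    return (10 - luhn_sum(payload + "0") % 10) % 10

def triage_imei(raw, expected_tac=None):
    """Split an IMEI into TAC / SNR / CD and list tampering indicators."""
    imei = "".join(c for c in raw if c in "0123456789")   # drop separators
    if len(imei) != 15:
        return {"imei": imei, "findings": ["not 15 digits"]}
    tac, snr, cd = imei[:8], imei[8:14], int(imei[14])
    findings = []
    if set(imei) == {"0"}:
        # Passes Luhn (sum 0), so it needs its own check.
        findings.append("all-zero IMEI")
    if luhn_sum(imei) % 10 != 0:
        findings.append(f"invalid check digit (expected {check_digit(imei[:14])})")
    if expected_tac and tac != expected_tac:
        findings.append(f"TAC mismatch (expected {expected_tac})")
    return {"imei": imei, "tac": tac, "snr": snr, "cd": cd, "findings": findings}

if __name__ == "__main__":
    for sample in ("490154203237518", "49-015420-323751-3", "000000000000000"):
        print(triage_imei(sample, expected_tac="49015420"))
```

A passing check digit only shows the number is well-formed; duplicate and blacklisted IMEIs still have to be checked against CDRs and the CEIR.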

🔒 Legal Framework in India

Under Section 66 of the IT Act and BNS provisions, IMEI tampering is a punishable offense. India's CEIR (Central Equipment Identity Register) maintains a database of legitimate and blacklisted IMEIs. Tampering with IMEI to evade blocking is a criminal offense.

Practical SIM Extraction

SIM Forensic Tools and Methods

| Method | Data Accessible | Requirements |
| --- | --- | --- |
| SIM Card Reader | ICCID, IMSI, ADN, LND, SMS, LOCI | PC/SC reader, forensic software |
| Phone Interface | Same as above via device | Unlocked device, forensic tool |
| AT Commands | IMSI, ICCID, network info | Modem access, terminal |
| Provider Records | Full CDR, subscriber info, KYC | Legal process (Section 91 CrPC) |

SIM Data Extraction Process

Common SIM Elementary Files (EF) Reference
# Key Elementary Files for Forensic Extraction

EF_ICCID    2FE2 - Integrated Circuit Card ID
EF_IMSI     6F07 - International Mobile Subscriber Identity
EF_ADN      6F3A - Abbreviated Dialing Numbers (Contacts)
EF_FDN      6F3B - Fixed Dialing Numbers
EF_SMS      6F3C - Short Messages
EF_LND      6F44 - Last Number Dialed
EF_MSISDN   6F40 - Mobile Station ISDN Number (Phone Number)
EF_LOCI     6F7E - Location Information
EF_PLMNSEL  6F30 - PLMN Selector
EF_SPN      6F46 - Service Provider Name

# Access conditions vary - some require PIN/ADM codes
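
An added example (not from this course or any forensic product) that decodes raw EF_ICCID, EF_IMSI and EF_LOCI contents as a reader returns them. The byte layouts follow 3GPP TS 51.011; the hex values are constructed to encode the ICCID, IMSI and LAI examples used earlier on this page, and the TMSI is arbitrary.

```python
# Constructed EF contents (hex) standing in for a PC/SC read of a SIM.
EF_ICCID = bytes.fromhex("98190100002143658729")    # file 2FE2
EF_IMSI = bytes.fromhex("084940012143658709")       # file 6F07
EF_LOCI = bytes.fromhex("a1b2c3d404f4013039ff00")   # file 6F7E

LOCI_STATUS = {0: "updated", 1: "not updated",
               2: "PLMN not allowed", 3: "location area not allowed"}

def nibbles(data):
    """Hex digits of each byte with the low nibble first (swapped BCD order)."""
    return "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in data)

def swap_bcd(data):
    """Nibble-swapped BCD to a digit string; 0xF filler nibbles are dropped."""
    return nibbles(data).replace("f", "")

def decode_iccid(ef):
    return swap_bcd(ef[:10])               # 19-digit ICCIDs end in an F filler

def decode_imsi(ef):
    length = ef[0]                         # count of IMSI bytes that follow
    if not 1 <= length <= 8 or len(ef) < 1 + length:
        raise ValueError("malformed or unprovisioned EF_IMSI")
    return swap_bcd(ef[1:1 + length])[1:]  # first nibble is a parity/type flag

def decode_loci(ef):
    """TMSI(4) + LAI(5: PLMN 3, LAC 2) + TMSI time(1) + update status(1)."""
    if len(ef) != 11:
        raise ValueError("EF_LOCI must be 11 bytes")
    tmsi, plmn, lac = ef[0:4], ef[4:7], ef[7:9]
    d = nibbles(plmn)                      # MCC1 MCC2 MCC3 MNC3 MNC1 MNC2
    return {
        "tmsi": None if tmsi == b"\xff" * 4 else tmsi.hex(),
        "mcc": d[:3].replace("f", ""),
        "mnc": (d[4:6] + d[3]).replace("f", ""),   # 2-digit MNC has F as digit 3
        "lac": int.from_bytes(lac, "big"),
        "status": LOCI_STATUS.get(ef[10] & 0x07, "reserved"),
    }

if __name__ == "__main__":
    print(decode_iccid(EF_ICCID), decode_imsi(EF_IMSI), decode_loci(EF_LOCI))
```

A status other than "updated", or an all-FF TMSI, means the stored LAI may not reflect a completed registration and should be corroborated with provider records.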

Key Takeaways

  • ICCID identifies the physical SIM card with 19-20 digits including country and issuer codes
  • IMSI identifies the subscription/subscriber with 15 digits (MCC + MNC + MSIN)
  • LAC and Cell ID in LOCI provide the last network location before SIM removal or power off
  • IMEI identifies the device hardware with 15 digits; check digit validates integrity using Luhn algorithm
  • Invalid IMEI check digits indicate potential tampering - use the IMEI Validator tool for verification
  • SIM cloning indicators include simultaneous activity in distant locations and overlapping calls
  • IMEI tampering is illegal under IT Act and BNS; CEIR maintains blacklist of stolen/tampered devices
  • SIM data extraction requires proper forensic tools; provider records need legal process (Section 91 CrPC)