SIM Forensics: Last Location

Publication date: 2019-06-18
Last update: 2019-12-24
Author: Victor Celer

Every time the mobile phone registers to the GSM/UMTS/LTE network (this is known as IMSI attach) or changes location area, a specific file on the SIMcard is updated to record the current location. This file is named EF_LOCI in the 3GPP standards; its exact structure is specified in 3GPP TS 11.11. Regardless of whether the technology is 2G, 3G or LTE, the LOCI file is always present and contains the following information:

Bytes     Description               Length
1 to 4    TMSI                      4 bytes
5 to 9    LAI                       5 bytes
10        TMSI TIME                 1 byte
11        Location update status    1 byte

The Location Area Information (LAI) represents the current location of the mobile equipment or the last location before the device was turned off, switched to airplane mode or damaged. The LAI can be useful for forensic purposes or any geolocation tracking use cases. In this article we'll learn how to extract and decode the LAI.

There are two ways to extract information from the SIM/USIM:

  1. A smartphone app that reads the SIMcard files.
  2. A Card Reader plus specialized PC software.

The advantage of the first option is that you don't need to purchase a Card Reader and specialized PC software, and you don't need to remove the SIM from the mobile device. However, there are several disadvantages as well:

  • When the SIMcard is inserted into a mobile phone and a power cycle is performed, some data may be overwritten. For instance, the LOCI will be overwritten during network registration. To avoid this you can switch on Airplane mode, but there is no guarantee that all data will be preserved.
  • The mobile app doesn't access the SIMcard memory directly; it goes through the mobile OS. So there is no guarantee that the information is unmodified and complete. In forensics this is called logical extraction.

Because of these limitations, using a Card Reader is the recommended approach. Warning! If you don't have experience using a Card Reader device, it is strongly recommended to follow some online tutorials to learn how to handle the SIMcard and the Card Reader properly. Many people have damaged their SIMcards by touching the metal pads or by inserting the chip into the Card Reader without a plastic holder.

We don't recommend a specific Card Reader. Most of them are appropriate for the job and the prices are similar. Here are some basic recommendations:

  • First of all, make sure it's a SIMcard Reader, not an SD card reader!
  • Size matters! If the reader is about the size of a USB flash stick, you probably won't need any additional plastic holders/adapters to insert the SIMcard into it. However, it also means that the same Card Reader doesn't support larger card sizes like the 1FF format used for banking cards, access cards and so on.
  • Some vendors include the drivers and even some PC software. This can be convenient because there are very few generic freeware options.

In this example we'll use MOBILedit. There used to be a free Lite version, but it is no longer available. The following screenshot shows what MOBILedit managed to extract from our test SIMcard:

MOBILedit screen

We are interested in the LAI, which is extracted from the LOCI file:

d0 d1 d2 d3 d4 d5 d6 d7 d8 d9
371201013C

The LAI is encoded as follows:

Field                        LAI nibbles    Value
Mobile Country Code (MCC)    d1 d0 d3       732
Mobile Network Code (MNC)    d5 d4 d2       101
Location Area Code (LAC)     d6 d7 d8 d9    013C

The MCC and the MNC are encoded as BCD digits (with the nibbles swapped within each byte, as the table shows), while the LAC is encoded as a plain 16-bit value. So the hexadecimal value 13C has to be converted to decimal: 316. The final decoded LAI is 732-101-316.
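As an added worked example (not code from the article or from MOBILedit), here is a Python decoder for the full 11-byte EF_LOCI record that applies the nibble mapping above. Only the LAI bytes in the sample record are the ones extracted above; the TMSI, TMSI TIME and status bytes are constructed. It also handles the 2-digit MNC case (third MNC digit filled with F), which the article's example does not exercise.

```python
# Added example (not code from the article or from MOBILedit): decode a raw
# EF_LOCI record as laid out in 3GPP TS 11.11 and recover MCC/MNC/LAC.

# Location update status (bits b3..b1 of byte 11, per TS 11.11 section 10.3.9).
LOCATION_UPDATE_STATUS = {
    0: "updated",
    1: "not updated",
    2: "PLMN not allowed",
    3: "location area not allowed",
}

def _bcd_digits(data: bytes) -> list[int]:
    """Split bytes into BCD digits, low nibble first (the order TS 11.11 stores them in)."""
    digits = []
    for b in data:
        digits.append(b & 0x0F)
        digits.append(b >> 4)
    return digits

def decode_lai(lai: bytes) -> dict:
    """Decode the 5-byte LAI: 3 bytes of swapped-nibble BCD (MCC/MNC) + 16-bit LAC."""
    if len(lai) != 5:
        raise ValueError("LAI must be exactly 5 bytes")
    d = _bcd_digits(lai[:3])  # d = [MCC1, MCC2, MCC3, MNC3, MNC1, MNC2]
    mcc = f"{d[0]}{d[1]}{d[2]}"
    # MNC digit 3 is filled with 0xF when the operator uses a 2-digit MNC.
    mnc = f"{d[4]}{d[5]}" if d[3] == 0xF else f"{d[4]}{d[5]}{d[3]}"
    lac = int.from_bytes(lai[3:5], "big")  # plain 16-bit integer, not BCD
    return {"mcc": mcc, "mnc": mnc, "lac": lac, "lai": f"{mcc}-{mnc}-{lac}"}

def decode_loci(loci: bytes) -> dict:
    """Decode the full 11-byte EF_LOCI record: TMSI, LAI, TMSI TIME, update status."""
    if len(loci) != 11:
        raise ValueError("EF_LOCI must be exactly 11 bytes")
    record = {"tmsi": loci[0:4].hex().upper()}
    record.update(decode_lai(loci[4:9]))
    record["tmsi_time"] = loci[9]
    status = loci[10] & 0x07  # bits b4..b8 are reserved for future use
    record["status"] = LOCATION_UPDATE_STATUS.get(status, f"reserved ({status})")
    return record

# Constructed sample record: the LAI bytes are the ones from the article; the
# TMSI, TMSI TIME and status bytes are made up for illustration.
SAMPLE_LOCI = bytes.fromhex("A1B2C3D4" + "371201013C" + "FF" + "00")

if __name__ == "__main__":
    print(decode_loci(SAMPLE_LOCI))  # lai -> 732-101-316
```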

The MCC/MNC table shows that 732-101 is Claro Colombia. Moreover, the IMSI starts with the same digits, 732101, which means that this SIMcard was issued by the same operator. So it is not roaming.

We can use a free LBS service like OpenCellid to find out the approximate location of this specific LAI:

OpenCellid LBS

The LBS API requires a token. You can register for free to get one, but the number of free requests is limited. The limit is reasonably high, so it is still suitable for most forensic tasks.

Notice that the API uses "LAC fallback" mode. This is necessary because we don't know the Cell ID (CID): that value is not stored in the LOCI file on the SIMcard. The CID is, however, included in the LOCI record kept in the mobile device and in the operator's HLR, so if you have access to the operator's HLR you can query the full LOCI including the CID and achieve much higher location accuracy. Some SIM-based applications can store the CID and additional data such as the NMR, but those applications are not part of the 3GPP standards.