Introduction
SIM cards and IMEI numbers are fundamental to mobile device identification and network connectivity. Understanding these components is crucial for investigators as they provide unique identifiers that can link devices to subscribers and establish usage patterns. This part covers SIM card forensics, IMEI verification, and India's CEIR database.
By the end of this part, you will understand SIM card structure, decode ICCID and IMSI numbers, verify IMEI, use CEIR database, and detect cloned devices.
SIM Card Structure
A SIM (Subscriber Identity Module) card is a smart card that stores subscriber identity information, authentication keys, and limited user data.
SIM Card Types
| Type | Dimensions | Introduction |
|---|---|---|
| Full-size SIM (1FF) | 85.6 x 53.98 mm | 1991 - Credit card size |
| Mini-SIM (2FF) | 25 x 15 mm | 1996 - Standard SIM |
| Micro-SIM (3FF) | 15 x 12 mm | 2003 - Smaller form factor |
| Nano-SIM (4FF) | 12.3 x 8.8 mm | 2012 - Current standard |
| eSIM (MFF2) | Embedded chip | 2016 - Soldered to device |
SIM Card Data Storage
IMSI
International Mobile Subscriber Identity - unique 15-digit number identifying the subscriber on the network.
Ki (Authentication Key)
128-bit secret key used for network authentication. Never transmitted, used for challenge-response.
MSISDN
Mobile Station ISDN Number - the actual phone number associated with the SIM.
SMS Storage
Limited SMS storage (typically 20-50 messages) on the SIM card itself.
SIM File System
SIM cards have a hierarchical file system organized into Elementary Files (EF), Dedicated Files (DF), and Master File (MF).
| File | Description | Forensic Value |
|---|---|---|
| EF_ICCID | SIM card serial number | Unique SIM identifier |
| EF_IMSI | Subscriber identity | Links to subscriber record |
| EF_ADN | Abbreviated Dialing Numbers | Stored contacts |
| EF_SMS | SMS messages | Text message content |
| EF_LOCI | Location information | Last known location area |
| EF_FDN | Fixed Dialing Numbers | Restricted dialing list |
| EF_LND | Last Numbers Dialed | Recent outgoing calls |
Tools for SIM card forensics include: SIM Card Seizure (Paraben), Cellebrite UFED (includes SIM reader), MSAB XRY, MOBILedit Forensic, and open-source tools like pySIM. Most require a dedicated SIM card reader connected via USB.
Understanding ICCID and IMSI
ICCID and IMSI are two critical identifiers that help link SIM cards to operators and subscribers.
ICCID (Integrated Circuit Card Identifier)
The ICCID is a unique 19-20 digit number printed on the SIM card and stored in EF_ICCID.
# ICCID Structure (19-20 digits)
89 91 10 XXXXXXXXXX X
# Breakdown:
89 - Industry Identifier (Telecom)
91 - Country Code (India = 91)
10 - Issuer Identifier (Network operator)
XXXXXXXXXX - Individual Account Identification
X - Check digit (Luhn algorithm)
# Example Indian ICCID:
89 91 10 1234567890 1
89 = Telecom industry
91 = India
10 = Operator code
1234567890 = Account ID
1 = Check digit
Indian Operator Codes (MNC)
| MNC | Operator | Notes |
|---|---|---|
| 02, 03 | Airtel | Bharti Airtel |
| 04, 05, 06 | BSNL | State-owned |
| 07 | IDEA | Now Vi (Vodafone Idea) |
| 10, 11, 12 | Vodafone | Now Vi (Vodafone Idea) |
| 55, 56 | Jio | Reliance Jio |
| 72 | MTNL | Delhi, Mumbai |
IMSI (International Mobile Subscriber Identity)
The IMSI is a 15-digit number that uniquely identifies a subscriber within a network.
# IMSI Structure (15 digits)
MCC MNC MSIN
# Components:
MCC - Mobile Country Code (3 digits)
India = 404, 405
MNC - Mobile Network Code (2-3 digits)
MSIN - Mobile Subscriber Identification Number (9-10 digits)
# Example Indian IMSI:
404 10 1234567890
404 = India (MCC)
10 = Airtel (MNC)
1234567890 = Subscriber ID (MSIN)
IMSI catchers (Stingrays) can capture IMSI numbers by impersonating cell towers. This is used by law enforcement but also potentially by criminals for tracking. Modern networks use TMSI (Temporary Mobile Subscriber Identity) to protect IMSI during normal communications.
IMEI Verification
IMEI (International Mobile Equipment Identity) is a unique 15-digit number that identifies the mobile device hardware, independent of the SIM card.
IMEI Structure
# IMEI Structure (15 digits)
TAC FAC SNR CD
# Components:
TAC - Type Allocation Code (8 digits)
First 2 = Reporting Body (35 = BABT UK)
Next 6 = Manufacturer + Model
FAC - Final Assembly Code (2 digits, often 00)
SNR - Serial Number (6 digits)
CD - Check Digit (Luhn algorithm)
# Example:
35 123456 00 123456 7
35 = Reporting body
123456 = Type approval code (manufacturer/model)
00 = Assembly code
123456 = Serial number
7 = Check digit
# Check IMEI on device:
Dial: *#06#
IMEI Validation (Luhn Algorithm)
The last digit of IMEI is a check digit calculated using the Luhn algorithm.
# Luhn Algorithm Steps:
1. Take first 14 digits of IMEI
2. Double every second digit (from right)
3. If doubled digit > 9, subtract 9
4. Sum all digits
5. Check digit = (10 - (sum mod 10)) mod 10
# Example: IMEI 35-209900-176148-?
Digits: 3 5 2 0 9 9 0 0 1 7 6 1 4 8
Double: 3 10 2 0 9 18 0 0 1 14 6 2 4 16
Adjust: 3 1 2 0 9 9 0 0 1 5 6 2 4 7
Sum: 49
Check: (10 - 49%10) % 10 = (10-9)%10 = 1
# Complete IMEI: 352099001761481
IMEI Verification Resources
- GSMA IMEI Database: imeidb.gsma.com (restricted access)
- Online Checkers: imei.info, imeipro.info (basic info)
- Manufacturer Sites: Apple, Samsung have IMEI verification
- CEIR Portal: India's official database (ceir.gov.in)
CEIR Database (India)
CEIR (Central Equipment Identity Register) is India's national database for mobile device identification, managed by DoT (Department of Telecommunications).
CEIR Components
White List
Legitimate devices with valid IMEI. Allowed to connect to Indian networks.
Black List
Lost, stolen, or counterfeit devices. Blocked from all Indian networks.
Grey List
Devices under verification or with compliance issues. Limited functionality.
CEIR Portal Features
- Check IMEI Status: Verify if device is blocked or legitimate
- Report Lost/Stolen: Citizens can report stolen devices for blocking
- Unblock Request: Request unblocking if device is recovered
- Verify New Device: Check IMEI before purchasing used phones
How to Use CEIR Portal
# CEIR Portal: https://ceir.gov.in
# Check IMEI Status:
1. Visit ceir.gov.in
2. Click "Check IMEI"
3. Enter 15-digit IMEI
4. View status (Valid/Blocked/Not Found)
# Report Lost/Stolen Device:
1. Visit ceir.gov.in
2. Click "Block Stolen/Lost Mobile"
3. Register/Login with mobile number
4. Provide: IMEI, Device details, FIR number
5. Submit request
6. Device blocked on all Indian networks within 24-48 hours
# Alternative: SMS Method
SMS "KYM <space> 15-digit IMEI" to 14422
CEIR for Law Enforcement
- Device Tracing: Track last known network registration of blocked device
- Ownership Verification: Link IMEI to registered owner
- Usage History: Obtain device connection history from TSPs
- Bulk Queries: Law enforcement portal for multiple IMEI checks
When a reported stolen phone is found, investigators can: (1) Check CEIR to confirm it's reported stolen, (2) Get complainant details from the FIR linked in CEIR, (3) Request TSP data for IMEI usage history, (4) Identify when and where the device was used after theft.
Clone Detection
SIM cloning and IMEI tampering are serious crimes that investigators may encounter. Understanding detection methods is essential.
Types of Cloning
- SIM Cloning: Duplicating SIM card data (IMSI, Ki) to another card
- IMEI Cloning: Copying another device's IMEI to make a phone appear legitimate
- IMEI Tampering: Changing IMEI to hide device identity
SIM Cloning Detection
Simultaneous Location
Same IMSI appearing in different locations simultaneously indicates cloning.
Multiple IMEI Usage
Same SIM (IMSI) used with many different devices in short period.
Authentication Failures
Increased authentication failures when clone and original both try to connect.
Billing Anomalies
Calls or data usage the legitimate user doesn't recognize.
IMEI Tampering Detection
- IMEI Format Check: Invalid check digit indicates tampering
- TAC Mismatch: IMEI type code doesn't match actual device model
- Duplicate IMEI: Same IMEI used by multiple devices on network
- Physical Inspection: Compare with IMEI on device label/box
- Software Check: IMEI in different system locations may not match
Detecting IMEI Tampering (Android)
# Multiple methods to check IMEI on Android
# Method 1: Dialer code
*#06#
# Method 2: Settings
Settings > About Phone > IMEI
# Method 3: ADB (with USB debugging)
adb shell service call iphonesubinfo 1
# Method 4: System properties
adb shell getprop ro.gsm.imei
adb shell getprop persist.radio.imei
# Compare all methods - mismatches indicate tampering
# Also compare with IMEI on physical device label
IMEI tampering is illegal under IT Act Section 66 (Computer Related Offences) and Telecom Acts. CEIR has made it mandatory for all devices on Indian networks to have valid, non-tampered IMEI. Devices with invalid IMEI can be blocked from network access.
eSIM Forensics
eSIM (embedded SIM) presents new challenges for forensic investigators as it's soldered to the device and managed remotely.
eSIM Characteristics
- Physical: Chip embedded in device, cannot be removed
- Profiles: Multiple carrier profiles can be stored
- Remote Management: Profiles downloaded/activated remotely
- QR Code Activation: Carrier provides QR code for profile installation
Forensic Challenges with eSIM
- Cannot physically extract eSIM for separate analysis
- Remote profile deletion possible if device has network access
- Multiple profiles mean multiple identities on single device
- Profile history may reveal past carriers/numbers used
eSIM Investigation Approach
- Isolate Device: Faraday bag immediately to prevent remote management
- Check Settings: View installed eSIM profiles before lockout
- Carrier Request: Request profile history from carriers
- Device Backup: Extract via backup to preserve eSIM data
- SIM cards store IMSI, Ki, contacts, SMS, and location information
- ICCID is the SIM card's unique serial number (19-20 digits, printed on card)
- IMSI is the subscriber identity (15 digits: MCC + MNC + MSIN)
- IMEI identifies the device hardware (15 digits, verified by Luhn algorithm)
- India MCC codes: 404, 405; dial *#06# to view IMEI on any phone
- CEIR (ceir.gov.in) is India's database for blocking stolen devices and verifying IMEI
- SIM cloning detected by: simultaneous location, multiple devices, auth failures
- IMEI tampering detected by: check digit validation, TAC mismatch, multiple method comparison
- eSIM requires immediate device isolation to prevent remote profile deletion