Most people think of a SIM card as just a carrier activation chip. Forensically, it’s a distinct evidence source with its own data storage — separate from the phone and recoverable even when the phone itself is damaged or encrypted.
SIM card forensics is a specialized area with specific tools, procedures, and limitations.
What Data Is Stored on a SIM Card
SIM cards are smart cards with integrated circuits that store a defined set of data:
ICCID (Integrated Circuit Card Identifier): The SIM card’s unique serial number. Identifies the specific SIM.
IMSI (International Mobile Subscriber Identity): A unique number tied to the subscriber’s account on the carrier’s network. Identifying the IMSI identifies the account holder.
SMS messages: SIM cards have a fixed capacity for SMS storage (typically 20–50 messages). When the capacity is full, new messages overwrite old ones unless the user manually saves messages to the phone’s internal storage. SIM-stored SMS is separate from the phone’s SMS database.
Contact list: SIM cards store a limited address book (usually 100–250 entries) with name and phone number. These are separate from the phone’s contact database and may contain different entries.
Last dialed numbers: Some SIM cards store the last 10–20 dialed numbers.
Service provider information: Network operator name, preferred networks, and data service settings.
Authentication keys: The Ki authentication key is stored on the SIM and used by the carrier network for subscriber authentication. This is not extractable by standard forensic tools — attempting to access it causes the SIM to lock permanently.
What SIM Cards Don’t Store
A common misunderstanding: SIM cards don’t store:
All of these reside on the phone’s internal storage, not the SIM.
SIM Card Forensic Tools
Cellebrite UFED: Includes a SIM card reader that extracts contacts, SMS, and other SIM-stored data independently of the phone.
Forensic SIM readers: Dedicated hardware that connects to a SIM card via standard card reader and reads all accessible elementary files.
SIM Card Seizure (Paraben): A legacy but still used tool specifically designed for SIM card data extraction.
The extraction process is non-destructive and typically takes 5–15 minutes per SIM.
eSIM — The Forensic Challenge
Physical SIM cards are being progressively replaced by eSIM (embedded SIM) technology. eSIMs are soldered directly onto the device’s motherboard and cannot be physically removed for separate extraction.
eSIM forensics requires:
SIM Swapping and Forensic Implications
SIM swapping is a fraud technique where an attacker convinces a carrier to transfer a victim’s phone number to a new SIM. Forensically:
SIM swap fraud investigations often involve both device forensics (victim’s original phone) and carrier records (showing the account change).
FAQ: SIM Card Forensics
Q: Can forensic examiners recover deleted SMS messages from a SIM card?
A: Sometimes. SIM cards flag deleted SMS messages as deleted without immediately zeroing the storage space. Forensic tools can read the raw memory blocks and recover messages flagged for deletion but not yet overwritten. This is different from the phone’s SMS database recovery.
Q: If I remove the SIM card before handing over my phone, does that protect my data?
A: No. The SIM card contains a very small subset of what’s on the phone. Your photos, app data, email, and most messages are on the phone’s internal storage, not the SIM.
Q: Can a SIM card be tied to a specific crime location using cell tower data?
A: The SIM’s IMSI is what the cell tower logs — so yes, tower records showing an IMSI at a specific location can be tied back to the SIM card bearing that IMSI, and therefore to the account holder.
Q: Does a factory reset make data unrecoverable?
A: On modern devices with hardware encryption, a factory reset destroys the encryption keys, making data practically unrecoverable. On older devices, some data may survive in unallocated storage sectors.
Q: How should a device be handled between seizure and examination?
A: Place it in a Faraday bag, keep it charged, enable airplane mode if accessible, and document its state at seizure. Avoid powering it off if it is already on.
Case Example
In a civil dispute, one party alleged digital evidence had been altered after a preservation obligation arose. The forensic examiner compared file system metadata against the litigation timeline and found several files modified after the preservation letter was received. A system cleanup utility had been run during the same period. The examiner documented the specific artifacts indicating post-preservation modifications, distinguishing between routine system operations and deliberate user actions, providing the court with a factual basis for evaluating the spoliation claim.
Practitioner Takeaways
- Verify forensic images with cryptographic hashing before analysis.
- Document every examination step for reproducibility.
- Cross-reference findings across multiple artifact types.
- Note tool versions used — behavior changes between versions affect reproducibility.
- Distinguish facts from inferences in your report.
See also: Nft Fraud Forensics | Tiktok Forensics | Employment Investigation Forensics
Need Professional Digital Forensics?
Octo Digital Forensics provides expert mobile forensics, data recovery, and digital investigation services for attorneys, insurance companies, and private investigators. Court-admissible reports. Certified examiners.
Contact: octodf.com | info@derickdowns.com | (858) 692-3306
