CH4: Cellular Networks and Subscriber Identity
Chapter Overview
In previous chapters, we focused on the device itself—handling it at the crime scene, understanding the legal framework for seizure, and managing its power state. However, a mobile device does not exist in a vacuum. It is a radio transmitter designed to communicate constantly with a vast, complex infrastructure: the cellular network.
For the digital forensic investigator, the network is often as important as the device. When a suspect destroys a phone, the network logs remain. When a device is encrypted and inaccessible, the Call Detail Records (CDRs) from the service provider can still prove location and association.
This chapter explores the invisible tether between the mobile device and the cellular tower. We will examine the evolution of network standards—from the days of 2G to the modern 5G landscape—and how these shifts impact what evidence is recoverable. We will also dissect the "Subscriber Identity," specifically the SIM card, which serves as the digital key to the network. Understanding how Mobile Network Operators (MNOs) and Mobile Virtual Network Operators (MVNOs) function is critical for drafting accurate search warrants and identifying the correct custodian of records.
Learning Objectives
By the end of this chapter, you will be able to:
- Differentiate between legacy architectures (CDMA vs. GSM) and explain their historical significance in device identification.
- Analyze the forensic implications of the transition from circuit-switched (2G/3G) to packet-switched (4G/5G/LTE) networks.
- Identify the major Mobile Network Operators (MNOs) and Mobile Virtual Network Operators (MVNOs) and the specific challenges MVNOs present in criminal investigations.
- Utilize open-source intelligence (OSINT) tools to determine the carrier associated with a specific mobile number.
- Explain the structural hierarchy of a SIM card file system and the specific artifacts (ICCID, IMSI) valuable to investigations.
4.1 The Evolution of Cellular Communication
Mobile forensics is unique among digital forensic disciplines because it is inextricably linked to the history of radio telecommunications. Unlike a hard drive, which has stored data in much the same way for decades, mobile phones change behavior based on the network generation they connect to.
A Brief History of Standards: CDMA vs. GSM
For nearly two decades (roughly 1995–2015), the mobile world was divided into two incompatible camps: GSM (Global System for Mobile Communications) and CDMA (Code Division Multiple Access). While 4G and 5G have largely unified these standards, you will frequently encounter this distinction in historical cases, cold cases, or when analyzing older "burner" phones found in drug trafficking operations.
- GSM (AT&T, T-Mobile): The "Global" standard used by most of the world. Its defining forensic feature was portability. User identity was stored on a removable smart card called a SIM (Subscriber Identity Module). If a user swapped their SIM into a new phone, their phone number and network identity moved with them immediately.
- CDMA (Verizon, Sprint): The dominant standard in the United States. In pure CDMA implementations, there was no SIM card. The subscriber identity was programmed directly into the device's NVRAM (Non-Volatile Random Access Memory). To change phones, a user had to call the carrier to "ESN Swap" (Electronic Serial Number swap) the device on the backend.
Forensic Significance: In older investigations, this distinction dictated where the evidence lived. In a GSM investigation, the contact list and SMS messages might be found on the SIM card, independent of the phone. In a CDMA investigation, that data lived solely on the handset’s internal memory. Today, almost all modern carriers (including Verizon) utilize LTE/5G standards that require a SIM card (or eSIM), effectively ending the "CDMA era" of hard-coded phones. However, knowing why a phone lacks a SIM slot is crucial when cataloging older evidence.
The 5G Shift & The "Sunset" of 2G/3G
We are currently living through a massive infrastructure shift known as the "Sunset." Carriers are actively decommissioning 2G and 3G towers to free up radio frequency (spectrum) for 5G.
- The "Dumb Phone" Obsolescence: Criminals have historically preferred older "feature phones" (cheap, disposable devices) because they were perceived as harder to track and had no GPS apps. However, these devices relied on 2G and 3G networks. As those networks shut down, these phones stop working.
- Forensic Impact:
- Live Tracking: You can no longer perform "ping" requests (exigent location pings) on a 2G device if the carrier has dismantled the 2G network in that region.
- Cold Cases: Even if the network is gone, the data inside the device remains. An old Nokia found in an evidence locker from 2010 can still be acquired physically, even if it can never make a call again. The device forensics remain valid, even if the network forensics are obsolete.
Circuit-Switched vs. Packet-Switched Networks
The most profound change in cellular history—and one that affects how we analyze intercepted data—is the move from circuit switching to packet switching.
- Circuit-Switched (2G/3G): Think of this like a landline or a tin-can telephone. When you made a call, the network reserved a dedicated physical path (circuit) between you and the receiver. Data was linear and continuous.
- Forensic view: Call logs were simple. Start time, End time, Duration.
- Packet-Switched (4G LTE/5G): This is how the Internet works. Your voice is not sent as a continuous wave; it is chopped into tiny digital "packets" of data, sent over the internet protocol (IP), and reassembled at the other end.
- Forensic view: A "call" on a modern 5G phone is actually a VoLTE (Voice over LTE) session. It is data usage, technically similar to a Zoom call. This creates vastly richer metadata. We can now potentially see IP addresses associated with calls, precise data usage timestamps, and "pings" as the device constantly handshakes with data servers, providing much more granular location data than the old "start/end" call logs.
4.2 Network Infrastructure & The Service Provider Landscape
To obtain a search warrant for mobile records, you must first understand who holds the keys to the data. The architecture of the cellular network involves physical hardware (towers) and corporate entities (carriers).
Modern Cellular Architecture
When a suspect makes a call, the signal flows through a specific hierarchy. Understanding this helps you interpret "Tower Dumps" and location records.
- UE (User Equipment): The mobile device and SIM.
- The Radio Access Network (RAN):
- Cell Site (The Tower): The physical structure with antennas.
- Base Station (NodeB / eNodeB / gNodeB): The hardware controlling the radio signals. Note: You will see "eNodeB" in 4G records and "gNodeB" in 5G records.
- The Core Network: The carrier's central brain. This is where the HLR (Home Location Register) and VLR (Visitor Location Register) live.
- Forensic Relevance: When you subpoena a carrier, you are asking for data from their Core Network. They query their HLR to see where the suspect's phone was last seen (which VLR it was connected to).

MNOs vs. MVNOs
This is the most common stumbling block for new investigators. Not every company that sells a SIM card owns the towers.
Mobile Network Operators (MNOs)
These are the facility owners. They own the spectrum licenses, the towers, and the core network infrastructure. In the United States, the "Big Three" are:
- Verizon Wireless
- AT&T
- T-Mobile (which acquired Sprint)
If you need Tower Dumps (a list of all phones that pinged a specific tower at a specific time), you must go to an MNO. Only they own the towers.
Mobile Virtual Network Operators (MVNOs)
These are "resellers." They lease bulk access from the MNOs and resell it to consumers under their own brand.
- Examples: Mint Mobile, Boost Mobile, Cricket Wireless, Google Fi, Consumer Cellular.
- TracFone: The most significant MVNO in criminal investigations is TracFone (now owned by Verizon, but historically separate). TracFone owns multiple sub-brands like Straight Talk, Walmart Family Mobile, and Simple Mobile. These are the quintessential "burner" phones sold in cash at big-box retailers.

Investigation Challenges & Legal Requests
The relationship between MNOs and MVNOs creates a complex "Legal Nexus." You must serve the warrant to the entity that actually holds the data you need.
- Scenario: A suspect uses a Mint Mobile phone. Mint Mobile runs on T-Mobile's network.
- Billing/Subscriber Data: If you want to know who pays the bill, the credit card used, or the name on the account, you must subpoena Mint Mobile. T-Mobile does not have Mint's customer billing records.
- Location/Tower Data: If you want to know where the phone was (Call Detail Records with Cell Site Location Info), you may need to go to T-Mobile. Mint Mobile (the MVNO) often does not retain raw engineering logs of tower connections; the MNO (T-Mobile) does.
- The Trap: A common mistake is serving a warrant to T-Mobile for the subscriber name, only for T-Mobile to reply, "Not our customer, this is a wholesale reseller number." You then have to re-serve the warrant to the MVNO, wasting critical days in the investigation.
MNO vs. MVNO Evidence Matrix
| Evidence Type | Primary Custodian (Usually) | Notes |
|---|---|---|
| Subscriber Name/Address | MVNO | The company who sends the bill knows the customer. |
| Credit Card/Payment | MVNO | Essential for de-anonymizing "burner" phones. |
| Call Logs (Who called whom) | MVNO (and sometimes MNO) | Both usually retain these for billing purposes. |
| Tower Dumps (Geo-fence) | MNO ONLY | MVNOs do not own towers and cannot provide dump data. |
| Per-Call Location (CSLI) | Shared / Context Dependent | Start with MVNO; they may have to request it from the MNO. |
Carrier Identification Tools
Before writing your preservation letter or search warrant, you must identify the carrier. You cannot rely on the "branding" on the phone (a suspect might put an AT&T SIM card into an unlocked Verizon phone).
- Free Online Lookups:
- FreeCarrierLookup.com / FoneFinder.net: These sites allow you to input a phone number. They return the OCN (Operating Company Number).
- Warning: These tools often identify the original carrier of the number block, not necessarily the current carrier if the number has been ported (transferred).
- NPAC (Number Portability Administration Center):
- For Law Enforcement in the US, the gold standard is the IVR (Interactive Voice Response) systems provided by the NPAC or accessing the Law Enforcement/Public Safety portal. This database tracks every phone number in North America and, critically, tells you if a number has been "ported" from one carrier to another.
- Example: A number starting with (212) might originally be a Verizon landline, but NPAC will show it is currently active on a T-Mobile cell phone.
- Search.org:
- This is an invaluable resource for law enforcement. They provide a comprehensive "ISP List" and "Mobile Carrier" database that details exactly where to send a subpoena (fax numbers, legal compliance addresses) and what specific language each carrier requires.
- Device-Based Identification:
- If you have the physical device, remove the SIM card and look at the ICCID (Integrated Circuit Card Identifier). The first few digits (the IIN) identify the issuer.
- 890141 = AT&T
- 890126 = T-Mobile
- 891480 = Verizon
4.3 Identity and Attribution: Hardware vs. Subscriber
In mobile forensics, we must constantly distinguish between the container and the user. A suspect may use multiple phones (containers) with a single SIM card, or a single phone with multiple SIM cards (users). To attribute criminal activity correctly, you must understand the unique identifiers assigned to the hardware versus those assigned to the subscriber.
The IMEI (International Mobile Equipment Identity)
The IMEI is the digital fingerprint of the mobile device itself. It is independent of the user; it identifies the physical handset. Every GSM, LTE, and 5G phone has a unique IMEI.
Anatomy of an IMEI
An IMEI consists of 15 digits arranged in a specific structure. Understanding this structure allows an investigator to learn about a device without even touching it.
The structure is: AA-BBBBBB-CCCCCC-D (formatted as TAC-SNR-CD)
- TAC (Type Allocation Code) - First 8 Digits:
- This is the most valuable section for initial triage. The TAC identifies the specific make and model of the device.
- Forensic Application: If you find a device that is smashed, burned, or locked, and you can only recover the IMEI (perhaps from the SIM tray or billing records), you can look up the TAC to determine exactly what the device is (e.g., "iPhone 14 Pro, North American Model").
- SNR (Serial Number) - Next 6 Digits:
- This is the unique serial number assigned by the manufacturer to that specific unit within the TAC batch.
- CD (Check Digit) - Last 1 Digit:
- A calculated digit used to verify the integrity of the IMEI.

Integrity Checks: The Luhn Algorithm
The final digit of the IMEI is calculated using the Luhn Algorithm (also used for credit card numbers). This is a checksum formula used to validate that the IMEI has not been mistyped or corrupted.
How it works (Simplified):
- Starting from the second-to-last digit and moving left, double the value of every second digit.
- If doubling a number results in a two-digit number (e.g., 8 x 2 = 16), add the two digits together (e.g., 1 + 6 = 7).
- Sum all the digits.
- If the total modulo 10 equals 0 (ends in zero), the number is valid.
Forensic Tip: If you are manually typing an IMEI into a warrant application or a forensic tool, and the tool rejects it, you likely have a typo that failed the Luhn check.
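As an added example (not part of the chapter), the following Python splits an IMEI into the TAC, SNR and CD fields described above and applies the Luhn check exactly as listed in the four steps. The IMEIs used are constructed test values, not identifiers from any real device.

```python
"""Added example (not from the chapter): IMEI anatomy and the Luhn check.

Splits a 15-digit IMEI into TAC / SNR / CD as described in the text and
verifies the check digit with the Luhn algorithm. The IMEIs used here are
constructed test values, not identifiers from any real device.
"""
import re


def luhn_sum(digits: str) -> int:
    """Luhn weighted sum. The rightmost digit is taken at face value, every
    second digit moving left is doubled, and two-digit products are reduced
    by adding their digits (16 -> 1 + 6 = 7)."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:        # second-to-last, fourth-to-last, ...
            d *= 2
            if d > 9:
                d -= 9               # identical to summing the two digits
        total += d
    return total


def normalize(imei: str) -> str:
    """Strip the separators of the AA-BBBBBB-CCCCCC-D layout and any spaces."""
    return re.sub(r"[\s-]", "", imei)


def is_valid_imei(imei: str) -> bool:
    """True when the value is exactly 15 digits and the Luhn total ends in 0."""
    imei = normalize(imei)
    return len(imei) == 15 and imei.isdigit() and luhn_sum(imei) % 10 == 0


def imei_check_digit(body: str) -> str:
    """Compute the CD for a 14-digit TAC+SNR body (what a tool does when it
    offers to complete an IMEI typed without its check digit)."""
    body = normalize(body)
    if len(body) != 14 or not body.isdigit():
        raise ValueError("expected the 14-digit TAC + SNR body")
    # Luhn with a placeholder 0 in the check position, then pick the digit
    # that brings the total to a multiple of 10.
    return str((10 - luhn_sum(body + "0") % 10) % 10)


def split_imei(imei: str) -> dict:
    """Break an IMEI into the fields from the chapter and flag Luhn failures
    (a failed check on a hand-typed IMEI almost always means a typo)."""
    imei = normalize(imei)
    if len(imei) != 15 or not imei.isdigit():
        raise ValueError("an IMEI is 15 digits")
    return {
        "tac": imei[:8],          # Type Allocation Code: make/model lookup
        "snr": imei[8:14],        # manufacturer serial within the TAC batch
        "cd": imei[14],           # check digit as written
        "luhn_ok": luhn_sum(imei) % 10 == 0,
        "expected_cd": imei_check_digit(imei[:14]),
    }


if __name__ == "__main__":
    for candidate in ("490154203237518",   # constructed: as read from a SIM tray
                      "490154203237158"):  # constructed: two digits transposed
        print(candidate, split_imei(candidate))
```

The second sample shows why the tip above holds: transposing two adjacent digits while typing changes the Luhn total, so the value is rejected before it ever reaches a warrant application.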

Discovery Methods
How do you find the IMEI?
- Dialing *#06#: This is the universal "USSD" code. Dialing this on almost any phone in the world will display the IMEI on the screen.
- Physical Labels: On older phones with removable batteries, the IMEI is printed on a sticker under the battery.
- SIM Tray: On modern iPhones (iPhone 6s and later) and many Androids that are sealed (no removable battery), the IMEI is often laser-etched in microscopic text on the SIM card tray.
- Settings Menu: Typically found in Settings > General > About (iOS) or Settings > About Phone (Android).
- Original Packaging: If the phone is missing, the original box seized during a search warrant will list the IMEI.
The IMSI (International Mobile Subscriber Identity)
While the IMEI identifies the phone, the IMSI identifies the actual subscriber account within the cellular network. The IMSI is stored inside the SIM card, not the phone.
The IMSI is generally a 15-digit number, distinct from the phone number. It is the "private" identity used for routing calls within the network backbone.
Structure: MCC-MNC-MSIN
- MCC (Mobile Country Code): 3 digits. Identifies the country of origin (e.g., 310 for the USA).
- MNC (Mobile Network Code): 2 or 3 digits. Identifies the carrier (e.g., 410 for AT&T, 260 for T-Mobile).
- MSIN (Mobile Subscriber Identification Number): The remaining digits. This identifies the specific user account.

Forensic Relevance: "IMSI Catchers" (often called Stingrays) utilize this identifier. These devices mimic a cell tower to trick a suspect's phone into connecting, revealing the IMSI and location.
MEID, MDN, and MIN
You will encounter these acronyms, especially in older case files or records from Verizon/Sprint (legacy CDMA carriers).
- MEID (Mobile Equipment Identifier): This was the CDMA equivalent of the IMEI. It is 56 bits long and often represented in Hexadecimal (letters A-F and numbers 0-9). Modern tools often display both an IMEI and an MEID for world-phones.
- MDN (Mobile Directory Number): This is the 10-digit phone number you dial (e.g., 555-555-0199).
- Crucial Note: The MDN is portable. A user can move their MDN from Verizon to T-Mobile. Therefore, the MDN is just a "label" and not a hard-coded technical identifier.
- MIN (Mobile Identification Number): Historically, in the CDMA world, this was a permanent internal tracking number. In the past, the MIN and MDN were the same. However, due to "Number Portability" (keeping your number when you switch carriers), these have separated. The MDN follows the user; the MIN stays with the carrier.
4.4 The Subscriber Identity Module (SIM) Deep Dive
The SIM card is often underestimated. It is not just a "memory card" like a microSD. It is a Smart Card—a fully functional computer with its own processor, operating system, and file structure.
Definition & Purpose
SIM stands for Subscriber Identity Module. Its primary purpose is to authenticate the subscriber to the network. It holds the cryptographic keys (Ki) that allow the phone to prove to the tower, "I am who I say I am, and I have a paid subscription."
From a forensic perspective, the SIM is a treasure trove because it is designed to be portable. If a suspect smashes their phone but moves the SIM to a new device, the evidence (contacts, SMS, location caches) survives on the card.
Physical Evolution (Form Factors)
While the computing power of the SIM has increased, its physical size has decreased to save space inside modern smartphones.
- 1FF (First Form Factor - 1991): The size of a full credit card. The entire card was inserted into early car phones.
- 2FF (Mini SIM): The "Standard" SIM we used for years in the 2000s.
- 3FF (Micro SIM): Introduced largely by the iPhone 4.
- 4FF (Nano SIM): The current standard for physical cards. It is essentially just the gold contact pad with zero plastic border.
- eSIM (Embedded SIM): A chip soldered directly onto the phone's motherboard. It cannot be removed. To "swap" carriers, the user downloads a software profile.
- Forensic Challenge: You cannot perform a "SIM isolation" (removing the card) to prevent remote wiping on an eSIM device. You must rely on Faraday bags or Airplane Mode.
- iSIM (Integrated SIM): The future standard. The SIM functionality is integrated directly into the main processor (SoC) of the phone, removing the separate chip entirely.

SIM Architecture
The SIM card (a smart card) contains three types of memory, mirroring a standard computer:
- ROM (Read Only Memory): Contains the SIM's operating system (A0C) and security algorithms. We cannot write to this, and forensic tools rarely extract it.
- RAM (Random Access Memory): Working memory for the processor. This data is volatile and lost when power is cut (i.e., when the phone is turned off or the SIM is removed).
- EEPROM (Electrically Erasable Programmable Read-Only Memory):
- This is the forensic target.
- This is the non-volatile storage where user data (Contacts, SMS) and network data (IMSI, LOCI) are stored. It retains data even when removed from the device.

The SIM File System
Unlike a Windows computer which uses folders like "C:\Users\Documents," the SIM uses a specialized file system defined by international standards (ISO 7816). It is a hierarchical tree structure.
- MF (Master File): The "Root" of the file system. It is the top level (like C:\).
- DF (Dedicated Files): These act like "Directories" or folders. They group related files together.
- Example: DF_GSM contains standard GSM network files. DF_TELECOM contains phonebook and SMS service files.
- EF (Elementary Files): These are the actual "Files" containing the data.
- Naming Convention: They are identified by 4-digit Hex IDs.
- Key Examples:
- EF_ICCID (2FE2): The serial number of the SIM.
- EF_IMSI (6F07): The subscriber ID.
- EF_SMS (6F3C): Stored text messages.
- EF_ADN (6F3A): Abbreviated Dialing Numbers (Contacts).

Real-World Application: When you run a forensic tool like Cellebrite UFED or Magnet AXIOM on a SIM card, the tool is automating the process of navigating this tree. It sends a command to "Select MF," then "Select DF_TELECOM," then "Read EF_SMS." If a tool fails to parse the data automatically, an advanced examiner can manually traverse this file system to recover the raw hex data of a text message.
4.5 Forensic Analysis of SIM Data
While the SIM card is physically small, the data organized within its file system is structured and standardized. For the forensic examiner, knowing exactly which "Elementary Files" (EFs) to target can mean the difference between solving a case and drowning in hexadecimal data.
Critical Evidence Files: The SIM Reference Table
As discussed in Section 4.4, the SIM uses a hierarchical file system. The most valuable data resides in specific Elementary Files (EFs) located under the DF_TELECOM or DF_GSM directories.
Critical SIM Elementary Files (EFs)
| File Name | Hex ID | Description & Forensic Value |
|---|---|---|
| EF_ICCID | 2FE2 | The Serial Number. This file contains the Integrated Circuit Card Identifier. It is the primary way to link a physical card to a specific subscription plan sold by a carrier. |
| EF_IMSI | 6F07 | The Subscriber ID. Contains the International Mobile Subscriber Identity. This links the user to the cellular network and is essential for requesting Call Detail Records (CDRs). |
| EF_LOCI | 6F7E | Location Information. Stores the Location Area Information (LAI) of the last tower the device registered with. Note: This is not a GPS coordinate, but it proves the device was in a general area (e.g., a specific sector of a city) at the last moment of connectivity. |
| EF_ADN | 6F3A | Abbreviated Dialing Numbers. This is the technical term for "Contacts" or the Phonebook. On older phones, this was the primary storage. On modern phones, this usually acts as a backup. |
| EF_LND | 6F3B | Last Number Dialed. A list of outgoing calls. This is frequently overwritten but can provide immediate intelligence on who the suspect contacted most recently. |
| EF_SMS | 6F3C | Short Message Service. Contains text messages. SIM cards have very limited storage (typically 20-50 messages). It uses a "Cyclic" buffer: new messages overwrite the oldest ones. |
| EF_MSISDN | 6F40 | The Phone Number. Interestingly, the phone number is not always hard-coded on the SIM. This file stores it, but it is often left blank or user-editable. Do not rely on this for attribution without verification. |
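As an added example (not part of the chapter, and not code from Cellebrite, Magnet or any SIM reader), the following Python walks a constructed MF/DF/EF tree like the one described in Section 4.4 and decodes the raw bytes of EF_ICCID, EF_IMSI and EF_LOCI from the table above: the ICCID is matched against the IIN prefixes listed in Section 4.2, the IMSI is split into MCC/MNC/MSIN as in Section 4.3, and the Location Area Code is pulled out of the LAI. The byte layouts follow the standard nibble-swapped BCD coding of GSM 11.11 / 3GPP TS 31.102; every byte string and identifier is a constructed sample, and the 3-digit MNC length is an assumption that holds for US (MCC 310) networks.

```python
"""Added example (not from the chapter or any forensic tool): decode the raw
bytes of EF_ICCID, EF_IMSI and EF_LOCI as a reader returns them after
SELECT MF -> SELECT DF -> READ BINARY.

Byte layouts follow the nibble-swapped BCD coding of GSM 11.11 / TS 31.102.
Every byte string and identifier below is a constructed sample, not real data.
"""

# IIN prefixes quoted in the chapter (Section 4.2), used to name the issuer.
IIN_PREFIXES = {"890141": "AT&T", "890126": "T-Mobile", "891480": "Verizon"}

# Location update status values from GSM 11.11 (low three bits of the byte).
LOCI_STATUS = {0: "updated", 1: "not updated",
               2: "PLMN not allowed", 3: "location area not allowed"}

# Constructed SIM file tree: MF (3F00) -> DF_GSM (7F20) -> EFs, with EF_ICCID
# sitting directly under the MF. Values are what READ BINARY would return.
SAMPLE_SIM = {
    "3F00": {
        "2FE2": bytes.fromhex("98 10 14 30 12 11 11 11 11 F1"),        # EF_ICCID
        "7F20": {
            "6F07": bytes.fromhex("08 39 01 14 10 32 54 76 98"),         # EF_IMSI
            "6F7E": bytes.fromhex("12 34 56 78 13 00 62 1A 2B 00 00"),   # EF_LOCI
        },
    }
}


def select_and_read(sim: dict, path: list) -> bytes:
    """Walk the tree one SELECT at a time (MF, then each DF, then the EF)."""
    node = sim
    for file_id in path:
        if file_id not in node:
            raise FileNotFoundError(f"SELECT {file_id} failed (file not found)")
        node = node[file_id]
    if not isinstance(node, bytes):
        raise ValueError(f"{path[-1]} is a DF, not an EF; nothing to READ BINARY")
    return node


def bcd_digits(data: bytes) -> str:
    """Nibble-swapped BCD: the low nibble of each byte is the earlier digit."""
    nibbles = []
    for b in data:
        nibbles.append(b & 0x0F)
        nibbles.append(b >> 4)
    return "".join(format(n, "X") for n in nibbles)   # 0xF = padding marker


def decode_iccid(raw: bytes) -> dict:
    iccid = bcd_digits(raw).rstrip("F")      # 19-digit ICCIDs are padded with F
    issuer = next((name for iin, name in IIN_PREFIXES.items()
                   if iccid.startswith(iin)), "unknown issuer")
    return {"iccid": iccid, "issuer": issuer}


def decode_imsi(raw: bytes, mnc_len: int = 3) -> dict:
    """Byte 0 is the length; the low nibble of byte 1 is a parity/odd-even
    marker, not a digit. mnc_len is an assumption: US (MCC 310) networks use
    3-digit MNCs, many other countries use 2; the authoritative length comes
    from the MCC/MNC allocation table."""
    length = raw[0]
    digits = bcd_digits(raw[1:1 + length])[1:].rstrip("F")   # drop parity nibble
    return {"imsi": digits, "mcc": digits[:3],
            "mnc": digits[3:3 + mnc_len], "msin": digits[3 + mnc_len:]}


def decode_loci(raw: bytes) -> dict:
    """EF_LOCI: TMSI (4 bytes) | LAI = MCC/MNC (3 bytes) + LAC (2 bytes) |
    TMSI TIME (1 byte) | location update status (1 byte)."""
    if len(raw) != 11:
        raise ValueError("EF_LOCI must be 11 bytes")
    tmsi = raw[0:4].hex().upper()
    lai = raw[4:9]
    mcc = f"{lai[0] & 0xF}{lai[0] >> 4}{lai[1] & 0xF}"
    mnc = f"{lai[2] & 0xF}{lai[2] >> 4}"
    if (lai[1] >> 4) != 0xF:                    # third MNC digit present
        mnc += str(lai[1] >> 4)
    lac = int.from_bytes(lai[3:5], "big")       # the Location Area Code
    status = LOCI_STATUS.get(raw[10] & 0x07, f"reserved ({raw[10]})")
    return {"tmsi": tmsi, "mcc": mcc, "mnc": mnc, "lac": lac, "status": status}


def triage(sim: dict) -> dict:
    """Read the three EFs the way a tool automates it and decode them."""
    return {
        "iccid": decode_iccid(select_and_read(sim, ["3F00", "2FE2"])),
        "imsi": decode_imsi(select_and_read(sim, ["3F00", "7F20", "6F07"])),
        "loci": decode_loci(select_and_read(sim, ["3F00", "7F20", "6F7E"])),
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_SIM).items():
        print(name, value)
```

In the constructed sample the ICCID prefix resolves to AT&T while the last-registered LAI carries MNC 260 (T-Mobile), the kind of mismatch that tells an examiner the card was roaming or that the IIN-based carrier guess needs verification against the carrier's own records.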
Evidence Location: SIM vs. Device Storage
One of the most critical decisions in mobile forensics is knowing where to look. The location of evidence depends entirely on the generation of the device.
- Feature Phones (Burners): On older devices or cheap "dumb phones" often used in drug trafficking, the device has very little internal memory. Therefore, SMS messages and Contacts are almost exclusively stored on the SIM card. If you only image the phone and ignore the SIM, you may lose the entire case.
- Modern Smartphones (iOS/Android): Modern operating systems store contacts and messages in internal SQLite databases (e.g., sms.db on iOS) located on the phone's NAND flash memory, not the SIM.
- The Hybrid Exception: Users can manually choose to "Export Contacts to SIM" as a backup. Always acquire the SIM card data even in modern investigations, as it may contain an old "snapshot" of contacts that were deleted from the phone's main memory.
Modern Messaging Realities
The relevance of EF_SMS is fading. In the current landscape, criminal communication has shifted away from cellular SMS/MMS to Over-the-Top (OTT) applications.
- The Shift: Suspects use WhatsApp, Signal, Telegram, or Messenger.
- Forensic Impact: These apps use data (packet-switching) rather than the cellular signaling channel. Consequently, their messages are never stored on the SIM card. They are stored in encrypted databases on the device itself or in the cloud.
- Ephemeral Data: Apps like Signal offer "disappearing messages." Unlike the SIM EF_SMS, which retains deleted data until it is physically overwritten by a new message, ephemeral apps cryptographically erase the data, making recovery significantly harder.
4.6 SIM Security & Best Practices
The SIM card is designed to be secure. It actively defends itself against unauthorized access. As an investigator, you must understand these defenses to avoid destroying evidence.
Security Mechanisms: PIN and PUK
The SIM operating system has a built-in "Three Strikes" policy.
- PIN (Personal Identification Number): A 4-to-8 digit code set by the user. If enabled, the phone will not connect to the network or allow data extraction until the PIN is entered.
- The Risk: You typically have 3 attempts to enter the correct PIN. If you fail 3 times, the SIM blocks the PIN and enters a "Blocked" state.
- PUK (Personal Unblocking Key): Once the PIN is blocked, the SIM requests the PUK. This is an 8-digit code that is generated by the carrier and cannot be changed by the user.
- The Danger Zone: You generally have 10 attempts to enter the PUK. If you fail 10 times, the SIM enters a "bricked" state. It permanently disables its processor. The data is effectively destroyed and unrecoverable.
- Best Practice: Never "guess" a PUK. You must obtain it via a search warrant or subpoena to the carrier, providing them with the ICCID.
Forensic Techniques
SIM Cloning
Historically, SIM Cloning was a standard forensic procedure. Investigators would create an exact replica of the suspect's SIM card onto a blank "Test SIM".
- Purpose: This allowed the investigator to put the clone into the suspect's phone and power it on. The phone would think it had a valid SIM and allow access to the menus, but the clone was programmed to never connect to the cellular network. This prevented the phone from receiving a "Remote Wipe" signal while allowing manual analysis.
- Modern Relevance: This is decreasingly an option. Modern SIM cards (USIM/ISIM) use advanced encryption (Milenage algorithm) that prevents the extraction of the Ki (Authentication Key) necessary to create a clone. Today, we rely more on isolation techniques.
Isolation & Preservation
Because we often cannot clone modern SIMs, we must physically isolate the device.
1. Faraday Bags: As discussed in Chapter 1, placing the device in a Faraday bag blocks all radio signals.
2. Network Isolation: If you must remove the SIM to image it separately, ensure your forensic workstation is offline.
* The "Auto-Update" Risk: If a SIM connects to a network, it may receive "Over-the-Air" (OTA) updates from the carrier. These updates can refresh the EF_LOCI (overwriting the crime scene location data) or push new roaming lists. Maintaining isolation preserves the state of the SIM exactly as it was at the time of seizure.
Validation
Validation is the cornerstone of forensics. How do you know the data you parsed from the SIM is accurate?
- Cross-Tool Validation: Use two different tools (e.g., Cellebrite and specialized SIM readers like Dekart) to ensure the parsed text messages match.
- Call Detail Records (CDRs): The ultimate validation is external. If your forensic analysis of the SIM (EF_SMS) shows a text sent to 555-0199 at 14:00, the Carrier's CDR logs should show a corresponding SMS event at that exact time. If they match, your evidence is verified against a third-party source.
Real-World Example: The "Burner" Discrepancy
In a narcotics investigation, a suspect claimed the flip phone found in his car was "planted" and he had never used it.
- The Extraction: The investigator extracted the SIM card and found EF_SMS was empty (messages deleted).
- The Artifact: However, the EF_LOCI (Location Information) on the SIM contained a Location Area Code matching the cell tower nearest the suspect's home.
- The Contact List: The EF_ADN (Contacts) contained an entry labeled "Mom."
- The Validation: CDRs from the carrier showed that the phone number for "Mom" was called daily.
Result: While the messages were gone, the SIM artifacts (LOCI and ADN) definitively linked the device to the suspect, disproving his claim that he had never used it.
Chapter 4 Summary
- Network Evolution: The history of mobile forensics is tied to the transition from CDMA/GSM (where identity was split between device and card) to the unified 4G/5G standards. While legacy "dumb phones" are vanishing due to the network "sunset," they remain critical sources of evidence in cold cases.
- Packet Switching: The shift from circuit-switched voice to packet-switched data (VoLTE) has transformed "calls" into data sessions, enriching the metadata available to investigators but complicating the analysis.
- The Provider Landscape: Distinguishing between MNOs (who own the towers) and MVNOs (who resell the service) is vital for the legal process. You cannot subpoena tower dumps from an MVNO like TracFone; you must go to the underlying carrier (e.g., Verizon or T-Mobile).
- Identity Hierarchy:
- IMEI: Identifies the hardware (Device).
- IMSI: Identifies the subscriber (User/Account).
- ICCID: Identifies the physical card (SIM).
- SIM Forensics: The SIM is a smart card with a hierarchical file system. Critical evidence files include EF_ICCID (serial), EF_IMSI (subscriber ID), and EF_LOCI (location). While modern smartphones store less user data on the SIM, the SIM remains the primary key for network attribution.
- Security: SIM cards are protected by PIN and PUK codes. Mismanaging these codes can permanently destroy evidence. Always maintain device isolation (Faraday bags) to prevent network updates from altering volatile SIM data like location artifacts.
Next Steps: Now that we understand how the device connects to the world, the next chapter will take us inside the device itself. In Chapter 5, we will explore Mobile Device Architectures & The Boot Process, examining the hardware components and the complex sequence of events that occurs when you press the power button.