While answering a post on a list I belong to, it occured to me that forensic practitioners may not know how a piece of SIM software determines whether an SMS message has been sent or recieved or how it “undeletes” SMS.
The key to this is in the SMS status byte. This byte is the first byte to the message and determines the status of the message as outlined in GSM 03.40 and GSM 03.38 . Here is a graphic cut from those documents (click on the smaller image for full size one)
Breaking this down into a narrative here the status byte determines the following (shown in binary)
- 00000001-Mobile equipment terminated, read
- 00000011-Mobile equipment terminated, not read
- 00000101-Mobile equipment originated, sent
- 00000111- Mobile equipment originated, not sent
This then is how the software determines if the SMS was sent from the phone (originated) or received (terminated). Interestingly, the the status byte is /x00 or unused and there is previous data at that slot-you can recover a deleted SMS. This is similar to how the FAT/MFT works in relation to “deleting” files.
I hope this is of some help to the Community.