SMS Status Byte

While answering a post on a list I belong to, it occured to me that forensic practitioners may not know how a piece of SIM software determines whether an SMS message has been sent or recieved or how it “undeletes” SMS.

The key to this is in the SMS status byte. This byte is the first byte to the message and determines the status of the message as outlined in GSM 03.40 and GSM 03.38 . Here is a graphic cut from those documents (click on the smaller image for full size one)

SMS Structure GSM 3.40

And here is another graphic showing the breakdown of the status byte

SMS Structure GSM 3.40

Breaking this down into a narrative here the status byte determines the following (shown in binary)

  • 0000000-Unused
  • 00000001-Mobile equipment terminated, read
  • 00000011-Mobile equipment terminated, not read
  • 00000101-Mobile equipment originated, sent
  • 00000111- Mobile equipment originated, not sent

This then is how the software determines if the SMS was sent from the phone (originated) or received (terminated). Interestingly, the the status byte is /x00 or unused and there is previous data at that slot-you can recover a deleted SMS. This is similar to how the FAT/MFT works in relation to “deleting” files.

I hope this is of some help to the Community.

Mike

Advertisements

Let Me Know Whatcha Think....

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s