It would be interesting to figure out where the data is being sent. It could probably be done in a variety of ways (JTAG? Replace the SIM card and setup a fake GSM base station? Check your local laws...).
It would be pretty ironic if they routed through Tor...
It should be relatively easy to pop the SIM card out and use an off the shelf forensics tool. Those things have like 64kb of storage. At the least you'd get the phone's number and IMEI.
Not sure forensics tools are needed; getting the phone number and IMEI should be a Hayes command[1] away. Throw the SIM into something like a Telit GM862 (which runs Python) and you have a full scriptable phone. I played with that module seven years ago and there are bound to be better ones now.
It would be pretty ironic if they routed through Tor...