Wednesday, June 01, 2011

Radio Survey Field Notes

The CSA Training Explanatory Diagram (previous thread) illustrated some of the codes identified in the broadcast radio identities. At this stage the examiner/expert might want an early indicator of what this information could mean when combined with knowledge previously acquired about the target location of interest where radio test measurements are scheduled to be conducted.

Of course, if you have a keen eye you will note the document does not include complete pre-profiled cell site details. These details are excluded for a reason, which I shall come to later. For now it is useful to analyse the Explanatory Diagram content and cross-reference it with the Radio Survey Field Notes.

Some questions:

- What sort of information in the Explanatory Notes do you think can be taken for granted and need not be included in the Field Notes?
- What identities present in the Explanatory Diagram are absent from the Field Notes?
- Do you think those identities should be in the Field Notes?

The purpose of pressing these points is that evidence is often omitted, and examiners/experts will certainly need that information to hand when preparing their opinion, writing a report and giving evidence.

CSA Training Explanatory Diagram

Given the huge range of knowledge and information needed for Cell Site Analysis (CSA), I have spent a considerable amount of time creating many training sheets for the courses. The explanatory diagram below represents just some basic information acquired from radio tests and the meaning of the codes shown in the test screens.
This training document forms part of a step-by-step guide, in a long, long line of steps a trainee examiner will undertake, and helps the trainee grasp the basics. Later the trainee will be shown additional information that isn't in the above diagram to extend knowledge and understanding.

Soon the examiner will come to realise that when I started out, in an early thread in this blog, identifying the elements in the GSM Radio DNA Bracelet, I had a reason for doing so. The data displayed in screens like the ones above occur as a consequence of being assigned to one or more of the logical channels identified in the GSM Radio DNA Bracelet and delivered by the physical channels of the radio system.

Monday, May 30, 2011

iOS 4.3.3 deletion of Location Cache

Apple responded in April 2011 to concerns in the marketplace about location data that enables a user to be tracked without their knowledge or without knowing such a mechanism existed in the iPhone:

http://www.apple.com/pr/library/2011/04/27location_qa.html

By 3rd May 2011 it was suggested an early fix would be available pending the outcome of Beta tests, and that the fix would deal with location backups to iTunes when Location Services was switched OFF.

On the 5th May the promised iOS patch to resolve iPhone location tracking went live and reduced the size of the cache of information that had been backed up. Noticeably, the cache file is now considerably smaller; however, the size of the update required to do that was over 650 megabytes.

Loss of evidence in the cache is one observation; another is that with Location Services switched OFF on the handset, this may impact historical and current Cell Site Analysis investigations.

Sunday, May 08, 2011

Requesting Cell Site Data

Engaging with defence solicitors or law enforcement with respect to seeking cell site evidence can be a tricky business. Invariably the request for data is largely governed by the type of case and the instruction of work. The problem with the latter point is that it may be assumed the person instructing has sufficient technical knowledge and understanding to comprehend the technical details to be analysed and the types of detail the CSA expert will need.

A mistake in common practice that I have noted with examiners and experts is to assume the CDR contains the complete cell site details, and clearly that cannot be the case. The structure and content of CDR and TAP files are different and serve different purposes, but neither is generated for the purpose of including cell site details. I have seen some company websites identifying themselves as experts and suggesting cell site details are found in extended CDRs. I do not agree, as cell site details have absolutely nothing to do with a per-call CDR or indeed a TAP file for that matter. There are minimal references to cell sites by way of cell ID (start/end) and a few other bits and pieces, but nothing more would be generated by the mobile phone, radio network, switch or data capture machine for inclusion in a CDR/TAP file.

Another matter I have noted when dealing with expert and examiner cell site reports, and with those conducting radio test measurements, is a vague suggestion alluding to an implicit fact that because the examiner took GPS measurements when conducting tests this somehow creates a fact that cellular radio coverage is corroborated by them, or that the movements of the handset user are somehow tracked this way. There appears, on the face of it at least, a confusion between GPS and the mobile network. Neither GSM nor WCDMA propagate GPS signals; they merely take data output in the form of a packet from a GPS module/unit and forward that packet through the device/network to the terminal that will make use of the data. If I need support for that fact, I find it in the first instance in the radio frequencies adopted for GSM and WCDMA, from which all else follows when dealing with cellular radio propagation and communications.

So what are the data field elements that the examiner/expert might seek in the first instance? Clearly there needs to be corroboration of a GSM originated/terminated communication and the start and/or end of that mobile communication. The list below is not related to data (email/internet/download etc.) communication.

----------------------------------------
Date ?
Time ?
Calling party ?
Called party ?
Type of call ?
Duration ?
Registration (ringing time before answer) ?


Mast location Details for start of call
---------------------------------------
[Start of call] Site ID number?
[Start of call] Site Name?
[Start of call] Site Address?
[Start of call] Site Post code?
[Start of call] Type of transmission 3G WCDMA site or GSM site?
[Start of call] Frequency Range?
[Start of call] Macrocell or Microcell?
[Start of call] Height of Antennas?
[Start of call] Is this an omni-directional site?
[Start of call] How many sectors at site (e.g. 3, 6 etc)?
[Start of call] Easting and Northing?
[Start of call] Longitude and Latitude?
[Start of call] Cell ID (hex)?
[Start of call] Cell ID (dec)?
[Start of call] Cell ID (last digit as sector)?
[Start of call] Broadcast Control Channel (BCCH) number?
[Start of call] Azimuth (bearing of coverage)?


Mast location Details for end of call
-------------------------------------
[End of call] Site ID number?
[End of call] Site Name?
[End of call] Site Address?
[End of call] Site Post code?
[End of call] Type of transmission 3G WCDMA site or GSM site?
[End of call] Frequency Range?
[End of call] Macrocell or Microcell?
[End of call] Height of Antennas?
[End of call] Is this an omni-directional site?
[End of call] How many sectors at site (e.g. 3, 6 etc)?
[End of call] Easting and Northing?
[End of call] Longitude and Latitude?
[End of call] Cell ID (hex)?
[End of call] Cell ID (dec)?
[End of call] Cell ID (last digit as sector)?
[End of call] Broadcast Control Channel (BCCH) number?
[End of call] Azimuth (bearing of coverage)?

The cell site details should relate at minimum to the material time of the mobile communications and at least up to the date the request for information is being made, in order to comprehend any changes at the Mast that handled the start of the call and the Mast that handled the end of the call.

Request notification of any Mast alterations
-----------------------------------------
[Any change to Mast] Decommissioned?
[Any change to Mast] Height of Antenna altered?
[Any change to Mast] Azimuth Bearing of coverage?
[Any change to Mast] Mechanical or electrical tilt changes and to what degree?
[Any change to Mast] Licensed Power or Transmission power?
[Any change to Mast] Type of transmission from 2G GSM to 3G WCDMA or vice versa?

It is quite possible to seek considerably more about the arrangements at each Mast, but that often means dealing with each operator's specific matters on a case by case basis. These elements are not included here.
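As an added example (not the blog's own code), the following cross-checks a cell site record returned by an operator against the request list above: it reports missing fields and tests whether the hex and decimal Cell IDs, the sector digit and the omni/sector count agree. The field names and the two sample records are constructed assumptions modelled on the list.

```python
# Added example: review an operator's cell site response against the request list.
# Field names are assumptions modelled on the list above; records are constructed.

REQUESTED_FIELDS = [
    "Site ID number", "Site Name", "Site Address", "Site Post code",
    "Type of transmission", "Frequency Range", "Macrocell or Microcell",
    "Height of Antennas", "Omni-directional", "Sectors",
    "Easting and Northing", "Longitude and Latitude",
    "Cell ID (hex)", "Cell ID (dec)", "Cell ID (sector)",
    "BCCH number", "Azimuth",
]


def review_cell_site_record(phase, record):
    """Return a list of findings to put back to the operator (empty = nothing to query).

    phase  -- "Start of call" or "End of call"
    record -- dict mapping a requested field name to the value supplied
    """
    findings = []
    for field in REQUESTED_FIELDS:  # completeness against what was asked for
        value = record.get(field)
        if value is None or str(value).strip() == "":
            findings.append(f"[{phase}] {field} missing")

    cell_hex, cell_dec = record.get("Cell ID (hex)"), record.get("Cell ID (dec)")
    if cell_hex and cell_dec is not None:  # hex and dec forms must be the same number
        try:
            if int(str(cell_hex), 16) != int(cell_dec):
                findings.append(f"[{phase}] Cell ID hex {cell_hex} does not equal dec {cell_dec}")
        except ValueError:
            findings.append(f"[{phase}] Cell ID values are not parseable")

    sector = record.get("Cell ID (sector)")
    if cell_dec is not None and sector is not None:  # last digit of dec ID is the sector
        if str(cell_dec)[-1] != str(sector):
            findings.append(f"[{phase}] sector {sector} is not the last digit of Cell ID {cell_dec}")

    if record.get("Omni-directional") is True and record.get("Sectors") not in (None, 1):
        findings.append(f"[{phase}] omni-directional site reported with {record['Sectors']} sectors")
    return findings


# Constructed sample records: a complete, consistent start-of-call record and an
# end-of-call record with a blank azimuth and a hex Cell ID that disagrees with dec.
START_RECORD = {
    "Site ID number": "S-0001", "Site Name": "Example Site", "Site Address": "1 Example St",
    "Site Post code": "AB1 2CD", "Type of transmission": "GSM", "Frequency Range": "900 MHz",
    "Macrocell or Microcell": "Macrocell", "Height of Antennas": "25 m", "Omni-directional": False,
    "Sectors": 3, "Easting and Northing": "500000, 180000", "Longitude and Latitude": "-0.1, 51.5",
    "Cell ID (hex)": "10E1", "Cell ID (dec)": 4321, "Cell ID (sector)": 1,
    "BCCH number": 62, "Azimuth": 120,
}
END_RECORD = dict(START_RECORD, **{"Cell ID (hex)": "10E2", "Azimuth": ""})

if __name__ == "__main__":
    for phase, rec in (("Start of call", START_RECORD), ("End of call", END_RECORD)):
        print(phase, review_cell_site_record(phase, rec) or "no findings")
```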

Saturday, May 07, 2011

Blackberry Forensic Analysis

GSM Radio DNA Bracelet - RACH (Random Access Channel)

The logical channels set out at http://cellsiteanalysis.blogspot.com/2011/01/gsm-radio-dna-bracelet.html each provide useful information for cell site analysis (CSA). A common misunderstanding that arises with CSA is that it has been used in evidence in such a way that only minutiae of information are considered. This in turn has led some to believe CSA can be defined by a limited selection of elements. The world of CSA is far, far larger in rich content than those limited elements. An examiner only comes to know the rich content having first applied him/herself to learning the symbiotic co-partnership between science & technology and examination & forensic procedure, leading to evidence & opinion.

For instance, let us accept that RACH is a GSM uplink common control channel. In that little nugget of information there is firstly the science and technology. The technology is Global System for Mobile (communications), a digital cellular radio system. The GSM system manipulates (modulates) the physical radio signals such that the physical signals, whilst analogue in nature, hold a secret inside that is revealed when demodulated: the important (digital) data. Moreover, the word 'uplink' is relevant to note, as is 'common control channel' (CCCH). There are four logical control channels associated with the CCCH: Paging Channel (PCH), Access Grant Channel (AGCH), Notification Channel (NCH) and, of course, RACH. The term 'common' needs clarification too, because it identifies that the channels are common to all (mobile) users in a geographical radio area via their handsets. 'Uplink' defines the direction in which the control channel data are transmitted.

In combination, the examination of transmitted data becomes highly significant, for it represents an action by the user's mobile phone creating the 'first' step in radio DNA evidence. A Layer 3 trace (example below), and when we say Layer 3 we are talking about RR (radio resources), identifies the access request RACH message sent to the network and the network's response to it. The example below has been extrapolated (and thus goes beyond) what would normally be seen from the raw data. The network and handset are programmed to understand each other and do not need man's convoluted and verbose explanations; should the machinery, so to speak, need such explanation, god help us, for access to the GSM radio network would probably take three months just to camp on the network without using further resources.

Equally, for cell site analysis we need to know what information can be gleaned from RACH. The image below shows a screen from an Ericsson handset with TEMS pocket (a radio diagnostic tool) in active mode. I will deal with the paging details in another discussion thread.

We first see the string '0 1 4 1 0E'. The point to note is that it contains only basic GSM information and not GPRS. Had it included GPRS information the string would consist of seven separate elements instead of five. So how do we understand the order in which the data appears?

First element '0':  refers to Cell Barred (0: No, 1: Yes)
Second element '1': refers to Call Re-establishment (0: Allowed, 1: Not allowed)
Third element '4': refers to Max number of retransmissions (1, 2, 4, 7)
Fourth element '1': refers to Number of RACH bursts sent for the last connection (1–7)
Fifth element '0E': refers to Establishment Cause/Random: Reference used in the latest RACH burst (00–FF)

The fifth element is, as referred to above, the 'first' step in radio DNA evidence. As this is generated by the user's handset it is interesting, because it shows the examiner has an understanding of seeking out evidence from the science and technology under test, and that the data should be obtained using forensic methodology to secure unaltered data. Importantly, it illustrates to the examiner how to start to establish a link within the chain of data created by a mobile phone from when it is first switched ON, while using resources, until it is switched OFF.
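To make the five-element decoding above concrete, here is an added example (not code from the blog or from TEMS) that parses the RACH string exactly as the element list describes it, validates each element against its permitted range, and exposes the fifth element as the 8-bit access request byte without claiming how TS 04.08 splits it into establishment cause and random reference. The function and key names are assumptions.

```python
import re

# Added example: decode the five-element RACH string from the TEMS pocket screen,
# e.g. '0 1 4 1 0E', following the element meanings listed in the text above.

MAX_RETRANSMISSIONS_ALLOWED = {1, 2, 4, 7}   # values the third element may take


def parse_rach_string(rach):
    """Return the decoded elements as a dict, or raise ValueError if malformed."""
    tokens = rach.split()
    if len(tokens) == 7:
        # The text notes a GPRS-capable string carries seven elements; their
        # meaning is not given above, so it is flagged rather than guessed.
        raise ValueError("seven elements: GPRS variant, not decoded here")
    if len(tokens) != 5:
        raise ValueError(f"expected 5 elements, got {len(tokens)}")
    barred, reest, max_retx, bursts, ref = tokens

    if barred not in ("0", "1") or reest not in ("0", "1"):
        raise ValueError("cell barred and call re-establishment flags must be 0 or 1")
    if not max_retx.isdigit() or int(max_retx) not in MAX_RETRANSMISSIONS_ALLOWED:
        raise ValueError(f"max retransmissions must be one of 1, 2, 4, 7; got {max_retx!r}")
    if not bursts.isdigit() or not 1 <= int(bursts) <= 7:
        raise ValueError(f"RACH bursts for last connection must be 1-7; got {bursts!r}")
    if not re.fullmatch(r"[0-9A-Fa-f]{2}", ref):
        raise ValueError(f"establishment cause/random reference must be 00-FF; got {ref!r}")

    byte = int(ref, 16)
    return {
        "cell_barred": barred == "1",                     # 0: No, 1: Yes
        "call_reestablishment_allowed": reest == "0",     # 0: Allowed, 1: Not allowed
        "max_retransmissions": int(max_retx),
        "rach_bursts_last_connection": int(bursts),
        # The 8-bit content of the latest access request (CHANNEL REQUEST); how the
        # establishment cause and random reference share these bits is TS 04.08's
        # business and is not interpreted here.
        "access_request_byte": byte,
        "access_request_bits": format(byte, "08b"),
    }


def field_note_lines(decoded):
    """Render the decoded elements as lines suitable for radio survey field notes."""
    return [
        f"Cell barred: {'Yes' if decoded['cell_barred'] else 'No'}",
        f"Call re-establishment: {'Allowed' if decoded['call_reestablishment_allowed'] else 'Not allowed'}",
        f"Max retransmissions: {decoded['max_retransmissions']}",
        f"RACH bursts (last connection): {decoded['rach_bursts_last_connection']}",
        f"Access request byte: 0x{decoded['access_request_byte']:02X} ({decoded['access_request_bits']})",
    ]


if __name__ == "__main__":
    for line in field_note_lines(parse_rach_string("0 1 4 1 0E")):
        print(line)
```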

The actual RACH access request generated is no more than 8 bits in length. The GSM standard TS 04.08 defines the message content format as seen below:

How to interpret the access request message content for establishment cause can be found in TS 04.08:

And when the mobile is answering paging for radio resources connection establishment:

There is so much detail associated with RACH that it would be possible to write a book solely on this single subject. I do not have the time or luxury to put all that detail here, but I want to give you a flavour that the radio DNA evidence in the bracelet contains a gold mine of evidential information that is largely and randomly ignored and apparently seen by some as not being relevant. I wonder, with the little I have mentioned above, whether you would think the same?

In the next RACH discussion I shall open up to you more and give insight into RACH and some evidential possibilities.

Sunday, January 16, 2011

GSM Radio DNA Bracelet

We may wish to consider what might be forensically deduced from radio test measurements when conducting cell site analysis (CSA). CSA, as we know, in the majority of circumstances in which it may be deployed, takes account of historical perspectives of radio coverage in a particular geographical location after mobile communications have occurred. It does not automatically follow that the precise area in which radio tests are conducted is identical to the precise area in which mobile calls took place. The results obtained from such tests are usually aligned with, and suggested to correspond to, mobile communications usage on a particular subscriber account using data from call data record (CDR) details. The combined details of both may be presented, usually in a report and/or oral evidence, in legal proceedings.

Understanding the radio test measurement results requires, in the first instance, knowing the technical identity, structure and content employed in the cycled (e.g. TDMA) frames containing overhead parameters (control channel data) that a mobile phone may receive, decode, act on and respond to. In this discussion, content associated with traffic channel data (voice communication, SMS, email, etc.) is not dealt with, because the subject is the historical examination of control channel data arising from radio tests and assessment of coverage in an area obtained after the event of mobile communications.

As examiners will be using radio test equipment to collect radio information, the GSM hierarchical frames (see below) display the structure of the entire cycling process designed for GSM. Essentially, examiners need to know the hierarchical structure in order to identify where in the structure the control data captured by the radio test equipment logically originates. The first point to note, since it is control channel data that is relevant, is that there are 51 TDMA frames set aside for the transportation of control channel signalling, albeit the control channel data can be duplicated over numerous frames.


Analysis of the hierarchical frames reveals that only a proportion of the frames are actually relevant to cell site analysis, as the frames being monitored in the demesne are real-time over the air interface at the time of conducting radio tests, subject to the period an examiner remains at a particular location conducting tests. For instance, rarely, if ever, does an examiner stay at one location monitoring for 3.30 hrs to allow the entire GSM hierarchical frame cycle to complete (as set down by the GSM standards), because it is simply not practicable or relevant to do so. Instead, an examiner needs to know which control channels are available and the likelihood of signalling data being communicated within each control channel.
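The 3.30 hrs figure and the 51-frame control structure above can be worked through numerically. The following is an added example (not the blog's own material) that assumes the standard GSM frame dimensions, which the page does not itself state: a TDMA frame of 120/26 ms, a 51-frame control-channel multiframe, a 26-frame traffic multiframe, a superframe of 51 x 26 frames and a hyperframe of 2048 superframes. From these it derives the full cycle time and how many complete control multiframes pass during a given dwell at one test location.

```python
from fractions import Fraction

# Added example: GSM frame hierarchy timing. The frame dimensions below are the
# standard GSM values (assumed here, not quoted from the page).
TDMA_FRAME_MS = Fraction(120, 26)                      # one TDMA frame, ~4.615 ms
CONTROL_MULTIFRAME_FRAMES = 51                         # control channel multiframe
TRAFFIC_MULTIFRAME_FRAMES = 26                         # traffic channel multiframe
SUPERFRAME_FRAMES = CONTROL_MULTIFRAME_FRAMES * TRAFFIC_MULTIFRAME_FRAMES   # 1326
HYPERFRAME_FRAMES = 2048 * SUPERFRAME_FRAMES                                # 2,715,648


def duration_ms(frames):
    """Exact duration in milliseconds of a run of TDMA frames."""
    return frames * TDMA_FRAME_MS


def hyperframe_seconds():
    """Time for the entire hierarchy to cycle once (the '3.30 hrs' in the text)."""
    return duration_ms(HYPERFRAME_FRAMES) / 1000


def hyperframe_hms():
    """The hyperframe period as (hours, minutes, seconds)."""
    total = hyperframe_seconds()
    hours = int(total // 3600)
    minutes = int((total - hours * 3600) // 60)
    seconds = float(total - hours * 3600 - minutes * 60)
    return hours, minutes, seconds


def control_multiframes_observed(dwell_seconds):
    """Complete 51-frame control multiframes that pass while the examiner dwells at a site."""
    return int(Fraction(dwell_seconds) * 1000 / duration_ms(CONTROL_MULTIFRAME_FRAMES))


def hyperframe_fraction(dwell_seconds):
    """Fraction of one full hyperframe cycle covered by the dwell time."""
    return float(Fraction(dwell_seconds) / hyperframe_seconds())


if __name__ == "__main__":
    h, m, s = hyperframe_hms()
    print(f"51-multiframe: {float(duration_ms(CONTROL_MULTIFRAME_FRAMES)):.2f} ms")
    print(f"hyperframe: {float(hyperframe_seconds()):.2f} s = {h} h {m} min {s:.2f} s")
    dwell = 10 * 60   # a ten-minute stay at one test location
    print(f"{dwell} s dwell: {control_multiframes_observed(dwell)} control multiframes, "
          f"{hyperframe_fraction(dwell):.1%} of a hyperframe")
```

The point for the examiner is that a realistic dwell of ten minutes sees thousands of control multiframes but under five per cent of a hyperframe, which is why the full cycle is never waited for in practice.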

I shall deal with types of bursts and timing of frames in a later discussion. For now, it is perhaps useful to think about what happens when examiners go to site for testing: radio signals travel over the air in microseconds, the radio receiver (handset) detects the signals in milliseconds and the entire decoding process occurs in approximately seconds, at which point the examiner may then be able to begin comprehending the resulting output of the processed data. It is in comprehending that data that examiners need to understand to which control channel/s such data may be attributable (e.g. for BCCH the examiner may expect to determine parameters relating to cell-specific data).

It is precisely the nature of control channels in the assigned frames, containing signalling data constantly cycled at high speed in order to contact, connect and retain network communication with the radio receiver (handset), that allows the handset to process, understand and respond where necessary. The range of control channels is defined by GSM, and it is the repetitious cycling of the control channels that led to identifying the GSM Radio DNA Bracelet, illustrated below.

I shall stop here because there is a considerable body of information that I have condensed into this byte-size primer discussion. Readers may wish to take time to digest what I have stated. Also, I am in no hurry to discuss everything. What I can state is that I rely on evidence, analysis and facts drawn from standards and test results, each used to corroborate the other. Over the years I have had mobile network operator staff, experts and examiners suggest something different or initially disagree with the GSM Radio DNA Bracelet, only for them to reconsider their own view down the line. This has largely been due to radio engineers/experts/examiners thinking in terms of KPIs, fault finding or radio planning, or not fully appreciating the subject matter being discussed. The findings I am discussing relate to forensic analysis and evidence; the findings have remained constant (in my opinion) over the years; and control channel data used for CSA is assigned only to those logical channels identified in the GSM Radio DNA Bracelet and to no other logical channel. It is true to say operators may use various combinations of control channels (examples are set out in the GSM standards), but in each instance the control channels are constantly cycled in a pattern that forms a bracelet effect, and the signalling data in them has unique identity properties analogous to the way DNA attributes can be understood. Objectively, if the aforementioned did not occur, GSM handsets and SIM cards could not determine/understand control channel data to make effective use of it and, logically, GSM would fail to work effectively against its claimed objectives. It is these GSM constants that fortify the position that a GSM Radio DNA Bracelet exists, subject to the caveat that the control channels used by particular operators at particular locations might vary.

The work above is Copyright and the entire original artistic work or part thereof may not be reproduced or distributed without the prior consent of the author. (c) Gregory Smith 2011.