Saturday, September 09, 2023

"Outside Looking In" Part 1

This is one of a series of articles I have prepared concerning expert evidence.

"Outside Looking In" - This title relates to experts who have not gone the Forensic Science Regulator (FSR) route to hunker down and embrace the ISO17025 accreditation process. We are told that aiming for quality and reliable evidence is, or should be, at the forefront of everyone's mind when involved with forensics and evidence. I think we all agree with that one. It is just a question of how to go about it. ISO17025 was selected to meet that task but came with an excessive limitation: it only works for you if there is a large quantity of cash to pay for it.
This is where the "Outside Looking In" arises, as many single-person enterprises (often referred to as sole traders) and even small to medium-sized enterprises (SMEs) find it difficult to join the ISO17025 approved list. Financially, both of the above-mentioned enterprises can face estimated outgoing costs of £76,000.00 before handling any work under this new ISO17025 regime.
But I see another route through all of this for these enterprises, and that is expert opinion on assessing the Reports/Logs/CDRs etc. introduced as [Evidence]; assessment of that evidence doesn't require the assessing expert to create more, new evidence, merely an opinion on it [e.g. process]. By process I mean recognition of the steps taken to bring about the evidence. To illustrate, a document in a murder case said to be the original had apparently been used to make copies of it. Mysteriously, the duplicated copies had come from the first photocopier in history to change the original wording from lower case lettering to exactly the same wording but now appearing in upper case lettering. Amazing!
Today, there is much concern over the loss of highly experienced experts in the above enterprises who no longer assist the Criminal Justice System. It is hard to believe no clear and precise path had been created for them. To understand this concern associated with long-term knowledge, skills and experience, I use as an example a presentation I created back in 2008 regarding mobile telephone evidence. This is to make the point that the categories used in the presentation are just "labels" BUT under which vast and deep wells of knowledge, skills and experience are needed by practitioners and had to be known back then, because they regularly cropped up in evidence. These weren't learnt overnight but over many, many years.
Those "Outside Looking In" are now asking themselves: why is it that someone else has decided my knowledge, skills and experience are no longer worthy?

TREWMTE-Starter-Kit-Part-TWO https://www.dropbox.com/scl/fi/ec7issg2m2batw9p0okd3/TREWMTE-Starter-Kit-Part-TWO.pdf?

In "Outside Looking In" Part 2 I want to show acquisition of "Knowledge" and its relevance to expert opinion. I will be using Cell Site Analysis as the relevant science in relation to evidence.

Sunday, January 27, 2019

LTE Attach and Default Bearer Setup Messaging

Prior to the LTE mobile phone being tracked in the LTE network, there is still the setup process that enables the handset to gain access to network services. This useful guide illustrates the steps involved, of which a CSA investigator should have an understanding, not least of which is knowing S1AP: when the IMSI and GUTI are used; S11: the IP assigned to the mobile station and the current location of the user; and a host of other useful information that often crops up in investigations.




LTE Tracking Area Update

This useful guide produced using EventStudio System Designer drives home the processes and procedures involved to understand how LTE Tracking Area Update works. Every CSA investigator will need to have knowledge in this area to be able to define in a statement, report or at Court how a mobile phone is tracked whilst switched ON and moving around in an LTE network.

3G Networks position techniques.pdf

For those CSA investigators interested in a skeleton outline on 3G Networks position techniques, this info should help as a starting point.

Cell Site Analysis - location and radio coverage signals

It still holds true with LTE radio coverage that signals arrive in a scattered manner when detected at the mobile phone handset. A good CSA investigator will know how to explain that coverage which the untrained might think could not possibly be detected at a particular location may well have been detected, due to the location of the phone at the material time.
 
As mentioned in a previous post, the density of masts in an area must equally be understood, and not simply from the point of view of calls handled by a single mast. There is also the instance where a call's start and end masts are different, which may involve the network having to deal with 'hard handover'. Advancements with 3G and 4G enable calls (data) to be handled by several masts delivering data to the smartphone in a seamless fashion. This may be due to the amount of data involved or fast fading etc. These types of handovers are called 'soft handover'. When understood correctly, the use of these combined masts in soft handover, because they are often in very close proximity, can narrow down the location through improved triangulation (etc.).
 
 
There is the occasion where the operator only has one mast in a particular area but several sectors of the same mast might be used seamlessly for, e.g., a data call; this is called 'softer handover'. When thinking about soft and softer handover, think in terms of 'inter' (between masts) and 'intra' (within one mast).
 
 
 
Furthermore, smartphones, which I call 'ultra-smarts' due to their increased embedded communications capabilities, use close-proximity masts or access points (Wi-Fi) to enable uninterrupted communication and network access. Network operators have deployed microcells, as you (may) know. Microcell deployment helps remove the burden of signalling and traffic on macro-cells by directing slow-moving mobiles to short-range coverage. These microcells can be useful for slow-moving users, walking down the high street or located in one area for a period of time. Remaining in an area for a period of time is called 'dwell time'. The latter is a term CSA investigators should know as it can have an important bearing upon a case. In some instances, small coverage points have been deployed called pico-cells and nano-cells, which can refine location distances between the mobile phone and the cell to a few metres.
 
The 'ultra-smarts' Wi-Fi capability creates an additional attractive proposition for cell site analysis investigations, as the investigator will need to be keenly aware that dual usage of cellular and Wi-Fi coverage can produce a rich resource of location positioning. The image below has been used on this blog before, but it is still a useful reminder of what should be considered when conducting radio surveys.
 
 
And if further illustration is needed to illuminate survey assessment criteria, then hopefully the image below will provide the investigator with some ideas.
 
 
Cell site analysis has evolved so much from the days of GSM and the early days of WCDMA. It is not enough to use call records and CDRs in isolation and/or to go to a particular geographical location to conduct tests at one single spot; the wider area needs to be taken into context as to what impact it might have on a call or calls being handled by a cell or cells etc. (mast, masts or access points).
 

LTE Positioning Methods

 
As with GSM and WCDMA, LTE is no different. Cell Site Analysis investigators still need to have a general understanding of location positioning methods in order to recognise that static and drive-test radio measurements do not, on their own, clearly define radio boundaries. There is an enormous range of strategies that can be adopted, and they should be adopted on a case-by-case basis.
 
Even if the network operator has adopted methods for determining location (and they have the infrastructure to do that), an external investigator cannot use CDRs and radio test measurements to pinpoint call location at the material time. It still requires knowing how each operator has planned their network radio coverage, and it does no harm to request single cell prediction maps and best server plots / density maps.
 
 
Remember the density-map is important as it provides an underlying indication of potential cell usage or handover.

Sunday, September 28, 2014

CSA - Site Survey Method/LTE SIBtype1

Before continuing with GSM/GERAN System Information Message Types, thanks for the enquiries regarding LTE and the requests for an example of a SystemInformationBlockType (SIB). It would appear there is a requirement to explore LTE and UMTS SIBs some more before moving on to GSM/GERAN. I will do my best to answer some of the enquiries.

For educational purposes only: following the MasterInformationBlock (MIB) having been decoded by the UE, a useful example of the content of SystemInformationBlockType1 was illustrated by Ralf Kreher and Karsten Gaenger (c) 2011, using Tektronix K2Air as an example, when conducting an LTE investigation into signalling troubleshooting and optimisation.



+-------------------------------------------------------+---------------------------------------------+
|ID Name |Comment or Value |
+-------------------------------------------------------+---------------------------------------------+
|56 05:43:34,555,032 RRC-UU K2AIR-PHY PDSCH LTE-RLC/MAC MAC-TM-PDU (DL) LTE-RRC_BCCH_DL_SCH systemInformationBlockType1 |
|Tektronix K2Air LTE PHY Data Message Header (K2AIR-PHY) PDSCH (= PDSCH Message) |
|1 PDSCH Message |
|1.1 Common Message Header |
|Protocol Version |0 |
|Transport Channel Type |DL-SCH |
|Physical Channel Type |PDSCH |
|System Frame Number |454 |
|Direction |Downlink |
|Radio Mode |FDD |
|Internal use |0 |
|Status |Original data |
|Reserved |0 |
|Physical Cell ID |0 |
|UE ID/RNTI Type |SI-RNTI |
|Subframe Number |5 |
|UE ID/RNTI Value |'ffff'H |
|1.2 PDSCH Header |
|CRC report |CRC ok |
|HARQ process number |0 |
|Reserved |0 |
|Transport Block Indicator |single TB info |
|Reserved |0 |
|1.2.1 Transport Block#1 Information |
|Transport Block#1 Size |144 |
|Modulation Order DL 1 |QPSK |
|New Data Indicator DL 1 |new data |
|Redundancy Version DL 1 |1 |
|Reserved |0 |
|Modulation Scheme Index DL 1 |5 |
|Reserved |0 |
|1.2.2 Transport Block Data |
|TB1 Mac-PDU Data |40 51 00 21 00 00 20 00 10 0c 14 01 10 21 00 68 22 b6 |
|Padding |'0068'H |
|1.3 Additional Call related Info |
|Number Of Logical Channel Informations |1 |
|1.3.1 Logical Channel Information |
|LCID |0 |
|RLC Mode |Transparent Mode |
|Radio Bearer ID |0 |
|Radio Bearer Type |Control Plane (Signalling) |
|Spare |0 |
|Spare |0 |
|Logical Channel Type |BCCH |
|Call ID |'fffffff5'H |
|3GPP LTE-RLC/MAC Rel.8 (MAC TS 36.321 V8.5.0, 2009-03, RLC TS 36.322 V8.5.0, 2009-03) (LTE-RLC/MAC) MAC-TM-PDU (DL) (= MAC PDU (Transparent Content Downlink)) |
|1 MAC PDU (Transparent Content Downlink) |
|MAC Transparent Data |40 51 00 21 00 00 20 00 10 0c 14 01 10 21 00 68 22 b6 |
|RRC (BCCH DL SCH) 3GPP TS 36.331 V8.5.0 (2009-03) (LTE-RRC_BCCH_DL_SCH) systemInformationBlockType1 (= systemInformationBlockType1) |
|bCCH-DL-SCH-Message |
|1 message |
|1.1 Standard |
|1.1.1 systemInformationBlockType1 |
|1.1.1.1 cellAccessRelatedInfo |
|1.1.1.1.1 plmn-IdentityList |
|1.1.1.1.1.1 pLMN-IdentityInfo |
|1.1.1.1.1.1.1 plmn-Identity |
|1.1.1.1.1.1.1.1 mcc |
|1.1.1.1.1.1.1.1.1 mCC-MNC-Digit |2 |
|1.1.1.1.1.1.1.1.2 mCC-MNC-Digit |9 |
|1.1.1.1.1.1.1.1.3 mCC-MNC-Digit |9 |
|1.1.1.1.1.1.1.2 mnc |
|1.1.1.1.1.1.1.2.1 mCC-MNC-Digit |0 |
|1.1.1.1.1.1.1.2.2 mCC-MNC-Digit |0 |
|1.1.1.1.1.1.2 cellReservedForOperatorUse |notReserved |
|1.1.1.1.2 trackingAreaCode |'0000'H |
|1.1.1.1.3 cellIdentity |'2000100'H |
|1.1.1.1.4 cellBarred |notBarred |
|1.1.1.1.5 intraFreqReselection |notAllowed |
|1.1.1.1.6 csg-Indication |false |
|1.1.1.2 cellSelectionInfo |
|1.1.1.2.1 q-RxLevMin |-65 |
|1.1.1.3 freqBandIndicator |1 |
|1.1.1.4 schedulingInfoList |
|1.1.1.4.1 schedulingInfo |
|1.1.1.4.1.1 si-Periodicity |rf16 |
|1.1.1.4.1.2 sib-MappingInfo |
|1.1.1.4.2 schedulingInfo |
|1.1.1.4.2.1 si-Periodicity |rf32 |
|1.1.1.4.2.2 sib-MappingInfo |
|1.1.1.4.2.2.1 sIB-Type |sibType3 |
|1.1.1.4.2.2.2 sIB-Type |sibType6 |
|1.1.1.4.3 schedulingInfo |
|1.1.1.4.3.1 si-Periodicity |rf32 |
|1.1.1.4.3.2 sib-MappingInfo |
|1.1.1.4.3.2.1 sIB-Type |sibType5 |
|1.1.1.5 si-WindowLength |ms20 |
|1.1.1.6 systemInfoValueTag |22 |
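As an added worked example (not code from this post, from the Kreher/Gaenger book or from the Tektronix tool), the Python below reads the 18-byte MAC transparent PDU quoted in the table bit by bit, using the Rel-8 ASN.1 field order and UPER bit widths of TS 36.331, so that an investigator can check a rendered decode table against the raw bytes it claims to represent. The few optional elements absent from this PDU are rejected rather than decoded.

```python
# Added example, not code from the post or from Kreher & Gaenger's book: a
# minimal ASN.1 UPER reader for the Rel-8 SystemInformationBlockType1 fields
# (3GPP TS 36.331 V8.5.0) in the 18-byte MAC transparent PDU quoted above.
SIB1_HEX = "40 51 00 21 00 00 20 00 10 0c 14 01 10 21 00 68 22 b6"  # from the table

class BitReader:
    def __init__(self, data: bytes):
        self.bits = "".join(f"{b:08b}" for b in data)  # UPER is MSB-first
        self.pos = 0

    def read(self, n: int) -> int:
        value = int(self.bits[self.pos:self.pos + n], 2)
        self.pos += n
        return value

def decode_sib1(hex_pdu: str) -> dict:
    r = BitReader(bytes.fromhex(hex_pdu))
    if (r.read(1), r.read(1)) != (0, 1):          # CHOICE c1 -> systemInformationBlockType1
        raise ValueError("not a c1/systemInformationBlockType1 message")
    if r.read(3) or r.read(1):                    # p-Max, tdd-Config, nonCriticalExtension, csg-Identity
        raise ValueError("optional fields present that this reader does not handle")
    plmns = []
    for _ in range(r.read(3) + 1):                # plmn-IdentityList SIZE(1..6)
        mcc = "".join(str(r.read(4)) for _ in range(3)) if r.read(1) else None
        mnc = "".join(str(r.read(4)) for _ in range(r.read(1) + 2))  # MNC SIZE(2..3)
        plmns.append((mcc, mnc, ["reserved", "notReserved"][r.read(1)]))
    out = {"plmn": plmns, "tac": r.read(16), "cellIdentity": r.read(28)}
    out["cellBarred"] = ["barred", "notBarred"][r.read(1)]
    out["intraFreqReselection"] = ["allowed", "notAllowed"][r.read(1)]
    out["csg-Indication"] = bool(r.read(1))
    if r.read(1):                                 # q-RxLevMinOffset INTEGER(1..8)
        out["q-RxLevMinOffset"] = r.read(3) + 1
    out["q-RxLevMin"] = r.read(6) - 70            # INTEGER(-70..-22); threshold is 2*value dBm
    out["freqBandIndicator"] = r.read(6) + 1      # INTEGER(1..64)
    periods = ["rf8", "rf16", "rf32", "rf64", "rf128", "rf256", "rf512"]
    sched = []
    for _ in range(r.read(5) + 1):                # schedulingInfoList SIZE(1..32)
        period, sibs = periods[r.read(3)], []
        for _ in range(r.read(5)):                # sib-MappingInfo SIZE(0..31)
            if r.read(1):                         # SIB-Type ENUMERATED extension bit
                raise ValueError("extended SIB-Type value; not handled here")
            code = r.read(4)                      # 0..8 = sibType3..sibType11, 9..15 = spares
            sibs.append(f"sibType{code + 3}" if code <= 8 else f"spare{16 - code}")
        sched.append((period, sibs))
    out["schedulingInfoList"] = sched
    out["si-WindowLength"] = ["ms1", "ms2", "ms5", "ms10", "ms15", "ms20", "ms40"][r.read(3)]
    out["systemInfoValueTag"] = r.read(5)         # INTEGER(0..31)
    out["bitsConsumed"] = r.pos                   # should equal the 144-bit transport block
    return out
```

Run on the bytes as printed, it reproduces the table's TAC, cell identity, barring flags, q-RxLevMin, band, scheduling list, SI window and value tag and consumes exactly 144 bits, but the PLMN comes out as MCC 440 / MNC 10 rather than the 299 / 00 shown, so either the hex or the PLMN rows were altered in transcription. A decode table should always be checked against the raw bytes it was produced from.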

This form of analysis provides an excellent grounding when conducting ICCSA. Why would that be so? Familiarisation with this educational content enables knowledge to be gleaned from the real-world SIBs detected by the UE at particular locations. Importantly, information that informs the UE about varying cells benefits an investigation. For instance, we know that when the UE has successfully received and decoded the MIB and SIBs type 1 and 2 etc. during its travels, SIB type 9 might identify an (H)eNodeB that is available. To be clear, that latter information provides two unique pieces of information: (1) the identity of the radio source; (2) it is location-specific to tens of metres in an area, thus refining location identification where the UE would have dwelt (dwell time - slow-moving UE).

It also refines the location for the investigation, and even where SIB1 and SIB2 provide a wider location area, the UE's detection (SIB type 9) of the (H)eNodeB coverage would have the effect of demonstrating the pre-requisite requirement of proximity to an area. Now readers could point out: how would the person conducting the ICCSA know about the (H)eNodeB in the first place if call/data records are not available? For those situations where immediacy is an important aspect of current bandit surveillance, the UE stores relevant information about the radio resources in an area for up to 3 hours, after which old data are discarded. For a live UE acquisition this time frame could be useful. A UE switched off (e.g. at the target site area) retains that information, and it requires extraction and harvesting without invoking UE power-up and network detection and registration.