The use of historic cell site evidence doesn't require it to pinpoint
the exact spot where the mobile phone was used. The supporting
evidential materials do have to stack up, though, while at the same time
avoiding assumptions being made on "thin" evidence.
Circumstantial evidence - mobile phone / giffgaff / cell site:
http://www.bailii.org/cgi-bin/markup.cgi?doc=/ew/cases/EWCA/Crim/2013/1916.html
Location and Mast Usage
http://www.bailii.org/cgi-bin/markup.cgi?doc=/scot/cases/ScotHC/2013/2013HCJAC89.html
GSM(2G)-GPRS(2.5G)-HSCSD/EDGE-WCDMA(3G/UMTS)-HSPA/LTE(3.5G)-LTE-A(4G)- 5G/IoT- 802.11xx-WiMAX, plus other radio & paging technologies: Analysis of Call Record Attribution, Network Record, Coverage, Masts, Location, Co-location, Movement for Commercial and In Building Solutions, Public and Tribunal Inquiries, Criminal Cases, Civil Cases, Human Rights and Investigation into tracking, lost and missing persons...
Sunday, December 29, 2013
Location Tracking in the US
We have all read various views expressed by those involved in the US
that location data are not kept and that it is all too difficult to get any
sort of data. Have a read of the article below and ask yourself whether
the authors of this article are aware that such location data does
exist and is retained, while others have expressed in other forums that such
data doesn't exist or, if the data did exist, that the location data isn't
retained.
Government Location Tracking: Cell Phones, GPS Devices, and License Plate Readers:
https://www.aclu.org/government-location-tracking-cell-phones-gps-devices-and-license-plate-readers
Labels:
cell details,
cell site analysis,
data retention,
evidence,
location,
tracking,
US
Wednesday, November 06, 2013
Use of GSM Logical Channels for CSA
When a mobile/smart phone's power button is pressed the mobile triggers the power up sequence. At this stage the mobile station (MS) is in radio darkness: it knows nothing about the radio coverage that surrounds it in the geographical area in which it has been switched ON. Once switched on, the mobile device follows the embedded routines in its radio program, a sequence that brings it out of the radio darkness and into the radio light. It gains knowledge of the radio coverage surrounding it; compares the coverage found to identify the correct transmission technology for which the mobile device has been designed and manufactured; announces its presence to the mobile network in the geographical location where it is dwelling, for the purpose of communications; and is then radio link-enabled for mobile content communications and radio link-disabled to terminate mobile content communications.
The diagram below omits the 'timing' of events: it is not there to demonstrate when each event occurs but to offer an at-a-glance visual indication of the sequence of channels involved from power ON to terminating a call.
It could be suggested that the above diagram is not entirely realistic: what happens if, immediately after power up and registering with the network, an incoming call indicator or an SMS is received? In GSM terms the channels identified above can be selected for use for each of those purposes, so the diagram can be considered as relating to incoming and/or outgoing communications.
For the avoidance of doubt regarding GSM logical channels, it is relevant to mention that the logical allocation of channels takes a separate and divided approach to two logical channel paths, if you will: 'Common Channels (CCH)' and 'Dedicated Channels (DCH)'.
Common Channels (CCH)
CCH has allocated under it two channel sub-divisions:
Broadcast Channels (BCH), which is divided into a further three sub-channels:
- Frequency Control Channel (FCCH); Synchronisation Channel (SCH); Broadcast Control Channel (BCCH).
Common Control Channels (CCCH), which is divided into a further three sub-channels:
- Paging Channel (PCH); Random Access Control Channel (RACH); Access Grant Channel (AGCH)
Dedicated Channels (DCH)
DCH has allocated under it two channel sub-divisions:
Common Channels (CH), which is divided into a further three sub-channel groups:
- Stand-alone Dedicated Control Channel (SDCCH); Slow Associated Control Channel (SACCH); Fast Associated Control Channel (FACCH)
Traffic Channels (TCH), which is divided into a further two sub-channels:
- Traffic Channel Full Rate (TCH/F); Traffic Channel Half Rate (TCH/H)
As a further point to note, two DCH logical channels shown in the above diagram are able to be included (transmitted) in either Common Channel communications and/or Traffic Channel communications. The SACCH has been highlighted because its content can be carried within the SDCCH or TCH transmission.
Question 1: Do you know the important content that is transmitted in the SACCH packet and its relevance to informing the MS and the Network, and to cell site analysis?
Question 2: The other shared DCH logical channel has not been highlighted. Do you know what that other channel is and the important content it holds in the communications informing the MS and the Network, and its relevance to cell site analysis? To refresh: its content too can be carried within the SDCCH or TCH transmission.
The Diagram
The diagram above is divided into FOUR separate MS states:
- Power On
- Idle Mode
- Dedicated Mode
- Idle Mode
Each of these separate elements is paramount to GSM CSA; without their basic existence GSM CSA would not be possible from the mobile-device-element investigation point of view, which forms one of the investigation procedures during CSA.
Labels:
AGCH,
BCCH,
cell site analysis,
CSA,
dedicated mode. power ON,
FACCH,
FCCH,
GSM logical channels,
idle mode,
mobile station,
MS,
PCH,
power OFF,
RACH,
SCH,
SDCCH,
TCH
Sunday, November 03, 2013
Directed Retry
A fundamental and vital goal of any mobile communication network is to maintain communications between the network and the mobile station (MS), whether the MS is dwelling in an area or on the move. To assist these aims and objectives GSM is commonly known to use 'Handover', for which there is a specific GSM standard, TS03.09 [cf. W-CDMA, see 3GPP TS23.009].
The assumption being made for these cause values is that the MS is seeking to obtain a service for speech calls:

Bits 7 6 5 | Bits 4 3 2 1 | Cause
0 0 0 | 0 0 0 0 | Radio interface message failure
0 0 0 | 0 0 0 1 | Radio interface failure
0 0 0 | 0 0 1 0 | Uplink quality
0 0 0 | 0 0 1 1 | Uplink strength
0 0 0 | 0 1 0 0 | Downlink quality
0 0 0 | 0 1 0 1 | Downlink strength
0 0 0 | 0 1 1 0 | Distance
0 0 0 | 0 1 1 1 | O and M intervention
0 0 0 | 1 0 0 0 | Response to MSC invocation
0 0 0 | 1 0 0 1 | Call control
0 0 0 | 1 0 1 0 | Radio interface failure, reversion to old channel
0 0 0 | 1 0 1 1 |
0 0 0 | 1 1 0 0 | Better Cell
0 0 0 | 1 1 0 1 | Directed Retry
0 0 0 | 1 1 1 0 |
0 0 0 | 1 1 1 1 | Traffic
Key and germane to handover being successful is that operators can use various handover techniques controlled by handover triggering algorithms. These triggers activate when detection mechanisms identify propagation or network conditions at the existing cell or at the target cell where neither meets a set criterion for usage. One such condition is referred to by Professor Sami Tabbane in Management of Radio Mobility: The Handover Procedure - 8.1.4.2 Intercell and Intra-BSC Handover: "A handover that is triggered for reasons of traffic loading and occurs during call setup is called directed retry."
Examiners are expected to know about Directed Retry, to take account of its possibility when conducting CSA (cell site analysis) investigations, and to understand its influence and impact on the evidence recorded in call records and associated cell data. A point of contention in evidence often arises where a defendant states "I was not at the location claimed by the prosecution but was in a different area". Invariably this receives the response "Why does your mobile use the radio coverage from a particular sector (azimuth) from a particular fixed mast (BTS)?" Directed retry makes possible the scenario of a mobile phone being in a cell adjacent to the one shown in the call records. Directed Retry is not a trigger that simply fires every few minutes but arises, as Professor Tabbane records, due to traffic loading at the time of call setup.
A mistake that experts and investigators could make would be to ignore the existence of Directed Retry and, even more problematical, not to have asked the question whether Directed Retry was active at cell/BSC level at the material time of the calls, apart from any intervention within the network.
GSM standards make Directed Retry explicit where it might otherwise be implicit for a GSM radio location area. This logically raises the question of how Directed Retry can be configured and activated. Mobile network radio equipment manufacturers offer the capability in their equipment for mobile network engineers to fine tune the radio post-installation, and among the parameters that can be fine tuned are the Handover triggers, of which Directed Retry is one:
As each equipment manufacturer varies the way fine tuning may be implemented, using a GUI to input the trigger parameters is one method. Another is to incorporate the data into an .mdb or .xls file which has been scripted to produce, e.g., an .xml output for uploading to the radio base station database. This means it can be checked whether Directed Retry is active in a particular GSM radio location area. Furthermore, because radio fine tuning continues, updates to the trigger parameters can occur, and older versions of the .mdb/.xls may be recovered from archive.
Experts and investigators will need to be aware of the triggers Directed Retry (DR) and Forced Directed Retry (FDR) and identify when, in a mobile network, either of these triggers would be implemented and activated for the radio network. This equally means tracking down which equipment manufacturers offer one form or the other, or both forms, of Directed Retry.
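The cause-value table above and the point about checking whether Directed Retry was active at the material time can be turned into a small examiner's check. The following is an added example, not code from the blog or from any operator's tooling: it decodes the 7-bit handover cause values as tabulated in the post (the two rows the post leaves blank stay blank) and then cross-references constructed call records against constructed radio-side handover events to flag calls whose set-up coincided with a Directed Retry. The record layouts, cell identifiers, timestamps and the 10-second matching window are all assumptions made for the example; which of the two cells (source or target) an operator writes into its call record is something that has to be confirmed with that operator.

```python
# Added example (not from the blog): decode handover cause values as listed
# in the post and flag call records whose set-up coincided with Directed Retry.
from dataclasses import dataclass
from datetime import datetime, timedelta

# Cause values from the post's table, keyed by the 7-bit value (bits 7..1).
# The two rows the post leaves blank (0001011, 0001110) are kept as None.
HANDOVER_CAUSES = {
    0b0000000: "Radio interface message failure",
    0b0000001: "Radio interface failure",
    0b0000010: "Uplink quality",
    0b0000011: "Uplink strength",
    0b0000100: "Downlink quality",
    0b0000101: "Downlink strength",
    0b0000110: "Distance",
    0b0000111: "O and M intervention",
    0b0001000: "Response to MSC invocation",
    0b0001001: "Call control",
    0b0001010: "Radio interface failure, reversion to old channel",
    0b0001011: None,
    0b0001100: "Better Cell",
    0b0001101: "Directed Retry",
    0b0001110: None,
    0b0001111: "Traffic",
}
DIRECTED_RETRY = 0b0001101


def decode_cause(octet: int):
    """Return (value, name) for a cause octet. Only bits 7..1 carry the value
    in the post's table, so bit 8 is masked off; values the post does not
    list decode to None."""
    value = octet & 0x7F
    return value, HANDOVER_CAUSES.get(value)


@dataclass
class CallRecord:          # constructed: the cell a call record attributes to set-up
    call_id: str
    setup: datetime
    cell_id: str


@dataclass
class HandoverEvent:       # constructed: a cause seen on the radio side
    when: datetime
    source_cell: str
    target_cell: str
    cause: int


def directed_retry_flags(cdrs, events, window=timedelta(seconds=10)):
    """For each call record, collect Directed Retry events within `window` of
    call set-up in which the record's cell is either the source or the target.
    A hit means the call was moved between two cells at set-up, so the MS may
    have been camped on the *other* cell of the pair, not the one recorded."""
    flags = {}
    for cdr in cdrs:
        hits = [
            (ev.source_cell, ev.target_cell)
            for ev in events
            if decode_cause(ev.cause)[0] == DIRECTED_RETRY
            and cdr.cell_id in (ev.source_cell, ev.target_cell)
            and abs(ev.when - cdr.setup) <= window
        ]
        if hits:
            flags[cdr.call_id] = hits
    return flags


# Constructed sample data (hypothetical cell identifiers and times).
SAMPLE_CDRS = [
    CallRecord("C1", datetime(2013, 11, 3, 10, 15, 2), "CELL-B2"),
    CallRecord("C2", datetime(2013, 11, 3, 11, 0, 0), "CELL-C3"),
]
SAMPLE_EVENTS = [
    # Directed Retry two seconds after C1 set-up, moving SDCCH on A1 to TCH on B2
    HandoverEvent(datetime(2013, 11, 3, 10, 15, 4), "CELL-A1", "CELL-B2", 0x0D),
    # Better Cell handover near C2: not a set-up artefact, so not flagged
    HandoverEvent(datetime(2013, 11, 3, 11, 0, 1), "CELL-C3", "CELL-D4", 0x0C),
]


def run_sample():
    return directed_retry_flags(SAMPLE_CDRS, SAMPLE_EVENTS)


if __name__ == "__main__":
    for call_id, pairs in run_sample().items():
        for src, dst in pairs:
            print(f"{call_id}: Directed Retry at set-up, {src} -> {dst};"
                  f" the MS may have been camped on the cell not shown in the record")
```

The output for the constructed data flags call C1 only: its recorded cell CELL-B2 was the target of a Directed Retry from CELL-A1, so the examiner's question becomes whether the MS was in fact camped on CELL-A1 at the material time.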
Labels:
3GPP TS23.009,
call records.,
cell site analysis,
CSA,
directed retry,
evidence,
GPRS,
GSM,
GSM TS03.09,
mobile calls,
wcdma
Saturday, November 02, 2013
GPRS CSA
There are often forum discussions about GPRS (general packet radio switching) and how to conduct CSA (cell site analysis). Given that GPRS is expected to form a basic data service across GSM/WCDMA/LTE it is always worth starting at the beginning with GSM/GPRS as GPRS has numerous influences on GSM that have evolved for today's mobile networks.
As the old adage goes, "time and tide wait for no man"; it is important to get to grips with GPRS at its easiest stages and, once understood, move on to track down the changes found in the additional layers involved with later transmission technologies and comprehend them.
When I was teaching/training at the Institute, the Professor in charge of educational studies at that time wanted me to show where mobile communication research material originated, authenticate sources and compile the material before student/delegate training could go ahead. Invariably this meant starting out producing hand-drawn sketches that would be converted and re-produced for slide/PowerPoint presentations, the information in the sketches being sourced from standards, books, articles, whitepapers, manufacturer specs etc., and experience (testing), of course. From my GPRS CSA course research material prepared back in 2002/2003 I have pulled out of the folder one hand-drawn sketch (below) from the collection of sketches prepared for GPRS CSA.
The sketch layout is heavily influenced by the existing standards and industry illustrations available at that time. I have added a few personal touches in order to produce this at-a-glance sketch. Perhaps students, investigators and examiners may find it a useful starting point. I shall add more here, at this blog, about GPRS CSA, but I do have quite a few other research projects on the go and I want to write about those too.
Just briefly though, GPRS CSA is not possible simply by referring 'only' to CDRs.
Firstly, there are two CDRs to consider. GPRS usage is not solely defined by a Call Detail Record. GPRS has its own record called the Charging Data Record (also referred to by the acronym CDR), defined to confirm data usage and services used etc., irrespective of the content transmitted in the data.
Secondly, GPRS CSA should not be undertaken lightly and should not be progressed where the investigator/examiner is being given partial information or being denied access to information.
Thirdly, to avoid mishaps associated with the second point mentioned above, examiners/investigators should establish at first instance the MS, (U)SIM/handset, used at the material time, and confirm which cells were GPRS enabled and available for the relevant location/s at the material time; it is equally relevant to identify those cells that were not enabled for GPRS for the relevant location/s.
Fourthly, make sure it is clear which GPRS usage is in the home network and which is GPRS usage caused to be transported across donor roaming partner networks but within the same country (cf. Vodafone and Hutchison 3G (H3G)).
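The third and fourth points above are checks an examiner can run mechanically over the Charging Data Records once the GPRS-enabled cell list and the home/donor network identities have been obtained from the operator. The following is an added example, not code from the blog: it takes constructed charging records and reports, per record, whether the record belongs to the (U)SIM under examination, whether its cell was on the GPRS-enabled list at the material time, and whether the session was carried on the home network or on a donor partner network. The record fields, cell identifiers and the PLMN labels ("HOME-PLMN", "DONOR-PLMN") are placeholders assumed for the example; a real record's field names and network codes come from the operator's own schema.

```python
# Added example (not from the blog): consistency checks on constructed GPRS
# Charging Data Records, following the post's third and fourth points.
from dataclasses import dataclass


@dataclass
class ChargingRecord:      # constructed layout; real records follow the operator's schema
    record_id: str
    imsi: str              # placeholder subscriber identity
    cell_id: str           # cell the session was attributed to
    plmn: str              # placeholder network identity that carried the session
    uplink_bytes: int
    downlink_bytes: int


def check_gprs_records(records, gprs_enabled_cells, home_plmn, subscriber_imsi, donor_plmns):
    """Return {record_id: [issue, ...]} for records that need follow-up.
    A record with no issues is not included, so an empty dict means every
    record is for the right subscriber, on a GPRS-enabled cell, on the home
    network."""
    issues = {}
    for rec in records:
        problems = []
        if rec.imsi != subscriber_imsi:
            problems.append("record is not for the (U)SIM under examination")
        if rec.cell_id not in gprs_enabled_cells:
            problems.append("cell not on the GPRS-enabled list at the material time")
        if rec.plmn != home_plmn:
            if rec.plmn in donor_plmns:
                problems.append(f"carried on donor network {rec.plmn}, not the home network")
            else:
                problems.append(f"carried on unexpected network {rec.plmn}")
        if rec.uplink_bytes == 0 and rec.downlink_bytes == 0:
            problems.append("zero data volume: context may have been opened but unused")
        if problems:
            issues[rec.record_id] = problems
    return issues


# Constructed sample data (placeholder identities, not real network codes).
SUBSCRIBER = "IMSI-UNDER-EXAM"
HOME = "HOME-PLMN"
DONORS = {"DONOR-PLMN"}
GPRS_CELLS = {"CELL-101", "CELL-102"}          # assumed GPRS-enabled at the material time
SAMPLE_RECORDS = [
    ChargingRecord("R1", SUBSCRIBER, "CELL-101", HOME, 1200, 48000),
    ChargingRecord("R2", SUBSCRIBER, "CELL-205", HOME, 300, 2000),        # cell not GPRS-enabled
    ChargingRecord("R3", SUBSCRIBER, "CELL-102", "DONOR-PLMN", 0, 0),     # donor network, no data
    ChargingRecord("R4", "IMSI-OTHER", "CELL-101", HOME, 50, 900),        # wrong subscriber
]


def run_sample():
    return check_gprs_records(SAMPLE_RECORDS, GPRS_CELLS, HOME, SUBSCRIBER, DONORS)


if __name__ == "__main__":
    for record_id, problems in run_sample().items():
        print(record_id, "->", "; ".join(problems))
```

On the constructed data only R1 passes cleanly; R2 sits on a cell that was not GPRS-enabled (which is exactly the kind of record that should not be relied on without explanation), R3 was carried on the donor partner network and moved no data, and R4 belongs to a different (U)SIM altogether.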
Saturday, October 26, 2013
Cellular Transmission Technology
Here are two test sheets identifying a range of cellular transmission technologies for CSA beginners and practitioners. They require going through the charts to check the accuracy of the information recorded in them and to identify the relevant mobile network operators. It means researching not simply at the mobile network operators' websites, but researching the standards, etc. etc. etc.
A key aim and objective with CSA is to remember to start out being as thorough as you possibly can and create a very, very long list of all the elements you expect to be identified, what information you expect to be revealed from those elements, and what has actually been revealed by the other side in evidence.
When visiting the various discussion forums, discussions can often refer to a technical point without identifying the relevant and specific cellular transmission technology. The problem this creates is that quite often references to mobile communication 'commands' and 'responses' are transferred between cellular transmission technologies. To assist with these complexities, cellular transmission technology test sheets 1 and 2 identify researched information, and you have to find out whether all the information and supporting information is accurate or not. The sense of achievement is guaranteed in the finding out, as opposed to confirming to the world "look what I know". Have a go and see how much you think you know - what have you got to lose?
Special thanks for all the help from the superb information made available by various sources, including but not limited to the following organisations: GSMA, 3GPP/2, TIA/EIA; regulatory bodies; the various mobile network operators around the world; Alcatel, Andrew, Anite, Anritsu, Ericsson, Huawei, Jaybeam, Kathrein, Nec, Nokia, Nortel, Siemens, Zapp.
Saturday, June 01, 2013
Examples of cell site maps used in evidence
Here are another two examples of specifically generated cell site maps
using network infrastructure and radio survey data from a particular
mobile network operator, in this case Orange PCS, which formed part of
the jury bundle in an old murder case.
Equal Power Boundary Map
Character (Text) Composite Map
Tuesday, May 28, 2013
GSM Measurement Report/Response
A response I made to a question raised at Forensic Focus included a remark relating to a measurement report "(MEAS_RES/MEAS_REP message)": http://www.forensicfocus.com/Forums/viewtopic/t=10600/
I referred to this measurement report as it provides useful information in real time. Knowledge of its existence and the content it holds is very useful for track and trace, lawful interception and, historically, for looking back at the profiles a switched-ON mobile phone returned to the mobile network based upon its particular location at a particular time.
Measurement Reports are obtained by the network for the purposes of allocating radio resources. Radio Resource Management (RRM) has responsibility for communicating the necessary messages to the mobile phone. Because radio resources are limited, however, use of a control channel requires shortform notation to send commands in order for the receiver (the MS) to provide responses. To do this a vocabulary was created for GSM and utilised by the RRM, e.g. Skip Indicator/Protocol Discriminator = 06 (relevant to handover). The SI/PD message is predefined in a mobile phone's vocabulary (look-up table) so that it understands messages sent to it. For MEAS_REP the shortform message sent is known as ID (Hex) 15 [binary 00010101, decimal 21]. The verbose message translated from the shortform ID (Hex) 15 command reads:
MS -> BTS: send MEASurement REPort.
This means MEAS_REP transfers the current measurement results of the MS to the BTS (uplink measurements). These measurements contain the received levels of the serving cell and neighbouring cells. [It is important to remember there is a distinction to be made between a mobile phone switched ON (idle mode and camped on a cell), one that has already registered to the network (idle mode and ready for radio resources) and one that is actively involved with the radio network using resources. In idle mode a mobile phone in a registered state can update its position either by commands made by the network, by moving to another radio area, or by using the periodic update parameter to be found in the SIM Card elementary file, e.g. EFHPLMN.]
In the case of an active connection, a MEAS_REP is sent to the BTS every 480 ms via the SACCH. The BTS forwards the MEAS_REP to the BSC, embedded in its own measurement results (MEAS_RES). [In the active state the MEAS_REP assists the network in controlling MS handovers and power output, and the MEAS_RES assists with the building blocks for track and trace of an MS to a particular group of cells and other surveillance tasks.]
With a single MEAS_REP sent every 480 ms whilst the MS is in dedicated mode, this is very fast timing, and the combined results from a number of reports/results can be used with other processes to locate an MS to within tens of metres of a particular location. WCDMA and LTE also have similar capabilities/techniques. Where GPS coordinates are also included in the reports returned to the network, it is possible to improve location positioning.
Below is an analysed MEAS_RES in more detail with a MEAS_REP included that was captured using a protocol tester on the Abis interface (BTS/BSC) of a GSM900 PLMN. This example presents a useful opportunity to see a measurement report/response and equally provides a useful primer when looking further at subscriber track and trace and at reconstructing possible target movements for lawful surveillance and interception.
The above can assist those involved in GSM cell site analysis, enabling an investigator to define in more detail the type of content information sought from an operator, as always subject to the type of case being investigated. The above material is not definitively or precisely accurate, as each operator requires variation in content reports and uses varying methods to harvest data, so care is needed before wading in with a list of requirements.
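To make concrete what "ID (Hex) 15" and the serving/neighbour levels in a MEAS_REP look like on the wire, here is an added example that is not code from the blog and not the protocol tester's output: a small decoder for a GSM RR MEASUREMENT REPORT message as the MS sends it on the SACCH. The header check (skip indicator in the upper nibble, protocol discriminator 0x06 in the lower nibble, message type 0x15) matches the post; the bit layout of the 16-octet Measurement Results information element follows GSM 04.08 / 3GPP TS 44.018 section 10.5.2.20 as I read it, and the 18-byte message is constructed for the example, not captured from a network. RXLEV is converted to dBm on the standard's scale (RXLEV 0 corresponds to below -110 dBm, one step per dB), and the BSIC is split into its NCC and BCC parts.

```python
# Added example (not from the blog): decode a constructed GSM RR MEASUREMENT
# REPORT (message type 0x15) into serving-cell and neighbour-cell levels.

RR_PROTOCOL_DISCRIMINATOR = 0x06   # Radio Resource management, per the post
MEASUREMENT_REPORT = 0x15          # "ID (Hex) 15" in the post
NCELL_INFO_NOT_AVAILABLE = 7       # NO-NCELL-M value meaning no neighbour results


class BitReader:
    """MSB-first bit reader over a bytes object."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def read(self, n: int) -> int:
        value = 0
        for _ in range(n):
            byte = self.data[self.pos >> 3]
            value = (value << 1) | ((byte >> (7 - (self.pos & 7))) & 1)
            self.pos += 1
        return value


def rxlev_to_dbm(rxlev: int) -> int:
    # RXLEV 0 = below -110 dBm; each step is 1 dB (63 = -47 dBm or better)
    return -110 + rxlev


def decode_measurement_report(msg: bytes) -> dict:
    """Parse header + Measurement Results IE of a MEASUREMENT REPORT."""
    if len(msg) != 18:
        raise ValueError("MEASUREMENT REPORT is 2 header octets + 16 IE octets")
    skip, pd = msg[0] >> 4, msg[0] & 0x0F
    if skip != 0 or pd != RR_PROTOCOL_DISCRIMINATOR:
        raise ValueError(f"not an RR message: skip={skip} pd={pd:#x}")
    if msg[1] != MEASUREMENT_REPORT:
        raise ValueError(f"message type {msg[1]:#04x} is not MEASUREMENT REPORT")

    r = BitReader(msg[2:])
    ba_used = r.read(1)              # which BA list the neighbour indices refer to
    dtx_used = r.read(1)             # whether the MS used DTX during the period
    rxlev_full = r.read(6)           # serving cell level, all bursts
    r.read(1)                        # 3G-BA-USED (not needed here)
    meas_valid = r.read(1)           # 0 = results valid, 1 = not valid
    rxlev_sub = r.read(6)            # serving cell level, DTX subset of bursts
    r.read(1)                        # spare
    rxqual_full = r.read(3)          # serving cell quality (0 best .. 7 worst)
    rxqual_sub = r.read(3)
    no_ncell_m = r.read(3)           # number of neighbour results, or 7

    neighbours = []
    if no_ncell_m != NCELL_INFO_NOT_AVAILABLE:
        for _ in range(no_ncell_m):
            rxlev = r.read(6)        # neighbour level
            bcch_freq = r.read(5)    # index into the BA list, not an ARFCN
            bsic = r.read(6)         # base station identity code
            neighbours.append({
                "rxlev_dbm": rxlev_to_dbm(rxlev),
                "bcch_freq_index": bcch_freq,
                "bsic": bsic, "ncc": bsic >> 3, "bcc": bsic & 0x7,
            })
    return {
        "ba_used": ba_used, "dtx_used": dtx_used, "valid": meas_valid == 0,
        "serving": {
            "rxlev_full_dbm": rxlev_to_dbm(rxlev_full),
            "rxlev_sub_dbm": rxlev_to_dbm(rxlev_sub),
            "rxqual_full": rxqual_full, "rxqual_sub": rxqual_sub,
        },
        "ncell_info_available": no_ncell_m != NCELL_INFO_NOT_AVAILABLE,
        "neighbours": neighbours,
    }


def ranked_cells(report: dict):
    """Serving cell plus neighbours, strongest first: the raw material the
    post describes for narrowing an MS down to a group of cells."""
    cells = [("serving", report["serving"]["rxlev_full_dbm"])]
    cells += [(f"ncell{i + 1}", n["rxlev_dbm"]) for i, n in enumerate(report["neighbours"])]
    return sorted(cells, key=lambda c: c[1], reverse=True)


# Constructed sample: RR header, then a Measurement Results IE encoding a
# serving cell at -65/-66 dBm (RXQUAL 1/2) and two neighbours.
SAMPLE_MEAS_REP = bytes.fromhex("06 15 2D 2C 14 A6 1A AF 1E A0 00 00 00 00 00 00 00 00")

if __name__ == "__main__":
    rep = decode_measurement_report(SAMPLE_MEAS_REP)
    print("serving:", rep["serving"])
    for n in rep["neighbours"]:
        print("neighbour:", n)
    print("ranked:", ranked_cells(rep))
```

For the constructed bytes the serving cell decodes to -65 dBm (full) and -66 dBm (sub), and the two neighbours to -72 dBm (BA index 3, BSIC 21 = NCC 2 / BCC 5) and -80 dBm (BA index 7, BSIC 42 = NCC 5 / BCC 2). One such report arrives every 480 ms for the duration of the dedicated connection, which is why a sequence of them, combined with the operator's cell and BA-list data, lets the network (and, later, an examiner with the records) reason about where the MS was.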