3G Networks position techniques.pdf

For those CSA investigators interested in a skeleton outline on 3G Networks position techniques, this info should help as a starting point.

Network Positioning Techniques

Orange and Vodka - mixing mobile networks

Orange and Vodka - mixing mobile networks

(shaken, not stirred)

.

Good title for a book or article that heading. I thought this would be a useful post regarding the unusual occurrence of roaming onto a forbidden UK network from the home UK network.These screenshots record an event that happened on my wireless broadband. In the area I was located at the time Orange provided GPRS at 56K but download rates of under 6.5kbps (no 3G) - so not very good at all.
.

.
Such a matter like this may have an influence, if understood that it may occur, on any post-obtained radio test measurements after an alleged crime, or may even taint what may be considered a flawless opinion or conclusion, that is when conducting cell site analysis (CSA) investigations for evidential purposes.

.

.
It is not the fact that post-obtained radio test measurements failed to replicate an earlier event, it is the fact that a 'possibility' that may need to be explored to provide a more rounded opinion or conclusion in a report and at Court maybe missed or overlooked.
.
There are answers to the above conundrum but this is not the point of this post, which has been to highlight a technical event that might impact on evidence.

UTRAN & GERAN 3G Inter-PLMN Handover

UTRAN & GERAN 3G Inter-PLMN Handover

.
The subscriber's home network is France. The visited network where the subscriber is registered in a VLR (Visitor Location Register) is Germany. The signalling connection between HLR (Home Location Register) and VLR is indicated by dotted lines. The calls for the subscriber are controlled by the MSC collocated to the VLR where the subscriber is registered. This MSC (Mobile Services switching Centre) is called "anchor MSC".
.
Handover to a different MSC may occur if the cell serving the subscriber after handover is not controlled by the anchor MSC. This MSC is called the "serving MSC". Even after the call has been handed over to a different MSC, the call control function remains in the anchor MSC. The signalling connection and circuit switched connection established between anchor MSC and serving MSC are indicated by a solid line.
.
When the French subscriber registered in a German network roams near the border to the Netherlands, inter-PLMN handover may occur. In this case a Dutch network is the target network. After handover, the anchor MSC located in a German network continues to control the call. The German network remains the visited network where the subscriber is registered. The subscriber's location information stored in the HLR remains unchanged. The signalling and circuit switched connections between the anchor MSC and the previously serving MSC in the German network will be released when the User Equipment (UE) is served by a cell within a Dutch network. The Dutch network becomes the serving network. From the Dutch network the subscriber may be handed over to a Belgian network (see Figure 1).
.

.
It is noteworthy. A problem exists for mobile users when commuting across national borders. Whilst manual network selection may be used to ensure that the user can select the HPLMN (Home PLMN)/ EHPLMN (Equivalent Home-PLMN), many users use Automatic Selection mode; and the ME is only permitted to select PLMNs of a higher priority within the same country in automatic mode. This leads to the situation that, having crossed back into its home country and within HPLMN coverage, an ME might remain camped on the VPLMN in the adjacent territory.
.
As a consequence, the user will be charged international roaming rates for all calls made or received until such time as an MS either:
.
(a) moves out of VPLMN coverage or
(b) manually selects the HPLMN.
.
Note: Power cycling the ME does not solve the problem because the mobile will look for the RPLMN (Roaming-PLMN). The reference to ME is infact a reference also to 3G UE (User Equiment).
.
These matter can impact when considering Roaming Cell Site Analysis and Call/Billing Records. It is recommend therefore that reviewing the 3GPP Standards aid understanding how UTRAN and GERAN can function under certain UE conditions particularly when dealing with Network Selection Principles.
.
Thanks to 3GPP for provision of information used in this discussion.

GSM Mast Installations (Density)

GSM Mast Installations (Density)

.

When planning a cellular radio network there are many aspects to consider. The matter of radio technology and their frequencies (carriers) are but two examples. A relevance to be understood from these examples relate to what services may be obtained and delivered through these carriers? GSM for basic voice and text services and W-CDMA providing high data rates for video, gaming and conferencing etc.
.

Germane and relevant to obtaining radio services are the radio access technologies needed for that - Masts and Antennas. In radio engineering terms, antennas provide the physical technology to access the services obtained in the radio coverage by use of transmitters and receivers, commonly referred to by the acronym TRXs. The Masts provide the physical location for the siting of the TRXs. An important aspect of Mast installations is knowing the potential customer numbers that will use the services obtained from them. The calculation used for the number of customers and the number of calls that can be handled by one Mast's TRXs is calculated using the Erlang formulae - the number of calls and time length of each call in an hour.
.

Generally, though, to understand how Erlang can be used to determine the number of Masts and TRXs for an area let's just say there are 50,000 potential customers for a particular area. Let us also say to retain quality of service three sectors with 2 or 4 TRXs per sector, s222 or s444 respectively, are required. Let's also indicate that it is known that:

.

=======

.
1 TRX = 3 erlang, 2 TRXs = 5 erlang, 3 TRXs = 15 erlang, 4 TRXs = 20 erlang
.

The relevant TRXs selected for this Mast installation scenario are 2 TRXs and 4 TRXs.
.

Let:
.

50,000 x 0.02 erlang, where 0.02 erlang is used per customer = **1000 erlang
.

Each sector of an s444 may carry up to 20 erlang x 3 sectors = **60 erlang
.

**1000/**60 = 16.7
.

Therefore:
.

16.7 (17) Mast installations would be needed where a configuration of TRXs s444
.

or where
.

33.4 (35) Mast installations would be needed where a configuration of TRX s222
.

================

.

Remember the above is intended only to be illustrative so that it can be used to draw inferences about Masts installations and potential user numbers based upon the density of Masts in an area. An inference, such as, why a Mast further away than Masts sited closer to where a mobile station (MS) may be located routed the text message to the MS?

.

There are a large number of issues to be considered but let us take iwo important issues to be considered are:

.

- Point-to-Area predictions for terrestrial services 30 MHz to 3000 MHz

- Point-to-Point short message service (SMS)

.

In relation to point-to-area it could be the height of buildings surrounding the MS may be a cause for a distant Mast routing a point-to-point SMS text message. Alternatively, it may be the routing of the point-to-point SMS text message from a distant Mast occurred because the MS, in the idle mode, was surrounded by Masts that were at call traffic capacity. Alternatively it could be because of a combination of both buildings and call traffic capacity.

.

Knowing matters like these are very useful when dealing cell site analysis and a reason why they are incorporated into the Core Skills Knowledge of the TrewMTE training courses:

.

GSM Cell Site Analysis Training Course

-------------------------------------------------------

.

Course One: GSM Core Skills Knowledge Course (CSA Part 1)

3-days training

.
Course Two: GSM Cell Site Analysis Course (CSA Part 2)

3-days training
.

Course Three: GSM Cell Site Analysis Course (CSA Part 3)

3-days training
.

3G Cell Site Analysis Training Course

----------------------------------------------------

Course One: 3G Core Skills Knowledge Course (CSA Part 1)

4-days training

.
Course Two: 3G Cell Site Analysis Course (CSA Part 2)

3-days training

.
Course Three: 3G Cell Site Analysis Course (CSA Part 3)

3-days training

.

SIM Card Training

-------------------------
GSM SIM Card Training Course

3-days training

.
USIM/UICC Card Training

------------------------------------

3G USIM/UICC Training Course

3-days training

.
GSM/3G Handset Examination Training

------------------------------------------------------

GSM/3G Mobile Telephone Training Course

4-days training

------------------------------------------------------
MTEB Mobile Telephone Evidence Diplomas (MTEdipl).

Cell Site Analysis Obervations

Cell Site Analysis Obervations

"Radio, she is a beauty but a mistress to none. Just when you think you have her coralled up she'll jump and kick you right in the backside when you least expect it. She is indeed a worthy challenge."

I said that in 1994, and I haven't changed my mind todate.

The above will be brought home to you only too quickly when you deal with digital radio and the art of cell site analysis. If you want a starting point with GSM, then start with the GSM standards. Having spent many years dealing with GSM and the evidence that can be produced from it, I am still in awe today as I was back in 1993 when I first started to work with GSM. For those not yet having an insight into the GSM, I can only say we really do stand on the shoulders of geniuses. I cannot think of any other technology where the authors produced such an amazing system and went on to fully document what they have done, only asking you respect what they have done by reading the standards and comprehending, and then go on to use it.

For example, when considering GSM, it is worth knowing at least four principles to be understood:

- There are mandatory requirements with mandatory outcomes
- There are mandatory requirements with optional outcomes
- There are optional requirements with mandatory outcomes
- There are optional requirements with optional outcomes

This appears to apply right across the GSM system.

There are some very good radio detection systems around, such as TEMS, Sagem etc, useful for part of the job of cell site analysis radio data acquisition. Each provides different ways to assess the radio system. An expert or examiner cannot get by though relying on devices alone. You need knowledge, skill and experience in order to comprehend the radio assessment and then how to apply it.

If you do come to our branch of forensic science, do make sure you understand the GSM system and not simply knowing how the device works. It does make for better quality of evidence and assist in a higher degree of certainty about the opinion that may be expressed regarding mobile telephone evidence.

Also, if you intend to enter 3G forensic investigation, you will find it much easier having a GSM background understanding and how it impacts; and of course having read the 3G standards.

The caveat in all of this, of course, is both systems (GSM & 3G) are constantly evolving. Even with all the years I have been working with GSM, what I have found is the more I know, the more I need to know. I find exactly the same with 3G.