Tuesday, May 28, 2013

GSM Measurement Report/Response

A response I made to a question raised at Forensic Focus included the remark relating to a measurement report "(MEAS_RES/MEAS_REP message)" http://www.forensicfocus.com/Forums/viewtopic/t=10600/

I referred to this measurement report as it provides useful information in real time. Knowledge of its existence and the content it holds is very useful for track and trace, lawful interception and historically looking back at the profiles a switched-ON mobile phone returned to the mobile network based upon its particular location at a particular time.

Measurement Reports are obtained by the network for the purposes of allocating radio resources. Radio Resource Management (RRM) has responsibility for communicating the necessary messages to the mobile phone. Because radio resources are limited, however, using a control channel requires shortform notation to send commands so that the receiver (the MS) can provide responses. To do this a vocabulary was created for GSM and used by the RRM, e.g. Skip Indicator/Protocol Discriminator = 06 (relevant to handover). The SI/PD message is predefined in a mobile phone's vocabulary (look-up table) so that it understands the messages sent to it. For MEAS_REP the shortform message sent is known as ID (Hex) 15 [binary 00010101, decimal 21]. The verbose message translated from the shortform ID (Hex) 15 command reads:

MS -> BTS: send MEASurement REPort.

This means MEAS_REP transfers the current measurement results of the MS to the BTS (uplink measurements). These measurements contain the signal levels of the serving cell and neighbouring cells. [It is important to remember there is a distinction to be made between a mobile phone that is switched ON (idle mode and camped on a cell), one that has already registered to the network (idle mode and ready for radio resources) and one that is actively involved with the radio network using resources. In idle mode a mobile phone in the registered state can update its position either by commands from the network, by moving to another radio area, or via the periodic update parameter found in the SIM card elementary file, e.g. EFHPLMN.]

In the case of an active connection, a MEAS_REP is sent to the BTS every 480 ms via the SACCH. The BTS forwards the MEAS_REP to the BSC, embedded in its own measurement results (MEAS_RES). [In the active state the MEAS_REP assists the network in controlling MS handovers and power output, and the MEAS_RES provides the building blocks for track and trace of an MS to a particular group of cells and for other surveillance tasks.]

With a single MEAS_REP sent every 480 ms whilst the MS is in dedicated mode, this is very fast timing, and the combined results from a number of reports/results can be used with other processes to locate an MS to within tens of metres of a particular location. WCDMA and LTE have similar capabilities/techniques. Where GPS coordinates are also included in the reports returned to the network, it is possible to improve location positioning.
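To make the shortform header described above concrete, here is an added Python example (not code from the original post): it checks the SI/PD octet (06) and the message type (hex 15) of a bare Layer 3 MEASUREMENT REPORT and unpacks the Measurement Results it carries. The 16-octet field layout is assumed from 3GPP TS 44.018, and the sample PDU is constructed for illustration, not the Abis capture referred to in the post.

```python
PD_RR = 0x06        # Skip Indicator / Protocol Discriminator octet for RR management
MT_MEAS_REP = 0x15  # message type 0x15 = binary 00010101 = decimal 21

# Field widths, in transmission bit order, of the 16-octet Measurement Results IE
# (layout assumed from 3GPP TS 44.018). Six neighbour-cell slots of RXLEV(6) +
# BCCH-FREQ(5) + BSIC(6) follow the serving-cell fields; the last 2 bits are spare.
SERVING_FIELDS = [("ba_used", 1), ("dtx_used", 1), ("rxlev_full", 6),
                  ("ba_3g_used", 1), ("meas_valid", 1), ("rxlev_sub", 6),
                  ("spare", 1), ("rxqual_full", 3), ("rxqual_sub", 3),
                  ("no_ncell_m", 3)]
NCELL_FIELDS = [("rxlev", 6), ("bcch_freq", 5), ("bsic", 6)]

def unpack_fields(data: bytes, widths) -> list:
    """Split data into big-endian bit fields (bit 8 of octet 1 is read first)."""
    bits, pos, out = "".join(f"{b:08b}" for b in data), 0, []
    for width in widths:
        out.append(int(bits[pos:pos + width], 2))
        pos += width
    return out

def rxlev_to_dbm(rxlev: int) -> int:
    """RXLEV 0 = below -110 dBm, then 1 dB per step up to 63 (-48 dBm or better)."""
    return -110 + rxlev

def parse_meas_rep(pdu: bytes) -> dict:
    """Check the two L3 header octets, then unpack the measurement results."""
    if len(pdu) != 18:
        raise ValueError("expected 2 header octets + 16 IE octets")
    if pdu[0] & 0x0F != PD_RR:        # low nibble is the protocol discriminator
        raise ValueError("not a Radio Resource management message")
    if pdu[1] & 0x3F != MT_MEAS_REP:  # bits 8-7 of the type octet are reserved
        raise ValueError("not a MEASUREMENT REPORT")
    widths = [w for _, w in SERVING_FIELDS] + [w for _, w in NCELL_FIELDS] * 6
    values = unpack_fields(pdu[2:], widths)
    rep = dict(zip((n for n, _ in SERVING_FIELDS), values))
    rep["serving_dbm"] = rxlev_to_dbm(rep["rxlev_full"])
    cells = [dict(zip((n for n, _ in NCELL_FIELDS), values[i:i + 3]))
             for i in range(10, 28, 3)]
    for cell in cells:
        cell["dbm"] = rxlev_to_dbm(cell["rxlev"])
    # NO-NCELL-M 0..6 is the number of neighbours reported; 7 = not available
    rep["ncells"] = cells[:rep["no_ncell_m"]] if rep["no_ncell_m"] <= 6 else []
    return rep

# Constructed sample PDU (not the Abis capture from the post): BA-USED=1, serving
# cell RXLEV-FULL=45 (-65 dBm) / RXLEV-SUB=44, RXQUAL 1/2, two neighbours reported:
# (RXLEV 38, BCCH-FREQ 3, BSIC 17) and (RXLEV 30, BCCH-FREQ 12, BSIC 42).
SAMPLE_PDU = bytes.fromhex("0615 AD2C14 A61A2F32A0 0000000000000000")
```

A real SACCH capture also carries the L1 header (MS power level, timing advance) and the LAPDm header in front of these two octets, which the example leaves out.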

Below is a MEAS_RES analysed in more detail, with a MEAS_REP included, that was captured using a protocol tester on the Abis interface (BTS/BSC) of a GSM900 PLMN. This example presents a useful opportunity to see a measurement report/response and equally provides a useful primer when looking further at subscriber track and trace and at establishing possible target movements for lawful surveillance and interception.

The above can assist those involved in GSM cell site analysis, enabling an investigator to define in more detail the type of content information sought from an operator, as always subject to the type of case being investigated. The above material is not definitively or precisely accurate, as each operator requires variation in content reports and uses varying methods to harvest data, so care is needed before wading in with a list of requirements.

Monday, May 27, 2013

The Eagles Soar

I am a Crystal Palace Football Club (CPFC) fan. The first football team I ever saw play was against West Ham United (the Hammers), and we won, back in 1968. Since then I've never supported another club, never been a journeyman fan. Palace inspired in me loyalty and through the good times or the bad times, the thick and the thin, like many of our fans, I've stuck by Crystal Palace.

Congratulations to The Eagles ( http://www.cpfc.co.uk/index.aspx ) winning the £120 million football match at Wembley and promotion to the English Premier Football League ( http://en.wikipedia.org/wiki/Premier_League ) after overcoming Watford Football Club - http://uk.soccerway.com/news/2013/May/27/english-championship-crystal-palace-1-watford-0/

Thanks for the photos to:


Monday, May 06, 2013

(U)SIM Examination (Physical) Pt2

Before we can progress to consider various methods of (U)SIM physical examination there are more standards we need to be aware of, and there are reasons for that. Transitioning from GSM to 3GPP (*wcdma) standards required rewriting existing GSM standards to make them technology neutral, so that GSM could be integrated into future mobile developments under 3GPP global standards. Technology-wise, we know that GSM is a defined circuit-switched voice mobile communications system that has evolved with value-added data services (GPRS, HSCSD and EDGE). 3GPP (wcdma), as we know, is a defined packet-switched technology, and thus it would be a pointless exercise to re-invent the wheel, so to speak, and introduce a new voice circuit-switched system given the matured installation base that already existed. That needs to be understood on many levels when dealing with mobile communications. Three examples of GSM and 3GPP working together:

(i) generally, we refer to Release 99 (R99) as the reference point whereby 3GPP could transition and re-write mobile communication technology standards, with birthing periods: GSM only before 3GPP Release 4 (Rel-4); GSM only (Rel-4 and later); 3GPP and beyond / GSM (R99 and later). This enabled manufacturers, developers, operators and service providers to continue with GSM standards in a pure GSM environment or evolve to a 3GPP environment, in the knowledge that access and inter-connectivity to GSM would continue;

(ii) introduction of 3GPP (*wcdma) would take time and thus should avoid, as best possible, disruption to existing mobile services;

(iii) the GSM user/subscriber base was still growing at that time and has now reached over 3 billion users, from which we can draw the conclusion that GSM's importance in its relationship with 3GPP should not be under-estimated. GSM is by no means the junior partner.

In the mobile examination environment we, as examiners, are exposed to a multitude and multiple layers of technical and technology standards, many of which impact on the (U)SIM, and particularly so if the technical and technology aspects generate a mobile communication outcome associated with a user/subscriber.

(*) wcdma is one of a family of mobile technology standards under 3GPP and has been used here for ease of reference.

The scope of the tests and the requirements set down in GSM 11.17 were reproduced under the approved and adopted standard 3GPP TS 51.017. In Pt1 ( usim-examination-physical-pt1.html ) reference was made to GSM 11.11; however, the approved and adopted standard (and the counterpart to GSM 11.11) is 3GPP TS 51.011:

PHY:    Physical characteristics - 3GPP TS 51.011 [1], clause 4.
ELEC:    Electronic signals and transmission protocols - 3GPP TS 51.011 [1], clause 5.
AFS:    Application and File structure - 3GPP TS 51.011 [1], clause 6.
SEC:    Security features - 3GPP TS 51.011 [1], clause 7.
CMD:    Description of the commands - 3GPP TS 51.011 [1], clause 9.
CEF:    Contents of the elementary files - 3GPP TS 51.011 [1], clause 10.
APP:    Application Protocol - 3GPP TS 51.011 [1], clause 11.

Whilst the GSM 11.17 standard is the starting point for ICC/SIM, and 3GPP TS 51.011 moved the technology to neutral ground to enable 3GPP to evolve 3G environment standards incorporating interconnectivity to and backward compatibility for ICC/UICC, the 3GPP evolution hasn't stopped there. There is, of course, 3GPP TS 31.120, the aim of which is to ensure interoperability between a UICC and a Terminal independently of the respective manufacturer, card issuer or operator. This is the expansion of the 3GPP domain going beyond the specific limitations incumbent on a particular proprietary technology.

The run of standards doesn't end there. Attention and consideration should be given to:

ETSI standards
TS 102 230
TS 102 221

International standards
ISO/IEC 7816-pt1 to pt4

The standards referred to above are merely a starting point to identify the complexities involved in dealing with (U)SIM cards and the tasks involved in considering examination techniques that may not simply relate to recovery of data but to other aspects and attributes of a card which may point to evidence. Readers should be prepared to delve into the standards above and realise the huge number that haven't been mentioned. There are various analogies that may be used to imagine what I have in mind for this physical series, but I quite like the analogy of forensic vehicle tyre analysis. Evidentially, consideration is given to tyre size, tread, pressure, rubber, moulding, any wheel balancing and so on to assess a skid mark or tracks at the scene of a crime. It is equally possible to use an investigative and examination approach to SIM/USIM card materials, contacts, gold content, embossing etc. to identify potential evidence.