Wednesday, October 29, 2014

Apple's New Nano-SIM Card

Should make examinations interesting. Apparently an open-ended SIM that can carry either a postpaid or a prepaid account, and switch between carriers, without the need to change SIMs. Either Apple intends to go for its own IMSI (thus becoming an operator) or the IMSI will need to be updated OTA...hmmmm

"If you are among the millions who will purchase one of the 4G versions of the new iPad Air 2 or iPad mini 3 tablets from Apple in the next few months, and you live in the US or UK, then when you switch the tablet on for the first time, you will find a nano-SIM card already installed in the SIM card slot."


"What Apple envisions with its SIM is that users will be able to quickly and easily switch between different carriers to take advantage of the best short-term deals available at any given time - without having to go through the hassle of getting a new SIM card.

"Obviously, if you have signed up to a two-year contract you won't be switching deals that often, but if you are on a pay-as-you-go deal, then this could be a real money-saver......."

Quotes from:

Thursday, October 09, 2014

Fast moving wireless world

I have been working on research, as the changing landscape for cell site analysis (CSA) requires comprehending the complex involvement of the various forms of wireless connectivity that create a universal point-of-presence for mobile users. Moreover, CSA is equally being impacted by the architecture defining the internet of things (IoT), which is driving growth in M2M wireless devices; naturally wireless forensics in this area will grow, too.

M2M was highlighted back in 2011

M2M Crime

Mobile Markets: Nokia 'Mobile Man' tells of a story


Reverse Engineering For Beginners

Steve Hailey* kindly sent out a reminder about Reverse Engineering for Beginners, noting that this is a guide with "Lots of great information that will be especially helpful for reverse engineering malware that you come across in your investigations......" It is "652 pages, all free. You do not need to give out your personal information or subscribe to anything..."

The original link to get the publication is no longer current. However, a copy can still be downloaded using the following link: 

*Steve is President/CEO of the CyberSecurity Institute, a practising consultant and digital forensic examiner, and also works as an educator, InfoSec author and lecturer.

Sunday, September 28, 2014

CSA - Site Survey Method/LTE SIBtype1

Before continuing with GSM/GERAN System Information Message Types, thanks for the enquiries regarding LTE and the requests for an example of a SystemInformationBlockType (SIB). It would appear there is a requirement to explore LTE and UMTS SIBs some more before moving on to GSM/GERAN. I will do my best to answer some of the enquiries.

For educational purposes only: following the MasterInformationBlock (MIB) having been decoded by the UE, a useful example of the content of SystemInformationBlockType1 was illustrated by Ralf Kreher and Karsten Gaenger (c) 2011, using a Tektronix K2Air trace as the example, when conducting an LTE investigation into signalling troubleshooting and optimisation.

|ID Name |Comment or Value |
systemInformationBlockType1 |
|Tektronix K2Air LTE PHY Data Message Header (K2AIR-PHY) PDSCH (= PDSCH Message) |
|1 PDSCH Message |
|1.1 Common Message Header |
|Protocol Version |0 |
|Transport Channel Type |DL-SCH |
|Physical Channel Type |PDSCH |
|System Frame Number |454 |
|Direction |Downlink |
|Radio Mode |FDD |
|Internal use |0 |
|Status |Original data |
|Reserved |0 |
|Physical Cell ID |0 |
|Subframe Number |5 |
|UE ID/RNTI Value |'ffff'H |
|1.2 PDSCH Header |
|CRC report |CRC ok |
|HARQ process number |0 |
|Reserved |0 |
|Transport Block Indicator |single TB info |
|Reserved |0 |
|1.2.1 Transport Block#1 Information |
|Transport Block#1 Size |144 |
|Modulation Order DL 1 |QPSK |
|New Data Indicator DL 1 |new data |
|Redundancy Version DL 1 |1 |
|Reserved |0 |
|Modulation Scheme Index DL 1 |5 |
|Reserved |0 |
|1.2.2 Transport Block Data |
|TB1 Mac-PDU Data |40 51 00 21 00 00 20 00 10 0c 14 01 10 21 00 68 22 b6 |
|Padding |'0068'H |
|1.3 Additional Call related Info |
|Number Of Logical Channel Informations |1 |
|1.3.1 Logical Channel Information |
|LCID |0 |
|RLC Mode |Transparent Mode |
|Radio Bearer ID |0 |
|Radio Bearer Type |Control Plane (Signalling) |
|Spare |0 |
|Spare |0 |
|Logical Channel Type |BCCH |
|Call ID |'fffffff5'H |
|3GPP LTE-RLC/MAC Rel.8 (MAC TS 36.321 V8.5.0, 2009-03, RLC TS 36.322 V8.5.0, 2009-03) (LTE-RLC/MAC) MAC-TM-PDU (DL) (= MAC PDU (Transparent Content Downlink)) |
|1 MAC PDU (Transparent Content Downlink) |
|MAC Transparent Data |40 51 00 21 00 00 20 00 10 0c 14 01 10 21 00 68 22 b6 |
|RRC (BCCH DL SCH) 3GPP TS 36.331 V8.5.0 (2009-03) (LTE-RRC_BCCH_DL_SCH) systemInformationBlockType1 (= systemInformationBlockType1) |
|bCCH-DL-SCH-Message |
|1 message |
|1.1 Standard |
|1.1.1 systemInformationBlockType1 |
| cellAccessRelatedInfo |
| plmn-IdentityList |
| pLMN-IdentityInfo |
| plmn-Identity |
| mcc |
| mCC-MNC-Digit |2 |
| mCC-MNC-Digit |9 |
| mCC-MNC-Digit |9 |
| mnc |
| mCC-MNC-Digit |0 |
| mCC-MNC-Digit |0 |
| cellReservedForOperatorUse |notReserved |
| trackingAreaCode |'0000'H |
| cellIdentity |'2000100'H |
| cellBarred |notBarred |
| intraFreqReselection |notAllowed |
| csg-Indication |false |
| cellSelectionInfo |
| q-RxLevMin |-65 |
| freqBandIndicator |1 |
| schedulingInfoList |
| schedulingInfo |
| si-Periodicity |rf16 |
| sib-MappingInfo |
| schedulingInfo |
| si-Periodicity |rf32 |
| sib-MappingInfo |
| sIB-Type |sibType3 |
| sIB-Type |sibType6 |
| schedulingInfo |
| si-Periodicity |rf32 |
| sib-MappingInfo |
| sIB-Type |sibType5 |
| si-WindowLength |ms20 |
| systemInfoValueTag |22 |
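
As an added example (not part of the original post, nor code from the K2Air trace or from Kreher and Gaenger), the following Python decodes the 18-byte MAC-TM PDU printed in the table above into the SIB1 fields using the Rel-8 UPER layout of BCCH-DL-SCH-Message from TS 36.331. It handles only what this FDD trace needs (no tdd-Config, no extended SIB-Type values) and reports how many of the 144 bits were consumed, which is the quickest check that the field layout is right. Run over the bytes above it reproduces the TAC, cell identity, q-RxLevMin, band, scheduling list, SI window and value tag exactly; the PLMN digits, however, decode to MCC 440 / MNC 10 rather than the 299 / 00 shown in the table, so when working from a published trace take PLMN identities from the raw bytes rather than the printed summary.

```python
"""
UPER decoder for the Rel-8 LTE SystemInformationBlockType1 shown in the table
above. Added example for this post, not code from the Tektronix K2Air trace or
from Kreher and Gaenger. It hard-codes only the field layout of
BCCH-DL-SCH-Message -> systemInformationBlockType1 from 3GPP TS 36.331 v8.x
(FDD, root SIB-Type values only), which is enough for the 18-byte MAC-TM PDU.
"""

# The 18 MAC-TM PDU bytes transcribed in the table (144 bits = Transport Block#1 Size).
SIB1_HEX = "40 51 00 21 00 00 20 00 10 0c 14 01 10 21 00 68 22 b6"

SI_PERIODICITY = ["rf8", "rf16", "rf32", "rf64", "rf128", "rf256", "rf512"]
SI_WINDOW_LENGTH = ["ms1", "ms2", "ms5", "ms10", "ms15", "ms20", "ms40"]
SIB_TYPE = ["sibType%d" % n for n in range(3, 12)] + ["spare%d" % n for n in range(7, 0, -1)]


class BitReader:
    """Big-endian bit cursor over a byte string (UPER fields are not byte aligned)."""

    def __init__(self, data):
        self.bits = "".join("{:08b}".format(b) for b in data)
        self.pos = 0

    def read(self, n):
        if self.pos + n > len(self.bits):
            raise ValueError("PDU truncated at bit %d" % self.pos)
        value = int(self.bits[self.pos:self.pos + n], 2) if n else 0
        self.pos += n
        return value

    def constrained_int(self, lo, hi):
        """UPER constrained whole number: ceil(log2(hi-lo+1)) bits, offset from lo."""
        return lo + self.read((hi - lo).bit_length())


def decode_sib1(pdu):
    r = BitReader(pdu)
    if r.read(1) != 0:                 # BCCH-DL-SCH-MessageType: c1 (0) / messageClassExtension (1)
        raise ValueError("messageClassExtension not handled")
    if r.read(1) != 1:                 # c1: systemInformation (0) / systemInformationBlockType1 (1)
        raise ValueError("PDU is a SystemInformation message, not SIB1")
    has_pmax, has_tdd, _has_ext = r.read(1), r.read(1), r.read(1)   # SIB1 OPTIONAL bitmap
    sib1 = {}

    # cellAccessRelatedInfo
    has_csg_identity = r.read(1)                                    # csg-Identity OPTIONAL
    plmns = []
    for _ in range(r.constrained_int(1, 6)):                        # PLMN-IdentityList SIZE (1..6)
        mcc = None
        if r.read(1):                                               # mcc OPTIONAL
            mcc = "".join(str(r.constrained_int(0, 9)) for _ in range(3))
        mnc = "".join(str(r.constrained_int(0, 9)) for _ in range(r.constrained_int(2, 3)))
        reserved = ["reserved", "notReserved"][r.read(1)]
        plmns.append({"mcc": mcc, "mnc": mnc, "cellReservedForOperatorUse": reserved})
    sib1["plmn-IdentityList"] = plmns
    sib1["trackingAreaCode"] = "%04X" % r.read(16)                  # BIT STRING (SIZE (16))
    sib1["cellIdentity"] = "%07X" % r.read(28)                      # BIT STRING (SIZE (28))
    sib1["cellBarred"] = ["barred", "notBarred"][r.read(1)]
    sib1["intraFreqReselection"] = ["allowed", "notAllowed"][r.read(1)]
    sib1["csg-Indication"] = bool(r.read(1))
    if has_csg_identity:
        sib1["csg-Identity"] = "%07X" % r.read(27)

    # cellSelectionInfo, p-Max, freqBandIndicator
    has_offset = r.read(1)                                          # q-RxLevMinOffset OPTIONAL
    sib1["q-RxLevMin"] = r.constrained_int(-70, -22)               # dBm
    if has_offset:
        sib1["q-RxLevMinOffset"] = r.constrained_int(1, 8)
    if has_pmax:
        sib1["p-Max"] = r.constrained_int(-30, 33)
    sib1["freqBandIndicator"] = r.constrained_int(1, 64)

    # schedulingInfoList: which SIBs follow SIB1 and how often (SIB2 is always in the first SI)
    scheduling = []
    for _ in range(r.constrained_int(1, 32)):
        periodicity = SI_PERIODICITY[r.read(3)]
        mapping = []
        for _ in range(r.constrained_int(0, 31)):
            if r.read(1):                                           # SIB-Type extension bit
                raise ValueError("extended SIB-Type values not handled")
            mapping.append(SIB_TYPE[r.read(4)])
        scheduling.append({"si-Periodicity": periodicity, "sib-MappingInfo": mapping})
    sib1["schedulingInfoList"] = scheduling
    if has_tdd:
        raise ValueError("tdd-Config not handled (trace is FDD)")
    sib1["si-WindowLength"] = SI_WINDOW_LENGTH[r.read(3)]
    sib1["systemInfoValueTag"] = r.constrained_int(0, 31)
    sib1["bitsConsumed"] = r.pos                                    # should equal the TB size in bits
    return sib1


def decode_sib1_hex(hex_string):
    return decode_sib1(bytes.fromhex(hex_string.replace(" ", "")))


if __name__ == "__main__":
    import json
    print(json.dumps(decode_sib1_hex(SIB1_HEX), indent=2))
```

The bitsConsumed value is the sanity check worth keeping in any such decoder: a wrong optional-bitmap width or enumeration size will either overrun the 144 bits or leave bits unexplained, and the scheduling list will come out as nonsense long before the final value tag is reached.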

This form of analysis provides an excellent grounding when conducting ICCSA. Why would that be so? Familiarisation with this educational content enables knowledge to be gleaned from the real-world SIBs detected by the UE at particular locations. Importantly, information that tells the UE about the various cells benefits an investigation. For instance, we know that once the UE has successfully received and decoded the MIB and SIB types 1 and 2 etc. during its travels, SIB type 9 may identify an available home eNodeB (HeNB) by its broadcast name. That latter information provides two useful pieces of information: (1) the identity of the radio source, and (2) a footprint that is location-specific to tens of metres, which refines the area where the UE would have dwelt (dwell time - slow moving UE).

It also refines the location for the investigation: even where SIB1 and SIB2 indicate a wider area, the UE's detection (via SIB type 9) of HeNB coverage demonstrates the prerequisite of proximity to that area. Now readers could ask how the person conducting the ICCSA would know about the HeNB in the first place if call/data records are not available. For those situations where immediacy matters, such as current surveillance of a bandit, the UE stores the relevant system information for the radio resources in an area for up to 3 hours, after which the old data are discarded. For a live UE acquisition this time frame could be useful. A UE switched off (e.g. at the target site area) retains that information, and it requires extraction and harvesting without invoking UE power-up and network detection and registration.

Tuesday, September 23, 2014

CSA - Site Survey Method/LTE-UMTS SIBs

There is a huge volume of materials and standards to be considered when undertaking study or work as an Inner City CSA (ICCSA) expert, technician or student. However, the materials and standards referred to at my weblog aim to control the flow of such voluminous information and instead provide an easy guide to seeking out the information that experts, technicians or students can be exposed to when involved with ICCSA.

A modern smartphone can be offered services by a range of mobile network access systems (GSM/GERAN, UTRAN, E-UTRAN etc.) when switched on, whether actively in use or in idle mode. Access system information for LTE and UMTS is mapped into System Information Blocks (SIBs). When conducting ICCSA test measurements it is useful to identify which broadcast SIBs contain data that help interpret the survey results. Knowing the content allocated to each SIB assists enormously in interpretation, and when considering the propositions highlighted in the previous discussion thread -

Below are the commonly referred-to LTE/UMTS SIBs. GSM and GERAN data are mapped to System Information Types, which will be given in the next discussion.

LTE System Information Blocks
SIB 1 contains the PLMN identity, tracking area code and cell identity (CI) of the broadcasting cell; Q-RxLevMin, the minimum RSRP threshold a cell must satisfy before initial cell selection and later for random access performed by the UE; and scheduling/SIB mapping information that tells the UE which other SIBs are transmitted and how they are scheduled.

SIB 2 contains timers and constants, access barring information, UL frequency information, and UL bandwidth information.

SIB 3 contains common parameters for the cell reselection procedure.

SIB 4 contains neighbour cell information for intra-frequency cell reselection.

SIB 5 contains information for inter-frequency cell reselection.

SIB 6 contains information for inter-RAT cell reselection to UTRAN.

SIB 7 contains information for inter-RAT cell reselection to GERAN.

SIB 8 contains information for inter-RAT cell reselection to CDMA2000.

SIB 9 is used to broadcast the home eNB name (HNB name).

SIB 10 and SIB 11 carry Earthquake and Tsunami Warning System (ETWS) primary and secondary notifications to subscribers (e.g. tsunami warnings).

SIB 12 carries Commercial Mobile Alert System (CMAS) notifications.

UMTS System Information Blocks
SIB 1 NAS system information, UE timers and counters for RRC idle and connected mode

SIB 2 URA identity

SIB 3 Parameters for cell selection and cell reselection

SIB 4 Parameters for cell selection and cell reselection in RRC connected mode

SIB 5 Parameters for configuration of the common physical channels of the actual cell

SIB 6 Parameters for configuration of the common and shared physical channels of the actual cell in RRC connected mode

SIB 7 Fast-changing parameters for uplink interference and dynamic persistence level

SIB 8 Static Common Packet Channel (CPCH) information of the actual cell [FDD only]

SIB 9 CPCH information of the actual cell [FDD only]

SIB 10 Information for UEs whose DCH is controlled by the Dynamic Resource Allocation Control (DRAC) procedure

SIB 11 Measurement control information of the actual cell

SIB 12 Measurement control information of the actual cell in RRC connected mode

SIB 13 ANSI-41 system information

SIB 13.1 ANSI-41 RAND information

SIB 13.2 ANSI-41 user zone identification

SIB 13.3 ANSI-41 private neighbour list

SIB 13.4 ANSI-41 global service redirection

SIB 14 UL outer loop power control information for common and dedicated physical channels in RRC idle and connected mode

SIB 15 Information for UE positioning methods

SIB 15.1 Information for the UE GPS positioning method with Differential Global Positioning System (DGPS) corrections

SIB 15.2 Information for the GPS navigation model

SIB 15.3 Information for the GPS almanac, ionospheric and UTC models

SIB 15.4 Ciphering information for SIB 15.5

SIB 15.5 Information for the OTDOA UE positioning method

SIB 16 Information on radio bearers, transport and physical channels for UEs in RRC idle or connected mode in case of handover to UTRA

SIB 17 Fast-changing parameters for the configuration of shared physical channels in RRC connected mode [FDD only]

SIB 18 PLMN identities of neighbour cells

Tuesday, August 19, 2014

CSA - Site Survey Method4/Cell Types

Cell types
GSM reports, as far back as 20 years ago, distinguished three kinds of cells as the number of GSM installations massively increased following its popularity as the preferred digital cellular network: large cells, small (mini) cells and micro cells. The main differences between these kinds of cells lay in the cell range, the antenna installation site, and the propagation model applying to each of them. Moreover, these cells could be overlaid one on top of another to provide coverage for varying traffic conditions, as illustrated in the previous discussion.

CSA has had to come to terms with cell layer tiering in a particular geographical area: what a finding of tiering, determined from radio test measurement results, means, and what the results might imply for a particular investigation. The previous discussion on Mobility Models highlighted a simple point: walk tests are important because they mimic the pedestrian's experience of obtaining mobile services. Whilst mobile networks are highly intelligent and use both memory-based and memoryless models in their propagation and mobility planning, CSA examiners, students and experts cannot apply those algorithms in the manual work of a site survey. It is therefore necessary to draw out the processes and procedures hidden within the intelligent network functionality so that they inform the knowledge, skills and experience we (CSA examiners, students and experts) bring to the performance of our work.

So we know "walk tests" are unavoidable (thus inescapable) and form part of the methodology we should apply, where relevant, during site surveys. Whilst this requirement is a basic, simple, binary-style approach to CSA, that is not to suggest mobile networks aren't sophisticated, convoluted, NASA-style complex systems, because they very much are. These grass-roots levels are important to CSA. For instance, a GSM mobile network uses the cell selection criterion C1 and the cell reselection criterion C2. The C2 components (cell reselect offset, temporary offset and penalty time) let the network favour a microcell for a slow moving mobile (e.g. a pedestrian/walk test) while steering fast moving mobiles away from it, which is what allows us to understand microcell coverage. Drive testing equally needs to be represented for the benefits it provides for CSA.
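
As an added example, not the blog author's or any vendor's code, the following Python writes out the C1 and C2 criteria from 3GPP TS 45.008 (formerly TS 05.08) and runs them over a constructed macrocell/microcell pair. The cell parameters, handset power and 150 m microcell footprint are assumptions chosen for illustration. It shows the speed discrimination referred to above: a microcell advertising a TEMPORARY_OFFSET with a PENALTY_TIME is never reselected by a mobile that crosses its footprint in a car, but is reselected by a pedestrian who dwells long enough for the penalty to lapse.

```python
"""
GSM C1 (cell selection) and C2 (cell reselection) criteria from 3GPP TS 45.008
(formerly TS 05.08), as an added example for this post. Not the blog author's
code; the macro/micro cell parameters below are constructed, not from any
real network.
"""


def c1(rla_c_dbm, rxlev_access_min_dbm, ms_txpwr_max_cch_dbm, ms_max_power_dbm):
    """C1 = A - max(B, 0), with A = RLA_C - RXLEV_ACCESS_MIN and
    B = MS_TXPWR_MAX_CCH - P, where P is the maximum RF output power of the MS."""
    a = rla_c_dbm - rxlev_access_min_dbm
    b = ms_txpwr_max_cch_dbm - ms_max_power_dbm
    return a - max(b, 0)


def c2(c1_db, cell_reselect_offset_db, temporary_offset_db, penalty_time_s, t_s, serving=False):
    """C2 = C1 + CELL_RESELECT_OFFSET - TEMPORARY_OFFSET * H(PENALTY_TIME - T)  (PENALTY_TIME != 11111)
       C2 = C1 - CELL_RESELECT_OFFSET                                            (PENALTY_TIME == 11111)
    H(x) is 1 for x >= 0 and 0 otherwise for non-serving cells, and 0 for the serving
    cell. T is the time in seconds since the cell entered the MS's list of strongest
    carriers. penalty_time_s=None stands for the reserved 11111 coding."""
    if penalty_time_s is None:
        return c1_db - cell_reselect_offset_db
    h = 0 if serving else (1 if penalty_time_s - t_s >= 0 else 0)
    return c1_db + cell_reselect_offset_db - temporary_offset_db * h


def first_reselection_time(serving_c2_db, cand_c1_db, cro_db, to_db, penalty_s, dwell_s):
    """Earliest whole second T <= dwell_s at which the candidate's C2 exceeds the
    serving cell's C2, or None if the MS leaves the footprint first. (TS 45.008 also
    requires the condition to hold for 5 s and applies CELL_RESELECT_HYSTERESIS across
    location areas; both are omitted to keep the comparison bare.)"""
    for t_s in range(int(dwell_s) + 1):
        if c2(cand_c1_db, cro_db, to_db, penalty_s, t_s) > serving_c2_db:
            return t_s
    return None


# Constructed scenario (assumption): umbrella macrocell serving, overlaid microcell as candidate.
MS_POWER_DBM = 33                       # class 4 handset, 2 W
MACRO = dict(rla_c_dbm=-80, rxlev_access_min_dbm=-104, ms_txpwr_max_cch_dbm=33)
MICRO = dict(rla_c_dbm=-70, rxlev_access_min_dbm=-104, ms_txpwr_max_cch_dbm=33)
MICRO_CRO_DB, MICRO_TO_DB, MICRO_PENALTY_S = 10, 40, 40   # CELL_RESELECT_OFFSET, TEMPORARY_OFFSET, PENALTY_TIME
MICRO_FOOTPRINT_M = 150.0               # assumed street-level footprint


def dwell_seconds(speed_mps, footprint_m=MICRO_FOOTPRINT_M):
    """Time a mobile moving at speed_mps spends crossing the microcell footprint."""
    return footprint_m / speed_mps


def scenario():
    """Reselection time (seconds, or None) for a car at 50 km/h and a 1.2 m/s pedestrian."""
    macro_c1 = c1(ms_max_power_dbm=MS_POWER_DBM, **MACRO)
    macro_c2 = c2(macro_c1, 0, 0, 0, 0, serving=True)        # serving cell: H = 0, no offsets
    micro_c1 = c1(ms_max_power_dbm=MS_POWER_DBM, **MICRO)
    car = first_reselection_time(macro_c2, micro_c1, MICRO_CRO_DB, MICRO_TO_DB,
                                 MICRO_PENALTY_S, dwell_seconds(50 / 3.6))
    walker = first_reselection_time(macro_c2, micro_c1, MICRO_CRO_DB, MICRO_TO_DB,
                                    MICRO_PENALTY_S, dwell_seconds(1.2))
    return {"macro_c2": macro_c2, "micro_c1": micro_c1, "car": car, "pedestrian": walker}


if __name__ == "__main__":
    print(scenario())
```

Read the result the way a CSA examiner would read a call record: the microcell is 10 dB stronger than the macrocell at the MS, yet the car never camps on it because the 40 dB TEMPORARY_OFFSET is still applied when it leaves the footprint 11 s later, while the pedestrian reselects it at T = 41 s. A microcell ID in the records is therefore a dwell-time statement, not just a signal-strength one.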


Above, three tiers of cell coverage have been illustrated. Microcells are distinguished as a cell type because predominantly this type of cell in GSM (or CDMA for that matter) is represented as localised coverage of a small area; pedestrian usage is seen as relevant to it. Vehicular mobile usage, by contrast, is largely predicted within the network as "fast moving". Let us take the case of the getaway car speeding away from the scene of a crime. Would it not seem strange to find the target's mobile phone call records identifying a number of microcell IDs, designed to cope with the long dwell time associated with slow mobile movement (e.g. 5~10 mph), rather than macrocell umbrella coverage designed to handle higher speeds (e.g. 30~70 mph)? Why would the getaway car be driving so slowly after a crime, unless the *bogey wanted to be caught red-handed; and why commit the crime in the first place just to be arrested? On first blush the call record evidence wouldn't make sense.

*The term bogey has been adopted from the military theatre-of-war identification procedure, representing an unidentified (unknown criminal) target, whereas a bandit is an identified (known criminal) target. In criminal investigations the latter can also suggest surveillance in progress on the target's activities.

But drive testing can throw up unexpected issues. CSA demands keeping an open mind and, as previously mentioned at my blogs, the CSA examiner, student and expert should "not only be environmentally aware, but equally be environmentally astute." A case I dealt with in the North of England concerned a series of smash-n-grabs at wholesale and retail outlets. From my radio tests I suggested the radio evidence did not follow the getaway route the police required that I test. CSA involves noticing factors that could impede or record a particular route. In this case a speed camera that was in lock-n-load (active) to capture speeding vehicles was located at an early stage on the suggested getaway route. When I asked whether the speed camera had recorded a speeding violation, the response came back "no", yet the assertion by the police was that the getaway vehicle was speeding. However, the radio test measurement survey along the complete route did not entirely match the cell IDs in the call records either, as some of the cell IDs were for slower mobile traffic and cells covering a middle layer coverage area, and the use of these cells suggested the mobile's dwell time was not spent travelling outside a certain geographical area. Eventually, a more senior detective suggested a route that veered away from the first getaway route. My attention was drawn to an area in between local buildings, a mud track leading to a field and a nearby cemetery and housing estate. In fact the bogeys turned out to be previously known bandits, and the entire operation of the smash-n-grabs was orchestrated from a house on the estate, sited perfectly for comings and goings for the many crimes but quite hard to detect. CSA played an effective part in supporting other evidence and intel.

However, umbrella macrocell coverage in a geographical location can be used to support high speed getaways, e.g. where CCTV has recorded or an eyewitness has seen the getaway vehicle speeding through a dense urban area. Given the speed of the vehicle the network would be detecting the mobile's short dwell time in that area. The absence of any use of the overlaid microcells providing limited area coverage is a suggestion of fast moving traffic, and the use of a macrocell would not be out of place in supporting the notion of a fast moving mobile. This can be stated in relation to the density of unused microcells and their cell boundaries compared to macrocell boundaries and, of course, any location updates, time, velocity etc.

Since 2010 cell types have rapidly moved on, with a split between voice/data and data-only cells transforming the way CSA is, and will be, conducted. For instance, there are increases in carriers (2G frequency allocations migrating, by re-use, to 3G frequency allocations). Moreover, with LTE linking with WiFi/WLAN etc. there are enormous advantages and disadvantages that have crept into CSA site survey methodology.

The impact of these changes requires improved comprehension of the various cells, and as higher frequencies are used or brought into use, cell coverage gets smaller. This fact is a benefit because the approximated location of the mobile is improved, significantly so where smaller cells are relevant. It may not be GPS accuracy but there seems no reason why it could not meet justification under e.g. a Daubert test. Furthermore, it doesn't mean CSA should jettison early styles of CSA site survey method, which will remain relevant for some years to come. But CSA will become even more localised, creating a specialism in Inner City CSA (ICCSA) compared with rural CSA. A beneficiary of ICCSA knowledge will be the neuromancer cybercrime arena, utilising our forensic and investigative skills to comprehend the technicality behind a suspected crime defined by the outcome of particular usage of technology.

Site survey methods do not have to be overly complicated: merely identify the radio technology at given points and, by using a structured appraisal distinguishing each wireless carrier available at particular geographical locations, show the relevance to an investigation or crime scene.

So what are the potentially inter-connected cell types that fall within the scope of CSA in large cell and small cell environments?

WIMAX cells
WLAN cells
WiFi cells

And in support of that environment one should not under-estimate the importance of device capability, from providing services to accessing services. This means not simply the network but the radio access network (BTS/(e)NodeB/H(e)NB etc.) through to the enhanced (U)SIM and handset terminal. That requires knowing which 3GPP Release (R) is relevant to the investigation:

R99    (Release 1999)
Rel-4    (Release 4)
Rel-5    (Release 5)
Rel-6    (Release 6)
Rel-7    (Release 7)
Rel-8    (Release 8)
Rel-9    (Release 9)
Rel-10    (Release 10)
Rel-11    (Release 11)
Rel-12    (Release 12)

Sunday, July 27, 2014

CSA - Site Survey Method3/Mobility Models

Albert Einstein's work has influenced, and still influences even today, the mobility in cellular networks that we take for granted when applying cell site analysis. Mobile telecommunications is very lucky that it has a fantastic collection of grand luminaries from the world of science and mathematics whose influential work underpins mobile communications. To understand Einstein's influence it is useful firstly to understand the mobile radio background, which CSA examiners, technicians and students can use to improve the art of performing cell site analysis. It does, though, require keeping a mindset active at all times, and that mindset is that CSA needs to keep focused on how the mobile network is arranged to react to how the mobile phone is being used whilst moving around.
The goal of a mobile network is to keep the mobile phone in touch with the network to maximise the network's chances of providing services (e.g. revenue generation) to the subscriber customer. The network will do its very best to keep coverage available when coping with outages, as it will when radio coverage degrades, until it can no longer sustain a revenue service to the mobile phone.

Importantly, the goal for available service intensifies the denser the urban area in which the mobile phone is to be found. Having to propagate coverage into a hostile environment requires operators to strive to meet that goal by saturating a particular geographical landscape with more mobile network infrastructure base stations and nodes. 

The monitoring of the switched ON mobile phone that is in use is to ensure a base station/node is available, but that doesn’t just stop there though. Humans move around either as pedestrians on the pavement (sidewalk) or using some form of transportation. Therefore, the movement and the time (called dwell time) that a mobile phone remains in an area will have an influence upon the layer/s of mobile coverage that may be allocated for a particular call. You may remember the image below from a previous cell coverage discussion at my blog:

The above image is a useful guide to CSA examiners, technicians and students as it illustrates how a mobile network operator looks at designing coverage. The guidance it offers is that merely conducting drive tests during site surveys is an entirely insufficient CSA method, as a human walking does not move at the speed of a human using transport. Whilst walking, a person can stop and start depending upon intention or circumstances at the time. However, unless the transport is stuck in a traffic jam, we generally comprehend the transport to be moving more quickly on the road than the human on the pavement or crossing the road.

There have been a huge range of studies that have generated mobility models for incorporation into propagation models. These mobility models are based upon complex study, testing and/or mathematical data endeavouring to predict (mimic) a moving target, from which conclusions are generated and later turned into simulation software. The simulation can then be added into programs for designing coverage (cell planning) for particular geographical locations.

The image above is by Professor Sami Tabbane from his book detailing Planning Stages Of A Cellular Network: Radio Planning - propagation prediction tools.

Cell planning software tools amalgamate a wide range of models (or iterations of them), so the CSA examiner, technician and student may be blind to the combinations of mobility models incorporated into a program. Identifying mobility models provides needed knowledge, skill and experience; to ignore them might mean that a CSA examiner's, technician's or student's conclusions about results obtained during or following a site survey are flawed. Below is a selection of mobility models that are well known:

- Brownian Mobility Model
- Random Waypoint Mobility Model
- Random Walk Mobility Model (including its many derivatives)
- Random Direction Mobility Model
- Random Gauss-Markov Model
- Gauss-Markov Mobility Model
- Markovian Mobility Model
- Incremental Mobility Model
- Mobility vector model
- Reference Point Group Model (RPGM)
- Reference Point Group Mobility Model
- Pursue Mobility Model
- Nomadic Community Mobility Model
- Column Mobility Model
- Fluid Flow Model/Morales Mobility Model
- Exponential Correlated Random Model
- Exponential Correlated Random Mobility Model
- Map Based Model
- Manhattan Mobility Model
- Rush Hour (Human) Traffic Model
- Mission Critical Mobility Model
- Obstacle Mobility Model
- Smooth Random Mobility Model
- Post Disaster Mobility Model
- A Probabilistic Version of the Random Walk Mobility Model
- City Section Mobility Model

Albert Einstein

Einstein first described "The Random Walk Mobility Model" mathematically in 1926 [], and it was later adopted and used for mobile telecommunications mobility. The Random Walk Mobility Model, elements of which are widely used to create simulations, is sometimes also referred to as "Brownian Motion".

The mathematical proposition states that since many entities in nature move in extremely unpredictable ways, the Random Walk Mobility Model was developed to mimic this erratic movement. In this mobility model a mobile node (MN), a common expression used for the human (target) movement, moves from its current location to a new location by randomly choosing a direction and speed in which to travel. The new speed and direction are both chosen from pre-defined ranges, [speedmin; speedmax] and [0; 2π] respectively. Each movement in the Random Walk Mobility Model occurs in either a constant time interval t or a constant distance travelled d, at the end of which a new direction and speed are calculated. If an MN which moves according to this model reaches a simulation boundary, it "bounces" off the simulation border with an angle determined by the incoming direction. The MN then continues along this new path.

In A Survey of Mobility Models for Ad Hoc Network Research the authors Camp, Boleng and Davies comment that many derivatives of the Random Walk Mobility Model have been developed including the 1-D, 2-D, 3-D, and d-D walks. In 1921, Polya proved that a random walk on a one or two-dimensional surface returns to the origin with complete certainty, i.e., a probability of 1.0. This characteristic ensures that the random walk represents a mobility model that tests the movements of entities around their starting points, without worry of the entities wandering away never to return. The 2-D Random Walk Mobility Model is of special interest, since the Earth’s surface is modelled using a 2-D representation.

So how might a CSA examiner, technician or student apply Einstein's Random Walk Mobility Model? One key element to remember is that this model is a memoryless mobility pattern because it retains no knowledge concerning its past locations and speed values. The current speed and direction of an MN is independent of its past speed and direction. This characteristic can generate unrealistic movements such as sudden stops and sharp turns, which if undesired for simulation purposes can be addressed using e.g. the Gauss-Markov Mobility Model. Because the random movements are memoryless, it is the investigation into the mobile phone usage that requires analysis.
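
As an added example, not code from Camp, Boleng and Davies or from the original post, here is the Random Walk Mobility Model as described above in Python: direction uniform in [0, 2π), speed uniform in [speedmin, speedmax], a constant time interval t per step, and reflection off the simulation border. The three microcell footprints and the pedestrian speeds are constructed for illustration; the dwell_sequence helper turns the memoryless walk into the kind of cell/dwell-time sequence a call record reveals, which is what the CSA examiner actually has to reason about.

```python
"""
Random Walk Mobility Model (Camp, Boleng and Davies' formulation) as an added
example for this post. Not the paper's or the blog author's code. The three
microcells on a 400 m x 400 m block are a constructed layout used to show how
a memoryless walk becomes a cell/dwell-time sequence.
"""
import math
import random


def reflect(value, lo, hi):
    """Mirror a coordinate back inside [lo, hi]; repeats if a step crosses more than once."""
    while value < lo or value > hi:
        value = 2 * lo - value if value < lo else 2 * hi - value
    return value


def random_walk(steps, speed_min, speed_max, t, bounds, seed=0):
    """Return steps+1 positions (x, y) in metres, starting at the centre of bounds.

    Memoryless: each (speed, direction) pair is drawn afresh, independent of the last.
    """
    rng = random.Random(seed)          # seeded so a survey scenario can be reproduced
    (x_lo, y_lo), (x_hi, y_hi) = bounds
    x, y = (x_lo + x_hi) / 2.0, (y_lo + y_hi) / 2.0
    path = [(x, y)]
    for _ in range(steps):
        theta = rng.uniform(0.0, 2.0 * math.pi)
        speed = rng.uniform(speed_min, speed_max)
        x = reflect(x + speed * t * math.cos(theta), x_lo, x_hi)   # "bounce" off the border
        y = reflect(y + speed * t * math.sin(theta), y_lo, y_hi)
        path.append((x, y))
    return path


def max_step_length(path):
    """Largest displacement between consecutive positions (bounded by speed_max * t)."""
    return max(math.hypot(b[0] - a[0], b[1] - a[1]) for a, b in zip(path, path[1:]))


def serving_cell(point, microcells):
    """Name of the nearest microcell whose radius covers the point, else None."""
    best = None
    for name, (cx, cy, radius) in microcells.items():
        d = math.hypot(point[0] - cx, point[1] - cy)
        if d <= radius and (best is None or d < best[1]):
            best = (name, d)
    return best[0] if best else None


def dwell_sequence(path, microcells, t):
    """Collapse per-step serving cells into (cell, dwell_seconds) runs; points outside
    every microcell footprint are attributed to the umbrella 'macro' layer."""
    runs = []
    for point in path:
        cell = serving_cell(point, microcells) or "macro"
        if runs and runs[-1][0] == cell:
            runs[-1][1] += t
        else:
            runs.append([cell, t])
    return [(cell, dwell) for cell, dwell in runs]


# Constructed scenario (assumption): a high-street block with three below-rooftop microcells.
MICROCELLS = {"uBTS1": (100.0, 200.0, 90.0), "uBTS2": (200.0, 200.0, 90.0), "uBTS3": (200.0, 320.0, 90.0)}
PEDESTRIAN = dict(speed_min=0.5, speed_max=1.5, t=10.0)       # m/s and seconds per clock tick

if __name__ == "__main__":
    walk = random_walk(120, bounds=((0.0, 0.0), (400.0, 400.0)), seed=7, **PEDESTRIAN)
    for cell, dwell in dwell_sequence(walk, MICROCELLS, PEDESTRIAN["t"]):
        print("%-6s %5.0f s" % (cell, dwell))
```

Shorten t to one clock tick and the walk stays within a small patch of the area, exactly the "random roaming restricted to a small portion" behaviour the model is known for; lengthen the pedestrian's dwell and the same footprint produces long single-cell runs. Either way the sequence is all the investigator gets, which is why the usage behind it has to be analysed rather than the walk itself.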

Points to consider for that analysis can be those that I raised to the 2005 consultation by the Legal Services Commission regarding the Use of Experts in Public Funded Cases: 

In any assessment of the evidence the Defence expert at first instance seeks to correlate all the evidence to identify consistency or discrepancy regarding the data from the devices compared to the data obtained from mobile network operators and/or third parties; to assess that against the opinion of the Prosecution expert and/or the findings of the examiner at first instance; to then check the information against the Defence case; to eliminate the points agreed and to deal with those aspects concerning usage and the services obtained against the radio network in the geographical locations where the mobile telephone is alleged to have been. For instance, information not seen or ignored could result in an inaccurate opinion. By way of illustration, a Defendant is alleged to have been at a certain location where a murder occurred and the cell site identity of the mast used to make/receive mobile calls is presented as a justification for the Defendant being at the location. Experience teaches one not to accept that as absolute, but to consider the radio coverage and how the Defendant might use their mobile phone in daily life. The key is 'daily life', referring to regular or irregular movements of the human being in a locale and the purposes of him/her being there. An experienced Defence expert should be looking for evidence that may assist as to where the Defendant may have been, so as to assess that evidence against the allegation. That can require knowing, for instance, whether the Defendant visited a burger bar outlet or café, whether the Defendant used a cash machine, purchased petrol or used their Nectar card, and so on. Knowing the aforementioned information, it is then required to conduct a site visit and conduct radio test measurements at those locations identified by the Prosecution and Defence where these types of events took place.
A Prosecution expert is unlikely to know aspects of the Defence case as the Defendant's Proof of Evidence comes after the case material has been served and the Defence's consideration of it. Proof of Evidence is never served on the Prosecution expert, or on the examiner for that matter.

Another key element to be reminded of for the site survey is that if the specified time (or specified distance) an MN moves in the Random Walk Mobility Model is short, then the movement pattern is a random roaming pattern restricted to a small portion of the simulation area. Some simulation studies using this mobility model set the specified time to one clock tick or the specified distance to one step. This can require taking account of e.g. location; time of day/night; call duration [sCall; eCall]; base stations/nodes used, and so on.
Using the cell coverage layers image at the beginning of the discussion we can describe a dense urban area (e.g. a high street) where the target (mobile phone user) is a pedestrian on the pavement/sidewalk. In the vicinity, at below roof level, are three microcells (uBTS) providing lower layer coverage.

All things being equal, the MS moving in a uniform linear direction may hand over a call from BTS1 to BTS2. Bearing in mind we are discussing the Random Walk Mobility Model, the target whilst walking changes direction (turns left), which brings the MS into an area covered by BTS3. It may be that along the road covered by BTS3 there is a shop window the target stops to look in whilst chatting on the phone, or the target decides to use an ATM cash machine next to the shop to withdraw cash. The call records show BTS1 and BTS2 are used for the shop window browsing but BTS1 and BTS3 have been used for the ATM cash machine usage. Why might this occur?
Microcell coverage has parameters included to detect the speed of the MS, i.e. the dwell time of the MS in an area. The key is that slow MS movement in an area is handled differently by the network from fast MS movement. In this regard the network may apply techniques for speed discrimination between lower layer and upper layer cells, because the MS speed is inferred from the signals the network receives from it. Microcell coverage has problems with street corners and can create a fast ping-pong effect of handovers between microcells; hence why I have often stated, previously to this discussion, that microcells don't go around corners.

A coping mechanism in the network is to use an emergency handover (HO) to an upper layer of coverage that is better suited to handling the traffic signalling for a period of time while the best handover candidate for the rest of the MS call is decided.

The use of BTS1 and BTS2 for the shop window scenario could be a consequence of the shop being on the corner of the road and the period of target static time being short, one to three steps (clock ticks), whereas the BTS1 to BTS3 dwell time for the ATM cash machine scenario was much longer and required handover via an upper layer cell down to BTS3 to remove/reduce the chances of fast ping-pong on the street corner and a subsequent call drop.
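As an added illustration (Python written for this page, not the author's own code), the following toy models the three-microcell corner scenario: the nearest microcell stands in for the strongest signal, a ping-pong guard parks the call on an upper-layer (umbrella) cell, and two constructed walks (a short glance at the shop window versus a longer stand at the ATM) produce the two different call records described above. The street layout, the thresholds and the walks are assumptions.

```python
import math
import random
# Constructed layout (an assumption, not from the page): BTS1 and BTS2 serve an
# east-west street (y = 0), BTS3 a side street (x = 0); the corner is the origin.
MICROCELLS = {"BTS1": (-50.0, 0.0), "BTS2": (50.0, 0.0), "BTS3": (0.0, 50.0)}
UMBRELLA = "UMBRELLA"  # upper-layer cell used for the emergency handover

def random_walk(start, ticks, step, rng=None):
    """Random Walk Mobility Model: a fresh random heading every clock tick."""
    rng = rng or random.Random(0)
    x, y = start
    path = [(x, y)]
    for _ in range(ticks):
        heading = rng.uniform(0.0, 2.0 * math.pi)
        x, y = x + step * math.cos(heading), y + step * math.sin(heading)
        path.append((x, y))
    return path

def best_microcell(pos):
    """Nearest microcell stands in for the strongest received signal."""
    return min(MICROCELLS, key=lambda cell: math.dist(pos, MICROCELLS[cell]))

def serve_call(path, window=4, max_changes=1, umbrella_ticks=4):
    """Serving cell per tick with a street-corner ping-pong guard: more than
    max_changes changes of best microcell within the last `window` ticks parks
    the call on the umbrella cell for umbrella_ticks ticks, then hands it down
    to the microcell that was best most often meanwhile (assumed HO policy)."""
    served, recent, parked = [], [], []
    for pos in path:
        best = best_microcell(pos)
        if parked:                                # currently on the upper layer
            parked.append(best)
            if len(parked) <= umbrella_ticks:
                served.append(UMBRELLA)
                continue
            best = max(parked, key=parked.count)  # handover back down
            recent, parked = [], []
        recent = (recent + [best])[-window:]
        changes = sum(a != b for a, b in zip(recent, recent[1:]))
        if changes > max_changes:
            parked = [best]
            served.append(UMBRELLA)
        else:
            served.append(best)
    return served

def call_record(path):
    """Distinct cells in the order a call record would list them."""
    return list(dict.fromkeys(serve_call(path)))
# Constructed walks: along the BTS1 street to the corner, then a short glance
# at the shop window or a longer stand at the ATM with small shuffles.
APPROACH = [(float(x), 0.0) for x in range(-60, 1, 10)]
SHOP_WINDOW = APPROACH + [(8.0, 0.0), (6.0, 2.0), (9.0, -1.0)]
ATM = APPROACH + [(-4.0, 2.0), (-1.0, 4.0), (-3.0, -2.0), (-2.0, 5.0),
                  (-5.0, 1.0), (1.0, 6.0), (-1.0, 7.0), (2.0, 8.0)]
```

The shop window walk yields the record BTS1, BTS2 with no upper-layer involvement, while the ATM walk triggers the guard and comes back down onto BTS3.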

Whilst the above discussion used Einstein's Random Walk Mobility Model, there are other Mobility Models that have been highlighted, and each can be used to good effect to broaden the knowledge, skills and experience of CSA examiners, technicians and students.

Tuesday, July 22, 2014

LTE-WiFi Aggregation

LTE-U workshop: LAA (Licensed Assisted Access) - Use cases and scenarios


LTE workshop: LAA (Licensed Assisted Access)

Saturday, July 19, 2014

International Telecommunications Union and CSA

International Telecommunications Union and CSA

Were the standards to be made binding, that could have political implications/ramifications regarding national sovereignty etc. However, standards adopted by the ITU are called "recommendations". The recommendations carry voluntary adoption by member states. A recommendation can though become directly or indirectly binding if it is incorporated into a member state's legislation, where the legislation refers to a particular ITU recommendation. That would be a direct binding agreement. An indirect binding agreement could be where European legislation does not mention the ITU recommendation per se but refers to CEPT or ETSI standards that are in turn derived from ITU recommendations. Were there to be an inextricable link requiring identical wording for the CEPT/ETSI standard and the ITU recommendation, then that may amount to an indirect binding agreement with, or to, the ITU recommendation.

CSA - Site Survey Method 2/ITU -

As this discussion relates to CSA and the recommendations identified here ( ), the detail below highlights the radio subject matter from the ITU-R division.

CSA - Site Survey Method 2/ITU

The International Telecommunications Union (ITU) combines a standards-making capability with regulatory functions specific to mobile telecommunications. The ITU therefore goes beyond standards making, which may not create obligations, in contrast with issuing regulatory measures that clearly do create regulation for its members who are signatories to the Convention.

Three important functions of the ITU are:

1) Regulation and Recommendations

Where there is an international aspect involved, the ITU has the responsibility to manage the radio-frequency spectrum. The ITU allocates frequency bands to certain applications that make use of the RF bands (see list below), e.g. radio/television broadcast; microwave links; radio astronomy; mobile telephony. The technical means and the physical nature of the frequency bands form the basis of the allocations. That is to say, where a frequency band can be used without interfering with prescribed wide-ranging criteria, and the technical means exists or can be developed that enables the physical radio medium to be manipulated for use. Member states are bound to this allocation prepared by the ITU, but assigning the frequencies to users is within the power and autonomy of each member state. ITU decisions are, in principle, binding on its members. The relevance of that statement is that the ITU's origins lie in facilitating and enabling subsequent amendments of the agreements made at the International Telegraphy Convention of 1865. The principle of being bound only comes into effect when member states ( ) ratify the text of an evolving Convention. Changes to any text in the Convention thereafter also need to be ratified. A member state ( compare with ) failing to ratify new text is not bound by it, thus watering down the effects of any binding powers over national sovereignty.

Essentially, whilst understanding that the ITU can make decisions when it comes to band allocations, we know that the ITU does not hold regulatory functions when it comes to standards. When dealing with international bodies like the ITU, the term standard, as we commonly understand it, is more profound at the ITU's level. This is because international technical issues are being addressed. Were the standards to be made binding, that could have political implications/ramifications regarding national sovereignty etc. However, standards adopted by the ITU are called "recommendations". The recommendations carry voluntary adoption by member states. A recommendation can though become directly or indirectly binding if it is incorporated into a member state's legislation, where the legislation refers to a particular ITU recommendation. That would be a direct binding agreement. An indirect binding agreement could be where European legislation does not mention the ITU recommendation per se but refers to CEPT or ETSI standards that are in turn derived from ITU recommendations. Were there to be an inextricable link requiring identical wording for the CEPT/ETSI standard and the ITU recommendation, then that may amount to an indirect binding agreement with, or to, the ITU recommendation. It may be accepted that *CEPT/ETSI might be in the driving seat, but isn't this nothing more than that old adage 'What is in a name? That which we call a rose by any other name would smell as sweet...(Romeo and Juliet)?'

* At an appropriate juncture in another discussion CEPT/ETSI will also be discussed.

2) Recommendations as Standards

The ITU draws up standards (recommendations) and provides them to the telecommunications community; they are relevant for telecommunications between countries. There are numerous diverse tasks requiring standards under the umbrella and responsibility of the ITU that are prepared and developed by numerous advisory groups, which are split into divisions.

As this discussion relates to CSA and the recommendations identified here ( ), the detail below highlights the radio subject matter from the ITU-R division.


Individual Recommendations for allocated bands
BO - Satellite delivery
BR - Recording for production, archival and play-out; film for television
BS - Broadcasting service (sound)
BT - Broadcasting service (television)
F - Fixed service
M - Mobile, radiodetermination, amateur and related satellite services
P - Radiowave propagation
RA - Radio astronomy
RS - Remote sensing systems
S - Fixed-satellite service
SA - Space applications and meteorology
SF - Frequency sharing and coordination between fixed-satellite and fixed service systems
SM - Spectrum management
SNG - Satellite news gathering
TF - Time signals and frequency standards emissions
V - Vocabulary and related subjects



Whether or not a member state has signed up to using the standards (recommendations), it is inescapable that the technical information in the standards provides useful advice to countries and industry concerning interconnection, access, terminal device standards, reference standards etc. Certainly in the areas of GSM, TDMA, CDMA, WCDMA/UMTS-UTRA etc., many of the standards specific to these technologies constantly refer to ITU recommendations, further underpinning how useful ITU recommendations are as references and guidance for cell site analysis.

3) Forums and Facilitators

Agreements between members require a common understanding as to the reliability of the international services available; thus technical services and commercial agreements need to be acceptable to both parties. The ITU offers forums that help facilitate international agreements.

Final thoughts

The intention of this mini-overview of ITU recommendations was to demonstrate the value they offer: they carry weight because of the requirement for reliability, which assists commonality, and they provide useful guidance to member states for that purpose. When dealing with CSA we are usually not involved at the member state level but at the level of the operational performance of radio communications and services locally, for which ITU recommendations can and do provide useful reference material for reports, and useful knowledge, skill and experience when conducting surveys in the field.

Sunday, July 13, 2014

CSA, propagation and keeping norms

CSA, propagation and keeping norms is an in-for-the-long-haul series of discussions about CSA (cell site analysis), highlighting all the wider area topics of CSA that seldom get discussed. The first three discussions can be found here:

CSA - Site Survey Method -

CSA - Site Survey Method 1 -

CSA - Site Survey Method 2 -

CSA - Site Survey Method 2

The purpose of these CSA - Site Survey Method discussions is to invite examiners, technicians and students to consider the wider area analysis involved in cell site analysis (CSA) beyond simply conducting radio test measurements at a site and producing test results from particular masts.

The wider area analysis enables examiners, technicians and students to suggest why coverage is being detected at particular locations. The coverage detected may not be LOS (line of sight) but due to NLOS (non line of sight). For these two radio scenarios there is a wide range of propagation models/components that are commonly referred to and used for mobile (cellular) communications.

Uniformity for CSA surveys is not impossible; it has been established by industry, mobile radio network operators and radio architects/designers. It is simply a lack of consensus in the forensic community that has largely stopped consensus being reached. The latter state has arisen because of the way investigations have been subjected to intervening factors/limitations imposed by constraints: financial constraints; knowledge, skill and experience constraints; timing constraints; or a combination of constraints. Can you imagine a DNA or blood specialist giving evidence in court and stating "the results I obtained are these, but I have no clue as to why those results would be obtained at a particular juncture/point in the examination/survey, and there is no consensus in industry as to what I should refer to as a criterion or norm"?

CSA can be defined by five practical forensic headings:

1) Call-Billing Records/Cell Details/Operational Records/Network Records;
2) Radio Coverage and Mast-Tower BTS;
3) Radio Coverage and Mobile Station-Smartphone;
4) Radio Coverage and Geo-Clutter;
5) Radio Coverage and Scene of Crime.

It is agreed that each heading will have its own subset headings, but for each of the main five headings it is possible to produce a primer. It is also accepted that another reason a naming convention consensus has yet to be achieved in the forensic community is the disparate range of definitions used by industry. Mobile Forensics must develop a generic title and statement. This would not only assist the prosecution and defence to have firm ground upon which to question/cross-examine a witness but aid the court to understand submissions. And this is only right and proper. With medical principles and practices it roughly takes 10-20 years to accept/understand each medical term, yet we find after 30 years of cellular radio technology the courts and legal profession still struggle to get to grips with mobile cellular terminology and techniques. Thus using headings such as those above, with appropriate descriptions attached to them, should reduce or remove that problem. The following discussion illustrates established norms that are available and that can be used consensually between expert, forensic and legal parties.

The discussions in CSA - Site Survey Methods form subsets of 2), 3), 4) and 5). By way of illustration, the discussion here [ ] refers to effects on radio coverage. The examiner, technician and student, having obtained all the information at 1) above, may wish to then consider 2) and 4) above.


The above photo of a Mast-BTS/NodeB/eNodeB shows an example of identified radio transmission technology that the examiner, technician and student should identify at first instance to comprehend (a) the communications transmissions available and (b) the services to be obtained from this type of multi-basestation.

The examiner, technician and student are ultimately considering scenarios into which radio coverage will be propagated. These will not simply be the standard radio coverage frequencies allocated to GSM/W-CDMA/CDMA/LTE etc. but also microwave links for backhaul of the site's traffic where no landline backhaul is possible.

It follows therefore that background knowledge about propagation, models and survey profiles etc. can assist how an examiner, technician and student may plan on-site surveys and radio test measurements, or identify those components that might be involved in the results detected. Some examples are:

Basic algorithm: COST 231 Model (ETR 364, COST 231 Final Report)
Type: Point-to-area (multipoint)
Frequency: about 800 MHz - 2 GHz
Distance: up to 5 km

Basic algorithm: IEEE 802.16
Type: Point-to-area (multipoint)
Frequency: about 2 GHz - 5 GHz
Distance: up to 70 km

Type: Point-to-point
Frequency: 150 MHz - 1500 MHz
Distance: 1 km to 20 km
Allows for a correction factor where the mobile height differs from the 1.5 m baseline

Type: Point-to-multipoint
Frequency: ~150 MHz - 2 GHz
Distance: up to 100 km

Line of Sight
Basic algorithm: ITU-R P.452-14
Type: Point-to-point and Point-to-multipoint
Frequency: about 700 MHz - 40 GHz
Distance: up to 100 - 150 km

ITU-R P.1411 provides guidance on outdoor propagation for systems that operate over distances under 1 km and over the frequency range 300 MHz to 100 GHz.

ITU-R P.1546 provides guidance on outdoor propagation for systems that operate over distances of 1 km and greater and over the frequency range 30 MHz to 3 GHz.

Effective Antenna Height:

Analysing point to point/area components:

Examiners, technicians and students should note that in these examples I have used the ITU (International Telecommunications Union) recommendations adopted around the world by its members. This means that whether the CSA is located in Europe, the Middle East, Asia, Africa, North America etc., these are useful recommendations to consider and refer to in final reports. Put another way, there should be nothing in a final report that has been made up (a false statement) by the report's author.

Free space path loss: ITU-R P.525-2
Fresnel zone ellipsoids: ITU-R P.526-11
Path clearance: ITU-R P.530-13
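As an added worked example (Python written for this page, not from the author or from the ITU texts), the following computes the three point-to-point quantities listed above for a constructed 1800 MHz line-of-sight path from a mast to a survey point: free-space loss in the P.525 form, the first Fresnel zone radius in the P.526 geometry, and a path clearance check over an effective-radius earth. The 0.6 F1 clearance target, the median k-factor of 4/3 and the example path are assumptions; P.530 gives the full clearance procedure.

```python
import math

C = 299_792_458.0  # speed of light in m/s
EARTH_RADIUS_M = 6_371_000.0

def free_space_path_loss_db(freq_mhz, dist_km):
    """Basic free-space transmission loss, 20*log10(4*pi*d/lambda), the
    quantity tabulated in ITU-R P.525 (inputs: f in MHz, d in km)."""
    wavelength_m = C / (freq_mhz * 1e6)
    return 20.0 * math.log10(4.0 * math.pi * dist_km * 1e3 / wavelength_m)

def fresnel_radius_m(n, freq_mhz, d1_km, d2_km):
    """Radius of the n-th Fresnel zone ellipsoid at a point d1 from one
    antenna and d2 from the other: sqrt(n*lambda*d1*d2/(d1+d2)) (P.526)."""
    wavelength_m = C / (freq_mhz * 1e6)
    d1, d2 = d1_km * 1e3, d2_km * 1e3
    return math.sqrt(n * wavelength_m * d1 * d2 / (d1 + d2))

def path_clearance(tx_h_m, rx_h_m, dist_km, freq_mhz, obstacles,
                   k_factor=4.0 / 3.0, fraction=0.6):
    """Check each obstacle (distance_km from tx, height_m above the same datum
    as the antennas) against the ray joining the antennas over a k-factor
    earth. The target is `fraction` of the first Fresnel radius (0.6 F1 is the
    rule of thumb assumed here; P.530 gives the full procedure and k-factor
    statistics). Returns (distance_km, clearance_m, required_m, ok) per obstacle."""
    r_eff = k_factor * EARTH_RADIUS_M
    results = []
    for d_km, obstacle_h in obstacles:
        d1, d2 = d_km * 1e3, (dist_km - d_km) * 1e3
        bulge = d1 * d2 / (2.0 * r_eff)            # earth curvature, metres
        ray_h = tx_h_m + (rx_h_m - tx_h_m) * d_km / dist_km
        clearance = ray_h - (obstacle_h + bulge)
        required = fraction * fresnel_radius_m(1, freq_mhz, d_km, dist_km - d_km)
        results.append((d_km, clearance, required, clearance >= required))
    return results

def link_summary(tx_h_m, rx_h_m, dist_km, freq_mhz, obstacles):
    """Free-space loss plus whether every obstacle meets the clearance target."""
    checks = path_clearance(tx_h_m, rx_h_m, dist_km, freq_mhz, obstacles)
    return free_space_path_loss_db(freq_mhz, dist_km), all(ok for *_, ok in checks)

# Constructed example: a 10 km path at 1800 MHz between 30 m antennas with two
# obstacles; the mid-path one fails the 0.6 F1 target, the nearer one passes.
EXAMPLE_LINK = dict(tx_h_m=30.0, rx_h_m=30.0, dist_km=10.0, freq_mhz=1800.0,
                    obstacles=[(2.0, 10.0), (5.0, 20.0)])
```

Note that the path can fail the Fresnel clearance check even though the straight ray clears the obstacle: that is the NLOS case the P.526 diffraction methods listed below are for.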

Reflection, Diffraction, Scattering and Attenuation:
Specific attenuation: ITU-R P.676-8
Precipitation attenuation: ITU-R P.837-5
Specific rain attenuation: ITU-R P.838-3
Rain height model: ITU-R P.839-3
Hydrometeor attenuation: ITU-R P.530-13
Fog attenuation: ITU-R P.840-5
Single knife-edge: ITU-R P.526-11
Deygout: ITU-R P.526-11
Average: ITU-R P.530-15
Spherical Earth: ITU-R P.526-11
Reflection: ITU-R P.527-3
Multipath: ITU-R P.1407-5
Scattering due to RET: ITU-R P.833-5
Vegetation: ITU-R P.833-8
Polar and desert dry temperatures: ITU-R P.841-4
Buildings: ITU-R P.1812-3
Building materials and structures: ITU-R P.2040-0

There are of course other region-specific cellular transmission technology standards for North America, Europe etc., e.g. ETR 364: Digital cellular telecommunications system; Radio network planning aspects. These shall be referred to in another discussion.

PLEASE NOTE: The page will be updated with other ITU recommendations from time to time.