Monday, December 30, 2013

CSA related items

The use of historic cell site evidence doesn't require it to pinpoint the exact spot where the mobile phone was used. The supporting evidential materials do have to stack up, though, while at the same time avoiding assumptions being made on "thin" evidence.

Circumstantial evidence - mobile phone /giffgaff / cell site:
http://www.bailii.org/cgi-bin/markup.cgi?doc=/ew/cases/EWCA/Crim/2013/1916.html

Location and Mast Usage
http://www.bailii.org/cgi-bin/markup.cgi?doc=/scot/cases/ScotHC/2013/2013HCJAC89.html

Location Tracking in the US

We have all read various views expressed by those involved in the US that location data are not kept and that it is all too difficult to get any sort of data. Have a read of the article below and ask yourself: if the authors of this article are aware that such location data does exist and is retained, why have others expressed in other forums that such data doesn't exist or, if it did exist, that it isn't retained?

Government Location Tracking: Cell Phones, GPS Devices, and License Plate Readers:
https://www.aclu.org/government-location-tracking-cell-phones-gps-devices-and-license-plate-readers

Sunday, December 29, 2013

EU common charger for all mobiles/tablets

Members of the European Parliament have presented to the Council of Members a persuasive first-stage plan, based upon reduction of waste and consumer ease of charger migration when changing to a new handset, for a universal charger for all new mobiles sold into the EU.

2012/0283(COD)
26.4.2013
***I
DRAFT REPORT
on the proposal for a directive of the European Parliament and of the Council on the harmonisation of the laws of the Member States relating to the making available on the market of radio equipment (COM(2012)0584 – C7-0333/2012 – 2012/0283(COD))
Committee on the Internal Market and Consumer Protection


In accordance with the amendment to Article 2(3) of the proposed Directive.
Amendment 3

"appropriate type throughout the Union may be necessary. Interoperability between radio equipment and accessories such as chargers simplify use of radio equipment and reduce unnecessary waste."

"throughout the Union is necessary in some cases. Interoperability between radio equipment and accessories such as chargers simplifies use of radio equipment, reduces unnecessary waste and costs. A renewed effort to develop a common charger would therefore be highly desirable and consequently be beneficial in particular for consumers and other end-users."


If the further proposed stages receive approval, the timescale envisaged means a universal charger common to all new mobile phones could be available on the market by 2017 at the earliest. That is because member states will be given two years to transpose the new directive into local legislation.

Of course, the technical realisation needs to be transformed into an approved technical standard. Some years ago the EU approved micro-USB for use with smart phones. However, (a) the EU has yet to decide which standard will be ratified for the proposed universal charger; (b) there have been technology advances since the earlier approval of micro-USB; and (c) mobile tablets etc. have also proliferated in the marketplace. The directive would need to cover these too, and would also need to apply to other forms of radio equipment using a charger supplied into the EU for consumer use.

Of the various connector types, the universal charger connector may come in several guises. Two that come to mind are Apple's Lightning connector and the new USB 3.1 type-C connector recently announced by the USB Standards Group. Both would already be in the marketplace before the two-year deadline has expired.

Apple's Lightning connector
http://en.wikipedia.org/wiki/Lightning_(connector)







USB Standards Group type-C connector USB 3.1
http://www.usb.org/press/USB-IF_Press_Releases/Type-C_PR_20131203_Final.pdf
http://www.usb.org/developers/USB-Futures.pdf


Image Source - http://www.mrgco.com/blog/usb-3-0-promoter-group-announces-new-type-c-connector-for-usb/ 

Wednesday, November 06, 2013

Use of GSM Logical Channels for CSA

When a mobile/smart phone's power button is pressed, the mobile triggers the power-up sequence. At this stage the mobile station (MS) is in radio darkness (ignorant) about the radio coverage that surrounds it in the geographical area in which it has been switched ON. Once switched on, the mobile device uses the embedded routines in its radio program to follow a sequence that brings it out of the radio darkness and into the radio light. It gains knowledge about the radio coverage surrounding it; compares particular coverage to identify the correct transmission technology for which the mobile device has been designed and manufactured; illuminates its presence to the mobile network in the geographical location where it is dwelling for the purpose of communications; and becomes radio link-enabled for mobile content communications and radio link-disabled to terminate them.

The diagram below omits the 'timing' of events because it is not there to demonstrate when each event occurs; it is intended to offer an at-a-glance visual indication of the sequence of channels involved from power ON to terminating a call.

It could be suggested that the above diagram is not entirely realistic: following power up and registering with the network, what happens if an incoming call indicator is received, or if an SMS is received immediately after power up and registration? In GSM terms it is possible to select the use of the channels identified above for each of those purposes. So the diagram can be considered for use relating to incoming and/or outgoing communications.

For the avoidance of doubt regarding GSM logical channels, it is relevant to mention that under the logical allocation of channels there is a separate and divided approach to two logical channel paths, if you will: 'Common Channels (CCH)' and 'Dedicated Channels (DCH)'.

Common Channels (CCH)
CCH has allocated under it two channel sub-divisions:

Broadcast Channels (BCH) which is divided into a further three sub-channels:

- Frequency Control Channel (FCCH); Synchronisation Channel  (SCH); Broadcast Control Channel (BCCH).

Common Control Channels (CCCH) which is divided into a further three sub-channels:

- Paging Channel (PCH); Random Access Control Channel (RACH);  Access Grant Channel (AGCH)


Dedicated Channel (DCH)
DCH has allocated under it two channel sub-divisions.

Common Channels (CH) which is divided into a further three sub-channel groups:

- Stand-alone Dedicated Control Channel (SDCCH); Slow Associated Control Channel (SACCH) ; Fast Associated Control Channel (FACCH)

Traffic Channels (TCH) which is divided into a further two sub-channels:

- Traffic Channel Full (TCH/F) Rate; Traffic Channel Half (TCH/H) Rate 

As a further point to note, two DCH logical channels shown in the above diagram can be included (transmitted) in either Common Channels communications and/or Traffic Channel communications. The SACCH has been highlighted because its content can be communicated within the SDCCH or TCH transmission.

Question 1: Do you know the important content that is transmitted in the SACCH packet and its relevance to informing the MS and Network and to cell site analysis?

Question 2: The other shared DCH logical channel has not been highlighted. Do you know what that other channel is and the important content it holds in the communications informing the MS and Network and to cell site analysis? To refresh, its content too can be communicated within the SDCCH or TCH transmission.

The Diagram
The diagram above is divided into FOUR separate MS states:

- Power On
- Idle Mode
- Dedicated Mode
- Idle Mode

Each of these separate elements is paramount to GSM CSA; without their basic existence GSM CSA would not be possible from the point of view of the mobile device element investigation, which forms one of the investigation procedures during CSA.

Sunday, November 03, 2013

Directed Retry

A fundamental and vital goal of any mobile communication network is to maintain communications between the network and the mobile station (MS), whether the MS is dwelling in an area or on the move. To assist these aims and objectives, GSM is commonly known to use 'Handover', for which there is a specific GSM standard, TS03.09 [cf. W-CDMA, see 3GPP TS23.009].

The assumption being made for these cause values is that the MS is seeking to obtain a service for speech calls.

│7 6 5│4 3 2 1│                                                  │
│0 0 0│0 0 0 0│Radio interface message failure                   │
│0 0 0│0 0 0 1│Radio interface failure                           │
│0 0 0│0 0 1 0│Uplink quality                                    │
│0 0 0│0 0 1 1│Uplink strength                                   │
│0 0 0│0 1 0 0│Downlink quality                                  │
│0 0 0│0 1 0 1│Downlink strength                                 │
│0 0 0│0 1 1 0│Distance                                          │
│0 0 0│0 1 1 1│O and M intervention                              │
│0 0 0│1 0 0 0│Response to MSC invocation                        │
│0 0 0│1 0 0 1│Call control                                      │
│0 0 0│1 0 1 0│Radio interface failure, reversion to old channel │
│0 0 0│1 0 1 1│                                                  │
│0 0 0│1 1 0 0│Better Cell                                       │
│0 0 0│1 1 0 1│Directed Retry                                    │
│0 0 0│1 1 1 0│                                                  │
│0 0 0│1 1 1 1│Traffic                                           │

Key and germane to handover being successful is that operators can use various handover techniques controlled by handover triggering algorithms. These triggers activate when detection mechanisms identify propagation or network conditions, at the existing cell or at the target cell, that do not meet a set criteria for usage. One such condition is referred to by Professor Sami Tabbane in Management of Radio Mobility: The Handover Procedure - 8.1.4.2 Intercell and Intra-BSC Handover "A handover that is triggered for reasons of traffic loading and occurs during call setup is called directed retry."

Examiners are expected to know about Directed Retry, to take account of its possibility when conducting CSA (cell site analysis) investigations and to understand its influence and impact on the evidence recorded in call records and associated cell data. A point of contention in evidence often arises where a defendant states "I was not at the location claimed by the prosecution but was in a different area". Invariably this receives a response "Why does your mobile use the radio coverage from a particular sector (azimuth) from a particular fixed mast (BTS)?" Directed Retry makes possible the scenario of having a mobile phone in a cell adjacent to the one shown in the call records. Directed Retry is not a trigger that simply fires every few minutes but arises, as Professor Tabbane records, due to traffic loading at the time of call setup.

A mistake that experts and investigators could make would be to ignore the existence of Directed Retry and, even more problematic, not to have asked whether Directed Retry was active at cell/BSC level at the material time of the calls, apart from any intervention within the network.

GSM standards make Directed Retry explicit where it might otherwise be implicit for a GSM radio location area. This logically raises the question of how Directed Retry can be configured and activated. Mobile network radio equipment manufacturers offer the capability in their equipment for mobile network engineers to fine tune the radio post-installation, and the parameters that can be fine tuned are the Handover triggers, of which Directed Retry is one:




As each equipment manufacturer varies the way fine tuning may be implemented, using a GUI to input the trigger parameters is one method. Another is to incorporate data into the .mdb or .xls file, which has been scripted to produce e.g. an .xml output for uplifting to the radio base station database. This means it can be checked whether Directed Retry is active in a particular GSM radio location area. Furthermore, due to continuing radio fine tuning, updates to the trigger parameters can occur, and older versions of the .mdb/.xls may be recovered from archive.

Experts and Investigators will need to be aware of the triggers Directed Retry (DR) and Forced Directed Retry (FDR) and identify when, in a mobile network, either of these triggers would be implemented and activated for the radio network. This equally means tracking down the equipment manufacturers that offer one form or another or both forms of Directed Retry.
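The check described above, whether Directed Retry was active on the recorded cell at the material time, can be sketched as follows. This is an added example, not part of the original post or any manufacturer's tooling; the XML schema, the parameter name `DirectedRetry`, the cell identifiers and the call times are all constructed, since each manufacturer exports handover parameters in its own format.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed parameter snapshots, standing in for archived .xml exports.
# The schema (snapshot/cell/param) is hypothetical, not a vendor format.
SNAPSHOTS = [
    """<snapshot effective="2013-09-01T00:00:00">
         <cell id="LAC1234-CI5001"><param name="DirectedRetry">OFF</param></cell>
         <cell id="LAC1234-CI5002"><param name="DirectedRetry">ON</param></cell>
       </snapshot>""",
    """<snapshot effective="2013-10-15T02:30:00">
         <cell id="LAC1234-CI5001"><param name="DirectedRetry">ON</param></cell>
         <cell id="LAC1234-CI5002"><param name="DirectedRetry">ON</param></cell>
       </snapshot>""",
]

# Constructed call records: (call start time, cell shown in the call data).
CALLS = [
    ("2013-08-20T14:05:00", "LAC1234-CI5001"),  # earlier than any archived export
    ("2013-09-10T09:12:00", "LAC1234-CI5001"),
    ("2013-10-20T18:40:00", "LAC1234-CI5001"),
    ("2013-10-20T18:55:00", "LAC1234-CI5999"),  # cell absent from the exports
]


def load_snapshots(xml_docs):
    """Parse exports into (effective_time, {cell_id: dr_enabled}), oldest first."""
    parsed = []
    for doc in xml_docs:
        root = ET.fromstring(doc)
        effective = datetime.fromisoformat(root.get("effective"))
        cells = {}
        for cell in root.findall("cell"):
            for param in cell.findall("param"):
                if param.get("name") == "DirectedRetry":
                    value = (param.text or "").strip().upper()
                    cells[cell.get("id")] = value == "ON"
        parsed.append((effective, cells))
    return sorted(parsed, key=lambda item: item[0])


def dr_status_at(snapshots, when, cell_id):
    """Return 'active', 'inactive' or 'unknown' for a cell at the material time.

    'unknown' is reported when no export covers the time or the cell, rather
    than assuming the trigger was off.
    """
    in_force = None
    for effective, cells in snapshots:
        if effective > when:
            break
        in_force = cells  # latest export that took effect before the call
    if in_force is None or cell_id not in in_force:
        return "unknown"
    return "active" if in_force[cell_id] else "inactive"


def review_calls(xml_docs, calls):
    """Annotate each call record with the Directed Retry status of its cell."""
    snapshots = load_snapshots(xml_docs)
    return [
        (start, cell, dr_status_at(snapshots, datetime.fromisoformat(start), cell))
        for start, cell in calls
    ]


if __name__ == "__main__":
    for start, cell, status in review_calls(SNAPSHOTS, CALLS):
        print(f"{start}  {cell}  Directed Retry: {status}")
```

An "unknown" result marks a call for which a further archived export has to be requested before anything is said about Directed Retry.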

Saturday, November 02, 2013

GPRS Cell Site Analysis

GPRS CSA

http://cellsiteanalysis.blogspot.co.uk/2013/11/gprs-csa.html




There are often forum discussions about GPRS (general packet radio switching) and how to conduct CSA (cell site analysis). Given that GPRS is expected to form a basic data service across GSM/WCDMA/LTE it is always worth starting at the beginning with GSM/GPRS as GPRS has numerous influences on GSM that have evolved for today's mobile networks.

As the old adage goes, "time and tide wait for no man": it is important to get to grips with GPRS at its easiest stages and, once understood, move on to track down and comprehend the changes found in the additional layers involved with later transmission technologies.

When I was teaching/training at the Institute the Professor in charge of educational studies, at that time, wanted me to show where mobile communication research material originated, authenticate sources and compile the material before student/delegate training could go ahead. Invariably this meant starting out producing hand-drawn sketches that would be converted and re-produced for slide/powerpoint presentations. The information in the sketches being sourced from standards, books, articles, whitepapers, manufacturer specs etc, and experience (testing), of course. From my GPRS CSA course researched material prepared back in 2002/2003 I have pulled out of the folder one hand-drawn sketch (below) from the collection of sketches prepared for GPRS CSA.



The sketch layout is heavily influenced by the existing standards and industry illustrations available at that time. I have added a few personal touches in order to produce this at-a-glance sketch. Perhaps students, investigators and examiners may find it a useful starting point. I shall add more here, at this blog, about GPRS CSA but I do have quite a few other research projects on the go and I want to write about those too.

Just briefly though, GPRS CSA is not possible simply by referring 'only' to CDRs.

Firstly, there are two CDRs to consider. GPRS usage is not solely defined by a Call Detail Record. GPRS has its own record called the Charging Data Record (also referred to by the acronym CDR), defined to confirm data usage, irrespective of the content transmitted in the data, services used etc.

Secondly, GPRS CSA should not be undertaken lightly and should not be progressed where the investigator/examiner is being given partial information or being denied access to information.

Thirdly, to avoid mishaps associated with the second point mentioned above, examiners/investigators should establish at first instance the MS, (U)SIM/handset, used at the material time. They should also obtain confirmation of which cells were GPRS enabled and available for the relevant location/s at the material time; the requirement is equally relevant to identifying those cells that were not enabled for GPRS for the relevant location/s.

Fourthly, make sure it is clear which GPRS usage is in the home network and which is GPRS usage caused to be transported across donor roaming partner networks but within the same country (cf. Vodafone and Hutchison 3G (H3G)).

Saturday, October 26, 2013

Cellular Transmission Technology

Here are two test sheets identifying a range of cellular transmission technologies for CSA beginners and practitioners. It requires going through the charts to identify the accuracy of the information recorded in them and identify the relevant mobile network operators. It means researching not simply at the mobile network operators' websites, but researching the standards, etc etc etc.

http://cellsiteanalysis.blogspot.co.uk/2013/10/cellular-transmission-technology.html





A key aim and objective with CSA is to remember to start out being as thorough as you possibly can and create a very, very long list of all the elements you expect to be identified, what information you expect to be revealed from those elements and what has actually been revealed from the other side in evidence.

When visiting the various forums, discussions can often refer to a technical point without the relevant and specific cellular transmission technology being identified. The problem this creates is that quite often reference to mobile communication 'commands' and 'responses' can be transferred between cellular transmission technologies. To assist with these complexities the cellular transmission technology test sheets 1 and 2 identify researched information and you have to find out whether all the information and supporting information is accurate or not. The sense of achievement is guaranteed in the finding out as opposed to confirming to the world look what I know. Have a go and see how much you think you know - what have you got to lose.

Special thanks for all the help from the superb information made available by various sources including, but not limited to, the following organisations: GSMA, 3GPP/2, TIA/EIA; Regulatory bodies; the various mobile network operators around the world; Alcatel, Andrew, Anite, Anritsu, Ericsson, Huawei, Jaybeam, Kathrein, Nec, Nokia, Nortel, Siemens, Zapp.

Sunday, October 20, 2013

MTEB CSA Fundamentals Training

The MTEB has received an increase in the number of enquiries about fundamental (core) training in Cell Site Analysis.

It could be useful for readers to be reminded, in brief, that scoping CSA requires applying a wide-ranging methodology to the investigation and analysis of mobile device activity and mobile communications. That means a CSA participant needs to understand:

- the science operating behind and underpinning CSA
- identifying forensic stepping stones for CSA
- evidence produced for CSA
- reporting on the findings from the conducted CSA.

None of the MTEB subject headers (below) on the course for each of the sections takes precedence over another, as all topic elements in the course require the investigator/examiner/expert to:

- constantly balance and accommodate all of the investigation elements and lines of enquiry
- correlate constants vis-a-vis ambiguities and determine the findings in each of the topics and confirm what the combined findings mean from all topics when aggregated
- ensure findings support and corroborate / deny and disprove the investigation outcome set out in the engaging party's instructions.

MTEB Cell Site Analysis Fundamentals Course
[]GSM []GSM/(W)CDMA/ []GSM/(W)CDMA/LTE []Other Bespoke Networks

Section 1 Introduction - CSA Fundamentals
Section 2 Legal and Technical Frameworks
Section 3 Guidelines, Specifications, Standards. Reference Sources etc
Section 4 PLMN - Mobile Network Installation and Mobile Elements
Section 5 Originating evidence
Section 6 Cross-referencing originating sources of evidence
Section 7 Techniques/skills for Cell Site Identification
Section 8 Techniques/skills for Cell Site Analysis
Section 9 Techniques/skills for Radio Results Analysis
Section 10 Final Analysis and Reporting

Sunday, October 06, 2013

(U)ICC/(U)SIM Script Commands and Responses


The discussion under (U)ICC/(U)SIM Script Commands and Responses is one of a number that will appear to assist Diploma students with their course work.

http://sim2usim.blogspot.co.uk/2013/10/uiccusim-script-commands-and-responses.html


(U)ICC/(U)SIM 3F00 7F10 6F4A

3GPP UICC/USIM script selecting Master File, Dedicated File and Elementary File





















GSM ICC/SIM script selecting Master File, Dedicated File and Elementary File






























Reason for script test : defining an examination procedure to isolate and test a single elementary file; determine the EF's status, file structure, coding etc; corroborate the ability of the (U)ICC/(U)SIM to action responses from commands sent to card; provide corroborating evidence of commands sent to the card to demonstrate evidential integrity (transparency of practices and procedures); testing the examination card reader is functioning correctly; QA procedures.
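As an added illustration (not the original post's scripts and not output from USIM Commander), the sketch below builds the SELECT / GET RESPONSE command sequence for the path 3F00 7F10 6F4A in both GSM SIM and UICC form, then checks a recorded command/response transcript for consistency. It assumes T=0 status words (9F xx for GSM 11.11, 61 xx for a UICC), and the function names and sample transcript are constructed for the example.

```python
GSM, UICC = "gsm", "uicc"
PATH = ["3F00", "7F10", "6F4A"]      # MF -> DF -> EF, as in the heading above

# SW1 meaning "command succeeded, SW2 bytes of response data are waiting".
SW1_DATA_READY = {GSM: 0x9F, UICC: 0x61}


def select_apdu(mode, fid):
    """SELECT by file identifier: class A0 for a GSM SIM, class 00 for a UICC."""
    if mode == GSM:
        header = [0xA0, 0xA4, 0x00, 0x00, 0x02]
    else:
        header = [0x00, 0xA4, 0x00, 0x04, 0x02]   # P2=04 asks for the FCP template
    return bytes(header) + bytes.fromhex(fid)


def get_response_apdu(mode, length):
    """GET RESPONSE for the number of bytes announced in SW2."""
    cla = 0xA0 if mode == GSM else 0x00
    return bytes([cla, 0xC0, 0x00, 0x00, length])


def constructed_transcript(mode, lengths=(0x16, 0x16, 0x0F)):
    """Build a well-formed sample transcript of (command, response) pairs.

    Response data is zero filler of the announced length, not real card content.
    """
    transcript = []
    for fid, n in zip(PATH, lengths):
        transcript.append((select_apdu(mode, fid), bytes([SW1_DATA_READY[mode], n])))
        transcript.append((get_response_apdu(mode, n), bytes(n) + b"\x90\x00"))
    return transcript


def check_transcript(mode, transcript, path=PATH):
    """Return a list of inconsistencies; an empty list means the record is coherent."""
    if len(transcript) != 2 * len(path):
        return [f"expected {2 * len(path)} exchanges, found {len(transcript)}"]
    problems = []
    for i, fid in enumerate(path):
        sel_cmd, sel_rsp = transcript[2 * i]
        get_cmd, get_rsp = transcript[2 * i + 1]
        if sel_cmd != select_apdu(mode, fid):
            problems.append(f"{fid}: SELECT command differs from the expected script")
        if len(sel_rsp) != 2 or sel_rsp[0] != SW1_DATA_READY[mode]:
            problems.append(f"{fid}: SELECT status {sel_rsp.hex().upper()} is not success")
            continue                  # nothing meaningful to fetch after a failed SELECT
        announced = sel_rsp[1]
        if get_cmd != get_response_apdu(mode, announced):
            problems.append(f"{fid}: GET RESPONSE length does not match SW2")
        if len(get_rsp) != announced + 2 or get_rsp[-2:] != b"\x90\x00":
            problems.append(f"{fid}: response data length or final status is wrong")
    return problems


if __name__ == "__main__":
    for mode in (GSM, UICC):
        print(mode.upper(), "script:")
        for fid in PATH:
            print("  ", select_apdu(mode, fid).hex(" ").upper())
        print("  consistent:", check_transcript(mode, constructed_transcript(mode)) == [])
```

Running the same check over the log an examination tool produces gives a repeatable record that every command sent matched the intended script and that the card answered each one.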

Script examination tool used : USIM Commander - http://www.quantaq.com/usimcommander.htm

Relevant Core Diplomas:-

Aims : MTEB Diploma for Mobile Evidence QA and Evidence Handling - Mobile Telephone Diploma Core CQAE1

Objectives : Device Maintenance and Calibration; Examination Procedure

Aims : MTEB Diploma for SIM and USIM Technology Examination - Mobile Telephone Diploma Core CSUT2

Objectives : Your understanding of roles and responsibilities and the importance of appropriate practices and procedures for SIM and USIM Technology Examination for acquiring evidence.

Reference Standards :
GSM11.11/3GPP TS51.011/3GPP TS31.102,
GSM11.12,
GSM11.17/3GPP TS51.017/3GPP TS31.120/3GPP TS31.121/3GPP TS31.122,
GSM11.18/3GPP31.101,

EU MTEB Diploma Student Note : Remember to check with ETSI Standards e.g. TS102.221 etc

US MTEB Diploma Student Note : Diploma Students remember to check e.g. C.S0065-0 v1.0, C.S0074-0 v1.0, C.S0074-A v1.0, N.S0009-0 v1.0, S.R0095-0 v1.0 etc

Generically speaking, apart from GSMA and 3GPP, there is also 3GPP2, which includes ARIB, CCSA, TIA, TTA and TTC, all of which have conditions that can impact/influence results on (U)ICC/(U)SIM.


The latest MTEB Diploma Modules Guide MTEdipl 2.2 can be downloaded here:
https://dl.dropboxusercontent.com/u/84491783/MTEdipl%202.2.pdf


Saturday, September 28, 2013

MTEB Diploma CSUT2 Partner

 


Diploma for SIM and USIM Technology Examination
Mobile Telephone Diploma Core
Diploma:CSUT2


Partner Support
The Mobile Telephone Examination Board (MTEB) are pleased to announce that Quantaq Solutions (http://www.quantaq.com/about.htm) have agreed to be the MTEB Diploma CSUT2 Partner. Quantaq Solutions' role is as a "Partner Support". This role entails

- providing trial copies of software
- responding to technical enquiries that a student may need to make

to assist with the student's Diploma.

Moreover, Quantaq Solutions will host an MTEB webpage solely for use by MTEB Diploma Students so that students can have access to the software and post questions to seek technical assistance.

MTEB selected to work with Quantaq Solutions as a "Partner Support" because of their existing experience with (U)SIM/smart card examination tools, their range of independent, stand-alone tools to analyse (action commands/receive responses) on SIM/Smartcard and their highly regarded technical knowledge and experience in the fields of:

SIM, smartcards, NFC, RFID, M2M, location, DRM, security, cryptography, Mobile Wallet, technology, innovation, patents, technical design authority, standardisation, proof-of-concepts and software development

Gary Waite

Leading the "Partner Support" on behalf of Quantaq Solutions is Gary Waite. Gary is very well known in the mobile forensics arena for his work on the (U)SIM forensic tools USIM Detective (USIM-D) and USIM Detective Professional (USIM-DP).

His experience and technical background further underpin his expertise:
- Founder of Quantaq Solutions
- Past Vice Chair of the Smart Card Group GSM Association
- Test software supplier to Global Certification Forum (GCF) Field Trial Guidelines
- Authored the original ETSI GSM 11.17 standard. This standard formalised the core test processes and procedures for SIM Cards and remains at the heart of (U)SIM testing, programming and examination today.
- First to introduce recording in CUST File (EF) a particular handset's IMEI on SIM Card, which is important, evidentially
- Employed as Technology Manager for the last 11 years with a well known international Mobile Network Operator
- Skilled in C/C++/Java
- Holds a Degree from the University of Abertay Dundee - Electrical & Electronic Engineering, Electronic Engineering

Diploma:CSUT2
Free trial access to the following tools will be made available to Diploma Students. 

USIMdetective - http://www.quantaq.com/usimdetective.htm
USIMexplorer - http://www.quantaq.com/usimexplorer.htm
USIMcommander - http://www.quantaq.com/usimcommander.htm
USIMprofiler - http://www.quantaq.com/usimprofiler.htm



The latest MTEB Diploma Modules Guide, MTEdipl 2.2, can be downloaded here:
https://dl.dropboxusercontent.com/u/84491783/MTEdipl%202.2.pdf


