2012-09-29

Of course, before probing into the area of mobile forensics you should at least have a general idea of the two primary mobile standards and some brief background. Some information may be redundant and a bit scattered, so I apologize for that!

Computer forensics is the scientific practice of using digital data in an investigation, and mobile forensics is the same practice applied to digital data created by a mobile device. Computer and mobile forensics are reactive, whereas security is proactive: some type of crime or infraction has already been committed, and a forensic expert must show that the person under investigation had control (for example, the activity came from his own IP address), ownership (for example, pornographic material stored on his computer or phone) and intent of abuse, which can lead to civil or criminal prosecution. There are many misconceptions about computer/mobile forensics. As stated before, it is not security, since it is reactive in nature. Computer forensics is not just the examination of computers but of any digital storage media, and the recovery of data used for criminal and civil court cases and abuse investigations; it is the process of acquisition, analysis and reporting. Computer forensics also investigates a wide variety of crimes, including child pornography, fraud, cyber stalking, murder and rape, not just computer crime. Finally, computer forensics is not just the recovery of deleted files; it also covers files still active on the computer, firewall logs, IP address logs, logs acquired by the cell phone operators on the location of a perpetrator, and so on. Evidence can be found on any hardware device, such as a computer, a mobile device, a gaming device or any device that executes digital content. Unless you remove the battery, a mobile device is always transmitting a signal; it holds personal data including voice and data, and multimedia which can be used in a crime or civil case; a device that is on the Internet leaves tracks of where people have been surfing the web; and many of these devices can be tracked and utilize GPS. Therefore, as described above, you can also garner data about the location of the device. So what is the difference between mobile and static devices?
Well, for one thing, mobile devices are embedded with a chip, have a different file system, and hold different information such as call logs and text messages; the cell phone stores its programs in ROM and your data in RAM. The phone never really turns off completely, even when it seems to be off, in order to keep the data in RAM from disappearing. A cell phone can be used in flight mode, and its storage is flash memory. Cell phones now average 128 MB of RAM for data storage and another 128 MB-256 MB of memory for software and for storing music and photos. Often more storage can be added via an expandable memory slot for a digital memory card.

The telephone of course began with Alexander Graham Bell, of Scottish descent, whose phone and telegraph machine made its first sounds in 1875. In 1876 the phone began to actually work, as Bell said "Come here, Mr. Watson, I want to see you." Then came the first switchboards; in 1885 AT&T was founded; in 1919 rotary phones were the main devices used to make calls; in 1946 area codes were established; the touch-tone phone was first released to the public; and in 1963 came the first push-button telephone. In the 1970s the first cordless phones were introduced, and the cell phone in 197; caller ID was established in 1983, and in 1984 AT&T was broken up into the Baby Bells. In 1991 GSM was first established. As for cell phones, there was the first push-to-talk phone (1993), the Motorola StarTAC (1996), the RIM BlackBerry two-way pager (1999) and the Motorola RAZR (2003). Hardware such as the Cellebrite Universal Memory Exchanger (UME), originally used to transfer your data from your old phone to your new one, came to be used with software for investigations.

The growth of mobile phones has been dramatic. CTIA reported that in 1995 there were 28.1 million subscribers and 31.5 billion call minutes. By 2011 there were 327.6 million subscribers, 2.2 trillion call minutes (6 billion call minutes per day), 5.7 billion text messages per day and 250,000 cell towers, and 29.7% of households were wireless only. Now let's talk a bit about the FBI, which in 2009 formed the Cellular Analysis Survey Team (CAST). CAST provides technical assistance, case support and training on cell phone tracking to federal, state and local law enforcement officers around the nation. A cell site analysis team provides a comprehensive set of analytical services across a range of telecommunications disciplines, including: examination and interpretation of call data records; on-site network readings and radio surveys, including spot readings at significant locations; route profiles to determine cellular coverage along routes travelled by suspects; coverage profiles to determine the area covered by particular cell masts; network profiles showing the coverage of all cellular networks at a given location; compilation of comprehensive cell site analysis reports, which include geographic mapping and call data presentations; RF signal detection equipment/software; and presentation of evidence at court by experienced expert witnesses in high-profile cases. CAST has 19 Special Agents nationwide, and these analysts put agents through a 4-week training program. One high-profile case involved a disgruntled wife named Piper Rountree, who killed her husband Fred Jablin in October 2004. Investigators tracked the location of her cell phone through its pings against tower sites, since she had claimed to be somewhere else when she called her son. In May 2005 she was convicted and sentenced to life plus three years. In another high-profile case, Michael Jackson's doctor recorded him via cell phone while he was dazed and confused; the doctor was convicted.
The iPhone of murder victim Katy McCaffrey was stolen, and photos the perpetrators took with her phone were automatically uploaded to her Facebook account. Higinio O. Ochoa III has been charged with illegally hacking into at least four U.S. law enforcement websites, feats he allegedly boasted about across social networking sites. His girlfriend took photos of herself with his Twitter account name written on her body, and the iPhone photos led investigators to her and then to him. He is a member of Anonymous. Finally, there was the recent Times Square incident in which a man holding a knife was shot by police. Bystanders' iPhones were confiscated, although they could have refused on the basis of the Fifth Amendment, but not before videos of the incident had been uploaded to the Internet.

Some methods criminals use to exploit systems and people include point-of-sale skimmers; Bluesnarfing, the unauthorized access of information from a wireless device through a Bluetooth connection, often between phones, desktops, laptops and PDAs, which gives access to the calendar, contact list, emails and text messages and, on some phones, allows pictures and private videos to be copied; and viruses. In fact, Android phones have had the most strains of malware, making up around 70 percent of the mobile phone market.

Some technological advancements include software developed by a British research group that can predict, within 20 meters, where you will be 24 hours from now, in order to stop a crime before it happens, and the app Localscope, which can determine the location of people and what they upload or text via their mobile devices if they are in close proximity. Apps assisting law enforcement include the "Brooklyn Quality of Life" application, which allows users to email photos or recorded messages from their iPhones and Android smartphones. The anonymous emails go to a group of retired detectives who decide whether the content should be posted on a Facebook page accessible only to members of city agencies. The Child ID App, first released in August 2011 for iPhones, provides parents with an easy way to electronically store pictures and vital information about their children in case they go missing.

Also helping you learn about forensics is a guide for your smartphone known as the Forensic Computer Examiner Quick Reference Guide App. To go off on a tangent, the Forensic Specialties Accreditation Board (FSAB) approved the International Association of Computer Investigative Specialists (IACIS) as an accredited certifying body in the field of computer/digital forensics, one of the first in the world!

When a cell phone is found at the scene of a crime, the officers should not turn it off: there may be a PIN locking the phone, and if it is shut off and you try to unlock it, you get three tries before the phone is blocked by the provider. Left on, however, the phone can receive messages and signals that can overwrite information on it, and an app known as Protect can be used on BlackBerry devices to remotely delete all data from the seized device. Faraday bags are recommended to shield the device, as are arson cans, which shield the device from the network. However, placing the phone in a bag can drain the battery while the phone searches for a signal, jeopardizing location information. The rules on warrantless searches vary from state to state: some courts hold that a person is protected by the Fourth Amendment, while other courts do not adhere to that.

Some other difficulties in mobile forensics are the numerous operating systems an investigator has to keep pace with, the cost of tools to image a device (although some tools are free), and the rapid advance of cellular phone technology, which forensic tools have a hard time keeping pace with. Cloud computing is also expected to play a key role in mobile forensics, as it provides access to additional resources that could aid with cumbersome processes. One such innovation is known as cloud cloning. Another new innovation being tested is a tool called P3, which is used to aid people on the scene by providing information for examining specific devices.

Let's get into the two major types of technologies that encompass mobile phones.

1. The Global System for Mobile communications (GSM) is an international standard for signal communications which uses TDMA (time division multiple access, a radio communication method that allows devices to communicate on the same frequency by splitting digital signals into time slots, or bursts, which are data packets transmitted on the same frequency) and FDD (frequency division duplex communication). GSM cellular telephone networks therefore use bursts. GSM is an international standard created by the European Telecommunications Standards Institute (ETSI) and was primarily designed by Nokia and Ericsson.

Every GSM phone has what is known as a Subscriber Identity Module (SIM card), which gives the phone its unique identity through what is known as the International Mobile Subscriber Identity (IMSI). The SIM stores phone numbers, short messages, the A3 authentication algorithm, the A8 ciphering key generating algorithm, the authentication key (Ki) and the IMSI. Therefore, although the card is removable, the phone will not work without it. The SIM also contains a personal identification number (PIN) to protect it from being used by someone who doesn't know the PIN; if someone enters a wrong PIN 3 times the phone is blocked, and the only way to reactivate it is for the SIM card owner to call their service provider, who unblocks it by entering an 8-digit Personal Unblocking Key, also stored on the SIM. When someone places a call, the signal goes to what's known as the base transceiver station (BTS), which acts much like a modem and passes the signal to the base station controller(s). As its name suggests, the BSC controls which signals are handed off to other BTSs and is also in charge of the allocation of frequencies. The signal then gets passed to the mobile services switching center (MSC), which connects to the Public Switched Telephone Network (PSTN) or to other GSM cell phone users. Within the MSC, or what they call the Network Subsystem (NSS), is the Home Location Register (HLR), which stores the permanent IMSI, the user's subscribed services, the subscriber's number on the public network, Ki and other data, and the Visitor Location Register (VLR), which stores permanent information on all subscribers currently serviced by the MSC; for security reasons the VLR stores just a Temporary Mobile Subscriber Identity (TMSI), used for limited intervals.
The NSS also contains the Equipment Identity Register (EIR), which stores International Mobile Equipment Identities (IMEIs) and knows and controls which devices are allowed to utilize the network. It therefore has what is known as a white list (calls approved for use by the network that meet certain criteria), a black list (devices that cannot use the network based on certain information) and a gray list (faulty equipment that can still use the network). It must be noted that CDMA also utilizes white and black lists, but they are network based, so unlike GSM you cannot swap a SIM card from one phone to another. Finally, within the NSS is the Authentication Center (AuC), the database that stores Ki, the A3 authentication algorithm, the A5 ciphering algorithm and the A8 ciphering key generating algorithm. The previous sentence is significant in that it is representative of the security that surrounds the network. When a call is first placed, the network transmits a 128-bit random number (RAND) to the mobile station, which passes it to the device's SIM, where it is run through the A3 authentication algorithm (a one-way function, although the choice of function is an operator option) together with Ki. The output of A3, a signed response (SRES), is transmitted from the mobile station back to the network, where the AuC compares the SRES it received from the mobile station with its own value; if the values match, the user's device is approved to access the network. As for the GSM encryption/decryption scheme, Ki (from the SIM) in combination with RAND is run through the A8 ciphering key generating algorithm to produce a ciphering key (GSM uses a ciphering key to protect both user data and signaling on the vulnerable air interface).
Once the user is authenticated, RAND (delivered from the network) together with Ki (from the SIM) is sent through the A8 ciphering key generating algorithm (stored on the SIM) to produce a ciphering key (Kc), which is then used with the A5 ciphering algorithm (which enciphers or deciphers data); A5 is embedded in the phone's hardware to encrypt and decrypt the data.
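The challenge-response exchange described above, as an added example rather than code from the original post: the network side holds Ki and issues RAND, the SIM answers with SRES and derives Kc, and the network admits the device only when the SRES values match. A3 and A8 are operator-specific and not published in a fixed form, so this example stands them in with HMAC-SHA256 truncated to the GSM sizes (32-bit SRES, 64-bit Kc); that substitution, the class names and the sample Ki are assumptions of the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Stand-ins for the operator-specific A3/A8 algorithms (an assumption of this example;
# real SIMs implement an operator-chosen one-way function such as a COMP128 variant).
# Both take the 128-bit Ki and the 128-bit RAND.


def a3_sres(ki: bytes, rand: bytes) -> bytes:
    """A3: signed response, 32 bits, sent back over the air."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8_kc(ki: bytes, rand: bytes) -> bytes:
    """A8: ciphering key Kc, 64 bits, never sent over the air; consumed by A5 in the handset."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


class SimCard:
    """The SIM keeps Ki to itself and only answers RAND challenges."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        if len(ki) != 16:
            raise ValueError("Ki must be 128 bits")
        self.imsi = imsi
        self._ki = ki

    def run_gsm_algorithm(self, rand: bytes) -> Tuple[bytes, bytes]:
        if len(rand) != 16:
            raise ValueError("RAND must be 128 bits")
        return a3_sres(self._ki, rand), a8_kc(self._ki, rand)


class AuthCenter:
    """Network side: the AuC database mapping IMSI to Ki."""

    def __init__(self) -> None:
        self._ki_by_imsi: Dict[str, bytes] = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._ki_by_imsi[imsi] = ki

    def triplet(self, imsi: str) -> Tuple[bytes, bytes, bytes]:
        """Fresh (RAND, expected SRES, Kc) for one authentication attempt."""
        ki = self._ki_by_imsi[imsi]          # KeyError for an unknown IMSI
        rand = secrets.token_bytes(16)
        return rand, a3_sres(ki, rand), a8_kc(ki, rand)


@dataclass
class AuthResult:
    success: bool
    rand: bytes
    kc: Optional[bytes]   # None unless the device was admitted


def authenticate(auc: AuthCenter, sim: SimCard) -> AuthResult:
    """Run one GSM authentication: network challenge, SIM response, network comparison."""
    try:
        rand, expected_sres, kc = auc.triplet(sim.imsi)
    except KeyError:
        return AuthResult(False, b"", None)   # IMSI not in the AuC: reject without a challenge
    sres, _sim_kc = sim.run_gsm_algorithm(rand)   # only SRES crosses the air interface
    if not hmac.compare_digest(sres, expected_sres):
        return AuthResult(False, rand, None)
    return AuthResult(True, rand, kc)   # both sides now share Kc for A5 without ever sending it


if __name__ == "__main__":
    ki = bytes(range(16))   # constructed sample Ki, not a real key
    auc = AuthCenter()
    auc.provision("310410123456789", ki)
    result = authenticate(auc, SimCard("310410123456789", ki))
    print("admitted" if result.success else "rejected", result.kc.hex() if result.kc else "")
```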

2. CDMA stands for Code Division Multiple Access. Compared with the GSM physical architecture discussed above, it differs in that other multiplexing techniques differentiate one mobile customer from another by assigning frequency ranges, or by arranging data in bit sequences in time in a non-contiguous way (interleaving) to increase performance; one disadvantage of interleaving is latency, because the entire interleaved block must be received before the packets can be decoded, and interleavers also hide the structure of errors. CDMA, in contrast, permits a multitude of mobile customers to share a common set of frequencies by assigning a unique digital code to each user; this is also referred to as spread spectrum technology. It spreads the transmission of a signal over a wide range of frequencies using mathematical values: for example, the original data is fed into a direct sequence modulator, where each binary 1 and 0 is replaced with a longer bit sequence. Each CDMA phone is assigned its own bit sequence, and when this sequence arrives at the destination station the code division multiplexer is able to tell one mobile device's bit sequence from another's. One other thing to note is that in actual cell phone systems, code division multiplexing is only utilized from what is called the mobile telephone office to the mobile phones and not during transmission from the mobile phones to the mobile telephone office. Consequently, phones that operate on a CDMA network do not use SIM cards; instead, most save the phone number and other identifying information in the handset itself. CDMA phones store user data, including phone book and scheduler information, in the operator's database, so if your phone is stolen or lost you can access your information again from the database, unlike with a GSM SIM card.
Also, GSM has significant roaming capabilities, so these devices can be used in multiple countries, whereas CDMA offers no multiband capability, disallowing its use in multiple countries. At the risk of redundancy, and since other classmates have already discussed where CDMA is predominant in the world, I will not get into that subject except to say CDMA has a smaller share of the market.

Can you tell from examination of a SIM where a suspect used a cell phone, and what tools are utilized?

Yes.

The system architecture of a GSM cellular network is very complex. It can generally be divided into three broad parts: the Mobile Station (the cell phone and its SIM), the Base Station Subsystem (which is responsible for handling traffic and signaling between the phone and the Network Switching Subsystem), and the Network Switching Subsystem (which performs the switching of calls between the mobile users and the Public Switched Telephone Network). Phones connect to a GSM network by searching for “cells” within their immediate location. GSM networks have several different “cell” sizes, and depending upon which is being implemented, the coverage area will vary. Regardless of the coverage, a cell phone’s location information could be of significant forensic value.

A. LOCATION INFORMATION
A SIM card contains the LOCI (Location Information) Elementary File, which can be found under the GSM Dedicated File. This file contains the Temporary Mobile Subscriber Identity (TMSI), TMSI TIME, Location Area Information/Local Area Identifier (LAI), and the Location Update Status.

1. Temporary Mobile Subscriber Identity (TMSI):
In addition to allowing mobile phones to communicate with each other, the Network Switching Subsystem (NSS) also acts somewhat as a telephone exchange. However, it has additional functionality to deal with the roaming ability of cell phones. A key component of the NSS is the Mobile services Switching Center (MSC) which provides functionality such as registration, location updating, and call routing. When a subscriber roams into the jurisdiction of an MSC, information about the cell phone is stored in a temporary database called the Visitor Location Register (VLR). Since each Base Station in the GSM network is served by one VLR, a subscriber cannot be present in more than one VLR at a time. The VLR assigns the TMSI which ensures privacy since it prohibits tracing of the identity of the subscriber should anyone attempt to intercept the link. The TMSI is assigned for the duration that the subscriber is within the jurisdiction of a particular MSC and combined with the current location area, allows a subscriber to be uniquely identified.

2. Location Area Information/Local Area Identifier (LAI)
The LAI for voice communications is structured hierarchically and uniquely identifies a Location Area (LA) within a GSM network. It consists of three components:

Mobile Country Code (MCC): consists of three decimal places and is used to identify the country of origin of the SIM card.
Mobile Network Code (MNC): consists of two decimal places and is used in conjunction with the MCC to identify the SIM card’s network provider.
Location Area Code (LAC): consists of a maximum of five decimal places.

GSM networks are divided into LAs which are comprised of one or more radio cells. Each of the LAs is uniquely identified within the network by its Location Area Code (LAC). These numbers are stored on the SIM card, thus providing the handset with its location. This also serves as a unique reference for the location of the subscriber as well since the LAI is required before the handset can receive an incoming call. When the subscriber roams into a new LA, the handset also stores the new LAI on the SIM card, adding it to a list of the previous LAIs. After being powered off and then powered back on, the handset will search the list of its stored LAIs until it finds the one it is currently located in, thereby allowing service to resume. Analyzing the SIM card can provide the geographical location(s) where the SIM card, the phone, and the owner of the phone (suspect) may have been.
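A decoder for the EF_LOCI record described in this section, as an added example and not code from the original post or from any of the tools listed below. It parses the 11-byte layout (TMSI, LAI with its BCD-packed MCC/MNC and LAC, TMSI TIME, location update status), handles the unprogrammed all-0xFF case and the "no valid TMSI" marker, and prints the LAI in the MCC-MNC-LAC form used in cell site reports; the sample bytes and the output format are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample EF_LOCI body (11 bytes), not taken from a real card:
#   TMSI 0x1234ABCD | LAI: MCC 234, MNC 15, LAC 0x0C3A | TMSI TIME 0x00 | status 0x00 (updated)
SAMPLE_LOCI = bytes.fromhex("1234ABCD" "32F451" "0C3A" "00" "00")

# Location update status is carried in bits b3..b1 of the last byte of EF_LOCI
UPDATE_STATUS = {
    0: "updated",
    1: "not updated",
    2: "PLMN not allowed",
    3: "location area not allowed",
}


@dataclass
class LocationInfo:
    tmsi: Optional[str]   # hex string, or None when the card holds no valid TMSI (all 0xFF)
    mcc: str
    mnc: str
    lac: int
    tmsi_time: int
    update_status: str


def _digit(nibble: int) -> str:
    """One BCD digit; anything above 9 (other than the 0xF filler handled by the caller) is corrupt."""
    if nibble > 9:
        raise ValueError(f"non-decimal BCD nibble {nibble:#x}")
    return str(nibble)


def decode_plmn(field: bytes) -> Tuple[str, str]:
    """Decode the 3-byte MCC/MNC field of a LAI.

    Layout, one BCD digit per nibble (high nibble | low nibble):
      byte 0: MCC digit 2 | MCC digit 1
      byte 1: MNC digit 3 | MCC digit 3   (MNC digit 3 is 0xF for a two-digit MNC)
      byte 2: MNC digit 2 | MNC digit 1
    """
    if len(field) != 3:
        raise ValueError("PLMN field must be 3 bytes")
    mcc = _digit(field[0] & 0x0F) + _digit(field[0] >> 4) + _digit(field[1] & 0x0F)
    mnc = _digit(field[2] & 0x0F) + _digit(field[2] >> 4)
    mnc_digit3 = field[1] >> 4
    if mnc_digit3 != 0xF:
        mnc += _digit(mnc_digit3)
    return mcc, mnc


def decode_loci(raw: bytes) -> LocationInfo:
    """Parse the 11-byte EF_LOCI record: TMSI(4) LAI(5) TMSI TIME(1) status(1)."""
    if len(raw) != 11:
        raise ValueError(f"EF_LOCI must be 11 bytes, got {len(raw)}")
    if raw == b"\xff" * 11:
        raise ValueError("EF_LOCI is unprogrammed (all 0xFF): card never registered")
    tmsi_bytes = raw[0:4]
    tmsi = None if tmsi_bytes == b"\xff" * 4 else tmsi_bytes.hex().upper()
    mcc, mnc = decode_plmn(raw[4:7])
    lac = int.from_bytes(raw[7:9], "big")
    status = UPDATE_STATUS.get(raw[10] & 0x07, "reserved")
    return LocationInfo(tmsi, mcc, mnc, lac, raw[9], status)


def describe(info: LocationInfo) -> str:
    """One-line summary in MCC-MNC-LAC form (constructed report format)."""
    return f"LAI {info.mcc}-{info.mnc}-{info.lac:04X} TMSI {info.tmsi or 'none'} ({info.update_status})"


if __name__ == "__main__":
    print(describe(decode_loci(SAMPLE_LOCI)))
```

Only the last location area the SIM registered in is recoverable from EF_LOCI; earlier ones come from the separate list the text mentions.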

B. FORENSIC TOOL OVERVIEW
To analyze a SIM card, it is normally removed from the handset and inserted into an appropriate reader. Command directives, called Application Protocol Data Units (APDUs), are sent to the SIM by the tool to extract potential probative evidence that may be present in the SIM file system. The original data on the SIM card is normally preserved by the elimination of write requests to the SIM during its analysis. Extracted data integrity can be maintained by the tool calculating the hash value(s) of the data in the files it creates and re-verifying them as necessary to demonstrate that they remain unchanged. Some SIM tools extract and preserve data better than others. As with any forensic tool, examiners need to thoroughly research those that are available to determine which one(s) meet their needs. Most examiners are aware (or should be) that no one tool will be able to extract all the data from every different type of cell phone or SIM card. Listed below are some tools that examiners commonly use.

AccessData Mobile Phone Examiner (MPE) Plus: integrates seamlessly with Forensic Toolkit. Enables advanced reporting to detail phone data [such as] call history, contacts, messages, photos, voice recordings, video files, calendar, tasks, and notes. MPE supports more than 2,500 phones and can be purchased with hardware to include a SIM reader and phone cables. (http://accessdata.com/products/computer-forensics/mobile-phone-examiner).
Cellebrite (UFED): the UFED family of products is able to extract and analyze data from more than 3,000 phones including smartphones and GPS devices. UFED devices have a built-in SIM reader that allows the device to obtain data such as call logs, phonebooks, SMS, IMSI, and the ICCID. SIM card cloning is also supported. (http://www.cellebrite.com/forensic-products/forensic-products.html?loc=seg).
EnCase Smartphone Examiner: designed to forensically collect data from smartphone and tablet devices, such as the iPhone and iPad. It can capture evidence from devices that use the Apple iOS, HP Palm OS, Windows Mobile OS, Google Android OS, or RIM Blackberry OS. Can acquire data from Blackberry and iTunes backup files as well as a multitude of SD cards. The evidence can be seamlessly integrated into EnCase Forensic. (http://www.guidancesoftware.com/encase-smartphoneexaminer.htm).
Data Pilot Secure View Kit: provides both a software and hardware solution which [enables] logical data extraction of the content stored in the mobile phone. Kit includes a universal cable set supporting Motorola (including iDen), Nokia, Samsung, LG, Sanyo, Audiovox, and Sony Ericsson phones. Can acquire cell phone data via USB, Bluetooth, IrDA, or a SIM card reader. (http://www.datapilot.com/productdetail/253/supphones/Notempty).
MOBILedit! Forensic: analyzes phones via Bluetooth, IrDA, or cable connection; analyzes SIMs through SIM readers and can read deleted messages from the SIM card. (http://www.mobiledit.com/mef-features.htm).
Paraben’s SIM-Card Seizure: can recover deleted SMS/text messages and perform comprehensive analysis of SIM card data. SIM Card Seizure includes the software as well as a Forensic SIM Card Reader. SIM Card Seizure has Unicode support to read multiple languages such as Arabic, Chinese, and Russian. (http://www.paraben.com/sim-card-seizure.html).
pySIM: a SIM card management tool capable of creating, editing, deleting, [and performing] backup and restore operations on the SIM Phonebook and SMS records. (http://simreader.sourceforge.net/).
SIMBrush: can be used to extract all observable memory (the parts that can be explored by means of standard APIs) from SIM/USIM cards compatible with the T=0 protocol. Capable of acquiring standard and non-standard files present [on] every SIM card. The output of the program is an XML file representing the SIM/USIM card file system. (http://sites.google.com/site/savolabs/Home/tools).
Teel Technologies' SIMIS for SIM/USIM/R-UIM: engineered in accordance with ACPO guidelines to ensure that no data on the SIM is modified during the read process. SIMIS reports are digitally signed with both MD5 and SHA-256 hashes to ensure integrity. A full audit trail is included in the analysis. The SIMIS Mobile Handheld Reader enables users to collect data from multiple SIM cards for on-site analysis or later review using SIMIS PC software. (http://teeltech.com/tt3/simis.asp).
SIMQuery: a command line tool that retrieves the ICCID and IMSI from a GSM SIM card. A smart card reader that is compatible with the Windows smart card subsystem is needed along with a Plug-in (GSM SIM card size) to ID-1 (ordinary smart card size) adapter card so the SIM card fits into the reader. (http://vidstrom.net/otools/simquery/).
UndeleteSMS: a command line tool that recovers deleted SMS messages from a GSM SIM card; has the same requirements as the SIMQuery tool. (http://vidstrom.net/stools/undeletesms/).
XRY Logical & Complete Package with SIM id-Cloner: performs both logical and physical extractions from a device [cell phone]. Specifically designed to assist in the forensic recovery of data from GSM SIM Cards and also provide a 100% secure environment. SIM id-Cloner will allow the creation of a replica of the SIM card found within a mobile device so examiners can enable the operating system without the risk of it making a network connection and changing the data held on the device. (http://www.msab.com/xry/what-is-xry).

What kind of evidence can be retrieved from a SIM card?

SIMs contain both a processor (CPU) and an operating system, which is either native (proprietary, vendor specific) or Java Card (a subset of the Java programming language). SIMs also have Electrically Erasable Programmable Read Only Memory (EEPROM), Random Access Memory (RAM) for controlling program execution, and persistent Read Only Memory (ROM), which stores user authentication, data encryption algorithms, the operating system, and other applications. Communication between the SIM card and the handset is via a serial interface. A SIM card also contains a hierarchical file system which resides in EEPROM. The file structure consists of a Master File (MF), which is the root of the file system, Dedicated Files (DFs), and Elementary Files (EFs). Dedicated Files are subordinate directories under the MF, their contents and functions being defined by the GSM 11.11 standard. Three are usually present: DF (DCS1800), DF (GSM), and DF (Telecom). Also present under the MF is EF (ICCID). Subordinate to each of the DFs are supporting EFs which contain the actual data. The EFs under DF (DCS1800) and DF (GSM) contain network related information, and the EFs under DF (Telecom) contain the service related information. While all the files have headers, only the EFs contain data. The first byte of the header identifies the file type. Headers contain the security and meta-information related to the structure and attributes of the file, such as record length. The body of an EF contains information related to the application(s). Files can be either administrative or application specific, and access to stored data is controlled by the operating system.

SIM cards have built-in security features that are designed to make them tamper resistant, thereby ensuring data security. A SIM card's MF, DFs, and EFs all contain security attributes. One security attribute, the access conditions, are constraints upon the execution of commands. They filter every execution attempt, thus ensuring that only those with the proper authorization can access the requested functionality controlled by the DFs or EFs. Access conditions can be thought of as somewhat analogous to the user rights associated with the file/directory attributes found in computer operating systems. There are different levels of access conditions associated with DF and EF files:

Always (ALW): file access is allowed without restrictions and the command is executable upon the file.
Card Holder Verification 1 (CHV1): file access is allowed with valid verification of the user's PIN1 (or if PIN1 verification is disabled) and the command is executable upon the file.
Card Holder Verification 2 (CHV2): file access is allowed with valid verification of the user's PIN2 (or if PIN2 verification is disabled) and the command is executable upon the file.
Administrative (ADM): the administrative authority (i.e. the card issuer who provides the SIM card to subscribers) is responsible for the allocation of these levels.
Never (NEV): file access is prohibited and the command is never executable upon the file.

Depending upon the phone's technology and access scheme, the same data, such as a contact list, may be stored on the SIM, in the handset, or on the phone's memory card. SIM cards themselves contain a repository of data and information, some of which are: Integrated Circuit Card Identifier (ICCID); International Mobile Subscriber Identity (IMSI); Service Provider Name (SPN); Mobile Country Code (MCC); Mobile Network Code (MNC); Mobile Subscriber Identification Number (MSIN); Mobile Station International Subscriber Directory Number (MSISDN); Abbreviated Dialing Numbers (ADN); Last Dialed Numbers (LDN); Short Message Service (SMS); Language Preference (LP); Card Holder Verification (CHV1) and (CHV2); Ciphering Key (Kc); Ciphering Key Sequence Number; Emergency Call Code; Fixed Dialing Numbers (FDN); Local Area Identity (LAI); Own Dialing Number; Temporary Mobile Subscriber Identity (TMSI); Routing Area Identifier (RAI) network code; and Service Dialing Numbers (SDNs).

Some additional information on the architecture of the cell network, covered in more detail than in the paragraphs above.

The cellular network
The architecture of a GSM cellular network is comprised of the mobile station (MS), which is the handset (mobile equipment, ME) together with its Subscriber Identity Module (SIM) card. The SIM gives the subscriber a unique identity through the International Mobile Subscriber Identity (IMSI). The SIM stores phone numbers, short messages, the A3 authentication algorithm, the A8 ciphering-key generating algorithm, the subscriber authentication key (Ki) and the IMSI. Therefore, without the card in place the phone cannot register on the network, although the card is removable and can be moved to another handset. The SIM also holds a personal identification number (PIN) to protect it from use by someone who does not know the PIN; after three wrong PIN entries the SIM is blocked, and the only way to reactivate it is for the subscriber to obtain the 8-digit Personal Unblocking Key (PUK), which the operator holds and which is also stored on the SIM, and enter it.

When someone places a call, the signal goes first to the base transceiver station (BTS), which acts much like a modem, and then on to the base station controller (BSC). Together the BTSs and their BSC form the base station subsystem (BSS). The BTS sits at the cell site (cell tower/radio mast; detailed information on towers and antennas can be found at www.antennasearch.com), and one BTS covers one cell, which is the basic service area. Each cell is given a Cell Global Identity (CGI), a number that uniquely identifies the cell; it is built from the Mobile Country Code, Mobile Network Code, Location Area Code (LAC) and Cell Identity (CI). The BTS houses the radio transceivers and antennas used in the cell, and increasingly several operators co-locate their equipment on the same mast; the BTS is also where traffic on the air interface is encrypted and decrypted. The BSC manages the radio resources for one or more BTSs: it handles radio channel setup, frequency hopping and handovers, and it is the connection between the BSS and the MSC. It is not necessarily at the tower; one BSC typically serves many BTSs.

Next comes the network subsystem (NSS), where the mobile switching center (MSC) is located together with the service provider's databases and messaging systems. These components include the Home Location Register (HLR), which stores the permanent subscriber record (IMSI, subscribed services, the subscriber's number on the public network, and other data), the Visitor Location Register (VLR), which holds temporary information about every subscriber currently being served by the MSC (a copy of the relevant HLR data plus the current location area), and the Equipment Identity Register (EIR), which stores International Mobile Equipment Identities (IMEI). The IMEI uniquely identifies a mobile station internationally; it is a kind of serial number, allocated by the equipment manufacturer and registered by the network operator, who stores it in the EIR. By means of the IMEI the network recognizes obsolete, stolen or nonfunctional equipment and controls which devices are allowed to use the network: it keeps a white list of permitted devices, and alongside it a grey list (tracked) and a black list (barred). Finally there is the Authentication Center (AuC), the database that stores each subscriber's Ki and runs the A3 authentication algorithm and the A8 ciphering-key generating algorithm on the network side. The A5 ciphering algorithm is not in the AuC; it is implemented in the handset hardware and in the BTS, where the encryption actually happens. The previous sentences are significant in that they describe the security that surrounds the network.

When a mobile attaches to the network (and when it places a call), the network sends a 128-bit random number (RAND) to the mobile station, which passes it to the SIM. The SIM runs RAND and Ki through A3 (a one-way function; which algorithm is used is an operator option, as A3 and A8 are not standardized, and the proprietary COMP128 family is the best-known example) and the output is a 32-bit signed response (SRES). The mobile station sends SRES back to the network, where the MSC/VLR compares it with the expected response that the AuC computed from the same RAND and its own copy of Ki (the AuC supplies these values to the MSC/VLR as triplets of RAND, expected SRES and Kc). If the values match, the subscriber's device is approved to access the network. Only RAND and SRES cross the air interface; Ki never leaves the SIM or the AuC.

To continue with the GSM encryption/decryption scheme: GSM makes use of a ciphering key to protect both user data and signaling on the vulnerable air interface. Once the user is authenticated, the same RAND (delivered from the network) together with Ki (from the SIM) is sent through the A8 ciphering-key generating algorithm (stored on the SIM) to produce a 64-bit ciphering key (Kc). Kc is then used with the A5 ciphering algorithm, which enciphers and deciphers data and is embedded in the phone's hardware (and in the BTS), to encrypt and decrypt the traffic. Getting back to placing a call internationally, each registered user is uniquely identified by its IMSI, which is stored in the SIM; a mobile station can only be operated if a SIM with a valid IMSI is inserted into equipment with a valid IMEI. The components of an IMSI are the Mobile Country Code (MCC, the first 3 digits), the Mobile Network Code (MNC, the next 2 or 3 digits, the length being fixed by the country's numbering plan) and the Mobile Subscriber Identification Number (MSIN, the remaining digits, at most 10), an identification number created by the carrier which identifies the subscriber within the home mobile network; the whole IMSI is at most 15 digits. The real telephone number of a mobile station is the Mobile Subscriber ISDN Number (MSISDN), which is assigned to the subscriber's SIM. The MSISDN follows the international ISDN numbering plan: country code, numbering plan area (area code) and subscriber number. The North American country code is 1, and European countries are in zones 3 and 4. Also on the SIM is the Integrated Circuit Card ID (ICCID), 19 to 20 digits printed on the SIM; its first 2 digits are the Major Industry Identifier (MII), 89 for telecommunications, and its last digit is a Luhn check digit.
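As an added example, not code from the original post, the following Python models what the SIM holds and how the challenge-response above works: it splits an IMSI into MCC/MNC/MSIN, checks an ICCID's Luhn digit, and then runs one authentication between a SIM, the AuC and the MSC/VLR, showing that only RAND and SRES are exchanged and that a cloned SIM with the right IMSI but the wrong Ki is rejected. The real A3 and A8 are operator-specific, so HMAC-SHA256 stands in for both here; every IMSI, ICCID and key value is a constructed sample, not a real subscriber.

```python
"""Added example: what a GSM SIM holds and how it proves its identity.

Substitute algorithms: operators use proprietary A3/A8 (COMP128 is the best
known); here both are replaced by HMAC-SHA256 so the exchange runs offline.
All identifiers and keys below are constructed sample values.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


def parse_imsi(imsi: str, mnc_len: int = 3) -> dict:
    """Split an IMSI into MCC (3 digits), MNC (2 or 3) and MSIN (rest, max 10).
    Whether the MNC is 2 or 3 digits is fixed by the MCC's numbering plan, so a
    real tool needs an MCC -> MNC-length table; here it is an explicit argument."""
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        raise ValueError("IMSI is 6-15 decimal digits")
    if mnc_len not in (2, 3):
        raise ValueError("MNC is 2 or 3 digits")
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}


def luhn_valid(digits: str) -> bool:
    """Luhn check, as used for the ICCID's trailing check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_iccid(iccid: str) -> dict:
    """ICCID: MII (89 = telecom) + country + issuer + account + Luhn digit."""
    if not iccid.isdigit() or len(iccid) not in (19, 20):
        raise ValueError("ICCID is 19 or 20 digits")
    return {"mii": iccid[:2], "is_telecom": iccid[:2] == "89",
            "luhn_ok": luhn_valid(iccid)}


# --- authentication: A3 gives SRES, A8 gives Kc; Ki never crosses the air ---

def a3(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]   # 32-bit SRES


def a8(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]   # 64-bit Kc


@dataclass
class Sim:
    imsi: str
    ki: bytes                      # 128-bit key, only ever used inside the card

    def run_gsm_algorithm(self, rand: bytes):
        """What the handset asks the SIM to do with the network's RAND."""
        return a3(self.ki, rand), a8(self.ki, rand)


class AuC:
    """Authentication Center: the network-side copy of every subscriber's Ki."""

    def __init__(self):
        self.keys = {}

    def provision(self, sim: Sim):
        self.keys[sim.imsi] = sim.ki

    def triplet(self, imsi: str, rand: Optional[bytes] = None):
        """(RAND, expected SRES, Kc) handed to the MSC/VLR for one run."""
        rand = rand if rand is not None else os.urandom(16)   # 128-bit challenge
        ki = self.keys[imsi]
        return rand, a3(ki, rand), a8(ki, rand)


def authenticate(auc: AuC, sim: Sim, rand: Optional[bytes] = None):
    """MSC/VLR side: challenge the MS with RAND, compare its SRES with XRES.
    Returns (accepted, Kc); Kc goes to the BTS for A5 only on success."""
    rand, xres, kc = auc.triplet(sim.imsi, rand)
    sres, _kc_ms = sim.run_gsm_algorithm(rand)    # only SRES is sent back
    if not hmac.compare_digest(sres, xres):
        return False, None
    return True, kc


# constructed sample subscriber: MCC 310 (USA), 3-digit MNC, 9-digit MSIN
GENUINE = Sim("310260123456789", bytes(range(16)))
CLONE = Sim("310260123456789", bytes(16))   # right IMSI, wrong Ki
AUC = AuC()
AUC.provision(GENUINE)

if __name__ == "__main__":
    print(parse_imsi(GENUINE.imsi), parse_iccid("8901260882355512341"))
    print("genuine:", authenticate(AUC, GENUINE)[0],
          "clone:", authenticate(AUC, CLONE)[0])
```

The clone fails not because the network knows the handset but because SRES is a function of Ki, which the clone does not have; this is exactly why the forensic value of a SIM is its identifiers (IMSI, ICCID), not its ability to authenticate, and why an imaged SIM should be examined with the network disabled.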
To go off on a tangent, the second major standard is CDMA, which stands for Code Division Multiple Access. Where it differs from GSM in the physical architecture is in how customers share the radio channel. Other multiplexing techniques differentiate one mobile customer from another by assigning frequency ranges (FDMA) or by arranging each user's data in time (TDMA); GSM additionally interleaves each user's bits across several bursts, non-contiguously in time, to improve performance, and one disadvantage is latency, because the entire interleaved block must be received before the data can be decoded, and interleavers also hide the structure of errors. CDMA in contrast permits a multitude of mobile customers to share a common set of frequencies by assigning a unique digital code to each user; this is also referred to as spread spectrum technology. The transmission of a signal is spread over a wide range of frequencies by means of these codes: the original data is fed into a direct-sequence modulator, where each binary 1 and 0 is replaced with a longer sequence of bits (chips). Each CDMA phone is assigned its own chip sequence, and when the combined signal arrives at the receiving station, the code-division demultiplexer correlates it against each code and can tell one mobile device's bits from another's. One other thing to note is that in actual cell phone systems (IS-95), code-division multiplexing with orthogonal codes is only used on the forward link, from the mobile telephone office (base station) to the mobile phones; on the reverse link, from the phones to the base station, the mobiles are not chip-synchronized, so their codes are only approximately orthogonal and the other users appear as noise. CDMA phones do not use SIM cards; instead most save the phone number and other identifying information in the handset itself (the handset's equivalent of the IMEI is its ESN or MEID). Some CDMA operators also keep user data, including the phone book and scheduler, in the operator's database, so if the phone is stolen or lost that information can be retrieved from the database, which a GSM SIM card by itself does not offer.

GSM also has significant roaming capability, so these devices can be used in multiple countries, whereas CDMA handsets generally lack the equivalent multi-band capability and cannot be used in as many countries. At the risk of redundancy, and since other classmates have already discussed where CDMA is predominant in the world, I will not get into that subject except to say CDMA has a smaller share of the market. Getting back to the signal flow after describing CDMA, the call finally passes from the NSS on to the public switched telephone network (PSTN). Getting back to the BTS, it houses the radio transceivers that define a cell and handles the radio link protocols with the MS. GSM uses narrowband Frequency Division Multiple Access (FDMA) combined with Time Division Multiple Access (TDMA), and Frequency Division Duplex (FDD) to separate the two directions. Because the radio spectrum is a limited resource shared by all users, TDMA is used to divide the bandwidth among as many users as possible. First there is division by frequency: one or more carrier frequencies (each 200 kHz wide, with a paired uplink and downlink frequency) are assigned to each BTS. Each of these carriers is then divided in time, using the TDMA scheme, into 8 time slots; a mobile is given one slot for transmission on the uplink frequency and one for reception on the downlink frequency, and the two are offset by three slots so that the mobile unit does not receive and transmit at the same time.
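As an added example, not code from the original post, the following Python models the forward-link code division described above: several users' bits are spread with mutually orthogonal Walsh codes, summed onto one carrier by the base station, and recovered by correlating against each user's code. It uses 8-chip codes for readability (IS-95 uses 64-chip Walsh codes), leaves code 0 unused as IS-95 does for the pilot channel, and all user bits are constructed sample data.

```python
"""Added example: direct-sequence CDMA on the forward link with Walsh codes.
A textbook-style model of IS-95 channelization, not the original post's code;
8-chip codes stand in for the real 64-chip ones and all bits are constructed."""


def walsh_matrix(n: int) -> list:
    """Sylvester-Hadamard construction; every pair of rows has dot product 0."""
    if n <= 0 or n & (n - 1):
        raise ValueError("order must be a power of two")
    h = [[1]]
    while len(h) < n:
        h = [r + r for r in h] + [r + [-c for c in r] for r in h]
    return h


def spread(bits, code):
    """Direct-sequence modulator: each data bit (1 -> +1, 0 -> -1) becomes
    len(code) chips, i.e. the bit multiplied by the user's code."""
    chips = []
    for b in bits:
        sym = 1 if b else -1
        chips.extend(sym * c for c in code)
    return chips


def multiplex(streams):
    """The base station transmits all users' chip streams summed on one carrier."""
    if len({len(s) for s in streams}) != 1:
        raise ValueError("streams must be the same length")
    return [sum(col) for col in zip(*streams)]


def despread(signal, code):
    """Correlate each symbol period against one user's code.
    Because the codes are orthogonal, every other user's contribution sums to
    exactly 0, so a foreign signal yields None rather than a wrong bit."""
    n = len(code)
    out = []
    for i in range(0, len(signal), n):
        corr = sum(s * c for s, c in zip(signal[i:i + n], code))
        out.append(None if corr == 0 else int(corr > 0))
    return out


def forward_link(user_bits: dict, order: int = 8) -> dict:
    """user_bits maps a Walsh index to that user's bits; returns what each
    user recovers from the shared signal. Index 0 (all ones) is left free,
    as IS-95 reserves it for the pilot channel."""
    w = walsh_matrix(order)
    tx = multiplex([spread(bits, w[i]) for i, bits in user_bits.items()])
    return {i: despread(tx, w[i]) for i in user_bits}


if __name__ == "__main__":
    users = {1: [1, 0, 1, 1], 2: [0, 0, 1, 0], 5: [1, 1, 0, 0]}
    print(forward_link(users))        # each user gets their own bits back
```

The exact cancellation in despread is what the reverse link cannot count on: once mobiles are not chip-aligned, the cross-correlations are no longer zero and the other users become interference, which is why the two links are engineered differently.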

There are three protocol layers that should also be noted. Layer 1 is the physical layer, which uses the channel structures over the air interface. Layer 2 is the data-link layer: across the Um (air) interface it is a modified version of the Link Access Protocol for the D channel (LAP-D) used in ISDN, called Link Access Protocol on the Dm channel (LAPDm), while across the A interface (BSC to MSC) the Message Transfer Part (MTP), layer 2 of SS7, is used. Layer 3 is divided into three sublayers: Radio Resource management (RR), Mobility Management (MM) and Connection Management (CM).

Moving ahead once again, the BTS corresponds to the transceivers and antennas used in each cell of the network. A BTS is usually placed in the center of a cell, and its transmitting power defines the size of the cell. Each BTS has between 1 and 16 transceivers, depending on the density of users in the cell, and each BTS serves a single cell. Its functions include encoding, encrypting, multiplexing, modulating and feeding the RF signals to the antenna; transcoding and rate adaptation; time and frequency synchronization; voice through full- or half-rate services; decoding, decrypting and equalizing received signals; random access detection; timing advance; and uplink channel measurements. The BSC, as described above, manages the radio resources for one or more BTSs and is the connection between the BSS and the MSC. It assigns and releases frequencies and time slots for the MS, handles intercell handover, controls the transmission power of the BSS and of the MSs in its area, and allocates the necessary time slots between the BTS and the MSC; it is a switching device that handles the radio resources. The BSC also translates, through its transcoder, the 13 kbps voice channel used over the radio link into the standard 64 kbps channel used by the Public Switched Telephone Network (PSTN) or ISDN.

The BSC further controls frequency hopping, performs traffic concentration to reduce the number of lines to the MSC, provides the interface to the Operations and Maintenance Center for the BSS, reallocates frequencies among BTSs, handles time and frequency synchronization and power management, and takes time-delay measurements of received signals from the MS. Having said all that, if one wants to perform cell site analysis for private or public litigation, the following sites are useful: Call & Mapping Analysis at http://www.cellanalyst.com/ and free mapping at http://batchgeo.com . It must also be said that investigators can, through the appropriate legal process, request from the operator the key to its tower and cell codes (the mapping of LAC and cell IDs to antenna sites) and the call records in parsed Excel format as evidence in criminal trials. SIM cards, as discussed above, also hold all sorts of data that can provide evidence at trial.
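As an added example, not code from the original post, the following Python does the core join of cell site analysis: it reads a set of call detail records and an operator's cell-site key, orders the calls in time, and attaches each serving cell's site location and antenna azimuth. Both CSV layouts and every row in them are constructed for the example; real operators each use their own column names and export formats, so the loader would need adjusting for a real production.

```python
"""Added example: joining call detail records to an operator's cell-site key.
Not part of the original post. The CSV layouts and every row are constructed;
real operators each use their own column names and export formats."""
import csv
import io
from datetime import datetime

# constructed cell-site key: which antenna (LAC + cell ID) sits where, facing which way
CELL_KEY_CSV = """lac,cid,site_name,lat,lon,azimuth_deg
1234,5678,Example Site A,40.7128,-74.0060,90
1234,5679,Example Site A,40.7128,-74.0060,210
1235,6001,Example Site B,40.7306,-73.9352,0
"""

# constructed call detail records for one MSISDN (MO = mobile originated, MT = terminated),
# deliberately out of order as exports often are
CDR_CSV = """timestamp,msisdn,direction,other_party,lac,cid
2012-09-28 08:45:03,12125550100,MT,12125550177,1235,6001
2012-09-28 08:01:10,12125550100,MO,12125550199,1234,5678
2012-09-28 09:30:00,12125550100,MO,12125550199,1235,6999
"""


def load_cell_key(text: str) -> dict:
    """(LAC, CID) -> site record; the pair is unique within one operator's network."""
    key = {}
    for row in csv.DictReader(io.StringIO(text)):
        key[(row["lac"], row["cid"])] = {
            "site_name": row["site_name"],
            "lat": float(row["lat"]),
            "lon": float(row["lon"]),
            "azimuth_deg": int(row["azimuth_deg"]),
        }
    return key


def cell_site_timeline(cdr_text: str, key: dict) -> list:
    """Order the CDRs in time and attach the serving cell's location.
    A record whose cell is absent from the key is kept and flagged rather than
    dropped: the key may be out of date, or the call may have been carried by
    another operator (roaming), and either is itself a finding."""
    rows = []
    for row in csv.DictReader(io.StringIO(cdr_text)):
        site = key.get((row["lac"], row["cid"]))
        rows.append({
            "time": datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S"),
            "direction": row["direction"],
            "other_party": row["other_party"],
            "cell": f'{row["lac"]}/{row["cid"]}',
            "site": site["site_name"] if site else None,
            "lat": site["lat"] if site else None,
            "lon": site["lon"] if site else None,
            "azimuth_deg": site["azimuth_deg"] if site else None,
            "unmapped": site is None,
        })
    return sorted(rows, key=lambda r: r["time"])


def unmapped_cells(timeline: list) -> set:
    """Cells to go back to the operator about before the map is shown in court."""
    return {r["cell"] for r in timeline if r["unmapped"]}


if __name__ == "__main__":
    tl = cell_site_timeline(CDR_CSV, load_cell_key(CELL_KEY_CSV))
    for r in tl:
        print(r["time"], r["direction"], r["cell"], r["site"], r["azimuth_deg"])
    print("unmapped:", unmapped_cells(tl))
```

The caveat to carry into any report: a CDR places the handset somewhere within the coverage of the sector identified by the site and azimuth, not at the tower's coordinates, and the serving cell is not always the nearest one; the timeline above is the input to that interpretation, not the conclusion.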

References:
Forensic Magazine
NIST
Bradley Susser
Dr. Darren Hayes
