Saturday, December 06, 2014

Santa Arrest

Olden but golden. Still a good laugh to watch.

Wednesday, October 29, 2014

Apple's New Nano-SIM Card

Should make examinations interesting. Apparently it is an open-ended SIM that can carry either a postpaid or a prepaid account, and still switch between carriers, without the SIM itself having to be changed. Either Apple intends to go for its own IMSI (and thus become an operator) or the IMSI will need to be updated OTA...hmmmm

"If you are among the millions who will purchase one of the 4G versions of the new iPad Air 2 or iPad mini 3 tablets from Apple in the next few months, and you live in the US or UK, then when you switch the tablet on for the first time, you will find a nano-SIM card already installed in the SIM card slot."


"What Apple envisions with its SIM is that users will be able to quickly and easily switch between different carriers to take advantage of the best short-term deals available at any given time - without having to go through the hassle of getting a new SIM card.

"Obviously, if you have signed up to a two-year contract you won't be switching deals that often, but if you are on a pay-as-you-go deal, then this could be a real money-saver......."

Quotes from:

Thursday, October 09, 2014

Fast moving wireless world

I have been working on research, as the changing landscape for cell site analysis (CSA) requires comprehending the complex involvement of the various kinds of wireless connectivity creating a universal point-of-presence for mobile users. Moreover, CSA is equally being impacted by the architecture defining the internet of things (IoT), causing a growth expansion for M2M wireless devices; naturally, wireless forensics in this area will grow, too.

M2M was highlighted back in 2011

M2M Crime

Mobile Markets: Nokia 'Mobile Man' tells of a story


Reverse Engineering For Beginners

Steve Hailey* kindly sent out a reminder about Reverse Engineering for Beginners, a guide with "Lots of great information that will be especially helpful for reverse engineering malware that you come across in your investigations......" It is "652 pages, all free. You do not need to give out your personal information or subscribe to anything..."

The original link to get the publication is no longer current. However, a copy can still be downloaded using the following link: 

*Steve is President/CEO of the CyberSecurity Institute, a practising Consultant and Digital Forensic Examiner, and also works as an Educator, InfoSec Author and Lecturer.

Sunday, September 28, 2014

CSA - Site Survey Method/LTE SIBtype1

Before continuing with GSM/GERAN System Information Message Types, thanks for the enquiries regarding LTE and the requests for an example of a SystemInformationBlockType (SIB). It would appear there is a requirement to explore LTE and UMTS SIBs some more before moving on to GSM/GERAN. I will do my best to answer some of the enquiries.

For educational purposes only: following the MasterInformationBlock (MIB) having been decoded by the UE, a useful example of the content of SystemInformationBlockType1 was illustrated by Ralf Kreher and Karsten Gaenger (c) 2011, using a Tektronix K2Air trace as an example when conducting an LTE investigation into signalling troubleshooting and optimisation.

|ID Name |Comment or Value |
|systemInformationBlockType1 |
|Tektronix K2Air LTE PHY Data Message Header (K2AIR-PHY) PDSCH (= PDSCH Message) |
|1 PDSCH Message |
|1.1 Common Message Header |
|Protocol Version |0 |
|Transport Channel Type |DL-SCH |
|Physical Channel Type |PDSCH |
|System Frame Number |454 |
|Direction |Downlink |
|Radio Mode |FDD |
|Internal use |0 |
|Status |Original data |
|Reserved |0 |
|Physical Cell ID |0 |
|Subframe Number |5 |
|UE ID/RNTI Value |'ffff'H |
|1.2 PDSCH Header |
|CRC report |CRC ok |
|HARQ process number |0 |
|Reserved |0 |
|Transport Block Indicator |single TB info |
|Reserved |0 |
|1.2.1 Transport Block#1 Information |
|Transport Block#1 Size |144 |
|Modulation Order DL 1 |QPSK |
|New Data Indicator DL 1 |new data |
|Redundancy Version DL 1 |1 |
|Reserved |0 |
|Modulation Scheme Index DL 1 |5 |
|Reserved |0 |
|1.2.2 Transport Block Data |
|TB1 Mac-PDU Data |40 51 00 21 00 00 20 00 10 0c 14 01 10 21 00 68 22 b6 |
|Padding |'0068'H |
|1.3 Additional Call related Info |
|Number Of Logical Channel Informations |1 |
|1.3.1 Logical Channel Information |
|LCID |0 |
|RLC Mode |Transparent Mode |
|Radio Bearer ID |0 |
|Radio Bearer Type |Control Plane (Signalling) |
|Spare |0 |
|Spare |0 |
|Logical Channel Type |BCCH |
|Call ID |'fffffff5'H |
|3GPP LTE-RLC/MAC Rel.8 (MAC TS 36.321 V8.5.0, 2009-03, RLC TS 36.322 V8.5.0, 2009-03) (LTE-RLC/MAC) MAC-TM-PDU (DL) (= MAC PDU (Transparent Content Downlink)) |
|1 MAC PDU (Transparent Content Downlink) |
|MAC Transparent Data |40 51 00 21 00 00 20 00 10 0c 14 01 10 21 00 68 22 b6 |
|RRC (BCCH DL SCH) 3GPP TS 36.331 V8.5.0 (2009-03) (LTE-RRC_BCCH_DL_SCH) systemInformationBlockType1 (= systemInformationBlockType1) |
|bCCH-DL-SCH-Message |
|1 message |
|1.1 Standard |
|1.1.1 systemInformationBlockType1 |
| cellAccessRelatedInfo |
| plmn-IdentityList |
| pLMN-IdentityInfo |
| plmn-Identity |
| mcc |
| mCC-MNC-Digit |2 |
| mCC-MNC-Digit |9 |
| mCC-MNC-Digit |9 |
| mnc |
| mCC-MNC-Digit |0 |
| mCC-MNC-Digit |0 |
| cellReservedForOperatorUse |notReserved |
| trackingAreaCode |'0000'H |
| cellIdentity |'2000100'H |
| cellBarred |notBarred |
| intraFreqReselection |notAllowed |
| csg-Indication |false |
| cellSelectionInfo |
| q-RxLevMin |-65 |
| freqBandIndicator |1 |
| schedulingInfoList |
| schedulingInfo |
| si-Periodicity |rf16 |
| sib-MappingInfo |
| schedulingInfo |
| si-Periodicity |rf32 |
| sib-MappingInfo |
| sIB-Type |sibType3 |
| sIB-Type |sibType6 |
| schedulingInfo |
| si-Periodicity |rf32 |
| sib-MappingInfo |
| sIB-Type |sibType5 |
| si-WindowLength |ms20 |
| systemInfoValueTag |22 |
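As an added worked example (not code from this blog nor from Kreher and Gaenger), the following Python decodes the TB1 MAC-PDU bytes from the table above field by field, using the Rel-8 UPER layout of TS 36.331. It is an educational decoder limited to the path this sample takes, not a general RRC decoder.

```python
# Added example, not from the page or the Kreher/Gaenger book: a minimal UPER
# decoder for the TS 36.331 Rel-8 SIB1 fields in the trace above. It follows only
# the path the sample takes (no p-Max, tdd-Config, csg-Identity or extended
# SIB-Type) and raises on anything else.
SIB1_HEX = "40 51 00 21 00 00 20 00 10 0c 14 01 10 21 00 68 22 b6"  # TB1 bytes from the page
SI_PERIOD = ["rf8", "rf16", "rf32", "rf64", "rf128", "rf256", "rf512"]
SI_WINDOW = ["ms1", "ms2", "ms5", "ms10", "ms15", "ms20", "ms40"]
SIB_TYPE = [f"sibType{n}" for n in range(3, 12)] + [f"spare{n}" for n in range(7, 0, -1)]

class BitReader:
    """Reads big-endian bit fields; UPER fields are not byte aligned."""
    def __init__(self, data):
        self.bits = "".join(f"{b:08b}" for b in data)
        self.pos = 0

    def read(self, n):
        if self.pos + n > len(self.bits):
            raise ValueError("ran off the end of the PDU")
        value = int(self.bits[self.pos:self.pos + n], 2) if n else 0
        self.pos += n
        return value

def decode_sib1(hexstr):
    r = BitReader(bytes.fromhex(hexstr))
    # BCCH-DL-SCH-MessageType: CHOICE c1 (bit 0) -> CHOICE systemInformationBlockType1 (bit 1)
    if r.read(1) != 0 or r.read(1) != 1:
        raise ValueError("not a SystemInformationBlockType1 message")
    # presence bits: p-Max, tdd-Config, nonCriticalExtension, then csg-Identity
    if r.read(3) or r.read(1):
        raise ValueError("optional SIB1 fields not handled by this example")
    plmns = []
    for _ in range(r.read(3) + 1):  # PLMN-IdentityList SIZE (1..6): 3-bit count
        mcc = "".join(str(r.read(4)) for _ in range(3)) if r.read(1) else None  # mcc OPTIONAL
        mnc = "".join(str(r.read(4)) for _ in range(r.read(1) + 2))  # MNC SIZE (2..3)
        plmns.append((mcc, mnc, ["reserved", "notReserved"][r.read(1)]))
    out = {"plmns": plmns,
           "trackingAreaCode": f"{r.read(16):04x}",  # BIT STRING (SIZE (16))
           "cellIdentity": f"{r.read(28):07x}",  # BIT STRING (SIZE (28))
           "cellBarred": ["barred", "notBarred"][r.read(1)],
           "intraFreqReselection": ["allowed", "notAllowed"][r.read(1)],
           "csg_Indication": bool(r.read(1))}
    offset_present = r.read(1)  # cellSelectionInfo: q-RxLevMinOffset OPTIONAL
    out["q_RxLevMin"] = r.read(6) - 70  # INTEGER (-70..-22): 49 values -> 6 bits
    if offset_present:
        out["q_RxLevMinOffset"] = r.read(3) + 1  # INTEGER (1..8)
    out["freqBandIndicator"] = r.read(6) + 1  # INTEGER (1..64)
    sched = []
    for _ in range(r.read(5) + 1):  # SchedulingInfoList SIZE (1..32)
        period, types = SI_PERIOD[r.read(3)], []
        for _ in range(r.read(5)):  # SIB-MappingInfo SIZE (0..31)
            if r.read(1):  # SIB-Type is extensible: extension bit precedes the 4-bit index
                raise ValueError("extended SIB-Type value not handled")
            types.append(SIB_TYPE[r.read(4)])
        sched.append((period, types))
    out["schedulingInfoList"] = sched
    out["si_WindowLength"] = SI_WINDOW[r.read(3)]
    out["systemInfoValueTag"] = r.read(5)  # INTEGER (0..31)
    out["bitsConsumed"] = r.pos  # 144 == Transport Block#1 Size in the trace
    return out
```

Run against the 18 bytes, it reproduces every field from trackingAreaCode to systemInfoValueTag exactly as tabulated and consumes all 144 bits, but the PLMN digits carried in the bytes decode to MCC 440 / MNC 10 rather than the 299 / 00 printed in the decoded tree. Cross-checking the raw transport block against a tool's decoded tree in this way is worth doing before a SIB decode is relied upon in a report.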

This form of analysis provides an excellent grounding when conducting ICCSA. Why would that be so? Familiarisation with this educational content enables knowledge to be gleaned from the real-world SIBs detected by the UE at particular locations. Importantly, the information that tells the UE about the various cells benefits an investigation. For instance, we know that once the UE has successfully received and decoded the MIB and SIB types 1 and 2 etc. during its travels, SIB type 9 might identify an (H)eNodeB that is available. To be clear, that latter information provides two unique pieces of information: (1) the identity of the radio source, and (2) a location specific to tens of metres in an area, which refines identification of the location where the UE would have dwelt (dwell time - slow moving UE).

It also refines the location for the investigation: even where SIB1 and SIB2 indicate a wider location area, the UE's detection (via SIB type 9) of (H)eNodeB coverage would demonstrate the prerequisite of proximity to an area. Now readers could point out: how would the person conducting the ICCSA know about the (H)eNodeB in the first place if call/data records are not available? For those situations where immediacy is an important aspect of current bandit surveillance, the UE stores relevant information about the radio resources in an area for up to 3 hours, after which old data are discarded. For a live UE acquisition this time frame could be useful. A UE that has been switched off (e.g. at the target site area) retains that information, and it requires extraction and harvesting without invoking UE power-up and network detection and registration.

Tuesday, September 23, 2014

CSA - Site Survey Method/LTE-UMTS SIBs

There is a huge volume of materials and standards to be considered when undertaking study or work as an InnerCity CSA (ICCSA) expert, technician or student. However, the materials and standards referred to at my weblog aim to control the flow of such voluminous information and instead provide an easy guide to seeking out the information that experts, technicians or students can be exposed to when involved with ICCSA.

A highly specified smartphone etc. can be offered services by a range of mobile network access systems, e.g. GSM, GERAN, UTRAN, E-UTRAN etc., whether switched ON and actively in use or in idle mode. Access system information for LTE and UMTS is mapped in System Information Blocks (SIBs). When conducting ICCSA test measurements it is useful to identify which broadcast SIBs contain data that help to understand the survey results. Knowing the content allocated to the SIBs can assist enormously in interpretation, and when considering the propositions highlighted in the previous discussion thread -

Below are the commonly referred-to LTE/UMTS SIBs. GSM and GERAN data are mapped to System Information Types, which will be given in the next discussion.

LTE System Information Blocks
SIB 1 contains the PLMN identity, tracking area code and CI of the broadcasting cell. Q-RxLevMin is the minimum RSRP threshold at which a broadcasting cell should be measured before initial cell selection, and later for random access performed by the UE. SIB Mapping Info is included to inform the UE which SIBs are transmitted and how they are scheduled.

SIB 2 contains timers and constants, access barring information, UL frequency information, and UL bandwidth information.

SIB 3 contains parameters for the cell reselection procedure.

SIB 4 contains neighbour cell information for intra-frequency cell reselection.

SIB 5 contains information for inter-frequency cell reselection.

SIB 6 contains information for inter-RAT cell reselection to the UTRAN.

SIB 7 contains information for inter-RAT cell reselection to the GERAN.

SIB 8 contains information for inter-RAT cell reselection to CDMA2000.

SIB 9 is used to broadcast the home eNB name (HNB name).

SIB 10 and SIB 11 can be used to broadcast warning information to subscribers (e.g. tsunami warnings).

SIB 12 is assigned for Commercial Mobile Alerting System (CMAS) information usage.

UMTS System Information Blocks
SIB 1 NAS System Information, UE Timer and counter for RRC idle and connected mode

SIB 2 URA Identity

SIB 3 Parameter for Cell Selection and Cell Reselection

SIB 4 Parameter for Cell Selection and Cell Reselection in RRC connected mode

SIB 5 Parameter for configuration of Common Physical Channel (CPCH) of actual cell

SIB 6 Parameter for configuration of Common and shared Physical Channel of actual cell

SIB 7 Fast changing parameter for uplink Interference and Dynamic Persistent Level

SIB 8 Static CPCH Information of actual cell [FDD only]

SIB 9 CPCH Information of actual cell [FDD only]

SIB 10 Information for UE, which DCH is controlled by Dynamic Resource Allocation Control Procedure

SIB 11 Measurement Control Information of actual cell

SIB 12 Measurement Control Information of actual cell in RRC connected mode

SIB 13 ANSI-41 System Information

SIB 13.1 ANSI-41 RAND Information

SIB 13.2 ANSI-41 User Zone Identification

SIB 13.3 ANSI-41 Private Neighbour List

SIB 13.4 ANSI-41 Global Service Redirection

SIB 14 UL outer loop power control information for common and dedicated physical channels in RRC idle and connected mode

SIB 15 Information for UE positioning method

SIB 15.1 Information for UE GPS positioning method with Differential Global Positioning System (DGPS) correction

SIB 15.2 Information for GPS Navigation-Model

SIB 15.3 Information for GPS Almanac, ionospheric and UTC Model

SIB 15.4 Ciphering Information of SIB 15.5

SIB 15.5 Information for OTDOA UE positioning method

SIB 16 Information of Radio Bearer, transport and physical channels for UE in RRC idle or connection mode in case of Handover to UTRA

SIB 17 Fast changing parameter for the configuration of Shared Physical Channels in RRC connected mode [FDD only]

SIB 18 PLMN identities of neighbour cells

Tuesday, August 19, 2014

CSA - Site Survey Method4/Cell Types

Cell types
GSM reports, as far back as 20 years ago, distinguished three kinds of cells as the number of GSM installations massively increased following its popularity as the preferred digital cellular network: large cells, small (mini) cells and micro cells. The main differences between these kinds of cells lay in the cell range, the antenna installation site and the propagation model applying to each of them. Moreover, these cells could be overlaid one on top of another to provide coverage for varying traffic conditions, as illustrated in the previous discussion.

CSA has had to come to terms with cell layer tiering in a particular geographical area: what tiering might be determined from radio test measurement results, and what the results might imply for a particular investigation. The previous discussion on Mobility Models highlighted a simple issue: why walk tests are important to mimic the pedestrian's experience of obtaining mobile services. Germane and relevant: whilst the mobile networks are highly intelligent networks and use memory and memoryless propagation models, CSA examiners, students and experts cannot apply intelligent algorithms in the manual performance of their work when conducting site surveys. It is, therefore, necessary to distinguish the processes and procedures hidden within the intelligent network functionality that provide us (CSA examiners, students and experts) with knowledge that helps us gain skills and experience in the performance of the work we do.

So we know "walk tests" are unavoidable (thus inescapable) and form part of the methodology we should apply, where relevant, during site surveys. Whilst this requirement is a basic, simple, binary-style approach to CSA, that doesn't mean to suggest mobile networks aren't sophisticated, convoluted, NASA-style complex systems, because mobile networks are very much the latter. These grass-roots levels are important to CSA. For instance, a GSM mobile network may use the cell selection procedures C1 and C2. The network can use components of C2 (cell reselection) to identify coverage for a slow moving mobile (e.g. pedestrian/walk test), which can be used to understand the microcell coverage. Drive testing equally needs to be represented for the benefits it provides for CSA.


Above, three tiers of cell coverage have been illustrated. Microcells are distinguished as a cell type because predominantly this type of cell in GSM (or CDMA for that matter) is usually represented as localised coverage of a small area. Pedestrian use is seen as relevant to it. However, vehicular mobile usage is largely predicted within the network as "fast moving". Let us take the case of the getaway car speeding away from the scene of a crime. Would it not seem strange to you to find the target's mobile phone call records identifying a number of microcell IDs, designed to cope with long dwell times in an area associated with slow mobile movements (e.g. 5~10 mph), rather than macrocell umbrella coverage designed to handle accelerated speeds (e.g. 30~70 mph)? Why would the getaway car be driving so slowly after a crime, unless the *bogey wanted to be caught red-handed, and why would s/he commit the crime in the first place just to be arrested? At first blush the call record evidence wouldn't make sense.

*The term bogey has been adopted from the military theatre-of-war identification procedure, representing an unidentified (unknown criminal) target, whereas a bandit is an identified (known criminal) target. In criminal investigations the latter can also suggest that surveillance is in progress on the target's activities.
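As an added illustration of the C1/C2 point and the dwell-time argument above (not code from this blog), the following Python works through the GSM C1 cell selection and C2 cell reselection criteria of 3GPP TS 45.008: a microcell's CELL_RESELECT_OFFSET, TEMPORARY_OFFSET and PENALTY_TIME hold a fast-moving mobile on the macro layer while letting a dwelling pedestrian reselect onto the microcell. All level and parameter values are constructed for illustration, and the standard's 5-second confirmation and location-area hysteresis rules are left out.

```python
# Added example: GSM cell selection (C1) and reselection (C2) criteria as
# defined in 3GPP TS 45.008 section 6.4, reduced to the parts that depend on
# dwell time. All RXLEV and parameter values below are constructed, not measured.

def c1(rxlev_avg, rxlev_access_min, ms_txpwr_max_cch, p_ms):
    """C1 = A - max(B, 0), with A = RLA_C - RXLEV_ACCESS_MIN and
    B = MS_TXPWR_MAX_CCH - P. Levels in dBm, result in dB."""
    a = rxlev_avg - rxlev_access_min
    b = ms_txpwr_max_cch - p_ms
    return a - max(b, 0)


def c2(c1_value, cell_reselect_offset, temporary_offset, penalty_time, t_seconds, serving=False):
    """C2 for a cell that has been on the list of strongest carriers for t_seconds.
    penalty_time=None models the 11111 code: C2 = C1 - CELL_RESELECT_OFFSET.
    Otherwise C2 = C1 + CELL_RESELECT_OFFSET - TEMPORARY_OFFSET * H(PENALTY_TIME - T),
    where H is 1 while the penalty timer is still running and always 0 for the serving cell."""
    if penalty_time is None:
        return c1_value - cell_reselect_offset
    h = 0 if serving else int(penalty_time - t_seconds >= 0)
    return c1_value + cell_reselect_offset - temporary_offset * h


# Constructed parameters: the microcell advertises a 50 dB temporary offset for
# 60 s, so a mobile must dwell in its coverage before the microcell becomes preferred.
MICRO = {"cell_reselect_offset": 20, "temporary_offset": 50, "penalty_time": 60}
MACRO = {"cell_reselect_offset": 0, "temporary_offset": 0, "penalty_time": 0}
RXLEV_ACCESS_MIN, MS_TXPWR_MAX_CCH, P_MS = -104, 33, 33  # dBm, constructed


def preferred_cell(dwell_seconds, rxlev_micro=-70, rxlev_macro=-80):
    """Which layer a mobile camped on the macrocell would prefer after hearing the
    (stronger) microcell for dwell_seconds. Returns (layer, C2_micro, C2_macro)."""
    c1_micro = c1(rxlev_micro, RXLEV_ACCESS_MIN, MS_TXPWR_MAX_CCH, P_MS)
    c1_macro = c1(rxlev_macro, RXLEV_ACCESS_MIN, MS_TXPWR_MAX_CCH, P_MS)
    c2_micro = c2(c1_micro, t_seconds=dwell_seconds, **MICRO)
    c2_macro = c2(c1_macro, t_seconds=dwell_seconds, serving=True, **MACRO)
    return ("micro" if c2_micro > c2_macro else "macro", c2_micro, c2_macro)


def dwell_profile(dwell_times):
    """Map each dwell time (s) to the layer the mobile ends up on: a call record
    full of microcell IDs therefore implies dwell times on the 'micro' side."""
    return {t: preferred_cell(t)[0] for t in dwell_times}


if __name__ == "__main__":
    # A car crossing the microcell in about 5 s stays on the macro layer; a
    # pedestrian lingering for two minutes reselects onto the microcell.
    for t, layer in dwell_profile([5, 30, 61, 120]).items():
        print(f"dwell {t:4d} s -> {layer}")
```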

But drive testing can throw up unexpected issues. CSA demands keeping an open mind and, as previously mentioned at my blogs, the CSA examiner, student and expert should "not only be environmentally aware, but equally be environmentally astute." A case I dealt with in the North of England concerned a series of smash-n-grabs at wholesale and retail outlets. From my radio tests I suggested the radio evidence did not follow the getaway route the police required that I test. CSA involves noticing factors that could impede or record a particular route. In this case a speed camera that was in lock-n-load (active) to capture speeding vehicles was located at an early stage on the suggested getaway route. When I asked whether the speed camera had recorded a speeding violation, the response came back "no", yet the assertion by the police was that the getaway vehicle was speeding. However, the radio test measurement survey along the complete route did not entirely match the cell IDs in the call records either, as some of the cell IDs were for slower mobile traffic and cells covering a middle-layer coverage area, and the use of these cells suggested that the mobile, given its dwell time, was not travelling outside a certain geographical area. Eventually, a more senior detective suggested a route that veered away from the first getaway route. My attention was drawn to an area in between local buildings, a mud track leading to a field and a nearby cemetery and housing estate. In fact the bogeys turned out to be previously known bandits, and the entire operation of the smash-n-grabs was orchestrated from a house on the estate sited perfectly for comings and goings for the many crimes but quite hard to detect. CSA played an effective part in supporting other evidence and intel.

However, umbrella macrocell coverage in a geographical location can be used to support high-speed getaways, e.g. where CCTV has recorded or an eyewitness has seen the getaway vehicle speeding through a dense urban area. Given the speed of the vehicle, the network would be detecting the mobile's short dwell time in that area. The absence of any use of the overlaid microcells providing limited-area coverage suggests fast moving traffic. The use of a macrocell would not be out of place in supporting the notion of a fast moving mobile. This can be stated in relation to the density of unused microcells and their cell boundaries compared with the macrocell boundaries and, of course, any location updates, time, velocity etc.

Since 2010 cell types have rapidly moved on, with a split between voice/data and data-only cells transforming the way CSA is and will be conducted in the future. For instance, there are increases in carriers (2G frequency allocations migrating (re-use) to 3G frequency allocations). Moreover, with LTE linking with WiFi/WLAN etc., enormous advantages and disadvantages have crept into CSA site survey methodology.

The impact of these changes requires improved comprehension of the various cells, and as higher frequencies are used or brought into use, cell coverage gets smaller. This fact is a benefit because the approximated location of the mobile is improved, and significantly so where smaller cells are relevant. It may not be GPS accuracy, but there seems no reason why it could not meet justification under, e.g., a Daubert test. Furthermore, it doesn't mean CSA should jettison early styles of CSA site survey method, which will remain relevant for some years to come. But CSA will become even more localised, creating a specialism in InnerCity CSA (ICCSA) compared with rural CSA. A beneficiary of ICCSA knowledge will be the neuromancer cybercrime arena, utilising our forensic and investigative skills to comprehend the technicality behind a suspected crime defined by the outcome of particular usage of technology.

Site survey methods do not have to be overly complicated; they merely identify the radio technology at given points and, by using a structured appraisal distinguishing each wireless carrier available at particular geographical locations, show the relevance to an investigation or crime scene.

So what are the potentially inter-connected cell types that fall within the scope of CSA large cell and small cell environments?

WIMAX cells
WLAN cells
WiFi cells

And in support of that environment, one should not under-estimate the importance of device capability, from providing services to accessing services. This means not simply the network, but the radio network, e.g. BTS/(e)NodeB/H(e)NB etc., through to the enhanced (U)SIM and handset terminal. That requires knowing which Release (R) is relevant to the investigation:

R99    (Release 1999)
Rel-4    (Release 4)
Rel-5    (Release 5)
Rel-6    (Release 6)
Rel-7    (Release 7)
Rel-8    (Release 8)
Rel-9    (Release 9)
Rel-10    (Release 10)
Rel-11    (Release 11)
Rel-12    (Release 12)