Monday, March 24, 2008

Global Mobile Telephone Forensics and Evidence



It is interesting to note, and a subject matter I have been keenly watching since this weblog started, the importance that mobile telephone forensics and evidence is receiving around the globe. It is very easy to get submersed in one's own country's (UK) activities in this area and forget how other countries have significantly increased their activities in forensics and evidence too. Below is a sample of the global visitors to trewmte.blogspot in the last 20 days. Some countries will have more visitors than others, but in itself that does not dent the relevance of the global following interested in mobile telephone forensics and evidence.

Albania
Algeria
Aruba
Austria
Australia
Belarus
Belgium
Brazil
Bulgaria
Canada
Colombia
Cote D'ivoire
Denmark
Egypt
Estonia
Finland
France
Germany
Greece
Hungary
India
Indonesia
Iran, Islamic Republic Of
Ireland
Israel
Italy
Jamaica
Japan
Kenya
Korea, Republic Of
Kuwait
Macao
Malaysia
Mauritania
Mauritius
Morocco
Netherlands
New Zealand
Nigeria
Norway
Pakistan
Philippines
Poland
Portugal
Qatar
Romania
Russian Federation
Serbia And Montenegro
Sri Lanka
Saudi Arabia
Senegal
Serbia
Seychelles
Slovakia
South Africa
Sudan
Sweden
Thailand
Taiwan
Turkey
United Arab Emirates
United Kingdom
United States
Viet Nam

It would be good to get more feedback from law enforcement, universities, forensic examiners and experts from around the globe who, rather than lurk in the background, may like to suggest the type of information you would like to see at this weblog. I have been dealing with a variety of mobile telephone examination and evidence issues (SIM/USIM, handset and cell site) for many years and hopefully topics you raise for discussion can be answered here. I should point out, as I have in the past at this weblog (http://trewmte.blogspot.com/2006/11/cell-site-analysis.html), the more I know, the more I need to know, therefore I don't know everything, but I am willing to try and find out.

Additionally, as there are no academic qualifications designed precisely for mobile telephone forensics and evidence - no PhD, MSc, BSc, CEng or anything else - this means qualifications in subjects other than this subject matter tend to get used as a passport, suggesting qualification to deal with mobile telephone forensics and evidence. To overcome that difficulty I have prepared a Diploma in Mobile Telephone Evidence that may help those who seek recognition for the skillsets they have acquired. The Diploma is not a PhD, MSc etc. but it is the good old-fashioned Diploma where your knowledge and skillsets need to be demonstrated and will be tested.

If you would like to know more about the Diploma please send an email to me, Greg Smith. My email is shown at the top righthand side of this webblog page.

Friday, March 21, 2008

Mobile Calls on Aeroplanes

Back in November 2006 I wrote here at trewmte.blogspot a brief piece regarding "Switch On, Update, Lose Evidence":

The discussion thread related to the same but more in-depth discussion in "Switch On, Update, Lose Evidence" that could be found in MTE (Mobile Telephone Evidence) Newsletter - copy of the May 2006 Newsletter can be downloaded here:

The purpose of the in-depth discussion related to how evidence can be corrupted and contaminated where poor Seizure, Handling and Examination Procedures had been adopted. The discussion illustrated where a user with a mobile telephone steps off an aeroplane and the attempt to discover where the mobile phone had been used.

I had been aware for some years before I wrote the MTE Newsletter article that airline companies were looking at and developing ways passengers could use their mobile phones on planes. At the time of writing the article it wasn't too difficult to imagine that "Switch On, Update, Lose Evidence" implicitly gave a heads up as early as May 2006 to pay attention to formulating various procedures for mobile telephone evidence at airports. Importantly, the in-depth discussion wasn't then and isn't now intended to suggest victimising everyone who gets off a plane holding a mobile phone as being involved with something suspicious.

It would appear that the MTE Newsletter advance warning was well placed, for it now appears (March 20th 2008), according to BBC online Middle East news, that "Dubai-based airline Emirates has become the first commercial airline to allow passengers to make mobile phone calls during flights. Emirates said the first permitted mobile phone call was made on a flight between Dubai and Casablanca.":

The technology behind Emirates being able to offer mobile calls on their flights originates from http://www.aeromobile.net using pico-cell radio access technology inflight:

"AeroMobile allows the use of GSM phones and can also support GPRS mobile data (for BlackBerry’s etc), Wi-Fi, CDMA and 3G/UMTS. AeroMobile comprises an aircraft cabin ‘pico cell’ system that interfaces with the aircraft’s air-to-ground communications systems, typically a satellite-based system. Once transmitted to the ground, signals are sent to AeroMobile’s ground system and on to the destination mobile phone and telecoms networks around the world."

Evidentially, this could be very interesting but the use of mobile phones on planes may seem problematical at first. But we will cope, we always do. The evidence from the device shouldn't be too much of a problem although issues of dead-man's trap should always be considered. Equally of interest will be usage, call records and cell site analysis. The latter, cell site analysis, should prove thought provoking, for is there sovereignty on an aeroplane? If there is not (and sovereignty is only applicable to airspace) and a call starts and terminates within the same airspace the sovereignty of which belongs to country XYZ then there may well be some jurisdictional issues to deal with. However, given the confines of the plane's cabin it may well be difficult for a user, if you follow my drift, to suggest that when the call was made s/he wasn't in the plane, but somewhere in the neighbourhood.

Tuesday, March 18, 2008

World's first cellphone 'telepathic' chat


Looking like something out of a future robot-cop technology tool kit, and described as a "Nerve-tapping neckband used in 'telepathic' chat", the world's first cellphone telepathic call has taken place (12th March 2008). This new technology basically takes the neurological signals from the brain and translates them into a transmission signal, which is then sent and decoded through a processor into speech, into communication with a computer or into commands to move a wheelchair. These are just some of the possibilities, and all from a band around the neck and the receiver at the other end.


When this technology fully matures (it only understands "150-words and phrases" at present) and can be made portable, there could be some amazing possibilities for applications in the various cellular technologies and two-way radio fields. Obviously, there appear to be uses for surveillance, which immediately spring to mind, but also in other areas such as high-noise environments: war zones, industrial sites, airplanes etc.

Have a look at the video on the New Scientist's website:

Ambient's website URL below (and where the photo above comes from) is well worth visiting.

Tuesday, March 11, 2008

Updating Mobile Telephone Seizure Procedure



Every year we work on a Mobile Telephone Seizure Procedure, now in its 7th year. It originated back in 2002 with personnel from law enforcement TSUs adding their wish list as to how mobile telephones should be seized, and now the Procedure has input from front line officers as well. The document itself initially started out as a check sheet but this year it is going to have a makeover and more sections with a bit of editorial added.


There will be four sections to the overall document:

- Seizure Procedure
- Examination Procedure
- Investigation Techniques
- Analysing Data


The first section that we are working on is updating and improving the Procedure chart and I wondered whether you may like to have an input on the Seizure Procedure side. Perhaps you may think we have missed something that is worthy of mentioning. Everyone who contributes is mentioned in the credits and receives a full copy of the document when it's complete, free. We already have requests for the Procedure from other countries, including the US.


Why would you want to help? If you are a front line officer, when you seize a mobile telephone you are in fact the first person that is looked at when evidence gets corrupted or contaminated. Think of the chain of custody. Imagine that you seize a mobile telephone still switched ON and data that is changed points to you because beyond that point the evidence is in the exhibit bag... until it reaches the Technical Support Unit (TSU), so the theory goes. In practice it can be very different. So if awareness of how to avoid corrupting or contaminating evidence is provided free... then surely that is a good thing. This principle is how the Mobile Telephone Seizure Procedure started back in 2002.


If you are interested and a serving front line police officer send an email to trewmte@googlemail.com and the relevant seizure Procedure chart shall be emailed to you for your comments.

Sunday, March 09, 2008

Writing To Mobile Phones Under Examination



There is always the debate as to what amounts to "forensic" processes: whether that can be left to human intervention, whether a device alone can do that, or whether it is the combination of human intervention and the device working together that can fulfil the objective. Germane to that question are three points: (1) the potential of each to write to a mobile telephone should be understood first; (2) what data are or might be altered or lost as a consequence of using the process; (3) only then deciding whether "forensic" is an appropriate and applicable label for the process in the first place.


The discussion below starts to address Point 1. When examining mobile telephones there are at least five separate categories under which an examiner can or may write to a mobile telephone due to automated processes (indirect intervention) and/or direct human intervention. The categories and their contents below are not exhaustive, but have been used to illustrate some elements involved with Point 1.



A) Standard powering ON (direct human intervention) of a mobile telephone can invoke automated processes (indirect intervention):

- wear levelling - can overwrite physical data
- updating files - writes new content to file
- setting off calendar alarms



B) Connecting data acquisition devices (direct human intervention) to mobile telephones to obtain stored data (indirect intervention):

- AT Command sets; to instruct the mobile to identify its profile and fetch data (IMEI, SMS text messages etc). The example below illustrates a typical communication seeking the profile of a mobile telephone and the response received:

    SENDING frametype 0x00/length 0x08/8
    41 54 2B 43 47 4D 49 0D                            AT+CGMI.
    1 "AT+CGMI"
    2 "Sony Ericsson"
    3 "OK"
    RECEIVED frametype 0x00/length 0x1F/31
    41 54 2B 43 47 4D 49 0D 0D 0A 53 6F 6E 79 20 45    AT+CGMI...Sony E
    72 69 63 73 73 6F 6E 0D 0A 0D 0A 4F 4B 0D 0A       ricsson....OK..
    Manufacturer info received
    Sony Ericsson [Manufacturer: Sony Ericsson]

    SENDING frametype 0x00/length 0x09/9
    41 54 2B 43 53 43 53 3F 0D                         AT+CSCS?.
    1 "AT+CSCS?"
    2 "+CSCS: "GSM""
    3 "OK"

    SENDING frametype 0x00/length 0x0A/10
    41 54 2B 43 53 43 53 3D 3F 0D                      AT+CSCS=?.
    1 "AT+CSCS=?"
    2 "+CSCS: ("GSM","IRA","8859-1","UTF-8","UCS2")"
    3 "OK"

    RECEIVED frametype 0x00/length 0x40/64
    41 54 2B 43 53 43 53 3D 3F 0D 0D 0A 2B 43 53 43    AT+CSCS=?...+CSC
    53 3A 20 28 22 47 53 4D 22 2C 22 49 52 41 22 2C    S: ("GSM","IRA",
    22 38 38 35 39 2D 31 22 2C 22 55 54 46 2D 38 22    "8859-1","UTF-8"
    2C 22 55 43 53 32 22 29 0D 0A 0D 0A 4F 4B 0D 0A    ,"UCS2")....OK..

- Simply connecting a plug and cable to a mobile phone will write a nibble of data to the phone's memory in order to register the communications path along which data shall pass




C) Use of a communications protocol (direct human intervention) in order to extract and harvest data from a mobile telephone can write and overwrite data (indirect intervention):

- Bluetooth: to pair devices requires an identical code to be loaded by the examiner on to the mobile telephone, which can overwrite a previously stored code
- Some Symbian mobile telephones require an agent to be loaded on to the phone in order for the examiner's devices to communicate with the phone; the agent then has to be deleted after examination
- Hex-dumping can require the use of flash boxes to flash clips (code) to flash memory, which can overwrite blocks of data containing user data

D) Gaining access to a mobile telephone may require the entry (direct human intervention) of security codes:

- Passwords/PINs
- Re-setting Passwords/PINs

E) Examiners using devices to select (direct human intervention) specific data can cause the operating system of a mobile telephone to handle data in a particular way (indirect intervention):

- Some smart phones write to files in order to keep track of data and in some instances shift data around to accommodate the "fetch" request for certain data


Essentially the categories and content illustrated above merely set the stage to highlight what an examiner faces when seeking to conduct data acquisition from a mobile telephone. Plug and play (PnP) devices cannot be used in isolation; they need supervision (direct human intervention). Direct human intervention, with or without a device, can have consequences too. Furthermore the mobile telephone under examination can as a consequence react to direct human intervention, as well as indirect intervention.
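
To make the AT command trace under category B concrete, the Python example below (added here; it is not part of the original post or of any acquisition tool) decodes the logged frames, checks each against its logged length, and sorts the commands sent to the handset by their syntactic form as defined in 3GPP TS 27.007, flagging set commands as writes. The fourth sent frame is constructed for illustration, and classifying by syntax alone is an assumption: what an execute-form command does depends on the command and on the handset.

```python
import re

# (declared length, hex bytes) for frames SENT to the handset.
# The first three are the frames in the trace above; the fourth is a
# constructed set command, added to show what a state-changing request looks like.
SENT_FRAMES = [
    (0x08, "41 54 2B 43 47 4D 49 0D"),                       # AT+CGMI
    (0x09, "41 54 2B 43 53 43 53 3F 0D"),                    # AT+CSCS?
    (0x0A, "41 54 2B 43 53 43 53 3D 3F 0D"),                 # AT+CSCS=?
    (0x0F, "41 54 2B 43 53 43 53 3D 22 55 43 53 32 22 0D"),  # constructed
]

# The 31-byte RECEIVED frame from the trace: echo, information text, result code.
RECEIVED_CGMI = (
    0x1F,
    "41 54 2B 43 47 4D 49 0D 0D 0A 53 6F 6E 79 20 45 "
    "72 69 63 73 73 6F 6E 0D 0A 0D 0A 4F 4B 0D 0A",
)

# How an examiner might treat each syntactic form (an assumption of this example).
VERDICT = {"test": "query", "read": "query", "set": "WRITE", "exec": "review"}


def decode_frame(declared_len, hex_bytes):
    """Turn a logged hex dump into bytes and check it against the logged length."""
    payload = bytes.fromhex(hex_bytes)
    if len(payload) != declared_len:
        raise ValueError(
            f"log says {declared_len} bytes, dump holds {len(payload)}"
        )
    return payload


def classify(command):
    """Classify an extended AT command by syntactic form (3GPP TS 27.007).

    test  AT+X=?    lists supported values
    read  AT+X?     returns the current setting
    set   AT+X=...  stores a value on the handset
    exec  AT+X      effect depends on the command, so it needs manual review
    """
    m = re.fullmatch(r"AT\+[A-Z][A-Z0-9]*(=\?|\?|=.+)?", command.strip(),
                     re.IGNORECASE)
    if m is None:
        return "unknown"
    suffix = m.group(1)
    if suffix == "=?":
        return "test"
    if suffix == "?":
        return "read"
    return "set" if suffix else "exec"


def response_lines(payload):
    """Split a received frame into the numbered lines the trace shows (1, 2, 3)."""
    text = payload.decode("ascii", errors="replace")
    return [line for line in re.split(r"[\r\n]+", text) if line]


def audit(frames):
    """Return (command, form, verdict) for every frame sent to the handset."""
    report = []
    for declared_len, hex_bytes in frames:
        raw = decode_frame(declared_len, hex_bytes)
        command = raw.decode("ascii", errors="replace").rstrip("\r")
        form = classify(command)
        report.append((command, form, VERDICT.get(form, "review")))
    return report


if __name__ == "__main__":
    for command, form, verdict in audit(SENT_FRAMES):
        print(f"{verdict:6}  {form:5}  {command}")
    print(response_lines(decode_frame(*RECEIVED_CGMI)))
```

Run over a full acquisition log, the "WRITE" and "review" rows are the ones an examiner would need to account for in contemporaneous notes.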

Friday, March 07, 2008

GSM Timers



In the thread cell site analysis call analysis <http://trewmte.blogspot.com/2006/12/cell-site-analysis-call-analysis.html> it highlighted the range of Cause Failures for mobile calls. The overview it provided can be quite helpful, but behind those Cause Failures there can be a range of Timers and some of them can be the reason a Cause Failure occurs (positive or negative outcome). For example we can see that timer T3216 (below) in essence relates to the failure of an Immediate Assignment Request, but the "root cause" of the failure can in fact be due to SDCCH congestion or poor radio link, such as: interference, coverage restriction or radio path imbalance. Understanding the "Causes for the cessation or loss of mobile communication" requires more than knowing the Cause Code or Timer; it requires knowing all the "root causes" behind them.

The Timer table below provides a useful but not exhaustive list. It is essential to keep monitoring the GSM and 3GPP standards. Finally, it is important to recognise that Timers have different durations dependent upon when the timer is applicable. For instance, for radio resources management the durations are often denoted in seconds and some timers are in milliseconds.

However, other timer durations (expiration) are used for internal operation for devices such as the mobile telephone or SIM and can be in minutes and in some instances hours. An example of the latter can be the elementary file EFHPLMN (7F206F31) - see GSM11.11. The Timer is set in decimal-digit increments e.g. 01, 02, 03 and so on. Each increment represents a value of n-minutes which the standard GSM0211 refers to as 6 minutes, but because rapid updates can commonly cause drain on the mobile telephone's battery it is understood that n-minutes can be 30-minutes. The maximum the timer can be set for is 8-hours. The timer value is network operator dependent, which means either timer method may be used.



Timers and counters for radio resource management



Timers on the mobile station side

T3122: This timer is used during random access, after the receipt of an IMMEDIATE ASSIGN REJECT message. Its value is given by the network in the IMMEDIATE ASSIGN REJECT message.

T3124: This timer is used in the seizure procedure during a hand-over, when the two cells are not synchronized. Its purpose is to detect the lack of answer from the network to the special signal. Its value is set to 675 ms if the channel type of the channel allocated in the HANDOVER COMMAND is an SDCCH (+ SACCH); otherwise its value is set to 320 ms.

T3126: This timer is started either after sending the maximum allowed number of CHANNEL REQUEST messages during an immediate assignment procedure, or on receipt of an IMMEDIATE ASSIGNMENT REJECT message, whichever occurs first. It is stopped at receipt of an IMMEDIATE ASSIGNMENT message, or an IMMEDIATE ASSIGNMENT EXTENDED message. At its expiry, the immediate assignment procedure is aborted. The minimum value of this timer is equal to the time taken by T+2S slots of the mobile station's RACH. S and T. The maximum value of this timer is 5 seconds.

T3128: This timer is started when the mobile station starts the uplink investigation procedure and the uplink is busy. It is stopped at receipt of the first UPLINK FREE message. At its expiry, the uplink investigation procedure is aborted. The value of this timer is set to 1 second.

T3130: This timer is started after sending the first UPLINK ACCESS message during a VGCS uplink access procedure. It is stopped at receipt of a VGCS ACCESS GRANT message. At its expiry, the uplink access procedure is aborted. The value of this timer is set to 5 seconds.

T3110: This timer is used to delay the channel deactivation after the receipt of a (full) CHANNEL RELEASE. Its purpose is to allow some time for disconnection of the main signalling link. Its value is set such that the DISC frame is sent twice in case of no answer from the network. (It should be chosen to obtain a good probability of normal termination (i.e. no time out of T3109) of the channel release procedure.)

T3134: This timer is used in the seizure procedure during an RR network commanded cell change order procedure. Its purpose is to detect the lack of answer from the network or the lack of availability of the target cell. Its value is set to 5 seconds.

T3142: The timer is used during packet access on CCCH, after the receipt of an IMMEDIATE ASSIGNMENT REJECT message. Its value is given by the network in the IMMEDIATE ASSIGNMENT REJECT message.

T3146: This timer is started either after sending the maximum allowed number of CHANNEL REQUEST messages during a packet access procedure, or on receipt of an IMMEDIATE ASSIGNMENT REJECT message during a packet access procedure, whichever occurs first. It is stopped at receipt of an IMMEDIATE ASSIGNMENT message, or an IMMEDIATE ASSIGNMENT EXTENDED message. At its expiry, the packet access procedure is aborted. The minimum value of this timer is equal to the time taken by T+2S slots of the mobile station's RACH. S and T are defined in section 3.3.1.2. The maximum value of this timer is 5 seconds.

T3164: This timer is used during packet access using CCCH. It is started at the receipt of an IMMEDIATE ASSIGNMENT message. It is stopped at the transmission of a RLC/MAC block on the assigned temporary block flow, see GSM 04.60. At expiry, the mobile station returns to the packet idle mode. The value of the timer is 5 seconds.

T3190: The timer is used during packet downlink assignment on CCCH. It is started at the receipt of an IMMEDIATE ASSIGNMENT message or of a PDCH ASSIGNMENT COMMAND message when in dedicated mode. It is stopped at the receipt of a RLC/MAC block on the assigned temporary block flow, see GSM 04.60. At expiry, the mobile station returns to the packet idle mode. The value of the timer is 5 seconds.



Timers on the network side

T3101: This timer is started when a channel is allocated with an IMMEDIATE ASSIGNMENT message. It is stopped when the MS has correctly seized the channels. Its value is network dependent. NOTE: It could be higher than the maximum time for a L2 establishment attempt.

T3103: This timer is started by the sending of a HANDOVER message and is normally stopped when the MS has correctly seized the new channel. Its purpose is to keep the old channels sufficiently long for the MS to be able to return to the old channels, and to release the channels if the MS is lost. Its value is network dependent. NOTE: It could be higher than the maximum transmission time of the HANDOVER COMMAND, plus the value of T3124, plus the maximum duration of an attempt to establish a data link in multiframe mode.

T3105: This timer is used for the repetition of the PHYSICAL INFORMATION message during the hand-over procedure. Its value is network dependent. NOTE: This timer may be set to such a low value that the message is in fact continuously transmitted.

T3107: This timer is started by the sending of an ASSIGNMENT COMMAND message and is normally stopped when the MS has correctly seized the new channels. Its purpose is to keep the old channel sufficiently long for the MS to be able to return to the old channels, and to release the channels if the MS is lost. Its value is network dependent. NOTE: It could be higher than the maximum transmission time of the ASSIGNMENT COMMAND message plus twice the maximum duration of an attempt to establish a data link in multiframe mode.

T3109: This timer is started when a lower layer failure is detected by the network, when it is not engaged in a RF procedure. It is also used in the channel release procedure. Its purpose is to release the channels in case of loss of communication. Its value is network dependent. NOTE: Its value should be large enough to ensure that the MS detects a radio link failure.

T3111: This timer is used to delay the channel deactivation after disconnection of the main signalling link. Its purpose is to allow some time for possible repetition of the disconnection. Its value is equal to the value of T3110.

T3113: This timer is started when the network has sent a PAGING REQUEST message and is stopped when the network has received the PAGING RESPONSE message. Its value is network dependent. NOTE: The value could allow for repetitions of the Channel Request message and the requirements associated with T3101.

T3115: This timer is used for the repetition of the VGCS UPLINK GRANT message during the uplink access procedure. Its value is network dependent. NOTE: This timer may be set to such a low value that the message is in fact continuously transmitted.

T3117: This timer is started by the sending of a PDCH ASSIGNMENT COMMAND message and is normally stopped when the MS has correctly accessed the target TBF. Its purpose is to keep the old channel sufficiently long for the MS to be able to return to the old channels, and to release the channels if the MS is lost. Its value is network dependent. NOTE: It could be higher than the maximum transmission time of the PDCH ASSIGNMENT COMMAND message plus T3132 plus the maximum duration of an attempt to establish a data link in multiframe mode.

T3119: This timer is started by the sending of a RR-CELL CHANGE ORDER message and is normally stopped when the MS has correctly accessed the new cell. Its purpose is to keep the old channels sufficiently long for the MS to be able to return to the old channels, and to release the channels if the MS is lost. Its value is network dependent. NOTE: It could be higher than the maximum transmission time of the RR_CELL CHANGE ORDER, plus T3134, plus the maximum duration of an attempt to establish a data link in multiframe mode.

T3141: This timer is started when a temporary block flow is allocated with an IMMEDIATE ASSIGNMENT message during a packet access procedure. It is stopped when the mobile station has correctly seized the temporary block flow. Its value is network dependent.




More on Cell Site Analysis: http://cellsiteanalysis.blogspot.com


Thursday, March 06, 2008

3G USIM Phonebook



Those familiar with the 3G USIM Phonebook (contacts) will know the relevance of examining this data area within USIM, thus the significance of Quantaq's announcement below. If, of course, you do not understand the relevance then coming on my USIM and USIM-D training course will open up the Phonebook (contacts) evidence and other important technical and evidential aspects of USIM, and yes you get trained in USIM-Detective, too. Send your request for training to trewmte [at] googlemail [dot] com or visit the training page at Quantaq's website.




Quantaq (www.quantaq.com) has introduced a major new release of USIM Detective (V2.0.0) - this version has support for the 3G USIM phonebook that is now appearing in many high end handsets.
