Wednesday, June 30, 2010

Cell Site Analysis Fundamentals

Cell Site Analysis Fundamentals

COURSE CONTENT

Section 1 Introduction
Section 2 Legal and Technical Frameworks
Section 3 GSM and 3GPP Standards
Section 4 Subscriber Check/Billing/Call Records Check List
Section 5 Example Subscriber Check
Section 6 Example Call Detail/Data Record (CDR)
Section 7 Example Subscriber Billing
Section 8 Example of Call Records
Section 9 Example Mobile Network Details
Section 10 Cross-referencing sources of evidence
Section 11 PLMN - Introduction to GSM/WCDMA Network Elements
Section 12 PLMN - Base Transceiver Station (BTS)
Section 13 PLMN - GSM & WCDMA Base Stations
Section 14 PLMN - GSM & WCDMA Mobile Switching Centre (MSC)
Section 15 PLMN - GSM & WCDMA Databases VLR EIR OMC HLR & AuC
Section 16 PLMN - GSM & WCDMA Support Databases
Section 17 Introduction to Cell Site Identification
Section 18 Introduction to Cell Site Analysis
Section 19 Cell Site Analysis - Tools
Section 20 Cell Site Analysis - Ideas on Site Surveys
Section 21 Cell Site Analysis - Ideas for Radio Testing
Section 22 Cell Site Analysis - Regulation/Industry Requirements that assists CSA
Section 23 Cell Site Analysis - Notable Review Material
Section 24 Sample Cell Site Investigation Check List
Section 25 Support Material - Evidence & Legal issues

DOWNLOAD DETAILS HERE:
http://www.4shared.com/document/7AjcSbww/MTEB_CSAF_Booking_Form.html

Monday, June 21, 2010

Gold Wafer SIM Cards

Gold Wafer SIM Cards

A snippet of information I recently noted that was interesting related to the recyclicable gold used in SIM Cards. It is said that although the thickness of gold is measured in microns, a generalised (perhaps inaccurate) comparison that has been made is that it would take the gold leaf removed from at least 500,000 recycled SIM Cards to make one gold ring. Thought provoking comparison perhaps, but it tells us nothing about the real weight of the gold used for each SIM Card and nothing about the gold's purity either.

So don't give up work just yet.


Gold Wafer SIM Cards

Gold Wafer SIM Cards

A snippet of information I recently noted that was interesting related to the recyclicable gold used in SIM Cards. It is said that although the thickness of gold is measured in microns, a generalised (perhaps inaccurate) comparison that has been made is that it would take the gold leaf removed from at least 500,000 recycled SIM Cards to make one gold ring. Thought provoking comparison perhaps, but it tells us nothing about the real weight of the gold used for each SIM Card and nothing about the gold's purity either.

So don't give up work just yet.


3G USIM 2G SIM Service Numbers

3G USIM 2G SIM Service Numbers

3G USIM (2010-04)
Service n°1: Local Phone Book
Service n°2: Fixed Dialling Numbers (FDN)
Service n°3: Extension 2
Service n°4: Service Dialling Numbers (SDN)
Service n°5: Extension3
Service n°6: Barred Dialling Numbers (BDN)
Service n°7: Extension4
Service n°8: Outgoing Call Information (OCI and OCT)
Service n°9: Incoming Call Information (ICI and ICT)
Service n°10: Short Message Storage (SMS)
Service n°11: Short Message Status Reports (SMSR)
Service n°12: Short Message Service Parameters (SMSP)
Service n°13: Advice of Charge (AoC)
Service n°14: Capability Configuration Parameters 2 (CCP2)
Service n°15: Cell Broadcast Message Identifier
Service n°16: Cell Broadcast Message Identifier Ranges
Service n°17: Group Identifier Level 1
Service n°18: Group Identifier Level 2
Service n°19: Service Provider Name
Service n°20: User controlled PLMN selector with Access Technology
Service n°21: MSISDN
Service n°22: Image (IMG)
Service n°23: Support of Localised Service Areas (SoLSA)
Service n°24: Enhanced Multi Level Precedence and Pre emption Service
Service n°25: Automatic Answer for eMLPP
Service n°26: RFU
Service n°27: GSM Access
Service n°28: Data download via SMS-PP
Service n°29: Data download via SMS CB
Service n°30: Call Control by USIM
Service n°31: MO-SMS Control by USIM
Service n°32: RUN AT COMMAND command
Service n°33: shall be set to '1'
Service n°34: Enabled Services Table
Service n°35: APN Control List (ACL)
Service n°36: Depersonalisation Control Keys
Service n°37: Co-operative Network List
Service n°38: GSM security context
Service n°39: CPBCCH Information
Service n°40: Investigation Scan
Service n°41: MExE
Service n°42: Operator controlled PLMN selector with Access Technology
Service n°43: HPLMN selector with Access Technology
Service n°44: Extension 5
Service n°45: PLMN Network Name
Service n°46: Operator PLMN List
Service n°47: Mailbox Dialling Numbers
Service n°48: Message Waiting Indication Status
Service n°49: Call Forwarding Indication Status
Service n°50: Reserved and shall be ignored
Service n°51: Service Provider Display Information
Service n°52 Multimedia Messaging Service (MMS)
Service n°53 Extension 8
Service n°54 Call control on GPRS by USIM
Service n°55 MMS User Connectivity Parameters
Service n°56 Network's indication of alerting in the MS (NIA)
Service n°57 VGCS Group Identifier List (EFVGCS and EFVGCSS)
Service n°58 VBS Group Identifier List (EFVBS and EFVBSS)
Service n°59 Pseudonym
Service n°60 User Controlled PLMN selector for I-WLAN access
Service n°61 Operator Controlled PLMN selector for I-WLAN access
Service n°62 User controlled WSID list
Service n°63 Operator controlled WSID list
Service n°64 VGCS security
Service n°65 VBS security
Service n°66 WLAN Reauthentication Identity
Service n°67 Multimedia Messages Storage
Service n°68 Generic Bootstrapping Architecture (GBA)
Service n°69 MBMS security
Service n°70 Data download via USSD and USSD application mode
Service n°71 Equivalent HPLMN
Service n°72 Additional TERMINAL PROFILE after UICC activation
Service n°73 Equivalent HPLMN Presentation Indication
Service n°74 Last RPLMN Selection Indication
Service n°75 OMA BCAST Smart Card Profile
Service n°76 GBA-based Local Key Establishment Mechanism
Service n°77 Terminal Applications
Service n°78 Service Provider Name Icon
Service n°79 PLMN Network Name Icon
Service n°80 Connectivity Parameters for USIM IP connections
Service n°81 Home I-WLAN Specific Identifier List
Service n°82 I-WLAN Equivalent HPLMN Presentation Indication
Service n°83 I-WLAN HPLMN Priority Indication
Service n°84 I-WLAN Last Registered PLMN
Service n°85 EPS Mobility Management Information
Service n°86 Allowed CSG Lists and corresponding indications
Service n°87 Call control on EPS PDN connection by USIM
Service n°88 HPLMN Direct Access
Service n°89 eCall Data
Service n°90 Operator CSG Lists and corresponding indications

------------------------------------------------------------------

2G SIM (2007-06)
Service n°1 : CHV1 disable function
Service n°2 : Abbreviated Dialling Numbers (ADN)
Service n°3 : Fixed Dialling Numbers (FDN)
Service n°4 : Short Message Storage (SMS)
Service n°5 : Advice of Charge (AoC)
Service n°6 : Capability Configuration Parameters (CCP)
Service n°7 : PLMN selector
Service n°8 : RFU
Service n°9 : MSISDN
Service n°10: Extension1
Service n°11: Extension2
Service n°12: SMS Parameters
Service n°13: Last Number Dialled (LND)
Service n°14: Cell Broadcast Message Identifier
Service n°15: Group Identifier Level 1
Service n°16: Group Identifier Level 2
Service n°17: Service Provider Name
Service n°18: Service Dialling Numbers (SDN)
Service n°19: Extension3
Service n°20: RFU
Service n°21: VGCS Group Identifier List (EFVGCS and EFVGCSS)
Service n°22: VBS Group Identifier List (EFVBS and EFVBSS)
Service n°23: enhanced Multi-Level Precedence and Pre-emption Service
Service n°24: Automatic Answer for eMLPP
Service n°25: Data download via SMS-CB
Service n°26: Data download via SMS-PP
Service n°27: Menu selection
Service n°28: Call control
Service n°29: Proactive SIM
Service n°30: Cell Broadcast Message Identifier Ranges
Service n°31: Barred Dialling Numbers (BDN)
Service n°32: Extension4
Service n°33: De-personalization Control Keys
Service n°34: Co-operative Network List
Service n°35: Short Message Status Reports
Service n°36: Network's indication of alerting in the MS
Service n°37: Mobile Originated Short Message control by SIM
Service n°38: GPRS
Service n°39: Image (IMG)
Service n°40: SoLSA (Support of Local Service Area)
Service n°41: USSD string data object supported in Call Control
Service n°42: RUN AT COMMAND command
Service n°43: User controlled PLMN Selector with Access Technology
Service n 44: Operator controlled PLMN Selector with Access Technology
Service n 45 HPLMN Selector with Access Technology
Service n 46: CPBCCH Information
Service n 47: Investigation Scan
Service n°48: Extended Capability Configuration Parameters
Service n°49: MExE
Service n°50 Reserved and shall be ignored

3G USIM 2G SIM Service Numbers

3G USIM 2G SIM Service Numbers

3G USIM (2010-04)
Service n°1: Local Phone Book
Service n°2: Fixed Dialling Numbers (FDN)
Service n°3: Extension 2
Service n°4: Service Dialling Numbers (SDN)
Service n°5: Extension3
Service n°6: Barred Dialling Numbers (BDN)
Service n°7: Extension4
Service n°8: Outgoing Call Information (OCI and OCT)
Service n°9: Incoming Call Information (ICI and ICT)
Service n°10: Short Message Storage (SMS)
Service n°11: Short Message Status Reports (SMSR)
Service n°12: Short Message Service Parameters (SMSP)
Service n°13: Advice of Charge (AoC)
Service n°14: Capability Configuration Parameters 2 (CCP2)
Service n°15: Cell Broadcast Message Identifier
Service n°16: Cell Broadcast Message Identifier Ranges
Service n°17: Group Identifier Level 1
Service n°18: Group Identifier Level 2
Service n°19: Service Provider Name
Service n°20: User controlled PLMN selector with Access Technology
Service n°21: MSISDN
Service n°22: Image (IMG)
Service n°23: Support of Localised Service Areas (SoLSA)
Service n°24: Enhanced Multi Level Precedence and Pre emption Service
Service n°25: Automatic Answer for eMLPP
Service n°26: RFU
Service n°27: GSM Access
Service n°28: Data download via SMS-PP
Service n°29: Data download via SMS CB
Service n°30: Call Control by USIM
Service n°31: MO-SMS Control by USIM
Service n°32: RUN AT COMMAND command
Service n°33: shall be set to '1'
Service n°34: Enabled Services Table
Service n°35: APN Control List (ACL)
Service n°36: Depersonalisation Control Keys
Service n°37: Co-operative Network List
Service n°38: GSM security context
Service n°39: CPBCCH Information
Service n°40: Investigation Scan
Service n°41: MExE
Service n°42: Operator controlled PLMN selector with Access Technology
Service n°43: HPLMN selector with Access Technology
Service n°44: Extension 5
Service n°45: PLMN Network Name
Service n°46: Operator PLMN List
Service n°47: Mailbox Dialling Numbers
Service n°48: Message Waiting Indication Status
Service n°49: Call Forwarding Indication Status
Service n°50: Reserved and shall be ignored
Service n°51: Service Provider Display Information
Service n°52 Multimedia Messaging Service (MMS)
Service n°53 Extension 8
Service n°54 Call control on GPRS by USIM
Service n°55 MMS User Connectivity Parameters
Service n°56 Network's indication of alerting in the MS (NIA)
Service n°57 VGCS Group Identifier List (EFVGCS and EFVGCSS)
Service n°58 VBS Group Identifier List (EFVBS and EFVBSS)
Service n°59 Pseudonym
Service n°60 User Controlled PLMN selector for I-WLAN access
Service n°61 Operator Controlled PLMN selector for I-WLAN access
Service n°62 User controlled WSID list
Service n°63 Operator controlled WSID list
Service n°64 VGCS security
Service n°65 VBS security
Service n°66 WLAN Reauthentication Identity
Service n°67 Multimedia Messages Storage
Service n°68 Generic Bootstrapping Architecture (GBA)
Service n°69 MBMS security
Service n°70 Data download via USSD and USSD application mode
Service n°71 Equivalent HPLMN
Service n°72 Additional TERMINAL PROFILE after UICC activation
Service n°73 Equivalent HPLMN Presentation Indication
Service n°74 Last RPLMN Selection Indication
Service n°75 OMA BCAST Smart Card Profile
Service n°76 GBA-based Local Key Establishment Mechanism
Service n°77 Terminal Applications
Service n°78 Service Provider Name Icon
Service n°79 PLMN Network Name Icon
Service n°80 Connectivity Parameters for USIM IP connections
Service n°81 Home I-WLAN Specific Identifier List
Service n°82 I-WLAN Equivalent HPLMN Presentation Indication
Service n°83 I-WLAN HPLMN Priority Indication
Service n°84 I-WLAN Last Registered PLMN
Service n°85 EPS Mobility Management Information
Service n°86 Allowed CSG Lists and corresponding indications
Service n°87 Call control on EPS PDN connection by USIM
Service n°88 HPLMN Direct Access
Service n°89 eCall Data
Service n°90 Operator CSG Lists and corresponding indications

------------------------------------------------------------------

2G SIM (2007-06)
Service n°1 : CHV1 disable function
Service n°2 : Abbreviated Dialling Numbers (ADN)
Service n°3 : Fixed Dialling Numbers (FDN)
Service n°4 : Short Message Storage (SMS)
Service n°5 : Advice of Charge (AoC)
Service n°6 : Capability Configuration Parameters (CCP)
Service n°7 : PLMN selector
Service n°8 : RFU
Service n°9 : MSISDN
Service n°10: Extension1
Service n°11: Extension2
Service n°12: SMS Parameters
Service n°13: Last Number Dialled (LND)
Service n°14: Cell Broadcast Message Identifier
Service n°15: Group Identifier Level 1
Service n°16: Group Identifier Level 2
Service n°17: Service Provider Name
Service n°18: Service Dialling Numbers (SDN)
Service n°19: Extension3
Service n°20: RFU
Service n°21: VGCS Group Identifier List (EFVGCS and EFVGCSS)
Service n°22: VBS Group Identifier List (EFVBS and EFVBSS)
Service n°23: enhanced Multi-Level Precedence and Pre-emption Service
Service n°24: Automatic Answer for eMLPP
Service n°25: Data download via SMS-CB
Service n°26: Data download via SMS-PP
Service n°27: Menu selection
Service n°28: Call control
Service n°29: Proactive SIM
Service n°30: Cell Broadcast Message Identifier Ranges
Service n°31: Barred Dialling Numbers (BDN)
Service n°32: Extension4
Service n°33: De-personalization Control Keys
Service n°34: Co-operative Network List
Service n°35: Short Message Status Reports
Service n°36: Network's indication of alerting in the MS
Service n°37: Mobile Originated Short Message control by SIM
Service n°38: GPRS
Service n°39: Image (IMG)
Service n°40: SoLSA (Support of Local Service Area)
Service n°41: USSD string data object supported in Call Control
Service n°42: RUN AT COMMAND command
Service n°43: User controlled PLMN Selector with Access Technology
Service n 44: Operator controlled PLMN Selector with Access Technology
Service n 45 HPLMN Selector with Access Technology
Service n 46: CPBCCH Information
Service n 47: Investigation Scan
Service n°48: Extended Capability Configuration Parameters
Service n°49: MExE
Service n°50 Reserved and shall be ignored

Sunday, June 20, 2010

CSA: Directed Retry Can Alter Mobile Phone's Location

CSA: Directed Retry Can Alter Mobile Phone's Location

Class│Value│
0 0 0│1 1 0 1│ Directed Retry

The accuracy or inaccuracy of cell site analysis testing measurements largely depends upon what has been considered and there are indeed many points to consider. One handover (HO) procedure, if it is included within a mobile network's radio-availability and traffic-flow arsenal, is called Directed Retry (DR). The GSM and 3GPP standards refers to this procedure.



What is Directed Retry (DR)?
Directed retry has adjustable parameters in order to define thresholds that once passed can trigger DR. When DR is set as Not Use it is inactive. Once set to Use the default value is set until the parameter is adjusted. That is to say a 'value' that is set as default can be modified in response to condtions eg quality of service (QoS) or traffic observations. A manufacturer of the say the BSS may provide recommended values, but it might be the OMC-R or BSS engineering team may require to make their own determination about values for internal or external handover procedures.

Use DR enables for example the BSS to move a mobile phone's communications to another cell (Mast or sector of a Mast) prior to call set up. That can be for an outgoing or incoming communication.

DR may be triggered by, for instance, due to 'congestion' and therefore may require internal or external handover procedures to combat that traffic condition. An outcome is that a mobile phone that receives service from the current serving cell (maybe the Mast is seen as closer to the mobile phone as well) is handed over to a cell that originates from a Mast that could be eg:

- some distance from the mobile phone's actual location
- coverage from a adjacent Mast in an area
- etc

This is one of many radio cases that when conducting radio test measurments a 2G/3G passive radio detection device and its readings may not record the appropriate network messages and thus mis-inform their users attempts in assessing a mobile phone's general location when conducting cell site analysis, as the device's readings may be incomplete. The Cell ID obtained from a call detail record (CDR) can only reflect the antenna identities on a fixed-positioned Mast and that a mobile phone has had its communications routed to and from the network using a particular Mast (so to speak). It doesn't automatically follow that the Cell ID confirms the general local area in which the mobile phone was actually located without certain radio data and other necessary checks being made.

Friday, June 18, 2010

Orange and Vodka - mixing mobile networks

Orange and Vodka - mixing mobile networks
(shaken, not stirred)
.

Good title for a book or article that heading. I thought this would be a useful post regarding the unusual occurrence of roaming onto a forbidden UK network from the home UK network.These screenshots record an event that happened on my wireless broadband. In the area I was located at the time Orange provided GPRS at 56K but download rates of under 6.5kbps (no 3G) - so not very good at all.
.

.
Such a matter like this may have an influence, if understood that it may occur, on any post-obtained radio test measurements after an alleged crime, or may even taint what may be considered a flawless opinion or conclusion, that is when conducting cell site analysis (CSA) investigations for evidential purposes.
.

.
It is not the fact that post-obtained radio test measurements failed to replicate an earlier event, it is the fact that a 'possibility' that may need to be explored to provide a more rounded opinion or conclusion in a report and at Court maybe missed or overlooked.

.

There are answers to the above conundrum but this is not the point of this post, which has been to highlight a technical event that might impact on evidence.

UTRAN & GERAN 3G Inter-PLMN Handover

UTRAN & GERAN 3G Inter-PLMN Handover

.

The subscriber's home network is France. The visited network where the subscriber is registered in a VLR (Visitor Location Register) is Germany. The signalling connection between HLR (Home Location Register) and VLR is indicated by dotted lines. The calls for the subscriber are controlled by the MSC collocated to the VLR where the subscriber is registered. This MSC (Mobile Services switching Centre) is called "anchor MSC".

.

Handover to a different MSC may occur if the cell serving the subscriber after handover is not controlled by the anchor MSC. This MSC is called the "serving MSC". Even after the call has been handed over to a different MSC, the call control function remains in the anchor MSC. The signalling connection and circuit switched connection established between anchor MSC and serving MSC are indicated by a solid line.

.

When the French subscriber registered in a German network roams near the border to the Netherlands, inter-PLMN handover may occur. In this case a Dutch network is the target network. After handover, the anchor MSC located in a German network continues to control the call. The German network remains the visited network where the subscriber is registered. The subscriber's location information stored in the HLR remains unchanged. The signalling and circuit switched connections between the anchor MSC and the previously serving MSC in the German network will be released when the User Equipment (UE) is served by a cell within a Dutch network. The Dutch network becomes the serving network. From the Dutch network the subscriber may be handed over to a Belgian network (see Figure 1).

.



.

It is noteworthy. A problem exists for mobile users when commuting across national borders. Whilst manual network selection may be used to ensure that the user can select the HPLMN (Home PLMN)/ EHPLMN (Equivalent Home-PLMN), many users use Automatic Selection mode; and the ME is only permitted to select PLMNs of a higher priority within the same country in automatic mode. This leads to the situation that, having crossed back into its home country and within HPLMN coverage, an ME might remain camped on the VPLMN in the adjacent territory.

.

As a consequence, the user will be charged international roaming rates for all calls made or received until such time as an MS either:

.

(a) moves out of VPLMN coverage or

(b) manually selects the HPLMN.

.

Note: Power cycling the ME does not solve the problem because the mobile will look for the RPLMN (Roaming-PLMN). The reference to ME is infact a reference also to 3G UE (User Equiment).

.

These matter can impact when considering Roaming Cell Site Analysis and Call/Billing Records. It is recommend therefore that reviewing the 3GPP Standards aid understanding how UTRAN and GERAN can function under certain UE conditions particularly when dealing with Network Selection Principles.

.

Thanks to 3GPP for provision of information used in this discussion.

Cell Site Analysis (CSA) Images Part 2

Cell Site Analysis (CSA) Images Part 2
.
It may interest those reading the discussions that I post that Cell Site Analysis (CSA) results from terrain and clutter analysis and radio test measurements can be defined in many different ways that can demonstrate particular elements of importance to a case.
.



Image 5
.
First we need to model (Image 5) the landscape that represents the geographical area and natural and manmade phenomenon in the surrounding area. In this case the scene of crime is close to a crossroads in the middle of small urban town.
.
For the sake of comfort, juries rarely understand radio coverage that is verbally discussed but respond much better to discussion revolving around a visual aid presentation.
.

Image 6
.
In this particular case I want to show the jury that two microcells* were used and each microcell first needs to be defined (Image 6) to the jury so they have it clearly in their minds the origin and direction of the radio coverage that forms part of the discussion.
.
In the first posting below (Cell Site Analysis (CSA) Images) coverage maps were shown defining large cell/macrocell coverage. Here, it is possible to refine and finesse coverage to a specific area with microcell coverage. Importantly, it is a really good idea to make sure the first image the jury sees represents the first radio coverage that a particular mobile phone has used that you want to talk about.
.
Image 7
.
The second microcell coverage (Image 7) should also be defined and distinguished. It's always best to remember with microcell coverage radio path is shaped in the same way as the High Street. Microcells don't go around corners.
.


Image 8
.
Finally the culmination of the presentation defines how the coverage from both microcells blend (Image 8 ) at particular points along the radio path.
.
*Remember that mobile telephones need to be encouraged to use microcell coverage and the microcell location, coverage boundary, speed at which a mobile phone is moving and cell reselection cause system challenges that required the use of a new criterion that was introduced into the GSM Phase 2 Standards in 1996. Do you know what that criterion is called and how it works?
.
Lastly, having mentioned microcell and large cell, the image below (Image 9) represents a visual indication about very important technical aspects concerning radio coverage and the layers depicted are often referred to in evidence. Indeed, if you care to read some of the Mobile Telephone Case Law you can find Appeal Courts referring to the importance of comprehending how far coverage extends.
.
Image 9


Cell Site Analysis (CSA) Images

Cell Site Analysis (CSA) Images
.
Cell Site Analysis (CSA) has had a good deal of airing recently here on the forum, so I thought you might like to see images from the work that I get involved.
.

Image 1
.
Image 1 is one slide from the training course material to introduce students to CSA when starting out discussing radio test measurements. It should be noted that this image represents less than 1% of all data acquired during radio test measurements.
.
Image 2
.
I thought it would be useful to include this Terrain and Clutter Map (Image 2) as I use this software to assist me in complex cases. Terrain and Clutter are discussed during training and as it was a topic of the discussion about UK Criminal Evidence Delays I thought it would be helpful to let forum members see that I am not referring to theoretical matters, terrain and clutter analysis actually takes place.
.
Image 3
.
It is essential to understand, when conducting radio test measurements, that just because radio signals can travel some distance from a particular Mast (Image 3) that coverage should not be dismissed or excluded. Operators set threshold limits, hard limits and boundary limits. It does not follow that just because a mobile is in the Green area shown in the Single Cell Prediction Map that the mobile will be excluded from using that coverage.
.
Do you remember the discussion that I put up here CSA: Mobile Phones and Fringe Coverage?:
.
Image 4
.
Best serving coverage is often posed as the deal-clincher to suggest the mobile phone was most likely or consistent with being at a particular location. There can be numerous points that could (and I say 'could' advisedly) point to best server coverage being used but rarely does it come up in evidence because the radio content in evidence rarely gets disclosed these days.
.
It is possible with best serving coverage that it can induce a negative outcome that may prevent calls taking place, so it is always important to see the other side of the coin, so to speak:
.
GSM Radio Test Measurements Non-Dominance
GSM Radio Test Measurements

.
I hope the above provides a further illustration of how smart and intelligent a science Cell Site Analysis really is and that by not applying it properly and dumbing down this art of this forensic science:
.
- is not only a great loss to the law of evidence
- it reduces the examiner's/expert's knowledge and understanding about the subject with which they are dealing - mobile telephone evidence.

Checking Masts - CSA 2

Checking Masts - CSA 2
.
In response to the discussion at Checking Masts - CSA, a couple of questions that I have been asked:
.
- Do you, yourself perform Cell Site Analysis/Surveys for cases?
.
- If so what equipment do you use for this very interesting task??
.
Answer:
Yes I do and have been doing so since the early 90s for GSM and since 2006 for 3G.
.
I use Nokia network monitor for 2G and have used, but do not particularly like, some of these newer independent flash files that enable some smartphones to obtain 3G network control data. I do continue to use them as one tool but for fairness reasons in dealing with the radio evidence.
The reason for that is there are no:
.
1) forensic standards for the calibration of test equipment generating evidence
2) forensic standards for the content or quantity of radio data captured for evidence
3) forensic requirements for user mobile phones to be calibrated
4) standards that requires a mobile phone after it has left the manufacturing production line to maintain its radio mask calibration longer than 12-months.
.
For example, dealing with point 4) most mobiles in use do not precisely meet calibration standards, but largely their radio mask is towards the upper or lower limits due to the way in which mobile phones are treated by their users: dropped, fall in water, exposed to fag ash, drink splatter, overcharging, over heating, running the battery flat during calls etc etc. All these things and more take there toll on mobile phone operation over time and it is not surprising to find that calibrated radio engineer test equipment often produce a better RxLv sensitivity. For instance, if one puts a used mobile phone side by side with a radio engineers test rig they both record 'absolute' measurments, obviously, but the disparity between 'relative' measurements can be surprising.
.
For radio engineer test rig I use Anite's Nemo Handy. Also I have secured in evidence the requirement for the readings and the electronic files that contain the readings and the screen prints to be served in evidence because:
.
a) they are original evidence
b) it exposes not just preservation of evidence but the processes which brought the evidence about
c) it means the prosecution can meet the Golden Rule without being fed spurious argument of why things can't be done
d) it stops outsourcer firms holding back on evidence or unilaterally deciding that they control what our courts and criminal justice system can or cannot see
e) whilst I used Anite's Nemo Handy .dt1 file for the criminal case in which I was advising, the requirement is not limited to simply radio test measurements from Nemo Handy but all other radio test equipment etc and equally applies to handset and U/SIM card evidence.
.
The additional benefit this offers is that where the police want to save money extracting and harvesting data that is subsequently produced in reports and want to cut down on unessential data, this means they can still produce reports with only the content they want to show. The full copy of data are still obtained by the examiner and this means the defence, having a copy of the full data in electronic format, can examine all the other data to see whether any vital evidence for the defendant's case has been overlooked or not.
.
Moreover, the defence can still examine the exhibit as the prosecution will have already produced their evidence. This will allow for variations in evidential standard or interpretation to be checked and exposed, if any, in order to maintain the principle 'nothing lost in translation.'
.
This can also work on other levels as well. Such as, we know the Forensic Regulator is due to launch soon and the public sector are rushing around to create and approve their own standards. However, the independent sector has not had the opportunity to qualify whether the public sector standards are better than the standards in the independent sector. The work I have been doing is to highlight issues and attitudes to mobile phone evidence and to let the courts know there is evidence the courts can have. If the Regulator accepts procedures created by the public sector it should not bar the independent sector procedures being accepted also.
.
If the independent sector were automatically disbarred from having their own procedures accepted it could potentially lead to following public sector standards containing systemic failure being promulgated throughout the country. Not only that but the knock-on can directly affect small business by placing heavy regulation and financial demands upon small business, causing collapse and unemployment in MPs constituencies. Apart from which there may be the issues associated with breach of human rights under the Human Rights Act and the European Convention on Human Rights.
.
Apologies for the length of commentary. It was necessary to go along this discussion path because it is important to promote standards and to highlight choices available to people interested in mobile telephone evidence and identify what is possible by knocking over artificially generated psychological boundaries. I would hope to get the message into evidence in the London area, but my instructions come from outside of London these days and London appears to be a bit of a no-go zone.
.
If you want to start a new topic, ask a question or join the discussion on ny previous postings then please join in a Forensic Focus Mobile Forensic Discussion Forum.

CHECKING MASTS - CSA

CHECKING MASTS - CSA
.
I have had several discussions with people who are new to mobile telephone evidence and have asked me to provide further discussion on matters concerning Checking Masts. Also from police sections asking me to open up the discussion as to what might happen when Mast checks are not made and how that might impact on a criminal case. Whilst the criminal case discussion is hypothetical, some events happening in the discussion are factual and drawn from a number of criminal cases.
.
The necessity to check with a mobile network operator regarding details of a particular Mast (Cell Site) and the bearing of coverage (azimuth) from it, for a particular Cell ID, at the material time to see whether it has changed prior to conducting cell site analysis is a useful rule to follow. There are, of course, many other matters that need to be checked also, but I have simplified the issues for the purposes of this discussion.
.
The details of Mast changes are recorded by Operators and recorded in their databases. Single Point of Contact (SPOC) is not prevented from asking about Checking Mast details and obtaining the relevant information. However, as a SPOC doesn’t decide what evidence should or shouldn’t be required for a criminal investigation, the SPOC should be asked to obtain this information.
.
The Masts
Below is an image (a) which displays a Mast's radio coverage for a particular Cell ID illuminating in a westerly direction towards a block of flats.


Image (a)
.
The next image (b) below displays the same Mast (as above) relating to radio coverage with its associated Cell ID but this time the radio coverage is illuminating in an easterly direction, in the opposite direction towards a house.



Image (b)
.
For the purposes of this discussion the Mast is shown close to the properties in both images. This was done for artistic purposes and is not intended to mean the Mast is actually that close to both properties. Also an actual Cell ID has not been shown but the inference about Cell ID being relevant is inferred by the presence of radio coverage being displayed.
.
Criminal Case
Imagine if you will that on a particular date, let us say the 30th March 2008, a dead body is found in the house, shown in image (b). The police have been alerted to the property by a neighbour because of a dreadful smell emanating from the direction of the house. Upon entering the property the police find a decomposing body of a woman on the floor. The Pathologist is called and indicates, following assessment of the decomposing body, that the body had been dead for approximately two weeks. That would generate a time line back to Tuesday 16th March 2008.
.
The police conduct door-to-door enquiries and one neighbour next door but one mentions that two weeks ago as she passed the house there was shouting emanating from inside the property and cries for help. The neighbour thought nothing more of it because the couple that lived there had regular arguments, which the neighbours and passers-by could overhear.
.
The police asked the neighbours had they noticed anything else? One lady who lived a few doors away replied that she looked out of her window and that she had seen the man that lived there leave the property at about 8.30pm, and that would have been a Tuesday, and funnily enough that was about two weeks ago.
.
To cut a long story short, the police found the man who lived in the house a month later, seized his mobile telephone and having retrieved his mobile telephone subscriber details, obtained call records and identified the Masts that routed mobile calls to and from his mobile phone. From the records it was noted that two weeks before the body was found his mobile had used a Mast for a call (on Tuesday at 8.00pm), the Mast was sited 2.4Km away from where he lived with his partner. This was also the nearest Mast to the house.
.
The police called for radio test measurements to be conducted outside the house three weeks later. The time-span from the estimated time of death to radio testing was approximately 9 weeks. The radio tests confirmed that the Cell ID recorded in the call records is the same as detected outside the house.
.
The man, during questioning, confirmed he had not been back to the house since leaving on the Saturday. That being the Saturday prior to the Tuesday when it is approximated the death took place. He had also been living in a Bedsit because the relationship with his partner had irrevocably broken down and they had agreed to split and go their separate ways.
.
The police believed from the evidence that they had thus far that it was enough to hold the man, now a suspect, and the death case turned into a murder case. The evidence they relied upon was:
.
1) The neighbours hearing regular arguments and cries for help on the fateful day
2) The neighbour that says she saw the suspect leaving the house at 8.30pm
3) The call records that shows a call on the Tuesday from the suspect's mobile telephone using a Cell ID from a Mast that is sited 2.4Km away and is the nearest Mast to the house
4) The radio test measurements that show the Mast’s coverage, thus Cell ID, used by the suspect's mobile phone illuminated outside the house.
.
So at minimum there appears to be four good pillars of evidence. However, when the radio test measurements were conducted no checks had been made with the mobile operator whether any changes had been made to the Masts in the area prior to radio test measurements being conducted. It subsequently came to light at trial that the Cell ID illuminating towards the house (image (b)) had only been illuminating eastwards towards the house from Thursday 18th March 2008 after the alleged murder due to changes at the Mast. Prior to that date the Mast had been illuminating westwards, towards a block of flats (image (a)).
.
Impact on Criminal Case
So when the police had noted from the suspect's call records that over the last few months they showed the suspect's mobile phone using a particular Cell ID for mobile calls that the police thought could be made or received from the house, they were mislead and operated under a false assumption. The suspect had, in fact, been having an affair with a married woman in the block of flats (image (a)) and didn't want to say anything for fear of reprisals from the woman’s husband who was known to have a temper and may take it out on the woman if she was called as a witness. It was this affair that the victim, when she was alive, and been tipped off about some months earlier and the cause of the couple constantly arguing.
.
The lack of discovery about any changes to a particular Mast prior to conducting radio test measurements impacted on the case by:
.
- the test results, that should add value to a case, were inaccurate and unhelpful- introduced delays into an investigation as the test results steered the police investigation in the wrong direction
- operational man-hours increased
- operational costs increased
- worst still, a false allegation of murder was made against an innocent person
.
As to the other pillars of evidence: 3) and 4) were no longer valid and the woman with whom the suspect was having an affair corroborated the dates and times she was with the suspect. As to 1) and 2)? On the fateful day, 1) the argument that was heard by a neighbour turned out to be the victim's ex-boyfriend from a previous relationship whom she had given evidence against him for drug dealing, some 5 years earlier, and who had been released from prison 20 days before the murder. He had vowed to seek revenge against the victim. 2) The neighbour who saw the suspect at 8.30pm at night in fact saw a silhouette of the man she thought was the suspect because it was 8.30pm at night and her eyesight wasn't as good at night. The silhouette leaving the house was the ex-boyfriend leaving after having murdered his ex-girlfriend.
.
Further Observations
In consequence, by not checking with the operator about their Masts prior to conducting radio test measurement caused lost investigation time to find the real culprit, unnecessary redundant evidence, increased costs, investigation time increased exponentially, apart from wrongly accusing a person. Moreover, as checking the Masts is a well known procedure, not to have checked it during an investigation may amount to act of intent to plant evidence to create incrimination against someone by using an act of deliberate omission during an investigation.
.
This is only a hypothetical discussion, but if these acts were operated in reality on a regular basis in criminal cases and applied as policy in widespread use across England, it may potentially lead to £20 millions in retrials. Of course that shouldn’t be possible arising from the 'Golden Rule' of disclosure, enunciated by Lord Bingham in R -v- C & H (February 2004), when he said that ‘fairness requires that full disclosure should be made of all material held by the prosecution that weakens its case or strengthens that of the defence’. The test is an objective one and is grounded on what is ‘reasonable’. However, the guidance makes it plain that an expert witness is no longer to be trusted to exercise his or her own judgment in deciding what falls within this definition and what is and is not relevant.
.
It is the influence of the Golden Rule placing affirmative duties on the prosecution from 2004 onwards that safeguards the reliability of evidence in criminal cases. That suggests were Her Majesty's Inspectorate called upon to require the prosecution tomorrow to provide, from randomly selected 200 cases from across the country by the Inspectorate, documents of enquiry to a particular operator seeking to be notified of any changes to a particular Mast in a particular case and the documented response received from the operator, they could do so.
.
That doesn't mean to say if the prosecution mobile telephone case has 50 Masts used for calls that documentation for each of the 50 Masts would be necessary, as rarely are all Masts relevant to an alleged crime, anyway, and a large proportion being used for padding simply to show movement. The relevant Masts are those where the Masts and coverage can illustrate that the mobile telephone or telephones could potentially be at the scene of crime, which on the whole usually relates to the last three to six Masts nearest the scene of crime. Besides I couldn't see the prosecution being hoodwinked into believing that because there are 50 Masts in a case that the number amounted to far too many enquiries to be made to the operator and so didn't make any enquiries at all.
.
As I have mentioned above this is purely hypothetical, but hopefully it illustrates the importance of Checking Masts before conducting radio test measurements.
.

CSA: Mobile Phones and Fringe Coverage

CSA: Mobile Phones and Fringe Coverage

.
I have this habit with mobile phones and cell coverage that when I see something that interests me, even if I am holiday, I have to see what I can find out about it there and then. Whilst on holiday in Cornwall I noticed the area I was staying had fringe coverage. I thought this was strange as I would have expected to find the Cornish village of Mousehole to have at least a microcell, given the popularity of this tourist attraction to see the Mousehole Lights at Christmas. I decided to conduct an experiment to see how various mobile phones would react under fringe coverage radio conditions. I used no special equipment, nor did I switch ON an network engineering software. The mobile phones were as any ordinary user would have them and the radio conditions with which they would be faced. Yes, I know I know, I can be a bit of an anorak at times.


1. The place I was staying was Duck Street, Mousehole, Cornwall. Accessed at one end by a no through road for cars to use a car park and Duck Street narrows to an alley for pedestrians and no access for cars.
2. The place in Duck Street where I conducted tests is in a car park that has been marked with a black cross (X) in the photo above. The close proximity of clutter (housing and a warehouse) falls within the clutter range of 10m to 30m in line with propagation models for dense to urban areas (ITU-R P.1546-2)

3. The above image displays how far Mousehole extends and the terrain clutter, along with natural phenomenon.

4. This last image provides an approximate indication of how far the main town of Penzance is from Mousehole and the general area where the Masts were located.
.
Okay, so I have now laid out the background to the tests. For the tests I used three mobile phones, all with built-in antennas, which were a Motorola Pebble U6 (which I nicked off my wife, much to her annoyance), Alcatel BH4 735 and a Nokia 3210. I ran tests at different times of the day (morning, afternoon and evening) and with three battery charge levels (charge in battery nearly empty, charge in battery half full and fully charged battery). The GSM networks were Orange, T-Mobile, O2 and Vodafone. The test area as has been shown is at para 2, above.
.

An interesting factor I noted was that all network coverage there was fringe all day, so that was the first matter. The second, and of far more interest, was how the mobile phones reacted to the radio conditions profiling the phones when switched ON.
.
Motorola Pebble U6:
Displayed 'No Service Available'. No calls or texts could be sent or received.
.
Nokia 3210:
Displayed 'Emergency Calls Only'. No calls or texts could be sent or received.
.
Alcatel BH4 735:
Displayed 'One bar of coverage and, intermittently, no coverage'. Attempted made and received calls either rang and when answered no voice communication and/or call dropping. However, surprise, surprise I could send and receive text messages.
.
Now, bearing in mind all the tests were being conducted in the same area, yet varying results obtained indicated alot about the various sensitivity of the antennas for these mobile phones. Technically, the BER of 2% for the measurement where the received signal strength is at a standard -100dBm and that a c-value would not be obtained, theoretically, below the reference BTS1 (-105dBm). I hear, though, that because of the loose wording in the standard -112dBm has been noted in some cases. Surprising, yes, but not in the realms of fantasy as GSM defines a mask lower level received signal strength, during testing, of -120dBm.
.

These very basic practical tests I conducted opens the door, though, to considering what could be extrapolated from the results when dealing with mobile telephone call records and Mast usage. For instance, if I were to conduct radio testing at this location where a person said they were for a particular call or text and I used a Motorola test handset, I may not get a positive result and may report back that not even a text could be sent from that location. Where then might the mobile phone be suggested to be located? What if a mobile phone is put nearer to the scene of a crime than it really was? What might be an inference drawn from that?
.
What may seem an ugly, awkward problem being raised here, is indeed not as bad as it seems. It really requires taking pragmatic steps before going to site to find out what mobile phone the person was using at the material time and then formulate from there how the tests should be conducted. There are other considerations, of course, to be taken into account, as well.
.
Acknowledgement: the screen images were obtained using Google Maps:
http://maps.google.co.uk/maps?hl=en&tab=wl

CSA: From Ockham's (Occam's) Razor to Checking Mast

CSA: From Ockham's (Occam's) Razor to Checking Masts

Creating a 'de facto' standard is always going to be a hard job and none more so than when dealing with 'Cell Site Analysis', abbreviated to the acronym 'CSA'. The objective of the analysis is, as best possible; to determine a likely or approximate location of a particular mobile station (MS) at the material date and time of a call. There are a large and varied number of issues to be considered when entering into cell site analysis. Cell site analysis, or CSA, is not a precise science and this has largely lead many people to misconstrue how cell site analysis can be conducted and for those who require to make an interpretation about the interpretation being given by an expert, giving evidence, leads to mistrust about cell site analysis. So it all becomes rather a vicious circle of events, with few conceding their comprehension about the fragility and instability of the stance they have adopted.

CSA is a highly intelligent science, and an evolving forensics science at that, also. CSA has many elements in its foundation that are based on scientifically proven facts. For instance, the scientifically proven fact that 0-dBm (deciBel milliwatt) always equals 1-mW (milliWatt) of power (energy) is but one good example. Furthermore, such a scientific fact allows experts to make the declaration that each result in the measurements obtained are 'absolute' and can be demonstrated as 'relative' when compared alongside other 'absolute' results.

Given that CSA extends beyond obtaining measurements and extends also into the arena of the radio spectrum, radio protocols, beamforming etc and the infrastructure required to propagate and provide a service, this, too, is an area where many scientifically proven facts and mandatory requirements exists. This again leads to forming conclusions without the need of the expert to make assumptions.

The area where CSA needs assistance is to rely upon human intervention and that requires having deep knowledge of the subject matter and solid skillsets. Again, this does not require the person to make assumptions, but to demonstrate the possibilities and potential conclusions that may help inform a Court in order that the Court can arrive at its own conclusions.

There are indeed some useful scientific philosophy dictums that can aid and support a CSA practitioner that can be adopted when striving for the aim of being 'objective', in addition to ‘independent’ and ‘impartial’, and one of the most important of these is Ockham's (Occam's) Razor attributed to the distinguished 14th century medieval logician and philosopher William of Ockham (c1285-1349). 'Leff, Gordon'; in his 1958 work 'Medieval Thoughts: St Augustine to Ockham' enunicated the so-called Ockham's Razor as 'entities ought not to be multiplied except of necessity'. However, the use of the term 'Razor' in reference to a rather superficially simple phenomenon having a complex mechanism behind it, did not appear until after Ockham's death and, although he didn't invent it, it is the frequency, apparently, with which he used the phenomenon 'should make as few assumptions as possible' in his writings that associates Ockham to this dictum. This can be clearly seen from the dictum commonly associated with the Ockham (Occam's) Razor 'Numquam ponenda est pluralitas sine necessitate', translated, means, 'Plurality ought never be posited without necessity'. How incredible, within six words, he encapsulates in that sentence that a simple explanation would be simplistic if it failed to capture all the essential and relevant parts. It is essential to understand that language and meaning were still developing in the 14th Century and care in translation in relation to subject matter statements makes Ockham's statement even more incredible, for his comments crossed boundaries unlimited to specific subject matter. Ockham probably drew inspiration from earlier philosophers such as Aristotle (384–322 BC), Alhazen (965-1039), Maimonides (1138-1204), Thomas Aquinas (c. 1225–1274) and John Duns Scotus (1265–1308), the latter who Ockham, it has been suggested, studied under him at Oxford.

Essential to Ockham's philosophy, who later, it is suggested, influenced philosophers such as Francis Bacon, is an interpretation given to his work that, when arriving at a conclusion, it is on the basis that 'facts' have already been considered before a conclusion is drawn. It is that philosophy that relates to CSA practitioners, for invariably it is not the conclusion the expert arrives at but what is required to be known is how s/he got to a particular conclusion in the first place that will be tested. By way of illustration, my report in a recent case asked the question that prior to testing what enquiries were made to the mobile network operator as to what alterations had occurred at the Masts prior to conducting radio test measurements, and can the defence please have copies of the operator's written responses?

The question went to the heart of the matter regarding accuracy of test results that underpin the opinion. Significantly, it is the prosecution that deserves praise for their benchmark standard they set in the Soham Murder case of Jessica and Holly and the subsequent conviction of Mr Huntley. I was not in that case, but as I understand it for the prosecution to show how Mr Huntley had used his mobile phone required the resurrection (I believe) of a decommissioned Mast and all the other Masts with a coverage footprint illuminating towards Mr Huntley's property to have been aligned so as to be the same as it was at the material time of mobile calls. This was required, as I understand it, in order to show the mobile telephone evidence had 'weight' and 'substance' and to avoid it being kicked out of evidence were it the case that Masts were generating coverage that would be incompatible with cell coverage at the material time. I have to say I am pro-prosecution on that landmark work and it is important to give praise where it is due. It does also mean, though, that the prosecution has established a precedent for standard of workmanship for a murder case, albeit in a high profile case, and set a marker that they will work to, and would not retract from, that standard for murder cases, at least. So it is clear why I would naturally request in a murder case what checks had been made to the mobile network operator regarding changes they had made to their Masts before the prosecution expert went on to conduct tests?

No names, no pack drill, just suffice to say the defence were told operators had 'no obligation' to keep records and, if they did keep records, were found on occasions to be inaccurate so they didn't ask, was the general thrust of the response. Really! What, no requirements under the Public Mobile Operators Licence (PMOL) to retain records about a Mast up to six months after it had been decommissioned? So how on earth could OFCOM ever check matters of interference to emergency frequencies bands from an unstable Mast if operators simply ditched their records or kept unreliable records? More importantly, what does this say about historical matters?

So does the approach in that recent murder case affect the previous prosecution benchmark approach? In my opinion, No it doesn't, and I have considerably more faith in the prosecution than that. The mobile network operator's witness provided to the court evidence of logs they regularly and continuously retain about changes to their base stations. Interestingly, on and prior to the dates of radio tests being conducted in that murder case the operator had in fact been making changes at some of the Masts targeted for their cell footprint.

Now, if I am picking that up in just one case, what is happening in other cases that have or are being rammed through the Court system to hit targets and what checks have or are being made regarding accuracy?

Of equal importance, the positive aspects coming out of cases like this means we can start to build a ‘de facto’ standard as we know the things that are required to be done.

Cell Site Analysis - .DT1 Files

Cell Site Analysis - .DT1 Files

Why is this electronic file extension (.DT1) and significantly the data it contains important to the law of evidence and its relevance to generated original material obtained in criminal cases, but equally for civil cases, too? I will tell you more about that soon, its introduction into evidence and the technical and evidential arguments raised to get into evidence.

For now, what you can know is it is important to cell site analysis and here is a clue about the device that generated it.


GSM Mast Installations (Density)

GSM Mast Installations (Density)
.
When planning a cellular radio network there are many aspects to consider. The matter of radio technology and their frequencies (carriers) are but two examples. A relevance to be understood from these examples relate to what services may be obtained and delivered through these carriers? GSM for basic voice and text services and W-CDMA providing high data rates for video, gaming and conferencing etc.
.
Germane and relevant to obtaining radio services are the radio access technologies needed for that - Masts and Antennas. In radio engineering terms, antennas provide the physical technology to access the services obtained in the radio coverage by use of transmitters and receivers, commonly referred to by the acronym TRXs. The Masts provide the physical location for the siting of the TRXs. An important aspect of Mast installations is knowing the potential customer numbers that will use the services obtained from them. The calculation used for the number of customers and the number of calls that can be handled by one Mast's TRXs is calculated using the Erlang formulae - the number of calls and time length of each call in an hour.
.
Generally, though, to understand how Erlang can be used to determine the number of Masts and TRXs for an area let's just say there are 50,000 potential customers for a particular area. Let us also say to retain quality of service three sectors with 2 or 4 TRXs per sector, s222 or s444 respectively, are required. Let's also indicate that it is known that:
.
=======
.
1 TRX = 3 erlang, 2 TRXs = 5 erlang, 3 TRXs = 15 erlang, 4 TRXs = 20 erlang
.
The relevant TRXs selected for this Mast installation scenario are 2 TRXs and 4 TRXs.
.
Let:
.
50,000 x 0.02 erlang, where 0.02 erlang is used per customer = **1000 erlang
.
Each sector of an s444 may carry up to 20 erlang x 3 sectors = **60 erlang
.
**1000/**60 = 16.7
.
Therefore:
.
16.7 (17) Mast installations would be needed where a configuration of TRXs s444
.
or where
.
33.4 (35) Mast installations would be needed where a configuration of TRX s222
.
================
.
Remember the above is intended only to be illustrative so that it can be used to draw inferences about Masts installations and potential user numbers based upon the density of Masts in an area. An inference, such as, why a Mast further away than Masts sited closer to where a mobile station (MS) may be located routed the text message to the MS?
.
There are a large number of issues to be considered but let us take iwo important issues to be considered are:
.
- Point-to-Area predictions for terrestrial services 30 MHz to 3000 MHz
- Point-to-Point short message service (SMS)
.
In relation to point-to-area it could be the height of buildings surrounding the MS may be a cause for a distant Mast routing a point-to-point SMS text message. Alternatively, it may be the routing of the point-to-point SMS text message from a distant Mast occurred because the MS, in the idle mode, was surrounded by Masts that were at call traffic capacity. Alternatively it could be because of a combination of both buildings and call traffic capacity.
.
Knowing matters like these are very useful when dealing cell site analysis and a reason why they are incorporated into the Core Skills Knowledge of the TrewMTE training courses:
.
GSM Cell Site Analysis Training Course
-------------------------------------------------------
.
Course One: GSM Core Skills Knowledge Course (CSA Part 1)
3-days training
.
Course Two: GSM Cell Site Analysis Course (CSA Part 2)
3-days training
.
Course Three: GSM Cell Site Analysis Course (CSA Part 3)
3-days training
.
3G Cell Site Analysis Training Course
----------------------------------------------------
Course One: 3G Core Skills Knowledge Course (CSA Part 1)
4-days training
.
Course Two: 3G Cell Site Analysis Course (CSA Part 2)
3-days training
.
Course Three: 3G Cell Site Analysis Course (CSA Part 3)
3-days training
.
SIM Card Training
-------------------------
GSM SIM Card Training Course
3-days training
.
USIM/UICC Card Training
------------------------------------
3G USIM/UICC Training Course
3-days training
.
GSM/3G Handset Examination Training
------------------------------------------------------
GSM/3G Mobile Telephone Training Course
4-days training
------------------------------------------------------
MTEB Mobile Telephone Evidence Diplomas (MTEdipl).

GSM MS List of States for the cell selection process

GSM MS List of States for the cell selection process

The GSM mobile station (MS) enters various states when switched on, but in the idle mode. Three such states are PLMN selection, cell selection and location registration that GSM standards described as a "set of states". The overall state of the mobile is thus a "composite of the states of the three processes". As TS 100 930 makes mention "In some cases, an event which causes a change of state in one process may trigger a change of state in another process, e.g., camping on a cell in a new registration area triggers an LR request." Below are those states relevant for MS cell selection but for a more detailed description of the behaviour of these states read GSM05.08.

C1 Normal Cell Selection ‑ This is the process of initial cell selection, searching all RF channels.
.
C2 Stored List Cell Selection ‑ This is the process of initial cell selection where BCCH carrier information (e.g. a BA list) for the selected PLMN is stored in the MS.
.
C3 Camped Normally ‑ This is where the MS is camped on a cell of the selected PLMN and may be able to make and receive calls. (Whether or not the MS can make and receive calls depends on the state within the location registration process). The MS monitors received level and the system information and checks whether cell reselection is needed.
.
C4 Normal Cell Reselection ‑ This is where the MS has determined that cell reselection is needed and an attempt is being made to reselect a new cell.
.
C5 Choose Cell ‑ This is where the MS has returned to idle mode from "connected mode" and is choosing a suitable cell to camp on.
.
C6 Any Cell Selection ‑ This is where the MS is unable to camp normally on any cell of the selected PLMN, or cannot obtain service because of certain responses to a location registration (LR) attempt. It is searching for a cell of any PLMN to camp on (so that emergency calls can be made).
.
C7 Camped on any Cell ‑ This is where the MS has camped on a cell irrespective of its PLMN identity, so that emergency calls can be made.
.
C8 Any Cell Reselection ‑ This is where the MS is attempting to reselect a cell, irrespective of PLMN identity.
.
C9 Choose Any Cell ‑ This is where the MS is returning to idle mode, after having entered "connected mode" from the "camped on any cell" state to make an emergency call. It is attempting to find an acceptable cell to camp on.

GSM Timers

GSM Timers

In the thread Cell Site Analysis-Call Analysis it highlighted the range of Cause Failures for mobile calls. The overview it provided can be quite helpful, but behind those Cause Failures there can be a range of Timers and some of them can be the reason a Cause Failure occurs (positive or negative outcome). For example we can see that timer T3216 (below) in essence relates to the failure of a Immediate Assignment Request, but the "root cause" of the failure can infact be due to SDCCH congestion or poor radio link, such as: interference, coverage restriction or radio path imbalance. Understanding the "Causes for the cessation or loss of mobile communication" requires more than knowing the Cause Code or Timer but all the "root cause" behind them.

The Timer table below provides a useful but not exhaustive list. It essential to keep monitoring the GSM and 3GPP standards. Finally, it is important to recognise that Timers have different durations dependent upon when the timer is applicable. For instance, for radio resources management the durations are often denoted in seconds and some timers are in milliseconds.

However, other timer durations (expiration) are used for internal operation for devices such as mobile telephone or SIM and can be in minutes and in some instances hours. An example of the latter can be the elementary file EFHPLMN (7F206F31) - see GSM11.11. The Timer is set in decimal-digit increments e.g. 01, 02, 03 and so on. Each increment represents a value of n-minutes which the standard GSM0211 refers to as 6 minutes, but commonly rapid updates can cause drain on the mobile telephone's battery it is understood that n-minutes can be 30-minutes. The maximum the timer can be set for is 8-hours. The timer value is network operator dependent, which means either timer method may be used.

Timers and counters for radio resource management

Timers on the mobile station side
T3122: This timer is used during random access, after the receipt of an IMMEDIATE ASSIGN REJECT message.Its value is given by the network in the IMMEDIATE ASSIGN REJECT message.


T3124: This timer is used in the seizure procedure during a hand-over, when the two cells are not synchronized.Its purpose is to detect the lack of answer from the network to the special signal. Its value is set to 675 ms if the channel type of the channel allocated in the HANDOVER COMMAND is an SDCCH (+ SACCH); otherwise its value is set to 320 ms.

T3126:This timer is started either after sending the maximum allowed number of CHANNEL REQUEST messages during an immediate assignment procedure. Or on receipt of an IMMEDIATE ASSIGNMENT REJECT message, whichever occurs first. It is stopped at receipt of an IMMEDIATE ASSIGNMENT message, or an IMMEDIATE ASSIGNMENT EXTENDED message. At its expiry, the immediate assignment procedure is aborted. The minimum value of this timer is equal to the time taken by T+2S slots of the mobile station's RACH. S and T. The maximum value of this timer is 5 seconds.

T3128:This timer is started when the mobile station starts the uplink investigation procedure and the uplink is busy.It is stopped at receipt of the first UPLINK FREE message. At its expiry, the uplink investigation procedure is aborted. The value of this timer is set to 1 second.

T3130:This timer is started after sending the first UPLINK ACCESS message during a VGCS uplink access procedure.It is stopped at receipt of a VGCS ACCESS GRANT message.At its expiry, the uplink access procedure is aborted.The value of this timer is set to 5 seconds.

T3110:This timer is used to delay the channel deactivation after the receipt of a (full) CHANNEL RELEASE. Its purpose is to let some time for disconnection of the main signalling link. Its value is set to such that the DISC frame is sent twice in case of no answer from the network. (It should be chosen to obtain a good probability of normal termination (i.e. no time out of T3109) of the channel release procedure.)

T3134:This timer is used in the seizure procedure during an RR network commanded cell change order procedure. Its purpose is to detect the lack of answer from the network or the lack of availability of the target cell. Its value is set to 5 seconds.

T3142:The timer is used during packet access on CCCH, after the receipt of an IMMEDIATE ASSIGNMENT REJECT message. Its value is given by the network in the IMMEDIATE ASSIGNMENT REJECT message.

T3146:This timer is started either after sending the maximum allowed number of CHANNEL REQUEST messages during a packet access procedure. Or on receipt of an IMMEDIATE ASSIGNMENT REJECT message during a packet access procedure, whichever occurs first. It is stopped at receipt of an IMMEDIATE ASSIGNMENT message, or an IMMEDIATE ASSIGNMENT EXTENDED message. At its expiry, the packet access procedure is aborted. The minimum value of this timer is equal to the time taken by T+2S slots of the mobile station's RACH. S and T are defined in section 3.3.1.2. The maximum value of this timer is 5 seconds.

T3164:This timer is used during packet access using CCCH. It is started at the receipt of an IMMEDIATE ASSIGNMENT message. It is stopped at the transmission of a RLC/MAC block on the assigned temporary block flow, see GSM 04.60. At expire, the mobile station returns to the packet idle mode. The value of the timer is 5 seconds.

T3190:The timer is used during packet downlink assignment on CCCH. It is started at the receipt of an IMMEDIATE ASSIGNMENT message or of an PDCH ASSIGNMENT COMMAND message when in dedicated mode.It is stopped at the receipt of a RLC/MAC block on the assigned temporary block flow, see GSM 04.60. At expiry, the mobile station returns to the packet idle mode. The value of the timer is 5 seconds.

Timers on the network side
T3101:This timer is started when a channel is allocated with an IMMEDIATE ASSIGNMENT message. It is stopped when the MS has correctly seized the channels. Its value is network dependent. NOTE: It could be higher than the maximum time for a L2 establishment attempt.

T3103:This timer is started by the sending of a HANDOVER message and is normally stopped when the MS has correctly seized the new channel. Its purpose is to keep the old channels sufficiently long for the MS to be able to return to the old channels, and to release the channels if the MS is lost. Its value is network dependent. NOTE: It could be higher than the maximum transmission time of the HANDOVER COMMAND, plus the value of T3124, plus the maximum duration of an attempt to establish a data link in multiframe mode.)

T3105:This timer is used for the repetition of the PHYSICAL INFORMATION message during the hand-over procedure. Its value is network dependent. NOTE: This timer may be set to such a low value that the message is in fact continuously transmitted.

T3107:This timer is started by the sending of an ASSIGNMENT COMMAND message and is normally stopped when the MS has correctly seized the new channels. Its purpose is to keep the old channel sufficiently long for the MS to be able to return to the old channels, and to release the channels if the MS is lost. Its value is network dependent. NOTE: It could be higher than the maximum transmission time of the ASSIGNMENT COMMAND message plus twice the maximum duration of an attempt to establish a data link multiframe mode.

T3109:This timer is started when a lower layer failure is detected by the network, when it is not engaged in a RF procedure. It is also used in the channel release procedure. Its purpose is to release the channels in case of loss of communication. Its value is network dependent. NOTE: Its value should be large enough to ensure that the MS detects a radio link failure.

T3111:This timer is used to delay the channel deactivation after disconnection of the main signalling link. Its purpose is to let some time for possible repetition of the disconnection. Its value is equal to the value of T3110.

T3113:This timer is started when the network has sent a PAGING REQUEST message and is stopped when the network has received the PAGING RESPONSE message. Its value is network dependent. NOTE: The value could allow for repetitions of the Channel Request message and the requirements associated with T3101.

T3115:This timer is used for the repetition of the VGCS UPLINK GRANT message during the uplink access procedure. Its value is network dependent. NOTE: This timer may be set to such a low value that the message is in fact continuously transmitted.

T3117:This timer is started by the sending of a PDCH ASSIGNMENT COMMAND message and is normally stopped when the MS has correctly accessed the target TBF. Its purpose is to keep the old channel sufficiently long for the MS to be able to return to the old channels, and to release the channels if the MS is lost. Its value is network dependent. NOTE: It could be higher than the maximum transmission time of the PDCH ASSIGNMENT COMMAND message plus T3132 plus the maximum duration of an attempt to establish a data link in multiframe mode.

T3119:This timer is started by the sending of a RR-CELL CHANGE ORDER message and is normally stopped when the MS has correctly accessed the new cell. Its purpose is to keep the old channels sufficiently long for the MS to be able to return to the old channels, and to release the channels if the MS is lost. Its value is network dependent.NOTE: It could be higher than the maximum transmission time of the RR_CELL CHANGE ORDER, plus T3134, plus the maximum duration of an attempt to establish a data link in multiframe mode.

T3141:This timer is started when a temporary block flow is allocated with an IMMEDIATE ASSIGNMENT message during a packet access procedure. It is stopped when the mobile station has correctly seized the temporary block flow. Its value is network dependent.