Saturday, May 07, 2011

GSM Radio DNA Bracelet - RACH

GSM Radio DNA Bracelet - RACH (Random Access Channel)

The logical channels set out each provide information that is of use to cell site analysis (CSA). A common misunderstanding that arises with CSA is that it has been used in evidence in such a way that only a small fraction of the information is considered. This in turn has led some to believe that CSA can be defined by a limited selection of elements. The world of CSA is far, far richer in content than those limited elements. An examiner only comes to know about the rich content having first applied him/herself to learning the symbiotic co-partnership between the science & technology and examination & forensic procedure leading to evidence & opinion.

For instance, let us accept that RACH is a GSM uplink common control channel. In that little nugget of information given by the statement there is firstly the science and technology. The technology is Global System for Mobile (communications), a digital cellular radio system. The adopted GSM system manipulates (modulates) the physical radio signals such that the physical signals, whilst analogue in nature, hold a secret inside when manipulated, which is revealed when they are de-modulated to expose the important (digital) data. Moreover, the statement 'uplink' is relevant to note, as is 'common control channel' (CCCH). There are four nominated logical control channels connected with CCCH: Paging Channel (PCH), Access Grant Channel (AGCH), Notification Channel (NCH) and, of course, RACH. The term 'common' needs clarification, too, because it identifies that the channels are common to all users (mobile users) in a geographical radio area via their handsets. 'Uplink' defines the direction in which the control channel data are transmitted.

In combination, the examination of transmitted data becomes highly significant, for it represents an action by the user's mobile phone creating the 'first' step in radio DNA evidence. A Layer 3 trace (example below), and when we say Layer 3 we are talking about RR (radio resources), identifies the access request RACH message sent to the network and a response from the network to it. The example below has been extrapolated (thus goes beyond) what would normally be seen from the raw data. The network and handset are programmed to understand each other and do not need man's convoluted and verbose explanations, but should the machinery, so to speak, need such explanation, god help us, for access to the GSM radio network would probably take three months just to camp on the network without using further resources.

Equally, for cell site analysis we need to know what information can be gleaned from RACH. The image below identifies a screen from an Ericsson handset with TEMS pocket (a radio diagnostic tool) in active mode. I will deal with the paging details in another discussion thread. 

We first see the string '0 1 4 1 0E'. The point to note is that it only contains basic GSM info and not GPRS. Had it included GPRS info the string would consist of seven different separate elements instead of five. So how do we understand the order in which the data appears?  

First element '0':  refers to Cell Barred (0: No, 1: Yes)
Second element '1': refers to Call Re-establishment (0: Allowed, 1: Not allowed)
Third element '4': refers to Max number of retransmissions (1, 2, 4, 7)
Fourth element '1': refers to Number of RACH bursts sent for the last connection (1–7)
Fifth element '0E': refers to Establishment Cause/Random Reference used in the latest RACH burst (00–FF)

The fifth element is, as referred to above, the 'first' step in radio DNA evidence. As this is generated by the user's handset it is of particular interest: it shows the examiner has an understanding of seeking out evidence from the science and technology under test, and that the data should be obtained using forensic methodology to secure unaltered data. Importantly, it illustrates to the examiner how to start to establish a link within the chain of data created by a mobile phone from when it is first switched ON, when using resources, until it is switched OFF.

The actual RACH access request generated is no more than 8 bits in length. The GSM standard TS04.08 defines the message content format as seen below:

How to interpret the access request message content for establishment cause can be found in TS04.08:

And when the mobile is answering to paging for radio resources connection establishment.
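The five-element string and the 8-bit access request described above can be decoded together. The following is an added example, not part of the original post or of TEMS: the function and field names are hypothetical, and the cause table is a partial transcription of the TS 04.08 CHANNEL REQUEST coding that assumes the cell does not set the NECI bit to 1 (three cause bits, five random-reference bits).

```python
# Added example: decode a TEMS Pocket RACH line such as '0 1 4 1 0E'.
from dataclasses import dataclass
from typing import Optional

# 3-bit establishment causes (top bits of the 8-bit access request).
# Assumption: NECI is not set to 1; other codings are reported as "Other".
CAUSES_3BIT = {
    0b101: "Emergency call",
    0b110: "Call re-establishment",
    0b100: "Answer to paging",
    0b111: "Originating call or other SDCCH procedure",
    0b000: "Location updating",
}

@dataclass
class RachInfo:
    cell_barred: bool
    reestablishment_allowed: bool
    max_retransmissions: int
    bursts_sent: int
    raw_octet: int
    cause: str
    random_reference: Optional[int]  # None when the cause width is unknown

def parse_rach_line(line: str) -> RachInfo:
    fields = line.split()
    if len(fields) == 7:
        raise ValueError("seven elements: line carries GPRS info, not decoded here")
    if len(fields) != 5:
        raise ValueError(f"expected 5 elements, got {len(fields)}")
    barred, reest, max_retx, bursts, octet_hex = fields
    if barred not in ("0", "1") or reest not in ("0", "1"):
        raise ValueError("first two elements must be 0 or 1")
    if int(max_retx) not in (1, 2, 4, 7):
        raise ValueError("max retransmissions must be 1, 2, 4 or 7")
    if not 1 <= int(bursts) <= 7:
        raise ValueError("RACH bursts sent must be 1-7")
    octet = int(octet_hex, 16)
    if not 0 <= octet <= 0xFF:
        raise ValueError("fifth element must be 00-FF")
    cause = CAUSES_3BIT.get(octet >> 5)
    if cause is None:  # NECI-dependent or packet-access coding
        return RachInfo(barred == "1", reest == "0", int(max_retx),
                        int(bursts), octet, "Other (see TS 04.08)", None)
    # Call re-establishment: 0 means allowed, 1 means not allowed.
    return RachInfo(barred == "1", reest == "0", int(max_retx),
                    int(bursts), octet, cause, octet & 0x1F)
```

For the string on the page, '0E' is binary 0000 1110, which under this assumption decodes as a location updating request with random reference 14.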

There is so much detail associated with RACH that it is possible to write a book solely dealing with this single subject. I do not have the time or luxury to put all that detail here, but I want to give you a flavour of the fact that the radio DNA evidence in the bracelet contains a gold mine of evidential information that is largely and randomly ignored and apparently seen by some as not being relevant. I wonder, with the little I have mentioned above, whether you would think the same?

In the next RACH discussion I shall open up to you more and give insight into RACH and some evidential possibilities.
