Tuesday, May 28, 2013

GSM Measurement Report/Response

A response I made to a question raised at Forensic Focus included the remark relting to a measurement report "(MEAS_RES/MEAS_REP message)" http://www.forensicfocus.com/Forums/viewtopic/t=10600/

I referred to this measurement report as it provide useful information in realtime. Knowledge of its existent and the content it holds is very useful for track and trace, law interception and historcially looking back at a switched ON mobile phones profiles returned to the mobile network based upon its particular location at a particular time.

Measurements Reports are obtained by the network for the purposes of allocation of radio resources. The Radio Resource Management (RRM) has responsibility for communicating the necessary messages to the mobile phone. It is important, however, due to the limited resources of radio that utilising control channel requires using shortform notation to send commands in order for the receiver (the MS) to provide responses. To do this a vocabulary was created for GSM and utilised by the RRM e.g. Skip Indicator/Protocol Discriminator = 06 (relevant to handover). The SI/PD message is predefined in a mobile phone's vocabulary (look-up table) to understand messages sent to it. For MEAS_REP the shortform message sent is known as ID (Hex) 15 [binary (00010101) Decimal digits (21)]. The verbose message translated from the shortform ID (Hex) 15 command requires:

MS - > BTS send MEASurement REPort.

This means MEAS_REP transfers the current measurement results of the MS to the BTS (uplink measurements). These measurements contain the sending levels of the serving cell and neighbouring cells. [It is important to remember there is a distinction to be made between a mobile phone switched ON (idle mode and camped on a cell), one that has already registered to the network (idle mode and ready for radio resources) and one that is actively involved with the radio network using resources. In the idle mode the mobile phone in a registered state can update its position either by commands made by the network, by moving to another radio area or using the periodic update parameter to found in the SIM Card elementary file e.g. EFHPLMN.].

In the case of an active connection, a MEAS_REP is sent to the BTS every 480ms via the SACCH. The BTS forwards the MEAS_REP to the BSC, embedded in its own measurement results (MEAS_RES). [In the active state the MEAS_REP assists the network control MS handovers and power output and the MEAS_RES assist with the building blocks for track and trace of an MS to a particular groups of cells and other surveillance tasks.]

With a single meas_rep sent every 480ms whilst the the MS is in dedicated mode this is very fast timing and the combined results from a number of reports/results obtained can be used with the other processes to locate an MS down to within tens of metres of a particular location. WCDMA and LTE also have similar capability/techniques. Where GPS coordinates are also included in the returned reports to the network it is possible to improve location positioning.

Below is an analysed MEAS_RES in more detail with a MEAS_REP included that was captured using a protocol tester on the Abis-interface (BTS/BSC) of a GSM900 PLMN. This example presents a useful opportunity to see a measurement report/response and equally provides a useful primer when looking more at subscriber track and trace and set up possible target-movements for lawful surveillance and interception.

The above can assists those involved in GSM cell site analysis, enabling an investigator to define in more detail the type of content information sought from an operator; as always subject to the type of case being investigated. The above material is not definitively or precisely accurate as each operator requires variation in content reports and uses varyng methods to harvest data, so care is needed before wading in with a list of requirements.

No comments: