Saturday, January 04, 2014

Tracing Packet Switch (PS) Users

Investigations into mobile activity tend largely to concentrate on recovering data from the user handset, mast (tower) data and call records. The core network (CN) is less well understood, so picking through a GSM/3GPP standard can often assist in understanding the identity and form of tarried/ephemeral data surviving in a network. The standard used for this discussion is:

3GPP TS 25.413 V12.0.0 (2013-12)
3rd Generation Partnership Project;
Technical Specification Group Radio Access Network;
UTRAN Iu interface
Radio Access Network Application Part (RANAP) signalling
(Release 12)

Now, with an investigation underway, initial enquiries lead to an active smartphone user operating in the packet switched (PS) domain. The target under surveillance requires the investigator to combine visual logs and the use of the handset. Unlike CS, packet data communications require a range of information, but for the purposes of the current investigation (understanding the services being used and the geographical area where services are being obtained) the trainee investigator can start with understanding what can be learned from:

Cell ID - Cell Identity
C-ID - Common Identity
IMEI - International Mobile Equipment Identity
IMSI - International Mobile Subscriber Identity
IPAddress - Internet Protocol Address
SAI - Service Area Identifier
SAP - Service Access Point
LAI - Location Area Identifier
RNC - Radio Network Controller
RNS - Radio Network Subsystem

Some examples of trainee investigation elements for consideration:

Para 8.16.1

The purpose of the Common ID procedure is to inform the RNC about the permanent NAS UE Identity (i.e. IMSI) of a user. This is used by the RNC e.g. to create a reference between the permanent NAS UE identity of the user and the RRC connection of that user for UTRAN paging co-ordination. The procedure may also be used to provide the SNA Access Information IE to the RNC or to provide the Management Based MDT Allowed IE to the RNC or to provide the Management Based MDT PLMN List IE to the RNC.
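As an added example (not part of the original post or of the specification text), the sketch below turns identifier octets into readable values: the IMSI carried by the Common ID procedure and the PLMN, LAC and SAC parts of an SAI. It assumes a protocol analyser has already extracted the field octets from the PER-encoded RANAP message and that the fields use the two-digits-per-octet TBCD layout with a 1111 filler; the function names and all sample bytes are constructed for illustration.

```python
# Added example: decode identifier octets exported from a RANAP trace.
# Assumption: field values were already extracted by a protocol analyser.
# Assumption: TBCD layout, low nibble = first digit, 0xF = filler nibble.
FILLER = 0xF

def tbcd_digits(octets: bytes) -> list:
    """Return nibbles in digit order: bits 4-1 first, then bits 8-5."""
    nibbles = []
    for b in octets:
        nibbles.extend((b & 0x0F, b >> 4))
    return nibbles

def decode_imsi(octets: bytes) -> str:
    """IMSI field: 3..8 octets; a filler is only valid as the last nibble."""
    if not 3 <= len(octets) <= 8:
        raise ValueError("IMSI must be 3 to 8 octets")
    nibbles = tbcd_digits(octets)
    if nibbles[-1] == FILLER:
        nibbles.pop()
    if any(n > 9 for n in nibbles):
        raise ValueError("non-decimal nibble inside IMSI")
    return "".join(str(n) for n in nibbles)

def decode_plmn(octets: bytes) -> tuple:
    """PLMN: 3 MCC digits, then filler + 2 MNC digits or 3 MNC digits."""
    if len(octets) != 3:
        raise ValueError("PLMN identity must be 3 octets")
    n = tbcd_digits(octets)
    mcc, mnc = n[:3], n[3:]
    if mnc[0] == FILLER:
        mnc = mnc[1:]
    if any(d > 9 for d in mcc + mnc):
        raise ValueError("non-decimal nibble inside PLMN identity")
    return "".join(map(str, mcc)), "".join(map(str, mnc))

def decode_sai(plmn: bytes, lac: bytes, sac: bytes) -> dict:
    """SAI = PLMN identity + LAC (2 octets) + SAC (2 octets)."""
    if len(lac) != 2 or len(sac) != 2:
        raise ValueError("LAC and SAC must be 2 octets each")
    mcc, mnc = decode_plmn(plmn)
    return {"mcc": mcc, "mnc": mnc,
            "lac": int.from_bytes(lac, "big"), "sac": int.from_bytes(sac, "big")}

# Constructed samples using the test network code 001/01 (not real trace data).
SAMPLE_IMSI = bytes.fromhex("00010121436587f9")
SAMPLE_SAI = (bytes.fromhex("00f110"), bytes.fromhex("1a2b"), bytes.fromhex("0064"))
if __name__ == "__main__":
    print(decode_imsi(SAMPLE_IMSI))
    print(decode_sai(*SAMPLE_SAI))
```

The leading digits of the decoded IMSI repeat the MCC and MNC of the home network, which lets an examiner tell a roaming terminal from a home subscriber by comparing them with the PLMN in the SAI.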

Para 8.17.2

If Trace Collection Entity IP Address IE is included and if the MDT Configuration IE is also included then the RNC shall, if supported, store the Trace Collection Entity IP address and use it when transferring Trace records, otherwise if MDT Configuration IE is not included, the RNC may use the Trace Collection Entity IP address when transferring trace records.

Para 8.35.2

When the transferred information in the Information Transfer Type IE relates to a Trace Session in the RNC, the Trace Activation Indicator IE indicates whether the Trace Session identified by the Trace Reference IE is activated or deactivated in the RNC. In case the Trace Session is activated, the Equipments To Be Traced IE gives the Equipment Identity of the UEs that the RNC has to trace. If the Trace Recording Session Reference IE, Trace Collection Entity IP Address IE, the IMSI IE and optionally the Serving Cell Identifier IE are included in the message, the CN shall take the information into account for anonymization of MDT data (TS 32.422 [10]).

The purpose of this brief discussion is to illustrate that mobile networks naturally hold surviving data in the network for a range of reasons: to enable the network to have a uniform approach for the objective of operational performance, enquiry and, equally, to trace user terminals and roaming user terminals active in or obtaining services from a network.