
Saturday, September 22, 2012

Threats and Forcing SMS delay

Following my article France Car Shootings and Mobile Evidence http://www.trewmte.blogspot.co.uk/2012/09/france-car-shootings-and-mobile-evidence.html an investigator, previously working with a well-known cellular and fixed network manufacturer, confirmed to me the results of an internal forensics investigation which he conducted.


An employee had made threats to a Director. The employee had been found to use a 'prepaid SIM' card to send the threat messages, but had added a delay period of 2 hours for the sent messages. The employee then switched OFF the handset and inserted the company SIM card into the same handset which had previously held the prepaid SIM that had sent the threat messages. The handset with the company SIM card in it was then switched ON; the employee claimed not to have been responsible for the threats sent from a different IMSI (SIM card). The intention of the employee was to mask any connection with the threats. However, tracing the IMSIs of the prepaid SIM card and the company SIM card found both to have been operating in the same handset (IMEI). Such a trace can be made from enquiries of network databases such as BTS, HLR etc. Moreover, with the high volume of text messages sent and received whilst roaming, there is also trace capability by interrogating CAMEL.
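As an added illustration (not code from the original post or from the investigator's report), the following Python script shows how the IMEI/IMSI linkage described above can be reconstructed from network records, and how a deferred-delivery SMS shows up as a gap between submission and delivery. The record layout, helper names, IMSIs, IMEIs and timestamps are all constructed for the example; a real HLR/MSC/SMSC export has its own schema.

```python
"""Link IMSIs through a shared IMEI and reconstruct SMS submission-to-delivery delay.

Added illustration, not code from the original post.  Record layout, helper
names and all identifier values below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample of network-side events modelled on the scenario in the
# post: a prepaid SIM (IMSI ...0001) submits an SMS with a deferred delivery
# time, the handset is switched off, and the company SIM (IMSI ...0002) is
# attached in the same handset (same IMEI).  The third IMSI/IMEI pair is an
# unrelated subscriber included as a control.
SAMPLE_EVENTS = [
    # timestamp (UTC),       event,             IMSI,              IMEI,              extra
    ("2012-09-20T08:55:00", "LOCATION_UPDATE", "234150000000001", "356938035643809", ""),
    ("2012-09-20T09:00:00", "SMS_SUBMIT",      "234150000000001", "356938035643809", "deferred=PT2H"),
    ("2012-09-20T09:03:00", "IMSI_DETACH",     "234150000000001", "356938035643809", ""),
    ("2012-09-20T09:05:00", "IMSI_ATTACH",     "234150000000002", "356938035643809", ""),
    ("2012-09-20T11:00:00", "SMS_DELIVER",     "234150000000001", "",                "to=234150000009999"),
    ("2012-09-20T12:30:00", "LOCATION_UPDATE", "234150000000003", "490154203237518", ""),
]


def parse_event(row):
    """Turn one raw tuple into a dict; an empty IMEI field (e.g. an SMSC
    delivery record that has no radio leg) becomes None."""
    ts, event, imsi, imei, extra = row
    return {"ts": datetime.fromisoformat(ts), "event": event,
            "imsi": imsi, "imei": imei or None, "extra": extra}


def imsis_per_imei(events):
    """Return {imei: {imsi: (first_seen, last_seen)}} over events carrying an IMEI."""
    seen = defaultdict(dict)
    for e in events:
        if e["imei"] is None:
            continue
        first, last = seen[e["imei"]].get(e["imsi"], (e["ts"], e["ts"]))
        seen[e["imei"]][e["imsi"]] = (min(first, e["ts"]), max(last, e["ts"]))
    return seen


def shared_handsets(events):
    """IMEIs that carried more than one IMSI, each with its IMSIs ordered by
    first use.  A handset that switches from one SIM to another shows up here."""
    out = {}
    for imei, imsis in imsis_per_imei(events).items():
        if len(imsis) > 1:
            out[imei] = sorted(imsis, key=lambda i: imsis[i][0])
    return out


def sms_delays(events):
    """Pair each SMS_DELIVER with the latest earlier SMS_SUBMIT from the same
    IMSI and return (submit_ts, deliver_ts, delay_seconds) triples.  A large
    gap between submit and deliver is what a deferred-delivery setting looks
    like in the records."""
    out = []
    for d in events:
        if d["event"] != "SMS_DELIVER":
            continue
        earlier = [s for s in events if s["event"] == "SMS_SUBMIT"
                   and s["imsi"] == d["imsi"] and s["ts"] <= d["ts"]]
        if earlier:
            latest = max(earlier, key=lambda s: s["ts"])
            out.append((latest["ts"], d["ts"], (d["ts"] - latest["ts"]).total_seconds()))
    return out


if __name__ == "__main__":
    events = [parse_event(r) for r in SAMPLE_EVENTS]
    for imei, imsis in shared_handsets(events).items():
        print(f"IMEI {imei} used by IMSIs {imsis}")
    for submit, deliver, delay in sms_delays(events):
        print(f"SMS submitted {submit} delivered {deliver}: {delay / 3600:.1f} h later")
```

On the constructed sample the script reports one handset carrying both IMSIs, in the order prepaid then company SIM, and a two-hour gap between the SMS submission and its delivery; the unrelated subscriber never appears in the shared-handset output.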

There is also useful data that can be obtained for linking with cell site analysis (CSA), which is a bonus, although there appears to be some confusion occurring in the US at the moment as to the value of CSA evidence http://www.forensicfocus.com/Forums/viewtopic/t=9679/ and how the material may be applied on a case by case basis. I am not convinced that licensed operators, with cellular networks as highly developed as they are in the US, simply could not/would not have sufficient call record/cell data available to know what is happening when an MS has been active in their networks: the arrangement at a particular mast (cell tower) as used by an MS, the configuration of the radio network operating at the time an MS has been used, and so on.

Monday, November 01, 2010

Location Update (LU) and Cell Site Analysis (CSA)


Heine, G. refers to the model: "An MS performs LU on several occasions: every time it changes the location area, periodically, when a periodic location update is active, or with IMSI attach/ detach switched on at the time when it is subsequently turned on again."

That statement compresses, and so hides, a considerable body of mobile activity. Importantly, cell site analysis (CSA) suffers when students and practitioners fail to appreciate the depth of knowledge and understanding needed to take Location Update into account when conducting CSA. The following may assist students and practitioners with a simplified operational background to the events that take place during a Location Update (LU):

The MS requests a control channel from the BSC. The BTS decodes the CHAN_REQ, calculates the distance between MS and BTS (timing advance), and forwards all this information to the BSC. Please note that the CHAN_REQ already indicates which service the MS requests (Location Update, in this case).

After the CHAN_RQD (the Abis-side message in which the BTS forwards the channel request) is received and processed, the BSC informs the BTS which channel type and channel number shall be reserved (CHAN_ACT).

The BTS confirms with a CHAN_ACT_ACK that it received and processed the CHAN_ACT.

The BSC sends the IMM_ASS_CMD, which activates the previously reserved channel. The BTS sends this information over an AGCH to the MS. The MS finds “its” IMM_ASS_CMD by means of the request reference, which is already contained in the CHAN_REQ.

Layer 2, the LAPDm connection is activated only now. The MS sends a SABM to the BTS, which (differently from LAPD) already contains data (LOC_UPD_REQ in this case).

The BTS confirms that a LAPDm connection was established by sending a UA message, which repeats the LOC_UPD_REQ.

The BTS passes the LOC_UPD_REQ to the BSC. Although this is a transparent MM message, the BSC still processes the LOC_UPD_REQ in part, because the BSC, amongst others, requires the Mobile Station Classmark information. The BSC packs the LOC_UPD_REQ, together with the current LAC and CI, into a CL3I message (attention: the LOC_UPD_REQ from the MS contains the old LAC!) and then sends this within an SCCP CR message to the MSC. The CR message carries not only the LOC_UPD_REQ to the MSC, but also requests establishment of an SCCP connection.

If the MSC is able to provide the requested SCCP connection, then the CR is answered with a CC. A logical connection from the MS to the MSC/VLR exists from this point in time on. The MSC/VLR answers the LOC_UPD_REQ with an AUTH_REQ. This message is conveyed to the BSC via the established SCCP connection.

BSC and BTS transparently forward the AUTH_REQ to the MS. Its most important content is the random number parameter (RAND). The MS (more precisely, the SIM) calculates the result SRES by feeding RAND and Ki into the algorithm A3, then transparently sends SRES in an AUTH_RSP message to the MSC/VLR. The VLR compares SRES with the value provided by the HLR.

The MSC/VLR switches on ciphering if the result of the authentication is correct. For this purpose, the MSC/VLR sends information to both the MS and the BTS.

The BTS extracts its part from the ENCR_CMD message, which is Kc, and sends the rest in a CIPH_MOD_CMD message to the MS. The CIPH_MOD_CMD message contains only the information on which cipher algorithm (A5/X) shall be used. The MS confirms, by sending a CIPH_MOD_COM message, that ciphering has been activated.

If Equipment Check is active, then the MSC/VLR requests the MS to provide its IMEI. This is done in an IDENT_REQ message, which is transparent for the BSS. Please note that the IDENT_REQ message can also be used to request the TMSI or the IMSI. The equipment check may be performed at almost any time during the scenario; in other words, it is not tied to this point in the scenario.

The MS transparently transmits its IMEI in an IDENT_RSP message to the MSC/VLR, where it is checked against the EIR to determine whether that equipment is registered as stolen or not approved.

The MSC/VLR assigns a TMSI, which is used instead of the IMSI in order to make tracking of subscribers more difficult. TMSI_REAL_CMD is also a transparent message between MSC/VLR and MS. The most important content of this message is the new TMSI. Please note that the assignment of a TMSI may also take place at the end within the LOC_UPD_ACC.

The MS confirms with a TMSI_REAL_COM that the new TMSI was received and stored. If the new TMSI is assigned with a LOC_UPD_ACC, then the TMSI_REAL_COM is obviously sent only after the LOC_UPD_ACC.

Sending of the transparent LOC_UPD_ACC message confirms that the MSC/VLR has stored the new Location Area (LAI). This concludes the Location Update process. The control channel that was occupied on the Air-interface has to be released after the Location Update scenario has ended. For this purpose, the MSC sends the CLR_CMD message to the BSC. The BSC passes this command in a CHAN_REL to the BTS, which passes it to the MS. By sending a DEACT_SACCH, the BSC requests the BTS to cease sending SACCH messages (SYS_INFO 5/6). The MS reacts to receiving a CHAN_REL message by sending a DISC (LAPDm).

This requests the BTS to release its Layer 2 connection. The BTS confirms release of the Layer 2 connection by sending a UA message. Towards the BSC, the BTS confirms release of the Air-interface connection by sending a REL_IND message. The BSC forwards this acknowledgment in a CLR_CMP to the MSC. The BSC requests the TRX in an RF_CHAN_REL to release the occupied resources on the Air-interface. RLSD requests release of the SCCP resources.

RF_CHAN_REL_ACK confirms release on the Air-interface. RLC confirms release of the SCCP resources.
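The authentication and ciphering steps of the scenario above (AUTH_REQ/AUTH_RSP, ENCR_CMD, CIPH_MOD_CMD/CIPH_MOD_COM), as an added example that is neither code from the original post nor from Heine's book: a Python simulation of the AuC, MSC/VLR and SIM roles. A3 and A8 are operator-specific algorithms; here HMAC-SHA256 truncated to a 32-bit SRES and a 64-bit Kc stands in for them (an assumption made for the example), and every IMSI and Ki value is constructed. The point it makes visible is that Ki never crosses the air interface or the A-interface: only RAND and SRES do, and a SIM holding the wrong Ki fails authentication while a SIM holding the right one ends up sharing Kc with the BTS.

```python
"""Simulated GSM challenge-response (AUTH_REQ / AUTH_RSP) and ciphering set-up.

Added illustration only.  A3/A8 are operator-specific; HMAC-SHA256 truncated
to a 32-bit SRES and a 64-bit Kc stands in for them here.  Identifiers and
keys are constructed.
"""
import hashlib
import hmac
import secrets


def a3(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A3: 32-bit signed response from Ki and RAND."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A8: 64-bit cipher key Kc from Ki and RAND."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


class AuC:
    """HLR/AuC: the only network element holding Ki.  It hands the VLR a
    triplet (RAND, SRES, Kc); Ki itself never leaves the AuC."""
    def __init__(self, ki_by_imsi):
        self._ki = dict(ki_by_imsi)

    def triplet(self, imsi, rand=None):
        rand = rand if rand is not None else secrets.token_bytes(16)
        ki = self._ki[imsi]
        return rand, a3(ki, rand), a8(ki, rand)


class SIM:
    """Subscriber side: Ki is confined to the SIM; only SRES goes over the air."""
    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki

    def run_gsm_algorithm(self, rand):
        return a3(self._ki, rand), a8(self._ki, rand)


class MSC_VLR:
    """MSC/VLR: sends AUTH_REQ(RAND), checks AUTH_RSP(SRES) against the AuC's
    value, then passes Kc to the BTS in ENCR_CMD and names the A5 algorithm
    to the MS in CIPH_MOD_CMD."""
    def __init__(self, auc):
        self.auc = auc
        self.bts_kc = {}      # Kc handed to the BTS per IMSI (ENCR_CMD)
        self.log = []         # trace of what was sent over the interfaces

    def location_update(self, sim, rand=None):
        rand, sres_expected, kc = self.auc.triplet(sim.imsi, rand)
        self.log.append(("AUTH_REQ", rand.hex()))
        sres, kc_ms = sim.run_gsm_algorithm(rand)   # MS answers with SRES only
        self.log.append(("AUTH_RSP", sres.hex()))
        if not hmac.compare_digest(sres, sres_expected):
            self.log.append(("AUTH_REJ", ""))
            return {"authenticated": False}
        self.bts_kc[sim.imsi] = kc                   # ENCR_CMD carries Kc to the BTS
        self.log.append(("CIPH_MOD_CMD", "A5/1"))    # MS learns only the algorithm
        self.log.append(("CIPH_MOD_COM", ""))
        # The MS derived its own Kc on the SIM; it matches the BTS's copy iff Ki matched.
        return {"authenticated": True, "kc_matches": kc == kc_ms}


if __name__ == "__main__":
    ki = bytes(range(16))                            # constructed Ki
    vlr = MSC_VLR(AuC({"234150000000001": ki}))
    print(vlr.location_update(SIM("234150000000001", ki)))
    print(vlr.location_update(SIM("234150000000001", bytes(16))))   # wrong Ki
    print(vlr.log)
```

Nothing in `vlr.log` ever contains Ki; a reader can confirm from the trace that a SIM with a mismatched Ki produces a different SRES and is rejected before any ciphering command is issued.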

Friday, June 18, 2010

UTRAN & GERAN 3G Inter-PLMN Handover

The subscriber's home network is France. The visited network where the subscriber is registered in a VLR (Visitor Location Register) is Germany. The signalling connection between HLR (Home Location Register) and VLR is indicated by dotted lines. The calls for the subscriber are controlled by the MSC collocated to the VLR where the subscriber is registered. This MSC (Mobile Services switching Centre) is called "anchor MSC".


Handover to a different MSC may occur if the cell serving the subscriber after handover is not controlled by the anchor MSC. This MSC is called the "serving MSC". Even after the call has been handed over to a different MSC, the call control function remains in the anchor MSC. The signalling connection and circuit switched connection established between anchor MSC and serving MSC are indicated by a solid line.


When the French subscriber registered in a German network roams near the border to the Netherlands, inter-PLMN handover may occur. In this case a Dutch network is the target network. After handover, the anchor MSC located in a German network continues to control the call. The German network remains the visited network where the subscriber is registered. The subscriber's location information stored in the HLR remains unchanged. The signalling and circuit switched connections between the anchor MSC and the previously serving MSC in the German network will be released when the User Equipment (UE) is served by a cell within a Dutch network. The Dutch network becomes the serving network. From the Dutch network the subscriber may be handed over to a Belgian network (see Figure 1).


It is noteworthy that a problem exists for mobile users when commuting across national borders. Whilst manual network selection may be used to ensure that the user can select the HPLMN (Home PLMN) / EHPLMN (Equivalent Home PLMN), many users use Automatic Selection mode, and in automatic mode the ME is only permitted to select PLMNs of a higher priority within the same country. This leads to the situation that, having crossed back into its home country and within HPLMN coverage, an ME might remain camped on the VPLMN in the adjacent territory.


As a consequence, the user will be charged international roaming rates for all calls made or received until such time as an MS either:


(a) moves out of VPLMN coverage or

(b) manually selects the HPLMN.


Note: power cycling the ME does not solve the problem because the mobile will look for the RPLMN (Roaming-PLMN). The reference to ME is in fact also a reference to the 3G UE (User Equipment).
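The border case just described, as an added Python illustration that is not 3GPP or operator code: a small model of PLMN selection that implements only the rule stated in the post (in automatic mode the ME moves only to a higher-priority PLMN of the same country as the one it is registered on, and on power-up it tries the RPLMN first). The country codes are real, the MNC values and network names are placeholders, and the function and scenario names are this example's own.

```python
"""Automatic vs manual PLMN selection at a border, as the post describes it.

Added illustration, not 3GPP or operator code.  Only the rule stated in the
post is modelled; MNC values and network names are placeholders.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Plmn:
    mcc: str     # mobile country code, e.g. "208" France, "206" Belgium
    mnc: str     # mobile network code (placeholder values here)
    name: str


HPLMN_FR = Plmn("208", "01", "home-FR")         # the subscriber's home network
VPLMN_BE = Plmn("206", "01", "visited-BE")      # a network across the border


def select_plmn(rplmn: Optional[Plmn], available, hplmn: Plmn,
                mode: str = "automatic", priority=None) -> Optional[Plmn]:
    """Return the PLMN the ME ends up camped on.

    rplmn     - the registered PLMN, which the ME tries first (also after a power cycle)
    available - PLMNs currently receivable
    priority  - ordered preference list; defaults to [hplmn]
    """
    priority = list(priority) if priority else [hplmn]
    rank = {p: i for i, p in enumerate(priority)}
    worst = len(priority)

    if mode == "manual":
        # The user picks the HPLMN explicitly; keep the RPLMN if the HPLMN is out of range.
        return hplmn if hplmn in available else rplmn

    if rplmn is not None and rplmn in available:
        # Still in RPLMN coverage: only a better-ranked PLMN *of the same country* may displace it,
        # so an HPLMN across the border is ignored even when it is receivable.
        better = [p for p in available
                  if p.mcc == rplmn.mcc and rank.get(p, worst) < rank.get(rplmn, worst)]
        return min(better, key=lambda p: rank[p]) if better else rplmn

    # RPLMN coverage lost: take the best-ranked available PLMN, else any.
    for p in priority:
        if p in available:
            return p
    return next(iter(available), None)


def border_scenario():
    """The situation in the post: a French subscriber registered on a Belgian
    VPLMN comes back into France while Belgian coverage still reaches across."""
    both = {HPLMN_FR, VPLMN_BE}
    return {
        "automatic, both receivable": select_plmn(VPLMN_BE, both, HPLMN_FR),
        "after power cycle": select_plmn(VPLMN_BE, both, HPLMN_FR),      # RPLMN tried first again
        "manual selection": select_plmn(VPLMN_BE, both, HPLMN_FR, mode="manual"),
        "VPLMN coverage lost": select_plmn(VPLMN_BE, {HPLMN_FR}, HPLMN_FR),
    }


if __name__ == "__main__":
    for case, plmn in border_scenario().items():
        print(f"{case:28s} -> {plmn.name}")
```

Run as a script it prints that the ME stays on the Belgian network in automatic mode and after a power cycle, and only lands on the French HPLMN when the user selects it manually or when Belgian coverage is lost; these are the four outcomes the post lists.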


These matters can have an impact when considering Roaming Cell Site Analysis and Call/Billing Records. It is therefore recommended that the 3GPP standards be reviewed to aid understanding of how UTRAN and GERAN can function under certain UE conditions, particularly when dealing with Network Selection Principles.


Thanks to 3GPP for provision of information used in this discussion.

Tuesday, April 13, 2010

UTRAN & GERAN 3G Inter-PLMN Handover

More on Cell Site Analysis: http://cellsiteanalysis.blogspot.com