
Monday, June 04, 2012

CSA - R&TTE Directive

The R&TTE Directive applies to telecommunications and radio equipment and is therefore relevant to examiners and advisors involved with forensics and evidence:

Directive 1999/5/EC of the European Parliament and of the Council of 9 March 1999 on radio equipment and telecommunications terminal equipment and the mutual recognition of their conformity....
[Official Journal L 091 , 07/04/1999 P. 0010 - 0028]
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31999L0005:EN:HTML

In fact it is inescapable that an examiner / advisor will at some stage have to make reference to R&TTE, given the scope of the work involved in CSA (cell site analysis).


The Directive sets out the Essential Requirements, which member states must follow and which in turn place obligations on network operators and manufacturers placing or using equipment in a member state governed by the principles in the Directive.

Article 3
Essential requirements
1. The following essential requirements are applicable to all apparatus:
(a) the protection of the health and the safety of the user and any other person, including the objectives with respect to safety requirements contained in Directive 73/23/EEC, but with no voltage limit applying;
(b) the protection requirements with respect to electromagnetic compatibility contained in Directive 89/336/EEC.
2. In addition, radio equipment shall be so constructed that it effectively uses the spectrum allocated to terrestrial/space radio communication and orbital resources so as to avoid harmful interference.
3. In accordance with the procedure laid down in Article 15, the Commission may decide that apparatus within certain equipment classes or apparatus of particular types shall be so constructed that:
(a) it interworks via networks with other apparatus and that it can be connected to interfaces of the appropriate type throughout the Community; and/or that
(b) it does not harm the network or its functioning nor misuse network resources, thereby causing an unacceptable degradation of service; and/or that
(c) it incorporates safeguards to ensure that the personal data and privacy of the user and of the subscriber are protected; and/or that
(d) it supports certain features ensuring avoidance of fraud; and/or that
(e) it supports certain features ensuring access to emergency services; and/or that
(f) it supports certain features in order to facilitate its use by users with a disability.

The connection to CSA initially comes by way of harmonised standards (ENs) defining the radio requirements that equipment must conform to across EEC (EU) member states. That is, conformance is intended to act as an enabler for the EEC (EU) principles of free movement of goods and the reduction and removal of the trade barriers that mandatory national regulation would otherwise create.

Such an example can be immediately demonstrated by reference to:
*The Radio Equipment and Telecommunications Terminal Equipment Regulations 2000 No. 730 PART II
http://www.legislation.gov.uk/uksi/2000/730/part/II/made
http://www.legislation.gov.uk/uksi/2000/730/pdfs/uksi_20000730_en.pdf

*It should be noted that this UK Regulation applies a different numbering sequence when referencing the Essential Requirements

The European Telecommunications Standards Institute (ETSI) has translated the Essential Requirements in the Directive and modularised them, in order to enable standards to be produced that create a level playing field for conformance while still allowing innovation and variation in the function and technique by which conformance is achieved.



In practice the modularised structure ((c) ETSI 2000-2003) defines the modules against which standards have been produced. Module 3.2 (effective use of spectrum) is immediately discernible as relevant to CSA, so examiners performing CSA should be aware of it. The other modules play an important part in various aspects of CSA and mobile phone investigations too, but the focus of this discussion is CSA, using the illustration without being verbose on every subject it refers to. The relevance to CSA is this: were device conformance to the standards not achieved, and were the device to fail technical scrutiny and assessment, the wireless device would be unlikely to be permitted to make and receive mobile communications (V/D/F).

To this extent, the spectrum module and the standards associated with it directly relate to defining, in radio terms, the use of aspects of the laws of physics, and through setting requirements for radio signalling they allow real-world realisation of the commodities that can bring, such as voice and data communications. The standards, underpinned by conformance tests, actually define voice and data communications and the expectation of their performance. Were that not possible, translating activity in the ether to the physical world would not allow interconnection; nor the use of SS7 or mobile SCCP; nor a very primary form of evidence noted by the mobile academic author Heine, G, whose illustrated model ((c) 1998) relating to CaPD and CdPD (calling party address and called party address) is seen in the image below. That interconnection record of a call or, at minimum, of an attempt at a call (0-second duration etc.) is vitally important for CSA and mobile investigations.


Finally, the above discusses merely a grain of sand relating to technical realisation and end-point evidence. Applying the same focus to other aspects can (for forensics, evidence and mobile phone investigation) uncover a rich seam of material that can equally be applied to discerning how events may have occurred: (unlawful) interception in the course of transmission, signal jamming, voicemail hacking, fake and bogus mobile communications, mobile location tracing, and so on. Each of these can be profiled and traced through an understanding of what is happening when radio signals are used in mobile communications and of the impact on the sending/receiving device.

Monday, November 01, 2010

Location Update (LU) and Cell Site Analysis (CSA)


Heine, G, referred to the model: "An MS performs LU on several occasions: every time it changes the location area, periodically, when a periodic location update is active, or with IMSI attach/detach switched on at the time when it is subsequently turned on again."

That statement compresses, and thus hides, a considerable body of mobile activity. Cell site analysis (CSA) suffers when students and practitioners fail to appreciate the depth of knowledge and understanding of Location Update that is needed when conducting CSA. The following simplified operational walk-through of the events that take place during a Location Update (LU) may assist students and practitioners:

The MS requests a control channel by sending a CHAN_REQ. The BTS decodes the CHAN_REQ, calculates the distance MS <-> BTS (timing advance), and forwards all this information to the BSC in a CHAN_RQD. Please note that the CHAN_REQ already indicates which service the MS requests (Location Update, in this case).

After the CHAN_RQD is received and processed, the BSC informs the BTS which channel type and channel number shall be reserved (CHAN_ACT).

The BTS confirms with a CHAN_ACT_ACK that it received and processed the CHAN_ACT.

The BSC sends the IMM_ASS_CMD, which activates the previously reserved channel. The BTS sends this information over an AGCH to the MS. The MS finds “its” IMM_ASS_CMD by means of the request reference, which is already contained in the CHAN_REQ.

Layer 2, the LAPDm connection, is activated only now. The MS sends a SABM to the BTS, which (differently from LAPD) already contains data (LOC_UPD_REQ in this case).

The BTS confirms that a LAPDm connection was established by sending an UA message, which repeats the LOC_UPD_REQ.

The BTS passes the LOC_UPD_REQ to the BSC. Although this is a transparent MM message, the BSC still processes the LOC_UPD_REQ in part, because the BSC, amongst other things, requires the Mobile Station Classmark information. The BSC packs the LOC_UPD_REQ, together with the current LAC and CI, into a CL3I message (attention: the LOC_UPD_REQ from the MS contains the old LAC!) and then sends this within an SCCP CR message to the MSC. The CR message not only carries the LOC_UPD_REQ to the MSC, but also requests establishment of an SCCP connection.

If the MSC is able to provide the requested SCCP connection, then the CR is answered with a CC. A logical connection from the MS to the MSC/VLR exists from this point on. The MSC/VLR answers the LOC_UPD_REQ with an AUTH_REQ. This message is conveyed to the BSC via the established SCCP connection.

BSC and BTS transparently forward the AUTH_REQ to the MS. Its most important content is the random number parameter (RAND). The MS (more precisely the SIM) calculates the result SRES by feeding RAND and Ki into the algorithm A3, then transparently sends SRES in an AUTH_RSP message to the MSC/VLR. The VLR compares SRES with the value provided by the HLR.

The MSC/VLR switches on ciphering if the result of the authentication is correct. For this purpose, the MSC/VLR sends information to both the MS and the BTS.

The BTS extracts its part from the ENCR_CMD message, which is Kc, and sends the rest in a CIPH_MOD_CMD message to the MS. The CIPH_MOD_CMD message only contains the information on which cipher algorithm (A5/X) shall be used. The MS confirms, by sending a CIPH_MOD_COM message, that ciphering was activated.

If Equipment Check is active, then the MSC/VLR requests the MS to provide its IMEI. This is done in an IDENT_REQ message, which is transparent for the BSS. Please note that the IDENT_REQ message also allows the TMSI or the IMSI to be requested. The equipment check may be performed at almost any time during the scenario; in other words, it is not tied to this point in the scenario.

The MS transparently transmits its IMEI in an IDENT_RSP message to the MSC/VLR, where it is checked by means of the EIR whether that equipment is registered as stolen or not approved.

The MSC/VLR assigns a TMSI, which is used instead of the IMSI in order to make tracking of subscribers more difficult. TMSI_REAL_CMD is also a transparent message between MSC/VLR and MS. The most important content of this message is the new TMSI. Please note that the assignment of a TMSI may also take place at the end within the LOC_UPD_ACC.

The MS confirms with a TMSI_REAL_COM that the new TMSI was received and stored. If the new TMSI is assigned with a LOC_UPD_ACC, then the TMSI_REAL_COM is obviously sent only after the LOC_UPD_ACC.

Sending the transparent LOC_UPD_ACC message confirms that the MSC/VLR has stored the new Location Area (LAI). This concludes the Location Update process. The control channel that was occupied on the Air-interface has to be released after the Location Update scenario has ended. For this purpose, the MSC sends the CLR_CMD message to the BSC. The BSC passes this command in a CHAN_REL to the BTS, which passes it to the MS. By sending a DEACT_SACCH, the BSC requests the BTS to cease sending SACCH messages (SYS_INFO 5/6). The MS reacts to receiving a CHAN_REL message by sending a DISC (LAPDm).

This requests the BTS to release its Layer 2 connection. The BTS confirms release of the Layer 2 connection by sending a UA message. Towards the BSC, the BTS confirms release of the Air-interface connection by sending a REL_IND message. The BSC forwards this acknowledgment in a CLR_CMP to the MSC. The BSC requests the TRX in an RF_CHAN_REL to release the occupied resources on the Air-interface. RLSD requests release of the SCCP resources.

RF_CHAN_REL_ACK confirms release on the Air-interface. RLC confirms release of the SCCP resources.
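The whole Location Update exchange above, modelled as an added worked example (this is not code from the post or from Heine's book). It walks the message sequence in order and records, per interface, the parameters an examiner cares about: the old LAC carried in the LOC_UPD_REQ versus the current LAC/CI that the BSC adds in the CL3I, the RAND/SRES pair, Kc going only as far as the BTS, the TMSI reallocation, and the new LAI stored in the VLR on LOC_UPD_ACC. Assumptions: A3/A8 are replaced by an HMAC-SHA256 stand-in (the real algorithms are operator specific), messages are plain dicts rather than GSM 04.08 frames, and on authentication or EIR failure the MSC is assumed to send a LOC_UPD_REJ and release, a path the post does not describe.

```python
"""Simplified GSM Location Update (LU) walk-through (added example, not from the post).

Stand-ins / assumptions:
  * a3a8_stub replaces A3 (SRES) and A8 (Kc): HMAC-SHA256(Ki, RAND), first 4 bytes
    SRES, next 8 bytes Kc. Used identically on the SIM side and the HLR/AuC side.
  * Messages are (interface, name, params) tuples; names follow the post.
  * LOC_UPD_REJ on failed authentication / EIR check is an assumption.
"""
from __future__ import annotations
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def a3a8_stub(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """Stand-in for A3/A8 (not the real algorithms): returns (SRES, Kc)."""
    d = hmac.new(ki, rand, hashlib.sha256).digest()
    return d[:4], d[4:12]


@dataclass
class MobileStation:
    imsi: str
    ki: bytes            # secret on the SIM
    imei: str
    old_lac: int         # LAC of the area the MS was last registered in
    classmark: str = "CM1"


@dataclass
class Cell:
    lac: int
    ci: int


@dataclass
class MscVlr:
    hlr_keys: dict                            # imsi -> Ki as held by the HLR/AuC
    vlr: dict = field(default_factory=dict)   # imsi -> {"lac", "ci", "tmsi"}
    eir_blacklist: set = field(default_factory=set)
    next_tmsi: int = 0x1000


def message_names(trace: list[tuple[str, str, dict]]) -> list[str]:
    return [name for _, name, _ in trace]


def run_location_update(ms: MobileStation, cell: Cell, net: MscVlr) -> list[tuple[str, str, dict]]:
    """Run one LU attempt and return the signalling trace."""
    t: list[tuple[str, str, dict]] = []

    # Channel request / immediate assignment (Um = air interface, Abis = BTS-BSC, A = BSC-MSC)
    ref = 0x2A                                   # request reference used to match IMM_ASS_CMD
    t.append(("Um",   "CHAN_REQ",     {"cause": "LU", "ref": ref}))
    t.append(("Abis", "CHAN_RQD",     {"ref": ref, "timing_advance": 3}))
    t.append(("Abis", "CHAN_ACT",     {"chan": "SDCCH/8", "number": 1}))
    t.append(("Abis", "CHAN_ACT_ACK", {}))
    t.append(("Um",   "IMM_ASS_CMD",  {"ref": ref, "chan": "SDCCH/8"}))

    # LAPDm SABM already carries the MM message; note the OLD LAC inside it
    loc_upd_req = {"old_lac": ms.old_lac, "identity": ms.imsi, "classmark": ms.classmark}
    t.append(("Um", "SABM(LOC_UPD_REQ)", loc_upd_req))
    t.append(("Um", "UA(LOC_UPD_REQ)",   loc_upd_req))

    # BSC adds the CURRENT LAC/CI in the CL3I and opens an SCCP connection
    t.append(("A", "SCCP CR(CL3I)", {"lac": cell.lac, "ci": cell.ci, "l3": loc_upd_req}))
    t.append(("A", "SCCP CC", {}))

    # Authentication: RAND/expected SRES from the HLR side, SRES from the SIM side
    ki_hlr = net.hlr_keys.get(ms.imsi)
    if ki_hlr is None:
        t += [("Um", "LOC_UPD_REJ", {"cause": "unknown subscriber"}), ("A", "CLR_CMD", {})]
        return t
    rand = os.urandom(16)
    exp_sres, kc = a3a8_stub(ki_hlr, rand)
    t.append(("Um", "AUTH_REQ", {"rand": rand.hex()}))
    sres, _ = a3a8_stub(ms.ki, rand)
    t.append(("Um", "AUTH_RSP", {"sres": sres.hex()}))
    if not hmac.compare_digest(sres, exp_sres):
        t += [("Um", "LOC_UPD_REJ", {"cause": "auth failure"}), ("A", "CLR_CMD", {})]
        return t

    # Ciphering: Kc stops at the BTS, the MS only learns which A5/X to use
    t.append(("Abis", "ENCR_CMD",     {"kc": kc.hex(), "algo": "A5/1"}))
    t.append(("Um",   "CIPH_MOD_CMD", {"algo": "A5/1"}))
    t.append(("Um",   "CIPH_MOD_COM", {}))

    # Equipment check against the EIR
    t.append(("Um", "IDENT_REQ", {"type": "IMEI"}))
    t.append(("Um", "IDENT_RSP", {"imei": ms.imei}))
    if ms.imei in net.eir_blacklist:
        t += [("Um", "LOC_UPD_REJ", {"cause": "EIR blacklist"}), ("A", "CLR_CMD", {})]
        return t

    # TMSI reallocation, then LOC_UPD_ACC: the VLR now holds the new LAI/CI
    tmsi, net.next_tmsi = net.next_tmsi, net.next_tmsi + 1
    t.append(("Um", "TMSI_REAL_CMD", {"tmsi": tmsi}))
    t.append(("Um", "TMSI_REAL_COM", {}))
    net.vlr[ms.imsi] = {"lac": cell.lac, "ci": cell.ci, "tmsi": tmsi}
    t.append(("Um", "LOC_UPD_ACC", {"lac": cell.lac}))
    ms.old_lac = cell.lac

    # Release of air-interface and SCCP resources, in the order given in the post
    for iface, name in (("A", "CLR_CMD"), ("Abis", "CHAN_REL"), ("Abis", "DEACT_SACCH"),
                        ("Um", "DISC"), ("Um", "UA"), ("Abis", "REL_IND"), ("A", "CLR_CMP"),
                        ("Abis", "RF_CHAN_REL"), ("A", "RLSD"),
                        ("Abis", "RF_CHAN_REL_ACK"), ("A", "RLC")):
        t.append((iface, name, {}))
    return t


if __name__ == "__main__":
    # Constructed sample: MS last seen in LAC 100 camps on a cell in LAC 200
    ms = MobileStation("001010123456789", b"\x01" * 16, "490154203237518", old_lac=100)
    net = MscVlr(hlr_keys={ms.imsi: b"\x01" * 16})
    for iface, name, params in run_location_update(ms, Cell(lac=200, ci=4711), net):
        print(f"{iface:4} {name:20} {params}")
    print("VLR:", net.vlr)
```

Reading the trace side by side with the post makes the CSA point concrete: the LOC_UPD_REQ on the air interface identifies where the MS came from, while the CL3I on the A-interface is the first message that ties the subscriber to the current LAC/CI, and the VLR entry only changes once LOC_UPD_ACC has been sent.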