9 (1). Cellular Network Flashcards
What are the key components of a cellular network?
- MS (Mobile Station)
- BSS (Base Station Subsystem):
BTS and BSC - Network Subsystem:
MSC
Service Provider’s server:
(HLR, VLR, EIR and AUC)
What is a Mobile Station (MS)
This is the mobile device and a smart card (i.e SIM or U SIM)
What is the Base Transeiver Station (BTS)?
This is what the MS connects to when it makes a call - otherwise known as Cell Site / Cell Tower / Cell Anntennae.
Can be standalone or attached to a building.
Generally has antennae with 3 panals on each side (usually middle panel is the TRANSMITTER and the two outer ones are the RECEIVERS).
Forensically important to establish whch side of the tower the call data came from as it tells us which side of the towever the phone wasa being used on.
Generally over 200 feet high
Can contain multiple antennae operated by different service providers.
opencellid.org: a website that allows you to look up tower info, integrated with google maps and google earth.
What is the Base Station Controller (BSC)?
This controlls the BTS.
The BTS is the equipment at the cell site that facilitates communication between the cell phone user and the carrier’s network.
It manages the radio signals for BTS in terms of assigning frequencies and handoffs between cell sites.
When you move through an area your cell phone may be handled by several BTS - i.e. a handoff from one BTS to another.
There are two types of handoff: Hard and soft.
A soft handoff is when a cellular communication is CONDITIONALLY handed off from one BTS to another, and the ME is simultaneously communicating with multiple BTS’s. The handoff is conditional because the signal strength on a new BTS will be adjudicated.
A hard handoff is when the communication is only handled by one BTS at a time with no simultaneous communication.
What makes up the Base Station Subsystem (BSS)
The Base Station Subsystem is comprised of the BTS and the BSC
What is the Mobile Switching Center (MSC)?
This is the ‘brains’ of the cellular network. Contains a number of key systems operated by the cellular service provider (HLR, VLR, EIR, AUC)
What is the HLR?
HLR = Home Location Register
Another core function of MSC.
This is a central database containing details of each subscriber authorised to use the network. Handles provisioning & supplementary services
Includes, home address of user, their IMSI, their tel no. and ICCID and other services used by the provider.
What is the AUC?
AUC = Authentication Centre.
It’s function is to authenticate every sim attempting to connect to the network and to encrypt data.
Another core function of MSC. A database that contains the subscriber’s IMSI, authentication and encryption algorithms. It issues an encryption key to the subscriber which will encrypt wireless comms between the ME and the network.
What is the EIR?
EIR = Equipment Identity Register
Another core function of MSC. Used to track IMEI and used to establish if an IMEI is suspect or stolen.
Blacklist of stolen or non approved mobile devices
White list of approved devices
Grey list of monitored devices
What is a VLR?
VLR = Visitor Location Register
Temporary database of roaming subscribers using a particular area.
One VLR per BTS
One VLR per MSC
A single subscriber can only be in one HLR but can be found in multiple VLRs
The current location of a handset can be found in the VLR.
A roaming subscriber is allocated a Mobile Station Roaming Number MSRN by the VLR
Assigns a 32 bit TMSI
Communicates with the HL re movements of subscribers
Receives admin info for call control & provisioning of services available to the subscriber
What is a TMSI (Temporary Mobile Subscriber Identity)?
A TMSI is contained in the VLR and is a randonly generated number assigned to a MS by a VLR when the handset is switched on and is based on the location.
What is a SIM and UICC?
The most general term for a smart card (a micro-controller based access module) - not just for mobile communication purposes is Integrated Circuit Card (ICC)
Subscriber Identity Module (SIM) is the ICC defined for 2G GSM networks including the physical card & logical application
Universal Integrated Circuit Card (UICC) is the physical card as defined by UMTS, LTE & 5G networks
Universal Subscriber Identity Module (USIM) is the logical application as designed for the UMTS, LTE & 5G networks.
It is possible to have a number of USIM applications installed on one UICC
What does IMEI stand for & what is it?
International Mobile Equipment Identity
It is the ‘serial number’ of a mobile device handset.
It identifies the Mobile Equipment (ME) on a network:
- Used by the network operator to ensure the device is a valid piece of equipment to be allowed on the mobile network.
- Identifes the device make, model, date & country of origin
Structure of IMEI - What is a TAC?
TAC is a Type Allocation Code.
- Unique identifier that represents the first 8 digits of the device’s IMEI number.
Darren says 6 to 8 in his lecture!) - Identifies the make, model, and country of origin - agency that issued the IMEI e.g Britsh Approvals Board for Telecommunications (BABT) - not necessarily where it was manufactured.
- The first 2 digits are the reporting body identifier (e.g 35 = BABT)
35 = BABT
01 = CTIA
86 = TAF
91 = MSAI
00 = Test
98 = Reserved for future use
99 = GHA
- Digits 3 to 8 are the Mobile Equipment Model Identifier - allocated to the device manufacturer for a specific model (e.g 195000 = Siemens MC60)
Can use online sources to understand the TAC e.g. www.nobbi.com/tacquery.php and numbering plans.
Where / how can you obtain the IMEI of a device?
- May be printed on it (e.g under the battery)
- May be on a sticker on the device
- May be electronically stored - found in the device settings (e.g ‘about phone’)
- May be electronically stored - displayed by typing *#06#
- May be found on device packaging
- remember in some instances the IMEI on sticker, packaging or electronically stored may be different. This could be due to a replacement cover being fitted, the main circuit board could have been replaced or the IMEI could have been changed using software. If an IMEI is reported stolen then the network operator can block network access for that device - can be overcome by programming a new known IMEI - not usually possible with high end devices who restrict IMEI reprogramming.
Forensic Evidence from a full file system of a device: What is the MCC?
Mobile Country Code (MCC)
A three-digit code that identifies the country in which a mobile network operates.
Forensic Evidence from a full file system of a device: What is the MNC?
The Mobile Network Code (MNC) is a two- or three-digit number used in mobile telecommunications to identify a specific mobile network operator within a country. Only unique within that country
The Mobile Network Code (MNC) is a critical identifier in mobile telecommunications, used alongside the Mobile Country Code (MCC) to uniquely identify mobile network operators. It ensures that mobile devices can connect to the correct network both at home and when roaming, allowing for proper authentication, service provision, and billing.
The MCC plus the MNC is unique.
Forensic Evidence from a full file system of a device: What is the LAC?
LAC = Location Area Code (generally an area where there is a group of base stations)
Forensic Evidence from a full file system of a device: What is a CI or CID or CellID?
CI = Cell Identity.
A number assigned to a cell. Every individual cell has Cell Identity. Sometimes called CID. This can change so must verify location information
What must you consider when making data requests about a subscriber’s phone useage from the provider?
- the format of the data (spreadsheet is most useable)
- to ask the provider not to inform the subscriber of your request
- what is your lawful grounds for requesting it
- how long is the data retained for?
The SIM Card storage - how is data stored?
SIM is mini computer - with working memory (RAM), operating software (ROM) Data Store area (E PROM min size 16kb modern devices up to 128kb - still v small compared to device memory sizes), micro processsor and serial input / output.
(An EPROM, or erasable programmable read-only memory, is a type of programmable read-only memory chip that retains its data when its power supply is switched off.)
The data store area (EPROM) is where the hierachchal file system is stored
The OS / user authentication and encryption algorithms are found in the ROM.
Describe the SIM file system structure
The SIM file structure is a hierachical File Tree sturcture.
3 types of file
- Master File (MF)
Root files containing access conditions & the DFs and EFs (i.e all the other files are contained in the MF) - Dedicated File (DF)
Underneath the MF in structure & can contain access conditions & other DF & MF (like sub folders). Remember first level DF and second level DF. In simple terms are mainly directories - Elementary File (EF)
Usually sits underneath a DF in structure & contains access conditions and defined formatted data but there are exceptions… Some EF sit directly under the MF. Some EF are mandatory some are optional. EF’s are where the majority of data is stored.
One imported first level DEDICATED file is the DF Telecom. What does this contain?
DF Telecom contains service and subscriber related information. This includes the following ELEMENTARY FILES:
- EF_ADN (Abbrieviated Dialling Numbers): Contains contact names and numbers input by the subscriber.
- EF_SMS (Short Message Servive): Simple text messages.
-EF_LOCI (Contains the TMSI - assigned by the VLR ): Represents the last location where the mobile was shut down. The TMSI is 4 octets long and can be understood by contacting the network carrier.
- EF_LND (Last Numbers Dialled) a list of all outgoing calls made by subscriber
- EF_FPLMN (Forbidden Public Land Mobile Networks): Cellular networks that the subscriber attempted to contect to but was forbidden. i.e assists in helping where suspect wass located even if they were not able to connect.
-
What are SMS?
SMS = Short Message Service (i.e. a simple text message). Can be stored on either the SIM or the handset memory (more common)
When stored on SIM can be found in the DF Telecom file in the EF_SMS file
Can determine the status of a SIM (whether it has been read or not, deleted or sent or unsent) from the binary status flag value. The byte value will change based on the status.
SMS: What are the different binary status flag values and their meanings?
0000 0000 = DELETED message
0000 0001 = READ message
0000 0011 = UNREAD message
0000 00101 = SENT message
0000 0111 UNSENT message
What is the PIN / CHV?
CHV (Card Holder Verification)
- Commonly known as a PIN but now correctly known as CHV
- 2 user editable locks are available. Usually PIN1 is used.
- 4 to 8 digits in length
- 3 incorrect attempts usually require an unblocking key or PUK to unlock
- Some providers use default values
What is the PUK / PUC / UCHV?
UCHV (Unblock Card Holder Verification)
- Commonly called PIN unblocking key (PUK). Correct name is Unblock Card Holder Verification (UCHV)
- 8 digit code to unblock SIM/ UICC and will remove the PIN
- Set by and can be requested from the CSP. Cannot be edited by user. Investigator may be able to request it.
- 10 failed PUK / UCHV attempts permanently destroys data on the SIM UICC. Important because SP sometimes give incorrect codes due to wrong database, or people may deliberately enter it wrong 9 times to leave only 1.
UCHV can be input on the handset or cardreader by the forensic tool (preferred method)
What is the Public Switched Telephone Network (PSTN)?
Public Switched Telephone Network (PSTN)
◼ Aggregate of all Circuit-switched Telephone Networks
◼ Connects all Telephone Networks Worldwide
◼ Tolls are calculated and Assessed
So if a MS makes a call to a ME on another network (carrier) the call is routed from the MSc to the PSTN.
