A Basic Guide
Version 1.1 [public]
23/07/2014
TRN-0033
www.forensicanalytics.co.uk
[Figure: a mobile phone, a cell site and a CDR recording date/time, called/calling numbers and Cell ID]
Network operators are able, under tight regulatory guidelines, to provide details of
the calls made by target phones and can also provide details of the locations of
the cells used by those phones.
Cell site analysis is designed to enable an investigator to determine whether calls
made at or around the time of an incident or offence used cells that are located
near the location of that offence.
Additional evidence can be provided by undertaking an RFPS (Radio Frequency
Propagation Survey) at each significant location. RFPS equipment captures details
of the cells that can be detected at a location and can indicate which cells are
most likely to be selected for use by a phone at those locations.
Cell site analysis, based on a combination of a phone's billing records, cell location
details and RFPS results, can provide compelling evidence to support an allegation
made by investigators.
- The CDR (Call Detail Record) billing data for each target phone
- Details of the locations of the cells used by the phone
- Details of the events, times and locations significant to the case
- Solid attribution of the target phone(s) to the suspected individual(s)
- Ideally, a description of the specific allegations the investigators would like
  tested against the cell site data
[Figure: events, locations, cell addresses, attributions, CDRs, RFPS and allegations feeding into a report, maps and call tables]
The elements that form the output of cell site analysis include:
Forensic Analytics has developed CSAS, the Cell Site Analysis Suite, to automate
both the processing of call record data and the creation of survey reports, call tables
and mapping.
Collectively, the results of a cell site analysis can be used to prove (or disprove) the
specific allegations made in a case. It is important to remember that cell site analysis
can be just as useful to the Defence in a case as it is to the Prosecution.
Forensic Analytics Ltd 2014
Radio
Cellular networks use communications methods based on basic RF (Radio
Frequency) transmission principles.
A radio signal is essentially a targeted ball of energy that has a certain frequency of
operation and power level.
In the UK Ofcom (the Office of the Communications Regulator) are the custodians
of the Radio Spectrum. What this means is that only licensed operators have the
right to broadcast on certain frequencies. For example the BBC own the sole right
to broadcast on the frequencies that they use.
It is the same with Cellular Service Providers (CSPs). Each has an exclusive right
to broadcast on certain frequencies, for which they pay Ofcom a licence fee. For
example the recent 4G spectrum auction in the UK channelled £4 billion into
government coffers.
In general there are chunks of frequency spectrum that have been allocated to
Cellular Service Providers for previous generations of mobile technology. We only
identify one frequency when discussing these, but in reality, just like radio stations,
we have chunks of spectrum either side of (for example) 900MHz that are chopped
up into channels and allocated to specific CSPs for their Cellular Radio Access
Networks.
Radio signals have certain properties that must be borne in mind when gathering cell
site evidence: the higher the frequency (for a given power level) the shorter the
usable distance; the higher the frequency (for a given power level) the greater the
loss experienced whilst travelling through walls, vehicles, humans etc.
A radio signal can get reflected, blocked, bent or absorbed as it travels between A
and B. The only way to tell which signals can actually be received at a specific
location is to go and measure the radio coverage there, which is the reason for
taking forensic radio surveys as part of a cell site analysis report.
A radio wave is essentially a sine wave (an alternating cycle of radio energy), which
has a certain amount of power, and travels or propagates through free space.
One cycle per second is known as one Hertz (after the scientist who first described
this phenomenon) and is abbreviated as 1Hz. 1000 cycles per second is 1kiloHertz
(1kHz), 1 million cycles per second is 1MegaHertz (1MHz) and so on.
The basic terms employed to describe aspects of RF transmission include:
Radio Spectrum
The range of possible radio frequencies is known as the Radio Spectrum. The
useable range of frequencies available within the radio spectrum runs from around
3kHz up to over 300GHz.
To ensure that interference between users is kept to a minimum, individual
systems or networks are licensed to operate within a particular range of radio
frequencies; this is known as a Frequency Band.
[Figure: Radio Spectrum, from 3kHz to 300GHz, showing the FM Radio Band (80MHz to 104MHz) and the 900MHz Band (880MHz to 960MHz)]
Radio Channels
Within each band smaller allocations of frequencies are defined for individual users
of the network; these are known as Radio Channels. The bandwidth (e.g. the
range of frequencies used) of the radio channels used by a network is determined
by the amount of capacity the network assigns to each user.
UK cellular networks employ the same set of radio bands as other EU members.
The set of bands employed to support cellular services in the UK includes (or
potentially includes):
300MHz band
450MHz band
700MHz band
800MHz band
900MHz band
1800MHz band
2100MHz band
2300MHz band
2600MHz band
3400MHz band
Details of the exact spectrum allocations currently in force in the UK are published
by Ofcom in the UK Frequency Allocation Table, which can be accessed here http://stakeholders.ofcom.org.uk/binaries/spectrum/spectruminformation/UKFAT_2013.pdf
Radio Measurements
The unit in which radio signal strengths are measured is the Watt (W), although the
milliwatt (mW) is also commonly used; one milliwatt is 1/1000th of a Watt.
To allow for simpler comparisons and calculation to be made when performing
radio measurements, engineers generally use decibels (dB) and decibel milliwatts
(dBm) respectively. The decibel uses a logarithmic scale to allow for simpler
comparisons of large and small numbers.
A logarithm is a mathematical term that can be paraphrased as the power that
number X must be raised by to get number Y. An alternative way of writing this is:
X^a = Y
              2G (dBm)        3G (dB)       4G (dB)
Very Strong   -48 to -84      -3 to -6      -3 to -10
Strong        -85 to -90      -7 to -10     -11 to -15
Moderate      -91 to -100     -11 to -18    -16 to -20
Poor          -101 to -112    -19 to -25    -21 to -30
              -110            -25           -30
[Figure: base station, rural area, radio cell]
The size of the cells used in a network can vary depending upon such factors as
geography and demand. Base stations serving rural locations, with low demand for
service, might be configured with cells that cover a large area. Base stations
covering high-demand areas such as city centres, business areas and airports
might be configured to provide coverage using very small cells.
Network Generations
The earliest type of mobile communication was provided by radio telephone
networks, which offered a very expensive service to a very limited number of users.
The first truly cellular mobile networks began to appear in the late 1970s and are
now collectively known as 1G (1st Generation) systems.
The modern era of digital mobile communications began in the early 1990s with the
release of 2G (2nd Generation) networks. Several competing versions of 2G
network were developed in different regions, but the system developed in Europe,
known as GSM (Global System for Mobile communications), eventually came to
be the dominant global 2G technology.
2G GSM networks offered access to a limited range of services (voice calls, text
messaging, dial-up data services) but provided them in a secure, high capacity
and high quality fashion. In the late 1990s two updates to GSM were released,
known as GPRS (General Packet Radio Service) and EDGE (Enhanced Data rates
for Global Evolution), which offered more efficient data and Internet connectivity.
GPRS/EDGE formed what became known as a 2.5G system. In the early 2000s
networks started to launch 3G (3rd Generation) services, beginning with a
technology known as UMTS (Universal Mobile Telecommunications System),
which offered voice, text and picture messaging and faster Internet connections.
3.5G upgrades to UMTS were developed later in the decade, known as
HSPA/HSPA+ (High Speed Packet Access), which offered increasingly fast mobile
broadband data rates. 4G (4th Generation) services began to launch in the early
2010s, which offer very fast Internet connectivity.
The progression of technologies shown in the diagram reflects the European
brands of mobile technologies and although these are the dominant network types
around the world, other technologies are used in some countries and regions.
Whichever mix of technologies they use, most countries now support a mix of 2G,
3G and 4G services.
Network Identities
PLMN ID
Mobile networks are technically known as PLMNs (Public Land Mobile Networks)
and each authorised network is assigned a unique PLMN ID. This consists of a
three digit MCC (Mobile Country Code), which indicates the country the network
operates in, and a 2 or 3 digit MNC (Mobile Network Code), which identifies the
network within that country.
Examples of MCCs include: 234 (UK), 208 (France), 505 (Australia), 310 (USA).
The MCC/MNC pair is used as a prefix on values such as Cell IDs and IMSIs.
IMSI
The purpose of the IMSI is to identify the subscriber in the mobile network. The
IMSI number is used for registering and identifying a subscriber within the PLMN.
The HLR uses the IMSI to uniquely identify each mobile subscriber. A mobile
device identifies its user/subscriber using the IMSI number that is stored on
the SIM card.
An IMSI is always 15 digits long and it consists of the following format:
MCC MNC MSIN (Mobile Subscriber ID Number, unique within PLMN)
IMEI
The International Mobile Equipment Identity (IMEI) is a number unique to every
GSM and UMTS mobile phone. It is usually found printed on the phone and can
also be displayed by dialling the sequence *#06# into the phone.
The IMEI is composed of the following elements (each element consists of decimal
digits only):
The IMEI (14 digits) is complemented by a check digit. The check digit is not part of
the digits transmitted at IMEI check occasions, which means that the IMEI printed
on a handset often differs from the IMEI captured in call records, with a different
last digit. The Check Digit avoids manual input errors, for example when customers
register stolen MEs at the operator's customer care desk.
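The IMSI layout and the IMEI check-digit behaviour described above, as an added example that is not part of the original guide: it splits an IMSI into MCC/MNC/MSIN and reconciles the IMEI printed on a handset with the one captured in call records by comparing the 14-digit body and recomputing the check digit with the Luhn algorithm. The identifiers are constructed, and the `MNC_LENGTH` table is a sample covering only the four MCCs listed on this page.

```python
# Added example (not from the original guide). The IMSI/IMEI values below are
# constructed, and MNC_LENGTH is a sample table covering only the four MCCs
# the page lists; a real tool would load a full numbering-plan table.
MNC_LENGTH = {"234": 2, "208": 2, "505": 2, "310": 3}


def split_imsi(imsi: str) -> dict:
    """Split a 15-digit IMSI into MCC, MNC and MSIN."""
    if len(imsi) != 15 or not imsi.isdigit():
        raise ValueError("an IMSI is always 15 decimal digits")
    mcc = imsi[:3]
    if mcc not in MNC_LENGTH:
        raise ValueError(f"no MNC length known for MCC {mcc}")
    end = 3 + MNC_LENGTH[mcc]
    return {"mcc": mcc, "mnc": imsi[3:end], "msin": imsi[end:]}


def imei_check_digit(body: str) -> int:
    """Luhn check digit for the 14-digit IMEI body."""
    if len(body) != 14 or not body.isdigit():
        raise ValueError("the IMEI body is 14 decimal digits")
    total = 0
    for index, char in enumerate(body):
        digit = int(char)
        if index % 2 == 1:  # double every second digit, starting with the 2nd
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return (10 - total % 10) % 10


def imei_body(value: str) -> str:
    """Strip separators and return the 14 digits that identify the device."""
    digits = "".join(c for c in value if c.isdigit())
    if len(digits) not in (14, 15):
        raise ValueError("expected a 14- or 15-digit IMEI")
    return digits[:14]


def reconcile_imei(printed: str, from_cdr: str) -> dict:
    """Compare a handset IMEI with a CDR IMEI, ignoring the last digit."""
    printed_digits = "".join(c for c in printed if c.isdigit())
    body = imei_body(printed)
    expected = imei_check_digit(body)
    return {
        "same_device": body == imei_body(from_cdr),
        "printed_check_digit_ok": len(printed_digits) == 15
        and int(printed_digits[14]) == expected,
        "full_imei": body + str(expected),
    }


if __name__ == "__main__":
    print(split_imsi("234990123456789"))   # constructed UK-style IMSI
    print(split_imsi("310999012345678"))   # constructed US-style IMSI
    # Printed on handset vs. captured in a call record (last digit differs).
    print(reconcile_imei("12-345678-901234-7", "123456789012340"))
```

Matching on the full 15-digit string would treat these two records as different devices; matching on the 14-digit body does not.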
MS-ISDN
The MSISDN is a number uniquely identifying a subscription in a GSM or UMTS
mobile network. It is the telephone number allocated to the SIM card and it is the
MSISDN which is the number normally dialled to connect a call to the mobile
phone.
Network Architecture
Cellular networks are generally divided into two main areas:
- The Radio Access Network, which is home to the cells, base stations
  and other radio elements
- The CS (Circuit Switched) core, which deals with real time services such
  as voice and video telephony and also typically deals with SMS text
  messaging
- The PS (Packet Switched) core network, which deals with non real time
  data services such as Internet connections, email, instant messaging and
  MMS
4G LTE networks only have a PS core network, as they only provide data services.
All generations of network share a common administrative area that hosts
subscriber databases, the billing system and other key services.
HLR/HSS
The most important network database is the HLR (Home Location Register), which
is also known as the HSS (Home Subscriber Server). The HLR/HSS is the main
repository of subscriber data within a network and stores each subscriber's details,
listed against their IMSI. The database record also holds details of the MS-ISDN
associated with the account and lists the set of services (international roaming, call
diversions, call barring, etc) that the user has set or is permitted to use.
EIR
The EIR (Equipment Identity Register) is an operator's database of mobile devices
and their IMEIs.
The operator registers the IMEI of each device they supply with the EIR, which
allows the IMEI to be checked when a device attempts to connect to the network.
The EIR holds IMEIs in one of three areas of its database:
- The white list contains IMEIs of devices that are permitted to use the
  network
- The grey list contains details of IMEIs that are permitted to use the
  network but that should be monitored, possibly due to a fraud flag or
  because they are suspected of having a fault
- The black list contains details of IMEIs that are not permitted to use the
  network, normally because they have been registered as stolen
The main UK operators have interlinked their EIRs, at the request of the Home
Office, which should ensure that no stolen phones or other cellular devices would
be permitted to connect to those networks. The theory behind this being that if a
stolen device can't be used there is little point in stealing it.
Each cell is assigned a unique Cell ID, which will be unique within its network. The
Cell ID is advertised on a broadcast channel in each cell, allowing mobile devices
to determine the identity of the cell they are currently connected to.
[Figure: cell site with microcell (0.5-1km), picocell (20-500m) and femtocell (10-20m) coverage]
On the other hand, a few large cells can cover a large area, lowering the cost of
providing service to that area, while a large number of small cells would be required
to cover the same area, which would increase the cost of service. Cellular
operators are therefore very careful about planning the size and number of cells
they deploy to match the expected customer demand in each area.
The range of cell types that operators can choose from is generally categorised as
follows:
- Macrocells: outdoor sites that provide wide area coverage with typical
  cell radius measurements of 1km up to 20km or more
- Microcells: outdoor sites that provide more focused hotspot coverage
  with typical cell radius measurements of 0.5-1km
- Picocells: can be deployed as outdoor sites, in which case the cell radius
  can be up to 500m, or as indoor sites in offices, shopping centres or
  airports with a typical cell radius of 20-30m
- Femtocells: can be deployed as outdoor sites or indoor sites with a
  typical cell radius of 10-20m
There are no rigidly defined standards for cell descriptions and so the descriptions
provided above should be viewed as guidelines rather than rules.
In general, the cells in a mobile network provide coverage over a limited area.
Overall network coverage is therefore based on a patchwork of coverage provided
by deploying large numbers of closely spaced base stations.
Cellular network coverage is very deliberately planned and well engineered. This is
worth bearing in mind as the defence have a tendency to create the illusion that it is
somehow random and totally unpredictable.
UK Mobile Networks
There are two types of network operator: an MNO (Mobile Network Operator) owns
their own base stations, radio access network and core network and supports a full
range of mobile services; an MVNO (Mobile Virtual Network Operator) offers
mobile services to their customers but does not own its own physical network,
instead they piggyback on the facilities of an MNO. Examples of UK MVNOs
include: Virgin Media, Tesco Mobile, Lebara, Lyca Mobile and many others.
UK Network CDRs
There are currently 4 main network operators in the UK: Vodafone, O2, Three and
EE (which consists of EE, T-Mobile and Orange). Each operator has its own
specific CDR format and each has issues and idiosyncrasies.
Data Retention and Acquisition
Call data is retained within CSP storage networks for a minimum of 12 months.
All CSPs now have an automated system in place in which a SPoC (Single Point of
Contact for dealing with CSPs) with appropriate authority under RIPA (Regulation
of Investigatory Powers Act) legislation has the authority to download data directly
from CSP billing platforms. This copy we call the golden copy, which should be
securely retained by the SPoC, and only a further copy of this data should be
forwarded to investigation teams. This means that there is always a clean source
of un-manipulated original data available should the need arise to access this.
Forensic Analytics' CSAS (Cell Site Analysis Suite) tool currently recognises and
automatically processes over 55 UK CDR formats, which includes all current
formats and most recent historical formats.
RF Propagation Surveys
Radio Frequency Propagation Surveys can be undertaken for several reasons:
- To determine the set of cells that provide coverage at a location
- To determine the extent of coverage of a given cell
- To determine serving coverage along a given route
RFPS surveys are usually undertaken in support of historical cell site analysis but
may also be performed to gather intelligence as part of live events such as
kidnaps.
Spot/Location Surveys
[Figure: incident location, with a spot survey taken in the vicinity]
Spot or location surveys provide details of the set of serving and non-serving cells
that provide coverage at a given location. Generally the spot chosen is the address
or location where an incident has occurred or where a person of interest lives or
works.
The strength of a radio signal can vary hugely. This is because a radio signal is like
a breeze, it will ebb and gust over time, which means that radio conditions are ever
changing. Phones located in an area served by more than one cell might elect to
reselect to a different cell without the phone necessarily moving anywhere.
Spot/location surveys therefore work best when taken over an extended period.
A typical ideal value for this would be between 5 and 10 minutes, which allows the
survey to capture the changes in radio signal strengths caused by the breeze effect.
All Network Profiles
Spot/location surveys are typically undertaken to gather evidence related to a
specific target phone and are therefore often conducted on just one or two
networks or technologies at a time.
Mobile networks are constantly being upgraded and optimised, with new cells being
built and existing cells being expanded and adjusted. Due to the fast rate of change
going on in the radio networks of all CSPs it would be sensible for investigators to
commission a network profile at key locations as soon as these can be identified
within a case.
- If the cells provide non-serving coverage then the report can conclude that
  the calls could have been made in the general area of the location
- If the cells were not detected during the RFPS survey then the report can
  conclude that the calls are unlikely to have been in the general area of
  the location
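An added example (not CSAS output or the guide's own code) of the step from spot-survey results to a call table: it summarises constructed survey samples per cell, converting between dBm and milliwatts as in the radio measurements section, and labels each call in a constructed CDR as using a serving, non-serving or not-detected cell. The sample layout, the Cell IDs and the choice to average levels in milliwatts rather than in dBm are assumptions of this example.

```python
import math
from collections import defaultdict

# Constructed spot-survey samples (added example, not RFPS tool output):
# (seconds into survey, Cell ID, 2G level in dBm, handset served by this cell?)
SURVEY = [
    (0, "1001", -70, True), (0, "1002", -80, False),
    (300, "1001", -70, True), (300, "1002", -90, False),
    (600, "1003", -84, True), (600, "1001", -70, False),
]

# Constructed CDR rows: (date/time, Cell ID used by the call).
CDR = [
    ("2014-07-23 21:04:10", "1001"),
    ("2014-07-23 21:09:55", "1002"),
    ("2014-07-23 21:31:02", "1999"),
]


def dbm_to_mw(dbm: float) -> float:
    """Decibel milliwatts to milliwatts."""
    return 10 ** (dbm / 10)


def mw_to_dbm(mw: float) -> float:
    """Milliwatts to decibel milliwatts."""
    return 10 * math.log10(mw)


def summarise_survey(samples):
    """Per cell: mean level (averaged in mW, reported in dBm) and status."""
    power, served = defaultdict(list), defaultdict(bool)
    for _, cell, dbm, serving in samples:
        power[cell].append(dbm_to_mw(dbm))
        # A cell counts as serving if the survey handset selected it at least
        # once during the survey period (reselection can happen without moving).
        served[cell] = served[cell] or serving
    return {
        cell: {
            "mean_dbm": round(mw_to_dbm(sum(mw) / len(mw)), 1),
            "status": "serving" if served[cell] else "non-serving",
        }
        for cell, mw in power.items()
    }


def call_table(cdr, summary):
    """Label each call with how its cell behaved at the surveyed location."""
    return [
        (when, cell, summary.get(cell, {}).get("status", "not detected"))
        for when, cell in cdr
    ]


if __name__ == "__main__":
    summary = summarise_survey(SURVEY)
    for row in call_table(CDR, summary):
        print(row, summary.get(row[1], {}).get("mean_dbm"))
```

Averaging -80 dBm and -90 dBm as decibels gives -85 dBm, while averaging the underlying powers gives -82.6 dBm, because the decibel scale is logarithmic.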
Cell site reports are often used to provide support for, or confirmation of, other
forms of evidence.
For example, a significant event in a case may have been that the suspect was
captured on CCTV making a phone call. Cell site evidence would then be used to
show whether any call details were recorded for the suspect's phone at that time
and if so, whether the cell used serves at the observed location.
Cell site reports are also often used to show association between individuals, so
reports might be required to focus on calls made between target phones or to
highlight instances of co-location where target phones might be using cells that
cover the same areas.
In cases where the attribution of a mobile phone to a suspect is not solid, especially
where there is a suspicion that 'clean' and 'dirty' handsets are being used
interchangeably, cell site analysis can be used to provide additional attribution
evidence.
Cell site reports are sometimes required to show whether calls could have been
made from a car during a specific journey; for example, if a call was made during a
period when the suspect was alleged to have been in a getaway car fleeing a
robbery scene. In this case the cell site analyst might request an RFPS route
profile to be performed following the route of the getaway vehicle. If the cells used
by the target phone serve at points along the route, then it supports the allegation
that the user of the phone could have been in the vehicle at the time the calls were
made.
It is important to remember that cell site evidence is generally not definite enough
to be used on its own; it works best when supporting other evidence.
As investigations evolve and target mobiles are added to or removed from the
investigation, CSAS handles this seamlessly and efficiently, instantly updating the
database as old files or phones are removed or new files are added.
Analyse Data: Once data has been cleansed it is placed into a professional-grade
database. Once in the database it can be viewed (using our powerful CDR
Browser feature), filtered (by date/time, called/calling numbers, call type, etc.) or
queried (using our best-in-class analytical engine). CSAS Analytics supports a
range of standard queries (Top Callers, First Call/Last Call analysis, IMEI & IMSI
timelines and many others), which allows analysts to gain quick, accurate access to
information related to just one or a collection of handsets.
RF Survey Results: CSAS will import and process raw RF survey data captured
by common RF survey devices, such as CSurv, NEMO or TEMS. The data will be
averaged and tabulated ready for analysts to review. CSAS also makes survey
results available to CSAS Analytics, allowing it to be used as the basis for further
queries and analysis, such as creating call tables showing calls made using cells
that serve at particular locations.
Mapping: the call data in the CSAS database can be used to automatically
populate maps with call and cell details using Microsoft MapPoint or Google Maps
and can also generate Map Labels for PowerPoint mapping presentations at the
push of a button.
Glossary
2G
3G
4G
ANPR
Azimuth
CCTV
CDR
CI
CSA
CSAS
CSP
dB
dBm
EDGE
EE
GHz
GPRS
GSM
Hex
HLR
HSPA/HSPA+
Hz
IMEI
IMSI
kHz
LAC
Log
LTE
MCC
MHz
MMS
MNC
MS-ISDN
MSIN
mW
Ofcom
PLMN
RF
RFPS
RIPA
SAC
SIM
SMS
UMTS
Want more copies of this free Cell Site guide? Email us and let us know:
cellsiteguide@forensicanalytics.co.uk