Wednesday, November 06, 2013

Use of GSM Logical Channels for CSA

When a mobile/smart phone's power button is pressed, the mobile triggers the power-up sequence. At this stage the mobile station (MS) is in radio darkness (ignorant) about the radio coverage that surrounds it in the geographical area in which it has been switched ON. Once switched on, the mobile device uses the embedded routines in its radio program to follow a sequence that brings it out of the radio darkness and into the radio light. It gains knowledge about the radio coverage surrounding it; compares particular coverage to identify the correct transmission technology for which the mobile device has been designed and manufactured; illuminates its presence to the mobile network in the geographical location where it is dwelling for the purpose of communications; and becomes radio link-enabled for mobile content communications and radio link-disabled to terminate mobile content communications.

The diagram below omits the 'timing' of events because it is not there to demonstrate when each event occurs; the diagram is intended to offer an at-a-glance visual indication of the sequence of channels involved from power ON to terminating a call.

It could be suggested that the above diagram is not entirely realistic: what happens if, immediately following power up and registering with the network, an incoming call indicator or an SMS is received? In GSM terms it is possible to select the use of the channels identified above for each of those purposes. So the diagram can be considered for use relating to incoming and/or outgoing communications.

For the avoidance of doubt regarding GSM logical channels, it is relevant to mention that under the logical allocation of channels there is a separate and divided approach to two logical channel paths, if you will: 'Common Channels (CCH)' and 'Dedicated Channels (DCH)'.

Common Channels (CCH)
CCH has allocated under it two channel sub-divisions:

Broadcast Channels (BCH) which is divided into a further three sub-channels:

- Frequency Control Channel (FCCH); Synchronisation Channel (SCH); Broadcast Control Channel (BCCH)

Common Control Channels (CCCH) which is divided into a further three sub-channels:

- Paging Channel (PCH); Random Access Control Channel (RACH); Access Grant Channel (AGCH)

Dedicated Channel (DCH)
DCH has allocated under it two channel sub-divisions.

Common Channels (CH) which is divided into a further three sub-channel groups:

- Stand-alone Dedicated Control Channel (SDCCH); Slow Associated Control Channel (SACCH); Fast Associated Control Channel (FACCH)

Traffic Channels (TCH) which is divided into a further two sub-channels:

- Traffic Channel Full (TCH/F) Rate; Traffic Channel Half (TCH/H) Rate 

As a further point to note, two DCH logical channels shown in the above diagram can be included (transmitted) in Common Channels communications and/or Traffic Channel communications. The SACCH has been highlighted because its content can be communicated within the SDCCH or TCH transmission.

Question 1: Do you know the important content that is transmitted in the SACCH packet and its relevance to informing the MS and Network and to cell site analysis?

Question 2: The other shared DCH logical channel has not been highlighted. Do you know what that other channel is and the important content it holds in the communications informing the MS and Network and to cell site analysis? To refresh, its content too can be communicated within the SDCCH or TCH transmission.

The Diagram
The diagram above is divided into FOUR separate MS states:

- Power On
- Idle Mode
- Dedicated Mode
- Idle Mode

Each of these separate elements is paramount to GSM CSA; without their basic existence GSM CSA would not be possible from the point of view of the mobile device element investigation, which forms one of the investigation procedures during CSA.

Sunday, November 03, 2013

Directed Retry

A fundamental and vital goal of any mobile communication network is to maintain communications between the network and the mobile station (MS), whether the MS is dwelling in an area or on the move. To assist these aims and objectives, GSM is commonly known to use 'Handover', for which there is a specific GSM standard, TS03.09 [cf. W-CDMA see 3GPP TS23.009].

The assumption being made for these cause values is that the MS is seeking to obtain a service for speech calls.

│Bits 7 6 5│Bits 4 3 2 1│Cause                                             │
│0 0 0     │0 0 0 0     │Radio interface message failure                   │
│0 0 0     │0 0 0 1     │Radio interface failure                           │
│0 0 0     │0 0 1 0     │Uplink quality                                    │
│0 0 0     │0 0 1 1     │Uplink strength                                   │
│0 0 0     │0 1 0 0     │Downlink quality                                  │
│0 0 0     │0 1 0 1     │Downlink strength                                 │
│0 0 0     │0 1 1 0     │Distance                                          │
│0 0 0     │0 1 1 1     │O and M intervention                              │
│0 0 0     │1 0 0 0     │Response to MSC invocation                        │
│0 0 0     │1 0 0 1     │Call control                                      │
│0 0 0     │1 0 1 0     │Radio interface failure, reversion to old channel │
│0 0 0     │1 0 1 1     │                                                  │
│0 0 0     │1 1 0 0     │Better Cell                                       │
│0 0 0     │1 1 0 1     │Directed Retry                                    │
│0 0 0     │1 1 1 0     │                                                  │
│0 0 0     │1 1 1 1     │Traffic                                           │

Key and germane to handover being successful is that operators can use various handover techniques controlled by handover triggering algorithms. These triggers activate when detection mechanisms identify propagation or network conditions, at the existing cell or for the target cell, that do not meet a set criterion for usage. One such condition is referred to by Professor Sami Tabbane in Management of Radio Mobility: The Handover Procedure - Intercell and Intra-BSC Handover: "A handover that is triggered for reasons of traffic loading and occurs during call setup is called directed retry."

Examiners are expected to know about Directed Retry, to take account of its possibility when conducting CSA (cell site analysis) investigations and to understand its influence and impact on evidence recorded in call records and associated cell data. A point of contention in evidence often arises where a defendant states "I was not at the location claimed by the prosecution but was in a different area". Invariably this receives the response "Why does your mobile use the radio coverage from a particular sector (azimuth) from a particular fixed mast (BTS)?" Directed Retry makes possible the scenario of having a mobile phone in a cell adjacent to the one shown in the call records. Directed Retry is not a trigger that simply fires every few minutes but arises, as Professor Tabbane records, due to traffic loading at the time of call setup.

A mistake that experts and investigators could make would be to ignore the existence of Directed Retry and, even more problematic, not to have asked the question: was Directed Retry active at cell/BSC level at the material time of the calls, apart from any intervention within the network?

GSM standards make explicit, with Directed Retry, that which might be implicit for a GSM radio location area. This logically raises the question: how can Directed Retry be configured and activated? Mobile network radio equipment manufacturers offer the capability in their equipment for mobile network engineers to fine tune the radio post-installation, and the parameters that can be fine tuned are the Handover triggers, of which Directed Retry is one.

Each equipment manufacturer varies in the way fine tuning may be implemented. Using a GUI to input the trigger parameters is one method. Another is to incorporate data into an .mdb or .xls file which has been scripted to produce e.g. an .xml output for uplifting to the radio base station database. This means it can be checked whether Directed Retry is active in a particular GSM radio location area. Furthermore, due to continuing radio fine tuning, updates to the trigger parameters can occur and older versions of the .mdb/.xls may be recovered from archive.

Experts and Investigators will need to be aware of the triggers Directed Retry (DR) and Forced Directed Retry (FDR) and identify when, in a mobile network, either of these triggers would be implemented and activated for the radio network. This equally means tracking down the equipment manufacturers that offer one form or another or both forms of Directed Retry.
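
One way to check, from archived parameter exports, whether Directed Retry (DR) or Forced Directed Retry (FDR) was switched on for a cell at the material time of a call. This is an added example, not code from the original post or from any equipment manufacturer. The XML layout, the attribute names (`effective`, `lac`, `ci`, `directedRetry`, `forcedDirectedRetry`) and all sample values are constructed assumptions, and each export is assumed to be a full snapshot that stays in force until the next one.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample exports. The schema is hypothetical; vendor formats differ.
ARCHIVE = [
    """<export effective="2013-09-01T02:00:00">
         <cell lac="1201" ci="40021" directedRetry="off" forcedDirectedRetry="off"/>
         <cell lac="1201" ci="40022" directedRetry="off" forcedDirectedRetry="off"/>
       </export>""",
    """<export effective="2013-10-14T02:00:00">
         <cell lac="1201" ci="40021" directedRetry="on" forcedDirectedRetry="off"/>
       </export>""",
]

def load_archive(docs):
    """Parse exports into [(effective, {(lac, ci): flags})], oldest first."""
    versions = []
    for doc in docs:
        root = ET.fromstring(doc)
        cells = {}
        for cell in root.iter("cell"):
            cells[(cell.get("lac"), cell.get("ci"))] = {
                "DR": cell.get("directedRetry") == "on",
                "FDR": cell.get("forcedDirectedRetry") == "on",
            }
        versions.append((datetime.fromisoformat(root.get("effective")), cells))
    return sorted(versions, key=lambda v: v[0])

def retry_state_at(versions, lac, ci, call_time):
    """DR/FDR flags for a cell at call_time, or None if the archive cannot say."""
    in_effect = None
    for effective, cells in versions:
        if effective <= call_time:
            in_effect = (effective, cells)  # latest version not after the call
    if in_effect is None:
        return None  # call predates the oldest recovered version
    effective, cells = in_effect
    flags = cells.get((lac, ci))
    if flags is None:
        return None  # cell absent from the version in effect: do not infer "off"
    return {"version": effective.isoformat(), **flags}

if __name__ == "__main__":
    versions = load_archive(ARCHIVE)
    for ci, when in [("40021", datetime(2013, 9, 15, 18, 30)),
                     ("40021", datetime(2013, 10, 20, 18, 30)),
                     ("40022", datetime(2013, 10, 20, 18, 30))]:
        print(ci, when.isoformat(), retry_state_at(versions, "1201", ci, when))
```

A `None` result means the recovered archive does not answer the question for that cell and time, which is itself something to put to the network operator rather than a finding that the trigger was inactive.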

Saturday, November 02, 2013

GPRS Cell Site Analysis



There are often forum discussions about GPRS (general packet radio switching) and how to conduct CSA (cell site analysis). Given that GPRS is expected to form a basic data service across GSM/WCDMA/LTE it is always worth starting at the beginning with GSM/GPRS as GPRS has numerous influences on GSM that have evolved for today's mobile networks.

As the old adage goes, "time and tide wait for no man", so it is important to get to grips with GPRS at its easiest stages and, when understood, move on to track down and comprehend the changes found in the additional layers involved with later transmission technologies.

When I was teaching/training at the Institute, the Professor in charge of educational studies, at that time, wanted me to show where mobile communication research material originated, authenticate sources and compile the material before student/delegate training could go ahead. Invariably this meant starting out producing hand-drawn sketches that would be converted and re-produced for slide/PowerPoint presentations. The information in the sketches was sourced from standards, books, articles, whitepapers, manufacturer specs etc, and experience (testing), of course. From my GPRS CSA course researched material prepared back in 2002/2003 I have pulled out of the folder one hand-drawn sketch (below) from the collection of sketches prepared for GPRS CSA.

The sketch layout is heavily influenced by the existing standards and industry illustrations available at that time. I have added a few personal touches in order to produce this at-a-glance sketch. Perhaps students, investigators and examiners may find it a useful starting point. I shall add more here, at this blog, about GPRS CSA but I do have quite a few other research projects on the go and I want to write about those too.

Just briefly though, GPRS CSA is not possible simply by referring 'only' to CDRs.

Firstly, there are two CDRs to consider. GPRS usage is not solely defined by a Call Detail Record. GPRS has its own record called the Charging Data Record (also referred to by the acronym CDR) defined to confirm data usage, irrespective of the content transmitted in the data, and services used etc.

Secondly, GPRS CSA should not be undertaken lightly and should not be progressed where the investigator/examiner is being given partial information or being denied access to information.

Thirdly, to avoid mishaps associated with the second point mentioned above, examiners/investigators should establish at first instance the MS, (U)SIM/handset, used at the material time. Confirmation is needed of which cells were GPRS enabled and were available for the relevant location/s at the material time; the requirement is also relevant to identifying those cells that were not enabled for GPRS for the relevant location/s.

Fourthly, make sure it is clear which GPRS usage is in the home network and which is GPRS usage caused to be transported across donor roaming partner networks but within the same country (cf. Vodafone and Hutchison 3G (H3G)).