Saturday, January 04, 2014

Tracing Packet Switch (PS) Users

Investigations into mobile activity tend largely to concentrate on recovering data from the user handset, mast (tower) data and call records. The core network (CN) is less well understood, and picking through a GSM/3GPP standard can therefore often assist in understanding the identity and form of tarried/ephemeral data surviving in a network. The standard used for this discussion is:

3GPP TS 25.413 V12.0.0 (2013-12)
3rd Generation Partnership Project;
Technical Specification Group Radio Access Network;
UTRAN Iu interface
Radio Access Network Application Part (RANAP) signalling
(Release 12)

Now, with an investigation underway, initial enquiries lead to an active smartphone user operating in the packet switched (PS) domain. The target under surveillance requires the investigator to combine visual logs and the use of the handset. Unlike CS, packet data communications require a range of information, but for the purposes of the current investigation (understanding the services being used and the geographical area where services are being obtained) the trainee investigator can start with understanding what can be learned from:

Cell ID - Cell Identity
C-ID - Common Identity
IMEI - International Mobile Equipment Identity
IMSI - International Mobile Subscriber Identity
IPAddress - Internet Protocol Address
SAI - Service Area Identifier
SAP - Service Access Point
LAI - Location Area Identifier
RNC - Radio Network Controller
RNS - Radio Network Subsystem

Some examples of trainee investigation elements for consideration:

Para 8.16.1

The purpose of the Common ID procedure is to inform the RNC about the permanent NAS UE Identity (i.e. IMSI) of a user. This is used by the RNC e.g. to create a reference between the permanent NAS UE identity of the user and the RRC connection of that user for UTRAN paging co-ordination. The procedure may also be used to provide the SNA Access Information IE to the RNC or to provide the Management Based MDT Allowed IE to the RNC or to provide the Management Based MDT PLMN List IE to the RNC.

Para 8.17.2

If Trace Collection Entity IP Address IE is included and if the MDT Configuration IE is also included then the RNC shall, if supported, store the Trace Collection Entity IP address and use it when transferring Trace records, otherwise if MDT Configuration IE is not included, the RNC may use the Trace Collection Entity IP address when transferring trace records.

Para 8.35.2

When the transferred information in the Information Transfer Type IE relates to a Trace Session in the RNC, the Trace Activation Indicator IE indicates whether the Trace Session identified by the Trace Reference IE is activated or deactivated in the RNC. In case the Trace Session is activated, the Equipments To Be Traced IE gives the Equipment Identity of the UEs that the RNC has to trace. If the Trace Recording Session Reference IE, Trace Collection Entity IP Address IE, the IMSI IE and optionally the Serving Cell Identifier IE are included in the message, the CN shall take the information into account for anonymization of MDT data (TS 32.422 [10]).

The purpose of this brief discussion is to illustrate that mobile networks naturally hold surviving data in the network for a range of reasons, to enable the network to have a uniform approach for the objective of operational performance, enquiry and, equally, to trace user terminals and roaming user terminals active in or obtaining services from a network.
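
The IMSI and SAI listed above are carried on the Iu interface as packed octets rather than readable digits. As an added example, not code from the original post or from the 3GPP specification, the following decodes both and compares the subscriber's PLMN with the serving PLMN. It assumes the IE values have already been extracted by an ASN.1 decoder and that the PLMN identity and IMSI use the TBCD packing described in TS 25.413; the function names and sample octets are constructed for illustration.

```python
# Added example. Inputs are IE values already extracted by an ASN.1 decoder;
# all sample octets are constructed, not taken from a real trace.
FILLER = 0xF

def _nibbles(octets: bytes) -> list[int]:
    # TBCD: bits 4-1 of each octet hold the earlier digit, bits 8-5 the later one.
    return [n for o in octets for n in (o & 0x0F, o >> 4)]

def _to_digits(nibbles: list[int]) -> str:
    if any(n > 9 for n in nibbles):
        raise ValueError("non-decimal nibble in TBCD string")
    return "".join(str(n) for n in nibbles)

def decode_plmn(octets: bytes) -> tuple[str, str]:
    """Return (MCC, MNC) from a 3-octet PLMN identity."""
    if len(octets) != 3:
        raise ValueError("PLMN identity must be 3 octets")
    n = _nibbles(octets)
    mnc = n[4:] if n[3] == FILLER else n[3:]   # filler marks a 2-digit MNC
    return _to_digits(n[:3]), _to_digits(mnc)

def decode_imsi(octets: bytes) -> str:
    """Return the IMSI digits from a 3..8 octet TBCD string."""
    if not 3 <= len(octets) <= 8:
        raise ValueError("IMSI must be 3..8 octets")
    n = _nibbles(octets)
    if n[-1] == FILLER:                        # odd digit count: trailing filler
        n = n[:-1]
    imsi = _to_digits(n)
    if not 6 <= len(imsi) <= 15:
        raise ValueError("IMSI must have 6..15 digits")
    return imsi

def decode_sai(octets: bytes) -> dict:
    """Split PLMN identity (3) + LAC (2) + SAC (2) octets."""
    if len(octets) != 7:
        raise ValueError("expected 7 octets: PLMN + LAC + SAC")
    mcc, mnc = decode_plmn(octets[:3])
    return {"mcc": mcc, "mnc": mnc,
            "lac": int.from_bytes(octets[3:5], "big"),
            "sac": int.from_bytes(octets[5:7], "big")}

def is_roaming(imsi: str, sai: dict) -> bool:
    # Simplification: compares the IMSI prefix with the serving PLMN only.
    return not imsi.startswith(sai["mcc"] + sai["mnc"])

SAMPLE_IMSI = bytes.fromhex("32140521436587f9")   # constructed
SAMPLE_SAI = bytes.fromhex("32f45104d2002a")      # constructed

if __name__ == "__main__":
    imsi, sai = decode_imsi(SAMPLE_IMSI), decode_sai(SAMPLE_SAI)
    print(imsi, sai, "roaming" if is_roaming(imsi, sai) else "home")
```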

Friday, January 03, 2014

FSR positioning for statutory powers

You'll need to be quick to catch this one. 

Today, 3rd January 2014, the UK Government's consultation period seeking views on whether new powers should be given to the Forensic Science Regulator ends.

Decisions are to be made which will impact on mobile, digital and computer evidential collection, forensic examination, acquiring evidence etc. and you will need to decide where you or your organisation fit within the whole scheme of things.

There are most likely to have been a wide range of responses from different industries and professions. One such response is from the Forensic and Policing Services Association (FAPSA) and it is interesting to note that amongst its proposals they believe "high standard" is relevant. I take no issue with their stance and I am not suggesting for one moment this organisation hasn't always advocated such a stance. It is not always the case and some responses from other quarters, in the past, have suggested advocating "high standards" was to take an "elitist" attitude because 'some work to high standards and some work to low standards', which in my view was a strange stance to take regarding an individual's competency working in forensics and not in the interests of skillsets and standards to underpin forensic science. FAPSA's stance communicates a useful message for those who want to be, or are, involved with forensic science.

Another response to the consultation from Peter Sommer can be read here (see link below) and highlights some useful disparities between envisaged outcomes vis-a-vis the costs to implement them/the appropriate payment for such work:

What is clear is that those who never have to spend out of their own pockets should not set or allow vertical and horizontal market costs to rise by holding individuals or companies to ransom. This is quite important as there is too much reliance on the 'machine will do the thinking for me' and if my evidence and opinion is wrong then the human equation is not at fault. Knowledge, skills and experience are paramount to the work of forensic science. It is accepted that devices are needed for acquisition, but understanding how the device communicates with the target "thing" under examination (commonly we call this a DUT - device under test) and exactly what is being communicated to "action a command and receive a response" should be the prima facie case.

Useful examples of commands and responses can be found during the examination of mobile/smart phones. Here are a few standards, but be mindful that standards extend to the air-interface (thus relevant to lawful interception etc.) and mobile network interfaces, too.

Mobile/Smart Phones
GSM/3GPP TS 07.07 AT Command set for GSM Mobile Equipment (ME)

3GPP TS 27.007 AT command set for User Equipment (UE)

3GPP TS 11.11 Specification of the Subscriber Identity Module - Mobile Equipment (SIM-ME) Interface

3GPP TS 51.011 Specification of the Subscriber Identity Module - Mobile Equipment (SIM-ME) interface

3GPP TS 31.101 UICC-terminal interface; Physical and logical characteristics

3GPP TS 31.102 Characteristics of the Universal Subscriber Identity Module (USIM) application

The point of mentioning the above standards is to bring the discussion back to an individual's understanding vis-a-vis the device being used against the target "DUT" and not leaving it to a machine to do the thinking.

Furthermore, it is essential to remember who is actually being 'caught in the net' under proposed changes. A response to a consultation I submitted some years ago raised the observation that if legal aid was to change regarding witness/expert fees, where do organisations and scrutiny of the rules come into it where evidence is submitted directly, e.g. from a mobile network operator? Never got a response on that one, but it really ought to be a fundamental requirement to identify who the FSR thinks should be excluded from his/her executive powers being imposed?