Tuesday, August 19, 2014

CSA - Site Survey Method4/Cell Types

Cell types
GSM reports, as far back as 20 years ago, distinguished three kinds of cells as the growth in GSM installations massively increased following popularity as a preferred digital cellular network: large cells, small (mini) cells and micro cells. The main difference between these kind of cells lay in the cell range, the antenna installation site, and the propagation model applying to each of them. Moreover, these cells could be overlayed one on top of another to provide coverage for varying traffic conditions and illustrated in the previous discussion http://cellsiteanalysis.blogspot.co.uk/2014/07/csa-site-survey-methodmobility-models.html.

CSA has been subjected to understanding cell layer tiering involvement in a particular geographical area and what impact the finding of tiering might have determined from radio test measurement results, and what impact the results might infer for a particular investigation. In the previous discussion on Mobility Models it highlighted a simple issue: why walk tests are important to mimic the pedestrian's experience of obtaining mobile services. Germane and relevant, whilst the mobile networks are highly intelligent networks and use memory and memoryless in their propagation models, CSA examiners, students and experts cannot apply intelligent algorithms in the manual function of their work when conducting site surveys. It is, therefore, necessary to distinguish processes and procedures hidden within the intelligent network functionality that provide us (CSA examiners, students and experts) with knowledge that helps us gain skills and experience in the performance of the work we do.

So  we know "walk tests" are unavoidable (thus inescapable) forming part of the methodology we should apply, where relevant, during site surveys. Whilst this requirement is a basic simple binary style approach to CSA that doesn't mean to suggest mobile networks aren't sophiscated, convoluted, NASA style complex system because mobile networks are very much the latter. These grass root levels are important to CSA. For instance a GSM mobile network may use Cell Selection Procedures C1 and C2. The network can use components from C2  (cell reselection) to identify coverage for a slow moving mobile (e.g. pedestrian/walk test) which can be used to understand the microcell coverage. Drive testing equally needs to be represented for the benefits it provides for CSA.


Above, three tiers of cell coverage have been illustrated. Microcells are distnguished as a cell type because predominantly this type of cell in GSM (or CDMA for that matter) is usually represented as localised coverage to a small area. Pedestrian is seen as relevant to it. However, vehicular mobile usage is largely predicted within the network as "fast moving". Let us take the case of the getaway car speeding away from the scene of crime. Would it not seem strange to you to find the target's mobile phone call records identifying a number of Microcell IDs designed to cope with long dwell time in an area associated with slow mobile movements (e.g.5~10mph) compared with Macrocell umbrella coverage designed to handle accelerated speeds (e.g. 30~70mph). Why would the getaway car be driving so slowly after a crime, unless the *bogey wanted to be caught red-handed and why s/he commited the crime in the first place just to be arrested? On first blush of the call record evidence it wouldn't make sense.

*The term bogey has been adopted from the military theatre of war identification procedure representing an un-identified (unknown criminal) target, whereas a bandit is an identified (known criminal) target. In criminal investigations the latter can also suggest surveillance in progress on the target's activities.

But drive testing can throw up unexpected issues. CSA demands keeping an open mind and, as previously mentioned at my blogs, CSA examiner, student and expert should be "not only be environmentally aware, but equally be environmentally astute." A case I dealt with in the North of England concerned a series of smash-n-grabs at wholesale and retail outlets.  From my radio tests I suggested the radio evidence did not follow the getaway route the police required that I test. CSA involves noticing factors that could impede or record a particular route. In this case a speed camera that was in lock-n-load (active) to capture speeding vehicles was located at an early stage on the suggested getaway route. When I asked did the speed camera record a speeding violation, the response came back "no", yet the ascertion by the police was the getaway vehicle was speeding. However, the radio test measurement survey along the complete route did not entirely match the cell IDs in the call records either as some of the cell IDs were for slower mobile traffic and cells covering a middle layer coverage area and the use of these cells suggested the mobile dwell time was not travelling outside a certain geographical area. Eventually, a more senior detective suggested a route that veered away from the first route getaway route. My attention was drawn to an area inbetween local buildings, a mud track leading to a field and a nearby cemetary and housing estate. Infact the bogeys turned out to be previously known bandits and the entire operation of the smash-n-grabs was orchestrated from a house on the estate sited perfectly for comings and goings for the many crimes but quite hard to detect. CSA played an effective part to support other evidence and intel.       

However, umbrella macrocell coverage in a geographical location can be used to support high speed getaways e.g. where CCTV has recorded or an eyewitness had seen the getaway vehicle speeding through dense urban area. Given the speed of the vehicle the network would be detecting the mobile's short dwell time in that area. The omission of use of overlayed microcells providing limited area coverage is a suggestion of fast moving traffic. The use of a macrocell would not be out of place supporting the notion of a fast moving mobile. This can be stated in relation to the density of non-used microcells and their cell boundarys compared to macrocell cell boundaries and, of course, any location updates, time, velocity etc.

Since 2010 Cells types have rapidly moved on with a split between voice/data and data-only cells transforming the way CSA is and will be conducted in the future. For instance, there are increases in carriers (2G frequencies allocation migrating (re-use) to 3G frequencies allocation) Moreover, with LTE linking with WiFi/WLAN etc there are enormous advantages and dis-advantages that have crept into CSA site survey methodology.

The impact of these changes requires improved comprehension about the various cells and as higher frequencies are used or are brought into use cell coverage gets smaller. This fact is a benefit because the approximated location of the mobile is improved and significantly improves where smaller cells are relevant. It may not be GPS accuracy but there seems no reason why it could not meet justification under an e.g. Daubert test. Furthermore, it doesn't means CSA should jettison early styles of CSA site survey method which will remain relevant for some years to come. But CSA will become even more localised creating a specialism in InnerCity CSA (ICCSA) compared with rural CSA. A beneficary of  ICCSA knowledge will be the neuromancer cybercrime arena utilising our forensic and investigative skills to comprehend the technicality behind a suspected crime defined by the outcome from particular usage of technology.

Site survey methods do not have to be overly complicated, merely identify the radio technology at given points and by using a structured appraisal, distinguishing each wireless carrier available at particular geographical locations, to show the relevance to an investigaion or crime scene.

So what are the potentially inter-connected Cell types that fall within the scope of CSA large cell and small cell environments:

WIMAX cells
WLAN cells
WiFi cells

And in support of that environment it should not under-estimate the importance of devices capability from providing services and to accessing services. This mean from not simply the network, but the radio network e.g. BTS/(e)NodeB/H(e)NB etc to the enhanced (U)SIM and handset terminal. That requires knowning which Release (R) is relevant to the investigation:

R99    (Release 1999)
Rel-4    (Release 4)
Rel-5    (Release 5)
Rel-6    (Release 6)
Rel-7    (Release 7)
Rel-8    (Release 8)
Rel-9    (Release 9)
Rel-10    (Release 10)
Rel-11    (Release 11)
Rel-12    (Release 12)