English Pages 411 Year 2024
Forensic Radio Survey Techniques for Cell Site Analysis
Forensic Radio Survey Techniques for Cell Site Analysis Second Edition
Joseph Hoy
Forensic Analytics Ltd UK
This edition first published 2024
© 2024 John Wiley & Sons Ltd

Edition History
Forensic Radio Survey Techniques for Cell Site Analysis (1e, 2015); John Wiley & Sons Ltd. (1e, 2015)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by law. Advice on how to obtain permission to reuse material from this title is available at http://www.wiley.com/go/permissions.

The right of Joseph Hoy to be identified as the author of this work has been asserted in accordance with law.

Registered Offices
John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA
John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, UK

For details of our global editorial offices, customer services, and more information about Wiley products visit us at www.wiley.com.

Wiley also publishes its books in a variety of electronic formats and by print-on-demand. Some content that appears in standard print versions of this book may not be available in other formats.

Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Limit of Liability/Disclaimer of Warranty
While the publisher and authors have used their best efforts in preparing this work, they make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives, written sales materials or promotional statements for this work. This work is sold with the understanding that the publisher is not engaged in rendering professional services. The advice and strategies contained herein may not be suitable for your situation. You should consult with a specialist where appropriate. The fact that an organization, website, or product is referred to in this work as a citation and/or potential source of further information does not mean that the publisher and authors endorse the information or services the organization, website, or product may provide or recommendations it may make. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

Library of Congress Cataloging-in-Publication Data
Names: Hoy, Joseph, author.
Title: Forensic radio survey techniques for cell site analysis / Joseph Hoy.
Description: Hoboken, NJ : Wiley, 2024. | Includes index.
Identifiers: LCCN 2023032891 | ISBN 9781394197170 (hardback) | ISBN 9781394197187 (adobe pdf) | ISBN 9781394197194 (epub)
Subjects: LCSH: Mobile device forensics. | Electronic evidence. | Computer networks. | Electronics in criminal investigation.
Classification: LCC TK5103.4837 .H69 2024 | DDC 363.25/2–dc23/eng/20230809
LC record available at https://lccn.loc.gov/2023032891

Cover Design: Wiley
Cover Image: © travenian/Getty Images
Set in 9.5/12.5pt STIXTwoText by Straive, Pondicherry, India
For Nicola, Ellie and Isabel, who always find much more interesting things for me to do when I should be writing.
Contents

About the Author
Preface
Acknowledgements
Acknowledgements for the 2nd Edition
Glossary

1 Forensic Radio Surveys for Cell Site Analysis
1.1 Cell Site Analysis
1.2 Forensic Radio Surveying

2 Radio Theory
2.1 RF Propagation
2.1.1 Radio Theory
2.1.2 Basic Terminology
2.1.3 Propagation Modes
2.1.4 Multipath Transmission
2.1.5 Propagation Issues
2.2 Carrying Information on a Radio Signal
2.2.1 Analogue Transmission Systems
2.2.2 Digital Transmission Systems
2.3 Radio Spectrum
2.3.1 Radio Bands and Channels
2.3.2 Effects of Frequency on Propagation
2.3.3 Cellular Bands
2.3.4 Shared and Unlicensed Access Schemes
2.4 RF Measurements
2.4.1 Decibel Notation
2.4.2 Decibels
2.4.3 Decibel Milliwatts
2.4.4 Cellular Measurements
2.4.5 Measurements Used by Different Cellular Generations
2.4.6 Describing Signal Strengths
Note
References

3 Wireless Technologies and Deployments
3.1 Coordinating Cellular Development
3.2 Evolution from 0G to 5G
3.2.1 0G – Pre-cellular Networks
3.2.2 1G – First-Generation Networks
3.2.3 2G – Second-Generation Networks
3.2.4 3G – Third-Generation Networks
3.2.5 4G – Fourth-Generation Networks
3.2.6 5G – Fifth-Generation Networks and Beyond
3.3 3GPP Network Types
3.4 3GPP2 Network Types
3.5 Other Types of Network
3.5.1 TD-SCDMA
3.5.2 iDEN
3.5.3 WIFI
3.5.4 Wireless Broadband
3.5.5 WIMAX
3.5.6 Wireless Local Loop
3.5.7 Railway Communications – GSM-R and FRMCS
3.5.8 TETRA
3.5.9 4G/5G Mission Critical Communications
3.5.10 Mobile Satellite and Non-terrestrial Networks
3.6 Deployed Technologies by Region
3.7 Commonly Used Frequency Bands by Region
References

4 Cellular Theory
4.1 Pre-cellular Radiotelephone Networks
4.2 Radio Cells
4.3 Frequency Reuse
4.4 Cell Size and Coverage
4.5 Duplex Techniques
4.5.1 Frequency Division Duplex
4.5.2 Time Division Duplex
4.6 Multiple Access Techniques
4.6.1 Time Division Multiple Access
4.6.2 Code Division Multiple Access
4.6.3 Orthogonal Frequency Division Multiple Access
4.6.4 Multiple Radio Access Technologies
4.6.5 MIMO, Carrier Aggregation and Dual Connectivity
4.7 Generic Network Architecture
4.8 Mobile Devices and SIMs
4.8.1 The Third Generation Partnership Project Mobile Devices
4.8.2 Devices in Other Network Types
4.9 Radio Access Networks
4.9.1 Cells and Base Stations
4.9.2 Location and Tracking Areas
4.9.3 Multi-RAT Base Stations
4.9.4 C-RAN – Centralised or Cloud RAN
4.9.5 Disaggregated RAN
4.9.6 Open RAN
4.9.7 Base Station Activities
4.10 Core Networks
4.10.1 2G/3G Core Networks
4.10.2 4G Core Networks
4.10.3 5G Core Networks
4.10.4 IMS – IP Multimedia Subsystem
4.10.5 Billing and Disclosure Management Systems
4.10.6 Lawful Intercept
4.10.7 Interconnects and IPX
4.11 Subscriber and Device Identifiers
4.11.1 Mobile Subscriber ISDN Number
4.11.2 International Mobile Subscriber Identity
4.11.3 Temporary Mobile Subscriber Identity
4.11.4 International Mobile Equipment Identity
4.12 Network Databases
4.12.1 Home Location Register/Home Subscriber Server
4.12.2 Local Mobility Management Database
4.12.3 Equipment Identity Register
4.12.4 Network Types – MNOs and MVNOs
4.13 Cell Sites
4.13.1 Channels and Carriers
4.13.2 Cells and Sectors
4.13.3 Cell Capacity
4.13.4 Cell Identifiers
4.13.5 Physical-Layer Cell Identifiers
4.13.6 Cell Global Identifiers
4.13.7 Decimal, Binary and Hexadecimal
4.14 Antennas and Azimuths
4.14.1 Cellular Antennas
4.14.2 Azimuths and Centroids
4.15 Uptilt and Downtilt
4.16 Cell Types and Sizes
4.17 Cell Site Types and Uses
4.18 Single and Multi-frequency Networks
4.18.1 Single Frequency Networks
4.18.2 Multi-frequency Networks
4.18.3 Multi-carrier SFNs
4.19 Cell Coverage Concepts
4.19.1 Dominance
4.19.2 Non-dominance
4.19.3 Poor Coverage Areas
4.20 Small Cells and Closed Subscriber Groups
4.21 Network Activities
4.21.1 Mobile Device Activities at Power On
4.21.2 Attach and Detach
4.21.3 Authentication and Ciphering
4.21.4 TMSI Allocation
4.21.5 Detach
4.22 Idle Mode and Connected Mode
4.22.1 Idle Mode Procedures (Cell Selection and Reselection)
4.22.2 Connected Mode Procedures (Connection Setup and Handover)
4.22.3 Transition from Idle Mode to Connected Mode
4.22.4 Timing Advance
4.23 Cell Access Control
4.23.1 Cell Barring
4.23.2 Forbidden LAC/TAC
4.24 Location Updating (Idle Mode Mobility)
4.25 Handover (Connected Mode Mobility)
4.25.1 Inter-carrier Handover
4.25.2 Intra-carrier Handover
4.26 Network Sharing
References

5 3GPP Network Types
5.1 2G GSM Networks
5.1.1 2G GSM Access Networks
5.1.2 2G GSM Radio Interface
5.1.3 GSM Channel Configuration
5.1.4 2G GSM Cell Selection
5.1.5 2G GSM Reselection Candidates
5.1.6 2G GSM Cell Configurations
5.1.7 2G GSM Channel Numbering
5.1.8 2G GSM Cell Identifiers
5.1.9 2G GSM Cell Discrimination
5.1.10 2G GSM Radio Measurements
5.2 3G UMTS/HSPA Networks
5.2.1 3G UMTS Access Networks
5.2.2 3G UMTS Radio Interface
5.2.3 3G UMTS Cell Selection
5.2.4 Active and Monitored Cells
5.2.5 Single Frequency 3G UMTS Networks
5.2.6 3G UMTS Handover – Soft Handover
5.2.7 Other Kinds of 3G UMTS Handover
5.2.8 Cell Breathing
5.2.9 3G UMTS Radio Measurements
5.2.10 3G UMTS Channel Numbering
5.2.11 3G UMTS Cell Identifiers
5.2.12 3G UMTS Cell Configurations
5.2.13 3G UMTS Cell Discrimination
5.2.14 Multi-carrier UMTS Services
5.3 4G LTE Networks
5.3.1 4G LTE Network Architecture
5.3.2 4G LTE Radio Interface
5.3.3 4G LTE Cell Selection and Reselection
5.3.4 4G LTE Handovers
5.3.5 4G LTE Cell Configurations
5.3.6 4G LTE Radio Bands and Channel Numbering
5.3.7 4G LTE Cell Identifiers
5.3.8 4G LTE Cell Discrimination
5.3.9 4G LTE Radio Measurements
5.3.10 4G LTE Variants – TDD and FDD
5.3.11 4G LTE Voice Call Options
5.3.12 LTE Evolution – LTE-Advanced and Beyond
5.3.13 LTE-Based Mission Critical Communications
5.3.14 LTE-Based Railway Communications
5.3.15 LTE and 5G Non-standalone Mode
5.4 5G NR Networks
5.4.1 5G NR Network Architecture
5.4.2 5G NR Radio Interface
5.4.3 5G NR Cell Selection and Reselection
5.4.4 5G NR Handovers
5.4.5 5G NR Cell Configurations
5.4.6 5G NR Radio Bands and Channel Numbering
5.4.7 5G NR Cell Identifiers
5.4.8 5G NR Cell Discrimination
5.4.9 5G NR Radio Measurements
5.4.10 5G NR Variants – TDD and FDD
5.4.11 5G NR Voice Call Options
5.4.12 5G NR Network Slicing
5.4.13 5G NR Evolution – 5G-Advanced and Beyond
References

6 Other Cellular Network Types
6.1 2G IS-95/cdmaOne
6.2 3G IS-2000/CDMA2000 1x RTT
6.2.1 CDMA2000 Generations and Variants
6.2.2 CDMA2000 Network Architecture
6.2.3 CDMA2000 Network Structure
6.2.4 3G CDMA2000 User and Device Identities
6.2.5 3G CDMA2000 Radio Interface
6.2.6 3G CDMA2000 Cell Selection
6.2.7 3G CDMA2000 Handover
6.2.8 3G CDMA2000 Radio Measurements
6.2.9 3G CDMA2000 Band Classes and Channel Numbering
6.2.10 3G CDMA2000 Cell Identifiers
6.2.11 3G CDMA2000 Cell Configurations
6.3 3G CDMA2000 EV-DO
6.3.1 EV-DO Forensic Surveys
6.3.2 CDMA2000 Specifications
6.4 Surveying Other Technologies
6.4.1 2G iDEN
6.4.2 2G Personal Digital Cellular (Japan)
6.4.3 2G TETRA
6.4.3a P25 Public Safety Networks
6.4.4 2G GSM for Railways
6.4.5 3G TD-SCDMA (China)
6.4.6 4G WIMAX
6.4.7 WIFI
6.4.8 Bluetooth
6.4.9 Ultra-Wide Band (UWB)
6.4.10 Near Field Communication (NFC)
6.4.11 IoT (Internet of Things) Local Networking
6.4.12 Low Power Wide Area Networks
6.4.13 Satellite Communications Networks
6.4.14 V2X
6.4.15 Electronic Tags/Offender Monitoring
6.5 Global Navigation Satellite Systems
References

7 Forensic Radio Surveys
7.1 Forensic Radio Survey Objectives
7.2 Forensic Radio Survey Terminology
7.3 Forensic Radio Survey Types and Techniques
7.3.1 Spot/Location Surveys
7.3.2 Local Coverage Surveys
7.3.3 Static Spot Surveys
7.3.4 Indoor Surveys
7.3.5 All-Network Profiles
7.3.6 Cell Coverage Surveys
7.3.7 Route Profile Surveys
7.3.8 Crowd-sourced Cell Coverage Data
7.4 Idle Mode versus Connected Mode Surveys
7.4.1 Idle Mode
7.4.2 Connected Mode
7.4.3 Transition from Idle Mode to Connected Mode
7.4.4 Idle Mode Surveys
7.4.5 Connected Mode Surveys
7.4.6 Mixed Mode Surveys
7.4.7 Suggested Survey Modes
7.5 Additional Survey Techniques
7.5.1 Surveying using Multiple Devices
7.5.2 Test Call Protocols
7.5.3 Lock Files and Channel Scans
7.5.4 Orbit Tests
7.5.5 Band Locks
7.6 Survey Preparation
7.6.1 Survey Specifications
7.6.2 Preparing Survey Devices
7.6.3 Survey Safety
7.7 Typical Survey Actions and Procedures
7.7.1 Spot/Location Surveys
7.7.2 All-Network Profiles
7.7.3 Cell Coverage Surveys
7.7.4 Route Profile Surveys
7.7.5 Proactive Surveys and Hostile Reconnaissance
7.7.6 Surveys Supporting Live Operations
7.7.7 Potential Survey Issues
7.8 Survey Results: Checking and Confirmation
7.8.1 Confirming the Expected Results
7.8.2 Expected Results Not Found
7.8.3 Surveying Near Location/Tracking Area Boundaries
7.9 Survey Notes and Progress Maps
7.10 Survey Equipment Types
7.10.1 3G Forensics CSurv
7.10.2 Keysight NEMO Handy
7.10.3 Infovista TEMS
7.10.4 Group 2000 Lima Cell Monitor
7.10.5 QRC Technologies – ICS
7.10.6 Gladiator Forensics – GAR
7.10.7 Rohde & Schwarz – TSMA6B
7.10.8 App-Based Survey Tools
7.11 Raw Survey Results
7.11.1 CSurv Data
7.11.2 Lima CM Data
7.11.3 NEMO Data
7.11.4 TEMS Data
7.11.5 QRC – ICS Data
7.11.6 Gladiator GAR Data
7.11.7 Rohde & Schwarz TSMA6B Data
7.11.8 WIFI Survey Data
7.12 Processing Survey Results
7.12.1 Spot/Location Raw Survey Results
7.12.2 Spot/Location Survey Summarised Results
7.12.3 All-Network Profile Results
7.12.4 Coverage Survey Results
7.12.5 Route Profile Results
7.13 Understanding Survey Results
7.13.1 Understanding Coverage and Route Survey Results
7.13.2 Understanding Spot/Location Survey Results
7.13.3 Finding ‘Missing’ Cell IDs
7.13.4 RF Survey Analysis Tools
7.14 Storage of Survey Data
7.14.1 Continuity of Evidence
7.14.2 Historical Survey Data
7.14.3 Proactive Surveys
7.15 Quality and Best Practice
7.15.1 Survey Preparation
7.15.2 Idle Mode Versus Connected Mode
7.15.3 Best Practice for Survey Types
7.15.4 Contemporaneous Note Taking
7.15.5 Post-Survey Reports
7.15.6 Summary of Survey Best Practice
7.16 Summary of Typical Survey Results
7.16.1 GSM Measurements
7.16.2 UMTS Measurements
7.16.3 LTE Measurements
7.16.4 cdmaOne and CDMA2000 Measurements
7.16.5 NR Measurements
7.16.6 WIFI Measurements
References

8 Cell Site Analysis
8.1 Cell Site Concepts
8.2 Uses and Limitations of Cell Site Evidence
8.2.1 Limitations
8.2.2 Cell Site Analysis Uses
8.2.3 Historical Versus Live Cell Site
8.2.4 Combining Cell Site Analysis with Other Evidence
8.2.5 Attribution
8.2.6 Forensic Countermeasures
8.3 Regulation of Cell Site Analysis
8.3.1 Regulation of Investigatory Powers
8.3.2 International Cooperation
8.3.3 International Standards
8.3.4 Codes of Practice
8.4 Components of Cell Site Analysis
8.5 Call Detail Records
8.5.1 Voice/Text CDRs
8.5.2 GPRS Data CDRs
8.5.3 CDR Examples
8.5.4 DDR – Device Data Records
8.5.5 Cell Dumps or Tower Dumps
8.5.6 Network-derived Location Data
8.5.7 CDRs for Wearable and Secondary Devices
8.6 Sources of Cellular Coverage Data
8.6.1 Serving Cell Plots
8.6.2 Path Profiles
8.6.3 Crowd-Sourced Cell Coverage Data
8.7 Forensic Radio Surveys
8.7.1 Role of Forensic Radio Survey Results
8.7.2 Limitations of Forensic Surveys
8.8 Cell Site Reports
8.8.1 Full Cell Site Report
8.8.2 Streamlined Forensic Report
8.8.3 Network Profile Report
8.9 Call Schedules
8.10 Maps and Graphics
8.11 Report Checking and Peer Review
8.12 Professional and Expert Witnesses
8.12.1 Witness of Fact
8.12.2 Witness of Opinion
8.12.3 Duties of an Expert Witness
8.12.4 Defence Cell Site Reports
8.13 Court Presentations
8.13.1 Evidence-in-Chief
8.13.2 Typical Cross-Examination Questions
8.14 Support for ‘Live’ Investigations
8.14.1 Real-time Usage Data
8.14.2 Location-Based Services Infrastructure
8.14.3 Device Location Requests
8.14.4 2G/4G/5G Timing Advance
8.14.5 3G Propagation Delay
8.14.6 Other Location-Based Techniques
8.14.7 MDT – Minimisation of Drive Testing
8.14.8 Cell Site Simulators
8.14.9 MAC Grabbers and Emulators
8.14.10 Social Media Takeout and Geofence Data
8.15 Cell Site Analysis and Forensic RF Surveys
References

9 Summary and Practical Activities
9.1 Radio and Cellular Concepts
9.1.1 Basic Radio Terminology
9.1.2 Decibels
9.1.3 Decibel Milliwatts
9.1.4 Cellular Radio Bands
9.1.5 Cellular Radio Bands by Region
9.1.6 Decimal, Binary and Hexadecimal
9.2 Cellular Identifiers
9.2.1 Mobile Country Code List
9.3 Cellular Network Types
9.3.1 2G GSM Networks
9.3.2 3G UMTS Networks
9.3.3 2G cdmaOne and 3G CDMA2000 Networks
9.3.4 4G LTE Networks
9.3.5 5G NR Networks
9.4 Forensic Radio Surveys
9.4.1 Spot/Location Surveys
9.4.2 All-Network Profiles
9.4.3 Cell Coverage Surveys
9.4.4 Route Profiles
9.4.5 Survey Specifications
9.4.6 Preparing Survey Devices
9.4.7 Survey Safety
9.5 Survey Results: Checking and Confirmation
9.5.1 Confirming the Expected Results
9.5.2 Expected Results Not Found
9.6 Survey Notes and Progress Maps
9.7 Survey Results
9.7.1 Spot/Location Survey Results
9.7.2 All-Network Profile Results
9.7.3 Coverage Survey Results
9.7.4 Route Profile Results
9.7.5 Summary of Survey Best Practice
9.8 Cell Site Analysis
9.8.1 Limitations of Cell Site Analysis
9.8.2 Components of Cell Site Analysis
9.8.3 Report Checking and Peer Review
9.9 End-to-End Process
9.10 Overall List of Events/Locations
9.11 Source Files Attribution List
9.12 Normalise Call Data into a Standard Format
9.12.1 CDR Normalisation
9.13 Create an Overall Cell List
9.14 Creating a Case Overview Map
9.15 Compile Radio Survey Summary Tables
9.15.1 Spot/Location Survey Data
9.15.2 Cell Coverage Surveys
9.15.3 Route Profile Surveys
9.16 Creating Call and Cell Labels
9.17 Cell Site Mapping Presentations
9.18 Summary
9.19 Further Reading
9.19.1 3GPP Technical Specifications
9.19.2 Bibliography
References

Index
About the Author Joseph Hoy has a background in telecom engineering and training. Gaining experience initially as an IT and telecoms engineer with BT, NCR and AT&T, Joseph moved across to cellular telecoms and worked on a variety of engineering and training projects for Nokia around the world. He has also worked as a cell site analyst and expert witness, compiled forensic reports for a variety of police forces and agencies and presented them in a range of courts, including the Old Bailey in London. Joseph specialises in cellular and forensic telecoms training and is co-founder and Chief Product Officer of Forensic Analytics, which has developed a suite of software applications that automate many of the processes involved in cell site analysis and forensic RF surveying. He is a member of the Institution of Engineering and Technology (IET) and has been a member of the United Kingdom Forensic Science Regulator’s cell site analysis working group. Joseph was the winner of the prestigious techUK President’s Award for ‘contribution to society’ in 2023. Joseph lives in the United Kingdom with his wife and two daughters.
Preface This book is intended to serve two purposes: to provide a coherent explanation of the theories and procedures that underpin forensic radio surveying and of the network technologies that are being surveyed in a form that can be read cover to cover as a textbook, but also to act as a reference resource that can be dipped into as needed. Forensic radio surveying is undertaken in support of the digital forensics discipline of cell site analysis and is, on the face of it, a very simple process: ‘go to a location, switch on the survey device, capture measurements, go back to the office and process the results’. But without a proper understanding of the operation of the cellular networks that are being surveyed, of the issues related to different networks or technologies and without knowledge of the things that can go wrong with surveys (and their remedies), survey results will not be as accurate or useful as they could be. The ability to demonstrate a full understanding of the fundamental cellular technologies and forensic radio surveying techniques is also of use if surveyors are called to court to explain their evidence. A lack of technical knowledge or understanding may be quickly discovered under cross-examination and will be used to undermine the credibility of any cell site evidence being presented. In general, the aims of this book are to provide a readily understandable introduction to the topic for those who are new to forensic radio surveying and to act as an aide memoire to remind more experienced forensic radio surveyors of information related to surveying that they have learned on training courses but may sometimes have trouble remembering. The second edition of this book has been fully overhauled and updated to include new technologies (such as 5G) and techniques that have been developed since the first edition in 2015. It has also benefited from a huge and very welcome amount of feedback from readers. 
The forensic disciplines of cell site analysis and radio surveys are dynamic and challenging. New technologies, updated techniques and evolving networks ensure that the specific details of the topic change over time. We endeavour to keep up with these changes and will update the information in this book at regular intervals. We recognise, however, that we will not always get everything right and may not always be quick enough to amend outdated material, so we welcome comments or criticism from readers. We will be happy to debate the topics and issues raised, provide further information and generally engage with the forensics community as required to ensure that this book is as accurate, comprehensive and up-to-date as possible. Questions, comments and feedback can be sent to: [email protected]
Acknowledgements A great number of people have helped with the development of this book, including: My co-founders at Forensic Analytics, Martin Griffiths and Andrew Hausler. Ian Clark, David Bell and Tom Hoy at Lynross Training. Much of the basic network overview content in Chapters 4 and 5 is based on material that we jointly developed for Lynross courses, and they kindly gave me permission to adapt it for this book. My former colleagues at LGC Forensic – Ceri Walsh, Sue Carter, Sue Delahaye, Nick Chandler and Mick Shelley – who helped me to understand what cell site is all about. David Bristowe and Professor Jan Stuart, who were instrumental in developing the discipline of cell site analysis. Dr Matthew Tart and Dr Iain Brodie of CCL Group Ltd (both formerly of the Forensic Science Service) for suggestions and ideas and also for their 2010 paper ‘Historic cell site analysis – Overview of principles and survey methodologies’, which they co-authored with Nicholas Patrick-Gleed and James Matthews when they were all working for the Forensic Science Service. Fellow cell site experts and practitioners who provided comments that were used in the precursor document to the first edition of this book, including Dominic Kirsten, Ben Spencer, Thea Selby, Phil Gardiner, Vicki Meaton, Mark Johnson, Greg Smith, Nicky Haigh, Peter Brown and Duncan Brown. Chris Cox, of Cox Communications, gave advice on presenting the mathematics of radio systems in Chapter 2. Professor Berthold K.P. Horn at MIT, Bruno Xavier of CelPlan, Brazil and Don Hill of Proactive Technical Solutions, Inc, who provided information about CDMA2000 in Chapter 6. Tom Hoy and Ian Church for proofreading and grammatical advice. Anna Smart, Sandra Grayson, Clarissa Lim, Alan Mill and Radjan Lourde Selvanadin at Wiley.
Acknowledgements for the 2nd Edition I received a great deal of very useful feedback and suggestions from readers of the first edition, some of which took a reasonable amount of discussion with them and research for me to include aspects of it in the 2nd edition. As well as my co-founders at Forensic Analytics Ltd – Martin Griffiths and Andrew Hausler – I had a great deal of help and encouragement from other colleagues, including Steve Rick, Darran Fletcher, Dave Cutts, Sue Carter, Paul Kilby, Will Metters, Jon Cornish, June Woodland and Isabel Duncan. Gareth Howell and Jamie Fleming, who both have PhDs in Physics, also helped me unpick the mathematics associated with overlapping annuli (which is apparently the correct technical term for overlapping arcs). I’d also like to thank Gerry McQuade, our chairman, and the board of Forensic Analytics for allowing me to take a sabbatical to work on this second edition. I interviewed a number of practitioners and expert witnesses in the course of preparing the 2nd Edition and would like to thank the following individuals and groups for their patient assistance: Olof Lundberg, formerly of Inmarsat; Peter Brown, Duncan Brown, Nicky Haigh, Adam Munday, Dominic Kirsten and Richard Baxter of Forensic Partners Ltd.; Matt Tart, Iain Brodie, Brian Edwards, and the cell site team at CCL Solutions Group Ltd; Rick Yeomans and Steph Curwen of Intaforensics Ltd; Jon Heathcote of Staffordshire Police and the College of Policing’s RF Development User Group; Chad Fitzgerald of the FBI CAST team; Joo Jung and his team from Ottawa Provincial Police; Farid (Sal) Salehroa of Advanced Concepts Exploitation LLC; Brian Bisceglia of Worcester Police, MA; Simon Hudson of BT plc. Any errors or inaccuracies are my own and do not reflect the advice I was given. The 2nd Edition contains descriptions of a wider set of forensic radio survey devices and of CDR and RF data processing tools than the 1st Edition did. 
I would like to thank the following representatives of the companies who agreed to allow me to describe their products: Wim Fokke of Group 2000 Ltd; Shaun Desmond of Keysight Technologies; Kevin Parma of Infovista SAS; David Stewart and Charles Amoury of Gladiator Forensics LLC; Jim Cairns of Technical Solutions Group Ltd, representing QRC Technologies LLC. Thanks also to Sandra Grayson, Becky Cowan, Kavipriya Ramachandran and Sindhu Raj Kuttappan at Wiley. A number of figures and tables in this book were taken from various 3GPP Technical Specifications (TSs) or Technical Reports (TRs). In relation to this content: © 2023. 3GPP TM TSs and TRs are the property of ARIB, ATIS, CCSA, ETSI, TSDSI, TTA and TTC, who jointly own the copyright in them. They are subject to further modifications and are therefore provided to you ‘as is’ for informational purposes only. Further use is strictly prohibited. A number of tables in the book were taken from various 3GPP2 Technical Specifications. In relation to this content: COPYRIGHTED MATERIAL reproduced and distributed by John Wiley & Sons under written permission of the Organisational Partners of the Third Generation Partnership Project 2 (3GPP2).
xxv
Glossary 0G 1G 2G 2.5G 2.75G 3G 3.5G 3GPP 3GPP2 4G 4.5G 4.75G 5G 5.5G 5GC 5QI 6G 6LowPAN 802 802.11 802.15 802.16 λ
Pre-cellular radiotelephone networks First Generation mobile networks Second Generation mobile networks, e.g. GSM Enhanced 2G networks, e.g. GPRS Enhanced 2G networks, e.g. EDGE Third Generation mobile networks, e.g. UMTS Enhanced 3G networks, e.g. HSPA/HSPA+ Third Generation Partnership Project – global standards body 3GPP mark 2 – United States standards body Fourth Generation mobile networks, e.g. LTE Enhanced 4G Networks, e.g. LTE-Advanced Enhanced 4G Networks, e.g. LTE-Advanced Pro Fifth Generation of mobile networks, e.g. NR Enhanced 5G networks, e.g. 5G-Advanced 5G Core network 5G Quality of Service Identifier Sixth Generation of mobile networks IPv6 over Low Power Access Networks IEEE family of networking standards IEEE WiFi standards family IEEE Wireless Speciality Network standards family IEEE WIMAX standards family (lambda) Wavelength
A A2DP AAU AC ACB ACC Active ADC AGCH A-GPS ALPR AM AMF AMP
Advanced Audio Distribution Profile Active Antenna Unit Access Category Access Class Barring Access Control Class a 3G cell currently selected to serve a mobile device’s Connected Mode connections Analogue to Digital Conversion Access Grant Channel Assisted GPS Automatic License Plate Recognition Amplitude Modulation Access and Mobility Management Function Additional MAC and PHY
xxvi
Glossar
AMPS ANPR ANSI AO AOA API APCO AP APN ARFCN ARIB ARP AS ATIS AuC AUSF AUTN
Advanced Mobile Phone System Automatic Number Plate Recognition American National Standards Institute Authorising Officer Angle of Arrival Application Programming Interface Association of Public Safety Communications Officials Access Point Access Point Name Absolute Radio Frequency Channel Number in 2G Association of Radio Industries and Businesses Allocation and Retention Priority Access Stratum Alliance for Telecommunications Industry Solutions Authentication Centre Authentication Server Function (in 5G) Authentication Token (Network)
B BA List BCC BCCH BER BGAN BID BLE BLER BPSK BSC BSIC BSID BSS BSSID BT BTS BWA
BCCH Allocation List – neighbour cell list in 2G Base Station Colour Code (part of BSIC) Broadcast Control Channel Bit Error Rate Broadband Global Area Network Base Station ID Bluetooth Low Energy Block Error Rate Binary Phase Shift Keying Base Station Controller (in 2G) Base Station Identity Code (in 2G) Base Station ID (in CDMA2000) Base Station Subsystem Broadcast Service Set Identifier Bluetooth Base Transceiver Station (in 2G) Broadband Wireless Access
C c C1 C2 CA CAG Camp On CC CCCH CCDC CCH CCTV CCSA
Speed of light Cell Selection algorithm (in 2G) Cell Reselection algorithm (in 2G) Carrier Aggregation Closed Access Group (in 5G) To select a cell as the serving cell in Idle Mode Component Carrier (in Carrier Aggregation) Common Control Channel Covert Communications Data Capture Control Channel Closed Circuit Television China Communications Standards Association
Glossar
CDG CDR CDMA CDMA2000 cdmaOne CELL_DCH CELL_FACH CELL_PCH CF CGI CI CINR CIoT CLOUD Connected Mode CoP CoP COPO CPIA CPICH CPS C-RAN CRH CRS CS CSA CSAS CSFB CSG CSI CSI CSLI CSP CSP CSS CSV CU C-V2X
CDMA Development Group Call Detail Record Code Division Multiple Access 3G network type 2G network type Cell Dedicated Channel state (in 3G) Cell Forward Access Channel state (in 3G) Cell Paging Channel state (in 3G) Call Forward Cell Global ID Cell ID Carrier to Interference and Noise Ratio Cellular IoT Clarifying Lawful Overseas Use of Data Act The state a mobile device is in when a connection has been established to a base station and traffic flow is possible Code of Practice College of Policing Crime (Overseas Production Orders) Act Criminal Procedures and Investigations Act Common Pilot Channel (in 3G) UK Crown Prosecution Service Centralised RAN/Cloud RAN Cell Reselection Hysteresis Cell-specific Reference Signal (in 4G, 5G) Circuit Switched, e.g. traditional voice telephony service Cell Site Analysis Cell Site Analysis Suite Circuit Switched Fallback Closed Subscriber Group (for 3G/4G femtocells) Channel State Information Crime Scene Investigator Cell Site Location Information Cellular Service Provider Cell Selection Priority Cell Site Simulator Comma Separated Values Central Unit Cellular – Vehicle to Anything
D
D2D: Direct 2 (to) Device
DAA: Data Access Agreement
DAC: Digital to Analogue Conversion
D-AMPS: Digital Advanced Mobile Telephone System
DAS: Distributed Antenna System
dB: decibels
dBm: decibel milliwatts
dBW: decibel watts
dBi: decibel isotropic
DC: Dual Connectivity
DC-HSPA: Dual Carrier HSPA
DDR: Device Data Record
DECT: Digital Enhanced Cordless Telephone
Dedicated Mode: Original term for Connected Mode used in GSM
DCS: Digital Communications Service
DL: Downlink
DNN: Data Network Name
DOCSIS: Data Over Cable Service Interface Specification
DPA: Data Protection Act
DRVCC: Dual Radio Voice Call Continuity
DRX: Discontinuous Reception
DSA: Derived Service Area
DSL: Digital Subscriber Line
DSP: Digital Signal Processor
DSRC: Dedicated Short Range Communications
DSS: Dynamic Shared Spectrum
DU: Distributed Unit
E
E.164: ITU international phone number standard
E.212: ITU network numbering (MCC + IMSI) standard
EARFCN: Evolved Absolute Radio Frequency Channel Number (in 4G)
Ec/Io: Energy per chip/Interference – signal-to-noise ratio measurement (in 3G)
Ec/No: Energy per chip/noise – signal-to-noise ratio measure (in 3G)
ECGI: EUTRAN Cell Global Identifier (in 4G)
ECI: EUTRAN Cell ID
EC-GSM-IoT: Enhanced Coverage GSM for IoT
ECM: EPS Connection Management (in 4G)
EDGE: Enhanced Data Rates for Global Evolution, PS data for 2G networks
E-GSM: Extended GSM900 band
EIR: Equipment Identity Register
EIRENE: European Integrated Radio Enhanced Network
EIRP: Effective Isotropic Radiated Power
EM: Electromagnetic
eMLPP: Enhanced Multilevel Precedence and Pre-emption
eNB: EUTRAN Node B (also Evolved Node B) – 4G base station
eNB ID: eNB Identifier
EN-DC: EUTRA-NR Dual Connectivity (in 5G NSA)
EPC: Evolved Packet Core (4G core network)
EPS: Evolved Packet System (4G network)
EPLMN: Equivalent PLMN
eSIM: Embedded SIM card
ESN: Electronic Serial Number
ESN: Emergency Services Network
ETSI: European Telecoms Standards Institute
EUTRAN: Evolved Universal Terrestrial Radio Access Network (in 4G)
EV-DO: Evolution – Data Optimised (or Data Only)
F
F: Frequency
FACCH: Fast Associated Control Channel
FAT: Frequency Allocation Table
F-BCCH: Forward Broadcast Control Channel
FCH: Frequency Correction Channel
FDD: Frequency Division Duplex
FDMA: Frequency Division Multiple Access
Femtocell: A small-scale cell/base station designed to be deployed at a user’s home or office, which provides a small bubble of network service
FF: Form Factor (in relation to SIM cards)
FHSS: Frequency Hopping Spread Spectrum
FM: Frequency Modulation
F-PCH: Forward Paging Channel
F-PICH: Forward Pilot Channel
FR: Frequency Range
FR1: 5G frequency range below 6 GHz
FR2: 5G frequency range above 6 GHz
FRMCS: Future Railways Mobile Communications System
FSS: Fixed Satellite System
FSR: Forensic Science Regulator
F-SYNC: Forward Synchronisation Channel
FWA: Fixed Wireless Access
G
GAP: Generic Access Profile
GEO: Geosynchronous Earth Orbit/Geostationary Earth Orbit
GERAN: GSM/EDGE Radio Access Network
GGSN: Gateway GPRS Support Node
GHz: Gigahertz (billions of cycles per second)
GIS: Geographical Information System
gNB: 5G Node B (5G base station)
GNSS: Global Navigation Satellite System
GPRS: General Packet Radio Service, PS data for 2G networks
GPS: Global Positioning System
GSCN: Global Synchronisation Channel Number
GSM: Global System for Mobile, 2G network type
GSMA: GSM Association
GSM-R: GSM for Railways
GUAMI: Globally Unique AMF ID
GUMMEI: Globally Unique MME ID
GUTI: Globally Unique Temporary Identifier
H
Handover: The process of passing the active connections for a mobile device in Connected Mode from one cell/base station to another
HARQ: Hybrid ARQ (Automated Retransmission Request)
HBO: Home Breakout
HCR: High Chip Rate
HD-FDD: Half Duplex – Frequency Division Duplex
HF: High Frequency
HFP: Handsfree Profile
HHO: Hard Handover
HLR: Home Location Register
HPLMN: Home PLMN
HSDPA: High Speed Downlink Packet Access
HSPA/HSPA+: High Speed Packet Access, fast PS data for 3G networks
HSS: Home Subscriber Server (evolved form of HLR)
HSUPA: High Speed Uplink Packet Access
Hysteresis: A process that attempts to prevent an Idle Mode mobile device from reselecting to a new cell too quickly after a previous reselection
Hz: hertz (cycles per second)
I
ICCID: Integrated Circuit Card Identification Number
iDEN: Integrated Digital Enhanced Network
Idle Mode: A state where a mobile device is powered on and attached to a network but has no active control or traffic connections
IEEE: International Electrical and Electronics Engineers
IFAST: International Forum on ANSI-41 Standards Technology
IMEI: International Mobile Equipment Identifier
IMEISV: IMEI and Software Version number
IMS: IP Multimedia Subsystem
IMSI: International Mobile Subscriber Identifier
IMTS: Improved Mobile Telephone Service (0G network)
IoT: Internet of Things
IP: Internet Protocol
IPA: Investigatory Powers Act
IPX: IP Exchange
IRAT: Inter-Radio Access Technology
IS: Interim Standard
IS54: D-AMPS/TDMA 2G system
IS95/A/B: cdmaOne 2G system
IS136: Enhanced D-AMPS/TDMA 2G system
IS2000: CDMA2000 system
ISDN: Integrated Services Digital Network
ISHO: Inter System Handover
ISM: Industrial, Science and Medical radio bands
ISO: International Standards Organisation
ITS: Intelligent Transport Services
ITU: International Telecommunications Union
K
K: Subscription-specific secret security key
kHz: kilohertz (thousands of cycles per second)
L
LA: Location Area (in 2G and 3G)
LAA: Licence Assisted Access
LAC: Location Area Code
LAI: Location Area Identifier (LAC plus country code, network code)
LAU: Location Area Update
LBO: Local Breakout
LBS: Location-Based Services
LCI: Local Cell ID
LCR: Low Chip Rate
LCS: Location Server
LEA: Law Enforcement Agency
LEO: Low Earth Orbit
LF: Low Frequency
LI: Lawful Intercept
LIG: Lawful Intercept Gateway
LMDS: Local Multipoint Distribution Service
LMF: Location Management Function
LOS: Line of Sight
LTE: Long Term Evolution, a 4G network type
LTE-A: LTE-Advanced
LTE-M: LTE for Machine Type Communication
LTE-U: LTE deployed in unlicensed radio bands
LW: Long Wave
LWPA: Low Power Wide Area
LWPAN: LPWA Network
M
M2M: Machine 2 (to) Machine
MAC: Medium Access Control
Mbps: Megabits per second
MC: Mission Critical
MC: Multiple Connectivity
MCS: Modulation and Coding Scheme
MCC: Mobile Country Code, e.g. 234 for the UK
MC-HSPA: Multi-Carrier HSPA
MCL: Maximum Coupling Loss
Mcs: Megachips per second
MDG: Mobile Development Group
MDN: Mobile Directory Number
MDT: Minimisation of Drive Testing
ME: Mobile Equipment
MEID: Mobile Equipment ID
MeNB: Master e Node B (in Dual Connectivity)
MEO: Medium Earth Orbit
MF: Medium Frequency
MFN: Multi Frequency Network
MGW: Media Gateway
MgNB: Master G Node B (in Dual Connectivity)
MHz: Megahertz (millions of cycles per second)
MIB: Master Information Block
MIMO: Multiple Input Multiple Output
MMDS: Multi-channel Multipoint Distribution Service
MME: Mobility Management Entity (in 4G)
MMS: Multimedia Messaging Service
mmWave: Millimetre Wave (radio band)
MNC: Mobile Network Code, e.g. 10 for O2 UK
MNO: Mobile Network Operator
MORAN: Multiple Operator Radio Access Network
MPS: Multimedia Priority Service
MS: Mobile Station, a 2G mobile device
MSC: Mobile Switching Centre (2G/3G CS core network node)
MS-ISDN: Mobile Subscriber/Station International Subscriber Directory Number – mobile phone number
MSIN: Mobile Subscriber Identification Number
MSS: MSC Server
MSS: Mobile Satellite System
MTC: Machine Type Communication
MTPAS: Mobile Telephony Privileged Access Scheme
MTS: Mobile Telephone Service (0G network)
MuNST: Multi Network Survey Tool, a CSurv device
MVNA: Mobile Virtual Network Aggregator
MVNE: Mobile Virtual Network Enabler
MVNO: Mobile Virtual Network Operator
mW: milliwatts
MW: Medium Wave
N
NAI: Network Access Identifier
NAS: Non-Access Stratum
NB-IoT: Narrowband IoT network
NCC: Network Colour Code (part of BSIC)
NCI: NR Cell ID
NCGI: NR Cell Global Identifier
NCL: Neighbour Cell List (in 3G and 4G)
NFC: Near-Field Communications
NFV: Network Function Virtualisation
NG-RAN: Next Generation – Radio Access Network (in 5G)
NGSO: Non-Geostationary Orbit
NID: Network ID
NLOS: Non-Line of Sight
NMT: Nordic Mobile Telephone
NR: National Roaming
NR: New Radio
NR-ARFCN: New Radio Absolute Radio Frequency Channel Number
NSA: Non-Standalone
NSSF: Network Slice Selection Function (in 5G)
NTN: Non-Terrestrial Network
O
OCDA: Office for Communications Data Authorisations
ODTOA: Observed Difference in Time of Arrival
OFDM: Orthogonal Frequency Division Multiplexing
OFDMA: Orthogonal Frequency Division Multiple Access (in 4G/5G/WIFI)
Ofcom: Office of the Communications Regulator
O-RAN: Open RAN
OTSR: Omni-directional Transmit, Sectorised Receive
OTT: Over the Top
P
P25: Project 25 – emergency services network type in USA
P-ANI: Private header – Access Network Information
PAYG: Pay-as-you-go
PBAP: Phone Book Access Profile
PCCH: Paging Control Channel
PCell: Primary Cell (in Carrier Aggregation)
PCH: Paging Channel
PCI: Physical-layer Cell ID (in 4G)
PCS: Personal Communications System
PD: Propagation Delay
PDC: Personal Digital Cellular
PDN-GW: Packet Data Network Gateway (4G core network node)
PDP: Packet Data Protocol
PDSN: Packet Data Service Node
PEI: Permanent Equipment Identifier
P-GSM: Primary GSM900 band
PGW: Packet Data Network Gateway (4G core network node)
PHS: Personal Handyphone System
PKI: Public Key Infrastructure
PLMN: Public Land Mobile Network
P_MAX: Maximum permitted uplink transmit power
PN: Pseudo Noise
POI: Period of Interest
PR: Probe Request/Probe Response
PRB: Physical Radio Block
PRL: Preferred Roaming List
PRS: Positioning Reference Signal
PS: Packet Switched, e.g. the data transmission mechanism used by data networks like the Internet
PSC: Primary Scrambling Code (in 3G)
PSCell: Primary Secondary Cell (in Dual Connectivity)
P-SCR: Primary Scrambling Code – alternative abbreviation (in 3G)
PSS: Primary Synchronisation Signal (in 4G)
PSTN: Public Switched Telephone Network
P-TCH: Packet switched Traffic Channel (in 2G)
P-TMSI: Packet switched Temporary Mobile Subscriber Identifier (in 2G and 3G)
PTT: Press to talk/Push to talk
Q
QAM: Quadrature Amplitude Modulation
QCI: QoS Class Identifier
QoS: Quality of Service
QPSK: Quadrature Phase Shift Keying
R
R: Cell Reselection algorithm (in 3G, 4G and 5G)
R99: Release 99 (3GPP specification set)
RA: Routing Area (in 2G and 3G)
RAC: Routing Area Code
RACH: Random Access Channel
RAI: Routing Area Identifier
RAU: Routing Area Update
RAN: Radio Access Network
RAND: Random number used in authentication
RAT: Radio Access Technology
RB: Resource Block (in 4G/5G)
RE: Resource Element (in 4G/5G)
RES: Response sent during authentication
Reselection: In Idle Mode, the process by which a mobile device selects the serving cell that it will camp on
RF: Radio Frequency
RFID: Radio Frequency ID
RFSS: Radio Frequency Sub-System
RFPS: Radio Frequency Propagation Survey
RIC: RAN Intelligent Controller
RIPA: Regulation of Investigatory Powers Act
RNA: RAN-Based Notification Area
RNAU: RNA Update
RNC: Radio Network Controller (in 3G)
RNC ID: RNC Identifier
RNS: Radio Network Subsystem (in 3G)
RRC: Radio Resource Control
RRH: Remote Radio Head
RRM: Radio Resource Management
RRU: Remote Radio Unit
RS: Reference Signal
RSCP: Received Signal Code Power (in 3G)
RSRP: Reference Signal Received Power (in 4G/5G)
RSRQ: Reference Signal Received Quality (in 4G/5G)
RSSI: Received Signal Strength Indicator
RTT: Radio Transmission Technology
RTT: Round Trip Time
RXLev: Received Signal Level (in 2G)
RXQUAL: Received Signal Quality (in 2G)
S
S: Cell selection algorithm (in 3G, 4G and 5G)
SA: Standalone
SAC: Service Area Code (in 3G)
SAE: System Architecture Evolution
SACCH: Slow Associated Control Channel
SAP: SIM Access Profile
SCell: Secondary Cell (in Carrier Aggregation)
SC-FDMA: Single Carrier Frequency Division Multiple Access (in 4G)
SCH: Synchronisation Channel (in 2G)
SDCCH: Standalone Dedicated Control Channel
SDL: Supplementary Downlink
SDN: Software Defined Network
SDP: Session Description Protocol
SDR: Software Defined Radio
SeNB: Secondary e Node B (in Dual Connectivity)
Serving: Term applied to the cell that an Idle Mode device is currently camped on or that a Connected Mode device is connected to
SF: Spreading Factor
SFN: Single Frequency Network
SFR: Streamlined Forensic Report
SgNB: Secondary g Node B (in Dual Connectivity)
SGSN: Serving GPRS Support Node (2G/3G PS core network node)
S-GW: Serving Gateway (4G core network node)
SHO: Soft Handover (in 3G)
SI: International System of Units
SIB: System Information Block
SID: System ID
SIG: Special Interest Group
SIM: Subscriber Identity Module
SIP: Session Initiation Protocol
SINR: Signal to Interference and Noise Ratio
SMF: Service Management Function (in 5G)
SNR: Serial Number
SMS: Short Message Service
SMSC: Short Message Service Centre
Sng-eNB: Secondary Next Generation e Node B (in Dual Connectivity)
SNR: Signal-to-Noise Ratio
SNR: Serial Number (part of an IMEI)
SOCO: Scene of Crime Officer
SON: Self-Optimising Network
SPoC: Single Point of Contact
SR: Spreading Rate
SRD: Short Range Device
SrHO: Softer Handover (in 3G)
SRVCC: Single Radio Voice Call Continuity
SSID: Service Set ID
SSS: Secondary Synchronisation Signal (in 4G)
S-TMSI: Serving Temporary Mobile Subscriber Identifier (in 4G/5G)
STSR: Sectorised Transmit Sectorised Receive
SUCI: Subscription Concealed Identifier
SUL: Supplementary Uplink
SUPI: Subscription Permanent Identifier
SVDO: Simultaneous Voice and Data
SVN: Software Version Number (part of an IMEI)
T
TA: Timing Advance
TA: Tracking Area (in 4G)
TAC: Tracking Area Code
TAC: Type Allocation Code (part of an IMEI)
TACS: Total Access Communications System
TAI: Tracking Area Identifier
TAU: Tracking Area Update
TCH: Traffic Channel (in 2G)
TDD: Time Division Duplex
TD-LTE: TDD version of LTE
TDMA: Time Division Multiple Access
TD-SCDMA: Time Division – Synchronous Code Division Multiple Access
TETRA: Terrestrial Trunked Radio
T-GSM: TETRA
THF: Tremendously High Frequency
THz: Terahertz (Trillions of cycles per second)
TIA/EIA: Telecoms Industry Association/Electronics Industries Alliance
TMSI: Temporary Mobile Subscriber Identifier
TO: Telecoms Operator
TO: Temporary Offset
TOA: Time of Arrival
TRX: Transceiver or Transmitter-Receiver
TS: Technical Standard
TSDSI: Telecommunications Standards Development Society, India
U
UAC: Unified Access Control
UARFCN: UMTS Absolute Radio Frequency Channel Number
UDM: Unified Data Management function (in 5G)
UE: User Equipment (in 3G, 4G and 5G)
UHF: Ultra High Frequency
UIC: Union International des chemins de fer (International Railway Union)
UICC: Universal Integrated Circuit Card
UL: Uplink
UMTS: Universal Mobile Telecommunications System, a 3G network type
UMTSHCR: High Chip rate version of UMTS (e.g. standard UMTS)
UMTS-FDD: FDD version of UMTS
UMTSLCR: Low Chip rate version of UMTS (e.g. TD-SCDMA)
UMTS-TDD: TDD version of UMTS
UPF: User Plane Function (in 5G)
URA_PCH: UTRAN Registration Area Paging Channel (in 3G)
USIM: Universal SIM
USRAN: Universal Satellite Radio Access Network (in 3G)
UTRA: Universal Terrestrial Radio Access (in 3G)
UTRAN: Universal Terrestrial Radio Access Network (in 3G)
UWB: Ultra-Wide Band
V
V2I: Vehicle to Infrastructure
V2P: Vehicle to Pedestrian
V2V: Vehicle to Vehicle
V2X: Vehicle to anything
VHF: Very High Frequency
VLF: Very Low Frequency
VLR: Visitor Location Register
VM: Voicemail
VoIP: Voice over IP
VoLTE: Voice over LTE
VoNR: Voice over NR
VoWIFI: Voice over WIFI
W
W: watts
WACN: Wide Area Communications Network ID
WAVE: Wireless Access in Vehicular Environments
WCDMA: Wideband Code Division Multiple Access
WIFI: Wireless Fidelity
WIMAX: Wireless Interoperability for Microwave Access
WLAN: Wireless Local Area Network
WLL: Wireless Local Loop
WPAN: Wireless Personal Area Network
WRC: World Radio Conferences
WSN: Wireless Speciality Network
X
XRES: Expected Response during authentication
1 Forensic Radio Surveys for Cell Site Analysis

1.1 Cell Site Analysis
Cell site analysis attempts to provide evidence of where a mobile phone may have been located when certain significant calls were made, or where it is currently located for some types of live investigation. Cell site analysis is generally interested in just four things in relation to a technology or network type:
● What useful information does the usage or billing data contain?
● What radio resources does the technology or network use?
● How can those resources be measured?
● What conclusions can we draw?
This book examines the range of network types that are currently available, cellular or otherwise, and attempts to provide the answers to each of those questions for each network or technology type discussed.

Mobile phone networks consist of a large number of radio ‘cells’, each of which covers a limited geographical area. Each cell is assigned a unique ‘Cell ID’, which is captured in the billing record (CDR or Call Detail Record) when calls are made. Network operators are able, under tight regulatory guidelines, to provide details of the calls made by ‘target’ phones and can also provide details of the locations of the cells used by those phones. Cell site analysis is designed to enable an investigator to determine whether calls made at or around the time of an incident or offence used cells that are located near the location of that offence.

1.2 Forensic Radio Surveying
Forensic radio surveys are designed to provide solid evidence to back up the assumptions made by investigators and cell site analysts. Forensic radio survey equipment captures details of the cells that can be detected at a location and can indicate which cells would be selected for use by a phone being used at those locations. Forensic radio survey results can be used to prove that particular cells provide coverage at significant locations and can, therefore, indicate whether it is possible for a phone using those cells to have been at or near those locations when particular calls were made, assuming that the cell coverage at the time of the calls was the same as at the time of the radio survey.

The only totally definite conclusion that can be drawn from cell site analysis is that the use of a particular cell by a target phone means that the phone must have been within the serving coverage area of that cell at the time. Forensic radio surveys can set approximate limits to the area within which the target phone might have been located. This type of evidence can be very useful when attempting to prove or disprove an alibi or other statement. Overall, forensic radio surveys add empirical rigour to an area of investigation that would otherwise fall prey to assumptions and wishful thinking. Cell site analysis, based on a combination of CDRs, cell location details and forensic radio survey results, can provide compelling evidence to support the allegations made by investigators.
Forensic Radio Survey Techniques for Cell Site Analysis, Second Edition. Joseph Hoy. © 2024 John Wiley & Sons Ltd. Published 2024 by John Wiley & Sons Ltd.
2 Radio Theory

Cellular networks use communications methods based on basic RF (Radio Frequency) transmission principles.
2.1 RF Propagation

2.1.1 Radio Theory
Radio signals are created when an alternating electrical current is applied to an antenna. Any electrical current applied to a conductor generates a magnetic field around the conductor. This field extends for only a short distance. As shown in Figure 2.1, if the electrical current through an antenna is made to alternate – that is, to change its direction of flow from forwards to backwards, which causes the electrical current to move through a cycle of positive and then negative values – the entangled electrical and magnetic (or ‘electromagnetic’) field generated around the antenna begins to extend far beyond the antenna and turns into a radio signal. As the current travelling through the conductor alternates, the electromagnetic field generated around the antenna expands to match each peak positive value and then collapses back towards the antenna, it then expands again to match the peak negative value and then collapses, and so on for each cycle of alternations. If the rate of alternation (i.e. the number of cycles of changing positive to negative values per second) is sufficiently fast, each instance of the electromagnetic field that is generated does not have time to fully collapse before the instance generated by the next cycle of alternation begins to expand.

A conceptual way of imagining the effect of these alternating cycles could be as follows: a change in the electric current sets up a disturbance in the magnetic field close to the conductor. In turn, that disturbance causes the electric and magnetic fields further out from the conductor to change. Continuation of this process leads to a ripple of electric and magnetic fields travelling away from the conductor, which take the form of an electromagnetic wave. The whole process is very like the formation of a water wave when a stone is dropped into a pond.
As the source signal continues to cycle, wave after wave of electromagnetic fields are pushed out from the antenna as a phenomenon that we term ‘radio waves’. This is demonstrated in Figure 2.2. Each alternation of the source electrical signal is termed a ‘cycle’, and the ‘frequency’ of a signal is calculated by counting the number of ‘cycles per second’. One cycle per second is known as 1 hertz (after Heinrich Hertz, the scientist who first demonstrated the existence of electromagnetic waves in the late nineteenth century) and is abbreviated as 1 Hz. In total, 1000 cycles per second is 1 kilohertz (1 kHz), 1 million cycles per second is 1 megahertz (1 MHz) and so on. Further standard SI (International System of Units) descriptions of magnitude are shown in Table 2.1 [1].

Scientific notation is generally employed to represent very large or very small numbers or to standardise the way in which collections of numbers of both large and small magnitudes are presented. This notation indicates the base value and a multiplier, which would usually be 10 raised to a power. The value 1000 would be represented in scientific notation as 1 × 10^3 (1 × 10 × 10 × 10), or a value such as 3 240 000 would be represented as 3.24 × 10^6.
Figure 2.1 Alternating current. (Figure labels: Conductor; Alternating current; Positive current flow; Negative current flow; Magnetic field created around conductor expands and contracts.)

Figure 2.2 Generating a radio wave. (Figure labels: Conductor/antenna; Alternating current applied to antenna; Waves of radio energy move out from antenna.)
Table 2.1 SI units related to radio signal measurements.

Cycles/s               Scientific   Description   RF notation
1000                   10^3         Kilohertz     kHz
1 000 000              10^6         Megahertz     MHz
1 000 000 000          10^9         Gigahertz     GHz
1 000 000 000 000      10^12        Terahertz     THz
The ‘radio effect’ can be created at any frequency, however low. There are, for example, systems that use very low frequencies (VLFs) of just a few tens or hundreds of hertz to send very long-distance signals that can communicate with submarines on the other side of the world. VLF transmission is, however, quite difficult to achieve and very limited in the amount of information that can be transmitted. The most common forms of radio transmission use higher frequencies, with typical applications starting above around 3 kHz. The upper end of the range of frequencies that can be used to carry radio signals is generally accepted to be at around 300 GHz, although there are emerging radio applications that use frequencies in the terahertz (THz) range, which is near the point where radio energy begins to be perceived as infra-red radiation and then light energy. The range of frequencies that can be used to carry radio signals is, therefore, commonly classed as being between 3 kHz and 300 GHz. These frequencies are often collectively known as RF (Radio Frequency).

A radio receiver essentially consists of an antenna connected to a ‘tuner’ circuit that allows the user to specify the characteristics of the radio signal they wish to recover. The moving electromagnetic wave of the transmitted signal induces a current as it passes through the receiving antenna, which can then be filtered and amplified to allow any information carried by the signal to be recovered. Radio can, therefore, be thought of as ‘induction over a distance’.
2.1.2 Basic Terminology
The basic terms employed to describe aspects of RF transmission are illustrated in Figure 2.3 and include
● Frequency: The rate at which a source electrical signal alternates and therefore also the rate at which the generated electric and magnetic fields cycle from their peak positive values to their peak negative values, and back to their peak positive values again. Frequency is measured as ‘cycles per second’, with one cycle per second equal to 1 Hz. Frequency is usually represented using the symbol ‘f’.
● Wavelength: The distance a radio signal travels during one cycle and hence the physical length of one cycle. Radio waves have a velocity, meaning the rate at which they move away from a transmitter, of the speed of light (300 000 km/s), so a 1 Hz signal (1 cycle/s) has a wavelength of 300 000 km for each cycle – it will have travelled 300 000 km during 1 s but will only have cycled once during that period. A 2-Hz signal has a wavelength of 150 000 km for each cycle and so on. The speed of light is usually represented using the symbol ‘c’. At cellular frequencies, a 900-MHz signal has a wavelength of approximately 30 cm and an 1800-MHz signal has a wavelength of around 15 cm. Wavelength is usually represented using the Greek lambda symbol ‘λ’. The relationship between the velocity of a radio signal, its frequency and its wavelength can, therefore, be stated as c = fλ.
● Amplitude: Relates to the strength of the electrical and magnetic fields and is measured when the waves reach their peak positive and negative values.
● Spectrum: The range of frequencies that can be classed as being RF is termed the ‘radio spectrum’. This extends up to around 300 GHz or even into the low terahertz at the highest. Electromagnetic frequencies above the terahertz range begin to be classed as ‘infra-red’ radiation and then ‘light’ rather than ‘radio’.
● Bandwidth: A radio signal is typically centred on a ‘carrier centre frequency’ (or just ‘carrier frequency’) but extends to cover a range of frequencies on either side of this centre point. The range of frequencies covered by a transmission is known as its ‘bandwidth’, that is the width of the radio band occupied by that transmission. A graphical representation of this is shown in Figure 2.4.

Figure 2.3 The frequency, wavelength and amplitude of a signal. (Figure labels: 1 cycle/1 Hertz; Amplitude; Wavelength (λ); 1 second; Frequency (f) = 6 cycles per second (6 Hertz); Velocity (c) = speed of light, 300 000 km/s; c = fλ.)

Figure 2.4 Bandwidth of a radio channel. (Figure labels: Power; Frequency; Channel bandwidth.)
2.1.3 Propagation Modes
The frequency of a radio signal has an impact on the manner in which that signal propagates (i.e. the way in which the signal travels), as demonstrated in Figure 2.5. Below 30 MHz, VLF and LF signals (which are also sometimes termed ‘long wave’ due to their long wavelength/low frequency) and medium frequency signals (also known as ‘medium wave’ [MW]) are generally classed as ‘ground wave’ signals, as they tend to stay close to the ground and follow the curvature of the Earth following transmission.
Figure 2.5 Radio propagation modes. (Figure labels: Space wave (LOS); Ionosphere; Medium wave (NLOS); Earth; VLF/LF ground waves (NLOS).)
This phenomenon is due to the properties of the ionosphere, a layer in the Earth’s atmosphere that starts around 85 km above sea level and reflects radio signals with a frequency below 30 MHz. VLF and LF (also known as ‘long wave’) frequencies are useful for very long-distance transmissions as these signals can hug the ground to travel beyond the transmitter’s horizon. Signals with frequencies that are above the point where they can break free from the ‘ground wave’ effect but that are still below 30 MHz are able to reflect off the ionosphere and be carried beyond the natural horizon of the transmitter. This is the principle employed by MW radio stations. Both of these are examples of ‘non-line of sight’ (NLOS) transmission, in which a transmitter and receiver do not necessarily need to have a clear view of each other in order to exchange signals. Higher-frequency (and shorter wavelength) signals above 30 MHz tend to travel in straight lines and are also able to travel through the ionosphere, which generally makes them suitable only for ‘line of sight’ (LOS) transmission, which means that the transmitter and receiver do need a clear view of each other in order to exchange signals. The distance over which terrestrial versions of this type of transmission system can operate is limited by the curvature of the Earth. This means that signals from a terrestrial (ground based) transmitter can rarely extend past the transmitter’s horizon to reach very distant ground-based receivers, although the range of this type of radio service can be increased by placing the transmitter and receiver as high up as possible, for example, on top of a tall building or a hill. This type of high-frequency (HF) wave is often called a ‘space wave’ due to the tendency of signals to pass through the ionosphere and travel out into space. 
Cellular systems use frequencies in and beyond the ultra-high-frequency (UHF) band, which exists between 300 MHz and 3 GHz and are, therefore, limited to LOS transmission. However, the physical and geographical ‘clutter’ that exists in most areas where cellular services are deployed allows radio signals to be deflected and reflected over short distances in ways that allow them to reach places where there is no direct LOS between transmitter and receiver.
2.1.4 Multipath Transmission
Cellular systems deployed in very mountainous rural areas or heavily built-up urban areas often struggle to achieve LOS, as there is often some form of obstruction between the transmitter (base station) and receiver (mobile phone). In these scenarios, a phenomenon known as ‘multipath transmission’, which is illustrated in Figure 2.6, becomes important.

Radio waves propagate in much the same way as light waves; just like a beam of light, a radio signal can be blocked or attenuated by a large building or a hill, causing a ‘radio shadow’ to be created behind the obstruction. Also like light, however, radio signals can be diffracted (bent) as a result of travelling close to an object, or can reflect off smooth surfaces like windows or the sides of buildings, or scatter off rough surfaces; each of these events can allow some of the signal’s energy to travel along different propagation paths than would be possible using just LOS. Some forms of interaction can cause a single beam of radio energy to be split into several different beams, each deflected along a different path. This means that in a dense urban environment, signals from base stations can be received by mobile devices even if there is no direct LOS path between them due to the signal bouncing off buildings or other objects and being reflected into areas that would not be reached by pure LOS transmission. The same is also true of the connection that travels in the reverse direction between a mobile phone and a base station.

Several duplicate elements of a signal may reach the mobile device having been reflected along different propagation paths to get there – each of these is known as a ‘multipath’. The signal being received by a mobile phone at any moment may consist of several multipaths combined together and will, therefore, be an aggregate of those separate ‘echoes’ or ‘copies’ of the same signal. The period between the earliest arriving version of a signal and the latest arriving multipath ‘echo’ is called the signal’s ‘delay spread’ – the larger the delay spread, the more likely it is that the multipath ‘echoes’ will start interfering with the next transmitted element in the signal. Multipaths often build up as a consequence of a long journey between transmitter and receiver; so, delay spread becomes more of a problem the further the receiver is from the transmitter.

Multipaths can combine ‘constructively’, in which case the sum of their values creates a stronger signal, or they can combine ‘destructively’, in which case some or all of the multipaths cancel each other out and reduce the strength of the received signal. This is illustrated in Figure 2.7. As multipaths are typically created by reflections, their paths can be altered by changes to the surface on which they are reflecting, so if a bus stops in front of a wall that had been causing a reflection, the multipath created by the signal reflecting off the bus instead could be redirected along some other path. The same may happen if the phone moves and is no longer aligned to one or more of the multipaths it was previously receiving.

Figure 2.6 Multipath transmission. (Figure labels: Multipaths; Delay spread.)

Figure 2.7 Multipath combining. (Figure labels: Constructive combining – signals reinforce each other and result in increased amplitude; Destructive combining – signals cancel each other and result in decreased amplitude.)
Multipath energy is added to and removed from the set being detected by a phone all the time, causing the signal strength measured by the phone (which is an aggregate or sum of all of the multipaths being received) to fluctuate or ‘fade’ quite markedly.
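As an added example (not from the book), the following Python models the constructive and destructive combining, the delay spread and the fading-with-movement effect described above; the 900 MHz carrier, path lengths and amplitudes are constructed values.

```python
import math

# Added example (not from the book): phasor combining of multipath 'echoes'
# of a single carrier. All path lengths, amplitudes and the 900 MHz carrier
# are constructed for illustration.
SPEED_OF_LIGHT_M_S = 299_792_458.0


def wavelength_m(frequency_hz):
    """Wavelength of the carrier, used to turn a path length into a phase."""
    return SPEED_OF_LIGHT_M_S / frequency_hz


def combined_amplitude(frequency_hz, path_lengths_m, amplitudes):
    """Magnitude of the phasor sum of several copies of one carrier.

    Each copy arrives with a phase set by its path length: a copy that has
    travelled half a wavelength further arrives in anti-phase and cancels.
    """
    lam = wavelength_m(frequency_hz)
    total = 0j
    for length, amp in zip(path_lengths_m, amplitudes):
        phase = -2.0 * math.pi * length / lam
        total += amp * complex(math.cos(phase), math.sin(phase))
    return abs(total)


def combining_type(frequency_hz, path_lengths_m, amplitudes):
    """'constructive' if the aggregate is stronger than the strongest single
    path, 'destructive' if it is weaker, 'neutral' otherwise."""
    strongest = max(amplitudes)
    combined = combined_amplitude(frequency_hz, path_lengths_m, amplitudes)
    if combined > strongest + 1e-9:
        return "constructive"
    if combined < strongest - 1e-9:
        return "destructive"
    return "neutral"


def delay_spread_s(path_lengths_m):
    """Time between the earliest and the latest arriving copy."""
    return (max(path_lengths_m) - min(path_lengths_m)) / SPEED_OF_LIGHT_M_S


def fading_profile(frequency_hz, direct_m, reflected_m, amplitudes,
                   step_m, steps):
    """Aggregate amplitude seen by a phone that moves 'steps' times by
    'step_m' along the direct path towards the reflector, so the direct
    path lengthens while the reflected path shortens (constructed geometry).
    The aggregate swings between the sum and the difference of the two
    amplitudes within a few centimetres of movement: this is 'fading'."""
    profile = []
    for i in range(steps):
        moved = i * step_m
        profile.append(combined_amplitude(
            frequency_hz, [direct_m + moved, reflected_m - moved], amplitudes))
    return profile


if __name__ == "__main__":
    f = 900e6
    lam = wavelength_m(f)
    print(f"wavelength at 900 MHz: {lam:.3f} m")
    print("half-wavelength path difference:",
          combining_type(f, [1000.0, 1000.0 + lam / 2], [1.0, 0.6]))
    print("full-wavelength path difference:",
          combining_type(f, [1000.0, 1000.0 + lam], [1.0, 0.6]))
    print(f"delay spread for 300 m extra path: "
          f"{delay_spread_s([1000.0, 1300.0]):.2e} s")
    for a in fading_profile(f, 1000.0, 1050.0, [1.0, 0.6], 0.02, 20):
        print(f"{a:.2f}")
```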
LOS connectivity offers the best signal quality for a cellular service, but it is important to understand that a connection can still be maintained via diffracted, refracted or reflected signals even if no direct LOS exists.
2.1.5 Propagation Issues
Radio signals will generally propagate or travel until they run out of power or get blocked by something. Signals sent in typical urban and rural environments can be blocked or scattered by many different kinds of ‘clutter’: urban clutter can include buildings, trees, vehicles, bridges and so on; rural clutter can include trees, hills and mountains. Buildings with smooth or shiny surfaces reflect radio signals in new directions, often causing multipaths; those with rough surfaces cause a signal to scatter into unusable radio noise. Trees and vegetation can be a cause of variable propagation issues; in the autumn and winter, when trees have lost their leaves, they pose no great problem for radio signal propagation; in the spring and summer, when trees are in full leaf and especially after it has rained, the wet leaves can be a transient source of radio scatter for signals that have already been weakened by travelling for some distance.
2.2 Carrying Information on a Radio Signal
Radio is an analogue medium, in the sense that a radio signal is a continuously changing stream of energy that moves through an infinite number of values during each cycle. All radio systems are, therefore, based on analogue transmission techniques. When the various types and generations of radio system are examined, however, some are described as ‘analogue’ systems and others as ‘digital’ – it is important to understand the differences between these concepts if the differences between the associated radio technologies are to be understood.
2.2.1 Analogue Transmission Systems
All early radio systems, including quite a significant number of systems that are still in use, relied on an analogue information transmission method. In an analogue system, a copy of the raw information to be transmitted – a person’s voice or some music, for example – is simply overlaid onto a radio carrier frequency and the combined signal is then transmitted. This process is illustrated in Figure 2.8. (Note on Figure 2.8 – in reality, the frequency of the analogue carrier wave would be many times higher than the frequency of the analogue signal it was carrying – a low frequency carrier has been depicted for simplicity.) Sound is simply another form of analogue medium, so a voice, music and other forms of audio information exist as streams of analogue energy; and so, the combination of an analogue sound stream and an analogue radio carrier creates a combined analogue radio signal.
Figure 2.8 Analogue transmission: analogue information is overlaid onto an analogue radio carrier to give a carrier signal modulated with analogue information.
The content of an analogue radio transmission is carried in the variety of ‘modulations’ or changes to the frequency and amplitude of the transmitted radio signal, which not only makes for a comparatively simple transmitter/receiver architecture but also creates a transmission medium that is easily disrupted. All radio transmissions are susceptible to interference; sources of radio interference create ‘noise’ that combine with the radio signal. Too high a level of interference can impair a receiver’s ability to understand the nature of the information being conveyed. Analogue transmission systems provide poor-quality services in the presence of too much interference. Analogue transmission also offers limited scope for security, as it can be difficult to apply encryption to analogue information streams. Analogue transmission is still widely employed to carry services like broadcast radio – Amplitude Modulation (AM) and Frequency Modulation (FM) radio stations transmit using comparatively basic analogue transmission techniques – but the majority of cellular systems migrated to digital techniques during the 1990s.
2.2.2 Digital Transmission Systems
Most modern radio systems are described as being ‘digital radio’ systems, which can be confusing. As previously stated, all radio systems use analogue transmission techniques, as radio is an analogue medium. The distinction between analogue and digital transmission is instead related to the format of the information that is conveyed via the radio connections. An analogue transmission system modulates an analogue radio carrier with analogue information, such as an audio signal. A digital transmission system modulates an analogue radio carrier with a stream of digital ones and zeroes, as illustrated in Figure 2.9. If the information to be transmitted is already in a digital format – computer data, Internet traffic and so on – then it can be conveyed directly to the transmitter. Information that starts in an analogue format, such as voice, must be converted from analogue to digital before being transmitted (and converted from digital back to analogue at the receiving end). Most digital transmission devices, such as a modern digital mobile phone, include the capability to perform ADC (Analogue-to-Digital Conversion) to allow audio ‘traffic’ to be transmitted over a digital radio service and DAC (Digital-to-Analogue Conversion) to convert it back to audio at the receiving end. Digital systems encode binary data onto a radio carrier by modulating one or more of the basic properties of that radio carrier – this involves making changes to the frequency, amplitude or phase of the carrier. Frequency modulation could, for example, involve increasing the frequency of the radio signal for a short period of time to represent a ‘1’ in the transmitted information stream and decreasing the frequency to represent a ‘0’. Amplitude modulation works in the same way but varies the power of the signal – higher power to represent a ‘1’ and lower power to represent a ‘0’.
Phase modulation is more complex and more difficult to visualise but involves rapidly jumping the transmitted radio signal from one part of its cycle to another without passing through the intervening parts – this manifests itself as a sharp change in the radio signal rather than the expected smooth ‘sine wave’ progression through a cycle. Simple examples of the various digital modulation schemes are outlined in Figure 2.10.
Figure 2.9 Digital transmission: analogue information passes through an ADC to become digital information (0101), which is applied to an analogue radio carrier to give a carrier signal amplitude modulated with digital information.
Figure 2.10 Digital modulation techniques: amplitude modulation, frequency modulation and phase modulation.
A simple digital modulation scheme – such as BPSK or Binary Phase Shift Keying – would require one type of modulation to represent a ‘1’ and a different type of modulation to represent a ‘0’; each modulation made to a radio carrier is known as a ‘symbol’ and the more modulations or symbols that can be encoded per second, the greater the data rate that can be carried by a radio service. With two modulations available, each symbol can carry one bit of data: 1 or 0. Modern digital systems use advanced modulation schemes that use more than two modulation types; so if four different modulations (four different amplitude levels, for example) are supported, then each change in the radio carrier can be used to carry two bits of data: one amplitude value represents 00, and the other amplitude values represent 01, 10 or 11. QPSK (Quadrature Phase Shift Keying) works in this way, using four different phase changes to encode binary data onto a carrier signal. With 16 modulation types (16 different combinations of amplitude and phase, for example), each symbol can carry four bits of data: 0000, 0001, 0010 and so on. 16QAM (Quadrature Amplitude Modulation) works in this exact way. The fastest modern radio data systems can encode millions of symbols per second onto a radio carrier, and each symbol can represent 2, 4, 16 or more bits of data. Digital transmission techniques lie at the heart of the ability to access fast mobile broadband services. The fact that information is transmitted in a simple format, at least when compared to the infinite variety of properties that can be carried by an analogue transmission system, means that digital systems typically offer more consistent quality, especially in the presence of radio interference. The quality of a digital transmission can be further enhanced using complex ‘error correction’ techniques, and the security of a radio link can be assured using sophisticated digital encryption schemes. 
The more complex a modulation scheme is, however, the more difficult it becomes for a receiver to successfully and accurately distinguish between the various transmitted symbols due to the effects of radio ‘noise’ on the received signal, leading to errors. A radio signal using complex modulation generally needs to be received at quite a high-power level for the signal to overcome the interference enough for each modulation symbol to be detected accurately. Complex or ‘high-order’ modulation schemes that carry fast data traffic, therefore, generally only work well when the receiver is close to the transmitter and has a good quality signal; as a receiver moves further away, the received signal strength diminishes and the potential for errors increases. As reported signal quality drops, the transmitter usually switches to a less complex (low order) modulation scheme, which carries less data but offers better accuracy. The data rate available to a device therefore generally reduces as it moves further away from the transmitter.
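An added example (not the book's code) of the symbol-to-bit relationship and the adaptive modulation described in this section: the constellations, the noise model and the bit mapping are constructed for illustration, and the mapping is plain binary rather than the Gray coding real systems use.

```python
import math
import random

# Added example (not from the book): how BPSK, QPSK and 16QAM map bits to
# symbols, and why a higher-order scheme needs a better signal-to-noise
# ratio before the receiver can tell its symbols apart. Constellations,
# bit mapping (plain binary, not Gray coded) and the noise model are
# constructed for illustration.
CONSTELLATIONS = {
    "BPSK": [(-1.0, 0.0), (1.0, 0.0)],
    "QPSK": [(x, y) for x in (-1.0, 1.0) for y in (-1.0, 1.0)],
    "16QAM": [(x, y) for x in (-3.0, -1.0, 1.0, 3.0)
              for y in (-3.0, -1.0, 1.0, 3.0)],
}


def bits_per_symbol(scheme):
    """With M symbols available, each symbol carries log2(M) bits."""
    return int(math.log2(len(CONSTELLATIONS[scheme])))


def normalised_points(scheme):
    """Scale the constellation so the average symbol power is 1, so that all
    schemes are compared at the same transmit power."""
    pts = CONSTELLATIONS[scheme]
    scale = math.sqrt(sum(x * x + y * y for x, y in pts) / len(pts))
    return [(x / scale, y / scale) for x, y in pts]


def modulate(scheme, bits):
    """Group bits k at a time and send the constellation point with that index."""
    k = bits_per_symbol(scheme)
    pts = normalised_points(scheme)
    return [pts[int("".join(map(str, bits[i:i + k])), 2)]
            for i in range(0, len(bits), k)]


def demodulate(scheme, symbols):
    """Nearest-point decision: noise that pushes a received symbol closer to
    a neighbouring point than to the one sent produces bit errors."""
    k = bits_per_symbol(scheme)
    pts = normalised_points(scheme)
    bits = []
    for sx, sy in symbols:
        idx = min(range(len(pts)),
                  key=lambda i: (pts[i][0] - sx) ** 2 + (pts[i][1] - sy) ** 2)
        bits.extend(int(c) for c in format(idx, f"0{k}b"))
    return bits


def bit_error_rate(scheme, snr_db, n_bits=4000, seed=1):
    """Send random bits through additive Gaussian noise at the given SNR
    (signal power 1 per symbol; noise power 10^(-snr/10) split over the two
    axes) and return the fraction of bits received wrongly."""
    rng = random.Random(seed)
    k = bits_per_symbol(scheme)
    n_bits -= n_bits % k
    sent = [rng.randint(0, 1) for _ in range(n_bits)]
    sigma = math.sqrt(10 ** (-snr_db / 10) / 2)
    noisy = [(x + rng.gauss(0, sigma), y + rng.gauss(0, sigma))
             for x, y in modulate(scheme, sent)]
    received = demodulate(scheme, noisy)
    return sum(a != b for a, b in zip(sent, received)) / n_bits


def best_scheme(snr_db, max_ber=0.01):
    """Adaptive modulation as described in the text: the highest-order
    scheme whose error rate at this SNR stays within the acceptable limit,
    or None if even BPSK is too error-prone."""
    usable = [s for s in CONSTELLATIONS if bit_error_rate(s, snr_db) <= max_ber]
    return max(usable, key=bits_per_symbol) if usable else None


if __name__ == "__main__":
    for snr in (5, 10, 15, 20, 25):
        rates = {s: f"{bit_error_rate(s, snr):.4f}" for s in CONSTELLATIONS}
        print(f"{snr} dB: {rates} -> {best_scheme(snr)}")
```

Running the block shows the 16QAM error rate falling as the SNR rises, so the chosen scheme steps up from QPSK to 16QAM as the signal improves.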
2.3 Radio Spectrum
2.3.1 Radio Bands and Channels
The range of possible radio frequencies is known as the radio spectrum. The usable range of frequencies available within the radio spectrum runs from around 3 kHz up to over 300 GHz. This spectrum may appear to be very wide, but it is not infinite.
Figure 2.11 Radio bands and channels: the radio spectrum runs from 3 kHz to 300 GHz; within it, bands such as the FM radio band (80–104 MHz) and the 900 MHz band (880–960 MHz) are divided into radio channels.
The radio spectrum in each country is controlled by that country’s government, but governments cooperate to implement regional or global spectrum allocation plans. To ensure that interference between users is kept to a minimum, individual systems or networks are ‘licensed’ to operate within a particular range of radio frequencies – this is known as a frequency band. Depending upon the type of service being operated, these bands might cover just a few kilohertz or many megahertz of bandwidth. Radio bands are usually labelled using the main frequency that the band is based around – that is, 900-band networks would use frequencies in a wide band based around 900 MHz and 1800-band systems would be based around 1800 MHz. Within each band, smaller allocations of frequencies are defined for individual users of the network – these are known as radio channels. The bandwidth of the radio channels used by a network is determined partly by the radio technology being used and partly by the amount of capacity the network assigns to each user. Generic examples of spectrum, bands and channels are shown in Figure 2.11. Traditionally, different radio bands have been given shorthand ‘names’ to allow them to be more easily discussed without having to quote the frequency ranges every time; one naming convention, which was used in the early days of commercial radio broadcasting, was based on the wavelength of the signal, with names such as shortwave, mediumwave and longwave being used. Another naming method, which was also used in the early days of radio broadcasting, is based on the frequency of the signal – LF, HF, VHF (very HF), UHF and so on. A more scientific naming convention gives each band above 1 GHz a one- or two-letter designation, such as the L-band; other letters – S, C, X, Ku, K, Ka, V and W – are used for other bands.
2.3.2 Effects of Frequency on Propagation
It is generally the case that, at a similar transmit power level or with a similar-sized antenna, a LF (long wavelength) signal will be usable over longer distances than a HF (short wavelength) signal. One way of visualising this is to imagine that there is only a finite amount of energy carried by each cycle of a signal; a long wavelength allows that energy to dissipate over a long distance; and a short wavelength uses that energy up over a shorter distance. This concept is illustrated in Figure 2.12. This explanation is technically inaccurate; the relationship between frequency and propagation is based on a more complex set of principles, but it makes for a readily understandable mental image.1 In practice, this means that it is more economical to use LF bands to send signals over longer distances rather than HF bands as long-distance LF transmission can be achieved using lower transmit power levels.
Figure 2.12 Frequency versus distance: a short distance is travelled during a high-frequency cycle and a long distance during a low-frequency cycle.
2.3.3 Cellular Bands
2G and 3G cellular systems were based on frequencies in the UHF band, between 300 MHz and 3 GHz. 4G and 5G networks not only reuse those same frequency bands but can also be deployed in much higher bands; 4G/5G deployments commonly occupy bands at around 3.5 GHz and some 5G deployments take place in the so-called millimetre wave bands at 20 GHz or higher. Some 6G services could be deployed in terahertz (THz) bands. Systems based on frequencies at the lower end of this range (300–900 MHz) typically offer good long-distance coverage, which is useful for creating large radio cells in rural areas. Other systems, based on higher frequencies (e.g. 1800–2600 MHz), tend to be used to generate smaller radio cells to serve urban areas. Systems based on very high frequencies (above 3 GHz) tend to be used to generate cells that are just a few tens of metres in radius or are used only to provide indoor coverage. The set of radio bands employed to support cellular services in various regions around the world, as illustrated in Figures 2.13 and 2.14, are detailed in Table 2.2.
Figure 2.13 Traditional cellular radio bands (600 MHz to 3800 MHz).
Figure 2.14 Extended cellular radio bands: traditional cellular bands (0.3–3 GHz); additional 4G and 5G bands (3–7 GHz); additional 5G mmWave/millimetre wave bands (24–29 GHz, 37–43 GHz, 47–48 GHz and 57–71 GHz).
Table 2.2 Cellular radio bands.

Frequency band (MHz) | Network types          | Characteristics
300                  | Public safety networks | Long-distance, wide-area cellular coverage
400                  | 2G, 4G                 | Long-distance, wide-area cellular coverage
600                  | 4G, 5G                 | Long-distance, wide-area cellular coverage
700                  | 2G, 3G, 4G, 5G         | Long-distance, wide-area cellular coverage
800                  | 2G, 3G, 4G, 5G         | Long-distance, wide-area cellular coverage
900                  | 2G, 3G, 4G, 5G         | Long-distance, wide-area cellular coverage
1400                 | 3G, 4G, 5G             | Medium distance, medium area coverage
1500                 | 2G, 3G, 4G, 5G         | Medium distance, medium area coverage
1600                 | 4G, 5G                 | Medium distance, medium area coverage
1700                 | 2G, 3G, 4G, 5G         | Medium distance, medium area coverage
1800                 | 2G, 3G, 4G, 5G         | Medium distance, medium area coverage
1900                 | 2G, 3G, 4G, 5G         | Medium distance, medium area coverage
2000                 | 4G, 5G                 | Medium distance, medium area coverage
2100                 | 3G, 4G, 5G             | Medium distance, medium area coverage
2300                 | 4G, 5G                 | Short distance, local area coverage
2400                 | 4G, 5G                 | Short distance, local area coverage
2500                 | 3G, 4G, 5G             | Short distance, local area coverage
2600                 | 3G, 4G, 5G             | Short distance, local area coverage
3300                 | 4G, 5G                 | Short distance, local area coverage
3400                 | 3G, 4G, 5G             | Short distance, local area coverage
3500                 | 3G, 4G, 5G             | Short distance, local area coverage
3600–3800            | 4G, 5G                 | Short distance, local area coverage
4400                 | 5G                     | Short distance, local area coverage
5000–5900            | 4G, 5G                 | Short distance, local area coverage
6400                 | 5G                     | Short distance, local area coverage
24 000–29 000        | 5G                     | Millimetre wave bands
37 000–43 000        | 5G                     | Millimetre wave bands
47 000–48 000        | 5G                     | Millimetre wave bands
57 000–71 000        | 5G                     | Millimetre wave bands
Details of the exact spectrum allocations currently in force in each country are published by the relevant national regulator. As an example, spectrum allocations in the United Kingdom are published by Ofcom (Office of the Communications Regulator) in the United Kingdom Frequency Allocation Table [2]. The Third Generation Partnership Project (3GPP) – the organisation responsible for coordinating the development of most modern cellular systems – currently (as of Spring 2023) defines around 60 different radio bands for various cellular technologies; most of these are in (or near) the UHF band [3], but a growing number of cellular bands are being defined in higher-frequency spectrum. The differences between 2G, 3G, 4G and 5G network types will be explained in a later section.
2.3.4 Shared and Unlicensed Access Schemes
Traditionally, cellular spectrum has been licensed and regulated, meaning that cellular operators required specific licences to operate in specific radio bands; this can be expensive (paying for spectrum licences), bureaucratic (complex licence application process) and slow (waiting for the licensing process to complete), causing some organisations to adapt cellular technologies to work in unlicensed bands. Other schemes have been developed that allow different operators or different technologies to share the same radio carriers. There are several defined parts of the radio spectrum that are set aside for ‘unlicensed’ use – the 2.4 and 5 GHz bands used by WIFI, for example, are part of the spectrum set aside for ISM (Industrial, Scientific and Medical) use, which can be used by applications without any specific licensing (although there are usually rules concerning maximum transmit powers and other aspects of radio transmission). Several schemes have been developed – such as LTE-U (LTE Unlicensed) and LAA (Licence-Assisted Access) – which allow 4G and 5G networks to use unlicensed spectrum, in the 5-GHz ISM band, allowing operators to roll out services without waiting to obtain spectrum licences. These schemes generally take the form of a ‘traffic offload’ function, where signalling and connection control are managed via cells in regular (licensed) channels, and phones are instructed to send data traffic via cells operating in unlicensed bands. The potential downsides of unlicensed access mostly relate to the uncontrollable levels of interference experienced in shared access spectrum, where anything from local WIFI hotspots to other operators’ unlicensed cells could be competing with each other. Shared spectrum schemes can take two forms: sharing cells between two or more operators and sharing channels between technologies.
Cell sharing is supported by the MORAN (Multi Operator Radio Access Network) concept, in which multiple operators can share the same base stations and cells – this is usually achieved by having cells physically deployed by one network operator, who then allows those cells to also broadcast cell IDs belonging to other networks. A 4G LTE cell, for example, can theoretically broadcast details of up to six cell IDs simultaneously. Connections managed by a shared base station can still be connected through to the relevant operator’s core network, allowing providers to share the costs of deploying and running parts of the access network. Shared technology schemes allow signals belonging to different technologies to share the same radio channels; there was a scheme put forward by the Chinese equipment vendor Huawei in the early 2010s, for example, that allowed 2G and 4G cells to share the same channels, and the sharing of channels between 4G and 5G is a standardised part of the specifications. Traditionally, the vast majority of cellular capacity is deployed using licensed, single-operator, single-technology techniques, but the use of unlicensed and shared spectrum techniques may increase as the technologies mature.
2.4 RF Measurements
Radio signal strength measurements form the foundation of forensic radio surveying. The basic unit in which radio signal strengths are often measured is the watt (W), although the milliwatt (mW) scale is also commonly used – 1 mW is 1/1000 W. It is often necessary when taking radio measurements to compare the strength of a signal when it leaves a transmitter to the strength of that signal when it arrives at a receiver. Radio is an enormously inefficient transmission medium, and signals lose large amounts of power as they propagate. This means that a comparison of ‘transmitted’ versus ‘received’ signals is often a comparison of a large number versus a very small number. For example, a signal might be transmitted with a power level of 100 mW but might be received with a power level of 0.000 001 mW. To allow for simpler comparisons and calculations to be made when performing radio measurements, engineers generally use the decibel (dB) and decibel milliwatt (dBm) scales. By using decibels, the enormous variations encountered between transmitted and received signal strengths can be represented using simpler numbers.
2.4.1 Decibel Notation
The decibel uses a logarithmic scale to allow for simpler comparisons of large and small numbers. A logarithm is a mathematical term that can be paraphrased as ‘the power that number X must be raised by to get number Y’. An alternative way of writing this is:

$X^a = Y$

where $a$ is the power to which $X$ must be raised to give $Y$, that is, the logarithm of $Y$ to base $X$ (the inverse of which is written $\log_X(Y) = a$). A simple example of a logarithm is $\log_{10}(100) = 2$, as 2 is the power that 10 must be raised by to equal 100: $10^2 = 100$. A more mathematically rigorous term for ‘power of’ is ‘exponent’. In $10^2$, for example, a number (10) is raised to a power by an exponent (2). The logarithm of 10 (or the base 10 logarithm) required to make 100 is 2, as the exponent that 10 must be raised by to get 100 is 2: $10^2 = 100$ and conversely $\log_{10}(100) = 2$. Similarly, $\log_{10}(1000) = 3$ as $10^3 = 1000$. The real purpose of logarithms is to simplify calculations involving very large and/or very small numbers, and this is due to the mathematical ‘law of powers’. This states the following:

$X^a \times X^b = X^{a+b}$

and also

$X^a / X^b = X^{a-b}$

So, to multiply two numbers together, it is only necessary to add their logarithms. For example:

$10^3 \times 10^2 = (10 \times 10 \times 10) \times (10 \times 10) = 10^{3+2} = 10^5 = 100\,000$

Similarly, to divide two numbers, it is necessary only to subtract their logarithms:

$10^3 / 10^2 = (10 \times 10 \times 10) / (10 \times 10) = 10^{3-2} = 10^1 = 10$

An example of a logarithmic system that makes use of these concepts is the decibel.
2.4.2 Decibels
The unit known as the decibel was designed to enable easier calculations of power gains and power losses in a system. If these gains were each expressed as a logarithm, then the total gain would be the sum of these values, following the law of powers. This logarithmic value is known as a ‘Bel’ (named after Alexander Graham Bell, one of the inventors of the telephone). The logarithm of a radio signal’s power gain or power loss – that is, $\log_{10}(\mathrm{mW})$ – is expressed as a ‘decibel’ (or dB), the value of which is one-tenth of a Bel. The standard notation employed for dB values is, therefore, to multiply the Log value by 10 to make the outcome equivalent to a Bel value:

$\mathrm{dB} = 10 \times \log_{10}(\text{value})$

The multiplication symbol is often omitted, making:

$\mathrm{dB} = 10 \log_{10}(\text{value})$

Using the values mentioned earlier (power at transmitter = 100 mW, power at receiver = 0.000 001 mW), the benefit of using the dB scale becomes clearer:

$100\ \mathrm{mW}: \quad 10 \log_{10}(100\ \mathrm{mW}) = 10 \times 2 = 20$

$0.000\,001\ \mathrm{mW}: \quad 10 \log_{10}(0.000\,001\ \mathrm{mW}) = 10 \times (-6) = -60$

The power loss experienced during transmission is, therefore, the ratio of the transmitted and received values:

$\text{Power loss} = 100\ \mathrm{mW} / 0.000\,001\ \mathrm{mW} = 100\,000\,000$

Using the law of powers with dB values (where exponential dB values are subtracted, as opposed to the division that would be performed on linear values):

$20 - (-60) = 80\ \mathrm{dB}$

or

$\text{Power loss (dB)} = 10 \log_{10}(100\,000\,000) = 80\ \mathrm{dB}$

This shows the received signal experienced a loss of 80 dB compared to the transmitted signal, which equates to it being 100 million times less powerful than when it left the transmitter. From Table 2.3, it can be seen that every time the power level doubles, 3 dB is added, and every time a power level halves, 3 dB is subtracted.
Table 2.3 Typical decibel values.

Ratio of transmitted to received signal power | Decibels (dB)
10 000                                        | 40
1000                                          | 30
100                                           | 20
10                                            | 10
2                                             | 3
1                                             | 0
1/2                                           | −3
1/10                                          | −10
1/100                                         | −20
1/1000                                        | −30
1/10 000                                      | −40
This corresponds to a doubling or halving of signal strength for every change of ±3 dB. A 10-dB gain/loss corresponds to a 10-fold increase/decrease in the signal level. A 20-dB gain/loss corresponds to a 100-fold increase/decrease in signal level. In other words, a device like a cable that has 20-dB loss through its length will lose 99% of its signal power by the time that signal is received at the other end. It can be seen, therefore, that by using the decibel scale, big variations in signal levels are easily handled with simple digits. The dB scale is known as a ‘logarithmic’ or ‘non-linear’ scale as the measurements represented by the dB values do not increase in a linear fashion. Each increase of 10 dB is not an increase of 10 units (as it would be if linear) but an increase by a factor of 10. So, where the normal linear counting system would increase in steps of 10, 20, 30. . ., the dB scale increases exponentially in steps of 10, 100, 1000. . .
2.4.3 Decibel Milliwatts
The dB scale provides a comparison of gain or loss between two values. A dB measurement itself is, therefore, not an ‘absolute’ value but a ‘comparative’ value. Where dB will show the comparative difference between two values, the dBm scale will provide a result that can be mapped to a specific or ‘absolute’ milliwatt value. The dBm scale is, therefore, used to describe specific measurements, while the dB scale is used to compare the values of two different measurements. dBm employs the same logarithmic scale as dB and is calibrated around the value 1 mW, which is equal to 0 dBm. To convert an ‘absolute’ milliwatt value to dBm, use the following method: $\mathrm{dBm} = 10 \log_{10}(\mathrm{mW})$. A signal measured with a strength of 100 mW will, therefore, equate to a value of 20 dBm. The milliwatt value is known as a ‘linear’ value as the measured units progress in a linear fashion (e.g. 10 mW + 10 mW = 20 mW); this compares to the ‘non-linear’ progression of the logarithmic dBm values (e.g. 10 mW + 10 mW = 13 dBm). A comparison of linear (mW) values and logarithmic (dBm) values is provided in Table 2.4. Note: Linear and logarithmic values cannot be mixed in the same calculations, so if a calculation requires the use of a dBm value and a multiplying or dividing value, the dBm value must either be converted back to linear mW or the multiplier/divisor must be converted to its logarithmic equivalent. To recap:

To convert mW to dBm: $\mathrm{dBm} = 10 \log_{10}(\mathrm{mW})$

To convert dBm to mW: $\mathrm{mW} = 10^{\mathrm{dBm}/10}$

Table 2.4 Linear mW values compared to exponential dBm values.

Linear power level (mW) | Decibel milliwatts (dBm)
100 000 (100 W)         | 50
10 000 (10 W)           | 40
1000 (1 W)              | 30
100                     | 20
10                      | 10
2                       | 3
1                       | 0
0.5                     | −3
0.1                     | −10
0.01                    | −20
0.001                   | −30
0.000 1                 | −40
0.000 01                | −50
A similar measurement scale, known as dBW (decibel watts), is also sometimes used, which is based on watts instead of milliwatts. 0 dBW = 1 W and dBW values are 1000× stronger than the same dBm values (because 1 W = 1000 mW). There is also a scale known as dBi (decibel isotropic), which is used to measure the ‘gain’ of an antenna. Antenna gain is a way of measuring the power increase conferred on a signal due to the physical properties of a transmitting antenna that focuses or concentrates its output signal and is a comparison with the power of an ‘isotropic’ antenna that radiates in all directions. The output power of a base station antenna is often measured in dBi (whereas the RF signal output of the base station itself before being applied to an antenna is measured in dBm).
2.4.4 Cellular Measurements
Measurements taken by normal mobile phones and by forensic RF survey devices are usually expressed in dBm (or use reporting values that map to dBm values). Radio is an extremely inefficient transmission medium, mainly due to the fact that a radio signal spreads out as it propagates, thereby diluting the transmitted power, and the power loss associated with sending radio signals can be significant. Radio signals typically leave a base station with power levels of up to a few hundred milliwatts (20–50 dBm) but can be reported by, for example, GSM mobile devices at power levels of, at best, −48 dBm (0.000 016 mW) and are usually much lower than that. A GSM mobile phone measuring signals from a nearby base station would typically report values of −48 to −80 dBm, whereas a phone being used some distance away from a suburban or rural base station will commonly report signal strengths of −80 to −100 dBm. In other technologies, such as those used in 4G and 5G networks, the ‘lowest’ receivable signal strength figures are even lower, at −140 dBm or less. Table 2.5 presents a selection of common cellular dBm values and their linear equivalents (in mW). The mW values shown are unrealistically precise (in reality, it is not likely that a mobile device would be capable of capturing measurements to 15 decimal places), and the values have been shown in this format simply to emphasise how small they are. The lowest usable received signal strength for a GSM phone is around −110 dBm. To put this into some perspective: if a GSM signal is transmitted with an output power of 100 W (100 000 mW or 50 dBm) and is received by a distant mobile device at or near the minimum value of −110 dBm (1.00 × 10^−11 mW or 0.000 000 000 01 mW), the power loss will be 160 dB, which means that the received signal would be:
● 1/10 000 000 000 000 000, or
● one-ten thousand billionth (or one-ten trillionth), or
● a factor of 10^−16
of its original power, which is a power loss level of 99.999 999 999 999 9%, but that radio signal should still be able to carry a reasonable quality phone call. The performance requirements of 3G UMTS, 4G LTE and 5G NR systems can be even more spectacular, with the minimum receiver sensitivity in UMTS set at around −120 dBm and in LTE/NR set at −156 dBm [4].

Table 2.5 Examples of common cellular dBm values.

dBm  | Linear power level (mW)
−45  | 0.000 031 622 776 602 (3.16 × 10^−5)
−50  | 0.000 010 000 000 000 (1.0 × 10^−5)
−55  | 0.000 003 162 277 660 (3.16 × 10^−6)
−60  | 0.000 001 000 000 000 (1.00 × 10^−6)
−65  | 0.000 000 316 227 766 (3.16 × 10^−7)
−70  | 0.000 000 100 000 000 (1.00 × 10^−7)
−75  | 0.000 000 031 622 777 (3.16 × 10^−8)
−80  | 0.000 000 010 000 000 (1.00 × 10^−8)
−85  | 0.000 000 003 162 278 (3.16 × 10^−9)
−90  | 0.000 000 001 000 000 (1.00 × 10^−9)
−95  | 0.000 000 000 316 228 (3.16 × 10^−10)
−100 | 0.000 000 000 100 000 (1.00 × 10^−10)
−105 | 0.000 000 000 031 623 (3.16 × 10^−11)
−110 | 0.000 000 000 010 000 (1.00 × 10^−11)
2.4.5 Measurements Used by Different Cellular Generations
2G GSM networks employ mandatory frequency reuse techniques, which means that no neighbouring cells should be using the same radio channel as each other. GSM devices are, therefore, only required to take measurements of the strength of the ‘wanted’ cell’s signal without needing to compare it to anything else. The primary 2G GSM signal strength measurement is known as RXLev (received signal strength level) and is measured in dBm; this means that it provides an ‘absolute’ measurement of received signal strength and is not required to compare that signal against anything else. 3G, 4G and 5G technologies offer the opportunity for networks to operate as ‘single frequency networks’, in which all neighbouring cells can use the same radio channel. Measurements taken in these circumstances must be ‘comparative’ rather than ‘absolute’, meaning that they need to provide an indication of the strength of the ‘wanted’ cell’s signal in comparison to the amount of ‘unwanted’ noise and interference produced by neighbouring cells. 3G, 4G and 5G systems capture a range of measurements, including:
● A measurement of the ‘wanted’ cell’s signal, measured in dBm;
● A measurement of the total interference (also known as ‘noise’) received on the channel (known as RSSI – Received Signal Strength Indicator), measured in dBm;
● A ‘signal to noise ratio’ quality comparison of wanted signal versus channel noise, measured in dB.
The ‘comparative’ value is usually considered to offer the most useful signal strength measurement in 3G/4G/5G networks as it provides an indication of how ‘usable’ the cell is in relation to the current noise level. This is important to know because a 3G/4G/5G cell might have a strong ‘wanted’ signal strength (−90 dBm, for example), but if it was being received in a cell that was currently suffering from a very high background noise level (e.g. −70 dBm), then the signal-to-noise ratio would be strongly negative ([−90 dBm] − [−70 dBm] = −20 dB), meaning that the signal was significantly (1/100th) lower in strength than the noise, making the traffic carried by that signal difficult to recover. If a wanted signal were to be received at −90 dBm in a cell experiencing lower levels of background noise (e.g. −85 dBm), then the resulting signal-to-noise ratio would be much smaller in magnitude ([−90 dBm] − [−85 dBm] = −5 dB), and the ‘wanted’ signal would compare much more favourably to the noise level. This would offer a much better-quality connection for users. The calculations shown in the above examples are generic and are used for demonstration purposes only; the actual signal-to-noise ratio calculations performed in 3G, 4G and 5G networks can be more complex. So, it can be seen from the above that knowledge of the ‘wanted’ received signal strength (in dBm) alone can potentially provide a misleading view of the quality of the cell being measured.
2.4.6 Describing Signal Strengths One of the difficulties experienced by cell site analysts and expert witnesses is conveying the details of cellular operation to investigators, lawyers and jurors who have little understanding of the technologies or concepts involved. One way of making cell site evidence more understandable for a lay audience is to put information such as signal strengths into more everyday language. Instead of talking about dB and dBm values, it is often more effective to map these values to a set of simple labels. An example of a potential method of mapping signal strength values to simple descriptions is shown in Table 2.6. Great care should be taken when using this approach, however, as there is currently no agreed standard for mapping values to descriptions and any scale used must be regarded as subjective. Different cell site experts use different scales of values and some refuse to map values to text labels at all. Disagreements about the subjective labelling of signal strength values are often highlighted in defence cell site reports, so it is recommended that if a ‘value to text’ mapping formula is employed in a cell site report there should be a paragraph of explanatory text somewhere in the report that gives the ranges of signal strengths that map to each text description. This should forestall at least some of the criticism that could be levelled by defence experts.
Table 2.6 Example of mapping signal strength values into simple descriptions.
Description | 2G (dBm) | 3G (dB) | 4G (dB) | 5G (dB)
Very strong | −45 to −85 | −3 to −6 | −3 to −10 | +20 to −5
Strong | −86 to −90 | −7 to −10 | −11 to −15 | −6 to −9
Moderate | −91 to −100 | −11 to −18 | −16 to −20 | −10 to −20
Poor | −101 to −110 | −19 to −25 | −21 to −30 | −21 to −43
Lowest reportable value | −110 | −25 | −30 | −43
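The dBm/mW conversions tabulated above, the comparative signal-to-noise calculation of Section 2.4.5 and the ‘value to text’ mapping of Section 2.4.6 can all be carried out by a few lines of code. The following Python is an added example, not code from the book: the label ranges are taken from Table 2.6 (which the book presents as one possible scale, not a standard), while the function names, the convention for readings that fall between the table's whole-number boundaries, and the generated explanatory text are this example's own assumptions.

```python
"""Signal strength helpers for cell site reports (added example, not from the book).

Covers: dBm <-> mW conversion, the comparative signal-to-noise value of
Section 2.4.5, and a 'value to text' mapping using the example scale in
Table 2.6 plus the explanatory paragraph the book recommends including.
"""
import math

def dbm_to_mw(dbm: float) -> float:
    """Absolute power: dBm is decibels relative to 1 mW, so 0 dBm = 1 mW."""
    return 10 ** (dbm / 10)

def mw_to_dbm(mw: float) -> float:
    """Inverse of dbm_to_mw(); the power in mW must be positive."""
    if mw <= 0:
        raise ValueError("power in mW must be positive")
    return 10 * math.log10(mw)

def snr_db(wanted_dbm: float, noise_dbm: float) -> float:
    """Comparative value: subtracting two absolute dBm levels gives a ratio
    in dB (not dBm). Negative means the wanted signal is weaker than the noise."""
    return wanted_dbm - noise_dbm

def db_to_linear(db: float) -> float:
    """Linear power ratio for a dB value, e.g. -20 dB -> 0.01 (1/100th)."""
    return 10 ** (db / 10)

# Table 2.6 scale: (label, upper bound, lower bound), strongest first.
# 2G values are absolute (dBm); 3G/4G/5G values are comparative (dB).
SCALE = {
    "2G": [("Very strong", -45, -85), ("Strong", -86, -90),
           ("Moderate", -91, -100), ("Poor", -101, -110)],
    "3G": [("Very strong", -3, -6), ("Strong", -7, -10),
           ("Moderate", -11, -18), ("Poor", -19, -25)],
    "4G": [("Very strong", -3, -10), ("Strong", -11, -15),
           ("Moderate", -16, -20), ("Poor", -21, -30)],
    "5G": [("Very strong", 20, -5), ("Strong", -6, -9),
           ("Moderate", -10, -20), ("Poor", -21, -43)],
}
UNITS = {"2G": "dBm", "3G": "dB", "4G": "dB", "5G": "dB"}

def describe(generation: str, value: float) -> str:
    """Map a measured value to a Table 2.6 label.

    The table's ranges step in whole numbers (-85 then -86), so a fractional
    reading such as -85.5 sits in no listed range. Assumed convention here:
    each band extends down to its stated lower bound, so -85.5 is 'Strong'.
    A report must state whichever convention it uses. Values above the top
    of the scale keep the top label; values below the lowest reportable value
    are rejected, because a survey device would not report them.
    """
    bands = SCALE[generation]
    lowest_reportable = bands[-1][2]
    if value < lowest_reportable:
        raise ValueError(f"{value} {UNITS[generation]} is below the lowest "
                         f"reportable value ({lowest_reportable})")
    for label, _upper, lower in bands:
        if value >= lower:
            return label
    raise AssertionError("unreachable: bands end at the lowest reportable value")

def scale_statement(generation: str) -> str:
    """Explanatory text for a report, giving the range behind each label."""
    unit = UNITS[generation]
    bands = SCALE[generation]
    parts = [f"{label} {upper} to {lower}" for label, upper, lower in bands]
    return (f"{generation} ({unit}): " + "; ".join(parts)
            + f"; lowest reportable value {bands[-1][2]}")

if __name__ == "__main__":
    # Constructed readings reproducing the book's worked example.
    for wanted, noise in ((-90, -70), (-90, -85)):
        ratio = snr_db(wanted, noise)
        print(f"wanted {wanted} dBm, noise {noise} dBm -> {ratio} dB "
              f"({db_to_linear(ratio):.3f} of the noise power)")
    print(f"-100 dBm = {dbm_to_mw(-100):.3e} mW")
    print("2G -90 dBm reads as:", describe("2G", -90))
    print(scale_statement("2G"))
```

`scale_statement()` produces the kind of paragraph Section 2.4.6 says should accompany any label-based presentation, so the ranges in the report cannot drift from the ranges used to produce the labels.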
Note 1 There are several more technically accurate reasons for why lower-frequency signals tend to travel further than higher-frequency ones. The first, and more important, comes from mathematical calculations of the reception of radio waves. Such calculations tell us that the effective collecting area of the receive antenna depends on the square of the wavelength of the radio waves. At lower frequencies (longer wavelengths), the receive antenna has a larger collecting area than it does at higher frequencies. It, therefore, acts as a larger bucket for the incoming radio waves, receives a stronger signal and can detect incoming radio waves more easily. The second reason is that, at high radio frequencies (above a few GHz), radio waves are absorbed by atmospheric water vapour and oxygen as they travel. The higher the frequency, the greater the absorption, and the weaker the radio signal itself will be.
References
1 Bureau International des Poids et Mesures (2023) SI Prefixes, https://www.bipm.org/en/measurement-units/si-prefixes (accessed 12 February 2023).
2 OFCOM (2014) The United Kingdom Frequency Allocation Table, https://www.ofcom.org.uk/spectrum/information/uk-fat (accessed 12 February 2023).
3 3GPP Technical Specification (2022) NR; Base Station (BS) Radio Transmission and Reception, TS 38.104 v9.0.0 Section 5.2, www.3gpp.org (accessed 02 February 2023).
4 3GPP Technical Specification (2022) NR; Requirements for Support of Radio Resource Management, TS 38.133 v18.0.0 Section 10.1.6, www.3gpp.org (accessed 02 February 2023).
3 Wireless Technologies and Deployments 3.1 Coordinating Cellular Development Cellular communication networks span the globe. It is common nowadays for users to expect to be able to use their mobile devices in whichever country they happen to be visiting and to be able to call anybody in any other country. The fact that this is usually possible is a testament to the enormous efforts that have been made over recent decades to convince different countries, equipment manufacturers and network operators to cooperate with each other and coordinate the joint development of common standards. To ensure that common standards are employed around the world, a number of ‘standards bodies’ have emerged to coordinate system development. Overall responsibility for the development of telecoms standards of all kinds rests with the ITU (International Telecommunications Union), an agency of the United Nations tasked with ensuring that the various national and regional telecoms networks interconnect as a coherent global system [1]. An offshoot of the ITU, the WRC (World Radio Conference) is responsible for coordinating the use and allocation of radio spectrum globally. The WRC divides the world into three regions: Region 1 covers Europe, the Middle East, Africa and Russia; Region 2 covers the Americas; and Region 3 covers Asia Pacific. Countries within each region theoretically apply a consistent set of spectrum allocation rules and conventions, which is one of the main reasons that there are different allocations of spectrum in use for cellular systems in different parts of the world [2]. Many nations and some regions have their own telecoms standards bodies, responsible for coordinating the development and deployment of new telecoms systems. 
Examples of these bodies include ETSI (European Telecoms Standards Institute) in Europe [3], ARIB (Association of Radio Industry Bodies) in Japan [4], ATIS (Alliance for Telecommunications Industry Solutions) in the United States [5], CCSA (China Communications Standards Association) in China [6], TSDSI (Telecommunications Standards Development Society, India) in India [7] and many others. In the past, cellular systems were developed by individual regions or nations and some were developed by individual companies, which led to a lack of common standards and fragmentation in the industry. In the late 1990s, a number of separate standards bodies (as shown in Figure 3.1) grouped together to jointly develop new cellular systems; the first of these was 3GPP (the Third Generation Partnership Project) [8] which was later joined by a sister organisation known as 3GPP2 (Third Generation Partnership Project 2) [9]. 3GPP is the organisation responsible for coordinating the development of the most widely deployed cellular technologies, which include 2G GSM (the Global System for Mobile Communications), 3G UMTS (Universal Mobile Telecommunications System), 4G LTE (Long-Term Evolution) and 5G (New Radio). 3GPP2 coordinated the development of the CDMA2000 and EV-DO standards, but ceased operations in 2013, when those standards were largely replaced by LTE.
3.2 Evolution from 0G to 5G The successive waves of cellular technology can be broadly and loosely classified into a series of ‘generations’, each of which can be further subdivided into the sets of technologies that are employed in different regions.
Forensic Radio Survey Techniques for Cell Site Analysis, Second Edition. Joseph Hoy. © 2024 John Wiley & Sons Ltd. Published 2024 by John Wiley & Sons Ltd.
Figure 3.1 3GPP members: ARIB (Japan), ATIS (North America), CCSA (China), ETSI (Europe), TTA (Korea) and TTC (Japan).
3.2.1 0G – Pre-cellular Networks The very first types of ‘mobile’ radio communications systems were developed to serve police forces and other types of emergency or public safety users. It is often stated that the first mobile, two-way, car-mounted ‘radio telephone’ system was developed by Bell Laboratories (then part of AT&T) in 1924 and that the Detroit police department started to use a one-way broadcast radio system in 1928. Various forms of radiotelephone systems were developed over the following decades, partly driven by the need to provide battlefield communications systems during the Second World War and led to the commercial radiotelephone networks that began to be deployed in the late 1940s and early 1950s. These developments are sometimes grouped and classified as 0G (zero G) networks and were precursors to the cellular generations developed later. Among the most prominent 0G technologies were the MTS (Mobile Telephone Service) operated by Motorola and Bell in the United States from the mid-1940s (which was replaced by the more advanced IMTS system in 1964), the A-Netz system in West Germany and System 1 in the United Kingdom.
3.2.2 1G – First-Generation Networks The cellular concept was developed in 1948, again by Bell Laboratories, but networks based on these principles were not developed until the 1970s, when the technology caught up with the theory. The first cellular phone call is reputed to have been made in 1973 by Martin Cooper of Motorola, who used an experimental handset and a test network in New York to call a rival developer at Bell Laboratories. Commercial cellular networks began to be deployed from the late 1970s and have come to be known as the First Generation (1G) of cellular systems. All of the early 1G systems were based on analogue radio transmission techniques. Different 1G systems were developed and deployed in different countries around the world and few of them were compatible with each other. In most cases, this led to limited economies of scale, high rollout and deployment costs and limited opportunities for roaming by users. The only notable exception to this was the NMT system developed in Finland and Sweden, which supported a form of international roaming that covered those countries plus Denmark, Norway and Iceland. Examples of 1G systems are illustrated in Figure 3.2 and include the TACS (Total Access Communications System) developed in the United Kingdom, the TZ-80x and JTACS (Japanese TACS) developed in Japan, the AMPS (Advanced Mobile Phone System) developed in the United States, the C-NETZ/C-450 system developed in West Germany, the Radiocom2000 system developed in France and the NMT (Nordic Mobile Telephone) system developed to serve the Nordic countries.
Figure 3.2 First-generation mobile networks (regional map of the Americas, Europe, Middle East, Africa, Asia and Pacific showing AMPS, TACS, JTACS, TZ-80x, NMT, Radiocom and C-NETZ deployments).
3.2.3 2G – Second-Generation Networks It became apparent during the 1980s, as these 1G network types began to be deployed, that the quality, capacity and security issues related to analogue transmission coupled with the lack of compatibility and roaming were destined to become limiting factors to the widespread adoption of cellular services. Several organisations began the process of developing Second-Generation (2G) systems, all of which were designed to use digital radio transmission techniques. When compared to their analogue 1G predecessors, digital 2G networks offered: better security, as digitised user traffic could be encrypted before transmission; higher capacity, as digital multiplexing techniques allow multiple users to share each radio channel concurrently; and more consistent call quality, as the process of digitising traffic effectively prevents reasonable levels of radio interference from influencing the content of a received signal. Some of the more popular 2G network types are shown in Figure 3.3 and include: GSM developed in Europe by ETSI; PHS (Personal Handyphone System) and PDC (Personal Digital Cellular) developed in Japan; D-AMPS (Digital AMPS; also known as IS54/IS136 and TDMA) developed in the United States; cdmaOne (also known as IS95) developed in the United States; and iDEN developed in the United States. The first 2G networks started to be deployed in the late 1980s and began to go into use in the early 1990s, with GSM eventually becoming by far the most widely deployed system. The original 2G systems typically offered voice and text messaging services, with some also offering dial-up data and fax services. Later enhancements to these networks, collectively known as 2.5G (GPRS) and 2.75G (EDGE) evolutions, added PS (Packet Switched), Internet-based data connectivity to the set of services provided by 2G systems.
3.2.4 3G – Third-Generation Networks Development of Third-Generation (3G) systems began in the mid-1990s, just as access to the Internet was becoming widespread. 3G systems were therefore designed to offer much faster and more efficient data handling capabilities than had been the case with 2G networks. One of the reasons that GSM came to dominate the 2G world was that it offered a common and non-proprietary standard that could be deployed in many countries and which allowed users from one country to ‘roam’ to other countries that also had GSM networks. The widespread adoption of GSM also led to large economies of scale developing in the manufacture of network equipment and mobile devices, making it a less expensive system to deploy and operate than some of its competitors. These factors led to a degree of consolidation in the industry when the development phase of 3G systems began. As indicated in Figure 3.4, instead of the 10 or more types of 1G system or the five or more types of 2G system, there were really only three main types of 3G system.
Figure 3.3 Second-generation mobile networks (regional map of the Americas, Europe, Middle East, Africa, Asia and Pacific: GSM and cdmaOne IS-95 shown in every region, iDEN in several, IS-136 D-AMPS/TDMA in the Americas, and PDC and PHS in the Asia Pacific region).
Figure 3.4 Third- and fourth-generation mobile networks (3G panel: CDMA2000 and UMTS/HSPA shown in every region, TD-SCDMA in China only; 4G panel: LTE and WIMAX shown in every region).
These were: UMTS, an evolution of GSM jointly developed in Europe and Japan; CDMA2000, an evolved version of cdmaOne/IS95 developed in the United States; and TD-SCDMA (Time Division–Synchronous Code Division Multiple Access), a variant of UMTS developed in China to meet the requirements of Chinese operators. 3G systems began to be deployed from around 2002 and, later, 3.5G (HSPA) enhancements progressively increased the capacity and maximum data rates that were achievable.
3.2.5 4G – Fourth-Generation Networks Further consolidation took place in the eventual development of Fourth-Generation (4G) systems, with only two network types being generally deployed: LTE, which was a further evolution of the GSM/UMTS family; and WIMAX, which developed out of a desire to create a ‘wide area’ version of WIFI. WIMAX-based networks had been available since the mid-2000s, but the development of ‘Mobile WIMAX’ saw the technology eventually adopted as an official 4G standard. LTE networks began to be deployed 5 years or more after WIMAX started to become popular. Although Mobile WIMAX was a popular and widely deployed technology, many of the operators initially adopting that technology subsequently swapped to using LTE, which became by far the dominant 4G technology. Enhancements to LTE, known as LTE-Advanced and LTE-A Pro, were made available that offered large increases in potential user data rates, as illustrated in Figure 3.5.
3.2.6 5G – Fifth-Generation Networks and Beyond The ultimate level of consolidation took place in the development of 5G networks, with only one technology, NR or New Radio, being put forward. 5G NR was, like 3G UMTS and 4G LTE, developed under the auspices of 3GPP and was adopted as the single global 5G technology. The radio techniques used in NR are an evolution of those employed by 4G LTE and there is a large degree of commonality between them; the 5G core network broadly follows the architectural design of 4G, although the names of network nodes have changed and there has been a redistribution of functions between them, but the core network signalling environment, which carries administrative messaging between network nodes is significantly different to 4G. To ease the development schedule and also to provide a more gradual upgrade path from 4G, 5G networks were designed to be rolled out in two phases: the first phase, known as NSA (Non-standalone mode), saw 5G base stations deployed as adjuncts to existing 4G sites, with services controlled by the 4G cell and connections that were routed through the 4G core network; a second phase, known as SA (Standalone) mode, permits 5G base stations to operate independently of 4G and introduces the upgraded 5G core network for connection handling and mobility management. 5G NSA networks began to be deployed from around 2019, with the first 5G SA deployments or upgrades beginning to emerge from 2022.
Figure 3.5 Cellular download speed increases over time (download speed in Mbit/s plotted against year, 1970 to 2030, with generations marked: 0G, 1G, 2G, 2.5G GPRS, 2.75G EDGE, 3G, 3.5G HSPA, 3.75G HSPA+, 4G LTE, 4.5G LTE-A, 4.75G LTE-A Pro, 5G, 5.5G/5G Advanced and 6G?; the upper axis labels reach 1 Gb/s, 10 Gb/s and 100 Gb/s).
Early work on 6G was underway at the time of writing (Spring 2023), but no definite decisions on radio or core network technologies had been made by that point. The general expectation was that 6G networks would continue the rapid increase in both network capacity (the number of devices that could be served per cell) and data rates, with throughput of 100 Gbit/s or more being a target.
3.3 3GPP Network Types The 3GPP was formed to coordinate the development of 3G UMTS, but also inherited responsibility for 2G GSM and led the development of standards that came after 3G. The timeline of 3GPP technology development is shown in Figure 3.6. The 2G GSM networks began to be launched in the early 1990s. They offered voice, SMS text, fax and dial-up data services. GPRS (General Packet Radio Service) enhancements were added in the late 1990s, which added the ability to carry ‘packet data’ services like IP (Internet Protocol) that allowed Internet and e-mail traffic to be carried more efficiently. A further upgrade, known as EDGE (Enhanced Data rates for Global Evolution), was also added in the late 1990s and improved the data rate available for GPRS data services. GPRS and EDGE are regarded as 2.5G and 2.75G technologies, respectively. 3G UMTS was developed by 3GPP and was an evolution of 2G GSM/GPRS/EDGE services. The original version of UMTS (known as Release 99) supported voice and text services and also offered, by the standards of the time, quite fast packet data services (128–300 kbps). A 3.5G enhancement developed in the mid-2000s was known as HSPA (High-Speed Packet Access) that greatly increased the data rates available for packet data (e.g. Internet connection) services. A further evolution known as HSPA + was developed that offered very fast, for the time, data services (40 Mbit/s or more). 3GPP was also responsible for coordinating the development of 4G LTE, which was a further evolution of GSM and UMTS technologies. LTE offered very fast packet data services (70–100 Mbps) but did not originally offer a voice service, meaning that mobile phones had to use a technique known as Circuit Switched Fallback, which forced them to ‘fall back’ to a 2G or 3G cell to make a call. A ‘native’ voice service for 4G networks, known as VoLTE (Voice over LTE), began to be rolled out by some operators in late 2013.
Figure 3.6 3GPP networks (timeline from 1990 to 2030: ETSI-developed 2G GSM, 2.5G GPRS and 2.75G EDGE, followed by 3GPP-developed 3G UMTS, 3.5G HSPA, 4G LTE, LTE-A, LTE-A Pro, 5G NR NSA and NR SA).
An enhancement of LTE, known as LTE-Advanced (or LTE-A), was developed later in the 2010s, which provided much higher maximum user data rates (150+ Mbit/s) and greater network capacity. LTE-A Pro offered further advances. Most recently, 3GPP was responsible for coordinating the development of 5G NR networks. 5G radio technologies were an extension and evolution of those used in 4G LTE, whilst the core network design was fundamentally different. 5G NR networks began to be deployed from around 2019.
3.4 3GPP2 Network Types The development of cellular networks in the United States was mainly undertaken by individual companies, for example, cdmaOne was developed by Qualcomm, and iDEN was developed by Motorola. These activities were coordinated to some degree by the United States telecoms standards body, ANSI (American National Standards Institute), which was responsible for defining what were termed IS (Interim Standards), such as the IS54/IS136 standards that referred to the 2G D-AMPS/TDMA system and the IS95, IS95A and IS95B standards that applied to cdmaOne. Following the successful collaboration between national and regional standards bodies to create ETSI and then 3GPP, which saw them collectively coordinate the development of the GSM family of technologies, it was decided to pass the responsibility for the development of the 3G IS2000/CDMA2000 standard, the successor to the IS95/cdmaOne system, to a new body known as 3GPP2. The 3G CDMA2000 standard was widely deployed in the United States and in many other countries around the world in the 2000s. It underwent a number of evolutions and revisions, including 1x RTT (Radio Transmission Technology), which was the first iteration of the standard and various revisions of EV-DO (Evolution–Data Optimised), which offered a data- only mobile broadband service. 3GPP2 undertook initial development work on a 4G successor to CDMA2000 known as UWB (Ultra-Wide Band), but development efforts were abandoned in favour of using LTE as the preferred 4G technology and 3GPP2 ceased active development operations in 2013.
3.5 Other Types of Network Other types of cellular network have been deployed and are (or have been) in use around the world. Although the vast majority of currently deployed commercial networks use the 3GPP technologies described above, there is a possibility that a forensic radio surveyor may be asked to survey or comment on one of these other network types.
3.5.1 TD-SCDMA TD-SCDMA (Time Division–Synchronous Code Division Multiple Access) was a 3G network type developed in China for use within its own domestic communications market. The impetus for developing this network type was for China to be able to adopt its own standard allowing it to be less reliant on technologies developed and controlled by other regions. TD-SCDMA refers to the radio technology used within the system and the wider network was essentially the same as a UMTS network. TD-SCDMA therefore offered services that were broadly similar to UMTS and CDMA2000 using broadly similar technologies and techniques, but it was adapted to meet the density requirements of Chinese urban environments. TD-SCDMA deployments began to be phased out in 2014 in favour of 4G LTE.
3.5.2 iDEN iDEN (Integrated Digital Enhanced Network) was a 2G network type originally developed by Motorola that was deployed in all world regions but most notably by Nextel/Sprint in the United States. iDEN was designed to offer services that are a cross between the ‘one to one’ communications of standard telephony and the group communications techniques usually found in ‘all informed’ messaging systems such as those used by public safety organisations. iDEN handsets therefore offered both ‘dial up’ and ‘press to talk’ services to users. The iDEN networks in the United States were decommissioned in 2013.
3.5.3 WIFI WIFI (Wireless Fidelity) is an umbrella term used to describe the family of WLAN (Wireless Local Area Network) technologies that have been developed since the mid-1990s. The development of these technologies is coordinated by the IEEE (Institute of Electrical and Electronics Engineers), which publishes WLAN specifications in a family of standards known as 802.11 [10]. More recently, WIFI standards have been given simpler names, such as WIFI6 (or 802.11ax). Most types of forensic radio survey devices are capable of capturing WIFI/802.11 measurements and, thanks to the growing popularity of WIFI hotspots, the demand for this type of survey is also increasing.
3.5.4 Wireless Broadband There are several broadband providers who employ radio to connect over the ‘last mile’ to their subscribers in a service known generically as FWA (Fixed Wireless Access) or BWA (Broadband Wireless Access). Traditional FWA/BWA providers used dedicated ‘point to point’ microwave transmission techniques, but most networks have converted to using cellular technologies and all of them are competitors to ‘wired’ broadband alternatives such as DSL (Digital Subscriber Line), which is carried over telephone lines, DOCSIS (Data Over Cable Service Interface Specification), which is carried via cable TV connections and fibre broadband. There have been multiple FWA/BWA standards developed over the years, including LMDS (Local Multipoint Distribution Service) and MMDS (Multichannel Multipoint Distribution Service). Providers have also made use of UMTS, WIMAX, LTE and 5G NR as bearers for fixed wireless broadband services.
3.5.5 WIMAX WIMAX (Worldwide Interoperability for Microwave Access) was originally designed as an evolved FWA technology but gradually developed to support mobile services too. WIMAX, like WIFI, was developed under the coordination of the IEEE (although much of the development was actually undertaken by Intel and by the industry sponsored WIMAX Forum) and was given the IEEE standards designation 802.16. Mobile WIMAX (also known as 802.16e) offered high-speed mobile broadband data services that were deployed in many countries around the world [11], although many of these have now been replaced by LTE or NR services. The original version of Mobile WIMAX was adopted as a 3G standard and a more recent evolved version (802.16m) was adopted as a 4G standard.
3.5.6 Wireless Local Loop WLL (Wireless Local Loop) services are a voice-only companion to FWA and aim to provide standard voice telephony services to fixed users via radio as an alternative to standard ‘wired’ landline services. A number of WLL technologies were developed during the 1980s and 1990s, but many of the systems that were eventually deployed use adapted versions of standard mobile cellular technologies, particularly the GSM and cdmaOne/CDMA2000 1x RTT standards, although the cordless telephony DECT (Digitally Enhanced Cordless Telephony) standard has also been used. WLL has proved popular in the developing world, where basic voice services can be rolled out to new users quickly and without the necessity to dig up streets or install networks of telephone poles to distribute wired connections. The popularity of WLL has been diminished by the growing availability of cellular services and many remaining WLL deployments have migrated to 4G and 5G standards in recent years.
3.5.7 Railway Communications – GSM-R and FRMCS Based, as the name suggests, on standard 2G GSM technologies, GSM-R (GSM for Railways) networks were designed to offer radio communications services tailored for the needs of railway networks. It allowed, for example, railway control rooms to connect to train drivers and maintenance crews. Although GSM-R networks use an adapted version of 2G GSM, the technology and the frequency bands it uses (such as the 876–880 MHz uplink and 921–925 MHz downlink resources assigned in the United Kingdom) are not accessible by ‘normal’ phone-based forensic radio survey devices, even though these frequencies fit around those used by GSM900 [12], making it difficult to survey this network type without specialist equipment or radio scanners. GSM-R, as an adapted version of GSM, relies on technologies originally developed in the mid-1980s and the first GSM-R networks went into use in 1999; although GSM-R continues to offer adequate voice services, it cannot readily deal with the growing demands to also carry data and video traffic. An evolution of GSM-R, known as FRMCS (Future Railway Mobile Communication System), has been specified by the UIC (International Union of Railways), which coordinates international rail standards development. FRMCS is based on 4G/5G technologies and is expected to begin to be deployed in 2026, with GSM-R being phased out by 2030 [13].
3.5.8 TETRA TETRA (Terrestrial Trunked Access) is a 2G cellular technology designed for use by ‘blue light’ emergency services and other public safety services. TETRA uses a heavily adapted version of GSM that offers ‘group communication’ functions in addition to standard ‘one to one’ connections [14]. Although TETRA employs the same basic cellular techniques as GSM, TETRA cells use frequency ranges that are generally not accessible to standard forensic radio survey devices but may be surveyable using scanner-based devices. The frequency bands typically assigned to TETRA networks are in a range between 380 and 395 MHz, with other allocations commonly made in the 450-MHz band. The relatively low frequencies assigned to TETRA deployments are designed to ensure that each base station can serve a comparatively large area (30 km or more in radius) allowing public safety networks to be deployed as cost-effectively as possible. There have also been a number of commercial TETRA providers in some countries (such as the United Kingdom and Qatar), who offer the ‘group calling’ capabilities of TETRA to private sector users, such as taxi companies and airports. TETRA is in the process of being replaced in some territories by 4G-based emergency communication or ‘mission critical’ systems.
3.5.9 4G/5G Mission Critical Communications The core services offered by TETRA – robust and reliable, ‘press-to-talk’ group voice communications – have been replicated in a series of updates to 4G LTE and 5G NR networks under the banner of ‘mission critical’ (or MC) services. Mission critical networks based on LTE and NR, such as the UK’s Emergency Services Network (ESN), offer a mix of traditional ‘press-to-talk’ group calls plus high-speed data and video transmission. Emergency services networks based on MC-LTE/NR are expected to replace legacy TETRA networks by 2030 [15].
3.5.10 Mobile Satellite and Non-terrestrial Networks Satellites have been used for telecommunications since the 1960s – initially, these were geostationary satellites (in geosynchronous orbit at 36 000 km above the equator) that acted as fixed relays between telecommunications networks. By the 1990s, the technology had developed to the point where a network (or ‘constellation’) of satellites in much lower orbits could offer connectivity to mobile devices. Satellite phone networks, as they became known, such as Iridium and Globalstar required specialised handsets with comparatively large, directional antennas to support a connection to an orbiting satellite. More recently, further advances have allowed connectivity to be established between standard mobile phones and low Earth orbit satellites, which has seen the provision of ‘emergency SOS via satellite’ services for both iPhone and Android devices since 2022. These services allow a mobile device to send text messages to emergency services if they have no service from a terrestrial cellular network. 3GPP has included specifications for ‘non-terrestrial network’ (NTN) capabilities in their designs from 3G UMTS onwards – for example, the traditional 3G UMTS access network was known as the UTRAN (UMTS terrestrial radio access network), but there were also specifications for an USRAN (UMTS satellite radio access network) [16]. More recent 3GPP iterations have also included support for satellite-borne radio base stations and there have been experiments as recently as the early part of 2023 to test the viability of ‘space to ground’ or D2D (Direct to Device) 5G NR services from orbiting satellites. There are also multiple schemes to allow cellular devices to connect to proprietary satellite systems such as those operated by OneWeb and Starlink [17].
3.6 Deployed Technologies by Region
The ITU coordinates spectrum use and spectrum policy through the WRC conferences, which are held every 3–4 years and bring together policy makers, regulators, technology vendors and spectrum users in an attempt to ensure harmonised use of the global spectrum. The WRC divides the planet into three administrative regions, each of which has its own spectrum use policies. Region 1 covers Europe, the Middle East, Africa and Russia; Region 2 covers the Americas and Greenland; and Region 3 covers Asia Pacific. Table 3.1 provides a basic overview of the extent to which the wireless technologies that have so far been discussed in this section are or have been deployed across the world. The descriptions ‘high’, ‘medium’ and ‘low’ are intended to provide an indication as to how densely deployed or how popular each technology was when it was at the height of its popularity; many of the network types mentioned in the table have since been decommissioned (these are indicated using italics in the printed table). 3GPP network types (GSM, UMTS, LTE and 5G NR) are typically quoted as having the vast majority of cellular user share globally, with a diminishing set of other, legacy technologies making up most of the remaining numbers. WIFI, a non-cellular technology, is the most widely deployed wireless standard of all.

Table 3.1 Regional deployment of popular wireless technologies.

Technology                Region 1    Region 2    Region 3
2G GSM                    High        High        High
3G UMTS/HSPA/HSPA+        High        High        High
4G LTE                    High        High        High
5G NR                     High        High        High
2G cdmaOne/IS95           Low         High        Low
3G CDMA2000/IS2000        Low         High        Low
3G TD-SCDMA               None        None        China only
2G iDEN                   Low         Low         Low
WIMAX                     Low         Low         Low
WIFI                      High        High        High
GSM-R                     Low         None        Low
TETRA                     Medium      Low         Low
WLL                       Low         Low         Low
FWA/BWA                   Low         Low         Low

Source: GSM Association [18], CDMA Development Group [19] and 5G Americas [20].

3.7 Commonly Used Frequency Bands by Region
Each of the three WRC regions has its own subsets of radio bands dedicated to carrying cellular services, and there are also some bands that are available in most parts of the world. Table 3.2 provides an overview of the usage patterns of the most commonly deployed cellular frequency bands around the world.

Table 3.2 Commonly used cellular frequency bands by region (Spring 2023).
Columns: AF = Africa; EE = Eastern Europe and CIS; WE = Western Europe; ME = Middle East; NA = North America and Caribbean; SA = South and Central America; AP = Asia Pacific.

Band (MHz)            AF   EE   WE   ME   NA   SA   AP
450                   ✓    ✓    ✓    ✓    —    ✓    ✓
600                   ✓    —    —    ✓    ✓    ✓    ✓
700                   ✓    ✓    ✓    ✓    ✓    ✓    ✓
800                   ✓    ✓    ✓    ✓    ✓    ✓    ✓
900                   ✓    ✓    ✓    ✓    —    ✓    ✓
1500                  —    ✓    ✓    ✓    —    —    ✓
1600                  —    —    —    —    ✓    ✓    ✓
1700                  —    —    —    —    ✓    ✓    ✓
1800                  ✓    ✓    ✓    ✓    ✓    ✓    ✓
1900                  —    —    —    —    ✓    ✓    ✓
2000                  —    —    ✓    —    ✓    ✓    ✓
2100                  ✓    ✓    ✓    ✓    ✓    ✓    ✓
2300                  ✓    ✓    ✓    ✓    ✓    ✓    ✓
2500                  —    ✓    —    —    ✓    —    ✓
2600                  ✓    ✓    ✓    ✓    ✓    ✓    ✓
3300–4200 (C-band)    ✓    ✓    ✓    ✓    ✓    ✓    ✓
3500                  ✓    ✓    ✓    ✓    ✓    ✓    ✓
3700                  ✓    ✓    ✓    ✓    —    ✓    ✓
4900                  —    ✓    —    —    —    —    ✓
24 250–27 500         —    ✓    ✓    ✓    ✓    ✓    ✓
26 500–29 500         —    ✓    ✓    ✓    ✓    ✓    ✓
39 500–43 500         —    —    ✓    —    ✓    ✓    ✓

Source: GSM Association [18], CDMA Development Group [19], 5G Americas [20] and www.spectrummonitoring.com [21].
References
1 International Telecommunication Union (2023) Home Page, https://www.itu.int/en/Pages/default.aspx (accessed 12 February 2023).
2 International Telecommunication Union (2023) World Radiocommunication Conferences, https://www.itu.int/en/ITU-R/Conferences/WRC/Pages/default.aspx (accessed 12 February 2023).
3 European Telecommunications Standards Institute (2023) Home Page, http://www.etsi.org (accessed 12 February 2023).
4 Association of Radio Industries and Businesses (2023) Home Page, http://www.arib.or.jp/english/ (accessed 12 February 2023).
5 Alliance for Telecommunications Industry Solutions (2023) Home Page, http://www.atis.org (accessed 12 February 2023).
6 China Communications Standards Association (2023) Home Page, http://www.ccsa.org.cn/english/ (accessed 12 February 2023).
7 Telecommunications Standards Development Society, India (2023) Home Page, http://tsdsi.org (accessed 12 February 2023).
8 Third Generation Partnership Project (2023) Home Page, http://www.3gpp.org (accessed 12 February 2023).
9 Third Generation Partnership Project 2 (2013) Home Page (dormant since 2013), http://www.3gpp2.org (unavailable when access was attempted on 12 February 2023).
10 Institute of Electrical and Electronics Engineers (2023) IEEE Get 802 Program, https://ieeexplore.ieee.org/browse/standards/get-program/page/series?id=68 (accessed 12 February 2023).
11 Institute of Electrical and Electronics Engineers (2023) IEEE 802.16: Broadband Wireless Metropolitan Area Networks (MANs), https://ieeexplore.ieee.org/document/8303870 (accessed 12 February 2023).
12 UIC – International Union of Railways (2023) GSM-R Specifications, https://uic.org/rail-system/gsm-r/ (accessed 12 February 2023).
13 UIC – International Union of Railways (2023) FRMCS Overview, https://uic.org/rail-system/frmcs/ (accessed 14 April 2023).
14 European Telecommunications Standards Institute (2023) TETRA, http://www.etsi.org/technologies-clusters/technologies/tetra (accessed 12 February 2023).
15 3GPP (2023) 3GPP Mission Critical Specifications, https://www.3gpp.org/news-events/3gpp-news/mc-services (accessed 14 April 2023).
16 3GPP (1999) Technical Specification TS 23.930: UMTS; Iu Principles (1999-06), www.3gpp.org (accessed 14 April 2023).
17 Business Weekly (2023) TTP Aims for 5G Low-Earth Orbit Satellite Breakthrough, https://www.businessweekly.co.uk/news/hi-tech/ttp-aims-5g-low-earth-orbit-satellite-breakthrough (accessed 14 April 2023).
18 GSM Association: GSMA Intelligence (2023) Home Page, https://gsmaintelligence.com (accessed 12 February 2023).
19 CDMA Development Group (2023) Worldwide Deployments (dormant), http://cdg.org/worldwide/index.asp (accessed 12 February 2023).
20 5G Americas (2023) 5G & LTE Deployment Status, https://www.5gamericas.org/resources/deployments/ (accessed 12 February 2023).
21 www.spectrummonitoring.com (2023) Frequency Use by Market (subscription required), https://spectrummonitoring.com (accessed 17 April 2023).
4 Cellular Theory
4.1 Pre-cellular Radiotelephone Networks The original radiotelephone networks, which went into service from the 1920s onwards, employed a single radio transmitter to provide service over a wide geographical area. The main limiting factor of these networks was the lack of capacity that resulted from the large radio transmission areas used. If a network operator employed just one very powerful transmitter to provide coverage for a city or a region, they would only ever be able to serve a tiny fraction of the potential user base in that area. This is illustrated in Figure 4.1. Cellular mobile communications networks were developed to address this capacity problem. As shown in Figure 4.2, cellular network architecture does not provide just one transmitter for each region, but instead uses hundreds or even thousands of much smaller and less powerful radio transmitters to cover a region that would previously have been served by a single, large transmitter. These smaller transmitters are known as base stations, and the small geographical areas covered by their radio signals are known as radio cells. In the same area previously covered by just one large transmitter, a cellular operator might site hundreds of base stations, each supporting several radio channels, which would increase the number of radio connections available to users by several orders of magnitude. The size of the cells used in a network can vary depending upon factors such as geography and demand. Base stations serving rural locations with low demand for user services might be configured with a small number of cells that cover a large area and collectively offer low capacity. Base stations covering high-demand areas such as city centres, business areas and airports might be configured to use a large number of very small cells, which each cover a limited area but collectively offer high capacity.
4.2 Radio Cells The radio service in each cell in a network is supplied by a base station which, depending upon the type of network, can also be known as a BTS (Base Transceiver Station), Node B, eNode B (Evolved Node B or eNB) or gNode B (5G Node B or gNB). Each base station will be allocated one or more radio channels to use for customer connections in its cells. The base stations in a network are all connected to a ‘core network’ and, in earlier network types, may be connected to a local ‘access network’ controller, which is employed to handle users’ calls and control the main functions of the access network. Many cellular network designs use a Frequency Division Duplex (FDD) air interface service, in which each cell supplies separate uplink (transmit path from mobile to base station) and downlink (receive path from base station to mobile) radio channels to serve users, although a significant number of network types can instead use Time Division Duplex (TDD), where uplink and downlink signals share a single radio channel. To simplify network radio planning, FDD uplink and downlink channels are usually implemented as a ‘matched pair’ of radio channels, so whichever uplink channel a phone is allocated in a cell, it will always use the specific corresponding downlink channel. The basic concepts of cellular network operation are summarised in Figure 4.3.
Forensic Radio Survey Techniques for Cell Site Analysis, Second Edition. Joseph Hoy. © 2024 John Wiley & Sons Ltd. Published 2024 by John Wiley & Sons Ltd.
Figure 4.1 Single transmitter coverage (one transmitter serving an area of 50 km or more).
Figure 4.2 Cellular network coverage (base stations and radio cells across urban and rural areas).
Figure 4.3 Cellular network operation (serving base station, neighbour base stations, uplink and downlink channels).
User mobility presents a number of problems to a telecoms network. The network needs to be able to track a user’s location as they move around to ensure that incoming calls can be quickly routed to their phones. Mobile networks therefore employ special databases to store and process user location information. A ‘location update’ is sent to these databases when a mobile phone moves into a different area of the network, even when there is no call in progress. Mobility also causes a problem for the user’s phone and the network’s base stations when a call is in progress. When a cellular customer makes or receives a call on their phone, the network will allocate them a radio cell to use for their connection. If the user is mobile, they may eventually move out of range of the cell they are currently using. To ensure that the call can continue, the phone needs a radio channel to be allocated to it in the cell they are moving into. This process is known as ‘handover’ (or ‘handoff’) and is controlled by the network. Whilst a call is in progress, a mobile phone will be taking a series of ‘received signal strength’ measurements of the channel currently being used and also of channels in neighbouring cells. Each phone reports these measurements to the network at regular intervals. When the network decides that one of the neighbour channels reported by a phone could provide a better-quality connection, the phone is sent a handover instruction informing it of the details of the new channel. The process of call handover should be transparent to the user (unless something goes wrong) and take place automatically.
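The measurement-report-driven handover just described, as an added example that is not part of the book: a small network-side decision routine run over a constructed sequence of measurement reports. The cell identities, the signal levels and the 3 dB handover margin are all assumptions made for this illustration (the book specifies no margin; real networks use vendor-specific algorithms). The margin is there because without one a phone sitting between two cells of near-equal strength would be handed back and forth on every report.

```python
"""Network-side handover decision driven by a phone's measurement reports.

Added example, not taken from the book. The cell identities, the signal
levels in each report and the 3 dB handover margin are constructed or
assumed for illustration; real networks use vendor-specific algorithms.
"""

HANDOVER_MARGIN_DB = 3.0  # assumed margin by which a neighbour must beat the serving cell

# Constructed sequence of measurement reports: each maps a cell id to the
# received signal strength (dBm) the phone measured on that cell's channel.
SAMPLE_REPORTS = [
    {"1001": -70, "1002": -85, "1003": -95},
    {"1001": -80, "1002": -79, "1003": -90},   # 1002 only 1 dB better: no handover
    {"1001": -88, "1002": -78, "1003": -86},   # 1002 now 10 dB better: handover
    {"1001": -95, "1002": -75, "1003": -84},
    {"1001": -100, "1002": -90, "1003": -80},  # 1003 10 dB better: handover
]


def decide_handovers(initial_serving, reports, margin_db=HANDOVER_MARGIN_DB):
    """Walk the reports in order and return (handovers, final_serving_cell).

    Each handover is a tuple (report_index, from_cell, to_cell). A handover is
    ordered when the strongest neighbour beats the serving cell by at least
    margin_db. A report that carries no measurement of the serving cell is
    treated as a fault, since the network cannot compare against it.
    """
    serving = initial_serving
    handovers = []
    for index, report in enumerate(reports):
        if serving not in report:
            raise ValueError(f"report {index} has no measurement for serving cell {serving}")
        neighbours = {cell: level for cell, level in report.items() if cell != serving}
        if not neighbours:
            continue
        best_cell = max(neighbours, key=neighbours.get)
        if neighbours[best_cell] >= report[serving] + margin_db:
            handovers.append((index, serving, best_cell))
            serving = best_cell
    return handovers, serving


def cell_timeline(initial_serving, reports, margin_db=HANDOVER_MARGIN_DB):
    """Serving cell after each report, i.e. the cell sequence a call would use."""
    handovers, _ = decide_handovers(initial_serving, reports, margin_db)
    changes = {index: to_cell for index, _, to_cell in handovers}
    serving = initial_serving
    timeline = []
    for index in range(len(reports)):
        serving = changes.get(index, serving)
        timeline.append(serving)
    return timeline


if __name__ == "__main__":
    hos, final = decide_handovers("1001", SAMPLE_REPORTS)
    for index, src, dst in hos:
        print(f"report {index}: handover {src} -> {dst}")
    print("final serving cell:", final)
    print("cell timeline:", cell_timeline("1001", SAMPLE_REPORTS))
```

Running it with the default margin gives two handovers (at reports 2 and 4); with `margin_db=0` the first handover moves forward to report 1, where cell 1002 is only 1 dB stronger. The timeline is the sequence of serving cells a single call passes through, which is why a call can end on a cell other than the one it started on.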
In addition to the ‘traffic channels’ that carry user calls, a variety of ‘control channels’ are defined in each cell which are used to carry administrative information such as handover instructions, measurement reports and call setup information between the phone and the network.
4.3 Frequency Reuse The major potential disadvantage of a cellular system, in which large numbers of cells are deployed in close proximity to each other, is that of interference. If two neighbouring base stations use the same radio channel, the users in those cells would experience interference. This would be classed as ‘co-channel’ interference. An example of this could be that Cell A and Cell B are neighbours, both use Channel 1 and both experience co-channel interference from each other. It is also possible to experience ‘adjacent channel’ interference, which is caused by the use of neighbouring channels (in spectrum terms) in close proximity. An example of this could be that Cell A and Cell B are neighbours, Cell A uses Channel 1 and Cell B uses Channel 2 and both experience ‘adjacent channel’ interference from each other. These scenarios for co- and adjacent channel interference are summarised in Figure 4.4. They are issues for all generations of mobile technology but are especially problematic for some 2G (second generation) network types such as GSM (the Global System for Mobile Communications). Other 2G network types such as cdmaOne and most 3G (third generation), 4G (fourth generation) and 5G (fifth generation) systems have been provided with the means to operate effectively in the presence of such interference, but some types of system are unable to function properly if there is too high a level of interference. To minimise this problem for susceptible network types, sophisticated network frequency planning tools are employed to ensure that neighbouring cells are not allocated the same (or adjacent) radio channels. However, as the radio signals from low-power base stations only travel a limited distance, the channels used in one cell can be used again in cells that are further away in the network.
The ‘frequency reuse’ provided by this concept allows cellular systems to operate effectively and efficiently even in circumstances in which network operators have only been allocated a limited amount of radio spectrum. Generally, there are a limited number of frequencies available to each network operator and they must be distributed between all cells to ensure that balanced coverage is achieved throughout the network. If the channels in a cellular system are not properly distributed, the result can be a high level of interference caused by overlapping deployments of the same frequencies. To avoid this, many network types, including 2G GSM networks, include specifications that define frequency reuse patterns, an example of which is presented in Figure 4.5.
Figure 4.4 Co-channel and adjacent channel interference (co-channel: Cell A and Cell B both on Channel 1; adjacent channel: Cell A on Channel 1, Cell B on Channel 2).
Figure 4.5 Example of a frequency reuse pattern (channel numbers 1–12 reused within a cluster).
Cells in this type of access network are gathered into ‘clusters’ and the same frequency will not be repeated within a cluster. Network planners will attempt to use and reuse the cluster plan in a ‘cookie cutter’ fashion across an area of the access network, safe in the knowledge that a sufficiently large cluster should ensure that a minimum frequency reuse distance is always maintained between repetitions of the same channel. 3G, 4G and 5G networks use radio techniques that more successfully mitigate the effects of co- and adjacent channel interference and are capable of operating as ‘single frequency networks’, where the same channels can be in use in all neighbouring cells in the network. These network types employ other methods to differentiate between the signals relating to individual mobile devices or cells, and those methods often use techniques that are analogous to frequency reuse planning.
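A planner's check for the two interference cases in Figure 4.4 and for the reuse distance behind the cluster plan, as an added example rather than anything from the book. The cell plan, the neighbour distance and the 12-channel cluster are constructed; the reuse distance D = R * sqrt(3N) (N cells per cluster, R cell radius) is the standard hexagonal-cell geometry result and is an assumption here, not something the book derives.

```python
"""Co-channel and adjacent-channel checks on a cell plan.

Added example, not from the book. The cell positions, channel numbers and
neighbour distance are constructed; the reuse-distance relation
D = R * sqrt(3N) is the standard hexagonal-cell result and is an assumption
about the cell geometry, not something the book states.
"""
from itertools import combinations
from math import dist, sqrt

# Constructed plan: cell id -> (x km, y km, channel number). Channels 1-12
# are assumed to come from a 12-cell cluster; the cell radius R is 1 km.
SAMPLE_PLAN = {
    "A": (0.0, 0.0, 1),
    "B": (2.0, 0.0, 2),   # neighbour of A on the adjacent channel
    "C": (4.0, 0.0, 1),   # reuses channel 1 only 4 km from A
    "D": (1.0, 1.7, 1),   # reuses channel 1 right next to A: co-channel
    "E": (3.0, 1.7, 7),
    "F": (8.0, 0.0, 1),   # reuses channel 1 far enough from A
}


def neighbours(plan, neighbour_km):
    """Pairs of cells whose sites lie within neighbour_km of each other."""
    return [(a, b) for a, b in combinations(sorted(plan), 2)
            if dist(plan[a][:2], plan[b][:2]) <= neighbour_km]


def interference_conflicts(plan, neighbour_km=2.5):
    """(kind, cell_a, cell_b) for every neighbour pair that shares a channel
    ('co-channel') or uses channels one apart ('adjacent-channel')."""
    conflicts = []
    for a, b in neighbours(plan, neighbour_km):
        ch_a, ch_b = plan[a][2], plan[b][2]
        if ch_a == ch_b:
            conflicts.append(("co-channel", a, b))
        elif abs(ch_a - ch_b) == 1:
            conflicts.append(("adjacent-channel", a, b))
    return conflicts


def min_reuse_distance_km(cell_radius_km, cluster_size):
    """Minimum distance between two cells on the same channel, assuming
    hexagonal cells: D = R * sqrt(3N)."""
    return cell_radius_km * sqrt(3 * cluster_size)


def reuse_violations(plan, cell_radius_km, cluster_size):
    """(channel, cell_a, cell_b, distance_km) for every reuse of a channel
    closer than the minimum reuse distance."""
    d_min = min_reuse_distance_km(cell_radius_km, cluster_size)
    by_channel = {}
    for cell, (_, _, channel) in plan.items():
        by_channel.setdefault(channel, []).append(cell)
    violations = []
    for channel, cells in sorted(by_channel.items()):
        for a, b in combinations(sorted(cells), 2):
            d = dist(plan[a][:2], plan[b][:2])
            if d < d_min:
                violations.append((channel, a, b, round(d, 2)))
    return violations


if __name__ == "__main__":
    for kind, a, b in interference_conflicts(SAMPLE_PLAN):
        print(f"{kind}: {a} and {b}")
    print("minimum reuse distance for R=1 km, N=12:", min_reuse_distance_km(1.0, 12), "km")
    for channel, a, b, d in reuse_violations(SAMPLE_PLAN, 1.0, 12):
        print(f"channel {channel} reused by {a} and {b} only {d} km apart")
```

On the sample plan the neighbour check reports one co-channel pair (A and D) and three adjacent-channel pairs, and the reuse check shows that channel 1 is reused four times inside the 6 km reuse distance a 12-cell cluster of 1 km cells requires; only the A to F and D to F repetitions are far enough apart.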
4.4 Cell Size and Coverage A low-frequency radio signal can typically be received from further away than a signal with a higher frequency transmitted at the same power level. Therefore, a cell using a comparatively low frequency of 900 MHz can provide coverage to a larger area than a cell using a higher frequency of 1800 MHz, which means that the lower 900 MHz band is ideal for creating large cells to serve rural areas. Conversely, a cell using a radio frequency of 1800 MHz would be more suited to providing small cells in a densely populated city, as smaller cells enable operators to reuse frequencies much more often. Figure 4.6 illustrates the difference in general cell coverage areas for a range of common cellular frequencies. This is an illustration only and is not intended to provide an exact guide to the differences in actual coverage areas for the different frequency bands indicated. Lower frequency radio signals can form large ‘macro’ cells; however, such cells potentially provide coverage across a large area and their capacity may have to be shared by large numbers of users. That means each cell might allow only a small proportion of served users to make simultaneous calls. A network (or a region of a network) based on large cells may therefore offer a relatively low user capacity but could be deployed and maintained comparatively cheaply. Higher frequency radio signals are usable over shorter distances and are therefore commonly used to produce smaller ‘micro’ cells. A small cell might have the same capacity as a large cell, in terms of the number of simultaneous calls that can be carried, but this capacity will be focused in a much smaller area.
To provide contiguous coverage across a region using smaller cells, the network will be required to deploy a large number of cell sites, meaning that, overall, a network (or region of a network) that is based on small cells may offer very high user capacity but conversely would cost a lot of money to deploy and maintain. There are generally more radio channels available in the higher frequency bands (especially for 5G, where the bands above 6 GHz have many times more channels available than the sub-6 GHz bands do) so networks based in higher frequency bands often have greater amounts of radio capacity available, allowing them to deploy more channels to each cell site and cover densely populated areas more effectively.
Figure 4.6 Cell size and frequency (not to scale): relative coverage of 450 MHz, 900 MHz, 1800 MHz and 2100 MHz cells.
This further means that, as a general rule, networks based on higher radio frequency bands – those using 1800 or 2600 MHz for instance – will typically provide more capacity for subscribers than networks based on frequencies of 900 MHz or lower, due to the greater number of available channels and the increased potential for frequency reuse associated with the use of small cells. There are, however, techniques available to improve the capacity and reuse potential even of low-frequency networks, so this should only be taken as a guideline rather than a rule. Many networks employ a mix of frequency bands: low frequency 900 MHz cells (or 700 or 850 MHz cells, depending upon the region in which they operate) are used for rural coverage and also provide wide-area ‘umbrella’ cell coverage across urban areas, while 2100 MHz cells (or 1800, 2300 or 3500 MHz cells, again depending upon region) are used to provide high-capacity coverage in towns and other high demand areas. An unofficial naming convention has sprung up associated with cell sizes: ‘macro’ cells cover large areas and are generally said to be anything over 1 km in radius; ‘micro’ cells are generally considered to offer coverage to a radius of 100 m to 1 km; ‘pico’ cells are usually defined as being deployed and operated by a network to provide indoor coverage to small areas (
Figure 8.12 Mapping presentations. Source: Microsoft AutoRoute used with permission from Microsoft, CSAS map format used with permission from Forensic Analytics Ltd.
Figure 8.13 Call tables (for each map: call time, last digits of the other party, call type and direction). CSAS data format, used with permission from Forensic Analytics Ltd.
Further labels could be included in mapping slides to provide details of significant events that occurred during the period covered by the map. Additional graphics are used to provide explanations for complex concepts. For example, if cell coverage or route surveys were undertaken as part of the case, then maps illustrating the results of these surveys can be included in the mapping presentation. If the maps to be displayed in court are created using a presentational application such as Microsoft PowerPoint, the call and cell labels and icons can be animated so that they appear on each map slide in the order in which the calls were made and the cells were used. The animated progression of call and cell details can make it easier for the court and for members of the jury to grasp the relationship between the calls and the significant events in the case.
8.11 Report Checking and Peer Review Cell site reports can develop into enormously complex collections of documents, especially if a case involves multiple handsets over an extended period of time, and it is to be expected that the writers and compilers of these reports will make at least one mistake somewhere within them. It is therefore absolutely vital that each report is fully proofread and fact-checked once it has been completed. The main aspects that need to be checked include:
● Case details and continuity information are complete and correct.
● Details of survey locations and survey results are complete and correct.
● Attribution and colouration details for each target phone are correct.
● Within the body of the report, the paragraphs relating to each examined group of calls should be checked to make sure that the call times, used cell details, location details and forensic survey results mentioned are correct.
● Each conclusion should be checked back against the source data to ensure that it is sound and supported by the evidence. A check for alternative interpretations should also be made, as should a check of any defence statement or alibi that has been provided.
● Call schedules should be checked back against the source CDR data to make sure that no errors were introduced during the ‘cleansing’ process.
● Maps should be checked to ensure that the marked locations of addresses and cell sites are correct, that cell labels contain the correct cell details, that the correct set of call labels are listed for each cell and that any azimuths are correct (both in the cell labels and in the orientation of the cell icons).
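The ‘check the call schedule back against the source CDR data’ and ‘check that azimuths are correct’ items above, as an added example that is not from the book: a script that compares a cleansed call schedule with the raw operator export and with the cell site list, and reports every discrepancy. The CSV layout, the telephone numbers (drawn from Ofcom’s reserved 07700 900xxx drama range), the cell identities, the site list and the planted errors are all constructed for this illustration; real operator exports use their own layouts and field names.

```python
"""Cross-check a cleansed call schedule against the source CDR export.

Added example, not from the book. The CDR column layout, the schedule rows,
the cell site list and the planted errors are all constructed for
illustration; real operator exports use their own layouts and field names.
"""
import csv
from io import StringIO

# Constructed raw CDR export (assumed layout) as received from the operator.
RAW_CDR = """\
call_time,direction,type,other_party,cell_id
2023-03-01 20:01:42,out,SMS,07700900991,10011
2023-03-01 20:14:49,in,Voice,07700906135,10011
2023-03-01 20:15:59,out,SMS,07700900187,10012
2023-03-01 20:38:09,in,SMS,07700900991,10012
2023-03-01 20:44:15,out,SMS,07700900187,10012
"""

# Constructed cell site list: cell_id -> (site name, azimuth in degrees).
CELL_SITES = {
    "10011": ("High Street mast", 30),
    "10012": ("High Street mast", 150),
    "10013": ("High Street mast", 270),
}

# Constructed 'cleansed' schedule with planted errors: the third row's time
# has transposed digits (20:51:59 for 20:15:59), the fourth row's cell label
# carries the wrong azimuth, and the 20:44:15 record was dropped entirely.
SCHEDULE = [
    {"call_time": "2023-03-01 20:01:42", "direction": "out", "type": "SMS",
     "other_party": "07700900991", "cell_id": "10011", "azimuth": 30},
    {"call_time": "2023-03-01 20:14:49", "direction": "in", "type": "Voice",
     "other_party": "07700906135", "cell_id": "10011", "azimuth": 30},
    {"call_time": "2023-03-01 20:51:59", "direction": "out", "type": "SMS",
     "other_party": "07700900187", "cell_id": "10012", "azimuth": 150},
    {"call_time": "2023-03-01 20:38:09", "direction": "in", "type": "SMS",
     "other_party": "07700900991", "cell_id": "10012", "azimuth": 160},
]

KEY_FIELDS = ("call_time", "direction", "type", "other_party", "cell_id")


def load_raw_cdr(text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(StringIO(text)))


def record_key(row):
    """The fields that must agree between a schedule row and its source record."""
    return tuple(row[field] for field in KEY_FIELDS)


def check_schedule(raw_rows, schedule, sites):
    """Return a list of findings; an empty list means the schedule matches."""
    findings = []
    raw_keys = {record_key(r) for r in raw_rows}
    schedule_keys = {record_key(r) for r in schedule}

    for row in schedule:
        key = record_key(row)
        if key not in raw_keys:
            # Source records that agree on everything except the time are the
            # usual signature of a transcription slip, so name them as candidates.
            candidates = [r["call_time"] for r in raw_rows if record_key(r)[1:] == key[1:]]
            hint = f"; same party/type/cell at {', '.join(candidates)}" if candidates else ""
            findings.append(f"schedule row {row['call_time']} {row['other_party']}: "
                            f"no matching source CDR record{hint}")
        azimuth = row["azimuth"]
        site = sites.get(row["cell_id"])
        if not (isinstance(azimuth, int) and 0 <= azimuth <= 359):
            findings.append(f"cell {row['cell_id']}: azimuth {azimuth!r} is not 0-359")
        elif site is None:
            findings.append(f"cell {row['cell_id']}: not in the cell site list")
        elif site[1] != azimuth:
            findings.append(f"cell {row['cell_id']}: label azimuth {azimuth} "
                            f"differs from cell site list ({site[1]})")

    for r in raw_rows:
        if record_key(r) not in schedule_keys:
            findings.append(f"source CDR record {r['call_time']} {r['other_party']}: "
                            f"missing from schedule")
    return findings


if __name__ == "__main__":
    for finding in check_schedule(load_raw_cdr(RAW_CDR), SCHEDULE, CELL_SITES):
        print(finding)
```

Run against the sample data it produces four findings: the transposed time (with the two source records that match it on everything except the time), the mismatched azimuth, and the two source records the schedule no longer carries (the one whose time was mistyped and the one that was dropped). A schedule rebuilt directly from the raw rows with the site list azimuths produces none.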
Once the report writer has fully checked (and, if necessary, corrected) their work, the report should be passed to at least one equally qualified and competent peer reviewer, who should go through the whole checking process again. Peer reviews are an essential quality assurance tool as they help to overcome any issues associated with over-familiarity with the case details. When working on a cell site case, analysts and experts become steeped in the details and often find it difficult to recognise when they have missed out important facts that would help someone less familiar with the case to understand key events. There is also a danger of confirmation or cognitive bias creeping into the analyst’s or expert’s work, again largely due to over-familiarity with the case details. To be truly effective, a peer reviewer should have had no involvement with the case that they are reviewing, which should ensure that any ‘omissions due to familiarity’ will be detected and can be corrected.
8.12 Professional and Expert Witnesses Cell site and forensic survey evidence is typically presented in court by one of two types of witness: professional witnesses or expert witnesses. United Kingdom courts (and courts in many other jurisdictions) draw a distinction between a professional ‘witness of fact’ and an expert ‘witness of opinion’. This distinction may not be recognised in all countries; it is outlined below to indicate the difference between the type of evidence that forensic radio surveyors would be expected to provide and the type of evidence that a cell site expert would offer.
8.12.1 Witness of Fact A Witness of Fact is typically regarded as being a ‘professional witness’ and is able to give evidence related only to things they have observed or to processes that they have undertaken [24]. A police officer who has been trained to undertake the tasks associated with forensic radio surveys, for example, would be able to give factual evidence related to surveys that had been undertaken and the results that had been obtained. Such a witness would, for example, be able to state as a fact that ‘Cell 1234 was detected as a serving cell at Location A in the survey that I undertook’ but would not be permitted to offer an opinion as to, for example, why Cell 1234 served when Cell 2345 did not.
8.12.2 Witness of Opinion A Witness of Opinion is an ‘expert witness’ who has been accepted by the court as an expert in their field and is therefore permitted to provide opinions related to the evidence or facts that have been put before them [25]. A cell site expert witness is able to review the call records and radio survey results presented in evidence and would be permitted to draw conclusions as to whether the use of certain cells supports or undermines the contention that the user of a target phone was located at or near a significant address when calls using those cells were made. Forensic radio surveyors who appear in court as professional witnesses of fact would be expected to provide an account of the surveys they had undertaken and the results they had obtained; it would usually be the job of a cell site expert to offer an opinion as to whether the evidence in the case supported the prosecution’s allegations or not. Expert witnesses can, of course, also be retained by the defence, in which case their role would be to scrutinise the prosecution case and test the conclusions that were reached.
8.12.3 Duties of an Expert Witness In the United Kingdom, rules on the use of expert evidence, including guidance on the expert’s duty to the court and on the content of an expert’s report, are detailed in Part 19 of the Criminal Procedure Rules and Practice Directions 2020 legislation [13]. Guidance is also provided in the CPIA [14] and the Forensic Science Regulator’s Codes of Practice [1]. The Crown Prosecution Service provides advice [26] and a guidance booklet for experts, ‘CPS Guidance for Experts on Disclosure, Unused Material and Case Management’ [22], mentioned earlier in Section 8.8, is based on the Part 19 rules. Collectively the guidance for experts is often summarised as the 3Rs – ‘Record: Reveal: Retain’ – as described below. The Part 19 rules describe an expert witness as ‘a person who is required to give or prepare expert evidence for the purpose of criminal proceedings’. They go on to describe the duties of an expert to the court (whether they are working for the prosecution or the defence). These can be summarised as:
● An expert must help the court to achieve the overriding objective by giving objective, unbiased opinion on matters within his (or her) area of expertise.
● This duty overrides any obligation to the person from whom he/she receives instructions or by whom he/she is paid.
● This duty includes an obligation to inform all parties and the court if the expert’s opinion changes.
The Part 19 rules (at section 19.4) also make mention of the required content of an expert’s report and/or statement, which must:
● Give details of the expert’s qualifications, relevant experience and accreditations.
● Give details of any literature or other information that the expert has relied upon.
● Contain a statement setting out the substance of all facts given to the expert which are material to the opinions expressed in the report.
● Make clear which of the facts stated in the report are within the expert’s own knowledge.
● Say who carried out any examinations, measurements, tests or experiments which the expert has used for the report.
● Where there is a range of opinion, provide a summary of those opinions and state their own opinion.
● Contain a summary of the conclusions reached.
● Contain a statement that the expert understands their duty to the court.
● Contain the same declaration of truth that is given in a witness statement.
If an expert’s report can be shown not to be in accordance with the Part 19 rules, then it could be excluded from the evidence in a case.
8.12.4 Defence Cell Site Reports In most jurisdictions, a defendant has the right to appoint a defence lawyer/barrister/advocate. The process of ‘disclosure’ or ‘discovery’ typically means that the defence are entitled to see in advance of the trial all of the evidence that is to be put forward in the case, including any expert evidence such as a cell site report and any raw or source data used to compile it. If the prosecution has had the benefit of advice from a cell site expert, the defence is typically given the opportunity to appoint an expert of their own, who will be expected to produce a defence cell site report – although in the United Kingdom, there is no obligation on the defence to disclose its defence cell site report to the prosecution. The role of the defence cell site report is to examine and challenge the prosecution report to ensure that it has been conducted in a technically rigorous manner and that its conclusions stand up to scrutiny. Defence reports are also often used to test the cell site evidence against alibis and alternative interpretations of the call records. Most defence reports begin with a point-by-point commentary on the prosecution report, highlighting instances where the defence expert agrees or disagrees with the prosecution expert; they then move on to examine disputed or contentious aspects of the case in more detail and sometimes conclude by putting forward alternative scenarios or interpretations. The best defence reports are those that tease out any inaccuracies or inconsistencies in the prosecution case and ensure that the prosecution expert has conducted a rigorous investigation; the worst defence reports simply put forward a blanket objection to every point made by the prosecution, whether the objection has technical merit or not, and seek by any means to undermine the evidence provided in the hope of having it excluded from the case.
This second type of report could be said to be non-compliant with the requirements for expert reports outlined in the Part 19 rules. It is often said of court cases in general that a robust and principled defence is necessary to ensure that the prosecution offers its best possible case, and this is equally true of cell site evidence. Indeed, many independent cell site experts work on both sides of the industry, providing reports for the prosecution in some cases and working for the defence in others.
8.13 Court Presentations The procedural examples provided in this chapter have all been based on United Kingdom law and court procedures, as the author is based in the United Kingdom and mainly has experience in that jurisdiction. The information provided in this chapter is not intended to reflect the processes and procedures in all jurisdictions and is included only to provide an insight into the end result of a cell site and forensic radio investigation. The United Kingdom, as with many other jurisdictions, employs an ‘adversarial’ court system, in which prosecution and defence present opposing views and ask the jury to decide which is more convincing. It has come to be recognised that presenting juries with opposing views on complex technical topics, with presentations by prosecution and defence expert witnesses, will often not achieve the best results, as jury members cannot be expected to understand the nuances of the different technical arguments. It has become much more common in recent years, in cases where there is complex forensic evidence, for judges to ask the prosecution and defence expert witnesses to meet and devise a set of facts or interpretations that both sides can agree on. The jury are then presented with one set of ‘agreed’ facts and do not have to try and choose between competing technical interpretations. The following sections outline the processes that are followed if an agreed position cannot be reached.
8.13.1 Evidence-in-Chief

Evidence-in-chief is the term used in United Kingdom courts to describe a witness’s presentation of evidence for the ‘side’ that called them. For example, a witness called by the prosecution would give their evidence-in-chief under examination from a prosecution barrister (the UK term for an advocate or trial lawyer) and may then be subject to further cross-examination by the defence barrister. A witness called by the defence, conversely, would give their evidence-in-chief to the defence and would be cross-examined by the prosecution. Evidence-in-chief sessions relating to cell site evidence can be made more engaging and understandable for a jury by the addition of graphics and other presentation aids if the witness is permitted to employ them. The rules on whether a witness, even an expert witness, can take detailed notes into the witness box with them vary between jurisdictions; in some, witnesses can take detailed notes into the box to refer to while giving evidence, but in others, notes are not permitted. A forensic radio surveyor or cell site expert will usually prepare some or all of the following elements for a court presentation:
● Detailed cell site report – distributed to the barristers and judge only.
● Summary cell site report – provided in the jury ‘bundle’ of evidence documents and to barristers, judge and defendant(s).
● Call schedule booklet – printed on A3 paper and provided in the jury ‘bundle’ and to barristers, judge and defendant(s).
● Mapping presentation booklet – printed on A4 paper and provided in the jury ‘bundle’ and to barristers, judge and defendant(s).
● Mapping presentation in Microsoft PowerPoint or directly from a cell site analysis tool such as CSAS – to present via screens or a projector in court.
● Cell site overview presentation in Microsoft PowerPoint – to present via screens or projector in court.
The process of giving expert cell site evidence usually follows a fairly predictable routine:
● The witness (a forensic radio surveyor or cell site expert) is sworn in (or affirms).
● The witness’s background and experience are described, which provides the jury with details of how and why they should be considered to be an expert in their field. The defence have the opportunity to challenge the expert status of a witness and if the challenge is accepted by the judge, the witness may be subjected to a ‘voir dire’, which is a ‘hearing within a hearing’ designed to assess the witness’s competency. This is not a common procedure for professional witnesses and is rare even for expert witnesses.
● A professional witness of fact, such as a forensic radio surveyor, will then usually be led through a presentation of the surveys that they have performed and the results they have obtained. These witnesses should not be asked to provide opinions on the results they have obtained but may be required to explain and defend the methods they employed to obtain or process them.
● A cell site expert witness will usually be asked to provide a brief overview of mobile phone technologies and cell site analysis for the jury. This is often achieved by using a simple PowerPoint presentation or an animated video and should not take more than 5 or 10 min.
● The prosecution barrister then usually leads the expert through their cell site report section by section, highlighting the allegations being made in respect of each relevant defendant. The format for this part of the evidence is usually:
  – Set the context for the calls, in relation to alleged events, for example ‘these calls were made at the time that the Crown alleges that the user of the phone was on his way to the robbery location’.
  – Describe the calls, the significant phone numbers involved, the durations of the calls and the cells that were used.
  – If the allegation relates to the calls potentially having been made at a specific location, and if a forensic radio survey was undertaken at that location, details of whether the used cells provide coverage at that location will be described, for example, ‘Cell ID 1235, as used by the Blue-1234 phone, serves an area that includes location A’.
  – Present the cell site conclusions related to the set of calls, for example ‘the cell used for the call at hh:mm:ss has a surveyed service area that includes Location A, meaning that the phone could have been there at that time, but could equally have been elsewhere within the cell coverage area’.
  – If presentation aids (screens or a projector) are available and are permitted to be used, it helps to show the cell map(s) associated with each set of calls while they are being discussed.
  – Once the main cell site report has been presented, the prosecution barrister may move on to cover other matters investigated by the expert such as alternative interpretations of specific calls, cell or route coverage profiles and so on.
  – Once the prosecution concludes the evidence-in-chief, the defence has the opportunity to cross-examine.
In general, there are some things that should be said by a cell site expert when giving evidence and some things that should not be said. Cell site experts should always ensure that a jury is made aware of the limitations of cell site evidence: that this form of evidence generally cannot pinpoint the location of a phone when a call was made and that it usually only indicates that it is possible for a phone to have been at a location; it is not guaranteed that it was there. Cell site experts should never (unless there is definitive evidence) attempt to suggest that their interpretation of calls and their estimation of the location of a phone is the only possible interpretation. They should never be led, by examination or cross-examination, into a situation where they agree with a statement that they know cannot be supported by the facts, as can sometimes happen if the examining barrister is unaware of the technical limitations of cell site analysis.
8.13.2 Typical Cross-Examination Questions

The use of cell site analysis by law enforcement agencies has presented them with a powerful investigative tool, but the uncertainty involved in reaching conclusions based on cell site evidence leaves it vulnerable to challenge from the defence in a case. Some typical avenues of attack employed by defence barristers include:
● Attribution – the point is often made that cell site analysis provides details of where a phone may have been located but does not necessarily prove in whose hand the phone was at the time. This is true and without supporting evidence or solid attribution cell site evidence cannot successfully prove that a specific individual could have been at a location. This is why it is usually sensible to limit cell site evidence to discussing the location of the phone not the individual.
● Uncertainty – another common point made is that cell site evidence generally only shows that it is possible that a phone could have been at an alleged location when specific calls were made. The phone might equally have been anywhere else within the coverage area of the cell(s) used during that period. This is also true, up to a point. If calls are analysed in isolation from each other, it is not usually possible, without other types of evidence, to be specific about exactly where in a cell’s coverage area the phone was located. However, in some cases when a series of calls is analysed it is possible to be more emphatic. For example, if a series of calls is made in quick succession using a set of different cells, and if the only area where all of the cells that were used provide overlapping coverage is at or near the alleged location, then the defence argument falls down. In this scenario, to have used the set of cells that were used in quick succession, the target phone must be in an area where all of the used cells overlap, which potentially narrows down the area within which the phone must have been located. Defence barristers, in this situation, will sometimes try to insist that the expert answers questions related to individual calls only, rather than answering questions related to the whole sequence of calls; in such a scenario, the expert witness should resist the attempt to focus on individual calls and should make the jury aware that interpretation of a wider set of calls will lead to a better understanding of the evidence.
● Network Change – the question is often asked: ‘How do you know that the network had not changed between the time of the offence and the time you conducted your radio survey?’ Operators undertake regular maintenance on their networks. One form of maintenance is known as ‘optimisation’ and is designed to improve the coverage or service offered by a site. This may involve moving (or ‘reorientating’) the site antennas to point in a different direction. If such a procedure takes place after significant calls were made but before a forensic radio survey is conducted, then the results of the survey might not match the coverage provided when the significant calls were made. To avoid this problem, it is recommended that surveys are taken as soon as possible after an offence or incident has taken place, even if no suspect has yet been identified. An early All-Network Profile or scene preservation survey should cover any eventualities. If faced with a situation where a long gap exists between the offence and any RF surveys being captured, the expert should attempt to find supporting evidence, such as historical surveys taken in the area of the offence closer to or earlier than the offence time. If no such supporting evidence is available, however, often the only honest and ethical response the expert can make is to agree that their survey results may not reflect the coverage that was available at the time of the offence.
● Network Busy – the question often asked is: ‘If this cell is busy, the call will be handled by a neighbouring cell which could be even further away from the alleged location, is that correct?’ Theoretically, that is true, but such a question indicates that the questioner is failing to understand the difference between a cell site’s location and the coverage area of the cells that it broadcasts – coverage extends far beyond the tower location. There was a 2G/3G feature called ‘network directed retry’ which can push calls from busy cells to ones close by which are less busy. This was an optional setting by a network and the surveyor would not know if this had been enabled or not. However, a call can only be redirected to a cell which serves or provides strong coverage at the phone’s current location, so any alternative cell used is likely to appear high on the list of serving or neighbour cells in any forensic radio survey conducted at that location, allowing normal cell site conclusions to be reached. Most modern networks, and especially 4G and 5G networks that support VoLTE/VoNR calling, avoid the need for a network-directed retry facility by ensuring that there is enough capacity available in each cell to deal with more than the predicted peak demand.
More general cross-examination questions relate to topics such as the general limitations of cell site analysis; the limitations and different handling of GPRS/mobile data CDRs; GPRS ‘phantom sessions’; whether it is possible to tell if a mobile device was switched on or off during certain periods of time; whether the weather has an effect on mobile propagation; the witness’s accreditation status, in countries that require accreditation to a standard such as ISO17025; the validity of ‘local area’ surveys instead of ‘spot location’ surveys; and many others, all of which have been addressed at some point in this text.
In general, the cross-examination of professional and expert witnesses can be characterised into three distinct methods of attack, depending upon the defence lawyers’ estimate of the strength of the expert evidence. The phases or levels of cross-examination can be summarised as the 3Ms – ‘attack the material; attack the method; attack the man’ (with apologies for the obvious sexism implied on the third M).

‘Attack the material’ refers to standard cross-examination actions to test and scrutinise the content of the professional or expert witness’s report looking for errors, inconsistencies or contradictions. If no significant errors can be found in the report, the focus of the cross-examination often turns to examining the methods employed to compile the report. This generally focuses on the reliability of RF survey results, the accuracy of any call schedules or maps that have been produced or on any mathematical tools employed to calculate results. This phase of a cross-examination will often also examine the continuity of evidence and the strength of the handset attribution data.

If no significant problems can be found with the methods employed to compile a report, the cross-examination may focus on the ‘man’ (or woman), meaning that the credibility of the professional or expert witness is examined. It is comparatively rare for a cross-examination to move into this phase, as the defence would have had the entire pre-trial period to raise any objections to the expert status of any witnesses. However, the ‘attack the man’ phase can happen and may result in the court requiring the expert to undergo a voir dire hearing. Among expert witnesses, it is often said that if the defence go straight to the ‘attack the man’ phase it should be interpreted as a good sign, as it means that they have found no significant errors or omissions in either the material or the method.
8.14 Support for ‘Live’ Investigations

The majority of the techniques discussed so far in this chapter relate to the use of cell site techniques in support of historical investigations; techniques that are designed to answer the question ‘where was the subject phone when this call was made?’ Some of the techniques so far discussed, plus a number of additional ones, can also be used in support of live, ongoing investigations and can be used to answer the question ‘where is this phone now?’ Many of the techniques employed for ‘live’ positioning of mobile devices were developed or enhanced to support the US Government’s ‘E-911’ legislation, which places a requirement on cellular providers to automatically determine the location of cellular devices that make an emergency 911 call to within 50 m [27]. Those techniques can, of course, be repurposed to also provide granular positioning data for devices in other scenarios. It must be stated that some of the techniques to be discussed in this section are sensitive and are regarded in some countries as being ‘protected methodologies’, which should not be discussed in a public forum; consequently, some of the details of the technologies and/or investigative techniques employed by these methods have been omitted or obscured and the level of detail provided below should not exceed the information that could be gleaned from a small amount of Internet searching.
8.14.1 Real-time Usage Data

The key component of ‘historical’ cell site analysis is the CDR; disclosed data showing the calls and other connections employed by a subject device. A CDR is only transmitted to the billing system (and is therefore only available to be disclosed) after the connection or event has terminated, or, in the case of mobile data services, when a ‘part billing’ trigger has been reached. It generally takes a small amount of time for the data contained in a CDR to be transmitted to the billing system, processed and made available for disclosure; the actual time taken might be different for different networks, so a general rule of thumb value might be that CDR data is available up to 15 min after the event, which might not seem like a long time in other scenarios, but is still ‘historical’ and could be significant in investigative terms, such as when looking for a suspect who is travelling in a vehicle. Many networks offer law enforcement agencies the option of requesting, subject to authorisation, a continually updated feed of CDR data for a subject phone; in the United Kingdom this is known as ‘forward facing’ data and might cause an updated CDR to be released at fixed intervals (e.g. every 15 min, once an hour or once a day depending on what interval was requested) or only when there is new data to disclose. Forward-facing data gives investigators an opportunity to maintain a close to real-time view of the activities of a subject device, which then allows the use of cell site analysis techniques to determine where that device was very recently when those connections were made.

Every cellular network theoretically supports a LIG or Lawful Intercept Gateway, which offers a standardised method of applying communications intercepts or ‘wiretaps’. The modern equivalent of what is historically known as a wiretap is a full intercept, where a live stream of each ongoing phone call, text message or data session is supplied via the LIG to an authorised agency. The LIG can also provide a more basic, possibly less intrusive form of intercept, which just reports the metadata for a subject phone’s activities; the metadata, which is provided using the ‘Trace’ facility described earlier in this chapter, provides an indication each time the subject phone is in use. A typical metadata message, known as CSLI, will identify the subject phone, show details of the recent transaction (call, text, data session, etc), mention the ‘other’ party number if applicable and show details of the cell(s) the phone used. LIG metadata updates are generally delivered to the requesting agency almost immediately and, as they contain used cell details, provide almost real-time information on approximately where a device is currently located. Taken together, forward-facing data and, in jurisdictions where its use is permitted, CSLI metadata, often form the raw material for the cell site component of live investigations.
8.14.2 Location-Based Services Infrastructure

The facilities that enable cellular networks to infer the approximate current location of connected devices have been historically known as ‘location-based services’ (LBS) and are commonly called ‘positioning’ services in more recent specifications. Authorised users or systems in a network can issue requests to a centralised positioning system, which will then attempt to determine the subject device’s location to send back to the requestor contained in a positioning response. In earlier 3GPP specifications, the network element responsible for location-based services was the LCS (Location Services) Server [28]; in more recent specifications this job is undertaken by the LMF (Location Management Function) or ‘positioning server’ [29]. Both network nodes employ different sets of techniques, some of which are supported only by base stations (for network-derived positioning) and others that are supported by a combination of base stations and the subject device (for UE-assisted positioning). In order to offer location-based services, as well as deploying the central positioning elements, the network’s base stations must support one or more positioning techniques, each of which would possibly attract an additional licence fee from the base station vendor, so it is not a given that all base stations will support all positioning methods. Finally, the mobile devices must also support some of the positioning technology options, if UE-assisted techniques are to be used; again, not every device will necessarily support every positioning technique.
8.14.3 Device Location Requests

Near real-time usage data can help to locate a subject device, but only if it is being used; if there is no traffic, then there is no usage data upon which to base a geolocation estimate. If a device is attached/registered with a network but is not currently being used, it is possible to employ the network’s location-based services facilities to silently (i.e. in a way that does not alert the device’s user) interrogate the device to determine its current whereabouts. In some jurisdictions, cellular operators are required to support a facility that allows an authorised agency to request the network to provide live location details for a subject device – this facility is sometimes known as a ‘real-time ping’ or a ‘GPS ping’. In reality, ‘pings’ are most often based on LBS positioning techniques and do not use GPS – indeed some ‘ping response’ message templates explicitly include a disclaimer stating that device GPS was not employed. Agencies can request a one-off ping or, in some countries, they can request a regularly updated (e.g. every 15 min, once an hour, etc.) automatic ping that is repeated for a period of time. An authorised agency can issue device location ping requests, which must generally be supported by a warrant or court order. Ping requests are managed via the network’s LCS/LMF infrastructure; responses are emailed back to the requesting agency and provide the device’s location in a latitude/longitude format and generally also contain a ‘radius of uncertainty’ within which the device can be assumed to be. The reasons for this uncertainty are determined by the positioning method that was used, whether the positioning was network-derived or UE-assisted, the radius and beamwidth of the cell(s) being used, the depth of the timing advance steps and several other possible factors.
If the objective of using cell site techniques is to determine the current location of a mobile device, then a real-time ping can offer a reasonably accurate positioning method, depending upon which positioning technique is employed. This facility is not supported in all jurisdictions, however, and might not be authorised for all types of investigation due to the civil liberties implications even where it is supported. There are several different positioning techniques that could be employed.
8.14.4 2G/4G/5G Timing Advance

Timing Advance was discussed in Chapter 4 and offers a simple, but less granular method for determining the potential location of a mobile device. Each technology that employs timing advance is provided with a set of timing advance ‘steps’; the distance covered by each step is proportional to the symbol rate on the channel and advances or retards the uplink transmission time by a set number of symbols; each step equates to a physical distance. This is illustrated in Figure 8.14. In GSM900/1800/1900, there are 63 timing advance steps, each of 553.5 m which is based on one symbol period – the maximum TA step of 63 leads to a theoretical maximum cell size of just under 35 km. GSM400, which was designed to work over much longer distances (but is no longer deployed), has 219 timing advance steps; each step still equates to the same distance but cells can be much larger, with a greater number of TA steps [30]. In LTE, the timing advance is calculated based on a more complex calculation, but it is still ultimately proportional to multiples of the symbol period, with one timing advance step equating to 78 m distance from the base station [31]. In NR, things are more complicated, as the symbol period is variable depending on frequency range and channel bandwidth; for an NR channel that is using the same 15 kHz subcarrier spacing as LTE (remembering, as discussed in Chapter 5, that subcarrier spacing is inversely proportional to symbol period, so as the spacing increases the symbol period decreases), the timing advance steps are equal to 78 m; with a subcarrier spacing of 30 kHz the step distance reduces to 39 m; at 60 kHz spacing the timing advance distance is 19.5 m; 120 kHz equals 9.7 m, with the TA step distance decreasing as subcarrier spacing increases/symbol period gets shorter.

Figure 8.14 Timing advance concept (Cell A; timing advance arc whose depth equals the TA step size; device’s approximate distance from the tower).

As wider 5G channel bandwidths are likely to be used in higher frequency bands and as higher frequency carriers are often used to generate smaller cells, the combination of a small cell and a small TA step could lead to very accurate estimates of a device’s location [32]. The timing advance information given in the reference specifications is complex and often does not explicitly state the TA step values, but there are numerous ‘timing advance calculators’ available on the Internet that will use the calculations and provide the step values. If timing advance is reported for a mobile device, either live or historically, it can be visualised as an arc extending across the assumed sector fan of the cell, as shown in Figure 8.14; the ‘depth’ of the arc is determined by the TA step size. If TA data for the same phone can be obtained for multiple events that occurred within a short space of time, the overlapping TA arcs can provide a more accurate idea of the area the device may have been located within, as shown in Figure 8.15. The positioning accuracy of Timing Advance data is in part limited by the depth of the TA ‘arc’ and the number of overlapping arcs that can be calculated. For example, with one TA response, showing the device’s approximate distance from just one base station, GSM offers an arc with a depth of around 550 m – if we assume the TA distance is 3.3 km (7 TA steps) from the base station, and the sector has an arc of 120°, that gives a TA arc (or ‘annulus’) with an area of roughly 4.15 km² within which the subject device might be located; two overlapping TA arcs in GSM reduce the area of uncertainty (where two arcs intersect perpendicular to each other) to less than 500 m² or even less for other forms of intersection. Similar calculations for LTE (with an arc depth of 78 m) offer an area of uncertainty of 500 m² with one arc and an area of less than 100 m² for two overlapping arcs. In most networks, TA data is ‘ephemeral’, meaning that it is generated at a point in time but is not stored or saved and so is immediately overwritten by the next set of data. Ephemeral data can be made available in live investigations, but it often requires a cellular network engineer to log in to a base station or other access network node and capture the live data for the investigator as it is being generated. Some network operators, most notably in North America, do capture and save TA measurement data to a database and can disclose it alongside historical CDR data, allowing investigators to plot timing advance ‘arcs’ for subject devices as part of a cell site analysis investigation.

Figure 8.15 Overlapping timing advance arcs (Cell A and Cell B arcs; area of overlap).
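The step distances and the ‘annulus’ area discussed above can be reproduced from the air-interface timing units. The following Python block is an added example, not code from the book or from any specification or calculator it mentions: it derives the one-way TA step distance for GSM (one bit period), LTE (16·Ts) and NR (16·64·Tc/2^µ) using timing constants taken from the author of this example’s own knowledge of the standards, computes the area of a single TA arc across a sector and the rough area where two arcs cross, and applies them to the GSM worked figures in the text (3.3 km from the tower, 120° sector, one step of depth), for which it returns about 4.15 km². Under the same assumptions the LTE single-arc area comes out at about 0.55 km².

```python
import math

C = 299_792_458.0  # speed of light, m/s

# Air-interface timing unit that one TA step advances, per technology. The
# radio signal covers the path twice (downlink, then uplink), so the one-way
# distance per step is unit * c / 2. The rounded values quoted in the text
# (553.5 m, 78 m, 39 m, 19.5 m, 9.7 m) follow from these units.
GSM_BIT_PERIOD_S = 1.0 / 270_833.33      # one GSM bit (symbol) period, ~3.69 us
LTE_TA_UNIT_S = 16.0 / 30_720_000.0      # 16 * Ts, with Ts = 1 / 30.72 MHz
NR_TC_S = 1.0 / (480_000.0 * 4096.0)     # NR basic time unit Tc


def ta_step_metres(rat, scs_khz=15):
    """One-way distance represented by a single timing advance step.

    rat is 'GSM', 'LTE' or 'NR'; scs_khz (NR only) is the subcarrier spacing,
    which halves the step distance for every doubling of the spacing.
    """
    if rat == "GSM":
        unit = GSM_BIT_PERIOD_S
    elif rat == "LTE":
        unit = LTE_TA_UNIT_S
    elif rat == "NR":
        if scs_khz not in (15, 30, 60, 120, 240):
            raise ValueError(f"unsupported NR subcarrier spacing: {scs_khz} kHz")
        mu = int(math.log2(scs_khz // 15))  # numerology: 15 kHz -> 0, 30 -> 1, ...
        unit = 16.0 * 64.0 * NR_TC_S / (2 ** mu)
    else:
        raise ValueError(f"unknown technology: {rat}")
    return unit * C / 2.0


def max_cell_radius_m(rat, n_steps, scs_khz=15):
    """Theoretical maximum cell radius for a technology offering n_steps TA steps."""
    return n_steps * ta_step_metres(rat, scs_khz)


def ta_distance_band_m(ta_value, step_m):
    """(nearest, farthest) distance from the tower implied by a reported TA value."""
    return ta_value * step_m, (ta_value + 1) * step_m


def ta_arc_area_m2(inner_radius_m, arc_depth_m, sector_deg):
    """Area of one TA 'arc' (annulus sector) of depth arc_depth_m that starts
    inner_radius_m from the tower and spans a sector of sector_deg degrees."""
    outer = inner_radius_m + arc_depth_m
    return (sector_deg / 360.0) * math.pi * (outer ** 2 - inner_radius_m ** 2)


def crossing_arcs_area_m2(depth_a_m, depth_b_m):
    """Rough area where two TA arcs from different cells cross at right angles,
    treating each arc locally as a straight strip of its own depth."""
    return depth_a_m * depth_b_m


if __name__ == "__main__":
    for rat, scs in (("GSM", 15), ("LTE", 15), ("NR", 15), ("NR", 30), ("NR", 60), ("NR", 120)):
        label = f"{rat} {scs} kHz" if rat == "NR" else rat
        print(f"{label:>11}: {ta_step_metres(rat, scs):7.2f} m per TA step")
    gsm = ta_step_metres("GSM")
    print(f"GSM, 63 steps: maximum radius {max_cell_radius_m('GSM', 63) / 1000:.2f} km")
    print(f"GSM arc at 3.3 km over a 120 degree sector: {ta_arc_area_m2(3300, gsm, 120) / 1e6:.2f} km^2")
    print(f"two GSM arcs crossing at right angles: {crossing_arcs_area_m2(gsm, gsm) / 1e6:.2f} km^2")
```

The crossing-arcs figure is the smallest the two-arc overlap can be, since arcs meeting at a shallower angle overlap over a longer strip; it also assumes both arcs are one step deep, so it should be read as a first estimate rather than a measured area.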
8.14.5 3G Propagation Delay

Not all network types support Timing Advance – CDMA-based networks, for example, do not generally use a time division-based ‘shared and slotted’ air interface in which traffic from different phones is always required to slot into predetermined radio frame slots; in CDMA, each phone transmits its own individual signal, separated from other phones’ traffic by the use of specific spreading/scrambling codes. There are requirements, however, even for 3G networks, for control messages to arrive within set periods and there are some kinds of shared channel, mostly used for packet data exchanges, in which traffic must arrive in the correct time period. 3G UMTS does therefore support a system that is similar to Timing Advance, known as Propagation Delay or PD, which is also sometimes referred to as ‘chip delay’ [33]. The CDMA-based UMTS air interface transmits traffic in two layers – the upper layer consists of the signalling and user plane traffic transmitted to and from active mobile devices: traffic at this layer can run at varying speeds and data rates, depending on the requirements of the user or application. The lower layer consists of a fixed data rate stream of code ‘chips’; chips are really just sequences of 1s and 0s, but groups of chips of varying lengths are used to represent the data being transmitted in the upper layer. If the upper layer is sending low bit rate data, the transmitted data will consist of a small number of coded symbols, each consisting of many chips; if the upper layer is transmitting a large amount of data, the lower layer signal will consist of a large number of coded symbols, each consisting of a small number of chips. The number of chips per symbol can vary, but the overall number of chips transmitted per second cannot; in standard UMTS, using fixed 5 MHz wide radio channels, the lower layer coded chip signal runs at a fixed rate of 3.84 million chips per second (3.84 Mchip/s or Mcs).
The relationship between the transmitted user data and the chip signal that carries it is shown in Figure 8.16. 3G propagation delay, as measured by the network, compares the arrival time of particular chips in the stream – every 3rd chip – against a synchronisation reference and assigns a PD value to the connection based on the lag between the expected chip arrival time and the actual arrival time. 3G UMTS Timing Advance messages can instruct a device to advance or retard transmission time based on the PD measurement. Each 3G PD step equates to an additional 234 m distance from the base station.
Figure 8.16 CDMA ‘chip’ transmission (user data at a low data rate and at a high data rate, each multiplied by a spreading code to give one ‘bit’ spread over many or few ‘chips’ of the fixed-rate chip stream).
Timing advance is potentially less critical in 3G than in other network types and is discussed far less commonly. Networks that capture, store and disclose live or historical TA data for 2G/4G/5G networks might also be able to provide PD or ‘chip delay’ data for 3G networks, meaning that the approximate locations of 3G devices can also be estimated.
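As an added illustration of the two-layer spreading described in Section 8.14.5 and shown in Figure 8.16 (example code written for this discussion, not code from the book), the following Python spreads two constructed bit streams, one at spreading factor 8 and one at spreading factor 4, onto a single fixed-rate chip stream, recovers each stream by correlating with its own code, and computes the distance equivalent of one 3-chip UMTS PD unit at the 3.84 Mchip/s rate. The OVSF code construction and the chip rate are the standard ones; the bit patterns and the choice of code indices are constructed for the example.

```python
C = 299_792_458.0            # speed of light, m/s
UMTS_CHIP_RATE = 3_840_000   # chips per second on a 5 MHz UMTS carrier


def ovsf_code(sf, index):
    """Orthogonal variable spreading factor code of length sf, chips as +1/-1.

    Built by the usual tree doubling: child 2k repeats its parent, child 2k+1
    appends the inverted parent. sf must be a power of two and 0 <= index < sf.
    """
    if sf < 1 or sf & (sf - 1) or not 0 <= index < sf:
        raise ValueError("sf must be a power of two and index must be in range")
    if sf == 1:
        return [1]
    parent = ovsf_code(sf // 2, index // 2)
    return parent + parent if index % 2 == 0 else parent + [-c for c in parent]


def spread(bits, code):
    """Map each bit (0 -> +1, 1 -> -1) onto len(code) chips by multiplying by the code."""
    return [(-1 if b else 1) * c for b in bits for c in code]


def despread(chips, code):
    """Correlate each len(code)-chip symbol with the code; the sign gives the bit."""
    n = len(code)
    bits = []
    for i in range(0, len(chips), n):
        corr = sum(ch * c for ch, c in zip(chips[i:i + n], code))
        bits.append(1 if corr < 0 else 0)
    return bits


def combined_chip_stream(bits_low_rate, bits_high_rate):
    """Two users sharing one carrier: SF 8 (low bit rate) and SF 4 (double the bit rate).

    Both users emit the same number of chips in the same time window; only the
    chips-per-bit differs, which is why the chip rate stays fixed while the bit
    rate varies. Returns (summed chip stream, low-rate code, high-rate code).
    """
    code_low = ovsf_code(8, 1)   # [1, 1, 1, 1, -1, -1, -1, -1]
    code_high = ovsf_code(4, 1)  # [1, 1, -1, -1]; not an ancestor of code_low, so orthogonal
    s_low = spread(bits_low_rate, code_low)
    s_high = spread(bits_high_rate, code_high)
    if len(s_low) != len(s_high):
        raise ValueError("both streams must fill the same chip window")
    return [a + b for a, b in zip(s_low, s_high)], code_low, code_high


def pd_unit_metres(chips_per_unit=3, chip_rate=UMTS_CHIP_RATE):
    """Distance light travels during one PD unit of chips_per_unit chips (~234 m for 3 chips)."""
    return chips_per_unit / chip_rate * C


if __name__ == "__main__":
    low_bits = [1, 0, 1, 1]                  # constructed: 4 bits x 8 chips
    high_bits = [1, 0, 0, 1, 0, 1, 1, 0]     # constructed: 8 bits x 4 chips, same 32-chip window
    stream, code_low, code_high = combined_chip_stream(low_bits, high_bits)
    print("chips in window:", len(stream))
    print("low-rate user recovered :", despread(stream, code_low))
    print("high-rate user recovered:", despread(stream, code_high))
    print(f"one 3-chip PD unit = {pd_unit_metres():.1f} m")
```

Because the two codes are orthogonal and their symbol boundaries are aligned, each user’s bits come back unchanged from the summed stream; the same correlation against the expected chip sequence is what lets the network measure how late a device’s chips arrive and assign a PD value.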
8.14.6 Other Location-Based Techniques

Device location estimation based on Timing Advance can be seen as a ‘broad brush’ approach to geolocation and may not meet the requirements of either legislation, such as E-911, which requires location resolution of less than 50 m, or of apps and services that need an accurate understanding of a device’s location. More granular location-based techniques are available in many networks, most of which are based on the observation of signals sent by base stations or on some form of ‘round trip time’ or RTT calculation [28, 29]. One method that can be more accurate than TA/PD estimates is OTDOA or Observed Time Difference of Arrival. This is a UE-assisted technique – meaning that the subject device is required to take a series of measurements and send them back to the positioning system for analysis – in which the device takes measurements of signals sent by two or more local base stations and calculates the tiny time differences in the arrival of fixed elements in their downlink signals. This is, in essence, a very similar technique to that used by GPS receivers, which look at the difference in arrival time of signals from several different satellites. The measured delay information is sent back to the positioning system for analysis, which then calculates the device’s approximate position based on a knowledge of the locations of the contributing base stations. The measured delay from each contributing base station allows the positioning system to calculate the approximate distance from each of them to the subject device, the location of which can be estimated by calculating the overlap point of the various distance arcs or ‘hyperbolae’. Where OTDOA is used in 4G and 5G networks, the ‘measured element’ transmitted by the base stations is known as a PRS (Positioning Reference Signal), and it is the different arrival times of PRS sent by different local base stations that is measured by the subject device.
In LTE networks, OTDOA is expected to have an accuracy of less than 150 m, possibly as low as 50 m. OTDOA can only work if the subject device can reliably detect signals from two or more different base stations, which may be difficult in areas of single-site dominance; also, the base stations must be very tightly synchronised with each other and must all transmit the signal elements that are measured by the subject devices at exactly the same point in time – wide-area synchronisation of this kind is technically complex and might be expensive to configure, so it’s not a given that all networks will support the OTDOA positioning method. RTT or Round-Trip Time calculations offer a simpler, but possibly less accurate, positioning method, with the ability to estimate a device’s position with an accuracy of around 150 m. The RTT process sends a request to the subject UE, which takes a fixed time to process it and send a response – the network measures the total elapsed time, subtracts the fixed processing time, divides the remaining time by two and multiplies it by the speed of light to get an approximate distance between the phone and the transmitting base station. The requirement to have a fixed time interval between the subject device receiving the request and sending its response could interfere with the normal flow of traffic for a device that is in Connected Mode, so the network will usually assign a series of ‘measurement gaps’, when the traffic flow is momentarily stopped to allow the positioning exchange to take place. Accuracy can be improved by requiring the subject device to participate in measurement sessions with two or more base stations, in what is known as a Multi-RTT positioning event. An additional technique that can be employed to improve the accuracy of network-derived positioning techniques is provided by AOA or Angle of Arrival calculations.
AOA uses measurements collected from a base station’s receiving antenna to attempt to calculate the angle at which the received signal from a subject device arrived, which can then be used to calculate a bearing back to the device. AOA can be used to improve the accuracy of a single TA, OTDOA or RTT arc, by indicating the general area within the arc in which the device might be located, but it offers more accuracy if used with multiple overlapping positioning arcs. Cellular network positioning can also take advantage of data provided by the cellular network itself and by other types of network; for example, the Assisted GPS method requires each base station to transmit its own GPS coordinates on the BCCH, allowing devices monitoring that control channel to know where the tower is, which then gives them a more accurate estimate of their own position in relation to that tower. It is also theoretically possible for cellular positioning systems to derive locations based on WIFI (or WLAN, Wireless Local Area Network) or Bluetooth signals reported by a
8.14 Support for ‘Live’ Investigation
device, but only if the network’s positioning system has prior knowledge of the locations of the reported WIFI hotspots or Bluetooth beacons, which can be gained from the use of MDT data and open-source data such as Wigle [34].
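As an added example, not taken from the book or from any 3GPP specification, the following Python models the RTT distance calculation described above (elapsed time minus fixed processing time, halved, times the speed of light) and then combines three such ranges into a Multi-RTT position fix; the combination step is a least-squares intersection of range circles chosen here for illustration. The base station coordinates, the UE processing time and the 1 µs timer resolution are constructed values.

```python
import math

C = 299_792_458.0  # speed of light in a vacuum, metres per second


def rtt_distance_m(total_elapsed_s, ue_processing_s):
    """Distance implied by one RTT exchange, as the section describes it:
    take the total elapsed time, subtract the UE's fixed processing time,
    halve what remains (one-way air time) and multiply by the speed of light."""
    one_way_s = (total_elapsed_s - ue_processing_s) / 2.0
    if one_way_s < 0:
        raise ValueError("elapsed time shorter than the UE processing time")
    return one_way_s * C


def simulate_rtt(bs_xy, ue_xy, ue_processing_s, resolution_s=None):
    """Constructed stand-in for the network's timer: true round-trip air time
    plus the fixed processing time, optionally quantised to the timing
    resolution of the measuring equipment (a constructed parameter)."""
    air_time_s = 2.0 * math.dist(bs_xy, ue_xy) / C
    total_s = air_time_s + ue_processing_s
    if resolution_s:
        total_s = round(total_s / resolution_s) * resolution_s
    return total_s


def trilaterate(anchors, distances):
    """Least-squares intersection of range circles (Multi-RTT).
    Subtracting the first circle equation from each of the others linearises
    the system to A p = b, solved here through the 2x2 normal equations."""
    (x1, y1), d1 = anchors[0], distances[0]
    s11 = s12 = s22 = t1 = t2 = 0.0
    for (xi, yi), di in zip(anchors[1:], distances[1:]):
        a0, a1 = 2.0 * (xi - x1), 2.0 * (yi - y1)
        b = xi**2 - x1**2 + yi**2 - y1**2 - di**2 + d1**2
        s11 += a0 * a0
        s12 += a0 * a1
        s22 += a1 * a1
        t1 += a0 * b
        t2 += a1 * b
    det = s11 * s22 - s12 * s12
    if abs(det) < 1e-9:
        raise ValueError("base stations are collinear; no unique fix")
    x = (t1 * s22 - s12 * t2) / det
    y = (s11 * t2 - s12 * t1) / det
    return x, y


def multi_rtt_fix(base_stations, ue_xy, ue_processing_s, resolution_s=None):
    """Run one RTT measurement against each base station and combine the
    resulting distances into a position estimate. ue_xy is used only to
    generate the constructed measurements, never by the fix itself."""
    distances = [
        rtt_distance_m(simulate_rtt(bs, ue_xy, ue_processing_s, resolution_s),
                       ue_processing_s)
        for bs in base_stations
    ]
    return trilaterate(base_stations, distances)


def position_error_m(estimate_xy, true_xy):
    """Straight-line error between a fix and the true position, in metres."""
    return math.dist(estimate_xy, true_xy)


# Constructed scenario: three base stations (metres, local grid) and a UE
# whose true position is what the network is trying to recover.
BASE_STATIONS = [(0.0, 0.0), (1200.0, 0.0), (0.0, 900.0)]
TRUE_UE = (400.0, 300.0)
UE_PROCESSING_S = 5e-6       # constructed fixed response time
TIMER_RESOLUTION_S = 1e-6    # constructed: 1 us round trip = 150 m one way

if __name__ == "__main__":
    exact = multi_rtt_fix(BASE_STATIONS, TRUE_UE, UE_PROCESSING_S)
    coarse = multi_rtt_fix(BASE_STATIONS, TRUE_UE, UE_PROCESSING_S,
                           TIMER_RESOLUTION_S)
    print("ideal timer:", exact, "error %.1f m" % position_error_m(exact, TRUE_UE))
    print("1 us timer :", coarse, "error %.1f m" % position_error_m(coarse, TRUE_UE))
```

With an ideal timer the fix lands on the true position; with the 1 µs timer each range is only known to a 150 m step, and the combined fix is tens of metres out, which is the order of accuracy the section quotes for RTT.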
8.14.7 MDT – Minimisation of Drive Testing
Cellular networks have a need to understand the coverage areas of their cells, to ensure that the actual coverage matches the planned coverage, for example, and have historically employed very similar RF survey techniques to those used for cell site analysis. Cellular network engineers undertake location and cell coverage surveys, make test calls and process the data into coverage maps, using scanner and phone emulator survey devices, often spending hours and days conducting drive surveys. At some point in the recent past, it was realised that much of this RF survey activity may be unnecessary, as cellular networks have got access to almost unlimited quantities of cell coverage data for almost no cost; the networks can ask users’ phones to undertake the surveys for them and thereby minimise the amount of drive testing that needs to be performed. MDT, or Minimisation of Drive Testing [35], co-opts user devices to periodically capture cell coverage data on behalf of the network operator. All cellular devices take hundreds of radio measurements per second as part of the normal cell selection/reselection and handover processes; MDT simply captures those measurements and makes use of them. Phones in Connected Mode send their RF measurements to the base station anyway, to allow the network to evaluate handover choices; phones in Idle Mode usually keep their measurements to themselves and do not store them. When MDT is enabled, phones in Idle Mode are instructed to store their measurements and transmit the logged MDT data to the network when they next connect (which is known as MDT ‘logged’ mode), and base stations are asked, via the ‘trace’ mechanism, to pass those measurements and also the ones sent to them by phones in Connected Mode (which are known as MDT ‘immediate’ mode measurements) to the MDT service.
There are then nine optional MDT reports (M1-M9) that can be requested, the most applicable to cell site analysis of which is report M1, which captures received signal strength details for detected cells. Each measurement report will contain a timestamp and a geolocation for the device at the time the measurement was taken; a GPS fix, if one is available, and/or the CGI of the current serving cell. The data that a device is instructed to capture when MDT is enabled includes, in addition to details of the current ‘camped’ or serving cell, details of: up to 6 intra-frequency (same channel) neighbours; 3 inter-frequency (different channel) neighbours; 3 neighbours from each detected cellular technology other than the one currently being used; up to 32 WIFI SSIDs; up to 32 Bluetooth beacons. The captured measurement data will consist of carrier frequency and physical layer cell ID for each cell, SSID and BSSID for WIFI or MAC address for Bluetooth; RXLEV for GSM; Ec/No and RSCP for UMTS; RSRQ and RSRP for LTE/NR; and RSSI for WIFI and Bluetooth. MDT mode is optional: individual UEs must be explicitly instructed by the network to start taking MDT measurements and be provided with logging configuration instructions; it can be entirely free running, with the MDT device reporting on any cells it finds, or it can be enabled on a Location/Tracking Area basis (if the device is given a list of specific LA/TAs to survey), or the device can be instructed to measure specific cells. Measurements are captured until the device is instructed to stop or until the amount of memory the device has set aside for MDT logs is full. Although MDT is defined in 3GPP specifications, it is not obligatory for handset or network equipment manufacturers to support it: Apple iPhones do not support MDT at all and some flavours of Android remove the device location data from reports before they are sent.
An estimate provided by one cellular network operator indicates that only around 4% of connected devices in their network support MDT, and most of those are older Android models. Not all networks make use of the facilities provided by MDT, but those that do and that have stored the logged MDT measurements may be able to disclose them. If MDT logs exist for a specific device, if those logged measurements have been stored in a way that allows them to be correlated to the source device and if they contain a GPS fix for the device at the time of the measurements, the MDT data may be useful as a way of geolocating the device, especially if measurements were captured close to a period of interest in a case. In some scenarios, location data derived from MDT may be disclosed to authorised agencies, possibly as part of the Timing Advance data provided by an operator. The actual measurements captured in the logged MDT reports may be considered to be of lesser investigative value than any device location information, but if a GPS fix is not provided and the measurement location is limited to just a serving cell ID, then reported signal strengths may become more important, as a way of estimating the coverage area of a cell of interest or a device’s distance from the cell tower.
8 Cell Site Analysis
8.14.8 Cell Site Simulators
Network-based positioning systems can provide device locations that are accurate to a few tens of metres – some are able to position a device within the 50 m accuracy required to meet the requirements of the E-911 legislation. But what if the requirement is to locate a device even more accurately and immediately, maybe to answer a question such as ‘is the phone currently in that house?’ or ‘is the phone currently in that car?’; in these circumstances, it may be necessary to employ more targeted techniques. A cell site simulator (or CSS), as the name suggests, is a device that is designed to simulate the transmitted signals of a base station or cell; the purpose of this is to convince local cellular devices to connect to the simulator instead of connecting to a legitimate cell, in order to force those devices to reveal their identities, specifically their IMSI. For this reason, CSSs are also commonly known as ‘IMSI catchers’ or ‘IMSI grabbers’ and their use has been controversial in many countries, including the United Kingdom, where these techniques are known as CCDC (Covert Communications Data Capture). In some jurisdictions, the operational deployment of a CSS requires specific authorisation and may require a court order or warrant, and official guidance on the use of such techniques has also been provided in documents such as Ref. [36], issued by the US Department of Justice. The US DoJ guidance states, for example, that CSS-type devices should not attempt to intercept calls or interfere with the subject device or its contents. CSSs and IMSI grabbers/catchers are actually slightly different devices – a CSS is usually an ‘active’ device that transmits a simulated cellular signal, whereas an IMSI grabber/catcher is often a passive device that passively ‘listens’ to a ‘real’ cell’s control channels and notes the IMSIs and other identifiers (IMEI, TMSI/GUTI) of any devices that connect to that cell.
Before a CSS is deployed, it is usually necessary to undertake an RF survey to capture details of the local cells that are currently ‘on air’ that may need to be simulated – some CSS devices will undertake this survey function themselves; in other cases, the initial survey may need to be performed using an RF survey device that captures and decodes the monitored cells’ BCCH information. Networks can apply a set of ‘cell selection priority’ values to control the idle mode cell selection activities of devices; these values are included in the BCCH and can instruct devices to treat some cells, frequency layers or technologies as having a higher reselection priority than others. CSS operators will, where possible, select a local cell that has the highest selection priority to simulate, as it is more likely that devices will reselect to the simulated cell if it is of a higher priority than the cells they are currently camped on. Once one or more cells are selected, the simulator is configured with matching parameters – it will use the same channel number, the same cell ID and the same general set of BCCH parameters as a ‘real’ cell, although a simulated cell will often be configured with a different physical layer cell ID (BSIC/PSC/PCI) to differentiate it from the ‘real’ version of the cell in any measurements the operators of the simulator might take. More sophisticated simulators might be able to adjust the simulated cell’s BCCH to transmit an amended set of ‘cell selection priority’ values in its neighbour cell list, reduce the attractiveness of neighbour cells and make local devices less likely to attempt to reselect away from the simulated cell.
When the simulated cell is ready, the CSS begins to transmit it, but generally at a higher power level than was provided by the original version of the cell in that area; this has the effect of making the simulated cell instantly much more attractive to local devices than any of the ‘real’ local cells, especially if the chosen cell has the highest cell selection priority, and those devices will quickly reselect to the new ‘strongest’ cell, which is actually being transmitted by the simulator. The signals generated by a CSS only have to be stronger than other local cells from the perspective of devices located in the same area as the CSS, and the resulting simulated cells will generally only be detectable by devices in a very limited area; the CSS will not usually have an effect over a wide area. Some CSS devices attempt to simulate cells on all available local carriers, to maximise the chance of finding the subject device, and may therefore contain multiple radios, capable of simulating multiple cells concurrently. In order for the CSS to ‘grab’ the IMSIs of local devices, it must first make the devices transmit them. In normal operation, a cellular device transmits its associated IMSI only when first attempting to attach/register with the network after being disconnected for a period of time; the rest of the time, the device uses the TMSI/GUTI allocated to it by the core network to identify itself. The CSS uses techniques to indicate to local devices that the current attachment session has failed in some way and that it needs to reidentify itself to the network. When this happens, each device initiates a fresh attach/registration and transmits its IMSI – the CSS is then able to capture and log those IMSIs. Some versions of CSS also contain a radio DF or ‘direction finder’ capability, allowing them to provide an approximate bearing to the subject device once its IMSI has been detected.
5G networks were designed with additional security features that removed the ‘unencrypted IMSI’ vulnerability by offering the option to encrypt the IMSI before transmitting it – more accurately, 5G SA allows the SUPI, of which the IMSI is one possible type, to be encrypted and transmitted as a SUCI. Without the required ‘private’ encryption key (which is held securely in the home network’s UDM), the SUCI cannot be decrypted and the IMSI theoretically cannot be grabbed. If a CSS was deployed in order to check if a specific, known IMSI was present in an area, or if the vehicle the device was travelling in was identified, then the process outlined above should provide that information and the CSS could be disabled as soon as the subject IMSI was detected; this has led to some practitioners describing the role of the CSS as F3 – find (the subject device), fix (its location) and finish (disable the CSS). If the CSS operation was intended to capture details of all IMSIs in use in an area, the simulation may be required to run for some time, which may have consequences for the usability of the cellular network in that location.
8.14.9 MAC Grabbers and Emulators
The general principles of MAC Grabber and MAC Emulator devices were discussed in Chapter 6, but a brief summary follows. A MAC Grabber passively monitors WIFI channels and captures details of the device MAC addresses it detects being transmitted to and from access points (or ‘hotspots’) and in ‘probe’ messages. A MAC Emulator is configured to use the same SSID as a real access point in an attempt to solicit probe and connection requests from devices that have previously used that access point. Both of these methods have applications for law enforcement. MAC Grabbers can be used in two main ways: the first use case is to sample the WIFI environment at a location to compile a list of all MAC addresses that were detectable there. This can be used to provide evidence that particular previously known devices were active at a location, possibly devices known to be used by specific suspects; or it could be used to generate investigative leads by listing MAC addresses for unknown devices that were used in a vicinity. MAC Emulators can be set to emulate any hotspot by copying its SSID (access point name) and, in some cases, BSSID (access point MAC address); the intention is to induce devices that have previously connected to the original (or ‘donor’) hotspot to communicate with the emulated hotspot by sending it connection requests or probe requests.
8.14.10 Social Media Takeout and Geofence Data
The more popular social media and Internet services can number their registered users in the hundreds of millions or even billions, often with many millions of concurrently active users at any one time; many, possibly the majority, of those users will be accessing those services via smartphones, the majority of which will be equipped with GPS receivers. If a social media app needs to know where an active user is, to configure a map-based or location-based service for example, instead of using the techniques described above to infer the device’s location, the app can use the much simpler expedient of simply asking the device where it is (if the device’s user has given that app permission to access location data). Much of this location data is stored either within the app or in the provider’s servers, which potentially makes it accessible and disclosable to law enforcement. In most jurisdictions, access to this type of data will be regulated by Data Protection legislation and agencies would usually require a warrant or a court order to access it, but once access is granted, the disclosed data can be incredibly rich in historical geolocation information. Historical disclosures of social media data are often referred to as ‘takeout’ data as users are able to request a copy of their own data to ‘take out’ of or download from the online system – see Google Takeout as an example [37]. Takeouts can also be requested by duly authorised law enforcement agencies and form the basis of many social media disclosures. Some providers may also be able to provide ‘live’ location data for a subscriber, again generally in a way that is regulated by data protection rules.
Information on the current location of a particular user might be available if requested, but by extension, it is sometimes possible to request details of all users that are currently or were historically active within a defined area – this type of disclosure is known as a ‘geofence’ and can be thought of as the social media equivalent of a cell or tower dump. Google’s geofence data, for example, is taken from their internal SensorVault database of reported device locations; see [38] for a wider discussion of the practice of requesting geofence data. Geofence and takeout data can be extremely rich in evidence and intelligence material, but the ability to correlate that data with an individual user or device is often not straightforward. Most social media apps and services use their own set of identifiers for their users, and few of them correlate a user account to, say, a cell phone number, an IMSI or an IMEI. Many social media and Internet providers identify subscribers via an anonymised identifier called an ‘advertising ID’. Particularly in relation to geofence data, a disclosure may provide details about hundreds or even thousands of individual app users who are currently active, or who were historically active in the case of a retrospective disclosure, in an area, but as those individuals are only identified by their advertising ID, there would need to be at least one more investigative step involved to link an advertising ID to a more personal identifier.
8.15 Cell Site Analysis and Forensic RF Surveys
In this book, we have explored the technical aspects of how radio works and how cellular networks operate; we have looked at the technologies and processes that support mobile communication and have attempted to unravel the many ways in which the usage logs generated by those networks can be examined in support of criminal investigations. The CDRs generated and lawfully disclosed by cellular networks, along with other types of data, provide the source evidence in cell site investigations. Analysis of this data can provide an insight into the communications habits of subject individuals, offer evidence as to their set of associates and also provide insight into the locations and areas the subject visited. Careful, considered and open-minded examination of CDR data can lead analysts and experts to reach conclusions and draw inferences that can be of benefit in investigations. In general, it is less helpful to examine the individual call records in a CDR in isolation and much more effective to deal with groups and sequences of records that provide a more detailed overview of the broad sweep of the subjects’ activities. As has, hopefully, been made abundantly clear in this text, forensic RF surveys can only provide a snapshot of the cellular coverage that was available at the time the survey was undertaken; RF survey results cannot, and should not be expected to, provide a view of the exact cellular conditions that obtained when a subject device’s calls were made. The fact that a cell is found to provide coverage at a surveyed location is evidence that a call that used that cell could have been made from that location; it should never be treated as proof that the call was made from there. Cell site analysis should be considered as one part of a wider set of analytical and investigative techniques and should be conducted with the same degree of scientific rigour as other forensic disciplines.
The limitations of cell site analysis – that it can generally only indicate that a significant location is or is not within the area served by a specific cell – should always be made clear in any reports and every effort should be made to consider alternative inferences and conclusions for any set of source data. If all of the above caveats are taken into consideration and practitioners continue to be aware of the potential for bias in its various forms – confirmation, prosecution, unconscious – and transposed conditionals (‘the cell serves at the offence location, therefore any phones using that cell were at that location’), then cell site analysis can be an immensely valuable investigative tool, of use to both the prosecution and the defence. The continual evolution of communications technologies leads to some aspects of the analysis of those technologies getting simpler – the move to ever smaller cells reduces the amount of uncertainty involved in ascribing a potential location to a cellular device – whilst others become more complex – the switch to using Internet-based ‘over the top’ communications apps like WhatsApp means that fewer substantive events appear in cellular CDRs; the techniques employed in cell site analysis and forensic RF surveying will, however, also evolve and will continue to offer investigative benefits through 5G and beyond.
References
1 UK Forensic Science Regulator (2023) Code of Practice, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1141863/FINAL_Code_of_Practice.pdf, Section 110 (accessed 19 May 2023).
2 UK Government (2023) Regulation of Investigatory Powers Act 2000, http://www.legislation.gov.uk/ukpga/2000/23/contents (accessed 2 June 2014).
3 UK Government (2023) Investigatory Powers Act 2016, https://www.legislation.gov.uk/ukpga/2016/25/contents/enacted (accessed 26 May 2023).
4 UK Government (2023) Office for Communications Data Authorisations, https://www.gov.uk/government/organisations/office-for-communications-data-authorisations (accessed 26 May 2023).
5 UK Government (2023) Data Protection Act 2018, https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted (accessed 26 May 2023).
6 Interpol (2023) homepage, https://www.interpol.int/en (accessed 09 June 2023).
7 UK Government (2022) UK-US Data Access Agreement: factsheet, https://www.gov.uk/government/publications/uk-us-data-access-agreement-factsheet (accessed 09 June 2023).
8 International Standards Organisation (2023) ISO 17020, https://www.iso.org/standard/52994.html (accessed 19 May 2023).
9 International Standards Organisation (2023) ISO 17025, https://www.iso.org/ISO-IEC-17025-testing-and-calibration-laboratories.html (accessed 19 May 2023).
10 International Standards Organisation (2023) ISO 21043, https://www.iso.org/ics/07.140/x/ (accessed 26 May 2023).
11 US Supreme Court (2022) Federal Rules of Evidence 2022, https://www.uscourts.gov/sites/default/files/federal_rules_of_evidence_december_1_2022_0.pdf (accessed 26 May 2023).
12 American Bar Association (2023) Daubert sets standard for court’s scientific method, https://www.americanbar.org/groups/law_students/resources/on-demand/quimbee-daubert-v-merrell-dow-pharmaceuticals-inc/ (accessed 26 May 2023).
13 UK Government (2020) Criminal Procedure Rules and Practice Directions 2020, https://www.gov.uk/guidance/rules-and-practice-directions-2020 (accessed 26 May 2023).
14 UK Government (2023) Criminal Procedures and Investigations Act 1996, https://www.legislation.gov.uk/ukpga/1996/25/contents (accessed 26 May 2023).
15 Casemine (2017) R v Calland, https://www.casemine.com/judgement/uk/5b2897a72c94e06b9e197fbf (accessed 09 June 2023).
16 Coventry University (2021) Cell site analysis: use and reliability of survey methods, Tart, Brodie, Patrick-Gleed, Edwards, Weeks, Moore, Haseler, https://pure.coventry.ac.uk/ws/portalfiles/portal/55114871/Post_Print.pdf (accessed 09 June 2023).
17 Coventry University (2020) Opinion evidence in Cell Site Analysis, MS Tart, https://pure.coventry.ac.uk/ws/portalfiles/portal/53101340/Binder16.pdf (accessed 09 June 2023).
18 ScienceDirect (2022) An investigation into the accuracy of follow-on GPRS/mobile data CDRs (Isabel Duncan), https://www.sciencedirect.com/science/article/pii/S1355030622000211?dgcid=author (accessed 26 May 2023).
19 IEEE Xplore (2023) Analysis of Mobile Phone Geolocation Methods Used in US Courts (Jovanovic & Cummings), https://ieeexplore.ieee.org/document/9729192 (accessed 26 May 2023).
20 CloudRF (2023) CloudRF website, https://cloudrf.com (accessed 26 May 2023).
21 Abigayil Hopkins-Flanagan (2018) A Preliminary Investigation into the Accuracy and Consistency of Radio Frequency Surveys Across a Loaded and Unloaded Network and Between a Rural and Urban Location, https://www.forensicanalytics.co.uk/new-ucl-msc-crime-forensic-science-research-radio-frequency-surveys/ (accessed 19 May 2023).
22 UK Crown Prosecution Service (2019) CPS Guidance for Experts on Disclosure, Unused Material and Case Management, https://www.cps.gov.uk/legal-guidance/cps-guidance-experts-disclosure-unused-material-and-case-management (accessed 26 May 2023).
23 UK Crown Prosecution Service (2021) Streamline Forensic Reporting Guidance and Toolkit, https://www.cps.gov.uk/legal-guidance/streamlined-forensic-reporting-guidance-and-toolkit (accessed 26 May 2023).
24 UK Ministry of Justice (2023) Factual Evidence, https://www.justice.gov.uk/courts/procedure-rules/civil/standard-directions/general/evidence (accessed 26 May 2023).
25 UK Ministry of Justice (2023) Expert Evidence, https://www.justice.gov.uk/courts/procedure-rules/civil/standard-directions/general/experts (accessed 26 May 2023).
26 UK Crown Prosecution Service (2022) Expert Evidence, https://www.cps.gov.uk/legal-guidance/expert-evidence#:~:text=The%20general%20rule%20is%20that,in%20relation%20to%20expert%20evidence. (accessed 26 May 2023).
27 FCC (2023) Fourth Report and Order, In the Matter of Wireless E911 Location Accuracy Requirements, PS Docket No. 07-114, Federal Communications Commission, Washington, D.C., February 3, 2015, https://docs.fcc.gov/public/attachments/FCC-15-9A1.pdf (accessed 26 May 2023).
28 3GPP Technical Specification (1999) Report on Location Services (LCS), TS 25.923 v1.0.0, www.3gpp.org (accessed 19 May 2023).
29 3GPP Technical Specification (2023) UE Positioning in NG-RAN, TS 38.305 v17.4.0, www.3gpp.org (accessed 19 May 2023).
30 3GPP Technical Specification (2022) GSM/EDGE Radio Subsystem Synchronization, TS 45.010 v17.0.0, Sections 5.4 and 5.5, www.3gpp.org (accessed 26 May 2023).
31 3GPP Technical Specification (2023) EUTRA Physical Layer Procedures, TS 36.213 v17.5.0, Section 4.2.3, www.3gpp.org (accessed 26 May 2023).
32 3GPP Technical Specification (2023) NR Physical Layer Procedures for Control, TS 38.213 v17.5.0, Section 4.2, www.3gpp.org (accessed 26 May 2023).
33 3GPP Technical Specification (2022) UTRAN Iub Interface user plane protocols for Common Transport Channel data streams, TS 25.435 v17.0.0, Section 6.2.7.5, www.3gpp.org (accessed 26 May 2023).
34 Wigle.net (2023) homepage, https://wigle.net/ (accessed 10 June 2023).
35 3GPP Technical Specification (2023) Minimization of Drive Tests: Overall Description, TS 37.320 v17.3.0, www.3gpp.org (accessed 26 May 2023).
36 US Department of Justice (2015) Policy Guidance: Use of Cell-Site Simulator Technology, https://www.justice.gov/d9/press-releases/attachments/2015/09/03/doj_cell-site_simulator_policy_9-3-15.pdf (accessed 14 June 2023).
37 Google (2023) Google Takeout, https://takeout.google.com (accessed 26 May 2023).
38 ProQuest (2020) Google Warrants: Challenging Digital Dragnets, https://www.proquest.com/openview/51da9118ec46305bf1696887c399e4a3/1?pq-origsite=gscholar&cbl=35991 (accessed 10 June 2023).
9 Summary and Practical Activities
The preceding chapters have outlined a variety of techniques that are applicable to forensic radio surveying and cell site analysis. They have also provided details on a number of basic radio and cellular topics. This chapter attempts to provide a simple overview of the practical activities and techniques mentioned so far to allow readers who are new to these topics to cement their understanding of them. It also restates some of the basic radio and cellular information that has previously been provided. Each of the following sections provides a table to summarise key concepts or offers bulleted lists of the steps, actions or considerations required to perform each of the featured practical activities.
9.1 Radio and Cellular Concepts
9.1.1 Basic Radio Terminology
Basic radio terminology is summarised in Figure 9.1.
9.1.2 Decibels
The standard notation employed for base 10 dB values is as follows:

dB = 10 log10(value)

Using generic values (power at transmitter = 100 mW, power at receiver = 0.000 001 mW), the benefit of using the dB scale becomes clear:

100 mW: 10 log10(100 mW) = 10 × 2 = 20 dBm
0.000 001 mW: 10 log10(0.000 001 mW) = 10 × (−6) = −60 dBm

The power loss experienced during transmission is therefore the ratio of the transmitted and received values:

100 mW / 0.000 001 mW = 100 000 000, a ratio of 1:100 000 000

Using the law of powers with the decibel values (where exponential dB values are subtracted, as opposed to the division that would be performed on linear values):

20 − (−60) = 80 dB

This shows the received signal experienced a loss of 80 dB compared to the transmitted signal, which equates to it being 100 million times less powerful. As illustrated in Table 9.1, every time a measured power level doubles, 3 dB is added and each time a power level halves, 3 dB is subtracted.
Forensic Radio Survey Techniques for Cell Site Analysis, Second Edition. Joseph Hoy. © 2024 John Wiley & Sons Ltd. Published 2024 by John Wiley & Sons Ltd.
9 Summary and Practical Activities
Figure 9.1 The frequency, wavelength and amplitude of a signal. [Figure labels: amplitude; wavelength (λ); 1 cycle = 1 Hz; frequency (f) = 6 cycles per second (6 Hz) over 1 second; velocity (c) = speed of light, 300 000 km/s; c = fλ.]
Table 9.1 Typical decibel values.

Ratio of transmitted to received signal power | Decibels (dB)
10 000   | 40
1000     | 30
100      | 20
10       | 10
2        | 3
1        | 0
½        | −3
1/10     | −10
1/100    | −20
1/1000   | −30
1/10 000 | −40
9.1.3 Decibel Milliwatts
Where dB will show the comparative difference between two values, the dBm (decibel milliwatts) scale will provide a result that can be mapped to a specific or ‘absolute’ milliwatt value. dBm employs the same logarithmic scale as dB and is calibrated around a value of 1 mW, which is equal to 0 dBm. This is shown in Table 9.2.
9.1.4 Cellular Radio Bands
The set of radio bands employed to support cellular services in various regions around the world is detailed in Table 9.3.
9.1.5 Cellular Radio Bands by Region
Each of the three WRC regions has its own subsets of radio bands dedicated to carrying cellular services, and there are also some bands that are available in most parts of the world. Table 9.4 provides an overview of the usage patterns of the most commonly deployed cellular frequency bands around the world.
Table 9.2 Linear mW values compared to logarithmic dBm values.

Linear power level (mW)   Decibel milliwatts (dBm)
100 000 (100 W)            50
10 000 (10 W)              40
1000 (1 W)                 30
100                        20
10                         10
2                           3
1                           0
0.5                        −3
0.1                       −10
0.01                      −20
0.001                     −30
0.000 1                   −40
0.000 01                  −50

To convert mW to dBm: dBm = 10 log10(mW). To convert dBm to mW: mW = 10^(dBm/10).
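The conversions in Table 9.2 and the loss calculation of Section 9.1.2, together with the case the chapter's arithmetic does not show (combining two signal levels that are both reported in dBm), as an added Python example. This is not code from the book; it uses only the formulas stated above and constructed input values.

```python
import math


def mw_to_dbm(mw: float) -> float:
    """Linear milliwatts to dBm: dBm = 10 log10(mW); 1 mW is 0 dBm."""
    if mw <= 0:
        raise ValueError("power must be positive")
    return 10 * math.log10(mw)


def dbm_to_mw(dbm: float) -> float:
    """dBm back to linear milliwatts: mW = 10^(dBm / 10)."""
    return 10 ** (dbm / 10)


def ratio_to_db(ratio: float) -> float:
    """Ratio of two linear powers expressed in dB (Table 9.1)."""
    return 10 * math.log10(ratio)


def path_loss_db(tx_dbm: float, rx_dbm: float) -> float:
    """Loss between transmitter and receiver. Subtracting two dBm values
    is the same operation as dividing the two linear powers (law of powers)."""
    return tx_dbm - rx_dbm


def combine_dbm(levels) -> float:
    """Total power of several signals given in dBm.

    dBm values cannot be added directly: each level is converted to mW,
    the milliwatts are summed and the sum converted back. Two equal signals
    add 3 dB; a signal 10 dB weaker than the other adds only about 0.4 dB,
    which is why a total-power measurement is dominated by the strongest cell."""
    total_mw = sum(dbm_to_mw(level) for level in levels)
    return mw_to_dbm(total_mw)


if __name__ == "__main__":
    # The worked example from Section 9.1.2 (constructed values).
    tx, rx = mw_to_dbm(100), mw_to_dbm(0.000001)
    print(f"tx {tx:.1f} dBm, rx {rx:.1f} dBm, loss {path_loss_db(tx, rx):.1f} dB")
    print(f"two -80 dBm signals together: {combine_dbm([-80, -80]):.2f} dBm")
```

The 3 dB doubling rule of Table 9.1 falls out of combine_dbm: two −80 dBm signals total −76.99 dBm, while −80 dBm plus −90 dBm totals −79.59 dBm.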
Table 9.3 Cellular radio bands.

Frequency band (MHz)   Network types
300                    Public safety networks
400                    2G, 4G
600                    4G, 5G
700                    2G, 3G, 4G, 5G
800                    2G, 3G, 4G, 5G
900                    2G, 3G, 4G, 5G
1400                   3G, 4G, 5G
1500                   2G, 3G, 4G, 5G
1600                   4G, 5G
1700                   2G, 3G, 4G, 5G
1800                   2G, 3G, 4G, 5G
1900                   2G, 3G, 4G, 5G
2000                   4G, 5G
2100                   3G, 4G, 5G
2300                   4G, 5G
2400                   4G, 5G
2500                   3G, 4G, 5G
2600                   3G, 4G, 5G
3300                   4G, 5G
3400                   3G, 4G, 5G
3500                   3G, 4G, 5G
3600–3800              4G, 5G
4400                   5G
5000–5900              4G, 5G
6400                   5G
24000–29000            5G
37000–43000            5G
47000–48000            5G
57000–71000            5G

The Characteristics column of this table groups the bands, from the lowest frequencies to the highest, into four coverage classes: long distance, wide area cellular coverage; medium distance, medium area coverage; short distance, local area coverage; and millimetre wave bands (the 24000 MHz and higher rows).
Table 9.4 Commonly used cellular frequency bands by region (✓ = in use, — = not used).

Band (MHz)           Africa   E. Europe & CIS   W. Europe   Middle East   N. America & Caribbean   S. & C. America   Asia Pacific
450                  ✓        ✓                 ✓           ✓             —                        ✓                 ✓
600                  ✓        —                 —           ✓             ✓                        ✓                 ✓
700                  ✓        ✓                 ✓           ✓             ✓                        ✓                 ✓
800                  ✓        ✓                 ✓           ✓             ✓                        ✓                 ✓
900                  ✓        ✓                 ✓           ✓             —                        ✓                 ✓
1500                 —        ✓                 ✓           ✓             —                        —                 ✓
1600                 —        —                 —           —             ✓                        ✓                 ✓
1700                 —        —                 —           —             ✓                        ✓                 ✓
1800                 ✓        ✓                 ✓           ✓             ✓                        ✓                 ✓
1900                 —        —                 —           —             ✓                        ✓                 ✓
2000                 —        —                 ✓           —             ✓                        ✓                 ✓
2100                 ✓        ✓                 ✓           ✓             ✓                        ✓                 ✓
2300                 ✓        ✓                 ✓           ✓             ✓                        ✓                 ✓
2500                 —        ✓                 —           —             ✓                        —                 ✓
2600                 ✓        ✓                 ✓           ✓             ✓                        ✓                 ✓
3300–4200 (C-band)   ✓        ✓                 ✓           ✓             ✓                        ✓                 ✓
3500                 ✓        ✓                 ✓           ✓             ✓                        ✓                 ✓
3700                 ✓        ✓                 ✓           ✓             —                        ✓                 ✓
4900                 —        ✓                 —           —             —                        —                 ✓
24250–27500          —        ✓                 ✓           ✓             ✓                        ✓                 ✓
26500–29500          —        ✓                 ✓           ✓             ✓                        ✓                 ✓
39500–43500          —        —                 ✓           —             ✓                        ✓                 ✓

Sources: GSM Association [1], CDMA Development Group [2] and 5G Americas [3], www.spectrummonitoring.com [4].
9.1.6 Decimal, Binary and Hexadecimal As shown in Table 9.5, hexadecimal (or ‘hex’) is a numbering system of 16 characters: 10 digits and 6 letters. It is used to condense the long strings of zeroes and ones in large binary numbers into a more manageable form. This base-16 numeric notation is frequently used to specify addresses in computer memory, as it makes life simpler for programmers. The decimal numbers 0–9 are represented by the decimal digits 0–9 and the decimal numbers 10–15 are represented by the letters A–F.
9.2 Cellular Identifiers
9.2.1 Mobile Country Code List
The MCC (Mobile Country Code) number uniquely identifies the country in which a PLMN operates. MCC numbers are issued and controlled by the ITU (International Telecommunication Union), which is an agency of the UN that coordinates global telecoms activities. MCC assignments are listed in Table 9.6. MNCs (Mobile Network Codes) are generally administered by each individual country's telecoms regulator and uniquely identify a network within an MCC area. The set of MNCs is too numerous and subject to change to list in this publication. There are multiple sources of information regarding current MNC assignments on the Internet.
Table 9.5 Comparison of decimal, binary and hexadecimal notation.

Decimal (base 10)   Binary (base 2)   Hexadecimal (base 16)
0                   0000              0
1                   0001              1
2                   0010              2
3                   0011              3
4                   0100              4
5                   0101              5
6                   0110              6
7                   0111              7
8                   1000              8
9                   1001              9
10                  1010              A
11                  1011              B
12                  1100              C
13                  1101              D
14                  1110              E
15                  1111              F
Table 9.6 Mobile country code list (countries with more than one MCC list all of them).

Alpha-3   Name                                MCC(s)
ABK       Abkhazia                            289
AFG       Afghanistan                         412
ALB       Albania                             276
DZA       Algeria                             603
ASM       American Samoa                      544
AND       Andorra                             213
AGO       Angola                              631
AIA       Anguilla                            365
ATG       Antigua and Barbuda                 344
ARG       Argentina                           722
ARM       Armenia                             283
ABW       Aruba                               363
AUS       Australia                           505
AUT       Austria                             232
AZE       Azerbaijan                          400
BHS       Bahamas                             364
BHR       Bahrain                             426
BGD       Bangladesh                          470, 480
BRB       Barbados                            342
BLR       Belarus                             257
BEL       Belgium                             206
BLZ       Belize                              702
BEN       Benin                               616
BMU       Bermuda                             350
BTN       Bhutan                              402
BOL       Bolivia                             736
BIH       Bosnia and Herzegovina              218
BWA       Botswana                            652
BRA       Brazil                              724
BRN       Brunei Darussalam                   528
BGR       Bulgaria                            284
BFA       Burkina Faso                        613
BDI       Burundi                             642
KHM       Cambodia                            456
CMR       Cameroon                            624
CAN       Canada                              302
CPV       Cape Verde                          625
CYM       Cayman Islands                      346
CAF       Central African Republic            623
TCD       Chad                                622
CHL       Chile                               730
CHN       China                               460
COL       Colombia                            732
COM       Comoros                             654
COG       Congo                               629
COD       Congo, DR                           630
COK       Cook Islands                        548
CRI       Costa Rica                          712
CIV       Côte d’Ivoire                       612
HRV       Croatia                             219
CUB       Cuba                                368
CUW       Curaçao                             362
CYP       Cyprus                              280
CZE       Czech Republic                      230
DNK       Denmark                             238
DJI       Djibouti                            638
DMA       Dominica                            366
DOM       Dominican Republic                  370
ECU       Ecuador                             740
EGY       Egypt                               602
SLV       El Salvador                         706
GNQ       Equatorial Guinea                   627
ERI       Eritrea                             657
EST       Estonia                             248
ETH       Ethiopia                            636
FRO       Faroe Islands                       288
FJI       Fiji                                542
FIN       Finland                             244
FRA       France                              208
PYF       French Polynesia                    547
GAB       Gabon                               628
GMB       Gambia                              607
GEO       Georgia                             282
DEU       Germany                             262
GHA       Ghana                               620
GIB       Gibraltar                           266
GRC       Greece                              202
GRL       Greenland                           290
GRD       Grenada                             352
GLP       Guadeloupe                          340
GUM       Guam                                310, 311
GTM       Guatemala                           704
GGY       Guernsey                            234
GIN       Guinea                              611
GNB       Guinea-Bissau                       632
GUY       Guyana                              738
HTI       Haiti                               372
VAT       Vatican City                        225
HND       Honduras                            708
HKG       Hong Kong                           454
HUN       Hungary                             216
ISL       Iceland                             274
IND       India                               404, 405
IDN       Indonesia                           510
IRN       Iran                                432
IRQ       Iraq                                418
IRL       Ireland                             272
IMN       Isle of Man                         234
ISR       Israel                              425
ITA       Italy                               222
JAM       Jamaica                             338
JPN       Japan                               440
JEY       Jersey                              234
JOR       Jordan                              416
KAZ       Kazakhstan                          401
KEN       Kenya                               639
KIR       Kiribati                            545
PRK       North Korea                         467
KOR       South Korea                         450
UNK       Kosovo                              221
KWT       Kuwait                              419
KGZ       Kyrgyzstan                          437
LAO       Laos                                457
LVA       Latvia                              247
LBN       Lebanon                             415
LSO       Lesotho                             651
LBR       Liberia                             618
LBY       Libya                               606
LIE       Liechtenstein                       295
LTU       Lithuania                           246
LUX       Luxembourg                          270
MAC       Macao                               455
MKD       Macedonia                           294
MDG       Madagascar                          646
MWI       Malawi                              650
MYS       Malaysia                            502
MDV       Maldives                            472
MLI       Mali                                610
MLT       Malta                               278
MHL       Marshall Islands                    551
MTQ       Martinique                          340
MRT       Mauritania                          609
MUS       Mauritius                           617
MEX       Mexico                              334
FSM       Micronesia                          550
MDA       Moldova                             259
MCO       Monaco                              212
MNG       Mongolia                            428
MNE       Montenegro                          297
MSR       Montserrat                          354
MAR       Morocco                             604
MOZ       Mozambique                          643
MMR       Myanmar                             414
NAM       Namibia                             649
NRU       Nauru                               536
NPL       Nepal                               429
NLD       Netherlands                         204
NCL       New Caledonia                       546
NZL       New Zealand                         530
NIC       Nicaragua                           710
NER       Niger                               614
NGA       Nigeria                             621
NIU       Niue                                555
NFK       Norfolk Island                      505
NOR       Norway                              242
OMN       Oman                                422
PAK       Pakistan                            410
PLW       Palau                               552
PSE       Palestine                           425
PAN       Panama                              714
PNG       Papua New Guinea                    537
PRY       Paraguay                            744
PER       Peru                                716
PHL       Philippines                         515
POL       Poland                              260
PRT       Portugal                            268
PRI       Puerto Rico                         330
QAT       Qatar                               427
REU       Réunion                             647
ROU       Romania                             226
RUS       Russian Federation                  250
RWA       Rwanda                              635
KNA       Saint Kitts and Nevis               356
LCA       Saint Lucia                         358
SPM       Saint Pierre and Miquelon           308
VCT       Saint Vincent and the Grenadines    360
WSM       Samoa                               549
SMR       San Marino                          292
STP       Sao Tome and Principe               626
SAU       Saudi Arabia                        420
SEN       Senegal                             608
SRB       Serbia                              220
SYC       Seychelles                          633
SLE       Sierra Leone                        619
SGP       Singapore                           525
SXM       Sint Maarten                        362
SVK       Slovakia                            231
SVN       Slovenia                            293
SLB       Solomon Islands                     540
SOM       Somalia                             637
ZAF       South Africa                        655
SSD       South Sudan                         659
ESP       Spain                               214
LKA       Sri Lanka                           413
SDN       Sudan                               634
SUR       Suriname                            746
SWZ       Swaziland                           653
SWE       Sweden                              240
CHE       Switzerland                         228
SYR       Syrian Arab Republic                417
TWN       Taiwan                              466
TJK       Tajikistan                          436
TZA       Tanzania                            640
THA       Thailand                            520
TLS       Timor-Leste                         514
TGO       Togo                                615
TON       Tonga                               539
TTO       Trinidad and Tobago                 374
TUN       Tunisia                             605
TUR       Turkey                              286
TKM       Turkmenistan                        438
TCA       Turks and Caicos Islands            338
TUV       Tuvalu                              553
UGA       Uganda                              641
UKR       Ukraine                             255
ARE       United Arab Emirates                424
GBR       United Kingdom                      234, 235
USA       United States of America            310, 311, 313, 316
URY       Uruguay                             748
UZB       Uzbekistan                          434
VUT       Vanuatu                             541
VEN       Venezuela                           734
VNM       Viet Nam                            452
VGB       Virgin Islands, British             348
YEM       Yemen                               421
ZMB       Zambia                              645
ZWE       Zimbabwe                            648
—         International                       901
—         Test                                001

Source: From ITU Report No. 1005 [5], used with permission from ITU.
Most countries have just one MCC, but some – such as the United States, India, the United Kingdom and others – have more than one assigned to meet the demand for networks in those countries. Some countries, mainly in the Caribbean, have networks deployed using multiple MCCs or using MCCs that are assigned to a network's parent company that operates in a different country. An example of this is Bermuda, which has two networks deployed using the Bermuda MCC (350), one network using the Jamaican MCC (338) and one using a United States MCC (310). In these circumstances, the individual networks have been identified in Table 9.6 using a combination of their MCC and MNC. Alpha-3 codes are assigned by the ISO (International Organization for Standardization) and provide a common three-letter abbreviation for countries and territories.
9.3 Cellular Network Types
9.3.1 2G GSM Networks
The basic characteristics of 2G GSM networks are shown in Table 9.7.
9.3.1.1 Assigned Radio Bands
The radio bands and channel numbering employed by 2G GSM are shown in Table 9.8.
9.3.2 3G UMTS Networks
The basic characteristics of 3G UMTS networks are shown in Table 9.9.
9.3.2.1 Assigned Radio Bands
The radio bands and channel numbering employed by 3G UMTS are shown in Table 9.10.

Table 9.7 Basic characteristics of 2G GSM.

Sub-generations/variants   2G GSM – basic voice, SMS and dial-up data; 2.5G GPRS – packet switched data; 2.75G EDGE – faster PS data; 2.75G EDGE Evolution – faster PS data
Air interface method       TDMA
Channel size               Nominally 200 kHz wide (actually 270 kHz); EDGE Evolution can aggregate two carriers
Duplexing options          FDD only
Frequency reuse            Yes – no single frequency network option
Channel numbering          ARFCNs – see Table 9.8
Physical layer ID          BSIC – six-bit identifier (64 BSICs in total)
Cell discrimination        ARFCN + BSIC
Cell ID format             CGI – MCC-MNC-LAC-Cell ID
Timing advance steps       553.5 m
Key measurements           RXLev in dBm; measurements taken of the BCCH (idle) and TCH (connected)
Typical values             Very strong > −84 dBm; very weak < −100 dBm
Table 9.8 2G GSM radio bands and channel numbering (DL ARFCN = downlink absolute radio frequency channel number).

Band name   Uplink range (MHz)   Downlink range (MHz)   DL ARFCN low   DL ARFCN high   Deployment
GSM450      450.4–457.6          460.4–467.6            259            293             Not used
GSM480      478.8–486.0          488.8–496.0            306            340             Not used
GSM710      698.0–716.0          728.0–746.0            Dynamic        Dynamic         Not used
GSM750      747.0–763.0          777.0–793.0            438            511             Not used
GSM850      824.0–849.0          869.0–894.0            128            251             Americas
E-GSM900    880.0–890.0          925.0–935.0            0, 975         1023            Global
P-GSM900    890.0–915.0          935.0–960.0            1              124             Global
GSM-R       873.0–890.0          918.0–935.0            940            1023            Europe
GSM-R       890.0–915.0          935.0–960.0            0              124             Europe
GSM1800     1710.0–1785.0        1805.0–1880.0          512            885             Global
GSM1900     1850.0–1910.0        1930.0–1990.0          512            810             Americas

Source: Based on 3GPP TS 45.005:2 [6], used with permission from 3GPP.
Table 9.9 Basic characteristics of 3G UMTS.

Sub-generations/variants   3G UMTS – voice, SMS, medium fast PS data; 3.5G HSPA – voice, SMS, faster PS data; 3.5G HSPA+ – voice, SMS, very fast PS data; UMTS-FDD, UMTS-TDD HCR, UMTS-TDD LCR (TD-SCDMA)
Air interface method       WCDMA
Channel size               Typically 5 MHz; 1.6 and 10 MHz options also exist; HSPA+ can aggregate up to eight carriers
Duplexing options          FDD and TDD versions
Frequency reuse            No, deployed as multiple single-frequency network layers
Channel numbering          UARFCN – see Table 9.10
Physical layer ID          PSC (Primary Scrambling Code) – 512 available
Cell discrimination        UARFCN + PSC
Cell ID format             CGI – MCC-MNC-LAC-Cell ID
Propagation delay steps    234 m
Key measurements           RSCP – wanted signal in dBm; RSSI – total received channel power (signal, interference and noise) in dBm; Ec/No – signal-to-noise quality ratio in dB; measurements taken of the cell CPICH
Typical values             Ec/No – good quality > −5 dB; Ec/No – poor quality < −6 dB; Ec/Io – very weak < −28 dB
Table 9.12 2G cdmaOne and 3G CDMA2000 band classes and channel numbering (frequencies in MHz).

Band class   Forward link frequencies   Reverse link frequencies   Channel numbers   Description
0            860–894                    815–849                    1–1323            800 MHz band
1            1930–1990                  1850–1910                  0–1199            1.8–2.0 GHz PCS band
2            917–960                    872–915                    0–2108            872–960 MHz TACS band
3            832–870                    887–925                    1–1600            832–925 MHz JTACS band
4            1840–1870                  1750–1780                  0–599             1.75–1.87 GHz Korean PCS band
5            420–493                    410–483                    1–2108            450 MHz NMT band
6            2110–2170                  1920–1980                  0–1199            2 GHz IMT2000 band
7            746–758                    776–788                    0–240             Upper 700 MHz band
8            1805–1880                  1710–1785                  0–1499            1800 MHz band
9            925–960                    880–915                    0–699             900 MHz band
10           851–940                    806–901                    0–919             Secondary 800 MHz band
11           420–493                    410–483                    0–2016            400 MHz European PAMR band
12           915–921                    870–876                    0–239             800 MHz PAMR band
13           2620–2690                  2500–2570                  0–1399            2.5 GHz IMT2000 band
14           1930–1995                  1850–1925                  0–1299            US 1.9 GHz PCS band
15           2110–2155                  1710–1755                  0–899             AWS band
16           2624–2690                  2502–2568                  140–1459          US 2.5 GHz band
17           Not specified              Not specified              Not specified     US 2.5 GHz forward link only band
18           757–769                    787–799                    0–240             700 MHz public safety band
19           728–746                    698–716                    0–360             Lower 700 MHz band
20           1525–1559                  1626.5–1660.5              0–680             L-band
21           2180–2200                  2000–2020                  0–399             S-band

Source: Based on 3GPP2 Specification C.S0057-E [8], used with permission from 3GPP2.
Table 9.13 Basic characteristics of 4G LTE.

Sub-generations/variants   4G LTE – fast PS data; 4G LTE-Advanced – very fast PS data; 4G LTE-Advanced Pro; LTE-FDD/FD-LTE; LTE-TDD/TD-LTE
Air interface method       OFDMA (downlink), SC-FDMA (uplink)
Channel size               Scalable from 1.4 to 20 MHz; LTE-A can aggregate up to five carriers
Duplexing options          FDD and TDD options exist
Frequency reuse            Yes, and can also be deployed as multiple single-frequency network layers
Channel numbering          EARFCNs – see Table 9.14
Physical layer ID          PCI (Physical-layer Cell ID) – 504 available
Cell discrimination        EARFCN + PCI
Cell ID format             eCGI – MCC-MNC-[eNB ID-Cell ID]
Timing advance steps       78 m
Key measurements           RSRP – wanted signal in dBm; RSSI – total received channel power (signal, interference and noise) in dBm; RSRQ – signal-to-noise quality ratio in dB; measurements taken of the reference signals
Typical values             RSRQ – good quality > −5 dB; RSRQ – poor quality < −25 dB
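The cell identifier formats summarised in Section 9.2.1 and in Tables 9.7, 9.9 and 9.13 (MCC, MNC, LAC/Cell ID for 2G/3G, and the eNB ID/Cell ID split inside a 4G eCGI), as an added Python example that is not code from the book. The small MCC table and the MNC lengths it carries are assumptions for the example drawn from Table 9.6; in casework the MNC length for a given MCC must be taken from the ITU or regulator lists the text refers to. The 20 + 8 bit split of the 28-bit E-UTRAN Cell Identity applies to macro eNBs.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# MCCs from Table 9.6 with the MNC length (2 or 3 digits) used under them.
# These lengths are example assumptions; the regulator/ITU lists are the authority.
MCC_TABLE = {
    "234": ("GBR", "United Kingdom", 2),
    "235": ("GBR", "United Kingdom", 2),
    "262": ("DEU", "Germany", 2),
    "310": ("USA", "United States of America", 3),
    "311": ("USA", "United States of America", 3),
    "404": ("IND", "India", 2),
    "001": ("—", "Test", 2),
}


@dataclass(frozen=True)
class CellIdentity:
    mcc: str
    mnc: str
    country: str
    area: Optional[int]            # LAC (2G/3G); None for an eCGI, which carries no LAC
    cell: int                      # CI (2G/3G) or the full 28-bit ECI (4G)
    enb_id: Optional[int] = None   # 4G only: upper 20 bits of the ECI
    sector: Optional[int] = None   # 4G only: lower 8 bits of the ECI


def _num(field: str) -> int:
    """Records give LAC/CI/ECI either in decimal or as 0x-prefixed hex (Section 9.1.6)."""
    return int(field, 16) if field.lower().startswith("0x") else int(field, 10)


def split_plmn(plmn: str) -> Tuple[str, str, str]:
    """Split a 5- or 6-digit PLMN string into (MCC, MNC, country).

    The MNC length is not self-describing, so the MCC table has to supply it."""
    if not plmn.isdigit() or len(plmn) not in (5, 6):
        raise ValueError(f"bad PLMN {plmn!r}")
    mcc, mnc = plmn[:3], plmn[3:]
    if mcc not in MCC_TABLE:
        raise ValueError(f"unknown MCC {mcc}")
    _, country, mnc_len = MCC_TABLE[mcc]
    if len(mnc) != mnc_len:
        raise ValueError(f"MCC {mcc} uses {mnc_len}-digit MNCs, got {mnc!r}")
    return mcc, mnc, country


def plmn_is_valid(plmn: str) -> bool:
    try:
        split_plmn(plmn)
        return True
    except ValueError:
        return False


def parse_cgi(text: str) -> CellIdentity:
    """'MCC-MNC-LAC-CI', the 2G/3G CGI format of Tables 9.7 and 9.9.
    LAC is 16 bits; CI is 16 bits in GSM and up to 28 bits (RNC ID + C-ID) in UMTS."""
    mcc, mnc, lac, ci = text.split("-")
    mcc, mnc, country = split_plmn(mcc + mnc)
    lac_v, ci_v = _num(lac), _num(ci)
    if not (0 <= lac_v <= 0xFFFF and 0 <= ci_v < (1 << 28)):
        raise ValueError("LAC/CI out of range")
    return CellIdentity(mcc, mnc, country, lac_v, ci_v)


def parse_ecgi(text: str) -> CellIdentity:
    """'MCC-MNC-ECI', the 4G eCGI of Table 9.13: the 28-bit E-UTRAN Cell Identity
    is eNB ID (20 bits) followed by the cell/sector ID (8 bits) for a macro eNB."""
    mcc, mnc, eci = text.split("-")
    mcc, mnc, country = split_plmn(mcc + mnc)
    eci_v = _num(eci)
    if not 0 <= eci_v < (1 << 28):
        raise ValueError("ECI is a 28-bit field")
    return CellIdentity(mcc, mnc, country, None, eci_v,
                        enb_id=eci_v >> 8, sector=eci_v & 0xFF)


def eci_hex(eci: int) -> str:
    """The 28-bit ECI condenses to seven hex digits, the form most records use."""
    return f"{eci:07X}"


if __name__ == "__main__":
    # Constructed identifiers, not real network data.
    print(parse_cgi("234-15-0x1F3C-0x2B7A"))
    e = parse_ecgi("234-15-0x0F2A301")
    print(e, eci_hex(e.cell))
```

The ECI split matters in practice because a call record typically lists the 28-bit value as one number: the eNB ID identifies the site and the low byte the sector, so two records with ECIs differing only in the last two hex digits refer to cells on the same site.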
Table 9.14 4G LTE radio bands and channel numbering (frequencies in MHz; SDL = supplementary downlink, no uplink; TDD bands use one range for both directions).

Band   Uplink range      Downlink range    Duplex mode   DL channel numbers (EARFCN)
1      1920–1980         2110–2170         FDD           0–599
2      1850–1910         1930–1990         FDD           600–1199
3      1710–1785         1805–1880         FDD           1200–1949
4      1710–1755         2110–2155         FDD           1950–2399
5      824–849           869–894           FDD           2400–2649
6      830–840           875–885           FDD           2650–2749
7      2500–2570         2620–2690         FDD           2750–3449
8      880–915           925–960           FDD           3450–3799
9      1749.9–1784.9     1844.9–1879.9     FDD           3800–4149
10     1710–1770         2110–2170         FDD           4150–4749
11     1427.9–1447.9     1475.9–1495.9     FDD           4750–4949
12     699–716           729–746           FDD           5010–5179
13     777–787           746–756           FDD           5180–5279
14     788–798           758–768           FDD           5280–5379
15     Reserved
16     Reserved
17     704–716           734–746           FDD           5730–5849
18     815–830           860–875           FDD           5850–5999
19     830–845           875–890           FDD           6000–6149
20     832–862           791–821           FDD           6150–6449
21     1447.9–1462.9     1495.9–1510.9     FDD           6450–6599
22     3410–3490         3510–3590         FDD           6600–7399
23     2000–2020         2180–2200         FDD           7500–7699
24     1626.5–1660.5     1525–1559         FDD           7700–8039
25     1850–1915         1930–1995         FDD           8040–8689
26     814–849           859–894           FDD           8690–9039
27     807–824           852–869           FDD           9040–9209
28     703–748           758–803           FDD           9210–9659
29     No uplink         717–728           SDL           9660–9769
30     2305–2315         2350–2360         FDD           9770–9869
31     452.5–457.5       462.5–467.5       FDD           9870–9919
32     No uplink         1452–1496         SDL           9920–10359
33     1900–1920         1900–1920         TDD           36000–36199
34     2010–2025         2010–2025         TDD           36200–36349
35     1850–1910         1850–1910         TDD           36350–36949
36     1930–1990         1930–1990         TDD           36950–37549
37     1910–1930         1910–1930         TDD           37550–37749
38     2570–2620         2570–2620         TDD           37750–38249
39     1880–1920         1880–1920         TDD           38250–38649
40     2300–2400         2300–2400         TDD           38650–39649
41     2496–2690         2496–2690         TDD           39650–41589
42     3400–3600         3400–3600         TDD           41590–43589
43     3600–3800         3600–3800         TDD           43590–45589
44     703–803           703–803           TDD           45590–46589
45     1447–1467         1447–1467         TDD           46590–46789
46     5150–5925         5150–5925         TDD           46790–54539
46a    5150–5250         5150–5250         TDD           (within band 46 range)
46b    5250–5350         5250–5350         TDD           (within band 46 range)
46c    5470–5725         5470–5725         TDD           (within band 46 range)
46d    5725–5925         5725–5925         TDD           (within band 46 range)
47     5855–5925         5855–5925         TDD           54540–55239
48     3550–3700         3550–3700         TDD           55240–56739
49     3550–3700         3550–3700         TDD           56740–58239
50     1432–1517         1432–1517         TDD           58240–59089
51     1427–1432         1427–1432         TDD           59090–59139
52     3300–3400         3300–3400         TDD           59140–60139
53     2483.5–2495       2483.5–2495       TDD           60140–60254
54     1670–1675         1670–1675         TDD           60255–60304
65     1920–2010         2110–2200         FDD           65536–66435
66     1710–1780         2110–2200         FDD           66436–67335
67     No uplink         738–758           SDL           67336–67535
68     698–728           753–783           FDD           67536–67835
69     No uplink         2570–2620         SDL           67836–68335
70     1695–1710         1995–2020         FDD           68336–68585
71     663–698           617–652           FDD           68586–68935
72     451–456           461–466           FDD           68936–68985
73     450–455           460–465           FDD           68986–69035
74     1427–1470         1475–1518         FDD           69036–69465
75     No uplink         1432–1517         SDL           69466–70315
76     No uplink         1427–1432         SDL           70316–70365
85     698–716           728–746           FDD           70366–70545
87     410–415           420–425           FDD           70546–70595
88     412–417           422–427           FDD           70596–70645
103    787–788           757–758           FDD           70646–70655

Source: Based on 3GPP TS 36.104:5.2 [9], reproduced with permission from 3GPP.
Table 9.15 Basic characteristics of 5G NR.

Sub-generations/variants   5G NR – very fast PS data; 5G-Advanced – very fast PS data
Air interface method       OFDMA (downlink & uplink)
Channel size               Scalable from 5 to 100 MHz (FR1) and 50 to 400 MHz (FR2); NR can aggregate up to five carriers
Duplexing options          FDD and TDD options exist
Frequency reuse            Usually deployed as multiple single-frequency network layers
Channel numbering          NR-ARFCNs – see Table 9.16
Physical layer ID          PCI (Physical-layer Cell ID) – 1008 available
Cell discrimination        NR-ARFCN + PCI
Cell ID format             NR-CGI – MCC-MNC-[gNB ID-Cell ID]
Timing advance steps       78 m to 9.7 m depending on subcarrier spacing
Key measurements           SS-RSRP – wanted signal in dBm; RSSI – total received channel power (signal, interference and noise) in dBm; SS-RSRQ – signal-to-noise quality ratio in dB; measurements taken of the synchronisation signals
Typical values             SS-RSRQ – good quality > −8 dB; SS-RSRQ – poor quality < −30 dB
Table 9.16 5G NR radio bands and channel numbering (frequencies in MHz; SDL = supplementary downlink, SUL = supplementary uplink; the last column gives the downlink NR-ARFCN range, or the uplink range for SUL bands; TDD bands use one range for both directions).

Band   Uplink range      Downlink range    Duplex mode   NR-ARFCN range
FR1 (below 7 GHz)
n1     1920–1980         2110–2170         FDD           422000–434000
n2     1850–1910         1930–1990         FDD           386000–398000
n3     1710–1785         1805–1880         FDD           361000–376000
n5     824–849           869–894           FDD           173800–178800
n7     2500–2570         2620–2690         FDD           524000–538000
n8     880–915           925–960           FDD           185000–192000
n12    699–716           729–746           FDD           145800–149200
n13    777–787           746–756           FDD           149200–151200
n14    788–798           758–768           FDD           151600–153600
n18    815–830           860–875           FDD           172000–175000
n20    832–862           791–821           FDD           158200–164200
n24    1626.5–1660.5     1525–1559         FDD           305000–311800
n25    1850–1915         1930–1995         FDD           386000–399000
n26    814–849           859–894           FDD           171800–178800
n28    703–748           758–803           FDD           151600–160600
n29    No uplink         717–728           SDL           143400–145600
n30    2305–2315         2350–2360         FDD           470000–472000
n34    2010–2025         2010–2025         TDD           402000–405000
n38    2570–2620         2570–2620         TDD           514000–524000
n39    1880–1920         1880–1920         TDD           376000–384000
n40    2300–2400         2300–2400         TDD           460000–480000
n41    2496–2690         2496–2690         TDD           499200–537999
n46    5150–5925         5150–5925         TDD           743334–795000
n48    3550–3700         3550–3700         TDD           636667–646666
n50    1432–1517         1432–1517         TDD           286400–303400
n51    1427–1432         1427–1432         TDD           285400–286400
n53    2483.5–2495       2483.5–2495       TDD           496700–499000
n65    1920–2010         2110–2200         FDD           422000–440000
n66    1710–1780         2110–2200         FDD           422000–440000
n67    No uplink         738–758           SDL           147600–151600
n70    1695–1710         1995–2020         FDD           399000–404000
n71    663–698           617–652           FDD           123400–130400
n74    1427–1470         1475–1518         FDD           295000–303600
n75    No uplink         1432–1517         SDL           286400–303400
n76    No uplink         1427–1432         SDL           285400–286400
n77    3300–4200         3300–4200         TDD           620000–680000
n78    3300–3800         3300–3800         TDD           620000–653333
n79    4400–5000         4400–5000         TDD           693334–733333
n80    1710–1785         No downlink       SUL           342000–357000
n81    880–915           No downlink       SUL           176000–183000
n82    832–862           No downlink       SUL           166400–172400
n83    703–748           No downlink       SUL           140600–149600
n84    1920–1980         No downlink       SUL           384000–396000
n85    698–716           728–746           FDD           145600–149200
n86    1710–1780         No downlink       SUL           342000–356000
n89    824–849           No downlink       SUL           164800–169800
n90    2496–2690         2496–2690         TDD           499200–537999
n91    832–862           1427–1432         FDD           285400–286400
n92    832–862           1432–1517         FDD           286400–303400
n93    880–915           1427–1432         FDD           285400–286400
n94    880–915           1432–1517         FDD           286400–303400
n95    2010–2025         No downlink       SUL           402000–405000
n96    5925–7125         5925–7125         TDD           795000–875000
n97    2300–2400         No downlink       SUL           460000–480000
n98    1880–1920         No downlink       SUL           376000–384000
n99    1626.5–1660.5     No downlink       SUL           325300–332100
n100   874.4–880         919.4–925         FDD           183880–185000
n101   1900–1910         1900–1910         TDD           380000–382000
n102   5925–6425         5925–6425         TDD           796334–828333
n104   6425–7125         6425–7125         TDD           828334–875000
n105   663–703           612–652           FDD           122400–130400
FR2 (24.25 GHz and above) – mmWave
n257   26500–29500       26500–29500       TDD           2054166–2104165
n258   24250–27500       24250–27500       TDD           2016667–2070832
n259   39500–43500       39500–43500       TDD           2270833–2337499
n260   37000–40000       37000–40000       TDD           2229166–2279165
n261   27500–28350       27500–28350       TDD           2070833–2084999
n262   47200–48200       47200–48200       TDD           2399166–2415832
n263   57000–71000       57000–71000       TDD           Complex range

Source: Based on 3GPP TS 38.104:5.2 & 5.4 [10], used with permission from 3GPP. Further data from www.spectrummonitoring.com [4], used with permission.
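The conversion behind the channel-number columns of Tables 9.14 and 9.16, as an added Python example that is not code from the book. It applies the 3GPP EARFCN formula (F_DL = F_DL_low + 0.1 MHz × (N_DL − N_Offs-DL), TS 36.101/36.104) and the NR global frequency raster (F_REF = F_REF-Offs + ΔF_Global × (N_REF − N_REF-Offs), TS 38.104 section 5.4.2). The band lists are small subsets of the two tables chosen for the example and must be extended with the rows a case needs; the NR part deliberately includes n48/n77/n78 to show that one NR-ARFCN can sit inside several overlapping bands, so the band the survey device reports, not the channel number alone, identifies the frequency layer.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class LteBand:
    band: int
    dl_low_khz: int   # lower edge of the downlink range (Table 9.14), in kHz
    n_offs: int       # first DL EARFCN of the band (N_Offs-DL)
    n_max: int        # last DL EARFCN of the band


# Subset of Table 9.14; add rows as required.
LTE_BANDS = [
    LteBand(1, 2110000, 0, 599),
    LteBand(3, 1805000, 1200, 1949),
    LteBand(7, 2620000, 2750, 3449),
    LteBand(20, 791000, 6150, 6449),
    LteBand(28, 758000, 9210, 9659),
    LteBand(38, 2570000, 37750, 38249),   # TDD: one range for both directions
    LteBand(40, 2300000, 38650, 39649),
]


def lte_earfcn_to_mhz(earfcn: int) -> Tuple[int, float]:
    """Band and downlink centre frequency for a DL EARFCN.

    F_DL = F_DL_low + 0.1 MHz x (N_DL - N_Offs-DL); worked in kHz integers
    so the result is exact. Raises if the EARFCN is outside the band subset."""
    for b in LTE_BANDS:
        if b.n_offs <= earfcn <= b.n_max:
            return b.band, (b.dl_low_khz + 100 * (earfcn - b.n_offs)) / 1000
    raise ValueError(f"EARFCN {earfcn} is not in the band subset")


# NR global frequency raster: (first NR-ARFCN of the range, F_REF-Offs in kHz,
# delta F_Global in kHz). 24250.08 MHz is the offset frequency defined for FR2.
NR_RASTER = [
    (0, 0, 5),                  # 0 to 3000 MHz
    (600000, 3000000, 15),      # 3000 to 24250 MHz
    (2016667, 24250080, 60),    # 24250 to 100000 MHz
]

# Subset of Table 9.16 as (band, downlink low, downlink high) in MHz.
NR_BANDS = [
    ("n1", 2110, 2170), ("n3", 1805, 1880), ("n28", 758, 803),
    ("n48", 3550, 3700), ("n77", 3300, 4200), ("n78", 3300, 3800),
    ("n257", 26500, 29500), ("n258", 24250, 27500),
]


def nr_arfcn_to_mhz(nr_arfcn: int) -> float:
    """F_REF = F_REF-Offs + delta F_Global x (N_REF - N_REF-Offs)."""
    if not 0 <= nr_arfcn <= 3279165:
        raise ValueError("NR-ARFCN out of range")
    n_offs, f_offs_khz, step_khz = [r for r in NR_RASTER if r[0] <= nr_arfcn][-1]
    return (f_offs_khz + step_khz * (nr_arfcn - n_offs)) / 1000


def nr_bands_for_arfcn(nr_arfcn: int) -> List[str]:
    """All bands in the subset whose downlink range contains the channel;
    more than one entry means the survey log must be read with its band."""
    mhz = nr_arfcn_to_mhz(nr_arfcn)
    return [name for name, low, high in NR_BANDS if low <= mhz <= high]


if __name__ == "__main__":
    print(lte_earfcn_to_mhz(6300))           # EARFCN from the Table 9.17 example
    print(nr_arfcn_to_mhz(636667), nr_bands_for_arfcn(636667))
```

Converting survey channel numbers to frequencies is how a surveyor checks that a band lock actually held, and the overlapping-band lookup is the caveat a report needs when two operators' layers share the 3.3–3.8 GHz range.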
9.4 Forensic Radio Surveys A recap of forensic radio survey techniques follows.
9.4.1 Spot/Location Surveys ‘Spot’ or location surveys are designed to capture details of the set of serving and non-serving cells that provide coverage at or near a given location. Generally, the locality chosen for the survey is the address where an incident or offence has occurred or where a person of interest in an investigation lives, works or has put forward as an alibi location. The basic concepts related to spot and location surveys are illustrated in Figure 9.2.
Figure 9.2 Spot/location survey. (Diagram: the incident location, with the RFPS survey taken at that location, the cell that serves at the location and the neighbour cells at the location.)
9.4.1.1 Spot/Location Survey Actions
The set of individual surveys to be conducted at a location will vary depending upon the networks/technologies to be surveyed, which is dictated by the networks and technologies used by the case's target phones as detailed in their call records, the geography of the location, the type of survey device to be employed and the circumstances of the case, but the full set of captures that might be undertaken using a phone emulator survey device for spot or location surveys could include the following:
● Per required network:
  – Free running survey with no technology or band locks, which might provide an insight into the idle mode behaviour settings in the area and the actions of a 'normal' phone
  – Free running 2G survey (if 2G networks are still operational in the area), with survey device technology locked to 2G
  – Free running 3G survey (if 3G networks are still operational in the area), with survey device technology locked to 3G
  – Additional 3G surveys with band or channel locks in place if the network employs Idle Mode behaviour settings that make surveys of HSPA 'data' channels difficult
  – Free running 4G survey, with survey device technology locked to 4G
  – Additional 4G surveys with band or channel locks in place if the network employs Idle Mode behaviour settings that make surveys of some channels difficult
  – Free running 5G survey (if 5G SA or Standalone mode networks have been deployed in the area), with survey device technology locked to 5G
  – Additional 5G surveys with band or channel locks in place if the network employs Idle Mode behaviour settings that make surveys of some channels difficult
Multiple 3G, 4G and 5G surveys are suggested due to the possibility (indeed, the strong likelihood) that operators will employ some form of Idle Mode behaviour control to limit mobile devices to camping on a specific frequency layer when idle. Band lock surveys therefore allow the surveyor to guarantee that they capture cell coverage details of the non-camping bands. If band locks are applied to surveys, then this should be noted in the surveyor's report. The set of surveys suggested above would be conducted in Idle Mode but could also each include a set of Connected Mode test calls or test pings if required. Obviously, such an extended set of surveys could take a considerable amount of time using a limited number of handset-based survey devices, and surveyors may be able to reduce the intensity of surveys by conducting just 'free running' Idle Mode surveys on each network/technology first and then supplementing these with 'channel lock' or 'band lock' surveys and Connected Mode test calls if required. The use of multi-device survey equipment such as Lima CM, NEMO Walker Air or TEMS backpack or scanner/SDR-based survey devices can help to significantly reduce the time taken to capture a full set of survey results.
9.4.1.2 Spot/Location Survey Procedures
The suggested set of procedures for a spot/location survey includes the following:
● For phone emulator surveys, ensure that each survey device (or submodule, in the case of multi-receiver devices) has the appropriate network's SIM inserted (or the appropriate network selected in the case of roaming/programmable SIMs), the appropriate technology lock in place and any further channel or band locks set if required.
● Conduct the survey as a non-static location survey rather than a static spot survey if possible (and if safe or practical). Spend at least 5 min in the immediate vicinity of the surveyed address, but then extend the survey up to 50–150 m in all directions from the target address (if practical).
● If undertaking the survey with a limited number of phone emulator survey devices, conduct the surveys in free-running Idle Mode first and perform additional locked surveys or Connected Mode test calls (or test data sessions) only if the necessary information was not captured in unlocked or Idle Mode.
● For phone emulator surveys, if possible, capture more than one simultaneous survey of each network/technology/band, using different devices or even different types of device, to ensure a more broadly representative set of survey results; results from different devices can be combined into one overall set of results during post-processing.
● For phone emulator 3G surveys, make each test call last for an extended period (1 min, for example) to ensure that a representative range of soft handover servers is captured.
● For 3G, 4G and 5G phone emulator surveys, if the survey equipment does not automatically capture neighbour Cell IDs, consider recording a 'lock file' or 'channel scan' to ensure that Cell IDs for neighbour cells are captured.
● Make sure that GPS fixes of the location(s) of the survey are captured as evidence that the surveys were conducted in the reported location.
● Possibly also take a photo of the survey address or location, if this can be done safely and without causing distress to victims or witnesses.
9.4.2 All-Network Profiles
Spot/location surveys are typically undertaken to gather evidence related to a specific set of target phones and are therefore often conducted on just a subset of networks or technologies at a time. All-network profiles or scene preservation surveys are usually undertaken on all networks and all technologies at a spot or location and can be thought of as a linked set of location surveys. An example of an all-network profile is shown in Table 9.17.

Table 9.17 Example of an all-network profile. Channel/PCI is given as ARFCN/BSIC (2G), UARFCN/PSC (3G) or EARFCN/PCI (4G); status (s) = serving cell, (n) = neighbour cell; Ave. signal is the average recorded level (dBm for the 2G rows; the 3G and 4G rows in this example carry a quality ratio, Ec/No or RSRQ, in dB).

Network 1
Tech   Channel/PCI   Cell ID (status)   Ave. signal
2G     45/27         20 456 (s)           −82.34
2G     47/29         30 456 (s)           −87.23
2G     105/23        10 456 (n)           −93.87
2G     51/23         38 765 (n)           −99.56
3G     10 637/145    10 987 (s)            −4.56
3G     10 637/146    20 987 (n)           −14.56
4G     6400/31       10 976 542 (s)        −8.32
4G     6400/32       10 976 543 (n)       −14.34

Network 2
Tech   Channel/PCI   Cell ID (status)   Ave. signal
2G     23/12         234 (s)              −75.12
2G     67/13         345 (n)              −98.12
2G     97/16         12 765 (n)          −100.67
3G     10 712/87     32 154 (s)            −7.38
4G     6300/121      435 213 (s)           −7.02
4G     6300/122      435 212 (s)          −11.59
4G     2850/21       143 256 764 (n)      −18.34

Network 3
Tech   Channel/PCI   Cell ID (status)   Ave. signal
2G     787/34        45 398 (s)           −82.04
2G     821/42        2123 (n)             −87.38
2G     698/31        54 901 (s)           −88.13
2G     670/32        19 801 (n)           −90.87
2G     701/36        20 700 (n)           −91.45
3G     10 836/198    56 901 (n)            −5.78
3G     10 811/198    55 901 (s)            −6.87
3G     10 811/199    55 902 (s)            −9.21
3G     10 836/198    56 903 (n)            −5.78
3G     10 836/199    56 902 (n)           −12.72
3G     10 761/14     8790 (n)             −16.87
4G     1617/341      62 541 (s)            −8.3
9.4.3 Cell Coverage Surveys
Cell coverage surveys are intended to determine the extent of serving coverage of a particular cell in a way that allows the approximate 'footprint' of the cell's service area to be mapped; this technique is consequently also known as a 'cell mapping' survey. This type of survey is generally performed as a drive survey, and the results provide a snapshot of cell coverage at the time the survey was taken.
9.4.3.1 Coverage Survey Procedures
The recommended procedures to be followed during a coverage survey include:
● For phone emulator surveys, ensure that each survey device (or submodule, in the case of multi-receiver devices) has the appropriate network's SIM inserted (or that programmable SIMs are selected to the correct network) and the appropriate technology, band or channel lock in place.
● Cell locks or Connected Mode surveying are not recommended for cell coverage surveys, as the purpose of the survey is to map the natural boundary of the cell's Idle Mode serving coverage. Setting a cell lock for the target cell would force the survey device to continue to treat it as the serving cell and could drag it well beyond the point where a free-running device would have reselected to a neighbour cell. A cell lock can therefore distort the results of the survey.
● Ensure that the device's GPS receiver is online and that GPS fixes are being captured. Coverage survey data is valueless without accurate location information.
● Follow the drive survey safety recommendations; drive surveys should always be a two-person job if there is any requirement to monitor the survey data onscreen as it is being captured.
● Work out the route to be driven in advance and record the route as it is being driven (some survey devices provide a live map with the driven route overlaid on it to aid surveyors). This avoids unnecessary duplication and can shorten the survey time.
● If the survey is intended to capture details of only specific sectors of a site rather than all coverage, then it might be beneficial to confirm the azimuth of the required sectors first to avoid driving in unnecessary directions. This can be achieved by 'spinning the site' or by using a crowd-sourced cell coverage data provider to confirm the general cell coverage area and direction.
● For phone emulator surveys, consider using multiple survey devices simultaneously, especially if the survey instructions require the surveyor to capture details of stacked cells on the same site that share the same sector azimuth, as would be the case in a 3G/4G/5G multi-layer single-frequency network. In this case, each survey device might need to have the appropriate technology lock in place to ensure that it captures details of the correct frequency layer.
In some cases, the surveyor may be required to undertake surveys of cells belonging to different networks that happen to be broadcast from base stations that are sharing the same site. The site and network-sharing agreements between operators in many countries mean that this scenario is becoming increasingly common. In these cases, it is possible to capture details of multiple cells belonging to different networks during just one drive survey if multiple survey devices (each set to a different network/technology/band) or a scanner-based device are used.
One final recommendation relates to the post-processing of survey data to create coverage maps. In a large majority of cases, if cell coverage surveys are required, the cell site analyst will request survey data for multiple cells that are located in the same general area. Surveyors would typically complete the whole survey set by conducting individual drive surveys for each cell or sector on their list, but some or all of these surveys may include overlapping areas. Given the potential that exists for cells to provide non-contiguous patches of coverage beyond the main contiguous coverage area (for there to be small 'islands' of coverage separate from the main area of coverage), it is considered sensible to 'pool' the results of all of the surveys before extracting details of each individual cell to be mapped.
9.4.4 Route Profiles

A route profile survey is an example of a ‘scenario testing’ survey that employs similar methods to a cell coverage survey but, whereas a coverage survey seeks to determine the area served by a single cell, a route profile attempts to represent the progression of cells that serve along a given route.

9.4.4.1 Route Profile Actions

The usual methodology for a route profile survey is really no more complicated than that outlined in the previous section:
● For a phone emulator survey, ensure that each survey device (or submodule, in the case of multi-receiver devices) has the appropriate network’s SIM inserted (or that the required network is selected in the case of roaming/programmable SIMs), that the appropriate technology lock is in place, and that any further channel or band locks are set if required.
● Ensure that the device’s GPS receiver is online and that GPS fixes are being captured. Route profile survey data is valueless without accurate location information.
● Follow the drive survey safety recommendations; drive surveys should always be a two-person job if there is any requirement to monitor data onscreen as the survey is underway.
● Work out the route to be driven in advance and stick to it; unscheduled deviations from the prescribed route could cause inaccurate results.
● Try to drive the route at the slowest speed that is practicable and safe; this should ensure that a greater amount of detail is captured at each point along the route.
● Survey accuracy can also be improved by stopping at regular intervals, for 1–2 min at a time, to allow the survey device to capture long-term variations in coverage. Alternatively, consider driving the route multiple times, or drive it in both directions, or use multiple survey devices simultaneously to broaden the depth of information captured.
● If target phones were connected to different networks or used different technologies, consider using multiple devices, each set to capture a different network/technology, or a scanner-based survey device, to minimise the number of repeat drives along the route that need to be taken.
Typically, when compiling route profile data, only details of the serving cell at each location are required; details of neighbour cells are usually only examined if the serving cell data fails to detect an expected cell or a cell that was used by a target phone for a significant call.
9.4.5 Survey Specifications

Before undertaking a forensic radio survey, it is considered good practice for the surveyor to have an indication of the cells that are expected to be found at each location or along a surveyed route. In the UK, the Forensic Science Regulator’s Code of Practice describes this as developing a ‘survey strategy’. A cell site analyst will use the call records for each target phone to draw up a list of the cells used by those phones at times when the users of those phones were suspected of being at locations of interest. They will use this information to draw up a target cell list for each location, area or route to be surveyed. An example target cell list might include some of the following information:
● Location/cell coverage area/route to be surveyed.
● Networks and technologies to be surveyed.
● List of cells of interest (based on Cell ID) that are expected to be detected on each network/technology at that location.
● Additional information, such as ‘cell X was only used for data sessions’, ‘end cell only’ or ‘cell Y was used extensively’, which can aid the surveyor’s understanding of the objectives of the survey and the relative importance of each cell.
● An indication of whether an attempt should be made to arrange for the survey to be conducted inside an address. This would be an issue in cases where the suspected user of a target phone was assumed to have been indoors when calls were made and is especially relevant to locations such as flats and apartments, where an outdoor survey would have difficulty replicating the coverage provided at altitude.
● Any potential dangers or sensitivities that should be taken into consideration by the surveyor.
● Cell address/location details for expected cells, including cell azimuth details.
● Cell and survey location map, which would usefully include details of the cell locations and azimuths in relation to the survey location.
● Cell coverage maps for particularly important cells, created using crowd-sourced cell coverage data – this can be very useful for coverage surveys as it provides an indication of the expected boundaries of the drive survey.
● Extracts of the relevant CDRs (Call Detail Records) that show the calls made using the cells to be surveyed. This can add useful context for a surveyor by indicating, for example, the sequence and rapidity with which particular cells were used.

An example target cell list is shown in Figure 9.3, and the accompanying cell location map is shown in Figure 9.4.
9.4.6 Preparing Survey Devices

Each type of forensic radio survey has its own generic actions and activities, but the specific actions to be performed for each individual survey are typically dictated by the type of survey devices to be employed, by the circumstances of the case, by the location at which the survey is to be based and by the surveyor’s personal preferences.
9 Summary and Practical Activities
Figure 9.3 Target cell list. Source: CSAS Target Cell List reproduced with permission from Forensic Analytics Ltd.

Figure 9.4 Cell location map. [Map labels: Survey location; Cell IDs 20234/30234, azimuths 120°/240°; Cell ID 6776, azimuth 120°; Cell ID 4144, azimuth 240°; Cell ID 13423, azimuth 20°; Cell IDs 10298/30298, azimuths 0°/240°; Cell IDs 244/245, azimuths 0°/240°.] Source: Microsoft AutoRoute map reproduced with permission from Microsoft; reproduced with permission from Forensic Analytics.
9.4 Forensic Radio Survey
It is therefore difficult to draw up a set of suggested activities and guidelines that are relevant in all scenarios and that match every surveyor’s preferences. The following suggested actions and activities should therefore be seen as at least partly subjective, as they are based on the author’s experience and preferences. Before commencing each new survey, it is recommended that surveyors check the following:
● Make sure the survey device has sufficient charge for the predicted survey duration (if not on external power).
● Make sure the survey device has sufficient free memory or enough spare data cards to store the expected survey data file(s), and that any external data cards have been cleared of any previous data.
● For phone emulator devices, make sure any previously applied network, technology, band, channel or cell locks have been reset if they are not required for the new survey.
● Again, for phone emulator devices, make sure the required network, technology, band, channel or cell locks for the new survey are set.
● Make sure that the ‘save as’ filename for the survey is correct and reflects the survey being undertaken – this could include making sure that the correct location, network and technology are listed in the filename if a specific file naming convention is being employed.
Failure to perform these simple checks can lead to surveys failing to capture the required information, meaning that they may have to be rerun at extra cost.
9.4.7 Survey Safety

Forensic radio surveys can be hazardous for a number of reasons. Spot and all-network surveys, for example, are generally undertaken outside, often close to roads, and usually require the surveyor to concentrate on the information being displayed on the test equipment. Location surveys are often undertaken as walk surveys but also require the surveyor to devote at least part of their attention to the output displayed on the survey device’s screen. Care should be taken to maintain an awareness of the surveyor’s surroundings. Cell coverage and route profile surveys are usually undertaken as drive surveys. It is strongly recommended that at least two people should be involved in a drive survey: one to drive the vehicle and one to operate the survey equipment. Although some survey devices can be set with a ‘target cell’ and will provide audio feedback when they move into or out of the cell’s coverage area, lone working surveyors are potentially exposing themselves and other road users to danger due to driving without due care and attention whilst also attempting to monitor or operate their survey equipment. The circumstances surrounding a forensic radio survey should also be borne in mind: surveys are often undertaken at locations where traumatic events have taken place or near the addresses of witnesses, victims or suspects in a case or their families. A surveyor may unwittingly cause further distress to victims or their families if the reason for their presence at a location is guessed. Additionally, especially in relation to surveys near the addresses of suspects or defendants, there is a danger of attack from the suspect or their family or friends. A further risk relates to the surveyor’s use of expensive survey equipment in a public area, which might make them a target for mugging or lead to their vehicle being broken into.
The reason for a surveyor’s presence at a location is often guessed due to the nature of the survey equipment they are carrying and the amount of time it is necessary to spend at or around a location in order to capture spot or location survey data. Experience has shown that the risk of being discovered increases greatly if the surveyor elects to take a photo of the survey location to act as proof that they surveyed at the correct location. If a photo is required then it is usually a good idea to take it after the survey has been completed, just as the surveyor is leaving. Some surveyors decide to provide themselves with an ‘alibi’ for being at a location, sometimes using false identification credentials so that they can claim to be from a mobile phone company or a public utility. Some surveyors, including the author, have gone to the length of acquiring false ID cards or even branded work clothing (such as a high-visibility jacket) from the organisation they wish to claim to be working for so they can ‘hide in plain sight’.
To ensure the surveyor’s safety during a survey, it is recommended that they:
● Always let colleagues know where they are planning to survey and when.
● Consult the investigators in the case to determine if there are any specific risks or sensitivities related to any survey locations.
● Arrange a police escort for particularly dangerous or sensitive locations.
● Conduct a local coverage survey (where the surveyor moves around), which is less likely to attract attention than a static spot survey (where they stay still in one place).
● Keep survey equipment out of sight if at all possible.
● Only take site photos if they are sure it is safe.
● Maintain awareness of their location, especially if near a road or other hazards.
● Use a driver when conducting drive surveys.
9.5 Survey Results: Checking and Confirmation

9.5.1 Confirming the Expected Results

When a survey is underway, most types of survey equipment provide an on-screen list of the cells currently being detected and measured. The forensic surveyor will use this output to check the progress of a survey against their target cell list. As mentioned above, some survey devices can also transmit a live feed of the survey to a central system, allowing the data to be viewed in real time by the instructing analyst or expert as well. If all of the cells listed in the target cell list are detected, the survey can be deemed a success.
9.5.2 Expected Results Not Found

If one or more of the cells on the target cell list fail to be detected, the forensic surveyor has a number of options:
● If the survey device supports channel or cell locking, they could lock to the relevant channel or Cell ID and see if the ‘missing’ cell is detectable that way. This would be done purely to determine whether the ‘missing’ cell was on air or not and would not be used as the basis for radio measurements of that cell – measurements taken with a cell lock in place cannot be regarded as being representative of a phone’s normal operation.
● They could try making test calls to see if the ‘missing’ cell is used in Connected Mode – this is particularly relevant in 3G, where some cells may only show up during soft handover, so it is important that test calls are considered.
● If the survey equipment supports a ‘band scan’ or ‘channel scan’ function, which scans through all channels in a radio band and identifies the cells that are detected, the surveyor could run this test to see if the missing Cell ID appears.
● If the survey equipment shows only the cells currently being detected, the ‘missing’ cell may be appearing in the data only intermittently and too briefly for the equipment to register it onscreen. If the surveyor is able to review or process the captured survey data after the survey period has ended, the ‘missing’ Cell ID might appear in a summary of the collated data.
● If cell tower address details have been provided, the surveyor could walk or drive towards the cell site to see if a signal can be detected as they move closer (noting the location at which a signal is eventually detected), bearing in mind the drive survey safety recommendations mentioned above.
● They could visit the cell address to check that the site is still there and still ‘on air’.
● They could perform an ‘orbit’ test of the site in an attempt to determine the current orientation (azimuth) of the cell sectors to see if they agree with the information provided (making a note of any revised azimuth estimations they calculate).
● If they are working for a law enforcement agency, they could ask their service provider liaison department to check with the network operator to determine why the cell is not being detected. This would include asking for details of if/when a site had been reoptimised, reorientated, relocated or retired.
In all cases, if an expected significant cell is not detected, the surveyor should make a note of the steps taken to try to detect it, and if the cell is still not discovered, a note to this effect should be made in the post-survey report.
9.6 Survey Notes and Progress Maps

In many jurisdictions, forensic radio surveyors are under the same obligation to make contemporaneous notes during the course of their investigations as any other forensic investigator. These notes must be retained, as they could be requested by the court when the case comes to trial. Contemporaneous notes for cell site surveys usually take the form of a series of notes indicating:
● The location or address being surveyed, possibly including a GPS fix.
● A note of the specific spot at which the survey was taken (e.g. balcony outside Flat 7) for a static spot survey, or a basic description of the route followed (e.g. walked around the perimeter of the building) during a non-static location survey.
● The time and date the survey started.
● Details of the equipment used and its serial number/IMEI.
● An indication of any extreme weather conditions and any other significant factors that might affect the survey results.
● The network and technology being surveyed.
● Details of any band, channel or cell locks applied before or during the survey.
● An indication of whether additional survey types were captured (e.g. lock files, channel scans) or whether multiple devices were used simultaneously.
● Any specific conclusions reached during the survey, noted for future reference.
● Details of any expected but missing cells, and the steps taken by the surveyor to determine whether the missing cell was actually on air or not.
It can be argued that if the surveyor is using a forensic survey device that automatically captures and records survey details, then it may not be necessary to manually record some of the details listed above (such as the device serial number). Information such as a description of the survey location, the weather conditions and the types of survey undertaken should always be recorded in the surveyor’s contemporaneous notes, as should details of any specific conclusions and actions taken to ‘find’ a ‘missing’ cell.
9.7 Survey Results

9.7.1 Spot/Location Survey Results

Several types of survey device produce their output in a tabulated format that shows, for each measurement event, the serving and neighbour cells, their identities and radio signal strengths, along with a timestamp and a GPS fix. Although the tabulated form of results data has its uses, it does not help to provide an immediate understanding of which cells, in areas of non-dominance, serve most often or offer the most consistently strong signals. A summarised table is much more useful for this kind of understanding and analysis. An example of a set of processed and summarised spot/location survey results is shown in Figure 9.5. A typical summarised survey results table will provide some or all of the following types of information:
● Survey location, start date/time of survey and surveyor name.
● Duration of survey.
● GPS fix (or average GPS fix) of survey location or locality.
● Network and technology surveyed.
● List of detected cells, ranked in order of signal strength, showing:
  – Cell ID
  – Possibly, cell site name details (if known)
  – Channel number and physical layer cell identifier (BSIC/PSC/PCI/PN Offset)
  – Average signal strength or quality (RXLev, RSCP, Ec/No, RSRP, RSRQ or Ec/Io)
  – Number of times the cell was detected in total and the number of times it was selected as serving
  – Indication of whether the cell served in Idle Mode
  – Indication of whether the cell served during a test call
Figure 9.5 Spot/location survey results. Source: CSAS RF Survey module, reproduced with permission from Forensic Analytics Ltd.
This type of summarised table is often the forensic radio survey ‘product’ that is passed to the case investigators or cell site analysts and is therefore used to enable them to form conclusions on the potential locations of target phones during significant calls.
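As an added worked example (not code from the book or from the CSAS product), the following Python builds the kind of summary table just described from per-event tabulated survey output. The column names in the constructed sample (timestamp, lat, lon, tech, channel, phy_id, cell_id, status, signal, mode) are assumptions; real survey devices use their own layouts, so the parser would need adjusting. The sample deliberately includes a cell that only serves during a test call, so that the Idle Mode / test call distinction in the summary is exercised, and the ranking is by average signal as the text describes.

```python
"""Summarise per-event spot/location survey output into a ranked per-cell table."""
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample of tabulated survey output: one line per detected cell per
# measurement event. Column names are assumptions, not a real device's format.
# Events at 10:00:04 and 10:00:06 fall inside a test call (mode = call); cell 435213
# only serves there, i.e. the 'Connected Mode only' behaviour discussed in 9.5.2.
SAMPLE_CSV = """timestamp,lat,lon,tech,channel,phy_id,cell_id,status,signal,mode
2024-03-01T10:00:00,52.521378,-1.463342,4G,6400,31,10976542,serving,-81.2,idle
2024-03-01T10:00:00,52.521378,-1.463342,4G,6400,32,10976543,neighbour,-89.5,idle
2024-03-01T10:00:02,52.521378,-1.463342,4G,6400,31,10976542,serving,-82.0,idle
2024-03-01T10:00:02,52.521378,-1.463342,4G,6300,121,435213,neighbour,-84.1,idle
2024-03-01T10:00:04,52.521380,-1.463340,4G,6300,121,435213,serving,-80.3,call
2024-03-01T10:00:04,52.521380,-1.463340,4G,6400,31,10976542,neighbour,-83.7,call
2024-03-01T10:00:06,52.521380,-1.463340,4G,6300,121,435213,serving,-79.9,call
2024-03-01T10:00:06,52.521380,-1.463340,4G,6400,32,10976543,neighbour,-92.0,call
"""


def parse_rows(text):
    """Read the tabulated output and convert the numeric and time fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["timestamp"] = datetime.fromisoformat(r["timestamp"])
        r["lat"], r["lon"], r["signal"] = float(r["lat"]), float(r["lon"]), float(r["signal"])
        rows.append(r)
    return rows


def summarise(rows, surveyor="unknown", location="unknown"):
    """Build the summary: header facts plus one entry per cell, ranked by average signal."""
    cells = defaultdict(lambda: {"detected": 0, "serving": 0, "signals": [],
                                 "served_idle": False, "served_call": False})
    for r in rows:
        c = cells[(r["tech"], r["channel"], r["phy_id"], r["cell_id"])]
        c["detected"] += 1
        c["signals"].append(r["signal"])
        if r["status"] == "serving":
            c["serving"] += 1
            c["served_" + r["mode"]] = True  # mode is 'idle' or 'call'
    events = sorted({r["timestamp"] for r in rows})
    table = []
    for (tech, channel, phy_id, cell_id), c in cells.items():
        table.append({
            "tech": tech, "channel": channel, "phy_id": phy_id, "cell_id": cell_id,
            "avg_signal": round(mean(c["signals"]), 2),
            "detected": c["detected"], "serving": c["serving"],
            # share of measurement events in which this cell was the serving cell
            "serving_share": round(c["serving"] / len(events), 2),
            "served_idle": c["served_idle"], "served_call": c["served_call"],
        })
    table.sort(key=lambda e: e["avg_signal"], reverse=True)
    return {
        "location": location, "surveyor": surveyor,
        "start": events[0].isoformat(),
        "duration_s": (events[-1] - events[0]).total_seconds(),
        "events": len(events),
        # average GPS fix of the survey locality
        "avg_fix": (round(mean(r["lat"] for r in rows), 6), round(mean(r["lon"] for r in rows), 6)),
        "cells": table,
    }


if __name__ == "__main__":
    summary = summarise(parse_rows(SAMPLE_CSV), surveyor="J. Bloggs", location="Flat 7 balcony")
    print(f"{summary['location']} {summary['start']} ({summary['duration_s']:.0f} s, "
          f"{summary['events']} events) fix {summary['avg_fix']}")
    for e in summary["cells"]:
        print(f"{e['tech']} ch {e['channel']} id {e['phy_id']:>3} cell {e['cell_id']:>9} "
              f"{e['avg_signal']:>7} det {e['detected']} srv {e['serving']} "
              f"idle={e['served_idle']} call={e['served_call']}")
```

Run stand-alone, the script prints cell 435213 first (strongest average) even though it never served in Idle Mode, which is exactly the case the summary's Idle Mode / test call columns exist to expose; an analyst reading only the ranking would otherwise overstate its role.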
9.7.2 All-Network Profile Results

An all-network profile is essentially a ‘summary of summaries’ for each surveyed spot or location and is designed to draw together the summary data for each separate network/technology survey into one overall coverage summary table. An example of an all-network profile report – taken in a hypothetical country that has three network operators who offer 2G, 3G and 4G services – is shown in Table 9.18. A typical all-network profile presents an abbreviated set of details for each network and technology that was surveyed and will typically show, for each network and each technology, the set of detected cells ranked in order of average signal strength along with these features of each cell:
● Channel number and physical layer ID (BSIC, PSC, PCI or PN Offset).
● Cell ID (or Base ID) and status (serving or neighbour).
● Average signal strength or quality (RXLev, RSCP, Ec/No, RSRP, RSRQ or Ec/Io).
All-network profile reports are often undertaken to allow investigators to capture a scene preservation ‘snapshot’ of network coverage at a crime scene or other significant location in the immediate aftermath of an event. This allows them to preserve evidence of the cellular coverage at the site as it was at around the time of the event and guards against changes in network configuration affecting the accuracy of any cell site reports or conclusions that are reached later in the investigation.
9.7.3 Coverage Survey Results

The output of a coverage survey will usually be a map showing the route driven and indicating measurement locations that selected the target cell as serving (and optionally another set of markers showing where the target cell was the first neighbour).
Table 9.18 Example of all-network profile report.

Network 1
Tech  Channel  Phys. ID  Cell ID (status)  Ave. signal
2G    45       27        20456 (s)         −82.34
2G    47       29        30456 (s)         −87.23
2G    105      23        10456 (n)         −93.87
2G    51       23        38765 (n)         −99.56
3G    10637    145       10987 (s)         −4.56
3G    10637    146       20987 (n)         −14.56
4G    6400     31        10976542 (s)      −8.32
4G    6400     32        10976543 (n)      −14.34

Network 2
Tech  Channel  Phys. ID  Cell ID (status)  Ave. signal
2G    23       12        234 (s)           −75.12
2G    67       13        345 (n)           −98.12
2G    97       16        12765 (n)         −100.67
2G    670      32        19801 (n)         −90.87
3G    10712    87        32154 (s)         −7.38
4G    6300     121       435213 (s)        −7.02
4G    6300     122       435212 (s)        −11.59
4G    2850     21        143256764 (n)     −18.34

Network 3
Tech  Channel  Phys. ID  Cell ID (status)  Ave. signal
2G    787      34        45398 (s)         −82.04
2G    821      42        2123 (n)          −87.38
2G    698      31        54901 (s)         −88.13
2G    701      36        20700 (n)         −91.45
3G    10836    198       56901 (n)         −5.78
3G    10811    198       55901 (s)         −6.87
3G    10811    199       55902 (s)         −9.21
3G    10836    198       56903 (n)         −5.78
3G    10836    199       56902 (n)         −12.72
3G    10761    14        8790 (n)          −16.87
4G    1617     341       62541 (s)         −8.3

Phys. ID is the BSIC for 2G, the PSC for 3G and the PCI for 4G; (s) marks a cell that served, (n) a cell detected only as a neighbour. The 2G averages are RXLev values in dBm, whereas the 3G and 4G averages are quality measures (Ec/No and RSRQ, in dB).
The raw material for such a map is a set of GPS coordinates followed by details of the serving cell (and optionally the first neighbour cell) from the measurement events captured at each surveyed point along the driven route. An example of the raw results data table for a coverage survey is shown in Table 9.19. Such a data set could then be manually filtered, so that only events that showed the target cell as serving or first neighbour are retained, and the filtered results could be imported into a mapping tool such as Google Earth or QGIS or mapped in a dedicated cell site analysis tool such as the CSAS RF Survey module.

Table 9.19 Example of coverage survey results raw data, showing details of only the ‘target’ cell.

Longitude   Latitude    Cell ID  Status
−1.463342   52.521378   27165    0 – serving
−1.463342   52.521378   27165    0 – serving
−1.463257   52.521317   27165    0 – serving
−1.463257   52.521317   27165    0 – serving
−1.463257   52.521317   27165    0 – serving
−1.463257   52.521317   27165    0 – serving
−1.463257   52.521317   27165    0 – serving
−1.463170   52.521255   27165    0 – serving
−1.463170   52.521255   27165    0 – serving
−1.463170   52.521255   27165    1 – 1st neighbour
−1.463170   52.521255   27165    1 – 1st neighbour
−1.463170   52.521255   27165    1 – 1st neighbour
−1.463085   52.521198   27165    1 – 1st neighbour
−1.462998   52.521141   27165    0 – serving
Depending upon the level of detail required in the coverage map, it may be necessary to import three separate data sets into each manually created cell coverage map:
● The first data set shows the entire route driven during the survey and consists of just the GPS latitude/longitude data for the survey. The route would usually be represented on the map using small pushpins in a neutral colour.
● The second data set shows the locations of survey measurements where the target cell was detected as the first neighbour cell. These locations would usually be shown on the map using a larger pushpin and a different colour to the route pins.
● The last data set shows the locations of survey measurements where the target cell was detected as the serving cell. These locations would use the same size pushpins as for first neighbour locations but would be in a third colour.
● The map should contain a legend indicating the significance of each type and colour of pushpin shown.
An example of a completed cell coverage survey map where all three levels of data have been imported is shown in Figure 9.6. This type of map is usually the form in which the forensic radio survey product for cell coverage surveys is passed to the investigators or cell site analysts in a case and allows them to draw conclusions as to the area within which a target phone could have been located when making significant calls via that cell. Sometimes an outline or polygon is placed around the serving coverage area to make the derived service area explicitly clear.
Figure 9.6 Cell coverage survey map. [Legend: cell site location and approximate sector azimuth; route driven; target cell serves.] Source: Microsoft AutoRoute map reproduced with permission from Microsoft.
9.7.4 Route Profile Results

Like coverage survey results, the processed output of a route survey is usually a data set containing GPS fixes and serving cell details, which can then be turned into a map that indicates the progression of serving cells detected along a route. Unlike coverage survey data, which details the locations at which a specific target cell was selected as serving, route profile data usually lists numerous serving cells, depending upon the length of the surveyed route and the progression of coverage encountered along that route. Table 9.20 provides a generic example of a route profile raw data table. The raw data contained in such a table can then be converted into a more visual representation of serving coverage along a route by importing it into a mapping application such as Google Earth or QGIS or a dedicated cell site analysis tool like the CSAS RF Survey module. Depending upon the level of detail required in the route profile map, it may be necessary to import two separate data sets into each map:
● The first data set shows the entire route driven during the survey and consists of just the GPS latitude/longitude data for the survey. The route would usually be represented on the map using small pushpins in a neutral colour.
● The second data set shows the locations of survey measurements where cellular coverage was detected and should indicate the details of the serving cell at each point. These locations would usually be shown on the map using a larger pushpin and a different colour for each different serving Cell ID.
An example of a completed route profile survey map where both levels of data have been imported is shown in Figure 9.7. This type of map is usually the form in which forensic radio survey product for route profile surveys is passed to the investigators or cell site analysts in a case and allows them to draw conclusions as to the parts of a route within which a target phone could have been located when making particular significant calls.
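The following Python is an added example, not code from the book or from the CSAS RF Survey module. It pools rows from two constructed drive surveys laid out like Tables 9.19 and 9.20 (pooling first, as 9.4.3 recommends, so that a coverage ‘island’ found in only one survey is not lost), extracts the three data sets of a cell coverage map for a target cell, builds the per-serving-cell layers of a route profile, and writes both as KML that Google Earth or QGIS can open. Coordinates and cell IDs are constructed, as is the convention of an empty cell_id marking a fix with no service; the colour strings follow KML's aabbggrr ordering.

```python
"""Export pooled drive-survey data as KML layers for a coverage map or route profile."""
import csv
import io
import xml.etree.ElementTree as ET

KML_NS = "http://www.opengis.net/kml/2.2"
# KML colours are aabbggrr (alpha, blue, green, red), not the more familiar rrggbb.
ROUTE_COLOUR, NEIGHBOUR_COLOUR, SERVING_COLOUR = "ff999999", "ff00ffff", "ff0000ff"
PALETTE = ["ff0000ff", "ff00ff00", "ffff0000", "ff00ffff", "ffff00ff", "ffffff00"]

# Constructed raw data in the shape of Tables 9.19 and 9.20: one row per fix and cell,
# status 0 = serving, 1 = first neighbour. An empty cell_id marks a fix with no service.
SURVEY_1 = """lon,lat,cell_id,status
-1.463342,52.521378,27165,0
-1.463257,52.521317,27165,0
-1.463170,52.521255,27165,0
-1.463170,52.521255,27165,1
-1.463085,52.521198,6785,0
-1.463085,52.521198,27165,1
-1.462998,52.521141,6785,0
"""
SURVEY_2 = """lon,lat,cell_id,status
-1.462905,52.521084,6785,0
-1.462894,52.521057,6784,0
-1.462859,52.521076,33145,0
-1.462832,52.521051,,0
-1.462817,52.521039,27165,0
-1.462802,52.521028,33145,0
"""

def load_surveys(*texts):
    """Pool several drive surveys into one row list before any per-cell filtering."""
    rows = []
    for idx, text in enumerate(texts, 1):
        for r in csv.DictReader(io.StringIO(text)):
            rows.append({"survey": idx, "lon": float(r["lon"]), "lat": float(r["lat"]),
                         "cell_id": r["cell_id"].strip(), "status": int(r["status"])})
    return rows

def unique_fixes(rows):
    """Distinct (lon, lat) fixes in driven order; repeated events at one fix collapse."""
    seen, fixes = set(), []
    for r in rows:
        fix = (r["lon"], r["lat"])
        if fix not in seen:
            seen.add(fix)
            fixes.append(fix)
    return fixes

def target_cell_layers(rows, target):
    """The three data sets of a cell coverage map: route, first-neighbour fixes, serving fixes."""
    return {
        "route": unique_fixes(rows),
        "first_neighbour": unique_fixes(r for r in rows if r["cell_id"] == target and r["status"] == 1),
        "serving": unique_fixes(r for r in rows if r["cell_id"] == target and r["status"] == 0),
    }

def serving_sequence(rows):
    """(lon, lat, serving cell) at each fix in driven order; '' means no coverage."""
    return [(r["lon"], r["lat"], r["cell_id"]) for r in rows if r["status"] == 0]

def _document(title):
    root = ET.Element("kml", xmlns=KML_NS)
    doc = ET.SubElement(root, "Document")
    ET.SubElement(doc, "name").text = title
    return root, doc

def _style(doc, sid, colour, scale):
    icon = ET.SubElement(ET.SubElement(doc, "Style", id=sid), "IconStyle")
    ET.SubElement(icon, "color").text = colour
    ET.SubElement(icon, "scale").text = str(scale)

def _folder(doc, name, points, sid):
    folder = ET.SubElement(doc, "Folder")
    ET.SubElement(folder, "name").text = name
    for lon, lat in points:
        pm = ET.SubElement(folder, "Placemark")
        ET.SubElement(pm, "name").text = name
        ET.SubElement(pm, "styleUrl").text = "#" + sid
        ET.SubElement(ET.SubElement(pm, "Point"), "coordinates").text = f"{lon},{lat},0"

def coverage_kml(rows, target):
    """Small grey route pins, larger pins where the target cell was first neighbour or serving."""
    root, doc = _document(f"Cell {target} coverage survey")
    for sid, colour, scale in (("route", ROUTE_COLOUR, 0.4), ("first_neighbour", NEIGHBOUR_COLOUR, 0.9),
                               ("serving", SERVING_COLOUR, 0.9)):
        _style(doc, sid, colour, scale)
    for sid, fixes in target_cell_layers(rows, target).items():
        _folder(doc, sid, fixes, sid)
    return ET.tostring(root, encoding="unicode")

def route_profile_kml(rows):
    """Route pins plus one folder and colour per serving cell (and one for 'No coverage')."""
    seq = serving_sequence(rows)
    root, doc = _document("Route profile")
    _style(doc, "route", ROUTE_COLOUR, 0.4)
    _folder(doc, "route", unique_fixes(rows), "route")
    for i, cell in enumerate(sorted({c for _, _, c in seq})):
        sid = f"cell_{cell or 'none'}"  # style ids must be valid XML IDs, so no spaces
        _style(doc, sid, PALETTE[i % len(PALETTE)], 0.9)
        _folder(doc, cell or "No coverage", [(lon, lat) for lon, lat, c in seq if c == cell], sid)
    return ET.tostring(root, encoding="unicode")

def folder_counts(kml):
    """Parse a KML string back and return {folder name: number of placemarks} as a check."""
    ns = {"k": KML_NS}
    return {f.findtext("k:name", namespaces=ns): len(f.findall("k:Placemark", ns))
            for f in ET.fromstring(kml).iter(f"{{{KML_NS}}}Folder")}

if __name__ == "__main__":
    pooled = load_surveys(SURVEY_1, SURVEY_2)
    print(folder_counts(coverage_kml(pooled, "27165")))
    print(folder_counts(route_profile_kml(pooled)))
```

Writing the returned strings to .kml files and opening them in Google Earth gives the three-layer coverage map of Figure 9.6 and the per-cell route profile of Figure 9.7, legend included via the folder names. Because the surveys are pooled before filtering, the single fix in the second survey where cell 27165 served is kept as an island on the coverage map rather than being dropped with that survey.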
9.7.5 Summary of Survey Best Practice

A summary of the suggested best practice for forensic radio surveys is as follows:
● Survey safety recommendations should be followed at all times.
● Detailed survey preparation information should be available to the surveyor, including target cell list, cell addresses and azimuths and a cell locations/crowd-sourced coverage map.
Table 9.20 Example of route survey results raw data showing a succession of serving cells along a surveyed route.

Longitude   Latitude    Cell ID  Status (serving)
−1.462905   52.521084   27165    0
−1.462897   52.521064   27165    0
−1.462894   52.521057   6785     0
−1.462871   52.521062   6785     0
−1.462862   52.521067   6785     0
−1.462859   52.521076   6784     0
−1.462848   52.521071   6784     0
−1.462834   52.521068   6785     0
−1.462832   52.521055   6784     0
−1.462832   52.521051   6784     0
−1.462825   52.521043   6784     0
−1.462817   52.521039   33145    0
−1.462811   52.521032   33145    0
−1.462802   52.521028   33145    0
Figure 9.7 Route profile survey map. [Labels: Cell 5432 serving; Cell 9876 serving; Cell 2468 serving; No network coverage; Cell 1234 serving.] Source: Microsoft AutoRoute map reproduced with permission from Microsoft.
● Idle Mode should be employed for spot/location surveys, supplemented by Connected Mode test calls/pings if the expected serving cells are not detected in Idle Mode.
● Connected Mode test calls/pings can also be made at locations to prove specific points, such as the use of cells as ‘end cells’ and the likelihood of them being used for handovers.
● 3G test calls should last for up to 1 min (if call length is controllable) to provide a decent opportunity for any ‘soft handover only’ cells to be selected.
● ‘Static’ location surveys are likely to be less representative than non-static ‘location coverage’ surveys.
● Surveys should capture measurements of the same network/technology using multiple devices, if possible, and then combine the results into one overall set of measurements.
● Location surveys will be more representative if captured over a relatively long duration of at least 10 min.
● If spot/location surveys are conducted using a drive survey, the vehicle should spend a reasonable proportion of the survey duration in the immediate vicinity of the address being surveyed.
● Expected but non-detected cells should be investigated, by visiting the cell site if necessary.
● Lock-on or channel scan surveys could be undertaken if required (and if supported by the survey device) to capture Cell ID details of 3G/4G/5G neighbours and other ‘missing’ Cell IDs and to provide a general audit of detected cells.
● Cell coverage surveys should be undertaken in Idle Mode only.
● Route profile surveys should be undertaken in Idle Mode, supplemented by Connected Mode test calls/pings in specific circumstances, such as to prove the use of ‘end cells’.
● Contemporaneous notes should be taken and post-survey reports compiled.
9.8 Cell Site Analysis

Cell site analysis (or cell tower tracking, as it is sometimes known in the United States) attempts to provide evidence of approximately where a mobile phone may have been located when certain calls were made or, for live investigations, an indication of approximately where a phone is currently located. It is a useful tool for investigators and is based on a combination of network-provided CDR data and forensic radio survey results.
9.8.1 Limitations of Cell Site Analysis

Cell site evidence often works best as supporting evidence or as evidence that links and amplifies other evidence. On its own, cell site evidence is generally considered to be too open to interpretation to be used as the sole or the primary evidence in a case, if the allegations in the case are attempting to link a suspect to a specific location at a specific time. There have been cases where the cell site evidence was so strong that it could be used as the primary evidence, and there are scenarios discussed below in which this is explored, but there are dangers inherent in using cell site evidence in this way.
9.8.2 Components of Cell Site Analysis
A summary of the main types of input and output information related to cell site analysis was provided at the start of this chapter. The following sections outline some of these elements in more detail and deal with the input forms of source information – call records, cell address details and forensic radio survey results – and also look at the output cell site analysis ‘product’ of cell site reports, call schedules and map presentations.
9.8.2.1 Call Detail Records
CDRs are generally produced every time a user makes or receives a call, sends or receives a text message (as long as they used traditional cellular voice call and SMS services; calls/texts sent via an ‘over the top’ Internet messaging app such as WhatsApp won’t appear in cellular CDRs), or connects to a data service. Some records might also be produced in relation to network events such as attaches, location updates and detaches. Network operators provide CDRs in a wide variety of different formats, and the formats employed by different operators provide a wide variety of information. Generally, each CDR contains some or all of the following:
● Date and time of start of call/text/data session
● Duration of call/data session
● Type of Service, for example, voice call, SMS, MMS, data and so on
● Originating MS-ISDN (the ‘A’ or ‘Calling’ number)
● Terminating MS-ISDN (the ‘B’ or ‘Called’ number)
● International Mobile Subscriber Identifier (IMSI) and International Mobile Equipment Identifier (IMEI) – not always provided
● Serving Cell ID and LAC (at start of call)
● Serving Cell ID and LAC (at end of call) – not always provided
● Cell site names, postcodes, GPS coordinates or map reference – not always provided
● Cell Azimuth – not always provided
GPRS (or data) CDRs often use a different format but provide much the same level of information as voice CDRs and may also contain details of the IP address assigned to the phone for the data session. They may also provide details of the APN (Access Point Name) or DNN (Data Network Name) used for each session.
9.8.2.2 Cell Address Details
As with CDR formats, operators have a wide variety of reporting formats used to supply cell address details; typically, however, they will supply some or all of the details listed below:
● Cell ID or full CGI (MCC, MNC, LAC, CI)
● Site name
● Site address and post/zip code
● Site GPS latitude/longitude or map grid reference
● Cell azimuth and beamwidth
● Cell technology (2G, 3G, 4G, 5G, WIFI)
● Cell type – macro, micro, femto
● Date on which this set of details became valid
Investigators often request details for multiple cells as part of the same enquiry and the results are often batched into one report or spreadsheet.
9.8.2.3 Cell Site Reports
The structure of a full cell site report is largely down to the personal preference of the analyst or expert responsible for writing it, but most reports follow a similar pattern, the sections of which are outlined below:
● Introduction
● Case Details
● Executive Summary or Critical Findings Summary
● Cell Site Explanation
● Summary of Source Data
● Continuity Statement
● Significant Locations
● Forensic Radio Survey Details
● Main Report Section
● Conclusions
● Summary and Declaration.
9.8.2.4 Call Schedules
Cell site reports are usually enhanced by the preparation of call tables or call schedules. These collate the relevant call records from the target phones in the case and present them in a combined and coherent document. Each network operator provides call records in their own format, and the formats used by the operators can be very different. This makes it difficult to compare calls made by phones belonging to different networks, so cell site analysts often spend large proportions of their time processing (also known as ‘normalising’, ‘cleansing’, ‘tidying’ or ‘parsing’) call records into a common format. This process can be very time-consuming if conducted manually (and is also open to inevitable human error), so many organisations have developed their own data processing tools and macros or use a commercial data cleansing product such as Forensic Analytics’ CSAS or Chorus Intelligence’s Chorus Intelligence Suite software application to process call data automatically. Call tables are usually prepared using Microsoft Excel and are often presented in court in printed A3-sized booklets. Colours are usually assigned to each significant phone number, and that colouration is employed to make the phones more identifiable in the call tables. As cell site evidence works to identify the possible locations of a mobile device, rather than attempting to identify the user of that device, many report writers attempt to separate the subject phone from the alleged user – this also provides an additional method for avoiding the possibility of confirmation bias. To achieve this, instead of referring to a phone or phone number as ‘the Smith phone’ or ‘Smith-1234’, significant phone numbers are sometimes identified using a combination of the colour assigned to the phone and the last three or four digits of the mobile number, ‘Blue-1234’ or ‘Red-2468’ for example. 
Other common methods for referring to subject phone numbers in an anonymised way include showing them as the letter T (for ‘telephone’) followed by the last three or four digits – T1234 or T246, for example. In cases that cover multiple phones, where several phones might be attributed to the same individual, analysts often assign a ‘colour per person’ to allow phones attributed to the same individual to be easily grouped and identified.
9.8.2.5 Maps and Graphics
Mapping, graphics and animation presentations are often used to make the evidence presented in cell site reports simpler to understand.
Many experts use a set of graphical slides to provide juries with a basic overview of cell site concepts, which usually mirrors the information presented at the start of the expert’s report and is often presented to the jury at the start of the expert’s evidence.
The substantive part of a mapping presentation often begins with a slide that provides an overview of the significant locations in the case and their geographical relationship to each other. An analyst or expert witness will then usually produce a separate map to represent each batch of calls dealt with in the accompanying report. The map will be zoomed in to the general area of the cell sites used by each batch of calls and will typically have icons showing the cell locations, labels detailing the cell name and Cell ID and call labels providing basic details of the calls under discussion. Cell icons and cell details labels are often coloured to match the attribution colour assigned to the target phone that used that cell – so, for example, the cell label for a cell used by the Blue-1234 phone would be coloured blue. Maps that detail the cell usage of several target phones might maintain this convention or might colour the cell labels in a neutral colour to indicate that they were used by multiple phones.
Call labels are included in maps to tie the information presented in the map to the cell site report and the call schedule. Different experts and agencies favour their own preferred label format, but the example shown in Figure 8.12 has labels that contain the following data:
● Call index number (based on call schedule numbering)
● Index number is coloured to show the target phone to which the event relates
● Time of call start
● Abbreviated ‘subject party’ and/or ‘other party’ numbers
● Event type – SMS, Call, GPRS
● Indication of whether the event was outgoing (>) or incoming (<)
Figure 9.15 Example cell site map (slide ‘Map 7’). Source: Microsoft AutoRoute map reproduced with permission from Microsoft, CSAS map content reproduced with permission from Forensic Analytics Ltd.
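As an added example (not code from the book, nor from the CSAS or Chorus tools it mentions), the following Python normalises two constructed operator CDR extracts in different layouts into one common format as described in 9.8.2.4, joins in cell address details of the kind listed in 9.8.2.2, and renders the anonymised phone labels (‘Blue-1234’, ‘T1234’) and the call and cell labels described above. The operator layouts, phone numbers, colours and the West Ham cell details are assumptions; the London East / E1 7SD / 28762 / 240° cell is the one shown in Figure 9.16.

```python
"""Normalise two constructed operator CDR extracts into one call schedule.

Added example, not code from the book or the CSAS/Chorus tools it mentions. Both
operator layouts, phone numbers (UK drama range 07700 900xxx), colours and the West
Ham cell are constructed; London East / E1 7SD / 28762 / 240 deg is from Figure 9.16.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime

# Operator A (constructed): CSV, full CGI string, service field carries the leg
# (MO = mobile originated, MT = mobile terminated).
OPERATOR_A = """\
Call Date,Call Time,Duration,Service,Calling Number,Called Number,First Cell CGI
10/03/2023,20:01:42,0,SMS-MO,447700900991,447700906135,234-15-1234-28762
10/03/2023,20:14:49,183,VOICE-MT,447700906135,447700900991,234-15-1234-28762
"""
# Operator B (constructed): semicolon separated, subject number always in 'msisdn',
# direction as O/I, LAC and CI in separate columns.
OPERATOR_B = """\
start_ts;dir;type;msisdn;other;lac;ci
2023-03-10 20:15:59;O;TXT;447700900187;447700909010;1234;31008
2023-03-10 21:38:11;I;TXT;447700900187;447700909010;1235;7816
"""
# Cell address details keyed by (LAC, CI): site name, postcode, azimuth.
# (1235, 7816) is deliberately absent: the operator has not supplied it yet.
CELL_ADDRESSES = {
    (1234, 28762): ("London East", "E1 7SD", 240),
    (1234, 31008): ("West Ham", "E13 9AA", 120),
}
COLOURS = {"447700900991": "Blue", "447700900187": "Red"}  # constructed attribution colours


@dataclass
class Event:
    """One record in the common format every operator extract is mapped to."""
    start: datetime
    event_type: str   # Voice, SMS or GPRS
    direction: str    # '>' outgoing, '<' incoming
    subject: str      # MSISDN of the target phone the extract relates to
    other: str        # MSISDN of the other party
    lac: int
    ci: int
    duration_s: int = 0


def parse_operator_a(text):
    """Map operator A rows to Events; the subject is the A number for MO, B for MT."""
    events = []
    for r in csv.DictReader(io.StringIO(text)):
        service, leg = r["Service"].split("-")
        outgoing = leg == "MO"
        subject, other = ((r["Calling Number"], r["Called Number"]) if outgoing
                          else (r["Called Number"], r["Calling Number"]))
        _mcc, _mnc, lac, ci = r["First Cell CGI"].split("-")
        start = datetime.strptime(r["Call Date"] + " " + r["Call Time"], "%d/%m/%Y %H:%M:%S")
        events.append(Event(start, {"VOICE": "Voice", "SMS": "SMS", "DATA": "GPRS"}[service],
                            ">" if outgoing else "<", subject, other,
                            int(lac), int(ci), int(r["Duration"])))
    return events


def parse_operator_b(text):
    """Map operator B rows to Events (subject number and direction are explicit)."""
    events = []
    for r in csv.DictReader(io.StringIO(text), delimiter=";"):
        events.append(Event(datetime.strptime(r["start_ts"], "%Y-%m-%d %H:%M:%S"),
                            {"CALL": "Voice", "TXT": "SMS", "DATA": "GPRS"}[r["type"]],
                            ">" if r["dir"] == "O" else "<", r["msisdn"], r["other"],
                            int(r["lac"]), int(r["ci"])))
    return events


def phone_label(msisdn, colours=COLOURS):
    """'Blue-0991' for an attributed phone, 'T4228' for one with no colour assigned."""
    colour = colours.get(msisdn)
    return f"{colour}-{msisdn[-4:]}" if colour else f"T{msisdn[-4:]}"


def cell_label(lac, ci, detailed=True):
    """Detailed label (name, postcode, Cell ID, azimuth) or abbreviated 'name (CI)'."""
    site = CELL_ADDRESSES.get((lac, ci))
    if site is None:
        # Never guess a site location: flag it so the address details get requested.
        return f"Cell ID {ci} (LAC {lac}) [address details not supplied]"
    name, postcode, azimuth = site
    return f"{name} {postcode} Cell ID {ci} ({azimuth}°)" if detailed else f"{name} ({ci})"


def call_label(index, ev):
    """Call label as used on map slides: index, start time, other party, type, direction."""
    return f"{index} {ev.start:%H:%M:%S} {ev.other[-4:]} {ev.event_type} {ev.direction}"


def build_schedule(extracts):
    """Merge the parsed extracts into one chronological, indexed call schedule."""
    events = sorted((e for ex in extracts for e in ex), key=lambda e: e.start)
    return [{"index": i, "start": ev.start, "phone": phone_label(ev.subject),
             "call_label": call_label(i, ev), "cell": cell_label(ev.lac, ev.ci),
             "cell_known": (ev.lac, ev.ci) in CELL_ADDRESSES}
            for i, ev in enumerate(events, start=1)]


if __name__ == "__main__":
    for row in build_schedule([parse_operator_a(OPERATOR_A), parse_operator_b(OPERATOR_B)]):
        print(row["phone"].ljust(9), row["call_label"].ljust(26), row["cell"])
```

A cell whose address details have not been supplied is flagged in the schedule rather than located, so the gap is visible before any map is drawn.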
9.17 Cell Site Mapping Presentation
The content of a cell label might differ depending on the type of map slide that it is being created for. In the case of maps that show details of target phones when they are alleged to have been located at a particular address and which show details of only the cell(s) that serve at that address, cell labels are generally very detailed and might, for example, show cell name, postcode, Cell ID and azimuth. This is illustrated in the left-hand label in Figure 9.16. Labels for maps designed to show the potential movement of target phone(s) around an area that contains details of several cell sites might use the more abbreviated format shown in the example on the right-hand side of Figure 9.16. In all cases, the cell label is there to provide context for the calls and to indicate the location of the cell sites used by the target phones. It should be noted that the information shown on cell site maps almost always shows the location of the cell sites used by target phones; they do not usually indicate the location of the target phone itself when those calls were made.
Figure 9.16 Cell detail labels (detailed label: ‘London East, E1 7SD, Cell ID 28762 (240°)’; abbreviated label: ‘London East (28762)’). Source: CSAS cell labels reproduced with permission from Forensic Analytics Ltd.
Call labels are designed to provide details of the calls that take place during the period covered by a map slide. As shown in Figure 9.17, analysts can choose between a variety of designs and styles of label, which offer more or less information depending upon the scale of the map they are intended to be displayed on. Typically, the minimum amount of information contained in a call label is the call index number and the time. The identity of the target phone to which the call relates is usually inferred from the colour applied to the call index number, which will match the colour assigned to that phone. Less abbreviated formats might also include details of the type of event (call, SMS, GPRS), the other phone number involved in the call and the direction of the call (using ‘>’ to signify an outgoing call and ‘<’ to signify an incoming call).
Figure 9.17 Cell detail labels (detailed version: call index, start time, other phone, call type, direction; abbreviated version: call index, start time). Source: CSAS cell labels reproduced with permission from Forensic Analytics Ltd.
Figure 9.18 Location detail map (slide ‘Map 3’). Source: Microsoft AutoRoute map reproduced with permission from Microsoft, CSAS map content reproduced with permission from Forensic Analytics Ltd.
Figure 9.19 Travel between locations map (slide ‘Map 4’, exhibit header ‘R v Smith, Jones, Williams & Johnson, Exhibit Ref: JLH1’; locations shown: Red Lion pub car park and Flat 16, 24 Matlock St; cells West Ham 31008 and Royal Docks 7816/7817). Source: Microsoft AutoRoute map reproduced with permission from Microsoft, CSAS map content reproduced with permission from Forensic Analytics Ltd.
Figure 9.20 General pattern of travel map (slide ‘Map 2’, exhibit header ‘R v Smith, Jones, Williams & Johnson, Exhibit Ref: JLH1’; locations shown: 14 Preston Hill, Flat 16, 24 Matlock St, 292 Chapter Rd and Red Lion pub car park). Source: Microsoft AutoRoute map reproduced with permission from Microsoft, CSAS map content reproduced with permission from Forensic Analytics Ltd.
9 Summary and Practical Activities
9.18 Summary
Cell site analysis can provide compelling additional evidence to criminal investigators. It can highlight the possible locations of target/subject phones during significant phone calls and can be used to support or cast doubt on alibis and witness accounts. Call record data on its own is generally too imprecise to be used for anything more than a high-level analysis of a case – for example, it can answer broad questions such as ‘was this phone in the east of London during this call?’ For cell site analysis to be able to answer low-level questions – such as ‘could this phone have been at this specific address?’ – investigators also need to employ forensic radio survey techniques. Forensic radio surveys add detail and depth to the investigator’s understanding of where target phones may have been located. The data provided by radio surveys adds forensic rigour to the discipline and ensures that the conclusions drawn by investigators can be backed up with testable evidence. Cell site analysis has a number of limitations in the accuracy and certainty it can provide in its conclusions, but those limitations are rendered less severe by the addition of forensic radio survey evidence to a case. It should be borne in mind that cell site analysis is a technique that can be as useful to the defence as it is to the prosecution and that it has as much power to support a person’s alibi as it does to indicate their potential involvement in a crime.
9.19 Further Reading
Multiple technical specifications have been referenced throughout the preceding text; those specifications and selected others are presented below, along with a short bibliography of reference works.
9.19.1 3GPP Technical Specifications
3GPP specifications are available from https://www.3gpp.org/ftp/Specs/latest/
General
21.905 Vocabulary for 3GPP Specifications – 3GPP glossary
22.011 Service Accessibility – Access Class Barring
23.002 Network Architecture – overview of architecture
23.003 Numbering, Addressing and Identification – node names and identifier formats
23.122 NAS functions in Idle Mode – all generations, cell selection/reselection
25.923 Report on Location Services – overview of location-based services
37.320 Minimisation of Drive Testing – MDT Overview
37.900 Multi-RAT base stations – single RAN base stations
2G GSM
43.022 Functions related to MS in Idle Mode – C1, C2 processes
45.001 Physical Layer on the Radio Path – TDMA air interface
45.005 Radio Transmission & Reception – channels, ARFCNs
45.008 Radio Subsystem Link Control – radio procedures
3G UMTS
25.101 UE Transmission and Reception – maximum UE transmit power
25.104 BS Transmission and Reception – channels, bands, UARFCNs
25.133 Requirements for Radio Resource Management – 3G idle & connected modes
25.215 Physical Layer Measurements – RSCP, Ec/No
25.304 UE Procedures in Idle Mode – S and R algorithms
25.331 Radio Resource Control – 3G RRC, BCCH, SIBs
25.401 UTRAN Overall Description – 3G RAN overview
25.707 Multi-carrier Enhancements for UMTS – 3G carrier aggregation
4G LTE
22.179 Mission Critical Push to Talk – emergency services network features
23.216 Single Radio Voice Call Continuity – SRVCC
23.272 Circuit Switched Fallback – CSFB
23.228 IP Multimedia Subsystem – IMS
23.401 GPRS Enhancements for EUTRAN Access – 4G core network overview
23.402 Non-3GPP Access – WIFI and VoWIFI access
24.229 IP Multimedia Call Control – SIP and SDP in IMS
24.301 Non-Access Stratum Signalling – NAS signalling for 4G
36.211 Physical Channels and Modulations – PCIs, modulation schemes
36.213 Physical Layer Procedures – cell and radio procedures
36.214 Physical Layer Measurements – RSRP, RSRQ
36.104 BS Radio Transmission and Reception – channels, bands, EARFCNs
36.300 EUTRA and EUTRAN Overall Description – 4G RAN overview
36.304 UE Procedures in Idle Mode – S and R algorithms
36.321 E-UTRA MAC Protocol – MAC scheduler
36.331 Radio Resource Control – 4G RRC, BCCH, SIBs
36.413 S1 Application Protocol – 4G access network signalling
5G NR
23.501 System Architecture for 5G System – overall architecture
24.501 Non-Access Stratum Signalling for 5G – 5G NAS signalling
28.530 Network Slicing use cases and requirements – network slicing overview
33.501 Security Architecture and Procedures for 5G System – SUPI/SUCI process
37.340 EUTRA and NR Multi-connectivity – Dual Connectivity
38.211 Physical Channels and Modulations – PCIs, modulation schemes
38.215 Physical Layer Measurements – SS-RSRP, SS-RSRQ
38.104 BS Radio Transmission and Reception – channels, bands, NR-ARFCNs
38.300 NG-RAN Overall Description – 5G RAN overview
38.304 UE Procedures in Idle Mode – S and R algorithms
38.305 UE Positioning in NG-RAN – 5G location-based services
38.331 Radio Resource Control – 5G RRC, BCCH, SIBs
38.401 NG-RAN Architecture Description – 5G RAN nodes and functions
38.413 NG-RAN: NG Application Protocol (NGAP) – 5G access network signalling
9.19.2 Bibliography
GSM Switching, Services and Protocols – Eberspacher, Vogel, Bettstetter – Wiley 2001
WCDMA for UMTS: HSPA Evolution and LTE – Holma, Toskala – Wiley 2010
An Introduction to LTE – Cox – Wiley 2014
LTE in Bullets – Johnson – CreateSpace 2012
An Introduction to 5G – Cox – Wiley 2020
NR in Bullets – Johnson – Independently published via Amazon 2019
Index a
amplitude 5, 9, 140, 312 analogue transmission 8, 23
b
bandwidth 5, 11, 39, 106, 120, 140, 145, 174 binary & hexadecimal 65, 314 Bluetooth 178, 181, 233, 304 Bluetooth Classic 178 Bluetooth Low Energy (BLE) 178, 181 Bluetooth Profiles 179
c
call detail records (CDR) 1, 49, 54, 115, 131, 259, 264, 271, 278, 300, 308, 343, 348 cell address details 280, 287, 343, 346, 352 cell/tower dumps 281, 307 device data record (DDR) 79, 273, 280 GPRS/PS data CDRs 272, 274–79, 299, 343 normalising CDRs 270, 348–52 phantom GPRS sessions 278, 299 voice CDRs 272 CDMA concepts cell breathing 111 channelisation codes 105, 112, 161 chips 105, 171, 303 CPICH 112, 322 pilot channel 112, 162–64, 324 scrambling codes 64, 72, 105–6, 113, 116, 161, 303, 322 spreading codes 105, 303 walsh codes 161 cell confidence 277 cell discrimination 2G cell global identities 64, 66, 87, 101, 115, 321 3G cell global identities 64, 66, 114, 322 3G SAC 115 4G evolved CGI 65, 66, 127, 325 5G new radio CGI 65, 66, 148–50, 327 BSIC 62, 64, 97–98, 100–2, 254, 306, 321, 337
BSID/BID 65, 159, 164–66, 324 CDMA2000 cell global identities 64, 164 cell discrimination 64, 102, 117, 128, 149, 165, 168, 321, 322, 324, 325, 327 PCI (4G) 127–29, 225 PCI (5G) 148–50, 256, 325, 327 physical layer cell IDs (generic) 64, 71–72, 211, 225 PN offset 161–66, 255, 324 primary scrambling code (PSC) 64, 72, 106, 116–17, 226, 247, 255, 322 cell selection/reselection BA lists 94, 97, 203 C1 algorithm 77, 81, 94–95, 99, 103, 169 C2 algorithm 81, 96–97, 99, 103, 169, 205, 246 cell selection priority 82, 203, 306 Idle Mode behaviour 73, 82, 108, 203, 210, 217, 226, 246 neighbour cell lists (NCL) 82, 97, 110, 203, 246 PLMN selection 76, 94 R algorithm 81, 107, 122, 143 S algorithm 77, 106, 121, 142 cell site analysis 1, 191, 198, 250, 259 attribution 191, 266, 299, 348 batching calls for analysis 288 call cluster analysis 262 combining with other evidence 264 high‐level analysis 67, 261, 285, 346 limitations 260, 282, 285, 287, 298, 308, 343, 362 low‐level analysis 262, 352, 362 regulation 267 cell site analysis reports 286 call schedules 260, 291, 343, 344 case details table 286, 344 cell site maps 198, 213, 222, 228, 260, 270, 292, 344, 352, 359 cell site reports 286–91, 297, 298, 344 conclusions 1, 195, 260, 262, 276, 289–90 creating call & cell labels 358–59 creating mapping presentations 359–61 defence reports 297
Forensic Radio Survey Techniques for Cell Site Analysis, Second Edition. Joseph Hoy. © 2024 John Wiley & Sons Ltd. Published 2024 by John Wiley & Sons Ltd.
cell site analysis reports (cont’d) end‐to‐end process 346 events/locations list 347 overall cell map 352 overall cells list 352 peer review 295, 345 source files attribution list 348 streamlined forensic reports 286, 291 cell site analysis software tools 229, 231, 232, 238, 248, 348 cell site analysis techniques 262, 264 cell site simulator 306 cell size 36, 46, 69, 93, 142, 302 cellular bands & channels 10, 12, 30, 61, 312 ARFCN 61, 97–99, 102, 169, 247, 254, 321 band class 61, 163–64, 167, 255, 324 CDMA2000 channel numbers 61, 164, 324 EARFCN 61, 126, 128, 247, 255, 325 UARFCN 61, 100, 113–17, 171, 247, 254, 322 NR‐ARFCN 62, 146–49, 247, 256, 327 cellular network generations 21 0G 22, 25, 183 1G 22, 25, 99 2G 12, 18, 23, 25, 29, 35, 37, 51, 64, 71, 78, 91–102, 131, 157, 168, 169, 170, 254, 302, 313, 321 2.5G 23, 25, 91, 157, 321 2.75G 23, 25, 91, 321 3G 12, 18, 23, 25, 27, 29, 38, 51, 64, 103–17, 131, 158–67, 171, 254, 303, 313, 321, 322–23 3.5G 24–25, 91, 103, 158, 166, 322, 324 4G 12, 18, 24–26, 28, 29, 39, 51, 64, 66, 91, 118–135, 172, 323 4.5G 25, 91, 133 5G 12, 18, 21, 24–25, 28, 29, 52, 134–53, 323 5.5G 25, 91, 153 6G 12, 25, 153 cellular network types 5G Non‐Standalone (NSA) 24, 26, 40, 52, 134–35 5G Standalone (SA) 24, 52, 60, 134–36, 138, 152 AMPS 22 CDMA2000 1x 28, 158–67, 255, 323 cdmaOne/IS95 23, 26, 28–29, 38, 65, 157, 255, 324 Cellular V2X 187 D‐AMPS/IS136 23, 26, 38 EC‐GSM‐IoT 91, 182 EDGE 23, 25, 91, 98, 321 EVDO 121, 157–58, 166–67, 324 FRMCS 28, 134, 153 FWA 27–28, 172 GPRS 23, 25, 51, 55, 91, 274–78, 321 GSM 23, 25, 28, 51, 91–102, 170, 254, 321 GSM‐R 28, 170 HSPA/HSPA+ 24–25, 29, 91, 103–18, 322
iDEN 23, 27, 29, 38, 168 LPWA networks 181–83 LTE 21, 24–26, 28, 29, 39, 51, 64, 91, 118–35, 255, 323 LTE‐Advanced 24, 91, 133, 325 LTE‐Advanced Pro 24, 26, 91, 133, 325 LTE‐M 118, 182 LTE‐U 13 NB‐IoT 118, 182 NR 24, 28, 29, 39, 135–53, 255, 323 P25 134, 169 PDC 23, 38, 169 TD‐SCDMA 24, 27, 29, 130, 171, 322 TETRA 28, 29, 100, 134, 169 UMTS 21, 23, 25, 29, 64, 91, 103–17, 171, 254, 321 WIMAX/802.16 24, 27, 29, 39, 118, 172 WLL 28, 29 cellular radio measurements Ec/Io 113, 163, 167, 255, 324 Ec/No 113, 171, 254, 322 RSCP 113, 163, 167, 171, 254, 255, 322, 324 RSRP 121, 129, 150, 255, 325 RSRQ 121, 129, 150, 255, 325 RSSI 18, 81, 103, 113, 129, 150, 169, 170, 171, 172, 176, 179, 254, 255, 256, 322, 324, 325, 327 RXLev 18, 94–95, 102–3, 168, 254, 321 RXQual 103 SINR 129, 151 SS‐RSRP 143, 150, 255, 327 SS‐RSRQ 143, 150, 256, 327 closed access groups 75 closed subscriber groups 75, 202, 246 connected mode 80, 83, 88, 201, 202, 204, 251 continuity of evidence 248, 287–88, 295, 300 core networks 50–52 4G PS core 51, 118, 134, 151 5GC 5G core network 24, 52, 135–38, 144, 151, 153 AMF 44, 52, 60, 138 APN 51, 131, 272, 274, 343 AUSF 52, 137, 139 circuit switched (CS) core 41, 51, 53, 104 EIR 51, 58, 60, 159 DNN 52, 272, 274, 343 HLR/HSS 44, 51, 56, 59, 77, 79, 137, 158 IMS 52, 53, 119, 131, 138, 151, 175, 274, 282 Interconnects 50, 55 IPX 55 GGSN 51, 54, 55, 138, 275 LCS/LMF 301 LIG 54, 300 MME 52, 60, 119, 135, 138 MSC/MSC Server 51, 92, 104, 158, 160, 271 Network slicing 60, 86, 137, 151–53, 246
Non‐terrestrial networks (NTN) 29, 186 NSSF 137 PDSN 159 PGW/PDN‐GW 52, 119, 131, 138 Packet Switched (PS) core 41, 51, 104 SGSN 44, 51, 54, 55, 60, 92, 104, 138 SGW 52, 119, 138 SIP/SDP 53 SMF 52, 137–38 SMSC 51, 175, 271 UPF 52, 138 VLR 44, 51, 57, 60, 96, 138, 159, 160 court presentations 297 cross examination 299 evidence‐in‐chief 297 witness of fact 296 witness of opinion 296 CS fallback (CSFB) 130–31, 151, 166, 209, 246 cycle per second see hertz
d
data bearers concurrent 274 charging IDs 276–77 EPS bearer 52, 119, 131 PDP context 51 QoS flow 52 decibel milliwatts (dBm) 14–19, 94–97, 99, 102–3, 107, 113, 121–22, 129, 143, 150, 163, 168–72, 176, 179, 180, 182, 228, 254–56, 311–13, 321–27 decibels (dB) 14–19, 67, 96, 111, 113, 121, 129, 143, 150, 163, 172, 182, 193, 208, 254–56, 311–12, 322–27 delay spread 7, 141 digital transmission 9–10, 157 dominance & non‐dominance 73–74, 193, 240, 245, 337 Duplex techniques 37–38 FDD 33, 37, 61, 93, 100, 124, 130, 139, 146, 151, 171, 182, 184, 321–25 HD‐FDD 182 TDD 33, 38, 61, 105, 124, 130, 142, 145–47, 151, 171, 182, 322–29
e
Electronic/offender tagging 245 forensic radio surveys 1, 71, 74, 167, 176, 191–256, 261, 284–85, 287, 308, 329–42 all‐network profile surveys 196–97, 219, 241, 331, 338 band locks 109, 203, 212, 218, 245, 252 cell coverage surveys 197, 219, 242, 245, 332, 338, 355 channel scans 211 connected mode surveys 80, 83, 201–7, 251 crowd‐sourced cell coverage data 200, 219, 251, 284 derived service area 198 extrapolating stacked cell coverage 46, 72, 98, 102, 226 hostile reconnaissance surveys 225 idle mode surveys 203–4, 218, 330 indoor surveys 196 local area surveys 194 lock‐on surveys 97, 109, 211 missing cell actions 226, 247 mixed mode surveys 207 multiple device surveys 208 orbit tests 212 phone emulator devices 192, 202, 203 potential survey issues 225 proactive surveying 225, 250 route profile surveys 199, 223, 243, 332, 341, 356 scanner/SDR devices 192, 201, 203 scene preservation surveys 196, 219, 285, 291, 331, 338 spot/location surveys 193–95, 216, 239–40, 245, 329, 337, 354 survey best practice 250, 252, 253, 341 survey preparation 213, 215, 251, 333 surveys at height 196 survey SIM choices 210 test calls 110, 202, 204–6, 209 test pings 210, 218, 252, 330
f
forensic radio survey software tools 248 Forensic science regulator 199, 213, 251, 262, 269, 286, 296, 333 frequency 3–6, 8, 11 frequency reuse 35–37 multi‐carrier SFN 72, 88, 123 multi‐frequency networks (MFN) 71, 88 single frequency networks (SFN) 70–71, 89, 104, 106, 108, 123, 144
g
gigahertz (GHz) 4 global navigation satellite systems (GNSS) 188, 226
h
hertz (Hz) 3
i
idle mode 80, 202 interference adjacent channel 35, 129, 150, 167, 204 co‐channel 35, 113, 204 IMSI catcher/grabber 306 Internet of Things (IoT) communications 180–83 International Forum on ANSI‐41 Standards Technology (IFAST) 159
k
kilohertz (kHz) 3
l
law of powers 14–15, 113, 311 line of sight (LOS) 6, 284 logarithms 14–17, 113, 312 long wave (LW) 5–6, 11
m
medium wave (MW) 5 megahertz (MHz) 3 mmWave 12, 67, 145 MNO & MVNO 60 modulation schemes 9–10, 50 BPSK 10 QAM 10, 140–41, 174, 182 QPSK 10, 174 multipath 6–8, 141, 193, 217 multiple access techniques 38 Carrier Aggregation 39–40, 62, 123, 133, 144, 151 CDMA 38, 105–6, 113, 157, 161, 303 Dual Connectivity 39–40, 123, 133, 144, 153 FDMA 38 MIMO 39–40, 67 OFDM 39 OFDMA 39, 120, 139–42 PCell, SCell 40, 123, 133–34, 144 SC‐FDMA 119, 139 TD‐SCDMA 24, 27, 29, 38, 130, 171 TDMA 38, 71, 92 WCDMA 104–6, 108
n
near‐field communications (NFC) 180 network activities attach 77 authentication 78 authentication vectors 78 cell access control 85 cell barring 86 detach 77, 79 handover/handoff 83, 88–89 hard handover 110–11, 144 inter‐system handover 39, 110 location updating 34, 79, 87–88 softer handover 89, 110–11, 162 soft handover 89, 109–10 SRVCC 53, 131, 151, 166 network function virtualization (NFV) 46
network identifiers MCC 56–57, 64, 159, 314 MNC 56–57, 64, 159, 314 SID/NID 65, 159–60, 164, 255, 324 non‐line of sight (NLOS) 6
p
Public Land Mobile Network (PLMN) 56–57
r
radio propagation issues 8 licence assisted access (LAA) 13, 124 radio bands 10, 12, 124, 146, 312 radio band letter designations 11 radio cells 33, 43, 64, 69 radio channels 11, 33, 37, 61 radio frequency 4–5 radio spectrum 5, 10–14 radio theory 3–19 raster 99 symbols/symbol periods 10, 141 unlicensed access 13 unlicensed bands 13, 124, 183 radio access networks 43–49 5GC 52 active cells/active set 89, 107 Allocation and Retention Priority (ARP) 50 azimuth 66–67 backhaul 43 base stations 43, 45, 49 beamforming 63 beamwidth 66–67 BCCH 44, 64, 76, 82, 85, 93–94 BSC 49, 92 BSS/GERAN 92 BTS 33, 92 cell types 69–70, 75 cellular antennas 66 Central Unit (CU) 47, 136 Centroid 67 C‐RAN 46 disaggregated RAN 47 distributed unit (DU) 47, 136 downlink/uplink carriers 33, 37, 61 dynamic shared spectrum (DSS) 123, 139 eCPRI 48 eNB 33, 118 EPC 52, 119 EUTRAN 118 forward/reverse links 37, 61, 161
Fronthaul 49, 136 gNB 33, 52, 136 location areas 44, 87 midhaul 49, 136 MORAN 13 Multi‐RAT base stations 39, 45, 118 network‐sharing 89 NG‐RAN 136 node B 33, 104 omnidirectional cells 43, 62–63, 166 open RAN (O‐RAN) 48–49 OTSR/STSR 62–63, 166 PCH/PCCH 93–95, 107 Quality of Service (QoS) 49–50 RNC 49, 104 routing areas 44, 87, 275–76 scheduler 49–50 SDCCH 93 sectors 43, 62 self‐optimising networks (SON) 69 serving cells 73–74, 81 TDMA timeslots 38, 92–94 timing advance 84, 93, 120, 124, 142, 186, 282, 301–3, 321, 325, 327 tracking area lists 88 tracking areas 44, 86, 87, 119, 136, 149, 227 uptilt & downtilt 68 UTRAN 104 resource blocks 120 reference signals 129 RAN‐based notification area (RNA) 80
s
satellite communications 29, 133, 183–86 signal strength descriptions 18–19 SI units of magnitude 4 spectrum 5, 10–14 standards bodies 3GPP 13, 25, 91, 362 3GPP2 21, 26, 42 ARIB 21, 169 ATIS 21 CCSA 21 CDG/MDG 157, 168 ETSI 21, 23, 26, 169, 170, 187 IEEE 27, 172–73, 178, 179, 181, 187 International Telecoms Union (ITU) 21, 29, 56–57, 183, 314 TSDSI 21 World Radio Conferences (WRC) 21, 29, 99
survey devices CSurv 229, 233 Gladiator GAR 232, 238 Infovista TEMS investigation 230, 237 Keysight NEMO handy 229, 236 Lima Cell Monitor 230, 233 QRC Technologies ICS 231, 237 Rohde & Schwarz TSMA 232, 238 survey documentation cell location maps 213, 333 post‐survey reports 253 survey notes 228, 337 survey specifications 213, 333 target cell lists 211, 213–14, 226, 251, 333–34 survey results checking survey results 226, 336 compiling cell coverage data 355 compiling route profile data 356 compiling survey summary tables 353 historical survey database 249, 264 issues related to LAC/TAC boundaries 227 missing cells IDs 226, 247 understanding survey results 245 survey safety 215, 335
t
target phone/subject phone 1, 191 terahertz (THz) 4, 12, 153
u
Ultra High Frequency (UHF) 6, 11–12 user devices & identifiers 55–58 electronic serial number (ESN) 42, 160 GUTI 58, 77, 79, 138, 281 ICCID 42 IMEI/IMEISV 42, 58–59, 179, 267, 282 MDN 161 MEID 160 ME/mobile equipment 41–42 MSISDN 42, 56 PEI 58 TMSI 56–58, 77–78, 160, 281, 306 TMSI clash 79, 281 Type Allocation Code (TAC) 42, 58 SIM/eSIM 41–42, 56, 58, 59, 85, 160, 179 SIM form factors 42 SUCI 56, 79, 139, 307 SUPI 42, 56, 79, 138–39 UICC 42 wearable devices 282–83 ultra‐wide band (UWB) 26, 118, 157, 179–80
v
vehicle to anything (V2X) 134, 187 very high frequency (VHF) 11, 170 Voice over LTE (VoLTE) 25, 53, 130–33, 151, 203, 252 Voice over NR (VoNR) 53, 131, 151 Voice over WIFI (VoWIFI) 76, 175–76, 206, 282
w
watts 14 wavelength 5, 11, 312 WIFI 27, 173, 238, 256 802.11 27, 173–76, 187 SSID 173–79, 238, 256, 305, 307