ESN Electronic Serial No / LTE-A

19 Posts
2 Users
0 Reactions
1,475 Views
RolfGutmann
(@rolfgutmann)
Noble Member
Joined: 10 years ago
Posts: 1185
Topic starter  

VoLTE runs over DRA (Diameter Routing Agents) in today's mobile broadband RANs (Radio Access Networks). In a carrier traffic log we search for the globally unique ESN (Electronic Serial Number) of a very high value suspect.

IMEI and MEID are both faked (by software manipulation), we found out.

Has anyone focussed on DRA examinations? This is not a typical UE (User Equipment) case but an online in-carrier data log investigation due to drug trafficking.

Help very much appreciated!


   
Quote
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

Rolf do you have a name of the company producing the DRA solution?


   
ReplyQuote
RolfGutmann
(@rolfgutmann)
Noble Member
Joined: 10 years ago
Posts: 1185
Topic starter  

Greg, the DSC is Ericsson, around Nokia Siemens Networks (NSN) and Core Huawei net elements. We found that MPTCP or SCTP was in use for Primary Entry Point (PEP) to break in and change AVPs (Attribute Value Pairs).

As IMEI and MEID are faked, I proposed to search for the ESN to get closer to the suspect's unknown mobile. Do you propose a better approach?

Thank you for all your great contribution and help so many times here at ForensicFocus!


   
ReplyQuote
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

Hi Rolf, thanks for your feedback.

Outline looks ok. Will check and get feedback on process.

In the meantime, two distractions (just for entertainment) you may want to look at:

Sony Future Lab
The prototype is codenamed “N” and is a hands-free wearable device.

The device responds to voice prompts and can be used to receive information, like news alerts or weather forecasts, and to take photos. It also functions as a set of earphones which can be worn with or without in-ear buds.

http://thenextweb.com/gadgets/2016/03/12/sony-launches-future-lab-new-research-development-program/

Global Emergency and Disaster Website
http://trewmte.blogspot.co.uk/2016/03/global-emergency-and-disaster-website.html

Enjoy!


   
ReplyQuote
RolfGutmann
(@rolfgutmann)
Noble Member
Joined: 10 years ago
Posts: 1185
Topic starter  

Great! Enjoyed especially the 'take a picture' function. Very useful in two ways: to turn the cam eye down on "take a picture" and after that turn it up and hide. From a certain distance no indication of 'hand actions' is visible. Second, if built into a wearable jacket it gets almost invisible.

Special equipment is available for high prices but COTS devices are better related to availability and mods (we here love to test and elaborate day-and-night).

Link: Great aggregated site, wondering if a *.kml is available (to see the feed sources) 😉


   
ReplyQuote
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

Rolf, I haven't forgotten your thread. Where I am at present:

- 3GPP TS 29.213 V13.4.0 (2015-12)
- RFC 3588

– DRA has information about the user identity (UE NAI), the APN, the UE IP address(es) and the selected PCRF address for a certain IP-CAN Session

– Unique identification of an IP-CAN session in the PCRF shall be possible based on
  • (UE ID, PDN ID)-tuple
  • (UE IP Address(es), PDN ID)-tuple
  • (UE ID, UE IP Address(es), PDN ID)

Still lots more to do.

D


   
ReplyQuote
RolfGutmann
(@rolfgutmann)
Noble Member
Joined: 10 years ago
Posts: 1185
Topic starter  

Diameter also RFC 6733, 5516. For SCTP we hang on RFC2960/3309 (for checksum).

Please apologise, but I ask myself: how does the ESN, which is burned into hardware, come into the UE-NAI and after that into the IP-CAN? Is there a chance to get the ESN? About IMEI and MEID, we guess the device did feed in random false-generated IMEIs. They vary from 14-16 digits, which means 16 digits is an IMEISV (SV = Software Version).

How does the ESN in general go through the RAN, I wonder? Sorry for the case, very confusing but fun to break :)

Greg, thanks for your support, you are superb!


   
ReplyQuote
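The post above notes that the logged identifiers vary between 14 and 16 digits and that 16 digits means an IMEISV. As an added example (not code from the thread or from any vendor), the script below applies the public IMEI layout from 3GPP TS 23.003 to classify such tokens and to verify the Luhn check digit that a 15-digit IMEI carries; a failing check digit is a cheap first indicator that an IMEI in a log was generated rather than burned in. The log line format and the identifier values are constructed for the example.

```python
"""Classify IMEI-like identifiers from carrier logs and check the Luhn digit.

Added example (not from the thread). Layout per 3GPP TS 23.003:
14 digits = TAC + serial, 15 = those 14 plus a Luhn check digit,
16 = IMEISV (the 14 digits + 2-digit software version, no check digit).
"""
import re
from typing import Dict, List

IMEI_RE = re.compile(r"\b\d{14,16}\b")


def luhn_check_digit(body14: str) -> str:
    """Luhn check digit for the 14-digit TAC+serial body."""
    total = 0
    for pos, ch in enumerate(reversed(body14)):
        d = int(ch)
        if pos % 2 == 0:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def classify(ident: str) -> Dict[str, object]:
    """Name the identifier type and verify its check digit when it has one."""
    kind = {14: "IMEI-no-CD", 15: "IMEI", 16: "IMEISV"}.get(len(ident), "unknown")
    luhn_ok = luhn_check_digit(ident[:14]) == ident[14] if kind == "IMEI" else None
    return {"id": ident, "kind": kind, "tac": ident[:8], "luhn_ok": luhn_ok,
            "sv": ident[14:] if kind == "IMEISV" else None}


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Pull every 14-16 digit token out of the log lines and classify it."""
    return [classify(m.group()) for line in lines for m in IMEI_RE.finditer(line)]


# Constructed sample lines (hypothetical DRA export format, not a real trace).
SAMPLE_LOG = [
    "2016-03-12T10:00:01 DRA CCR-I imei=490154203237518 apn=internet",   # valid CD
    "2016-03-12T10:00:02 DRA CCR-I imei=490154203237511 apn=internet",   # bad CD
    "2016-03-12T10:00:03 DRA CCR-I imeisv=4901542032375101 apn=ims",     # IMEISV
    "2016-03-12T10:00:04 DRA CCR-I imei=49015420323751 apn=ims",         # no CD
]

if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG):
        print(r)
```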
RolfGutmann
(@rolfgutmann)
Noble Member
Joined: 10 years ago
Posts: 1185
Topic starter  

We found a possible(!) source of how the AVP was attacked (not confirmed in our case):

Hackit Ergo Sum Conf 2015


   
ReplyQuote
RolfGutmann
(@rolfgutmann)
Noble Member
Joined: 10 years ago
Posts: 1185
Topic starter  

We still hang at the ESN. Many software licensing processes include the ESN being transmitted to the manufacturer's license servers (e.g. Viavi (former JDSU) MTS-6000A Network Tester, great to catch Wireshark *.pcap files for hex analysis).

Who has insight into ESN licensing validation processes like the one mentioned above?

Where in hardware is the ESN burned-in? Guess EPROM-based somewhere or BIOS-attached?


   
ReplyQuote
RolfGutmann
(@rolfgutmann)
Noble Member
Joined: 10 years ago
Posts: 1185
Topic starter  

Meanwhile discovered that 2 'identical' UE/MS (original + clone) were in use at the same time. Somehow the Diameter Signalling Controller (DSC) and the respective Diameter Routing Agent (DRA) were confused by the twins (the PCRF application shows trouble indicating it, and did not block because the Access Control Class (ACC) flag was high and therefore privileged).

What artifacts could be evident as unique to the original?

No physical device at hand, only logs.


   
ReplyQuote
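Two posts above connect here: trewmte's extract from 3GPP TS 29.213, which says the PCRF must be able to identify an IP-CAN session uniquely by the (UE ID, PDN ID), (UE IP address(es), PDN ID) or (UE ID, UE IP address(es), PDN ID) tuple, and Rolf's finding that an original and a clone were up at the same time. When two devices present the same identity concurrently, those keys stop being unique, and that is something you can test for in the logs alone. The check below is an added example, not code from the thread or from any PCRF product; the record fields, NAIs, addresses and timestamps are constructed.

```python
"""Flag IP-CAN session keys that are bound to two overlapping sessions.

Added example (not from the thread). Keys follow the TS 29.213 tuples quoted
in the thread: (UE ID, PDN ID) and (UE IP, PDN ID). A key seen on two
different, time-overlapping sessions is the log-side footprint of the
"twins" situation, since the PCRF cannot then tell the sessions apart.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Record = Dict[str, object]


def overlaps(a: Record, b: Record) -> bool:
    """True if both sessions were active at the same time (start/end as ints)."""
    return a["start"] < b["end"] and b["start"] < a["end"]


def find_collisions(records: List[Record]) -> Dict[str, List[Tuple[str, str]]]:
    """Per key type, the keys bound to two different overlapping sessions."""
    keyers = {
        "ue_id+pdn": lambda r: (r["ue_id"], r["pdn_id"]),
        "ue_ip+pdn": lambda r: (r["ue_ip"], r["pdn_id"]),
    }
    out: Dict[str, List[Tuple[str, str]]] = {}
    for name, key in keyers.items():
        buckets: Dict[Tuple[str, str], List[Record]] = defaultdict(list)
        for r in records:
            buckets[key(r)].append(r)
        hits = set()
        for k, group in buckets.items():
            for i, a in enumerate(group):
                for b in group[i + 1:]:
                    if a["session_id"] != b["session_id"] and overlaps(a, b):
                        hits.add(k)
        out[name] = sorted(hits)
    return out


def rec(sid: str, ue: str, pdn: str, ip: str, start: int, end: int) -> Record:
    return {"session_id": sid, "ue_id": ue, "pdn_id": pdn, "ue_ip": ip,
            "start": start, "end": end}


# Constructed sessions (hypothetical values). 1001/1002: one UE identity on the
# IMS APN from two addresses at once (the twins). 1003/1004: same user, but
# sequential, so no collision. 1005: address 10.0.0.5 reused while 1001 is up.
SESSIONS = [
    rec("dra1;1001", "user1@example.net", "ims", "10.0.0.5", 100, 400),
    rec("dra1;1002", "user1@example.net", "ims", "10.0.0.9", 250, 500),
    rec("dra1;1003", "user2@example.net", "internet", "10.0.1.7", 100, 200),
    rec("dra1;1004", "user2@example.net", "internet", "10.0.1.8", 300, 600),
    rec("dra1;1005", "user3@example.net", "ims", "10.0.0.5", 300, 350),
]

if __name__ == "__main__":
    print(find_collisions(SESSIONS))
```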
Page 1 / 2