Junk Science? Your thoughts.

hcso1510
(@hcso1510)
Reputable Member
Joined: 15 years ago
Posts: 303

Greg,

As the EFLOCI file data changes, are the previous values just overwritten, or does the USIM card have the ability to store multiple values?

Additionally, can you describe how a TMSI (Temporary Mobile Subscriber Identity) might be utilized to determine the historical location of an MS. (Assuming that it can?) How does the network assign a TMSI?

(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877

Hi Ed

Well done for keeping the flow of discussion going.

As the EFLOCI file data changes, are the previous values just overwritten, or does the USIM card have the ability to store multiple values?

The values are updated, thus overwritten. I am not aware that a (U)SIM has the ability in the EFLOCI file to store multiple records containing the values for e.g. LAI/TMSI etc. at any one time. That doesn't mean to say a mobile network operator is prevented from having Cust_Files to achieve that result.

There are occasions when values in the EFLOCI file can be prevented from being updated due to invalidation caused by Call Control in the SIM, e.g. BDN, FDN.

Additionally, can you describe how a TMSI (Temporary Mobile Subscriber Identity) might be utilized to determine the historical location of an MS. (Assuming that it can?) How does the network assign a TMSI?

The network issues, on a temporary basis, a TMSI for the purposes of confidentiality in a particular radio area, which we commonly relate to a geographical area; an historical reference to an MS's location can be possible, but a TMSI cannot precisely locate within a particular radio area to a specific geographical point. The TMSI is allocated and works hand-in-hand with the LAI to uniquely identify the MS within the LAI. Assignment of the TMSI follows validation and authentication of the subscriber identity, and it is used in place of the IMSI unless factors mitigate otherwise. The allocation of a TMSI occurs after ciphering and location update have been successfully implemented.

Utilising TMSI for historical location of an MS means identifying which TMSI would be relevant to an investigation. As you know, there is the CS (circuit switched) network and the PS (packet switched) network. Identifying both the TMSI and the P-TMSI recorded in the (U)SIM can assist enquiries to identify information stored about them in the HLR/VLR and SGSN. However, as mentioned in previous comments in this thread, TMSI/P-TMSI require utilising other information stored in the (U)SIM. For instance, where a TMSI is recorded we know an LAI should be relevant. As the EFLOCI file can contain the old LAC and new LAC code, the detail in the EFLOCI file can form part of the information in an enquiry to a service provider. Moreover, information to be found in EFBCCH (regarding radio frequencies detected by the MS and recorded) can help define an improved historical location search that the service provider can use to see which cells used those frequencies in a particular location area. Where frequency reuse is minimal in a geographical area this can point to a group of cells (e.g. towers/masts propagating radio coverage at those frequencies in a particular area).

I mentioned TMSI and P-TMSI. Do remember a TMSI is a unique identifier within a location area. The MCC, MNC and Location Area Code (LAC) are specified in combination with the TMSI to ensure that the UE identity is unique globally. A P-TMSI is unique within a routing area. The MCC, MNC, LAC and Routing Area Code (RAC) are specified in combination with the P-TMSI to ensure that the UE identity is unique globally. It is usual to reallocate the TMSI as part of the location area update procedure and to reallocate the P-TMSI as part of the routing area update procedure. The encoding of the TMSI is left to the network operator to decide.

Historical location should be understood in the context of historical (time frame) and should be assisted from particular sources where call data should be available. Moreover the context of location requires awareness because the seizure of a switched OFF MS may mean the mobile can be switched OFF in one geographical area and found in another geographical area. By this it is meant the radio area may have changed. So the value of historical EFLOCI etc needs to be weighed up in those terms.

Of course with the 3G USIM, as opposed to GSM SIM, there are additional EFs to be considered e.g. EFNETPAR and the relevant EFHPLMNwACT etc.

Moreover, the profile of the handset is equally as important as the (U)SIM, in that it has the power to influence what is recorded in (U)SIM EFs, e.g. allowing the user to profile which radio access can be used: by way of illustration, GSM, WCDMA and LTE. It is known that as LTE is being rolled out, for some users of, say, the iPhone 5 (etc.) the handset can ping-pong between WCDMA and LTE. The user can profile for LTE to be disabled, thus LTE parameters and values may not be recorded in the USIM. Provided the CSA examiner has checked the handset, the CSA (pre)survey can be better prepared and understood.

This quick, potted version of TMSI etc is produced for easy reference. There are many more aspects I haven't mentioned because it would take too long at this moment in time.
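Added example, not from the post above or the linked blog: a decoder for the two (U)SIM files that hold the identifiers discussed, EF_LOCI (TMSI + LAI) and EF_PSLOCI (P-TMSI + RAI). The byte layouts are those of 3GPP TS 31.102 (USIM) and TS 51.011 (GSM SIM); the sample dumps are constructed for illustration and do not come from a real card. It composes the globally unique identity (MCC/MNC/LAC + TMSI, MCC/MNC/LAC/RAC + P-TMSI), treats an all-ones TMSI as "no valid TMSI", and surfaces the update-status byte, which is what tells you whether the stored LAI/RAI reflects a successful last update or a refused/blocked one.

```python
"""Decode EF_LOCI (6F7E) and EF_PSLOCI (6F73) as read from a (U)SIM.

Layouts follow 3GPP TS 31.102 / TS 51.011:
  EF_LOCI   (11 bytes): TMSI[4] | LAI[5] | TMSI TIME[1] | Location update status[1]
  EF_PSLOCI (14 bytes): P-TMSI[4] | P-TMSI signature[3] | RAI[6] | Routing area update status[1]
  LAI = PLMN (MCC/MNC, 3 BCD bytes) + LAC (2 bytes);  RAI = LAI + RAC (1 byte)
Each file is a single transparent record, so a read shows only the last value written.
"""
from dataclasses import dataclass, asdict
from typing import Optional

# Update status lives in the low three bits of the last byte.
UPDATE_STATUS = {
    0: "updated",
    1: "not updated",
    2: "PLMN not allowed",
    3: "Location/Routing Area not allowed",
}
NO_VALID_TMSI = 0xFFFFFFFF  # all ones means "no valid TMSI" (TS 24.008)


def decode_plmn(b: bytes) -> tuple[str, str]:
    """MCC/MNC from the 3-byte BCD PLMN field (TS 24.008 10.5.1.3).

    Nibble order (low nibble first): MCC1 MCC2 | MCC3 MNC3 | MNC1 MNC2.
    MNC3 == 0xF marks a two-digit MNC.
    """
    if len(b) != 3:
        raise ValueError("PLMN field must be 3 bytes")
    mcc = (b[0] & 0xF, b[0] >> 4, b[1] & 0xF)
    mnc = [b[2] & 0xF, b[2] >> 4]
    mnc3 = b[1] >> 4
    if mnc3 != 0xF:
        mnc.append(mnc3)
    if any(d > 9 for d in (*mcc, *mnc)):
        raise ValueError(f"non-decimal digit in PLMN {b.hex()}")
    return "".join(map(str, mcc)), "".join(map(str, mnc))


@dataclass
class Loci:
    tmsi: Optional[int]  # None when the card holds the all-ones "no TMSI" value
    mcc: str
    mnc: str
    lac: int
    tmsi_time: int
    status: str

    @property
    def lai(self) -> str:
        return f"{self.mcc}-{self.mnc}-{self.lac:04X}"

    @property
    def global_id(self) -> Optional[str]:
        """A TMSI is only unique within its LAI, so the usable identity is LAI + TMSI."""
        return None if self.tmsi is None else f"{self.lai}/TMSI={self.tmsi:08X}"


@dataclass
class PsLoci:
    ptmsi: Optional[int]
    ptmsi_signature: int
    mcc: str
    mnc: str
    lac: int
    rac: int
    status: str

    @property
    def rai(self) -> str:
        return f"{self.mcc}-{self.mnc}-{self.lac:04X}-{self.rac:02X}"

    @property
    def global_id(self) -> Optional[str]:
        """A P-TMSI is only unique within its RAI, so the usable identity is RAI + P-TMSI."""
        return None if self.ptmsi is None else f"{self.rai}/P-TMSI={self.ptmsi:08X}"


def _status(byte: int) -> str:
    return UPDATE_STATUS.get(byte & 0x07, f"reserved ({byte & 0x07})")


def _tmsi(raw: bytes) -> Optional[int]:
    v = int.from_bytes(raw, "big")
    return None if v == NO_VALID_TMSI else v


def decode_loci(raw: bytes) -> Loci:
    if len(raw) != 11:
        raise ValueError(f"EF_LOCI is 11 bytes, got {len(raw)}")
    mcc, mnc = decode_plmn(raw[4:7])
    return Loci(_tmsi(raw[0:4]), mcc, mnc,
                int.from_bytes(raw[7:9], "big"), raw[9], _status(raw[10]))


def decode_psloci(raw: bytes) -> PsLoci:
    if len(raw) != 14:
        raise ValueError(f"EF_PSLOCI is 14 bytes, got {len(raw)}")
    mcc, mnc = decode_plmn(raw[7:10])
    return PsLoci(_tmsi(raw[0:4]), int.from_bytes(raw[4:7], "big"), mcc, mnc,
                  int.from_bytes(raw[10:12], "big"), raw[12], _status(raw[13]))


if __name__ == "__main__":
    # Constructed sample dumps (not from a real card): MCC 234 / MNC 15, LAC 0x0102, RAC 0x05.
    loci = decode_loci(bytes.fromhex("12345678 32F451 0102 FF 00"))
    ps = decode_psloci(bytes.fromhex("ABCDEF01 A1B2C3 32F451 0102 05 01"))
    print(asdict(loci), loci.global_id)
    print(asdict(ps), ps.global_id)
```

Feed it the raw bytes returned by READ BINARY on the two files. In an examination the status field deserves as much attention as the TMSI itself: a LAI/RAI with status "not updated" or "PLMN not allowed" is the area the handset last tried, not one it was registered in.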


   
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877

Moreover, information to be found in EFBCCH (regarding radio frequencies detected by the MS and recorded) can help define an improved historical location search that the service provider can use to see which cells used those frequencies in a particular location area. Where frequency reuse is minimal in a geographical area this can point to a group of cells (e.g. towers/masts propagating radio coverage at those frequencies in a particular area).

I forgot to add the link to BCCH data uncovered - http://trewmte.blogspot.co.uk/2009/09/bcch-data-uncovered.html


   
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877

Examination and Evidence from SIM and USIM Cards. Now an open blog - http://sim2usim.blogspot.co.uk/


   
(@armresl)
Noble Member
Joined: 21 years ago
Posts: 1011
Topic starter

Tre,

Thanks for this post, does it discuss "junk science"?

Examination and Evidence from SIM and USIM Cards. Now an open blog - http://sim2usim.blogspot.co.uk/


   
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877

Tre,

Thanks for this post, does it discuss "junk science"?

Examination and Evidence from SIM and USIM Cards. Now an open blog - http://sim2usim.blogspot.co.uk/

Good point, armresl. The content at the blog, it is intended, is aimed at covering many discussions. Examples of discussions appearing and to appear will be

(a) exposure of data, interpretation of it, and possible use as evidence

and

(b) identify myths or where there has been misunderstanding about (U)ICC/(U)SIM and its content.

There are always differing views and opinions about (U)ICC/(U)SIM, and the very best I can do is expose what is there. I will leave it to others to make up their own minds and decide whether evidence from (U)ICC/(U)SIM is junk science or not.


   
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877

(U)ICC/(U)SIM Script Commands and Responses - http://sim2usim.blogspot.co.uk/2013/10/uiccusim-script-commands-and-responses.html


   
hcso1510
(@hcso1510)
Reputable Member
Joined: 15 years ago
Posts: 303

Greg,

Is anyone suggesting the data from the SIM/USIM is in some way junk science? I'm sort of thinking this post has changed course slightly from what was originally posted? Not that it's a bad thing….

Earlier on Armresl mentioned Cherry Biometrics. Their website is obviously impressed with the work of one of their "experts." I recently attended a training class in Davidson County, TN and I had an assistant ADA laugh when they saw the court opinion from the website. While that judge may have thought their "expert" was a super genius this ADA stated the Davidson County judge didn't think so by a long shot.

The bottom line here is whether or not law enforcement is over reaching when it attempts to determine the historical location of an MS. Hypothetically, I wonder what the defenses argument would be if LE only testified to cell site and sector and never mentioned RTT, PCMD or AT&T's MLT?
At that point you are only testifying to the data and staying pretty conservative IMO?

The big issue is when you add in some of the enhanced ranging data and try to make historical predictions: LE can't really say how the data was compiled, or what the error rates might be. It's not something the analyst on the other end of the phone can tell you, and the telcos do a pretty good job of keeping their people that are "in the know" insulated.

I will go to my grave stating, as I have in many other posts, that we need a National Standard in how we testify to this data. Any standard attempted by LE will be called into question, as it should, but I don't see the private sector as being the driving sector in this as they don't have as much, if any, access to the data.


   
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877

Is anyone suggesting the data from the SIM/USIM is in some way junk science?

Ed, as you have read in this thread, SIM/USIM examination and data have both been discussed in it. The fact that SIM/USIM was discussed in the thread leaves open the notion that this community may think SIM/USIM examination and evidence is junk science.

My continuing posts are and have always been to simply dispel a junk-science notion and to invite readers to consider (or reconsider) SIM/USIM beyond automated data recovery processing tools and a few identifiers:

- To get readers to question how much they really know about SIM/USIM
- To illustrate examiners' SIM/USIM knowledge/skillsets/experience are not limited to pushing a button
- To illustrate avenues of investigation, identify information recorded/stored and reveal processing or procedures which may be useful

…. and so on

However, this thread has also included other mobile topics too, which is why it has rumbled on containing various discussions.

that we need a National Standard in how we testify to this data.

How would that work in practice?

Any standard attempted by LE will be called into question, as it should, but I don't see the private sector as being the driving sector in this as they don't have as much, if any, access to the data.

From what you say, and have suggested in previous posts, it would appear that in the US neither your law enforcement nor the private sector has access to data. I got the impression this was down to (a) knowledge by the individual as to what was/is available or (b) data known to be available coming down to the cost of obtaining it.


   
jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442

I would make a distinction between "junk science" and "charlatans".

Junk science is some activity that is purported to be science, yet is not. The non-science part may come in with lack of systematic study, observation, or experimentation. Furthermore, the junk part appears when the studies, observations or experimentation are performed, if at all, with inappropriate methods, falsifications, obfuscation, secrecy or similar.

The diet product industry comes to mind with their magic pills to lose weight. From some far away place a root was dug up by some natives. It was then chewed by a rare species of meerkat, collected by blind, left-handed orphans - but only when the moons align appropriately. None of the information can ever be verified, tested, or reviewed. The "research" presented is usually a page or two of more marketing material.

Charlatans are those who pile on to existing science, or claim to have special knowledge or skill; in this thread, understanding of SIM/USIM.


   
Page 3 / 4