Message forensic ..
(@abdulcadir)
Trusted Member
Joined: 17 years ago
Posts: 68
Topic starter

Hi guys,

I am working on a case. Someone has received a message from a name, but it's not showing any number. I hope it's via the internet..

How can I step further?
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
Abdulcadir, some observations for you.

As it is not clear from which device you have recovered the text message, I have taken the liberty of assuming the text was stored on the SIM card. Below is demonstration material from my SIM courses:

More Messages To Send No
Status Report Indication No
Reply Path No
Originating Address Length 0C
Originating Address type 91
–Type of number International
–Numbering plan identifier E.164
Originating Address 44798021XXXX
Protocol Identifier Default
Data Coding Scheme GSM Default Alphabet
SC Timestamp 10214201358500
decoded 01/12/24 105358
Time Zone GMT+0.00H
User Data Length 4C
decimal 76

To comprehend whether it is an internet originated message or direct from another mobile subscriber, look to the header data from the text message. In particular look at

–Numbering plan identifier E.164
Originating Address 44798021XXXX

An E.164 number, as you know, is analogous to the telephone number one keys in on the phone (see Originating Address above)

However, where Originating Address appears as a string of hexadecimal characters, this may provide an indication that the message MIGHT be from the internet. Unravelling the hex data, and the internet conventions that can be identified from the string of hex data (RFCs etc.), can be arduous and time greedy to understand. It is better to work with the operator to trace back the origin of the message.

However, there can always be the distinction that a named calling party (provided no mistakes have been made and it is not the name from a phonebook or SDN number that is shown in the message) originates from a clandestine source. That has to be proven of course, and therefore removing a number of possibilities first can be a very useful exercise.

When dealing with line identification of a calling party it is useful to comprehend whether the conventions adopted by the GSM/3GPP technical standards (TS) or technical reports (TR) are the same as in the case that is before you.

GSM0281 - Line Identification Supplementary Services

To understand where names can replace the CLI number have a look at

GSM0296 - Name Identification Supplementary Service, which refers to Calling Name Presentation (CNAP), for some background reading. Did you know that the convention that allows for Calling Name Presentation allows for a name to be up to 80 characters in length? That is 10 characters more than a UCS2 SMS text message.

Also, look at the Cell Broadcast/Broadcast Control Channel data to make sure you are not seeing a network indicator/identifier.

Do remember that Standards change: some Standards are updated with newer technical features and/or services, and some Standards are updated by making technical features/services redundant. Finally, don't forget to cross-reference the GSM with the 3G standards, as operators (for interoperability purposes) can be using both to provide the technical feature or service.

From there you may want to search the internet to identify organisations that sell SMS services and naming plans, to see if the name is one from one of their customers.

The fact that you MAY not find out where the message originated in the internet is one obstacle that can arise. Another annoying obstacle is when you find the person receiving the message modified a text message or sent it to him/herself - now that is a pain.

So, some examples of how to investigate are above; there are others. If you decide to follow that route to confirm whether the message is from a genuine intended source or not, you can then search to find web-based services that allow spoof text messages using spoof names.

Good luck
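As an added example (not code from the post or from trewmte's SIM courses), here is a Python decoder for the SMS-DELIVER header fields listed above; it goes beyond the listed case by also unpacking an alphanumeric (TON=101) originating address, the 7-bit-packed sender name that appears as a string of hex in a raw dump. Assumptions: the hex begins at the TPDU flags octet, the sample number digits and the "INFO" sender name are constructed, and the sender name uses only ASCII-compatible GSM 7-bit characters.

```python
# Added example, not from the forum post: decode a GSM SMS-DELIVER TPDU header so the
# fields trewmte lists can be read from raw hex. Assumes the hex starts at the TPDU flags
# octet (SIM status byte / SMSC prefix already stripped); sender names are ASCII-compatible.

TON = {0: "unknown", 1: "international", 2: "national", 5: "alphanumeric"}
NPI = {0: "unknown", 1: "E.164 (ISDN/telephone)"}

def swap_digits(data: bytes) -> str:
    """BCD semi-octet digits: low nibble is sent first; 0xF is the odd-length filler."""
    return "".join(f"{b & 0xF:X}{b >> 4:X}" for b in data).rstrip("F")

def unpack_7bit(data: bytes, septets: int) -> str:
    """GSM 7-bit unpacking: septet i sits at bit 7*i of the little-endian bit stream."""
    bits = int.from_bytes(data, "little")
    return "".join(chr((bits >> (7 * i)) & 0x7F) for i in range(septets))

def decode_sms_deliver_header(pdu_hex: str) -> dict:
    pdu = bytes.fromhex(pdu_hex)
    flags = pdu[0]
    if flags & 0x03:                      # TP-MTI must be 00 for SMS-DELIVER
        raise ValueError("not an SMS-DELIVER TPDU")
    oa_len, oa_type = pdu[1], pdu[2]      # address length counts semi-octets
    oa_bytes = pdu[3:3 + (oa_len + 1) // 2]
    ton, npi = (oa_type >> 4) & 0x7, oa_type & 0xF
    if ton == 5:                          # TON=101: packed 7-bit name, not a number
        sender = unpack_7bit(oa_bytes, oa_len * 4 // 7)
    else:
        sender = swap_digits(oa_bytes)
    i = 3 + len(oa_bytes)
    pid, dcs, scts = pdu[i], pdu[i + 1], pdu[i + 2:i + 9]
    yy, mo, dd, hh, mi, ss = (swap_digits(bytes([b])) for b in scts[:6])
    tz = scts[6]                          # BCD quarter-hours; bit 3 of first nibble = sign
    quarters = (tz & 0x07) * 10 + (tz >> 4)
    return {
        "more_messages_to_send": not flags & 0x04,   # TP-MMS=1 means "no more"
        "status_report_indication": bool(flags & 0x20),
        "reply_path": bool(flags & 0x80),
        "originating_address": sender,
        "type_of_number": TON.get(ton, f"reserved({ton})"),
        "numbering_plan": NPI.get(npi, f"other({npi})"),
        "protocol_identifier": pid, "data_coding_scheme": dcs,
        "sc_timestamp": f"{yy}/{mo}/{dd} {hh}:{mi}:{ss}",
        "timezone_hours": (-quarters if tz & 0x08 else quarters) / 4,
        "user_data_length": pdu[i + 9],
    }

# Constructed samples: lengths, type 0x91 and the timestamp are the post's values; the
# number digits and the "INFO" sender name are made up (user data omitted).
DELIVER_E164 = "04 0C 91 449708122143 00 00 10214201358500 4C"
DELIVER_ALPHA = "04 07 D0 49A7F109 00 00 10214201358500 4C"
```

Running `decode_sms_deliver_header(DELIVER_E164)` reproduces the post's decoded timestamp 01/12/24 10:53:58 and UDL 76, while the second sample decodes to the name "INFO" with no E.164 number at all, which is the "hex string" case trewmte describes.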
Ninja
(@ninja)
Eminent Member
Joined: 16 years ago
Posts: 23
Hi trewmte & Abdulcadir,
I was thinking of using a CDR to first check the network from which such a message emanated and then check to see the information type. What do you think? Most message sites on the net these days are used for demarketing processes, and I think a trace will be necessary. Anyone with a better idea?