I know most people here are in forensic analysis of devices, but does anyone have any experience of telecommunications and cell tower data?
In the UK communications data is retained for a year on calls and SMS, about which number to and from, the date/time and duration and also the LOCATION.
What is the exact information on the location that is recorded and retained?
Specifically, I need to know if someone has a UK sim card and they are overseas and they send/receive an SMS with someone in the UK, what information will the UK mobile provider have about the location of the sender/receiver overseas?
The location where the User Equipment UE (tech. Mobile Station MS) was signed in to a cell tower is known in general (home or abroad) by the Home Location Register HLR. If an MS is abroad and covered by roaming agreements of the two carriers, the MS abroad is known by the Visitor Location Register VLR (which requests the crypto credentials for the 'foreign' MS from the HLR, which at this time gets informed about the current VLR in which 'its child' is actually residing).
Here are some SMS explanations on SlideShare.
The home carrier runs its Short Message Service Center SMSC, and so does the roaming partner. The tech. parameter you should focus on is SMS-DELIVER-REPORT, a Transfer Protocol Data Unit TPDU of the Short-Message Transfer-Layer SM-TL (~ page 50 of the doc below).
I know you focus on the location. Cell towers split their coverage into Tracking Area Codes TAC or Location Area Codes LAC. These are sub-areas of the bigger cell-coverage area, so the smallest parameter to get the location without extra running triangulation (explained later).
In the Mobile Network Operators' MNO systems the 'foreign' MS gets the Mobile Country Code MCC and the MNO's nation-based code, called Mobile Network Code MNC, based on the roaming (at home, MCC and MNC are the home carrier's parameters, typically printed on the blister holding the Universal SIM USIM at purchase). MCC, MNC and TAC together build the Tracking Area Identity TAI.
So the TAI parameter at a certain timestamp has to be requested from the roaming MNO. Be aware that the TAI can be two-fold: own home USIM or foreign USIM, if replaced for cost-saving purposes, e.g.
If LAC or TAC are not precise enough, a Cell Tower Investigation CTI has to be run to 'ask' three cell towers about their Radio Frequency RF signal strength logs at a certain time.
To conclude, I assume you hoped that the home MNO knows the location, but it cannot. This data is only known by the roaming carrier.
Sorry for the heavy technical expression; you may check 3GPP TS 23.040 v13.1 Rel. 13.
Be aware that in LTE networks different net elements are named differently, but the Short Message Service SMS still runs over these physical or emulated (virtual) entities.
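The TAI described above (MCC + MNC + TAC), decoded the way it appears in a network record, as an added example that is not code from the thread or from any operator. It assumes the 5-octet TAI field used in LTE signalling (PLMN identity laid out as in 3GPP TS 24.008 section 10.5.1.3, followed by a 16-bit TAC as in TS 24.301) and uses constructed sample PLMN codes and a constructed IMSI; the MNC length (2 or 3 digits) is not self-describing in an IMSI and must come from the home operator or a numbering-plan table.

```python
"""Decode a 3GPP Tracking Area Identity (TAI) and tell home from roaming.

Added example; not code from the thread or from any operator. Assumptions:
the TAI is the 5-octet field used in LTE signalling (PLMN identity as in
3GPP TS 24.008 section 10.5.1.3, followed by a 16-bit TAC, TS 24.301),
and the sample PLMN codes / IMSI below are constructed illustrative values.
"""
from __future__ import annotations

from typing import NamedTuple


class TAI(NamedTuple):
    mcc: str  # Mobile Country Code, 3 digits
    mnc: str  # Mobile Network Code, 2 or 3 digits
    tac: int  # Tracking Area Code, 0..65535


def _digit(nibble: int) -> str:
    if nibble > 9:
        raise ValueError(f"invalid BCD digit 0x{nibble:x}")
    return str(nibble)


def decode_plmn(octets: bytes) -> tuple[str, str]:
    """Decode the 3-octet PLMN identity (low nibble of each octet = first digit).

    octet 1: MCC digit 2 | MCC digit 1
    octet 2: MNC digit 3 | MCC digit 3   (MNC digit 3 is 0xF for 2-digit MNCs)
    octet 3: MNC digit 2 | MNC digit 1
    """
    if len(octets) != 3:
        raise ValueError("PLMN identity must be 3 octets")
    b1, b2, b3 = octets
    mcc = _digit(b1 & 0x0F) + _digit(b1 >> 4) + _digit(b2 & 0x0F)
    mnc = _digit(b3 & 0x0F) + _digit(b3 >> 4)
    if (b2 >> 4) != 0x0F:          # three-digit MNC (common in North America)
        mnc += _digit(b2 >> 4)
    return mcc, mnc


def encode_plmn(mcc: str, mnc: str) -> bytes:
    """Inverse of decode_plmn; pads a 2-digit MNC with the 0xF filler."""
    if len(mcc) != 3 or len(mnc) not in (2, 3) or not (mcc + mnc).isdigit():
        raise ValueError("MCC must be 3 digits, MNC 2 or 3 digits")
    d = [int(c) for c in mcc]
    m = [int(c) for c in mnc] + ([0xF] if len(mnc) == 2 else [])
    return bytes([(d[1] << 4) | d[0], (m[2] << 4) | d[2], (m[1] << 4) | m[0]])


def decode_tai(octets: bytes) -> TAI:
    """TAI = PLMN identity (3 octets) + TAC (2 octets, big-endian)."""
    if len(octets) != 5:
        raise ValueError("TAI must be 5 octets")
    mcc, mnc = decode_plmn(octets[:3])
    return TAI(mcc, mnc, int.from_bytes(octets[3:], "big"))


def home_plmn_from_imsi(imsi: str, mnc_len: int) -> tuple[str, str]:
    """IMSI = MCC(3) + MNC(2|3) + MSIN. The MNC length is not self-describing:
    it has to come from the home operator or a numbering-plan table."""
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        raise ValueError("IMSI must be 6..15 digits")
    if mnc_len not in (2, 3):
        raise ValueError("MNC length must be 2 or 3")
    return imsi[:3], imsi[3:3 + mnc_len]


def classify(tai: TAI, home: tuple[str, str]) -> str:
    """Compare the serving PLMN recorded in the TAI with the USIM's home PLMN."""
    if (tai.mcc, tai.mnc) == home:
        return "home"
    if tai.mcc == home[0]:
        return "national-roaming"      # same country, different MNO
    return "international-roaming"     # MCC differs: only the visited MNO has the TAI log


if __name__ == "__main__":
    # Constructed sample: a TAI as a visited MNO might log it, and a home IMSI
    # (assumed 2-digit MNC). Values are illustrative, not taken from any record.
    visited_tai = decode_tai(bytes.fromhex("1300141a2b"))
    home = home_plmn_from_imsi("234151234567890", mnc_len=2)
    print(visited_tai, home, classify(visited_tai, home))
```

The `classify` result is the practical point of the thread: when the MCC in the TAI differs from the MCC in the subscriber's IMSI, the TAI/TAC-level location was recorded by the visited network and has to be requested from that roaming partner.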
Thank you very much for your detailed reply.
To summarise and confirm if I have understood you correctly, say you have a UK sim on Vodafone that you take to the USA.
- Once in the USA the sim connects to AT&T roaming.
- Vodafone UK sends a roaming message to the sim saying 'Welcome to America'.
- Vodafone UK does not have any location data when this SMS is received - only AT&T does and this is not forwarded to the UK carrier. Is this correct so far?
If so, does the SMS have a record of which country it was sent to?
Correct, the SMS itself does not have a record about the country it was sent to. The 'home' Short Message Service Center SMSC knows to which 'foreign' SMSC it sent the message.
Be aware that as SMS are sent, stored and forwarded, it's a service to deliver.
If the sender activated a 'delivered' confirmation (not the roaming welcome message), the time is given therein. By asking the roaming partner (e.g. AT&T) on which Location Area Code the Mobile Station MS was at the 'delivery' time, you should get the location area.
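The timestamp that the 'delivered' confirmation carries, and the step of matching it against the roaming partner's location log, as an added example that is not code from the thread or from any operator. It assumes the 7-octet timestamp format of 3GPP TS 23.040 (TP-SCTS in SMS-DELIVER and TP-Discharge-Time in SMS-STATUS-REPORT: swapped-nibble BCD, time zone in quarter hours with the sign in bit 3 of the first semi-octet), a 21st-century two-digit year, and a constructed visited-network log with placeholder LAC and Cell ID values.

```python
"""Decode a 7-octet 3GPP SMS timestamp and look up the visited-network location
that was current at that moment.

Added example; not code from the thread or from any operator. Assumptions:
timestamp layout per 3GPP TS 23.040 section 9.2.3.11 (year, month, day, hour,
minute, second, time zone; each octet swapped-nibble BCD; time zone in quarter
hours, sign bit = bit 3 of the first semi-octet), two-digit years are 20xx,
and the visited-network log below is constructed with placeholder values.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone


def _swapped_bcd(octet: int) -> int:
    """Semi-octet BCD with the low nibble holding the first (tens) digit."""
    lo, hi = octet & 0x0F, octet >> 4
    if lo > 9 or hi > 9:
        raise ValueError(f"invalid BCD octet 0x{octet:02x}")
    return lo * 10 + hi


def decode_sms_timestamp(octets: bytes) -> datetime:
    """TP-SCTS / TP-DT: returns an aware datetime in the SMSC's local offset."""
    if len(octets) != 7:
        raise ValueError("timestamp field must be 7 octets")
    yy, mo, dd, hh, mi, ss = (_swapped_bcd(b) for b in octets[:6])
    tz_octet = octets[6]
    # Sign bit is bit 3 of the first semi-octet, i.e. 0x08 of the raw octet's low nibble.
    negative = bool(tz_octet & 0x08)
    quarters = _swapped_bcd(tz_octet & 0xF7)
    offset = timedelta(minutes=15 * quarters)
    if negative:
        offset = -offset
    return datetime(2000 + yy, mo, dd, hh, mi, ss, tzinfo=timezone(offset))


def location_at(ts: datetime, visited_log: list[tuple[datetime, str, str]]) -> tuple[str, str] | None:
    """Return (LAC, Cell ID) from the roaming partner's location log that was
    current at `ts`: the latest entry not later than `ts`. Both sides are compared
    in UTC so the SMSC's local offset does not skew the match."""
    ts_utc = ts.astimezone(timezone.utc)
    best = None
    for when, lac, cell in sorted(visited_log):
        if when.astimezone(timezone.utc) <= ts_utc:
            best = (lac, cell)
        else:
            break
    return best


# Constructed visited-network location log (placeholder LAC / Cell ID values).
SAMPLE_VISITED_LOG = [
    (datetime(2016, 4, 5, 12, 0, tzinfo=timezone.utc), "LAC-0x1F3A", "CELL-12345"),
    (datetime(2016, 4, 5, 13, 15, tzinfo=timezone.utc), "LAC-0x1F3B", "CELL-22222"),
    (datetime(2016, 4, 5, 14, 0, tzinfo=timezone.utc), "LAC-0x1F3C", "CELL-33333"),
]

# Constructed timestamp field: 2016-04-05 14:30:00 at UTC+1 (4 quarter hours).
SAMPLE_TIMESTAMP = bytes.fromhex("61405041030040")


if __name__ == "__main__":
    delivered = decode_sms_timestamp(SAMPLE_TIMESTAMP)
    print(delivered.isoformat(), location_at(delivered, SAMPLE_VISITED_LOG))
```

The time-zone handling is the part worth getting right before asking a roaming partner for a LAC: the SMSC stamps its own local offset, and a negative offset is signalled by a bit inside the BCD digit, not by a separate sign field.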
Thanks again, I really appreciate your expertise.
Now if I could just continue my scenario one step further, if Vodafone sends the roaming welcome message SMS to the number - the Vodafone SMSC knows to which foreign country it was sent but that's all the location information they have - AT&T holds the location data for the SMS received.
BUT while that sim card is in the USA if another USA mobile number sends an SMS - does ONLY AT&T and the other USA sim provider have the data relating to the SMS send/receive - or is the SMS routed through the UK mobile provider as an intermediary?
To ask this another way, when someone takes their UK sim overseas and is sending/receiving SMS and calls to other foreign mobile numbers, does the UK mobile provider have no record of these records thus the only clue would be the roaming message and which country it was sent to? Or no matter where you take a sim card and no matter what foreign country numbers are sent/received will they always be routed through the UK provider and hence the record of to what number and when will always exist, just not the attached location data?
> Now if I could just continue my scenario one step further, if Vodafone sends the roaming welcome message SMS to the number - the Vodafone SMSC knows to which foreign country it was sent but that's all the location information they have - AT&T holds the location data for the SMS received.
Correct.
> BUT while that sim card is in the USA if another USA mobile number sends an SMS - does ONLY AT&T and the other USA sim provider have the data relating to the SMS send/receive - or is the SMS routed through the UK mobile provider as an intermediary?
The SMS is not routed through the UK mobile provider.
> To ask this another way, when someone takes their UK sim overseas and is sending/receiving SMS and calls to other foreign mobile numbers, does the UK mobile provider have no record of these records thus the only clue would be the roaming message and which country it was sent to?
The UK mobile provider logs a record if calling is involved, although the call itself is not routed over the UK. Calling service is completely different from SMS as it's connection-oriented and variable cost is involved, meaning if uk_SIM_in_US calls us_SIM_in_US the UK mobile provider's Policy and Charging Rules Function (PCRF) is touched, e.g. for accounting and debit remaining.
> Or no matter where you take a sim card and no matter what foreign country numbers are sent/received will they always be routed through the UK provider and hence the record of to what number and when will always exist, just not the attached location data?
No, routed only through the involved US provider's infrastructure, e.g. AT&T. The UK provider logs the record of the calls (Call Data Record CDR). Traffic (content) is not the same as record logs.
SMS is unique if abroad and received. If SMS is sent or calling is involved, the Home Subscriber Server uk_HSS is involved and gets a location update.
Please study the graphical overview at the top of page 34 of TS 23.040 v13.1 (2016-04) for better understanding (shows the SM-MT process after 'passing' the SMSC).
'sending' an SMS = SM-MO Short Message Mobile Originated
'receiving' an SMS = SM-MT Short Message Mobile Terminated
SMS can be operated over several mobile technologies like Circuit-Switched CS or Packet-Switched PS, SMS over IP, SMS over LTE. Due to this, different intermediary entities are involved, combined with the SMSC. Today legacy physical entities are mostly realized as logical entities in software and highly virtualized (Software Defined Networking SDN and Network Function Virtualization NFV).
> What is the exact information on the location that is recorded and retained?
This is a basic overview, because there are many aspects to this matter and it is a far too lengthy process to simply guess at it. Rolf has provided helpful guidance to you, and the below can be added to that.
There are numerous arrangements. If the operators are e.g. Vodafone UK and Vodafone USA, then the amount of data can be the same on both sides. However, if the operators are e.g. Vodafone UK and T-Mobile USA, then each operator will record the call details as to their own requirements.
There are many mistakes made in the area of assuming what operators will capture at the time of an originated/terminated call. The amount of info captured depends on what the switch manufacturer was required to provide. If you speak with switch manufacturers they will tell you they can record virtually anything that flows through the switch but it is whether the operator wants those recording mechanisms switched on.
The above is all well and good but creates no common standard. This has been overcome by an internationally agreed account format (TAP) that is transferred for reconciliation through a clearing house. In order to understand which network services are to be shared with the subscriber account, your first port of call is to know the terms and services to be provided under the roaming services agreed within an international roaming agreement (IRA).
Once this is known then it will assist when obtaining the version of TAP file containing the internationally agreed account format as to what information might be recorded in it. Information, such as IMSI, IMEI, numbering plan, called number, service type, service code, radio channel requested, radio channel used, MSC ID, location area, Cell ID, MSCM, charging date, charging time, UTC Time Offset Code etc. can be available.
It may be worth determining the radio transmission technology used for the call first (e.g. GSM etc.) and whether the UK account was post-paid or prepaid. There are GSM/3GPP standards that set out requirements for enabling services whilst roaming, so it is worth getting some background information:
CAMEL - Customised Applications for Mobile network Enhanced Logic (CAMEL); Service description; Stage 1
DID YOU KNOW? 20th Anniversary 2012/13 for SMS Texting
For mobile circuit-switched SMS messaging, as an investigator, reviewing the various typical transfer Cases (A-F) to see which applies to the evidence is important. Consider that transfer conditions are also undertaken for GPRS and WCDMA.
Case A Mobile originating short message transfer, no parallel call.
Case B Mobile terminating short message transfer, no parallel call.
Case C Mobile originating short message transfer, parallel call.
Case D Mobile terminating short message transfer, parallel call.
Case E Mobile terminating short message transfer together with Inter-MSC hand over, parallel call.
Case F Mobile terminating short message transfer on SDCCH channel together with Inter-MSC hand over.
Overall, there are many standards, guides and documents that cover this area, so as an observation be patient in seeking information, as the information can be construed as commercial in confidence.
Today's eBanking solutions based on Two-Way-Authentication (TWA) often include an SMS with the mTAN (mobile TransAction Number) inside; the analysis of the Correlation ID (MCC+MNC+Sender ID) detects 'faked' SMS.
The Correlation ID requires an SMS Router or IP-SM-GW (Internet Protocol Short Message GateWay) in use (3GPP TS 23.040, 3.2.7a). The Sender ID (TS 23.840) consists of 9 random digits.
Just in case you want to learn more :-)
Thank you guys for the info. Gutmann - you really outdo yourself on your knowledge on this.
Now if I'm talking from the perspective of someone in UK law enforcement making a request to the communications provider for communications data
1) If a person takes their UK sim overseas, there will be no data pertaining to any received SMSs
- Correct?
2) If so, will there be data pertaining to the roaming message sent from the provider that will show the country where the sim was activated that could thus give some clues for making enquiries with overseas providers? Or is the roaming message not logged in the same way that can be retrieved and provided by the provider to law enforcement?