last activated cell/area SIM card  

bigjon
(@bigjon)
Active Member

Good afternoon forum
Is the stored data from an examined SIM card the last event or simply updated and stored as the user travels?
If a person were to use their phone in Leeds city centre, then travel to Manchester without using their phone again, what location data would be on the SIM if it were to be seized from the user in Manchester?
I cannot find the definitive answer anywhere, thank you

Posted : 04/05/2016 9:06 pm
trewmte
(@trewmte)
Community Legend

> Good afternoon forum
> Is the stored data from an examined SIM card the last event or simply updated and stored as the user travels?
> If a person were to use their phone in Leeds city centre, then travel to Manchester without using their phone again, what location data would be on the SIM if it were to be seized from the user in Manchester?
> I cannot find the definitive answer anywhere, thank you

Hello bigjon,

You need to confirm if your discussion is about SIM Card or USIM Card.

Three states you need to identify when discussing data in EFLOCI file when put in context with Leeds City Centre and Manchester

1) was the mobile station switched off in Leeds?
or
2) was the mobile MS station put into Flight Mode in Leeds?
or
3) was the mobile station left switched on in Leeds for the duration of the trip to Manchester?

If 1/2) at power down/Flight Mode in Leeds the data found stored in EFLOCI file should be the last location update.

If 3) the data found stored in EFLOCI file should have been updated either when crossing location boundaries (location areas) for the journey or when periodic location updates are triggered e.g. duration as per EFHPLMN file - whichever comes first.

Can you provide more information?

Posted : 04/05/2016 11:24 pm
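
To make concrete what an examiner actually reads back from the EFLOCI file discussed in the reply above, here is a decoder for its raw contents. It is an added example, not part of the original thread; it assumes the 11-byte USIM layout of 3GPP TS 31.102 (TMSI, LAI, one RFU byte, location update status), and the sample bytes are constructed, not taken from a real card.

```python
from dataclasses import dataclass

# Location update status: low 3 bits of the last byte (3GPP TS 31.102, EF_LOCI).
LU_STATUS = {
    0b000: "updated",
    0b001: "not updated",
    0b010: "PLMN not allowed",
    0b011: "location area not allowed",
}

@dataclass
class Loci:
    tmsi: str        # temporary identity, hex
    mcc: str         # mobile country code
    mnc: str         # mobile network code (2 or 3 digits)
    lac: int         # location area code
    status: str
    lai_valid: bool  # False when the LAI has been deleted or is not "updated"

def _plmn(b):
    """Decode 3 bytes of nibble-swapped BCD into (MCC, MNC)."""
    mcc = f"{b[0] & 0x0F:X}{b[0] >> 4:X}{b[1] & 0x0F:X}"
    mnc = f"{b[2] & 0x0F:X}{b[2] >> 4:X}"
    if b[1] >> 4 != 0xF:             # 0xF filler means a two-digit MNC
        mnc += f"{b[1] >> 4:X}"
    return mcc, mnc

def parse_ef_loci(raw: bytes) -> Loci:
    if len(raw) != 11:
        raise ValueError(f"EF_LOCI is 11 bytes, got {len(raw)}")
    mcc, mnc = _plmn(raw[4:7])
    lac = int.from_bytes(raw[7:9], "big")
    status = LU_STATUS.get(raw[10] & 0x07, "reserved")
    # LAC 0x0000 and 0xFFFE mark a deleted LAI (3GPP TS 24.008).
    valid = lac not in (0x0000, 0xFFFE) and status == "updated"
    return Loci(raw[0:4].hex().upper(), mcc, mnc, lac, status, valid)

# Constructed samples: TMSI | LAI (PLMN + LAC) | RFU | status
SAMPLE = bytes.fromhex("1A2B3C4D" "32F451" "1234" "FF" "00")
ERASED = bytes.fromhex("FFFFFFFF" "FFFFFF" "FFFE" "FF" "01")

if __name__ == "__main__":
    print(parse_ef_loci(SAMPLE))
    print(parse_ef_loci(ERASED))
```

The file is a single transparent record with no timestamp and no cell identity, so the decoded value names one location area only; when that area was stored has to be established from other evidence.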
bigjon
(@bigjon)
Active Member

Good afternoon trew, yes it's a USIM
The scenario (imaginary) is, phone used then left switched on but sends and receives no data, person then travels to Manchester, all the while the data on the USIM is updating.
The importance is the examination of a SIM/USIM being vitally important.
A male and female from Leeds, e.g. she texts and generally uses her phone whilst in Leeds,
They then travel to Manchester where she is murdered, her belongings are searched, phone gets switched off and the body and belongings are transported back to Leeds and dumped.
On examination of the handset details (without examining SIM/USIM first) could give us lots of data, going to a SPOC for CDR data they would get information from the CSP but the investigator would not know of the time in Manchester as they only provide the OIC with events.
It was a SPOC trainer who asked me to clarify the above, this he said is information on a phone even he could not give you, hence the importance of SIM first even if it means removing battery etc. to get to it

Posted : 05/05/2016 9:34 pm
hcso1510
(@hcso1510)
Active Member

Bigjon,
I have very little knowledge of how the technology works on your side of the pond, but if the MS was an Android and it was tied to a Gmail account you might be able to obtain some location data from them that can either reinforce existing evidence or enhance things where it could be lacking. Just a thought.

Respectfully,

Posted : 06/05/2016 6:40 am
RolfGutmann
(@rolfgutmann)
Community Legend

@bigjon You may look into 3GPP Technical Standard TS 31.102 for flyover if you like to learn

3gpp.org TS 31.102

Posted : 06/05/2016 12:15 pm
trewmte
(@trewmte)
Community Legend

> A male and female from Leeds, e.g. she texts and generally uses her phone whilst in Leeds,
> They then travel to Manchester where she is murdered, her belongings are searched, phone gets switched off and the body and belongings are transported back to Leeds and dumped.
>
> but the investigator would not know of the time in Manchester as they only provide the OIC with events.

hello bigjon

The investigator and SPOC need to consider CS and PS states to confirm any auto-updated (or fixed network timers, etc.) of USIM/SIM EFs. As you confirm there is no user-generated traffic and no traffic received by the user then start with these EFs

USIM & SIM modules
==============
EFHPLMN (Home PLMN - check for update timer)
EFLOCI (Location Information)
EFBCCH (Broadcast Control Channel)
EFKc (GSM Ciphering key Kc)
EFKcGPRS (GPRS Ciphering key KcGPRS)
Check DF ProSe
EFCPBCCH (CPBCCH Information)
EFPSLOCI (Packet Switched location information)
EFNETPAR (Network Parameters)
EFOPLMNwACT (Operator controlled PLMN selector with Access Technology)

Posted : 06/05/2016 10:00 pm
RolfGutmann
(@rolfgutmann)
Community Legend

#trewmte - you are a top of class expert!

Tiny delayed bit to learn for the case creator, see here SIM and USIM main differences

Gemalto

Posted : 07/05/2016 1:14 pm
bigjon
(@bigjon)
Active Member

Trew, hcso, rolf, thank you for the input.
I had spoken to SPOCs when the issue of the use of a Faraday shield was mentioned, this is what led to the SIM information being discussed and the fact this information could be lost and their investigation through CSP would not bring this as they only recover events

Posted : 07/05/2016 1:50 pm
bigjon
(@bigjon)
Active Member

Trew, hcso, rolf, thank you for the input.
I had spoken to SPOCs when the issue of the use of a Faraday shield was mentioned, this is what led to the SIM information being discussed and the fact this information could be lost and their investigation through CSP would not bring this as they only recover events

Posted : 07/05/2016 1:51 pm
trewmte
(@trewmte)
Community Legend

> #trewmte - you are a top of class expert!
>
> Tiny delayed bit to learn for the case creator, see here SIM and USIM main differences
>
> Gemalto

Thanks Rolf, kind of you to say so.

I visited the webpage and noted the statement "Although it’s possible to access it with a simple SIM card…" Gemalto is referring to GSM SIM in terms of accessing a UMTS mobile network. I do not know whether the author of that statement had the following in mind when writing it but it is quite possible that point was addressed way back in 2001. The relevant but last standard for UMTS 1 3G TS 22.100 is Release '99 v3.7.0 (2001-10). Regarding 'Service aspect (Stage 1)' states at


"10 USIM


2) The UMTS mobile terminal shall support phase 2 and phase 2+ GSM SIMs as access modules to UMTS networks. The services that can be provided in this case may be limited to GSM like services provided by that UMTS network. UMTS mobile terminals shall not support 5V SIMs. It shall be up to the UMTS network operator to accept or reject the use of GSM SIM as access modules in its network."

I remember this from past cases where 2G SIM Cards were being used in 3G handsets. From an examination and cell site analysis angle, the mobile station would be examined first. The examiner's report would identify a GSM SIM Card. The cell site analysis would refer to the use of one or two 3G UMTS NodeB having handled calls in addition to GSM BTS following analysis of the call data. Diametrically opposing views arose where one party would say GSM SIM Card impossible to access 3G UMTS and another party would say the user did access 3G UMTS services but didn't know how.

I am not sure the above opposing views (GSM/UMTS) happen these days in evidential terms although I have seen some about GSM/UMTS/LTE. There are occasions where customers complain about / enquire to know why they cannot get certain services via their handsets.

Consideration of a handset should not be limited to its memory storage but also analysis of the handset's RF-Mem and UMTS radio module as well.

Posted : 07/05/2016 2:29 pm
RolfGutmann
(@rolfgutmann)
Community Legend

For DF ProSe look here

tech-invite.com

Posted : 07/05/2016 2:41 pm
RolfGutmann
(@rolfgutmann)
Community Legend

These opposing views still occur in today's CSP networks. Cases of people using their UE/MS quite less and bought them years ago lead the carriers to still accept the access into UMTS by SIMs to not bother customers. As cell-load is high on 3G/4G and up, carriers are kind of 'happy' having users still being limited into UMTS even if they just use voice and messaging and no data services.

Another development brings these 'legacy users' into new USIMs. If buying new devices having smaller "SIM"-trays like iPhones they get pushed to replace their SIMs by getting appropriate USIMs (mini, micro, nano or tech. 2FF, 3FF, 4FF).

I was involved in an Iranian case and their SIMs by all carriers still run smoothly and do not get pushed back by no service in UMTS cells.

The problem on having multiple RAN mixed and multi-Gen cells on cell towers leads to more complexity as traffic offloading (mainly data and time-critically) are offloaded to either SmallCells (WiFi-based APs) or looming StreetConnect cells. But there it also depends on the carrier settings (baseband configs) to the UE/MS by setting up or after switching USIMs and getting new either silent or visible USSD-codes mostly still for MMS or browsing.

Conclusively I expect still cases having opposite views but good chance to view traffic LI-logs to see if just was connected by drive-by and not traffic or actively running services e.g. voice.

Worthy to say, that manufacturers sometimes not fully map 3GPP TSs into their code running on Net Elements and controlled by their Network Management Systems (NMS).

Heavily depends on the Mobile Network Operator (MNO).

Posted : 07/05/2016 3:15 pm
trewmte
(@trewmte)
Community Legend

This is excellent feedback; thank you Rolf the expert.

> These opposing views still occur in today's CSP networks. Cases of people using their UE/MS quite less and bought them years ago lead the carriers to still accept the access into UMTS by SIMs to not bother customers. As cell-load is high on 3G/4G and up, carriers are kind of 'happy' having users still being limited into UMTS even if they just use voice and messaging and no data services.

Yes, I can imagine that would be so as to avoid customer churn.

> Another development brings these 'legacy users' into new USIMs. If buying new devices having smaller "SIM"-trays like iPhones they get pushed to replace their SIMs by getting appropriate USIMs (mini, micro, nano or tech. 2FF, 3FF, 4FF).

The iPhone card slot-in is small, but the amount of promotions by MNO/VMNO SIM Card only subscriptions and prepaid has risen in the UK so that users are retaining their legacy handsets. Also Samsung and other manufacturers haven't really joined iPhone model and really iPhone's ultra small card will be more of a frustration to customers who decide not to use iPhone handsets. If form-factor should have a global impact for manufacturers then I would imagine embedded UICC (eUICC) would be their choice. Problematical even with that though is people may not want to have to buy a handset/eUICC every time the user wishes to choose a different network to get another phone/eUICC.

> I was involved in an Iranian case and their SIMs by all carriers still run smoothly and do not get pushed back by no service in UMTS cells.

Which is indicative then of evolution and development of techniques in mobile networks since 2001.

> The problem on having multiple RAN mixed and multi-Gen cells on cell towers leads to more complexity as traffic offloading (mainly data and time-critically) are offloaded to either SmallCells (WiFi-based APs) or looming StreetConnect cells. But there it also depends on the carrier settings (baseband configs) to the UE/MS by setting up or after switching USIMs and getting new either silent or visible USSD-codes mostly still for MMS or browsing.

Talking of installations you may enjoy browsing through these documents created by the then Office of the Deputy Prime Minister (John Prescott) which I have from 11 years ago. The old ODPM website is no longer available. They are helpful documents defining the way forward with small cells vis-à-vis existing installations

https://www.dropbox.com/s/uibqptlha71t8g6/odpm_plan_606401.pdf?dl=0
https://www.dropbox.com/s/q4a4tvxb3ezgxos/odpm_plan_606402.pdf?dl=0
https://www.dropbox.com/s/jw0am28bnwbm0cc/odpm_plan_606403.pdf?dl=0
https://www.dropbox.com/s/vi6anpkkvxzc4vf/odpm_plan_606404.pdf?dl=0
https://www.dropbox.com/s/w9kj13xqotmmzvq/odpm_plan_606405.pdf?dl=0
https://www.dropbox.com/s/ox1hpfgoaq6wyks/odpm_plan_606406.pdf?dl=0

> Conclusively I expect still cases having opposite views but good chance to view traffic LI-logs to see if just was connected by drive-by and not traffic or actively running services e.g. voice.

Given the laws and regulations in the UK the requirement of proportionality would need to be justified first before access to such logs may take place. Also, a cell site analysis is largely historical; LI-logs wouldn't be available as the OIC would be dealing with mobile network past event.

> Worthy to say, that manufacturers sometimes not fully map 3GPP TSs into their code running on Net Elements and controlled by their Network Management Systems (NMS).
>
> Heavily depends on the Mobile Network Operator (MNO).

Enjoyed the discussion, once again thanks Rolf.

Posted : 07/05/2016 4:53 pm
RolfGutmann
(@rolfgutmann)
Community Legend

Thank you for the dropb docs I will enjoy to study, the pleasure is on my side -)

Posted : 08/05/2016 4:23 pm