Chapter 10. Mobile Network Investigations
Dario Forte and Andrea de Donno

Contents

Introduction
Mobile Network Technology
Investigations of Mobile Systems
Types of Evidence
Where to Seek Data for Investigations
Interception of Digital Evidence on Mobile Networks
References

Introduction

The use of mobile devices is increasing rapidly, with devices like the BlackBerry, iPhone, and G1 providing a wide variety of services, including communication (e.g., voice, SMS, e-mail), Internet access (web browsing), and satellite navigation (GPS). These technological advances create new opportunities for criminals while providing valuable sources of evidence. The bombs in the 2004 train bombings in Madrid apparently used cellular telephones as timers. The terrorists in the recent Mumbai attacks communicated using satellite telephones. Drug dealers and organized criminals are heavily dependent on inexpensive prepaid cellular telephones that are essentially anonymous and disposable.
Mobile network investigations are also commonly performed for “conventional crimes,” often focusing on location information, logs of telephone calls, printouts of SMS messages, and associated metadata.
From the Case Files: Exonerating SMS
The Criminal Court of Perugia examined data from mobile networks and devices while investigating the murder of Meredith Kercher, the English student killed between November 1 and 2, 2007. In this case, the specialized Police Unit made several technical investigations including mobile traffic and SMS analysis. In this particular case, only the analysis of the SMS enabled the police to determine the innocence of an unjustly accused suspect, Patrick Lumumba.
A mobile device is generally defined as any instrument that can connect to and operate on a mobile network, including cellular telephones, wireless modems, and pagers. Although a significant amount of useful digital evidence associated with mobile devices like cellular telephones is stored in embedded flash memory as detailed in Chapter 8, “Embedded System Analysis,” the associated network is also a rich source of evidence. Compared with the wide variety of mobile devices, the supporting network technologies are reasonably consistent. The core mobile networks have similar components, the network service provider (NSP) will maintain usage logs and billing records, and investigators can intercept network traffic from mobile devices. Therefore, it is useful for investigators to understand the underlying network technologies, the types of data that can exist on mobile networks, and approaches to collecting and analyzing these sources of digital evidence.
This chapter begins with an overview of mobile networks and how they can be useful in digital investigations. This chapter concentrates on cellular and PCS technologies, but does not address satellite telephone networks. Methods of obtaining location information from mobile networks are described. The content and analysis of usage logs and billing records are covered, and the usefulness of text and multimedia messaging is demonstrated. The remainder of the chapter focuses on techniques and tools for capturing and analyzing traffic on mobile networks, culminating with a discussion of the legal and operational implications of interception.

Mobile Network Technology

In the late 1980s, the mobile telephony system in Europe was based exclusively on the ETACS network created by various telephone companies and consisting of analog radio links operating at the frequency of 800MHz. Although at the time it was considered to be the start of a revolution, few would have imagined how quickly the phenomenon would burgeon both into a fad and into a system for keeping close track of individuals.
The weak points of the ETACS network were the lack of coverage abroad, continuing interference with other users, and the ease of cloning. It often happened that some unknown party obtained possession of the serial number of a mobile device, combined it with a new account to elude the NSP and generated telephone traffic paid for by the unwitting victim. In the mid-1990s, the GSM network was introduced. It operated at a frequency of 900MHz and later 1.8GHz. GSM was introduced precisely to eliminate once and for all the problem of interference among radio links and, being digital, to make conversations more secure.
The next revolution in mobile network technology came about in 2003 when the Japanese colossus Hutchison Whampoa entered the European market with H3G, the third generation of mobile telephony. The telephone now became a video-telephone, using the 2.1GHz band.
In the area of electronic communication services, it is necessary to distinguish between “telephony” and “telematic” services as shown in Table 10.1.
Table 10.1 Telephony versus Telematic Services
| Telephony | Telematic |
| --- | --- |
| Telephone calls, including voice calls, voice messaging, conference calls, and data transmitted via telefax | Internet access; e-mail |
| Supplementary services, including call forwarding and call transfers | Fax, SMS and MMS messages via Internet |
| Messaging and multimedia services, including SMS services | Telephony via Internet (Voice over Internet Protocol, VoIP) |

Components of Mobile Networks

Mobile networks generally have the following components, as shown in Figure 10.1.
Figure 10.1
Common components of mobile networks (Gibbs & Clark, 2001).
The wireless portion of mobile networks uses Time Division Multiple Access (TDMA) or Code Division Multiple Access (CDMA) technology to transfer data via radio frequency. Fundamentally, CDMA is a spread-spectrum technology to enable data from multiple devices to be multiplexed on a single physical channel, whereas TDMA breaks the transmission signal into discrete timeslots for each device.
TDMA is a digital transmission technology that allows a number of users to access a single radio-frequency (RF) channel without interference by allocating unique time slots to each user within each channel. The TDMA digital transmission scheme multiplexes three signals over a single channel. The current TDMA standard for cellular divides a single channel into six time slots, with each signal using two slots, providing a 3 to 1 gain in capacity over advanced mobile-phone service (AMPS). Each caller is assigned a specific time slot for transmission. (IEC, 2007)
All the mobile network components in Figure 10.1 can be important in a digital investigation. Mobile devices connect to a base station (a.k.a. Base Transceiver Station) over a radio link using TDMA or CDMA technology. Each base station has at least one radio transceiver that provides radio coverage of a specific geographical region (a.k.a. cell).
Some mobile network technologies (including GSM but not IS-136) use base station controllers (BSC/CBSC) to control communication between base stations. For instance, the BSC coordinates the transfer of a device from one base station to another, enabling continuity of communication as a mobile device moves to different places within a given Location Area.[1] The wireless portion of mobile networks connects to a switching system, typically including a Mobile Switching Center (MSC), to perform call processing within the system and connect to other wireless networks and land lines. For instance, the MSC delivers call and SMS messages to mobile devices in its jurisdiction, and coordinates handovers of ongoing communications as a mobile device moves between Location Areas.
[1] A group of base stations and controllers in a given region is commonly referred to as a Location Area.
Because MSCs are the crux of communications between base stations and the core network, they generate a wealth of information about mobile network activities that can support digital investigations, including usage logs and charging detail records. Furthermore, all mobile devices that are currently being handled by a given MSC are listed in a Visitor Location Register (VLR) database associated with that MSC.
In addition to MSCs, mobile networks have systems called Interworking Functions (IWF) that operate as a gateway to external data networks such as the Internet. An IWF is “essentially a bank of modems (ISDN, analog, etc.) and equipment to perform, if necessary, protocol conversions to connect the MSC to other data networks” (Gibbs & Clark, 2001).
Information about the individual subscriber, their billing details, and services they can use on the mobile network is contained in the Home Location Register (HLR) of their NSP. The current location of a given mobile device is also stored in the HLR. The HLR also contains the subscriber's encryption keys and supports billing. Information in the HLR is also used by an Authentication Center (AuC), which restricts access to the network and services to authorized subscribers, to provide security and prevent fraud.
At the heart of a mobile network, NSPs have one or more centers of operation to maintain and monitor their systems. These centers of operation provide access to data for billing or investigative purposes, and support interception of mobile traffic.
There are other service-specific systems in the core network that may contain data of relevance to an investigation. For instance, text messages are processed by a Short Message Service Center (SMSC). Although an SMSC may only retain messages for a short period, it can be a fruitful source of evidence depending on the policy of the operator. Voicemail stored on the provider network can be another useful source of evidence.
NSPs may also maintain additional information about activities relating to mobile devices and subscribers, including a blacklist of devices in their Equipment Identity Register (EIR) that have been reported stolen or have been flagged as bad for some other reason.
Another important aspect of mobile networks is the Signaling System 7 (SS7). This system provides the control link needed to support call establishment, routing, and information-exchange functions. For instance, SMS text messages can be transmitted over this link, thus providing communication services even when a call is not established. Investigators should be aware of SS7 because it releases information that is very useful as a correlation point.
Another number useful to obtain is the International Mobile Equipment Identifier (IMEI), which is a unique number associated with a particular device. The IMEI allows digital investigators to obtain valuable digital evidence associated with a particular mobile device even if a subject uses different NSPs or accounts with the same device. In addition to obtaining stored data from NSPs, digital investigators can use the IMEI to monitor telephone traffic associated with a particular device, obtaining voice communication, attempted calls, SMS, MMS, and video calls.
Practitioner's Tip: Idle Traces
A mobile device begins to leave its traces on the mobile network the moment it is turned on. When a device is powered on it announces itself to the mobile network, generating a refresh of the authentication process. Like every technical device, a mobile device also releases technically sensitive information. For example, an International Mobile Subscriber Identity (IMSI) is essentially a unique number that is associated with a particular subscriber on a GSM or UMTS mobile network. The IMSI is stored on the SIM card in a mobile device and is used to authenticate the device on the mobile network and to look up the subscriber's other details, which are held in the HLR (Home Location Register) or copied locally into the VLR (Visitor Location Register). In order to avoid interception of this sensitive number, the IMSI is not directly sent over the network. It is substituted by a TMSI (Temporary Mobile Subscriber Identity), which is a temporary number, usually created for a single session. At the request of digital investigators, NSPs can use these unique identifiers to query their systems for all activities relating to a particular subscriber account, as detailed in Chapter 8, “Embedded Systems Analysis.”

Investigations of Mobile Systems

Investigations used to be carried out exclusively by people. In the pure spirit of investigation, you started from information obtained through an undercover agent followed by operations involving trailing suspects and intercepting ordinary mail. Without the help of technological systems, these investigations tended to last much longer than their more modern counterparts.
Today, the initiation of an investigation may involve, in addition to verbal information, an anomalous bank record, an image from a surveillance camera, or of course highly visible crimes such as theft or murder.
The first phase of the investigation involves interviewing people who may have relevant information and continues with monitoring the means of communication of suspects or others associated in some way with the case. In addition to the traditional telephone, there are other monitoring points such as electronic mailboxes, places visited by the suspect, Telepass accounts (devices used for automatic highway toll payment), credit card accounts, and other financial operations.
Nowadays, investigations are supported by software that is customized to meet different requirements. The investigator enters all the data available on a subject into the interception system and the server performs a thorough analysis, generating a series of connections via the mobile devices involved, the calls made or received, and so on, providing criminal police with a well-defined scheme on which to focus the investigation, and suggesting new hypotheses or avenues that might otherwise be hard to identify. Obviously, thanks to the support of the NSP, the data can be supplemented with historical information or other missing data such as other mobile devices connected to a given BTS on a given date and time. Data can also be provided for public payphones, which are often used to coordinate crimes. Again, thanks to a connection with the NSP, it is possible to obtain a historical record of telephone calls made and the location of the payphone with respect to other mobile devices. The same sort of record may also be obtained for highway travel using Telepass (conventional name for automatic wireless toll payment), including average speed and stops.
Having historical data of various kinds relating to an investigation accessible in a database can greatly assist the initial examination of a newly acquired mobile device. By extracting all telephone numbers in the phonebook of a mobile device seized during a search and entering names and numbers into the electronic system, digital investigators perform powerful analysis even in the initial phases of the investigation thanks to cross-referencing capabilities. For instance, investigative tools support advanced entity and relation searches, including the nicknames from phonebooks to locate additional related activities. In addition, some investigative tools enable digital investigators to perform traffic analysis, including georeferenced data and diagram generation as shown in Figure 10.2.
Figure 10.2
Cellular telephone tracking software, showing the relative movements of two mobile devices over a given period of time.
It is thus very important to have investigation software that can quickly import data online (over a secure and confidential connection with the monitoring center, MC) or from optical media, and that offers flexibility in subsequent processing.

Types of Evidence

Mobile networks can provide information of relevance to an investigation, including the location of a mobile device, the past usage associated with a particular device or subscriber, as well as context of communications.

Localization Parameters

The term localization parameters describes information that can be combined to localize an active mobile device and its related user. These localization parameters can be useful to track the position of a mobile device user, for several purposes, both for prosecution and defense.

Determining the Position of a Given Mobile Device

The simple act of turning on a device and leaving it in an idle state will generate data on the network that can be used to determine its approximate location. As a mobile device is moved from one location to another, it updates the network. Basically speaking, there is a timeframe where the mobile device “announces” itself to the network. The possible alternatives are as follows:
Cell identification: The mobile device can be reached by looking at the cell to which it is currently connected. There is a range of accuracy that starts from a few hundred meters in urban areas, up to 32km in suburban areas and rural zones. The accuracy depends on the known range of the particular base station serving the mobile device at the time of positioning. The poor value of 32km can be enhanced with the use of the so-called Enhanced Cell Identification (general accuracy of 550 meters).
Time difference of arrival (TDOA): This method, also referred to as multilateration, measures the time it takes for a signal to travel from a mobile device to multiple base stations to estimate the device location. “It is a method commonly used in civil and military surveillance applications to accurately locate an aircraft, vehicle or stationary emitter by measuring the time difference of arrival (TDOA) of a signal from the emitter at three or more receiver sites.” (Wang et al., 2008)
Time of arrival (TOA): This approach is effectively the same as TDOA, but this technology uses the absolute time of arrival at a certain base station rather than the difference between multiple stations.
Enhanced Observed Time Difference (E-OTD): This method is similar to TDOA, but in this case the position is calculated by the mobile device, not the base station. In essence, the mobile device receives signals from multiple base stations at the same time that a specially placed receiver receives the signals. The precision of this method can vary from 50 to 200m.
Assisted-GPS: A third-party service that generally relies on the Cell Identification.
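A worked example of the TOA and TDOA methods listed above, written for this chapter rather than taken from the authors or any product: four constructed base-station sites, a constructed device position, and arrival times derived from it. The TDOA solver uses only differences against the first station, so the unknown transmission time cancels, and a second run with constructed timing errors shows how nanosecond-scale timing noise becomes tens of metres of positional error.

```python
"""Multilateration from base-station timing (TOA and TDOA), 2-D, metres.

Added illustration for this chapter; station sites, the device position
and all timings below are constructed, not real network data.
"""
import math

C = 299_792_458.0  # radio propagation speed, m/s


def dist(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


def _solve(residuals, jacobian, guess, iters=60):
    """Gauss-Newton for two unknowns (x, y): solves (J^T J) dx = -J^T r."""
    x, y = guess
    for _ in range(iters):
        r = residuals((x, y))
        J = jacobian((x, y))
        a = sum(j[0] * j[0] for j in J)
        b = sum(j[0] * j[1] for j in J)
        d = sum(j[1] * j[1] for j in J)
        g0 = sum(j[0] * ri for j, ri in zip(J, r))
        g1 = sum(j[1] * ri for j, ri in zip(J, r))
        det = a * d - b * b
        if abs(det) < 1e-12:  # degenerate geometry (e.g. collinear stations)
            break
        dx = -(d * g0 - b * g1) / det
        dy = -(a * g1 - b * g0) / det
        x, y = x + dx, y + dy
        if math.hypot(dx, dy) < 1e-6:
            break
    return x, y


def _coarse_guess(residuals, stations, step=250.0):
    """Grid search over the stations' bounding box so Gauss-Newton starts near the answer."""
    xs, ys = [s[0] for s in stations], [s[1] for s in stations]
    best, best_cost = None, float("inf")
    x = min(xs)
    while x <= max(xs):
        y = min(ys)
        while y <= max(ys):
            cost = sum(ri * ri for ri in residuals((x, y)))
            if cost < best_cost:
                best, best_cost = (x, y), cost
            y += step
        x += step
    return best


def locate_toa(stations, arrival_times, t_emit):
    """Time of arrival: with a known emission time, each station gives a range c*(t_i - t_emit)."""
    ranges = [C * (t - t_emit) for t in arrival_times]

    def residuals(p):
        return [dist(p, s) - r for s, r in zip(stations, ranges)]

    def jacobian(p):
        rows = []
        for s in stations:
            d = max(dist(p, s), 1e-9)
            rows.append(((p[0] - s[0]) / d, (p[1] - s[1]) / d))
        return rows

    return _solve(residuals, jacobian, _coarse_guess(residuals, stations))


def locate_tdoa(stations, arrival_times):
    """Time difference of arrival: range differences to station 0 cancel the unknown emission time."""
    ref = stations[0]
    diffs = [C * (t - arrival_times[0]) for t in arrival_times[1:]]

    def residuals(p):
        d0 = dist(p, ref)
        return [(dist(p, s) - d0) - dd for s, dd in zip(stations[1:], diffs)]

    def jacobian(p):
        d0 = max(dist(p, ref), 1e-9)
        rows = []
        for s in stations[1:]:
            d = max(dist(p, s), 1e-9)
            rows.append(((p[0] - s[0]) / d - (p[0] - ref[0]) / d0,
                         (p[1] - s[1]) / d - (p[1] - ref[1]) / d0))
        return rows

    return _solve(residuals, jacobian, _coarse_guess(residuals, stations))


def simulate_arrivals(stations, device, t_emit, jitter=None):
    """Arrival times at each station for a constructed device position, plus optional timing error (s)."""
    jitter = jitter or [0.0] * len(stations)
    return [t_emit + dist(device, s) / C + j for s, j in zip(stations, jitter)]


STATIONS = [(0.0, 0.0), (3000.0, 0.0), (0.0, 3000.0), (3000.0, 3000.0)]  # constructed BTS sites
DEVICE = (1200.0, 800.0)   # constructed true device position
T_EMIT = 0.010             # constructed emission time, seconds


def demo():
    exact = simulate_arrivals(STATIONS, DEVICE, T_EMIT)
    noisy = simulate_arrivals(STATIONS, DEVICE, T_EMIT, [50e-9, -30e-9, 80e-9, -60e-9])
    return {"toa": locate_toa(STATIONS, exact, T_EMIT),
            "tdoa": locate_tdoa(STATIONS, exact),
            "tdoa_noisy": locate_tdoa(STATIONS, noisy)}


if __name__ == "__main__":
    for name, pos in demo().items():
        print(f"{name:11s} -> ({pos[0]:8.1f}, {pos[1]:8.1f})  error {dist(pos, DEVICE):.1f} m")
```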
Determining the location of a mobile device can be important for assessing alibis of suspects or the whereabouts of victims in the past, and ongoing tracking of the location can be useful in cases of abduction, missing persons, and other ongoing criminal activities.
From the Case Files: Kidnapping
In March 2006, Tommaso Onofri was kidnapped from his room during a robbery, in front of his parents. After beginning as a mafia investigation, the real kidnappers were traced and accused as a result of localization of their telephones and the related logs. Unfortunately, the digital evidence did not succeed in tracing the victim, who was found as a result of the confession of those arrested. However, at least the information from the mobile network helped apprehend the culprits.
From a practical perspective, there are tools that perform these techniques and display the results for digital investigators. Some of the information transmitted by the NSP to a monitoring center is the position on the basis of cell and the IMSI code. This is extremely important information in that it makes it possible to track the people responsible for serious crimes as they move.
The cell base looks like a truncated cone on an updated map in the interception server. This is a fundamentally important piece of information because it allows the suspects' position to be displayed on a single screen, giving the police an overall view of the group, possible interactions among its members, and logistics and operations sites, albeit with a large margin of error on the order of 100 to 200 meters if the monitored device is in a city, and 500 meters if it is in open country or sparsely inhabited areas. This difference derives from the fact that the position is determined by triangulation of the BTS. In a city, the GSM stations are located at a spacing of one every 100 to 150 meters (since there is a higher density of mobile devices and greater network demand for simultaneous calls), whereas in less populated areas there are fewer calls and no need for such density of coverage. Obviously, in situations where accuracy on the order of five meters is required, other types of localization systems are used, such as discrete satellite locators. However, we are leaving the realm of classic telephone interception here.
An example of mobile device tracking is provided in Figure 10.2. In this particular case, the investigative console shows two different mobile devices tracked both in terms of position and movements over a given period of time. Depending on the mobile devices and the related software, as many as 20 mobile devices can be tracked at the same time using this type of investigative system.
If the user identity is unknown, one of the ways to capture the IMSI code is to use the mobile GSM Interceptor device. Using new and innovative software, the GSM Interceptor can identify the target registered on the international level. The GSM Interceptor device allows investigators to receive and process digital GSM signals by standing in for the local BTS and “fooling” the mobile devices. Furthermore, via a sophisticated system of radio frequency triangulation, it localizes the position of the intercepted mobile phone. The location is accomplished by triangulation of the position of the GSM target and the BTS cells in the zone. In urban areas where the GSM cells are more numerous, the precision can reach an error margin of ± 2 meters, whereas in rural areas it may be as wide as ± 250 meters.
The device is managed by Windows-based software and has a simple and intuitive user interface. The portable interceptor operates at the frequencies of 900MHz and 1800 to 1900MHz. It intercepts the conversation between two GSM users with the option of automatic or manual recording. The audio file is saved in standard formats that are compatible with WAV files.

Remote Activation of Electronic Devices

Once, organized crime just used old-fashioned weapons. Now, with a mobile device and an Internet connection many more crimes can be committed. From the massacres of the 1990s to the latest terrorist attacks, mobile devices have played a fundamental role in the organization of crimes. With a ring or an SMS containing a code it is possible to activate or deactivate an electronic device in any part of the world. This is why the ability to trace an SMS or even a simple ring signal is particularly important, along with the refinement of technology for capturing any signal or use, even if apparently innocuous, of mobile phones.
Unfortunately, organized criminal groups, having considerable financial resources, enjoy various advantages in terms of budget and decision-making speed in undertaking countermeasures to thwart the various investigation and law-enforcement bodies. They hire experts in technology as well as researchers who spend their days seeking out the latest solutions in terms of protection.
When criminal figures meet for business, they often protect their privacy by jamming signals in the area around their meeting place. This prevents mobile devices from linking to the BTS and thus connecting to the network, which in turn prevents investigators from connecting to the cell and getting an idea of the geographical location of the meeting. The jamming mechanism also temporarily interrupts the operation of mobile phones in the area that might represent a threat of interception.
A mobile device jamming system emits a signal to prevent the use of mobile phones within a certain radius. It emits a wide band radio signal at the same frequency range used for transmitting signals from the BTS to the mobile phones. This signal prevents the mobile device from decoding the network signal and thus causes the mobile device to disconnect from the network.
The transmission power can be regulated depending on need. Some of the technical specifications are listed in Table 10.2.
Table 10.2 Technical Specification for Jamming Device
Transmission
| Transmission power | up to 30W |
| --- | --- |
| Signal source | PLL synthesized |
| Input power | 110/220VAC or 12/24VDC regulated |
| Modules per unit | single/dual/triple band |
| Remote control | infrared |
| Internal antenna | internal directional antenna(s), 8dBi gain |
| External antenna (opt.) | via N-Type connectors |

Cellular Systems
| Frequency bands | 851/869 – 894MHz; 925/935 – 960MHz; 1805 – 1880MHz; 1930 – 1990MHz; 2110 – 2170MHz |
| --- | --- |
| Air interface standards | Analog: AMPS, N-AMPS, NMT, TACS; Digital: GSM, CDMA, TDMA, iDEM, UMTS |

Usage Logs/Billing Records

The logs maintained by an NSP can help digital investigators determine past usage of a mobile device, as well as communications between individuals. These logs are generated from Call Detail Records (CDR) maintained for billing purposes. The data in the resulting logs that are commonly provided to investigators are summarized here:
▪ Telephone number of user
▪ Numbers called
▪ IMEI number of mobile device
▪ Information about the cell: provides information about the location of the calling phone on the basis of the BTS where the connection was made
▪ SMS sent: excluding the text, which is available only via decoding using a telephone signal interception system (discussed later in this chapter)
▪ Date, time, and duration of calls
Depending on the equipment used, the logs generated on a particular mobile network may include a variety of other details. To give digital investigators a better sense of what details these logs can contain, a generic example of a CDR from a GSM MSC is shown in Table 10.3.
Table 10.3 Excerpts from a Generic CDR Collected from a GSM MSC (Gibbs and Clark, 2001)
Example: Mobile originated call (MOC)
CDR HEADER
CALL REFERENCE
NUMBER OF SUPPLEMENTARY SERVICE RECORDS
CALLING IMSI
CALLING IMEI
CALLING NUMBER
CALLING CATEGORY
CALLED IMSI
CALLED IMEI
CALLED NUMBER
DIALED DIGITS
CALLING SUBSCRIBER FIRST LOCATION AREA CODE
CALLING SUBSCRIBER FIRST CELL ID
CALLING SUBSCRIBER LAST LOCATION AREA CODE
CALLING SUBSCRIBER LAST CELL ID
OUT CIRCUIT GROUP
OUT CIRCUIT
BASIC SERVICE TYPE
CHARGING START TIME
CHARGING END TIME
CAUSE FOR TERMINATION
ORIGINATING CALL CHARGE TYPE
ORIGINATING CALL TARIFF CLASS
CONNECTED TO NUMBER
CHARGE NUMBER
CHARGE NATURE
CARRIER SELECTION
SPEECH VERSION
INTERMEDIATE CHARGE CAUSE
CLOSED USER GROUP INFORMATION
The Oracle Communications Services Gatekeeper is used by many NSPs worldwide for service delivery platform (SDP) infrastructure in a controlled, optimized, and automated way. The data in Table 10.4 provide an example of the CDR information that is maintained by such a system.
Table 10.4 CDR Data Stored in Oracle Communications Services Gatekeeper (http://download.oracle.com/docs/cd/E14148_01/wlcp/ocsg41_otn/tpref/edrcommon.html)
| Element | Represents |
| --- | --- |
| transaction_id | The Oracle Communications Services Gatekeeper transaction sequence number |
| service_name | The communication service whose use is being tracked |
| service_provider | The Service Provider ID |
| application_id | The Application ID |
| application_instance_id | The username of the Application Account; this is a string that is equivalent to the 2.2 value: Application Instance Group ID |
| container_transaction_id | The transaction ID from WebLogic Server, if available; this identifies the thread on which the request is executed |
| server_name | The name of the server in which the CDR was generated |
| Timestamp | The time at which the event was triggered (in milliseconds from midnight 1 January 1970) |
| service_correlation_ID | An identifier that allows the usage of multiple service types to be correlated into a single charging unit |
| charging_session_id | An ID correlating related transactions within a service capability module that belong to one charging session; for example, a call containing three call legs will produce three separate transactions within the same session |
| start_of_usage | The date and time the request began to use the services of the underlying network |
| connect_time | The date and time the destination party responded. Used for Call Control traffic only |
| end_of_usage | The date and time the request stopped using the services of the underlying network |
| duration_of_usage | The total time the request used the services of the underlying network |
| amount_of_usage | The used amount; used when charging is not time dependent, for example, as in flat-rate services |
| originating_party | The originating party's address |
| destination_party | The destination party's address; this is the first address in the case of send lists, with all additional addresses placed in the additional_info field |
| charging_info | A service code added by the application or by policy service |
| additional_info | If the communication service supports send lists, all destination addresses other than the first, under the key destination party; in addition any other information provided by the communication service |
Many external operators, including police units, have direct access to mobile network usage data via the Oracle Communications Services Gatekeeper solution, which is based on information technology, web and telecommunications industry standards such as Java Platform, Enterprise Edition (Java EE), web services, Session Initiation Protocol (SIP), IP Multimedia Subsystems (IMS), Simple Object Access Protocol (SOAP) and Representational State Transfer (REST). Investigators will find this data interesting for their activity.
Up to a few years ago, the analysis of usage logs was performed manually, reviewing the various elements present in the documentation sent by the NSP. Now this all happens in an almost completely automatic way using sophisticated software that can project all interrelations among a group of users and display the results on special maps. For example, these analysis tools could quickly show that mobile device number 330123456 called the number 331654321 a total of 23 times, of which 20 times were at the same time and from the same point (with a maximum error of 150 meters in an urban center). Using location data, digital investigators could then determine that another person of interest with the phone number 323555555 was also located in the same neighborhood one year ago. This type of linkage analysis can be very powerful in any investigation involving mobile devices.
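An added example of the linkage analysis just described, written for this chapter rather than taken from the authors or any investigative product: a small link analysis over constructed CDRs whose fields follow the generic MSC record of Table 10.3 (IMSI and IMEI values are placeholders). It counts who called whom, finds the dominant originating cell for a pair of numbers, lists numbers seen in the same cell within a time window, and flags a handset (IMEI) used with more than one subscriber number.

```python
"""Link analysis over Call Detail Records (CDRs).

Added illustration for this chapter. The records below are constructed;
field names follow the generic GSM MSC CDR of Table 10.3, and the IMSI/IMEI
values are placeholders rather than real identifiers.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SAMPLE_CDRS = """\
CALL_REFERENCE;CALLING_IMSI;CALLING_IMEI;CALLING_NUMBER;CALLED_NUMBER;FIRST_LAC;FIRST_CELL_ID;CHARGING_START;CHARGING_END;CAUSE_FOR_TERMINATION
1001;IMSI_A;IMEI_X;330123456;331654321;12;4711;2008-03-10T09:00:00;2008-03-10T09:04:10;NORMAL
1002;IMSI_A;IMEI_X;330123456;331654321;12;4711;2008-03-11T09:02:00;2008-03-11T09:03:00;NORMAL
1003;IMSI_A;IMEI_X;330123456;331654321;12;4711;2008-03-12T09:05:00;2008-03-12T09:06:30;NORMAL
1004;IMSI_A;IMEI_X;330123456;331654321;13;9001;2008-03-12T18:30:00;2008-03-12T18:31:00;NORMAL
1005;IMSI_B;IMEI_Y;331654321;330123456;12;4720;2008-03-12T09:20:00;2008-03-12T09:21:00;NORMAL
1006;IMSI_C;IMEI_Z;323555555;339000000;12;4711;2008-03-10T09:10:00;2008-03-10T09:12:00;NORMAL
1007;IMSI_C;IMEI_Z;323555555;331654321;13;9001;2008-03-13T10:00:00;2008-03-13T10:00:30;NORMAL
1008;IMSI_D;IMEI_X;339000000;331654321;12;4711;2008-03-14T11:00:00;2008-03-14T11:02:00;NORMAL
"""


def parse_cdrs(text):
    """Parse ';'-separated CDR lines (first line is the header) into dicts with parsed times."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split(";")
    records = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(";")))
        rec["start"] = datetime.fromisoformat(rec["CHARGING_START"])
        rec["end"] = datetime.fromisoformat(rec["CHARGING_END"])
        rec["duration_s"] = int((rec["end"] - rec["start"]).total_seconds())
        records.append(rec)
    return records


def contact_counts(cdrs):
    """Directed call counts: how many times each caller rang each callee."""
    return Counter((r["CALLING_NUMBER"], r["CALLED_NUMBER"]) for r in cdrs)


def dominant_cell(cdrs, caller, callee):
    """Most frequent originating cell for caller->callee calls: (cell_id, n_from_cell, n_total)."""
    cells = Counter(r["FIRST_CELL_ID"] for r in cdrs
                    if r["CALLING_NUMBER"] == caller and r["CALLED_NUMBER"] == callee)
    if not cells:
        return None
    cell, n = cells.most_common(1)[0]
    return cell, n, sum(cells.values())


def co_located(cdrs, cell_id, at, window=timedelta(minutes=15)):
    """Numbers that originated a call from cell_id within +/- window of the instant `at`."""
    return {r["CALLING_NUMBER"] for r in cdrs
            if r["FIRST_CELL_ID"] == cell_id and abs(r["start"] - at) <= window}


def shared_handsets(cdrs):
    """IMEIs seen with more than one calling number (same handset, different SIM/account)."""
    by_imei = defaultdict(set)
    for r in cdrs:
        by_imei[r["CALLING_IMEI"]].add(r["CALLING_NUMBER"])
    return {imei: nums for imei, nums in by_imei.items() if len(nums) > 1}


def total_airtime(cdrs, number):
    """Seconds of charged call time in which `number` was caller or callee."""
    return sum(r["duration_s"] for r in cdrs
               if number in (r["CALLING_NUMBER"], r["CALLED_NUMBER"]))


if __name__ == "__main__":
    cdrs = parse_cdrs(SAMPLE_CDRS)
    for (a, b), n in contact_counts(cdrs).most_common():
        print(f"{a} -> {b}: {n} call(s), dominant cell {dominant_cell(cdrs, a, b)}")
    print("seen in cell 4711 around 2008-03-10 09:00:",
          sorted(co_located(cdrs, "4711", datetime(2008, 3, 10, 9, 0))))
    print("handsets used with several numbers:", shared_handsets(cdrs))
```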

Text/Multimedia Messages

A common use of mobile devices is to send messages in text or multimedia format. The Short Message Service (SMS) communication service, which has been in use for some fifteen years, allows transmission of a limited number of text characters using the telephony channel. The advantages of the service include the possibility of transmitting messages even in areas of very low GSM signal coverage, where a voice call would be disturbed or fail due to insufficient signal strength, and even when the voice channel is being used for a conversation. SMS messages are intercepted using the same systems as used for intercepting voice calls. These systems not only record the telephone numbers of the originator and the recipient, but also the entire text of the message. On some networks, the SMS messages are archived for extended periods.
From the Case Files
Although network service providers generally only store text messages for weeks to ensure proper delivery, the case of the former mayor of Detroit demonstrates that some services archive text messages indefinitely. Kilpatrick resigned as part of a plea agreement in the perjury case against him that relied heavily on tens of thousands of text messages between him and his chief of staff that were archived by Skytel's SkyWriter service that Detroit City had selected for official business mobile devices (Linebaugh, 2008).
The Multimedia Message Service (MMS) is a more evolved form of SMS, where it is possible to attach other multimedia content to a classic text message, such as an audio, video, or photo file. Current interception systems also capture the multimedia content, saving it to a special folder for display or listening.
Although these forms of communication can be important to an investigation, they are retained on the core network only for a limited time. Therefore, it is more effective to capture them in transit during an investigation, as detailed in the next section. The structure of intercepted SMS/MMS is easy to understand. Generally, intercepted SMS content is presented with the sender, receiver, time and date, and content (text). Some interception platforms are also able to provide the location of the mobile devices. For MMS, the intercepted graphical content is presented as well. In an investigation involving mobile devices, this kind of intercepted information is usually correlated with the contents of the mobile devices collected during the investigation.

Intercepted Data

Some investigations of mobile networks require the interception of data, including SMS, MMS, and voice signals. Interception is defined as the capture of transiting information, which may be part of a conversation or some other form of communication, by a covert third party using mechanical or electronic means and without the awareness of the parties engaged in a supposedly private exchange.
The term interception frequently connotes and is perceived as an infringement on personal liberty, a vulnus to privacy. Interceptions are permitted by law in some cases, but there are many limits designed to protect the rights of the individual. Abuses such as those recently in the European news, where there was serious and widespread misuse of the information in one EU country, may have significant negative impacts on the private sphere of a suspect, and perhaps violate specific codes of secrecy proper to certain activities, relations, or professions. Although Italy is not the only country where such episodes occur, the recent case of the top Italian telephone carrier, Telecom Italia, demonstrates the privacy risks associated with interception. Flaws in its legitimate interception system, called Radar, allowed individuals within the organization to perform unauthorized surveillance without anyone knowing (Edri, 2006). Extensive evidence of misuse was apparently found on the computers of several key employees.
From the Case File: Athens Affair
In 2005, it was discovered that someone had compromised a BSC/MSC system on the Vodafone Greece network, and had been intercepting communications of the Greek prime minister and many other political figures for many months. The malicious eavesdroppers had altered the legitimate interception software used for performing authorized wiretaps, called remote-control equipment subsystem (RES), that was running on an Ericsson AXE system Vodafone used as a BSC and MSC. Investigators were ultimately unable to determine who was responsible (Prevelakis & Spinellis, 2007).
There are different methods, techniques, and positions of interception depending on the case, the country, or the purpose. The interception of electronic or telematic communications represents a particular case. In some nations, for example, the judicial authorities may also authorize operations carried out using privately owned devices and/or systems. The involvement of private concerns opens up the possibility of nonstandard implementations, which hardly simplifies matters. In telematic communications, for example, there are additional and more specific areas of criticality than in “traditional” telephone conversations, in that a factor apparently external to the communication (e.g., a web page or destination IP address) often identifies or reveals the content of the communication. It may be possible, therefore, not only to reconstruct personal and social relations, but also to support conclusions regarding the political orientation, ideological convictions, or habits of the interceptees.

Where to Seek Data for Investigations

An investigator working with mobile networks has to find pertinent information not only directly from the networks within his or her purview, but also from third parties. This is why the various NSPs have to be able to provide this information. Thus there exists an additional service provider that is obliged to retain traffic data. This provider makes electronic communications services available to the public on public communications networks. This is an extremely important distinction to understand, since the investigator may not always know where to look for these data.
In certain states, for example, the following are not included in the commonly accepted concept of service provider:
▪ Subjects offering electronic communications services directly to limited groups of people (e.g., public or private subjects that allow only their employees or collaborators to communicate using the subjects' telephone or telematic services). These services, while falling within the general definition of “electronic communications services,” cannot be considered publicly available. However, when the communication is with a user outside of the private network, the traffic data generated for that communication are subject to retention.
▪ Subjects who, while offering publicly available electronic communications services, do not directly generate or process the related traffic data.
▪ Owners or managers of public enterprises or private associations of any type whose sole purpose is providing the public, their customers, or their partners with terminals that can be used for communications, telematic or otherwise. An example of this is an Internet access point using wireless technology; excluded are public pay telephones enabled exclusively for voice telephony.
▪ Administrators of search engines. The telematic traffic data processed by these administrators, allowing easy traceability of operations performed by the user on the network, may in any case be qualified as “content.” The concept of content is a hotly debated theme and much depends on the national context. In the United States, for example, these data have to be rendered available, whereas certain countries in Europe, especially in the more conservative states, are far from affirming this principle.
Practitioner's Tip: Requesting Data from NSPs
Digital investigators with proper legal authorization may request information from NSPs using dedicated software on a shared platform, specifying the Request Type and Service Type. In some situations, information can be obtained by authorities with dedicated user accounts and passwords that enable them to connect to the NSP's system directly and use special search software. Requests can be for localization information, historic usage logs, and complete traffic interception. The request may focus on a particular telephone number, equipment identifier (e.g., IMEI), or subscriber identifier (e.g., IMSI). When requesting traffic data, digital investigators can also specify a particular base station or geographical area (address, municipality, etc.) as indicated on the warrant. In such a case, the NSP must determine which base stations cover the geographical area in question and provide traffic data from each of them. It is also possible to define, per the warrant, the type of calls to investigate (e.g., incoming and/or outgoing), as well as whether digital investigators require additional personal information, such as subscriber details, about the users appearing in the investigated traffic data report.
In all cases, the request must contain the report and interception register number (RTAB or RINT), must specify the start date for authorized gathering of data as specified in the warrant (including the end date when applicable), and must state whether the number to monitor is a national account or originated with a foreign NSP offering roaming capabilities. In addition, the request should contain contact information for the digital investigators, including a telephone number and/or e-mail address to which messages containing localization data can be sent.

Traffic Data that Generally Must be Retained

The obligation to retain data covers telephony traffic data, including unanswered calls, and data regarding telematic traffic, excluding in any case the content of the communications. In particular, the obligation of retention extends to data that the NSPs process in order to transmit the communication and for billing purposes. Thus, the NSPs have to retain, for the exclusive purposes of detecting and prosecuting crime, only the traffic data that derive from technical operations serving the purposes of providing services and billing for them.
Licit purposes
A limitation stating that the data retained by law may be used exclusively for the investigation, detection, and prosecution of specified crimes is in force in many countries. It imposes precise obligations for NSPs in the event that they receive requests serving other purposes. For example, the NSPs must not comply with requests for data if such requests are made within the context of civil, administrative, or financial litigation.

How Data May Be Acquired

Various laws have been enacted to define how traffic data retained by NSPs may be acquired. Therefore, it is essential for investigators to be familiar with the legislation in force in the country or jurisdiction in which they are operating. In certain countries, for example, the defendant's counsel or suspect's lawyer has the right to request directly from the NSP only those traffic data that refer to the “accounts registered in the name of the client.”
In other countries, on the other hand, there are authorities specifically assigned by law to identify measures for guaranteeing the rights of the parties involved in questions of telephone and telematic traffic data retention for the purposes of detecting, investigating, and prosecuting crime. Precisely for this reason, anyone accessing or processing these data must adhere to certain principles:
▪ The legislated requirement to provide specific safeguards regarding the type and quantity of data to protect and the risks correlated with said protection. Providers are already required to prevent said risks by upholding common security obligations that go beyond merely the minimum measures required by law or regulation. These risks are then assumed by those who receive the data.
▪ The advisability of identifying, given the current situation, protective measures to be implemented in the processing of data by all providers so that the integrity of said data can be verified in an inspection (and admissible in dealings with the suspect or defendant's counsel) to ensure more effective security for telephone and telematic traffic data.
▪ The need to keep in mind the costs deriving from the implementation of the measures in the various countries or jurisdictions, also regarding the different technical and financial capacities of the parties involved.
▪ The transnational legislative context, especially in light of the opinions expressed by the various groups working to protect personal privacy.
▪ The technological state of the art, meaning that the various measures have to be periodically updated.
These are important matters with which to be familiar, especially in the field of cross-border investigations and litigation.

European Legislation

Although US legislation has been discussed many times in a variety of legal publications, the increase in cross-border litigation and investigations obliges us to be familiar with what goes on in the Old World as well.
European Directive 2002/58/EC, on privacy and electronic communications, obliges EU Member States to protect the privacy of electronic communications and prohibits the retention of traffic data generated during the communication, with the exception of what is expressly authorized for the purposes indicated in the Directive.
The Directive regards the processing of personal data in connection with the provision of publicly available electronic communications services on public communications networks in the Community (Art. 3). Traffic data are defined here as “any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof” (Cf. Article 2 and Premise 15 of Directive 2002/58/EC).
In obliging EU Member States to enact national laws to ensure the confidentiality of communications over a public communications network and publicly available electronic communications services, the Directive places the accent on traffic data generated by the same services (Art. 5). These data, processed and/or stored by the NSP for the public network or the public electronic communication service, must be deleted or rendered anonymous when they are no longer necessary for the purposes of transmission of communications, with only certain specific exceptions (Art. 6, Par. 2, 3 and 5, and Art. 15, Par. 1; see Opinion no. 1/2003 on the storage of traffic data for billing purposes adopted on January 29, 2003 by the Working Party on the Protection of Individuals with regard to the Processing of Personal Data).
Article 15, Paragraph 1 of the Directive allows Member States to “adopt legislative measures to restrict the scope of the rights and obligations provided for in Article 5, Article 6, Article 8(1), (2), (3) and (4), and Article 9 of this Directive when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defense, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorized use of the electronic communication system.” To this end, the Member States may, among other options, adopt legislative measures that provide for data being retained for a limited period of time.

Another EU Regulation: Directive 2006/24/EC

European Directive 2006/24/EC was drawn up by the European Parliament and Council on 15 March 2006 with the goal of harmonizing the regulations and legislative measures of the Member States regarding retention of traffic data for the purposes of investigation, detection, and prosecution of serious crime. The Directive was to be transposed into national law no later than 15 September 2007.
The Directive contains specific indications on the result agreed at the Community level regarding both traffic data retention time limits (from a minimum of six months to a maximum of two years) and the appropriate and uniform specification of the “categories of data to be retained” (listed in Article 5) in relation to the specified services: fixed network telephony, mobile telephony, Internet access, Internet e-mail, and Internet telephony.
This necessitates specifying the field of application of the various measures regarding the obligation to retain data.

Interception of Digital Evidence on Mobile Networks

The remainder of this chapter delves into the complex world of traffic interception in mobile networks investigations, starting with privacy implications, progressing into the technical details, and concluding with related legal framework.

Privacy and Mobile Network Interception

In general, the freedom and confidentiality of personal communications are inviolable rights that can be compromised only if authorized by judicial authorities and with all the guarantees provided by law. In enacting laws in this regard, the legal systems in different countries or jurisdictions are rushing to dictate a series of limitations regarding the admissibility of interceptions:
▪ Interceptions are allowable only in cases involving certain specific crimes.
▪ Interceptions must be authorized.
These requirements are softened somewhat, as may be obviously desirable, in investigations regarding organized crime or international terrorism. In responding to what may be considered society's greatest ills, the possibility is granted to intercept telephone and electronic communications with the sole aim of preventing the commission of certain types of crimes. These are known as preventive interceptions and are considered constitutionally illegitimate in much of legal doctrine. In any case, depending on the legal system from which we operate our investigation, information acquired during preventive interceptions cannot be admitted in court as evidence or kept as such, cannot be cited in investigation documents, and cannot be made public.
Because interception can expose the most private types of information on a mobile network, in certain countries the regulatory authorities have required higher security levels for information exchange between the Monitoring Center (MC) and the Judicial Authorities (JA). These security measures generally include:
▪ Operator authentication systems for access to data
▪ Immediate deletion of data after they are transmitted to the JA
▪ Encryption of data while in MC databases
▪ Technologically secure channels for data transmission
▪ Limited selection of operators authorized to process sensitive data
▪ Separation between accounting data and those produced per JA request
The goals of this combination of technical controls, operational oversight, and auditing are to reduce the risk of abuse and increase the chance that any misuse will be detected quickly. The next sections describe a number of shared features of the various laws and regulations in force at the international level.

Authentication Systems

Processing of telephone and telematic traffic data by NSPs must be allowed only by authorized persons who are granted access by means of specific IT-based authentication systems using strong authentication techniques, consisting of the simultaneous use of at least two different authentication technologies, regardless of whether access to data for processing purposes is gained locally or remotely. As a corollary, access must be prevented unless the person has met the requirements of such an IT-based authentication system.
Regarding traffic data retained for the exclusive purpose of detecting, investigating, and prosecuting crime (i.e., those existing for more than six months postgeneration, or all data processed for this purpose if they have been stored, from the moment they are generated, separately from data processed for other purposes), one of these authentication technologies must be based on biometric characterization of the person in question, so as to ensure the physical presence of this person at the workstation used for the processing of the data.
Such methods of authentication must also be applied to all technical personnel (system, network or database administrators) who may have access to the traffic data stored in the NSP's databases.
Regarding authorization systems, specific procedures must be implemented to guarantee the strict separation of technical functions for assigning authentication credentials and identifying authorization profiles from those for the technical management and operation of the systems and databases. These different functions cannot be assigned to the same person at the same time.

Separate Data Storage

Traffic data retained for the exclusive purpose of detecting, investigating, and prosecuting crime must necessarily be processed using information systems that are physically distinct from those used to process or store traffic data for other purposes. This refers to both processing devices and storage devices.
More specifically, the information systems used to process traffic data retained for the exclusive purposes of law enforcement must be different from those used for other company functions such as billing, marketing, fraud prevention, and so on, and also must be protected against the threat of intrusion by means of appropriate perimeter protection devices and tools that protect the communications network and the storage resources involved in the processing.
Traffic data retained for six months or less from their generation (which is often greater than the average limit established by law in the various countries), on the other hand, may be processed for the purposes of law enforcement either by using the same processing and storage systems used for general data processing, or by duplicating said data and storing them separately from the traffic data processed for “ordinary” purposes, so that they can be processed using systems specifically dedicated to this type of processing.
This prescription leaves NSPs the faculty of choosing, on the basis of their specific organizational model and technological endowment, the most appropriate IT architecture to use for the obligatory retention of traffic data and for all other company purposes. It permits, in fact, that the traffic data retained for up to six months from their generation can be processed, for purposes of law enforcement, with information systems that are not exclusively reserved for that type of processing; or else, that the data may be duplicated for processing using distinct systems dedicated exclusively to purposes of law enforcement. This is a very important point in that both the investigators and the defense counsel may request and obtain information from various points on the network of NSPs.
Regarding chain of custody, keep in mind that the laws in force affirm the principle whereby information systems used to process traffic data for the exclusive purpose of law enforcement must be located within restricted access areas (i.e., reserved exclusively to specifically authorized personnel for the performance of specifically assigned tasks) and outfitted with electronic control devices or security procedures that involve the registration of identification data for all persons admitted, including the times and dates of access.

Deletion of Data

This is important for the investigation timeline. In many countries, at the expiration of the terms provided for by the regulations in force, the traffic data are rendered unavailable for processing or consultation. They are deleted or otherwise rendered anonymous without delay (within a technically feasible timeframe) in the databases, processing systems, and in systems and media used to create backup or disaster recovery copies, even if these copies have been created by the provider as required by law or regulation. These deletion or anonymization operations must be documented within 30 days at the latest from the expiration as provided by law. This is a rule applied particularly in certain European countries.

Forensic Considerations

As with any form of digital evidence, and particularly when dealing with complex interception systems, it is important to maintain information that supports the chain of custody and data integrity of the acquired data.

Audit Logs

Information technology measures must be implemented that are appropriate for ensuring oversight of operations performed on traffic data by each person who processes them, regardless of the qualification, competencies, or sector of operations of this person or purpose of said processing. The oversight must be effective and produce detailed records or logs, even for the processing of single data elements located in the different databases used.
These measures entail the recording in a special audit log of all operations performed, directly or indirectly, on the traffic data or on other personal information related to them. This is true regardless of whether the data derive from system-user interaction or are generated automatically by computer programs.
The audit log systems must ensure the completeness, inalterability, and authenticity of the records contained in them, with reference to all processing operations and all events relating to information security and subjected to the auditing process. To this end, data storage systems recording data onto nonalterable (i.e., read-only) media must be used for the conservation of auditing data. This may be done in a centralized way for each processing system or datacenter. Before being written, the data or groups of data have to be subjected to procedures based on the use of cryptographic technologies to attest to their integrity (e.g., generation of hash values).
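One way to implement the integrity requirement just described, as an added example that is not part of the chapter or of any NSP's system: each audit record carries a keyed digest (HMAC-SHA256) of its predecessor, so altering, inserting or removing a record inside the chain breaks every later digest, and the final digest is the value to copy to nonalterable media so that truncation of the tail can also be detected. The record fields, operator identifiers, record identifiers and the key are constructed assumptions.

```python
"""Hash-chained, keyed audit log for operations on retained traffic data.
Each record carries the MAC of its predecessor, so any alteration, insertion or
removal inside the chain changes every later MAC; the last MAC is the value to
write to read-only media as an anchor. Added example; the record fields, operator
ids and the key are constructed, not taken from any NSP system."""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # predecessor value of the first record


def _mac(key, entry):
    """Keyed digest over the canonical JSON of a record (without its own 'mac')."""
    body = {k: v for k, v in entry.items() if k != "mac"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class AuditLog:
    def __init__(self, key):
        self._key = key
        self.entries = []

    def append(self, at, operator, operation, record_id, source="operator"):
        """Record one operation on traffic data. `source` distinguishes
        interactive user actions from those generated by programs."""
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "at": at, "operator": operator,
                 "operation": operation, "record": record_id,
                 "source": source, "prev": prev}
        entry["mac"] = _mac(self._key, entry)
        self.entries.append(entry)
        return entry["mac"]

    def anchor(self):
        """Value to copy to nonalterable media after each batch of records."""
        return self.entries[-1]["mac"] if self.entries else GENESIS


def verify_chain(entries, key):
    """Walk the chain. Returns (True, n) if all n records are consistent, or
    (False, i) with the index of the first record that breaks the chain."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.get("seq") != i or e.get("prev") != prev:
            return (False, i)
        if not hmac.compare_digest(_mac(key, e), e.get("mac", "")):
            return (False, i)
        prev = e["mac"]
    return (True, len(entries))


def matches_anchor(entries, anchor):
    """Truncation at the tail leaves a valid chain; only the externally stored
    anchor reveals it."""
    last = entries[-1]["mac"] if entries else GENESIS
    return hmac.compare_digest(last, anchor)


def build_sample_log(key=b"constructed-audit-key"):
    """Three constructed operations: an interactive query, a program-driven
    export, and a deletion at the end of the retention term."""
    log = AuditLog(key)
    log.append("2008-03-10T09:00:00Z", "op17", "query", "cdr:330123456:2008-03")
    log.append("2008-03-10T09:01:30Z", "export-job", "export",
               "cdr:330123456:2008-03", source="program")
    log.append("2008-03-10T09:05:00Z", "op42", "delete", "cdr:323555555:2007-01")
    return log


if __name__ == "__main__":
    key = b"constructed-audit-key"
    log = build_sample_log(key)
    print("intact:", verify_chain(log.entries, key))
    tampered = [dict(e) for e in log.entries]
    tampered[1]["operator"] = "op99"  # retroactive change of who ran the export
    print("after edit:", verify_chain(tampered, key))
    print("tail removed, anchor check:", matches_anchor(log.entries[:2], log.anchor()))
```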

Information System Documentation

The information system used for processing traffic data must be accompanied by appropriate documentation adhering to accepted principles of software engineering. Documents that do not meet broadly accepted standards of description are not acceptable.
The description has to include, for each system, the logical and functional architecture, the overall architecture and the structure of the systems used for data processing, the input/output flow of the traffic data from/to other systems, the architecture of the communications network, and indications of the subjects or classes of subjects having legitimate access to the system.
The documentation must be accompanied by system and application diagrams, which must illustrate the exact position of the systems where data are processed for the purposes of detection, investigation, and prosecution of crime.
The technical documentation must be updated and made available to the authorities when and if requested, together with detailed information on subjects having legitimate access to the systems for the processing of traffic data.

Encryption and Data Protection

Traffic data processed exclusively for purposes of law enforcement must be protected using cryptographic techniques, particularly against risk of fortuitous acquisition risks or accidental alteration during maintenance operations on information apparatuses or ordinary system administration operations. In particular, measures must be adopted to ensure that the information residing in the databases and used by processing systems is unintelligible to those lacking the proper access credentials or authorization profiles. This is done by using forms of encryption or obfuscation of portions of the database or indices or by other technical measures based on cryptographic technologies.

Evolution of Interception on Mobile Networks

The earliest telephone interception systems comprised a briefcase-sized device known as a multicell, which was fairly expensive, on the order of $15,000. It consisted of a high-powered transceiver with an analog C7-format local recorder. This system permitted the user to monitor a mobile phone, obtain its telephone number, and eavesdrop on the conversation. It essentially replaced the local phone tower by broadcasting at higher power.
The advent of GSM ushered in a period in which interception systems, not yet updated to the new protocols and still using the old technology, were rendered ineffective, thus leaving criminals completely undisturbed in their telephone communications.
Similarly, with the emergence of H3G in Europe, in spite of the fact that it had been in use in the east for some time, there was another technological gap regarding interception technology. The new protocols had to be released by H3G before the private companies that produce interception systems could begin the process of updating their servers and testing out their telephone interception systems. So here as well, the more advanced segments of the criminal world were well aware of this temporary advantage and did not hesitate to exploit its potentials. Nowadays, any multimedia content for a telephone can be intercepted, from video to audio, but investigative systems will always lag technological advances.

How Telephone Interception Works

This section provides detailed information on how telephone (and telematic) interception works. Protocols naturally change from country to country, but they all share some common features. It is important to be familiar with this information since there is much discussion in the legal arena about the methods used to acquire evidence.
It bears mentioning at the outset that each NSP has an office that handles all requests for interception for the purposes of investigation.
The NSP never gains knowledge of the contents of the tapped telephone calls. Its role is limited to duplicating a suspect's communication line and deviating it to a Telephone Interception Center (TIC) specified in a warrant by the Judicial Authorities (JA). The tapped line is then handled by means of equipment provided by the telephone company or by a private company authorized by the JA. These companies are specialized in telephone interception systems, which we will talk about later. The subject handling the intercepted line will be referred to as a Monitoring Center (MC).
The MCs gather and process a large amount of data on the suspects and third parties with whom the suspects communicate, including the identity of the intercepted subject, and telephone traffic data such as numbers called, date, time and duration of the conversation. Other collected data include calls received, attempted calls, SMS texts, MMS contents, and the geographical location of the intercepted subject.
The MC may also provide personal information, service logs and past traffic records for the suspect, and suspend service for a particular subscriber or device if necessary.

Anatomy of an Interception System

Mobile network interception systems are powerful systems with database backends that provide digital investigators with flexible access to captured content. These systems enable digital investigators to eavesdrop on conversations directly, watch video calls, review and print G3 and Super G3 faxes (with zoom and rotation), and display localization details. Telematic information like e-mail and Internet chat can also be monitored.
Intercepted calls of a specific target can be duplicated in real time, sending the conversation to a mobile phone used by digital investigators to eavesdrop on conversations. Digital investigators can also receive an SMS notification of call intercept of a specific target, and the SMS may be customized to include the caller location.
In addition to real-time monitoring, digital investigators can search through previously recorded traffic. For instance, digital investigators can obtain a list of recordings using multiple search filters like the telephone number (whole or partial), warrant number, originator/recipient, user/interlocutor, account owners, date and time, duration, draft or final transcription keyword, and geographic location.
A typical interception system is composed of a server and peripheral units known as clients, which display data and carry out subsequent processing steps (eavesdropping and transcription). The interception server is connected by fixed line to the network operator, which passes information between the MC's system and the TIC. The server may be the size of a desktop computer for installation at a single police station or the size of a cabinet for multiline interception systems installed at large law enforcement facilities, as shown in Figure 10.3. A server may handle up to 500 lines simultaneously and runs sophisticated antivirus systems.
Figure 10.3 Interception system (hardware).
The system is modular and thus custom installations are possible to provide a broad range of interception capabilities, including:
▪ Supported interception interfaces: Analog, E1, T1, PRI, SS7, CAS, POS STM-16/64, ATM, GPRS, UMTS, TIIT, and ETSI HI-1, 2, 3 interfaces
▪ Nonintrusive TE and high impedance interfaces: ETSI, CALEA, and HI 1, 2, 3
▪ Simultaneous support of multiple interception taps
▪ Multiswitching/producer support
▪ Monitoring of tap system
▪ Encrypted transmission of interceptions
The Monitoring Center processes are subdivided into separate software modules. These modules can all be installed on a single server, distributed across several servers, given one dedicated server each, or replicated so that several servers run the same module. The distribution of the software modules depends on the simultaneous interception capacity needed and on the level of resilience desired to keep the system fully functional in the event of a breakdown in any of its components.
As an example of a Monitoring Center, the monitoring system shown in Figure 10.4 runs on a Windows server operating system and has the following features:
Figure 10.4
A sample screenshot of the monitoring console.
▪ SQL professional database backend
▪ Up to 100 voice channels per server (depending on the configuration)
▪ Connection between central database and multiple servers
▪ Remote operation of telecommunications servers and centralization of the database
▪ Remote eavesdropping stations
▪ Mobile eavesdropping stations via UMTS (currently under development)
▪ No limit to simultaneous targets
▪ Target activation via telephone number, IMSI, IMEI, MSISDN, IP address, or e-mail address
▪ Voice, fax, and SMS decoding
▪ Decoding of audio-video for UMTS video calls
▪ VoIP decoding
▪ Decoding of HTTP, POP3, SMTP, FTP, Chat, Skype, Peer-to-peer (E-Mule), and others
▪ Taps on RADIUS, DHCP, and other protocols
▪ Eavesdropping in real time
▪ Map location and tracing
▪ External deviation of intercepted calls
▪ Teleconferencing option
▪ Decoding of TIM, Vodafone, H3G, “Telecom”, “Infostrada”, Wind, Cable and Wireless, Wind Internazionale, Teleconomy Internazionale, and other carrier protocols
▪ Total compatibility with future ETSI protocols already in operation
▪ Voice library containing fragments of recordings of recognized voices
▪ Specification of language of intercepted conversation, used also as filtering criterion
▪ Automatic archiving of interceptions
▪ Full backup on DLT tape for security and disaster recovery
▪ Multilingual operator interface
The system is able to simultaneously acquire voice, traffic, location, SMS, and fax data for all national and international landline and mobile telephone operators. The data may be stored in a single central database or in a distributed database with controlled access and credentials that can be configured for individual investigators or teams of investigators.
Additional features that may be available in interception systems include:
Interception Optimization: IMEI number interception optimization on a single channel for movement from cell to cell (roaming); optimization of interception of international calls on a single channel even in the event of multiple telephone service providers.
Review Tools: Automatic decoding and association of received logs and SMS. Transcription, summary, and note editor with graphic display of audio, and audio filters for equalization and removal of background noise, voice speed control, loop functions, fast forward, and rewind with complete keyboard and mouse control. Dedicated software for standalone review of data on storage media.
Voice Recognition: Central database for storage of recognized voices complete with sample recordings and personal notes.
Archive/Integrity: Centralized storage on a CD or DVD jukebox with data integrity control for the raw contents of the intercepted calls. Complete or partial copy to CD and DVD for police reports at each workstation and possibility to export individual recordings.
Technical Access Controls: Management of single investigators or groups of investigators. Password access for recording of single lines and/or of single warrants, or for groups assigned to specific cases. Access credential assignment, modification, CD/DVD burning, and configuration of lines and warrants selected on the basis of preset (Administrator, Super User, Interpreter, Police Operator) or customized investigator classes.
Administration Features: Automatic generation of interception request to NSPs. Generation of SMS messages with detailed reports in real time to the system administrator or technical support team in the event of failures or malfunctions.
Analysis of Target Behavior: Predictive target behavior analysis, and graphic analysis for interactions among targets.
In addition, digital investigators can mark high priority recordings, possibly to specify which conversations to translate or transcribe. Furthermore, recordings that have been translated or transcribed can be classified by spoken language.

Standard Item Report Layout

In response to an interception request, digital investigators may receive intercept related information (IRI) in a standard report format (a.k.a. item report). The IRI details can include data associated with successful and unsuccessful communications, as well as location information. All information in a report is transmitted to digital investigators along with the content of captured communications. Therefore, it is important that digital investigators understand the information in these standard reports. Generally, IRI item reports are formatted as shown in Table 10.5, with the monitored number (e.g., MSISDN, IMEI, IMSI) and time of the event.
Table 10.5 General Format of Intercept Related Information (IRI) Reports

##Monitored Number: 393291234567   Day: 2009-04-20

2008-04-19 03:53:65 <Event type>

<Field(N-1)1_Name> <Field(N-1)1_Value>
<Field(N-1)2_Name> <Field(N-1)2_Value>
<Field(N-1)3_Name> <Field(N-1)3_Value>
...
<Field(N)1_Name> <Field(N)1_Value>
<Field(N)2_Name> <Field(N)2_Value>
Brief descriptions of the fields that may be present in an IRI record are given in Table 10.6. For further information, consult the ETSI and 3GPP specifications, available on www.etsi.org and www.3gpp.org.
Table 10.6 Description of Common Fields in an Intercept Related Information (IRI) Report

Intercept Related Information Report Field: Meaning

IRIContent: IRI record type. May contain iRI-Begin-record, iRI-Continue-record, iRI-End-record, or iRI-Report-record.
E164-Number: Identity of HLR. The field is formatted “xyz<number>”, where x = number plan, y = address type, z = extension.
number: Node address
calledPartyNumber: Called party number
callingPartyNumber: Calling party number
cC-Link-Identifier
cCLink-State: Current state of the Law Enforcement Monitoring Facility (LEMF) link
Communication-Identity-Number: Unambiguous ID number recorded at the monitoring center for the intercepted communication event; this number may be used to correlate different item reports referring to the same event
generalizedTime: Date and time of event
LEMF-Address: Law Enforcement Monitoring Facility (LEMF) address for target traffic
Imei: IMEI of target
Imsi: IMSI of target
msISDN: MSISDN of target
iRIversion: Set to value: version 2
lawfulInterceptionIdentifier: Numerical or alphanumerical field representing the Lawful Interception Identifier (LIID)
Mnc: Mobile Network Code
network-Element-Identifier: Provides the identity of the network element
operator-Identifier: Provides the identity of the operator
winterSummerIndication: Daylight savings or standard time: “summertime” or “wintertime”
globalCellID: Target localization (see section)
intercepted-Call-Direct: Indicates whether the target made or received the call or SMS. Possible values: originating-Target, terminating-Party
Content: Content of SMS message in ETSI format.
The format of IRI records produced for older CS Network and ASN.1-Text networks is also described next. These report formats are still useful to know, because “old” format report versions and schemes are still in use. The data in these reports can be useful for international investigations in Africa and other parts of the developing world.
In an IRI record, the call types are categorized as Originating (the target originated a call or SMS) or Terminating (the target received a call or SMS). IRI records (a.k.a. item reports) having the same Communication Identity Number refer to the same interception event. The events are collected for single days and individual targets by means of the following file naming format: MSISDN/IMSI/IMEI_YYYYMMDD (e.g., 393291234567_20060101).

Cell Information IRI Record Format (GSM/UMTS)

An algorithm has been implemented to analyze every IRI record passing through the formatting system. The algorithm looks at the globalCellID field (see Table 10.6) and correlates it with the information contained in the NSP systems where the cell is described. The information is saved in a separate file with the structure shown in Table 10.5. The field name is indicated on the left side of every IRI record and the value on the right. The “value” field may be delimited by the apostrophe character (ASCII 39). The fields found in a cell-information IRI record from the mobile network are summarized in Table 10.7.
Table 10.7 Description of Fields in IRI Records for Mobile Networks (GSM/UMTS)

Item Report Field: Meaning

CGI: Cell Global Identity
Communication-Identity-Number: Unambiguous ID number recorded at the monitoring center for the intercepted communication event; this number may be used to correlate different item reports referring to the same event
generalizedTime: Date and time of event
lawfulInterceptionIdentifier: Numerical or alphanumerical field representing the Lawful Interception Identifier (LIID)
winterSummerIndication: Daylight savings or standard time: “summertime” or “wintertime”
globalCellID: Target localization (see section)
Municipality: Municipality where the BTS or Node-B is located
Address: Address of the BTS or Node-B
Latitude: Latitude of the BTS/Node-B (optional)
Longitude: Longitude of the BTS/Node-B (optional)
Radial position: Radial position of the BTS/Node-B (optional), 0–360 degrees
The Communication-Identity-Number field is used to correlate cell information with interception events described earlier. The BTS localization field format is as follows:
Latitude: “AA<space>BB<space>CC.DD”, referenced to geographic north (WGS84 reference), where AA = degrees, BB = minutes, CC = seconds, DD = hundredths of seconds.
Longitude: “AA<space>BB<space>CC.DD<space>T” (WGS84 reference), where AA = degrees, BB = minutes, CC = seconds, DD = hundredths of seconds, T = E or W.
If available, a file containing related cell information is added to data gathered for a given day.
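The following parser is an added example (not code from the book or from any interception vendor) for the item-report layout of Table 10.5: it reads the monitored-number header, the timestamped event lines and the apostrophe-delimited field lines, groups records by Communication-Identity-Number as described above, builds the MSISDN_YYYYMMDD daily file name, and converts the BTS latitude/longitude strings of Table 10.7 into WGS84 decimal degrees. It assumes a single whitespace between field name and value (the table shows none) and the sample report is constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample in the Table 10.5 layout; values use the ASCII 39 delimiter.
SAMPLE_REPORT = """\
##Monitored Number: 393291234567 Day: 2009-04-20
2009-04-20 03:53:12 iRI-Begin-record
Communication-Identity-Number '4711'
intercepted-Call-Direct 'originating-Target'
calledPartyNumber '393331112222'
globalCellID 'cell-sample-01'
2009-04-20 03:55:40 iRI-End-record
Communication-Identity-Number '4711'
2009-04-20 04:10:03 iRI-Report-record
Communication-Identity-Number '4712'
Content 'meet at nine'
"""

HEADER_RE = re.compile(r"^##Monitored Number:\s*(\d+)\s*Day:\s*(\d{4}-\d{2}-\d{2})")
EVENT_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*(\S+)$")


@dataclass
class IriRecord:
    time: str
    event: str
    fields: dict = field(default_factory=dict)


def parse_item_report(text):
    """Return (monitored_number, day, [IriRecord, ...]) for one item report."""
    monitored = day = None
    records = []
    for raw in text.splitlines():
        line = raw.strip().replace("\u2013", "-")  # extraction often yields en-dashes
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            monitored, day = m.group(1), m.group(2)
            continue
        m = EVENT_RE.match(line)
        if m:
            records.append(IriRecord(m.group(1), m.group(2)))
            continue
        if not records:
            raise ValueError(f"field line before any event: {line!r}")
        # <Field_Name><Field_Value>: separator assumed to be whitespace
        name, _, value = line.partition(" ")
        records[-1].fields[name] = value.strip().strip("'")  # drop ASCII 39 delimiters
    return monitored, day, records


def correlate_by_cid(records):
    """Group records of the same interception event by Communication-Identity-Number."""
    groups = defaultdict(list)
    for rec in records:
        cid = rec.fields.get("Communication-Identity-Number")
        if cid is None:
            raise ValueError(f"record at {rec.time} lacks a Communication-Identity-Number")
        groups[cid].append(rec)
    return dict(groups)


def daily_file_name(monitored, day):
    """MSISDN/IMSI/IMEI_YYYYMMDD name under which one target's daily events are collected."""
    return f"{monitored}_{day.replace('-', '')}"


def dms_to_decimal(text):
    """'AA BB CC.DD' (latitude) or 'AA BB CC.DD T' (longitude, T = E/W) to decimal degrees."""
    parts = text.split()
    if len(parts) not in (3, 4):
        raise ValueError(f"bad localization string: {text!r}")
    deg, minutes, seconds = int(parts[0]), int(parts[1]), float(parts[2])
    if not (0 <= minutes < 60 and 0 <= seconds < 60):
        raise ValueError(f"minutes/seconds out of range: {text!r}")
    value = deg + minutes / 60 + seconds / 3600
    if len(parts) == 4:
        if parts[3] not in ("E", "W"):
            raise ValueError(f"hemisphere must be E or W: {text!r}")
        if parts[3] == "W":
            value = -value
    return value


def bts_position(cell_row):
    """Decimal (lat, lon) from a Table 10.7 cell-information row, or None if not given."""
    lat, lon = cell_row.get("Latitude"), cell_row.get("Longitude")
    if lat is None or lon is None:
        return None
    return dms_to_decimal(lat), dms_to_decimal(lon)
```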

Packet Switched Network IRI Record Format (GSM/UMTS)

The IRI record format for IRI records associated with packet switched data networks is the same as shown in Table 10.5. Four types of events will generate IRI records that are sent to the Law Enforcement Monitoring Facility:
IRI-Begin: Produced at the first attempt to initiate communication. It opens the transaction.
IRI-Continue: Produced to indicate a further event in an attempt at communication.
IRI-End: Produced at the end of the communication. It closes the transaction.
IRI-Report: Generated for an event not related to a communication event.
The type of IRI records produced for each event type is provided in Table 10.8.
Table 10.8 Type of IRI Record Generated for Events on GSM/UMTS Packet Switched Network

Event: IRI Record Type

GPRS attach: REPORT
GPRS detach: REPORT
PDP context activation (successful): BEGIN
PDP context modification: CONTINUE
PDP context activation (unsuccessful): REPORT
Start of intercept with PDP context active: BEGIN
PDP context deactivation: END
Location update: REPORT
SMS: REPORT
The meaning of the fields found in every item report generated in a Monitoring Center is provided in Table 10.9.
Table 10.9 Definition of Fields in Interception GSM/UMTS Packet Switched Network

Item Report Field: Meaning

APN: Access Point Name (APN)
GPRSevent: GPRS event (see Table 10.8)
GeneralizedTime: Date and time of event
globalCellID: Target localization
IMEI: IMEI of target
IMSI: IMSI of target
MSISDN: MSISDN of target
IRIversion: Set to value: version 2
MCC: Mobile Country Code
MNC: Mobile Network Code
Network-Element-Identifier: Provides the identity of the network element
Operator-Identifier: Provides the identity of the operator
WinterSummerIndication: Daylight savings or standard time: “summertime” or “wintertime”
TYPE
IP-type: IP network type (IPv4, IPv6)
IP-value: IP address assigned to user at PDP-Context-Activation
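As an added example (not the book's code nor that of any Monitoring Center), the routine below applies the event-to-record-type mapping of Table 10.8 and rebuilds PDP-context transactions (BEGIN, CONTINUE, END) from a stream of packet-switched IRI records modelled as dicts keyed by the Table 10.9 field names. It assumes records of one target are correlated by IMSI and arrive in time order; the sample records are constructed.

```python
# Table 10.8: GPRS event -> IRI record type generated for it
EVENT_TO_TYPE = {
    "GPRS attach": "REPORT",
    "GPRS detach": "REPORT",
    "PDP context activation (successful)": "BEGIN",
    "PDP context modification": "CONTINUE",
    "PDP context activation (unsuccessful)": "REPORT",
    "Start of intercept with PDP context active": "BEGIN",
    "PDP context deactivation": "END",
    "Location update": "REPORT",
    "SMS": "REPORT",
}


def record_type(gprs_event):
    """IRI record type for a GPRSevent value; an unknown event is an error, not a guess."""
    try:
        return EVENT_TO_TYPE[gprs_event]
    except KeyError:
        raise ValueError(f"unknown GPRSevent: {gprs_event!r}") from None


def reconstruct_sessions(records):
    """Rebuild PDP-context transactions from packet-switched IRI records.

    Returns (sessions, reports, anomalies). A session opens on BEGIN, records every
    cell change seen on CONTINUE/END records and closes on END; REPORT records stand
    alone. Correlation by IMSI and stream ordering are assumptions of this example."""
    open_sessions = {}  # IMSI -> session that has not yet seen its END
    sessions, reports, anomalies = [], [], []
    for rec in records:
        imsi, rtype, when = rec["IMSI"], record_type(rec["GPRSevent"]), rec["GeneralizedTime"]
        if rtype == "REPORT":
            reports.append(rec)
            continue
        if rtype == "BEGIN":
            if imsi in open_sessions:  # previous context never closed: flag, then move on
                anomalies.append(f"{when}: BEGIN for {imsi} while a PDP context is still open")
            session = {
                "IMSI": imsi, "APN": rec.get("APN"), "IP": rec.get("IP-value"),
                "begin": when, "end": None, "cells": [rec.get("globalCellID")],
                # intercept may start with a context already active (Table 10.8)
                "started_mid_context": rec["GPRSevent"].startswith("Start of intercept"),
            }
            open_sessions[imsi] = session
            sessions.append(session)
            continue
        session = open_sessions.get(imsi)
        if session is None:
            anomalies.append(f"{when}: {rtype} for {imsi} without an open PDP context")
            continue
        cell = rec.get("globalCellID")
        if cell and cell != session["cells"][-1]:
            session["cells"].append(cell)
        if rtype == "END":
            session["end"] = when
            del open_sessions[imsi]
    return sessions, reports, anomalies


def _rec(time, event, imsi, cell, **extra):
    """Helper that builds a constructed Table 10.9-style record for the sample data."""
    return {"GeneralizedTime": time, "GPRSevent": event, "IMSI": imsi,
            "globalCellID": cell, **extra}


# Constructed sample stream: one full transaction, one context already active at
# intercept start (never closed), and a stray END with no matching BEGIN.
SAMPLE_RECORDS = [
    _rec("20090420100000Z", "GPRS attach", "222010000000001", "cell-A"),
    _rec("20090420100005Z", "PDP context activation (successful)", "222010000000001",
         "cell-A", APN="internet.example", **{"IP-type": "IPv4", "IP-value": "10.0.0.5"}),
    _rec("20090420101500Z", "PDP context modification", "222010000000001", "cell-B"),
    _rec("20090420103000Z", "PDP context deactivation", "222010000000001", "cell-B"),
    _rec("20090420103010Z", "GPRS detach", "222010000000001", "cell-B"),
    _rec("20090420110000Z", "Start of intercept with PDP context active", "222010000000002",
         "cell-C", APN="internet.example", **{"IP-type": "IPv4", "IP-value": "10.0.1.9"}),
    _rec("20090420120000Z", "PDP context deactivation", "222010000000003", "cell-D"),
]
```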

Mobile Encrypted Phone

A valid alternative to the use of normal GSM phones is the encrypted telephone or “crypto phone.” These devices use the normal telephone network but encrypt the information in transit.
The technical principle is based on breaking up the emitted voice message and recomposing it upon reception based on a particular encryption system. Practically speaking, each message is analyzed digitally and broken up into a certain number of packets of preset duration. The packets are then mixed up on the basis of a session key and transmitted to the recipient. An agent intercepting the call will hear only a sequence of disjointed frequencies that are completely incomprehensible to the human ear and completely undecipherable by any computerized voice analysis system. The recipient receives the call as an analog signal that is recomposed into comprehensible information by use of the same session key.
Security is further enhanced by continuous and automatic variation of the session key according to a specially designed algorithm. The session keys are varied automatically at the start of every conversation and at fixed intervals during the conversation itself.
A crypto phone has two separate channels, one for transmission and one for reception, and each is encoded with a different sequence. In order to be able to communicate, the devices on either end of the communication have to know the session key. This key is never transmitted, so interception of it is not possible. Instead, the serial numbers are transmitted so that the session keys can be obtained from the onboard memories of each crypto phone. Certain phones allow the user to select the keys from a field of 10^16 (10 quadrillion) possibilities.
A would-be interceptor, having an analogous device, or else via computerized analysis of the encrypted signal, would have to try out all possible combinations in order to decode just a fraction of the signals over the two channels. The time necessary to do that is estimated at approximately 3 × 10^9 seconds, or 34,700 days, for every minute of conversation. Obviously decryption of an entire conversation is impossible. This currently represents a limit for investigations, and it will become increasingly difficult to overcome.
It is also possible for a group of users to create a private network in which a customized encryption algorithm will be used. Thus only those users who are part of the private network and thus possess the same customized session key will be able to use it.
The latest devices on the market have double encryption: software and hardware. The encryption method can be activated easily from the user menu. A powerful algorithm based on a 128-bit private key provides effective protection for communications, ensuring privacy and the authentication of the recipient. They use a 4800 bps codec for high-quality sound in encrypted communications.
Typical technical characteristics include:
▪ Normal or encrypted calls to other mobile or landline phones
▪ Proprietary (unpublished) symmetrical algorithm with 128-bit private keys
▪ Secure folder
▪ 100 traffic keys that allow the creation of responder groups
▪ BSO 900/1800/1900 tri-band
▪ High-resolution screen, QVGA, 256,000 colors, 240 × 320 pixels
▪ Integrated technologies: hi-fi ringer, MP3, SMS, MMS, WAP, GPRS, Bluetooth, MP3 player, and video camera, all with up to 40MB of storage capacity
Figure 10.5 shows a common architecture for encrypted mobile/fixed phones. This figure shows that encrypted cellular telephones can perform a variety of functions, not just encrypted voice communication. With the necessary software or hardware, encrypted mobile phones can exchange data with nonencrypted devices and computers.
Figure 10.5
Encryption phone mixed network example.
The key exchange process for encrypted mobile devices can rely on standard public key infrastructures, to integrate with an enterprise environment. In such cases, as with any network investigation, it may be necessary to obtain logs from servers (e.g., RADIUS, key servers). However, encrypted mobile devices significantly hinder interception. Figure 10.6 represents the practical way the keys are exchanged between phones. Naturally, the illustrated situation is just a snapshot of a specific instant since the session keys are changed in every conversation. To decipher captured communications involving this type of system, it would be necessary to obtain all the private encryption keys.
Figure 10.6
Encryption key exchange example.

Analysis of Usage Logs

Usage logs represent information analytically and compactly, and contain a variety of attributes that can be useful in an investigation. This dense representation of information can often be difficult for digital investigators to read and interpret. Therefore it is generally useful to employ log analysis tools that can reorganize and cross-reference information on the basis of specific needs. A detailed analysis of the logs, known as “content analysis,” allows the data to be classified according to specific criteria. The most important elaboration methods for processing logs are summed up as follows:
▪ Data selection and projection algorithms: Applied to a particular investigation. Only given data groups are selected.
▪ Targeted queries: Queries that cannot be defined as standard. They are targeted to particular investigative needs and are implemented by the investigators on a case-by-case basis.
▪ Cross-referenced data selection algorithms to classify the data according to complex criteria: Needed when particular correlations must be conducted.
▪ Statistical processing algorithms: Used, for example, when a particular volume of phone calls between mobile devices (for example, before or after a homicide) must be demonstrated.
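The three elaboration methods above (selection, cross-referencing, statistical processing) applied to a usage log, as an added example that is not the book's code: it keeps only calls among a group of numbers and counts them in the windows before and after a reference time, per pair of parties. The CSV layout (time, caller, callee, duration_s) and the log lines are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed usage log; numbers and times are illustrative only.
CONSTRUCTED_LOG = """\
time,caller,callee,duration_s
2009-04-19 20:10:00,393291234567,393331112222,65
2009-04-19 22:45:10,393331112222,393291234567,30
2009-04-20 01:02:00,393291234567,393445556666,0
2009-04-20 03:20:00,393445556666,393331112222,410
2009-04-20 09:00:00,393291234567,393000000000,12
2009-04-21 12:00:00,393331112222,393291234567,90
"""


def parse_usage_log(text):
    """Turn the CSV log into records with typed time and duration fields."""
    rows = text.strip().splitlines()
    header = rows[0].split(",")
    records = []
    for line in rows[1:]:
        rec = dict(zip(header, line.split(",")))
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")
        rec["duration_s"] = int(rec["duration_s"])
        records.append(rec)
    return records


def select_group_calls(records, numbers):
    """Data selection: keep only calls in which both parties belong to the group."""
    return [r for r in records if r["caller"] in numbers and r["callee"] in numbers]


def calls_around_event(records, numbers, event_time, hours):
    """Statistical processing: group calls within +/- hours of event_time,
    split into before/after counts and cross-referenced per unordered pair."""
    window = timedelta(hours=hours)
    before = after = 0
    pairs = {}
    for r in select_group_calls(records, numbers):
        delta = r["time"] - event_time
        if -window <= delta < timedelta(0):
            before += 1
        elif timedelta(0) <= delta <= window:
            after += 1
        else:
            continue  # outside the window of interest
        key = tuple(sorted((r["caller"], r["callee"])))
        pairs[key] = pairs.get(key, 0) + 1
    return {"before": before, "after": after, "pairs": pairs}
```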

Analysis of Mobile Phone Traffic

One of the current trends in this field is using a centralized platform for gathering and analyzing telephone traffic log files and other historical data for purposes of recording, storing, and analyzing telephone and Internet traffic data.
The system has been designed for ISPs, data centers, telecommunications operators, and companies using shared resources for telephone and Internet communications.
Basically speaking, it is a product that allows users to monitor company resource use and easily manage different types of data (logs), whose analysis otherwise often entails long and complex operations.
One of the main features of this tool is that it should be capable of gathering data from a variety of different sources, including but not limited to:
▪ Telephone exchanges (PABX)
▪ Mail servers
▪ RADIUS servers
▪ Proxies
These data are then stored in a shared database to ensure homogeneous processing and aggregation and correlation operations for statistics, billing, auditing, or other purposes.
The system should be capable of processing large quantities of data by means of user-friendly search masks, thus facilitating the identification and correlation of important information that may derive from previous months or years.
Advanced analyses are usually performed on normalized data using data-mining applications. The identified data can easily be printed or exported in electronic format.
The data saved to the central database are confidential by nature and thus defined as “sensitive data,” hence their secrecy must be ensured. System access and data processing protocols fully comply with laws and regulations in force regarding personal privacy.
This type of tool is a fundamental element in a complete security plan to protect the company network and all its shared resources. Its forensically compliant processes also ensure the validity of data for legal purposes. Its functions include:
▪ Manual or automatic file acquisition via standard or proprietary acquisition interfaces
▪ Normalization and storage of information contained in the files
▪ Archive management via data export and backup processes
Usually, a server includes the following modules, all of which are customizable:
▪ Acquisition
▪ Normalization
▪ Web application

Acquisition

The tool should be able to interact with peripheral devices or systems that generate log files over local or wide-area network connections, using file transfer (FTP, sFTP, etc.) or resource sharing (NFS, Microsoft network sharing, etc.) network protocols.
The system is also capable of acquiring files from optical media such as CDs and DVDs.

Normalization

This type of module is usually equipped with a special process for synchronizing and scheduling the system analysis operations.
The main management issue is recognizing multiple log formats, including the proprietary formats of the principal telephone and network systems. Other formats can easily be added to meet specific needs.
The system produces preformatted reports, aggregating data on the basis of time intervals, originator of communication, type and quantity of traffic, and so on.

Web Application

This module allows access to the system by web clients connected using the secure protocol (HTTPS) via Internet/intranet or standard browsers (Internet Explorer, Netscape Navigator, etc.).
A good system should be completely configured and operated via web interface.
With a common browser it is possible to:
▪ Configure and administrate the system
▪ Manage user profiles and privileges
▪ Generate normalized files
▪ Carry out filtered searches (username, telephone number, IP address, URL, etc.)
▪ Display the results and chronology of operations

Semantic Intelligence

A further development in investigative software is represented by Semantic Intelligence. This is a particularly complex sort of software for analyzing unstructured data. Once everything available in electronic format (scanned documents, Word files, web documents, etc.) has been imported into the system, it permits keyword searches by definition and groups subjects present in different investigations (cases) even if they use aliases or nicknames.
Thanks to semantic searches, the law enforcement agents are able to obtain a significantly more complete picture, minimizing the likelihood of overlooking some historical detail due to human error. The prosecutor can also use it in an indictment, avoiding the need to leaf through paper documents to find the record needed in a specific moment or compare records for different years.
A drawback of this technology consists first of all in the high cost of use due to years of research and development on the part of some of the world's best software developers as well as the continual upgrading with new features and functions and translations into new languages (e.g., Arabic, Chinese). Another difficulty lies in the large and necessary job of transforming paper case documents into electronic documents needed to perform word searches.