FORENSIC RADIO SURVEY TECHNIQUES FOR CELL SITE ANALYSIS
Overview of the end-to-end process of planning, undertaking, and reporting of forensic radio surveying to support cell site analysis
The newly updated and revised Second Edition of Forensic Radio Survey Techniques for Cell Site Analysis provides an overview of the end-to-end process of planning, undertaking, and reporting of forensic radio surveying to support the forensic discipline of cell site analysis. It starts by recapping and explaining, in an accessible way, the theory, structure, and operation of cellular communications networks, then moves on to describe the techniques and devices employed to undertake forensic radio surveys.
Worked examples are used throughout to demonstrate the practical steps required to plan and undertake forensic radio surveys, including the methods used to analyze radio survey data and compile it into a court report. A summary section condenses the technical and practical elements of the book into a handy reference resource for busy practitioners.
The Second Edition contains 25% brand new material covering 5G New Radio networks and ‘6G and beyond,’ critical communications, mobile satellite communications, IoT networks, Cell Site Analysis Tools, and much more.
Other sample topics covered in Forensic Radio Survey Techniques for Cell Site Analysis include:
The Second Edition of Forensic Radio Survey Techniques for Cell Site Analysis is an essential reference on the subject for police analysts, practitioners, technicians, investigators, and cell site experts, along with legal professionals and students/trainees in digital forensics.
Page count: 1118
Year of publication: 2023
Cover
Table of Contents
Title Page
Copyright Page
Dedication Page
About the Author
Preface
Acknowledgements
Acknowledgements for the 2nd Edition
Glossary
1 Forensic Radio Surveys for Cell Site Analysis
1.1 Cell Site Analysis
1.2 Forensic Radio Surveying
2 Radio Theory
2.1 RF Propagation
2.2 Carrying Information on a Radio Signal
2.3 Radio Spectrum
2.4 RF Measurements
References
Note
3 Wireless Technologies and Deployments
3.1 Coordinating Cellular Development
3.2 Evolution from 0G to 5G
3.3 3GPP Network Types
3.4 3GPP2 Network Types
3.5 Other Types of Network
3.6 Deployed Technologies by Region
3.7 Commonly Used Frequency Bands by Region
References
4 Cellular Theory
4.1 Pre‐cellular Radiotelephone Networks
4.2 Radio Cells
4.3 Frequency Reuse
4.4 Cell Size and Coverage
4.5 Duplex Techniques
4.6 Multiple Access Techniques
4.7 Generic Network Architecture
4.8 Mobile Devices and SIMs
4.9 Radio Access Networks
4.10 Core Networks
4.11 Subscriber and Device Identifiers
4.12 Network Databases
4.13 Cell Sites
4.14 Antennas and Azimuths
4.15 Uptilt and Downtilt
4.16 Cell Types and Sizes
4.17 Cell Site Types and Uses
4.18 Single and Multi‐frequency Networks
4.19 Cell Coverage Concepts
4.20 Small Cells and Closed Subscriber Groups
4.21 Network Activities
4.22 Idle Mode and Connected Mode
4.23 Cell Access Control
4.24 Location Updating (Idle Mode Mobility)
4.25 Handover (Connected Mode Mobility)
4.26 Network Sharing
References
5 3GPP Network Types
5.1 2G GSM Networks
5.2 3G UMTS/HSPA Networks
5.3 4G LTE Networks
5.4 5G NR Networks
References
6 Other Cellular Network Types
6.1 2G IS‐95/cdmaOne
6.2 3G IS‐2000/CDMA2000 1x RTT
6.3 3G CDMA2000 EV‐DO
6.4 Surveying Other Technologies
6.5 Global Navigation Satellite Systems
References
7 Forensic Radio Surveys
7.1 Forensic Radio Survey Objectives
7.2 Forensic Radio Survey Terminology
7.3 Forensic Radio Survey Types and Techniques
7.4 Idle Mode versus Connected Mode Surveys
7.5 Additional Survey Techniques
7.6 Survey Preparation
7.7 Typical Survey Actions and Procedures
7.8 Survey Results: Checking and Confirmation
7.9 Survey Notes and Progress Maps
7.10 Survey Equipment Types
7.11 Raw Survey Results
7.12 Processing Survey Results
7.13 Understanding Survey Results
7.14 Storage of Survey Data
7.15 Quality and Best Practice
7.16 Summary of Typical Survey Results
References
8 Cell Site Analysis
8.1 Cell Site Concepts
8.2 Uses and Limitations of Cell Site Evidence
8.3 Regulation of Cell Site Analysis
8.4 Components of Cell Site Analysis
8.5 Call Detail Records
8.6 Sources of Cellular Coverage Data
8.7 Forensic Radio Surveys
8.8 Cell Site Reports
8.9 Call Schedules
8.10 Maps and Graphics
8.11 Report Checking and Peer Review
8.12 Professional and Expert Witnesses
8.13 Court Presentations
8.14 Support for ‘Live’ Investigations
8.15 Cell Site Analysis and Forensic RF Surveys
References
9 Summary and Practical Activities
9.1 Radio and Cellular Concepts
9.2 Cellular Identifiers
9.3 Cellular Network Types
9.4 Forensic Radio Surveys
9.5 Survey Results: Checking and Confirmation
9.6 Survey Notes and Progress Maps
9.7 Survey Results
9.8 Cell Site Analysis
9.9 End‐to‐End Process
9.10 Overall List of Events/Locations
9.11 Source Files Attribution List
9.12 Normalise Call Data into a Standard Format
9.13 Create an Overall Cell List
9.14 Creating a Case Overview Map
9.15 Compile Radio Survey Summary Tables
9.16 Creating Call and Cell Labels
9.17 Cell Site Mapping Presentations
9.18 Summary
9.19 Further Reading
References
Index
End User License Agreement
Chapter 2
Table 2.1 SI units related to radio signal measurements.
Table 2.2 Cellular radio bands.
Table 2.3 Typical decibel values.
Table 2.4 Linear mW values compared to exponential dBm values.
Table 2.5 Examples of common cellular dBm values.
Table 2.6 Example of mapping signal strength values into simple description...
Chapter 3
Table 3.1 Regional deployment of popular wireless technologies.
Table 3.2 Commonly used cellular frequency bands by region (Spring 2023)....
Chapter 4
Table 4.1 Examples of United Kingdom MCC and MNC.
Table 4.2 Comparison of decimal, binary and hexadecimal notation.
Table 4.3 Highest and lowest hexadecimal CI values in GSM and UMTS.
Table 4.4 3GPP SIM ACC.
Chapter 5
Table 5.1 GSM ARFCN ranges.
Table 5.2 Comparison of decimal and hexadecimal CI.
Table 5.3 RXLEV reporting values.
Table 5.4 UMTS ARFCN assignments.
Table 5.5 3GPP defined operating bands for LTE (as of Release 18, Spring 20...
Table 5.6 3GPP defined operating bands for NR (as of Release 18, Spring 202...
Chapter 6
Table 6.1 cdmaOne and CDMA2000 generations and variants.
Table 6.2 CDMA2000 band classes and channel numbering.
Table 6.3 EV‐DO variants.
Table 6.4 3GPP2 technical specifications.
Table 6.5 TD‐SCDMA radio survey parameters.
Table 6.6 802.11 WIFI variants and frequency bands.
Table 6.7 802.11 Overlapping channel count and bandwidth options.
Chapter 7
Table 7.1 Example of an all‐network profile.
Table 7.2 Spot/location survey raw data table.
Table 7.3 Cell coverage survey raw data table.
Table 7.4 Route profile raw data table.
Table 7.5 Spot/location survey raw data table.
Table 7.6 Example of all‐network profile report.
Table 7.7 Example of coverage survey results raw data, showing details of o...
Table 7.8 Example of route survey results raw data showing a succession of ...
Chapter 8
Table 8.1 Example of a case details table from a hypothetical cell site rep...
Table 8.2 Example of a continuity table from a hypothetical a cell site rep...
Chapter 9
Table 9.1 Typical decibel values.
Table 9.2 Linear mW values compared to exponential dBm values.
Table 9.3 Cellular radio bands.
Table 9.4 Commonly used cellular frequency bands by region.
Table 9.5 Comparison of decimal, binary and hexadecimal notation.
Table 9.6 Mobile country code list.
Table 9.7 Basic characteristics of 2G GSM.
Table 9.8 2G GSM radio bands and channel numbering.
Table 9.9 Basic characteristics of 3G UMTS.
Table 9.10 3G UMTS radio bands and channel numbering.
Table 9.11 Basic characteristics of 2G cdmaOne and 3G CDMA2000.
Table 9.12 2G cdmaOne and 3G CDMA2000 band classes and channel numbering....
Table 9.13 Basic characteristics of 4G LTE.
Table 9.14 4G LTE radio bands and channel numbering.
Table 9.15 Basic characteristics of 5G NR.
Table 9.16 5G NR radio bands and channel numbering.
Table 9.17 Example of an all‐network profile.
Table 9.18 Example of all‐network profile report.
Table 9.19 Example of coverage survey results raw data, showing details of ...
Table 9.20 Example of route survey results raw data showing a succession of...
Table 9.21 Example of locations/events list.
Table 9.22 Example ‘phones/attributions’ table.
Table 9.23 Overall cell list.
Chapter 2
Figure 2.1 Alternating current.
Figure 2.2 Generating a radio wave.
Figure 2.3 The frequency, wavelength and amplitude of a signal.
Figure 2.4 Bandwidth of a radio channel.
Figure 2.5 Radio propagation modes.
Figure 2.6 Multipath transmission.
Figure 2.7 Multipath combining.
Figure 2.8 Analogue transmission.
Figure 2.9 Digital transmission.
Figure 2.10 Digital modulation techniques.
Figure 2.11 Radio bands and channels.
Figure 2.12 Frequency versus distance.
Figure 2.13 Traditional cellular radio bands.
Figure 2.14 Extended cellular radio bands.
Chapter 3
Figure 3.1 3GPP members.
Figure 3.2 First‐generation mobile networks.
Figure 3.3 Second‐generation mobile networks.
Figure 3.4 Third‐ and fourth‐generation mobile networks.
Figure 3.5 Cellular download speed increases over time.
Figure 3.6 3GPP networks.
Chapter 4
Figure 4.1 Single transmitter coverage.
Figure 4.2 Cellular network coverage.
Figure 4.3 Cellular network operation.
Figure 4.4 Co‐channel and adjacent channel interference.
Figure 4.5 Example of a frequency reuse pattern.
Figure 4.6 Cell size and frequency (not to scale).
Figure 4.7 Duplex techniques.
Figure 4.8 Multiple access technologies.
Figure 4.9 MIMO, CA and DC.
Figure 4.10 Generic network architecture.
Figure 4.11 Omnidirectional site and sectorised site base stations.
Figure 4.12 Location areas.
Figure 4.13 Multi‐RAT base stations.
Figure 4.14 C‐RAN.
Figure 4.15 Traditional aggregated RAN.
Figure 4.16 Disaggregated RAN.
Figure 4.17 2G/3G core networks.
Figure 4.18 4G core networks.
Figure 4.19 5G core networks.
Figure 4.20 SRVCC.
Figure 4.21 IPX and Data Interconnects.
Figure 4.22 The MSISDN.
Figure 4.23 The International Mobile Subscriber Identity (IMSI).
Figure 4.24 Structure of the IMEI and IMEISV.
Figure 4.25 Channels and carriers.
Figure 4.26 Cellular configurations.
Figure 4.27 Omnidirectional transmit, sectorised receive.
Figure 4.28 Cellular capacity.
Figure 4.29 Cell identifiers.
Figure 4.30 Horizontal radio beam coverage from an antenna.
Figure 4.31 The azimuth of an antenna.
Figure 4.32 Uptilt and downtilt.
Figure 4.33 Cell types and sizes.
Figure 4.34 Cell types and uses.
Figure 4.35 Single‐frequency networks.
Figure 4.36 Multi‐frequency networks.
Figure 4.37 Multi‐carrier single‐frequency networks.
Figure 4.38 Dominant cell coverage.
Figure 4.39 Non‐dominant cell coverage.
Figure 4.40 Poor cell coverage.
Figure 4.41 Cell selection.
Figure 4.42 Attach (in GSM networks).
Figure 4.43 Idle mode and connected mode.
Figure 4.44 Reselection offsets.
Figure 4.45 Timing advance concept.
Figure 4.46 Location updating.
Figure 4.47 Types of handover.
Chapter 5
Figure 5.1 Base station subsystem.
Figure 5.2 Time division multiple access.
Figure 5.3 Typical logical channel distribution.
Figure 5.4 C1 equation.
Figure 5.5 C1 calculation.
Figure 5.6 C2 equation.
Figure 5.7 C2 calculation.
Figure 5.8 BA list and distribution of BCCH carriers.
Figure 5.9 Typical 3 + 3 + 3 carrier deployment.
Figure 5.10 GSM frequency division duplex and ARFCNs.
Figure 5.11 2G cell ID.
Figure 5.12 Cell discrimination using BSICs.
Figure 5.13 UTRAN interfaces and elements.
Figure 5.14 Code division multiple access.
Figure 5.15 CDMA ‘chip’ transmission.
Figure 5.16 The UMTS S cell selection equations.
Figure 5.17 UMTS R cell reselection equations.
Figure 5.18 Active and monitored cells.
Figure 5.19 Multilayer networks.
Figure 5.20 Soft handover.
Figure 5.21 Softer, hard, and intersystem handover.
Figure 5.22 Cell breathing.
Figure 5.23 Measurement parameters.
Figure 5.24 Comparison of 2G and 3G Cis.
Figure 5.25 Determining 3G Cis.
Figure 5.26 Service area codes.
Figure 5.27 UMTS cell deployment.
Figure 5.28 Multicarrier HSPA.
Figure 5.29 Evolved universal terrestrial radio access network.
Figure 5.30 Evolved universal terrestrial radio access network tracking area...
Figure 5.31 Orthogonal frequency division multiple access.
Figure 5.32 Scalable bandwidth.
Figure 5.33 4G handovers.
Figure 5.34 Multiband operation.
Figure 5.35 Physical cell IDs.
Figure 5.36 LTE cell deployment.
Figure 5.37 LTE voice options.
Figure 5.38 4G with 5G NSA.
Figure 5.39 5G NSA and SA modes.
Figure 5.40 5G next generation—radio access network.
Figure 5.41 5G core network.
Figure 5.42 5G identifiers.
Figure 5.43 Basic OFDMA characteristics.
Figure 5.44 OFDMA symbol rate vs subcarrier bandwidth.
Figure 5.45 FR1 and FR2 channel bandwidths.
Figure 5.46 5G CA and DC options.
Figure 5.47 5G cell configurations.
Figure 5.48 NR cell deployment.
Figure 5.49 5G network slicing.
Chapter 6
Figure 6.1 CDMA2000 1x network architecture.
Figure 6.2 CDMA2000 SID and NID.
Figure 6.3 CDMA2000 identifiers.
Figure 6.4 3GPP2 CDMA concepts.
Figure 6.5 Code Offset concepts.
Figure 6.6 3GPP2 Handoff concepts.
Figure 6.7 CDMA2000 physical layer cell discrimination.
Figure 6.8 BSID numbering schemes.
Figure 6.9 Sector Transmit/Receive Configurations.
Figure 6.10 EV‐DO carrier configuration options.
Figure 6.11 WIFI Roaming.
Figure 6.12 Voice over WIFI.
Figure 6.13 WIFI surveys.
Chapter 7
Figure 7.1 Spot/location survey.
Figure 7.2 Hypothetical spot survey – not to scale.
Figure 7.3 Local coverage survey.
Figure 7.4 Typical cell coverage profile.
Figure 7.5 Derived Service Area map.
Figure 7.6 Typical route profile.
Figure 7.7 Multiple device surveys.
Figure 7.8 Test call patterns.
Figure 7.9 Cell locks.
Figure 7.10 Orbit test.
Figure 7.11 Target cell list.
Figure 7.12 Cell location map.
Figure 7.13 Spot/location surveys.
Figure 7.14 Cell coverage surveys: outline survey.
Figure 7.15 Cell coverage surveys: full detail survey.
Figure 7.16 Non‐contiguous cell coverage.
Figure 7.17 Surveying near a LAC boundary.
Figure 7.18 Annotated CSurv 2G data.
Figure 7.19 Annotated Lima CM 2G data.
Figure 7.20 Annotated Lima CM 3G data.
Figure 7.21 Annotated Lima CM 4G data.
Figure 7.22 Annotated Lima CM 5G data.
Figure 7.23 Lima CM CSV data.
Figure 7.24 Example of the NEMO Handy .nmf format.
Figure 7.25 Example of Lima CM WIFI survey output format.
Figure 7.26 Spot/location survey results.
Figure 7.27 Cell coverage survey map.
Figure 7.28 Route profile survey map.
Figure 7.29 Survey results with non‐serving strong cells.
Figure 7.30 Example of survey with ‘Missing’ Cell IDs.
Chapter 8
Figure 8.1 Cell site analysis.
Figure 8.2 Simple cell site conclusion.
Figure 8.3 High‐level cell site analysis.
Figure 8.4 Low‐level cell site analysis.
Figure 8.5 Analysing calls in isolation and in clusters.
Figure 8.6 Voice/SMS CDRs.
Figure 8.7 GPRS/PS data CDRs.
Figure 8.8 Generic voice/SMS CDR content.
Figure 8.9 Generic GPRS/PS data CDR content.
Figure 8.10 Generic cell location report content.
Figure 8.11 Cell site conclusions.
Figure 8.12 Mapping presentations.
Figure 8.13 Call tables. CSAS data format, used with permission from Forensi...
Figure 8.14 Timing advance concept.
Figure 8.15 Overlapping timing advance arcs.
Figure 8.16 CDMA ‘chip’ transmission.
Chapter 9
Figure 9.1 The frequency, wavelength and amplitude of a signal.
Figure 9.2 Spot/location survey.
Figure 9.3 Target cell list.
Figure 9.4 Cell location map.
Figure 9.5 Spot/location survey results.
Figure 9.6 Cell coverage survey map.
Figure 9.7 Route profile survey map.
Figure 9.8 NationalCell CDR format.
Figure 9.9 MetroCell CDR format.
Figure 9.10 Normalised format.
Figure 9.11 Radio survey results table.
Figure 9.12 Survey summary table.
Figure 9.13 Cell coverage survey map.
Figure 9.14 Route profile survey map.
Figure 9.15 Example cell site map.
Figure 9.16 Cell detail labels.
Figure 9.17 Cell detail labels.
Figure 9.18 Location detail map.
Figure 9.19 Travel between locations map.
Figure 9.20 General pattern of travel map.
Second Edition
Joseph Hoy
Forensic Analytics Ltd, UK
This edition first published 2024
© 2024 John Wiley & Sons Ltd
Edition History: Forensic Radio Survey Techniques for Cell Site Analysis (1e, 2015); John Wiley & Sons Ltd. (1e, 2015)
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by law. Advice on how to obtain permission to reuse material from this title is available at http://www.wiley.com/go/permissions.
The right of Joseph Hoy to be identified as the author of this work has been asserted in accordance with law.
Registered Offices
John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA
John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, UK
For details of our global editorial offices, customer services, and more information about Wiley products visit us at www.wiley.com.
Wiley also publishes its books in a variety of electronic formats and by print‐on‐demand. Some content that appears in standard print versions of this book may not be available in other formats.
Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
Limit of Liability/Disclaimer of Warranty
While the publisher and authors have used their best efforts in preparing this work, they make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives, written sales materials or promotional statements for this work. This work is sold with the understanding that the publisher is not engaged in rendering professional services. The advice and strategies contained herein may not be suitable for your situation. You should consult with a specialist where appropriate. The fact that an organization, website, or product is referred to in this work as a citation and/or potential source of further information does not mean that the publisher and authors endorse the information or services the organization, website, or product may provide or recommendations it may make. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
Library of Congress Cataloging‐in‐Publication Data
Names: Hoy, Joseph, author.
Title: Forensic radio survey techniques for cell site analysis / Joseph Hoy.
Description: Hoboken, NJ : Wiley, 2024. | Includes index.
Identifiers: LCCN 2023032891 | ISBN 9781394197170 (hardback) | ISBN 9781394197187 (adobe pdf) | ISBN 9781394197194 (epub)
Subjects: LCSH: Mobile device forensics. | Electronic evidence. | Computer networks. | Electronics in criminal investigation.
Classification: LCC TK5103.4837 .H69 2024 | DDC 363.25/2–dc23/eng/20230809
LC record available at https://lccn.loc.gov/2023032891
Cover Design: Wiley
Cover Image: © travenian/Getty Images
For Nicola, Ellie and Isabel, who always find much more interesting things for me to do when I should be writing.
Joseph Hoy has a background in telecom engineering and training. Gaining experience initially as an IT and telecoms engineer with BT, NCR and AT&T, Joseph moved across to cellular telecoms and worked on a variety of engineering and training projects for Nokia around the world.
He has also worked as a cell site analyst and expert witness, compiled forensic reports for a variety of police forces and agencies and presented them in a range of courts, including the Old Bailey in London.
Joseph specialises in cellular and forensic telecoms training and is co‐founder and Chief Product Officer of Forensic Analytics, which has developed a suite of software applications that automate many of the processes involved in cell site analysis and forensic RF surveying.
He is a member of the Institution of Engineering and Technology (IET) and has been a member of the United Kingdom Forensic Science Regulator's cell site analysis working group. Joseph was the winner of the prestigious techUK President's Award for ‘contribution to society’ in 2023.
Joseph lives in the United Kingdom with his wife and two daughters.
This book is intended to serve two purposes: to provide a coherent explanation of the theories and procedures that underpin forensic radio surveying and of the network technologies that are being surveyed in a form that can be read cover to cover as a textbook, but also to act as a reference resource that can be dipped into as needed.
Forensic radio surveying is undertaken in support of the digital forensics discipline of cell site analysis and is, on the face of it, a very simple process: ‘go to a location, switch on the survey device, capture measurements, go back to the office and process the results’. But without a proper understanding of the operation of the cellular networks that are being surveyed, of the issues related to different networks or technologies and without knowledge of the things that can go wrong with surveys (and their remedies), survey results will not be as accurate or useful as they could be.
The ability to demonstrate a full understanding of the fundamental cellular technologies and forensic radio surveying techniques is also of use if surveyors are called to court to explain their evidence. A lack of technical knowledge or understanding may be quickly discovered under cross‐examination and will be used to undermine the credibility of any cell site evidence being presented.
In general, the aims of this book are to provide a readily understandable introduction to the topic for those who are new to forensic radio surveying and to act as an aide memoire to remind more experienced forensic radio surveyors of information related to surveying that they have learned on training courses but may sometimes have trouble remembering.
The second edition of this book has been fully overhauled and updated to include new technologies (such as 5G) and techniques that have been developed since the first edition in 2015. It has also benefited from a huge and very welcome amount of feedback from readers.
The forensic disciplines of cell site analysis and radio surveys are dynamic and challenging.
New technologies, updated techniques and evolving networks ensure that the specific details of the topic change over time. We endeavour to keep up with these changes and will update the information in this book at regular intervals.
We recognise, however, that we will not always get everything right and may not always be quick enough to amend outdated material, so we welcome comments or criticism from readers. We will be happy to debate the topics and issues raised, provide further information and generally engage with the forensics community as required to ensure that this book is as accurate, comprehensive and up‐to‐date as possible.
Questions, comments and feedback can be sent to: [email protected]
A great number of people have helped with the development of this book, including:
My co‐founders at Forensic Analytics, Martin Griffiths and Andrew Hausler.
Ian Clark, David Bell and Tom Hoy at Lynross Training. Much of the basic network overview content in Chapters 4 and 5 is based on material that we jointly developed for Lynross courses, and they kindly gave me permission to adapt it for this book.
My former colleagues at LGC Forensic – Ceri Walsh, Sue Carter, Sue Delahaye, Nick Chandler and Mick Shelley – who helped me to understand what cell site is all about.
David Bristowe and Professor Jan Stuart, who were instrumental in developing the discipline of cell site analysis.
Dr Matthew Tart and Dr Iain Brodie of CCL Group Ltd (both formerly of the Forensic Science Service) for suggestions and ideas and also for their 2010 paper ‘Historic cell site analysis – Overview of principles and survey methodologies’, which they co‐authored with Nicholas Patrick‐Gleed and James Matthews when they were all working for the Forensic Science Service.
Fellow cell site experts and practitioners who provided comments that were used in the precursor document to the first edition of this book, including Dominic Kirsten, Ben Spencer, Thea Selby, Phil Gardiner, Vicki Meaton, Mark Johnson, Greg Smith, Nicky Haigh, Peter Brown and Duncan Brown.
Chris Cox, of Cox Communications, gave advice on presenting the mathematics of radio systems in Chapter 2. Professor Berthold K.P. Horn at MIT, Bruno Xavier of CelPlan, Brazil and Don Hill of Proactive Technical Solutions, Inc, who provided information about CDMA2000 in Chapter 6.
Tom Hoy and Ian Church for proofreading and grammatical advice. Anna Smart, Sandra Grayson, Clarissa Lim, Alan Mill and Radjan Lourde Selvanadin at Wiley.
I received a great deal of very useful feedback and suggestions from readers of the first edition, some of which took a reasonable amount of discussion with them and research for me to include aspects of it in the 2nd edition.
As well as my co‐founders at Forensic Analytics Ltd – Martin Griffiths and Andrew Hausler – I had a great deal of help and encouragement from other colleagues, including Steve Rick, Darran Fletcher, Dave Cutts, Sue Carter, Paul Kilby, Will Metters, Jon Cornish, June Woodland and Isabel Duncan. Gareth Howell and Jamie Fleming, who both have PhDs in Physics, also helped me unpick the mathematics associated with overlapping annuli (which is apparently the correct technical term for overlapping arcs). I'd also like to thank Gerry McQuade, our chairman, and the board of Forensic Analytics for allowing me to take a sabbatical to work on this second edition.
I interviewed a number of practitioners and expert witnesses in the course of preparing the 2nd Edition and would like to thank the following individuals and groups for their patient assistance: Olof Lundberg, formerly of Inmarsat; Peter Brown, Duncan Brown, Nicky Haigh, Adam Munday, Dominic Kirsten and Richard Baxter of Forensic Partners Ltd.; Matt Tart, Iain Brodie, Brian Edwards, and the cell site team at CCL Solutions Group Ltd; Rick Yeomans and Steph Curwen of Intaforensics Ltd; Jon Heathcote of Staffordshire Police and the College of Policing's RF Development User Group; Chad Fitzgerald of the FBI CAST team; Joo Jung and his team from Ottawa Provincial Police; Farid (Sal) Salehroa of Advanced Concepts Exploitation LLC; Brian Bisceglia of Worcester Police, MA; Simon Hudson of BT plc. Any errors or inaccuracies are my own and do not reflect the advice I was given.
The 2nd Edition contains descriptions of a wider set of forensic radio survey devices and of CDR and RF data processing tools than the 1st Edition did. I would like to thank the following representatives of the companies who agreed to allow me to describe their products: Wim Fokke of Group 2000 Ltd; Shaun Desmond of Keysight Technologies; Kevin Parma of Infovista SAS; David Stewart and Charles Amoury of Gladiator Forensics LLC; Jim Cairns of Technical Solutions Group Ltd, representing QRC Technologies LLC.
Thanks also to Sandra Grayson, Becky Cowan, Kavipriya Ramachandran and Sindhu Raj Kuttappan at Wiley.
A number of figures and tables in this book were taken from various 3GPP Technical Specifications (TSs) or Technical Reports (TRs). In relation to this content: © 2023. 3GPP TM TSs and TRs are the property of ARIB, ATIS, CCSA, ETSI, TSDSI, TTA and TTC, who jointly own the copyright in them. They are subject to further modifications and are therefore provided to you ‘as is’ for informational purposes only. Further use is strictly prohibited.
A number of tables in the book were taken from various 3GPP2 Technical Specifications. In relation to this content: COPYRIGHTED MATERIAL reproduced and distributed by John Wiley & Sons under written permission of the Organisational Partners of the Third Generation Partnership Project 2 (3GPP2).
0G: Pre‐cellular radiotelephone networks
1G: First Generation mobile networks
2G: Second Generation mobile networks, e.g. GSM
2.5G: Enhanced 2G networks, e.g. GPRS
2.75G: Enhanced 2G networks, e.g. EDGE
3G: Third Generation mobile networks, e.g. UMTS
3.5G: Enhanced 3G networks, e.g. HSPA/HSPA+
3GPP: Third Generation Partnership Project – global standards body
3GPP2: 3GPP mark 2 – United States standards body
4G: Fourth Generation mobile networks, e.g. LTE
4.5G: Enhanced 4G Networks, e.g. LTE‐Advanced
4.75G: Enhanced 4G Networks, e.g. LTE‐Advanced Pro
5G: Fifth Generation of mobile networks, e.g. NR
5.5G: Enhanced 5G networks, e.g. 5G‐Advanced
5GC: 5G Core network
5QI: 5G Quality of Service Identifier
6G: Sixth Generation of mobile networks
6LowPAN: IPv6 over Low Power Access Networks
802: IEEE family of networking standards
802.11: IEEE WiFi standards family
802.15: IEEE Wireless Speciality Network standards family
802.16: IEEE WIMAX standards family
λ: (lambda) Wavelength
A2DP: Advanced Audio Distribution Profile
AAU: Active Antenna Unit
AC: Access Category
ACB: Access Class Barring
ACC: Access Control Class
Active: a 3G cell currently selected to serve a mobile device's Connected Mode connections
ADC: Analogue to Digital Conversion
AGCH: Access Grant Channel
A‐GPS: Assisted GPS
ALPR: Automatic License Plate Recognition
AM: Amplitude Modulation
AMF: Access and Mobility Management Function
AMP: Additional MAC and PHY
AMPS: Advanced Mobile Phone System
ANPR: Automatic Number Plate Recognition
ANSI: American National Standards Institute
AO: Authorising Officer
AOA: Angle of Arrival
API: Application Programming Interface
APCO: Association of Public Safety Communications Officials
AP: Access Point
APN: Access Point Name
ARFCN: Absolute Radio Frequency Channel Number in 2G
ARIB: Association of Radio Industries and Businesses
ARP: Allocation and Retention Priority
AS: Access Stratum
ATIS: Alliance for Telecommunications Industry Solutions
AuC: Authentication Centre
AUSF: Authentication Server Function (in 5G)
AUTN: Authentication Token (Network)
BA List: BCCH Allocation List – neighbour cell list in 2G
BCC: Base Station Colour Code (part of BSIC)
BCCH: Broadcast Control Channel
BER: Bit Error Rate
BGAN: Broadband Global Area Network
BID: Base Station ID
BLE: Bluetooth Low Energy
BLER: Block Error Rate
BPSK: Binary Phase Shift Keying
BSC: Base Station Controller (in 2G)
BSIC: Base Station Identity Code (in 2G)
BSID: Base Station ID (in CDMA2000)
BSS: Base Station Subsystem
BSSID: Broadcast Service Set Identifier
BT: Bluetooth
BTS: Base Transceiver Station (in 2G)
BWA: Broadband Wireless Access
c: Speed of light
C1: Cell Selection algorithm (in 2G)
C2: Cell Reselection algorithm (in 2G)
CA: Carrier Aggregation
CAG: Closed Access Group (in 5G)
Camp On: To select a cell as the serving cell in Idle Mode
CC: Component Carrier (in Carrier Aggregation)
CCCH: Common Control Channel
CCDC: Covert Communications Data Capture
CCH: Control Channel
CCTV: Closed Circuit Television
CCSA: China Communications Standards Association
CDG: CDMA Development Group
CDR: Call Detail Record
CDMA: Code Division Multiple Access
CDMA2000: 3G network type
cdmaOne: 2G network type
CELL_DCH: Cell Dedicated Channel state (in 3G)
CELL_FACH: Cell Forward Access Channel state (in 3G)
CELL_PCH: Cell Paging Channel state (in 3G)
CF: Call Forward
CGI: Cell Global ID
CI: Cell ID
CINR: Carrier to Interference and Noise Ratio
CIoT: Cellular IoT
CLOUD: Clarifying Lawful Overseas Use of Data Act
Connected Mode: The state a mobile device is in when a connection has been established to a base station and traffic flow is possible
CoP: Code of Practice
CoP: College of Policing
COPO: Crime (Overseas Production Orders) Act
CPIA: Criminal Procedures and Investigations Act
CPICH: Common Pilot Channel (in 3G)
CPS
UK Crown Prosecution Service
C‐RAN
Centralised RAN/Cloud RAN
CRH
Cell Reselection Hysteresis
CRS
Cell‐specific Reference Signal (in 4G, 5G)
CS
Circuit Switched, e.g. traditional voice telephony service
CSA
Cell Site Analysis
CSAS
Cell Site Analysis Suite
CSFB
Circuit Switched Fallback
CSG
Closed Subscriber Group (for 3G/4G femtocells)
CSI
Channel State Information
CSI
Crime Scene Investigator
CSLI
Cell Site Location Information
CSP
Cellular Service Provider
CSP
Cell Selection Priority
CSS
Cell Site Simulator
CSV
Comma Separated Values
CU
Central Unit
C‐V2X
Cellular – Vehicle to Anything
D2D
Direct 2 (to) Device
DAA
Data Access Agreement
DAC
Digital to Analogue Conversion
D‐AMPS
Digital Advanced Mobile Telephone System
DAS
Distributed Antenna System
dB
decibels
dBm
decibel milliwatts
dBW
decibel watts
dBi
decibel isotropic
DC
Dual Connectivity
DC‐HSPA
Dual Carrier HSPA
DDR
Device Data Record
DECT
Digital Enhanced Cordless Telephone
Dedicated Mode
Original term for Connected Mode used in GSM
DCS
Digital Communications Service
DL
Downlink
DNN
Data Network Name
DOCSIS
Data Over Cable Service Interface Specification
DPA
Data Protection Act
DRVCC
Dual Radio Voice Call Continuity
DRX
Discontinuous Reception
DSA
Derived Service Area
DSL
Digital Subscriber Line
DSP
Digital Signal Processor
DSRC
Dedicated Short Range Communications
DSS
Dynamic Shared Spectrum
DU
Distributed Unit
E.164
ITU international phone number standard
E.212
ITU network numbering (MCC + IMSI) standard
EARFCN
Evolved Absolute Radio Frequency Channel Number (in 4G)
Ec/Io
Energy per chip/Interference – signal‐to‐noise ratio measurement (in 3G)
Ec/No
Energy per chip/noise – signal‐to‐noise ratio measure (in 3G)
ECGI
EUTRAN Cell Global Identifier (in 4G)
ECI
EUTRAN Cell ID
EC‐GSM‐IoT
Enhanced Coverage GSM for IoT
ECM
EPS Connection Management (in 4G)
EDGE
Enhanced Data Rates for Global Evolution, PS data for 2G networks
E‐GSM
Extended GSM900 band
EIR
Equipment Identity Register
EIRENE
European Integrated Radio Enhanced Network
EIRP
Effective Isotropic Radiated Power
EM
Electromagnetic
eMLPP
Enhanced Multilevel Precedence and Pre‐emption
eNB
EUTRAN Node B (also Evolved Node B) – 4G base station
eNB ID
eNB Identifier
EN‐DC
EUTRA‐NR Dual Connectivity (in 5G NSA)
EPC
Evolved Packet Core (4G core network)
EPS
Evolved Packet System (4G network)
EPLMN
Equivalent PLMN
eSIM
Embedded SIM card
ESN
Electronic Serial Number
ESN
Emergency Services Network
ETSI
European Telecoms Standards Institute
EUTRAN
Evolved Universal Terrestrial Radio Access Network (in 4G)
EV‐DO
Evolution – Data Optimised (or Data Only)
F
Frequency
FACCH
Fast Associated Control Channel
FAT
Frequency Allocation Table
F‐BCCH
Forward Broadcast Control Channel
FCH
Frequency Correction Channel
FDD
Frequency Division Duplex
FDMA
Frequency Division Multiple Access
Femtocell
A small‐scale cell/base station designed to be deployed at a user's home or office, which provides a small bubble of network service
FF
Form Factor (in relation to SIM cards)
FHSS
Frequency Hopping Spread Spectrum
FM
Frequency Modulation
F‐PCH
Forward Paging Channel
F‐PICH
Forward Pilot Channel
FR
Frequency Range
FR1
5G frequency range below 6 GHz
FR2
5G frequency range above 6 GHz
FRMCS
Future Railways Mobile Communications System
FSS
Fixed Satellite System
FSR
Forensic Science Regulator
F‐SYNC
Forward Synchronisation Channel
FWA
Fixed Wireless Access
GAP
Generic Access Profile
GEO
Geosynchronous Earth Orbit/Geostationary Earth Orbit
GERAN
GSM/EDGE Radio Access Network
GGSN
Gateway GPRS Support Node
GHz
Gigahertz (billions of cycles per second)
GIS
Geographical Information System
gNB
5G Node B (5G base station)
GNSS
Global Navigation Satellite System
GPRS
General Packet Radio Service, PS data for 2G networks
GPS
Global Positioning System
GSCN
Global Synchronisation Channel Number
GSM
Global System for Mobile, 2G network type
GSMA
GSM Association
GSM‐R
GSM for Railways
GUAMI
Globally Unique AMF ID
GUMMEI
Globally Unique MME ID
GUTI
Globally Unique Temporary Identifier
Handover
The process of passing the active connections for a mobile device in Connected Mode from one cell/base station to another
HARQ
Hybrid ARQ (Automated Retransmission Request)
HBO
Home Breakout
HCR
High Chip Rate
HD‐FDD
Half Duplex – Frequency Division Duplex
HF
High Frequency
HFP
Handsfree Profile
HHO
Hard Handover
HLR
Home Location Register
HPLMN
Home PLMN
HSDPA
High Speed Downlink Packet Access
HSPA/HSPA+
High Speed Packet Access, fast PS data for 3G networks
HSS
Home Subscriber Server (evolved form of HLR)
HSUPA
High Speed Uplink Packet Access
Hysteresis
A process that attempts to prevent an Idle Mode mobile device from reselecting to a new cell too quickly after a previous reselection
Hz
hertz (cycles per second)
ICCID
Integrated Circuit Card Identification Number
iDEN
Integrated Digital Enhanced Network
Idle Mode
A state where a mobile device is powered on and attached to a network but has no active control or traffic connections
IEEE
International Electrical and Electronics Engineers
IFAST
International Forum on ANSI‐41 Standards Technology
IMEI
International Mobile Equipment Identifier
IMEISV
IMEI and Software Version number
IMS
IP Multimedia Subsystem
IMSI
International Mobile Subscriber Identifier
IMTS
Improved Mobile Telephone Service (0G network)
IoT
Internet of Things
IP
Internet Protocol
IPA
Investigatory Powers Act
IPX
IP Exchange
IRAT
Inter‐Radio Access Technology
IS
Interim Standard
IS54
D‐AMPS/TDMA 2G system
IS95/A/B
cdmaOne 2G system
IS136
Enhanced D‐AMPS/TDMA 2G system
IS2000
CDMA2000 system
ISDN
Integrated Services Digital Network
ISHO
Inter System Handover
ISM
Industrial, Science and Medical radio bands
ISO
International Standards Organisation
ITS
Intelligent Transport Services
ITU
International Telecommunications Union
K
Subscription‐specific secret security key
kHz
kilohertz (thousands of cycles per second)
LA
Location Area (in 2G and 3G)
LAA
Licence Assisted Access
LAC
Location Area Code
LAI
Location Area Identifier (LAC plus country code, network code)
LAU
Location Area Update
LBO
Local Breakout
LBS
Location‐Based Services
LCI
Local Cell ID
LCR
Low Chip Rate
LCS
Location Server
LEA
Law Enforcement Agency
LEO
Low Earth Orbit
LF
Low Frequency
LI
Lawful Intercept
LIG
Lawful Intercept Gateway
LMDS
Local Multipoint Distribution Service
LMF
Location Management Function
LOS
Line of Sight
LTE
Long Term Evolution, a 4G network type
LTE‐A
LTE‐Advanced
LTE‐M
LTE for Machine Type Communication
LTE‐U
LTE deployed in unlicensed radio bands
LW
Long Wave
LWPA
Low Power Wide Area
LWPAN
LPWA Network
M2M
Machine 2 (to) Machine
MAC
Medium Access Control
Mbps
Megabits per second
MC
Mission Critical
MC
Multiple Connectivity
MCS
Modulation and Coding Scheme
MCC
Mobile Country Code, e.g. 234 for the UK
MC‐HSPA
Multi‐Carrier HSPA
MCL
Maximum Coupling Loss
Mcs
Megachips per second
MDG
Mobile Development Group
MDN
Mobile Directory Number
MDT
Minimisation of Drive Testing
ME
Mobile Equipment
MEID
Mobile Equipment ID
MeNB
Master e Node B (in Dual Connectivity)
MEO
Medium Earth Orbit
MF
Medium Frequency
MFN
Multi Frequency Network
MGW
Media Gateway
MgNB
Master G Node B (in Dual Connectivity)
MHz
Megahertz (millions of cycles per second)
MIB
Master Information Block
MIMO
Multiple Input Multiple Output
MMDS
Multi‐channel Multipoint Distribution Service
MME
Mobility Management Entity (in 4G)
MMS
Multimedia Messaging Service
mmWave
Millimetre Wave (radio band)
MNC
Mobile Network Code, e.g. 10 for O2 UK
MNO
Mobile Network Operator
MORAN
Multiple Operator Radio Access Network
MPS
Multimedia Priority Service
MS
Mobile Station, a 2G mobile device
MSC
Mobile Switching Centre (2G/3G CS core network node)
MS‐ISDN
Mobile Subscriber/Station International Subscriber Directory Number – mobile phone number
MSIN
Mobile Subscriber Identification Number
MSS
MSC Server
MSS
Mobile Satellite System
MTC
Machine Type Communication
MTPAS
Mobile Telephony Privileged Access Scheme
MTS
Mobile Telephone Service (0G network)
MuNST
Multi Network Survey Tool, as CSurv device
MVNA
Mobile Virtual Network Aggregator
MVNE
Mobile Virtual Network Enabler
MVNO
Mobile Virtual Network Operator
mW
milliwatts
MW
Medium Wave
NAI
Network Access Identifier
NAS
Non‐Access Stratum
NB‐IoT
Narrowband IoT network
NCC
Network Colour Code (part of BSIC)
NCI
NR Cell ID
NCGI
NR Cell Global Identifier
NCL
Neighbour Cell List (in 3G and 4G)
NFC
Near‐Field Communications
NFV
Network Function Virtualisation
NG‐RAN
Next Generation – Radio Access Network (in 5G)
NGSO
Non‐Geostationary Orbit
NID
Network ID
NLOS
Non‐Line of Sight
NMT
Nordic Mobile Telephone
NR
National Roaming
NR
New Radio
NR‐ARFCN
New Radio Absolute Radio Frequency Channel Number
NSA
Non‐Standalone
NSSF
Network Slice Selection Function (in 5G)
NTN
Non‐Terrestrial Network
OCDA
Office for Communications Data Authorisations
ODTOA
Observed Difference in Time of Arrival
OFDM
Orthogonal Frequency Division Multiplexing
OFDMA
Orthogonal Frequency Division Multiple Access (in 4G/5G/WIFI)
Ofcom
Office of the Communications Regulator
O‐RAN
Open RAN
OTSR
Omni‐directional Transmit, Sectorised Receive
OTT
Over the Top
P25
Project 25 – emergency services network type in USA
P‐ANI
Private header – Access Network Information
PAYG
Pay‐as‐you‐go
PBAP
Phone Book Access Profile
PCCH
Paging Control Channel
PCell
Primary Cell (in Carrier Aggregation)
PCH
Paging Channel
PCI
Physical‐layer Cell ID (in 4G)
PCS
Personal Communications System
PD
Propagation Delay
PDC
Personal Digital Cellular
PDN‐GW
Packet Data Network Gateway (4G core network node)
PDP
Packet Data Protocol
PDSN
Packet Data Service Node
PEI
Permanent Equipment Identifier
P‐GSM
Primary GSM900 band
PGW
Packet Data Network Gateway (4G core network node)
PHS
Personal Handyphone System
PKI
Public Key Infrastructure
PLMN
Public Land Mobile Network
P_MAX
Maximum permitted uplink transmit power
PN
Pseudo Noise
POI
Period of Interest
PR
Probe Request/Probe Response
PRB
Physical Radio Block
PRL
Preferred Roaming List
PRS
Positioning Reference Signal
PS
Packet Switched, e.g. the data transmission mechanism used by data networks like the Internet
PSC
Primary Scrambling Code (in 3G)
PSCell
Primary Secondary Cell (in Dual Connectivity)
P‐SCR
Primary Scrambling Code – alternative abbreviation (in 3G)
PSS
Primary Synchronisation Signal (in 4G)
PSTN
Public Switched Telephone Network
P‐TCH
Packet switched Traffic Channel (in 2G)
P‐TMSI
Packet switched Temporary Mobile Subscriber Identifier (in 2G and 3G)
PTT
Press to talk/Push to talk
QAM
Quadrature Amplitude Modulation
QCI
QoS Class Identifier
QoS
Quality of Service
QPSK
Quadrature Phase Shift Keying
R
Cell Reselection algorithm (in 3G, 4G and 5G)
R99
Release 99 (3GPP specification set)
RA
Routing Area (in 2G and 3G)
RAC
Routing Area Code
RACH
Random Access Channel
RAI
Routing Area Identifier
RAU
Routing Area Update
RAN
Radio Access Network
RAND
Random number used in authentication
RAT
Radio Access Technology
RB
Resource Block (in 4G/5G)
RE
Resource Element (in 4G/5G)
RES
Response sent during authentication
Reselection
In Idle Mode, the process by which a mobile device selects the serving cell that it will camp on
RF
Radio Frequency
RFID
Radio Frequency ID
RFSS
Radio Frequency Sub‐System
RFPS
Radio Frequency Propagation Survey
RIC
RAN Intelligent Controller
RIPA
Regulation of Investigatory Powers Act
RNA
RAN‐Based Notification Area
RNAU
RNA Update
RNC
Radio Network Controller (in 3G)
RNC ID
RNC Identifier
RNS
Radio Network Subsystem (in 3G)
RRC
Radio Resource Control
RRH
Remote Radio Head
RRM
Radio Resource Management
RRU
Remote Radio Unit
RS
Reference Signal
RSCP
Received Signal Code Power (in 3G)
RSRP
Reference Signal Received Power (in 4G/5G)
RSRQ
Reference Signal Received Quality (in 4G/5G)
RSSI
Received Signal Strength Indicator
RTT
Radio Transmission Technology
RTT
Round‐Time Trip
RXLev
Received Signal Level (in 2G)
RXQUAL
Received Signal Quality (in 2G)
S
Cell selection algorithm (in 3G, 4G and 5G)
SA
Standalone
SAC
Service Area Code (in 3G)
SAE
System Architecture Evolution
SACCH
Slow Associated Control Channel
SAP
SIM Access Profile
SCell
Secondary Cell (in Carrier Aggregation)
SC‐FDMA
Single Carrier Frequency Division Multiple Access (in 4G)
SCH
Synchronisation Channel (in 2G)
SDCCH
Standalone Dedicated Control Channel
SDL
Supplementary Downlink
SDN
Software Defined Network
SDP
Session Description Protocol
SDR
Software Defined Radio
SeNB
Secondary e Node B (in Dual Connectivity)
Serving
Term applied to the cell that an Idle Mode device is currently camped on or that a Connected Mode device is connected to
SF
Spreading Factor
SFN
Single Frequency Network
SFR
Streamlined Forensic Report
SgNB
Secondary g Node B (in Dual Connectivity)
SGSN
Serving GPRS Support Node (2G/3G PS core network node)
S‐GW
Serving Gateway (4G core network node)
SHO
Soft Handover (in 3G)
SI
International System of Units
SIB
System Information Block
SID
System ID
SIG
Special Interest Group
SIM
Subscriber Identity Module
SIP
Session Initiation Protocol
SINR
Signal to Interference and Noise Ratio
SMF
Service Management Function (in 5G)
SNR
Serial Number
SMS
Short Message Service
SMSC
Short Message Service Centre
Sng‐eNB
Secondary Next Generation e Node B (in Dual Connectivity)
SNR
Signal‐to‐Noise Ratio
SNR
Serial Number (part of an IMEI)
SOCO
Scene of Crime Officer
SON
Self‐Optimising Network
SPoC
Single Point of Contact
SR
Spreading Rate
SRD
Short Range Device
SrHO
Softer Handover (in 3G)
SRVCC
Single Radio Voice Call Continuity
SSID
Service Set ID
SSS
Secondary Synchronisation Signal (in 4G)
S‐TMSI
Serving Temporary Mobile Subscriber Identifier (in 4G/5G)
STSR
Sectorised Transmit Sectorised Receive
SUCI
Subscription Concealed Identifier
SUL
Supplementary Uplink
SUPI
Subscription Permanent Identifier
SVDO
Simultaneous Voice and Data
SVN
Software Version Number (part of an IMEI)
TA
Timing Advance
TA
Tracking Area (in 4G)
TAC
Tracking Area Code
TAC
Type Allocation Code (part of an IMEI)
TACS
Total Access Communications System
TAI
Tracking Area Identifier
TAU
Tracking Area Update
TCH
Traffic Channel (in 2G)
TDD
Time Division Duplex
TD‐LTE
TDD version of LTE
TDMA
Time Division Multiple Access
TD‐SCDMA
Time Division – Synchronous Code Division Multiple Access
TETRA
Terrestrial Trunked Radio
T‐GSM
TETRA
THF
Tremendously High Frequency
THz
Terahertz (trillions of cycles per second)
TIA/EIA
Telecoms Industry Association/Electronics Industries Alliance
TMSI
Temporary Mobile Subscriber Identifier
TO
Telecoms Operator
TO
Temporary Offset
TOA
Time of Arrival
TRX
Transceiver or Transmitter‐Receiver
TS
Technical Standard
TSDSI
Telecommunications Standards Development Society, India
UAC
Unified Access Control
UARFCN
UMTS Absolute Radio Frequency Channel Number
UDM
Unified Data Management function (in 5G)
UE
User Equipment (in 3G, 4G and 5G)
UHF
Ultra High Frequency
UIC
Union International des chemins de fer (International Railway Union)
UICC
Universal Integrated Circuit Card
UL
Uplink
UMTS
Universal Mobile Telecommunications System, a 3G network type
UMTS HCR
High Chip rate version of UMTS (e.g. standard UMTS)
UMTS‐FDD
FDD version of UMTS
UMTS LCR
Low Chip rate version of UMTS (e.g. TD‐SCDMA)
UMTS‐TDD
TDD version of UMTS
UPF
User Plane Function (in 5G)
URA_PCH
UTRAN Registration Area Paging Channel (in 3G)
USIM
Universal SIM
USRAN
Universal Satellite Radio Access Network (in 3G)
UTRA
Universal Terrestrial Radio Access (in 3G)
UTRAN
Universal Terrestrial Radio Access Network (in 3G)
UWB
Ultra‐Wide Band
V2I
Vehicle to Infrastructure
V2P
Vehicle to Pedestrian
V2V
Vehicle to Vehicle
V2X
Vehicle to anything
VHF
Very High Frequency
VLF
Very Low Frequency
VLR
Visitor Location Register
VM
Voicemail
VoIP
Voice over IP
VoLTE
Voice over LTE
VoNR
Voice over NR
VoWIFI
Voice over WIFI
W
watts
WACN
Wide Area Communications Network ID
WAVE
Wireless Access in Vehicular Environments
WCDMA
Wideband Code Division Multiple Access
WIFI
Wireless Fidelity
WIMAX
Wireless Interoperability for Microwave Access
WLAN
Wireless Local Area Network
WLL
Wireless Local Loop
WPAN
Wireless Personal Area Network
WRC
World Radio Conferences
WSN
Wireless Speciality Network
XRES
Expected Response during authentication
Cell site analysis attempts to provide evidence of where a mobile phone may have been located when certain significant calls were made, or where it is currently located for some types of live investigation.
Cell site analysis is generally interested in just four things in relation to a technology or network type:
What useful information does the usage or billing data contain?
What radio resources does the technology or network use?
How can those resources be measured?
What conclusions can we draw?
This book examines the range of network types that are currently available, cellular or otherwise, and attempts to provide the answers to each of those questions for each network or technology type discussed.
Mobile phone networks consist of a large number of radio ‘cells’, each of which covers a limited geographical area. Each cell is assigned a unique ‘Cell ID’, which is captured in the billing record (CDR or Call Detail Record) when calls are made.
Network operators are able, under tight regulatory guidelines, to provide details of the calls made by ‘target’ phones and can also provide details of the locations of the cells used by those phones.
Cell site analysis is designed to enable an investigator to determine whether calls made at or around the time of an incident or offence used cells that are located near the location of that offence.
Forensic radio surveys are designed to provide solid evidence to back up the assumptions made by investigators and cell site analysts.
Forensic radio survey equipment captures details of the cells that can be detected at a location and can indicate which cells would be selected for use by a phone being used at those locations.
Forensic radio survey results can be used to prove that particular cells provide coverage at significant locations and can, therefore, indicate whether it is possible for a phone using those cells to have been at or near those locations when particular calls were made, assuming that the cell coverage at the time of the calls was the same as at the time of the radio survey.
The only totally definite conclusion that can be drawn from cell site analysis is that the use of a particular cell by a target phone means that the phone must have been within the serving coverage area of that cell at the time.
Forensic radio surveys can set approximate limits to the area within which the target phone might have been located. This type of evidence can be very useful when attempting to prove or disprove an alibi or other statement.
Overall, forensic radio surveys add empirical rigour to an area of investigation that would otherwise fall prey to assumptions and wishful thinking.
Cell site analysis, based on a combination of CDRs, cell location details and forensic radio survey results, can provide compelling evidence to support the allegations made by investigators.
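The comparison described above, between the Cell IDs recorded in CDRs and the cells a forensic radio survey found at significant locations, can be sketched as follows. This is an added example, not code from the book: the CDR rows, survey results, field names and function names are all constructed for illustration, and any result holds only under the stated assumption that coverage at the time of the calls matched coverage at the time of the survey.

```python
import csv
import io
from datetime import datetime

# Constructed CDR extract (not real data). Cell IDs are written here as
# MCC-MNC-LAC-CI; 234 and 10 are the UK / O2 UK codes given in the glossary.
CDR_CSV = """start_time,msisdn,cell_id
2023-03-04T21:02:11,447700900001,234-10-1201-40011
2023-03-04T21:40:37,447700900001,234-10-1201-40012
2023-03-04T22:15:05,447700900001,234-10-1305-51877
2023-03-05T09:30:00,447700900001,234-10-1201-40011
"""

# Constructed survey results: for each surveyed location, the cells the
# survey equipment detected and whether each was selected as serving there.
SURVEY = {
    "incident scene": {
        "234-10-1201-40011": {"serving": True, "level_dbm": -71},
        "234-10-1201-40012": {"serving": False, "level_dbm": -94},
    },
    "alibi address": {
        "234-10-1305-51877": {"serving": True, "level_dbm": -68},
    },
}


def load_cdrs(text):
    """Parse the CDR extract and convert start times to datetime objects."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["start_time"] = datetime.fromisoformat(row["start_time"])
        rows.append(row)
    return rows


def classify_calls(cdrs, survey, poi_start, poi_end):
    """For each call inside the Period of Interest (POI), report how the
    cell recorded in the CDR was observed at every surveyed location."""
    results = []
    for call in cdrs:
        if not (poi_start <= call["start_time"] <= poi_end):
            continue  # outside the POI, not relevant to this comparison
        findings = {}
        for location, cells in survey.items():
            seen = cells.get(call["cell_id"])
            if seen is None:
                findings[location] = "not detected"
            elif seen["serving"]:
                findings[location] = "serving"
            else:
                findings[location] = "detected, not serving"
        results.append((call["start_time"], call["cell_id"], findings))
    return results


if __name__ == "__main__":
    poi = (datetime(2023, 3, 4, 20, 0), datetime(2023, 3, 4, 23, 59))
    for when, cell, findings in classify_calls(load_cdrs(CDR_CSV), SURVEY, *poi):
        print(when.isoformat(), cell, findings)
```

A "serving" result shows only that use of the cell is consistent with the phone having been at that location; "not detected" at a location weighs against it, which is how such a comparison supports or undermines an alibi.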
