CellSiteSurvey

Introduction

Some will say that CellSite analysis is not an exact science. To some extent that statement is true, although it is ambiguous and a little misleading. Armed with equipment that provides reliable survey data and with a good understanding of the principals involved. Well structured procedures will lead to the same conclusions time after time. 3gforensics manufacture and supply such equipment and via its training partners, provide comprehensive training to ensure that users can draw valid conclusions from the data gathered.

The text below is a brief introduction to cell site analysis and why it may be useful. This text is not an aid to training and should not be considered a comprehensive guide to Cell Site survey techniques.

Background

Mobile equipment, operating within modern cellular infrastructure, are radio transceivers that use complex modulation techniques, to pass large amounts of data, using relatively low power. In the context of Cell Site Analysis, the important point to note is that, regardless of the complex services they deliver to the end user, modern mobile telephones are radio transmitters and receivers. Radio transmitters and receivers make use of radio waves to transfer information through space, the way in which radio waves behave when moving through space is termed 'Propagation'.

Modern mobile equipment uses a variety of different techniques and protocols to encode information such that it can be carried by radio waves. A quantity of this information is unique to the transmission of data to the mobile equipment. Essentially, cell site analysis is a process of measuring and documenting actual propagation from transmitters within a communications network and linking that information to data recovered from those transmissions that uniquely identifies the transmitter.

A cell site typically consists of multiple transmitter receiver pairs, associated control equipment and antenna. Each set of transmitter receiver pairs will normally have a unique identity or CellID. Though more complex configurations can be employed, a typical cell site might consist of three transmitter receiver sets referred to as Base Stations, each with a unique CellID, each feeding an antenna.

Cell Site antenna can direct radio waves in a particular direction and by careful design, limit the spread of the radio waves, effectively limiting the range and area over which the base station is said to 'cover'. Such an area is referred to as a 'Sector' Normally each sector is served by a base station and since each base station has a unique identity 'CellId' the area of coverage, 'sector' can be referred to by the unique CellId.

A base station propagates radio waves into a defined area, referred to as a sector.

Base stations are rarely at the center of the coverage area 'sector', more often they will be located on one side of the sector. A base station site may consist of more than one base station and associated antenna, configured to give coverage to a geographic area. The base station site maybe located near the geographic center of the total coverage area of the site.

A three sector site.

Here we depict a base station site comprising of three base stations, propagating in three different directions.

It is important to remember that the base station is very rarely at the center of the area of coverage related to that base station antenna 'sector'

When base stations are grouped together to form a cell site, the cell site is often at the center of the area covered by that group of base stations. The area of coverage will comprise of several 'sectors', typically, but not always, three.

Mobile equipment operating within the network infrastructure is designed to operate in a prescribed fashion, the operating conditions are laid down in internationally agreed specifications, such that mobile equipment may roam across many networks internationally without loss of connectivity or functionality.

When a mobile telephone is switched on, it carries out many complex tasks, to ensure that it connects to the correct network and provides the user with the very best service. One of the most basic of tasks that the mobile telephone must carry out is to 'look' for a radio frequency carrying information that will allow the mobile telephone to connect to a valid network and further to authenticate its self with the network, such that the mobile becomes part of the network, enabling it to make and receive calls and provide the user with the services they expect.

Mobile telephones are preprogrammed to 'scan' a set range of radio frequencies , or 'channels', assigned by the network operator or 'service provider', The mobile will scan across many radio frequencies seeking one that is carrying data from a network that it is authorised to use. Once located , the mobile may find many such radio frequencies, the mobile will identify the radio channel that carries information that provides the best quality of service to the user.

The mobile will exchange data with the network using that radio channel during a process called 'registration' and after the required registration and authentication sequences have been successfully completed, the mobile is connected to the network. This whole process takes a very short time and results in the mobile being connected via a specific Base station and thus a specific unique CellId.

During use the mobile may move from one cell site to another, the mobile and network co-ordinate this by the evaluating radio frequency signal level and the resulting quality of service. The network operator keeps track of the mobile to ensure that it can always route calls and services.

The network stores the data related to the mobile point of connection to the network. The data stored by the network will consist of data unique to the mobile equipment, including the CellId of the serving base station and the time and date of calls made / received etc. This log is referred to as the call data record or CDR.

Network operators record detailed call records for billing purposes, the data available to a network includes, but is not limited to, date, call length, inbound, outbound, voicemail, CellID of the serving cell, location of serving cell. Network operators also have detailed information related to the location of their cell sites and the associated antenna configurations.

When building their networks, operators carry out extensive testing to ensure that the coverage offered by their base stations closely follows the estimated coverage based upon complex computer predictions. Operators generally locate their base stations to provide an acceptable quality of service to the user and economical deployment of base station equipment. Computer models are used extensively in the calculation of coverage and quality of service predictions.

It is reasonable to assume that based on the operators knowledge of a mobiles activity within its network, the operator could locate the mobile to within a few meters or tens or meters at any time. This is the case for mobiles being tracked in real time. However where a mobiles location needs to be verified based on historical records, or or where a mobile user claims to be somewhere, other than, where network data might place them, further more detailed network coverage data can help us verify the mobiles location.

From a mobile operators call data records we can establish the Unique ID of the cell site that a mobile was connected to when sending or receiving data to/from the network. The network data may also provide information on the antenna configuration and possibly even estimated coverage of that base station /antenna. From this data we might assume the mobile to have been within the coverage area designated by the network at a particular time. However the network coverage estimates are usually predictions and are often limited to coverage related to quality of service rather than actual coverage. This is especially relevant when the mobile is on the periphery of a predicted coverage estimate.

Location Based Survey

To establish the base station transmitter receiver pair that is providing service to a specifcc location, it is necessary to survey that location with equipment that is capable of receeving and logging the signals propagated by all base stations on a the network of interest or even all networks that cover that site, regardless of the signal strength or quality of service offered by those base stations. Once that data has been collected, best serving cell calculations can be carried out to determine exactly which base stations a mobile would use if at that location.

Note: if on the periphery of coverage, or at a location that has particularly unusual radio frequency characteristics, a mobile may use more than one base station, switching between two or three in quick succession. The protocols used to provide good quality of service, allow for this type of situation and special algorithms are used to ensure that the mobile does not flit back and forth rapidly. In practice a mobile is likely to use a particular base station at any given location. It is commonly accepted that when surveying, the highest six received signals are decoded and used to identify potential serving base stations.

In this way, the best serving cell for a particular location can be established. Secondary and Tertiary serving cells can also be established as can the likely hood of those alternate cells being used when sending or receiving data. This information can be used, along with the Network call data records, to establish the likely hood of a mobile being at or near a specific location at a particular time.

Of course, the mobile could be anywhere within t he coverage area of the CellId relating to the best serving cell, the technique does not pace the mobile at a specific location. However it does place the mobile within the coverage area of the CellId noted on the call data records and most definitely NOT somewhere other than that.

At this point we have a mobile linked to a CellId , by call data records. We have also established that the CellId is that of a base station whose radio frequency propagates over a specific location with such strength and quality that is can be determined to be the best serving base station and thus the one that is most likely to be used by a mobile operating at that location.

Total Coverage Survey

Let us assume that the user of the mobile in question, states that they were many kilometers away from the location of interest. To verify the viability of this possibility, we would need to carry out a survey that will identify:

a) the best serving basestation, CellID, at the location that the mobile user states they were located.

b) a survey that establishes the periphery of coverage by the base station that the call data records show was in use.

We are seeking to identify the actual coverage of the base station that the call data records show was in use. We need to establish whether it extends to the location that the mobile user states they were at the time in question. To achieve this we need to use equipment that will allow us to monitor the extent of coverage provided by one single base station with a given CellId. We will need to travel great distances and gather data related to radio frequency signal from that base station. We will need to monitor the signal until it drops below a predetermined level or ceases to exist at all.....and then some.

Conclusion

Variations of the Location Based Survey and the Total Coverage Survey , along with sound knowledge of the operating parameters of the networks and comprehensive understanding of the protocols used to establish mobile comunications, allow us to clearly identify whether a mobile could or could not have been at or close to a specific location at specific point in time.

In this modern age where mobile communications are at the hub of everyday life, a mobile telephone is likely to be involved in almost every situation, not least crime. With the availability of low cost comprehensive solutions - like CSurv from 3gforensics- for the gathering of mobile related data, it is reasonable to assume that any scene of crime investigation should treat mobile based data - including cell site data - with the same degree of importance as finger prints and DNA.

A note on Csurv

Within this text reference has been made to 3gforensics CSurv. Nothing in this text is specific to CSurv and CSurv provides its users with no information that could not be obtained from other competent survey tools such as Qualcomm CAIT, Ericsson TEMS or Rohde and Schwartz. CSurv is simply the solution available form 3gforensics, designed form ground up to meet the needs of the forensic and law enforcement environment. It is low cost, easy to use, reliable and fully supported with training tailored to the needs of its user base. For more information.

CSurv is a comprehensive tool for recovering network data “off air” from the radio spectrum used for the provision of mobile communications services. The primary role of CSurv is to harvest accurate and real-time data from the networks providing mobile communications services, GSM, UMTS & WiFi. By decoding and understanding this data the CSurv operator is able to map the availability of mobile communications services in a highly accurate manor specific to a location of interest.

Primarily a forensic tool designed for digital investigators, CSurv gives its operator an insight into the coverage of networks, and the infrastructure that manages user traffic. Paired with internal GPS, and a mapping solution, CSurv enables the recording of location and network information for post survey scrutiny.

Described as ‘mapping the DNA of the network’, mobile communications network surveying allows a forensic examiner to understand a network’s vast and sophisticated radio frequency topography and therefore predict where voice or data connections may have been initiated, received, handed off and also the likelihood of these events taking place.

As network operator coverage maps are largely based on theoretical assumptions derived from equipment specifications, CSurv provides an actual and real-time view of the network, which is constantly altered by ever-changing environmental conditions.

Providing the ability to harvest data from the most common publicly accessible radio networks GSM, UMTS & WiFi CSurv is a most comprehensive, compact tool in the forensic examiners armoury.

Location

Contacts