Forensics and the GSM Mobile Telephone System

The GSM system has become the most popular system for mobile communication in the world. Criminals commonly use GSM phones, and it is therefore a need for forensic investigators to understand which evidence can be obtained from the GSM system. This paper briefly explains the basics of the GSM system. Evidence items that can be obtained from the Mobile Equipment, the SIM and the core network are explored. Tools to extract such evidence from the components of the system exist, but there is a need to develop more sound forensic procedures and tools for extracting such evidence. The paper concludes with a short presentation on the future UMTS system, which largely builds on the design of GSM. 1.0 Introduction With GSM, systems for mobile communication reached a global scale. In the western world, it seems everyone has their own mobile phone, and GSM has taken more and more of the market. GSM allows users to roam seamlessly between networks, and separate the user identity from the phone equipment. In addition the GSM system provides the functional basis for the 3 generation mobile system, UMTS. All these factors make it important for forensic investigators to understand how the GSM system works, and how evidence can be extracted from it. Criminals took the step into the mobile age a long time ago, and information from the mobile system can give the investigator crucial information on the criminal’s actions. It is however important that the information contained in the system is retrieved with a forensically sound method. It is equally important that the investigator understands the system in order to be able to explain to the courts how the system works. It is the aim of this paper to give forensic investigators an introduction to the current state of GSM forensics, and highlight some of the issues that will have to be solved in the future. 2.0 History of the GSM system In the beginning of the 1980s several different systems for mobile communications were developed in Europe. The need for a common system that allowed roaming between countries was early recognized. In 1982 a number of European countries created a new standardization organisation called “Groupe Speciale Mobile” (GSM). The mandate of this group was to develop a standard to be common for the countries that created it. In 1988 the GSM was included in the European Telecommunication Standards Institute (ETSI), and the standards developed by GSM thus became standards for all telecommunication administrations in Europe. The main work with the GSM took place from 1988 1990 and resulted in 12 series of specifications which in great detail specified the inner workings of GSM. In 1990, when phase 1 of the specifications was finished, there were three dominating automatic systems for mobile communications in the world: www.ijde.org 1 International Journal of Digital Evidence Spring 2003, Volume 2, Issue 1 • American AMPS from 1984, with networks in the US. • British TACS from 1985, with network in Britain. • Nordic NMT from 1981, with networks in the Nordic countries. Unlike these systems, GSM is a fully digital system, allowing both speech and data services and allowing roaming across networks and countries. These features made GSM a very popular system, not only in European countries but also elsewhere. The term GSM has been chosen as a trademark for the system, meaning “Global System for Mobile communications”, whereas the group within ETSI working with the standards has been renamed SMG (Special Mobile Group). Today GSM is the largest system for mobile communications in the world, and exist on all continents. 3.0 Overview of the GSM system The GSM system is specified in 12 series of specifications. For phase 1, these specifications constitute over 4000 pages. In the following, a short overview of the system will be given. 3.1 Entities of the GSM system Fig 1 – Entities in the GSM system The GSM system consists of a number of separate entities [GSM0302]. These are shown in figure 1. The entities are connected through interfaces with their own names according to the specifications, these names are shown on the figure. 3.2 The Mobile Station The Mobile Station (MS) is the user equipment in GSM. The MS is what the user can see of the GSM system. The station consists of two entities, the Mobile Equipment (the phone itself), and the Subscriber Identity Module (SIM), in form of a smart card contained inside the phone. www.ijde.org 2 International Journal of Digital Evidence Spring 2003, Volume 2, Issue 1 Production of Mobile Equipment is done by many different manufacturers, and there will almost always be a wide range of different MEs in a mobile network. Therefore the specifications specify the workings of the ME in great detail. In order to verify the conformal of the specifications by Mobile Stations, equipment must obtain type approval from the standardization body [GSM1110]. The MEs in GSM are independent from networks-providers. The identity of the subscriber is obtained from the SIM that has to be inserted into the MS to make it work. The SIM contains the IMSI (International Mobile Subscriber Identity) which uniquely intentifies the subscriber to the network. It also contains information necessary to encrypt the connections on the radio interface. The ME itself is identified by an IMEI (International Mobile Equipment Identity), which can be obtained by the network upon request. Without the SIM, calls to and from the mobile station is not allowed. The SIM is implemented as a smart card that can exist in two forms; large or small. 3.3 The Base Transciever Station The Base Transciever Station (BTS) is the entity corresponding to one site communicating with the Mobile Stations. Usually, the BTS will have an antenna with several TRXs (radio transcievers) that each communicate on one radio frequency. The link-level signalling on the radio-channels is interpreted in the BTS, whereas most of the higher-level signalling is forwarded to the BSC and MSC. Speech and data-transmissions from the MS is recoded in the BTS from the special encoding used on the radio interface to the standard 64 kbit/s encoding used in telecommunication networks. Like the radio-interface, the Abis interface between the BTS and the BSC is highly standardized, allowing BTSs and BSCs from different manufacturers in one network. 3.4 The Base Station Controller Each Base Station Controller (BSC) controls the magnitude of several hundred BTSs. The BSC takes care of a number of different procedures regarding call setup, location update and handover for each MS. 3.5 The Mobile Switching Centre The Mobile Switching Centre is a normal ISDN-switch with extended functionality to handle mobile subscribers. The basic function of the MSC is to switch speech and data connections between BSCs, other MSCs, other GSM-networks and external non-mobile-networks. The MSC also handles a number of functions associated with mobile subscribers, among others registration, location updating and handover. There will normally exist only a few BSCs per MSC, due to the large number of BTSs connected to the BSC. The MSC and BSCs are connected via the highly standardized A-interface [GSM0808]. However, due to the lack of standardization on Operation and Mangement protocols, network providers usually choose BSCs, MSCs and Location Registers from one manufacturer. 3.6 The Location Registers With each MSC, there is associated a Visitors Location Register (VLR). The VLR can be associated with one or several MSCs. The VLR stores data about all customers who are roaming withing the location area of that MSC. This data is updated with the location update