Abstract
A structured investigative approach is essential for an effective production of credible and admissible mobile network evidence. Chapter 2 discussed the ISO/IEC SC27 digital forensic standardization as an effort that helps in developing a robust investigative process, procedures, and methodologies. This chapter applies the ISO/IEC SC27 family of standards for mobile network forensics investigations. Each of the standards is contextualized with the forensic aspects discussed in Chapter 6 together with examples of investigation scenarios, tools, and methods for forensic processing of the mobile network data. These contexts are of practical significance for investigators, elaborating on the approaches for investigative readiness, the techniques and tools for evidence processing from identification to interpretation, and the best practices in handling mobile network evidence data throughout an investigation.
Application of ISO/IEC 27035:2016 for Mobile Network Forensics
The application of ISO/IEC 27035:2016 in mobile network forensic investigations is summarized in Table 1. The investigative readiness is established by implementing the LI and LALS architecture elaborated in Chapter 6, creating a secure channel for delivery of CDRs, and enabling the OA&M function on the network side. Investigators need to agree on the invocation details for LI and LALS and the protection of the delivery interfaces for IRI and CC between the Internal Interception Function (IIF) and the Law Enforcement Monitoring Facility (LEMF) for mobile network facilitated crimes.
For mobile network targeted attacks, the Key Performance Indicator (KPI) threshold definitions need to be agreed upon before the detection, assessment, and attack response steps take place. For this purpose, a review of the regular traffic behavior is needed to establish a baseline against which a violation of a given KPI threshold can be recognized (see Chapter 6, section Infrastructural Information).
Table 1. Application of ISO/IEC 27035:2016 in mobile network forensic investigations

| Investigative readiness phase | Aspect | Mobile Network Facilitated Crime | Mobile Network Targeted Attacks |
|---|---|---|---|
| Plan and prepare | Investigative capabilities | LI and LALS architecture from Figures 1, 2, and 3 in Chapter 6; delivery channels for CDRs | OA&M function |
| Plan and prepare | Policies and procedures | HI1, HI2, and HI3 interconnection; exchange of ciphering keys; exchange of LI and LALS invocation information (Lawful Interception Identifiers (LIID), correlation numbers, cell coordinates, localization procedures) | KPI threshold definitions for malicious and irregular traffic (user and signalization) |
| Detection and reporting | | Activation of LI and LALS (see section Mobile Network Forensic Procedures below); CDR delivery | KPI threshold alarms |
| Assessment and decision | | | KPI historical information, known attacks, reported incidents |
| Responses | | | Network reconfiguration |
| Lessons learned | | LI/LALS architectural revision | KPI review, threshold adjustment |
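The KPI threshold definition and alarm steps of Table 1 (plan and prepare, then detection and reporting) can be illustrated with a small baseline-and-threshold check. This is an added example, not code from the chapter; the KPI (hourly NAS attach requests at one MME), the baseline window, and the observations are constructed values, and the mean-plus-k-sigma rule with a minimum margin is an assumed, simple choice of threshold policy.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed sample: hourly NAS attach-request counts at one MME during a
# period of regular traffic. This window is what "review of the regular
# traffic behavior" would produce in practice; the numbers are invented.
BASELINE_WINDOW = [410, 395, 430, 402, 418, 388, 425, 399, 412, 407, 421, 396]

# Constructed observations to evaluate against the agreed threshold.
OBSERVATIONS = [("t1", 415), ("t2", 435), ("t3", 1250), ("t4", 430), ("t5", 900)]


@dataclass(frozen=True)
class KpiThreshold:
    name: str
    baseline: float   # mean of the regular-traffic window
    upper: float      # an alarm is raised when a sample exceeds this value


def build_threshold(name, samples, k=3.0, min_margin=0.05):
    """Derive an upper KPI threshold from regular traffic behaviour.

    upper = mean + max(k * stddev, min_margin * mean). The minimum margin
    keeps a flat (zero-variance) window from producing a threshold that
    would fire on ordinary jitter. The policy itself is an assumption.
    """
    if len(samples) < 2:
        raise ValueError("baseline window needs at least two samples")
    mu = mean(samples)
    sigma = pstdev(samples)
    return KpiThreshold(name, mu, mu + max(k * sigma, min_margin * mu))


def evaluate(threshold, observations):
    """Return the (timestamp, value) pairs that violate the threshold.

    These are the "KPI threshold alarms" of the detection and reporting
    phase; the violating samples are kept so the assessment phase can
    compare them with KPI historical information.
    """
    return [(ts, v) for ts, v in observations if v > threshold.upper]


if __name__ == "__main__":
    thr = build_threshold("nas_attach_per_hour", BASELINE_WINDOW)
    print(f"{thr.name}: baseline={thr.baseline:.1f} upper={thr.upper:.1f}")
    for ts, v in evaluate(thr, OBSERVATIONS):
        print(f"ALARM {ts}: {v} > {thr.upper:.1f}")
```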
Key Terms in this Chapter
UL: Uplink direction of communication.
GSM: Global system for mobile.
SAC: Service area code.
MSISDN: Mobile subscriber ISDN number.
MAC-LTE: Medium access control LTE.
IMS: Internet multimedia subsystem.
EUTRAN: Evolved UTRAN.
LAC: Location area code.
DoS: Denial of service attack.
LI: Lawful interception.
DNS: Domain name service.
ECID: Enhanced cell ID.
RLC-LTE: Radio link control LTE.
HARQ: Hybrid ARQ.
CID: Communication identifier.
EPS: Evolved packet system.
UTRAN: UMTS radio access network.
HI2: Handover interface 2.
PS: Packet switched traffic.
DL: Downlink direction of communication.
UE: User equipment.
NAS: Non-access stratum signaling.
IIF: Internal interception function.
LIID: Lawful interception identifiers.
ARQ: Automatic repeat request.
HI1: Handover interface 1.
(e)CID: (Evolved) cell ID.
UMTS: Universal mobile telecommunication system.
WAV: Windows audio video.
RRC: Radio resource control.
LTE: Long-term evolution.
LEMF: Law enforcement monitoring facility.
RASTA-PLP: Relative or spectral perceptual linear prediction coefficients.
MAC: Medium access control.
PUSCH: Physical uplink shared channel.
ISDN: Integrated service digital network.
TTFF: Time-to-first-fix.
PUCCH: Physical uplink control channel.
MCC: Mobile country code.
HSS: Home subscriber system.
NID: Network identifier.
PLMN_ID: Public land mobile network identifier.
IMEI: International mobile equipment identity.
LALS: Lawful access location services.
OA&M: Operations, administration, and maintenance.
UTC: Universal coordinated time.
MSC: Mobile switching center.
MNC: Mobile network code.
MFCC: Mel-frequency cepstral coefficients.
BTS: Base transceiver station.
CC: Content-of-communication.
IRI: Interception-related information.
RTT: Round trip time.
TAU: Tracking area update.
GTP: Gateway tunneling protocol.
HI3: Handover interface 3.
GPRS: General packet radio service.
PDCP: Packet data convergence protocol.
SRS: Sounding reference signal.
SGSN: Serving GPRS support node.
eNB: Evolved node B.
QoS: Quality-of-service.
NEID: Network element identifier.
TCP: Transmission control protocol.
SMS: Short message service.
GERAN: GPRS radio access network.
EPC: Evolved packet core.
ISO/IEC: International Standardization Organization/International Electrotechnical Commission.
PDP: Packet data protocol.
OAI: Open air interface.
IP: Internet protocol.
AMR: Adaptive multi rate.
RAB: Radio access bearer.
PBR: Prioritized bit rate.