In this issue, data recovery experts from the Key Laboratory of Sichuan Province introduce a method for extracting base station data from the Android Radio log. The method is built on base station positioning principles. Only when investigators have the location data of a base station can they confirm whether a suspect had been near it, which can provide a vital clue for cracking a case.

I Cellphone historical geographic location extraction is an inevitable part of cellphone forensics

Cellphone historical geographic location data establishes where a suspect was. Location is one of the key points of trace forensics (time, location, people, event, and objects), so extracting it is an inevitable part of cellphone forensics. As mobile devices, cellphones store a large amount of geographic data, and how that data is generated is closely tied to five cellphone locating techniques: GPS locating, base station locating, WiFi locating, A-GPS locating, and GPS-one hybrid locating.

Base station locating is one of the main locating methods outdoors. According to base station locating principles, as shown in picture 1, precise parameters of the cellphone's current geographic location can be obtained when the cellphone is accessing three or more base stations. When a cellphone is accessing only one base station, we can only conclude that the cellphone is within one hundred meters' radius of that base station. Analysing the base station information stored in a cellphone therefore gives the geographic location of the base stations and helps determine whether the cellphone had been near one specific base station.

 Picture 1: Base Station Positioning Principle

II Cellphone historical geographic location can be gained through extracting base station data stored in Android Radio log

The Android system has complete and efficient log management functions. It records the cellphone's activity during operation, and this information is automatically categorized and stored in the corresponding log buffers.

Main, Radio, and Events are the commonly used log types on Android, and each is written continuously to the system log through a circular buffer. The Radio log is the one related to radio frequency. It contains SIM card information, STK information, and wireless and phone call information, which includes the cellphone's base station information.

By accessing the cellphone's Radio log and extracting and analysing the base station information in it, geographic location data for the cellphone can be obtained.

III Extraction Method

Buffer data stored in the cellphone Radio log can be obtained through the following steps (picture 2): connect the Android phone to a PC with a USB cable; enable USB debugging mode on the phone; start cmd.exe on the computer; and execute the command adb logcat -b radio -v time -d.

Picture 2: Buffer Data in Radio Log

The Radio log buffer data contains multiple types of base station information logs. The analysis methods for two of them are explained in the following section.

1.  04-11 14:22:12.475 D/RILJ    ( 1372): [3856]< RIL_REQUEST_GET_CELL_INFO_LIST   [CellInfoWcdma:{mRegistered=YES mTimeStampType=oem_ril mTimeStamp=2351418272230ns CellIdentityWcdma:{ mMcc=460 mMnc=1 mLac=61723 mCid=169597624 mPsc=321} CellSignalStrengthWcdma: ss=26 ber=99}]

The header of this log is RIL_REQUEST_GET_CELL_INFO_LIST, and CellIdentityWcdma carries the base station information. CellIdentityWcdma identifies base station information for China Unicom; the corresponding field for China Mobile is CellIdentityGsm. Within the CellIdentityWcdma content, mMcc is the country code (460 for China), mMnc is the network type (1 for China Mobile and 0 for China Unicom), mLac is the location area code of the base station, and mCid is the serial number of the base station.

2.  10-07 12:35:08.541  3464  3631 D RILJ    : [rild] [-9744]< VOICE_REGISTRATION_STATE {1, 821e, 0000a214, 16, null, null, null, null, null, null, null, null, null, null, null}

The header of this log is VOICE_REGISTRATION_STATE, and the base station information is contained in the comma-separated data inside the braces. If the value of data from the 1st to the 5th is null, the related base station belongs to China Mobile or China Unicom. 0000a214 in the log indicates the China Mobile location area code (LAC), and 812e is the serial number (CID) of the China Mobile or China Unicom base station. If the value of data from the 1st to the 5th is not null, the related base station belongs to China Telecom. The 5th data item records the location area code (SID), the 9th records the serial number of the base station (BID), and the 10th records the China Telecom local network number (NID).
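The two log types described above can be pulled out of saved Radio log output with a short parser. The following is an added example, not part of the original method or of any SalvationDATA product; the function names, the record layout and the neutral names field2 and field3 are assumptions made for illustration, and the sample input is the two log lines from this article.

```python
import re

# The two sample lines shown in this article (list numbering removed).
SAMPLE = (
    "04-11 14:22:12.475 D/RILJ    ( 1372): [3856]< RIL_REQUEST_GET_CELL_INFO_LIST   "
    "[CellInfoWcdma:{mRegistered=YES mTimeStampType=oem_ril mTimeStamp=2351418272230ns "
    "CellIdentityWcdma:{ mMcc=460 mMnc=1 mLac=61723 mCid=169597624 mPsc=321} "
    "CellSignalStrengthWcdma: ss=26 ber=99}]\n"
    "10-07 12:35:08.541  3464  3631 D RILJ    : [rild] [-9744]< VOICE_REGISTRATION_STATE "
    "{1, 821e, 0000a214, 16, null, null, null, null, null, null, null, null, null, null, null}\n"
)

TIME = re.compile(r"^\s*(\d\d-\d\d \d\d:\d\d:\d\d\.\d+)")
CELL_ID = re.compile(r"(CellIdentity\w+):\{([^}]*)\}")
KEY_VAL = re.compile(r"(m\w+)=(-?\d+)")
VOICE = re.compile(r"VOICE_REGISTRATION_STATE\s*\{([^}]*)\}")

def hex_to_int(value):
    """Decode a hexadecimal field; None for null or malformed values."""
    try:
        return int(value, 16)
    except (TypeError, ValueError):
        return None

def parse_radio_log(text):
    """Return one dict per base-station record found in radio log text."""
    records = []
    for line in text.splitlines():
        stamp = TIME.match(line)
        when = stamp.group(1) if stamp else None
        if "RIL_REQUEST_GET_CELL_INFO_LIST" in line:
            # A single reply can list several cells (serving and neighbours).
            for kind, body in CELL_ID.findall(line):
                rec = {"time": when, "source": kind}
                rec.update((k, int(v)) for k, v in KEY_VAL.findall(body))
                records.append(rec)
            continue
        match = VOICE.search(line)
        if match:
            fields = [f.strip() for f in match.group(1).split(",")]
            fields = [None if f == "null" else f for f in fields]
            fields += [None] * (15 - len(fields))  # pad truncated lines
            records.append({
                "time": when, "source": "VOICE_REGISTRATION_STATE",
                # 2nd and 3rd values are hexadecimal; decoded to decimal here
                "field2": hex_to_int(fields[1]), "field3": hex_to_int(fields[2]),
                # positions 5, 9 and 10 as listed in the article (SID, BID, NID)
                "sid": fields[4], "bid": fields[8], "nid": fields[9],
            })
    return records
```

To use it on a real device dump, save the output of the adb logcat command above to a file and pass the file contents to parse_radio_log; because the Radio log is a circular buffer, only records still present in the buffer at extraction time will appear.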

Enter the base station data obtained in the previous step into a third-party base station query platform, such as LBS data warehouse, Haoservice, or Aggregated data, to obtain the geographic location of the base station and ascertain whether the suspect had been near it.

Conclusion

As one of the five key points of trace forensics, cellphone geographic location data is vital to cellphone forensics. Data recovery experts from the Key Laboratory of Sichuan Province have provided a method for extracting base station data from the Android Radio log, which can help recover a cellphone's historical geographic location. This method is currently used in SalvationDATA MTF Mobile Track Visualization Forensic.