SIM Forensics: Part 3

Article Posted: August 05, 2011

SIM cards can provide geographical locations where the phone and thus its owner have been. The system architecture of a GSM cellular network is very complex. It can generally be divided into three broad parts: the Mobile Station (the cell phone and its SIM), the Base Station Subsystem (which is responsible for handling traffic and signaling between the phone and the Network Switching Subsystem), and the Network Switching Subsystem (which performs the switching of calls between the mobile users and the Public Switched Telephone Network). Phones connect to a GSM network by searching for “cells” within their immediate location. GSM networks have several different “cell” sizes, and depending upon which is being implemented, the coverage area will vary. Regardless of the coverage, a cell phone’s location information could be of significant forensic value.

A. LOCATION INFORMATION
A SIM card contains the LOCI (Location Information) Elemental File which can be found under the GSM Dedicated File (see April/May 2011 Digital Forensic Insider column for information regarding the SIM Card File System). This file contains the Temporary Mobile Subscriber Identity (TMSI), TMSI TIME, Location Area Information/Local Area Identifier (LAI), and the Location Update Status.

1. Temporary Mobile Subscriber Identity (TMSI)
In addition to allowing mobile phones to communicate with each other, the Network Switching Subsystem (NSS) also acts somewhat as a telephone exchange. However, it has additional functionality to deal with the roaming ability of cell phones. A key component of the NSS is the Mobile services Switching Center (MSC), which provides functionality such as registration, location updating, and call routing. When a subscriber roams into the jurisdiction of an MSC, information about the cell phone is stored in a temporary database called the Visitor Location Register (VLR). Since each Base Station in the GSM network is served by one VLR, a subscriber cannot be present in more than one VLR at a time. The VLR assigns the TMSI, which ensures privacy because it prevents anyone who intercepts the link from tracing the identity of the subscriber. The TMSI is assigned for as long as the subscriber is within the jurisdiction of a particular MSC and, combined with the current location area, allows a subscriber to be uniquely identified.

2. Location Area Information/Local Area Identifier (LAI)
The LAI for voice communications is structured hierarchically and uniquely identifies a Location Area (LA) within a GSM network. It consists of three components:

  • Mobile Country Code (MCC): consists of three decimal digits and is used to identify the country of origin of the SIM card.
  • Mobile Network Code (MNC): consists of two decimal digits and is used in conjunction with the MCC to identify the SIM card’s network provider.
  • Location Area Code (LAC): consists of a maximum of five decimal digits.

GSM networks are divided into LAs, each composed of one or more radio cells. Each LA is uniquely identified within the network by its Location Area Code (LAC). These numbers are stored on the SIM card, thus providing the handset with its location. The LAI also serves as a unique reference for the location of the subscriber, since it is required before the handset can receive an incoming call. When the subscriber roams into a new LA, the handset stores the new LAI on the SIM card, adding it to a list of the previous LAIs. After being powered off and then powered back on, the handset will search the list of its stored LAIs until it finds the one it is currently located in, thereby allowing service to resume. Analyzing the SIM card can provide the geographical location(s) where the SIM card, the phone, and the owner of the phone (suspect) may have been.
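The following added example (not part of the original article) decodes a raw LOCI record into the TMSI, LAI, TMSI TIME and Location Update Status fields described above. It assumes the 11-byte layout and swapped-nibble BCD encoding of the LAI from GSM 11.11 / 3GPP TS 51.011 and TS 24.008, which the article does not spell out; `parse_loci`, `Loci` and the sample record are constructed for illustration.

```python
# Added example: decode a raw EF_LOCI record read from a SIM image.
# Layout assumed from GSM 11.11 / 3GPP TS 51.011 (not given in the article):
#   bytes 0-3 TMSI, 4-8 LAI, 9 TMSI TIME, 10 location update status.
from dataclasses import dataclass

UPDATE_STATUS = {0: "updated", 1: "not updated", 2: "PLMN not allowed",
                 3: "location area not allowed", 7: "reserved"}

@dataclass
class Loci:
    tmsi: str
    tmsi_valid: bool
    mcc: str
    mnc: str
    lac: int
    lai_valid: bool
    tmsi_time: int
    status: str

def _digits(nibbles):
    """Join BCD nibbles into a string; 0xF is filler, other values >9 are invalid."""
    used = [n for n in nibbles if n != 0xF]
    if any(n > 9 for n in used):
        raise ValueError("non-decimal BCD digit in LAI")
    return "".join(str(n) for n in used)

def parse_loci(raw: bytes) -> Loci:
    if len(raw) != 11:
        raise ValueError(f"EF_LOCI must be 11 bytes, got {len(raw)}")
    tmsi, lai = raw[0:4], raw[4:9]
    # The LAI packs MCC and MNC as swapped BCD nibbles (3GPP TS 24.008 layout).
    mcc = _digits([lai[0] & 0x0F, lai[0] >> 4, lai[1] & 0x0F])
    mnc = _digits([lai[2] & 0x0F, lai[2] >> 4, lai[1] >> 4])
    lac = int.from_bytes(lai[3:5], "big")
    return Loci(
        tmsi=tmsi.hex().upper(),
        tmsi_valid=tmsi != b"\xff\xff\xff\xff",  # all-FF means no TMSI stored
        mcc=mcc, mnc=mnc, lac=lac,
        # LAC 0x0000 and 0xFFFE are reserved to mark a deleted LAI.
        lai_valid=len(mcc) == 3 and lac not in (0x0000, 0xFFFE),
        tmsi_time=raw[9],
        status=UPDATE_STATUS.get(raw[10] & 0x07, "unknown"),
    )

# Constructed sample record (not from a real SIM): MCC 310, MNC 26, LAC 0x1A2B.
SAMPLE = bytes.fromhex("1234ABCD" "13F062" "1A2B" "FF" "00")

if __name__ == "__main__":
    print(parse_loci(SAMPLE))
```

A record whose `tmsi_valid` or `lai_valid` flag is false should be reported as holding no usable location rather than decoded as a real area.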

Related Topics: Digital Forensics; Digital Forensics Software; Digital Forensic Insider August/September 2011