Cell Investigations
Tracking a phone or cell number is very difficult and in practice is only possible for the authorities. You cannot do it yourself, because there is no access to the data and signaling inside protocols such as GSM, LTE and UMTS, and the law does not allow it. What you can do is experiment within a small radius or on certain frequencies, for example:
HackRF: HackRF One is an SDR (Software-Defined Radio) device that can capture and transmit signals from 1 MHz to 6 GHz. This means it can capture signals from most radio frequencies used in mobile communications, including GSM, UMTS, LTE, and 5G. HackRF is more advanced and has a wider frequency range compared to RTL-SDR, as well as transmission capabilities, allowing for further experimentation
RTL-SDR: RTL-SDR is a more affordable SDR receiver and generally works in a frequency range from about 500 kHz to 1.7 GHz. This allows RTL-SDRs to capture many radio signals, including some cellular frequencies such as GSM and some 3G/4G frequencies. However, as the frequency range is more limited, RTL-SDRs may not be able to capture all the higher frequencies used in the latest protocols such as 5G
In this case you can use a tool like SigPloit for simulation, or other tools; see the references at the bottom.
You can perform several techniques to profile a phone number. Note that this is not real-time location tracking, but you can find information about the number, such as who owns it, where it is registered and whether it is still active. Once you have a number you can do the following:
- Phone number lookup, such as reverse phone number lookup and others
- Check the contact name in phone book apps such as GetContact, Truecaller or others
- Check e-wallet registration
- Check the password reset flow on social media or the email address
- HLR lookup
- SMS ping
- Fraud checking
- Search data breaches or data brokers
- Dork the phone number
- Search the phone number on social media
- Carrier info, such as the provider, MNC, MCC and country
- Check bank registration on the phone number
- Look up the number on Telegram or other platforms
A SIM card (Subscriber Identity Module or Subscriber Identification Module) is an integrated circuit card (ICC): a physical electronic device that securely identifies and authenticates a user to a wireless carrier. The subscriber is identified by an IMSI (International Mobile Subscriber Identity) and a phone number
ICCID (Integrated Circuit Card Identifier) is a unique serial number that identifies a SIM card. It is printed on the back of the SIM card and is 19 to 22 digits long
GSM stands for Global System for Mobile Communications, and its foundation can be credited to Bell Laboratories in the 1970s. This technology uses a circuit-switched system and divides each 200 kHz channel into 8 time slots of 25 kHz, operating in the 900 MHz, 800 MHz, and 1.8 GHz bands. It uses narrowband transmission, essentially Time Division Multiple Access (TDMA). Data transfer speeds vary from 64 kbps to 120 kbps.
CDMA stands for Code Division Multiple Access, which describes a communication channel principle that uses spread-spectrum technology and a special encoding scheme, which is a combination of time division multiplexing and frequency division multiplexing.
eSIM or digital SIM is a technology that allows users to use mobile plans without a physical SIM card. An eSIM is a chip embedded directly inside an electronic device, such as a smartphone or tablet. Some of the advantages of eSIM compared to a physical SIM card include:
- No need to change SIM cards to change numbers
- Can store multiple carrier profiles in one device
- Easier to switch between networks
- Higher security as there is no risk of physical card loss or theft
- Smoother connectivity when traveling or using multiple services simultaneously
One of the most important functions of a SIM card is to identify you as the original subscriber. So, when you make a call, send a text, or share photos or videos, the SIM informs the phone which network is being used. It also informs the network to bill you for the services you use
This is possible thanks to the IMSI (International Mobile Subscriber Identity) number and an authentication key that validates the IMSI. Think of this as your login details
When you turn on your phone, the IMSI is retrieved from the SIM and sent to your network. Your network then looks up the IMSI in its internal database and also retrieves your IMSI's authentication key
Identifying Customers
The IMSI programmed on the SIM card serves as the customer’s identity. Each IMSI is mapped to a phone number and stored in the HLR (Home Location Register) to allow the customer to be identified
Customer Authentication
This is the process where, using authentication algorithms on the SIM card, a unique response is provided by each customer based on the IMSI (stored on the SIM) and RAND (provided by the network). By matching this response with a value calculated by the network, legitimate customers gain access to the network and can use services from the mobile service provider. The SIM card becomes a key feature for mobile operation
Storage
It stores phone numbers and SMS messages
Applications
The SIM Toolkit or the GSM 11.14 standard enables the creation of applications on the SIM, providing basic information about requests and more
In the image of the SIM card above, you will see it divided into several parts. Did you know that each individual part, called a pin, has its own function?
Pins on a SIM Card
C1 - VCC (Power)
Function: Provides power supply to the chip inside the SIM card. Without VCC, the chip will not function
C2 - RST (Reset)
Function: Used to reset the SIM chip. If the chip needs to be restarted, this reset signal initiates the process
C3 - CLK (Clock)
Function: Provides a clock signal for the chip, helping to synchronize internal operations and communication with the mobile device
C4 - D+ (USB PAD OPTIONAL)
Function: This pin is for data communication, specifically in USB interface. This pin is optional and can be used if the SIM card supports USB connection
C5 - GND (Ground)
Function: Provides a ground path necessary to complete the electrical circuit, ensuring that the device operates safely and stably
C6 - VPP (Voltage Programming Power)
Function: Supplies the additional voltage required while programming the SIM chip. Typically used when the SIM card is manufactured or updated
C7 - I/O (Input / Output)
Function: This pin is used for data communication between the SIM card and the mobile device. It allows the exchange of information, such as sending and receiving data
C8 - D- (USB PAD OPTIONAL)
Function: Similar to D+, this is another data communication pin for the USB interface. It is also optional and used if the SIM card supports USB connection
SIM card in a nutshell
Each pin on a SIM card has a specific function that contributes to the operation and communication between the SIM card and the mobile device. These pins enable the SIM card to perform its tasks in user identification, authentication, and data storage
The Home Location Register (HLR) is a database that contains data related to customers authorized to use the Global System for Mobile Communications (GSM) network
Some of the information stored in the HLR includes the International Mobile Subscriber Identity (IMSI) and the International Mobile Subscriber Directory Number (MSISDN) of each subscription
The HLR is a mobile network information database and an integral component of GSM, CDMA, and TDMA networks. An HLR lookup is not a method for tracking location; it only tells you the area a cellphone number comes from, based on a unique code set by each cellular operator
An HLR lookup will never give an accurate position. It only shows the city where the number was issued or registered, not where the phone is now
- The HLR is updated whenever the SIM moves to another location area
- The HLR also plays a crucial role in the delivery of Short Message Service (SMS) messages
- Before an SMS provider forwards a message to the intended recipient, it queries the HLR to find the most recently used Mobile Switching Center (MSC)
- If the target MSC reports that the recipient's phone is unavailable, a message waiting flag is set in the HLR
- If the recipient appears in another MSC (for example, when traveling to another city), they still receive the message, because that MSC notifies the HLR once the recipient is detected within its jurisdiction
- Other mobile components that actively work with the HLR include the Gateway Mobile Switching Center (G-MSC), Visitor Location Register (VLR), and Authentication Center (AUC)
The IMSI uniquely identifies each Subscriber Identity Module (SIM) and serves as the primary key for each record in the HLR
MSISDN (Mobile Station International Subscriber Directory Number, i.e. the phone number) is the telephone number assigned to each subscription, e.g. +62XXXXXXXXXX
IMEI (International Mobile Equipment Identity) is a unique 15-digit serial number used to identify mobile telecommunication devices, such as cell phones, tablets, and handheld computers. The IMEI has several functions, including:
- Registering on GSM networks
- Blocking lost or stolen devices
- Ensuring the legality of telecommunication devices
- Knowing complete information about the cell phone, such as type, brand, and production date
- Checking the warranty period of the device
Only authorities, such as law enforcement and the providers, can use it for tracking
Yup, the IMEI (International Mobile Equipment Identity) can be used to track a lost cell phone:
- The IMEI is a unique number that every cell phone device has
- The IMEI number cannot be changed
- The IMEI remains intact even if the phone runs out of battery, the mobile network is turned off, or the GPS is turned off
To track your phone with the IMEI, you can:
- Record the phone's IMEI number
- Report the lost phone to the police and the SIM card provider
- The authorities will do the tracking using the IMEI number
To find your phone's IMEI number, you can:
- Type *#06# in your phone's "Call" menu
- Go to your phone's "Settings" menu and select "About Phone"
- Look on the phone's box, where the IMEI is printed
For successful IMEI tracking, make sure your phone is on and connected to the internet or GPS. Start the tracking immediately after the cell phone is lost so that the chances of finding it are greater
- The IMEI number is a unique 15-digit code that allows law enforcement to locate a phone by triangulating signals from nearby cell towers
- Collaboration with mobile network operators, e.g. XL, TSEL, IM3: the law enforcers work with mobile network operators to access the network's database and identify the cell tower a device is connected to
- One challenge is that IMEI numbers can be changed
- Legal restrictions: law enforcement usually needs a warrant based on probable cause to track a cell phone
To help the law enforcers recover a stolen phone, you can provide them with the IMEI number and other technical information. You can also take these steps to protect your phone:
- Use a strong PIN, passcode, password, or pattern
- Set up a tracking app on your phone
- Turn off message previews
- Back up your phone data regularly
- Set up two-factor authentication codes
Idk (I don't know) the details yet, but from several articles I've read, it's possible. But this is illegal and there may be consequences; I haven't studied this in detail
A base transceiver station (BTS) or a baseband unit (BBU) is a piece of equipment that facilitates wireless communication between user equipment (UE) and a network. UEs are devices like mobile phones (handsets), WLL phones, computers with wireless Internet connectivity, or antennas mounted on buildings or telecommunication towers. The network can be that of any of the wireless communication technologies like GSM, CDMA, wireless local loop, Wi-Fi, WiMAX or other wide area network (WAN) technology
BTS is also referred to as the node B (in 3G networks) or, simply, the base station (BS). For discussion of the LTE standard the abbreviation eNB for evolved node B is widely used, and GNodeB for 5G
Though the term BTS can be applied to any of the wireless communication standards, it is generally associated with mobile communication technologies like GSM and CDMA. In this regard, a BTS forms part of the base station subsystem (BSS) developments for system management. It may also have equipment for encrypting and decrypting communications, spectrum filtering tools (band pass filters) and so on. Antennas may also be considered components of the BTS in a general sense, as they facilitate its functioning. Typically a BTS will have several transceivers (TRXs), which allow it to serve several different frequencies and different sectors of the cell (in the case of sectorised base stations). A BTS is controlled by a parent base station controller via the base station control function (BCF). The BCF is implemented as a discrete unit or even incorporated in a TRX in compact base stations. The BCF provides an operations and maintenance (O&M) connection to the network management system (NMS), and manages the operational state of each TRX, as well as software handling and alarm collection. The basic structure and functions of the BTS remain the same regardless of the wireless technology
Triangulation in Cell Phone Tracking:
Triangulation is a mathematical technique used to determine the location of an object using information from at least three known reference points. In the context of cell phone tracking, triangulation involves using data from multiple sources, such as cellular signals, GPS, and Wi-Fi, to determine a cell phone's location with fairly high accuracy. Not just anyone can do it, because it requires sensitive data such as IMEI, LAC, CID, etc., which is only held by the provider/network operator. However, it can still be used by the police because they are the authorities.
Triangulation is so named because conceptually it looks like forming a triangle using three BTS towers that are simultaneously connected to our cellphone
Each BTS tower is divided into three sectors, which we can call the Alpha, Beta and Gamma sectors (α, β, γ). Each sector is used to measure the distance from the user's location to the BTS tower
Mobile Country Codes (MCC) and Mobile Network Codes (MNC). Mobile Country Codes (MCC) are used in wireless telephone networks (GSM, CDMA, UMTS, etc.) to identify the country a mobile subscriber belongs to. To uniquely identify a mobile subscriber's network, the MCC is combined with a Mobile Network Code (MNC). The combination of MCC and MNC is called the HNI (Home Network Identity) and is simply both codes in one string (e.g. MCC = 262 and MNC = 01 results in an HNI of 26201). If you combine the HNI with the MSIN (Mobile Subscriber Identification Number), the result is the IMSI (International Mobile Subscriber Identity). The list of countries and their MCCs can be browsed and searched for free to identify any MCC, MNC or HNI in the world
Example MCC and MNC for Indonesia and the provider list
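As an added example that is not part of this repo, the following Python puts the identifiers above together: it splits an IMSI into MCC, MNC and MSIN (the MNC is 2 or 3 digits depending on the country; the small set of 3-digit-MNC countries is a constructed subset) using the HNI example above, and validates the Luhn check digit carried by the 15-digit IMEI and the ICCID. All sample values are constructed.

```python
import re
from typing import Optional

# MNC length is country-specific: 2 digits in most countries, 3 in some
# (MCC 310/311/312/313 USA, 302 Canada). Constructed subset for this
# example; a real tool loads the full MCC/MNC list.
THREE_DIGIT_MNC = {"302", "310", "311", "312", "313"}


def parse_imsi(imsi: str) -> dict:
    """Split a 15-digit IMSI into MCC, MNC, HNI (MCC+MNC) and MSIN."""
    if not re.fullmatch(r"\d{15}", imsi):
        raise ValueError("IMSI must be exactly 15 digits")
    mcc = imsi[:3]
    mnc_len = 3 if mcc in THREE_DIGIT_MNC else 2
    mnc = imsi[3:3 + mnc_len]
    return {"mcc": mcc, "mnc": mnc, "hni": mcc + mnc, "msin": imsi[3 + mnc_len:]}


def luhn_valid(number: str) -> bool:
    """Luhn check: the last digit is a check digit; counting from the right,
    every second digit is doubled (minus 9 if > 9); sum must be 0 mod 10."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_imei(imei: str) -> Optional[dict]:
    """IMEI = 8-digit TAC (type allocation code; make/model needs a TAC
    database not included here) + 6-digit serial + 1 Luhn check digit.
    Returns None when the length or the check digit is wrong."""
    if len(imei) != 15 or not luhn_valid(imei):
        return None
    return {"tac": imei[:8], "serial": imei[8:14], "check": imei[14]}


def iccid_valid(iccid: str) -> bool:
    """ICCID printed on the SIM: 19-22 digits, ending in a Luhn check digit."""
    return 19 <= len(iccid) <= 22 and luhn_valid(iccid)


if __name__ == "__main__":
    print(parse_imsi("262011234567890"))  # HNI 26201 example from the text
    print(parse_imei("490154203237518"))  # constructed, Luhn-valid IMEI
```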
A Call Detail Record (CDR, also called a Cell Data Record) is a data record that contains information about phone calls or other telecommunication transactions. CDRs are used by cellular service providers for various purposes, such as billing, coverage, and analysis. Here is some of the information recorded in a CDR:
- Caller's name and phone number
- Name and phone number of the called party
- Date and time of the call
- Duration of the call
- Call completion status
- Features used
- Call termination reason
- ID of the cell tower traversed
CDRs are collected periodically for processing into usage, capacity, performance and diagnostic reports
CellMapper is an app that shows the cellular coverage available from a cellular service provider across its frequency range. It gives you detailed information about the networks closest to you and even lets you contribute your own measurements. You can use apps like NetMonster and SMSping for testing, and you can look up a cell's location using OpenCelliD or CellMapper, as described in this repo
Example:
MCC : 510 [Indonesia]
MNC : 10 [PT Telekomunikasi Selular]
LAC : 5530 [Location Area Code]
CELLID : 36246472 [BTS Unique Identifier]
The LAC CID information can be legally obtained by Law Enforcement through Call Data Record (“CDR”) which is stored by each telecommunication operator for a period of 3 months. Some operators even store CDR for up to 6 months. The Cell ID is usually used as a clue to find out the location of the SMS sender
Tracking a phone number is not easy and there are legal constraints. If you want to try, you can use NetMonster, SMSping, an SDR or SigPloit for simulation. I will make changes to the article here, review it, and add case study examples
Keywords: VLR, IMSI, MSISDN, MRSN, Signaling, Telco, VoIP, GSM, MCC, MSIN, SS7, HLR, Signal Intelligence (SIGINT)