Chapter 11

Mobile Technologies & SIM


Every call, text, and mobile data session leaves records in the network — in the tower, the SIM, and the operator's billing systems. Understanding how mobile networks work tells you which records exist, who holds them, and how to request them.

11.1 Mobile Network Generations

Mobile networks have evolved through six generations since the 1980s. Each generation brought new capabilities, and from a forensic standpoint, each one also increased the volume and precision of digital evidence available to investigators.

1G — First Generation (1980s). The first commercial mobile networks used analogue radio signals. The dominant standard in North America was AMPS (Advanced Mobile Phone System). Because the signal was analogue, any radio scanner tuned to the right frequency could intercept a call in plain audio. There were no call detail records in the modern sense, and subscriber identity was broadcast unencrypted. Forensic value: almost none by current standards, but historically significant because AMPS's weaknesses drove the move to digital.

2G — Second Generation (1991). 2G introduced digital transmission, which changed everything. The two competing standards were GSM (Global System for Mobile Communications), adopted across Europe, India, and most of the world, and CDMA (CDMA2000/IS-95), used mainly in North America and parts of Asia. Key advances for forensics:

  • Voice calls and SMS are now digital, creating structured Call Detail Records (CDRs) on the operator's billing servers.
  • The SIM card (Subscriber Identity Module) is introduced with GSM — subscriber identity is stored on a removable card, separate from the handset.
  • Encryption was added (GSM's A5/1 cipher for the radio link), though A5/1 has since been broken and is no longer considered secure.

2.5G / 2.75G — Packet data overlays on GSM.

  • GPRS (General Packet Radio Service): a packet-switched data overlay on existing GSM infrastructure; typical speeds ~50 kbps. Introduced mobile internet access.
  • EDGE (Enhanced Data rates for GSM Evolution, 2.75G): improved modulation giving ~200 kbps. Both GPRS and EDGE generate IP Detail Records in addition to CDRs — the first time mobile data sessions appear as forensic evidence.

3G — Third Generation (2000s). The two main 3G standards were UMTS/WCDMA (used in Europe, India, and most of Asia) and CDMA2000 EV-DO (used in the USA). 3G brought:

  • Broadband mobile data at up to ~2 Mbps.
  • Video calling (first time video is transmitted over the cellular network).
  • India's 3G rollout began around 2008.
  • Forensic upgrade: data session logs now include the IP address assigned to the subscriber during each session, mapping internet activity to a phone number.

4G LTE — Long Term Evolution (2010s). LTE is an all-IP architecture — even voice calls are sent as IP packets (Voice over LTE, VoLTE). There is no traditional circuit-switched voice path. Key forensic implications:

  • CDRs for voice calls are replaced or supplemented by IP session records with IP addresses and port numbers.
  • Download speeds of 10–100 Mbps enable large data transfers, meaning more evidence may live in the cloud.
  • India's 4G rollout ran from approximately 2012 to 2016, with Jio's 2016 launch accelerating mass adoption.

5G — Fifth Generation (2019+). 5G uses millimetre-wave (mmWave) frequencies (very high speed, short range) and sub-6 GHz frequencies (longer range). Key features:

  • Network slicing: the physical network can be divided into independent virtual networks for different use cases.
  • Massive IoT connectivity: billions of small devices can connect simultaneously.
  • Peak speeds exceed 1 Gbps.
  • India's 5G rollout began in 2022.
  • Forensic note: 5G small cells are densely deployed in urban areas, making cell tower location far more precise — a subscriber can be located to within a city block rather than a broad sector.

[Fig 11.1 — Mobile network generation timeline: from analogue 1G (1980s) to 5G (2019+), showing the key technology and peak data speed for each generation. Each generation increases forensic evidence: CDRs (2G) → IP records (3G/4G) → precise cell location (5G). Analogue era → digital era of structured forensic records.]

The forensic takeaway from generations: 1G leaves no structured records; 2G creates CDRs with cell IDs; 3G/4G add IP session logs; 5G adds near-precise small-cell location data.

11.2 GSM Architecture & Call Flow

GSM is the most widely deployed mobile standard in the world and forms the backbone of India's 2G and much of its 3G infrastructure. Understanding its components tells you exactly where to look for records of a subscriber's calls, movements, and identity.

GSM network components:

Mobile Station (MS) — the subscriber's equipment: the handset plus the SIM card. The MS communicates with the network over the radio air interface.

BTS (Base Transceiver Station) — the physical radio tower. It handles the actual radio communication with mobile stations in its cell. A single BTS may cover a cell area of 200 metres (dense urban) to 35 kilometres (rural). The BTS is a dumb antenna and radio unit; all intelligence sits higher up the chain.

BSC (Base Station Controller) — manages a group of BTSs. It handles decisions like which BTS a mobile should be connected to, and coordinates handover (passing an active call from one BTS to another as the subscriber moves).

MSC (Mobile Switching Centre) — the core switch of the GSM network. It connects calls between mobile subscribers and to the PSTN (Public Switched Telephone Network). Each MSC maintains a VLR (Visitor Location Register) containing data about every subscriber currently in its coverage area.

HLR (Home Location Register) — the permanent, authoritative database for all subscribers on that network. It stores:

  • The subscriber's MSISDN (the phone number the world dials, e.g. +91 98765 43210)
  • The subscriber's IMSI (the internal 15-digit identifier stored on the SIM)
  • Service profile (which features the subscriber has subscribed to)
  • The address of the subscriber's current serving VLR (used to route incoming calls)

VLR (Visitor Location Register) — a temporary cache, associated with an MSC, that holds a copy of the HLR data for all subscribers currently attached to that MSC's area. When a subscriber moves to a new area, the new VLR fetches the subscriber's data from the HLR and the old VLR discards it. The VLR assigns a TMSI (Temporary Mobile Subscriber Identity) — a randomly allocated short identifier used over the radio link to avoid broadcasting the full IMSI in every message.

AuC (Authentication Centre) — paired with the HLR. For each subscriber, the AuC stores the Ki (a 128-bit secret authentication key), which is also stored in the subscriber's SIM card. When a subscriber tries to register, the AuC generates an authentication triplet: a random challenge (RAND), the expected signed response (SRES), and a session key (Kc). The SIM uses Ki and RAND to compute SRES; if the network's SRES matches the SIM's computation, authentication succeeds. Ki never travels over the radio link.
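The triplet exchange above, as an added simulation that is not part of the chapter: an AuC and a SIM share Ki, the network sends only RAND across the air interface and compares the SIM's SRES against the AuC's. The A3/A8 algorithm is an HMAC-SHA256 stand-in (real operators use their own algorithms), and the IMSI and Ki values are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Stand-in for the operator's A3/A8 algorithms. Real networks use
# operator-specific algorithms (e.g. COMP128 variants); this HMAC-SHA256
# construction is an assumption for illustration only.
def a3_a8(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    sres = digest[:4]    # A3 output: 32-bit signed response
    kc = digest[4:12]    # A8 output: 64-bit session key
    return sres, kc


class AuC:
    """Authentication Centre: holds a copy of every subscriber's Ki."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._keys[imsi] = ki

    def triplet(self, imsi: str) -> tuple[bytes, bytes, bytes]:
        rand = secrets.token_bytes(16)            # 128-bit random challenge
        sres, kc = a3_a8(self._keys[imsi], rand)
        return rand, sres, kc


class SIM:
    """SIM card: Ki stays inside; only RAND comes in and SRES goes out."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi = imsi
        self._ki = ki

    def run_gsm_algorithm(self, rand: bytes) -> tuple[bytes, bytes]:
        return a3_a8(self._ki, rand)


def authenticate(auc: AuC, sim: SIM) -> tuple[bool, Optional[bytes], list[bytes]]:
    """MSC/VLR side of registration. Returns (success, Kc, air_interface_log).

    The log records every value that crosses the radio link, so a check can
    confirm that Ki is never among them."""
    rand, expected_sres, kc = auc.triplet(sim.imsi)   # AuC -> MSC, inside the core network
    air: list[bytes] = [rand]                          # network -> MS: RAND only
    sres, _sim_kc = sim.run_gsm_algorithm(rand)
    air.append(sres)                                   # MS -> network: SRES only
    if hmac.compare_digest(sres, expected_sres):
        return True, kc, air
    return False, None, air


# Constructed demo values, not real subscriber data.
DEMO_IMSI = "404451234567890"
GENUINE_KI = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
```

A SIM programmed with a different Ki (a copy made without the key) produces a different SRES and is refused, which is why cloning hinges on obtaining Ki.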

EIR (Equipment Identity Register) — a database of IMEI numbers divided into three lists:

  • White list: valid, permitted devices
  • Grey list: devices under monitoring (flagged but not blocked)
  • Black list: stolen or banned devices; the network refuses service to blacklisted IMEIs

How a call flows: When a subscriber makes a call, the MS sends the request via the BTS and BSC to the MSC. The MSC queries the HLR to find the current location of the called subscriber (which VLR they are registered with), then routes the call to the MSC serving that subscriber.

Forensic value of GSM architecture:

  • HLR/VLR records: show which Location Area (and therefore which group of cells) a subscriber was attached to at any time — even when no call was made, the phone periodically registers with the network.
  • MSC CDRs: every call and SMS generates a record containing: timestamp, duration, calling number (A number), called number (B number), and the Cell Global Identity (CGI) of the serving cell — this is location evidence.
  • IMSI from HLR: links a phone number (MSISDN) to a SIM card and subscriber identity.

[Fig 11.2 — GSM architecture: the MS (handset + SIM) communicates over the radio link through BTS and BSC to the MSC. The MSC interfaces with HLR, VLR, and AuC (which stores Ki) for subscriber data and authentication, and connects to the PSTN for external calls. CDRs logged at the MSC: timestamp · A/B number · Cell ID · duration.]

11.3 CDMA vs TDMA

Multiple callers cannot all use the same radio channel at the same time without interfering with each other. 2G and 3G networks solved this problem using two different techniques: TDMA and CDMA.

TDMA — Time Division Multiple Access. The radio channel is divided into time slots that repeat in a rapid cycle. Each active caller is assigned one slot per cycle. The calls are interleaved so quickly (every few milliseconds) that neither caller perceives any interruption. GSM uses TDMA with 8 time slots per 200 kHz radio channel. Think of it like a round-table meeting where each person speaks for a fixed slice of time and everyone takes turns so fast the conversation flows naturally.

CDMA — Code Division Multiple Access. Instead of dividing time, CDMA assigns each caller a unique spreading code (a pseudo-random mathematical pattern). All callers transmit simultaneously on the same frequency. To the untrained observer the combined signal looks like noise, but the receiver applies the correct spreading code and extracts only its intended signal, filtering out everyone else's calls as background noise. CDMA was developed by Qualcomm and used in the CDMA2000 standard deployed by some US carriers and a few Indian operators.

Key difference for forensics — subscriber identity:

In GSM (TDMA-based), the subscriber's identity is stored on the SIM card, which is removable. Swapping the SIM moves the phone number and subscriber identity to a different handset. The phone and the subscriber identity are separable.

In older CDMA networks (CDMA2000 / IS-95), there was typically no removable SIM. The subscriber's identity was encoded in the phone's ESN (Electronic Serial Number) or the later MEID (Mobile Equipment Identifier), which are permanently programmed into the device hardware. This means:

  • Acquiring a CDMA phone means acquiring the subscriber identity along with the device.
  • There is no separate SIM to seize; the device is the subscriber identity.
  • CDMA phone changes required the operator to provision the new device — leaving records at the carrier.

Feature                   GSM / TDMA                            CDMA (older)
Subscriber ID             SIM card (IMSI)                       ESN / MEID in device hardware
Channel sharing method    Time slots (TDMA)                     Spread spectrum codes
SIM removal               Yes — data separable from device      No removable SIM in older devices
Main regions              Global (India, EU, most of world)     USA, some Asian/Indian carriers
Forensic implication      Seize SIM and device separately       Device = subscriber identity

Modern note: Both TDMA and CDMA are legacy technologies. 4G LTE and 5G use OFDMA (Orthogonal Frequency Division Multiple Access), which is more spectrally efficient than either. Modern phones are multi-mode (LTE + 3G fallback) and all use SIM/eSIM for subscriber identity, even on networks that evolved from CDMA.

11.4 SIM Card Structure & IMEI

The SIM card is both an identity document and a small evidence vault. It contains permanent identifiers, authentication secrets, and fragments of communication history.

What a SIM card stores:

ICCID (Integrated Circuit Card Identifier) — the SIM's own serial number, 19–20 digits. Printed on the SIM card itself and often on the SIM packaging. Identifies the physical SIM hardware and is used by the operator to link the card to an account. When a SIM is seized, the ICCID is the first identifier recorded.

IMSI (International Mobile Subscriber Identity) — a 15-digit number that identifies the subscriber on the mobile network. Structure:

  • MCC (Mobile Country Code): 3 digits identifying the country (India = 404 or 405)
  • MNC (Mobile Network Code): 2–3 digits identifying the operator (e.g. Airtel, Jio, Vi)
  • MSIN (Mobile Subscription Identification Number): remaining digits, unique per subscriber on that network

The IMSI is the network's internal identifier. The public-facing number dialled by friends and colleagues is the MSISDN (the phone number). The operator's HLR translates between them.

Ki (Authentication Key) — a 128-bit secret cryptographic key stored on the SIM's secure element. The same key is stored in the operator's AuC. The Ki is used during the GSM challenge-response authentication process to prove the SIM is genuine. Critically: Ki never leaves the SIM during normal operation. Extracting Ki requires either cooperation of the operator (who has a copy in the AuC) or destructive/specialised hardware attacks on the SIM chip — which is how SIM cloning is performed.

Phonebook (ADN — Abbreviated Dialling Numbers) — contacts stored directly on the SIM (separate from contacts in the phone's internal storage). Forensically useful as they represent contacts the subscriber consciously chose to store on the SIM.

SMS messages — the SIM has a small fixed number of SMS slots (typically 10–40). When those fill, new messages go to the phone's internal storage. SMS on the SIM is often older and may survive factory resets if the SIM is not wiped.

LOCI (Location Information) — the SIM caches the LAI (Location Area Identity) of the last network it registered with, and the TMSI assigned at that registration. This tells you the last network area the SIM was active in, even if the phone is now powered off.

LDN (Last Dialled Numbers) and last numbers received — brief call history stored on the SIM.

IMEI (International Mobile Equipment Identity) — this identifier lives in the handset, not the SIM. It is a 15-digit number that uniquely identifies the physical device:

  • TAC (Type Allocation Code): first 8 digits; identifies the model and manufacturer
  • Serial Number: next 6 digits; unique within that model
  • Check digit: final digit (calculated using Luhn algorithm)

Dial *#06# on any GSM phone to display the IMEI. The IMEI is registered in the network's EIR. If a phone is reported stolen, its IMEI can be blacklisted, preventing calls on any participating network. Forensic investigators request IMEI records from operators to establish which SIM cards a given phone has used — or which phones a given SIM card has been inserted into.
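Splitting the IMSI (section above) and the IMEI into their fields in code, as an added example that is not from the chapter: the IMSI parser uses a small MCC-to-MNC-length table (India's 404/405 use 2-digit MNCs; the other entry and the default are assumptions), and the IMEI parser recomputes the Luhn check digit. The sample IMEI 490154203237518 is an illustrative value, not a real device.

```python
def luhn_check_digit(body: str) -> int:
    """Luhn check digit for a string of digits (for an IMEI, its first 14)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # double every second digit, starting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def parse_imei(imei: str) -> dict:
    """Split a 15-digit IMEI into TAC, serial and check digit, verifying Luhn.

    Hyphens or spaces from the printed form (49-015420-323751-8) are ignored."""
    digits = "".join(ch for ch in imei if ch.isdigit())
    if len(digits) != 15:
        raise ValueError("IMEI must contain exactly 15 digits")
    return {
        "tac": digits[:8],          # Type Allocation Code: model and manufacturer
        "serial": digits[8:14],     # unique within that model
        "check": digits[14],
        "valid": luhn_check_digit(digits[:14]) == int(digits[14]),
    }


# MNC length by MCC. India (404/405) uses 2-digit MNCs and the USA (310)
# 3-digit ones; the fallback of 2 for unlisted MCCs is an assumption.
MNC_LENGTH = {"404": 2, "405": 2, "310": 3}


def parse_imsi(imsi: str) -> dict:
    """Split a 15-digit IMSI into MCC, MNC and MSIN."""
    if len(imsi) != 15 or not imsi.isdigit():
        raise ValueError("IMSI must be exactly 15 digits")
    mcc = imsi[:3]
    mnc_len = MNC_LENGTH.get(mcc, 2)
    return {"mcc": mcc, "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}
```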

SIM cloning — copying the ICCID, IMSI, and Ki from a genuine SIM onto a blank programmable SIM. The clone receives the same calls and SMS messages as the original. SIM cloning requires extracting the Ki, which needs specialised equipment and is illegal. Evidence of cloning: operator records showing simultaneous activity from the same IMSI on two different IMEIs in different locations.
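The cloning indicator just described, run over a constructed CDR extract as an added example (not code from the chapter or any operator): the check flags an IMSI whose calls overlap in time on two different IMEIs in two different cells, and leaves an ordinary non-overlapping handset change alone. All numbers, IMEIs and CGI values in the sample are made up.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed CDR extract in the shape described in 11.2: timestamp, duration,
# A number, B number, IMSI, IMEI and the serving cell's CGI (MCC-MNC-LAC-CI).
SAMPLE_CDRS = """\
start,duration_s,a_number,b_number,imsi,imei,cgi
2024-03-01T10:00:00,120,919876543210,919812345678,404451234567890,490154203237518,404-45-1001-2001
2024-03-01T10:01:00,300,919876543210,919899999999,404451234567890,490154203237526,404-45-3003-4004
2024-03-01T11:00:00,60,919876543210,919812345678,404451234567890,490154203237518,404-45-1001-2001
2024-03-02T09:00:00,90,919876543210,919812345678,404451234567890,490154203237534,404-45-1001-2001
"""


def parse_cdrs(text: str) -> list[dict]:
    """Read CSV CDR rows and attach datetime start/end fields."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        start = datetime.fromisoformat(row["start"])
        row["start"] = start
        row["end"] = start + timedelta(seconds=int(row["duration_s"]))
        rows.append(row)
    return rows


def find_clone_indicators(cdrs: list[dict]) -> list[dict]:
    """Flag an IMSI whose calls overlap in time on two different IMEIs in two
    different cells. A later switch to another IMEI with no overlap (row 4 of
    the sample) is a normal handset change and is not flagged."""
    by_imsi: dict[str, list[dict]] = {}
    for r in cdrs:
        by_imsi.setdefault(r["imsi"], []).append(r)
    alerts = []
    for imsi, rows in by_imsi.items():
        rows.sort(key=lambda r: r["start"])
        for i, a in enumerate(rows):
            for b in rows[i + 1:]:
                if b["start"] >= a["end"]:
                    break           # rows are sorted by start; nothing later overlaps a
                if a["imei"] != b["imei"] and a["cgi"] != b["cgi"]:
                    alerts.append({
                        "imsi": imsi,
                        "imeis": sorted({a["imei"], b["imei"]}),
                        "cgis": sorted({a["cgi"], b["cgi"]}),
                        "overlap_start": b["start"],
                        "overlap_end": min(a["end"], b["end"]),
                    })
    return alerts
```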

IMSI

The International Mobile Subscriber Identity — a permanent 15-digit number stored on the SIM card identifying the subscriber on the mobile network. Format: MCC (country) + MNC (operator) + MSIN (individual subscriber). Forensically central because it links a phone number (MSISDN) to a physical SIM card, and through CDRs to a specific cell tower location at a specific time. Investigators request IMSI records from operators as part of subscriber verification.

11.5 Bluetooth, WAP & Mobile Protocols

Beyond the cellular network, mobile devices use several short-range and application-layer protocols that generate their own forensic artefacts.

Bluetooth. A short-range radio standard operating on the 2.4 GHz ISM band (the same unlicensed band as Wi-Fi). Defined in IEEE 802.15.1. To resist interference from other 2.4 GHz devices, Bluetooth uses FHSS (Frequency Hopping Spread Spectrum), rapidly switching between 79 sub-channels in a pseudo-random pattern.

Range by class:

  • Class 1: up to ~100 metres (used in industrial/headset applications)
  • Class 2: ~10 metres (most consumer devices — phones, earbuds, keyboards)
  • Class 3: ~1 metre

Every Bluetooth device has a BD_ADDR (Bluetooth Device Address) — a 48-bit identifier similar in structure to a MAC address. The upper 24 bits are the OUI (Organisationally Unique Identifier) assigned to the manufacturer; the lower 24 bits are the manufacturer's serial number for that device. BD_ADDR can be used to identify the manufacturer of a Bluetooth device even before connecting to it.

Bluetooth attacks:

Bluejacking — sending unsolicited short messages to nearby Bluetooth-enabled phones using the Object Push Profile (OPP). The attacker does not gain access to the device; they merely deliver an unexpected message. Nuisance-level attack; low severity.

Bluesnarfing — unauthorised access to a device's data (contacts, calendar, messages) by exploiting a vulnerability in the OBEX (Object Exchange) protocol. The attacker retrieves data without the owner's knowledge or consent. Constitutes unauthorised access under the IT Act §66. Evidence: Bluetooth logs on the victim device, BD_ADDR of the attacking device, timing correlation with the proximity of the suspect.

Bluebugging — the most severe Bluetooth attack. The attacker gains full command-line control of the phone by exploiting a vulnerability that allows sending AT commands (the modem command set). With bluebugging, the attacker can make calls, send SMS, eavesdrop on conversations, and access all data. Affects older devices with unpatched firmware; rare on modern phones.

Bluetooth forensics:

  • Modern phones store a paired device history listing every device the phone has ever paired with (device name, BD_ADDR, pairing timestamp). This history survives clearing individual connections.
  • If a suspect's phone was in proximity to another device (e.g. a car's Bluetooth system, a crime scene's smart speaker), the BD_ADDR matching can establish that proximity.

WAP (Wireless Application Protocol). An early (late 1990s – early 2000s) standard for delivering web-like content to mobile phones with limited screens and slow connections. WAP sites used WML (Wireless Markup Language) instead of HTML. A WAP gateway on the operator's network translated between the cellular packet network and the internet. Essentially obsolete since smartphones arrived, but the FACT syllabus includes it as a historical reference.

i-Mode. NTT DoCoMo's competing mobile internet standard from Japan (1999). Used a simplified HTML dialect (cHTML). Similar concept to WAP but proprietary to DoCoMo. Also largely obsolete but referenced in syllabuses covering early mobile internet history.

VoLTE and Wi-Fi Calling. In 4G/5G networks, voice calls travel as IP packets rather than through circuit-switched channels. This means:

  • Traditional CDRs may be replaced by IP session records that include the IP address and port numbers of both endpoints.
  • Location is established through the data-session's serving cell ID rather than a dedicated voice CDR.
  • Wi-Fi Calling routes voice over the broadband internet connection; the IP address seen by the operator is the subscriber's home/public IP, not a cell tower ID.

Memory hooks · Chapter 11

11.1 Generation ladder — 1G=analogue AMPS (scanner-interceptable) · 2G=GSM digital+SIM+CDRs · 2.5G=GPRS packet data · 3G=UMTS/WCDMA+IP sessions · 4G=all-IP+VoLTE · 5G=small cells+precise location.

11.1 Forensic progression — each generation adds evidence: CDRs start at 2G · IP addresses appear at 3G · location precision improves at 5G.

11.2 HLR vs VLR — HLR = permanent subscriber database (MSISDN, IMSI, service profile, last VLR address) · VLR = temporary local copy at the serving MSC; updated as subscriber moves.

11.2 AuC triplet — RAND (challenge) + SRES (expected response) + Kc (session key); Ki never leaves the SIM.

11.2 EIR lists — white=valid · grey=flagged · black=blocked stolen/banned phones.

11.3 CDMA no SIM — older CDMA phones stored subscriber identity as ESN/MEID in the device hardware, not a removable SIM; seizing the device = seizing the subscriber identity.

11.4 IMSI format — MCC (3 digits, country) + MNC (2-3 digits, operator) + MSIN (subscriber); 15 digits total; stored on SIM.

11.4 IMEI format — TAC (8 digits, device model) + Serial (6 digits) + Check digit; stored in the handset; dial *#06# to display; blacklisted in EIR to block stolen phones.

11.4 Ki — 128-bit secret authentication key; shared between SIM and AuC; never leaves the SIM during normal operation; extracting it is what enables SIM cloning.

11.5 Bluetooth attacks — bluejacking=unsolicited message (nuisance) · bluesnarfing=unauthorised contacts/data access via OBEX exploit (IT Act §66) · bluebugging=full AT command control (severe).

11.5 BD_ADDR — 48-bit Bluetooth address; upper 24 bits = OUI (manufacturer); forensically links a device to its manufacturer and establishes proximity evidence.
