Mobile Technologies: 2G to 5G, GSM/CDMA, SIM and IMEI

Your journey to becoming a forensic professional starts here.

Practice with national-level exam (FACT, FACT Plus, NET, CUET, etc.) mocks, learn from structured notes, and get your doubts solved in one place.

Start Free Mock Test Create Your Account

Mobile Technologies: 2G to 5G, GSM/CDMA, SIM and IMEI | ForensicSpot

A mobile examiner who treats the handset as the whole crime scene loses half the case. The handset is one node on a layered radio and signalling network whose every generation, from AMPS in 1983 to 5G NR in 2024, leaves its own evidence in subscriber records, switch logs, base station registers and device identity registries. The SIM card carries four kinds of identifier, only one of which is the phone number a witness will quote. The IMEI carries a Luhn check digit that a junior examiner can verify on a piece of paper before requesting a CEIR block. Indian state cyber cells process SIM-swap fraud almost daily, and the TRAI 24-hour cool-off directive that constrains the fraud playbook is the single most quoted line of regulation in digital forensics vivas.

This topic is the entry point to Module 6 and the foundation under every mobile artefact extraction that follows. It sits before the handset acquisition workflows that cover JTAG, ISP and chip-off, the wireless and mobile network attack patterns that exploit the architecture described here, and the cloud and backup forensics layer that pulls evidence from outside the device. The framing throughout is Indian: DoT Sanchar Saathi requests, CEIR blocking workflow, TRAI port-out rules, BNS 2023 Section 318 cheating provisions read with IT Act Section 66C identity theft, and the kind of subscriber data a Section 91 CrPC notice (now Section 94 BNSS 2023) will pull from an Indian telecom operator.

Key terms

IMSI: International Mobile Subscriber Identity, a 15-digit identifier stored on the SIM that names the subscriber on the network. Format is MCC (3 digits) + MNC (2 or 3 digits) + MSIN. The Indian MCC is 404 and 405.
ICCID: Integrated Circuit Card Identifier, the 19 to 20 digit serial number printed on the SIM card body. Identifies the physical SIM, not the subscriber.
Ki: The 128-bit secret authentication key stored on the SIM and in the operator's Authentication Centre (AuC). Never leaves either party in cleartext under normal use.
IMEI: International Mobile Equipment Identity, a 15-digit identifier of the handset hardware. Format is 8-digit TAC + 6-digit serial + 1-digit Luhn check. Identifies the device, not the SIM.
MSC: Mobile Switching Centre, the GSM core node that routes calls and SMS between the cellular network and the PSTN, and queries the HLR and VLR for subscriber state.
EPC / 5GC: Evolved Packet Core (LTE) and 5G Core (5G NR), the all-IP packet cores that replaced the circuit-switched GSM core. 5GC is service-based, with discrete network functions like AMF, SMF and UPF.

Cellular generations: AMPS to 5G NR

One timeline, one set of capability deltas the syllabus keeps asking about.

The cellular timeline is short enough to memorise and broad enough to anchor most digital forensics questions on mobile technology. 1G was AMPS (Advanced Mobile Phone System), an analog FDMA system that ran in North America from 1983 to its US shutdown in 2008. 2G arrived in 1991 with GSM, a digital TDMA system that introduced the SIM card and the IMSI. In parallel, IS-95 (cdmaOne) brought CDMA to the same generation with a different multiplexing approach. 2.5G added GPRS in 2000, the first packet-switched data path over GSM. 2.75G added EDGE, raising peak data rates to about 384 kbps. 3G arrived with UMTS and WCDMA in 2001, with HSPA and HSDPA layered on top to push the data ceiling past 14 Mbps. 4G LTE landed in 2009, then LTE-Advanced in 2012, both built on OFDMA and an all-IP core. 5G NR launched commercially in 2019, with Sub-6 GHz coverage and mmWave capacity, an EPC successor called 5GC, and three usage families: eMBB (enhanced mobile broadband), URLLC (ultra-reliable low-latency communication) and mMTC (massive machine-type communication for IoT).

Generation	Year	Multiplexing	Peak data rate	Core network
1G AMPS	1983	FDMA (analog)	Voice only, 10 kbps signalling	Analog trunk
2G GSM	1991	TDMA + FDMA	9.6 kbps voice channel

GSM architecture: MS, BTS, BSC, MSC and the registers

Seven boxes and the records each one keeps.

GSM is the cleanest of the cellular architectures to draw because every node has one job. The mobile station (MS) is the handset plus the SIM. The base transceiver station (BTS) is the cell tower's radio. The base station controller (BSC) groups BTSs and handles handovers between them. The mobile switching centre (MSC) is the switch that routes calls and SMS. The home location register (HLR) is the master subscriber database for an operator. The visitor location register (VLR) is a working copy of HLR rows for subscribers currently in the MSC's service area. The authentication centre (AuC) holds the per-SIM Ki keys and runs the A3 and A8 authentication algorithms. The equipment identity register (EIR) keeps IMEI status: white-listed, grey-listed (monitored) or black-listed (blocked).

GSM core architecture with the records each node keeps. The MS authenticates against the AuC via the MSC and VLR. The EIR is the per-network counterpart to India's national CEIR registry.

GSM, CDMA, multiplexing and the protocol stack

Four ways to share a piece of spectrum, one history of which won.

The multiplexing scheme is the line that separates GSM from CDMA in every working examiner discussion. FDMA (frequency division) gives each user a different frequency slice; AMPS used it. TDMA (time division) gives each user the same frequency in different time slots; GSM combined TDMA with FDMA. CDMA (code division) gives each user the same frequency at the same time, distinguished by an orthogonal spreading code; IS-95 and WCDMA used it. OFDMA (orthogonal frequency division) splits the band into thousands of narrow subcarriers and assigns groups of subcarriers to users on a per-symbol basis; LTE and 5G NR use it.

CDMA and GSM differed beyond the air interface. GSM separated subscriber identity (SIM) from the device, so a user could move SIM between handsets. Early CDMA in the US baked the identifier into the handset's R-UIM or directly into the device firmware, which is why CDMA SIMs were uncommon. GSM authentication uses the COMP128 family of algorithms (COMP128-1 was famously weakened by Briceno, Goldberg and Wagner in 1998; COMP128-2 and COMP128-3 patched it). 3G UMTS introduced MILENAGE, a stronger algorithm built on AES, which LTE and 5G inherited. The forensic implication is that a 2G SIM running COMP128-1 is theoretically cloneable with physical access; a 3G+ USIM with MILENAGE is not, under current public cryptanalysis.

The historical-protocol layer the syllabus still asks about: WAP (Wireless Application Protocol) was the early-2000s mobile-optimised web stack that died when smartphones got real browsers; i-mode was NTT DoCoMo's Japan-only equivalent with a similar trajectory. Both are dead in practice but live in textbook question sets.

SIM internals: ICCID, IMSI, Ki and the DF/EF file system

A 30 millimetre card with a documented file tree and APDU command set.

A SIM card is a small Java Card or native-application smart card with a standardised file system, defined by 3GPP TS 51.011 for GSM SIMs and TS 31.102 for USIMs. The hierarchy is three levels: MF (Master File) at the root, DF (Dedicated File, equivalent to a directory) one level down, and EF (Elementary File, the actual data file) at the leaves. DF_GSM, DF_TELECOM and DF_DCS1800 are the named DFs an examiner cares about. Under each, EFs hold the addressable data: EF_IMSI holds the IMSI, EF_ICCID holds the ICCID, EF_LOCI holds the last known location area, EF_ADN holds the abbreviated dialling numbers (the phone book), EF_SMS holds stored SMS, EF_LND holds last numbers dialled, EF_FPLMN holds forbidden PLMNs.

SIM identifier	Length	Where stored	Forensic value
ICCID	19 to 20 digits	Printed on SIM body, EF_ICCID	Names the physical card; matches to operator's issuance log.
IMSI	15 digits (MCC + MNC + MSIN)	EF_IMSI on SIM, HLR record	Names the subscriber on the network; used in CDR joins.
MSISDN	Phone number (E.164)	HLR row, EF_MSISDN sometimes	Human-visible number; tied to KYC at port-in.

IMEI: structure, Luhn check and the CEIR workflow

Fifteen digits, one checksum, one national registry.

The IMEI is the device identity. It is 15 digits in modern handsets: an 8-digit TAC (Type Allocation Code, assigned by the GSMA to a make and model), a 6-digit serial number unique within that TAC, and a 1-digit Luhn check. The check digit is computable on paper. Double every second digit from the right (excluding the check digit itself), sum the digits of the products and the un-doubled digits, then the check digit is whatever makes the total a multiple of 10. An IMEI of 49015420323751 with check digit 8 passes if the Luhn sum of the 14 digits plus 8 is divisible by 10.

Read the IMEI
Dial *#06# on the handset, or read it from the device's about screen, the SIM tray etching, or the original box. A multi-SIM phone returns multiple IMEIs, one per radio.
Verify the Luhn check
Compute the Luhn checksum by hand or with a one-liner. A bad checksum means the IMEI has been tampered with, often via a hex editor or a flashing tool, and the device should be marked for chip-off acquisition.
Resolve the TAC
Query the GSMA TAC database or a public mirror (TACDB, IMEI.info) to confirm the make and model. A TAC that resolves to a different make than the housing claims is a hardware-swap indicator.

SIM swap fraud, IMSI catchers and the TRAI 24-hour cool-off

The fraud playbook, the regulatory speed bump and the forensic trail.

SIM swap is the most common Indian mobile-fraud pattern that crosses into criminal forensic work. The playbook has four steps. The fraudster collects the target's MSISDN, name and a piece of KYC data (often from a leaked database or a phishing site). The fraudster walks into a retailer with a forged ID and requests a SIM replacement, claiming the original is damaged. The retailer files the request with the operator. The operator, after KYC verification, deactivates the original SIM and activates the new one in the fraudster's hand. OTPs for the victim's bank account, UPI app and email then route to the new SIM, and the fraudster drains the accounts within minutes.

The TRAI directive that constrains this playbook is the 24-hour SMS-and-call bar after a SIM replacement. The TRAI Mobile Number Portability Regulations 2009 and subsequent amendments require operators to bar incoming and outgoing SMS and voice on a swapped SIM for the first 24 hours after activation. This is the regulatory speed bump that gives a victim a window to file a complaint and the operator a window to reverse the swap. The fraud succeeds when the victim does not notice for the full 24 hours, which is why most successful Indian SIM swaps are timed for weekends and long holidays.

IMSI catchers, also called Stingrays after the Harris Corporation product, are rogue base stations that impersonate a legitimate BTS to force nearby handsets to register. The handset's natural behaviour is to attach to the strongest signal; a rogue BTS within range with a slightly stronger signal wins. The catcher then reads the IMSI in cleartext during the registration exchange, or downgrades the handset to 2G to defeat MILENAGE authentication. Indian use is documented but not officially acknowledged; civil society reports under RTI have surfaced procurement records for IMSI catcher hardware by several Indian central agencies. For the examiner, the relevance is defensive: a 2G-only attach pattern in a handset's last-cell logs, in an area with 4G coverage, is a possible IMSI-catcher indicator. Detection tools include AIMSICD (Android IMSI Catcher Detector) and SnoopSnitch on rooted Android.

Worked example

SIM swap in Pune, May 2024

A composite case in the digital forensics style with all five artefacts in place.

A Pune-based professional reported a UPI fraud of ₹4.8 lakh on a Saturday morning. The bank account had been drained between 03:14 and 03:42 IST through 11 sequential UPI transfers to a chain of mule accounts. The victim's phone had shown no signal since the previous evening. The Pune Cyber Cell pulled the operator log via a Section 94 BNSS notice and confirmed a SIM replacement processed at a retailer in Hadapsar at 18:22 the previous evening.

The examiner built the file. The operator log named the retailer, the staff ID and the KYC document type (a forged DL). The CCTV from the retailer (preserved within 48 hours under the operator's data-retention obligation) showed a man matching the description filed at the FIR. The CDRs for the original SIM showed last activity at 18:18, four minutes before the swap request; the CDRs for the replacement SIM showed first incoming OTP at 03:14 IST, which is 33 hours and 52 minutes after the swap activation, comfortably outside the TRAI 24-hour bar window. The bank statement OTP timestamps were aligned to the CDR. The retailer was charged under IT Act Section 66C read with BNS 2023 Section 318 and Section 336 (forgery for cheating). The CEIR query on the IMEI of the device the fraudster used (recovered later) showed it had been flashed with a tampered IMEI, which failed the Luhn check on examination, adding an IT Act Section 65 charge (tampering with source code is the legal home for IMEI tampering under Indian case law).

Practice

Question 1 of 5· 0 answered

An Indian SIM card shows an IMSI of 405854000123456. Which operator MNC family does this belong to, and what does the leading 405 indicate?

Frequently asked questions

Can a 3G or 4G SIM be cloned the way 2G SIMs could?

Not under current public cryptanalysis. 2G SIMs running COMP128-1 were cloneable by an attacker with physical access to the card and a few hours of compute, because COMP128-1 leaked Ki under chosen-challenge attacks. COMP128-2, COMP128-3, and the MILENAGE family used by 3G USIMs and onward are not known to be cloneable in this way. The practical Indian fraud path today is SIM swap (social-engineering the operator into issuing a fresh SIM with the same MSISDN), not cloning.

What is the difference between IMSI and MSISDN, and why does it matter in a CDR query?

IMSI is the subscriber identity on the network, stored on the SIM and in the HLR; it is what authenticates the SIM to the AuC. MSISDN is the phone number, the dialable identifier the user knows. Two SIMs can in principle share an IMSI lineage during a swap, but only one is active. A CDR query by MSISDN returns rows for whichever SIM was active at the time of the call. A CDR query by IMSI returns rows for that specific SIM regardless of MSISDN reassignment, which is the more reliable query when port-in or swap activity is suspected.

How does CEIR differ from the operator's own EIR?

An EIR is per-operator: it carries the IMEI whitelist, greylist and blacklist that one operator (Airtel, Jio, Vi, BSNL) uses to grant or deny service. CEIR is the national registry that aggregates and synchronises across all Indian operators, so an IMEI blocked through CEIR on a Sanchar Saathi complaint is refused service by every Indian operator within 24 to 48 hours. CEIR was operationalised nationwide in 2023 after the Maharashtra and Karnataka pilots.

Is an IMSI catcher detectable from the handset side?

Partially. Open-source tools like AIMSICD (Android IMSI Catcher Detector) and SnoopSnitch (which requires a rooted phone with a Qualcomm baseband) flag a set of indicators: forced 2G attach in a 4G area, unencrypted paging, cell ID and neighbour-cell anomalies, and frequent re-registrations. None of these are conclusive on their own, but a stack of them in a clean radio environment is a reasonable working signal. For a forensic case, the cell-ID and last-cell logs on the seized handset are the artefact to preserve.