
Mobile Technologies: 2G to 5G, GSM/CDMA, SIM and IMEI

Cellular generations, GSM and CDMA architecture, SIM file system, IMEI structure and Indian SIM-swap and CEIR workflows for digital forensic examiners.


Mobile network generations from 1G AMPS (1983) through 5G NR (2019) each produce a distinct evidence trail: subscriber records in the HLR, call detail records at the MSC, and cell-ID logs at the BTS. The SIM card carries four forensically distinct identifiers (ICCID, IMSI, MSISDN, and the authentication key Ki), while the handset is identified separately by its 15-digit IMEI. In India, a Section 94 BNSS 2023 notice to an operator retrieves subscriber data, CDRs, and SIM-replacement history; the CEIR national registry propagates IMEI blocks to all Indian operators within 24 to 48 hours of a Sanchar Saathi complaint.

The handset is one node on a layered radio and signalling network. Every generation from AMPS in 1983 to 5G NR in 2024 leaves its own evidence trail in subscriber records, switch logs, base station registers, and device identity registries. The SIM card carries four kinds of identifier, only one of which is the phone number a witness will quote. The IMEI carries a Luhn check digit that a junior examiner can verify on a piece of paper before requesting a CEIR block. Indian state cyber cells process SIM-swap fraud almost daily, and the TRAI 24-hour cool-off directive that constrains the fraud playbook is the single most quoted line of regulation in digital forensics vivas.

Key takeaways

  • The IMEI carries a Luhn check digit that a junior examiner can verify on paper before requesting a CEIR block, making it a quick on-scene validation step.
  • A SIM card carries four kinds of identifier, only one of which is the phone number a witness will quote, so the examiner must record all four during seizure.
  • The TRAI 24-hour cool-off directive that constrains the SIM-swap fraud playbook is the single most quoted line of regulation in digital forensics vivas.
  • A Section 94 BNSS 2023 notice is the mechanism an Indian IO uses to pull subscriber data from a telecom operator, replacing the older Section 91 CrPC route.
  • Indian state cyber cells process SIM-swap fraud almost daily, and the cellular generation evidence trail runs from subscriber records through switch logs to base station registers.

This topic is the entry point to Module 6 and the foundation under every mobile artefact extraction that follows. It sits before the handset acquisition workflows that cover JTAG, ISP and chip-off, the wireless and mobile network attack patterns that exploit the architecture described here, and the cloud and backup forensics layer that pulls evidence from outside the device. The framing throughout is Indian: DoT Sanchar Saathi requests, CEIR blocking workflow, TRAI port-out rules, BNS 2023 Section 318 cheating provisions read with IT Act Section 66C identity theft, and the kind of subscriber data a Section 91 CrPC notice (now Section 94 BNSS 2023) will pull from an Indian telecom operator.

By the end of this topic you will be able to:

  • Identify the multiplexing scheme, core network, and primary evidence type produced by each cellular generation from 1G to 5G NR.
  • Name the GSM architecture nodes (BTS, BSC, MSC, HLR, VLR, AuC, EIR) and state the forensic records each one holds.
  • Read a SIM file system, locate the key EFs (EF_IMSI, EF_LOCI, EF_ADN, EF_SMS), and distinguish ICCID from IMSI from MSISDN.
  • Verify an IMEI using the Luhn algorithm by hand and interpret a TAC resolution result as a hardware-swap indicator.
  • Reconstruct the artefact chain required to build a SIM-swap prosecution file under IT Act Section 66C and BNS 2023 Section 318.

Key terms

IMSI
International Mobile Subscriber Identity, a 15-digit identifier stored on the SIM that names the subscriber on the network. Format is MCC (3 digits) + MNC (2 or 3 digits) + MSIN. India uses two MCCs, 404 and 405.

ICCID
Integrated Circuit Card Identifier, the 19- to 20-digit serial number printed on the SIM card body. Identifies the physical SIM, not the subscriber.

Ki
The 128-bit secret authentication key stored on the SIM and in the operator's Authentication Centre (AuC). Never leaves either party in cleartext under normal use.

IMEI
International Mobile Equipment Identity, a 15-digit identifier of the handset hardware. Format is 8-digit TAC + 6-digit serial + 1-digit Luhn check. Identifies the device, not the SIM.

MSC
Mobile Switching Centre, the GSM core node that routes calls and SMS between the cellular network and the PSTN, and queries the HLR and VLR for subscriber state.

EPC / 5GC
Evolved Packet Core (LTE) and 5G Core (5G NR), the all-IP packet cores that replaced the circuit-switched GSM core. 5GC is service-based, with discrete network functions such as AMF, SMF and UPF.

Cellular generations: AMPS to 5G NR

The cellular timeline is short enough to memorise and broad enough to anchor most digital forensics questions on mobile technology. 1G was AMPS (Advanced Mobile Phone System), an analog FDMA system that ran in North America from 1983 to its US shutdown in 2008. 2G arrived in 1991 with GSM, a digital TDMA system that introduced the SIM card and the IMSI. In parallel, IS-95 (cdmaOne) brought CDMA to the same generation with a different multiplexing approach. 2.5G added GPRS in 2000, the first packet-switched data path over GSM. 2.75G added EDGE, raising peak data rates to about 384 kbps. 3G arrived with UMTS and WCDMA in 2001, with HSPA and HSDPA layered on top to push the data ceiling past 14 Mbps. 4G LTE landed in 2009, then LTE-Advanced in 2012, both built on OFDMA and an all-IP core. 5G NR launched commercially in 2019, with Sub-6 GHz coverage and mmWave capacity, an EPC successor called 5GC, and three usage families: eMBB (enhanced mobile broadband), URLLC (ultra-reliable low-latency communication) and mMTC (massive machine-type communication for IoT).

| Generation | Year | Multiplexing | Peak data rate | Core network |
|---|---|---|---|---|
| 1G AMPS | 1983 | FDMA (analog) | Voice only, 10 kbps signalling | Analog trunk |
| 2G GSM | 1991 | TDMA + FDMA | 9.6 kbps voice channel | GSM circuit core |
| 2.5G GPRS | 2000 | TDMA packet | 56 to 114 kbps | GPRS core (SGSN, GGSN) |
| 3G UMTS / WCDMA | 2001 | CDMA | 2 Mbps (HSDPA up to 14 Mbps) | UMTS core |
| 4G LTE | 2009 | OFDMA | 100 Mbps to 1 Gbps (LTE-A) | EPC (MME, SGW, PGW) |
| 5G NR Sub-6 | 2019 | OFDMA + flexible numerology | 1 to 3 Gbps typical | 5GC (AMF, SMF, UPF) |
| 5G NR mmWave | 2019 | OFDMA | Up to 10 Gbps peak | 5GC |

India never had to shut down 1G, because it was never deployed at scale here; BSNL ran AMPS-era trials only. 2G is being retired by Indian operators in phases through 2026, with Vi and Airtel publishing 2G-sunset advisories. CDMA in India died commercially when Reliance Communications shut its CDMA network in 2017 and Tata Teleservices wound down consumer CDMA the same year. The Indian regulatory anchor for spectrum reuse and generational migration is the DoT National Frequency Allocation Plan (NFAP), most recently revised in 2022, which governs which bands a generation may occupy.

GSM architecture: MS, BTS, BSC, MSC and the registers

GSM architecture assigns a distinct role to each node. The mobile station (MS) is the handset plus the SIM. The base transceiver station (BTS) is the cell tower's radio. The base station controller (BSC) groups BTSs and handles handovers between them. The mobile switching centre (MSC) is the switch that routes calls and SMS. The home location register (HLR) is the master subscriber database for an operator. The visitor location register (VLR) is a working copy of HLR rows for subscribers currently in the MSC's service area. The authentication centre (AuC) holds the per-SIM Ki keys and runs the A3 and A8 authentication algorithms. The equipment identity register (EIR) keeps IMEI status: white-listed, grey-listed (monitored) or black-listed (blocked).

GSM core architecture with the records each node keeps. The MS authenticates against the AuC via the MSC and VLR. The EIR is the per-network counterpart to India's national CEIR registry.

The forensic value of these nodes is in the records they keep. An HLR query (issued via a Section 94 BNSS notice to the operator) returns the IMSI, the MSISDN (phone number), the current VLR address, the last known cell ID and the subscriber's service profile. The MSC produces CDRs (call detail records) with the called and calling numbers, the cell ID, the duration, and on LTE and beyond the eNodeB ID. The EIR row for an IMEI tells the operator whether to refuse service. India's CEIR is the union of operator EIRs and is queryable by both citizens (via DoT Sanchar Saathi) and law enforcement.

GSM, CDMA, multiplexing and the protocol stack

Cellular generations timeline from 2G to 5G showing the evidence each generation carries. Each generation box lists its multiplexing scheme, the key evidence type it produces, and the Indian deployment status.

The multiplexing scheme is the line that separates GSM from CDMA in every working examiner discussion. FDMA (frequency division) gives each user a different frequency slice; AMPS used it. TDMA (time division) gives each user the same frequency in different time slots; GSM combined TDMA with FDMA. CDMA (code division) gives each user the same frequency at the same time, distinguished by an orthogonal spreading code; IS-95 and WCDMA used it. OFDMA (orthogonal frequency division) splits the band into thousands of narrow subcarriers and assigns groups of subcarriers to users on a per-symbol basis; LTE and 5G NR use it.

CDMA and GSM differed beyond the air interface. GSM separated subscriber identity (SIM) from the device, so a user could move a SIM between handsets. Early CDMA in the US baked the identifier into the handset's R-UIM or directly into the device firmware, which is why CDMA SIMs were uncommon. GSM authentication uses the COMP128 family of algorithms (COMP128-1 was famously weakened by Briceno, Goldberg and Wagner in 1998; COMP128-2 and COMP128-3 patched it). 3G UMTS introduced MILENAGE, a stronger algorithm built on AES, which LTE and 5G inherited. The forensic implication is that a 2G SIM running COMP128-1 is theoretically cloneable with physical access; a 3G+ USIM with MILENAGE is not, under current public cryptanalysis.

The historical-protocol layer the syllabus still asks about: WAP (Wireless Application Protocol) was the early-2000s mobile-optimised web stack that died when smartphones got real browsers; i-mode was NTT DoCoMo's Japan-only equivalent with a similar trajectory. Both are dead in practice but live in textbook question sets.

SIM internals: ICCID, IMSI, Ki and the DF/EF file system

A SIM card is a small Java Card or native-application smart card with a standardised file system, defined by 3GPP TS 51.011 for GSM SIMs and TS 31.102 for USIMs. The hierarchy is three levels: MF (Master File) at the root, DF (Dedicated File, equivalent to a directory) one level down, and EF (Elementary File, the actual data file) at the leaves. DF_GSM, DF_TELECOM and DF_DCS1800 are the named DFs an examiner cares about. Under each, EFs hold the addressable data: EF_IMSI holds the IMSI, EF_ICCID holds the ICCID, EF_LOCI holds the last known location area, EF_ADN holds the abbreviated dialling numbers (the phone book), EF_SMS holds stored SMS, EF_LND holds last numbers dialled, EF_FPLMN holds forbidden PLMNs.

| SIM identifier | Length | Where stored | Forensic value |
|---|---|---|---|
| ICCID | 19 to 20 digits | Printed on SIM body, EF_ICCID | Names the physical card; matches to operator's issuance log. |
| IMSI | 15 digits (MCC + MNC + MSIN) | EF_IMSI on SIM, HLR record | Names the subscriber on the network; used in CDR joins. |
| MSISDN | Phone number (E.164) | HLR row, EF_MSISDN sometimes | Human-visible number; tied to KYC at port-in. |
| Ki | 128-bit secret | SIM secure element, AuC | Never extractable from a 3G+ USIM under public cryptanalysis. |
| LAI / TAC (location) | MCC + MNC + LAC | EF_LOCI | Last cell area the SIM registered in before extraction. |

The command interface is APDU (Application Protocol Data Unit), defined in ISO/IEC 7816-4. An APDU has a header (CLA, INS, P1, P2) and an optional data field. A SIM reader (an ACR38, an ACS ACR122U or any 3GPP-compliant reader) issues APDUs through a tool like SIMspy, SIMcon, MOBILedit Forensic SIM Clone or the open-source pySim. Cellebrite UFED and Magnet AXIOM include SIM-specific acquisition flows. The standard forensic flow is read-only: bind the reader, select the MF, select DF_GSM, read each EF, hash the output, and write a parsed report. The SIM never gets a write APDU during examination, and the case bag records the SIM's ICCID before insertion to prevent any chain-of-custody ambiguity.
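To make the EF_IMSI and IMSI material concrete, here is an added example (not code from the original page, and not the code of pySim, SIMspy or any other tool named above) that decodes the raw EF_IMSI record as a reader returns it, and splits the result into MCC, MNC and MSIN. It assumes the EF_IMSI byte layout from 3GPP TS 51.011 / TS 31.102 (a length byte, then BCD digits in swapped nibble order, with the low nibble of the first byte carrying the odd/even parity flag) and a 2-digit MNC for the Indian MCCs 404 and 405; the sample IMSI and its byte string are constructed. The encoder exists only to build offline test vectors; it never sends anything to a SIM.

```python
"""EF_IMSI byte layout and IMSI field split (added example, constructed data)."""
from typing import Optional

INDIAN_MCCS = ("404", "405")


def decode_ef_imsi(raw: bytes) -> str:
    """Turn the raw EF_IMSI record read from the SIM into a digit string."""
    length = raw[0]                      # number of bytes that follow
    body = raw[1:1 + length]
    if not body:
        raise ValueError("empty EF_IMSI record")
    first = body[0]
    # Low nibble of the first byte: b4 = 1 when the IMSI has an odd number of
    # digits, b1..b3 = 001 (identity type IMSI). High nibble is the first digit.
    odd = bool(first & 0x08)
    nibbles = [first >> 4]
    for b in body[1:]:
        nibbles.append(b & 0x0F)         # digits are stored low nibble first
        nibbles.append(b >> 4)
    if not odd:
        if nibbles[-1] != 0x0F:
            raise ValueError("even-length IMSI must end in an 0xF filler nibble")
        nibbles.pop()                    # drop the filler nibble
    if any(n > 9 for n in nibbles):
        raise ValueError("non-decimal nibble in IMSI body")
    return "".join(str(n) for n in nibbles)


def encode_ef_imsi(imsi: str) -> bytes:
    """Inverse of decode_ef_imsi; used here only to build offline test vectors."""
    digits = [int(c) for c in imsi]
    odd = len(digits) % 2 == 1
    out = [(digits[0] << 4) | (0x09 if odd else 0x01)]
    rest = digits[1:]
    if len(rest) % 2:
        rest.append(0x0F)                # pad an even-length IMSI with a filler
    for lo, hi in zip(rest[0::2], rest[1::2]):
        out.append((hi << 4) | lo)
    return bytes([len(out)]) + bytes(out)


def split_imsi(imsi: str, mnc_len: Optional[int] = None) -> dict:
    """Split an IMSI into MCC, MNC and MSIN.

    The MNC length is not encoded in the IMSI itself; on a real SIM it is read
    from EF_AD (low nibble of the fourth byte). This example assumes 2 digits
    for the Indian MCCs and requires mnc_len to be passed for any other MCC.
    """
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        raise ValueError("IMSI must be 6 to 15 decimal digits")
    mcc = imsi[:3]
    if mnc_len is None:
        if mcc not in INDIAN_MCCS:
            raise ValueError("mnc_len must be supplied for MCC " + mcc)
        mnc_len = 2
    return {
        "mcc": mcc,
        "mnc": imsi[3:3 + mnc_len],
        "msin": imsi[3 + mnc_len:],
        "indian": mcc in INDIAN_MCCS,
    }


if __name__ == "__main__":
    # Constructed EF_IMSI record for the constructed IMSI 404450000000001.
    record = bytes.fromhex("084940540000000010")
    imsi = decode_ef_imsi(record)
    print(imsi, split_imsi(imsi))
    assert encode_ef_imsi(imsi) == record
```

When the reader tool already prints the decoded IMSI, the value of keeping the raw bytes in the report is that the examiner can show the decoding step in court from the hashed EF dump rather than from a tool's interpretation.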

IMEI: structure, Luhn check and the CEIR workflow

The IMEI is the device identity. It is 15 digits in modern handsets: an 8-digit TAC (Type Allocation Code, assigned by the GSMA to a make and model), a 6-digit serial number unique within that TAC, and a 1-digit Luhn check. The check digit is computable on paper. Double every second digit from the right (excluding the check digit itself), sum the digits of the products and the un-doubled digits, then the check digit is whatever makes the total a multiple of 10. An IMEI of 49015420323751 with check digit 8 passes if the Luhn sum of the 14 digits plus 8 is divisible by 10.

  1. Read the IMEI
    Dial *#06# on the handset, or read it from the device's about screen, the SIM tray etching, or the original box. A multi-SIM phone returns multiple IMEIs, one per radio.
  2. Verify the Luhn check
    Compute the Luhn checksum by hand or with a one-liner. A bad checksum means the IMEI has been tampered with, often via a hex editor or a flashing tool, and the device should be marked for chip-off acquisition.
  3. Resolve the TAC
    Query the GSMA TAC database or a public mirror (TACDB, IMEI.info) to confirm the make and model. A TAC that resolves to a different make than the housing claims is a hardware-swap indicator.
  4. Query Sanchar Saathi
    For a stolen-device case, file the IMEI on the DoT Sanchar Saathi portal at sancharsaathi.gov.in. CEIR will propagate a block to all Indian operators within 24 to 48 hours.
  5. Lift the block on recovery
    On device recovery and seizure, raise an unblock request through Sanchar Saathi or the originating police station so the device can be powered on for forensic acquisition in the lab.
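As an added example for steps 1 to 3 above (not code from the original page or from any tool it names), the following script splits a 15-digit IMEI into TAC, serial and check digit, recomputes the Luhn check digit the way the text describes, and triages the several IMEIs a multi-SIM handset returns from *#06#. It assumes only the 15-digit layout given in the text; the sample IMEIs are constructed (the first is the textbook value from the paragraph above, the second has its check digit altered).

```python
"""IMEI structure check: TAC / serial / Luhn check digit (added example)."""


def luhn_check_digit(body: str) -> int:
    """Luhn check digit for a string of decimal digits.

    For an IMEI, body is the first 14 digits (TAC + serial). Walking from the
    right, the first digit met is doubled, because the check digit will take
    the rightmost position of the finished 15-digit IMEI.
    """
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9           # same as summing the two digits of the product
        total += d
    return (10 - total % 10) % 10


def parse_imei(imei: str) -> dict:
    """Split a 15-digit IMEI into TAC, serial and check digit and verify Luhn.

    Separators such as spaces or dashes (as printed on a SIM tray or box) are
    ignored. Raises ValueError when the result is not exactly 15 digits.
    """
    digits = "".join(ch for ch in imei if ch.isdigit())
    if len(digits) != 15:
        raise ValueError(f"expected 15 digits, got {len(digits)}: {imei!r}")
    tac, serial, check = digits[:8], digits[8:14], digits[14]
    expected = luhn_check_digit(digits[:14])
    return {
        "imei": digits,
        "tac": tac,                  # Type Allocation Code, assigned by the GSMA
        "reporting_body": tac[:2],   # first two TAC digits: GSMA Reporting Body Identifier
        "serial": serial,
        "check": check,
        "expected_check": str(expected),
        "luhn_ok": int(check) == expected,
    }


def triage_imeis(imeis: list) -> list:
    """Run parse_imei over every IMEI a multi-SIM handset returned from *#06#.

    Malformed entries stay in the output with luhn_ok=False and an "error"
    field so that one bad radio does not abort the triage of the others.
    """
    out = []
    for raw in imeis:
        try:
            out.append(parse_imei(raw))
        except ValueError as exc:
            out.append({"imei": raw, "luhn_ok": False, "error": str(exc)})
    return out


if __name__ == "__main__":
    # Constructed sample values, not real seized devices.
    for row in triage_imeis(["49-015420-323751-8", "490154203237510", "4901542032"]):
        print(row)
```

A failed Luhn check tells you only that the string is not a well-formed IMEI; the TAC resolution in step 3 is what ties a well-formed IMEI to a make and model, so record both results in the seizure notes.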

CEIR (Central Equipment Identity Register) is the Indian national IMEI registry, operationalised nationwide in 2023 after a pilot in Maharashtra and Karnataka in 2019 to 2020. It is the equivalent of the GSMA's global IMEI blacklist, with Indian operator participation enforced by DoT. Sanchar Saathi is the citizen-facing portal that fronts CEIR for lost-device blocking, unblocking on recovery, and a "Know Your Mobile" check that resolves an IMEI to make, model and KYC status. NCRB Crime in India 2022 reported over 32,000 mobile-related cyber offences registered under IT Act sections, a large share of which involve IMEI tampering or stolen devices reflashed for resale. For the examiner, a CEIR query is now a standard pre-examination step on any seized handset whose chain of custody includes a theft component.

SIM swap fraud, IMSI catchers and the TRAI 24-hour cool-off

SIM swap is the most common Indian mobile-fraud pattern that crosses into criminal forensic work. The playbook has four steps. The fraudster collects the target's MSISDN, name and a piece of KYC data (often from a leaked database or a phishing site). The fraudster walks into a retailer with a forged ID and requests a SIM replacement, claiming the original is damaged. The retailer files the request with the operator. The operator, after KYC verification, deactivates the original SIM and activates the new one in the fraudster's hand. OTPs for the victim's bank account, UPI app and email then route to the new SIM, and the fraudster drains the accounts within minutes.

The TRAI directive that constrains this playbook is the 24-hour SMS-and-call bar after a SIM replacement. The TRAI Mobile Number Portability Regulations 2009 and subsequent amendments require operators to bar incoming and outgoing SMS and voice on a swapped SIM for the first 24 hours after activation. This is the regulatory speed bump that gives a victim a window to file a complaint and the operator a window to reverse the swap. The fraud succeeds when the victim does not notice for the full 24 hours, which is why most successful Indian SIM swaps are timed for weekends and long holidays.

IMSI catchers, also called Stingrays after the Harris Corporation product, are rogue base stations that impersonate a legitimate BTS to force nearby handsets to register. The handset attaches to the strongest signal; a rogue BTS with sufficient signal strength wins the registration. The catcher then reads the IMSI in cleartext during the registration exchange, or downgrades the handset to 2G to defeat MILENAGE authentication. Indian use is documented but not officially acknowledged; civil society reports under RTI have surfaced procurement records for IMSI catcher hardware by several Indian central agencies. For the examiner, the relevance is defensive: a 2G-only attach pattern in a handset's last-cell logs, in an area with 4G coverage, is a possible IMSI-catcher indicator. Detection tools include AIMSICD (Android IMSI Catcher Detector) and SnoopSnitch on rooted Android.
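The defensive indicators named above (a 2G attach in an area where the handset has already used 4G, rapid re-registrations, and a cell that only ever appears during 2G attaches) can be scored mechanically over a handset's last-cell log. The following is an added example, not code from the original page and not the output format of AIMSICD, SnoopSnitch or any other tool; it assumes a constructed whitespace-separated log of registrations (timestamp, RAT, MCC, MNC, location or tracking area code, cell id), and the sample lines are constructed. None of the indicators is conclusive on its own, which is why the function reports each one separately rather than a verdict.

```python
"""Indicator scoring over a constructed handset attach log (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: an LTE handset in one tracking area briefly attaches to a
# 2G cell that never appears under LTE, then returns to its usual LTE cell.
SAMPLE_LOG = """\
2024-03-02T10:00:05 LTE 404 45 1A2B 00ABC01
2024-03-02T10:05:10 LTE 404 45 1A2B 00ABC02
2024-03-02T10:06:00 GSM 404 45 1A2B FFFF
2024-03-02T10:06:30 GSM 404 45 1A2B FFFF
2024-03-02T10:07:00 LTE 404 45 1A2B 00ABC01
"""


@dataclass
class Attach:
    ts: datetime
    rat: str     # LTE, UMTS or GSM as logged
    mcc: str
    mnc: str
    area: str    # LAC (2G/3G) or tracking area code (LTE) as logged
    cid: str


def parse_attach_log(text: str) -> list:
    """Parse the constructed log format into Attach records, oldest first."""
    recs = []
    for line in text.strip().splitlines():
        ts, rat, mcc, mnc, area, cid = line.split()
        recs.append(Attach(datetime.fromisoformat(ts), rat, mcc, mnc, area, cid))
    return sorted(recs, key=lambda r: r.ts)


def find_indicators(recs: list, window: timedelta = timedelta(minutes=2),
                    max_registrations: int = 3) -> list:
    """Return (record index, indicator code) pairs; an empty list means none fired."""
    findings = []
    lte_areas = set()
    for i, r in enumerate(recs):
        area = (r.mcc, r.mnc, r.area)
        # 2G attach in an area this handset has already had LTE service in.
        if r.rat == "GSM" and area in lte_areas:
            findings.append((i, "downgrade_2g"))
        # At least max_registrations registrations inside the trailing window.
        recent = [x for x in recs[: i + 1] if r.ts - window <= x.ts <= r.ts]
        if len(recent) >= max_registrations:
            findings.append((i, "rapid_reregistration"))
        if r.rat == "LTE":
            lte_areas.add(area)
    # A cell id seen only during 2G attaches, in a log that otherwise shows LTE.
    lte_cells = {r.cid for r in recs if r.rat == "LTE"}
    reported = set()
    if lte_cells:
        for i, r in enumerate(recs):
            if r.rat == "GSM" and r.cid not in lte_cells and r.cid not in reported:
                findings.append((i, "2g_only_cell"))
                reported.add(r.cid)
    return findings


if __name__ == "__main__":
    for index, code in find_indicators(parse_attach_log(SAMPLE_LOG)):
        print(index, code)
```

For a real case the log itself is the artefact: preserve the handset's cell-ID and last-cell records and hash them before running any scoring over a copy.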

Practice

An Indian SIM card shows an IMSI of 405854000123456. Which operator MNC family does this belong to, and what does the leading 405 indicate?

Frequently asked questions

Can a 3G or 4G SIM be cloned the way 2G SIMs could?
Not under current public cryptanalysis. 2G SIMs running COMP128-1 were cloneable by an attacker with physical access to the card and a few hours of compute, because COMP128-1 leaked Ki under chosen-challenge attacks. COMP128-2, COMP128-3, and the MILENAGE family used by 3G USIMs and onward are not known to be cloneable in this way. The practical Indian fraud path today is SIM swap (social-engineering the operator into issuing a fresh SIM with the same MSISDN), not cloning.
What is the difference between IMSI and MSISDN, and why does it matter in a CDR query?
IMSI is the subscriber identity on the network, stored on the SIM and in the HLR; it is what authenticates the SIM to the AuC. MSISDN is the phone number, the dialable identifier the user knows. Two SIMs can in principle share an IMSI lineage during a swap, but only one is active. A CDR query by MSISDN returns rows for whichever SIM was active at the time of the call. A CDR query by IMSI returns rows for that specific SIM regardless of MSISDN reassignment, which is the more reliable query when port-in or swap activity is suspected.
How does CEIR differ from the operator's own EIR?
An EIR is per-operator: it carries the IMEI whitelist, greylist and blacklist that one operator (Airtel, Jio, Vi, BSNL) uses to grant or deny service. CEIR is the national registry that aggregates and synchronises across all Indian operators, so an IMEI blocked through CEIR on a Sanchar Saathi complaint is refused service by every Indian operator within 24 to 48 hours. CEIR was operationalised nationwide in 2023 after the Maharashtra and Karnataka pilots.
Is an IMSI catcher detectable from the handset side?
Partially. Open-source tools like AIMSICD (Android IMSI Catcher Detector) and SnoopSnitch (which requires a rooted phone with a Qualcomm baseband) flag a set of indicators: forced 2G attach in a 4G area, unencrypted paging, cell ID and neighbour-cell anomalies, and frequent re-registrations. None of these are conclusive on their own, but a stack of them in a clean radio environment is a reasonable working signal. For a forensic case, the cell-ID and last-cell logs on the seized handset are the artefact to preserve.
What does a Section 94 BNSS notice to an Indian operator typically yield for a mobile case?
Subscriber details (KYC document on file, alternate number, address), the SIM history (activation date, port-in or port-out history, replacement requests), CDRs for the period requested (called and calling numbers, duration, cell ID, IMEI used), tower dump (all IMSIs that registered on a given cell ID in a window) on case-by-case basis, and SMS metadata (headers, sender, recipient, no content). Content of SMS and call audio is generally not retained by Indian operators and is not returned under a Section 94 notice.
Why are WAP and i-mode still worth understanding if both are dead?
Because the syllabus tracks historical breadth, and both protocols anchor a generation of legacy device evidence that an examiner may still meet on a recovered older handset (a Nokia or a feature phone seized in a long-pending case). WAP browser caches and bookmarks survived on older feature phones and have been admitted as evidence in pre-2015 Indian cases. i-mode is a Japan-only edge case but is the standard contrasting example to WAP in textbook question sets.
Where does this topic fit in the broader Module 6 sequence?
It is the foundation. The handset acquisition workflows, the mobile network attack patterns, the cloud and backup extraction layer, and the wireless network attack chapter all assume you can name the architecture, the identifiers and the regulatory framing taught here. Read this first, then move into the [acquisition toolkit topic](/topics/digital-forensics/mobile-phone-forensics-acquisition-jtag-chip-off-toolkits) and the [SIM swap, NFC and QR attack chapter](/topics/digital-forensics/wireless-and-mobile-network-attacks-sim-swap-nfc-qr).
