There has been an ongoing debate for several years within the UK RFPS (Radio Frequency Propagation Survey) or forensic RF survey community about the ‘best’ type of survey device to use – this simmering debate has been brought to the boil recently in a trial where the two sides (prosecution and defence) had widely divergent views on the topic.
There have traditionally been two classes of forensic RF survey device:
Phone emulators – these are test devices that are based on (or actually are) standard mobile phones – they work in the same way that a phone does, make the same cell selection decisions and, usually, also allow users to make test calls
Scanners – these are usually intended to be used by network operators and are designed to provide a list of the cells that can be detected and capture details of their received signal strength over time. They typically aren’t designed to perform cell selection
Before looking at the pros and cons of either option, let’s remind ourselves why we undertake forensic RF surveys in the first place: the objective of an RFPS survey is usually to determine whether calls made using particular cells could have been made when the subject was located at a particular location or in a particular area.
The methodology employed for a standard RFPS ‘location’ survey is therefore to go to a significant location (e.g. a crime scene or the address of a suspect) and check to see whether the cell(s) of interest could be used from there. RFPS practitioners are also often asked to undertake ‘coverage’ surveys, which seek to determine the footprint of the area within which a specific cell could be used.
Proponents of phone emulators insist that the results provided by this type of device are preferable because they take into account the cell selection actions that would be performed by a normal mobile device and therefore provide a guide to the ‘usability’ of each cell. Scanners, on the other hand, provide details of the strength of each cell, and so can only provide details of their ‘detectability’. This interplay between ‘usability’ and ‘detectability’ lies at the heart of the ‘scanners vs test phones’ debate
The key concept here is that of ‘serving’ cells: a serving cell is the cell that a mobile device would choose to use if it was asked to make a call – the cell selection algorithms employed by mobile devices usually (but not always) choose to use the cell that is providing the strongest signal at the time when it is asked to establish a connection. The ‘but not always’ component of the previous statement, the fact that the strongest cell might not always be the one that is selected to serve, is caused by subtle differences in the configuration of cells and of their selection parameters, and it is this aspect of RFPS that usually requires expert interpretation.
Let’s list the pros and cons of each of the survey methods and see if that brings us to any conclusions as to which is ‘best’:
These devices are usually built into a standard mobile phone or are constructed using individual modems that work in the same way as a normal mobile phone. Phone emulators capture and decode the broadcast control messages transmitted by the cells they are surveying and use this data to perform the same cell selection activities that a normal phone would undertake.
If the objective of an RFPS survey, the argument goes, is to emulate the actions of a suspect’s mobile device, then using a phone emulator offers that capability. Phone emulators are generally also able to make calls, send texts or connect to mobile data, so they offer the potential to make ‘test calls’. Test calls, again as the argument goes, add an extra dimension to a survey by capturing details of the cell(s) that actually served (e.g. the cells that were chosen to be used) at a location, rather than merely capturing details of cells that might have the potential to serve.
Pros: emulate the actions of the subject phone; provide an indication of the ‘usability’ of cells as well as their ‘detectability’; allow surveyors to make calls to test for usability
Cons: usually need to have a SIM inserted, each phone/unit can usually only survey one network/technology at a time meaning that complex surveys either take along time (using just a few phones or units) or are very costly because surveyors have to use multiple phones or units simultaneously. Surveys of all networks and all technologies at a location, using just a couple of test phones, can take several hours to complete; administrative complexity of purchasing and managing large numbers of SIMs
These devices are designed to operate over a wide area of radio spectrum and to capture details of all of the cells found there simultaneously. This means that even the most complex surveys can be undertaken in a few minutes. The more traditional type of scanner was designed to only capture the cell ID of cell that was detected during a scan and compile details of each cell’s received signal strength. The typical output of a scanner is a list of the cells that were detected in a time period, ranked in order of signal strength.
Pros: speed, complex surveys are completed in a fraction of the time required for phone emulators; completeness, scanners are often able to detect and report on cells that might be hidden (due to cell selection parameters) from phone emulators; administration, no requirement to purchase and manage large sets of SIMs for individual test phones.
Cons: cost, scanners are often very expensive (£/$/€100,000 or more); can report detectability and not necessarily usability; size, often too large to be hand-portable, meaning that they generally have to be vehicle-mounted, which limits the range of locations they can be used at
Traditional scanners (and I’ll come on to why I keep using the word ‘traditional’ a little later in this piece) are therefore able to show, for each surveyed spot location, the set of cells that were detected and their strengths. This allows RFPS surveyors to compile details of which cells were strongest at a location or to compile maps showing where particular cells were detected and of where they might be usable. So, in theory, results obtained from a scanner should be able to allow a surveyor to show that a particular cell should serve at a particular location, right?
Well…not definitively – the reasons for this go back to the ‘but not always’ caveat I inserted back in paragraph 6 – ‘the cell selection algorithms employed by mobile devices usually (but not always) choose to use the cell that is providing the strongest signal at the point when it is asked to establish a connection’
Knowing that a cell is strong enough to carry a connection isn’t the same as knowing that it actually serves. There are numerous reasons why a cell could be strong enough to serve but doesn’t – there may be a stronger cell locally, the cell may have been deliberately configured to deter phones from selecting it and many others.
Surveys performed using just a traditional scanner, that don’t use any input from phone emulators or that don’t use test calls, are only going to able to comment on the ‘detectability’ of the cells in question and won’t be able to comment, to an evidentially rigorous standard, on the ‘usability’ of those cells. There will be occasions where the data provided by a scanner could be as robust as that provided by a phone emulator – areas where there is only one cell detected (which must therefore be the serving cell), for example, but the interpretation of scanner data will struggle to offer concrete conclusions in areas where there are multiple cells, especially where there are multiple cells with roughly the same signal strength.
This isn’t to say that there’s no role for scanners in RFPS – if the objective of a survey is to list the cells that were detected at a location or to plot the overall area in which a cell could be detected, then data from scanners is perfectly acceptable. The big benefit of using a scanner is the efficiency and productivity gain it provides, by compressing into minutes the work that would require hours if discrete phone emulators were being used. For this reason, many practitioners promote the idea of hybrid surveys, where the general list of detectable cells is captured using a scanner and test calls, made with a phone emulator, help to determine which of those cells serve.
Indeed, recent years have seen the emergence of the ‘hybrid scanner’ (hence my insistence on referring to ‘traditional’ scanners earlier). A hybrid scanner provides the expected wide-spectrum capture capability but backs that up by capturing cell selection parameters from the detected cells and performing the same selection calculations that a phone emulator would undertake.
This seems to offer the best of both worlds: the speed and efficiency of a scanner with the empirical serving cell evidence provided by phone emulators – the only downside is that scanners, whether traditional or hybrid, tend to be expensive and are often beyond the purchasing power of cash-strapped, austerity-battered law enforcement agencies.
There’s an argument to say, and we support this, that the ever-growing complexity of the cellular RF environment – with new technologies, new radio bands and new challenges – will require RFPS practitioners to move to some form of scanner-based surveying in the near future, as the alternative will be to spend days at each location working through individual surveys with a set of phone emulators.
So, for us, the question for the future isn’t ‘what’s best, scanners or test phones?’ it is ‘what’s the best mix of scanners and test phones?’ to achieve the optimum balance between time, cost and accuracy.
I said at the start of this piece that this debate had heated up recently – my colleague Martin Griffiths was asked to provide an independent statement in a case where the prosecution (using phone emulators) and defence (using a scanner) had come up with wildly divergent coverage maps for the same set of cells. We’ve turned his report into a more general technical briefing note which we’ve published on our website here – if this short article has piqued your interest in this topic then please download the briefing paper for a more in-depth treatment.
We’re very keen to hear your opinions on all of this – if you want to comment, provide feedback, disagree with us or contribute in any way please email – firstname.lastname@example.org. If there’s a significant level of debate on this, we’ll publish it in a follow up blog.
Joe Hoy, September 2018