Abstract
A "pseudo base station" is a high-tech device that impersonates a carrier's base station and sends SMS messages to users from an arbitrary spoofed sender number; it is frequently used for financial fraud and commercial advertising. This paper presents an in-depth analysis of data forensics on pseudo base station devices. It introduces how a pseudo base station works, discusses the three major challenges it poses in forensics, proposes a basic framework and methods for pseudo base station data forensics, and describes a forensic framework that examines the pseudo base station's communication logs, software database, and software runtime environment. The GSMS pseudo base station is analysed in particular: the paper shows how the forensic method is applied to a real case and analyses the GSMS code in depth to explain why the count displayed in the software interface cannot be used. Finally, a test experiment with a GSMS pseudo base station verifies the theoretical framework of this paper from another angle.
A Pseudo Base Station, albeit high in technology, is a kind of illegal equipment that sends messages to nearby mobile phones from arbitrary sender numbers it creates at random. It impersonates a telecom operator's base station to communicate with the nearby mobile devices. The illegal use of this equipment poses a threat to national security and social stability. However, Pseudo Base Stations have not received much attention in forensic research and investigation until now. This paper attempts to analyze Pseudo Base Station data based on previous experience, beginning with an introduction to the basic background knowledge of Pseudo Base Stations. The second section describes the forensic challenges of Pseudo Base Stations and the reasons for them. A novel framework for analyzing Pseudo Base Stations is then proposed. It suggests three steps to obtain data from a Pseudo Base Station. First is to extract the "interrupted numbers" from the Pseudo Base Station system logs (OpenBTS.log or syslog). Second is to pick up the "sent IMSI numbers" from the Pseudo Base Station software database. Last is to extract user activities and system information from the Pseudo Base Station data. The fourth section of this paper is a case study. This section introduces how to conduct a forensic analysis on this type of Pseudo Base Station. It explains, based on an analysis of the source code, why the number shown in the user interface is wrong and should be rejected from the result. Moreover, a simulated experiment was designed using a GSMS "Pseudo Base Station" to send text messages to nearby mobile phones, verifying the proposed method by comparing the received data with the examined results.
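The three-step framework above (log extraction, database extraction, cross-check against the interface figure) as an added example that is not code from the paper or from any pseudo base station software. The log line layout, the `sms_log` table schema, the IMSI values and the displayed count are all constructed assumptions; real OpenBTS or GSMS data will need its own parser.

```python
import re
import sqlite3

# Constructed sample data in a hypothetical layout (not OpenBTS or GSMS format).
LOG_LINES = [
    "10:00:01 INFO  page IMSI=460001234567890 result=OK",
    "10:00:02 WARN  page IMSI=460001234567891 result=INTERRUPTED",
    "10:00:03 INFO  page IMSI=460001234567892 result=OK",
    "10:00:04 INFO  page IMSI=460001234567892 result=OK",
    "10:00:05 WARN  page IMSI=460001234567893 result=INTERRUPTED",
]
DB_ROWS = [  # rows the station's software wrote to its own database (constructed)
    ("460001234567890", "sent"),
    ("460001234567892", "sent"),
    ("460001234567893", "sent"),  # logged as interrupted, yet recorded as sent
]
UI_DISPLAYED_COUNT = 7  # figure shown on the software's interface (constructed)
LOG_RE = re.compile(r"IMSI=(\d{15}) result=(\w+)")

def parse_log(lines):
    """Step 1: split log entries into delivered and interrupted IMSIs (deduplicated)."""
    delivered, interrupted = set(), set()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        imsi, result = m.groups()
        (delivered if result == "OK" else interrupted).add(imsi)
    return delivered, interrupted

def load_sent_imsis(rows):
    """Step 2: read the 'sent' IMSIs from the software database (in-memory SQLite)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE sms_log (imsi TEXT, status TEXT)")
    con.executemany("INSERT INTO sms_log VALUES (?, ?)", rows)
    sent = {r[0] for r in con.execute("SELECT imsi FROM sms_log WHERE status='sent'")}
    con.close()
    return sent

def reconcile(lines, rows, ui_count):
    """Step 3: cross-check sources; only IMSIs corroborated by both go into the report."""
    delivered, interrupted = parse_log(lines)
    sent = load_sent_imsis(rows)
    return {
        "corroborated": sorted(delivered & sent),       # in both log and database
        "db_only": sorted(sent - delivered),             # database says sent, log does not
        "interrupted": sorted(interrupted - delivered),  # never delivered according to log
        "ui_matches_evidence": ui_count == len(delivered & sent),
    }
```

Running `reconcile(LOG_LINES, DB_ROWS, UI_DISPLAYED_COUNT)` shows two corroborated IMSIs against an interface count of seven, which is the kind of discrepancy that leads the paper to reject the displayed number.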
Source
Forensic Science and Technology (《刑事技术》), 2015, No. 6, pp. 435-439 (5 pages)
Funding
Key Project of the Ministry of Public Security Technology Research Program (2015JSYJA01)