From southakj@oz.uc.edu Thu Apr 13 09:00:07 2000
Newsgroups: alt.phreaking
Subject: Re: Tracing (correct me if you see fit)
From: southakj@oz.uc.edu (Kamal Southall)
Date: 13 Apr 2000 16:00:07 GMT

In article <8ctc49$map$1@nnrp1.deja.com>,
Hawkeye 6.49  <hawkeye649@my-deja.com> wrote:

First, a disclaimer.  This is what little I know, it is a broad topic and my knoledge is scant.  If
you see any innacurate information, then PLEASE correct it, preferably in an, um, polite tone :-)

>In article <sf1u9le8cqv52@corp.supernews.com>,
>  "Wirtanen" <yogi@innercite.com> wrote:
>> Is it possible to trace a phone call or cell phone like the police
>>do

>of course it is, they do it in the movies don't they? your silly!

The question was silly and your answer was silly, and your sig (while containing some interesting
quotes) was far too long.


Phone calls are traced a number of ways.  On Modern Lucent ESS or Nortel DMS switches the
originating number of a call and its destination number remains in the switches scratchpad memory
for the duration of the call, both are written to AMA tapes for billing.

On calls outside of the area that your central office services;

Every call placed generates an ANI message, on older networks ANI is transmitted via MF tones
(KP-I-ANI-ST), on a SS7 network its transmitted via a special high speed data link.  The destination
switch receives the ANI for your line, tracing you is a matter of looking this up, if your call
was bounced through multiple switches, for example if you are an authorise user of a WATS extender
(or unauthorised, oh me, oh my) - a cheap prepaid calling card is an example here - or if you are an
authorised user (ditto) connected to a PBX's port and dialing out through its DISA feature, then
often your ANI won't be transmitted, often the ANI of the system that you are dialing out from will
be.  So the trace will stop at the ANI for the port of the WATS extender that you came from, then
one can start the trace from the switch that services the actual line that the WATS number is mapped
on, and its switch may have your orginating number in its memory, or it may be retrieved from
billing tapes.

One one has the number for your line it is simply a matter of finding the line's ID and locating it
on your central office's distribution frame (asumeing that the line is not briged to another line
on the frame).

Wireless calls are absurdly easy to trace.  Cordless phones, use a directional yagi cut for the
frequency of the phone, cell phones, ditto - plus with surplus cell site equipment you can determine
which cell a person is in from the diagnostic messages, urban cells are often very small, you may
have multiple towers within a 4 or 5 block distance from each other (I've seen closer) so if you
know a person's cell you roughly know their location (in, say, a couple of square miles) so from
then one uses a directional antenna and signal strength meter to narrow in on the transmitting
signal.

Satellite phone calls are also not to hard to locate *with* the right equipment, this is how the
hero of the Chechen resistance, Dhokar Dudayev, was killed a few years ago, he was transmitting from
an Inmarsat terminal (I think ) and he remained on his phone a few seconds longer than he should
have, the Russians fired an anti-radiation missile at him, what these things do is to hone in on
sources of strong RF energy, microwave transmissions and the like, they are used to take out Radar
terminals and the like.

Lesson learned ? You can't hide very well online without going through non trivial methods of
operational security, all calls , well most of them (not all, but most) can be traced given enough
time and persistance.

So thats how they do it in the movies and real life (well, not quite, but...)

-- 
"Keep your old bank statements; throw away    | cute naif for hire
your old core dumps." -`The Console Cowboy'   | southakj@email.uc.edu
                                              | http://oz.uc.edu/~southakj
                                pgp 2.6.2 key on request.