Detection, Analysis, and Interpretation of Fake Base Stations (IMSI Catchers) in Mobile Forensics

Written by Blogger

June 18, 2025

Guest Blogger: Haydar Yener Arıcı

A crime does not always begin with the sound of a trigger; sometimes it starts with a darkened screen, the silent relocation of a SIM card, or a device unknowingly connecting to the wrong party. Fake base stations (IMSI Catchers/Stingrays) are among the leading threats that operate silently and leave no trace. Today, these technologies are used not only for illegal surveillance but also for digital identity theft and data exfiltration. For a mobile forensic expert, these devices are not just technical anomalies but digital echoes within silence that need to be traced.

2. Technical Detection of Fake Base Stations

Fake base stations imitate legitimate cellular networks to trick mobile devices into connecting to them. Since devices automatically prefer the strongest signal, this redirection is often unavoidable. However, the forensic analysis begins right at this point.

2.1 Detection Methods

  • BTS Behavior Anomaly: Legitimate base stations broadcast periodically, while fake ones may aggressively and continuously request IMSI values.
  • LAC/TAC Inconsistency: Inconsistent Location Area Codes (LAC) or Tracking Area Codes (TAC) in the same geographical area may point to a suspicious base station.
  • Signal History and Encryption Drop: Sudden switches to 2G and an increased frequency of TMSI renewals should be monitored.
  • Spectral Anomaly: Fake BTS devices may use artificially amplified signal strengths, which can be revealed through spectral analysis.

2.2 Application Notes

  • Deep-level analysis can be conducted on Android devices with root access using tools such as SnoopSnitch.
  • As fake BTSs are often mobile and temporary, timing is of critical importance.
3. Tracing with Forensic Software

Mobile forensic software can analyze not only content but also base station history, BTS identifiers, and events such as LAU/TAU.

3.1 Commonly Used Software

| Software | Features |
| --- | --- |
| Cellebrite UFED | IMSI/IMEI/TMSI matching, connection logs, base station history analysis. |
| Paraben E3 | Correlates mobile app behavior with suspicious BTS; focuses on app-level analysis rather than raw network traffic. |
| Magnet AXIOM | TAU/LAU events, SIM movements, and base station connection correlations. |

3.2 Analysis Notes

  • Prioritize meaningful traces over data overload.
  • Interpret in conjunction with timelines, signal strength, and location data.
4. Interpretation and Forensic Reporting

Technical findings become evidence only when contextualized meaningfully. Below are example analyses associated with event chains.

4.1 Case Examples

  • Example 1 – Location Hopping: A SIM card active in Istanbul at 20:32 appears under a different LAC three minutes later. Physical movement is impossible.
    Interpretation: The device was redirected via a mobile fake BTS; likely used to collect IMSI.
  • Example 2 – Forced 2G Downgrade: A device on LTE switches to 2G for one minute, during which an OTP SMS is sent. Paraben E3 analysis shows encryption was disabled.
    Interpretation: The SMS content may have been intercepted.
  • Example 3 – Attacker’s Own Trap: The same device appears in six different regions. Cellebrite analysis shows short-range, high-power signals.
    Interpretation: The device may be acting as an IMSI Catcher. However, this requires hardware modifications.

4.2 Reporting Recommendations

  • Combine witness statements and location data with technical logs.
  • Cross-verify with operator data.
  • Ensure time correlations are validated using NTP synchronization.
5. Event Timeline – IMSI Catcher Scenario

| Time | Event | Technical Description |
| --- | --- | --- |
| 19:58:45 | LTE connection active | MCC: 286 / MNC: 01, Encryption: EEA1 |
| 20:02:11 | LTE signal weakens | RSRP drop, sudden cell reselection |
| 20:02:14 | 2G connection established | LAC mismatch, no authentication |
| 20:02:16 | IMSI request sent | IMSI exposed directly |
| 20:02:20 | NULL encryption active | Device left vulnerable |
| 20:02:41 | SMS containing OTP sent | Content potentially intercepted |
| 20:03:18 | BTS connection ends | Fake BTS disengaged |
| 20:03:27 | Return to LTE network | TAU triggered |
| 20:04:05 | Mobile banking login | Timeline correlation critical |
| 20:04:58 | Cellebrite logs acquisition begins | Retrospective analysis initiated |

6. Comparative Table – Real vs. Fake Base Stations

| Feature | Real Base Station | Fake Base Station |
| --- | --- | --- |
| Hardware | Licensed operator equipment | Open-source/modified hardware |
| MCC/MNC | Genuine country/operator | Spoofed, LAC/CID inconsistencies |
| IMSI Request | GUTI/TMSI prioritized | Requests IMSI directly |
| Encryption | Mandatory (e.g., EEA1/EEA2) | NULL or absent |
| Authentication | Mutual authentication | One-way or bypassed |
| TMSI Renewal | Infrequent | Frequently forced |
| Cell ID – LAC Match | Geographically consistent | Often inconsistent |
| Signal Behavior | Balanced, stable | Sudden spikes, unstable |
| Network Type Switching | Stable LTE/5G | Forced downgrade to 2G |
| Forensic Access | Operator records | No records, unverifiable |

7. Forensic Practice Recommendations

  • Device logs (RSSI, RSRP) should be analyzed in detail.
  • Connections that suddenly exhibit NULL encryption must be reviewed carefully.
  • Following IMSI request detection, all subsequent events should be chronologically mapped.
  • Sudden Cell ID switches within the same LAC are anomalous.
  • Spectral analysis is recommended after identifying fake BTS activity.

Fake base stations are not merely invisible digital attack vectors; they are silent tools of identity theft. A mobile forensic analyst must not only examine logs, but also listen to the scream hidden within silence. To detect this scream, precise technical analysis, timeline contextualization, and appropriate tool selection must come together. Because in forensics, the most dangerous thing is often what appears as if nothing happened—yet changed everything.
