Call Data Extraction

w0rd3 edited this page Feb 12, 2024 · 5 revisions

Correlating Audio Files to Call Data

This is still more of an art than a science, as not every SETUP packet will necessarily be captured for every call. For best results, try a call that begins with the phone ringing.

Assumptions:

  • You have run iridium-parser.py against your .bits file and have a full .parsed file ready to go
  • You have run reassembler.py against this full .parsed file with the -m lap option, resulting in a pcap file with gsm packets
  • You have run voc-cluster.py against your .parsed file and have individual call-[call_id].wav and .parsed files
  • You have identified a voice call you want to run additional analysis on.

Workflow:

  1. Stitch together any audio clips from the target call using sox, listing the clips in chronological order:

sox call-[call_id0].wav call-[call_id1].wav call-[call_id2].wav [output file].wav

  2. Stitch together the corresponding .parsed files using cat, in the same order as the audio clips:

cat call-[call_id0].parsed call-[call_id1].parsed call-[call_id2].parsed > [output file].parsed

  3. Use tshark to get the timestamps of SETUP packets together with their calling/called phone numbers (the awk filter drops frames that carry neither number):

tshark -r [full pcap].pcap -Y gsmtap -T fields -e frame.time_epoch -e gsm_a.dtap.clg_party_bcd_num -e gsm_a.dtap.cld_party_bcd_num | awk '$2 $3 ~ /./'

  4. Run call_time.py against the target stitched .parsed file:

./call_time.py [target call].parsed

Your output will look something like:

First Epoch: 1707658532 UTC: 2024-02-11 13:35:32
Last Epoch: 1707658563 UTC: 2024-02-11 13:36:03
Call Duration: 31 secs

  5. Manually correlate the 'First Epoch' timestamp with the epochs in the tshark output. Bear in mind this time won't be exact, but the matching SETUP should be within a few seconds of the FIRST RING.

  6. When you think you have a match, run date -u -d @[epoch from tshark] '+%Z %F %R:%S' as a sanity check to confirm the times line up in a human-friendly form.
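The correlation in steps 5 and 6 above can be scripted instead of done by eye. The following is an added example written for this page, not a tool from iridium-toolkit: it parses the three-column output of the tshark command (epoch, calling number, called number, tab-separated), applies the same filter as the awk expression, reads the First/Last Epoch lines printed by call_time.py, and lists SETUP frames within a configurable window of the first epoch, closest first, together with the same human-readable UTC form that `date -u` would print. The tshark lines and call_time.py output embedded below are constructed sample data, and the phone numbers in them are placeholders.

```python
#!/usr/bin/env python3
"""Match call_time.py's first epoch against SETUP timestamps from tshark.

Added example for the Call Data Extraction wiki page; not part of iridium-toolkit.
"""
import re
from datetime import datetime, timezone

# Constructed sample of `tshark ... -T fields` output (tab-separated).
# Column order: frame.time_epoch, gsm_a.dtap.clg_party_bcd_num, gsm_a.dtap.cld_party_bcd_num.
# The first line carries no number at all and is dropped, exactly as awk '$2 $3 ~ /./' does.
SAMPLE_TSHARK = (
    "1707658500.123456\t\t\n"
    "1707658530.512000\t111111111111\t\n"
    "1707658531.004000\t\t222222222222\n"
    "1707658700.000000\t333333333333\t\n"
)

# Constructed sample of call_time.py output (same format as shown on this page).
SAMPLE_CALL_TIME = (
    "First Epoch: 1707658532 UTC: 2024-02-11 13:35:32\n"
    "Last Epoch: 1707658563 UTC: 2024-02-11 13:36:03\n"
    "Call Duration: 31 secs\n"
)


def parse_tshark_fields(text):
    """Return [(epoch, calling, called)] for frames that carry at least one number."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        epoch = float(parts[0])
        clg = parts[1] if len(parts) > 1 else ""
        cld = parts[2] if len(parts) > 2 else ""
        if not (clg or cld):          # same condition as awk '$2 $3 ~ /./'
            continue
        rows.append((epoch, clg, cld))
    return rows


def parse_call_time(text):
    """Extract (first_epoch, last_epoch) from call_time.py output."""
    first = re.search(r"First Epoch:\s*(\d+)", text)
    last = re.search(r"Last Epoch:\s*(\d+)", text)
    if not first or not last:
        raise ValueError("call_time.py output missing First/Last Epoch lines")
    return int(first.group(1)), int(last.group(1))


def find_setup_candidates(first_epoch, rows, window=10):
    """SETUP rows within +/- window seconds of first_epoch, closest first.

    The window is an assumption: the page only says 'within a few seconds'.
    """
    hits = [(abs(e - first_epoch), e, clg, cld)
            for e, clg, cld in rows if abs(e - first_epoch) <= window]
    hits.sort()
    return [(e, clg, cld) for _, e, clg, cld in hits]


def to_utc(epoch):
    """Same rendering as: date -u -d @EPOCH '+%Z %F %R:%S'."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("UTC %Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    first, last = parse_call_time(SAMPLE_CALL_TIME)
    print(f"audio: {to_utc(first)} .. {to_utc(last)} ({last - first} secs)")
    for epoch, clg, cld in find_setup_candidates(first, parse_tshark_fields(SAMPLE_TSHARK)):
        print(f"SETUP {to_utc(epoch)} (+{epoch - first:.1f}s)  clg={clg or '-'}  cld={cld or '-'}")
```

To use it on real data, replace the two constructed samples with the tshark output (saved to a file) and the text printed by call_time.py; tshark's default `-T fields` separator is a tab, which the parser relies on, so do not pipe the tshark output through awk first, since awk reformats whitespace-separated fields. Frames far outside the window are discarded deliberately: a SETUP several minutes away belongs to another call.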


tshark cheats*

Run these on the output of reassembler.py with -m lap option.

Phone Number Extraction

tshark -r path/to/pcap.pcap -Y gsmtap -T fields -e frame.time_epoch -e gsm_a.dtap.clg_party_bcd_num -e gsm_a.dtap.cld_party_bcd_num | awk '$2 $3 ~ /./'

SMS Extraction

tshark -r path/to/pcap.pcap -Y gsm_sms -T fields -e frame.time_epoch -e gsm_sms.tp-oa -e gsm_a.dtap.cld_party_bcd_num -e gsm_sms.sms_text | awk '$3 ~ /./'

*Rob VK8FOES (http://www.youtube.com/@RobVK8FOES) posted the tshark commands on his channel that became the basis for these cheats.