An Introduction to SIGINT - Signals Intelligence
Introduction to Signal Analysis
A common "police scanner" is one of the most potentially useful tools a hacker-survivalist could have. Scanners have come a long way from bulky, crystal-controlled affairs with a handful of channels. Contemporary scanners fit in the palm of your hand, have a thousand keyboard-programmable channels, and have wide-band frequency coverage from 100 kHz to 2 GHz. Certain models even have the ability to follow communications on trunked radio systems used by government and business. For the uninitiated, a scanner is a VHF/UHF communications receiver that has the ability to step through multiple channels, or "scan", stopping on a frequency it detects traffic on. Scanners monitor frequencies used by government agencies, the military, public safety, emergency services, utility companies, businesses, and wireless telecommunications devices. Some of the more deluxe units even cover the "HF" shortwave region. While the use of digital communications systems and encryption is on the rise, there is still plenty of monitorable activity for the foreseeable future.
The military has an entire discipline dedicated to the collection of intelligence by monitoring communications: COMINT (Communications Intelligence). COMINT is a subset of SIGINT (Signals Intelligence). The military gives COMINT a "Top Secret/SCI" security classification, but it can be done by any individual with a clue and a $100 receiver available at a pawn shop. There is plenty of information available via open sources on the net and elsewhere. Back in my "reserve component" days, I was giving this E-7 98C (a Sergeant First Class SIGINT Analyst, for you civilians) in my unit a ride in the old "Russian Trawler Crown Vic", and remember the dead silence that resulted after explaining the vehicle's "commo package" (consisting of an Icom IC-2000 2 meter mobile, Kenwood TK-805D UHF mobile, Uniden HR-2510 10 meter mobile, VHF low-band Motorola Maxtrac, and Realistic PRO-2026 scanning receiver). Another neat little-known fact about military SIGINT is that in order to become a SIGINT Analyst one not only has to have a very high ASVAB score, but must also receive a qualifying score on the AAT (Analytical Aptitude Test), which has a 90% "failure" rate among those tested. Anyway, if you're interested in non-classified material on intelligence analysis, download a copy of Army Field Manual FM 34-3.
There's a lot of good equipment out there, and selection is pretty much a matter of personal preference and operational requirements. For those living in areas whose public safety agencies use a Motorola or GE/Ericsson trunked system, my recommendation would be the Uniden (Bearcat) BC-245XLT Trunktracker. This handheld is a refinement of the excellent BC-235XLT, which was only capable of monitoring Motorola systems. If you're looking for a really small wide-band unit with great audio, examine the Icom R-2. This unit has coverage from 500 kHz to 1300 MHz (minus cellular). The Uniden BC-3000, Icom R-10 and Alinco DJ-X10 are also nice full-featured wide-band handheld units. There are also computer-controlled units such as the Winradio, Icom PCR-1000, and Optoelectronics Optocom. While they are great hacker-type units, I tend to lean away from them for the simple reason that you can't throw them in a tool bag or briefcase, take them out somewhere, and have them ready to go.
Due to Federal law, there are no new scanners with cellular phone coverage available in the United States to ordinary civilians. Those of you looking for a unit with unrestricted 800 MHz coverage will have to check out used equipment sources such as hamfests and pawn shops. The two models that still reign supreme are the Realistic PRO-2006 base and PRO-43 handheld. Good luck finding one. These days, scanners sold by Radio Shack are not only overpriced, but lacking in performance. There are much better sources available. The one thing, however, that I would get from Radio Shack is a copy of the book Police Call. It is one of the best frequency directories you will find for any given area, along with the FCC's web site. (More on that in a moment.) A particular area might have a locally published directory, like The Official Connecticut Scanner Frequency Directory. Your local radio shop will most likely have information regarding directories that may go into greater detail than Police Call for your area.
Eventually, the serious scanner hobbyist gets the urge to go beyond listening to the standard, widely available public safety and business frequencies. They get the desire to look for the good stuff that you will not find listed in Police Call or any of the other scanner frequency directories. The object of the hobbyist's listening might also be something mundane, like the local mall security force, but a search through the directories fails to uncover their operating frequency. In either of these situations, the hobbyist can resort to the various techniques detailed in this article to acquire an elusive frequency.
There are two basic approaches to finding frequencies. The first approach is to go on an electronic fishing expedition. This is how hobbyists operate most of the time. You simply take a small piece of the frequency spectrum that your radio is capable of receiving and listen to see what you can find. The second approach is to pick a specific target to be the focus of your monitoring attention and attempt to find the frequencies they use. During the course of using this second approach you will find other users, which you might find interesting later. I recommend that you use the first approach once in a while. Knowing the usual activity around you will help you determine how far you can listen and, especially important, notice when a transmission out of the ordinary appears. I recommend you acquire frequency directories for your area. The most common one is Police Call. Police Call is available at Radio Shack or by mail order. It is excellent for public safety listings, but only average when it comes to identifying businesses. There are other excellent directories available for particular local areas.
For hobbyists in the states of Connecticut, New York, and Massachusetts I recommend Scanner Master and Official (insert name of state) Frequency Guide frequency directories. The best federal frequency directory in print form still remains the Top Secret Registry of US Government Radio Frequencies. If you have access to the Fidonet scanner message base, Roger Cravens periodically posts his very large, superlative list of federal frequencies to that message base. A frequency directory will identify the normal users of an area. This is useful in preventing you from wasting hours analyzing a common signal, when you should be analyzing something else.
The tool that every monitoring hobbyist has is the "search" function on their scanner. Most of them, however, do not know how to use it. You should know the frequency band that your target uses. You should have an idea of where in that band they would be operating. You should search probable areas in small sections.
Knowing what band a target operates on could be a matter of general knowledge. If your local police's dispatch channel is on VHF-high band, then it is a good bet their unlisted tactical channel is also there. It can also be determined by looking at the antennas on vehicles, unless the vehicle has a disguised antenna. A VHF-low band antenna will be a 60 to 100 inch whip or a 35 inch whip with a 5 inch coil on the bottom. A VHF-high band antenna will be either an 18 inch whip or a 40 inch whip with a 3 inch coil on the bottom. UHF band antennas will be either a 6 inch whip or a 35 inch whip with a plastic band in the middle. 800 MHz antennas are either a 3 inch whip or a 13 inch whip with a "pig tail" coil in the middle. A cellular phone antenna is a common example. I suggest ordering the catalogs of various antenna manufacturers to get a visual idea of what antennas on each of the bands look like. You can do the same thing with handie-talkie antennas. A VHF-low band antenna will be about a foot long. A VHF-high band antenna will be about six inches long and about as thick as your index or middle finger. UHF antennas will be either 6 inches long and slender compared to the VHF-high band antenna, or three inches long. 800 MHz antennas are about an inch and a half long.
Once you know the frequency band, you determine where in that band they might be operating. In most non-federal cases this is as easy as looking at the Consolidated Frequency List in the back of Police Call. The two types of users you might have problems with are police departments and the federal government. Police departments can use any public safety frequency for "tactical" communications on a non-interference basis. The FCC also licenses local government services on frequencies allocated to a different service, if the frequency does not already have a licensee assigned to it. For example, a fire department might be licensed on a frequency allocated for highway maintenance. The Interdepartment Radio Advisory Committee (IRAC) handles licenses for the federal government. IRAC listings have been exempt from the Freedom of Information Act since 1983. The mundane agencies have been using the same frequencies for the past 13 years, but some of the more interesting ones have changed frequencies. The IRAC listings in the Consolidated Frequency List are still fairly accurate. Remember that they are only fairly accurate.
You should search a range that takes three to five seconds to cover at the scanner's fastest speed. This seems to be the average duration for a radio transmission. Let's say you are searching the VHF-high band with a scanner that does 50 steps a second. Channel spacing for VHF-high band is 5 kHz. You should search your target areas in sweeps of 750 kHz to 1.25 MHz. Search a range for one to two weeks at different times to catch everything in that range.
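As an added example (not from the original article), the sweep-sizing rule above in code: it works out the width one pass covers from step rate, channel spacing and dwell time, the reverse check of how long a given range takes per pass, and splits a band into ranges of the right width. The band edges used are a constructed sample, not figures from the article.

```python
# Added example: size scanner search sweeps so that one pass over a range
# takes about as long as a typical transmission (3 to 5 seconds), using the
# article's VHF-high figures of 5 kHz spacing and 50 steps per second.


def sweep_width_khz(steps_per_sec, spacing_khz, dwell_sec):
    """Width of the range one pass covers in dwell_sec at this scanner's speed."""
    return steps_per_sec * spacing_khz * dwell_sec


def pass_time_sec(range_khz, steps_per_sec, spacing_khz):
    """Seconds one pass over range_khz takes; over ~5 s and short calls get missed."""
    return range_khz / (steps_per_sec * spacing_khz)


def channels_per_sweep(steps_per_sec, dwell_sec):
    """How many channels the scanner steps through in one pass."""
    return steps_per_sec * dwell_sec


def plan_sweeps(start_mhz, stop_mhz, steps_per_sec, spacing_khz, dwell_sec):
    """Split [start_mhz, stop_mhz] into search ranges sized for dwell_sec.

    Returns (lo_mhz, hi_mhz) tuples; the last range may be narrower.
    """
    width_mhz = sweep_width_khz(steps_per_sec, spacing_khz, dwell_sec) / 1000.0
    sweeps = []
    lo = start_mhz
    while lo < stop_mhz:
        hi = min(lo + width_mhz, stop_mhz)
        sweeps.append((round(lo, 4), round(hi, 4)))
        lo = hi
    return sweeps


if __name__ == "__main__":
    # Constructed sample band edges (MHz), not a listing from the article.
    for lo, hi in plan_sweeps(154.0, 156.5, 50, 5, 4):
        print(f"search {lo:.4f}-{hi:.4f} MHz "
              f"({pass_time_sec((hi - lo) * 1000, 50, 5):.1f} s per pass)")
```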
One little-known trick is to use one of those old tunable public safety band receivers that predate scanners. An example would be the Realistic PRO-2. It covered 30-50 MHz and 152-174 MHz. You can pick one up at a flea market or hamfest for as little as $5. Radio Shack still sells a "multiband portable" (12-649) that covers the aircraft and VHF-high bands, but at $100 I think it's overpriced. While these units lack the sensitivity and selectivity of a scanner, they are excellent for doing high-speed searching. Once you get a hit, you will have narrowed the possible frequency range down to roughly 500 kHz. You then use your scanner's search function to find the exact frequency. They are also good dedicated single-channel receivers for things like NOAA weather radio and the local fire department's dispatch frequency. If you ever find an old multiband portable that covers UHF-TV, remember that channels 70-83 are now the 800 MHz public safety, business, and cellular phone band.
If a signal is in your location's coverage area and your scanner is capable of receiving the frequency, you will eventually find it by searching. This will take time if you do it properly. If you are in a situation where you desire a faster approach, you can use a frequency counter.
A frequency counter is probably one of the most useful tools a SIGINT hobbyist can own. A frequency counter works by locking on the strongest radio signal in an area and displaying its frequency. I strongly suggest that you bite the bullet and buy the Optoelectronics Scout if you are going to get into this facet of SIGINT. Other frequency counters cost less, but lack the features the Scout possesses. These features make a world of difference between simply being a piece of test equipment and being a SIGINT tool. The Scout will automatically capture a frequency, and store up to four hundred of them in memory. When the Scout captures a frequency, it will either beep or discreetly vibrate. In each of these memories, the Scout stores up to 255 hits. This lets you know how active a given frequency is. The Scout has a CI-V interface. The CI-V interface connects to a PC for automatic frequency logging, or to a receiver for reaction tuning. With reaction tuning, the receiver automatically tunes to the frequency the Scout captures. I used a Radio Shack frequency counter for SIGINT work before I bought a Scout. It had adequate sensitivity, but required constant viewing and a quick writing hand in order to use effectively. It was also very difficult to use while driving.
Frequency counters work in a radio transmission's near field. This means that you will generally have to be within one thousand feet of the target transmitter in order to acquire the frequency. The following table shows the average distances one will acquire a particular type of transmitter:
1.2 GHz 3 watt radio
870 MHz 3 watt cellular phone
UHF 1 watt radio
FM wireless microphone
VHF-high band 1 watt radio
46/49 MHz cordless phone
27 MHz 5 watt CB
There are a few things you can do to enhance a frequency counter's operation. The first technique involves antenna usage. The standard telescoping whip is good for many operations, but you can do better. With the standard whip antenna, the Scout will pick up a cellular phone at approximately one hundred fifty feet. Hook it up to a 5/8 wave 800 MHz antenna, and the range increases to approximately three hundred feet. A high-gain antenna designed for the band of interest will increase your range on desired frequencies and reduce interference from undesired ones. If you use a directional antenna, such as a yagi, you will be able to select a particular target location to investigate, and eliminate interference from another location. The second technique is using filters. Filters block out undesired frequency ranges and pass desired ones. An FM broadcast notch filter is very useful. Optoelectronics sells the N100, which I recommend. FM broadcasters are a major source of undesirable interference, and having one nearby will cause your counter to lock up on the broadcast station's frequency.
By using these techniques, you will find the frequencies you desire. How quickly you find a frequency depends on your skill as a SIGINT hobbyist and how much the target uses their radios. You can acquire a target such as a mall security force in as little as thirty seconds. This was how long I had to loiter near a help desk with a frequency counter before a security officer keyed up a radio. Some of the less active federal agencies can take a week or two before you can tag them. If you do not find the frequency, there are two possibilities. The first is that your target either does not use radios or uses them very infrequently. I will assume that your target does indeed use radio communications. The only solution to tagging an infrequent radio user is persistence and patience. Eventually they will key up and you will have their frequency. The second possibility is that you found their frequency, but failed to identify it properly. Learn who operates on what frequency ranges. Listen to what you have found during previous SIGINT attempts over a period of time to determine who it is you have found. My SIGINT experiences have taught me that sometimes the true nature of the parties using a frequency may take a while to become apparent. Certain users use encrypted or spread spectrum (frequency hopping) communications. Receiving spread spectrum communications is at this time beyond the ability of the average hobbyist. As I write this I can hear some of my phriends telling me "Let's not go there." A little birdie told me, however, that a certain radio hobbyist organization in Connecticut publishes an excellent introductory-level technical text. Encrypted communications not only present a similar technical difficulty, but are also illegal to listen to under the Electronic Communications Privacy Act. Encrypted communications system users will sometimes have equipment difficulties and operate in the clear. A patient listener will wait for this opportunity.
I find the thrill of exploring the airwaves to see what I can find to be one of the more enjoyable aspects of my monitoring hobby. There are so many different users of the radio spectrum, spanning a broad range of operations, that it's impossible to become bored. Every time I activate the search function on my scanner, I seem to discover something new. I hope that this article will let you share the thrill of this exploration.
Introduction to Signal Analysis
In past installments of Private Sector SIGINT, I have discussed the techniques of finding frequencies, certain frequency ranges that may yield desirable results when searched, various pieces of equipment that are of assistance to the SIGINT hobbyist, and some of the more interesting users of the RF spectrum. Now, as Bruce Bethke said in his novel Headcrash, "Welcome to the next level."
For this column, we will assume that you, in the course of your SIGINT hobby, have come across a genuine unidentified ("unid") user while searching the spectrum. You've checked all the scanner frequency lists, e-mail lists, web sites, and Usenet postings and have come up with nothing. You wish to identify the unid, and determine the extent of its communications network. To do this, you ask the following questions:
The first five characteristics are noted as soon as you discover the unid. You will have some initial information about the others, but as time goes on you will acquire more information. What you should be doing now is noting what information you do have on the unid. Some people like using a computer database, others like 3x5 index cards. The more info you have, the easier it'll be to identify the unid.
The frequency in question can help tell you the approximate range, extent and purpose of the unid's communications net. For example, the VHF low-band would likely be used for regional communications between base stations and maybe mobile units. UHF, on the other hand, would be for short-range tactical-type communications between several mobiles and portables. UHF portables are limited to a few miles. A VHF low-band base station can communicate a couple hundred miles under the right circumstances. What other identified users operate on nearby frequencies? For example, the Connecticut State Police employ several frequencies in the 42 MHz region that they are licensed for. They also use a number of frequencies in the same region for covert purposes that are not licensed. When the band conditions are right and the skip comes in, you'll hear both their operations and SP communications from across the country on the same frequency.
PL/DPL tones are another identifier. Knowing the PL/DPL tone of an unid enables you to cross-reference it to other frequencies. If a police department uses a certain PL on their repeater, and an unid with surveillance activity is noted on the same band with the same PL, then it's quite possibly an unlisted channel for that police department. Knowing how many different PL/DPL tones are in use on a given frequency tells you approximately how many different nets, or distinct groups of communicators, are active on that freq. On a low-power portable frequency such as 154.600 MHz, users will use a "unique" PL/DPL tone so they don't have to hear everyone else. There are only a limited number of PL/DPL tones, however, so duplication by different nets is inevitable. Other users won't want to spend the extra money for radios with PL/DPL capability, run without it, and tolerate the other users on the channel breaking their squelch. If you hear an unid running DPL, then you can be 99% sure they are running real "commercial land mobile" equipment. There are only a couple of ham rigs, such as the Yaesu FT-50, that have DPL.
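As an added example (not from the original article), a tone decoder for the cross-referencing described above: it picks out which PL (CTCSS) tone is riding under an audio sample with the Goertzel algorithm, reports a weak or absent tone as carrier squelch, and counts the distinct tones heard on a frequency as a rough count of nets. The audio is a constructed test signal and the 20:1 decision ratio is an assumed threshold.

```python
# Added example: decode the sub-audible PL (CTCSS) tone under received audio
# and count distinct tones on a frequency. Pure Python, no real recording.
import math

# The 38 standard EIA CTCSS ("PL") tone frequencies, in Hz.
CTCSS_TONES = [
    67.0, 71.9, 74.4, 77.0, 79.7, 82.5, 85.4, 88.5, 91.5, 94.8, 97.4, 100.0,
    103.5, 107.2, 110.9, 114.8, 118.8, 123.0, 127.3, 131.8, 136.5, 141.3,
    146.2, 151.4, 156.7, 162.2, 167.9, 173.8, 179.9, 186.2, 192.8, 203.5,
    210.7, 218.1, 225.7, 233.6, 241.8, 250.3,
]


def goertzel_power(samples, sample_rate, freq_hz):
    """Energy of `samples` at one frequency (Goertzel algorithm)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq_hz / sample_rate)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_pl_tone(samples, sample_rate, min_ratio=20.0):
    """Return the PL tone under the audio, or None for carrier squelch.

    The strongest tone slot wins only if it carries min_ratio (assumed)
    times the mean energy of the other slots; leakage from voice alone
    stays far below that, so a carrier-squelch signal comes back as None.
    """
    powers = {t: goertzel_power(samples, sample_rate, t) for t in CTCSS_TONES}
    best = max(powers, key=powers.get)
    if powers[best] == 0.0:
        return None                      # dead silence: nothing to decode
    others = [p for t, p in powers.items() if t != best]
    mean_other = sum(others) / len(others)
    if mean_other == 0.0 or powers[best] / mean_other >= min_ratio:
        return best
    return None


def count_nets(tone_log):
    """Distinct PL tones heard on one frequency: a rough count of nets."""
    return len({t for t in tone_log if t is not None})


def make_test_audio(sample_rate, seconds, pl_tone=None):
    """Constructed audio: three voice-band sines, plus an optional PL tone
    at about 15% of full scale, roughly where a sub-audible tone sits."""
    out = []
    for i in range(int(sample_rate * seconds)):
        t = i / sample_rate
        x = (0.3 * math.sin(2 * math.pi * 440 * t)
             + 0.2 * math.sin(2 * math.pi * 880 * t)
             + 0.1 * math.sin(2 * math.pi * 1200 * t))
        if pl_tone is not None:
            x += 0.15 * math.sin(2 * math.pi * pl_tone * t)
        out.append(x)
    return out


if __name__ == "__main__":
    fs = 8000
    heard = [detect_pl_tone(make_test_audio(fs, 1.0, tone), fs)
             for tone in (100.0, 123.0, None, 100.0)]
    print("tones heard:", heard, "-> nets on this frequency:", count_nets(heard))
```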
Most radio communications businesses maintain "community repeaters". The license for the system is in their name, and they rent airtime to various businesses and organizations. The individual users will not be licensed, instead running under the radio shop's license. Each subscriber will be assigned his or her own PL/DPL tone on the repeater. The community repeater is being replaced with SMR (Specialized Mobile Radio) trunked systems, although they are still widespread. Motorola sold all their commercial SMR systems to Nextel, who is gradually taking them off the air and replacing them with iDEN (digital) systems. This has prompted many radio users to seek out alternatives to Nextel. Many radio shops are setting up 400 MHz LTR trunked systems, which will eventually replace their community repeaters. LTR is an open protocol. This not only means a wide availability of equipment for the business offering these services, but equipment for the monitoring enthusiast as well. There are also a few commercial SMRs running the GE/Ericsson EDACS system on 800 MHz, and 800 MHz Smartnet systems that are not owned by Nextel. Each system can have several dozen users on it, making them a nice challenge for the monitoring hobbyist who wishes to map them out.
If an unid is scrambled, you will at least know whether the scrambling method is analog or digital. If they are using a simple single-frequency inversion method, then it is possible, although illegal, to descramble their communications and proceed. If they are using something advanced such as DVP, DES, or Rolling Code, then you will not be able to monitor the actual communications. You will still at least be able to note how often the frequency sees activity, and the signal strengths of the stations communicating. Voice encryption is often subject to failure, and you might catch a station operating in the clear if you monitor long enough.
At this point, you have all the immediate characteristics of the unid noted down. The rest is just a matter of time. The remaining questions you have in identifying the user are:
All these will eventually answer the main question, "Who am I listening to?" The best thing to do at this point is take a receiver and dedicate it to the given frequency. You can acquire basic 16-50 channel scanners for under $100 at flea markets, pawn shops, and hamfests for this purpose. If you want 24 hour monitoring of the frequency, attach a VOX-operated tape recorder to the scanner. Many scanners come equipped with a "tape out" jack for easy connection. Otherwise, go to Radio Shack and pick up one of the suction cup telephone microphones. This is normally attached to a telephone receiver by the earphone to record phone calls. Attach it near the speaker of the scanner. Experiment to find the best place to attach it to the scanner. For those of you who really want to get into things, Bill Cheek's Scanner Modification Handbooks contain a wealth of information on modifying your scanner to make SIGINT easier. You can add event counters to see how many times the frequency breaks squelch, time-stamping for monitored communications, and a whole host of other enhancements.
You will be able to initially discern IDs used on the frequency and the signal strength (even if approximate) of the stations on the net. You will also know what they are saying if it's in a language you can understand, although you might get a little tripped up on any specialized jargon. Log it all down. Eventually you'll also be able to recognize the voices of the various people on the frequency, and match them to IDs. The signal strength of each user will tell you approximately how far away they are from your location, and whether they are base or mobile/portable stations. Consistent signal strength will indicate a base station or repeater. Mobile and portable stations will have varying signal strengths and often "mobile flutter" on their signal.
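As an added example (not from the original article), a small work-up of the kind of log described above: given constructed entries of (minute, unit ID, S-meter reading), it tallies transmissions per ID, calls steady signals base/repeater and fluctuating ones mobile/portable, scales the squelch breaks to an hourly rate, and names the likely dispatcher. The spread threshold and minimum sample count are assumed rules of thumb, not figures from the article.

```python
# Added example: turn a hand-kept unid log into station profiles. The
# classification rule (steady signal = base/repeater) follows the article;
# the numeric thresholds are assumed.
from statistics import mean, pstdev

# Constructed log for one unid frequency: (minutes since log start,
# ID heard, S-meter reading). A real log would come off the dedicated receiver.
SAMPLE_LOG = [
    (0, "base", 9), (2, "unit 3", 4), (3, "base", 9), (5, "unit 3", 7),
    (9, "base", 9), (10, "unit 7", 2), (12, "unit 7", 6), (14, "base", 9),
    (20, "unit 3", 3), (21, "base", 9), (25, "unit 12", 5),
    (27, "unit 7", 1), (28, "base", 9),
]


def station_profiles(log, max_base_spread=1.0, min_samples=3):
    """Summarise each ID: transmissions, mean S-reading, and whether the
    signal is steady (base/repeater) or fluctuating (mobile/portable).
    IDs heard fewer than min_samples times stay "unknown" rather than
    being called a base on the strength of a single reading."""
    readings = {}
    for _minute, unit, s_reading in log:
        readings.setdefault(unit, []).append(s_reading)
    profiles = {}
    for unit, values in readings.items():
        spread = pstdev(values) if len(values) > 1 else 0.0
        if len(values) < min_samples:
            kind = "unknown"
        elif spread <= max_base_spread:
            kind = "base/repeater"
        else:
            kind = "mobile/portable"
        profiles[unit] = {
            "transmissions": len(values),
            "mean_s": round(mean(values), 1),
            "spread": round(spread, 2),
            "kind": kind,
        }
    return profiles


def squelch_breaks_per_hour(log):
    """Activity level: transmissions heard, scaled to a 60-minute rate."""
    if len(log) < 2:
        return float(len(log))
    minutes = [m for m, _, _ in log]
    span = max(max(minutes) - min(minutes), 1)
    return round(len(log) * 60 / span, 1)


def likely_dispatch(profiles):
    """The steadiest and most talkative ID is usually the dispatcher/base."""
    bases = [u for u, p in profiles.items() if p["kind"] == "base/repeater"]
    if not bases:
        return None
    return max(bases, key=lambda u: profiles[u]["transmissions"])


if __name__ == "__main__":
    prof = station_profiles(SAMPLE_LOG)
    for unit, p in prof.items():
        print(f"{unit:8s} {p['transmissions']:2d} tx  S{p['mean_s']}  {p['kind']}")
    print("squelch breaks/hour:", squelch_breaks_per_hour(SAMPLE_LOG))
    print("likely dispatch:", likely_dispatch(prof))
```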
When listening to an unid with the intent of identifying it, two things you should listen for are locations and specialized trade jargon. They can be cross-referenced to assist in identifying the user. Street maps of your nearby locales are a good reference to have. I don't advocate "call chasing", going to the site of an incident that you've heard on your scanner. This can be dangerous, and complicates matters for public safety personnel who are working the incident. If, however, you've determined you are listening to an obviously civilian unid on a trunked system or community repeater who was just sent on a service call to a location that's a few blocks away from you, it would be a different matter. It would be worthwhile to take the dog for a quick walk to see whom you are listening to. On that note, information you discover on community repeaters or trunked systems is transitory in nature. The talkgroup or PL may belong to a different business next month.
If you listen long enough and pay attention to the communications you are receiving, you will identify the user. The amount of time will vary with the nature of the user and how often they are on the air. Once you identify the user, the rest is up to you. You can become quite intimate with the operations of a business by monitoring their communications. Monitoring local public safety communications will often give you a better handle on what's going on in your community than the local newspaper. The possibilities are endless. As an intellectual exercise, your SIGINT endeavors will be delving into such diverse areas as electronics, geography, sociology, research skills, and current events. At any rate, SIGINT analysis is a far better pastime than sitting in front of the television (although having CNN running in the background while you're working on something is a good idea). Chances are, you'll have some questions regarding communications systems or activities in your locale that could be answered by using SIGINT analysis. Some questions that might come to mind are:
Who are the users of local community repeaters and SMR systems?
What are the high crime areas in my community?
What are the most common crimes in my community?
What is the reliability of the local utility infrastructure (electrical, telephone, CATV, gas)?
"X" is obviously employing radio communications, but no license is listed for them. What's their frequency?
What frequencies and/or radio systems are the local public safety agencies using other than their publicly listed ones?
This article just scratches the surface of an activity that could easily take up a multi-volume book series. The best way a beginner can start is to just do it. Pick something, like a local community repeater or SMR system, and see how much information you can acquire on it. You might have some specific questions regarding a communications user or system you already have some information on, which you can go investigate. You might even be interested in something non-technical, such as crime statistics in your local community. Whatever your specific interest, remember that patience and persistence are good things, and will reap dividends far above and beyond your initial investment.