April 25, 2017


There may be occasions when the reader is on-scene at a location and needs to determine the extent of radio frequency spectrum usage. Elements of interest may include fixed, mobile, and portable assets over a typical frequency range of 25 MHz to 1.3 GHz.
In the United States, OSINT[1] can be used 99% of the time to determine the frequencies licensed at a particular location. The primary source is the FCC General Menu Reports page on the Internet. From there, the researcher can enter latitude and longitude coordinates to get a listing of all FCC licenses in a given location. This will not account for Federal Government radio transmitters, amateur radio repeaters, or transmitters that are unlicensed for whatever reason. It also will not tell the researcher which frequencies are actually transmitting at the location. To determine that, the researcher will need to conduct a field exercise.
The most common tool used for on-site frequency determination is a police scanner with nearby-signal detection capability. These are known by the trade names “Close Call” (Uniden/Bearcat), “Signal Sweeper” (Whistler), and “Signal Stalker” (Radio Shack). For the purposes of this article, they all function in the same manner and are referred to as “CC/SS.” With a Radio Shack #20-032 Magnet-Mount Scanner Antenna (or similar unit), the operator should be able to receive transmissions from a tower location at line-of-sight distances of up to one mile with the scanner's CC/SS function. Busy frequencies will be detected in short order; less active ones will take longer. Some CC/SS scanners have an auto-store feature that automatically records CC/SS hits into memory. A scanner with that function could be left in a hidden location and recovered at a later time. The disadvantages of using a CC/SS scanner are:
  1. The operator is limited to the frequency coverage of the scanner itself.
  2. The operator will be unable to detect certain digital signals.
A better solution would be to use a recording digital frequency counter such as the Optoelectronics Digital Scout. The Digital Scout has a frequency coverage range of 10 MHz to 2.6 GHz. In addition to detecting analog signals, it will detect TDMA[2], GSM[3], FHSS[4], APCO 25 (P25), ON/OFF keying, TETRA[5], RF remotes, RC controllers and other pulsed RF signals. It will detect an RF burst with a duration as low as 300 µs, and accommodates any RF modulation as long as zero crossings are produced by the RF carrier. Although not specifically mentioned by Optoelectronics, based on its specifications it should also be able to lock on to DMR[6] and NXDN[7] signals. The Digital Scout has 1000 memories, and can record up to 65,000 hits per memory. It can be used to Reaction Tune the following receivers:
  • Icom PCR1000
  • Icom R10
  • Icom R20
  • Icom R7000
  • Icom R7100
  • Icom R8500
  • Icom R9000
  • AOR AR8000
  • AOR AR8200
  • Optoelectronics Optocom
  • Optoelectronics OS456/Lite (for Radio Shack PRO-2005 and PRO-2006)
  • Optoelectronics OS535 (for Radio Shack PRO-2035 and PRO-2042)
  • Optoelectronics R11
Optoelectronics also makes near-field receivers that perform the same functions as CC/SS scanners with full-spectrum frequency coverage. Before the advent of CC/SS scanners, amateur SIGINT[8] operators used the Optoelectronics Xplorer. This is an FM-only unit with frequency coverage of 30 MHz to 2 GHz. This model is still in production along with the newer X Sweeper, which has frequency coverage of 30 MHz to 3 GHz. Optoelectronics products start crossing over into the realm of entry-level test equipment, and thus will outperform a CC/SS scanner in regard to their intended function.
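The workflow the preceding paragraphs describe, OSINT license lookup first and then a field check of what is actually transmitting, comes down to reconciling two lists: the licenses on file for the location and the hits a near-field detector recorded. The following Python is an added example, not code from the original article or from any scanner or counter vendor. The hit-log line format, the tolerance of 2.5 kHz for matching a counter reading to a licensed frequency, and the license table are all constructed assumptions; a real exercise would fill the table from the FCC search described above and the log from the detector's stored memories.

```python
import re

# Constructed near-field hit log (not from any real device): one hit per line,
# "ISO timestamp,frequency in MHz,mode,strength in dBm".
HIT_LOG = """\
2017-04-25T10:00:03,154.5700,FM,-71
2017-04-25T10:00:09,154.5700,FM,-70
2017-04-25T10:01:15,462.5625,FM,-82
2017-04-25T10:02:40,154.5720,FM,-69
2017-04-25T10:03:02,851.0125,P25,-77
2017-04-25T10:03:51,462.5625,FM,-85
2017-04-25T10:05:10,851.0125,P25,-76
2017-04-25T10:06:33,173.2250,FM,-88
garbage line the parser must skip
"""

# Constructed stand-in for the OSINT license list pulled for the location
# (what a license search by coordinates would return): MHz -> licensee.
LICENSES = {
    154.5700: "Example Hospital, business/industrial pool (constructed)",
    851.0125: "County public-safety trunked system (constructed)",
}

LINE_RE = re.compile(r"^(?P<ts>[\dT:-]+),(?P<mhz>\d+\.\d+),(?P<mode>\w+),(?P<dbm>-?\d+)$")


def parse_hits(text):
    """Parse hit-log lines into (timestamp, MHz, mode, dBm) tuples; skip junk lines."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append((m["ts"], float(m["mhz"]), m["mode"], int(m["dbm"])))
    return hits


def licensee_for(mhz, licenses, tol_mhz=0.0025):
    """Match an observed frequency to a license within assumed counter error (+/- 2.5 kHz)."""
    for lic_mhz, who in licenses.items():
        if abs(mhz - lic_mhz) <= tol_mhz:
            return who
    return None


def summarize(hits, licenses, tol_mhz=0.0025):
    """Group hits by frequency (within tol), count them, and label each group
    licensed or unknown. Returns rows sorted by activity, busiest first."""
    groups = []  # each entry: [representative_mhz, [hits...]]
    for hit in hits:
        for g in groups:
            if abs(hit[1] - g[0]) <= tol_mhz:
                g[1].append(hit)
                break
        else:
            groups.append([hit[1], [hit]])
    rows = []
    for mhz, hs in groups:
        rows.append({
            "mhz": mhz,
            "hits": len(hs),
            "modes": sorted({h[2] for h in hs}),
            "first": min(h[0] for h in hs),
            "last": max(h[0] for h in hs),
            "peak_dbm": max(h[3] for h in hs),
            "licensee": licensee_for(mhz, licenses, tol_mhz),
        })
    rows.sort(key=lambda r: (-r["hits"], r["mhz"]))
    return rows


def unknown_active(rows):
    """Frequencies active on site but absent from the license list: the gap
    that the license search alone cannot close."""
    return [r["mhz"] for r in rows if r["licensee"] is None]


if __name__ == "__main__":
    rows = summarize(parse_hits(HIT_LOG), LICENSES)
    for r in rows:
        print(f"{r['mhz']:9.4f} MHz  hits={r['hits']:2d}  peak={r['peak_dbm']} dBm  "
              f"{'/'.join(r['modes'])}  {r['licensee'] or 'NOT IN LICENSE LIST'}")
    print("active but unlisted:", unknown_active(rows))
```

The grouping tolerance matters in practice: a counter reading drifts a few kHz across hits, and without it the same channel would appear as several "different" frequencies and inflate the activity list. The rows flagged as unlisted are exactly the ones the article says a desk search cannot reveal, and they are the first candidates to hand off for identification.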

AOR is offering a “D” upgrade to their AR-8200MK3 that enables the demodulation of P25 signals. With this feature now available in a high-quality communications receiver, the optimal near-field signal detection receiver choice would be an AOR AR-8200D with an Optoelectronics Digital Scout. The combination of digital signal detection, extreme wideband frequency coverage, and P25 demodulation capability makes this the preferred system for detecting, discovering and demodulating nearby RF signals.

The author has been experimenting with near-field signal detection technology since Radio Shack introduced their handheld #22-305 Frequency Counter in the mid-1990s. Over the past 20 years he has used everything from the Radio Shack Frequency Counter to Optoelectronics Xplorers, to Close Call/Signal Sweeper scanners. His experience has shown that the most versatile setup has so far been the Optoelectronics Scout frequency counters Reaction-Tuning a handheld wideband communications receiver.

Regardless of the actual make and model of equipment in one's possession, having the capability to arrive at a location and determine the extent of tactical frequency use is an essential function of a SIGINT element. It should be one of the first capabilities a SIGINT element develops.

In addition to intercept equipment, a SIGINT element tasked with “on-scene” collection activity should be equipped with adequate STANO[9] capability. This can range from a simple pair of general-purpose 10x50 binoculars, to spotting scopes for long-distance observation, to NODs[10] for night-time operations. STANO equipment can be used to visually identify radio communications equipment and determine the frequency band(s) of operation based on the models of radio identified. This technique was proven successful at Ferguson, Baltimore, and more recently Burns. Burns was a prime example of the uneducated, perhaps ineducable, committing gross OPSEC[11] violations, and should serve as an important lesson to those readers who are serious students of such matters.
In addition to frequency counters and CC/SS scanners, spectrum analyzers and panadapter-equipped receivers such as the RTL-SDR can be used effectively for on-scene frequency identification. They may also be employed for the detection of non-communications emitters and a greater variety of spread spectrum communications. Prices on these devices have come down to where they are now easily affordable. They still, however, have a steeper learning curve compared to other equipment. Specifics on their field employment will be covered in a future article.

When conducting electronic intercept operations of any sort, proper compartmentalization is essential. The COMINT[12] intercept team should be divided into two separate elements. The first element (the acquisition element) concentrates on signal acquisition. Upon identifying an active frequency, the acquisition element passes the frequency and other electronic identifying information (mode, CTCSS/DCS[13] tone, et al.) to the second element. The second element (the collection element) is tasked with a brief identification of the frequencies via OSINT (if possible), and the ongoing collection of COMINT information.
An especially active location will require multiple operators in order to effectively fulfill the tasks of the acquisition and collection elements. Each acquisition operator may be assigned a different band or sector search depending on mission requirements, or a particular band may be assigned multiple operators depending on OSINT results. A particularly busy frequency may have a collection operator assigned specifically to it, as opposed to the usual SOP of an operator performing point searches of a small selection of frequencies. One acquisition operator should always be initially assigned to STANO if the opportunity for said activity is available. The key objective is to quickly and accurately acquire frequency information, and collect COMINT information in as complete and accurate a manner as possible.
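One item in the handoff record above, the CTCSS tone, can be determined from demodulated audio rather than read off a radio's display, which is what a collection operator needs when several users share one frequency and are distinguished only by their sub-audible tone. The following Python is an added example, not code from the original article: it measures the power of a short audio window at each frequency of a common 41-tone CTCSS set using the Goertzel recurrence (which, unlike an FFT bin, can be evaluated at the exact non-integer tone frequency) and declares a tone only when one entry clearly dominates the band. The audio is synthesized in the block and labelled as constructed; the 4 kHz sample rate, the 1-second window, the 10% tone level and the 50% dominance threshold are this example's assumptions. DCS, a digital code rather than a tone, is not handled here.

```python
import math
import random

# A common 41-tone CTCSS set (the EIA 38 tones plus 69.3, 229.1 and 254.1 Hz).
CTCSS_TONES = [
    67.0, 69.3, 71.9, 74.4, 77.0, 79.7, 82.5, 85.4, 88.5, 91.5, 94.8, 97.4,
    100.0, 103.5, 107.2, 110.9, 114.8, 118.8, 123.0, 127.3, 131.8, 136.5,
    141.3, 146.2, 151.4, 156.7, 162.2, 167.9, 173.8, 179.9, 186.2, 192.8,
    203.5, 210.7, 218.1, 225.7, 229.1, 233.6, 241.8, 250.3, 254.1,
]

SAMPLE_RATE = 4000  # Hz (assumed; the audio here contains nothing above 1 kHz)
WINDOW_SEC = 1.0    # a 1 s Hann window has a ~2 Hz main lobe, narrower than the 2.3 Hz tone spacing


def goertzel_power(samples, sample_rate, target_hz):
    """Power of `samples` at an arbitrary frequency via the Goertzel recurrence.
    The closed form is valid for any omega, so no rounding to an FFT bin grid."""
    omega = 2.0 * math.pi * target_hz / sample_rate
    coeff = 2.0 * math.cos(omega)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def hann(samples):
    """Hann window to keep voice-band energy from leaking into the sub-audible band."""
    n = len(samples)
    return [x * (0.5 - 0.5 * math.cos(2.0 * math.pi * i / n)) for i, x in enumerate(samples)]


def detect_ctcss(samples, sample_rate=SAMPLE_RATE, min_fraction=0.5):
    """Return the CTCSS tone (Hz) carrying most of the sub-audible band power,
    or None when no single tone dominates (carrier squelch, DCS, or no tone)."""
    windowed = hann(samples)
    powers = {f: goertzel_power(windowed, sample_rate, f) for f in CTCSS_TONES}
    total = sum(powers.values())
    best = max(powers, key=powers.get)
    if total <= 0.0 or powers[best] / total < min_fraction:
        return None
    return best


def synth_audio(ctcss_hz, seconds=WINDOW_SEC, sample_rate=SAMPLE_RATE, seed=1):
    """Constructed demodulated audio: a 1 kHz stand-in for voice, low-level
    noise, and optionally a low-amplitude CTCSS tone as a transmitter adds it."""
    rng = random.Random(seed)
    n = int(seconds * sample_rate)
    out = []
    for i in range(n):
        t = i / sample_rate
        x = math.sin(2 * math.pi * 1000.0 * t) + rng.gauss(0.0, 0.05)
        if ctcss_hz:
            x += 0.1 * math.sin(2 * math.pi * ctcss_hz * t)
        out.append(x)
    return out


if __name__ == "__main__":
    for tone in (100.0, 146.2, None):
        print(tone, "->", detect_ctcss(synth_audio(tone)))
```

The dominance test is what separates "tone present" from "no tone": with only noise in the band, the strongest of 41 candidates holds roughly a tenth of the total, so it never reaches the threshold, while a real tone at even 10% of full audio level holds nearly all of it. On a real receiver the discriminator output (not the speaker audio, which is usually high-pass filtered above 300 Hz) is the signal to feed in.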
The information acquired by acquisition and collection elements is passed along via secure means to the analysis element. While certain pieces of COMINT information may require little in the way of analysis for tactical intelligence purposes, a competent analysis team is needed for proper generation of strategic (long term) intelligence. The analysis element should be completely separate from the acquisition and collection elements, although they will be working closely together. Those with the aptitude who are interested in intelligence and traffic analysis may refer to the following publications:
  • Field Manual FM 34-3, Intelligence Analysis, March 1990 - U.S. Army
  • Field Manual FM 34-40-2, Basic Cryptanalysis, 13 September 1990 - U.S. Army
  • Technical Manual TM 32-250, Fundamentals Of Traffic Analysis (Radio-Telegraph), October 1948 - U.S. Army
The previous three publications may be found via the use of any Internet search engine, and downloaded in PDF format. Make sure to print them out, and add them to your library.
[1] Open Source Intelligence
[2] Time Division Multiple Access
[3] Global System for Mobile Communications
[4] Frequency Hopping Spread Spectrum
[5] Terrestrial Trunked Radio (formerly known as Trans-European Trunked Radio)
[6] Digital Mobile Radio, aka MotoTRBO
[7] Implemented by Icom in their IDAS system, and by Kenwood as NEXEDGE.
[8] Signals Intelligence
[9] Surveillance, Target Acquisition and Night Observation
[10] Night Optical/Observation Device
[11] Operational Security
[12] Communications Intelligence
[13] Continuous Tone Coded Squelch System/Digital Code Squelch. Known by Motorola as Private Line and Digital Private Line (PL/DPL). Bubble-pack radio users call them “privacy codes.”
