So how does an IMSI Catcher operate? Well, I have no idea and need to speculate. In contrast to a real network, it is only meant to be used by a few Mobile Stations (MS), it is supposed to be the most attractive cell, and by nature it should have more SDCCH than TCH.
The next step in thinking is to figure out how to achieve some of the above goals. As it should only work with a few handsets, the System Information might/should contain an Access Class allowing only certain IMSIs to attach, and one should see a lot of Location Updating Reject messages or unanswered messages. To be the most attractive cell, the signal strength should be higher than that of the others. The channel configuration might be guessable by looking at the RACH and seeing which kinds of channels are requested and assigned (keeping track of them).
The next thing would be to use a database like OpenCellID, or some other database, to check whether the LAC/CI has been seen in this area, and to compare the SI to the other SIs of the same operator...
I plan to start such a thing, as it is mostly about statistics and stochastics and I have become too rusty on these topics. The question is how likely (t-test) it is that this SIx is coming from the real network, and how likely it is that this RACH pattern is coming from the real network.
Any ideas and comments?
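A sketch of the scoring idea described above, as an added example that is not part of the original post: it checks the LAC/CI against a set of cells known for the area, computes Welch's t statistic for the SDCCH share of observed channel assignments against the operator's other cells, and looks at the share of rejected or unanswered Location Updating Requests. All cell identities, measurements, field names and thresholds are constructed assumptions, and the t statistic is compared to a fixed limit rather than converted to a p-value.

```python
from math import copysign, inf, sqrt
from statistics import mean, variance

# Constructed sample data (test PLMN 001/01), not real measurements.
# (MCC, MNC, LAC, CI) tuples a cell database lookup returned for this area.
KNOWN_CELLS = {(1, 1, 4711, 101), (1, 1, 4711, 102), (1, 1, 4711, 103)}
# Share of SDCCH among channel assignments per observation window,
# collected from the operator's known cells in the area.
BASELINE_SDCCH_SHARE = [0.42, 0.38, 0.45, 0.40, 0.44, 0.39, 0.41, 0.43]

def welch_t(sample, baseline):
    """Welch's t statistic and degrees of freedom (unequal variances)."""
    va = variance(sample) / len(sample)
    vb = variance(baseline) / len(baseline)
    diff = mean(sample) - mean(baseline)
    if va + vb == 0:  # both samples constant: no spread to test against
        return (copysign(inf, diff) if diff else 0.0), 0.0
    t = diff / sqrt(va + vb)
    df = (va + vb) ** 2 / (va ** 2 / (len(sample) - 1)
                           + vb ** 2 / (len(baseline) - 1))
    return t, df

def score_cell(cell, baseline=BASELINE_SDCCH_SHARE, known=KNOWN_CELLS,
               t_limit=3.0, reject_limit=0.5):
    """Return the reasons a cell looks unlike the real network."""
    reasons = []
    if cell["id"] not in known:
        reasons.append("LAC/CI not seen in this area")
    t, _df = welch_t(cell["sdcch_share"], baseline)
    if t > t_limit:  # one-sided: only an unusually high SDCCH share counts
        reasons.append("SDCCH share above operator baseline")
    lu = cell["lu_requests"]
    if lu and (cell["lu_rejects"] + cell["lu_unanswered"]) / lu > reject_limit:
        reasons.append("Location Updating mostly rejected or unanswered")
    return reasons

# Constructed observations: one ordinary cell, one that stands out.
OBSERVED = [
    {"id": (1, 1, 4711, 102), "sdcch_share": [0.41, 0.44, 0.39, 0.43],
     "lu_requests": 40, "lu_rejects": 1, "lu_unanswered": 0},
    {"id": (1, 1, 9999, 1), "sdcch_share": [0.90, 0.95, 0.88, 0.93],
     "lu_requests": 20, "lu_rejects": 15, "lu_unanswered": 3},
]

if __name__ == "__main__":
    for cell in OBSERVED:
        print(cell["id"], score_cell(cell) or "nothing unusual")
```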