How To Be An RF Detective!
By Jason Reilly
The word 'detective' is likely to conjure up all sorts of images. Images of the overworked, burger munching man, sitting in a dimly lit office trying to piece clues together to solve a case. Or the image of a tall, shadowy figure, stealthily stalking his 'prey', with a weapon concealed beneath a waist-coat in case the situation becomes a little too 'hot'. To a certain extent, both these images are valid for the creature we will now examine: the frequency detective.
The frequency detective is a person who works to solve the mysteries of the RF spectrum. Often, seemingly insignificant clues need to be pieced together to solve a mystery. Other times call for the frequency detective to hunt his prey, with the 'concealed weapon' being a scanner, of course.
At one time or another, most of us have heard a signal, an unknown signal, and wondered "who does that signal belong to?" Or you may have seen a user of a radio system, and tried to find out what frequencies they may use. Thus the frequency detective is born. There are various tools that are available to the frequency detective, some obvious, some not. The first is the radio. Most often this will be a scanner, but not always. This you will already have. The next tool needed is knowledge. Not knowing the RF spectrum in which you are snooping is a bit like setting out for a bushwalk without knowing where you are going. You would become lost very quickly! By its very nature, the shortwave part of the spectrum is constantly changing. This makes it a bit more difficult to keep track of things, when compared to the relative stability of the VHF/UHF bands. On the other hand, the VHF/UHF spectrum is constantly changing too, with old users disappearing, only to be replaced by new users, and new frequencies. Nevertheless, both on shortwave bands and the VHF/UHF bands, there are certain sections set aside for specific purposes. The VHF airband is a good example. On shortwave, there are sections devoted to broadcasting, maritime communications and so on. Of course, there may be 'pirates' who operate outside the guidelines, which makes listening very interesting indeed.
While not an expert on the shortwave bands, I'm told that the best way to learn the ways of this band is to concentrate on a chunk, usually 1 MHz, and listen at different times of the day and night, to get to know this chunk. Using this concentrated monitoring method is equally suitable for the VHF/UHF bands, and sometimes it is surprising what turns up. As a general guide to what you might expect to hear on the VHF/UHF bands here is a short breakdown of what's what:
- 29.700-46.000 MHz low power transmitters, cordless phones (naughty, naughty!), long haul communications, defence communications.
- 50.000-54.000 MHz Amateur 6 metre band.
- 70.000-87.500 MHz Commercial users, government, emergency services etc.
- 108.000-118.000 MHz Aircraft navigation beacon band.
- 118.000-137.000 MHz Aircraft communication band.
- 144.000-148.000 MHz Amateur 2 metre band.
- 148.000-149.250 MHz Pagers.
- 149.250-174.000 MHz Commercial users, government, emergency services, Trunking and point to point links.
- 225.000-400.000 MHz Defence allocations, includes some satellite communications.
- 403.000-420.000 MHz Commercial users, government, emergency services, Trunking and point to point links.
- 420.000-450.000 MHz Amateur 70cm band.
- 450.000-520.000 MHz Commercial users, government, emergency services and point to point links. Probably the busiest band in metropolitan areas.
- 820.000-960.000 MHz Trunking, mobile phones (naughty again!), links.
- 960.000 up mainly links, very little voice communications to be heard.
A better and more comprehensive breakdown of the spectrum was given by Russell Bryant in the May/June 1994 edition of 'Scanning 1994' in CBA.
But to get a real intimate look at the RF Spectrum in your area, we now introduce you to one of the most often used tools used by a frequency detective. The Frequency Register. This will list frequency by frequency, all the users of the VHF/UHF spectrum. As you can see, quite a handy tool. Now you can look up the user of a particular frequency or find frequencies belonging to a user. But what happens if the frequency or user you want isn't in the register?
This is where the real frequency detective work begins!
A real detective will spend time watching, observing and collecting information, so that a clearer picture of the mystery can be built up. For our frequency detectives, it is no different. If you hear a signal, the only clue you have is to listen to it to try to ascertain who the user is, or at least what the user is doing using the frequency. Or is it the only clue? Is the frequency being used as a repeater? Or is it simplex? Does the frequency seem shared with other non-related users? Where, in relation to the spectrum, is the signal being heard? Is it in a part of the band allocated for a specific use (aircraft, links, marine etc)? These questions can be answered fairly quickly, and already you will have more information on the user than first thought. You may even be able to judge how far away the signals are emanating from. If you have a directional antenna, you can even find out what direction the signal is coming from. If you are hearing the signal in a metropolitan area (where frequencies are at a premium) and there appears to be only one user, you could almost say that this user must be fairly important to hold up one frequency in a metropolitan area, and either has lots of money to pay for an exclusive licence, or has some other justification to do this. If the subject of conversations tends to chop and change, you have just found either a Trunking system, or a community repeater (i.e. a facility that is shared by more than one user).
Obviously, the conversations being held on the frequency will give you a clue as to who is using it. The general subject of conversation, any place names, instructions given on air will help to identify the user. Is a callsign mentioned? If so, is this the same callsign listed in your frequency register on another frequency? If it is then you've just nailed your first 'case'. After a while, you should be able to tell roughly what the frequency is being used for and you may have an idea as to where the signal is coming from, as well as place names being mentioned. But you can extract yet more clues.
If the frequency is being used as a link to a remote transmitter site, see if you can find that remote transmitter's frequency. If this is listed in your register, the identity of the user will now be known. How large does the fleet appear to be? You can gauge the size of the company or user of the frequency by listening to how many 'mobiles' or stations are heard.
OK, so now you have a few clues to go on with to find out who owns a signal that you hear, but what about finding out what frequencies belong to a user that you decide to 'target'? This is a little easier, and can sometimes prove more interesting. Obviously, you can look the required numbers up in a frequency register, and this is all well and fine, but again, if the user isn't listed, then other avenues have to be chased. Luckily, the scanner owner with a computer and modem has a secret weapon. By dialling up your local BBS (bulletin board system) you can log onto the Oz-Scan forum and there you will find many friendly people able to help. Don't despair, those of you who are computer-less or modem-less; there is plenty that can be done. One of the latest 'toys' to hit the market is the Optoelectronics R10 communications interceptor (reviewed in CBA Nov/Dec '94) which will allow you to hear any close-range transmissions without knowing the frequency. If you combine this with another of Optoelectronics' little gems, a handheld frequency counter, you will be able to intercept and locate almost anything that you can get close to. It almost takes the fun out of the challenge! For those with not so much cash to devote to such 'toys', there are other ways.
Firstly, if you look at the antennae used on the vehicles, you will be able to get an idea of the frequency band being used. For the VHF mid band (70-85 MHz) the most common antenna is either a stainless steel whip, or a fibreglass whip of roughly the same length. These will be between 102 cm and 84 cm (40 inch to 33 inch). The VHF hi band (156-174 MHz) has generally two types of antennae. The 1/4 wave in stainless steel or a ground-independent 1/2 wave antenna. The length of the 1/4 wave antennae will be between 46 cm and 41 cm (18 inch and 16 inch) and roughly double that for the 1/2 wave antennae. The 1/2 wave antennae will have a loading coil, encapsulated in plastic at the bottom of the whip. UHF bands (400-520 MHz) will probably have the greatest variety of antennae. For the 1/4 wave types (both in stainless steel or flexible rubber duck type) the lengths will be between 18 cm and 14 cm (7 inch to 5.5 inch). Other antennae are used, all with some form of loading coils somewhere in the antenna, with the 4.5dB type common. These types look very similar to those used for UHF CB.
With such a variety of antennae available for the various UHF bands, it may come in handy to know that many antenna manufacturers colour-code their whips according to the band in which they are designed to operate. It is either the band (which could be painted on or a sticker) or the plastic static cap that is coloured. The colour code is listed in the chart elsewhere. Glass-mounted UHF antennae are also available, and these will be around 50 cm long (20 inches). These look similar to the very common cellular phone antennae, but are longer. For the 800 MHz band, 1/4 wave antennae will be around 9 cm (3 1/2 inch) long. The high-gain antenna for this band will look like a miniature version of a UHF 4.5dB antenna. With some practice you will be able to glance at an antenna and say what band it operates on, maybe even what part of the band.
Let's say that you are visiting a special event, and want to find out the frequencies in use. Have a look at the antennae in use, and make an educated guess as to what band or bands are in use. Now comes the hard bit. Locating the exact frequency. This is made easier by the use of a cheap multi-band analogue radio. Using one of these radios, you can sweep across the band very quickly, and its lack of sensitivity means that only nearby stations will be heard. Tandy had a portable multiband called the Patrolman. This covers the VHF lo band (30-55 MHz), the VHF Hi band and part of the UHF band. Other multiband portables are generally available in only the VHF bands. After a few minutes of dial-twisting, you should be able to hear something nearby, and be able to guess its frequency to the closest megahertz. By placing a conventional scanner into search mode, searching around 1/2 to 1 MHz either side of the suspected frequency, you will quickly nail your wanted frequency. Keep listening with the portable, there may be more channels in use. By having the frequencies you find in the scanner's memory and scanning them while exploring with the analogue portable, you will be able to hear any further channels. If your portable hears something, with the scanner still silent, there are still more channels to be found.
Of course if you have one of those super-fast scanners (i.e. Uniden BC220 XLT) that can search the whole of the VHF hi or mid band in around 5 seconds, this can work quite well, too. Setting one of these loose to find your frequencies would come up with something very quickly indeed! For those of you who own a scanner that can receive Wide-FM (WFM) then you can effectively increase your searching speed by searching using Wide-FM in larger steps, 50 or 100kHz for example. By doing this, you effectively increase your scanner's bandwidth, and with the larger stepping, you will rip through the spectrum just that little bit quicker. Once a signal is located this way, all you have to do is to search in the immediate vicinity of that frequency using the proper mode (narrow FM or AM) to find the exact frequency. Be aware that this method won't work too well if you are searching in a crowded band and that the scanner's sensitivity won't be quite as good to weak signals.
The direct approach may well be the quickest way to find out what channels are in use. Asking a user 'what frequency does your radio operate on?' can have responses ranging from 'What on earth are you on about?' to 'yeah, sure, it's....' or at worst 'no, I can't tell you'. I used this method to obtain a supposedly 'confidential' frequency. It's worth a try, who knows, you may even introduce another person to the ranks of scanning.
Sometimes, a user will become aware that his frequencies are published in a frequency register, and may request that his entry not be recorded in the information from which the registers are derived, or the company may simply list the frequency under a parent or subsidiary company, to hide the identity of the user of a frequency. Here is where a telephone book can come in handy. Look up the company you are hunting, and check the adverts in the yellow pages. See if a parent or subsidiary company is listed. Look up any possibilities, and see if the radio-traffic on these channels sounds promising.
Speaking of unpublished frequencies, some of the users who DON'T want you to know what frequencies they use are: State police (especially Tactical Response type groups), Federal Police, Security companies, some government agencies such as ASIO and ASIS, visiting international VIPs' escorts, foreign embassies etc. It is rumoured that certain covert sections of the American Government sometimes use frequencies that are found between the guard-bands of television signals. It was even reported that 27 MHz CB was once used as backup communications on several raids. As they say: hide in plain sight. For any sensitive operations, these groups would employ some form of encryption to their radio communication. DVP (Digital Voice Protection) is a common encryption method, and from the sources I have, it is impossible to decode without the correct decode key. This could be any one of 26 trillion combinations, so it would be incredibly difficult to 'break'. Other companies are releasing similar encryption methods, and these are probably as secure as DVP. One method of encryption is called 'voice inversion' where all the high voice frequencies are transposed into low ones and vice versa. While this has the effect of making the communication unintelligible, it isn't as secure as DVP, since given suitable electronics (easily constructed at home) or a sophisticated computer-driven sound package, the signal can be decoded.
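Why voice inversion gives so little protection compared with a keyed system, shown as an added example that is not part of the original article: the scrambling step has no key and is its own inverse, so anyone who applies the same operation gets the clear audio back. The 8 kHz sample rate, the inversion point (a quarter of the sample rate) and the constructed two-tone test signal are assumptions made for the demonstration.

```python
import math

FS = 8000          # sample rate in Hz (assumed for this demo)
N = 800            # 0.1 s of audio, so every 100 Hz grid point is an exact DFT bin


def tone(freq_hz, n=N, fs=FS):
    """Constructed test signal: a pure tone standing in for one voice component."""
    return [math.sin(2 * math.pi * freq_hz * i / fs) for i in range(n)]


def invert(samples):
    """Spectral inversion about FS/4: negating every second sample moves a
    component at f to FS/2 - f. No key is involved."""
    return [-s if i % 2 else s for i, s in enumerate(samples)]


def power_at(samples, freq_hz, fs=FS):
    """Signal power at one frequency (single-bin DFT)."""
    re = sum(s * math.cos(2 * math.pi * freq_hz * i / fs) for i, s in enumerate(samples))
    im = sum(s * math.sin(2 * math.pi * freq_hz * i / fs) for i, s in enumerate(samples))
    return (re * re + im * im) / len(samples)


def dominant_hz(samples, fs=FS, step=100):
    """Strongest component, searched on a 100 Hz grid below Nyquist."""
    return max(range(step, fs // 2, step), key=lambda f: power_at(samples, f, fs))


def demo():
    # Constructed "voice": strong low component (700 Hz), weaker high one (2500 Hz).
    clear = [a + 0.5 * b for a, b in zip(tone(700), tone(2500))]
    scrambled = invert(clear)        # 700 Hz moves to 3300 Hz, 2500 Hz to 1500 Hz
    recovered = invert(scrambled)    # the same operation undoes itself
    return dominant_hz(clear), dominant_hz(scrambled), recovered == clear


if __name__ == "__main__":
    print(demo())
```

With a keyed digital system the receiver must hold the right key out of a very large space; here the only unknown is a fixed inversion frequency, which is why inversion hides speech from casual listeners but does not protect it.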
There are a few other techniques that can be employed to find frequencies or the user of a frequency, but these methods are questionable in their legality, and as such, I'll steer clear of this side of things.
Become friendly with a broad-minded (radio-wise) amateur radio operator; they can be a wealth of information, as can radio-technicians, especially those who have radio as a hobby and not just a career.
So there it is. You should now have a good start to becoming a frequency detective. Go get 'em!
