Towards 5G cellular network forensics
The fifth generation (5G) of cellular networks will bring 10 Gb/s user speeds, 1000-fold increase in system capacity, and 100 times higher connection density. In response to these requirements, the 5G networks will incorporate technologies like CUPS, NFV, network slicing, and CIoT. Each of these 5G features requires system adaptations to enable acquisition and forensic processing of cellular network evidence. This paper reviews the digital forensics mechanisms for Lawful Interception and user localization available in LTE and LTE-Advanced networks together with the associated evidence types, tools for forensic analysis, and supporting legal framework. The challenges and potential adaptations for retaining these capabilities in the future 5G networks are also discussed to outline the future research directions for cellular network forensics.
Keywords: Cellular networks, LTE/LTE-Advanced, 5G, Lawful Interception (LI), Lawful Access Location Services (LALS)
3rd generation partnership project
Assisted Global Navigation Satellite Systems
Angle of Arrival
Application programming interface
Access point name
Business support systems
Cellular service gateway node
Communications Assistance for Law Enforcement Act
Content of Communication
CC triggering function
Charging data records
Cell global identity
Communication service management function
Control and user plane separation
Domain name service
Digital signature standard
Evolved cell global identity
Extended coverage for GSM IoT
Enhanced cell ID
Electronic Communications Privacy Act
Extended discontinuous reception
Evolved machine type communication
EPC network initiated localization request
EPC network mobile terminating localization request
Evolved packet core
European telecommunication standardization union
Foreign Intelligence Surveillance Act
Global positioning system
Global system for mobile
Gateway tunneling protocol
Handover interface 1
Handover interface 2
Handover interface 3
Home subscriber system
HyperText transfer protocol secure
Interception Control Elements
International Mobile Equipment Identity
International Mobile Subscriber Identity
Internet of Things
Integrated Service Digital Network
ISO Transport Service on top of TCP (ITOT)—also referred to as TPKT
Interconnection Mobile Switching Center
Location area code
Location area identity
Lawful Access Location Services
Law enforcement agency
Law Enforcement Monitoring Facility
Lawful interception identifier
Location measurement units
LTE positioning protocol
Management and orchestration
Mobile edge computing
Mobility management entity
Mobile switching center
Mobile subscriber ISDN number
Narrow band IoT
Network functional virtualization
Network slice instance
NSI management function
Network slice subnet instance
NSSI management function
Open air interface
Omnibus Crime Control and Safe Streets Act
Operations support systems
Observed time difference of arrival
Packet data convergence protocol
Packet forwarding control protocol
Packet flow description
Public key certificate
Public land mobile network
Physical network function
Radio access network
Received signal time difference
Subscriber identity module
Service mobile location centers
SMS and gateway MSC
Short message service
Tracking area code
Tracking area identity
Transmission control protocol
Traffic detection function
Time To First Fix
User datagram protocol
Universal mobile telecommunication system
Uplink time difference of arrival
UMTS terrestrial radio access network
Virtual infrastructure manager
Virtual network function
Virtual network function manager
Cellular networks evolved through four generations and the fifth is projected for commercial roll-out in 2022. Currently, there are 7.5 billion worldwide cellular subscriptions, each generating 5 GB of traffic per month on average. The subscription and traffic volume is forecast to increase fivefold in the next 5 years, requiring 5G to accommodate 1000 times the system capacity of the current LTE/LTE-Advanced networks. The pervasiveness of cellular access implies that most crimes are, or will be, facilitated by cellular devices. To support legal processing, cellular network forensic investigations are necessary for obtaining critical evidence, especially in cases where it is infeasible to physically seize a cellular device or critical transient data is needed promptly.
Cellular network forensics is a cross-discipline of digital forensics and cellular networks with the goal to investigate cellular network-facilitated crimes under a legally obtained warrant for the purpose of crime reconstruction. These criminal activities can be carried out with direct network support (e.g., perpetrators communicate over a cellular network), or the network can be incidental to the crime (e.g., the network can provide historical data about calls or user locations). Investigations in cellular networks can be real-time or non-real-time. The real-time investigations work with evidence transiting over the network at the time of the crime or the attack, like ongoing calls, browsing sessions, or triangulated geolocation coordinates of a user. The non-real-time investigations work with evidence related to past user activity, such as charging data records or a user's most visited cell. Prior to every investigation, operators and law enforcement agencies (LEAs) must establish forensic readiness to ensure secure identification, acquisition, and delivery of cellular network evidence [3, 4]. These operations are realized with two forensics mechanisms, Lawful Interception (LI) and Lawful Access Location Services (LALS).
This article reviews the implementation of LI and LALS in LTE and LTE-Advanced networks. Various types of LI and LALS evidence are also presented together with tools and techniques for cellular network forensic analysis. The challenges for continuous support of LI and LALS are discussed in the context of the key technologies for 5G evolution including Control and User Plane Separation (CUPS), Network Functional Virtualization (NFV), network slicing, and CIoT. Several adaptations of the current LI and LALS operations for each 5G technology are proposed and elaborated to ensure the future cellular network forensic investigations are conducted as similarly as possible to the current practice. The article concludes with a discussion of the legal and privacy aspects of the current and future cellular network forensics practice.
2 LTE cellular network forensics
2.1 Lawful Interception
The example shown in Fig. 1 depicts interception of all outgoing data and SMS, so in this case ADMF provisions LI at the MME, S/P-GW, and the SMSC. Operators can intercept two types of cellular data: user traffic and signaling traffic. The intercepted user traffic is referenced as Content of Communication (CC) and delivered over the HI3 in a pre-defined format to the LEMF (e.g., audio or pcap files). The intercepted signaling traffic is referenced as Interception-Related Information (IRI) and is delivered over the HI2 in various IRI record types.
2.1.1 Interception-Related Information (IRI)
IRI-BEGIN—The first event of a communication attempt of the target identity
IRI-END—The end of a communication attempt; closing the IRI transaction for the targeted identity and/or service
IRI-CONTINUE—Intermediary record at any time during a communication within the IRI transaction
IRI-REPORT record—Used for non-communication-related events, for example, a network attach request
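The four record types above imply an ordering that an analyst can check on delivered IRI before relying on it. The following is an added example, not code from the paper or from any LI product: the record fields (`liid`, `corr`, `type`, `ts`) and the sample records are constructed for illustration, and real HI2 records are ASN.1-encoded.

```python
from collections import defaultdict

# Constructed HI2-style records. Field names are assumptions for this sketch;
# real IRI records are ASN.1-encoded and carry many more parameters.
SAMPLE_IRI = [
    {"liid": "T-001", "corr": None, "type": "IRI-REPORT",   "ts": 100},  # network attach
    {"liid": "T-001", "corr": "c1", "type": "IRI-BEGIN",    "ts": 110},
    {"liid": "T-001", "corr": "c1", "type": "IRI-CONTINUE", "ts": 120},
    {"liid": "T-001", "corr": "c1", "type": "IRI-END",      "ts": 130},
    {"liid": "T-001", "corr": "c2", "type": "IRI-CONTINUE", "ts": 140},  # BEGIN missing
    {"liid": "T-001", "corr": "c2", "type": "IRI-END",      "ts": 150},
    {"liid": "T-002", "corr": "c3", "type": "IRI-BEGIN",    "ts": 160},  # never closed
    {"liid": "T-002", "corr": "c4", "type": "IRI-END",      "ts": 175},  # delivered out of order
    {"liid": "T-002", "corr": "c4", "type": "IRI-BEGIN",    "ts": 170},
]


def check_iri_transactions(records):
    """Check BEGIN/CONTINUE/END ordering per (target, correlation) pair.

    Returns (findings, report_count). findings maps (liid, corr) to a list
    of problems; transactions that follow the expected sequence are omitted.
    """
    findings = defaultdict(list)
    open_tx = set()   # transactions that have seen BEGIN but not END
    reports = 0       # IRI-REPORT records sit outside any transaction

    # Delivery order is not trusted: process by the record's own timestamp.
    for rec in sorted(records, key=lambda r: r["ts"]):
        key = (rec["liid"], rec["corr"])
        kind = rec["type"]
        if kind == "IRI-REPORT":
            reports += 1
        elif kind == "IRI-BEGIN":
            if key in open_tx:
                findings[key].append("duplicate IRI-BEGIN")
            open_tx.add(key)
        elif kind == "IRI-CONTINUE":
            if key not in open_tx:
                findings[key].append("IRI-CONTINUE outside an open transaction")
        elif kind == "IRI-END":
            if key not in open_tx:
                findings[key].append("IRI-END without IRI-BEGIN")
            open_tx.discard(key)
        else:
            findings[key].append(f"unknown record type {kind!r}")

    # Anything still open either is ongoing or lost its closing record.
    for key in sorted(open_tx, key=str):
        findings[key].append("no IRI-END (open or record lost)")
    return dict(findings), reports


if __name__ == "__main__":
    problems, n_reports = check_iri_transactions(SAMPLE_IRI)
    print(f"{n_reports} IRI-REPORT record(s)")
    for (liid, corr), issues in problems.items():
        print(liid, corr, issues)
```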
2.1.2 Content of Communication (CC)
The CC data represents the actual user traffic that is realized over the cellular network by the target identity. It includes actual voice conversations intercepted and delivered in formats like .wav files or IP sessions delivered in packet captures like .pcap files. To determine whether the conversational parties from the intercepted voice CC are the ones subject to investigation, various forensic speaker recognition techniques are used to analyze the voice CC. The aural/acoustic technique relies on experienced human perception in matching the intercepted voice CC and a recorded voice based on the phonetic similarity between the two sources. The auditor-instrumental technique employs statistical analysis of common voice features like the average fundamental frequency, articulation rate, formant central frequencies, rhythm, and voice quality for the same purpose. In automatic forensic speaker recognition, the recognition system works by extracting voice features from a training set of speech data to model different speaker patterns, which are later compared with the features extracted from the intercepted voice CC to yield a similarity score with the target speaker. Among the most prominent tools for automatic forensic speaker recognition is ALIZE.
2.2 Lawful Access Location Services—LALS
ECID—The coordinates of the cellular device are derived by measuring either the RTT or the AoA of a reference signal between one or three base stations and the cellular device (known also as triangulation). The precision of the ECID positioning is between 50 m and 1 km, but the Time-To-First-Fix (TTFF) is less than a few seconds for more than 90% accuracy.
OTDOA—The mobile device measures the TOA for the downlink reference signals received from multiple base stations (at least three) and subtracts it from a reference TOA from its serving station (known also as multilateration). Each of the RSTD measurements describes a hyperbola or ellipsoid so the intersection of their focus lines provides the coordinates of the cellular device. OTDOA precision is less than 50 m with a TTFF of around 10 s but less than 70% accuracy.
UTDOA—This is a similar positioning method as OTDOA in which the LMUs measure the time difference of arrival of the uplink reference signals from the cellular device. The advantage of the UTDOA is that it requires minimum device involvement, so it improves the accuracy to more than 90% while retaining the same precision and timing as OTDOA.
A-GNSS—The standalone navigation based on GPS requires unobstructed line of sight between the user and at least four satellites. Given that most of the time users are indoors and cannot satisfy this requirement, cellular networks assist the users by supplying information about the availability and configuration of GPS satellites. The user then measures the available GPS signals so it can calculate its 3-dimensional coordinates and report them to the SMLC. The precision and timing of the A-GNSS is less than 1 m and TTFF of 35 s, though the accuracy is below 80% because the GPS signals needed might not be always available for measurement (for example, almost 50% of the user calls/sessions are indoors).
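The OTDOA multilateration described above can be worked through numerically. This is an added example, not code from the paper: the station coordinates are constructed, a flat 2-D plane is assumed, and Gauss-Newton least squares is this example's choice of solver for intersecting the RSTD hyperbolae.

```python
import math

C = 299_792_458.0  # speed of light in m/s

# Constructed geometry in metres on a flat plane (assumption of this sketch).
SERVING = (0.0, 0.0)
NEIGHBOURS = [(3000.0, 0.0), (0.0, 3000.0), (3000.0, 3000.0)]


def rstd(pos, serving, neighbour):
    """RSTD in seconds: neighbour TOA minus serving-cell TOA at position pos."""
    return (math.dist(pos, neighbour) - math.dist(pos, serving)) / C


def otdoa_fix(serving, neighbours, rstds, guess=None, iters=50):
    """Estimate (x, y) from RSTD measurements with Gauss-Newton least squares.

    Each RSTD fixes a range difference d_i - d_0 = C * rstd_i, i.e. one
    hyperbola with the serving and neighbour stations as foci.
    """
    if len(neighbours) < 2 or len(neighbours) != len(rstds):
        raise ValueError("need a serving cell plus at least two neighbours")
    stations = [serving] + list(neighbours)
    if guess is None:  # start from the centroid of the stations
        guess = (sum(s[0] for s in stations) / len(stations),
                 sum(s[1] for s in stations) / len(stations))
    x, y = guess
    for _ in range(iters):
        d0 = max(math.dist((x, y), serving), 1e-9)
        a11 = a12 = a22 = g1 = g2 = 0.0
        for nb, t in zip(neighbours, rstds):
            di = max(math.dist((x, y), nb), 1e-9)
            r = (di - d0) - C * t                      # residual in metres
            jx = (x - nb[0]) / di - (x - serving[0]) / d0
            jy = (y - nb[1]) / di - (y - serving[1]) / d0
            a11 += jx * jx
            a12 += jx * jy
            a22 += jy * jy
            g1 += jx * r
            g2 += jy * r
        det = a11 * a22 - a12 * a12
        if abs(det) < 1e-12:
            raise ValueError("degenerate station geometry")
        # Solve the 2x2 normal equations (J^T J) step = J^T r.
        dx = (a22 * g1 - a12 * g2) / det
        dy = (a11 * g2 - a12 * g1) / det
        x, y = x - dx, y - dy
        if math.hypot(dx, dy) < 1e-6:
            break
    return x, y


if __name__ == "__main__":
    true_pos = (1200.0, 800.0)                         # constructed ground truth
    meas = [rstd(true_pos, SERVING, nb) for nb in NEIGHBOURS]
    print("noise-free fix:", otdoa_fix(SERVING, NEIGHBOURS, meas))
    # A 100 ns timing error on one RSTD is about 30 m of range difference.
    noisy = [meas[0] + 100e-9] + meas[1:]
    est = otdoa_fix(SERVING, NEIGHBOURS, noisy)
    print("fix with 100 ns error:", est, "error (m):", math.dist(est, true_pos))
```

The second run shows why timing quality at the measuring device matters for evidential use: a single 100 ns RSTD error moves the fix by metres to tens of metres in this geometry.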
The LCS architecture allows for various positioning procedures, depending on the entity initiating the localization request. For example, the network can induce a localization after an emergency attach from a user (referred to as EPC-NI-LR) or if an external client like a LEA requests localization for a target identity (referred to as EPC-MT-LR). External LCS clients can be location-based advertising companies, map services, or Enhanced 911/112 systems. Each external client has to be authorized to use the LCS service by the network and the users. For lawful localization, the LEA needs to obtain a warrant and secure the delivery and storage of the location information for the target identities investigated.
The LALS are invoked in two forensic investigation variants: (1) target positioning and (2) enhanced location for IRI. The target positioning is used to determine the target's location independently of the services used and can be further invoked either for an immediate localization or for a periodic localization. The immediate localization is invoked when the LEA needs the location of the target in real-time, while the periodic localization is used in non-real-time cases where the LEA can track the movement of the target identity over a longer period of time. For the periodic localization, the LEA can specify the reporting interval and the number of reports it needs from the SMLC depending on the needed tracking granularity. In cases where the LEA needs to localize a target identity that uses a specific service, e.g., SMS, the enhanced location for IRI is used.
3 Cellular network forensics in 5G
5G is envisioned to achieve 1000 times increase in system throughput, peak data rate of 10 Gb/s, and 100 times higher connection density. The new generation of cellular networks will support new deployment scenarios including high-speed vehicles and trains, IoT, commercial air-to-ground service, and service for light aircraft/helicopters. To meet these requirements, the network architecture introduces a series of novel technologies including CUPS, NFV, network slicing, and CIoT.
3.1 Control and User Plane Separation—CUPS
The idea behind the CUPS is to separate the control and user plane for the S-GW, P-GW, and the TDF. LTE and LTE-Advanced networks already provide separation by implementing most of the control functions in the MME and the user traffic delivery functions in S/P-GW. CUPS takes this separation further to allow independent network scaling—deploying more user plane nodes (e.g., forwarder routers) closer to the network edge without increasing the number of control nodes for applications including tethering, local Vehicle-to-X communications, augmented reality, or optimized video streaming.
From a LALS perspective, the target positioning is not affected by the separation of the control and user planes because the mobility management for LCS is handled separately by the MME and is independent of the cellular service used. The same holds for the enhanced location for IRI, given that each user is served by only one control node which informs the MME and SMLC of the target identity using the service of interest for investigation. It is worth mentioning that LALS also need to be supported for MEC applications, where the service part of the service-based localization is offered on the local cloud. In this case, the LALS procedure shown in Fig. 6 stays the same; only the SMLC needs to be able to request the service details from the MEC server and include them in the subscriber location report back to the LEA.
3.2 Network Functional Virtualization—NFV
The introduction of NFV brings several challenges for continuous support of LI and LALS in the current form for conducting cellular network investigations. Because the NFVI can reside in a different jurisdiction than the VNFs, PNFs, and even the NFV-MANO entities, LEAs cannot assume regulated forensic readiness and pre-established points of interception and localization. First, the LEA must ensure that the ADMF and the virtualized interception control elements or the SMLC are trusted and isolated from other VNFs on the same NFVI (which might not even be functions from the same cellular network at all). Second, the ADMF as the LI and LALS root-of-trust needs to interoperate with the other roots-of-trust such as the elements of NFV-MANO. Third, ADMF needs to perform attestation on the VNFs before LI or LALS are invoked to determine whether the target identity is served by VNFs residing in the legally authorized jurisdiction.
For this purpose,  discusses potential use of a PKC scheme between the ADMF and the ICEs (as the points of interception), the SMLC, and the NFV-MANO entities. However, LI and LALS can include a broad set of services and might be invoked for a longer period of time during which the target identity may start using services from NFVs residing out of the authorized jurisdiction. In this case, the LI and LALS certificates need to be revoked (another alternative is to use shorter expiration times for each certificate, but that might result in a PKC management burden). This mechanism has a potential impact on real-time investigations in that critical IRI records or CC data might not be collected while the user and signaling traffic transits through the VNFs due to revoked or expired certificates.
3.3 Network slicing
A network operator provides the virtual/physical infrastructure and the PNF/VNF; a private third party uses the dedicated functionality provided by the network operator
A network operator provides the virtual/physical infrastructure and the PNF/VNF; a private third party manages some PNF/VNF via APIs provided by the network operator
A network operator provides the virtual/physical infrastructure; a private third party provides some PNF/VNF
A private third party provides some PNF/VNF and manages them
All management options for supporting private slices have an impact on the LI and LALS mechanisms. In the network slicing models from Rel. 15, all the involved operators are subject to national regulation and the existing LI and LALS mechanisms can be adapted with small modifications as discussed in the next two subsections. However, private third parties might not be regulated, so the forensic investigations of users belonging to or using private slices require redefined procedures for LI and LALS. To support LI and LALS for private slices, a trust relationship between the network operators and the private third parties must be defined.
For the first management option, the third party must trust the network operator when provisioning the LI and LALS requests and delivering the cellular network evidence back to the LEA. The third party in this case might need to be allowed to authorize these requests with direct access to the ADMF. For the second and third management options, ADMF needs to be adapted so it can provision LI and LALS to the PNF/VNF managed and/or provided by the third party. For the fourth option, the LEA needs to establish separate handover interfaces with the third party. In all cases, the LEA needs to be able to authenticate and verify the trustworthiness of the cellular network evidence delivered by the third party.
3.3.1 Lawful Interception adaptations for network slicing
3.3.2 Lawful Access Location Services adaptations for network slicing
3.4 Cellular Internet of Things—CIoT
CIoT is a network feature preliminarily defined in LTE-Advanced to enable access in licensed spectrum for a massive number of IoT devices. CIoT can be implemented in three variants: (1) EC-GSM-IoT, (2) eMTC, and (3) NB-IoT. EC-GSM-IoT introduces coverage extension, LTE-grade security, and improved power efficiency for legacy machine-to-machine communications. GSM has the largest global coverage footprint and very small time-to-market, which is a huge advantage for readily available CIoT applications. eMTC is an adaptation of the current LTE access to accommodate CIoT applications like wearables, CCTV, object tracking, or smart healthcare. It enables 15-dB enhancement over the standard LTE coverage and extends the DRX to relax the latency and provide the bigger delay budget needed for many CIoT applications. eMTC is fully compatible with the standard LTE/LTE-Advanced architecture, making it relatively easy to support in the currently deployed LTE networks. For CIoT applications like smart metering that require modest data rates, relaxed latency, longer battery life, extended coverage, and massive capacity, 3GPP introduces the self-contained NB-IoT radio access. The narrower bandwidth of only 200 kHz allows for significant reduction in device complexity, supporting sporadic (maximum latency of 10 s) and low-rate CIoT traffic (50 kbps) for a battery life between 5 and 10 years.
3.4.1 Lawful Interception adaptation for CIoT
3.4.2 Lawful Access Location Services adaptation for CIoT
This LCS modification for CIoT affects both the real-time and non-real-time forensic localization. In the case of immediate localization, the LEA has no option but to accommodate this delay. In the case of periodic localization, the LEA might need to use a larger reporting granularity (fewer reports and a longer report interval) to be able to track the location of a CIoT device over a prolonged period of time. For the enhanced location for IRI localization, the LEA also needs to expect delayed and out-of-order reports, given that many of the target identities will respond to the localization requests in a prolonged and uncoordinated manner.
4 Cellular network forensics—legal and privacy aspects
4.1 Cellular network forensics in the European Union
The use of LI and LALS within the European Union is covered by the Council Resolution 96/C 329/01 requiring the LEA to be able to access all IRI records and CC data from user and signaling traffic transiting or stored by cellular network operators, as well as request subscriber localization information. The 2002/20/EC directive established guidelines concerning cooperation between LEAs and cellular network operators which made LI and LALS a condition for granting cellular networks the authority to operate. The 2002/20/EC directive also contains a number of conditions that may be attached to the general authorization for providing LI and LALS in conformity with Directive 97/66/EC and Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
4.2 Cellular network forensics laws in the USA
In the USA, the CALEA requires that LEAs be able to access IRI records and CC data with no degradation and interference to the subscriber service while protecting the privacy and security of subscribers and the respective intercepted material. The Wiretap Act including the Title III of the OCCSSA and the ECPA prohibits unauthorized, nonconsensual interception of wire, oral, or electronic communications by government agencies for target identities that are US citizens. The FISA covers the use of LI and LALS for intelligence purposes where the target identity could not be a US citizen, working as an agent on behalf of a foreign country. The invocation of LI and LALS under FISA requires prior authorization by the FISC federal court. The Title II of US Patriot Act allows LEAs to obtain authorization for LI or LALS by demonstrating that the IRI and CC records are relevant for an investigation, rather than the stricter FISA requirement to demonstrate that the target identity is explicitly involved in unauthorized activities and terrorism.
4.3 Cooperative cellular network forensic investigations
In general, before LI and LALS are invoked, the LEA must obtain a court warrant and implement privacy protections for safe storage and analysis of the acquired cellular network evidence. Warrantless invocation of LI and LALS is possible if it is determined that an emergency situation exists involving immediate danger of death or serious physical injury to any person, conspiratorial activities threatening the national security interest, or conspiratorial activities characteristic of organized crime. The responsible LEA in such a case needs to apply to the appropriate court for a warrant approving the interception within a few days after the LI and LALS evidence acquisition has occurred. With a probable increased use of CIoT in the future, however, there is a possibility for another type of warrantless acquisition of cellular network evidence, namely the digital witness methodology proposed in  that enables citizens to share their CIoT data with some privacy guarantees.
A CIoT device can be a digital witness with the capabilities of identifying, collecting, safeguarding, and communicating cellular network evidence. The digital witness is harmonized with the ISO/IEC 29100 privacy principles to stimulate the cooperation of citizens in forensics investigations. This is an interesting and promising approach for augmenting CIoT LI and LALS; however, the LEA must be able to correlate and possibly verify the evidence material collected from the CIoT digital witnesses with the material acquired from the CIoT network operator.
The forensic capabilities of LI and LALS currently available in LTE/LTE-Advanced networks were reviewed to propose adaptations and discuss implementation challenges with the main technologies envisioned for 5G. CUPS, NFV, network slicing, and CIoT are developed largely in isolation, so integration into the 5G ecosystem will impact the continuous support for LI and LALS. Different correlation mechanisms per technology, multiple streams of IRI and CC records, and potential inclusion of third parties in the cellular service realization are just some of the challenges LEAs need to address to keep the LI and LALS capabilities in the future 5G networks. Equally relevant is the legal aspect of conducting cellular network investigations. With the traffic served by virtualized functions that can reside in multiple jurisdictions, LEAs also need to find a way to continuously support LI and LALS, especially for real-time investigations. On top of this, LEAs are increasingly challenged with the analysis of third party encrypted CC, which, depending on the jurisdiction, might preclude LEAs from decrypting the user traffic of interest.
The author wishes to acknowledge UTel Systems and ZetX for their technical support and provision of their tools for cellular network forensic analysis.
Availability of data and materials
The materials supporting the conclusions of this article are included within the article.
The entire manuscript is a sole contribution of the author. The author read and approved the final manuscript.
The author declares that he has no competing interests.
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
- 1. Ericsson Mobility Report (2017). https://www.ericsson.com/en/mobility-report. Accessed 12 Oct 2017.
- 3. International Standardization Organization: ISO/IEC 27035:2011 – Information security incident management, (Geneva, 2016). https://www.iso.org/standard/62071.html.
- 4. International Standardization Organization: ISO/IEC 27037:2012 guidelines for identification, collection, acquisition and preservation of digital evidence, (Geneva, 2012). https://www.iso.org/standard/44381.html.
- 5. 3rd Generation Partnership Project: TS 33.106 V14.1.0 - Technical Specification Group Services and System Aspects; 3G security; Lawful interception requirements (Release 14). (3GPP, Sophia Antipolis, 2017). http://www.3gpp.org.
- 6. 3rd Generation Partnership Project: TS 33.108 V14.1.0 - Technical Specification Group Services and System Aspects; 3G security; Handover interface for Lawful Interception (LI) (Release 14). (3GPP, Sophia Antipolis, 2017). http://www.3gpp.org.
- 7. ETS Institute. Lawful Interception (LI); Cloud-Virtual Services for Lawful Interception (LI) and Retained Data (RD). (ETSI, Sophia Antipolis, 2016). http://www.etsi.org/deliver/etsi_tr/101500_101599/101567/01.01.01_60/tr_101567v010101p.pdf. Accessed 20 Jan 2018.
- 8. STINGA Lawful Interception Analyzer. https://utelsystems.com. Accessed 15 Oct 2017.
- 9. ZetX. http://zetx.com. Accessed 15 Oct 2017.
- 10. A Drygajlo, in Forensic Speaker Recognition: Law Enforcement and Counter Terrorism, ed. by A Neustein, HA Patil. Automatic speaker recognition for forensic case assessment and interpretation (Springer, New York, 2012), pp. 3–20.
- 11. A Larcher, J-f Bonastre, B Fauve, KA Lee, L Christophe, H Li, JSD Mason, J-y Parfait, in Interspeech. 14th Annual Conference of the International Speech Communication Association. ALIZE 3.0—open source toolkit for state-of-the-art speaker recognition (Lyon, 2013), pp. 2768–2772.
- 12. 3rd Generation Partnership Project: TS 27.071 V14.1.0 - Services and System Aspects; Location Services (LCS); Service description; Stage 1 (Release 14). (3GPP, Sophia Antipolis, 2017).
- 13. 3rd Generation Partnership Project: TR 38.913 V14.3.0 - Technical Specification Group Radio Access Network; Study on Scenarios and Requirements for Next Generation Access Technologies; (Release 14). (3GPP, Sophia Antipolis, 2017). http://www.3gpp.org.
- 14. P Schmitt, B Landais, FY Yang. Control and user plane separation of EPC nodes (CUPS). (3GPP, Sophia Antipolis). http://www.3gpp.org/cups. Accessed 16 Oct 2017.
- 15. G McQuaid, DR Cione. Lawful interception in virtualized networks. (3GPP, Sophia Antipolis, 2017). https://www.sicurezzaegiustizia.com/lawful-interception-in-virtualized-networks-sept-2017/. Accessed 20 Jan 2018.
- 16. ETS Institute. Network functional virtualization (NFV); NFV Security; Privacy and Regulation; Report on Lawful Interception Implications. (ETSI, Sophia Antipolis, 2015). http://www.etsi.org.
- 17. 3rd Generation Partnership Project: TR 28.801 V2.0.1 - Technical Specification Group Services and System Aspects; Telecommunication management; Study on management and orchestration of network slicing for next generation network (Release 15). (3GPP, Sophia Antipolis, 2017). http://www.3gpp.org.
- 18. 3rd Generation Partnership Project: Feasibility Study on Business Role Models for Network Slicing in Rel. 16. (3GPP, Sophia Antipolis, 2018). http://www.3gpp.org.
- 19. 3rd Generation Partnership Project: 3GPP TR 23.720 V13.0.0 - 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on architecture enhancements for Cellular Internet of Things (Release 13). (3GPP, Sophia Antipolis, 2016). http://www.3gpp.org.
- 20. Cellular networks for massive IoT. https://www.ericsson.com/assets/local/publications/white-papers/wp_iot.pdf. Accessed 14 Oct 2017.
- 21. An overview of 3GPP enhancements on machine to machine communications. IEEE Commun. Mag. 54(6), 14–21 (2016).
- 22. 3rd Generation Partnership Project: 3GPP TR 23.730 V14.0.0 - 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on extended architecture support for Cellular Internet of Things (CIoT) (Release 14). (3GPP, Sophia Antipolis, 2016). 3GPP TR 23.730 V14.0.0.
- 23. Government Access to Encrypted Information. https://www.loc.gov/law/help/encrypted-communications/european-union.php. Accessed 17 Oct 2017.
- 24. H Miller, The ready guide for intercept legislation (2007).
- 25. Open Air Interface. http://www.openairinterface.org. Accessed 6 Jul 2017.
Open Access: This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.