Cell Phone Analysis, Part 2

(Ed. Note: Part One of this article was published in the November 2012 issue of LAW and ORDER. It is also available online at www.hendonpub.com, Resources, Article Archives.)


Two types of evidence can be retrieved from a cell phone: electronic evidence (discussed in Part One) and retained data evidence. Retained data evidence is telecom records involving the details of calls made and received, and the geographic location of the mobile phone when a call is made.

This information from the cellular service provider can be used to compare with other investigative facts or theories. This can identify discrepancies or corroborate statements. This can also be used to identify other people who may be involved.

Most importantly, this info will put cell phones in approximate geographic areas during specific dates and times, i.e., historical tracking. Finally, most service providers are able to provide real-time, live tracking, AKA, pinging.


Real Time Versus Historical

There is a huge difference between real time tracking and historical tracking. Real time uses GPS. Historical tracking uses cell towers.

Every cell phone sold through a U.S. carrier contains a tiny GPS unit. This is done for the E-911 systems to allow law enforcement to find the caller if they dial 9-1-1. The latitude and longitude of a GPS signal are fairly precise, usually within 700 yards. The GPS precision location services do not deliver any call data, i.e., length of call, number dialed. However, they do indicate a date/time stamp and a lat/long pair.

If the cell phone is on, the phone hits the closest tower every so often. This is “pinging.” These ping records are stored no more than a day before they are overwritten. Then the evidence of the event is lost. While a ping is a real event, records are not kept.

The ability to ping a phone varies by cellular service provider. Verizon, for example, cannot ping a cell phone. The best they can do is provide the nearest cell tower, and only if the person is making / receiving a call or sending / receiving a text message. The person you are live tracking is only going to take one or two “wrong numbers” sent by you to make his / her cell phone hit a tower.

AT&T can ping their phones and they will do it for felonies and misdemeanors alike. Their result can be accurate to within 32 yards of the latitude /longitude. Sprint-Nextel calls a ping L-Site Data.


Pinging Has Limitations

There are some issues with ping live tracking. First, since all of the systems use GPS, the GPS has to be activated. The GPS signal can be “hidden” by one of the settings on some phones, and / or “limited” in only 9-1-1 situations. Second, GPS-enabled phones can only be located if they are turned ON. If the phone is OFF, there is no GPS connection.

Third, GPS live tracking is only as good as the reception. Beside tall buildings, under bridges or tunnels, or in heavily forested terrain, the GPS signal may be lost. Fourth, pings are sent in 15-minute intervals at the most frequent. Unless the subject stays in one place for more than 15 minutes, you will always be behind – chasing the ping.

That 15-minute interval may not be an issue in a live track on the interstate from Chicago to Dallas. But it may indeed be a problem as you tail or track a subject from the south side of Chicago to downtown.

Live tracking using GPS follows the handset, not the cell tower. Historical tracking, on the other hand, uses cell towers, and a record is kept. However, some activity had to occur to have a record. A call had to be sent / received. A text had to be sent / received. Some app on the phone had to be used.


Historical Tracking

Cell Site Analysis (CSA) is the science of reconstructing the physical movements of a mobile phone or communication device. The evidence from this advanced investigation can attribute contact between individuals, indicate proximity to a crime scene, define patterns of movement of suspects, and confirm or dispute alibi statements. To perform a Cell Site Analysis, you have to understand how cell towers are built and operate.

Most (but not all) cell towers are three-sided. On each of these sides, there are three panels. The middle panel is the transmitter, while the outer panels are the receivers. The two outside panels “listen” for inbound signals. Something like how our two ears compare slight differences in sound to determine location and direction of movement, these two outside panels do the same. This allows a smooth hand-off from tower to tower when the caller is mobile.

Each tower has three directional antennas. A directional antenna receives signals with more intensity from the direction it is pointed. It filters this, versus signals it receives from directions outside its field.


Cell Site Analysis

The Cell Site Analysis (CSA) starts with a court order or search warrant requesting call detail records with the cell towers that were used during the call. The CSA, with information from particular tower locations, will tell you what parts of the city you are in but not what street you are on. For most investigations, knowing the handset was in a general area—and could not have been in another area—is enough to confirm or deny an alibi about a date, time, location.

The CSA will only allow an investigator to state the call was from an area covered by the cell tower, not a single address. That means it is better suited to eliminate alibi locations than to prove the handset was in one specific house or block.

However, some pretty strong inferences can be made based on the CSA and how towers work. Most towers are divided into three 120-degree sides. (Some are six 60-degree sides.) Depending on the cellular service provider who operates the cell tower, these sectors will be identified as 1,2,3; A,B,C; Alpha, Beta, Gamma for a beam width of 120-degree coverage tower. For a 60-degree coverage tower, combinations of this alpha-numeric will identify which slice of the pie is involved. Each tower has a reception range from less than a mile to 12 miles. Each area covered by the sector can be narrowed to within one-tenth of a mile. Side 1 on AT&T and Verizon towers faces north. This is for the typical tower…exceptions exist.

If possible, ask for cell tower information within 7 to 15 days. Then ask the service provider to provide the PCMD (Sprint), RTT (Verizon) or Activity Log (T-Mobile). This can put a handset down to a certain distance from the tower. For example, the handset was between 6/10 and 7/10 of a mile from this specific tower within the sector with compass readings of 300 degrees (WNW) and 60 degrees (ENE).

That covers a lot of urban area, is more restrictive in a suburban area, and actually helpful in a rural area. Even in a heavily urbanized area full of multi-level buildings, it tells you the handset was within those few city blocks—and nowhere else in the country. Remember, a lot of factors can influence this range, so it may not be accurate.

It is not GPS, but the handset being “this” distance from “this” tower in “this” sector is a valuable piece of investigative information. A valid CSA will be able to accurately come up with this kind of conclusion. Again, one of the advantages of call measurement data is that juries understand it, they get it...he said he wasn’t at the crime scene, so how did his phone get there?
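The distance-and-sector reasoning above, as an added example that is not part of the original article: it tests whether a claimed location is consistent with a record placing the handset 6/10 to 7/10 of a mile from a tower, in the sector running from 300 degrees through north to 60 degrees. The tower coordinates and candidate locations are constructed, and the function names are hypothetical.

```python
import math

EARTH_RADIUS_MI = 3958.8                        # mean Earth radius, statute miles
MI_PER_DEG_LAT = EARTH_RADIUS_MI * math.pi / 180

def distance_and_bearing(tower, point):
    """Great-circle distance (miles) and initial compass bearing (degrees)
    from tower to point; both are (lat, lon) pairs in decimal degrees."""
    lat1, lon1 = map(math.radians, tower)
    lat2, lon2 = map(math.radians, point)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    a = (math.sin(dlat / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2)
    dist = 2 * EARTH_RADIUS_MI * math.asin(math.sqrt(a))
    y = math.sin(dlon) * math.cos(lat2)
    x = (math.cos(lat1) * math.sin(lat2)
         - math.sin(lat1) * math.cos(lat2) * math.cos(dlon))
    return dist, math.degrees(math.atan2(y, x)) % 360

def in_sector(bearing, start_deg, end_deg):
    """True if bearing lies in the sector swept clockwise from start to end,
    including sectors that wrap through north (300 -> 60)."""
    span = (end_deg - start_deg) % 360
    return (bearing - start_deg) % 360 <= span

def consistent_with_record(tower, point, start_deg, end_deg,
                           min_mi, max_mi, tol_mi=0.0):
    """Could a handset at point have produced this tower/sector/range record?
    tol_mi widens the range band, since many factors influence the range."""
    dist, bearing = distance_and_bearing(tower, point)
    in_band = (min_mi - tol_mi) <= dist <= (max_mi + tol_mi)
    return in_band and in_sector(bearing, start_deg, end_deg)

# Constructed sample data: a made-up tower and three candidate locations.
TOWER = (41.8500, -87.6500)
NORTH_065 = (TOWER[0] + 0.65 / MI_PER_DEG_LAT, TOWER[1])   # 0.65 mi north
SOUTH_065 = (TOWER[0] - 0.65 / MI_PER_DEG_LAT, TOWER[1])   # 0.65 mi south
NORTH_2MI = (TOWER[0] + 2.0 / MI_PER_DEG_LAT, TOWER[1])    # 2 mi north

if __name__ == "__main__":
    for name, pt in [("north 0.65 mi", NORTH_065), ("south 0.65 mi", SOUTH_065),
                     ("north 2 mi", NORTH_2MI)]:
        ok = consistent_with_record(TOWER, pt, 300, 60, 0.6, 0.7)
        print(f"{name}: {'consistent' if ok else 'excluded'}")
```

A result of "excluded" is the stronger finding, since it rules the location out; "consistent" only means the location cannot be ruled out by this record.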


All Classes of Crime

The uses for the evidence on cell phones cross all paths of felonies and misdemeanors. Smartphones allow YouTube videos. YouTube keeps copies of all videos placed on YouTube indefinitely and YouTube is law enforcement friendly. All you need is a subpoena and the user ID who posted the video. Real Player software will allow you to immediately download the YouTube video.

“With serious and fatal traffic collisions, we are not looking at cell phones enough,” Roberts said. “Get the cell phone log for all fatals.” Texting at the time may be hard to prove, but being distracted may be easier to prove. Being distracted during (time) or near (location) the collision might be negligence. At least rule it out.

Talking on a cell causes 25% of accidents and 80% of accidents are attributed to distracted drivers. In perspective, drunk drivers cause 33% of the collisions. Roughly 20% of the fatals involving teens were the result of cell phone use. Talking on a cell phone while driving can reduce a young driver’s reaction time to as slow as a 70-year-old driver. Texting while driving has formed the basis of a manslaughter charge in some states.


Sexting and Cyber-bullying

The cell phone handset and call log may also have evidence of sexting and cyber-bullying. The difference between the two is both content and intent. Sexting is the act of sending sexually explicit pictures, messages or videos via text message, instant messaging or e-mail.

Sexting may quickly result in cyber-bullying. This is the use of any form of digital communication to send or post content meant to threaten, harass, demean or intimidate. Get familiar with sexting acronyms.

Sexting may start off as voluntary between two consenting parties. It may end up as cyber-bullying as others get involved, and the images are posted on websites or social networking sites. Sexting can also lead directly to sextortion, the most popular event going on today. Sextortion is a demand either to send more images or to have sex with the bully, under the threat that the first image will be sent to family, friends, websites, or the victim’s social network sites. The vast majority of young people fall victim to this tactic.

Types of charges that can result from sexting include child pornography, distributing a sexually explicit photo, communicating with a minor with intent of a lewd act, Internet sex crimes, and sending harmful matter with the intent of seduction. In Ohio, for example, cyber-bullying on school property or at school sponsored events may involve a whole series of violations, criminal and civil. These are all based on the Jessica Logan Act. Logan committed suicide in 2008 as a direct result of sexting, which led to bullying.

One of the consequences of sexting and cyber-bullying is teen suicide, as the teen cannot cope with the humiliation. Suicide is the third leading cause of death among young people. In addition to pornography and sex crimes, other crimes from sexting and bullying can be rape, extortion, aggravated menacing, stalking and human trafficking (prostitution).


Financial Crimes

Cell phone technology allows a wide variety of financial transactions to be conducted any time, anywhere. This means money laundering and a variety of other money transfer crimes can also be conducted any time, anywhere.

Were you expecting to see one perp hand an envelope to another perp in a drug deal? And all they did was high-five or fist-bump one another and then they left the scene? So, what about the cash? What you saw was a bump pay. That is a Mobile Peer-to-Peer (P2P). With bump technology, i.e., Mobile Peer-to-Peer (P2P), you can transfer money with the bump of a cell phone. No account numbers are needed.

With P2P, you click or touch a few keys that basically select the amount of money and set up the “I am sending” mode. The other person goes into “I am receiving” mode. On smartphones equipped with accelerometers (and many are), bumping them signals the action to make P2P payments, or share images or contact details. You have to be connected to the Internet or have Wi-Fi.

Any time you seize a smartphone, check the apps on the phone. Especially look for banking apps. Near Field Communication (NFC) uses a combination of hardware and software to turn the smartphone into a wallet. You can use P2P to buy even fast food and gas. You no longer need cash, check book or credit cards.

With person-to-person Quick Pay, you can send money to nearly anyone with an e-mail address. Bank of America, JPMorgan Chase and Wells Fargo are among the banks that will move money from a checking account using an e-mail address or cell phone number.

In addition to normal banking, PayPal payments and prepaid Western Union transfers, other cell phone transactions are becoming common. Boarding passes in the form of a QR symbol sent by major airlines to cell phones are old news.

The latest is a hotel key sent via text message to a cell. The text contains the room number and a phone number to activate a code. Touch the cell to the door and an audible code unlocks the door. Of course, both the airline boarding pass and the hotel room key become evidence of this travel activity stored on the smartphone.


Cloud Storage

“Currently, cloud storage is the best thing to happen to law enforcement since cell phones,” Roberts stated. Cloud storage is nothing more mysterious or cyber-techno than simply saving data to an off-site storage system maintained by a third party. Cloud storage is now extremely common. The Internet provides the connection between the computer (or handset) and the database.

The computer (cell phone) user sends copies of files over the Internet to the remote data server, which saves the information. To retrieve the data, or manipulate the files, simply gain access to the server through the Web.

With cloud storage you can access your data from any location that has Internet access…any location. You don’t need to carry storage or memory devices with you. You don’t even need to use the same computer (cell phone) to gain access to the information. You can allow other people to access the data file.

iCloud? That is Apple’s cloud storage system that allows you to back up and restore data on your Apple iOS devices like iPhone, iPad and iPod. They just need to be connected to the Internet. Text messages are on iCloud. So are apps purchased from iTunes. So are all the photos and video on the Camera Roll feature in iOS. iCloud keeps bookmarks and reading lists from the Internet.

The standard for Fourth Amendment search and seizure usually observes “in your personal possession.” Nothing in the cloud storage is in your full personal possession. It is all stored on someone else’s computer systems. Anything stored at Google or Facebook, the e-mails stored on Gmail or Hotmail, cell phone call logs on the wireless company’s storage servers, files stored at remote backup services like Carbonite are all, to a large degree, in someone else’s possession.

All that evidence is there. “All you have to do is ask,” Roberts noted. The perp might delete something from his phone, but he may forget to delete it from the cloud. The phone company does not keep text messages, but the cloud does. Send a search warrant to Apple or Google and ask for cloud contents and you may be surprised at the evidence you get back.

Formal training is necessary to become a cell phone forensic specialist. This training may be covered by grants, such as the Paul Coverdell Forensic Science Improvement Grant. Specialized hardware and/or software will be required. Software-based solutions include Paraben and Secure View. Hardware-based solutions are available from Cellebrite. Cellebrite is simple, portable and car-adaptable. The unit is a bit expensive, compared to the software-only solutions, including both an initial outlay and a yearly subscriber fee.

Grant money is available for cell phone investigative training based in Ohio and California. This training ranges from a one-day initial overview to a 40-hour advanced investigative training, and the formal cell-phone forensic training involves forensic and diagnostic hardware and software to process the handset and SIM cards.




Investigative Toolbar

Check out the investigative toolbar described at www.search.org/files/pdf/toolbarFriefox-0508.pdf, and downloadable at http://searchinvestigative.ourtoolbar.com. This works as an executable program on Microsoft Internet Explorer and as an add-on to Mozilla-Firefox. This provides links to sites that provide info on phones, people, ISPs etc. that apply to cell phone examinations as well as wireless and online investigations.

Published in Law and Order, Dec 2012


cell phone analysis

Posted on : Feb 13 at 11:41 AM By Christine Roberts

Great article, but was unable to locate Part 1 in the archives. There isn't a Nov. 2012 issue listed and was unable to locate using broader parameters. Suggestions? Thx U.
