Hendon Publishing - Article Archive Details
Cell Phone Analysis, Part 2
(Ed. Note: Part One of
this article was published in the November 2012 issue of LAW and ORDER. It is also available online at
www.hendonpub.com, Resources, Article Archives.)
Two types of evidence can be retrieved from a cell phone: electronic evidence (discussed in Part One) and retained data evidence.
Retained data evidence is telecom records involving the details of calls made
and received, and the geographic location of the mobile phone when a call is
This information from the cellular service provider can be
used to compare with other investigative facts or theories. This can identify
discrepancies or corroborate statements. This can also be used to identify
other people who may be involved.
Most importantly, this info will put cell phones in approximate
geographic areas during specific dates and times, i.e., historical tracking.
Finally, most service providers are able to provide real-time, live tracking,
Real Time Versus
There is a huge difference between real time tracking and
historical tracking. Real time uses GPS.
Historical tracking uses cell towers.
Every cell phone sold through a U.S. carrier contains a tiny
GPS unit. This is done for the
E-911 systems to allow law enforcement to find the caller if they dial 9-1-1.
The latitude and longitude of a GPS
signal is fairly precise, usually within 700 yards. The GPS
precision location services do not deliver any call data, i.e., length of call,
number dialed. However, they do indicate a date/time stamp and a lat/long pair.
If the cell phone is on, the phone hits the closest tower
every so often. This is “pinging.” These ping records are stored no more than a
day before they are overwritten. Then the evidence of the event is lost. While
a ping is a real event, records are not kept.
The ability to ping a phone varies by cellular service
provider. Verizon, for example, cannot ping a cell phone. The best they can do
is provide the nearest cell tower, and only if the person is making / receiving
a call or sending / receiving a text message. The person you are live tracking
is only going to take one or two “wrong numbers” sent by you to make his / her
cell phone hit a tower.
AT&T can ping their phones and they will do it for
felonies and misdemeanors alike. Their result can be accurate to within 32
yards of the latitude /longitude. Sprint-Nextel calls a ping L-Site Data.
There are some issues with ping live tracking. First, since
all of the systems use GPS, the GPS has to be activated. The GPS signal can be “hidden” by one of the settings
on some phones, and / or “limited” in only 9-1-1 situations. Second, GPS-enabled phones can only be located if they are
turned ON. If the phone is OFF, there is no GPS
Third, GPS live
tracking is only as good as the reception. Beside tall buildings, under bridges
or tunnels, or in heavily forested terrain, the GPS
signal may be lost. Fourth, pings are sent in 15-minute intervals at the most
frequent. Unless the subject stays in one place for more than 15 minutes, you
will always be behind – chasing the ping.
That 15-minute interval may not be an issue in a live track
on the interstate from Chicago to Dallas. But it may indeed be a problem as you
tail or track a subject from the south side of Chicago to downtown.
Live tracking using GPS
follows the handset, not the cell tower. Historical tracking, on the other
hand, uses cell towers, and a record is kept. However, some activity had to
occur to have a record. A call had to be sent / received. A text had to be sent
/ received. Some app on the phone had to be used.
Cell Site Analysis (CSA)
is the science of reconstructing the physical movements of a mobile phone or
communication device. The evidence from this advanced investigation can
attribute contact between individuals, indicate proximity to a crime scene,
define patterns of movement of suspects, and confirm or dispute alibi
statements. To perform a Cell Site Analysis, you have to understand how cell
towers are built and operate.
Most (but not all) cell towers are three-sided. On each of
these sides, there are three panels. The middle panel is the transmitter, while
the outer panels are the receivers. The two outside panels “listen” for inbound
signals. Something like how our two ears compare slight differences in sound to
determine location and direction of movement, these two outside panels do the
same. This allows a smooth hand-off from tower to tower when the caller is
Each tower has three directional antennas. A directional
antenna receives signals with more intensity from the direction it is pointed,
and favors those signals over ones arriving from directions outside its field.
Cell Site Analysis
The Cell Site Analysis (CSA) starts with a court order or
search warrant requesting call detail records together with the cell towers that were
used during the call. The CSA, with information from particular tower locations,
will tell you what part of the city the handset was in but not what street it was on.
For most investigations, knowing the handset was in a general area—and could
not have been in another area—is enough to confirm or deny an alibi about a
date, time, location.
The CSA will
only allow an investigator to state the call was from an area covered by the
cell tower, not a single address. That means it is better suited to eliminate
alibi locations than to prove the handset was in one specific house or block.
However, some pretty strong inferences can be made based on
the CSA and how towers work. Most
towers are divided into three 120-degree sides. (Some are six 60-degree sides.)
Depending on the cellular service provider who operates the cell tower, these
sectors will be identified as 1,2,3; A,B,C; Alpha, Beta, Gamma for a beam width
of 120-degree coverage tower. For a 60-degree coverage tower, combinations of
this alpha-numeric will identify which slice of the pie is involved. Each tower
has a reception range from less than a mile to 12 miles. Each area covered by
the sector can be narrowed to within one-tenth of a mile. Side 1 on AT&T and
Verizon towers faces north. This is for the typical tower…exceptions exist.
If possible, ask for cell tower information within 7 to 15
days. Then ask the service provider to provide the PCMD (Sprint), RTT (Verizon)
or Activity Log (T-Mobile). This can put a handset down to a certain distance
from the tower. For example, the handset was between 6/10ths and 7/10ths
of a mile from this specific tower within the sector with compass readings of
300 degrees (WNW) and 60 degrees (ENE).
That covers a lot of urban area, is more restrictive in a
suburban area, and actually helpful in a rural area. Even in a heavily
urbanized area full of multi-level buildings, it tells you the handset was
within those few city blocks—and nowhere else in the country. Remember, a lot
of factors can influence this range, so it may not be accurate.
It is not GPS,
but the handset being “this” distance from “this” tower in “this” sector is a
valuable piece of investigative information. A valid CSA
will be able to accurately come up with this kind of conclusion. Again, one of
the advantages of call measurement data is that juries understand it, they get
it...he said he wasn’t at the crime scene, so how did his phone get there?
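The distance band and sector bearings described above define a slice of an annulus around the tower; the check below (added here as an illustration, not part of the article or any carrier's tooling) tests whether a claimed alibi location falls inside that slice. The tower coordinates, the 300-to-60 degree sector and the 0.6-0.7 mile band are constructed sample values, bearings are measured clockwise from true north, and the sector test handles arcs that cross north.

```python
import math

# Constructed sample: a tower at Chicago-area coordinates and a measurement like the
# article's example (handset 0.6-0.7 mi out, sector from 300 deg clockwise to 60 deg).
# These coordinates and values are hypothetical, not taken from any carrier record.
EARTH_RADIUS_MI = 3958.8
TOWER = (41.8781, -87.6298)        # (lat, lon) in decimal degrees
SECTOR = (300.0, 60.0)             # start bearing, end bearing, clockwise from north
DIST_BAND_MI = (0.6, 0.7)          # distance band reported by the measurement data


def distance_and_bearing(origin, point):
    """Great-circle distance in miles and initial compass bearing (0-360 degrees)
    from origin to point, both given as (lat, lon) in decimal degrees."""
    lat1, lon1 = map(math.radians, origin)
    lat2, lon2 = map(math.radians, point)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    a = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    dist = 2 * EARTH_RADIUS_MI * math.asin(math.sqrt(a))
    y = math.sin(dlon) * math.cos(lat2)
    x = math.cos(lat1) * math.sin(lat2) - math.sin(lat1) * math.cos(lat2) * math.cos(dlon)
    bearing = (math.degrees(math.atan2(y, x)) + 360.0) % 360.0
    return dist, bearing


def bearing_in_sector(bearing, start, end):
    """True if bearing lies on the arc running clockwise from start to end.
    Works for arcs that cross north, such as 300 -> 60 in the article's example."""
    return (bearing - start) % 360.0 <= (end - start) % 360.0


def consistent_with_measurement(point, tower=TOWER, sector=SECTOR, band=DIST_BAND_MI):
    """Could the handset have been at `point` given the tower, sector and distance
    band? False means the measurement excludes that location as an alibi."""
    dist, bearing = distance_and_bearing(tower, point)
    return band[0] <= dist <= band[1] and bearing_in_sector(bearing, *sector)


if __name__ == "__main__":
    # Three constructed alibi locations: 0.65 mi north (inside the slice),
    # 0.65 mi south (wrong sector) and 1.0 mi north (right sector, wrong distance).
    for label, pt in [("0.65 mi N", (41.8875, -87.6298)),
                      ("0.65 mi S", (41.8687, -87.6298)),
                      ("1.0 mi N", (41.8926, -87.6298))]:
        d, b = distance_and_bearing(TOWER, pt)
        verdict = "consistent" if consistent_with_measurement(pt) else "excluded"
        print(f"{label}: {d:.2f} mi at {b:.0f} deg -> {verdict}")
```

Remember the caveat the article gives: the reported range is influenced by many factors, so treat a borderline result as inconclusive rather than as proof either way.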
All Classes of Crime
The uses for the evidence on cell phones cross all classes of
felonies and misdemeanors. Smartphones can upload videos to YouTube. YouTube keeps
copies of all videos placed on YouTube indefinitely, and YouTube is law
enforcement friendly. All you need is a subpoena and the user ID of the person who posted the
video. Real Player software will allow you to immediately download the YouTube
“With serious and fatal traffic collisions, we are not
looking at cell phones enough,” Roberts said. “Get the cell phone log for all
fatals.” Texting at the time may be hard to prove, but being distracted may be
easier to prove. Being distracted during (time) or near (location) the
collision might be negligence. At least rule it out.
Talking on a cell causes 25% of accidents and 80% of
accidents are attributed to distracted drivers. In perspective, drunk drivers
cause 33% of the collisions. Roughly 20% of the fatals involving teens were the
result of cell phone use. Talking on a cell phone while driving can reduce a
young driver’s reaction time to as slow as a 70-year-old driver. Texting while
driving has formed the basis of a manslaughter charge in some states.
The cell phone handset and call log may also have evidence
of sexting and cyber-bullying. The difference between the two is both content
and intent. Sexting is the act of sending sexually explicit pictures, messages
or videos via text message, instant messaging or e-mail.
Sexting may quickly result in cyber-bullying. This is the
use of any form of digital communication to send or post content meant to threaten,
harass, demean or intimidate. Get familiar with sexting acronyms.
Sexting may start off as voluntary between two consenting
parties. It may end up as cyber-bullying as others get involved, and the images
are posted on websites or social networking sites. Sexting can also lead
directly to sextortion, the most popular event going on today. Sextortion is
either a demand to send more images, or have sex with the bully or the first
image will be sent to family, friends, websites, or the victim’s social network
sites. The vast majority of young people fall victim to this tactic.
Types of charges that can result from sexting include child
pornography, distributing a sexually explicit photo, communicating with a minor
with intent of a lewd act, Internet sex crimes, and sending harmful matter with
the intent of seduction. In Ohio,
for example, cyber-bullying on school property or at school sponsored events
may involve a whole series of violations, criminal and civil. These are all
based on the Jessica Logan Act. Logan committed suicide in 2008 as a direct
result of sexting, which led to bullying.
One of the consequences of sexting and cyber-bullying is
teen suicide, as the teen cannot cope with the humiliation. Suicide is the
third leading cause of death among young people. In addition to pornography and
sex crimes, other crimes from sexting and bullying can be rape, extortion,
aggravated menacing, stalking and human trafficking (prostitution).
Cell phone technology allows a wide variety of financial
transactions to be conducted any time, anywhere. This means money laundering
and a variety of other money-transfer crimes can also be conducted anytime, anywhere.
Were you expecting to see one perp hand an envelope to
another perp in a drug deal? And all they did was high-five or fist-bump one
another and then they left the scene? So, what about the cash? What you saw was
a bump pay. That is a Mobile Peer-to-Peer
(P2P). With bump technology, i.e., Mobile Peer-to-Peer (P2P), you can transfer
money with the bump of a cell phone. No account numbers are needed.
With P2P, you click or touch a few keys to select the amount
of money and set up the “I am sending” mode. The other
person goes into “I am receiving” mode. On smartphones equipped with accelerometers
(and many are), bumping them signals the action to make P2P payments, or share
images or contact details. You have to be connected to the Internet or have
Any time you seize a smartphone, check the apps on the
phone. Especially look for banking apps. Near Field Communication (NFC) uses a
combination of hardware and software to turn the smartphone into a wallet. You
can use P2P to buy even fast food and gas. You no longer need cash, check book
or credit cards.
With person-to-person Quick Pay, you can send money to
nearly anyone with an e-mail address. Bank of America, JPMorgan Chase and Wells
Fargo are among the banks that will move money from a checking account using an
e-mail address or cell phone number.
In addition to normal banking, PayPal payments and prepaid Western Union transfers, other cell phone transactions
are becoming common. Boarding passes in the form of a QR symbol sent by major
airlines to cell phones are old news.
The latest is a hotel key sent via text message to a cell.
The text contains the room number and a phone number to activate a code. Touch
the cell to the door and an audible code unlocks the door. Of course, both the
airline boarding pass and the hotel room key become evidence of this travel
activity stored on the smartphone.
“Currently, cloud storage is the best thing to happen to law
enforcement since cell phones,” Roberts stated. Cloud storage is nothing more
mysterious or cyber-techno than simply saving data to an off-site storage
system maintained by a third party. Cloud storage is now extremely common. The
Internet provides the connection between the computer (or handset) and the
The computer (cell phone) user sends copies of files over
the Internet to the remote data server, which saves the information. To
retrieve the data, or manipulate the files, simply gain access to the server
through the Web.
With cloud storage you can access your data from any
location that has Internet access…any location. You don’t need to carry storage
or memory devices with you. You don’t even need to use the same computer (cell
phone) to gain access to the information. You can allow other people to access
the data file.
iCloud? That is Apple’s cloud storage system that allows you
to back up and restore data on your Apple iOS devices like iPhone, iPad and
iPod. They just need to be connected to the Internet. Text messages are on
iCloud. So are apps purchased from iTunes. So are all the photos and video on
the Camera Roll feature in iOS. iCloud keeps bookmarks and reading lists from
The standard for Fourth Amendment search and seizure usually
observes “in your personal possession.” Nothing in the cloud storage is in your
full personal possession. It is all stored on someone else’s computer systems.
Anything stored at Google or Facebook, the e-mails stored on Gmail or Hotmail,
cell phone call logs on the wireless company’s storage servers, files stored at
remote backup services like Carbonite are all, to a large degree, in someone
All that evidence is there. “All you have to do is ask,”
Roberts noted. The perp might delete something from his phone, but he may
forget to delete it from the cloud. The phone company does not keep text
messages, but the cloud does. Send a search warrant to Apple or Google, ask
for the cloud contents, and you may be surprised at the evidence you get back.
Formal training is necessary to become a cell phone forensic
specialist. This training may be covered by grants, such as the Paul Coverdell
Forensic Science Improvement Grant. Specialized hardware and/or software will
be required. Software-based solutions include Paraben and Secure View.
Hardware-based solutions are available from Cellebrite. Cellebrite is simple,
portable and car-adaptable. The unit is a bit expensive, compared to the
software-only solutions, including both an initial outlay and a yearly
Grant money is available for cell phone investigative
training based in Ohio and California. This training ranges from the one-day
initial overview training to a 40-hour advanced investigative training, and the
formal cell-phone forensic training involves forensic and diagnostic hardware
and software to process the handset and SIM
Check out the investigative toolbar described at www.search.org/files/pdf/toolbarFriefox-0508.pdf,
and downloadable at http://searchinvestigative.ourtoolbar.com. This works as an
executable program on Microsoft Internet Explorer and as an add-on to
Mozilla Firefox. This provides links to sites that provide info on phones,
people, ISPs etc. that apply to cell phone examinations as well as wireless and
Published in Law and Order, Dec 2012