AQUACROSS LLC Computer Forensic Services


Cell Site Analysis

Cell Site Analysis is the science of reconstructing the physical movements of a mobile phone or telecommunication device. The evidence produced from such advanced investigations can be especially powerful in attributing contact between individuals, proximity to a scene of crime, patterns of movement, and testing the strength of alibi evidence.

Below is a paper authored by Verlin Cross explaining the analysis.

Understanding Historical Cell Site Records

A client has been accused of a crime. Law enforcement state they can place the client at the scene of the incident by “ping data” from the client’s cell phone. Do they have the proof to place the client at the scene? This article explains the data and the way it is used.

When a cell phone is turned on, it receives a signal from a cell site called a system identification code (SID). After receiving the SID, the cell phone transmits a registration request to a cell site (what we know as a cell tower). This request allows the cellular provider to know the cell sites that are in range of the cell phone and allows calls to be properly routed to the device. The registration request is commonly referred to as ping data. Ping data must be recorded while an incident is occurring and is not available weeks or months afterwards. By actively sending a signal to the cell phone from multiple cell towers, the location of the cell phone can be triangulated. Law enforcement uses ping data to locate kidnap victims or lost individuals. Conversely, a history of cell site records can be obtained after the incident from the cellular provider. Analysis of the history of cell sites provides the general location of the cell phone. In most cases, the records that law enforcement has obtained are historical cell site records, not ping data.

Understanding how a typical cell site works will allow a better understanding of Call Detail Records (CDRs) and their use. A cell site tower is located at a fixed geographical location with three directional antennas attached. The three directional antennas on the tower normally divide the 360-degree circumference around the tower into three 120-degree areas. For instance, if a cell site has three antennas, pointed with one centered at 30 degrees, one at 150 degrees and one at 270 degrees, the alpha antenna, which is centered at 30 degrees, would have a nominal coverage area from 330 degrees (-60 degrees) to 90 degrees (+60 degrees). The beta antenna, centered at 150 degrees, would have a nominal coverage area from 90 degrees to 210 degrees. The gamma antenna, centered at 270 degrees, would have a nominal coverage area from 210 degrees to 330 degrees [See Figure 1]. The antenna and tower that provide service for a call are determined by which antenna has the strongest connection to the phone. Cell sites and antennas do have overlapping coverage areas, so that a call can be handed off to another tower or antenna if the cell phone is in a moving vehicle, or so that an adjacent antenna can provide service during high call volume periods. [1]
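The sector arithmetic above, including the alpha antenna's wrap through 0 degrees, can be checked in code. This Python sketch is an added example, not part of the original paper: the azimuths are the article's 30/150/270 example, while the function names and any coordinates passed in are assumptions for illustration.

```python
import math

# Antenna azimuths from the article's example (degrees clockwise from north).
SECTORS = {"alpha": 30.0, "beta": 150.0, "gamma": 270.0}
HALF_WIDTH = 60.0  # a nominal 120-degree sector is the azimuth +/- 60 degrees

def bearing_deg(lat1, lon1, lat2, lon2):
    """Initial great-circle bearing from point 1 to point 2, in 0-360 degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    y = math.sin(dlon) * math.cos(p2)
    x = math.cos(p1) * math.sin(p2) - math.sin(p1) * math.cos(p2) * math.cos(dlon)
    return math.degrees(math.atan2(y, x)) % 360.0

def angular_offset(bearing, azimuth):
    """Smallest absolute angle between two directions (handles the 0/360 wrap)."""
    return abs((bearing - azimuth + 180.0) % 360.0 - 180.0)

def nominal_sectors(bearing, sectors=SECTORS, half_width=HALF_WIDTH):
    """Names of sectors whose nominal arc contains the bearing.

    A bearing exactly on a boundary (90, 210 or 330 here) is reported for both
    neighbours. Real coverage overlaps further, so this is only the nominal arc.
    """
    return sorted(name for name, az in sectors.items()
                  if angular_offset(bearing, az) <= half_width)

def sector_for_location(tower, point):
    """Bearing from a tower (lat, lon) to a point (lat, lon) and its nominal sectors."""
    b = bearing_deg(tower[0], tower[1], point[0], point[1])
    return round(b, 1), nominal_sectors(b)

if __name__ == "__main__":
    tower = (45.5, -122.6)          # constructed tower position
    for label, point in [("south", (45.4, -122.6)), ("west", (45.5, -122.7))]:
        print(label, sector_for_location(tower, point))
```

A location whose bearing falls outside the recorded antenna's nominal arc is not ruled out by that alone, because of the overlapping coverage the paragraph describes.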

Cell site records cannot place a client at a particular location. These records show the cell site the cell phone was connected to and the general area a particular antenna services. In urban areas an antenna may cover two square miles, whereas in a rural area the coverage area may be approximately nine square miles. The coverage area is influenced by a number of factors including topography, weather, vegetation, and buildings.

The same information may not be available for SMS/text messages. SMS is technically known as Simple Message Service, which carries short text messages sent to or from cell phones. The data obtained from the cellular provider does not provide the level of detail for text messages that it does for a cell phone call. The data available from cellular providers for text messages is the switch that routed the message to the intended receiver’s cell phone. A switch handles text messages from hundreds of cell sites in a geographical area, making it useless for placing someone in the proximity of an incident. If the question was, “Is the cell phone that sent the text message in Portland or in Seattle?” the text message records would be able to answer that question. [2]

In order to obtain historical cell site data, a subpoena or warrant would be issued to the cellular provider of the cell phone. The subpoena or warrant normally requests the subscriber information, Call Detail Records, a CDRs explanation form, and a listing of functioning cell sites in a geographic area at the time of the incident. At a minimum, the CDRs contain the dialing number, the dialed number, the call direction (incoming or outgoing), the date and time of the call, the length of the call, the cell site that initiated the call, the antenna servicing the call, the cell site terminating the call and the antenna that last serviced the call. When the provider responds, a letter of authentication should be included with the requested records. Some cellular providers may provide additional information. The CDRs explanation form details the contents of the CDRs and any codes they may contain. The cell site document has the address of the site, the latitude and longitude of the site, and the direction the center of each antenna is pointing. Be aware that many cellular providers only retain these historical cell site records for a limited time. Figure 2 lists the retention time for five of the top carriers. Cellular providers are traditionally slow in responding to subpoenas; therefore, your subpoena should be served well in advance of the court date.

Figure 2: Retention Period of Historical Cell Site Record

Verizon: 1 rolling year

T-Mobile: Officially 4 to 6 months, often a year or more

AT&T: From July 2008

Sprint: 18 to 24 months

Nextel: 18 to 24 months

By analyzing the historical cell site records, the data obtained can be mapped, illustrating the general area the cell phone was in at the time a call was initiated and concluded. Below is a map showing an analysis of the records. This map illustrates the following scenario:

Our client is accused of shooting a person at Mount Tabor Park on 1/4/2013 at approximately 10:36 PM. The client’s statement when interviewed by the police was that he was at the Lotus Room that evening and then drove to Hillsboro. By analyzing the call detail records, our client’s approximate location can be mapped. The records show the client made a call at 10:15 PM and was connected to a cell site east of SE Grand Ave and SE Yamhill St. At 10:30 PM, he made a second call and was connected to a cell site west of W Main St and SW 5th Ave. These two calls support the client’s statement of being at the Lotus Room. At 10:42 PM he received a call and was connected to a cell site southwest of N Broadway and N Benton Ave. At 10:44 PM he received a call and was connected to a cell site south of NW Northrup St and NW 20 Ave. These two calls document that the client would have had to leave the Lotus Room, drive approximately 3.5 miles to Mount Tabor Park, find the victim, shoot him and return to a location southwest of N Broadway and N Benton Ave in 12 minutes. The last call that was plotted was made at 11:05 PM and the client was east of NW Cornell Rd and NW Evergreen Pkwy, Hillsboro, again supporting the client’s statement.

This scenario is based on an actual case, but some of the details have been modified to protect the identity of the client and victim.
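The timing argument in the scenario can be turned into a repeatable check: the minimum average speed needed to travel from one record's cell site to the scene and on to the next record's cell site. This Python sketch is an added example, not part of the original paper; the coordinates are constructed (they are not the case's sites), and `coverage_mi` and `dwell_min` are assumed parameters for antenna coverage and time spent at the scene.

```python
import math
from datetime import datetime

EARTH_RADIUS_MI = 3958.8  # mean Earth radius in miles

def haversine_mi(a, b):
    """Straight-line (great-circle) miles between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_MI * math.asin(math.sqrt(h))

def detour_check(rec_before, rec_after, scene, coverage_mi=0.0, dwell_min=0.0):
    """Minimum average speed for site -> scene -> site between two CDR rows.

    Each record is (datetime, (lat, lon) of the serving cell site). Because a
    record only places the phone in the antenna's general area, coverage_mi is
    subtracted once per leg. Straight-line distance is a lower bound on road
    distance, so the returned speed is a floor, not an estimate.
    """
    (t0, site0), (t1, site1) = rec_before, rec_after
    window_h = (t1 - t0).total_seconds() / 3600.0 - dwell_min / 60.0
    if window_h <= 0:
        return None  # no travel time left once the dwell time is removed
    legs = haversine_mi(site0, scene) + haversine_mi(scene, site1)
    miles = max(0.0, legs - 2 * coverage_mi)
    return {"miles": round(miles, 2), "min_mph": round(miles / window_h, 1)}

# Constructed sample data: the times follow the scenario, the positions do not.
REC_2230 = (datetime(2013, 1, 4, 22, 30), (45.515, -122.680))
REC_2242 = (datetime(2013, 1, 4, 22, 42), (45.535, -122.668))
SCENE = (45.512, -122.594)

if __name__ == "__main__":
    print(detour_check(REC_2230, REC_2242, SCENE))
    print(detour_check(REC_2230, REC_2242, SCENE, coverage_mi=0.8, dwell_min=2))
```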

This article is meant to provide a better understanding of historical cell site records and how they are used. Remember, these records may only be available for a limited period of time; therefore, do not delay in requesting them from the cellular provider.

[1] O’Connor, Terrence P., Provider Side Cell Phone Forensics, Small Scale Digital Device Forensics Journal, Vol. 3, No. 1, June 2009.

[2] UPDATE TO ORIGINAL ARTICLE: AT&T is now collecting the cell site and antenna from which SMS messages are sent and received.