All mobile phone network providers have to, by law, hold call data records for at least one year. Problems arise, however, because they all present the records in very different formats and some of the data can seem irrelevant and confusing, giving rise to the risk of information being misinterpreted.
Call data records?
CDRs are similar to itemised phone bills – but they hold much more information. As well as the dates, times and numbers called, CDRs also include IMEI numbers, cell site data and locations.
What do you mean by idiosyncrasies?
Here’s an example: some networks will record the cell ID (the sector of the phone mast) for phone calls which were made, but didn’t connect – others won’t. And some will give the other party’s cell ID if they’re on the same network. This provides a number of opportunities, but these idiosyncrasies also present significant risks if the person analysing them isn’t aware of all these nuances.
As mentioned in a previous blog, the key is to get the call data records into a workable format. This is a massive data manipulation exercise, compounded by the fact that the networks can record locations differently – they may use the postcode, BNG (British National Grid) or latitude and longitude co-ordinates – plus the other idiosyncrasies mentioned above.
Another major issue is that some networks’ CDRs can apparently attribute the cell site data from the person at the other end of the call to the subject phone. An unwary analyst may misinterpret this data as coming from the person receiving the call by inadvertently associating the outgoing data with incoming calls and vice versa. This is something I have even seen in court.
Shown below is an example of part of a call data record for phone 07875 477828 for part of 03/12/2010.
Note that the call at 20:54 appears to show cell site information for the phone number 07772 000987 even though this number was not the target of the call data records. An amateur assessment of the call data records – simply looking at all the cell IDs – might conclude that the target phone 07875 477828 had been in the service area for cell 03010 52339 at this time. Such a conclusion would be totally false.
This cell was many kilometres from a particular location of interest in a criminal investigation in one case. Had this issue not been picked up in court, it could easily have led to a miscarriage of justice.
What other oddities are thrown up by CDRs?
There are a couple of fairly common issues that can cause problems for even the most experienced analyst.
Text messages may appear on the CDR that the user isn’t aware of. They do exist – but are likely to have been network messages which the user doesn’t actually see. They are “codes” sent by the network under a number of different circumstances, for example to update software and user details. These texts can also be indicative of the user taking the SIM card and/or battery out of the device.
They are not a particularly common occurrence, but can provide additional useful evidence especially if a suspect has deliberately not used their phone in order to stay off the network. For example: a suspect may put a new SIM card into a device at their home, unaware that the phone is then communicating with the network, and therefore leaving location data on the CDR.
As mobile phones become more complex, and smartphones begin to dominate the market, this also provides a useful opportunity for cell site analysts. Not only are calls, texts and network messages registered on the CDR, so is data packet transmission. Every time the phone connects to the internet, whether browsing the web, social networking or being used by apps, this is also recorded. However, unlike a phone call, which records the start and end cell, this data will show the cell ID for where a user started browsing, but not necessarily where they finished.
It gives rise to another question: how long is a browsing session? Some networks record browsing sessions in blocks of time – for example, the cell ID of a session begun at the start of an hour will be recorded – and that will also include a second session begun at the end of that hour. Both locations may not necessarily be separately recorded. This issue again is shown on the call data above at 22:00 and 23:00.
How can the problems caused by these idiosyncrasies be avoided?
There’s no substitute for experience. Cell site analysts with substantial knowledge of these idiosyncrasies can easily circumvent any problems – by spotting them up front.
In addition, converting and sorting the vast amount of data into a properly formatted call sequence table (CST) makes the data uniform and easy to work with.
The CST means that investigators can filter and delete unwanted data easily and without the risk that something will be missed.
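One way to build a call sequence table that keeps the other party's cell IDs apart from the target's, covering both the misattribution problem and the CST conversion described above. This is an added example, not CCL-Forensics' tool or any network's real export format; the two CSV layouts, the direction of the 20:54 row and the cell IDs other than 03010 52339 are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

TARGET = "07875477828"  # subject phone from the article's example

@dataclass(frozen=True)
class CstRow:
    when: datetime
    direction: str               # "outgoing" or "incoming", seen from TARGET
    other_party: str
    target_cell: Optional[str]   # cell that served TARGET, if recorded
    other_cell: Optional[str]    # cell that served the other party, if recorded

def msisdn(raw: str) -> str:
    return raw.replace(" ", "")

def from_layout_a(line: str) -> CstRow:
    # Hypothetical layout A: when,caller,called,cell,number the cell relates to
    when, caller, called, cell, cell_for = line.split(",")
    caller, called = msisdn(caller), msisdn(called)
    mine = msisdn(cell_for) == TARGET
    return CstRow(datetime.strptime(when, "%d/%m/%Y %H:%M"),
                  "outgoing" if caller == TARGET else "incoming",
                  called if caller == TARGET else caller,
                  cell if mine else None, None if mine else cell)

def from_layout_b(line: str) -> CstRow:
    # Hypothetical layout B: ISO start,a_number,a_cell,b_number,b_cell
    start, a_num, a_cell, b_num, b_cell = line.split(",")
    out = msisdn(a_num) == TARGET
    mine, theirs = (a_cell, b_cell) if out else (b_cell, a_cell)
    return CstRow(datetime.fromisoformat(start),
                  "outgoing" if out else "incoming",
                  msisdn(b_num if out else a_num), mine or None, theirs or None)

def build_cst(layout_a: list, layout_b: list) -> list:
    rows = [from_layout_a(l) for l in layout_a] + [from_layout_b(l) for l in layout_b]
    return sorted(rows, key=lambda r: r.when)

def target_cells(cst: list) -> set:
    # Only cells that served TARGET; the other party's cells are kept apart.
    return {r.target_cell for r in cst if r.target_cell}

# Constructed sample rows (not the record shown in the article).
LAYOUT_A = ["03/12/2010 20:41,07875 477828,07772 000987,03010 11111,07875 477828",
            "03/12/2010 20:54,07875 477828,07772 000987,03010 52339,07772 000987"]
LAYOUT_B = ["2010-12-03T20:47:00,07772000987,,07875477828,03010 22222"]
```

Collecting every value in layout A's cell column would place the target in cell 03010 52339; `target_cells(build_cst(LAYOUT_A, LAYOUT_B))` leaves it out because that row's cell relates to the other party.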
CCL-Forensics has developed a tool which takes raw data from the network providers, and converts it into a consistent, workable form – removing the need for extensive manual manipulation. For more information please feel free to get in touch on 01789 261200.
Most importantly, analysts really need to know the individual networks well in order to understand their various oddities and work around them.