Cell site blog: ‘consistent’ data, or data ‘not inconsistent’

By Dr Iain Brodie, Senior Cell Site Expert

As cell site experts we are often asked to consider whether cell site data is ‘consistent’ with a specific scenario, in the knowledge that our words can have a significant impact on how a jury thinks.

For example, a typical question put to us might be:  is the data for a particular mobile phone ‘consistent’ with it having been at the scene of a particular incident which occurred, say, in the centre of Birmingham at 12:00 on a particular day?

If the cell site data for the phone shows that it connected via a cell site in the centre of Birmingham which serves the scene at 12:00, then in my opinion it is clear that the data is consistent with the phone having been at the scene. This does not mean that I think the phone necessarily WAS at the scene, as the cell ID used will cover an extended area and, of course, locations that are not the scene. Given the unpredictable ways in which phones are used, however – what data there is supports the contention that the phone was at the scene.

The situation is equally clear cut if, at 12:00, the phone connected via a cell in central London. It is physically impossible for the phone to have connected to a cell in London whilst located in Birmingham, so (if the records from the network are correct) such data would be in conflict with or inconsistent with the phone having been in central Birmingham at 12:00.

If, at 12:00 and 12:01 say, the phone connected via cells in central Coventry, the scenario is slightly different. It is not, under all circumstances, physically impossible for the phone to have connected to a cell in Coventry whilst located in Birmingham. But in all normal circumstances – given the huge number of other more likely cells in Birmingham for the phone to have used, I would still say that this data was in conflict with the phone having been in central Birmingham at 12:00. Such an opinion could be reinforced by carrying out further work if required, but in general such further work would not be required.

But imagine the data was less clear cut. For example, now my phone’s call data records show a cell site in Coventry connected to by the phone at 11:00, a cell site in Solihull at 11:30, a cell site in eastern Birmingham at 11:45 and a cell site in Wolverhampton connected to at 12:30.

In my opinion this data is again ‘consistent’ with the phone having been at the central Birmingham scene at 12:00, as the logical journey of the phone would have been close to the scene. Indeed there are not many plausible routes other than the phone passing close to the scene at 12:00 that could generate such data – although again, I do not believe the data means that the phone definitely was at the scene (and nowhere else) at 12:00.

If, however, the call data for the cell in Wolverhampton was not so. All we would have was call data consistent with movement of a phone towards the centre of Birmingham, but even less evidence that the phone was in the centre of Birmingham. Such a scenario presents quite a grey area for evidence of opinion. Some experts may say the data is still consistent with the phone being in the centre of Birmingham at 12:00, whilst it may be argued that there is, in fact, NO data consistent with the phone being in the centre of Birmingham at 12:00.

I would say that the data is consistent with the phone having travelled towards the centre of Birmingham in the times leading up to 12:00, although there is no data showing it had been used in central Birmingham.

A final scenario would be where the phone connected to a cell site in Coventry at 11:00 and again to the same cell site in Coventry at 12:45. In this scenario it is quite POSSIBLE that the phone had time to travel to the centre of Birmingham and back, but there is no data that would lead me to expect that this had been the case. Here I would use the phrase ‘the data is ‘not inconsistent’ with the phone having been in the centre of Birmingham at 12:00 but there was no data indicating it had done so’.

This may seem like semantics. However, in a case where I gave evidence for the defence earlier this year (in Birmingham Crown Court as it happens), the prosecution expert asserted that there was cell site evidence ‘consistent’ with the defendant’s phone having been travelling away from a location of a crime at a particular time, when the cell site used for all of the relevant calls provided service at his home address. The prosecution expert’s use of the word ‘consistent’ here was challenged and the challenge was accepted by the court.

The judge, Justice John Royce in summing up said:

‘although the data is not in conflict with such a theory <that the defendant was at the relevant scene>.  The data <for the time in question.> is not consistent with being at the site.  It could possibly be that the phone was en route however from the site to the defendant’s home…’

the prosecution has been driven to trying to construct theories because of the absence of solid evidence.  They have tried to make bricks with but a few straws, and have done so with admirable skill and ingenuity.  But is this sufficient evidence to be left to the jury?  Could a jury, on this evidence, properly directed, safely convict?  The conclusion to which I am driven is that they could not. Accordingly, I shall direct the jury to return not guilty verdicts’

Had the prosecution expert’s semantics not been challenged, the outcome may have been different resulting, possibly, in a miscarriage of justice.

July 2012 cell site blog: The top five (potential!) pitfalls in cell site analysis.

By Nicholas Patrick-Gleed, Cell Site Analyst

This month’s cell site blog takes on a slightly different style.  The team here at CCL-Forensics has been discussing the most common potential pitfalls encountered in the world of cell site evidence, and thought it would be a useful exercise to commit some of them to the blogosphere.  So, rather than focusing on a particular topic, we’ll look at the top five (as we see them) issues which need to be at the forefront when planning and, more importantly, carrying out a cell site investigation.

We’ve touched on some of these in previous blogs, but they form a concise summary of some of the ‘issues’ we have seen experts (almost) experience.

This Month’s Topic: Five things to be wary of in cell site analysis

1. Exhibits without interpretation

When working for the defence, we regularly see prosecution evidence which can best be described as “exhibits without interpretation”.  A good example of this is a series of maps plotted by an intelligence analyst, who has carried out a series of instructions based on some call data records, but presented them without any explanation of what they mean.  This not only causes confusion and delay within the criminal justice system (the defence will, no doubt, ask for the explanation at some point – so it may as well be provided at the outset) but also means that an opportunity could be missed as part of the investigation stage.  Simply ‘blindly’ plotting information on a map is hardly investigative – but we have seen it more than once.  What is the point of an exhibit without context?

From the prosecution’s perspective this is an obvious potential pitfall – as it means that the evidence does not include something which could enhance the prosecution’s case.

There have also been occasions where the defence leaves it until the 11th hour before ‘complaining’ that the person who has produced the exhibit is not an expert – and the judge could rule that the prosecution needs to carry out more expert analysis.

It’s simply not worth chancing these situations.  Moral of the story: produce exhibits which mean something; it makes for a smoother investigation.

2. Who’s who on the call data records?

Cell site is full of idiosyncrasies.  It’s what keeps us experts on our toes.  But there are small variations between networks and circumstances can lead to major confusion.  The best example of this is when you are analysing a call data record, and the person is in contact with someone on the same network.  There are occasions when both parties cell IDs appear on the same CDR – which can immediately confuse things.  Furthermore, and lets use the ‘3’ network as an example here, if an incoming call to the subject phone is unsuccessful, then the cell ID for the person making the call still appears on the CDR.  This is particularly a problem, as the CRD doesn’t differentiate between the A and B phone (in columns) and so this needs to be taken into account.  It’s pretty easy to spot if there’s a day’s worth of cell IDs in London, and one in Edinburgh – but when both parties are geographically close, then vigilance is the watchword.

This is especially the case if the person plotting the calls is not trained in these nuances – as they may easily go unnoticed.

Moral of the story: be thorough.

3. Timely surveys

Networks change and evolve.  Nothing new there, but the sooner the survey is carried out after the incident in question, the better.  It means the results will be more accurate and better reflect what happened.

We previously touched on our use of historic data, which may help to counteract this problem – and this is a benefit of the robust methodology which CCL uses.  But, timeliness is still a big potential pitfall for a number of reasons.

One of the biggest is the evolution of “Everything Everywhere” – or the merger of
T-Mobile and Orange as most people still know it.  This means that “Everything Everywhere” now has many more channels available than each of their competitors – and consolidating cells seems like a sensible thing to do.  If there are two cells covering the same approximate area, it seems only prudent to use just one of them and either deactivate the other, or reallocate it to, say, the new 4G networks, which have been in the news recently.  This clearly impacts on the survey, especially if the cell in question is no longer transmitting.

Moral of the story: Consider the impact of the T-Mobile and Orange merger before surveying.  What are you expecting to see – and what are you expecting NOT to see?

4. Getting the whole picture – not just a small slice

Cell site is all about focusing on a phone’s movements around the time of a crime, right?  Wrong.  Yes, this is often the best place to start, but it can also be vitally important to look at the patterns of usage within the data as a whole, rather than just isolating and concentrating on a small piece of evidence.

There may be no evidence of a phone being in an area of interest at a particular time, but the best advice here it to stop, look around and think.

There may be behaviour patterns, where the time in question shows some deviation from the norm. There may be evidence elsewhere of the use of ‘clean’ and ‘dirty’ phones.  There may be evidence someone ‘casing the joint’ before the crime, which goes against the usual pattern of usage.

One just doesn’t see these when points are blindly plotted on a map.  The solution is to have as much data available as possible at the outset of a cell site assignment (or as much as can be reasonably requested under RIPA).

At the end of the day, it depends on what question you are trying to answer, but the moral of this story is: Don’t just rely on data from the time of the incident.  More complex investigations need more data.

5. Surveying techniques

Quite honestly, this is something of a bugbear of ours, and a topic which we have covered numerous times.  With that in mind, I won’t go into any major detail, but just summarise something which we think all cell site experts should adopt.  (And we’ve had this published in a peer-reviewed journal, so it’s more than just a passing fad!)

Movement is key to getting an accurate overall picture of how a phone interacts with cells.  The concept of ‘dragging’ a cell can be key to determining if a cell provides coverage at a location.  Driving to a location from a number of directions can result in a different cell providing coverage, depending on which direction you arrive from.  This is because the phone has a tendency to “hold onto” a cell, rather than chopping and changing – (to reduce the risk of a dropped call).  Spot samples (i.e. turning up at a location, surveying without moving, and then leaving, is hardly comprehensive).  This is about so much more than simply dotting the i’s and crossing the t’s.

While we’re on the subject, it’s worth touching on tracking frequencies.  Network Operators, typically use two or three 3G frequencies at their cell sites.  When moving geographically, a phone may use a new cell which uses a different frequency than the original one.  This created a potential pitfall when surveying, as the expert needs to be mindful of how many frequencies are available, and ensure the most appropriate survey is therefore carried out.  The moral of this part of the story: remember there is more than one available frequency – and be as thorough as the investigation requires.

I hope you’ve enjoyed our whistle-stop tour through the potential pitfalls of cell site analysis – and as, ever, we’re always keen to hear your thoughts on the matter.  If you would like to discuss any aspect of cell site analysis, please don’t hesitate to drop us a line at cellsite@ccl-forensics.com

Next month

Next month, Dr Iain Brodie analyses comments made by a judge during a recent case, and highlights what the criminal justice system REALLY wants from cell site experts.

Cell site analysis and impactive court presentation

The monthly cell site blog is back – and this month, we’ll be looking at what makes for an high impact piece of cell site evidence in court, as well as how going that extra mile at the outset of a cell site investigation can, in the long run, save time, money and bring your case to a speedier, more positive conclusion.

Impactive court presentation

By Dr. Iain Brodie, Cell Site Expert

Let’s consider a real case which CCL-Forensics investigated on behalf of a UK police force.  We’ll change some of the location and crime details for the sake of confidentiality, and to help with legalities.  The story goes like this:  there was an aggravated burglary at a house in a semi-rural location, and following enquiries, a man was arrested.  It was crucial for the prosecution to demonstrate the man was at the scene and not merely in the vicinity.

The prosecution claimed that the man in custody had made a number of phone calls to an accomplice, waiting outside the property, while the crime was in progress.  They obtained the call data records (CDRs) from the phone company which the phone (attributed to the individual) was connected to at the time.

CCL-Forensics cell site experts looked at the calls at the pertinent time, and could see that there were indeed incoming and outgoing calls – as well as a number of texts.  These events on the CDR used three different cell IDs (mobile phone mast sectors), but all took place over the period of a number of minutes.

In order to determine whether the suspect was likely to have been at the scene, surveys were carried out of the entire coverage areas of these three cells.  CCL-Forensics performed a number of drive surveys, looking at areas where the cells in question would initiate a mobile phone call.  Once these drive surveys had been carried out, for each of the three masts, they were uploaded onto our mapping system and the so-called ‘derived service areas’ were plotted.

The result was instantly compelling.  Like a neat Venn diagram, the areas overlapped, with that overlap area covering a comparatively small area.  Well within this area, was the crime scene.  It was, to a certain extent, a ‘textbook’ piece of evidence.  The fact that a number of cells were used at the time could easily be down to the fact that the suspect was moving around the house, and receiving a different dominant signal from different elevations of the property.

The question you may well ask, is why not just carry out a ‘spot sample’ at the crime location?  Surely this would have yielded the same result.  The reason for this was down to the case conference CCL-Forensics held with the investigating officer, where it was felt that a more robust survey was required to pre-empt any possible challenge from the defence.  This turned out to be a very wise move, as in the weeks after the survey was carried out, the defence put forward an alibi location which was only a comparatively short distance from the crime scene.

When this point was plotted on the same map (without the need to go out and re-survey), it does indeed show that one of the cells served (for initiating a call) at this location – but not all three.  The alibi location was therefore rejected, and based on the compelling evidence from cell site analysis, the suspect was found guilty.

The map shows the coverage areas, along with the overlap, which ultimately proved to be the pivotal piece of evidence in court.  When presented to the jury in this way, the impact is immeasurable. 

Image

The remit here was to find an effective balance between doing the bare minimum, and doing too much – incurring unnecessary costs.  Had a simple ‘spot sample’ been carried out in the first instance, it would have been necessary to return to the scene to carry out similar exercises at the alibi location – incurring delay and cost.  As it transpired, this was not necessary, as the measurements had already been taken.  In addition to this, the way the evidence was presented, showing the relevance of the small area where the cells’ service overlapped, proved to be an invaluable method of demonstrating the point to the jury.  Cell site evidence, when not presented in an impactive way, can be confusing in court – and at worst, can overwhelm those sitting on the jury.  This was an elegant, easily understandable piece of evidence – and it worked.

This enhanced service was agreed by collaboration of the cell site expert with the customer force at the initial case conference. This has shown the value of providing expert advice from the start of the analysis.

The power of the evidence more than justified ‘going that extra mile’ – and it ultimately saved the expense of carrying out at least one additional survey.  I hope this goes to show that a tailored investigation, based on the intelligence of the case and the requirements of the investigating officer, can be a much more powerful approach than a ‘one size fits all’ turn-up-and-survey approach.

If you would like more information about cell site analysis and its use in cases of this type, please contact me or any of my colleagues by emailing info@ccl-forensics.com.  As ever, please keep the feedback to these articles coming in.  We do enjoy reading your comments and opinions.

Keep posted as next month we will look at another aspect of cell site that will make or breaks a prosecution.

Effects of exceptional demand on mobile phone networks

Nick Patrick-Gleed, a cell site expert at CCL-Forensics, looks at the effect of a large number of people gathering in one place and how the networks compensate for it. He’ll also talk about just how this may affect what cell site analysts see on call data records, and the potential challenges which may come up in court.

Q: Let’s take, for example, a large festival being held in a rural location – where the usual network configuration would be unable to cope with such an influx. What happens when all that phone traffic hits the network?

A: A number of things – three main ones. The first is that, as these events are obviously planned well in advance, the network can introduce temporary cells to cover the area in question. These are usually vehicle/trailer mounted, and are located overlooking the site to ensure maximum coverage – and are quickly removed afterwards.

Q: Doesn’t that pose a problem when surveying if a cell which shows up on a call data record no longer exists?

A: It’s not a problem, as they are labelled on the CDR (call data record) as being a temporary cell, and they usually say why – for example “temporary cell – Glastonbury”. If that is the case, then a survey doesn’t add anything to the process. But these cells tend to have a very small coverage area to avoid interference with the existing network, so as long as you know it’s a temporary cell, you can (even as part of a desktop exercise) locate a phone with reasonable precision.

By that, I mean that the phone is clearly in the vicinity of the festival and not, say, 100 miles away, as claimed by their alibi.

Also, the caller may use neighbouring cells around the time of the incident. They will be detected during a survey.

Q: Is there any way that extra capacity can be introduced to the existing network?

A: Absolutely, and that brings me on to points two and three, following on from point number one above.

One is that extra “kit” can be installed at the mast site, and the other is that software add-ons can be used to handle more calls.

The first of those is a relatively simple procedure, which sees an engineer adding (usually) a piece of rack-mounted equipment in the hut or box at the foot of the cell tower. This takes about an hour – and gives the cell a significant number of extra traffic channels, and therefore the ability to handle more calls.

The benefit of this to cell site analysts, over the temporary cell scenario, is that it has no effect on what you see on the CDRs. The cell ID already exists, and can be surveyed if required.

Q: And the final method?

A: This is the software solution, and basically means that different codecs (audio compression) are used between the phone and the cell. It reduces the bandwidth used to code the callers’ voices into the bits and bytes that are carried by the network. This means that the same frequency can handle more calls, but they are of a slightly lower quality. The quality is still good enough to hold a conversation; it’s just not to the normal standard. Again, this has no effect on the CDRs, and the cell can be surveyed as normal.

This tends to be used as a temporary technique, as it costs the network in software licensing fees… although in theory, they should make it back by handling more calls. It can be a useful method to add capacity as a short term solution or on a daily basis.

Q: Even with these techniques, there are still bound to be scenarios where call volumes are too great, and even they can’t cope.

A: Yes – it is possible that demand can outstrip capacity… and this is possible where large unexpected events happen like a major pile-up or a large scale incident occurs.

When this happens, a person wanting to make a call will be forced to use a neighbouring mast, as their “first choice” is unavailable. The handset has a list of cells that it can detect. It prioritises these, to give a preferred cell, and a list of others which can provide service (seven in total). It also knows other cells that it can detect, but they are not considered to provide service. This list changes dynamically, so the phone always has options.

If the handset is in an area of non-dominance more than one cell may already provide service. When the handset tries to use its “number one” cell, and it is congested with other calls, a process known as “directed retry” happens. This is where it uses one of the other masts in its list, which can provide service.

Q: How does this impact on the way the event appears on a call data record?

A: That’s something of an irrelevant question. If we were to survey the area, we would also see the list of cells which can provide service. Just because the phone doesn’t use the number one cell, it isn’t a problem. We would detect during our survey other cells which provide, or are considered to provide, service – which would undoubtedly include the cell which was used.

Cell site analysis is about much more than just turning up with a piece of kit and surveying one cell. The skill and knowledge of the analyst is key in handling any of these challenges – and the science of cell site analysis is robust enough to rebut them.

Q: Is network congestion a common occurrence?

A: Service providers monitor their network performance, routinely recording data such as the number of dropped calls, the distances of user from mast, and congestion – among others. Their performance is also monitored by OFCOM. They will compare the data against the planned performance and optimise the network accordingly. If a problem is routinely observed, for instance congestion on a cell, additional capacity would be added.

Nick Patrick-Gleed

Cell Site Expert

The idiosyncrasies of mobile phone network providers

All mobile phone network providers have to, by law, hold call data records for at least one year. Problems arise, however, because they all present the records in very different formats and some of the data can seem irrelevant and confusing, giving rise to the risk of information being misinterpreted.

Call data records?

CDRs are similar to itemised phone bills – but they hold much more information. As well as the dates, times and numbers called, CDRs also include IMEI numbers, cell site data and locations.

What do you mean by idiosyncrasies?

Here’s an example: some networks will record the cell ID (the sector of the phone mast) for phone calls which were made, but didn’t connect – others won’t. And some will give the other party’s cell ID if they’re on the same network. This provides a number of opportunities, but these idiosyncrasies also present significant risks if the person analysing them isn’t aware of all these nuances.

As mentioned in a previous blog, the key is to get the call data records into a workable format. This is a massive data manipulation exercise, compounded by the fact that the networks can record locations differently – they may use the postcode, BNG (British National Grid) or latitude and longitude co-ordinates – plus the other idiosyncrasies mentioned above.

Another major issue is that CDRs from some networks’ CDRs can apparently attribute the cell site data from the person at the other end of the call to the subject phone. An unwary analyst may misinterpret this data as coming from the person receiving the call by inadvertently associating the outgoing data with incoming calls and vice versa. This is something I have even seen in court.

Shown below is an example of part of a call data record for phone 07875 477828 for part of 03/12/2010.

Note that the call at 20:54 appears to show cell site information for the phone number 07772 000987 even though this number was not the target of the call data records. An amateur assessment of the call data records – simply looking at all the cell IDs – might conclude that the target phone 07875 477828 had been in the service area for cell
03010 52339 at this time. Such a conclusion would be totally false.

This cell was many kilometres from a particular location of interest in a criminal investigation in one case. Had this issue not been picked up in court, it could easily have led to a miscarriage of justice.

Call data record

Example call data record

What other oddities are thrown up by CDRs?

There are a couple of fairly common issues that can cause problems for even the most experienced analyst.

Text messages may appear on the CDR that the user isn’t aware of. They do exist – but are likely to have been network messages which the user doesn’t actually see. They are “codes” sent by the network under a number of different circumstances to update software, and user details – amongst others. These texts can also be indicative of the user taking the SIM card and/or battery out of the device.

They are not a particularly common occurrence, but can provide additional useful evidence especially if a suspect has deliberately not used their phone in order to stay off the network. For example: a suspect may put a new SIM card into a device at their home, unaware that the phone is then communicating with the network, and therefore leaving location data on the CDR.

As mobile phones become more complex, and smartphones begin to dominate the market, this also provides a useful opportunity for cell site analysts. Not only are calls, texts and network messages registered on the CDR, so is data packet transmission. Every time the phone connects to the internet, whether browsing the web, social networking or being used by apps, this is also recorded. However, unlike a phone call, which records the start and end cell, this data will show the cell ID for where a user started browsing, but not necessarily where they finished.

It gives rise to another question: how long is a browsing session? Some networks record browsing sessions in blocks of time – for example, the cell ID of a session begun at the start of an hour will be recorded – and that will also include a second session begun at the end of that hour. Both locations may not necessarily be separately recorded. This issue again is shown on the call data above at 22:00 and 23:00.

How can the problems caused by these idiosyncrasies be avoided?

There’s no substitute for experience. Cell site analysts with substantial knowledge of these idiosyncrasies can easily circumvent any problems – by spotting them up front.

In addition, converting and sorting the vast amount of data into a properly formatted call sequence table (CST) makes the data uniform and easy to work with.

The CST means that investigators can filter and delete unwanted data easily and without the risk that something will be missed.

CCL-Forensics has developed a tool which takes raw data from the network providers, and converts it into a consistent, workable form – removing the need for extensive manual manipulation. For more information please feel free to get in touch on 01789 261200.

Most importantly, analysts really need to know the individual networks well in order to understand their various oddities and work around them.