Cell site blog: ‘consistent’ data, or data ‘not inconsistent’

By Dr Iain Brodie, Senior Cell Site Expert

As cell site experts we are often asked to consider whether cell site data is ‘consistent’ with a specific scenario, in the knowledge that our words can have a significant impact on how a jury thinks.

For example, a typical question put to us might be:  is the data for a particular mobile phone ‘consistent’ with it having been at the scene of a particular incident which occurred, say, in the centre of Birmingham at 12:00 on a particular day?

If the cell site data for the phone shows that it connected via a cell site in the centre of Birmingham which serves the scene at 12:00, then in my opinion it is clear that the data is consistent with the phone having been at the scene. This does not mean that I think the phone necessarily WAS at the scene, as the cell ID used will cover an extended area and, of course, locations that are not the scene. Given the unpredictable ways in which phones are used, however – what data there is supports the contention that the phone was at the scene.

The situation is equally clear cut if, at 12:00, the phone connected via a cell in central London. It is physically impossible for the phone to have connected to a cell in London whilst located in Birmingham, so (if the records from the network are correct) such data would be in conflict with or inconsistent with the phone having been in central Birmingham at 12:00.

If, at 12:00 and 12:01 say, the phone connected via cells in central Coventry, the scenario is slightly different. It is not, under all circumstances, physically impossible for the phone to have connected to a cell in Coventry whilst located in Birmingham. But in all normal circumstances – given the huge number of other more likely cells in Birmingham for the phone to have used, I would still say that this data was in conflict with the phone having been in central Birmingham at 12:00. Such an opinion could be reinforced by carrying out further work if required, but in general such further work would not be required.

But imagine the data was less clear cut. For example, now my phone’s call data records show a cell site in Coventry connected to by the phone at 11:00, a cell site in Solihull at 11:30, a cell site in eastern Birmingham at 11:45 and a cell site in Wolverhampton connected to at 12:30.

In my opinion this data is again ‘consistent’ with the phone having been at the central Birmingham scene at 12:00, as the logical journey of the phone would have been close to the scene. Indeed there are not many plausible routes other than the phone passing close to the scene at 12:00 that could generate such data – although again, I do not believe the data means that the phone definitely was at the scene (and nowhere else) at 12:00.

If, however, the call data for the cell in Wolverhampton was not so. All we would have was call data consistent with movement of a phone towards the centre of Birmingham, but even less evidence that the phone was in the centre of Birmingham. Such a scenario presents quite a grey area for evidence of opinion. Some experts may say the data is still consistent with the phone being in the centre of Birmingham at 12:00, whilst it may be argued that there is, in fact, NO data consistent with the phone being in the centre of Birmingham at 12:00.

I would say that the data is consistent with the phone having travelled towards the centre of Birmingham in the times leading up to 12:00, although there is no data showing it had been used in central Birmingham.

A final scenario would be where the phone connected to a cell site in Coventry at 11:00 and again to the same cell site in Coventry at 12:45. In this scenario it is quite POSSIBLE that the phone had time to travel to the centre of Birmingham and back, but there is no data that would lead me to expect that this had been the case. Here I would use the phrase ‘the data is ‘not inconsistent’ with the phone having been in the centre of Birmingham at 12:00 but there was no data indicating it had done so’.

This may seem like semantics. However, in a case where I gave evidence for the defence earlier this year (in Birmingham Crown Court as it happens), the prosecution expert asserted that there was cell site evidence ‘consistent’ with the defendant’s phone having been travelling away from a location of a crime at a particular time, when the cell site used for all of the relevant calls provided service at his home address. The prosecution expert’s use of the word ‘consistent’ here was challenged and the challenge was accepted by the court.

The judge, Justice John Royce in summing up said:

‘although the data is not in conflict with such a theory <that the defendant was at the relevant scene>.  The data <for the time in question.> is not consistent with being at the site.  It could possibly be that the phone was en route however from the site to the defendant’s home…’

the prosecution has been driven to trying to construct theories because of the absence of solid evidence.  They have tried to make bricks with but a few straws, and have done so with admirable skill and ingenuity.  But is this sufficient evidence to be left to the jury?  Could a jury, on this evidence, properly directed, safely convict?  The conclusion to which I am driven is that they could not. Accordingly, I shall direct the jury to return not guilty verdicts’

Had the prosecution expert’s semantics not been challenged, the outcome may have been different resulting, possibly, in a miscarriage of justice.

July 2012 cell site blog: The top five (potential!) pitfalls in cell site analysis.

By Nicholas Patrick-Gleed, Cell Site Analyst

This month’s cell site blog takes on a slightly different style.  The team here at CCL-Forensics has been discussing the most common potential pitfalls encountered in the world of cell site evidence, and thought it would be a useful exercise to commit some of them to the blogosphere.  So, rather than focusing on a particular topic, we’ll look at the top five (as we see them) issues which need to be at the forefront when planning and, more importantly, carrying out a cell site investigation.

We’ve touched on some of these in previous blogs, but they form a concise summary of some of the ‘issues’ we have seen experts (almost) experience.

This Month’s Topic: Five things to be wary of in cell site analysis

1. Exhibits without interpretation

When working for the defence, we regularly see prosecution evidence which can best be described as “exhibits without interpretation”.  A good example of this is a series of maps plotted by an intelligence analyst, who has carried out a series of instructions based on some call data records, but presented them without any explanation of what they mean.  This not only causes confusion and delay within the criminal justice system (the defence will, no doubt, ask for the explanation at some point – so it may as well be provided at the outset) but also means that an opportunity could be missed as part of the investigation stage.  Simply ‘blindly’ plotting information on a map is hardly investigative – but we have seen it more than once.  What is the point of an exhibit without context?

From the prosecution’s perspective this is an obvious potential pitfall – as it means that the evidence does not include something which could enhance the prosecution’s case.

There have also been occasions where the defence leaves it until the 11th hour before ‘complaining’ that the person who has produced the exhibit is not an expert – and the judge could rule that the prosecution needs to carry out more expert analysis.

It’s simply not worth chancing these situations.  Moral of the story: produce exhibits which mean something; it makes for a smoother investigation.

2. Who’s who on the call data records?

Cell site is full of idiosyncrasies.  It’s what keeps us experts on our toes.  But there are small variations between networks and circumstances can lead to major confusion.  The best example of this is when you are analysing a call data record, and the person is in contact with someone on the same network.  There are occasions when both parties cell IDs appear on the same CDR – which can immediately confuse things.  Furthermore, and lets use the ‘3’ network as an example here, if an incoming call to the subject phone is unsuccessful, then the cell ID for the person making the call still appears on the CDR.  This is particularly a problem, as the CRD doesn’t differentiate between the A and B phone (in columns) and so this needs to be taken into account.  It’s pretty easy to spot if there’s a day’s worth of cell IDs in London, and one in Edinburgh – but when both parties are geographically close, then vigilance is the watchword.

This is especially the case if the person plotting the calls is not trained in these nuances – as they may easily go unnoticed.

Moral of the story: be thorough.

3. Timely surveys

Networks change and evolve.  Nothing new there, but the sooner the survey is carried out after the incident in question, the better.  It means the results will be more accurate and better reflect what happened.

We previously touched on our use of historic data, which may help to counteract this problem – and this is a benefit of the robust methodology which CCL uses.  But, timeliness is still a big potential pitfall for a number of reasons.

One of the biggest is the evolution of “Everything Everywhere” – or the merger of
T-Mobile and Orange as most people still know it.  This means that “Everything Everywhere” now has many more channels available than each of their competitors – and consolidating cells seems like a sensible thing to do.  If there are two cells covering the same approximate area, it seems only prudent to use just one of them and either deactivate the other, or reallocate it to, say, the new 4G networks, which have been in the news recently.  This clearly impacts on the survey, especially if the cell in question is no longer transmitting.

Moral of the story: Consider the impact of the T-Mobile and Orange merger before surveying.  What are you expecting to see – and what are you expecting NOT to see?

4. Getting the whole picture – not just a small slice

Cell site is all about focusing on a phone’s movements around the time of a crime, right?  Wrong.  Yes, this is often the best place to start, but it can also be vitally important to look at the patterns of usage within the data as a whole, rather than just isolating and concentrating on a small piece of evidence.

There may be no evidence of a phone being in an area of interest at a particular time, but the best advice here it to stop, look around and think.

There may be behaviour patterns, where the time in question shows some deviation from the norm. There may be evidence elsewhere of the use of ‘clean’ and ‘dirty’ phones.  There may be evidence someone ‘casing the joint’ before the crime, which goes against the usual pattern of usage.

One just doesn’t see these when points are blindly plotted on a map.  The solution is to have as much data available as possible at the outset of a cell site assignment (or as much as can be reasonably requested under RIPA).

At the end of the day, it depends on what question you are trying to answer, but the moral of this story is: Don’t just rely on data from the time of the incident.  More complex investigations need more data.

5. Surveying techniques

Quite honestly, this is something of a bugbear of ours, and a topic which we have covered numerous times.  With that in mind, I won’t go into any major detail, but just summarise something which we think all cell site experts should adopt.  (And we’ve had this published in a peer-reviewed journal, so it’s more than just a passing fad!)

Movement is key to getting an accurate overall picture of how a phone interacts with cells.  The concept of ‘dragging’ a cell can be key to determining if a cell provides coverage at a location.  Driving to a location from a number of directions can result in a different cell providing coverage, depending on which direction you arrive from.  This is because the phone has a tendency to “hold onto” a cell, rather than chopping and changing – (to reduce the risk of a dropped call).  Spot samples (i.e. turning up at a location, surveying without moving, and then leaving, is hardly comprehensive).  This is about so much more than simply dotting the i’s and crossing the t’s.

While we’re on the subject, it’s worth touching on tracking frequencies.  Network Operators, typically use two or three 3G frequencies at their cell sites.  When moving geographically, a phone may use a new cell which uses a different frequency than the original one.  This created a potential pitfall when surveying, as the expert needs to be mindful of how many frequencies are available, and ensure the most appropriate survey is therefore carried out.  The moral of this part of the story: remember there is more than one available frequency – and be as thorough as the investigation requires.

I hope you’ve enjoyed our whistle-stop tour through the potential pitfalls of cell site analysis – and as, ever, we’re always keen to hear your thoughts on the matter.  If you would like to discuss any aspect of cell site analysis, please don’t hesitate to drop us a line at cellsite@ccl-forensics.com

Next month

Next month, Dr Iain Brodie analyses comments made by a judge during a recent case, and highlights what the criminal justice system REALLY wants from cell site experts.

Cell site blog – Never mind the quality, feel the width

Thoughts and observations on how ‘more’ could mean ‘less’ in the presentation of cell site analysis.

By Matthew Tart, Cell Site Analyst

This month – we look at quality over quantity in cell site analysis – with particular emphasis on a recent example where a pile (literally) of maps could easily have left jurors’ heads spinning.  And cost the prosecution a considerable sum.

This month’s topic: Getting the balance right in cell site analysis 

This blog starts with a case we were involved in recently, involving a high profile crime with a number of defendants.  On this occasion we were working for the defence, but this story acts as a useful pointer for the prosecution by illustrating techniques that experts used by the Crown should – and should not – be doing.  We’ll focus on a method used by a large number of cell site analysts (but not ourselves) which is not necessarily robust or stand up to close scrutiny.

Q: What were the details of the case?

A: The prosecution were investigating the probability of a suspect being at a crime scene – a pub in an inner city location.  At the time of the crime, one of the suspects (we were working for that suspect’s defence solicitor in this case) made a phone call.  The call data records showed that this phone call was made on what we’ll call ‘cell A’, which was on a mast near the crime scene – but also near to his home address which was about 500m away.

The suspect’s alibi was that he was at home at the time of the crime and the phone call.

The prosecution’s outsourced expert carried out ‘spot samples’ (i.e. turned up at a location with a piece of equipment) at both the crime scene and the alibi location.  Their report showed a different cell serving at each location.  Cell A was shown as best serving at the crime scene – but not at the alibi location.

Q: So what did we do differently?

A: We carried out a much more extensive survey i.e. a drive survey at the home address and the surrounding area.  This was carried out with regard to the cell of interest (Cell A), and we used multiple pieces of equipment and repeatedly moved in and out of the area.  We found that cell A provided coverage north, south, east and west of both locations (crime and alibi scene), and based upon this, could not distinguish between the mobile phone being at either location.  The evidence was simply not strong enough to suggest one or the other.

Q:  So, were both sides saying something different?

A: Yes and no. Before the court date, the prosecution’s outsourced expert asked for a copy of our defence report, which we provided.  We then discussed the contents with the expert over the phone, who claimed that he wouldn’t expect cell A to provide coverage at the home address.  After looking at our evidence, he admitted that our assertion that the cell served at both addresses was actually the most valid interpretation of the evidence.  This is a worrying admission/u-turn to say the least.  This is despite his evidence not documenting that cell A also serves at that crucial home address.

Q:  The other side claimed that a different cell provided service at the home address.  Did your survey find that cell as well?

A: Yes, but we found four cells which served at the home address.  Cell A, the one the other side claimed – AND two others.

Q: How was this data presented by the prosecution’s expert?

A: In a rather cumbersome, and lengthy fashion, to say the least.  There were a number of suspects, and their report showed the same maps over and over – and over – again.  It showed the locations of interest, calls for varying time periods, and whether the cells used actually covered the locations.  This came to more than 100 (one hundred) maps.  All printed on A3 paper and bound into a daunting, unwieldy piece of physical evidence, which the jury would have to absorb.

I would defy even the most attentive juror to have easily made sense of this massive tome.  Notwithstanding the threatening size of the document, but all the pages were practically the same, or almost identical copies of other similar pages.  You simply wouldn’t be able to take it all in.  Especially as one wouldn’t expect jurors to be familiar with this type of evidence – making it all the more crucial to have it presented in a friendly form.

Q: What would we have done differently?

A: Firstly, not produced a huge weighty un-jury-friendly document. The best way of presenting this evidence (for which we would have had MUCH more survey data, having done more than carry out simple spot samples) would have been a series of two or three detailed maps which can be presented interactively at court with the relevant points being highlighted by the expert in the course of presenting the evidence.  These maps would have covered specifically the period of interest – and would have a secondary, financial, benefit.

By not producing hundreds of maps, we would have saved a considerable amount of time – and therefore cost.  We would estimate that producing this unmanageable number of maps and documents would have potentially cost tens of thousands of pounds. Our approach would almost certainly have been cheaper AND more robust.

Q:  So the lesson here is…

A: …to think about what you need to achieve, and the best way of doing it.  Don’t be held to ransom by an outsourced experts ‘way of doing something’.  Hopefully this example has shown two things.  One, that carrying out spot samples (as we’ve mentioned in previous blogs) may not be the most appropriate way of surveying.  And secondly, that the end product i.e. what the jury see and have to understand, can be something a little more sophisticated than a batch of similar-looking, repetitive – and quite frankly, uninspiring – maps and tables.  Technology has moved on.  So has cell site analysis.  And so has the presentation of evidence in court.

In terms of maps it is quality not quantity that delivers the most impactive conclusions in relation to the possible locations of a mobile phone.

For more information about this – or any aspect of cell site analysis, please contact Matthew Tart (or any of our other cell site analysts) on 01789 261200 or by emailing cellsite@ccl-forensics.com

Benefits of hindsight: Why ‘nurturing’ data can prove valuable for cell site analysts.

It’s at this time of year, when the sun is shining (well, it IS at the very moment these words are being written), that carrying out an intensive cell site survey seems almost like a perk of the job. But, as everyone involved knows, a cell site expert shouldn’t expect that each assignment should come with such luxuries.  Surveys aren’t always necessary – and even where they are, there could be a smarter solution.  In this month’s cell site ‘blog’, Matthew Tart looks at the possibility of using data from previous cases.

This month’s topic: Use of historic cell site data

Q: First of all, precisely what do we mean by historic cell site data?

A: Simply, it’s data CCL-Forensics has generated from carrying out previous cases, which we have organised and stored in an ever-growing database.  The reason we have this, is because we don’t carry out static surveys as we have found they have limited repeatability and failed validation (this is described in our previous blog here), which I’ll go into in a little more detail later.  So if we’re interested in where a particular cell serves, there is a potential that we’ve already surveyed relevant areas.  We’re not (quite!) up to UK wide coverage yet, but the database is growing rapidly, plus we’re getting additional cell data every time we travel between our offices and the general area of the survey.  

Q: So, how does this actually benefit the case. Surely, all cases are different, and you may still have to do some surveying?

A:  This is not necessarily a replacement for any future survey, it is an enhancement, but it does have some significant advantages.  The first being that it can help us to scope out a case, and therefore produce a more accurate strategy – keeping costs down.  The more CCL-Forensics know about the network infrastructure of the location in question, the more easily we can produce the most cost-effective forensic solution to the problem at hand. It’s also been useful in court, where very specific questions have been raised about the coverage of a cell; if we have relevant data, our expert in the witness box can easily (and with no cost to anyone involved), use that area information – adding value to proceedings.  In short, it means that we simply have more data with which to work – and scientifically, that’s a very good place to be.

Q: But isn’t there a risk that the data may be out of date?

A: The timeliness of data is always a consideration in cell site analysis.  One of the most common concerns tends to surround how the network may have changed in the (often) months between the incident and the survey.  By using data collected in the past, it could be more relevant to the time of the incident.  Additionally further surveys can be undertaken to assess whether that there have been changes in the network over a period of time – and not even the networks themselves can give us information as reliable as that.

Q:  Why aren’t all cell site analysts doing this?

A: I’m not saying it’s only CCL-Forensics who are doing it, but there are analysts who practice certain surveying techniques where keeping a database would not be appropriate.  Earlier, I mentioned the concept of carrying out static surveys.  CCL-Forensics have gone through this at length before, but this just goes to reinforce why turning up at a scene, carrying out a few measurements and then leaving again, is not the strongest piece of science in the world.

Using static surveys each job stands alone and in isolation from any other examination.

Q: It must take up a serious amount of storage space

A: CCL-Forensics had to buy a huge new server to hold this data, but it’s already been worth it.  We’ve saved so much time by having access to this data, and passed on significant cost savings as a result.  It also means that our clients are getting stronger evidence, effectively for free.  It’s stronger because we can more accurately assess service areas, and also get an educated idea of network changes, which can inform expectations at the outset of an investigation and same time during it.

For us, it’s definitely an investment in the future and ideally, we’d like to be a position where we have the whole country mapped, but that’s a little way away at the moment!

To finish with an example: There was an urgent pre case management hearing relating to an incident in a city 150 miles from our base.  We were asked to provide some analysis of call data records on a Wednesday morning, which were needed by the Thursday evening. 

CCL-Forensics checked our database and found extensive surveys in and around the locations of interest, and could make an informed estimate of cell service at those addresses without the disruption, delay and cost of travelling to the area and carrying out a survey.  Basically this would not have been possible, given the time constraint, had we not had the historic data. 

Of course it is not just the survey time that causes delay, it’s the preparation, travelling, data manipulation, analysis and reporting of that data.  But, as we’d already surveyed the area, the client had the report they needed well ahead of the deadline: something which would have been practically impossible otherwise. 

To summarise, every case we do makes CCL-Forensics service stronger.

For more information about historical cell site data usage, or any of the other issues highlighted in this month’s blog, please email Matthew Tart at mtart@ccl-forensics.com or call 01789 261200

 

Cell site analysis and impactive court presentation

The monthly cell site blog is back – and this month, we’ll be looking at what makes for an high impact piece of cell site evidence in court, as well as how going that extra mile at the outset of a cell site investigation can, in the long run, save time, money and bring your case to a speedier, more positive conclusion.

Impactive court presentation

By Dr. Iain Brodie, Cell Site Expert

Let’s consider a real case which CCL-Forensics investigated on behalf of a UK police force.  We’ll change some of the location and crime details for the sake of confidentiality, and to help with legalities.  The story goes like this:  there was an aggravated burglary at a house in a semi-rural location, and following enquiries, a man was arrested.  It was crucial for the prosecution to demonstrate the man was at the scene and not merely in the vicinity.

The prosecution claimed that the man in custody had made a number of phone calls to an accomplice, waiting outside the property, while the crime was in progress.  They obtained the call data records (CDRs) from the phone company which the phone (attributed to the individual) was connected to at the time.

CCL-Forensics cell site experts looked at the calls at the pertinent time, and could see that there were indeed incoming and outgoing calls – as well as a number of texts.  These events on the CDR used three different cell IDs (mobile phone mast sectors), but all took place over the period of a number of minutes.

In order to determine whether the suspect was likely to have been at the scene, surveys were carried out of the entire coverage areas of these three cells.  CCL-Forensics performed a number of drive surveys, looking at areas where the cells in question would initiate a mobile phone call.  Once these drive surveys had been carried out, for each of the three masts, they were uploaded onto our mapping system and the so-called ‘derived service areas’ were plotted.

The result was instantly compelling.  Like a neat Venn diagram, the areas overlapped, with that overlap area covering a comparatively small area.  Well within this area, was the crime scene.  It was, to a certain extent, a ‘textbook’ piece of evidence.  The fact that a number of cells were used at the time could easily be down to the fact that the suspect was moving around the house, and receiving a different dominant signal from different elevations of the property.

The question you may well ask, is why not just carry out a ‘spot sample’ at the crime location?  Surely this would have yielded the same result.  The reason for this was down to the case conference CCL-Forensics held with the investigating officer, where it was felt that a more robust survey was required to pre-empt any possible challenge from the defence.  This turned out to be a very wise move, as in the weeks after the survey was carried out, the defence put forward an alibi location which was only a comparatively short distance from the crime scene.

When this point was plotted on the same map (without the need to go out and re-survey), it does indeed show that one of the cells served (for initiating a call) at this location – but not all three.  The alibi location was therefore rejected, and based on the compelling evidence from cell site analysis, the suspect was found guilty.

The map shows the coverage areas, along with the overlap, which ultimately proved to be the pivotal piece of evidence in court.  When presented to the jury in this way, the impact is immeasurable. 

Image

The remit here was to find an effective balance between doing the bare minimum, and doing too much – incurring unnecessary costs.  Had a simple ‘spot sample’ been carried out in the first instance, it would have been necessary to return to the scene to carry out similar exercises at the alibi location – incurring delay and cost.  As it transpired, this was not necessary, as the measurements had already been taken.  In addition to this, the way the evidence was presented, showing the relevance of the small area where the cells’ service overlapped, proved to be an invaluable method of demonstrating the point to the jury.  Cell site evidence, when not presented in an impactive way, can be confusing in court – and at worst, can overwhelm those sitting on the jury.  This was an elegant, easily understandable piece of evidence – and it worked.

This enhanced service was agreed by collaboration of the cell site expert with the customer force at the initial case conference. This has shown the value of providing expert advice from the start of the analysis.

The power of the evidence more than justified ‘going that extra mile’ – and it ultimately saved the expense of carrying out at least one additional survey.  I hope this goes to show that a tailored investigation, based on the intelligence of the case and the requirements of the investigating officer, can be a much more powerful approach than a ‘one size fits all’ turn-up-and-survey approach.

If you would like more information about cell site analysis and its use in cases of this type, please contact me or any of my colleagues by emailing info@ccl-forensics.com.  As ever, please keep the feedback to these articles coming in.  We do enjoy reading your comments and opinions.

Keep posted as next month we will look at another aspect of cell site that will make or breaks a prosecution.

Continue your professional development with us

There are many ways to grab a few CPD points here and there if you’re a criminal defence lawyer, but all of them take time out of your busy day, and some of them are little more than a box-ticking exercise.

Here at CCL-Forensics we like to spread a little love by offering our own CPD course – free of charge*. You can choose from a one, two, or three-hour course and we’ll come to your premises at a time and date to suit you.

The course aims to improve delegates’ understanding of digital evidence: including things you may not have considered, and a look at what it is possible to extract and use to build a case. Building a full picture of your client’s activities is vital if he or she is to receive a fair trial, and making use of all the evidence available is a key part of that.

It’s a very popular course, and we consistently receive feedback from people who are genuinely surprised at how much they learn. Delegates take information from the course and put it into practice when building defence cases which involve digital evidence.

Take a look at the agenda:

  • Introduction to digital forensics
  • How people communicate electronically
  • What information can be recovered and from where
    • Social media evidence
    • Smart phones and computers
    • Chat and messenger services
    • Real life examples (e.g. the recent riots)
    • Deleted data
  • Indecent images
    • Brief overview of the law
    • Extracting deleted files and internet history
    • Showing intent
  • 20 unlikely places you may find defence evidence
  • Cell site analysis
    • Using phone mast data to analyse your client’s movements
    • How precise can it be?
    • Understanding and challenging the prosecution evidence

Give us a call on 01789 261200 or email info@ccl-forensics.com and find out how we can help you to make the best of the evidence available to you.

*Subject to a minimum number of attendees.

Absence of evidence is not necessarily evidence of absence…

In what is probably the first published and peer-reviewed research paper of its kind, the title of this blog is, essentially, what I and my colleagues have argued.

Digital Investigation Journal has published our research in its December 2011 edition under the title: “Historic cell site analysis – Overview of principles and survey methodologies”. In the paper, we make a number of scientifically-justified recommendations on how cell site analysis surveys should be carried out.

It is important to note, though, that there will never be a perfect survey technique; survey methods are constantly evolving as technology moves on, and our analysts are continually searching for the best way to gather the appropriate evidence. Not to mention the fact that it very much depends on the case in question and what is required from the survey.

We outlined a number of advantages and disadvantages of several cell site survey techniques and explained the problems that can be encountered when interpreting survey data. These problems can cause practitioners to draw inappropriate conclusions from their results and can end up causing arguments in court.

Location samples

Advantages:

A five-minute static location sample would enable cells with a timing offset of less than five minutes to be selected over others. It is also a quick and efficient method for data collection and analysis.

Disadvantages:

As with spot samples, five-minute location samples showed significant variability in results with small changes of position and between equipment, but to a slightly lesser degree. Even with large amounts of data from a single location, it is still less likely that other legitimately-serving cells will be reselected.

Again, any piece of equipment may not monitor all “valid” cell IDs as serving, and conversely many neighbour cells were detected that never provided service. It would be inappropriate to exclude a cell from serving at a given location using this method because it had not been detected in the survey.

Area surveys

Advantages:

These showed the least variability in results between pieces of equipment.

This method optimises the chance of cell reselection, minimising the effects of restricted BA lists and non-dominance. It is not infallible, but there is a much clearer indication of which cells genuinely provide service at and in the immediate area of a location or property.

Area surveys provide a wider picture of the general network configuration around the area of the location, enabling comment as to possible network changes if further work is required at a later date.

Disadvantages:

It takes longer to generate data and there is more data produced, making it more complicated to analyse – and this adds time (and therefore cost) to the examination.

Large quantities of measurements are not routinely obtained at a single specific location (although this can be done) for cells with a timing offset to be selected.

More possible cells will be identified (some may be false positives for that specific location, especially if they are “small” cells at the edge of the sampled area). The experiments we conducted suggest that there would be an estimated increase of around 20 per cent because of this. However, they may become relevant to an investigation later because they are detected in the local area even if not at the specific target location.

It is rare that a specific point is highlighted as being where a call was believed to have been made from.

Cell surveys

The advantage of this type of survey for a “normal” voice call or text is that the size of the area served by the cell can be demonstrated, which can be extremely useful in highlighting the limitations of the cell site evidence (if the cell provides service over a large and relevant area) or in emphasising its importance (e.g. if the service area is very small).

With hundreds of data points, absence of a specific cell from the serving and neighbour information can be a good indicator a given cell would not be expected to provide service at the location.

So what’s the best way?

There is no perfect way to conduct cell site analysis surveys, but we need to be sure we can rely on survey data to indicate whether a cell does, or – more importantly – does not, legitimately serve at a location. Different investigators will have their own way of interpreting call record data from phone companies, and we have successfully challenged some of these in court.

For example: if a suspect claims that he was in a particular area at a particular time, and was using his phone at the time, this can be verified by analysing the coverage area of the mast that he claims he was using, or visiting the location to see if it serves there.

However, by simply turning up at the scene and taking a “spot sample” as to whether the mast serves that point is not sufficient. We are aware of investigators who do this, but it is quite feasible that by carrying out a more comprehensive analysis including, for example, approaching the scene from different directions, a different picture could be revealed.

The implications of this could be far reaching in terms of the verdict delivered during a criminal court case – the difference between “guilty” and “not guilty”.

We reviewed a number of survey techniques to determine the most reliable method for collecting RF survey data for historic cell site cases. Results from experiments have demonstrated that area surveys around a location of interest provide the most consistent method for detecting serving cells at a location.

Area surveys were also more reliable for excluding cell IDs from a location, and for assessing possible network changes if further surveys take place later.

We hope that this paper will set the standard for surveys in cell site analysis, and ensure that the criminal justice system is built upon a sound base of scientific evidence. Only by keeping up with changes in technology, and reviewing what other cell site experts are doing, can practitioners ensure that they undertake the most appropriate analyses. There is enormous scope for more research, and we hope to see much more published for peer review.

Matt Tart

Cell Site Analysis Expert