Basics of Cellular Evidence
Lars Daniel, EnCE

Transcript of Basics of Cellular Evidence

Cellular Evidence: Examination and Analysis of Cellular Records, Cellular Towers, and Geo-location.

PART 1: Cell Phone Acquisition and Examination

Collection and Acquiring Cell Phones

Unique Preservation Issues
– Phone must be isolated from the network.
– Data can be destroyed very easily by police, first responders, others.
– Turning the phone on can destroy data permanently.

Preservation
Phones should be left in the original condition and placed in a Faraday bag.

Collection and Acquiring Cell Phones
• Cop “thumbs through” the phone at the scene.
– Phone is collected, turned off and placed in evidence
– Phone is collected, left on and placed in evidence
• Cop pulls phone from evidence and does a “thumb forensics” exam with no records or documentation.

Dangers Of “Thumb Forensics”
• Usually cannot tell if something has been deleted
• Usually cannot tell if anything has been created

Logical Acquisition Of A Cell Phone

How it Works
• Using forensic software and hardware, a connection is made to the phone and the forensic tools “ask” for the data from the phone.
• Based on modem technology

Data That Can Be Recovered
• Can recover only data that is still present on the phone (information that has not been deleted)
• Data that can be recovered includes: contacts, call history, images, videos, email, text messages, address book, etc.

Logical Acquisition Of A Cell Phone
Why do a logical acquisition of a cell phone when you could get the same information using “Thumb Forensics”?
• Verification
• Advanced Reporting
• Will Stand Up In Court
• Forensic Best Practices

Physical Acquisition Of A Cell Phone

How it Works
• Using forensic software and hardware, the physical memory of the phone or a device in the phone is recovered. This allows for the recovery of deleted data.
• Deleted data can be recovered from SIM Cards, Media Cards, and on some phones the physical memory itself.

Data That Can Be Recovered
• If the physical memory of the phone can be accessed, or a SIM Card or Media card is present in the phone, it is possible to recover any type of deleted data.

Physical Acquisition Of A Cell Phone
How it Works
• Like a computer acquisition
• Forces the cell phone to give up its data
Deleted information can be recovered if a physical acquisition can be performed.

Physical Acquisition Of A Cell Phone
How it Works
[slide image: the raw data that was carved]
• This data was manually carved out to recover a deleted picture.
• A qualified examiner can “read” what you see above. If an examiner cannot, then they will not be able to get back the deleted picture since it must be manually recovered.
• The next slide shows the picture that was recovered.

Physical Acquisition Of A Cell Phone
How it Works
[slide image: the recovered picture]
• Deleted picture that has been recovered
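The carving step these slides describe, shown as an added example that is not part of the original presentation: a header/footer carver that scans a raw memory image for the JPEG Start Of Image and End Of Image markers and returns every span between them. Because it never consults filesystem metadata, it can pull a picture whose directory entry has been deleted out of unallocated space. The memory image, the minimal JPEG marker skeleton embedded in it, and all function names are constructed for this example.

```python
"""Header/footer carving of a JPEG from a raw memory image (added example)."""
import struct

SOI = b"\xff\xd8\xff"   # Start Of Image, followed by the next marker's FF
EOI = b"\xff\xd9"       # End Of Image


def build_sample_jpeg() -> bytes:
    """Constructed JPEG marker skeleton: SOI, APP0 (JFIF), SOS, scan data, EOI.

    It is not a decodable picture (no quantisation or Huffman tables); it is
    just enough structure for the carver to have something real to find.
    """
    soi = b"\xff\xd8"
    app0 = (b"\xff\xe0" + struct.pack(">H", 16)          # length includes itself
            + b"JFIF\x00" + b"\x01\x01" + b"\x00"         # id, version 1.1, no units
            + struct.pack(">HH", 72, 72) + b"\x00\x00")   # densities, no thumbnail
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\x56\x78\xff\x00\x9a"                # entropy data with a stuffed FF 00
    return soi + app0 + sos + scan + b"\xff\xd9"


def build_sample_dump() -> bytes:
    """Constructed 'unallocated space': slack, the deleted picture, more slack.

    The trailing slack contains a stray EOI with no SOI before it, which a
    correct carver must ignore.
    """
    slack_before = bytes(range(256)) * 2        # 512 bytes that never contain FF D8 FF
    slack_after = b"\x00" * 64 + EOI + b"\x00" * 32
    return slack_before + build_sample_jpeg() + slack_after


def carve_jpegs(data: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Return (offset, bytes) for each SOI..EOI span in data.

    No filesystem metadata is consulted, which is exactly why carving can
    recover a picture whose directory entry has been deleted. After each hit
    the scan resumes past its EOI so nested candidates are not double-counted.
    """
    found = []
    pos = 0
    while True:
        start = data.find(SOI, pos)
        if start < 0:
            break
        end = data.find(EOI, start + len(SOI))
        if end < 0 or end - start > max_size:
            pos = start + 1       # header with no plausible footer: skip it
            continue
        end += len(EOI)
        found.append((start, data[start:end]))
        pos = end
    return found


def looks_like_jfif(blob: bytes) -> bool:
    """Cheap sanity check on a carved candidate: JFIF APP0 segment right after SOI."""
    return blob[:4] == b"\xff\xd8\xff\xe0" and blob[6:11] == b"JFIF\x00"


if __name__ == "__main__":
    dump = build_sample_dump()
    for offset, blob in carve_jpegs(dump):
        print(f"candidate at offset {offset}: {len(blob)} bytes, "
              f"JFIF header {'ok' if looks_like_jfif(blob) else 'missing'}")
        # A real examination would write blob to a file and open it in a viewer.
```

The `max_size` guard and the resume-after-EOI rule are what keep a marker-only carver honest on real dumps: a header with no footer within a plausible distance is skipped rather than swallowing the rest of the image, and the stray trailing EOI in the sample dump produces no second hit.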

Manual Examination of A Cell Phone

Manual Examination: The last resort in cell phone examinations
• If no option is available to examine a cell phone logically or physically, a manual examination is performed.
• A manual examination of a cell phone should follow best forensics practices.

Manual Examination of A Cell Phone
1. A camera is used to take pictures of the screen as an examiner manipulates the phone using the keypad.
2. A video camera should record the entire examination so that a record is kept showing that no information was modified or deleted.
3. Without full documentation of the process, there is no way to know if someone deleted information in the process of a manual examination.

PART 2: Cellular Technology Forensics

How Telephones Work
The Telephone: 132 years old and the technology has not changed. It’s still basically tin cans and strings.
1. Your voice vibrates the tin can
2. Tin can vibrates the string
3. Wave travels along string
4. Causes identical vibration on receiving can.
5. Sound is reproduced

Telecommunication Evolves
The Goal: Transport sound from point A to point B with as little distortion as possible.
The Patent: The vibration produces an electric current that can be carried over a wire and reproduced at a distant point.
Alexander Graham Bell (and Others)

Basics of Telephones
[slide diagram: timeline]
• String
• Electricity – 1875
• Radio – 1946 (yes)
• Fiber Optics (light) – 1975

Telephony Evolved, but the principle has never changed…phones are still tin cans

Basics of a Mobile Phone

Mobile Phones
The ‘string’ is simply a radio channel. The technology has not changed; it’s still basically tin cans and strings.
• You listen to a simple radio receiver
• You are a broadcaster when you speak
Exactly Like an AM/FM Radio or a Broadcast Station

Cellular Telephone – Easy to Understand
[slide diagram: phone, Central Office, Channel (frequency) 610, Channel (frequency) 1560]

The Cellular System – Cell Towers

The Cellular System – A Cell Site
Base Station Transceiver
• Controls Antenna Power
• Manages Connections
• Talks to a Radio Network Controller
Antennas send and receive signals from phones

Anatomy of the Cellular System
Mobile Switching Center
• Manages the network of cell sites through the Radio Network Controllers
Multiple Cell Sites Connect to Radio Network Controller via Land Lines

The Cellular System In a Nutshell

The Hook Up!
[slide diagram: Tower A at 4.1 miles, Tower B at 1.3 miles]
On power up your phone tunes to a known frequency and starts to listen.

The Hook Up! – Choosing a Tower
How does the phone choose a tower? (“Pick me! Pick me!”)

Power Up Connects to Strongest Signal
Registration – Tower A at 4.1 miles: 95 dBm; Tower B at 1.3 miles: 85 dBm
The closest tower will normally have the strongest signal.

Power Up Connects to Strongest Signal
Registration – Tower A at 3.0 miles: 95 dBm; Tower B at 3.0 miles: 85 dBm
When equally distant from both towers, the power output from the antennas may come into play.

Power Up Connects to Strongest Signal
Registration – Tower A at 3.0 miles: 95 dBm; Tower B at 3.0 miles: 85 dBm
When equally distant from both towers, occlusion may be the deciding factor. (“I can’t see you Tower A!”)

Power Up Connects to Strongest Signal
Registration – Tower A at 3.0 miles: 95 dBm; Tower B at 3.0 miles: 85 dBm
“Sorry, all channels are busy!” Channels must be available for the phone to use.

The Cellular System In Action

Cellular Coverage
[slide diagram: Mobile Radio Phone – Base Station – Mobile Switch – to the public network; a second Mobile Radio Phone in an area of no service]
Each Base Station has about 100 channels. You need two channels for a phone call, so up to 50 people can make calls at the same time.

Generic System Design is “Cellular”
[slide diagram dated January 11, 2007: seven-cell cluster, cells numbered 1–7]

Cellular – Go Small, Not Big and Reuse Channels

[slide diagram: Tower A and Tower B 1 mile apart, distance scale 5 4 3 2 1 miles]
• Tower A – Channel 850, Channel 900
• Tower B – Channel 860, Channel 910

Fill the gaps with towers with different channels
[slide diagram: distance scale 6 5 4 3 2 1 miles]
• Tower A – Channel 850, Channel 900
• Tower B – Channel 860, Channel 910
• Tower C – Channel 870, Channel 920

[slide diagram: seven-cell cluster, cells numbered 1–7]
By repeating this pattern, any size city can be fully covered by a cellular system.
In rural areas, you may only need one cell tower.
In big cities you may need hundreds of cell towers.

City Wide Coverage
One City: 110 square miles
[slide diagram: repeated seven-cell clusters tiling the city]

Each Cluster is called a LOCATION AREA

Go Small – Serve More Customers
[slide diagram: seven-cell cluster, cells numbered 1–7]
Each Cellular Site may have 100 channels. Rather than have 1 big cell that serves 100 people, we have 7 cells that serve about 350 people.

Tower Coverage Example

Cell Towers Are Divided Into Sectors
[slide diagram: Southern Orientation]

Cellular Phone Coverage – The “MATH”
Show your work! Cell site with a 1 mile radius:
Area = πR²
So if Pi = 3.14159 and R = 1 mile, then Area = 3.14 mile².
1 square mile = 640 acres
3.14 square miles = 2010 acres.

Tower Coverage Example – With Sectors
[slide diagram: Northern Orientation]

Call Detail Records (CDRs)
The Base Evidence
• Legal Proof of a Service Provided
• A Technical Road Map of a Call
• A Financial Transaction Record

Call Detail Records (CDRs)
[slide: sample call detail record]
First or last number can tell sector. Or not.

Call Detail Records (CDRs)
• When did the incident occur? – Time factor for deciding which calls to include.
• What phones were involved? – Defendant, co-defendants, victim or possible witnesses.
• Where did the incident occur? – For plotting calls versus location.

Case Development
• Do we have sector information? Without sectors we are limited to the total tower coverage, and so are they.
• Do we have tower orientation? Without tower orientation, we have to guess based on past experience.

Case Development
• Let’s build a case!
• Plot what we know for certain

Case Development
[slide map sequence]
• We know the tower locations
• Now we draw some circles
• Add in the sectors
• Place the crime scene
• Place our defendant’s phone
• Place our co-defendant’s phone
• Call from Smith to Wesson at 9:14PM in Sector 3
• Call from Smith to Wesson at 9:10PM in Sector 1

Correct Case Analysis Steps
• Perform an independent analysis of the telephony facts of the matter.
• Build a timeline
• Place calls along timeline
• Develop Map of towers for correct date of incident (Radio Frequency Plan aka Coverage Map)
• Show location and path of phones based on discovery
• Get original data sources
• AFTER analysis of phones, THEN review incident in light of facts to form opinion, rather than unscientifically using cell phone evidence to fit the desired facts of the incident.
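The coverage arithmetic from the “MATH” slide, the three CDR questions (when, which phones, where) and the case-development steps above, worked through in Python as an added example that is not from the original presentation. The tower coordinates, the CSV call records, the crime-scene position, the 1 mile radius, and the assumption that each tower has three 120° sectors numbered clockwise from its orientation azimuth are all constructed for this example; in a real analysis these come from the carrier’s records and the RF plan for the date of the incident.

```python
"""Timeline and sector placement for call detail records (added example)."""
import csv
import io
import math
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

SQ_MILE_ACRES = 640        # 1 square mile = 640 acres (from the slide)
SECTOR_WIDTH = 120.0       # assumed: three equal sectors per tower


def coverage_acres(radius_miles: float) -> float:
    """Whole-cell coverage: Area = pi * R^2, converted to acres."""
    return math.pi * radius_miles ** 2 * SQ_MILE_ACRES


def sector_acres(radius_miles: float) -> float:
    """One 120-degree sector is a third of the cell."""
    return coverage_acres(radius_miles) / 3


@dataclass(frozen=True)
class Tower:
    name: str
    x: float            # miles east of an arbitrary origin (flat map, constructed)
    y: float            # miles north of that origin
    radius: float       # assumed coverage radius in miles
    orientation: float  # azimuth of the centre of sector 1 (0 = north, 180 = south)


@dataclass(frozen=True)
class CallRecord:
    when: datetime
    caller: str
    callee: str
    tower: str
    sector: int


def bearing_deg(tower: Tower, px: float, py: float) -> float:
    """Compass bearing from the tower to a point: 0 = north, clockwise."""
    return math.degrees(math.atan2(px - tower.x, py - tower.y)) % 360


def sector_of(tower: Tower, px: float, py: float) -> Optional[int]:
    """Sector (1..3) of the tower that covers the point, or None if out of range.

    Assumption: sectors are numbered clockwise, sector 1 centred on the
    tower's orientation azimuth, each SECTOR_WIDTH degrees wide.
    """
    if math.hypot(px - tower.x, py - tower.y) > tower.radius:
        return None
    rel = (bearing_deg(tower, px, py) - tower.orientation + SECTOR_WIDTH / 2) % 360
    return int(rel // SECTOR_WIDTH) + 1


def parse_cdrs(text: str) -> list:
    """Parse CSV call records and return them ordered as a timeline."""
    rows = csv.DictReader(io.StringIO(text))
    records = [
        CallRecord(datetime.fromisoformat(r["time"]), r["caller"],
                   r["callee"], r["tower"], int(r["sector"]))
        for r in rows
    ]
    return sorted(records, key=lambda r: r.when)


def scene_consistent(rec: CallRecord, towers: dict, sx: float, sy: float) -> bool:
    """True if the crime scene lies in the tower and sector the record names."""
    return sector_of(towers[rec.tower], sx, sy) == rec.sector


def timeline(text: str, towers: dict, sx: float, sy: float) -> list:
    """One tuple per call, in time order, with a consistency flag for the scene."""
    return [
        (rec.when.strftime("%H:%M"), rec.caller, rec.callee, rec.tower, rec.sector,
         scene_consistent(rec, towers, sx, sy))
        for rec in parse_cdrs(text)
    ]


# Constructed map: two towers 1.5 miles apart, both with sector 1 facing north.
TOWERS = {
    "A": Tower("A", 0.0, 0.0, radius=1.0, orientation=0.0),
    "B": Tower("B", 1.5, 0.0, radius=1.0, orientation=0.0),
}

# Constructed call records; the date is a placeholder, not the case date.
SAMPLE_CDRS = """time,caller,callee,tower,sector
2000-01-01T21:14:00,Smith,Wesson,B,3
2000-01-01T21:10:00,Smith,Wesson,A,1
"""

# Constructed crime-scene position: 0.3 miles east, 0.5 miles north of tower A.
SCENE = (0.3, 0.5)

if __name__ == "__main__":
    print(f"1 mile cell: {coverage_acres(1.0):.0f} acres, "
          f"one sector: {sector_acres(1.0):.0f} acres")
    for row in timeline(SAMPLE_CDRS, TOWERS, *SCENE):
        print(row)
    # Same scene, same tower, but assume a southern orientation instead.
    south = Tower("A", 0.0, 0.0, radius=1.0, orientation=180.0)
    print("sector under southern orientation:", sector_of(south, *SCENE))
```

Run as a script, the 9:10 PM call on tower A sector 1 comes out consistent with the phone being at the scene and the 9:14 PM call on tower B does not, because the scene is outside tower B’s assumed 1 mile radius. The last line is the point of the “tower orientation” question on the slides: with the same scene and the same record, flipping tower A from a northern to a southern orientation moves the scene from sector 1 to sector 3, so an orientation that is guessed rather than taken from the RF plan can reverse the conclusion.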

Best Location Is A 911 Call
[slide diagram, numbered steps 1–7: Mobile Phone – Base Station (GPS Location, 1 mile radius, 655 acres) – Mobile Switching Center – Home Location Register – Mobile Position Center – Public Telephone Network – Public Data Network]
Absent 911, a resolution of about 655 acres is generally the best accuracy.

E-911 Location
E-911 System Consists of 2 Phases
• Phase 1 and Phase 2
• Phase 2 is the best location
• Phase 2 is not always available

E-911 Location
Phase 1 requirement is:
• Calling Number
• Sector of a cell tower (hundreds of acres)

E-911 Location
Phase 2 requirement is:
• Calling Number
• GPS location with 150 feet accuracy.
• Must be manually updated by 911 operator to get best accuracy.

Cellular Analysis Examples
• Sector Layout and Azimuth Refresh
• Expert Map
• Propagation Map
• Sector Error
• Wrong Tower and Sector
• Shooting Case Example
• Robbery Case Example
• Where’s Waldo Example

Questions?