Why and how to add mapping to your cell phone evidence


How maps help juries visualize cell phone data

In May, Law Enforcement Technology published an article, “Mapping Human Behavior,” which used a high-profile California homicide case to show the pivotal role cell phone evidence played.

Wireless expert Jim Cook, quoted in the article, will be presenting at the HTCIA International Training Conference & Expo in September. To promote his lecture via their blog*, I interviewed him for more information.

We ended up in a long discussion that wouldn’t fit there, but that I thought would fit quite well here, about things first responders and investigators both need to know about cell phone evidence — but rarely do.

Why cell data mapping?

Cook says that in some cases the cell phone can be one of the primary pieces of evidence. It usually contains both content and metadata (information about the content, such as a date/time stamp or geotag on an image or video).

In other cases, the data on the phone may be deleted. While cell phone forensics can recover this kind of data, it may not recover everything (depending on the tool used and the examiner’s skill level). Even if it does, carrier data can be an important corroboration of what the phone tells the investigator.

A carrier’s call detail records are a “fingerprint” of the device’s activity, which may include calls, texts, and data transmissions placed or received. The records include information about the cell sites and sectors from which this activity originated; sometimes, if requested soon enough, location information and text content can be obtained from the carrier.

“Sometimes you don’t have the weapon, or witnesses, but you do have potential suspects,” Cook explains. “The victim’s or suspects’ cell phones and carrier data together can contain critical evidence including a suspect’s movements, possible witnesses or even more suspects.”

Otherwise, with no clues, investigators may want to consider requesting a “tower dump.” The tower dump is a request which the investigator makes of the carrier to provide all call, text, and data transmissions that connect to the cell sites covering the crime’s geographic area for a specified time period.

Cell carriers are encouraged to “co-locate,” that is, to lease space on the tower(s) they own to other carriers that want coverage in an area they don’t currently cover. That means a single tower can hold records for multiple carriers’ customers — which can run into the hundreds or even thousands, depending on the time period and the location.

“A tower dump is a ‘needle in a haystack’ piece of evidence,” Cook says, “but it can be especially useful with serial crimes such as home invasions, robberies or sexual assaults, because tower dumps for each crime location can be cross-referenced for numbers that come up in all locations.” In a case he assisted with, this type of evidence was backed up with search warrants to specific carriers, which led to the arrests of 11 suspects.

But so much evidence can be overwhelming in its raw format. Once the tower dump leads to a specific suspect via a specific carrier, as in the case example above, those call detail records can be mapped as a way to help non-technical people visualize a suspect’s or victim’s movements.
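As an added illustration (not from the article and not Cook’s own method or tooling), here are the two steps described above in Python: cross-referencing tower dumps from several incidents for numbers that appear in every one, then pulling one number’s records into a time-ordered site/sector sequence that can be plotted. The tower-dump rows, the subscriber numbers (555 placeholders) and the incident time windows are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample tower-dump rows (not real records): each row is
# (incident_id, subscriber_number, timestamp, cell_site, sector).
# Subscriber numbers are placeholders in the 555 range.
TOWER_DUMPS = [
    ("robbery-1", "555-0101", "2011-03-02 21:05", "SITE-A", 2),
    ("robbery-1", "555-0102", "2011-03-02 21:07", "SITE-A", 1),
    ("robbery-1", "555-0103", "2011-03-02 23:40", "SITE-A", 3),  # outside window
    ("robbery-2", "555-0101", "2011-03-09 22:15", "SITE-B", 1),
    ("robbery-2", "555-0104", "2011-03-09 22:20", "SITE-B", 1),
    ("robbery-2", "555-0103", "2011-03-09 22:30", "SITE-B", 2),
    ("robbery-3", "555-0101", "2011-03-16 20:50", "SITE-C", 3),
    ("robbery-3", "555-0103", "2011-03-16 20:55", "SITE-C", 3),
    ("robbery-3", "555-0102", "2011-03-16 21:00", "SITE-C", 2),
]

# Assumed (start, end) window around each incident, as it would appear on the request.
WINDOWS = {
    "robbery-1": ("2011-03-02 20:30", "2011-03-02 21:30"),
    "robbery-2": ("2011-03-09 22:00", "2011-03-09 23:00"),
    "robbery-3": ("2011-03-16 20:30", "2011-03-16 21:30"),
}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def numbers_per_incident(rows, windows):
    """Map incident -> set of numbers active at its site inside its window."""
    seen = defaultdict(set)
    for incident, number, when, site, sector in rows:
        start, end = windows[incident]
        if _ts(start) <= _ts(when) <= _ts(end):  # drop hits outside the window
            seen[incident].add(number)
    return seen

def common_numbers(rows, windows):
    """Numbers present in every incident's window: the tower-dump cross-reference."""
    per_incident = numbers_per_incident(rows, windows)
    if len(per_incident) < len(windows):  # some incident had no in-window hits
        return set()
    return set.intersection(*per_incident.values())

def movement_timeline(rows, number):
    """Chronological (time, site, sector) hits for one number, ready to map."""
    hits = [(when, site, sector) for _, n, when, site, sector in rows if n == number]
    return sorted(hits, key=lambda h: _ts(h[0]))
```

Note that 555-0103 is dropped even though it appears at all three sites, because its first hit falls outside the incident window; that is the kind of filtering a reviewer will want to see documented before the numbers go into a warrant request.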

[Image: cell sector mapping. Caption: Visualizing a cell sector as a "piece of pie."]
