
Why and how to add mapping to your cell phone evidence


How maps help juries visualize cell phone data

In May, Law Enforcement Technology published an article, “Mapping Human Behavior,” which used a high-profile California homicide case to show the pivotal role cell phone evidence played.

Wireless expert Jim Cook, quoted in the article, will be presenting at the HTCIA International Training Conference & Expo in September. To promote his lecture via their blog*, I interviewed him for more information.

We ended up in a long discussion that wouldn’t fit there, but that I thought would fit quite well here, about things first responders and investigators both need to know about cell phone evidence — but rarely do.

Why cell data mapping?

Cook says that in some cases the cell phone can be one of the primary pieces of evidence. It usually contains both content and metadata (information about the content, such as a date/time stamp or geotag on an image or video).

In other cases, the data on the phone may be deleted. While cell phone forensics can recover this kind of data, it may not recover everything (depending on the tool used and the examiner’s skill level). Even if it does, carrier data can be an important corroboration of what the phone tells the investigator.

A carrier’s call detail records are a “fingerprint” of the device’s activity, which may include calls, texts, and data transmissions placed or received. The records include information about the cell sites and sectors from which this activity originated; sometimes, if requested soon enough, location information and text content can be obtained from the carrier.

“Sometimes you don’t have the weapon, or witnesses, but you do have potential suspects,” Cook explains. “The victim’s or suspects’ cell phones and carrier data together can contain critical evidence including a suspect’s movements, possible witnesses or even more suspects.”

Otherwise, with no clues, investigators may want to consider requesting a “tower dump.” The tower dump is a request which the investigator makes of the carrier to provide all call, text, and data transmissions that connect to the cell sites covering the crime’s geographic area for a specified time period.

Cell carriers are encouraged to “co-locate,” or lease space on the tower(s) they own, to other carriers wishing coverage in an area that they don’t currently cover. That means that a single tower can contain records for multiple carriers’ customers — which can run into the hundreds or even thousands, depending on the time period and the location.

“A tower dump is a ‘needle in a haystack’ piece of evidence,” Cook says, “but it can be especially useful with serial crimes such as home invasions, robberies or sexual assaults, because tower dumps for each crime location can be cross-referenced for numbers that come up in all locations.” In a case he assisted with, this type of evidence was backed up with search warrants to specific carriers, which led to the arrests of 11 suspects.
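The cross-referencing Cook describes is, at its core, a set intersection across several dumps. The following is an added example written for this post, not Cook's own tooling or any carrier's export format: every number, site, sector and timestamp is constructed, the column layout is an assumption, and the incident-time window is an added filter so that only records close to each crime are compared. It also generalises the "all locations" rule to "at least k of n locations", which is useful when a subject is silent during one of a series of incidents.

```python
"""Cross-reference several tower dumps for subscriber numbers that appear at
every crime location.  Added example, not from the article; the record layout
and every number, site and timestamp below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# One constructed tower-dump extract per incident:
# (timestamp, subscriber number, cell site id, sector).
# Real carrier exports use their own column layouts.
DUMPS = {
    "home_invasion_1": [
        ("2011-03-04 21:05:00", "4085550101", "SITE-17", 2),
        ("2011-03-04 21:07:30", "4085550199", "SITE-17", 2),
        ("2011-03-04 21:12:00", "4085550123", "SITE-17", 3),
        ("2011-03-04 23:40:00", "4085550199", "SITE-17", 1),  # outside window
    ],
    "home_invasion_2": [
        ("2011-03-11 20:58:00", "4085550199", "SITE-42", 1),
        ("2011-03-11 21:03:00", "4085550177", "SITE-42", 1),
        ("2011-03-11 21:30:00", "4085550101", "SITE-42", 2),
    ],
    "home_invasion_3": [
        ("2011-03-18 22:14:00", "4085550199", "SITE-08", 3),
        ("2011-03-18 22:15:00", "4085550177", "SITE-08", 3),
        ("2011-03-18 22:20:00", "4085550155", "SITE-08", 2),
    ],
}

# Constructed incident times, used to keep only records close to each crime.
INCIDENTS = {
    "home_invasion_1": "2011-03-04 21:10:00",
    "home_invasion_2": "2011-03-11 21:00:00",
    "home_invasion_3": "2011-03-18 22:15:00",
}


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def records_near_incident(rows, incident_ts, window_minutes=30):
    """Keep rows within +/- window_minutes of the incident time (assumed window)."""
    centre = parse_ts(incident_ts)
    window = timedelta(minutes=window_minutes)
    return [r for r in rows if abs(parse_ts(r[0]) - centre) <= window]


def cross_reference(dumps, incidents, window_minutes=30, min_locations=None):
    """Return {number: {location: [rows]}} for numbers present at at least
    min_locations of the dumps (default: all of them)."""
    if min_locations is None:
        min_locations = len(dumps)
    seen = defaultdict(dict)
    for location, rows in dumps.items():
        near = records_near_incident(rows, incidents[location], window_minutes)
        for row in near:
            seen[row[1]].setdefault(location, []).append(row)
    return {n: locs for n, locs in seen.items() if len(locs) >= min_locations}


def rank_candidates(matches):
    """Order candidates by number of locations, then by total records."""
    scored = [(len(locs), sum(len(r) for r in locs.values()), n)
              for n, locs in matches.items()]
    return [n for _, _, n in sorted(scored, reverse=True)]


if __name__ == "__main__":
    hits = cross_reference(DUMPS, INCIDENTS)
    for number in rank_candidates(hits):
        print(number, sorted(hits[number]))
    # Widening to "at least 2 of 3 locations" surfaces secondary leads
    # for follow-up with the carriers.
    wider = cross_reference(DUMPS, INCIDENTS, min_locations=2)
    print(rank_candidates(wider))
```

With the constructed data, one number is present near all three incidents; relaxing the threshold to two of three adds two more numbers as secondary leads. Each hit still has to be tied to a subscriber through a warrant to the specific carrier, as the case in the article shows.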

But so much evidence can be overwhelming in its raw format. Once the tower dump leads to a specific suspect via a specific carrier, as in the case example above, those call detail records can be mapped as a way to help non-technical people visualize a suspect’s or victim’s movements.


Visualizing a cell sector as a "piece of pie."

“You first explain to the jury how the phone actually works,” says Cook. “You explain antennas, sectors [he uses the analogy of a piece of pie] and so on — then the call process, and how the carrier captures the data.

“Then you show them the map and how you plotted the data, and ultimately, what it means to the case — how it solidifies or even potentially refutes other evidence, including eyewitness accounts, video or social networking updates.” He estimates the conviction rate on cases he has assisted with is 96-97 percent. “Cellular phones are really the new DNA,” he adds, paraphrasing Santa Clara County Deputy DA Vicki Gemetti.
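To make the "piece of pie" concrete, here is an added example (written for this post, not Cook's method or any mapping vendor's code) that turns call detail records into sector wedges a mapping tool can display. The site coordinates, sector azimuths and CDR rows are constructed; the 120-degree beamwidth and 2 km radius are assumptions standing in for the carrier's engineering values; and records that point at a site missing from the site table are reported separately rather than plotted, since a gap in the site list is a common reason a plot comes out wrong.

```python
"""Plot call detail records as cell-sector wedges ("pieces of pie") on a map.
Added example, not from the article; site coordinates, azimuths and CDR rows
are constructed, and the record layout is an assumption."""
import json
from math import asin, atan2, cos, degrees, radians, sin

EARTH_RADIUS_KM = 6371.0

# Constructed cell-site table: site id -> (lat, lon, {sector: azimuth_degrees}).
# Carriers supply the real values alongside the call detail records.
SITES = {
    "SITE-17": (37.3350, -121.8900, {1: 0.0, 2: 120.0, 3: 240.0}),
    "SITE-42": (37.3700, -121.9200, {1: 30.0, 2: 150.0, 3: 270.0}),
}

# Constructed CDRs for one number: (timestamp, event, site id, sector).
CDRS = [
    ("2011-03-04 21:30:00", "voice", "SITE-42", 2),
    ("2011-03-04 21:05:00", "sms", "SITE-17", 2),
    ("2011-03-04 21:12:00", "data", "SITE-17", 3),
    ("2011-03-04 21:50:00", "voice", "SITE-99", 1),   # site not in the table
]


def destination(lat, lon, bearing_deg, dist_km):
    """Point reached from (lat, lon) travelling dist_km on the given bearing
    (spherical earth; adequate at the scale of a cell sector)."""
    lat1, lon1, brg = radians(lat), radians(lon), radians(bearing_deg)
    d = dist_km / EARTH_RADIUS_KM
    lat2 = asin(sin(lat1) * cos(d) + cos(lat1) * sin(d) * cos(brg))
    lon2 = lon1 + atan2(sin(brg) * sin(d) * cos(lat1),
                        cos(d) - sin(lat1) * sin(lat2))
    return degrees(lat2), degrees(lon2)


def sector_wedge(lat, lon, azimuth, beamwidth=120.0, radius_km=2.0, steps=12):
    """Closed polygon of (lon, lat) pairs for a sector centred on its azimuth.
    Beamwidth and radius are assumed defaults: use the carrier's values."""
    ring = [(lon, lat)]
    start = azimuth - beamwidth / 2.0
    for i in range(steps + 1):
        plat, plon = destination(lat, lon, start + beamwidth * i / steps, radius_km)
        ring.append((plon, plat))
    ring.append((lon, lat))          # close the ring back at the antenna
    return ring


def map_records(cdrs, sites):
    """Return (GeoJSON FeatureCollection, unresolved rows), features in time order."""
    features, unresolved = [], []
    for ts, event, site_id, sector in sorted(cdrs):
        if site_id not in sites or sector not in sites[site_id][2]:
            unresolved.append((ts, event, site_id, sector))
            continue
        lat, lon, azimuths = sites[site_id]
        ring = sector_wedge(lat, lon, azimuths[sector])
        features.append({
            "type": "Feature",
            "geometry": {"type": "Polygon",
                         "coordinates": [[list(p) for p in ring]]},
            "properties": {"seq": len(features) + 1, "time": ts, "event": event,
                           "site": site_id, "sector": sector},
        })
    return {"type": "FeatureCollection", "features": features}, unresolved


if __name__ == "__main__":
    collection, unresolved = map_records(CDRS, SITES)
    print(json.dumps(collection, indent=1))
    print("not plotted (site or sector unknown):", unresolved)
```

The output is plain GeoJSON, so it can be loaded into most mapping software; the `seq` property gives the jury the order of movement, and the unresolved list is the check that every record the map omits is accounted for.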

So how do investigators do the mapping?

1. Book cell phones as evidence; don’t mark them as personal property.

“Personal property, if picked up by the suspect or a designee, can be wiped of any and all content,” says Cook. “Booking the phone as evidence allows you to write a search warrant to examine the phone, and also obtain call detail records, text and data transmissions from the carrier for the time period in question, which should be done ASAP because it’s volatile. Not every carrier holds it for a year — some expunge call records after just 90 days.”

Currently, MetroPCS is the only carrier that maintains text message content for up to 60 days. Other carriers such as AT&T and Sprint don’t maintain content at all, while some (like Verizon) maintain it for very short periods of time — six to eight days.

Call detail records can substantiate witness, suspect, or victim testimony, and can even solve a case. At that level, waiting too long can be fatal to a case.

2. Be sure to get data from the phone, too.

Don’t over-rely on the carrier, even if you haven’t waited too long. “There is always more evidence,” says Cook. “Take the extra step or two you need to find what you can find from the device.

“Don’t think you can’t get data if the phone’s battery isn’t charged, or if you don’t have cell phone forensic tools. I’ve bought chargers for police from wireless retailers,” he adds. “And if you don’t have a forensic tool, or the tool you have doesn’t work on that phone, or you have only one tool, find an agency that has a tool that will work or a different tool from the one you use. There is always more data; to recover the maximum amount of data from the device, use more than one tool.”

3. Write warrants for carrier data from at least the past three months.

Cook raised this point in the LET article as what he calls “the Jim Cook Rule #1”: go far beyond the immediate period of time you’re interested in.

“We’re all creatures of habit,” he says. “We’re up in the morning, on the road by a certain time, driving through Starbucks and calling mom or dad on our way to work. We have similar routines on the way home and on the weekends.

“But then, we take our phone to New York, and there’s this big gap of no activity when normally, we’re talking to people. Only an extended sample of call detail records can show whether this is out of the ordinary, or part of a subject’s monthly routine.”
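The reason for the extended sample is that "unusual" only has meaning against the subject's own routine. The following added example (not from the article, and not Cook's analysis method) builds a per-weekday baseline from 90 days of daily event totals and flags days that fall well below it, then groups those days into stretches. The activity data is generated in the script and is entirely constructed; the 25% threshold is an assumption.

```python
"""Judge a quiet stretch in call detail records against the subject's own
extended baseline.  Added example, not from the article; the 90 days of
activity are generated below and are entirely constructed."""
from datetime import date, timedelta
from statistics import median


def constructed_daily_counts(start=date(2011, 1, 1), days=90,
                             quiet=(date(2011, 3, 5), date(2011, 3, 8))):
    """Deterministic stand-in for per-day event totals taken from CDRs:
    busier on weekdays, lighter at weekends, with one silent trip window."""
    counts = {}
    for i in range(days):
        day = start + timedelta(days=i)
        if quiet[0] <= day <= quiet[1]:
            counts[day] = 0
            continue
        base = 18 if day.weekday() < 5 else 9
        counts[day] = base + (i * 7) % 5        # small day-to-day wobble
    return counts


def weekday_baseline(counts):
    """Median events per day of the week (0 = Monday) over the whole sample."""
    by_dow = {}
    for day, n in counts.items():
        by_dow.setdefault(day.weekday(), []).append(n)
    return {dow: median(v) for dow, v in by_dow.items()}


def unusual_days(counts, baseline, ratio=0.25):
    """Days whose total falls below ratio * that weekday's median (ratio assumed)."""
    return sorted(d for d, n in counts.items() if n < ratio * baseline[d.weekday()])


def quiet_runs(days):
    """Group consecutive unusual days into (first, last) stretches."""
    runs = []
    for d in days:
        if runs and d == runs[-1][1] + timedelta(days=1):
            runs[-1] = (runs[-1][0], d)
        else:
            runs.append((d, d))
    return runs


if __name__ == "__main__":
    counts = constructed_daily_counts()
    baseline = weekday_baseline(counts)
    print("median events by weekday:", baseline)
    for first, last in quiet_runs(unusual_days(counts, baseline)):
        print(f"unusually quiet: {first} to {last}")
```

A 90-day sample lets the median absorb an ordinary light day, so only a genuine departure from routine, such as the four-day gap in the constructed data, is reported; with only a week or two of records the same gap could not be distinguished from a normal lull.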

4. In your warrant, use the right verbiage.

Also discussed in the article — a sidebar goes into the specific eight items that Cook recommends — is the need to get the right amount of detail in the search warrant. “Carriers need exact requirements for certain information,” says Cook, “like cell sites and sectors, along with the phone data. If they don’t provide it up front, investigators will end up having to write multiple warrants.” That can waste precious time, and lose data along the way.

5. Make sure you’re getting the right data from the carrier.

If the defense attorney is doing his or her job, you may need to prove that the phone really belonged to the suspect at the time of the incident. “Number portability and number switching mean that the investigator needs to find out if the device was active and billable in the suspect device’s carrier’s network during the specified date range,” says Cook.

“If not, you have to find out where to serve the paper sooner rather than later, while the data is still there, instead of finding out you were wrong two or three months later when the records are gone.” Services like FoneFinder or Neustar will show carriers of record; however, they aren’t always 100% accurate, and investigators should follow up their findings with a phone call to those carriers.

6. Be specific with tower dump requests.

If you have to take that next step into the haystack, provide carriers with the physical location (latitude and longitude) of the crime scene or other location of interest; then request a tower dump of all calls, text events and data transmissions from all cell sites and sectors covering that geographic area during the period of interest. “Let the carrier’s engineers determine the best sites and sectors, as opposed to an investigator making an incorrect assumption that will only result in the wrong data being obtained,” says Cook.

Questions about cell phone investigations or mapping, or want to get in touch with Jim Cook directly? Let us know in the comments!

*Disclosure: HTCIA is a client, but I was not compensated for this post.

Another move, another redesign, a change in scope

If you’ve visited Cops 2.0 in the last few weeks, you probably saw that it was down — not once, but twice. If you’re reading it now, you probably also see that it’s gone to a somewhat more minimalist design. Finally, you’ve probably further noticed that the contributor list is gone.

Yes folks, more changes are afoot as of today, Cops 2.0’s second birthday. First, it has returned stateside after its brief run as official blog of the Canadian Association of Police on Social Media. CAPSM founding members realized that they needed a blog that more accurately reflected Canadian laws, culture, and policing; Cops 2.0’s content, however, had been mainly US-focused. CAPSM also thought it made sense for all their content to be housed in one place, which you’ll be able to find at capsm.ca/blog.

I continue to support CAPSM’s research and other work, and am very pleased to have had the opportunity to partner with them. This was a valuable learning experience for both of us — namely, that you can’t always know whether something will work until you actually try it. And then, even if it doesn’t work the way you thought it would, you must tweak.

Which brings me to the second change: scope. When I read articles like this one, which note a statistic that 81% of 700+ U.S. law enforcement agencies are using social media, I can’t help but think back to when I said I was bored with social media.

You see, there are only so many times you can read about some agency’s new Facebook or Twitter account. While these uses are important, they are not and should not be the end of a law enforcement agency’s social media use. That use is in flux, as Gov2.0 blogger Lovisa Williams points out, and the best people to manage that flux are the front-liners themselves.

A number of good blogs and conferences have stepped up to address this, not the least of which is the IACP itself. I think they all have “law enforcement + social media” pretty well covered.

Meanwhile, the more entrenched I become in helping my corporate clients figure out how to use social media, the more I learn about how these tools integrate with other technology and other forms of communication — and how the communication impacts my clients’ business goals.

Cops 2.0’s tagline has therefore changed from “branding police work via social media” to “Communications, Technology & Service.” I want to hear about police technology use in its many different forms, online or offline, and how it impacts communications with your communities, be they on social media or through more traditional channels.

I believe this is the best way to continue to deliver the same high quality content you’ve always gotten, whether it comes weekly or monthly, or somewhere in between. If you want to contribute, so much the better — just let me know.

Meanwhile, thanks for sticking with me over two years. I’m looking forward to the next steps the third year brings!

Creative Commons License photo credit: schjlatah