Monday, May 15, 2017

Case Study: Call Detail Records Analysis in Civil Domestic Litigation




The conventional wisdom with regard to cellular call detail record analysis is that it is a tool primarily used by law enforcement to help prove or disprove the location of a criminal suspect in a given incident.  More and more, however, we’re seeing uses for cellular call detail record (CDR) analysis and mapping in the civil litigation world, too.  We’ll be discussing one such case in this article.

As a brief disclaimer, the exact locations of the houses of the parties involved in this case have been changed for confidentiality, but the rough geographical area and the cell tower information are the same.  This is a live case which we worked and which was recently concluded.  So if you still don’t think that CDR analysis can be of use in your civil case, keep reading and let us help change your mind!

Background

In July, 2016, we received a call from a divorced client who was seeking to have his alimony agreement reviewed by the Court.  He had been divorced from his ex-wife for a number of years, but his spousal support agreement was costing him thousands of dollars every year, so he was researching ways to show that his ex-wife was not in compliance with the agreement.  Like many alimony agreements, his stipulated that if the ex-wife cohabitated with anyone for a period of 12 months or more, the client would be released from the alimony agreement.  The client, a very savvy and smart businessman in his own right, had already hired a traditional private investigator for surveillance, but the requirements to prove his suspicion in this case were too great and costly for that to be a viable year-long solution.  However, he surmised that if he could obtain the cellular call detail records for his ex-wife’s paramour for a period of 12 months and illustrate that he never stayed at his listed residence and always stayed at the ex-wife’s residence during the 12-month period, it would constitute cohabitation.  The client called us and we assisted with subpoena language, consultation, cellular record analysis and mapping.

The paramour’s cellular provider is Verizon Wireless.  His listed address is also the address on the cellular account, which made proving where he claimed to live a simple matter.  Both houses’ locations were verified through GPS coordinates and were not that far apart, but as you’ll see, they were far enough apart to make a difference in this case.

Methodology

Verifying the data is always a part of best practices.  To that end, we traveled to and physically verified the GPS coordinates of the houses of interest and the cellular towers primarily involved in this case.  We further verified the type of cellular device the paramour was using through Verizon Wireless and spent some time on the phone with technicians from Verizon Wireless to ensure the analysis in this case was accurate. 

Verizon Wireless records are provided in a series of Excel spreadsheets.  The call detail records (CDRs) for the requested time period are in one spreadsheet and another details every tower in every switch in every locality that the device connected to for the requested period.  It further details the GPS coordinates of those towers, the sectors (sides) of the towers and the azimuth and beam width of the given sectors.  CDRs do not provide cellular signal range, but we can estimate the range by identifying the next closest tower of the same provider (one of which also happened to be a relevant tower in this case), measuring the total distance and calculating 60% of that distance for the range of each tower in that direction.

Finally, timing of use was a primary issue.  Because the paramour had a job that required him to travel all over the local area (in addition to out-of-state locations), the time frame for the analysis was restricted from 2100 hrs. to 0700 hrs. every day for all 12 months.  This would help demonstrate where the paramour may actually be laying his head at night.  In presenting our final report, we tallied the percentage of times calls were made from 2100 hrs. to 0700 hrs. on the towers that would likely service both the paramour’s listed residence and the ex-wife’s residence on a month-by-month basis.  The final numbers were greatly skewed toward the tower and sectors servicing the ex-wife’s house.
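The sketch below works through the steps described above: the 60% range estimate, the 2100 hrs. to 0700 hrs. filter and the month-by-month percentage tally. It is an added example, not the code or tooling used in the case; the coordinates and call rows are constructed, the function names are hypothetical, and treating 0700 itself as outside the window is an assumption.

```python
import math
from collections import Counter
from datetime import datetime

# Constructed sample data (not from the case): tower id -> (lat, lon)
TOWERS = {"468": (37.5600, -77.4700), "302": (37.6000, -77.4700)}
# Constructed CDR rows: (timestamp, tower id, sector)
CDRS = [
    ("2016-01-03 22:15", "468", "GAMMA"),
    ("2016-01-04 06:40", "468", "BETA"),
    ("2016-01-04 13:05", "302", "BETA"),   # daytime, outside the window
    ("2016-01-09 23:50", "302", "BETA"),
    ("2016-02-11 21:00", "468", "BETA"),
    ("2016-02-12 07:00", "468", "GAMMA"),  # assumption: 0700 is outside
]
EX_WIFE_SECTORS = {("468", "BETA"), ("468", "GAMMA")}

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def estimated_range_km(tower_id, towers=TOWERS, factor=0.60):
    """60% of the distance to the nearest other tower of the same provider."""
    here = towers[tower_id]
    nearest = min(haversine_km(here, loc)
                  for tid, loc in towers.items() if tid != tower_id)
    return factor * nearest

def in_night_window(ts):
    """True from 2100 hrs. up to 0700 hrs.; the window wraps past midnight."""
    return ts.hour >= 21 or ts.hour < 7

def monthly_share(cdrs, targets):
    """Per month: percent of night-window calls on the target (tower, sector) pairs."""
    hits, totals = Counter(), Counter()
    for stamp, tower, sector in cdrs:
        ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        if not in_night_window(ts):
            continue
        month = ts.strftime("%Y-%m")
        totals[month] += 1
        hits[month] += (tower, sector) in targets
    return {m: round(100 * hits[m] / totals[m], 1) for m in sorted(totals)}

if __name__ == "__main__":
    print(monthly_share(CDRS, EX_WIFE_SECTORS))
    print(round(estimated_range_km("468"), 2), "km estimated range")
```

A fuller analysis would also test each location against the sector's azimuth and beam width, which the tower spreadsheet supplies.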

Challenges to Analysis

As you can imagine, this was a large amount of data to analyze, map and report.  Additionally, condensing over 12 months’ worth of cellular call data into a concise, easy-to-understand report was vital in this case.  To add to the challenges, the ex-wife’s residence lay on the border of two sectors of the tower that was closest to it, so if a call were made in the front driveway, it may “ping” off of sector gamma, but if a call were made from the back of the house, it may “ping” off of sector beta (see graphic below).  This proved in the end to be an asset because it increased the percentages of calls that the paramour was making that hit off of that tower and those sectors.

Mapping for Analysis

Mapping the locations of houses, cell towers and sectors in this case was essential.  To ensure a concise illustration, the data was pared down to the two relevant towers, three overall relevant sectors between them and the two relevant locations – the ex-wife’s house and the paramour’s listed residence.  When the data is distilled down, here’s what the map looked like:


As we stated in the final report, there are a number of factors that can affect the range of cell towers: terrain, tower load (use at a particular time), maintenance, weather, etc.  The pie-shaped wedges illustrated here are estimates and should be considered rough operational ranges.

When all calls in the specified time frame were added up, 63% of them were sent or received from tower 468, sectors BETA and/or GAMMA.  While that may not seem like an astronomical amount, the picture changes when you factor in that in some months 100% of the calls were sent or received from those sectors and that, in the same time period, only 1% of calls were sent or received from tower 302, sector BETA, which would be the tower closest to the paramour’s alleged and listed residence.

The Outcome

Despite continued challenges from the opposing party throughout this case and receiving a subpoena to appear in court to testify as to our findings, the case settled to our client’s satisfaction about a week before trial.  The client’s attorney in the case emailed to say “I believe that a big reason it resolved was your report.”  Feedback like that is fantastic to hear.  This case involved many hours of tedious analysis work and we’re very happy it turned out positively for the client.

The value of cellular call detail record data in any number of cases should not be overlooked.  Recently, I was discussing mobile data with some personal injury attorneys.  The challenge in distracted driving cases, for instance, is that the device that may have been in use may be long gone by the time litigation and discovery come around.  Other evidence, such as cellular call detail records, can prove very useful and should be considered as a valuable resource of information in civil cases ranging from alimony to employment disputes to personal injury.


Author:
Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available wherever you need us!


We Find the Truth for a Living!
Computer Forensics -- Mobile Forensics -- Specialized Investigation
About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation investigations in Virginia court history.  Patrick is a graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple online investigation schools (among others). He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.
Twitter: @ProDigital4n6

Wednesday, April 5, 2017

Cellular Provider Record Retention Periods




I just returned from a fantastic few days at the Virginia Trial Lawyers Association 2017 annual conference.  I spent 3 days meeting with litigators from all over Virginia about the various ways data can help in their cases.  Part of the nuance of operating a digital forensic consultancy is to actively listen and try to drill down exactly how digital forensics and related services can add value in different types of litigation.  For example, there is data that is contained on many mobile devices that could serve to be the digital “smoking gun” with regard to distracted driving cases.  However, the problem is that when litigation over distracted driving takes place, the data (and likely the device) are long gone because the justice system grinds slowly.  This makes the value that digital forensics can add in these cases somewhat minimized, unless the case involved law enforcement and they happened to have the foresight to get a device extraction at or close to the time of the incident. 

One of the valuable areas I’ve been spreading the word about to all of my partners in litigation is the power of cellular call detail records.  Everyone carries around a mini tracking device in their pocket in the form of a smart phone and it is virtually always connected to a cellular network.  That means data can be retrieved, analyzed and even mapped out to show location information.  Other valuable data can be known associates, cell tower “ping” data, cell tower sector data and so on.  However, all of the cellular companies retain these records for different periods of time.  When I talk about this with litigators and their staff, they almost always ask how long the data is retained.  The answer is... (wait for it)… It depends!  Being that I get this question quite often, I decided to contact each of the five major U.S. cellular carriers and ask them myself.  I’ve been through training previously that details this information, but nothing beats getting the information directly from the source.  So here we go!

Definitions

Before we discuss the retention periods themselves, some explanation is required.  First, there are only five cellular companies who provide service in the United States.  They are:
· Verizon Wireless
· AT&T
· Sprint
· T-Mobile
· U.S. Cellular

All of the others that you see commercials for on TV – Cricket, Boost, Virgin Wireless, Jitterbug, Straight Talk, Tracfone, Family Mobile and so on – lease their service from one (or more) of the five carriers listed above.  From an investigative standpoint, it makes it simpler that we only have five potential sources where that data could be kept.



Other terminology is also important.  Some additional definitions for terms that will be used later are:

· SMS content:  Text message detailed content.  This includes standard text messages only and is a different service from Apple proprietary iMessages and third-party text message apps.
· Cell Tower:  The sole-source connection that a device makes on the given cellular network.  Call detail records generally provide this information via GPS latitude & longitude.  Many will also have the sector or side of the tower detailed as well.
· Tower Dump:  A listing of all devices connected to a given cellular tower at a certain point in time.  These are mostly passive connections, but all cell phones need to be connected to a cellular tower in order to receive cellular phone calls.
· PCMD:  Per call measurement data.  This data helps determine the distance a cell phone (or handset) is from a particular cell tower during a call.  It is allegedly accurate within 10 meters or so.
· NELOS:  The same as PCMD, only NELOS is the term used by AT&T.
· RTT:  Range to Tower.  The same as PCMD & NELOS, but RTT is used by Verizon Wireless.

These definitions will become important as we list the particular data areas and their retention periods.

Cellular Provider Retention Periods

All cellular service providers retain different types of data for different time periods.  When investigating a case, it’s important to know how long you may have access to this data; otherwise it could be an investigative red herring.  It’s also important to note that these retention policies are not written in stone and can be modified by the provider at any time.  The retention periods below were provided by each of the 5 major U.S. cellular carriers themselves on the date of this publication:

Verizon Wireless
Subscriber Information:  7-10 years
Call History:  7 years
Tower Locations as they related to Call History:  1 rolling calendar year
SMS Content:  3-5 days (although I’ve been told unofficially it may be as much as 7-10 days)
Tower Dumps:  1 year
Range to Tower (RTT) Data:  8 days

AT&T
Subscriber Information:  7 Years
Call History:  7 years
Tower Locations as they related to Call History:  7 years
SMS Content:  Not Available
Tower Dumps:  7 years
Range to Tower (RTT) Data:  180 days

Sprint
Subscriber Information:  10 years
Call History:  18 months.  Bill reprint form 7-10 years, pre-pay accounts only 18 months regardless.
Tower Locations as they related to Call History:  18 months
SMS Content:   Not Available
Tower Dumps:  18 months
Range to Tower (RTT) Data:  14-90 days.  The technician advised that after 14 days, certain detail in these records is purged, but the remainder is kept for up to 90 days.

T-Mobile
Subscriber Information:  3-5 years.  Canceled accounts are purged after account closes.
Call History:  23 months
Tower Locations as they related to Call History:  23 months
SMS Content:  Not Available
Tower Dumps:  3 months
Range to Tower (RTT) Data:  23 months.  This seems rather long to me, but the technician repeated it on the phone.

U.S. Cellular
Subscriber Information:  up to 7 years
Call History:  1 rolling calendar year.  Bill reprint: 7 years.
Tower Locations as they related to Call History:  1 rolling calendar year
SMS Content:  3-5 days
Tower Dumps:  1 rolling calendar year
Range to Tower (RTT) Data:  Not Available (technician stated would be coming soon).

As you can see, the retention periods and even the types of available records are not uniform, making this type of information crucial in both criminal and civil investigations alike.  For records such as bill re-print, the detail in this data will be far less than we normally see in traditional investigative cellular call detail records, so I wouldn’t rely on this information for anything other than basic communication documentation.   As a rule, I recommend checking with the provider first to see if the data you’re looking for is still available.

Wrapping it Up

In the right hands and in the spirit of the holistic mobile investigation, cellular call detail records can be a powerful piece of evidence to help confirm or refute a person’s location during a given time frame or incident.  However, the ability to know what types of data are available, how long the data is accessible for and how to analyze and explain that data is a crucial intangible in any case.  Without that, it’s all just one big spreadsheet!


Author:
Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Globally

