Wednesday, April 5, 2017

Cellular Provider Record Retention Periods




I just returned from a fantastic few days at the Virginia Trial Lawyers Association 2017 annual conference.  I spent 3 days meeting with litigators from all over Virginia about the various ways data can help in their cases.  Part of the nuance of operating a digital forensic consultancy is to actively listen and try to drill down into exactly how digital forensics and related services can add value in different types of litigation.  For example, there is data that is contained on many mobile devices that could serve to be the digital “smoking gun” with regard to distracted driving cases.  However, the problem is that when litigation over distracted driving takes place, the data (and likely the device) are long gone because the justice system grinds slowly.  This makes the value that digital forensics can add in these cases somewhat minimized, unless the case involved law enforcement and they happened to have the foresight to get a device extraction at or close to the time of the incident.

One of the valuable areas I’ve been spreading the word about to all of my partners in litigation is the power of cellular call detail records.  Everyone carries around a mini tracking device in their pocket in the form of a smartphone and it is virtually always connected to a cellular network.  That means data can be retrieved, analyzed and even mapped out to show location information.  Other valuable data can be known associates, cell tower “ping” data, cell tower sector data and so on.  However, all of the cellular companies retain these records for different periods of time.  When I talk about this with litigators and their staff, they almost always ask how long the data is retained.  The answer is... (wait for it)… It depends!  Being that I get this question quite often, I decided to contact each of the five major U.S. cellular carriers and ask them myself.  I’ve been through training previously that details this information, but nothing beats getting the information directly from the source.  So here we go!

Definitions

Before we discuss the retention periods themselves, some explanation is required.  First, there are only five cellular companies who provide service in the United States.  They are:
·       Verizon Wireless
·       AT&T
·       Sprint
·       T-Mobile
·       U.S. Cellular
All of the others that you see commercials for on TV – Cricket, Boost, Virgin Wireless, Jitterbug, Straight Talk, Tracfone, Family Mobile – and so on, lease their service from one (or more) of the five carriers listed above.  From an investigative standpoint, it makes it simpler that we only have five potential sources where that data could be kept.



Other terminology is also important.  Some additional definitions for terms that will be used later are:

·       SMS content:  Text message detailed content.  This includes standard text message only and is a different service from Apple proprietary iMessages and third-party text message apps.
·       Cell Tower:  The sole-source connection that a device makes on the given cellular network.  Call detail records generally provide this information via GPS latitude & longitude.  Many will also have the sector or side of the tower detailed as well.
·       Tower Dump:  A listing of all devices connected to a given cellular tower at a certain point in time.  These are mostly passive connections, but all cell phones need to be connected to a cellular tower in order to receive cellular phone calls.
·       PCMD: Per call measurement data.  This data helps determine the distance a cell phone (or handset) is from a particular cell tower during a call.  It is allegedly accurate within 10 meters or so.
·       NELOS:  The same as PCMD, only NELOS is the term used by AT&T.
·       RTT:  Range to Tower.  The same as PCMD & NELOS, but RTT is used by Verizon Wireless

These definitions will become important as we list the particular data areas and their retention periods.

Cellular Provider Retention Periods

All cellular service providers retain different types of data for different time periods.  When investigating a case, it’s important to know how long you may have access to this data; otherwise it could be an investigative red herring.  It’s also important to note that these retention policies are not written in stone and can be modified by the provider at any time.  The retention periods below were provided by each of the 5 major U.S. cellular carriers themselves on the date of this publication:

Verizon Wireless
Subscriber Information:  7-10 years
Call History:  7 years
Tower Locations as they relate to Call History:  1 rolling calendar year
SMS Content:  3-5 days (although I’ve been told unofficially it may be as much as 7-10 days)
Tower Dumps:  1 year
Range to Tower (RTT) Data:  8 days

AT&T
Subscriber Information:  7 Years
Call History:  7 years
Tower Locations as they relate to Call History:  7 years
SMS Content:  Not Available
Tower Dumps:  7 years
Range to Tower (RTT) Data:  180 days

Sprint
Subscriber Information:  10 years
Call History:  18 months.  Bill reprint for 7-10 years, pre-pay accounts only 18 months regardless.
Tower Locations as they relate to Call History:  18 months
SMS Content:   Not Available
Tower Dumps:  18 months
Range to Tower (RTT) Data:  14-90 days.  The technician advised that after 14 days, certain detail in these records is purged, but the remainder is kept for up to 90 days.

T-Mobile
Subscriber Information:  3-5 years.  Canceled accounts are purged after account closes.
Call History:  23 months
Tower Locations as they relate to Call History:  23 months
SMS Content:  Not Available
Tower Dumps:  3 months
Range to Tower (RTT) Data:  23 months.  This seems rather long to me, but the technician repeated it on the phone.

U.S. Cellular
Subscriber Information:  up to 7 years
Call History:  1 rolling calendar year.  Bill reprint: 7 years.
Tower Locations as they relate to Call History:  1 rolling calendar year
SMS Content:  3-5 days
Tower Dumps:  1 rolling calendar year
Range to Tower (RTT) Data:  Not Available (technician stated would be coming soon).

As you can see, the retention periods and even the types of available records are not uniform, making this type of information crucial in both criminal and civil investigations alike.  For records such as bill reprint, the detail in this data will be far less than we normally see in traditional investigative cellular call detail records, so I wouldn’t rely on this information for anything other than basic communication documentation.   As a rule, I recommend checking with the provider first to see if the data you’re looking for is still available.
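To turn the retention list above into a preservation triage for a given incident date, here is an added example (not the author's code or any carrier's tool). It uses the periods as listed in this post; taking the lower bound of each range, treating a "rolling calendar year" as 12 months, and the 30-day urgency threshold are assumptions of the sketch.

```python
import calendar
from datetime import date, timedelta

# Shortest retention listed in the post for each carrier, as (count, unit).
# None means "Not Available". Ranges use their lower bound and a "rolling
# calendar year" is treated as 12 months; both are assumptions of this sketch.
TYPES = ("tower_locations", "sms_content", "tower_dumps", "rtt")
RETENTION = {
    "Verizon Wireless": ((12, "m"), (3, "d"), (12, "m"), (8, "d")),
    "AT&T":             ((84, "m"), None,     (84, "m"), (180, "d")),
    "Sprint":           ((18, "m"), None,     (18, "m"), (14, "d")),
    "T-Mobile":         ((23, "m"), None,     (3, "m"),  (23, "m")),
    "U.S. Cellular":    ((12, "m"), (3, "d"), (12, "m"), None),
}
URGENT_DAYS = 30  # hypothetical threshold for flagging a request as urgent

def add_months(d, months):
    """Shift a date by whole months, clamping to the month's last day."""
    year, month0 = divmod(d.year * 12 + d.month - 1 + months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(d.day, last_day))

def expiry(incident, period):
    """Earliest date on which the carrier may have purged the record."""
    if period is None:
        return None
    count, unit = period
    return incident + timedelta(days=count) if unit == "d" else add_months(incident, count)

def triage(carrier, incident, today):
    """Map each record type to (status, expiry date) for one carrier."""
    result = {}
    for rtype, period in zip(TYPES, RETENTION[carrier]):
        exp = expiry(incident, period)
        if exp is None:
            status = "not available"
        elif exp < today:
            status = "likely purged"
        elif (exp - today).days <= URGENT_DAYS:
            status = "request now"
        else:
            status = "available"
        result[rtype] = (status, exp)
    return result

if __name__ == "__main__":
    # Constructed scenario: incident on 2017-01-31, reviewed on 2017-04-05.
    for name in RETENTION:
        print(name, triage(name, date(2017, 1, 31), date(2017, 4, 5)))
```

Because providers can change these policies at any time, the output is a prioritization aid for preservation requests, not a statement of what a carrier actually still holds.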

Wrapping it Up

In the right hands and in the spirit of the holistic mobile investigation, cellular call detail records can be a powerful piece of evidence to help confirm or refute a person’s location during a given time frame or incident.  However, the ability to know what types of data are available, how long the data is accessible for and how to analyze and explain that data is a crucial intangible in any case.  Without that, it’s all just one big spreadsheet!


Author:
Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Globally


We Find the Truth for a Living!
Computer Forensics -- Mobile Forensics -- Specialized Investigation
About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation investigations in Virginia court history.  Patrick is a graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple online investigation schools (among others). He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.
Twitter: @ProDigital4n6

Tuesday, March 14, 2017

Digital Forensic Discussion: So You Fired An Associate




Every company at every level has had to perform the unenviable task of forcefully off-boarding an associate or employee.  Usually, this is initiated by management and executed by Human Resources.  Somewhere in this process, the associate is informed of the decision, sometimes placed on suspension pending adjudication and often terminated when the final decision is made.  It is at that point when company property, such as computers and cell phones, is often collected from the newly-former employee and generally recycled to be used by a successor or other company representative. 

Terminations can be executed for a variety of reasons.  Violations of non-compete clauses, intellectual property theft, gross violation of company policy or breach of contract are just a few reasons why a company may decide they no longer need the services of an associate.  However, several crucial elements should enter into this timeline of events, particularly surrounding the collection, preservation and use of company electronic devices.

Timing is Crucial

When an internal investigation is conducted, corporate and/or H.R. representatives often don’t have the luxury of acquiring the company’s assigned digital devices as part of the investigation prior to suspension or termination.   This makes the timing of collection of these items crucial.  If you wait too long, valuable information could be destroyed.  If you collect too soon, the subject of the inquiry could be tipped off about what is going on and that could jeopardize the integrity of the investigation.  So when should you acquire the company’s digital assets for analysis?  We suggest doing it at the time the target of the investigation is made aware that they are being investigated, which is generally at the time of initial suspension.  Unless union or other policy dictates targets be made aware of the investigation as soon as it is initiated, there is no better time to seize the digital devices than when you notify the target that you have compiled enough information to act upon.



After the devices have been collected, they should be locked away in a safe place with limited access until a digital forensic expert -- not information technology staff -- can be called, consulted and respond as appropriate.  Cell phones should be placed in airplane mode and disconnected from all networks immediately.   The question has been asked: why not use IT staff?  They know all about the computers, right?   Suppose the person whom you have been investigating and are potentially going to terminate works in the IT department.  You would then be putting their friends and/or co-workers in a difficult position taking part in an investigation against their soon-to-be-former co-worker.  Beyond that, most IT staff do not have the requisite training and experience in forensic data acquisition and analysis.  It is analogous to consulting a general practice urgent care doctor to treat your cancer.  A specialist is always recommended for best results.

What Does the Forensicator Need to Know?

Digital forensic investigation and analysis is not unlike standard types of investigation in that we need to know the facts.  Helpful information includes:

  • Who is the target of the investigation and were they the only ones with access to the device(s)?
  • What devices are relevant and what data might we be looking for?
  • Where have the devices been in use before they were re-possessed and where have they been since?
  • When is the time frame of any suspected/alleged malfeasance?
  • How did they access the data on the devices?  Passcodes to mobile devices and passwords for any encrypted hard drives and/or mobile devices are very important.
  • Why do you think evidence exists to support the allegation?



Whenever possible, human resources, management and IT staff should refrain from “fishing” through devices to find evidence to support the investigation.  It’s understandable that investigations like this can sometimes be salacious and everyone is curious to find out what was going on, but this violates the integrity of the evidence and opens the door to claims of unfair treatment in its various forms as the case progresses.

Information is important for a few different reasons.  First, detailed information helps us develop a strategy for the analysis that will best serve finding the truth in the case.  Second, it helps us whittle down the facts of the case and only spend time looking for what is relevant.  Finally, providing your digital forensic consultant detailed information will save the company money and time in the long run.

Why is All of This Necessary?

Why do you need to keep appropriate timing & collection of company devices always in mind?  Why do you need to call an outside forensic consultant to conduct the analysis & forensic investigation?  Because in our litigious society, when someone is terminated from a company – be it a large, medium or small company – it is the corporation’s responsibility to prepare for the worst and hope for the best.  By that we mean, always approach the case as if it will go to litigation.  Litigation will require discovery, production of documentation, depositions and yes, forensic data analysis in a legally defensible manner.  You cannot assume the terminated associate will simply find a new job and go away.  Even if they find a new job, there is no guarantee they won’t file suit.  Always remember, anyone can sue anyone else for anything.  It’s the American way.  So as remaining corporate representatives, it is your responsibility to prepare for the eventuality that you’ll have to defend the company’s position.  The data on the corporate digital devices doesn’t lie, so what better position to be in as a company than to have the digital forensic ace-in-the-hole when and if the case comes to litigation?

