April 5,
2017
Cellular Provider Record Retention Periods
I just
returned from a fantastic few days at the Virginia Trial Lawyers Association
2017 annual conference. I spent 3 days
meeting with litigators from all over Virginia about the various ways data can
help in their cases. Part of the nuance
of operating a digital forensic consultancy is to actively listen and try to
drill down exactly how digital forensics and related services can add value in
different types of litigation. For
example, there is data that is contained on many mobile devices that could
serve to be the digital “smoking gun” with regard to distracted driving
cases. However, the problem is that when
litigation over distracted driving takes place, the data (and likely the
device) are long gone because the justice system grinds slowly. This makes the value that digital forensics
can add in these cases somewhat minimized, unless the case involved law
enforcement and they happened to have the foresight to get a device extraction
at or close to the time of the incident.
One of the
valuable areas I’ve been spreading the word about to all of my partners in
litigation is the power of cellular call detail records. Everyone carries around a mini tracking
device in their pocket in the form of a smart phone and it is virtually always connected to a cellular
network. That means data can be retrieved,
analyzed and even mapped-out to show location information. Other valuable data can be known associates,
cell tower “ping” data, cell tower sector data and so on. However, all of the cellular companies retain
these records for different periods of time.
When I talk about this with litigators and their staff, they almost
always ask how long the data is retained.
The answer is... (wait for it)… It
depends! Being that I get this
question quite often, I decided to contact each of the five major U.S. cellular
carriers and ask them myself. I’ve been
through training previously that detail this information, but nothing beats
getting the information directly from the source. So here we go!
Definitions
Before we
discuss the retention periods themselves, some explanation is required. First, there are only five cellular companies
who provide service in the United States.
They are:
·
Verizon Wireless
·
AT&T
·
Sprint
·
T-Mobile
·
U.S. Cellular
All of the
others that you see commercials for on TV – Cricket, Boost, Virgin Wireless,
Jitterbug, Straight Talk, Tracfone, Family Mobile – and so on, lease their
service from one (or more) of the five carriers listed above. From an investigative standpoint, it makes it
simpler that we only have five potential sources where that data could be kept.
Other
terminology is also important. Some
additional definitions for terms that will be used later are:
·
SMS
content: Text message detailed
content. This includes standard text
message only and is a different service from Apple proprietary iMessages and
third-party text message apps.
·
Cell
Tower: The sole-source
connection that a device makes on the given cellular network. Call detail records generally provide this
information via GPS latitude & longitude.
Many will also have the sector or side of the tower detailed as well.
·
Tower
Dump: A listing of all devices
connected to a given cellular tower at a certain point in time. These are mostly passive connections, but all
cell phones need to be connected to a cellular tower in order to receive
cellular phone calls.
·
PCMD:
Per call measurement data. This data
helps determine the distance a cell phone (or handset) is from a particular
cell tower during a call. It is
allegedly accurate within 10 meters or so.
·
NELOS: The same as PCMD, only NELOS is the term used
by AT&T
·
RTT: Range to Tower. The same as PCMD & NELOS, but RTT is used
by Verizon Wireless
These
definitions will become important as we list the particular data areas and
their retention periods.
Cellular Provider
Retention Periods
All cellular
service providers retain different types of data for different time
periods. When investigating a case, it’s
important to know how long you may have access to this data for, otherwise it
could be an investigative red herring.
It’s also important to note that these retention policies are not
written in stone and can be modified by
the provider at any time. The
retention periods below were provided by each of the 5 major U.S. Cellular
carriers themselves on the date of this publication:
Verizon Wireless
Subscriber
Information: 7-10 years
Call
History: 7 years
Tower
Locations as they related to Call History:
1 rolling calendar year
SMS
Content: 3-5 days (although I’ve been
told unofficially it may be as much as 7-10 days)
Tower
Dumps: 1 year
Range to
Tower (RTT) Data: 8 days
AT&T
Subscriber
Information: 7 Years
Call
History: 7 years
Tower
Locations as they related to Call History:
7 years
SMS Content: Not Available
Tower Dumps: 7 years
Range to
Tower (RTT) Data: 180 days
Sprint
Subscriber
Information: 10 years
Call
History: 18 months. Bill reprint form 7-10 years, pre-pay accounts
only 18 months regardless.
Tower
Locations as they related to Call History:
18 months
SMS Content: Not Available
Tower Dumps: 18 months
Range to
Tower (RTT) Data: 14-90 days. The technician advised that after 14 days,
certain detail in these records is purged, but the remainder is kept for up to
90 days.
T-Mobile
Subscriber
Information: 3-5 years. Canceled accounts are purged after account
closes.
Call
History: 23 months
Tower
Locations as they related to Call History:
23 months
SMS Content: Not Available
Tower Dumps: 3 months
Range to
Tower (RTT) Data: 23 months. This seems rather long to me, but the technician
repeated it on the phone.
U.S. Cellular
Subscriber
Information: up to 7 years
Call
History: 1 rolling calendar year. Bill reprint: 7 years.
Tower
Locations as they related to Call History:
1 rolling calendar year
SMS Content: 3-5 days
Tower Dumps: 1 rolling calendar year
Range to
Tower (RTT) Data: Not Available
(technician stated would be coming soon).
As you can
see, the retention periods and even the types of available records are not
uniform, making this type of information crucial in both criminal and civil
investigations alike. For records such
as bill re-print, the detail in this data will be far less than we normally see
in traditional investigative cellular call detail records, so I wouldn’t rely
on this information for anything other than basic communication
documentation. As a rule, I recommend checking with the provider
first to see if the data you’re looking for is still available.
Wrapping it Up
In the right
hands and in the spirit of the holistic mobile investigation, cellular call
detail records can be a powerful piece of evidence to help confirm or refute a
person’s location during a given time frame or incident. However, the ability to know what types of
data are available, how long the data is accessible for and how to analyze and
explain that data is a crucial intangible in any case. Without that, it’s all just one big
spreadsheet!
Author:
Patrick J. Siewert
Principal
Consultant
Professional
Digital Forensic Consulting, LLC
Virginia
DCJS #11-14869
Based in
Richmond, Virginia
Available
Globally
We Find the Truth for a
Living!
Computer Forensics -- Mobile Forensics -- Specialized
Investigation
About the Author:
Patrick Siewert is the Principal
Consultant of Pro Digital Forensic Consulting, based in Richmond,
Virginia. In 15 years of law
enforcement, he investigated hundreds of high-tech crimes, incorporating
digital forensics into the investigations, and was responsible for
investigating some of the highest jury and plea bargain child exploitation
investigations in Virginia court history. Patrick is a graduate of SCERS, BCERT, the
Reid School of Interview & Interrogation and multiple online investigation
schools (among others). He continues to hone his digital forensic expertise in
the private sector while growing his consulting & investigation business
marketed toward litigators, professional investigators and corporations, while
keeping in touch with the public safety community as a Law Enforcement
Instructor.
