Monday, June 1, 2020

Beyond Location Data In Cellular Records Analysis



For reasons I’m not sure I can put a firm grasp on, there still seems to be a debate over the value of cellular call detail records and their strength in being able to prove or disprove location in litigation.  Clearly the location data is generally what is sought after the most, because it carries weight with regard to a particular incident and/or time frame at the heart of the dispute.  However, some still try to debunk this data as “junk science”.  The reasoning for this is a great topic for another article, and is touched upon in our previous article entitled Three Reasons Why Call Detail Records Analysis Is Not “Junk Science”.  However, there’s much more to the cellular records than location data, or at least much more that is ancillary to location data.  This deeper level of analysis can further lend validity to the records themselves and any conclusions drawn from their analysis, location or otherwise.



Dataset #1:  Link Analysis

Along with location data, properly obtained cellular records also tell us a great deal about who our target is talking to, when they are talking and how often.  This is most commonly referred to as link analysis, but effective analysis of these records goes beyond that.  For instance, a target is suspected of marital infidelity with a married woman.  The call detail records (CDR) show he calls and texts the married woman several dozen times a day.  A private investigator tracking the married woman spots the two of them together on a particular date and time.  What is likely to happen?  They’ll stop calling or texting each other during that time because they’re in the same location.  In another example, suspect #1 is arrested and charged with robbery.  His defense team has information that he was NOT the only one involved in the robbery, and perhaps was not the primary person involved.  Analyzing who the suspect called and texted the most leading up to the robbery and afterward can be of great value in determining who an accomplice may have been.  Usually what we see with link analysis is that people will call and text their loved ones the most – husbands/wives, parents, best friends, etc.  This all goes to show a pattern of usage and helps identify who they talk to the most and, potentially, their activity with regard to those people as well.
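
A sketch of the two checks described above, added here as an illustration and not taken from the author's tooling: rank the target's contacts by volume, then test whether an independently observed time falls inside an unusually long silence between the target and one party. The record layout, the party labels and the `factor` threshold are assumptions, and the sample rows are constructed.

```python
from collections import Counter
from datetime import datetime
from statistics import median

FMT = "%Y-%m-%d %H:%M"
# Constructed sample (not real data): (event time, other party) for the
# target's calls and texts. Party labels W, M and K are hypothetical.
CONTACTS = [
    ("2020-05-12 09:00", "W"), ("2020-05-12 09:20", "W"),
    ("2020-05-12 09:30", "M"), ("2020-05-12 09:45", "W"),
    ("2020-05-12 10:05", "W"), ("2020-05-12 10:30", "W"),
    ("2020-05-12 11:15", "K"), ("2020-05-12 13:40", "W"),
    ("2020-05-12 14:00", "W"), ("2020-05-12 14:10", "M"),
    ("2020-05-12 14:25", "W"),
]

def top_contacts(contacts, n=3):
    """Link analysis in its simplest form: who is contacted most often."""
    return Counter(party for _, party in contacts).most_common(n)

def quiet_gap_around(contacts, party, observed, factor=4):
    """Return (last contact before, first contact after) `observed` when the
    silence between them is at least `factor` times the pair's median gap;
    return None when contact around that time looks ordinary.
    `factor` is an assumed threshold, not a value from the article."""
    times = sorted(datetime.strptime(t, FMT) for t, p in contacts if p == party)
    pairs = list(zip(times, times[1:]))
    if not pairs:
        return None
    typical = median(later - earlier for earlier, later in pairs)
    seen = datetime.strptime(observed, FMT)
    for earlier, later in pairs:
        if earlier <= seen <= later and (later - earlier) >= factor * typical:
            return earlier, later
    return None
```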

Dataset #2:  Usage Patterns

Often in conversations with litigators about analysis of these records, we get asked “What if they turned their phone off?” or “What if he simply left his phone at home or at work?” during the time of interest.  All valid questions!  The issue becomes what we can tell is likely during the time frame of interest in relation to other usage patterns.  If a cheating husband is meeting his paramour in a hotel during his lunch hour once or twice a week and he leaves his cell phone at the office, we’ll be able to tell from looking at 1) the usage patterns from when he is not with his paramour and 2) a pattern of missed calls and/or texts for the period of time he was separated from his phone.  Let’s also not overlook that he may have had a flurry of text messages or calls with the paramour leading up to this activity.  There are very interesting and often very valuable items we can tell by looking at the record, such as:

· If the phone rang and went to voicemail
· If the phone was turned off and calls went directly to voicemail
· If calls were received and unanswered in succession for a period of time (and later returned)
· If text messages were received and unanswered for a period of time (and later returned)
· Whether any of this activity is normal, as compared to other activity for time frames outside of the time frame of interest

People are creatures of habit.  By analyzing the usage patterns in the records, we can see what their habits are in relation to the use of their device.  This is the single biggest reason we advise all litigators who wish to use these records to obtain at least 30 days of records on either end of the incident in question.  The more data, the better.  Usage patterns are of great value when conducting this analysis.
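
One way to surface the "unanswered in succession, later returned" pattern from the list above, added as an illustration and not the author's own method. The `answered` flag is an assumed normalised field (carriers encode unanswered and voicemail-routed calls differently), the party labels are hypothetical and the sample events are constructed.

```python
from datetime import datetime

# Constructed sample events (not real data):
# (event time, direction, other party, answered).
EVENTS = [
    ("2020-05-12 09:10", "out", "A", True),
    ("2020-05-12 10:02", "in",  "B", True),
    ("2020-05-12 11:40", "out", "P", True),
    ("2020-05-12 11:52", "out", "P", True),
    ("2020-05-12 12:15", "in",  "A", False),
    ("2020-05-12 12:31", "in",  "C", False),
    ("2020-05-12 12:58", "in",  "A", False),
    ("2020-05-12 13:20", "out", "A", True),
    ("2020-05-12 13:24", "out", "C", True),
    ("2020-05-12 15:05", "in",  "B", False),
    ("2020-05-12 15:30", "in",  "B", True),
]

def _summarise(run, later):
    """Describe one silent window and which missed parties were contacted after it."""
    missed = {party for _, party in run}
    returned = sorted({p for _, d, p, _ in later if d == "out" and p in missed})
    return {"start": run[0][0], "end": run[-1][0],
            "missed": len(run), "returned_to": returned}

def silent_windows(events, min_run=3):
    """Find runs of at least `min_run` consecutive unanswered inbound events.
    Any outbound or answered event ends a run, because it shows the user
    was handling the device. `min_run` is an assumed threshold."""
    rows = sorted((datetime.strptime(t, "%Y-%m-%d %H:%M"), d, p, a)
                  for t, d, p, a in events)
    windows, run = [], []
    for i, (ts, direction, party, answered) in enumerate(rows):
        if direction == "in" and not answered:
            run.append((ts, party))
            continue
        if len(run) >= min_run:
            windows.append(_summarise(run, rows[i:]))
        run = []
    if len(run) >= min_run:  # records ended while the device was still silent
        windows.append(_summarise(run, []))
    return windows
```

Running the same function over the 30 days on either side of the incident shows whether such windows are routine for this subscriber or confined to the time frame of interest.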



Dataset #3:  Where They Lay Their Head

Much of the usage analysis mentioned previously has little or nothing to do with location.  One area that has to do with location, although not necessarily during the time frame of the alleged incident(s), is where your target lays their head.  As stated earlier, people are creatures of habit.  Their phones are with them virtually all the time.  So even outside of the time frame of the incident, we can likely tell where that person is staying at night.  By and large, during late night and early morning hours, we see the mobile device stationary, only using one sector of one cell site for an extended period.  This information in the records tells us likely where they lay their head.  By filtering down to late night & early morning hours, we can also see if they have more than one place where they may stay at night.  This typically generates a “hot list” of cell sites that are used most often, and this is also included in any reports we generate.  It’s relevant insofar as it shows the finder of fact or opposing counsel that their stated address may not be where they stay.  It could also provide additional information for follow-up if the house and likely person with whom they are staying can be determined.  It’s a fantastic piece of evidentiary data!
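
The overnight filter and "hot list" described above, sketched as an added example (not the author's reporting code). The three-column record shape, the site identifiers and the 23:00 to 05:00 window are assumptions, and the sample rows are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data): (event time, cell site, sector).
RECORDS = [
    ("2020-05-01 23:40", "1041", 2), ("2020-05-02 01:15", "1041", 2),
    ("2020-05-02 04:30", "1041", 2), ("2020-05-02 12:30", "3307", 3),
    ("2020-05-02 23:05", "1041", 2), ("2020-05-03 02:00", "1041", 2),
    ("2020-05-03 23:30", "2210", 1), ("2020-05-04 00:45", "2210", 1),
    ("2020-05-04 03:10", "2210", 1), ("2020-05-04 23:50", "1041", 2),
    ("2020-05-05 01:00", "1041", 2), ("2020-05-05 23:10", "1041", 2),
    ("2020-05-06 00:20", "5500", 1),
]
NIGHT_START, NIGHT_END = 23, 5  # assumed bounds for "late night & early morning"

def night_key(ts):
    """Date of the evening a night-time event belongs to, or None for daytime.
    Events after midnight are attributed to the previous evening."""
    if ts.hour >= NIGHT_START:
        return ts.date()
    if ts.hour < NIGHT_END:
        return (ts - timedelta(days=1)).date()
    return None

def overnight_hot_list(records):
    """Rank (site, sector) pairs by the number of nights on which one pair
    carried more than half of that night's events (device likely stationary)."""
    per_night = defaultdict(Counter)
    for stamp, site, sector in records:
        night = night_key(datetime.strptime(stamp, "%Y-%m-%d %H:%M"))
        if night is not None:
            per_night[night][(site, sector)] += 1
    nights_dominated = Counter()
    for sectors in per_night.values():
        top, hits = sectors.most_common(1)[0]
        if hits * 2 > sum(sectors.values()):
            nights_dominated[top] += 1
    return nights_dominated.most_common()
```

A second entry on the list, as with site 2210 in the sample, is the "more than one place where they may stay at night" case; a night split evenly between sectors is left off the list and not forced onto either site.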

Wrapping It Up

As illustrated briefly here, there’s more to cellular call detail records analysis than simple location.  These points also further prove that the proper and effective analysis of this data is not “junk science”; rather, there may be a contingent of analysts who simply don’t have the ability or desire to perform this type of higher-level analysis in their cases.  Ignorance of the power and effective use of the data does not make the data invalid.  By looking deeper into the data, we can start to sort out what may help to prove or disprove the claims in the case.  It could also help shed light upon or validate who else may be involved in the matter, whether previously known or not.  The ability to analyze behavior patterns in the record cannot be overstated either.  At the heart of any digital forensic practice is a person, whether it is behind the keyboard, phone screen or a cellular subscriber.  People behave in patterns.  Your analyst should be able to identify those patterns and determine whether or not they are of relevance in your case.  Happy hunting!

Author:
Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia


About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation investigations in Virginia court history.  Patrick is a graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple online investigation schools (among others).  He is a Cellebrite Certified Operator and Physical Analyst as well as certified in cellular call detail analysis and mapping.  He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.
Email:  Inquiries@ProDigital4n6.com