Records maintained by the service provider capture the information needed to accurately bill a subscriber or, in the case of a prepaid service plan, debit the balance. The records collected are referred to as call detail records (CDRs) and are generated by the switch handling an originating call or SMS message from a mobile device. For some service providers, the records may also include fixed-line, international gateway, and voice-over-IP transaction information. While the content and format of these records differ widely from one service provider to another, the fundamental data needed to identify the subscriber/device initiating the call, the initial cell servicing the call, the number dialed, and the call duration is captured. Detailed information such as the cell’s identifier (i.e., the BTS) and the sector involved is often included. Appendix C gives an example of the data elements of a CDR specified in the GSM standards. As one can see, considerable discretion about what is implemented is left to the service providers and network operators.
The retention period for maintaining call detail and other types of records varies among service providers. However, the period is generally limited, requiring immediate action to avoid data loss. One should act quickly to have the cellular carrier preserve any data used to identify communications that have occurred and are linked to the parties of interest, stressing non-disclosure of that action to the account subscriber. The data available may include subscriber records, the content of email servers (i.e., undelivered email), email server logs or other IP address authentication logs, the content of SMS and MMS message servers, and the content of voicemail servers. Note that certain types of undelivered content, such as voicemail, may be considered in transit from a legal standpoint in some jurisdictions. Obtaining or listening to them without the proper authority may be treated as an illegal interception of communications. While the USA PATRIOT Act eliminated this issue at the federal level, state statutes may be intentionally more restrictive or not yet be realigned completely with the federal statute (23).
For example, CDRs will contain sender and receiver phone numbers, the time and duration of the call, the call type (i.e., voice, SMS), etc. CDRs may be obtained from U.S. service providers through their law enforcement point of contact, with the appropriate legal documentation. Procedures may vary among states in the U.S., and new laws regarding proper seizure are continually enacted. Procedures also vary for obtaining records from service providers and network operators located in other countries. Close and continuing consultation with legal counsel is advised. Various online law enforcement forums can also help identify points of contact and share tips on procedures for accurately obtaining the required data (24).
(24) For more information, visit http://groups.yahoo.com/group/phoneforensics/ and https://htcc.secport.com/mailman/listinfo/htcc.
Besides call detail records, subscriber records maintained by a service provider can provide data useful in an investigation. For example, for GSM systems, the database usually contains the following information about each customer:
- Customer name and address
- Billing name and address (if other than the customer)
- User name and address (if other than the customer)
- Billing account details
- Telephone number (MSISDN)
- UICC serial number (ICCID)
- PIN/PUK for the UICC
- Services allowed
Other useful information, including phone numbers (i.e., work or home), contact information (e.g., email address), and credit card numbers used, may also be retained in subscriber records. Pay-as-you-go prepaid phones purchased anonymously over the counter may also have useful information maintained with their accounts, supplied by the subscribers, such as the credit card numbers used for purchases of additional time or an email address registered online for receipt of notifications. Gaining access to the call records of prepaid phones should not be ruled out.
CDRs and other records maintained by the service provider can be requested using subscriber or equipment identifier information seized or acquired from a mobile device or UICC. Subscriber information used for this purpose includes the IMSI from the UICC and the mobile device number (i.e., MSISDN). Equipment identifiers used are the ESN or IMEI of the phone and the serial number (i.e., ICCID) of the UICC. The search criteria used could be, for example, all calls received by a certain phone number (e.g., that of a victim) or all calls handled by a base station responsible for a particular cell (i.e., to determine who was in a certain area at a certain time) [Wil03]. The analysis of the initial set of records obtained usually leads to additional requests for related records of other subscribers and equipment based on the data uncovered. For example, frequent calls to a victim’s mobile device from one or more other mobile devices before a homicide would logically lead to an interest in obtaining the records of the caller(s).
CDRs can be analyzed for a variety of purposes. For example, a service provider may use them to understand the calling patterns of its subscribers and the performance of the network [Aja06]. Call detail records can also be used with cell site tower information obtained from the service provider to translate cell identifiers into geographical locations for the cells involved and identify the general locale from which calls were placed. While plotting call record locations and information onto a map can sometimes be useful, it does not necessarily provide a complete and accurate picture. Cell towers can service phones at distances of up to 35 kilometers (approximately 21 miles) and service several distinct sectors. Radio frequency coverage maps maintained by the service provider are used to create a more exact portrayal of the data for the sectors involved. The results of the data analysis can be used to determine the location of the mobile device at a given time [Oco09]. The analysis can also help to establish timelines and identify possible co-conspirators. A change of cell identifier between the beginning and the end of a call, observed over a series of calls, may also indicate a general direction of travel or a pattern of behavior.
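The following Python script is an added example, not from the NIST document or from any carrier's tooling, that works through the two search criteria named two paragraphs above (all calls received by a given number; all calls handled by a given cell) and the cell mapping described in this paragraph (translating cell identifiers to sites, building a per-handset timeline, and reading a general direction of travel from a change of serving cell during a call). The CDR layout, field names, MSISDNs, IMEIs, IMSIs, cell identifiers and site coordinates are all constructed for illustration; real carrier exports differ in content and format from one provider to another.

```python
"""Toy CDR analysis: search criteria, cell-ID mapping, timeline, direction of travel.

Added example. Every identifier, record and coordinate below is constructed;
none of it comes from a real carrier or from the NIST guideline.
"""
import csv
import io
import math
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed CDR export: one row per originating call or SMS, as a switch might log it.
CDR_TEXT = """\
start_time,calling_msisdn,called_msisdn,imei,imsi,call_type,duration_s,start_cell,end_cell
2024-03-01T08:02:11,15550100001,15550100099,990000000000001,310150000000001,VOICE,95,CELL-A1,CELL-A1
2024-03-01T08:40:30,15550100002,15550100099,990000000000002,310150000000002,SMS,0,CELL-B2,CELL-B2
2024-03-01T09:15:02,15550100001,15550100099,990000000000001,310150000000001,VOICE,420,CELL-A1,CELL-B2
2024-03-01T09:58:44,15550100001,15550100003,990000000000001,310150000000001,VOICE,60,CELL-B2,CELL-C3
2024-03-01T10:31:19,15550100004,15550100005,990000000000004,310150000000004,VOICE,30,CELL-B2,CELL-B2
"""

# Constructed cell-site table standing in for the provider's cell ID -> tower data (lat/lon in degrees).
CELL_SITES_TEXT = """\
cell_id,site_name,lat,lon
CELL-A1,Riverside BTS,40.7000,-74.0200
CELL-B2,Midtown BTS,40.7500,-73.9800
CELL-C3,Uptown BTS,40.8000,-73.9400
"""


@dataclass(frozen=True)
class CDR:
    start: datetime
    caller: str
    callee: str
    imei: str
    imsi: str
    call_type: str
    duration_s: int
    start_cell: str
    end_cell: str


@dataclass(frozen=True)
class CellSite:
    cell_id: str
    site_name: str
    lat: float
    lon: float


def parse_cdrs(text: str) -> list:
    """Parse the constructed CSV export into CDR records, oldest first."""
    cdrs = [CDR(datetime.fromisoformat(r["start_time"]), r["calling_msisdn"], r["called_msisdn"],
                r["imei"], r["imsi"], r["call_type"], int(r["duration_s"]),
                r["start_cell"], r["end_cell"])
            for r in csv.DictReader(io.StringIO(text))]
    return sorted(cdrs, key=lambda c: c.start)


def parse_cell_sites(text: str) -> dict:
    """Map each cell identifier to its site so CDR cell IDs can be translated to places."""
    return {r["cell_id"]: CellSite(r["cell_id"], r["site_name"], float(r["lat"]), float(r["lon"]))
            for r in csv.DictReader(io.StringIO(text))}


def calls_to_number(cdrs, msisdn):
    """Search criterion 1: every call or SMS received by one number (e.g. a victim's)."""
    return [c for c in cdrs if c.callee == msisdn]


def frequent_callers(cdrs, msisdn):
    """Rank callers to a number; the top entries are candidates for follow-up record requests."""
    return Counter(c.caller for c in calls_to_number(cdrs, msisdn))


def calls_via_cell(cdrs, cell_id):
    """Search criterion 2: every record handled by one cell at call start or end (who was in the area)."""
    return [c for c in cdrs if cell_id in (c.start_cell, c.end_cell)]


def initial_bearing(lat1, lon1, lat2, lon2):
    """Great-circle initial bearing from point 1 to point 2, in degrees clockwise from north."""
    phi1, phi2, dl = math.radians(lat1), math.radians(lat2), math.radians(lon2 - lon1)
    x = math.sin(dl) * math.cos(phi2)
    y = math.cos(phi1) * math.sin(phi2) - math.sin(phi1) * math.cos(phi2) * math.cos(dl)
    return (math.degrees(math.atan2(x, y)) + 360.0) % 360.0


COMPASS = ("N", "NE", "E", "SE", "S", "SW", "W", "NW")


def compass_point(bearing):
    """Reduce a bearing to an 8-point compass heading (each sector is 45 degrees wide)."""
    return COMPASS[int((bearing + 22.5) // 45) % 8]


def device_timeline(cdrs, imei, sites):
    """Chronological (time, start site, end site) for one handset, with cell IDs translated to sites."""
    return [(c.start.isoformat(), sites[c.start_cell].site_name, sites[c.end_cell].site_name)
            for c in cdrs if c.imei == imei]


def direction_of_travel(cdrs, imei, sites):
    """Compass heading for each call whose serving cell changed between start and end.
    A cell change shows movement across a boundary, not a path: a cell can span tens of km."""
    headings = []
    for c in cdrs:
        if c.imei == imei and c.start_cell != c.end_cell:
            a, b = sites[c.start_cell], sites[c.end_cell]
            headings.append(compass_point(initial_bearing(a.lat, a.lon, b.lat, b.lon)))
    return headings


if __name__ == "__main__":
    cdrs, sites = parse_cdrs(CDR_TEXT), parse_cell_sites(CELL_SITES_TEXT)
    print("callers to 15550100099:", frequent_callers(cdrs, "15550100099").most_common())
    print("records handled by CELL-B2:", len(calls_via_cell(cdrs, "CELL-B2")))
    for row in device_timeline(cdrs, "990000000000001", sites):
        print(*row)
    print("direction of travel:", direction_of_travel(cdrs, "990000000000001", sites))
```

The heading derived in `direction_of_travel` is deliberately coarse (an 8-point compass) because the underlying observation is only that the handset crossed from one cell's coverage into another's; given the coverage radii and variable boundaries discussed in the text, anything finer than a general direction would overstate what the records support.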
The boundaries of a cell are somewhat variable. Various factors, such as terrain, seasonal changes, antenna performance, and call loading, affect cells’ coverage area and the plausible locale to associate with a call record. Detailed field tests and measurements may be required to ensure an accurate analysis. Tools exist to aid law enforcement in performing cell site analysis and mapping activities independently. In some situations, such as densely populated urban locations involving microcells or picocells with a limited coverage area, location determination may be relatively straightforward by the very nature of the network.
Identifying the geographical coverage of specific cells may provide valuable information when combined with call detail records, geographically establishing plausible locations with some degree of certainty for the times involved. Professional criminals are aware of these capabilities and may attempt to turn them to their advantage by having someone else use their mobile device to establish a false alibi. Attempts at evasion may also occur. Common ploys are purchasing, using, and quickly disposing of pay-as-you-go prepaid phones to minimize exposure, or using stolen phones. To obfuscate usage and complicate the analysis of records, various UICCs may be swapped among different GSM/UMTS mobile devices.
Careful analysis of the call records in conjunction with other forms of available data may be useful in establishing the relationship between a mobile device and its owner. For example, call detail records of pay-as-you-go prepaid phones are maintained by and available from network providers, the same as for contract subscriptions. By analyzing the patterns and content of communications and mapping the data to known associates of a suspect, ownership of such phones may be established. Other traditional forms of forensic evidence (e.g., fingerprinting, DNA) may also be used to establish ownership.
Network traffic information quantifying the amount of data transferred to/from the device is also frequently reported and may aid investigators in specific investigations.