Christa M. Miller is a Maine-based freelance writer specializing in public safety topics. Digital forensics is one of her particular areas of interest; this article was the result of a collaboration with one of her regular sources, Kipp Loving of the Sacramento Valley (California) Hi-Tech Crimes Task Force. The original article is available at Officer.com/Law Enforcement Technology; Christa can be reached at firstname.lastname@example.org.
Getting Evidence… from Cell Phone Towers?
On a cell phone, SMS (text) messages, phone books, images, and call logs establish alibis or guilt, a suspect’s known associates, and other key pieces of a criminal investigation.
However, investigators can’t rely only on device data. They may not have the device in hand, or it may be damaged. As long as they have its phone number, they can contact the service provider that maintains it to get at least some evidence.
That evidence includes more extensive call logs, undelivered messages, and tower data. Tower data can show a cell phone user’s location at the time of an incident; it can be matched against the information saved on the device and mapped together with street names and landmarks.
Service providers’ “tower” data
Most cell sites consist of a tower or pole carrying directional antennas that send and receive in three sectors, conventionally labeled alpha (facing north), beta (southeast), and gamma (southwest). This layout lets a carrier cover an entire hexagonal “cell” of its network efficiently. It also means the carrier can identify which sector of the antenna (which side of the tower) communicated with a mobile device.
Carriers keep detailed call records for billing purposes, so the data includes date and time stamps; call length; whether a call was inbound, outbound, or went to voicemail; the incoming or dialed phone number; and the tower number, its location, and the sector the call used. Because a call is logged at both ends, the records show the tower and sector where the call originated and the tower and sector where it terminated.
Tower data can sometimes reveal whether the device was in motion or stationary. A person dialing from one location will hit the same side of the same tower, but a person on the go will hit different towers and different sides. A long call that starts on one tower and ends on another shows that the phone moved during the call, but not where it went in between; a series of short calls paints a clearer picture of the travel path. Such a path can be visualized on a map, which should include all the towers in the area (not just the ones the phone accessed) so their relative positions are clear, along with the primary locations noted in the case file.
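The following is an added example, not code from the original article or from the task force it describes. It takes a small, constructed set of call-detail records (the column layout is an assumption about a carrier export; real exports differ by carrier) and applies the reasoning above: it builds the sequence of tower and sector hits, collapses repeats to decide whether the phone looks stationary or moving, flags long calls whose start and end towers differ as legs where the path is ambiguous, and turns the alpha/beta/gamma sector names into bearing ranges for drawing coverage wedges on a map. The sector bearings are an assumption from the article's description; a carrier's documented antenna azimuths should be used for real records.

```python
import csv
import io
from datetime import datetime, timedelta

# Sector names as the article describes them: alpha faces north, beta southeast,
# gamma southwest. The exact bearings are an assumption; carriers document their
# own antenna azimuths, and those figures should be used when mapping real records.
SECTOR_BEARING = {"alpha": 0, "beta": 120, "gamma": 240}

# Constructed sample of carrier call-detail records (not real data). The column
# layout is an assumption about what a carrier export looks like; real exports
# differ between carriers, but they carry the same fields the article lists.
SAMPLE_CDR = """\
start,duration_s,direction,number,start_tower,start_sector,end_tower,end_sector
2006-02-10 08:02:11,45,outbound,5551234567,T101,alpha,T101,alpha
2006-02-10 08:15:40,30,inbound,5559876543,T101,alpha,T101,alpha
2006-02-10 08:40:05,20,outbound,5551234567,T117,gamma,T117,gamma
2006-02-10 08:52:30,1500,outbound,5550001111,T117,gamma,T142,beta
2006-02-10 09:31:12,15,voicemail,5551234567,T142,beta,T142,beta
"""


def parse_cdrs(text):
    """Parse the CSV export into dicts with real timestamps, sorted by start time."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        rec = dict(row)
        rec["start"] = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        rec["duration"] = timedelta(seconds=int(row["duration_s"]))
        rec["end"] = rec["start"] + rec["duration"]
        records.append(rec)
    records.sort(key=lambda r: r["start"])
    return records


def sector_coverage(sector, half_width=60):
    """Bearing range (lo, hi) a sector serves, for drawing its wedge on a map."""
    centre = SECTOR_BEARING[sector]
    return ((centre - half_width) % 360, (centre + half_width) % 360)


def hits(records):
    """Every (time, tower, sector) observation, one for each end of each call."""
    points = []
    for r in records:
        points.append((r["start"], r["start_tower"], r["start_sector"]))
        points.append((r["end"], r["end_tower"], r["end_sector"]))
    points.sort()
    return points


def travel_path(records):
    """Collapse consecutive hits on the same tower and sector: repeats show no
    detectable movement, so the remaining points are the path the phone took."""
    path = []
    for p in hits(records):
        if not path or (path[-1][1], path[-1][2]) != (p[1], p[2]):
            path.append(p)
    return path


def is_moving(records):
    """A phone that only ever hits one side of one tower looks stationary."""
    return len(travel_path(records)) > 1


def ambiguous_legs(records, long_call=timedelta(minutes=10)):
    """Long calls that start and end on different towers or sectors: the phone
    moved during the call, but the records cannot say where it was in between."""
    return [
        r for r in records
        if (r["start_tower"], r["start_sector"]) != (r["end_tower"], r["end_sector"])
        and r["duration"] >= long_call
    ]


if __name__ == "__main__":
    recs = parse_cdrs(SAMPLE_CDR)
    print("moving" if is_moving(recs) else "stationary")
    for t, tower, sector in travel_path(recs):
        lo, hi = sector_coverage(sector)
        print(f"{t:%H:%M:%S} {tower} {sector:<5} covers bearings {lo}-{hi}")
    for r in ambiguous_legs(recs):
        print(f"gap: {r['start']:%H:%M}-{r['end']:%H:%M} from {r['start_tower']} to {r['end_tower']}")
```

On the sample, the phone is on T101 for two short calls, then on T117, then a 25-minute call begins on T117 and ends on T142: that call is reported as an ambiguous leg, since the records fix the phone's position only at its two ends. The `sector_coverage` wedges are what you would draw around each tower on the case map, with the towers the phone never touched plotted alongside for context.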
Tower data in criminal investigations
Tower data can be used to place a phone within a geographical location at a specific time, identify call patterns, establish timelines, corroborate statements, and identify co-conspirators. Investigators do not have to wait until they have made an arrest to use this type of information. If they have a suspect that they believe is involved in criminal activity and would like to know where he was one week ago (for instance, was he at the scene of a robbery, homicide, drive-by shooting, or just simply in the area), they can contact the carrier to obtain that information without needing any contact with the suspect. All that is necessary is, again, the suspect’s cell phone number. This makes tower data useful for intelligence gathering among anti-gang, narcotic, counterterrorism, and similar units.
It’s also important to remember that everyone has a typical call pattern: whom they call, how often, from what location(s), and at what times of day or week. When crimes occur, the people involved tend to step outside their normal call patterns, and tower data can establish what the previous pattern was. If, for example, an individual kills his next-door neighbor, the cell phones won’t necessarily be the homicide team’s priority. However, if a homicide occurs in Stockton but the suspect lives in Fresno, the team should be looking at the carrier data very quickly to establish call patterns in the days leading up to, and on the day of, the incident.
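The following is an added example, not code from the original article. It builds a baseline profile from constructed call records covering three ordinary days (contacts, hours of day, towers, calls per day) and then flags the calls on a chosen incident day that fall outside that pattern: a number never called before, a tower never used before, an hour the subject is never normally active, and a change in call volume. The record layout is an assumption about a carrier export; the thresholds are deliberately simple so the logic is easy to follow.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed records spanning three ordinary days and the day of an incident
# (not real data). The column layout is an assumption about a carrier export.
SAMPLE_CDR = """\
start,direction,number,tower
2006-02-01 09:05:00,outbound,5551112222,T201
2006-02-01 12:30:00,inbound,5553334444,T201
2006-02-01 18:10:00,outbound,5551112222,T205
2006-02-02 09:10:00,outbound,5551112222,T201
2006-02-02 13:00:00,outbound,5553334444,T201
2006-02-02 19:00:00,inbound,5551112222,T205
2006-02-03 08:55:00,outbound,5553334444,T201
2006-02-03 18:30:00,outbound,5551112222,T205
2006-02-04 02:40:00,outbound,5559990000,T377
2006-02-04 03:15:00,inbound,5559990000,T377
2006-02-04 03:50:00,outbound,5559990000,T380
2006-02-04 09:00:00,outbound,5551112222,T201
"""


def parse_cdrs(text):
    """Parse the CSV export into dicts with real timestamps, sorted by start time."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        rec = dict(row)
        rec["start"] = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    records.sort(key=lambda r: r["start"])
    return records


def profile(records):
    """The subject's normal pattern: whom they call, when, from where, how often."""
    days = {r["start"].date() for r in records}
    return {
        "contacts": Counter(r["number"] for r in records),
        "hours": Counter(r["start"].hour for r in records),
        "towers": Counter(r["tower"] for r in records),
        "calls_per_day": len(records) / len(days) if days else 0.0,
    }


def split_at(records, incident_day):
    """Baseline = everything before the incident date ('YYYY-MM-DD'); window = that day."""
    day = datetime.strptime(incident_day, "%Y-%m-%d").date()
    baseline = [r for r in records if r["start"].date() < day]
    window = [r for r in records if r["start"].date() == day]
    return baseline, window


def deviations(baseline, window):
    """Flag window calls that step outside the baseline pattern, and report how the
    day's call volume compares with the subject's usual daily count."""
    base = profile(baseline)
    findings = []
    for r in window:
        flags = []
        if r["number"] not in base["contacts"]:
            flags.append("new contact")
        if r["tower"] not in base["towers"]:
            flags.append("new tower")
        if base["hours"][r["start"].hour] == 0:
            flags.append("unusual hour")
        if flags:
            findings.append((r["start"], r["number"], r["tower"], flags))
    ratio = len(window) / base["calls_per_day"] if base["calls_per_day"] else float("inf")
    return findings, ratio


if __name__ == "__main__":
    baseline, window = split_at(parse_cdrs(SAMPLE_CDR), "2006-02-04")
    findings, ratio = deviations(baseline, window)
    print(f"incident-day volume is {ratio:.1f}x the baseline daily average")
    for when, number, tower, flags in findings:
        print(f"{when:%Y-%m-%d %H:%M} {number} via {tower}: {', '.join(flags)}")
```

On the sample, the three early-morning calls to a number the subject has never called, from towers the subject has never used, are the ones flagged; the routine 09:00 call to a regular contact from the usual tower is not. With real records the baseline should cover weeks rather than days so that weekend and weekday habits are both represented, or normal variation will be reported as deviation.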
Challenges in obtaining carrier data
Records are obtained from carriers, not from towers, and each carrier retains each category of data for its own period of time, so an investigator needs to know which carrier serves the number and ask early. Customer privacy also remains important. To balance consumer and law enforcement needs, most carriers have assigned a department to process law enforcement requests, answer questions, and ensure legal compliance on all sides.
Another challenge is that tower data still tells only part of the story. It places a phone, not a person. The only way to positively identify a user is through personal statement, direct observation, or audio identification, tying the individual to the phone that was tied to the scene. This was the case following the February 2006 murder of a California peace officer. It wasn’t enough that the officer was found clutching the suspect’s vehicle registration, or that tower data showed calls being made along the suspect’s escape route; the suspect had also erased all inbound and outbound call logs. Investigators made their case by tying the suspect’s detailed calendar and phonebook to the tower data, supplemented by physical evidence: gunshot residue found on the phone itself.
Training is another important component. When seizing a cell phone during an arrest, the officer must immediately ensure that its data remain intact. An arrestee can use his one in-custody phone call to contact an associate, who can log on to the carrier’s website and remotely delete information. If the phone is on, or is turned on during the investigation, the wipe executes as soon as the phone connects to the network.
Some investigators prefer to use a “Faraday cage,” a shielded enclosure that blocks radio signals and lets them turn on the phone without it connecting to the network. An alternative is the seized phone’s “flight mode,” which disables its radios while leaving the rest of the device usable. Flight mode depends on the handset’s own software and on the examiner reaching the setting before the phone registers with the network, so shielding is the safer default when both are available.
[Figure: Portable Faraday cage. A homemade Faraday cage blocks radio signals.]
Many states make it possible for officers to search a subject’s cell phone incident to arrest; some require a search warrant. To obtain carrier data, however, investigators almost always need a court order.
Because looking at records is not considered as intrusive as kicking down a door, the threshold is lower: suspicious activity alone is enough. For instance, if the license plate of a car seen near a burglary comes back to a parolee, that’s enough to obtain a court order for his or her cell phone records. A search warrant also works if a subject needs to be located in real time; the carrier can ping the phone and report back its location.
Various challenges can lead investigators to think they’ll have a hard time getting a warrant. But the trick isn’t obtaining the warrant; it’s doing so before the carrier’s retention period runs out. The best way to buy that time is a preservation letter. Under 18 U.S.C. § 2703(f), investigators can fax a written request to the carrier to preserve all data for a target phone number. The carrier must then hold the data for 90 days, and must extend the hold for a further 90 days if the agency renews the request. This usually gives investigators enough time to obtain a warrant.
Sometimes exigent circumstances come into play. Although an amendment in the Patriot Act allows providers to give information to law enforcement in the event of an “emergency involving the risk of imminent death or serious physical injury,” most states, including California, continue to preserve citizens’ privacy. Judicial approval is necessary, which means the department must submit a request on letterhead. In most cases, carriers will comply. Others require warrants, but will supply information in an emergency as long as the request is later backed up with one.
Some seemingly exigent circumstances still are not enough for forensic examinations of phones or other electronics. This is especially true of suicides. Even when the subject has a chance to be saved, the individual’s privacy overrules.