CELL PHONES: INVESTIGATING DATA By: Christopher Robinson - PowerPoint PPT Presentation



slide-1
SLIDE 1

CELL PHONES: INVESTIGATING DATA

By: Christopher Robinson

slide-2
SLIDE 2

TECHNOLOGIES

Cell Phones

slide-3
SLIDE 3

Terms & Technologies

  • GSM vs. CDMA - the two technological platforms currently in use for cell phone companies.
  • GSM - Global System for Mobile Communication (most commonly used worldwide); used by AT&T and T-Mobile. Most visible feature is the use of a SIM card.
  • CDMA - Code-Division Multiple Access; used by Verizon and Sprint.
  • SIM Card - Subscriber Identity Module (smart card) used by GSM phones and generally not by CDMA phones (however, some CDMA phones use a SIM card for less robust purposes such as data storage).

slide-4
SLIDE 4

Terms & Technologies

  • IMEI: International Mobile Equipment Identity

– This is a code that is embedded in the phone to provide device information. It can be used to identify the phone that is used.

  • IMSI: International Mobile Subscriber Identity

– This is a code that identifies the subscriber and account info. The IMSI is stored on a SIM card. (SIM: Subscriber Identity Module).

slide-5
SLIDE 5

Global Positioning System

  • Cell phones have GPS-R Technology
  • Cell phone acts as a passive receiver used to calculate location in relation to the satellites orbiting the earth.
  • If a program (app) is installed, it may do more than just receive. It may record.

slide-6
SLIDE 6

Global Positioning System

  • 24 Satellites Orbiting the Earth
  • 8 Visible at any time
  • Orbiting satellites constantly transmit messages, which are then acquired by ground receivers and translated into longitude and latitude coordinates.
  • Accuracy varies, but generally within about 10’
  • Accurate in rural areas / less accurate in urban areas.

slide-7
SLIDE 7

THE LAW

Why it all matters to you.

slide-8
SLIDE 8

Police State

  • Hawkins v. State, 604 S.E. 2d 886 (Ga. App. 2010)

– Defendant’s car is searched incident to arrest.
– Police find a cell phone. They immediately search it for text messages between the officer and the arrestee.
– Court notes that the rationale for search incident to arrest exception to warrant requirement is safety & preservation of evidence.
– Arrest was lawful. Officer limited search to text messages and didn’t do a “general search”, thus met 4th Amend. restrictions.

slide-9
SLIDE 9

Police State

  • People v. Diaz, 2011 WL 6158, (California January 3, 2011)

– A warrantless search of the text message folder on an arrested person’s cell phone, 90 minutes after arrest, was valid as incident to a lawful custodial arrest.
– Cell phone on arrestee’s person is same as a cigarette pack in his pocket or the clothes on his back.
– Length of time between arrest and search didn’t concern the court.

  • Preservation of evidence justification of search incident to arrest exception has left the building!

slide-10
SLIDE 10

Police State

  • U.S. v. Hill, U.S. District Court (January 10, 2011)

– Hill driving in a white SUV decides to expose himself to some children. He is subsequently identified and arrested. During a search of defendant, officers located an iPhone and immediately began searching it. The phone contained images of a young girl exposing herself to defendant and vice versa. Back at the station, officers also discovered videos of the same girl and defendant on the iPhone. They get a search warrant based on this evidence and hit the lottery at his house.
– Court ruled cell phone equivalent to a wallet.

slide-11
SLIDE 11

Sweet Home “Ohio?”

  • State v. Smith, Supreme Court of Ohio, No. 2008-1781 (2011)

– Ohio Supreme Court rejected argument that a cell phone is like a container on or near a person searched incident to arrest.
– Once officer has cell phone they did not need to search it to preserve evidence.
– Ruled a person has a high expectation of privacy in a cell phone’s contents, thus warrant required.

slide-12
SLIDE 12

Lesson to Take Away

  • When driving, place your cell phone in the glove compartment and lock it if you don’t want it to be searched.
  • If a person has a password protected cell phone would that change the court’s view on expectation of privacy?
  • Will Vermont's Constitution provide greater protection for expectation of privacy in a cell phone’s contents?
  • Someone in this room will likely get the first case in Vermont (if they haven’t already). It is incumbent upon all of us as defenders of rights to understand this technology and be ready to argue in order to create good law.

slide-13
SLIDE 13

NETWORK EXPLAINED

How Cell Phones Work

slide-14
SLIDE 14

Simple Cellular Network Explanation

  • The cellular telephone has an antenna.
  • The Base Transceiver Station (BTS = cell tower) also has an antenna.
  • Both antennas transmit and receive Radio Frequency (RF) signals.
  • Base Transceiver Station-BTS (cell tower) transmits an originating and terminating RF signal.

slide-15
SLIDE 15

Key Terms

  • Radio Frequency (RF) Strength - also referred to as signal strength. Radio frequency is the rate at which radio waves alternate. RF strength is measured in Hertz (Hz) - cycles per second.
  • Base Station Controller - controls one or multiple cell sites’ radio signals. It is similar to a computer data router “routing” incoming and outgoing calls. It also has radio repeater functions enabling the consumer to call another cell worldwide. This is where RF strength data gets recorded.
  • MTSO (Mobile Telephone Switching Office) “Switch” - the central switch that controls the entire operation of a cellular system. A sophisticated computer that monitors all cellular calls, arranges handoffs, keeps track of billing information, etc.

slide-16
SLIDE 16
slide-17
SLIDE 17

Triangulation vs. Historical Data Reconstruction Analysis

  • They are not the same thing.
  • Position based on triangulation is much more exact.
  • Records pertaining to triangulation are much harder to obtain.
  • To determine relatively exact location you would need to obtain the RF strength (i.e. signal strength) records from the Base Station Controller sometime within about 0-72 hours.

slide-18
SLIDE 18

Historical Data Reconstruction Analysis

  • This is what the title suggests.

– Not real time
– Subpoena available (historical) records:
  • Calls made and received (includes times and dates)
  • Towers of origination and termination
  • Cell Sector orientation
– Analyze data to suit your need
– Reconstruct it

slide-19
SLIDE 19

Triangulation Key Terms

  • Triangulation - a process by which the location of a radio transmitter can be determined by measuring either the radial distance, or the direction of the received signal from two or three different points. Triangulation is sometimes used in cellular communications to pinpoint the geographic position of a user.
  • “Ping” - About every five seconds, a cell phone sends a signal to cell sites within its network. This occurs whether the cell phone is in use or not. The base station controller records the RF strength (signal strength). You can determine a cell phone’s approximate location within about a 300-meter radius using data captured from the Time Difference of Arrival (TDOA) and/or Angle of Arrival (AOA) recorded by the cell phone company.

slide-20
SLIDE 20

Triangulation Key Terms

  • Time Difference of Arrival (TDOA) - Each tower measures the time taken to receive a handset’s signal. The tower translates this information (RF Strength) to estimate the distance of the handset from the tower. The information is cross-referenced with other towers in the network. The handset’s position is then expressed as longitude and latitude readings.
  • Angle of Arrival (AOA) - Antenna arrays at a base station determine the angle at which a handset’s signal arrives at the station. By comparing this AOA data among multiple base stations, the relative location of a wireless phone can also be triangulated. This is also expressed in longitude and latitude coordinates.

*Some networks indicate that they utilize both TDOA and AOA for more accurate locations.

slide-21
SLIDE 21

The Snitch in Your Pocket

Newsweek: February 19, 2010

  • FBI and other LE Agencies are obtaining more and more records of cell phone locations.
  • Sprint Nextel has even set up a dedicated Website so that LE agents can access the records from their desks – a fact divulged (and confirmed later) by the company’s manager of electronic surveillance. “The tool has just caught on fire with law enforcement,” he said.
  • Jack Killorin, a director of a federal drug task force in Atlanta commented, “This is pretty workaday stuff for us.”

slide-22
SLIDE 22

Stranger Than Fiction

The Roving Bug

  • U.S. v. Tomero (2006)

– The government applied for a “roving bug,” that is, the interception of Ardito’s conversations at locations that were “not practical” to specify. Judge grants application, authorizing interception… and the installation of a listening device in defendant’s cell phone.
– Device functioned whether or not cell phone was powered on or off!

slide-23
SLIDE 23

CELLEBRITE UNIVERSAL FORENSICS EXTRACTION DEVICE (UFED)

slide-24
SLIDE 24

CELLEBRITE UNIVERSAL FORENSICS EXTRACTION DEVICE (UFED)

  • The UFED family of products is able to extract and analyze data from more than 3000 phones, including smartphones and GPS devices. The mobile device performs both logical and physical data extraction, including recovery of deleted messages and content.
  • Designed for portability, the UFED solution is a stand-alone device that can be used either in the field or at the lab.

slide-25
SLIDE 25

ACQUIRING & PRESERVING DATA

Gleaning the Cube

slide-26
SLIDE 26

What Can We Obtain?

  • Handset

– Browsing History

  • Search Terms

– Pictures

  • May contain GPS Data

– Text Messages

  • Time Sent
  • To Whom
  • Message Content
slide-27
SLIDE 27

What Can We Obtain?

  • Handset (continued)

– Phone number of handset
– Calls made and received
– Contact Information

  • Service Provider

– Subscriber Information
– Cell Site Location and Sector Orientation
– Call Detail Records

  • Number called and/or dialed
  • Date and time of call
  • Duration of call
slide-28
SLIDE 28

How do we get it?

slide-29
SLIDE 29

Identify Service Provider

  • If you have the handset, identify if it is CDMA or GSM.

– Does it have a SIM?
– Any Corporate Insignia?

  • If you only have a number, search the number in Google or any of a number of reverse phone directories:

– www.fonefinder.net/
– www.reversephonedirectory.com
– www.mobofinder.com
– www.reversenumberdatabase.com

slide-30
SLIDE 30

Locate Subpoena Compliance Center

  • Most Service Providers have a subpoena compliance center. You can most easily find it by going to:

www.search.org/programs/hightech/isp/

slide-31
SLIDE 31

Questions for Subpoena Compliance

  • 1. Are there any costs for obtaining data? If so, may I submit a request for a waiver of fees based on representing indigent clients?
  • 2. Can we fax the subpoenas/orders?
  • 3. Does the information I’m requesting require a judge-signed subpoena?
  • 4. How will they send CDR/Tower Info: PDF, XLS, Fax? You want XLS (Excel spreadsheet) format.
  • 5. How long do they keep CDR/Tower Info? How long do they keep other data (i.e. SMS, MMS, GPS History, IP Address/Web Browsing History, Email, etc.)?
  • 6. Are the current tower names the same as they were during the activity or have they renamed their towers since?
  • 7. Have they merged or bought another company?
slide-32
SLIDE 32

Subpoenas

  • Cell phone companies are all different, often times confusing.
  • Subscriber Information - “…the most current bill reprint and/or subscriber information pertaining to phone number xxx-xxx-xxxx…”
  • Call Detail Record (and/or SMS and MMS) - “…any and all call detail record(s), SMS and/or MMS detail record(s) for phone number xxx-xxx-xxxx from [DATE] to [DATE]…”

slide-33
SLIDE 33

Subpoenas

  • Cell Tower Site Info - “…any and all cell tower information for target number xxx-xxx-xxxx, from [DATE/TIME] to [DATE/TIME], pertaining to any and all call detail, SMS, MMS, direct connect, GPS, Email, and/or IP address/browsing history records from the aforementioned date(s). Also, a complete list of all cell tower names and locations for the aforementioned dates is required, as well as all sector layout and orientation information…”
slide-34
SLIDE 34

Request letter (w/ subpoena attached)

[Date]
Privileged and Confidential
Via Fax (816) 600-3111

Custodian of Records
Sprint Corporate Security-Subpoena Compliance
6480 Sprint Parkway
Overland Park, KS 66251
Phone: (913) 315-0660

Re: Records Request/Subpoena for xxx-xxx-xxxx

Dear Custodian of Records/Subpoena Compliance:

Pursuant to the attached subpoena, I am requesting the following information for target number xxx-xxx-xxxx.

– Subscriber information as of May 18 through May 20, 2010.
– Call detail records with cell tower information from May 18, 2010 through May 20, 2010; including a master list of all cell tower names and locations during May 18, 2010 through May 20, 2010.
– SMS and/or MMS detail records with cell tower information for May 18, 2009 through May 20, 2009.
– Cell sector, azimuth, and/or orientation information pertaining to each tower.
– AT&T Wireless sector layout information.

The subpoena is signed by Judge Bob Smith. Once the records are ready, you can email them to me at xxxxxxxx@state.vt.us. If you have any questions or concerns, my direct line is (802) xxx-xxxx.

slide-35
SLIDE 35

Cell Tower Locations

  • Find the pertinent cell tower in the Excel spreadsheet provided by the phone company. From Sprint’s Key of Understanding:

– First Cell: Specific cell site in which the call was initiated. The last 3 digits represent the site number. The first digit reflects the sector. (See attached “Three Sector Layout” page for sector orientation.) For example, if the number in the column reads 2083, the cell site is 083 and the sector is 2.
– Last Cell: Specific cell site in which the call was ended. The last 3 digits represent the site number. The first digit reflects the sector. (See attached “Three Sector Layout” page for sector orientation.) For example, if the number in the column reads 2083, the cell site is 083 and the sector is 2.

slide-36
SLIDE 36

Cellular Sectoring

slide-37
SLIDE 37

Cellular Sectoring

  • Cell sites or towers normally use a three-sided model.
slide-38
SLIDE 38
  • North side is normally identified as Sector 1 or Side A or other first sector of a tower.
slide-39
SLIDE 39
slide-40
SLIDE 40

Sprint Sectoring Example

slide-41
SLIDE 41

Cellular Sectoring

  • Sector Orientation is important
  • Not all sectors have the same orientation
  • You must specifically request the sector orientation
slide-42
SLIDE 42

Sector Orientation

Sector Orientation - Use an azimuth to determine the sector’s orientation
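
The decoding rule from Sprint's Key of Understanding and the azimuth requirement above, combined in an added example (not part of the original presentation or any carrier's tooling): it splits a First/Last Cell value into sector and site and tests whether an alleged location falls inside that sector's wedge. The tower list, coordinates, azimuths, call rows and the 120-degree sector width are constructed assumptions.

```python
import math

# Constructed tower master list (not real carrier data). Azimuths are the
# centre bearing of each sector in degrees clockwise from true north, as the
# carrier would supply them; an empty dict marks an omnidirectional
# picocell/microcell with no sectoring information.
TOWERS = {
    "083": {"lat": 44.4759, "lon": -73.2121, "azimuths": {1: 0, 2: 120, 3: 240}},
    "117": {"lat": 44.4900, "lon": -73.1800, "azimuths": {1: 30, 2: 150, 3: 270}},
    "240": {"lat": 44.4800, "lon": -73.2000, "azimuths": {}},
}
SECTOR_WIDTH = 120.0  # assumption: three equal sectors per tower

# Constructed call detail rows: (time, First Cell, Last Cell).
CDR = [("21:04", "2083", "2083"), ("21:17", "1117", "3083"), ("21:40", "1240", "1240")]


def decode_cell(code):
    """Split a First/Last Cell value such as '2083' into (sector, site)."""
    code = str(code).strip()
    if len(code) != 4 or not code.isdigit():
        raise ValueError(f"unexpected cell code: {code!r}")
    return int(code[0]), code[1:]


def bearing(lat1, lon1, lat2, lon2):
    """Initial great-circle bearing from point 1 to point 2, in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dl = math.radians(lon2 - lon1)
    y = math.sin(dl) * math.cos(p2)
    x = math.cos(p1) * math.sin(p2) - math.sin(p1) * math.cos(p2) * math.cos(dl)
    return math.degrees(math.atan2(y, x)) % 360.0


def in_sector(code, lat, lon, towers=TOWERS, width=SECTOR_WIDTH):
    """True/False if (lat, lon) lies inside the sector's wedge; None if the
    site is omnidirectional or the sector azimuth was not provided."""
    sector, site = decode_cell(code)
    tower = towers[site]
    azimuth = tower["azimuths"].get(sector)
    if azimuth is None:
        return None
    b = bearing(tower["lat"], tower["lon"], lat, lon)
    offset = abs((b - azimuth + 180.0) % 360.0 - 180.0)  # smallest angle between
    return offset <= width / 2.0


def check_alleged_location(cdr, lat, lon):
    """For each call, test the alleged location against first and last cell."""
    return [(t, in_sector(first, lat, lon), in_sector(last, lat, lon))
            for t, first, last in cdr]


if __name__ == "__main__":
    for row in check_alleged_location(CDR, 44.4700, -73.1900):
        print(row)
```

A False result only means the point lies outside the idealized wedge, since real coverage varies with height and terrain; omnidirectional sites return None because they carry no sectoring information.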

slide-43
SLIDE 43

Importance of Cell Phone Historical Data Reconstruction

  • Everybody has a cell phone (clients/witnesses)
  • Contains Evidence (Exculpatory and Inculpatory)
  • Provides Leads
  • Must understand what the State is alleging. How and why the State can or cannot corroborate its allegations through phone records?

slide-44
SLIDE 44

Caveats to Cellular Sectoring

  • Exceptions to sectoring are Picocells and Microcells
  • These are omnidirectional and do not provide sectoring information
  • Picocells are usually located in a very small coverage area such as a park. Use of a picocell is very similar to the distance of a WiFi network or hotspot. (I.e. the white box on the ceiling of an airplane providing WiFi capabilities is a picocell.)
  • Microcells are similar to picocells. They are used in small areas but are a bit larger for specific events such as an Olympic venue or other sporting events or concerts, etc. They can be placed temporarily for added subscriber use to prevent system overload.

slide-45
SLIDE 45

Caveats to Cellular Sectoring

Two-sided sectoring -

  • Some phone companies may use a two-sided sector model as opposed to the typical three-sided model in certain situations. This means you can only limit a cell phone’s communication with a tower from one of two directions as opposed to one of three directions.
slide-46
SLIDE 46

Things to keep in mind…

  • Know your source of information and their capabilities.
  • Subpoena compliance does not know much about technical information.
  • Where are the records kept?
  • Switch technicians and RF engineers know much more regarding technical information.

slide-47
SLIDE 47

Things to keep in mind…

  • Have you done an environmental survey to map the address and examine the layout such as height and physical location?

  • Go to the tower
  • Take a compass
slide-48
SLIDE 48

Things to keep in mind…

  • Tower coverage varies and having three uniform circles as an area of coverage is completely incorrect.
  • Coverage varies because of height, topographical, and geographical differences, etc.

slide-49
SLIDE 49

Things to keep in mind…

  • Historical Data Reconstruction Analysis identifies where the client’s phone was not, as well as where others’ phones (witnesses, etc.) could not have been.

slide-50
SLIDE 50

Things to keep in mind…

  • Historical records do not display anomalies that could affect cell tower sites.
  • Weather (i.e. lightning strike, high winds, etc.)
  • Earthquake, fire, etc.
  • Anything that may cause the failing or blockage of a certain cell tower’s signal.

slide-51
SLIDE 51

Things to keep in mind…

  • A simple CDR request does not contain tower information or cellular sector layout and orientation.
  • You must find the orientation of the cellular sector in order to accurately analyze where a phone may have been or where it definitely could not have been.
  • Remember to specifically request this information in your subpoena.

slide-52
SLIDE 52

Things to keep in mind…

  • The tower carrying the call may not be the closest tower.
  • Through triangulation (“pinging”), you can only approximate the cellular RF signal and the phone location (within about a 300-meter radius). You cannot pinpoint a phone’s exact location.

slide-53
SLIDE 53

Things to keep in mind…

  • What statements were made by client (or witnesses) relative to the cellular historical data?