A cell phone isn't just a surface from which to lift a fingerprint, a device that reveals known associates, or even a repository of messages and images. There's another side to mobile forensics: service provider (or carrier) data, including call logs, undelivered messages and tower data — data that shows a cell user's location at the time of an incident. Matched with the information saved to the device, and mapped together with street names and landmarks, carrier data supplements and enhances device data. It can even break a case. Yet too often investigators overlook this critical evidence.Carrier data: an evidence cornerstone
Most cell towers consist of poles that send and receive signals in three sectors: alpha (north-facing), beta (southeast) and gamma (southwest). This configuration makes it easier for carriers to improve service by covering an entire hexagonal "cell" within the network. It also enables them to identify which sector of the antenna (which side of the tower) communicated with a cellular device.
Carriers keep detailed call records of these communications for billing purposes, so the data includes information like date, call length, whether a call was inbound, outbound, or went to voicemail; the tower's number and location; and which antenna the call communicated with.
Tower data reveals whether the device was in motion or stationary. A person dialing from one location will hit the same side of the same tower, but a person on the go will hit different towers and different sides. As Kipp Loving, a former criminal investigator with the Stanislaus County (California) District Attorney's Office notes, a long call may make it difficult to tell where a subject went between two towers, but short messages paint a clearer picture of a travel path.
Janice Cree, a crime analyst with the Stockton (California) Police Department, stresses that "It is important to emphasize [that] tower information shows the sequence of the cell tower usage and not the location of the phone itself." This information is easily visualized on a map. "All of the towers in the area (not just the ones the phone accessed) should be included to show relativity. Once the tower data is completed, I insert the primary locations notated in the case file." More than that, she adds, and the map can lose clarity.How carrier data applies
In an investigation, these kinds of data have important implications.
"Primarily, historical data can be used to place a phone within a geographical area at a specific time, identify call patterns, establish timelines and also identify co-conspirators," says Cree. "When applicable, the information also can be used to corroborate statements."
After-the-fact investigations aren't the only law enforcement aspects to utilize tower data, intelligence-gathering, anti-gang, narcotic and counterterrorism units can also benefit.
"One misconception is that you can only use this type of information after an incident has occurred," says Loving. "The fact is, if you have a suspect that you believe is involved in criminal activity and you would like to know where he was one week ago, you can contact the carrier to obtain that information without having to have any contact with the suspect. All you need is the suspect's cell phone number."
Tower data also comes into play during missing-persons searches. In one case, an aircraft that had lost radar contact in a remote part of Stanislaus County was located via its passengers' cell phones.
"We put a helicopter over the tower on the side that showed the last hit," says Loving. "Even though both passengers were deceased, to find the plane within 20 or 25 minutes instead of hours or even days worked to everyone's benefit."