A cop's guide to cellular network investigations

October 30, 2023

Modern criminal investigations inevitably include cellphones. While most investigators focus on the data stored inside the phone, critical evidence can also be found on the cellular networks themselves. This article covers key topics for investigating cellular networks, such as how mobile phones use networks, the important identifiers, and locating phones using cell towers.

How Cellular Networks work

There are four main parts involved: the Public Switched Telephone Network (PSTN), the Mobile Telephone Switching Office (MTSO), the cell sites, and the mobile devices like our phones (Mobile Subscriber Units or MSUs). Together, these parts connect a caller in California to a recipient in Romania.

The Public Switched Telephone Network (PSTN) is the traditional wired telephone network, made up of the telephone lines (known as trunk lines) that carry the calls and the switches that direct calls to their destinations. This is the "dumb" part of the network, consisting of hardware only.

The Mobile Telephone Switching Office (MTSO) is the smart part of a cellular network and is responsible for routing calls and other data to and from mobile phones within its service area. When you make a call, the MTSO picks up the signal, figures out where the call needs to go, and makes sure it gets there. It also manages the cell towers in its region, keeping track of which mobile phones are in which cells to ensure calls and data get routed correctly. As you move from one cell to another while talking on your phone, the MTSO orchestrates a "handoff" of your call from one cell tower to the next so your call doesn't drop.

Law Enforcement Note: From an investigator's perspective, the most important part of the MTSO is its role of keeping logs of calls and data usage for billing purposes. It records who called whom, for how long, and how much data was used. Because telecoms need to charge customers for calls, Call Data Records (CDRs) are standard business records that can be collected with a search warrant. The second most important part of the MTSO is the handoff: recording precise location data for handsets is needed to ensure a high quality of service and prevent dropped calls.

Cell towers, often referred to as cell sites, are critical components in the infrastructure of mobile communications. They facilitate the wireless connections necessary for our mobile phones and other devices to communicate over long distances. Cell towers service geographic areas known as cells. Each cell is the area around a tower in which the signals are strong enough for reliable communication. The term “cellular” comes from these cells which together form a network covering a larger region. When your phone is in a particular cell, it communicates with that cell’s tower.

When tower locations are planned out by providers like T-Mobile or AT&T, they are arranged in hexagons to ensure even coverage. Radio waves don't conform to those boundaries; they radiate outward, generally forming a circle. Even that isn't exactly true, though. A cell tower has antennas mounted on its sides, and they generally point in three directions. These directions are known as the tower azimuth. Due to environmental factors like hills or tall buildings, the antennas can be run at different power levels and therefore have different ranges.

[Illustration: Cell towers and azimuth]

4G and 5G Networks

When we talk about 4G and 5G, we’re referring to the fourth and fifth generations of mobile network technology. 4G technology brought us fast internet speeds on our phones, making streaming videos and browsing the web a breeze. On the other hand, 5G, the latest version, promises even faster speeds, lower latency (which is the delay before a transfer of data begins), and the ability to connect many more devices at once. These technologies work using higher frequency radio waves, and 5G particularly uses very high frequencies to achieve its speed, which also means 5G towers need to be placed closer together compared to 4G towers.

[Illustration: 4G and 5G networks]

Because 4G radios can cover much larger distances, their cells are much larger. That means the phone you are investigating could be anywhere within a 150 square mile area. In 5G networks, the cells can be as small as 2,000 feet. Law Enforcement Note: When investigators review Call Data Records (CDRs), 5G cells make for much more accurate location data.

Mobile Identifiers

Every mobile phone handset has a unique IMEI (International Mobile Equipment Identity) number, which is like the handset's fingerprint. This number helps identify the make and model of the phone and can be used to track or block the phone if it gets stolen. The IMSI (International Mobile Subscriber Identity) number, on the other hand, is the SIM card number; it is 14-15 digits long and contains the country code. The Mobile Station International Subscriber Directory Number (MSISDN) is the phone number that we are all familiar with dialing. When you switch phones, your IMSI number goes with you on your SIM card, but your new phone will have a different IMEI number.
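As an added example (not from the article), the following Python splits an IMEI into the TAC that identifies the make and model plus its serial, verifies the IMEI's Luhn check digit, and splits an IMSI into its MCC (country code), MNC (carrier) and subscriber portion. The sample values are constructed placeholders, and the MNC length is an assumption that varies by country (3 digits here, as North American networks use).

```python
# Added example: parse the identifiers described in the article.
# IMEI: 15 digits = 8-digit TAC (make/model) + 6-digit serial + 1 Luhn check digit.
# IMSI: up to 15 digits = 3-digit MCC (country) + 2- or 3-digit MNC (carrier) + MSIN.

def luhn_check_digit(body: str) -> int:
    """Compute the Luhn check digit for a digit string (the IMEI's 15th digit)."""
    total = 0
    # Walking from the right of the body, double every other digit starting with the first.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def parse_imei(imei: str) -> dict:
    """Split an IMEI (digits only, separators ignored) and validate its check digit."""
    digits = "".join(ch for ch in imei if ch.isdigit())
    if len(digits) != 15:
        raise ValueError("IMEI must be 15 digits")
    return {
        "tac": digits[:8],          # Type Allocation Code: identifies make and model
        "serial": digits[8:14],     # manufacturer serial within that TAC
        "check_digit": digits[14],
        "check_ok": luhn_check_digit(digits[:14]) == int(digits[14]),
    }


def parse_imsi(imsi: str, mnc_len: int = 3) -> dict:
    """Split an IMSI; mnc_len is an assumption (2 or 3 digits depending on the country)."""
    digits = "".join(ch for ch in imsi if ch.isdigit())
    if not 14 <= len(digits) <= 15:   # the 14-15 digit range the article gives
        raise ValueError("IMSI must be 14 or 15 digits")
    return {
        "mcc": digits[:3],                    # Mobile Country Code
        "mnc": digits[3:3 + mnc_len],         # Mobile Network Code (the carrier)
        "msin": digits[3 + mnc_len:],         # subscriber identification number
    }


if __name__ == "__main__":
    # Constructed placeholder values, not real subscribers or handsets.
    print(parse_imei("12-345678-901234-7"))
    print(parse_imsi("310999123456789"))
```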

Per Call Measurement Data & Location

Per Call Measurement Data (PCMD) is a useful type of data collected by cellular networks during mobile phone communications, serving multiple purposes. One of its primary functions is to determine the distance of a mobile phone from a specific cell tower during a call, with a reported accuracy of about 10 meters.

This process is known as Timing Advance and is similar to sonar. The telecom provider knows exactly how long it takes a signal to travel a given distance. Because the speed is known, when the response signal is received by the tower, the telecom knows how far the handset is from the tower. Remember, though, that signals radiate from a tower in a circular shape, so the phone can be anywhere along a 10 meter wide arc within the connected azimuth.
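Added example, not code from the article: given the range that a timing-advance measurement yields and a tower's position and azimuth from a cell site list, this Python tests whether a location of interest falls inside the 10 meter wide arc the article describes. The 120 degree beamwidth (three antennas covering 360 degrees) and the tower coordinates in the usage call are assumptions I constructed.

```python
import math

C = 299_792_458.0   # speed of light, m/s
R = 6_371_000.0     # mean Earth radius, m


def range_from_round_trip(rtt_seconds: float) -> float:
    """Timing advance measures a round trip (tower -> handset -> tower), so range is half."""
    return C * rtt_seconds / 2.0


def distance_bearing(lat1, lon1, lat2, lon2):
    """Great-circle distance (m) and initial bearing (deg, 0-360) from point 1 to point 2."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dl = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    dist = 2 * R * math.asin(math.sqrt(a))
    y = math.sin(dl) * math.cos(p2)
    x = math.cos(p1) * math.sin(p2) - math.sin(p1) * math.cos(p2) * math.cos(dl)
    return dist, math.degrees(math.atan2(y, x)) % 360


def angle_diff(a, b):
    """Smallest absolute difference between two bearings, in degrees."""
    return abs((a - b + 180) % 360 - 180)


def in_candidate_arc(tower_lat, tower_lon, azimuth, beamwidth, range_m,
                     point_lat, point_lon, uncertainty_m=10.0):
    """True if the point lies inside the sector the antenna serves (azimuth +/- half the
    beamwidth) and within range_m +/- uncertainty_m/2 of the tower: the article's arc."""
    dist, bearing = distance_bearing(tower_lat, tower_lon, point_lat, point_lon)
    return (angle_diff(bearing, azimuth) <= beamwidth / 2
            and abs(dist - range_m) <= uncertainty_m / 2)


if __name__ == "__main__":
    # Constructed scenario: tower at the equator/prime meridian, east-facing sector,
    # handset range derived from a 2 microsecond round trip (about 300 m).
    rng = range_from_round_trip(2e-6)
    print(round(rng, 2), "m from tower")
    print(in_candidate_arc(0.0, 0.0, 90, 120, rng, 0.0, 0.0027))
```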

T-Mobile uses Time Difference of Arrival (TDOA) for the stringent location accuracy required by systems like E911 (Enhanced 911) services to pinpoint a subscriber's location. TDOA achieves this by measuring the time it takes for a signal to travel from a mobile device to three or more network antennas, thereby determining a more precise position of the device. T-Mobile's PCMD records were known as "TrueCall" data, but they have since retired that name.

AT&T uses a system known as Network Event Location System (NELOS) to estimate the location of mobile devices within its network. NELOS is a form of Timing Advance, and AT&T is transitioning to a TDOA-based PCMD system similar to T-Mobile's.

Verizon uses a system known as Range to Tower (RTT), which is another Timing Advance estimation.

Law Enforcement Note: The timing information contained in PCMD records is instrumental in estimating the geo-location of subscribers. TDOA, NELOS and RTT are sometimes called "historical GPS", but remember that the location of a mobile phone is derived from timing advance, not from a GPS radio in the phone itself.

Search Warrants for cellular service providers

When writing search warrants for telecoms, it is important to recognize that some providers are land-line only, while other providers, like AT&T, have both wired and wireless networks. There are some distinct differences in what can be collected through a search warrant. For California law enforcement, search warrants for cellular network providers need to comply with CalECPA.

Aside from subscriber information, the primary item of evidence collected from telecoms is Call Data Records (CDRs). The layout and format in which CDRs are provided vary from company to company, but they all contain inbound and outbound calls to the target. It is important to remember that these logs were kept for billing purposes. Some of you may remember a time when calls were billed by the minute. To ensure accurate billing, every aspect of a call was logged. Call Data Records identify the phone number (MSISDN) of the other party, the duration of the call, and whether the call was accepted or missed.

For wireless networks, Call Data Records identify the tower and azimuth that the device was connected to for the duration of the call. If the suspect was sitting at home for the whole call, they would likely connect to one tower and stay connected to that tower. If the suspect was driving, the CDRs would show all the towers and azimuths that the phone connected to as it travelled.

[Illustration: Cell tower azimuth]

Call Data Records also show when mobile data was used, for example while the suspect was using Snapchat or streaming music on Spotify. CDRs do not record what specific activity was occurring, only that data was being used.

Stored Text Messages

Text messages are a frustrating topic. Regular text-only messages, known as Short Message Service (SMS), and Multimedia Messaging Service (MMS) messages are sent through cellular networks and are facilitated by the service provider. As such, the provider may or may not store the contents of text messages. It is estimated that about 41 million messages are sent out every minute globally as of 2023. That equates to about 3TB of data every day; you can see why a company wouldn't be keen on storing all that data without a reason. It is also important to note that not all "text messages" are text messages. Apple iPhones use the iMessage service, where messages are sent as data and bypass the SMS system. Messages on iPhones where the bubble is blue are iMessage; messages where the bubble is green use SMS and indicate that the iPhone is likely communicating with an Android phone. Additionally, messaging apps like Snapchat or TextNow use data and will not show up in CDRs.

Analysis Challenges

Cops don't learn Excel in the academy, but they should. Records provided by telecoms usually come in the form of spreadsheets, and records from AT&T look very different from Verizon's. Most law enforcement agencies rely on software to process the returns and create easy-to-read reports. The benefit of the software, while expensive, is that the vendor's team stays up to date with record changes and keeps finding better ways to review records and present them in court. The list below covers the big names in Cellular Data Record analysis:

Law Enforcement Note: Be sure to ask for Carrier Key and Cell Site Lists. The carrier key is a glossary of sorts that explains what certain columns in the returns mean. The cell site list contains the latitude and longitude of the cell towers in your area. These are super helpful when analyzing your returns.

By analyzing Call Data Records, investigators can determine who a suspect is communicating with, potentially identifying co-conspirators or establishing their connection to a known victim. A "hot list" analysis of the most frequently called phone numbers will help investigators determine who the most important person(s) to the suspect are. Additionally, location records, when mapped, can show the suspect's phone being at or near the crime scene regardless of whether calls were made or received. Overall, CDRs provide insight into a suspect's actions, location, and sometimes their mindset like no other evidence can. Despite the technical challenges of analysis, we encourage investigators to always consider how cellular networks could affect their case.
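The hot list and the mapped tower trail described above, as an added example that is not from the article or any carrier's tooling: the Python below reads a constructed CDR return and a constructed cell site list, counts the most frequently contacted numbers, joins each record to its tower's latitude, longitude and azimuth in time order, and flags cell IDs missing from the site list. The column names are assumptions standing in for whatever the real carrier key documents; the phone numbers and coordinates are made up.

```python
import csv
import io
from collections import Counter

# Constructed sample return (not a real carrier layout). Column names are assumptions;
# the actual meaning of each column is what the carrier key explains.
CDR_CSV = """timestamp,direction,other_msisdn,duration_s,cell_id,azimuth
2023-10-30 08:01:10,OUT,5550000101,120,1001,120
2023-10-30 08:15:42,IN,5550000202,45,1001,120
2023-10-30 09:02:05,OUT,5550000101,300,1002,240
2023-10-30 09:30:00,DATA,,0,1003,0
2023-10-30 10:11:11,IN,5550000101,0,1003,0
2023-10-30 11:00:00,OUT,5550000303,10,1004,0
"""

# Constructed cell site list: the tower coordinates the article says to request.
CELL_SITES_CSV = """cell_id,latitude,longitude
1001,34.0522,-118.2437
1002,34.0600,-118.2500
1003,34.0700,-118.2600
"""


def load_cdrs(text):
    return list(csv.DictReader(io.StringIO(text)))


def load_cell_sites(text):
    return {row["cell_id"]: (float(row["latitude"]), float(row["longitude"]))
            for row in csv.DictReader(io.StringIO(text))}


def hot_list(cdrs, top_n=5):
    """Most frequently contacted numbers (data sessions have no other party and are skipped)."""
    counts = Counter(r["other_msisdn"] for r in cdrs if r["other_msisdn"])
    return counts.most_common(top_n)


def tower_trail(cdrs, sites):
    """Chronological (timestamp, lat, lon, azimuth) for every record with a known tower.
    Data sessions are kept: they place the phone even when no call was made or received."""
    trail = []
    for r in sorted(cdrs, key=lambda r: r["timestamp"]):
        if r["cell_id"] in sites:
            lat, lon = sites[r["cell_id"]]
            trail.append((r["timestamp"], lat, lon, int(r["azimuth"])))
    return trail


def unresolved_cells(cdrs, sites):
    """Cell IDs in the return that the cell site list does not cover (go back to the carrier)."""
    return sorted({r["cell_id"] for r in cdrs} - set(sites))
```

Each record in the trail is one tower/azimuth fix, so plotting the tuples in order on a map reproduces the movement the article describes, and `unresolved_cells` tells you which towers still need coordinates before that map is complete.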