Mobile Network data (cell site analysis) vs Data from a physical mobile phone handset
Due to the nature of these two sets of data and how the prosecution's case will often intertwine evidence, there is often confusion regarding these two different sets of data and the information they can provide.
Mobile Network Data can be analysed to produce Cell-Site Evidence
Cell site analysis is carried out by utilising Call Data Records (CDRs) which are obtained from a Network Provider, i.e Vodafone, o2, EE, Three. It is this data that Networks use to monitor a customer's usage of their network in order to generate and calculate a customer’s monthly bills. But, that same data can also be analysed to provide evidence for civil or criminal proceedings. If relevant to their case, the police will request this data from the Network Provider at the point of investigation. If the police have not done so and the defence requires it, this will need to be requested via a Court Order.
However, here’s the kicker, it is only available on a 365-rolling basis, thereafter the Network deletes the data. Therefore, if today’s date is 23 October 2024, then the earliest CDRs one can obtain is 24 October 2023. Therefore, it always best practice to get a Court Order as soon as possible, if it is likely to be pertinent to a case.
What information does network data provide?
Call Data Records (CDRs) can provide a wealth of information. First and foremost, they provide all incoming and outgoing calls and texts (SMS, MMS) carried out by a particular phone number during the requested period. These are reliable and cannot be manipulated by the user of the number.
They also show GPRS (data) sessions, i.e when a phone is connected to data. This is not as specific as calls and texts, as data sessions show ‘chunks’ of usage rather than specific interactions.
Lastly, CDRs provide geographical information due to the fact that they contain details regarding which cell mast was utilised to make a call, send a text or start a data session.
This enables analysts to 'map' the data and produce a series of diagrams ('maps') which depict the movement of the mobile phone (or rather the movements of the individual that the phone has been attributed to).
What are the limitations of mobile network data and the cell-site analysis produced using it?
As mentioned, data sessions are not specific to a user’s interaction and therefore do not provide information about what they were doing at that time. For example, if a message was sent via Whatsapp (which requires the internet), this specific communication would not show up as its own entry. It would just be part of a data session which could contain all sorts of other elements such as a phone connecting to a weather app, an Instagram notification etc.
The contents of SMS / MMS messages are not available, just information about when, duration, and who they were sent to / received from.
Furthermore, whilst CDRs are helpful for mapping an individual/s movement, they can only show ‘general’ movements. This is because a cell mast can cover, and supply signal to a large area. Therefore, caution needs to be taken when reviewing said evidence, as a) it cannot pinpoint the exact location and b) when it comes to co-location with another person, it can only be said they were using the same cell at the same time; they may well be metres/miles apart. It is often important that the interpretation and limitations of this evidence is emphasized as it can often mislead a jury.
Phone Downloads downloads/data extractions
How does it differ? This is data that has been extracted from a physical handset and SIM card. There are several different types of software available to carry this out, some examples include Cellebrite UFED, Oxygen Forensic Detective, XRY by MSAB, Magnet AXIOM, SPF Pro by SalvationDATA, MOBILedit Forensic Express, EnCase Forensic, Andriller and GrayKey.
What information do physical extractions provide?
In short its everything stored on the internal memory of the device. A whole plethora of data can be obtained such as contacts, images, videos, web searchs, emails, notes, calls, SMS, Chats (data-based communication platforms like Whatsapp, Snapchats, Facebook messenger). This includes the contents; therefore, it would be possible to see conversations between the user of the device and contacts.
Can forensic mobile phone extractions recover deleted data?
It is possible to recover deleted data when downloading data from a device, however the process is arbitrary and not guaranteed. When a user deletes an item from their phone, it goes into a temporary inaccessible space. At this stage, is still theoretically accessible using these specialist forensic software. However, when a device needs to create space, it will begin to permanently delete this data and not in any particular order. At this point, it is no longer recoverable.
What are the limitations of analysing data from a physical mobile phone extraction?
The data recovered is not always the full story. As mentioned not all deleted data can be recovered and some applications on a phone do not always back up to the internal memory of the device.
The timestamps cannot always be relied upon either, especially if the device’s clock settings are incorrect. If there is a dispute about when or if a phone or SMS/MMS message occurred, it is always best to revert back to Call Data Records.
Whilst devices can also contain geographical dates such as geo-tags or specific apps that track movements, these are not always reliable and not nearly as widely used as CDRs.
The amount and type of data recovered varies depending on the device and software used.
A summary of the main differences
CDRs come from a Network provider (Vodafone, O2, EE, Three), downloads are extracted from physical handsets/devices and SIM cards.
CDRs cannot be altered or manipulated, whereas data on mobile phones can be and a forensic extraction will not always recover everything.
CDRs provide consistent and reliable (although non-specific) location data whereas phone downloads might occasionally feature geographical information, but these are often via several different incohesive means that are not suitable for consistent mapping.
Phone downloads allow you to see the contents of messages if recovered whereas CDRs only show timestamps, durations and contact numbers.
CDRs can only show data ‘sessions’ whereas the phone download will allow access to individual messages (via data-based messaging services), app usage, and other internet-based interactions such as web searches etc.
To summarise, it is often best to obtain both sets of data to have the full picture however, if it is not possible to do so, the limitations must be considered and emphasised when presenting the evidence to the Civil or Criminal Court.
Comments