Introduction to Cell Site Analysis

Forensics

by Mr Benedict Spencer
Mr Spencer has owned and run Spencer Research Limited providing forensic science services to defence and prosecution specialising in Cell Site Analysis.

 

1. When a mobile phone user makes a call the mobile phone (handset) communicates with ground based equipment via a two-way radio link. A mobile handset is a small computer combined with a two-way radio. As the user moves around town during a call the handset moves from one ground based two-way radio to another to maintain the call. These ground based two-way radio stations are called cell sites and normally have many two-way radios, each covering a different area of town; these are called cells, hence cellular phone.

2. When a mobile phone is used for a voice call, SMS message or data services the network provider creates and stores a record of the use in a Call Detail/Data Record or CDR. Cell site analysis is the examination of historic Call Data Records and the determination of the location of the phone at the time of use.

3. Analysis of call records for multiple phones can do more than simply determine the locations of the phones. It can infer relationships between phones including co-location, travel together, and corroborate other evidence: eye witnesses, ANPR, CCTV and so can help build or dismantle a case.

Mobile handsets and the IMEI

4. The International Mobile Equipment Identity (IMEI) is the handset identification number. The IMEI is 15 digits comprising 14 digits and a checksum which is the last digit. The IMEI is unique to a handset and can be used to establish the origin, model and serial number of that handset. Often the checksum is converted to “0” in call records and thus should be ignored.

5. The IMEI can appear in the call records for voice and SMS messages.

6. A 16 digit IMEI may occur if the checksum has been dropped and replaced by 2 digits indicating the software version installed in the handset. This is called IMEISV (Software Version) and sometimes appears in call records (notably GPRS records).
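The identifier forms described in paragraphs 4 to 6 can be reconciled in code before records are compared. The following is an added example, not part of the original article: it relies on two standard facts the article does not state (the IMEI checksum is a Luhn check digit, and the first 8 digits of the body form the Type Allocation Code), and all identifiers in it are constructed.

```python
import re


def luhn_check_digit(body14: str) -> int:
    """Luhn check digit for the 14-digit IMEI body (digits before the checksum)."""
    total = 0
    for i, ch in enumerate(body14):
        d = int(ch)
        if i % 2 == 1:            # every second digit, counting from the left
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10


def parse_handset_id(raw: str) -> dict:
    """Classify a 15-digit IMEI or 16-digit IMEISV taken from a call record."""
    digits = re.sub(r"[\s\-/]", "", raw)
    if not re.fullmatch(r"[0-9]{15,16}", digits):
        raise ValueError(f"not an IMEI or IMEISV: {raw!r}")
    body = digits[:14]
    rec = {"body": body, "tac": body[:8], "serial": body[8:]}
    if len(digits) == 16:
        # IMEISV: the checksum is dropped and two software-version digits follow.
        rec.update(kind="IMEISV", software_version=digits[14:], check="absent")
        return rec
    expected, seen = luhn_check_digit(body), int(digits[14])
    if seen == expected:
        check = "valid"
    elif seen == 0:
        check = "zeroed"          # checksum converted to 0 in the call record
    else:
        check = "mismatch"        # last digit does not match the 14-digit body
    rec.update(kind="IMEI", check=check, full_imei=f"{body}{expected}")
    return rec


def same_handset(a: str, b: str) -> bool:
    """Compare on the 14-digit body only, ignoring checksum or SV digits."""
    return parse_handset_id(a)["body"] == parse_handset_id(b)["body"]


# Constructed identifiers (not from any real case or handset).
CONSTRUCTED_IDS = {
    "handset label": "35-123456-789012-4",
    "voice CDR": "351234567890120",
    "GPRS CDR": "3512345678901207",
}

if __name__ == "__main__":
    for source, value in CONSTRUCTED_IDS.items():
        print(source, parse_handset_id(value))
```

When the true check digit is itself 0, a zeroed record and a valid one look identical, which is another reason to match on the 14-digit body.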

SIM card and the IMSI

7. A “mobile phone” comprises a mobile handset and a Subscriber Identity Module (SIM).

8. The SIM has a unique identifying number, the International Mobile Subscriber Identity (IMSI). The IMSI is 15 digits and is used by the network to cross-refer in a database to identify the mobile phone number that you or I would dial. The SIM determines the mobile phone number.

Mobile network operators

9. Today there are four UK network operators: Telefonica O2, Vodafone, EE, and Hutchison 3G. Other providers (Tesco, Virgin, Giff Gaff etc.) simply rent airtime from the main operators and brand it as their own network.

Technologies

10. There are three different mobile phone technologies in use in the UK often called 2G, 3G and 4G but also known respectively as GSM, UMTS and LTE.

11. In 1991 GSM was introduced; a GSM phone can only use 2G GSM sites.

12. In 2002 UMTS was introduced; a UMTS phone can use 3G UMTS sites and 2G GSM sites.

13. The newest technology is LTE; an LTE phone can use 4G LTE sites, 3G UMTS and 2G GSM sites.

Call Detail/Data Records CDRs

14. When a mobile phone is used the network provider creates and stores a record of it in a Call Detail Record or Call Data Record or CDR. Different network operators store different amounts of data in the CDRs, but they all include the type of call, date, time, duration, who called who, IMEI, first cell ID used and last cell ID used.

Call data retention

15. Since October 2007 the UK networks have been required to store call records for calls/SMS/GPRS originating in the UK for 12 months.

16. For roamed calls overseas, MACH in Luxembourg retain roaming call data (phone use overseas) for 12 months.

Voice

17. Voice Call Data Records are created at the time the voice call is answered. The calling network and the called network each create a matching CDR.

SMS

18. Sent text messages (SMS) are time and date stamped the moment they are sent to the network and a CDR created. When an SMS is delivered another CDR is created. Multimedia messages (MMS) CDRs are treated in a similar manner to SMS.

GPRS

19. GPRS stands for General Packet Radio Service and is used by mobile phones for data services including vehicle tracking, Internet, e-mail, instant messaging etc.

20. GPRS records are not made when the user decides to use a data service. GPRS records are created without any action by the phone user.

21. GPRS Call Detail Records are created for a number of reasons: the user moves from one Routing Area to another, a data volume limit has been reached, a time of day passes, a tariff change, change of service type, a cell ID change, connection duration exceeds a pre-determined amount and other reasons.

22. Therefore GPRS CDRs may not show the correct time an event occurred, and thus the phone may not have been in the service area of the cell ID recorded at the time of the call record, although the phone must have used the cell ID shown at some time. The phone must have connected to the cell ID shown not earlier than the previous call record (whether voice, SMS or GPRS) and not later than the time shown.

23. GPRS Call Detail Records only ever show a start cell ID.

24. All this means that the correct analysis of GPRS CDRs, which may be intermingled with voice and SMS CDRs, can take some considerable effort.
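The bounding rule in paragraph 22 can be applied mechanically to a mixed list of records. The following is an added example, not part of the original article: the record layout and all values are constructed, and voice and SMS records are treated as single instants at their timestamp for simplicity.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed records for one phone, in the order a mixed export might list
# them: (timestamp, record type, first/start cell ID). Not real data.
CONSTRUCTED_CDRS = [
    ("2015-03-02 14:05:10", "VOICE", "10231"),
    ("2015-03-02 14:47:00", "GPRS", "10877"),
    ("2015-03-02 14:20:30", "SMS", "10231"),
    ("2015-03-02 16:00:00", "GPRS", "20415"),
]


def cell_use_windows(cdrs):
    """Return, per record, the interval in which the cell ID was connected to.

    Voice and SMS records are stamped at the event, so the interval is a single
    instant. A GPRS record only bounds the connection: not earlier than the
    previous record of any type, not later than its own timestamp.
    """
    rows = sorted((datetime.strptime(ts, FMT), kind, cell) for ts, kind, cell in cdrs)
    windows, previous = [], None
    for when, kind, cell in rows:
        earliest = previous if kind == "GPRS" else when   # None: no earlier record
        windows.append({"kind": kind, "cell": cell, "earliest": earliest, "latest": when})
        previous = when
    return windows


def records_consistent_with(cdrs, instant: str):
    """Records whose window contains `instant`: the phone may have used that cell then."""
    t = datetime.strptime(instant, FMT)
    hits = []
    for w in cell_use_windows(cdrs):
        lower_ok = w["earliest"] is None or w["earliest"] <= t
        if lower_ok and t <= w["latest"]:
            hits.append((w["kind"], w["cell"]))
    return hits


if __name__ == "__main__":
    for w in cell_use_windows(CONSTRUCTED_CDRS):
        print(w["kind"], w["cell"], w["earliest"], "->", w["latest"])
```

A GPRS record with no earlier record for the phone has an unknown lower bound, returned here as `None`.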

Call forwarding

25. Call forwarding (call diversion) of an incoming call to voicemail or another phone number can occur when:
a) The mobile phone is out of service coverage,
b) The mobile phone is switched off,
c) The mobile phone is on but simply not answered by the user,
d) The mobile phone is engaged on a call,
e) Call diversion has been activated on the mobile phone handset,
f) The user manually rejects an incoming call.

26. For cases a) and b) above there will be a CDR but no cell ID (although in some cases there may be a pseudo cell ID 65535 for the voicemail). If the phone is switched on and in a service area there may be a cell ID in the CDR.

Roaming calls when overseas

27. Billings for roaming calls (i.e. calls made or received when abroad) are based on data provided by the roamed overseas network to MACH. The data is simply accepted by the home network on trust from the overseas network.

Cell sites and cell IDs

28. Each network operator has built its own network of radio transmitters and receivers across the United Kingdom. They are called base stations or cell sites.

29. A cell site is a physical location (a site) where one or more cell IDs are located.

30. A cell site will have one or more antennae. Each antenna is a “cell” and each antenna has a uniquely identifiable Cell ID.

31. Each operator has built its own network of ground based cell sites across the UK. One can see them in fields, on buildings, as stand alone posts in towns, and small burglar alarm sized ones in shopping malls.

32. A typical building mounted cell mast and antennae are shown in the photograph below.

Photograph 1: Typical building mounted cell site.

33. These antennae, together with the transmitters/receivers and computers (not shown in the photograph) form a Cell Site.

Cell sectors and azimuths

34. A typical cell site uses three or more cell sectors (cell IDs) mounted on the same mast to provide a full 360° of service coverage.

35. It is common for cell antennae to be overlaid (stacked) one above another all pointing in the same direction, up to four overlaid is not unusual. Overlaid cells may be the same technology or different (4G stacked on 3G stacked on 2G). Sites may have four cell IDs in one direction, four in another and the last four in another direction.

36. The range of a cell might be from less than 20 metres to about 15 km. In a built-up area the distance one might travel before being handed from one cell to another might extend to 1000 m or more. Determining the actual range of a particular cell (and this is often the question in criminal cases) requires a field survey.

37. Adjacent cells provide overlapping coverage so that in principle no matter where one is located several cells can always provide service. Moving out from a built-up area, coverage becomes less and in many places there is very poor or no coverage at all.

38. The geographical density of cell sites reflects the demand for mobile phone services. High densities of population are concurrent with high densities of cell IDs.

39. Away from conurbations there are cell sites along major transit routes. Motorways, major trunk roads and rail routes have cell antennae arranged to work best up and down the routes rather than all around them.

Omni directional sites

40. Omni-directional cell IDs provide service in all compass directions equally well.

Directional antennae

41. Most cell IDs are not omni-directional but provide service out in a particular direction, a bit like a floodlight lighting up the area out to the front and sides but very little behind it.

42. By using several “floodlights” on the same mast but at different compass angles an entire area is lit up.

43. Far away, where the “light” becomes weaker, simply build another cell site with more floodlights. That is how mobile phone networks are built and work: simply put enough cell sites and floodlights across a town to ensure that the whole town is lit and that only a few dark corners remain. These dark corners are places where there is not good service and calls are difficult if not impossible.

44. These “floodlights” are directional antennae, and the compass direction in which each points is called the azimuth and is given in compass degrees. Hence a cell ID antenna pointing due east would have an azimuth of 90°, one pointing north east 45°.

45. In Figure 1 below a hypothetical cell site location is viewed from above. The yellow dot is the cell site location and the coverage areas of the three cell IDs are indicated in red, green and blue.

46. This shows that the coverage of a cell is an irregular area determined by the local topography, buildings, transmit power, height of the antenna and how it is orientated (vertically and horizontally) etc. The outer boundaries of the coloured areas are where adjacent cells (not shown) provide equally good service. At those boundaries a phone can use any of the cells providing similar service. Of course the boundaries are not hard and the signals from cells significantly overlap, as they must for the system to work at all.

47. There can also be areas where a cell does not provide service (shown by the white “island” in the blue area) and areas outside the main area where one can get service (shown by the red “island”).

48. In areas of poor service coverage within a city, low powered Street Level Micro cells (SLM) can be used to “fill in the gaps”. The SLMs are about the size of a burglar alarm box and cover a range of between ten metres and about one hundred metres from the cell. They are normally omni-directional.

49. The maximum range of a 2G GSM cell is taken as being 35 km irrespective of signal strength. The reason for this limit is dependent upon the time taken by a radio signal to travel between the mobile phone and the cell antenna. The strength of the signal does not matter.

50. It is unlikely (except in remote sparsely populated areas or from a ship to shore) that a cell would cover an area of anything approaching the theoretical maximum. To do so one would have to switch off all the cells between the mobile phone and the cell in question. Service out to 15 miles is not uncommon over flat urban countryside or in the Scottish highlands. In Cambridgeshire and Anglia for example connecting to a cell 10 miles away is commonplace.

51. A mobile phone might not use the cell nearest to it, because a cell further away might provide better signal quality than the nearest cell, or the network might assign a cell further away because the nearest cell is filled to capacity with ongoing calls, or out of service for maintenance, and so on.

Field surveys/measurements

52. A field survey is undertaken to determine what cell IDs are able to provide service at a location or in an area or along a route. The data gathered is then used in the analysis.

53. Field surveys reflect the state of the network at the time of the survey.

54. All cell site analysis assumes that on the day the field surveys were undertaken the network was in the same configuration as on the day when the calls were made, or that any changes are minor and had negligible effect.

55. The network hardware infrastructure may have changed (new cells installed, cells removed, antennas orientated differently etc.) and the software may have changed since the day in question. The network telephone traffic at the time a call was routed cannot be replicated.

56. A mobile phone running engineering software or other specialised network monitoring equipment is used to monitor and log data from the nearby cell IDs along with Global Positioning data.

57. As a rule of thumb, cells with signal levels (RxLev) below about –100 dBm cannot hold a call, so in later analysis cells with signals weaker than this level can be discounted.

Spot survey

61. A spot survey is undertaken at and around a single location (usually an address) to determine what cell IDs can provide service. A spot survey might be external or internal to the property or both.

62. Spot surveys can also be undertaken at locations other than at properties, for example in a car park or field etc.

Drive Route Surveys

63. A drive route survey involves the use of a motor vehicle to travel a predetermined route whilst simultaneously logging to computer Global Positioning (GPS) data and cell ID and network data as the route is travelled.

64. The GPS data is also used in real time with mapping software to show the precise position of the vehicle, and thus the predetermined route for survey can be correctly driven.

“At/or in the vicinity of” and “at/near”

65. Most cell site analysts use the term “at/or in the vicinity of” to mean a phone may have been at/near a surveyed location at the time of a call or “in the vicinity of” that location.

66. Spencer Research uses “in the vicinity of” to mean anywhere within the service coverage area of the cell ID used. In some cases that will be a very large area; in others, for example a micro cell, it will mean within 10 to 50 m.

67. There is one way to ascertain the service coverage area, the footprint, of a cell and that is to undertake a drive route survey along a sufficient number of roads and sufficiently far away from the cell site to be sure the entire service area has been surveyed.

68. Spencer Research uses the term “at/near” to generally mean within a 50 metre radius of the surveyed address, so a much smaller defined area.

Attributing a name to a phone number

69. Sometimes attribution can be as simple as a person agreeing to his phone number or the network operator producing a subscriber check result showing to whom the phone is registered. Sometimes people buy and register a phone/SIM to themselves but have bought it for someone else as a gift.

70. Normally for an attribution to be reliable one sees a series of unconnected reliable sources all converging to a common phone number. This being the user and/or other people giving the same contact phone number.

71. For example the person had given the same contact mobile number to his GP Surgery, his local taxi company, the local vet, the credit card company, bank, local Council, Police, DVLA, HMRC and so on.

72. Given enough of these unconnected sources all saying this person gave this phone number as his personal contact number it reaches a state where the attribution is proven.

73. What one cannot do is use a circular argument: because I say Phone A belongs to Man X, and Phone A has a name/number for Phone B, I can use Phone B's contents to prove Phone A belongs to Man X.

Co-location of two or more phones

74. In order to demonstrate that two mobile telephones are not together one must demonstrate that the physical distance between the cells used is sufficiently great that, in the time period between calls, the mobile telephones could not have moved from the service area of one cell to the service area of another. If this criterion is met then the demonstration is conclusive.

75. The inverse cannot be conclusively demonstrated, rather one can only suggest that two mobile telephones might be together if there is a large number of calls for each mobile and on numerous occasions the cells used are close to each other or for example there is an identical pattern of movement over similar times for both mobile telephones.

76. It is generally accepted by the Court that a series of calls between two mobile telephones supports the suggestion that they are not together, albeit it does not provide any information on degree of separation except possibly through use of geographically separated cells.
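The test in paragraph 74, and the asymmetry noted in paragraph 75, can be written as a small check. The following is an added example, not part of the original article: the cell positions, service ranges and the maximum travel speed are constructed assumptions, and each service area is simplified to a circle around the site, whereas a real footprint is irregular and comes from a drive route survey.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed cell data: site position and surveyed service range in km.
# A circular service area of that radius is a simplifying assumption.
CONSTRUCTED_CELLS = {
    "A1": {"lat": 51.0, "lon": -2.0, "range_km": 5.0},
    "B7": {"lat": 51.5, "lon": -2.0, "range_km": 3.0},
    "A2": {"lat": 51.03, "lon": -2.0, "range_km": 4.0},
}


def site_distance_km(a, b):
    """Great-circle (haversine) distance between two cell sites."""
    p1, p2 = radians(a["lat"]), radians(b["lat"])
    dp, dl = p2 - p1, radians(b["lon"] - a["lon"])
    h = sin(dp / 2) ** 2 + cos(p1) * cos(p2) * sin(dl / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def service_area_gap_km(cell_a, cell_b, cells=CONSTRUCTED_CELLS):
    """Shortest distance between the two service areas (0 if they overlap)."""
    a, b = cells[cell_a], cells[cell_b]
    return max(0.0, site_distance_km(a, b) - a["range_km"] - b["range_km"])


def together_verdict(use_a, use_b, max_speed_kmh=130.0, cells=CONSTRUCTED_CELLS):
    """use_a / use_b are (timestamp, cell ID), one per phone.

    max_speed_kmh is an assumed upper bound on how fast a phone could travel.
    """
    (ts_a, cell_a), (ts_b, cell_b) = use_a, use_b
    gap = service_area_gap_km(cell_a, cell_b, cells)
    delta = datetime.strptime(ts_b, FMT) - datetime.strptime(ts_a, FMT)
    hours = abs(delta.total_seconds()) / 3600
    if gap > max_speed_kmh * hours:
        return "not together"    # conclusive: the gap could not be crossed in time
    return "inconclusive"        # togetherness cannot be shown from one pair of calls


if __name__ == "__main__":
    print(together_verdict(("2015-03-02 14:00:00", "A1"), ("2015-03-02 14:10:00", "B7")))
    print(together_verdict(("2015-03-02 14:00:00", "A1"), ("2015-03-02 15:00:00", "B7")))
```

Only the "not together" result is conclusive; every other outcome leaves the question open and needs the pattern of many calls described in paragraph 75.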

Cell site analysis limitations

77. Cell site analysis cannot alone prove precisely where a mobile phone was at a particular time. It can eliminate a location – for example a suspect states he was at home when a phone call occurred. His home is surveyed and the cell ID used cannot be seen, so the suspect was not at home or, if he was, his mobile phone was not.

78. Conversely, suppose a survey reveals that at the scene of the crime a particular cell of interest provides good service; it means the mobile phone may have been there, although it may have been anywhere else where that cell provides good service.

79. One must always remember the phone must have been located somewhere within the service area of that cell.

80. Cell site analysis can determine: That a mobile phone could not have been at a particular place or address.

81. Cell site analysis cannot determine: 

• Who was using a mobile phone during a call.
• If the owner allowed another person to use the phone for a call.
• The content of a phone call or SMS message.
• If the mobile phone was at a particular place or address, only that it may have been.
• If the cell used for a call or SMS message was, at that moment in time, the best serving cell for that location from which the call was made.
• If the user was inside or outside a building, on foot or in a vehicle.
• If the user was in company of others or alone.

About the author

Benedict Spencer spent 6 ½ years with the MoD and then spent many years as an Electronics and Design Engineer with the likes of Racal, Plessey, Motorola and Westinghouse. For 20 years he has owned and run Spencer Research Limited providing forensic science services to defence and prosecution specialising in Cell Site Analysis and Video fields. You can contact Spencer Research on 01225 482604 or visit the website at www.spencerreearch.co.uk to find out more.