Select Committee on Home Affairs Written Evidence


22.  Memorandum submitted by Daren Greener

EXECUTIVE SUMMARY

  This report has been compiled following a request from the Parliamentary Office of Science and Technology for information in regard to issues affecting mobile phone evidence. It draws upon more than three years' experience of work specialising in forensic analysis of mobile phone evidence relied upon in criminal cases nationwide. During the past two years alone, I have undertaken work leading to some 50 reports and provided oral testimony in court on a number of occasions.

  Chapter 1 provides an insight into the practices of telecommunications analysis with particular emphasis on that of mobile phone evidence and investigations. It highlights the reliance within such investigations on call data (phone billing usage records and cell-site information) held for limited periods of time by the mobile phone service providers.

  Having highlighted the process of investigation and the obtainable outcomes, Chapter 2 then provides summary details of the existing availability of call records.

  Chapter 3 outlines the implications this has for phone examination work. It also illustrates the benefits to be gained from being able to rely upon common extended minimum standards of call data recording by the mobile phone network providers and extension of the existing data retention periods for call data.

  Finally, the arguments are summarised for the extension of existing data retention periods and the need to increase and standardise the supply of call records for all call events types.

1.  MOBILE PHONE EVIDENCE

  There are three main areas for the forensic analyst to review as follows:

    1.  Equipment Examinations—The retrieval and analysis of data stored on, or recoverable from, the mobile phone equipment (handset and SIM (Subscriber Identity Module) card).

    2.  Call Billing Record Analysis—The analysis of call records to identify common associations and patterns of communications, cross-referencing with data from equipment examination, etc.

    3.  Cell-Site Analysis—Identifying the location and movements of mobile phones according to their historical call records.

  To a greater or lesser extent, there is a requirement for data to be provided from the relevant network provider in all aspects of the work outlined above.

1.1  "Equipment examination"

  This is the examination, data retrieval and capture of information saved within either the SIM (Subscriber Identity Module) card or mobile phone handset. There is a very wide range of mobile phone models in use and specifications vary greatly.

  1.1.2  The data capacity of mobile phones continues to expand as new models come onto the market. Already many phones have the capability to store many hundreds of text messages, and thousands of stored telephone numbers. Certain phone models have removable storage cards that are used to store larger volumes of user data; these memory cards can be subjected to further processes to recover deleted data.

  1.1.3  Data sources available within a mobile phone include contact and associate information, contents of text messages (including recovery of text messages deleted from the SIM card), video data, photo images either taken or received by the phone, stored audio voice recordings, and calendar and appointments data.

  1.1.4  Data extracted from the phone requires validation and verification. This includes validation of the time and date held by the phone and incorporated into some records. In the case of text messages, it is possible to falsify a sender's detail and also to alter the content after receipt. Techniques are employed by the analyst to identify suspect data.

  1.1.5  Analysis of the data information in relation to phone numbers (call data, address book entries) obtained from a handset may require follow-up investigation to gather subscriber details (where maintained) or call records belonging to the phone numbers obtained. These aspects require appropriate requests to the relevant network operators for call records data, subject to the data retention period.

1.2  Call Billing Record Analysis

  Call billing records provide detail for all chargeable transactions.

  1.2.1  The process of call billing analysis involves the examination of a person's (or persons') phone call records to identify one or more of the following:

    —  To identify other third-parties who have made communication with the target phone number being examined (the creation of "friendship trees").

    —  To understand what communication has taken place with other third parties, including the duration and frequency of calls or text messages.

    —  To identify patterns of communication behaviour and deviations from those patterns.

    —  To demonstrate the use/interaction or transfer of particular mobile phone handsets when billing records include the handset's IMEI identifier.
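The three kinds of finding listed in 1.2.1 can be illustrated with a short script. This is an added example, not part of the memorandum: the record layout, field names, phone numbers and IMEIs are constructed for illustration and do not reflect any operator's billing format.

```python
import csv
import io
from collections import defaultdict

# Constructed call records (not real data): caller, receiver, start time,
# duration in seconds (0 for texts), event type, IMEI of the calling handset.
SAMPLE_CDRS = """a_number,b_number,start,duration,type,imei
07700900001,07700900010,2005-03-01T09:15:00,120,voice,350000000000011
07700900001,07700900010,2005-03-02T21:40:00,0,sms,350000000000011
07700900002,07700900010,2005-03-03T08:05:00,45,voice,350000000000022
07700900010,07700900003,2005-03-03T08:09:00,300,voice,350000000000100
07700900003,07700900001,2005-03-04T10:00:00,60,voice,350000000000011
07700900002,07700900099,2005-03-05T12:30:00,15,voice,350000000000022
"""

def parse_cdrs(text):
    """Read CSV call records into a list of dicts with an integer duration."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["duration"] = int(row["duration"])
    return rows

def contact_summary(records, target):
    """Per counterparty of `target`: event count and total call seconds."""
    summary = defaultdict(lambda: {"events": 0, "seconds": 0})
    for r in records:
        if target in (r["a_number"], r["b_number"]):
            other = r["b_number"] if r["a_number"] == target else r["a_number"]
            summary[other]["events"] += 1
            summary[other]["seconds"] += r["duration"]
    return dict(summary)

def common_links(records, targets):
    """Numbers outside `targets` that communicated with two or more of them."""
    seen = defaultdict(set)
    for r in records:
        for target, other in ((r["a_number"], r["b_number"]),
                              (r["b_number"], r["a_number"])):
            if target in targets and other not in targets:
                seen[other].add(target)
    return {n: sorted(t) for n, t in seen.items() if len(t) >= 2}

def handset_transfers(records):
    """IMEIs recorded against more than one calling number (handset moved)."""
    users = defaultdict(set)
    for r in records:
        users[r["imei"]].add(r["a_number"])
    return {imei: sorted(nums) for imei, nums in users.items() if len(nums) > 1}

if __name__ == "__main__":
    cdrs = parse_cdrs(SAMPLE_CDRS)
    print(contact_summary(cdrs, "07700900001"))
    print(common_links(cdrs, {"07700900001", "07700900002", "07700900003"}))
    print(handset_transfers(cdrs))
```
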

  1.2.2  Due to the prevalence of unregistered SIM cards and ease in transfer of phone ownership, subscriber details may not be available or applicable. Therefore, further investigations have then to be made on the phone numbers found within the target records in an attempt to positively identify phone ownership/association. This process can significantly increase the time expended on investigation.

  1.2.3  During call billing analysis other parties may be positively identified. This may call for similar analysis on other identified numbers. At that stage, requests for the billing data have to be made and the process can reiterate many times. Each stage can be time consuming and the time expended will be reflected in the amount (time span) of call billing remaining in accordance with existing data retention.

  1.2.4  For example, a suspect telephone number is identified five months after an alleged incident. At that stage, based on 12 months' retention, there is seven months' historical call data remaining leading up to the incident date.

  1.2.4.1  The call records/phone equipment are examined and analysed and the process takes a further month. From the investigation five other telephone numbers are identified all on varying networks. At this stage there is six months of historical call data from the date of incident. However there is now no record of text message interaction for three of the phones because this data is only held for six months by the relevant network operator.

  1.2.4.2  The analysis of these other records shows that there was significant interaction between these five phones and those of two others starting three months before the actual incident date. The second process of analysis has taken a further two months to compile and analyse but it is now shown that seven individuals conspired three months before the incident date and the common link is via two other numbers now identified.

  1.2.4.3  The call records of these other two phones are now required; the investigation has been ongoing for three months. The historical call records remaining can only provide one month of historical data for these two phones prior to the identified period of conspiracy.

  1.2.4.4  If at that stage other numbers are identified from the earliest call data there will not be any historical data retained as the data retention period from the alleged incident has diminished as time on the investigation is expended.

  1.2.4.5  The example above considers intelligence/evidence discovery well within the existing data retention period (ie 12 months "rolling" historical). However the reality can be that the whole investigation period may take many months or years.
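The arithmetic of the example in 1.2.4 to 1.2.4.3 can be reproduced with a small model of rolling retention. This is an added example, not part of the memorandum: it uses the stage lengths and the 12-month and six-month retention periods given above, and the function names are illustrative. It also reruns the same timeline under the 24-month period proposed in paragraph 4.6.

```python
from itertools import accumulate

# Figures from paragraphs 1.2.4 to 1.2.4.3; months are relative to the incident.
STAGES = [
    ("suspect number identified", 5),
    ("first analysis complete, five more numbers found", 1),
    ("second analysis complete, two linking numbers found", 2),
]
CONSPIRACY_START = -3   # interaction began three months before the incident
INCIDENT = 0

def history_before(event_month, request_month, retention_months):
    """Months of records still held that pre-date `event_month` when a request
    is made at `request_month`, under rolling retention."""
    oldest_held = request_month - retention_months
    return max(0, event_month - oldest_held)

def erosion(stages, retention):
    """For each stage, the history left before the incident and before the
    start of the conspiracy, per record type in `retention`."""
    rows = []
    elapsed = accumulate(months for _, months in stages)
    for (label, _), now in zip(stages, elapsed):
        row = {"stage": label, "month": now}
        for kind, months in retention.items():
            row[kind] = {
                "before_incident": history_before(INCIDENT, now, months),
                "before_conspiracy": history_before(CONSPIRACY_START, now, months),
            }
        rows.append(row)
    return rows

def last_useful_request(event_month, retention_months):
    """Latest month at which records dated `event_month` are still held."""
    return event_month + retention_months

if __name__ == "__main__":
    current = erosion(STAGES, {"calls": 12, "texts": 6})
    proposed = erosion(STAGES, {"calls": 24, "texts": 24})
    for now, new in zip(current, proposed):
        print(now["month"], now["stage"], now["calls"], now["texts"],
              "| 24-month retention:", new["calls"])
```
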

1.3  Cell-Site Analysis

  The process of cell-site analysis considers the approximate location and movements of a mobile phone based upon the historical call events. When a mobile phone makes, and in many cases receives, a call the relevant network operator will record the unique identifier of the cell-site or cell-site-sector that the call was routed to or from.

  1.3.1  A network provider can supply historical call records that show the cell-site identity for each call event. However there is a variance in the level of detail supplied by network operators. For example in some cases it is possible to have both the identity of a cell-site that a call started from and also the identity of the cell-site that the call terminated on. Other providers only supply the start of call cell-site.

  1.3.2  As with most forms of analysis, the more data available the greater the level of analysis that can be performed.

  1.3.3  In the initial stages of cell-site analysis, the analyst will receive information in regard to the cell-sites that have served call events for particular mobile phones. The typical cell-site information supplied by a network operator will include the following:

    —  name of the site;

    —  postcode and/or address;

    —  easting and northing settings, (map co-ordinates of sites);

    —  number of cell-sectors;

    —  cell-sector identification numbers; and

    —  azimuth/bearing setting (direction in which the antenna is facing, measured from true north).

  1.3.4  Methodologies for cell-site analysis are not defined and as such may vary from analyst to analyst. However, I regard that certain principles exist in the performance of cell-site analysis and these are given below:

    —  Define the cell-site sector that served a call event (reliance on available data).

    —  Plot the position of that cell sector (call mapping process).

    —  Understand the scale and scope of coverage from that sector (Prediction, Review Operator's Best Server Plots for incident dates, Field Measurement Surveys).

    —  Validate/verify the sector coverage according to documented settings (Survey).

    —  Survey actual areas of interest and detect/define an order of service for cell-site coverage (Spot Measurement Surveys).

    —  Plot the positions of other relevant cells according to the order of service. (Network Modeling).

    —  Consider other relevant issues such as local demographics and topology.

    —  Based on the results of the above make location and/or movement predictions where possible.

  1.3.5  Cell-site changes can dramatically alter the footprint area of coverage provided from a particular cell-site or cell-site sector, altering the range (how far), width (how wide) and shape of each particular coverage area. The following provides a non-exhaustive list of the types of cell-site changes that can affect/alter the coverage area provided by a cell-site or cell-site sector:

    —  Changes to antenna type and antenna efficiency, gain levels.

    —  Changes to the physical positioning of antenna (lateral position changes).

    —  Changes to azimuth settings.

    —  Height changes.

    —  Vertical elevation changes, grazing angles (vertical polarisation).

    —  Power level changes.

    —  Power control changes.

    —  Channel frequency changes.

    —  Several other front-end changes that would affect the resulting coverage patterns.

  1.3.6  When performing cell-site analysis after any notable time from the actual time that calls were made, it is important to understand what changes have taken place to the mobile phone network for a particular area. Whilst the network operators are often able to provide details of historical changes and planned maintenance (cell-site downtime), the level of detail is limited and often found to be incomplete or not available.

2.  NETWORK PROVIDER DATA

  2.1  In the UK the main network providers (data owners) are O2, Orange, T-Mobile, 3 (Hutchison) and Vodafone. Virgin Mobile also generates and retains billing data, but its backbone network provision (actual cell-sites) is provided by T-Mobile.

  2.2  These network operators record the details of the call events to and from a mobile phone. This data can include the identity of the cell-site or cell-site sector that a call was routed from/to.

  2.3  At present there is a variance in both the level of data recorded by each operator and also in the length of time that data is retained.

  Under current practices data is retained for no more than 12 months. However, variances can mean that historical call events including data for text message exchange may only be held for six months or less in the case of certain account types (ie contract, pre-pay, pay-as-you-go).

  2.4  It should be noted that the actual content/prose of historic text messages is not recorded/provided by any of the providers. This data may on occasion be available when an identified request for such data is made within days of a particular transaction.

  2.5  Each of the main network operators maintains a department to provide historical data or court liaison for law enforcement purposes. These departments supply historical call records and details of cell-site locations on a chargeable basis.

3.  DATA REQUIREMENTS—STANDARDISATION OF CALL DATA

  3.1  Standardisation on the level of historical data available from all the network operators would improve the quality of telecommunications evidence and reduce the overall time taken during investigation and analysis. At a minimum level the following should be provided regardless of account type.

  3.1.1  Historical Call Billing records to detail the following:

    —  Phone numbers of other phones receiving or making calls/texts to and from the target phone.

    —  The date and time of the call events (connecting calls, diverts to voicemail or text messages).

    —  The duration of calls and the ringer/register (time to answer) duration for those calls.

    —  The IMEI handset identifier for all calls.

  3.1.2  Cell-site call data to include:

    —  Start and End cell-site identifier for each call event and cell-site for text message dispatch or receipt. This to be provided for both the A end (caller) and B end (receiver) of each call event. Some operators provide this when both A and B end phones are registered to that particular network operator.

    —  Record of the "Timing slot and advance" issued for a particular call. This data is not currently provided by any operator within standard cell-site data. Its inclusion within records would assist the analyst in predicting if the call was made close to or far away from the epicentre of the cell-site and therefore increase the level of accuracy for predictions of call location.

  3.1.3  For cell-site configuration data, the following is required in addition to the standard information (location and azimuth settings) currently provided:

    —  Height of antenna.

    —  Power output.

    —  Vertical polarisation (down tilt).

  3.1.4  For historical changes to cell-sites the following data should be maintained and available on request:

    —  Changes to azimuth settings, height, power output and vertical polarisation.

    —  Changes to the mobile network in a given area, cell-sites commissioned or decommissioned.

    —  Record of cell-site down-time.

4.  SUMMARY—DATA RETENTION REQUIREMENT

  In any review of phone evidence and data retention the following factors should be considered.

  4.1  Most people nowadays carry a mobile phone, and phones are carried and used not only by perpetrators of crime and their associates, but also by victims and witnesses of crime. In many of the criminal cases on which I have been instructed to provide expert opinion on phone evidence, a large number of mobile phones have been involved.

  4.2  The process of investigation takes several weeks or months depending upon the circumstance of crime/allegation. Furthermore, some time has passed since the incident under investigation took place before work is requested.

  4.3  There is a variable time factor involved in all stages of the evidence identification, retrieval and analysis. From that examination further additional requests for call records may be required. Those records may then require separate analysis from which other numbers may be identified where once again further call records are required. An investigation can expand and may need to consider the historical movements and locations of other mobiles. There is a delay to each stage during which the data retention period is continually decreasing.

  4.4  Under existing conditions data retention of mobile telecommunications data is at best 12 months with further restrictions applying to text message transfer details and in data relating to particular account types.

  4.5  In a Utopian world it would be beneficial to have standardisation on the level of historical data that is provided. For cell-site analysis there is also a need for standardisation in the level of data being provided by the network operators and where possible an increase to fields of data recorded or made available.

  4.6  There is a very strong need to increase and standardise the supply of call records for all call events types. Having regard to the time required to fully investigate and analyse such data, a minimum of two years' (24 months') data retention should be applied and this should be imposed for all inbound and outbound calls or text messages regardless of account types. An increase to a level of five years' data retention should also be considered, treating call data similar to that of financial transactions for VAT purposes. Any increase to the existing data retention period would be beneficial to criminal investigations or matters of national security and especially when combined with standardisation in the level of details recorded.

  4.7  The proposed upgrading of data retention may have implications on data storage requirements for the network providers. Increases in call data retention periods would be beneficial to the majority of criminal investigations and it is therefore perceived that there would be a significant increase in the requests of such data.

  An anticipated increase in the revenue generation stream for network operators providing this historic data should be considered against the inevitable additional storage cost arguments forwarded by the network providers in response to proposals to extend existing data retention for call records.

  4.8  The existing practices for data retention of call records are inadequate given the prevalence of mobile phones in society and the overall time for any investigation or information gathering periods.

  4.9  Standardisation in the supply of call records together with a significant increase in the data retention period should be considered vital to the British judicial system and to the interests of national security. Without these enhancements, evidence that may be gathered as a result of mobile phone usage is likely to be lost.



© Parliamentary copyright 2006
Prepared 3 July 2006