Monday, November 17, 2014

Cell Phone Tracking via Call Detail Records

We live in a world today where individuals’ movements and locations are being recorded in many different ways.  These movements and locations are commonly being used as evidence in civil, criminal and domestic litigation.  It is of paramount importance that anyone who is involved in litigation that uses cellular location evidence understands the appropriate and inappropriate use of this type of location data.

Recent decisions by some courts have made it possible for government agencies to obtain real time tracking information using an individual’s cellular phone or other cellular device without having to show probable cause or obtain a search warrant.
Additionally, the government and courts continue to maintain the position that obtaining historical call detail records for an individual does not require probable cause or a warrant since the person holding the cell phone is voluntarily providing their location data to a third party, namely the cellular service provider.  However, obtaining real time geo-location of a cell phone via the emergency 911 (E911) system in many cases requires either a warrant or permission from the cellular carrier.

What is Cellular Data Analysis?

Cellular data analysis is the process of collecting, analyzing and presenting the approximate location of a cell phone or other cellular device based on data obtained from the wireless company or in some rare cases, from the device itself. 
There are several types of cell phone location data that can be collected and examined;
·       Carrier based location data is collected by obtaining historical call detail records for a particular phone from the cellular carrier along with a listing of the cell tower locations for that carrier.  This data is then analyzed for the purpose of generally placing a cell phone in a location on a map.  This is NOT triangulation.
·       Cellular data  in the form of “pings”, which is  real time geo-location tracking of a cellular phone or other cellular device by activating the emergency 911 system (E911), which will then use either a network based or handset based method for locating the phone and will provide a location estimate generated via triangulation of the phone handset.
·       Law enforcement may issue a warrant or use an exigent circumstance application to get real-time call detail activity for a phone.  This is the same type of data contained in a historical call detail record but is provided in real time.
·       Cellular data may come from the device itself in the form of GPS location data either from an application running on the phone, a geo-tagged picture or some other data point.
It is important to understand about geo-location of a cellular phone or other cellular device is that the accuracy of the geo-location is dependent on a number of factors, not the least of which is the ability of the analyst to properly interpret and present the data and the methods used to present the information.

How is Cellular Data Analysis Used?

Cellular data analysis is used quite often in criminal cases to attempt locate a person of interest, either as they go about their criminal enterprises, or in relation to a particular incident or crime.
This type of analysis is also used in civil litigation involving vehicle accidents, property damage claims and other types of cases where the location of a particular cell phone at a particular time is of interest.

What about Triangulation?

The term triangulation is often misused and applied to the analysis of historical call detail records.  Call detail records only contain information about a single cell tower that was used when a call was made.  To triangulate the location of any phone or object you have to have a minimum of three points or more of reference.

Is There an Accurate Way to Track a Cell Phone Location?

Yes, but it can only be done in real time by using the cellular system or the cellular phone’s GPS unit to track the phone.
There are basically three ways to locate a phone using technology:  Handset based GPS, network based triangulation and hybrid location.
By law, cell phones are supposed to contain a GPS chip for the purpose of locating the phone in an emergency.  However, even today, not every phone has GPS capability. 
The most accurate way to locate a phone is by activating the phone’s on board GPS unit and allowing that to provide the phone’s location back to the wireless company for transmittal to authorities.  Handset based GPS location is supposed to be accurate within 50 feet. 
The second way to locate a cell phone is by triangulating the phone using network based location services.  What this does is calculate the position of the cell phone relative to three or more cell towers using round trip delay, and provides that location information back to the wireless company.
The third way to locate a cell phone uses a combination of network based triangulation and local wireless router locations.  However, this is not in common use to the best of my knowledge at this time.
When a cell phone user calls 911 on their cell phone, the 911 operator will get a cell tower location, a sector and in some cases a GPS location for the phone.
However, these locations can be off up to several thousand feet from the actual location of the phone.  In order to make sure that the GPS location is as accurate as possible, the PSAP (Public Safety Access Point) operator should manually update the location from their terminal.

Is cell tower tracking evidence junk science?

Generally locating a cell phone based on its historical call detail records for towers used at particular dates and times is an acceptable method and is based on the simple fact that cell phones do connect to cell towers .  From that standpoint, it is not junk science. However it is a science that is easily misinterpreted and misstated when prepared and or presented by persons not qualified to do this type of analysis.  The concept of plotting the locations of cell towers on a map is simple.  Understanding and explaining the underlying technical issues and considerations is extremely complex.

Is there a good use for cellular location evidence?

 Properly applied and interpreted cell phone location evidence can be helpful in many cases.  The issue is the overstatement of the accuracy of the phone’s location.
For instance, if the phone is using a cell tower in a particular town where an incident occurred and the person who was in possession of the phone claims to have been in a different town, it is a simple presentation to dispute the person’s claim.
Another good use is for tracking a phone across a distance based on cell tower usage.  While the analyst cannot claim a particular road was used, the cellular evidence can certainly illustrate for a jury that the phone did in fact travel from one city to another or some area to another.
In a recent case cell tower evidence was used to show that a phone call was made near the location of the defendant’s home and a subsequent call was located near his place of employment.  At issue was whether or not it would be possible for the defendant to travel to another location, commit a burglary and still make it to the location near his work in the time span between the calls.  By combining the cell phone locations, time estimates from Google Maps and the location of the burglary, the jury was convinced that the defendant could not have committed the burglary and still made it to the location of his work in rush hour traffic in Washington, DC.
Cellular evidence can also be used to show that a phone was near a particular area of interest with some reasonable confidence.   And with more data points, this kind of analysis can be helpful in showing that even if the analyst cannot determine why the phone picked a particular tower, dozens of uses of the same tower in a short time would lend itself to showing that the phone was using that tower over other towers nearby on a consistent basis.
The other side of cellular evidence is the use of call detail records to show communications via voice, data or text in the context of a timeline.  In a recent case involving a tractor trailer truck involved in an accident it was clear from the call detail records that the driver was not using his cell phone near the time of the accident for phone calls or text messages.  The issue for the attorneys who brought in an expert in the case was the time stamps on the cell detail records.  Initially it appeared at the times for the phone calls were within minutes of the accident.  However, once it was determined that the time stamps were dependent on the time zone of the cellular switch used to handle the call, the time was over an hour prior to the accident.  In this case, the truck driver was in the Eastern Time zone when the accident occurred, but the switch that processed the calls was in the Central Time zone and some of the calls reflected the time from the switch. Once the time stamps from the call detail records were moved an hour earlier, the issue was resolved.

Thursday, November 13, 2014

Jodi Arias - Computer Evidence Destroyed by the Police?

The defense in the Jodi Arias case has raised a significant issue of evidence tampering by the police in this case.  The motion alleges that evidence was purposely deleted from the victim's computer while it was in the custody of the police.

You can read the full article here.

Wednesday, August 27, 2014

Are you really anonymous on the TOR network? Federal Cybersecurity Director Found Guilty on Child Porn Charges

Federal Cybersecurity Director Found Guilty on Child Porn Charges


"Tor is free software that lets users surf the web anonymously. Using the Tor browser, the traffic of users is encrypted and bounced through a network of computers hosted by volunteers around the world before it arrives at its destination, thus masking the IP address from which the visitor originates. "

"As the acting cybersecurity chief of a federal agency, Timothy DeFoggi should have been well versed in the digital footprints users leave behind online when they visit web sites and download images.

But DeFoggi—convicted today in Maryland on three child porn charges including conspiracy to solicit and distribute child porn—must have believed his use of the Tor anonymizing network shielded him from federal investigators.
He’s the sixth suspect to make this mistake in Operation Torpedo, an FBI operation that targeted three Tor-based child porn sites and that used controversial methods to unmask anonymized users."

Link to the full article.

What's the takeaway?  Never believe you are completely secure in your dealings with any method of communication.

Friday, February 7, 2014

Computer investigator pleads guilty to misrepresenting credentials

" A Rye private investigator who has received $23,000 from the state since 2006 to do computer forensic investigations for indigent defendants pleaded guilty last week to misrepresenting some of her investigative certifications on her company’s website.
Judith Gosselin, owner and sole employee of J.A.G. & Co. in Hampton, claimed to be a “certified computer examiner” and to be trained as an ethical hacking forensic investigator when she wasn’t, according to court records.
Gosselin, who has worked for the state, federal public defender offices, and civil and criminal defense attorneys here and outside the state, avoided jail time in exchange for her guilty plea to a misdemeanor charge of unfair and deceptive business practices. She did receive a 12-month suspended jail sentence.
She was fined $2,000, ordered to reimburse the state’s indigent defense fund $3,500 for her work on a recent case and to “not ever accept any criminal case in the state of New Hampshire in any capacity,” according to her sentencing order.
A current count of Gosselin’s cases was not available last week. But while testifying for the defense in a criminal trial in Rockingham County in 2008, Gosselin said she had done 154 computer-related investigations, had been an expert witness in 36 cases and had testified in five trials on criminal and civil matters. She was then charging $254 an hour, according to her trial testimony. She has been doing computer investigations since 2000, according to her resume.  "
Make sure you read the whole article as this is an interesting case.

Wednesday, November 6, 2013

Anal probes? A new kind of abduction scenario that started with clinched butt cheeks.

Forget about aliens and UFOs.  Instead of watching the sky, apparently we need to be watching the police.

"The incident began January 2, 2013 after David Eckert finished shopping at the Wal-Mart in Deming.  According to a federal lawsuit, Eckert didn't make a complete stop at a stop sign coming out of the parking lot and was immediately stopped by law enforcement.    
Eckert's attorney, Shannon Kennedy, said in an interview with KOB that after law enforcement asked him to step out of the vehicle, he appeared to be clenching his buttocks.  Law enforcement thought that was probable cause to suspect that Eckert was hiding narcotics in his anal cavity.  While officers detained Eckert, they secured a search warrant from a judge that allowed for an anal cavity search. 

Eckert's attorney, Shannon Kennedy, said in an interview with KOB that after law enforcement asked him to step out of the vehicle, he appeared to be clenching his buttocks.  Law enforcement thought that was probable cause to suspect that Eckert was hiding narcotics in his anal cavity.  While officers detained Eckert, they secured a search warrant from a judge that allowed for an anal cavity search.
The lawsuit claims that Deming Police tried taking Eckert to an emergency room in Deming, but a doctor there refused to perform the anal cavity search citing it was "unethical."
But physicians at the Gila Regional Medical Center in Silver City agreed to perform the procedure and a few hours later, Eckert was admitted.

What Happened

While there, Eckert was subjected to repeated and humiliating forced medical procedures.  A review of Eckert's medical records, which he released to KOB, and details in the lawsuit show the following happened:
1. Eckert's abdominal area was x-rayed; no narcotics were found.
2. Doctors then performed an exam of Eckert's anus with their fingers; no narcotics were found.
3. Doctors performed a second exam of Eckert's anus with their fingers; no narcotics were found.
4. Doctors penetrated Eckert's anus to insert an enema.  Eckert was forced to defecate in front of doctors and police officers.  Eckert watched as doctors searched his stool.  No narcotics were found.
5. Doctors penetrated Eckert's anus to insert an enema a second time.  Eckert was forced to defecate in front of doctors and police officers.  Eckert watched as doctors searched his stool.  No narcotics were found.
6. Doctors penetrated Eckert's anus to insert an enema a third time.  Eckert was forced to defecate in front of doctors and police officers.  Eckert watched as doctors searched his stool.  No narcotics were found.
7. Doctors then x-rayed Eckert again; no narcotics were found.
8. Doctors prepared Eckert for surgery, sedated him, and then performed a colonoscopy where a scope with a camera was inserted into Eckert's anus, rectum, colon, and large intestines.  No narcotics were found.
Throughout this ordeal, Eckert protested and never gave doctors at the Gila Regional Medical Center consent to perform any of these medical procedures.
"If the officers in Hidalgo County and the City of Deming are seeking warrants for anal cavity searches based on how they're standing and the warrant allows doctors at the Gila Hospital of Horrors to go in and do enemas and colonoscopies without consent, then anyone can be seized and that's why the public needs to know about this," Kennedy said. "

Here is a link to the full story.

Here is a link to the PDF of the lawsuit.

Monday, October 28, 2013

Is Your GPS Bracelet Listening?

Here is an article from The Crime Report about some GPS bracelets that have a cellular telephone capability built into the bracelet.

The implications are interesting, to say the least.

Caution: Your GPS Ankle Bracelet Is Listening

Thanks to Sarah R. Olson at the NC Indigent Services for sharing this link with me.

Tuesday, October 22, 2013

Computer Forensics Job Opening

The Baltimore Police Department has an opening for a Computer Forensics examiner.

The link to the post is here:

Computer Forensic Examiner Opening

Job Title:Computer Forensic Examiner I
Closing Date/Time:Fri. 11/08/13 4:30 PM Eastern Time
Salary:$25.07 - $31.23 Hourly
$45,630.00 - $56,836.00 Annually
Job Type:MERIT
Location:Towson, Maryland

Thursday, August 29, 2013

Cell Tower Dumps

Cell Tower Dumps are used in cases where the FBI or local law enforcement is attempting to determine a cell phone number or numbers that can be used to investigate a crime.

I have seen cell tower dumps in several cases I have handled.  Here is an excellent article about this investigative technique from Ars Technica.

It is well worth the read.

How “cell tower dumps” caught the High Country Bandits—and why it matters

Tuesday, July 2, 2013

Friday, December 14, 2012

The Perils of Using the Local Computer Shop for Computer Forensics

In a recent article posted by the Association of Certified E-Discovery Professionals, Robert Hilson writes about the loss of priveledge documents due to the Attorneys' "absent" supervision.

"It is a familiar story. A client discloses thousands of privileged documents from an electronic universe of many millions due to alleged failures to supervise a computer consultant. The mistaken production results in a heated clawback motion, in which a judge finds that the attorneys did not take the “reasonable steps” required by law to prevent the disclosure.

Those are the facts arising from Blythe v. Bell, a little-reported lawsuit over the control of a sportswear manufacturer in Hickory, North Carolina. The case, in a state business court in Catawba County, bears uncanny resemblance to the high profile J-M Manufacturing skirmish and countless more suits that are either unreported or have yet to happen."
"Hickory Brands hired a service provider called Computer Ants, whose owner and operator, Thomas Scott, testified to never having performed forensic services in the context of a lawsuit.  Scott, who the defendants tasked with producing documents responsive to search terms from a total of 308 million potentially relevant files on 35 computers and six servers, had previously worked as a truck driver and a security manager for Bass Pro Shop."
The result was the delivery of 1,700 sensitive documents to the opposing counsel that resulted in a heated clawback motion, in which the judge found that the attorneys did not take the "reasonable steps" required by law to prevent the disclosure.
This case highlights what I wrote about in "Digital Forensics for Legal Professionals" on selecting an expert and the difference between a computer expert and a forensic examiner.
I cannot express strongly enough the risk associated with picking a computer for digital forensics contractor to use in civil and criminal cases. 
A recent experience helps to illustrate this:
I recently testified in a military court where the government was offering an expert for a fraud case and I was asked to explain the difference between hiring someone with my background versus the alternative expert, a government employee, who had a Masters Degree in Network Security, but did not have any forensic training or experience.
To his credit, he freely expressed that he did not know anything about forensic examinations, how to craft language to get information from ISPs or how to find the custodian of records for same.
I explained for the court, specifically the military judge, prosecutor and defense counsel how to go about tracking an IP address from the service provider and connect it to a particular subscriber.  As well and the process for locating information regarding on-line fraud on a computer.
The result was that the court approved me as the expert for the defense, however, the prosecutor immediately withdrew the charges.  So I did not get hired.  But the important thing is that I got a chance to educate a judge and some attorneys on the difference between a qualifed examiner and a network security administrator.
While he had tons of expertise in what he does, it is not what we do as forensic examiners.  As the case I mentioned above points out, failing to hire the right kind of expertise is risky for clients and attorneys.
And while it can be an expensive mistake in a civil case, it can be devasting in a criminal case where a person's freedom and perhaps even their life is in the balance.