Evaluating Mobile Telephone Connection Behaviour – Part 2

The Basics of Evaluating Connection Records

by Sam Raincock, IT and telecommunications expert witness

Connection RecordsWithin the UK, details of past telephone connections are stored by the network providers. The minimum storage is advised by the Data Retention (EC Directive) Regulations [1][2]. However, each network provider is able to disclose different types of information about past connection activity and this availability also changes over time. As a result, it is important to be familiar with what connection record information may be available to your case so you can make appropriate requests to obtain access to it. Perhaps a useful strategy for companies undertaking connection record evaluation work would be to compile a procedure where your organisation will contact the network providers every 6 months to determine if anything has changed.

It is also important to note that the network providers will provide a ‘standard’ format of connection records if they are not directed regarding the information you require. My philosophy with network records is that if you don’t ask, you won’t get it!

Examining Connection Records

Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.

Most often the instructions received in connection charting matters are to compile charts of connection patterns of the telephones of interest in a case. This is generally over a certain time period and may also include a frequency analysis to determine how many connections have occurred with particularly numbers of interest. It may (especially in defence cases) also include questions about the meaning of connections and the possible circumstances of the calls/SMS messages.

Where connection records specialists are lucky, they are provided with the records in electronic format. Where they are ill-fated they obtain a file of 500+ pages in paper format and the electronic records are unavailable (very common in older cases).

With paper records, you have two options: transfer the records into electronic format (however, you are going to have to thoroughly validate that this has occurred correctly) or you will need to examine them by eye. Actually, dealing with paper connection records is a lot easier than it sounds as you become used to looking for patterns over time.

With electronic records, if you are using pivot tables to assist you in performing a frequency analysis of the connection behaviour to establish how many connections have been made with certain telephone number of interest, remember that a telephone number may be provided in the records in various formats. For example, 07777 111111 may also be provided as 447777 111111.

Also with electronic records – make sure you don’t suffer from sorting issues. Firstly, if you haven’t set your data to be the correct type (which can be an annoying activity in itself), sorting can produce unexpected results. And of course, there is also the old Excel sorting problem where you sort by column and don’t expand the selection to the other data values too, resulting in shuffling your original connection records table.

Although all these points may seem very basic, in my experience mistakes do occur in this type of processing. Another area for error is overlooking the obvious – the date being in the wrong format or the wrong number is searched for etc. Hence, the key when performing connection charting/analysis is to validate, validate, validate and assume nothing.

Evaluating Connection Behaviour

So you’ve obtained your connection records…

The following table has been compiled as an illustration of the connection behaviour on 13/2/07 involving the number 07766215520:

Type of Connection Telephone Number contacted Date Time Duration (s)
SMS 07753984793 13/02/2007 09:48 0
Voice 07753984793 13/02/2007 09:49 12
Voice 07753983793 13/02/2007 09:54 3
SMS 0191 567890 13/02/2007 10:05 0
Voice 07971123456 13/02/2007 10:07 67
Voice 07753984793 13/02/2007 10:16 12

What’s in the table?

· Does it contain incoming connection information?

· What are the date and time ranges requested?

· Does it illustrate only certain telephone numbers?

Without an explanation of the content of the table its meaning cannot be established. Hence, when compiling connection behaviour or when receiving information from the network providers it is important to establish the content of the data provided so that appropriate assessments can be made of its meaning.

So let’s assume the request was to receive outgoing connections made by telephone 07766215520 between 9am and 12, on 13th January 2008. Let’s now consider the following questions:

· How many listed connections involve the 07753984793 number?

· How many voice calls were answered by the recipient telephone (and not forwarded to another device)?

· How many calls were made and over what time period?

· Is it possible to send an SMS message to a landline? Is it unusual to do so?

And their answers:

· How many listed connections involve the 07753984793 number?

The answer is 3 – one SMS message and two voice calls. Note that the connection at 09:54 is for the number 07753983793 and not 07753984793.

Attention to detail is key!

· How many voice calls were answered by the recipient telephone (and not forwarded to another device)?


The voice calls range from 3 to 67 seconds in duration. Hence, they could have forwarded to voicemail or answerphone. With the connection records supplied it is not possible to state if any forwarding has occurred. It would also be incorrect to assume the connection lasting 67 seconds was answered by the recipient telephone due to its length. Firstly, it could have been forwarded to another number and hence, the duration would not assist in establishing this. Secondly, it could have forwarded to answerphone – some services in the UK allow rerecording of messages and/or 2-4 minutes message duration. Test it!

· How many calls were made and over what time period?

Good question. The records were request for 13th January 2008. That’s 2008 and not 2007 that features in the records. Hence, we don’t know what time period the records were requested for or why they have been provided as the incorrect year. Also, the phrasing “between 9am and 12” is ambiguous. Is that 12 noon or 12 midnight?

· Is it possible to send an SMS message to a landline? Is it unusual to do so?

Yes (it’s amusing too). The unusual question is a tricky one. If it is a generic question then your ability to answer it will depend on how much connection records data you have analysed previously in order to be able to make your assessment.

You may wish to look at more records to determine if this activity was a one off or is consistent with the user’s ‘normal’ telephone behaviour.

Combining the Handset and Connection Record Evidence

In part 1 of this series and discussed above, I have introduced the process of starting to think about the meaning of connection information stored on mobile telephone equipment and the basics of connection record information.

Next month’s article will deal with the issues and benefits of combining the two sources of evidence. However, for those keen to have a go, download the example exercise and see what questions you can answer (please do not email or comment about your answers in the Columnists forum, though, answers will follow next month.)


1. Statutory Instruments. 2009 No. 859 Electronic Communications – The Data Retention (EC Directive) Regulations 2009. Available for download from http://www.legislation.gov.uk/uksi/2009/859/made/data.pdf.

2. Statutory Instruments. 2007 No. 2199 Electronic Communications – The Data Retention (EC Directive) Regulations 2007. Available for download from http://www.legislation.gov.uk/uksi/2007/ 2199/made/data.pdf.

Click here to discuss this article.

Read Sam’s previous columns

Sam Raincock Consultancy operates throughout the UK and Ireland providing IT and telecommunications expert witness services, training and IT security consultancy.

Sam specialises in the evaluation of digital evidence from the analysis of telephones to determining the functionality of software systems (and almost anything in-between). She also provides overview assessments of cases, considering different sources of evidence in the context of a whole incident to highlight inconsistencies particularly due to digital devices. Sam can be contact direct on +44 (0)1429 820131, sam@raincock.co.uk or http://www.raincock.co.uk.

Leave a Comment

Latest Videos

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feeds settings page to add an API key after following these instructions.

Latest Articles