I thought this needed its own thread. Btw, I’m not an expert. I’m just the guy sounding the horn.
Have you ever attended a training session and the presenter asked you to take out a piece of paper and draw a pig? As you know some of the class draws the pig facing forward and others draw the pig facing to one side or the other. Some draw large pigs while others draw small pigs. Some draw large ears and tails while others do not. After a few minutes the presenter will read off some statistics in relation to how you drew your pig. “X percent draw their pig facing to the left and if your pig has big ears or a long tail then it means this.” This test is often used as an ice breaker in training sessions and it’s also an indicator that we don’t all see things exactly the same. Maybe the differences are because there is no “Standard” when it comes to the size and shape of a pig?
When I began my career in law enforcement one of the calls I liked the least was responding to traffic accidents. For me the “traffic accident” did offer some positives. After throwing a diagram together I was able to add a text box that said “Drawing not to scale.” That basically got me off the hook. Even though I was only working minor fender benders I was able to take some degree of comfort in the words “Drawing not to scale.” I thought “Bring on those Defense Attorneys. Go ahead and beat up my diagram. It’s OK, because as I have indicated it’s not to scale.”
When there were accidents involving serious bodily injury or death, investigators from the Traffic Division were called to the scene. They roped things off with crime scene tape, told us not to touch or move the debris/evidence in the road. They took lots of photographs and then measured hundreds of points with something they called the “Total Station,” which seemed to be just like the surveying equipment I’d see road crews using from time to time. I heard them use terms like “drag factor, coefficient of friction, linear momentum and delta v.”
It was easy to see that when the stakes got raised and someone was possibly going to face jail time for their actions a higher standard was necessary. I have never been interested in Traffic reconstruction, but if I were, I’m sure I would sleep well at night knowing that there are nationally recognized organizations out there setting standards like NHTSA, ACTAR and others. I would also sleep well knowing that there are organizations out there that provide training which meets those nationally recognized standards like IPTM and others.
So let’s take a snapshot of where we are at. If an individual is facing the potential of jail time for actions resulting from their use of an automobile there are nationally recognized standards which would guide traffic investigators in how to work the accident, take measurements, make calculations and present that data in court. Is that fair to say?
Now let’s say that an individual is facing the potential of jail time and one of the key pieces of evidence is the use of their cellular device. As investigators, we send off our preservation letters, get our judicial process signed, send it off, wait about a month (if we are lucky) and at some point we receive the “CDR’s” with location data. I think we’re good so far, but can anyone tell me of a nationally recognized organization which has set a standard in cell site analysis? Can you also tell me who is providing training that meets these nationally recognized standards? The answer is there isn’t anyone. There are excellent people out there providing training based upon their training and experience, but it’s not based upon a nationally recognized standard.
“This will be redundant to those that have had training, but please bear with me.”
If you have just a minute I’d like you to take out a sheet of paper. “Don’t worry, this isn’t the pig test.” Somewhere on the middle portion of the left side of the paper I’d like you to draw/visualize a small dot about the size of a pencil eraser. Next label the dot with an “X.” On the middle portion of the right side of the paper draw/visualize a “Y,” but if you can think of the degrees on a compass, draw the lines making the Y at roughly 300, 60 and 180 degrees. If we use the top of your paper as North, mark the area between 300 and 60 degrees as 2. Mark the area between 60 and 180 degrees as 3 and the area between 180 and 300 degrees as 4. Most of you will recognize the Y as the popular 0,120,240 configuration. The dot labeled as X is an Omni pole with 360 degrees of coverage and we will call the area that the Omni pole covers sector 1. “Let’s say the two towers are approximately 5 miles apart.”
So if the top of the paper is North we now have an Omni pole out to the West and East of that we have the popular three sector antenna. Those sectors are all equal at 120 degrees and the centerlines of those sectors are at 0, 120 and 240 degrees.
Now let’s go back to the pig for a minute. How long was the tail you drew? If your pig’s tail was 1, 2, or 5 inches long I don’t think you were wrong either way, but we’re not talking pigs, we’re talking jail time. Now for you to make a Capital “Y” you need 3 line segments to intersect. How long are your line segments? Did you draw a big “Y” or a little “Y?” Since it’s just lines on a piece of paper it really doesn’t make much of a difference, but if you are plotting the coverage area of towers on a map it would seem only reasonable to have some idea of how long or what distance those lines should extend?
You can insert whatever software you choose to use, but while attending the ACME CSA School you might hear a conversation like this.
Student: How far should I extend the coverage circumference of tower Y?
Teacher: You can go out 1 mile, 3 miles, 10 miles. You might have to pull them in a bit in densely populated areas.
Clint Eastwood once said “A man’s got to know his limitations.” All of us need to know that we have limitations and the technology we use and reference has limitations as well.
Now if you look at the paper you drew on, it would be all too easy to say that if someone was up North of the “Y” in sector 2 the radio signal from their cellular device would be in communication with tower Y in sector 2. More than likely it is, but we need something better than “more than likely.” If someone was in close proximity to tower X it would be all too easy to say that their device was in the area around sector 1 and their device would be communicating with tower X. More than likely it is, but we need something better than “more than likely.”
Now if you were able to see an RF propagation map of the two towers you would see that there are spots around tower X where your cellular device could be communicating with sector 2, 3 and 4 on tower Y. Also if you looked at the map you would see areas in sector 2, 3 and 4 of tower Y where your cellular device could be in contact with tower X out to the West.
Now at least in my opinion Attorneys can’t have it both ways. I’ve heard DNA referred to as “junk science” and “unreliable”, but DNA is championed and given maximum reliability when it is used to exonerate an individual who has sat in prison for a number of years. CSA is not junk science either. It’s just in its infancy.
If you go to the link http//
In the Judge’s order he writes Mr. Schenk testified it is “impossible” to positively identify which cell phone tower was used by a caller. Cellular providers spend Billions on their networks to provide the customer with the best experience possible. The call initiated by the handset has to enter the system somewhere? I may not be able to replicate the exact tower handoffs during a call, but I believe the originating cell site is exactly what it says it is.
Mr. Schenk stated it is “impossible” to know if a call is actually matched to a cell tower. I need help on understanding that one!
Mr. Schenk stated that it is “impossible” to state where in the tower sector the caller was located. “In many instances this might be true, but what if the investigator had the benefit of CDMA enhanced ranging data like Verizon’s RTT or Sprint’s PCMD? What if we were able to obtain enhanced ranging data from a GSM provider called “timing advance?” You know, it’s the ranging data they have that they don’t want us to know they have.”
Mr. Schenk also stated that sectors could be as large as 900 square miles. In a rural setting that might be true, but I believe it is safe to say in densely populated areas that statement would not be accurate. “Manhattan and Beverly Hills don’t just have one cell tower or sector dedicated to the area.”
One of the things we need to be doing in law enforcement is we need to own the imperfections of the technology. We need to explain up front that the technology can and does have limitations, and that some of those might be the load on the system, RF attenuation, shielding, atmospheric conditions, elevation and other factors. Maybe just saying that the device originated a call on a certain side of a tower could be enough? When we try getting more specific, without the support of proper training and proper documentation we open ourselves to criticism. Then our testimony gets thrown out.
It’s time that some organization stepped up and created a “standard” in regard to historical cell site analysis and the technology surrounding it. What that standard will be is another discussion, but I believe these discussions need to take place. There’s got to be something better than just throwing circles up on a map.
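Added example, not part of the original post: a sketch of what the paper exercise and the timing advance question amount to numerically, using tower Y's drawn boundaries (300, 60, 180 degrees) and the GSM timing advance step. The function names, the flat-plane offsets and the sample points are constructed for illustration; the roughly 553 m step follows from the GSM bit period and is a nominal figure, not carrier data.

```python
import math

# Tower Y sector boundaries from the post, degrees clockwise from North:
# sector 2 = 300..60, sector 3 = 60..180, sector 4 = 180..300.
Y_SECTORS = {2: (300.0, 60.0), 3: (60.0, 180.0), 4: (180.0, 300.0)}

# GSM timing advance is reported in whole bit periods (48/13 microseconds)
# of round-trip delay, values 0..63, so one step is about 553 m of range.
SPEED_OF_LIGHT_M_S = 299_792_458.0
GSM_BIT_PERIOD_S = (48 / 13) * 1e-6
TA_STEP_M = SPEED_OF_LIGHT_M_S * GSM_BIT_PERIOD_S / 2


def bearing_and_range(east, north):
    """Bearing (deg from North) and distance of a point given as flat-plane
    offsets from the tower. Units of the offsets are returned unchanged."""
    bearing = math.degrees(math.atan2(east, north)) % 360.0
    return bearing, math.hypot(east, north)


def nominal_sector(bearing_deg, sectors=Y_SECTORS):
    """Sector whose drawn wedge contains the bearing. Assumption: a boundary
    bearing belongs to the sector that starts on it."""
    b = bearing_deg % 360.0
    for sector_id, (start, end) in sectors.items():
        width = (end - start) % 360.0
        if (b - start) % 360.0 < width:
            return sector_id
    raise ValueError("sector table does not cover 360 degrees")


def ta_band_m(ta):
    """Nominal (inner, outer) range in metres for one TA value."""
    if not 0 <= ta <= 63:
        raise ValueError("GSM timing advance is 0..63")
    return ta * TA_STEP_M, (ta + 1) * TA_STEP_M


def wedge_area_km2(ta, sector_width_deg=120.0):
    """Area of the annular wedge left after combining sector and TA."""
    inner, outer = (r / 1000.0 for r in ta_band_m(ta))
    return sector_width_deg / 360.0 * math.pi * (outer**2 - inner**2)


if __name__ == "__main__":
    # Constructed sample points, offsets in miles from tower Y (X is 5 miles west).
    for label, east, north in [("beside tower X", -5.0, 0.0),
                               ("north of Y", 0.0, 2.0),
                               ("south-east of Y", 1.0, -1.0)]:
        brg, rng = bearing_and_range(east, north)
        print(f"{label}: bearing {brg:.0f}, {rng:.1f} mi, "
              f"nominal sector {nominal_sector(brg)}")
    for ta in (0, 10, 63):
        lo, hi = ta_band_m(ta)
        print(f"TA {ta}: {lo/1000:.2f}-{hi/1000:.2f} km, "
              f"wedge {wedge_area_km2(ta):.1f} km^2")
```

The wedge is the drawn geometry only: it says which sector faces a point, not which sector served the call, and the remaining area grows with every timing advance step (about 0.3 km² at TA 0, about 41 km² at TA 63 for a 120 degree sector).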
Good piece. I posted that in the General section.
First rule of testifying, take words out of your vocabulary like absolutely, always, never, impossible, etc.
This gentleman opened a huge can of worms saying what he said and basically depending on how you want to read into it, is saying that everyone who has testified other than him is doing it wrong.
I totally appreciate the part you put about knowing your limits, I've been saying since I got on this site that people have to know your limits. When you see someone put out a hiring bulletin looking for a programmer, Pentester, have all major CF and infosec Certs, plus know Encase, FTK, etc. and have a testifying background, that person doesn't exist. What is happening (and I'm speaking from knowledge here) is that the person they get in to apply gets tested in a very small area or part of certain groups until the persons hiring for this position are satisfied that they know their stuff. Maybe the test consisted of firing up Encase and asking someone to show him where a certain function was and to execute that function. Maybe they wanted to see if he knew the OSI model.
You are usually only as good as the person or persons you are going up against. If the opposing person is a road deputy who took 1 first responder course, he probably won't be near as effective as you will be. If they are a testifier for the FBI taking courses for a living, they should be on the top of the food chain or near top.
They took lots of photographs and then measured hundreds of points with something they called the “Total Station,” which seemed to be just like the surveying equipment I’d see road crews using from time to time.
I can confirm that nowadays such an instrument is used.
A "Total Station" is a combination of several "traditional" instruments used by land surveyors
- a theodolite (which measures angles BOTH vertical and horizontal)
- a distancemeter (which measures distance)
- a small processing unit with memory that saves data and can do elementary transformation/conversions and accepts labels for points measured
The result (once extracted from the internal memory) is usually a list of coordinates in X/Y and Z of every point measured and often directly a .dxf (in scale) drawing of all the points together with their coordinates.
All in all it is only a rather accurate and faster method to make an exact graphical representation of the area (and position of any object measured), the result is not in any way different from what you can have measuring properly with a tape meter and later rendering (to scale) the measures on a drawing.
Some newer models also include a GPS, so that the instrument position is determined in absolute coordinates (as opposed to relative references to buildings or "known points").
As a matter of fact using a Total Station is in theory less accurate than directly measuring (properly) with tape (we are talking in case of road accidents of very "near" distances - say in a 50 m radius - whilst total stations and optical instruments in general are better suited for longer distances), but it is much faster and much less error prone (reading mistakes, transcription mistakes, render mistakes are virtually eliminated).
jaclaz
Mr. Schenk stated that it is “impossible” to state where in the tower sector the caller was located. “In many instances this might be true, but what if the investigator had the benefit of CDMA enhanced ranging data like Verizon’s RTT or Sprint’s PCMD? What if we were able to obtain enhanced ranging data from a GSM provider called “timing advance?” You know, it’s the ranging data they have that they don’t want us to know they have.”
"timing advance" is a useful mechanism in radio terms relevant to the radio-link, but it is not per se designed to be used in isolation to anything else to give an express and precise confirmation of the MS's land-location. TA is one tool in a range of useful tools that can assist, when brought together, to approximate location. Again it needs care how TA is presented and should not be presented in isolation to other data.
When we try getting more specific, without the support of proper training and proper documentation we open ourselves to criticism. Then our testimony gets thrown out.
Which is largely indicative of where you are at present.
It’s time that some organization stepped up and created a “standard” in regard to historical cell site analysis and the technology surrounding it. What that standard will be is another discussion, but I believe these discussions need to take place. There’s got to be something better than just throwing circles up on a map.
MTEB is an organisation since 2004 designed for that purpose.
Greg,
After sifting through your explanation I was able to gather that timing advance is only a part of the puzzle. It’s 1 spoke in a wheel, but if you remove that 1 spoke it really can’t be used effectively to transport a load from point A to point B.
The reason I mention timing advance is this: While in conversation with an individual who teaches cellular technology here in the states the topic of enhanced ranging data came up. After discussing the data available on a CDMA network the conversation switched to GSM carriers. Several years ago this individual was contacted in reference to a hostage situation. He lived near a GSM call center and was asked to go there. Mr. Bad guy had his phone off, but periodically he turned it on to check voice mail. At one point during this ordeal Mr. Bad guy’s phone makes a call and a location was generated. This guy claims to have actually witnessed the distance location on the screen. How exact the location was, I don’t know, but a tactical element was sent out based on that location data and ultimately things ended on a positive note.
In the U.S. the Verizon wireless LERT is flooded with requests for certain types of content which they retain. AT&T & T-Mobile stay busy too, but they are not flooded with the exact requests as Verizon is because they don’t retain the same data.
My theory is if AT&T and T-Mobile are already busy fielding requests for records and data why the heck would they tell us “Hey LE, btw we also retain some distance from the tower information you guys might want as well.” Personally I don’t see them being honest about it.
“MTEB is an organisation since 2004 designed for that purpose.”
Maybe it is time to go international? If you are already I’m talking to coming over to this side of the pond
As I have mentioned in other posts if an individual walks in to court and has certification as a “CFCE” Certified Computer Forensic Examiner it is easy to find out what minimum standards that individual had to meet to obtain those credentials. In the world of cellular technology we do not currently have that.
I don’t know if you went to bed last night considering the possibility of coming here to the states to provide training, but I can tell you that I and a number of other individuals would do our best to get the information out and fill the classroom.
This appears to be the beginnings of a long process, at least in my opinion, where you enter the decision process wondering “So what can I teach those Yanks.” I’m sure you already have a curriculum designed, but I would think you would be open for some input as well. Questions actually.
I don’t know what your curriculum is or whether or not you provide a certification, but let’s say you trained an individual to perform CSA on a UK based GSM network. Could that individual come over to the states and immediately pick up doing CSA on new cases on a U.S. based GSM network? In a way I guess my question is in regard to similarities or differences in the networks. Would those differences, if any, present hurdles in providing CSA to individuals here in the U.S?
Can you provide CSA in regard to CDMA networks and how does this all change as the competing communication protocols move towards LTE?
I have a feeling that one hurdle might be access to data. I don’t know what kinds of records you need for a case involving CSA, but I have a feeling it is information that LE is currently not seeking. My hunch is that the Courts in the UK have mandated the carriers provide this to you. We, on the other hand, may find out there is a prohibitive cost associated with obtaining the necessary data?
Cheers!
After sifting through your explanation I was able to gather that timing advance is only a part of the puzzle. It’s 1 spoke in a wheel, but if you remove that 1 spoke it really can’t be used effectively to transport a load from point A to point B.
It is not clear why TA would be switched OFF? Could you explain that please?
“MTEB is an organisation since 2004 designed for that purpose.”
Maybe it is time to go international? If you are already I’m talking to coming over to this side of the pond
Indeed this is what is being discussed here - http://www.forensicfocus.com/Forums/viewtopic/t=9679/start=14/
As I have mentioned in other posts if an individual walks in to court and has certification as a “CFCE” Certified Computer Forensic Examiner it is easy to find out what minimum standards that individual had to meet to obtain those credentials. In the world of cellular technology we do not currently have that.
Respectively, I am not sure how relevant the pre-requisite cellular credentials compared to CFCE to which you refer has significance? It raises, quite naturally, the spectre "how have you been getting away with it to date in the absence of any credentials"?
I don’t know if you went to bed last night considering the possibility of coming here to the states to provide training,
Oh no, I was putting cases forward in 2007/2008 but as I understand it the US LE used 'personal friendships' and 'internal training' and it seems 5 years later the state of the measured progress indicates that support is very much needed. However, the independents should know what is available, too, in order to push the boundaries where LE may have been hampered due to time or cost.
but I can tell you that I and a number of other individuals would do our best to get the information out and fill the classroom.
That is so kind of you, thank you hcso1510.
This appears to be the beginnings of a long process, at least in my opinion, where you enter the decision process wondering “So what can I teach those Yanks.”
This is more of a process unhampered by time limits and not designed to teach people how to suck-eggs, but to provide aims and objectives to support professionals within the field who wish to know about mobile telephone evidence and provide workable techniques and solutions that can actually be applied to CSA.
I’m sure you already have a curriculum designed, but I would think you would be open for some input as well. Questions actually.
Indeed! A number of your LE and independent US professional colleagues have already been providing input. Naturally, listening to local questions is always so useful. Questions form an element of any training process as opposed to replacing training itself.
I have a feeling that one hurdle might be access to data. I don’t know what kinds of records you need for a case involving CSA, but I have a feeling it is information that LE is currently not seeking. My hunch is that the Courts in the UK have mandated the carriers provide this to you. We, on the other hand, may find out there is a prohibitive cost associated with obtaining the necessary data?
One important principle to remember when dealing with CSA is not to run before you can walk. Making assumptions about what a Court will or will not order is best measured on a case by case basis and not with a wholesale-applied outlook. The training is not to encourage anyone to undermine the Courts, the operators, the prosecution or defence. The training is designed to show delegates how to go about seeing where evidence can be available, where to seek it out and what may be applicable.
Another important principle is not to dumb evidence down.
Cheers!
Greg,
“It is not clear why TA would be switched OFF? Could you explain that please?”
Your original response was “"timing advance" is a useful mechanism in radio terms relevant to the radio-link, but it is not per se designed to be used in isolation to anything else to give an express and precise confirmation of the MS's land-location.”
Obviously I assumed or misinterpreted what you meant. I assumed you meant TA was part of a larger process/number of measurements so that you couldn’t just take the TA by itself and confirm the location of an MS. While I would like to know more about TA it appears that U.S. based GSM carriers have failed to acknowledge its existence. I fully understand that there is no federal law which mandates the retention of TA data, but whether or not it is TA or something else I will continue to believe that U.S. based GSM carriers can provide historical data that can be used to narrow down the location of an MS rather than just tower and sector.
“Respectively, I am not sure how relevant the pre-requisite cellular credentials compared to CFCE to which you refer has significance? It raises, quite naturally, the spectre "how have you been getting away with it to date in the absence of any credentials"?”
I’m not sure what you are referring to when you mention pre-requisite credentials. I only mentioned CFCE to highlight that other technical fields do have recognized standards. As you know in the world of cellular technology we have a few options for training. While much of that training is good, there is no recognized national standard.
In a way I’m surprised the FBI has not jumped into the fray to provide this training, but I tend to think they would only want to train law enforcement. I believe it is the private that needs to drive the bus. The defense needs it just as much as the prosecution.
“One important principle to remember when dealing with CSA is not to run before you can walk.”
I hope you will remember that when you are explaining the CSA process. You can get pretty techie.
I wasn’t trying to assume anything about what a Court will or will not order. Under existing federal law there are records that LE can obtain free of charge if it is determined the records are kept within the normal course of business and they are not overly burdensome or voluminous to produce. (That’s not the exact verbiage, but it should get the point across.) Past that they do have the right to charge for certain data and certain services rendered. My comment in a sense may be like putting the cart before the horse, but it would be nice to know ahead of time if every time I used CSA in a case if the data necessary for the analysis would be free or if there would be a price on it.
If I may revisit an earlier question. Is the CSA process you teach applicable to GSM networks based in the U.S? Also, can you provide CSA training in regard to CDMA networks and how does this all change as the competing communication protocols move towards LTE?
Sorry for all the questions, but if I don’t ask them someone will.
Cheers!
I like the pigs analogy. Of course, some of us might draw them with polka dots.
The first step in establishing any standard, in my opinion, would be to standardize first the evidence, then the analysis.
As long as the evidence is provided in a variety of forms, with more or less data, the harder it will be to determine what a standard practice would be for analysing evidence.
Larry,
It's provided to you in the form YOU ask for it. If I don't ask, I usually get a CD with some .xls files followed up by a few .pdf's explaining that region's terms and definitions.
However if you want something different, then it's just a motion away. Might take a bit longer if the carrier wants to fight, or claim IP on something. But I find myself asking for what I would need to do the job I've been hired to do and if I can't get it, then I explain how that impacts my finding upon that portion of the case.
I like the pigs analogy. Of course, some of us might draw them with polka dots.
The first step in establishing any standard, in my opinion, would be to standardize first the evidence, then the analysis.
As long as the evidence is provided in a variety of forms, with more or less data, the harder it will be to determine what a standard practice would be for analysing evidence.
I am quite familiar with the methods for obtaining additional information.