Since linking with Jamie Morris at Forensic Focus to create a Mobile Forensics Discussion Forum (http://www.forensicfocus.com/index.php?name=Forums&file=viewforum&f=14) to bring mobile telephone evidence to a wider audience, I have had several discussions with people who are new to mobile telephone evidence and have asked me to provide further discussion on matters concerning Checking Masts. Also from police sections asking me to open up the discussion as to what might happen when Mast checks are not made and how that might impact on a criminal case. Whilst the criminal case discussion is hypothetical, some events happening in the discussion are factual and drawn from a number of criminal cases.
The necessity to check with a mobile network operator regarding details of a particular Mast (Cell Site) and the bearing of coverage (azimuth) from it, for a particular Cell ID, at the material time to see whether it has changed prior to conducting cell site analysis is a useful rule to follow. There are, of course, many other matters that need to be checked also, but I have simplified the issues for the purposes of this discussion.
The details of Mast changes are recorded by Operators and recorded in their databases. Single Point of Contact (SPOC) is not prevented from asking an Operator about Mast details and obtaining the relevant information. However, as a SPOC doesn’t decide what evidence should or shouldn’t be required for a criminal investigation, the SPOC should be asked to obtain the Mast information.
The Masts
Below is an image (a) which displays a Mast's radio coverage for a particular Cell ID illuminating in a westerly direction towards a block of flats.
Image (a)
The next image (b) below displays the same Mast (as above) relating to radio coverage with its associated Cell ID but this time the radio coverage is illuminating in an easterly direction, in the opposite direction towards a house.
Image (b)
For the purposes of this discussion the Mast is shown close to the properties in both images. This was done for artistic purposes and is not intended to mean the Mast is actually that close to both properties. Also an actual Cell ID has not been shown but the inference about Cell ID being relevant is inferred by the presence of radio coverage being displayed.
Criminal Case
Imagine if you will that on a particular date, let us say the 30th March 2008, a dead body is found in the house, shown in image (b). The police have been alerted to the property by a neighbour because of a dreadful smell emanating from the direction of the house. Upon entering the property the police find a decomposing body of a woman on the floor. The Pathologist is called and indicates, following assessment of the decomposing body, that the body had been dead for approximately two weeks. That would generate a time line back to Tuesday 16th March 2008.
The police conduct door-to-door enquiries and one neighbour next door but one mentions that two weeks ago as she passed the house there was shouting emanating from inside the property and cries for help. The neighbour thought nothing more of it because the couple that lived there had regular arguments, which the neighbours and passers-by could overhear.
The police asked the neighbours had they noticed anything else? One lady who lived a few doors away replied that she looked out of her window and that she had seen the man that lived there leave the property at about 8.30pm, and that would have been a Tuesday, and funnily enough that was about two weeks ago.
To cut a long story short, the police found the man who lived in the house a month later, seized his mobile telephone and having retrieved his mobile telephone subscriber details, obtained call records and identified the Masts that routed mobile calls to and from his mobile phone. From the records it was noted that two weeks before the body was found his mobile had used a Mast for a call (on Tuesday at 8.00pm) the Mast was sited 2.4Km away from where he lived with his partner. This was also the nearest Mast to the house.
The police called for radio test measurements to be conducted outside the house three weeks later. The time-span from the estimated time of death to radio testing was approximately 9 weeks. The radio tests confirmed that the Cell ID recorded in the call records is the same as detected outside the house.
The man, during questioning, confirmed he had not been back to the house since leaving on the Saturday. That being the Saturday prior to the Tuesday when it is approximated the death took place. He had also been living in a Bedsit because the relationship with his partner had irrevocably broken down and they had agreed to split and go their separate ways.
The police believed from the evidence that they had thus far that it was enough to hold the man, now a suspect, and the death case turned into a murder case. The evidence they relied upon was:
1) The neighbours hearing regular arguments and cries for help on the fateful day
2) The neighbour that says she saw the suspect leaving the house at 8.30pm
3) The call records that show a call on the Tuesday from the suspect's mobile telephone using a Cell ID from a Mast that is sited 2.4Km away and is the nearest Mast to the house
4) The radio test measurements that show the Mast’s coverage, thus Cell ID, used by the suspect's mobile phone illuminated outside the house.
So at minimum there appears to be four good pillars of evidence. However, when the radio test measurements were conducted no checks had been made with the mobile operator whether any changes had been made to the Masts in the area prior to radio test measurements being conducted. It subsequently came to light at trial that the Cell ID illuminating towards the house (image (b)) had only been illuminating eastwards towards the house from Thursday 18th March 2008 after the alleged murder due to changes at the Mast. Prior to that date the Mast had been illuminating westwards, towards a block of flats (image (a)).
Impact on Criminal Case
So when the police had noted from the suspect's call records that over the last few months they showed the suspect's mobile phone using a particular Cell ID for mobile calls that the police thought could be made or received from the house, they were misled and operated under a false assumption. The suspect had, in fact, been having an affair with a married woman in the block of flats (image (a)) and didn't want to say anything for fear of reprisals from the woman’s husband who was known to have a temper and may take it out on the woman if she was called as a witness. It was this affair that the victim, when she was alive, had been tipped off about some months earlier and the cause of the couple constantly arguing.
The lack of discovery about any changes to a particular Mast prior to conducting radio test measurements impacted on the case by:
- the test results, that should add value to a case, were inaccurate and unhelpful
- introduced delays into an investigation as the test results steered the police investigation in the wrong direction
- operational man-hours increased
- operational costs increased
- worse still, a false allegation of murder was made against an innocent person
As to the other pillars of evidence 3) and 4) were no longer valid and the woman with whom the suspect was having an affair corroborated the dates and times she was with the suspect. As to 1) and 2)? On the fateful day, 1) the argument that was heard by a neighbour turned out to be the victim's ex-boyfriend from a previous relationship whom she had given evidence against him for drug dealing, some 5 years earlier, and who had been released from prison 20 days before the murder. He had vowed to seek revenge against the victim. 2) The neighbour who saw the suspect at 8.30pm at night in fact saw a silhouette of the man she thought was the suspect because it was 8.30pm at night and her eyesight wasn't as good at night. The silhouette leaving the house was the ex-boyfriend leaving after having murdered his ex-girlfriend.
Further Observations
In consequence, by not checking with the operator about their Masts prior to conducting radio test measurement caused lost investigation time to find the real culprit, unnecessary redundant evidence, increased costs, investigation time increased exponentially, apart from wrongly accusing a person. Moreover, as checking the Masts is a well known procedure, not to have checked it during an investigation may amount to an act of intent to plant evidence to create incrimination against someone by using an act of deliberate omission during an investigation.
This is only a hypothetical discussion, but if these acts were operated in reality on a regular basis in criminal cases and applied as policy in widespread use across England, it may potentially lead to £20 millions in retrials. Of course that shouldn’t be possible arising from the 'Golden Rule' of disclosure, enunciated by Lord Bingham in R -v- C & H (February 2004), when he said that ‘fairness requires that full disclosure should be made of all material held by the prosecution that weakens its case or strengthens that of the defence’. The test is an objective one and is grounded on what is ‘reasonable’. However, the guidance makes it plain that an expert witness is no longer to be trusted to exercise his or her own judgment in deciding what falls within this definition and what is and is not relevant.
It is the influence of the Golden Rule placing affirmative duties on the prosecution from 2004 onwards that safeguards the reliability of evidence in criminal cases. That suggests were Her Majesty's Inspectorate called upon to require the prosecution tomorrow to provide, from randomly selected 200 cases from across the country by the Inspectorate, documents of enquiry to a particular operator seeking to be notified of any changes to a particular Mast in a particular case and the documented response received from the operator, they could do so.
That doesn't mean to say if the prosecution mobile telephone case has 50 Masts used for calls that documentation for each of the 50 Masts would be necessary, as rarely are all Masts relevant to an alleged crime, anyway, and a large proportion being used for padding simply to show movement. The relevant Masts are those where the Masts and coverage can illustrate that the mobile telephone or telephones could potentially be at the scene of crime, which on the whole usually relates to the last three to six Masts nearest the scene of crime. Besides I couldn't see the prosecution being hoodwinked into believing that because there are 50 Masts in a case that the number amounted to far too many enquiries to be made to the operator and so didn't make any enquiries at all.
As I have mentioned above this is purely hypothetical, but hopefully it illustrates the importance of Checking Masts before conducting radio test measurements.
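An added example, not part of the original post: a minimal check of an operator's Mast change records against the call time and the survey time, using the dates from the hypothetical case. The Cell ID "CELL-A", the azimuths of 270/90 degrees for west/east, the 120 degree beamwidth, the first in-service date, the survey date and the position of the flats are all constructed assumptions.

```python
import math
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class SectorConfig:
    """One operator record: the azimuth a Cell ID used from a given date."""
    cell_id: str
    azimuth_deg: float          # bearing of coverage, clockwise from north
    in_service_from: datetime


def config_at(history, cell_id, when):
    """Return the record in force for cell_id at `when`, or None."""
    live = [c for c in history
            if c.cell_id == cell_id and c.in_service_from <= when]
    return max(live, key=lambda c: c.in_service_from, default=None)


def bearing_deg(east_m, north_m):
    """Bearing from the Mast to a point given as metres east/north of it."""
    return math.degrees(math.atan2(east_m, north_m)) % 360


def in_sector(azimuth_deg, bearing, beamwidth_deg):
    """True if `bearing` lies within the sector centred on the azimuth."""
    off_axis = abs((bearing - azimuth_deg + 180) % 360 - 180)
    return off_axis <= beamwidth_deg / 2


def assess_survey(history, cell_id, call_time, survey_time, place,
                  beamwidth_deg=120):
    """Compare the Mast configuration at the call with that at the survey."""
    at_call = config_at(history, cell_id, call_time)
    at_survey = config_at(history, cell_id, survey_time)
    if at_call is None or at_survey is None:
        return {"usable": False, "reason": "no operator record for that date"}
    bearing = bearing_deg(*place)
    changed = at_call.azimuth_deg != at_survey.azimuth_deg
    return {
        "usable": not changed,
        "reason": ("azimuth changed between call and survey"
                   if changed else "unchanged"),
        "covered_at_call": in_sector(at_call.azimuth_deg, bearing,
                                     beamwidth_deg),
        "covered_at_survey": in_sector(at_survey.azimuth_deg, bearing,
                                       beamwidth_deg),
    }


# Constructed sample data. Only the 16 and 18 March 2008 dates, the 8.00pm
# call and the 2.4 km distance to the house come from the post.
HISTORY = [
    SectorConfig("CELL-A", 270.0, datetime(2007, 1, 1)),   # westwards
    SectorConfig("CELL-A", 90.0, datetime(2008, 3, 18)),   # eastwards
]
CALL_TIME = datetime(2008, 3, 16, 20, 0)
SURVEY_TIME = datetime(2008, 5, 18, 12, 0)    # about 9 weeks later
HOUSE = (2400.0, 0.0)     # metres east, north of the Mast
FLATS = (-2400.0, 0.0)    # assumed position, due west

if __name__ == "__main__":
    for name, place in (("house", HOUSE), ("flats", FLATS)):
        print(name, assess_survey(HISTORY, "CELL-A", CALL_TIME,
                                  SURVEY_TIME, place))
```

With this data the survey is flagged as unusable for the call date: the house lies inside the sector only under the configuration in service at the survey, and the flats only under the one in service at the call.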
Trewmte do you, yourself perform Cell Site Analysis/Surveys for cases?
If so what equipment do you use for this very interesting task?? :)
Yes I do and have been doing so since the early 90s for GSM and since 2006 for 3G.
I use Nokia network monitor for 2G and have used, but do not particularly like, some of these newer independent flash files that enable some smartphones to obtain 3G network control data. I do continue to use them as one tool but for fairness reasons in dealing with the radio evidence. The reason for that is there are no:
1) forensic standards for the calibration of test equipment generating evidence
2) forensic standards for the content or quantity of radio data captured for evidence
3) forensic requirements for user mobile phones to be calibrated
4) standards that require a mobile phone after it has left the manufacturing production line to maintain its radio mask calibration longer than 12-months.
For example, dealing with point 4) most mobiles in use do not precisely meet calibration standards, but largely their radio mask is towards the upper or lower limits due to the way in which mobile phones are treated by their users: dropped, fall in water, exposed to f*g ash, drink splatter, overcharging, overheating, running the battery flat during calls etc etc. All these things and more take their toll on mobile phone operation over time and it is not surprising to find that calibrated radio engineer test equipment often produce a better RxLv sensitivity. For instance, if one puts a used mobile phone side by side with a radio engineer's test rig they both record 'absolute' measurements, obviously, but the disparity between 'relative' measurements can be surprising.
For radio engineer test rig I use Anite's Nemo Handy. Also I have secured in evidence the requirement for the readings and the electronic files that contain the readings and the screen prints to be served in evidence because:
a) they are original evidence
b) it exposes not just preservation of evidence but the processes which brought the evidence about
c) it means the prosecution can meet the Golden Rule without being fed spurious argument of why things can't be done
d) it stops outsourcer firms holding back on evidence or unilaterally deciding that they control what our courts and criminal justice system can or cannot see
e) whilst I used Anite's Nemo Handy .dt1 file for the criminal case in which I was advising, the requirement is not limited to simply radio test measurements from Nemo Handy but all other radio test equipment etc and equally applies to handset and U/SIM card evidence.
The additional benefit this offers is that where the police want to save money extracting and harvesting data that is subsequently produced in reports and want to cut down on unessential data, this means they can still produce reports with only the content they want to show. The full copy of data are still obtained by the examiner and this means the defence, having a copy of the full data in electronic format, can examine all the other data to see whether any vital evidence for the defendant's case has been overlooked or not.
Moreover, the defence can still examine the exhibit as the prosecution will have already produced their evidence. This will allow for variations in evidential standard or interpretation to be checked and exposed, if any, in order to maintain the principle 'nothing lost in translation.'
This can also work on other levels as well. Such as, we know the Forensic Regulator is due to launch soon and the public sector are rushing around to create and approve their own standards. However, the independent sector has not had the opportunity to qualify whether the public sector standards are better than the standards in the independent sector. The work I have been doing is to highlight issues and attitudes to mobile phone evidence and to let the courts know there is evidence the courts can have. If the Regulator accepts procedures created by the public sector it should not bar the independent sector procedures being accepted also.
If the independent sector were automatically disbarred from having their own procedures accepted it could potentially lead to following public sector standards containing systemic failure being promulgated throughout the country. Not only that but the knock-on can directly affect small business by placing heavy regulation and financial demands upon small business, causing collapse and unemployment in MPs constituencies. Apart from which there may be the issues associated with breach of human rights under the Human Rights Act and the European Convention on Human Rights.
Apologies for the length of commentary. It was necessary to go along this discussion path because it is important to promote standards and to highlight choices available to people interested in mobile telephone evidence and identify what is possible by knocking over artificially generated psychological boundaries. I would hope to get the message into evidence in the London area, but my instructions come from outside of London these days and London appears to be a bit of a no-go zone.
[Update: I apologise in advance for any typos I missed that cause discomfort whilst reading this thread]
Wow :)
Thank you for that very intelligent write up.
It really is an eye opener
Thank you
Interesting and informative, Greg!
I was directed to your article by friend and colleague Tom Slovenski. Here's part of my email reply to him:
Did you catch this line:
"Moreover, as checking the Masts is a well known procedure…."
Really??? Maybe in the UK, but isn't this still 'mystery science' in the US?
After thinking a bit I should've said "Black Magic" instead of "mystery science." Analysis of cell mast ("tower" to us Yanks) data is in its infancy on this side of The Pond. Sure, you might see it featured in an episode of CSI, but in real cases attorneys' and judges' eyes glaze over at the notion of cellular triangulation.
-A
'mystery science', 'black magic'?????
AWTLPI, checking Mobile Masts has been a procedure and used in UK since the 1980s when we had analogue TACS mobile phone system in the UK. Indeed in the US it was a procedure the police used when checking stolen police cars with police radios in the 50s/60s/70s. Indeed early black and white cop films from US shown on British television showed US law enforcement checking Masts and pinging from the radio masts and using signal strength to conduct live triangulation to follow the driver of the stolen police vehicle along the highways etc.
As for triangulation, this cannot be conducted using historical call data and is only used for live emergency services issues, surveillance and interception.
So nothing 'mystery science' and 'black magic' over here, but I am still surprised that it should be puzzling the US. Your digital Masts use coordinates for antennas identities and your own highly respected P25 programme required additional measures. Also, I have spoken with US radio tower engineers and they couldn't understand why it would seem strange when it was so obvious to check Mast. In the US apparently you have a high crime rate with theft (copper/cable/dishes?) from Masts and also interference/pirate radio affecting police radio bands and the police and FCC investigate and check out Mast configuration.
Basically, if the Operator has made alterations at the Mast prior to the expert tests being conducted those Mast changes may produce test results that are entirely inaccurate or display false positives. Equally any changes at the Mast are required to be recorded in the UK for the PMOL.
However, as an analogy as to why it is important to check before running tests and stating findings, imagine if a crime was committed and allegedly a Ford Cortina 4-door Saloon that had been driving East on Highway 66 is suspected of being involved and your expert turns up to assess without checking and says the police asked me to check, and in accordance with their allegation, a Ford Cortina 4-door Saloon that had been driving WEST on Highway 66, this is consistent with my findings, then clearly the expert hasn't bothered to check.
The fact there are standards indicating the importance of bearing of radio coverage, height of antennas and issues associated with mechanical and electrical tilt frankly it shows a high degree of inexperience, lack of knowledge and common sense not to think about this and what could impact to create inaccuracy of test results prior to conducting tests.
The fact there are standards… frankly it shows a high degree of inexperience, lack of knowledge and common sense not to think about this and what could impact to create inaccuracy of test results prior to conducting tests.
In the U.S., when trial testimony gets a wee bit technical, the MEGO Factor ("My Eyes Glaze Over") comes into play. Attorneys and Judges want to keep things simple enough for a person with a 7th-grade education (the supposed "average" juror) to understand.
Thanks to our SCOTUS ("Supreme Court of The United States"), if there is to be "expert testimony," we must endure a "Daubert Hearing" where counsel attempts to have *their* experts accepted by the court and opposing counsel attempts to discredit same. The decision is left to the Judge. As a retired Federal Judge said to me when I bemoaned this process, "Well, hell, how do you think WE [judges] feel? We have no idea what the hell you [experts] are talking about!"
"inexperience, lack of knowledge and common sense"? Alas, that's the American Justice system.
cry
AWTLPI I trust you realised my comments are not criticism or being critical of US, UK or any other legal system.
If the American Justice system is uncertain, as you say, why doesn't the Judge or Court email and ask? Because I firmly believe they take the view that it is the responsibility of the expert to know what they are talking about and the Justice System shouldn't have to learn their own job and then learn everyone else's as well.
As mobile telephone evidence is fairly new to the US this is why Jamie at Forensic Focus allowed the Mobile Forensics Forum to start to help practitioners.
If you are in a case and the Judge has a matter requiring independent observations then I extend the invitation to you AWTLPI to invite the Court to send an email to me and if it is within my skill and knowledge relating to mobile telephone evidence I will respond with an answer or tell the court that I don't know the answer. I am using the email route because I am based in the UK, as you know.
I can't say fairer than that now can I?
No criticism taken! On the contrary, your comments are on-target.
It's just a difficult task for us as digital forensic examiners to get "heard" in court. It *is* getting better as our attorneys are just beginning to talk about "metadata." They may not know what it is, but they've heard it enough for it to become a buzzword in legal circles.
Our challenge is to "dumb it down" to the level of folks with the education of a 14-year-old. The U.S. public is now familiar with "DNA," but their eyes *will* glaze over if an expert speaks of "alleles."
Similarly, if I testify to finding lewd images in "unallocated space" on a hard drive, I'll not win many points. Saying "the Accused tried to erase these pictures of nekkid children," will keep me on the stand a bit longer.
Tower/Mast data *is* valuable. I registered for a class in cell-tower data recovery last November that was to be held immediately after Rick Mislan's Mobile Forensics class. There were about 20 of us in Rick's class. Only 3 of us registered to stay the extra day for the tower class. Subsequently, the class was canceled due to lack of interest.
We're still rather "colonial" in our collective thinking about mast data in the States, I'm afraid. If there's any criticism, it comes from me trying to urge my colleagues to get on board with this valuable source of data.
Careful with your offer, though. You may be invited to testify in U.S. court as an "Expert Witness!"
:D
Cellular Transmission Technology
Here are two test sheets identifying a range of cellular transmission technologies for CSA beginners and practitioners. It requires going through the charts to identify the accuracy of the information recorded in them and identify the relevant mobile network operators. It means researching not simply at the mobile network operators' websites, but researching the standards, etc etc etc.