Hi. I am a digital forensics newbie (sorry) and am in very early stages of studying in the field. I am interested in the methods related to a recent forensics story in the news concerning the Holly Bobo missing persons case in TN.
Background, Holly was abducted two years ago. Not a lot of information released to the public in a long time until the family hired their own investigators of late and released information about Holly's phone location in the 2 hours following the abduction. A map was released that shows abductor's likely route after the abduction. It is a very deliberate drive through a remote area that one would really have to be familiar with not to be come hopelessly lost. Interestingly, the phone was back near Holly's house within a couple of hours right when law enforcement had a checkpoints and a perimeter setup. The suspect was most likely a local and on the scene early in the search. See map and more info …
I assume from the term "hits" that this map was created from data from cell phone towers and not local GPS data from the phone? Does that sound like the case?
I am interested in experimenting with some of my phones. What are the best methods for extracting GPS data from an iPhone. Can I import this data into some kind of mapping software to create a map of path traveled?
As to cell tower information, when this information is received by LE, do they do the triangulation of location themselves or is this something that the cell provider provides in the form of finished location data?
As to cell tower information, when this information is received by LE, do they do the triangulation of location themselves or is this something that the cell provider provides in the form of finished location data?
Hello bbking13.
There are destinctions between captured data obtained from 'live' track and trace mapping methods and 'historical' network usage mapping methods.
Generally, one method of "triangulation" is commonly considered to be applied in live network trace of a switched ON mobile phone that is registered to a particular mobile network. The key word there is 'registered'. Triangulation is normally conducted using x-number of Masts (Towers) that may surround a switched ON and registered to the network mobile phone. The more Masts that can be used in the exercise the better, generally 3 is ok, 5 is said to be better and so on for a single instance report. From each report's content a profile (MEAS_RES/MEAS_REP message) is created from the information returned by the mobile phone of the Masts that it has detected. The collective profiles are then exported to a particular mapping systems from which usually the network operator looks to possible location based upon where the 'proximity' of the edges of profiles overlap to a high degree such that an ellipsis defining a specific area can be revealed suggesting the likely location of a switched mobile phone that is registered to the mobile network conducting the track and trace. This is but one method.
Track and trace doesn't simply involve sending a command to mobile phone to 'action a response' by sending back a profile but subscriber database details and fixed network detail are need too. In short, this work is performed by the particular mobile network operator and not law enforcement.
Of course, my comments are general as I do not know who the mobile operator is in the case you have mentioned and the type of transmission the operator has deployed.
Law enforcement can plot the location of Masts using information provided to them by the mobile network operator based upon call record details and the radio coverage used by the mobile phone assocated based upon a particular Mast cell identity and from the operator's fixed installed database. If from such plotting is suggested to be triangulation for this work then it is my assumption (in the absence of any further detail) the term has been used based upon the plotted location of Masts defined on a map. This really is no more than compilation, really, and is minimalistic compared with live network triangulation for track and trace.