I really wish with 980 views there would be more than 9 replies.
The problem with the article is that it imprecisely defines the subject matter which it then seeks to raise criticism with respect to its (1) accuracy and (2) precision. The article has little probative value in the absence of identifying a relevant transmission technology:
GSM
iDEN
CDMA
TETRA
WCDMA
LTE
and so on.
The article fails to appropriately distinguish between:
1 - historical records
2 - subscriber/equipment track and trace
3 - lawful interception
For instance, using standard GSM protocols, whilst not being finite, can offer a higher degree of accuracy to location positioning.
Measurement Reports can be obtained by the network for the purposes of allocation of radio resources. The Radio Resource Management (RRM) has responsibility for communicating the necessary messages to the mobile phone (MS). It is important, however, due to the limited resources of radio that utilising control channel requires using shortform notation to send commands in order for the receiver (the MS) to provide responses. To do this a vocabulary was created for GSM and utilised by the RRM e.g. Skip Indicator/Protocol Discriminator = 06 (relevant for handover). The SI/PD messages are predefined in a mobile phone's vocabulary (e.g. look-up table) to understand messages sent to it. For MEAS_REP the shortform message sent is known as ID (Hex) 15. The verbose message translated from the shortform ID (Hex) 15 command requires
MS -> BTS send MEASurement REPort.
This means MEAS_REP transfers the current measurement results of the MS to the BTS (uplink measurements). These measurements contain the sending levels of the serving cell and neighbouring cells. [It is important to remember there is a distinction to be made between a mobile phone switched ON (idle mode and camped on a cell), one that has already registered to the network (idle mode and ready for radio resources) and one that is actively involved with the radio network using resources. In the idle mode the mobile phone in a registered state can update its position either by commands made by the network, by moving to another radio area or using the periodic update parameter to be found in the SIM Card elementary file e.g. EFHPLMN.]
In the case of an active connection, a MEAS_REP is sent to the BTS every 480ms via the SACCH. The BTS forwards the MEAS_REP to the BSC, embedded in its own measurement results (MEAS_RES). [In the active state the MEAS_REP assists the network to control MS handovers and power output and the MEAS_RES assists with the building blocks for track and trace of an MS to a particular group of cells and other surveillance tasks.]
With a single MEAS_REP sent every 480ms whilst the MS is in dedicated mode, this is very fast timing and the combined results from a number of reports/results obtained can be used with the other processes to locate an MS down to within tens of metres of a particular location. WCDMA and LTE also have similar capability/techniques. Where GPS coordinates are also included in the returned reports to the network it is possible to improve location positioning.
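An added example, not part of the post above or of any poster's own material: a decoder for the layer 3 MEAS_REP described there (SI/PD 06, message type hex 15), showing what one 480ms report actually carries. The field layout follows the Measurement Results element of 3GPP TS 44.018; the function names and the sample bytes are constructed for illustration.

```python
# Constructed sample: 2 header octets + 16 octets of measurement results.
SAMPLE_L3 = bytes.fromhex("0615282800a31d4e1d10" + "00" * 8)

def rxlev_to_dbm(rxlev: int) -> int:
    """Upper edge of the 1 dB RXLEV bin (RXLEV 0 means below -110 dBm)."""
    return rxlev - 110

def parse_meas_rep(l3: bytes) -> dict:
    # Octet 1: skip indicator 0 + protocol discriminator 6 (RR) = 0x06.
    # Octet 2: message type 0x15 = MEASUREMENT REPORT.
    if len(l3) != 18 or l3[0] != 0x06 or l3[1] != 0x15:
        raise ValueError("not an 18-octet RR MEASUREMENT REPORT")
    bits, pos = int.from_bytes(l3[2:], "big"), 128

    def take(n: int) -> int:
        """Read the next n bits, most significant first."""
        nonlocal pos
        pos -= n
        return (bits >> pos) & ((1 << n) - 1)

    ba_used, dtx_used, rxlev_full = take(1), take(1), take(6)
    take(1)                         # 3G-BA-USED, not needed here
    valid = take(1) == 0            # MEAS-VALID: 0 means results are valid
    rxlev_sub = take(6)
    take(1)                         # spare bit
    rxqual_full, rxqual_sub = take(3), take(3)
    n_ncell = take(3)               # 7 = no neighbour information available
    neighbours = []
    for _ in range(0 if n_ncell == 7 else n_ncell):
        rxlev, ba_index, bsic = take(6), take(5), take(6)
        neighbours.append({
            "rxlev_dbm": rxlev_to_dbm(rxlev),
            # Index into the BA (neighbour) list, NOT an ARFCN or cell ID:
            # the BA list in force at the time is needed to name the cell.
            "ba_index": ba_index,
            "ncc": bsic >> 3, "bcc": bsic & 0x7,
        })
    return {"valid": valid, "dtx_used": bool(dtx_used), "ba_used": ba_used,
            "serving_full_dbm": rxlev_to_dbm(rxlev_full),
            "serving_sub_dbm": rxlev_to_dbm(rxlev_sub),
            "rxqual_full": rxqual_full, "rxqual_sub": rxqual_sub,
            "neighbours": neighbours}

if __name__ == "__main__":
    print(parse_meas_rep(SAMPLE_L3))
```

The report holds signal levels and list indices only, so any position estimate depends on correlating it with the network's neighbour list and cell data for the same moment.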
This should be the "actual brief" mentioned?
http://judiciary.house.gov/hearings/113th/04252013/Eckenwiler%2004252013.pdf
It seems to me like it goes at length in part "B." (Laws and regulations) and touches "very lightly" the actual scientific data (in part "A.").
Well done jaclaz, you have a really good knack of demonstrating 'revelation'.
Commenting with the benefit of hindsight on the brief (so no criticism of the author of the document because we do not know the conditions set for producing the document), it does make me wonder if images to demonstrate radio matters such as "equal power boundary" would be better technically demonstrated by images produced from using radio tools designed for that purpose. The point being it may transform the presentation from something that could appear to be very simplified to showing the audience reading/seeing the presentation that actually we have to work at what we do and not merely lick our finger and stick it in the air to see which way the wind is blowing.

……I would suggest that a lot of what we do isn't "commercially available", nor is it peer reviewed.
Agreed.
The thing that makes it “junk science” is that it is new.
The thing that makes something junk science is that the conclusions are not supported by scientific evidence.
Further to athulin's point, even with scientific evidence it still requires the person giving the evidence to have understood the results presented as evidence (e.g. false positive).
If the methods used aren't commercially available or the science hasn't been peer reviewed or it is not widely accepted in the industry, then it doesn't meet the fairly high bar set by Daubert.
Interesting. I would suggest that a lot of what we do isn't "commercially available", nor is it peer reviewed.
This is why you have to deal with the totality of evidence. If the prosecution's entire case hangs on cell phone triangulation, then you really don't have much. If you have some sort of video surveillance to corroborate the cell phone triangulation, then you're in better shape. Maybe there's some other physical evidence. Cell triangulation is good, but it can be, and often is, wrong.
I happen to be in a Cellebrite class right now, and the instructor mentioned that in this hotel, triangulation places him about 20 miles north.
Bulldawg, triangulation in cellular networks is conducted live. How is your instructor accessing a live network?
I happen to be in a Cellebrite class right now, and the instructor mentioned that in this hotel, triangulation places him about 20 miles north.
This sounds to me a bit (actually a lot) on the "extreme" (an error of the order of magnitude of 20 miles should mean a spacing among antennas in roughly the same range). Where is your hotel, in the middle of nowhere?
And, still to be picky as I always am, what is the sense of video footage "corroborating"?
I mean, if you actually have a surveillance camera placing the subject in a given place at a given time, who cares about the tower cell data? 😯
What if you have video footage of a subject possessing NO phone?
Would it not be enough by itself?
The Court order I referenced rejected a specific "evidence" based on a specific technology/theory, that of Granulization, NOT the "whole" cellular network positioning evidence.
jaclaz
If the prosecutor's case hangs on cell phone triangulation, then why don't you have much?
What we are talking about is the fallibility of providing a precise location. IMHO you have a lot to deal with if that is all they are offering.
This is why you have to deal with the totality of evidence. If the prosecution's entire case hangs on cell phone triangulation, then you really don't have much. If you have some sort of video surveillance to corroborate the cell phone triangulation, then you're in better shape. Maybe there's some other physical evidence. Cell triangulation is good, but it can be, and often is, wrong.
I happen to be in a Cellebrite class right now, and the instructor mentioned that in this hotel, triangulation places him about 20 miles north.
You're right, not live triangulation, but reviewing the SIM card's LAI value. Sorry for the confusion. However, if the SIM card's LAI thinks the last tower connected was 20 miles away, how accurate can the triangulation be? That's a serious question. I haven't attended any cell tower triangulation training. I don't think I'll ever run into cell tower triangulation in civil litigation. This hotel is on the water, so the strongest tower may be a reflected signal from across the water. Maybe that's also the only tower within range. What if you don't have 3+ towers that can see the phone?
If all you have is cell tower triangulation to place the suspect at the scene, then you go with it, but it's relatively weak, IMO. Relative to more traditional physical evidence–not settled science. What if you have a traffic cam with the suspect's car near the scene at the same time? Better. Eyewitness? Better. But, if all you have is triangulation, then you go with it, but be prepared for these arguments when you go to court. Have strong case studies to refute the defense's claims that it's junk science. BTW, I don't think triangulation is junk science, but it's a new field relative to most forensics.
As far as what attorneys do, they have no reason to be scrupulous. They can say whatever they want to get their client off at that time. This same attorney may turn around on the next case and try to use cell tower triangulation to establish his client wasn't at the scene. You can bet he won't say it's junk science then. As experts, we don't have this freedom. Anything we say on one case can be used against us on the next case. Best to be consistent.
You're right, not live triangulation, but reviewing the SIM card's LAI value. Sorry for the confusion.
No worries Bulldawg, thank you for making it clear.
However, if the SIM card's LAI thinks the last tower connected was 20 miles away, how accurate can the triangulation be? That's a serious question. I haven't attended any cell tower triangulation training. I don't think I'll ever run into cell tower triangulation in civil litigation. This hotel is on the water, so the strongest tower may be a reflected signal from across the water. Maybe that's also the only tower within range. What if you don't have 3+ towers that can see the phone?
Assuming network/handset/(U)SIM have been considered for association/activity between them, examples of elementary files like those below may have been checked for clues
SIM recorded radio location details


USIM recorded radio location details


Just some observations you may find helpful.
LAI in the (U)SIM Card EFLOCI File is not used per se for triangulation or precision location positioning. The integers of data residing there are recorded based upon the last time e.g. EFLOCI File was updated. This data can be recorded e.g.
- when the handset (in which the (U)SIM Card is inserted) had been switched OFF and the location area identifier data has changed from the previous data.
- The previous EFLOCI File data may change e.g. when the radio location area has changed that may be caused due to e.g.
+ the MS travelling around moves through different location areas
+ the MS detects stronger coverage at the border (e.g. roaming on another network say in another country but MS still remains in own country)
+ or long periods of dormancy where the MS has had long 'dwell' periods in an area and made no calls and updates to the network 'dependent' upon the e.g. EFHPLMN timer value that has been set.
Regarding water, I agree with you radio signals can produce spurious results due to reflection; the same can be said where the terrain influences radio coverage detected at the receiver. But the investigation and analysis would not be left simply to read e.g. the EFLOCI File data in isolation to investigating other matters.
I agree with you, LAI data contains certain radio parameters (dependent upon which data you are reviewing) that should not be duplicated to another radio area. You drew reference to only one tower may have been used for call/s. LAI though doesn't identify a particular cell tower.
I would agree with you cell site analysis (CSA) is not junk science. It has a number of elements of scientific fact associated with it. It is fair to say it is highly significant to distinguish between live data track and trace (which has a higher degree of accuracy) when compared to historical data. Historical data can be used quite effectively to show where MS wasn't by defining a radio coverage area which the MS has detected and may have used radio resources.
Hope this thread hasn't finished and forum visitors haven't responded due only to researching as there are so many radio scenarios for CSA that assists in understanding the (pre-)survey tasks/results.
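An added example, not part of the post above or of any poster's own material: a decoder for the 11-byte EFLOCI record discussed there, using the layout in 3GPP TS 51.011 (SIM) and TS 31.102 (USIM). It makes concrete that the stored LAI carries only MCC, MNC and LAC, with no cell identity; the function names and sample records are constructed for illustration.

```python
# Constructed samples (test PLMN 001/01), not taken from any real card.
SAMPLE_LOCI = bytes.fromhex("a1b2c3d4" "00f110" "2b67" "ff" "00")
ERASED_LOCI = bytes.fromhex("ffffffff" "00f110" "fffe" "ff" "01")

# Location update status lives in the low 3 bits of the last byte.
LOCI_STATUS = {0: "updated", 1: "not updated",
               2: "PLMN not allowed", 3: "location area not allowed"}

def decode_plmn(b: bytes) -> tuple:
    """Unpack the nibble-swapped BCD PLMN: returns (MCC, MNC) as strings."""
    mcc = f"{b[0] & 0xF:X}{b[0] >> 4:X}{b[1] & 0xF:X}"
    mnc = f"{b[2] & 0xF:X}{b[2] >> 4:X}"
    if b[1] >> 4 != 0xF:            # 0xF filler marks a two-digit MNC
        mnc += f"{b[1] >> 4:X}"
    return mcc, mnc

def decode_ef_loci(raw: bytes) -> dict:
    if len(raw) != 11:
        raise ValueError("EF_LOCI is exactly 11 bytes")
    tmsi, lai, status = raw[0:4], raw[4:9], raw[10] & 0x07
    mcc, mnc = decode_plmn(lai[0:3])
    lac = int.from_bytes(lai[3:5], "big")
    return {
        "tmsi": tmsi.hex(),
        "tmsi_valid": tmsi != b"\xff\xff\xff\xff",
        "mcc": mcc, "mnc": mnc, "lac": lac,
        # LAC 0x0000 / 0xFFFE are reserved to mark a deleted LAI.
        "lai_deleted": lac in (0x0000, 0xFFFE),
        "status": LOCI_STATUS.get(status, "reserved"),
        # Note what is absent: no cell ID, no timestamp, no signal level.
        # A location area usually spans many cells, so this record bounds
        # a region at the last update and cannot name a tower.
    }

if __name__ == "__main__":
    print(decode_ef_loci(SAMPLE_LOCI))
    print(decode_ef_loci(ERASED_LOCI))
```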