Wednesday, November 30, 2011

CDR Toll Ticket

Essential to any police inquiry and/or investigation is the availability of mobile network call detail records. Significantly, the data to be found in a CDR usually contains far more detail than data produced in eg compilation records; the latter data being selected based upon the 'subjective' mindset of the person creating the compilations.

Toll Ticket Enquiry is very different from Toll Ticket Analysis as the latter document only extrapolates those fields of data chosen by the person eg making selective choices from data stored in a database; thus an unsuspecting officer with little-to-no-experience may have no concept of the range of fields of data available that could be useful to an inquiry and investigation. Thus any objectivity by the officer to form an appropriate opinion or conclusion might be blocked.     

I have produced below scanned headers from two Vodafone Toll Ticket Enquiry CDRs both dated in February 1998. Both of the headers come from genuine Toll Ticket Enquiry CDRs, the first is for a Toll Ticket relating to call traffic on 13-02-98 on Vodafone's analogue TACS mobile network and produced on the 24-02-98. The second Toll Ticket relates to call traffic on 13-02-98 on Vodafone's digital GSM mobile network and produced on the 21-02-98.  Both were served in evidence in a murder case, thus in the public domain. The scanned headers below do not contain any personal data.  

Vodafone's Toll Ticket Enquiry CDR (TACS)

Vodafone's Toll Ticket Enquiry CDR (GSM)

It is entirely consistent that as an expert I would seek these CDRs in cases (as I did in the above case) in order that I can properly and appropriately advise those who instruct. The two Toll Ticket Enquiry CDRs represent a useful historical guide of events in 1998. It is noteworthy to mention that the GSM and TACS records illustrate the position of a single mobile network operator running two different radio transmission mobile networks at the same time. Moreover, such a feat did not limit or prevent the operator capturing data for CDRs relating to call traffic from its switches (EMX/MSC). Note also the duration of time between the dates of the call traffic CDRs and the production of them. Thus any inquiry or investigation into serious crime in 1998 would or should have had access to such records. So when reading the transcripts from eg two Appeals involving the same case (NIHC/QB/2009/50 and NICA/2011/33) and Toll Ticket is mentioned by name, the above provides the reader with some insight as to the data that can be recorded in such CDRs.

Today, of course, CDRs from mobile operators may have changed with respect to the identified fields of data in them or by design due to the system that produced them. I have shown examples elsewhere. Historically and like today the CDRs referred to should not contain fields of data that would compromise security of an operator's secure protocols, encryption keys etc.  Toll Ticket or other types of CDRs are ideal for evidence and provided there is completeness in the data (as opposed to subjective content imported into compilation records) then CDRs are essential to call record analysis (CRA) and cell site analysis (CSA).

Historical and current material on this subject and other subjects is included in my training courses for police and examiners to assist inquiries and investigations to make the best use of data and, equally important, how to interpret such data.

Tuesday, November 22, 2011

Cellphone Tracking Without Warrant Unconstitutional

The Wall Street Journal online article about cellphone tracking highlights interesting perceptions into the complexities involved between the US Constitution and Statutory Law. WSJ in its article sets out its stall of the various decisions there have been that, on the surface of it, at any rate, illustrate how diversely one US State perceives cellphone tracking compared to another State. A very short Order issued by her Honour Lynn N Hughes made recently in the United States District Court Southern District Of Texas succinctly makes it plain that the standard under particular provisions set out in the Stored Communications Act is below that of the US Constitution Amendment 4. A copy of the Judgment can be downloaded from WSJ website hughesorder1116.pdf.

Sunday, November 20, 2011

Basic Terrain Plot, GPS & CSA

A question emailed to me recently raised a useful point, which I thought would be useful to mention. By using a GPS receiver to trace the route along which test measurements are taken in a geographical area, would that reduce the need for terrain and clutter maps? The answer is absolutely not. Given the nature and purpose of a GPS receiver it does not and could not replace terrain and clutter maps. The latter have an entirely different function to perform for cell site analysis (CSA) and evidence.

Below is an example of a basic terrain plot. I should point out there are many different versions that can be produced, but the one below will do for the purposes of this blog discussion. 

PRIMER - how to read the plot
The basic plot incorporates the following. Mast location (eg postcode, NGR etc), height above ground level of the antennas (trx) on the Mast, azimuth and a target reference location (eg postcode, NGR etc) where an incident is alleged to have taken place. The raw geo data can be obtained from national sources (eg Ordnance Survey or equivalent in other countries). The TERRAIN path profile has been mapped between those two locations in the plot below. The GREEN LINE represents the linear radio path between both reference locations. The RED LINE represents the TERRAIN between both locations. The BLACK ELLIPSOIDS identify obstructions in the line of the radio path. The BLACK LINE represents GSM "maximum acceptable boundary" (35 km).

The basic terrain plot should be prepared prior to conducting any site surveys, intended radio test measurements, etc. Importantly, this rules out the use of a GPS receiver replacing terrain and clutter maps because:

(a) the plot is produced prior to a site visit, so no e.g. GPS waypoints can be logged at this early stage;
(b) the plot identifies aspects on the terrain path that need to be known; a GPS receiver cannot provide such important information; and
(c) the plot also provides an advance warning of potential locations where testing may be needed and where a GPS receiver could be used to mark particular waypoints. Three examples from the plot above for waypoints: (i) the small ellipsoid identifies the possibility of radio path interference such as potential attenuation, diffraction, reflection, shadowing, etc; (ii) the large ellipsoid suggests blocking of the radio path with coverage being directed into the earth's surface; and (iii) the target location is 48km distance from the Mast, thus beyond the maximum acceptable boundary.
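
As an added illustration (not part of the original post), the Python sketch below performs the same desk check the plot supports: it compares a terrain profile against the straight radio path from the antennas to the target and flags obstructed spans and a path longer than the 35 km boundary. The elevation samples, the 30 m antenna height and the 1.5 m target height are constructed values; earth curvature, Fresnel clearance and clutter are not modelled.

```python
GSM_MAX_RANGE_KM = 35.0  # the plot's "maximum acceptable boundary"

# Constructed profile: (distance from mast in km, ground elevation in m).
# First point is the mast site, last point is the target location.
SAMPLE_PROFILE = [
    (0, 120), (4, 100), (8, 95), (12, 135), (16, 90), (20, 80), (24, 70),
    (28, 160), (32, 210), (36, 150), (40, 50), (44, 45), (48, 40),
]


def path_height(d_km, total_km, mast_top_m, target_top_m):
    """Height of the straight radio path (the green line) at distance d_km."""
    return mast_top_m + (target_top_m - mast_top_m) * d_km / total_km


def analyse_profile(profile, mast_agl_m, target_agl_m=1.5):
    """Return path length, range flag and the terrain spans above the path."""
    total_km = profile[-1][0]
    mast_top = profile[0][1] + mast_agl_m      # antenna height above datum
    target_top = profile[-1][1] + target_agl_m  # handset height above datum
    spans, current = [], None
    for d_km, ground_m in profile[1:-1]:
        excess = ground_m - path_height(d_km, total_km, mast_top, target_top)
        if excess > 0:  # terrain (red line) rises above the radio path
            if current is None:
                current = {"start_km": d_km, "end_km": d_km,
                           "peak_excess_m": excess}
            else:
                current["end_km"] = d_km
                current["peak_excess_m"] = max(current["peak_excess_m"], excess)
        elif current is not None:  # obstruction ended at the previous sample
            spans.append(current)
            current = None
    if current is not None:
        spans.append(current)
    return {
        "path_km": total_km,
        "beyond_gsm_range": total_km > GSM_MAX_RANGE_KM,
        "obstructions": spans,
    }


if __name__ == "__main__":
    report = analyse_profile(SAMPLE_PROFILE, mast_agl_m=30)
    print("path length (km):", report["path_km"])
    print("beyond 35 km boundary:", report["beyond_gsm_range"])
    for span in report["obstructions"]:
        print("obstruction %s-%s km, peak %.1f m above path"
              % (span["start_km"], span["end_km"], span["peak_excess_m"]))
```

Each flagged span is a candidate location for a survey waypoint, which is where the GPS receiver then comes into use.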

There is a considerable body of material and further discussion I could add about information and inferences about terrain plots (which is covered in the cell site analysis (CSA) course material), but I do not wish to give the impression, nor do I have the intention, of building a case against the use of GPS receivers. A GPS receiver is not a redundant tool. It is, though, only one very useful tool of many useful tools that are needed for cell site analysis (CSA). GPS should not be considered the tool that is capable of replacing other knowledge-based sources or test information gathering tools. The latter are as equally required for cell site analysis, and, in some instances, even more so.

Friday, November 18, 2011

Taping Business Mobile Phone Calls - Part 2

Last year the FSA (Financial Services Authority) published its consultation document concerned with recording mobile communications within the financial services industry. I also produced a list of additional statutory and regulatory links to materials about call recording.

The FSA has now concluded their consultation and published CP10/17 which can be downloaded here:

"2.28 What constitutes ‘reasonable steps’ is fundamentally principles-based, meaning that we are not prescriptive about what we expect from firms to be compliant. Each firm must decide what it deems necessary and reasonable to comply with the taping provisions."

Thursday, November 17, 2011

FAB LAB Manchester

(For those international readers of my blog, that is 'Manchester' in the Great U of K)

People often refer back to the early days of the BBC Microcomputer,  Commodore 65, ZX Spectrum and Amstrad CPC. Nostalgic, well maybe, but with that style of programming it doesn't mean it has gone forever.

Have you seen Fab Lab in Manchester - what a great idea.

I heard about this place on BBC Radio Four. They have built their own basic computer board with operating system, which just needs terminal devices added. From there anyone can programme the system to do 'something'.

In essence teaching how to programme from the floor upwards.

Here are the excellent images of retro devices of the early 1980s and links to their background.

Tuesday, November 15, 2011

Rifle Fishing Rod

Searching for details about smartphone processing speeds vis-a-vis laptop processing speeds, I found the data I wanted, but on my internet travels I came across this device. Apparently, it is a pack rifle (at the website of Pack Rifle Company) that fires shells (yup, naturally) but it can be transformed into a fishing rod. As a combi-device it perhaps gives oxygen to the notion of 'Combat Fishing' - "Hey! You stole my Tench.....take that..." - although the images do suggest something out of an old Bond film on a beach somewhere. Might just be a tad difficult to hide that in your budgie huggers.

Photos from aboutpackrifle

Monday, November 14, 2011

Urban bike to charge mobile phones

With the Olympic Games 2012 not far off we learned on the radio news today that apparently the level of security now extends to possible use of ground-to-air-missiles.  It did make me wonder, though, has anyone thought about how mobile phones/devices were going to remain charged up? Well here's an idea..... 

Two new urban bikes called Starke 1 and 2 from German maker Silverback (silverbacklab) incorporate a USB charger connector enabling mobile phones and other mobile devices to be charged using pedal power. 

This could be quite an appealing feature for London's own bicycle-mad little rascal, Mayor Boris Johnson (photo courtesy of thisislondon). Reeaadddy!...Steeeaaddddy!...GO !

Whenever I see Boris or hear him speaking about bikes I wonder whether he would be as enthusiastic about riding one if he had to ride a penny-farthing to work? Perhaps Nick Ferrari, LBC's early morning erudite radio presenter, could ask Boris what Olympic security measures he has considered for London's own pedal-power coppers?

The urban bike with a USB charger could be a good idea for Summer 2012. The police could tear around the place wearing their black-lycra SWAT gear cyclist outfits whilst charging up their mobile devices without having to stop and charge up their mobiles at the local boozer. From Bow Street Runs to Green and Keen Pedallers. Crikey !

Thursday, November 10, 2011

11th hour of the 11th day of the 11th month

Poppy Day is also referred to and known as Remembrance Day. For children, schools or anyone who may want to know how this day came about, there is useful reference material at Remembrance_Day. For other reference materials look here: d-day-6th-june.

Poppies and Heroes
Under one Flag

Tuesday, November 08, 2011

Screenspy program can read texts and emails

The NewScientist online website ran an article on the 2nd November 2011 about a new surveillance method relating to a touchscreen spy that reads text and email messages on your smart phone.

"......dubbed iSpy, that can identify text typed on a touchscreen from video footage of the screen or even its reflection in windows or sunglasses. Video from an ordinary mobile phone camera can be used to spy on a person from 3 metres away. And a snoop with a digital SLR camera that shoots HD video could read a screen up to 60 metres away."

"Their method exploits a feature meant to aid typing on small touchscreens: magnified keys. Letters on a virtual Android or iPhone keyboard pop up in larger bubbles when pressed. The program analyses video footage and identifies the letters based on the bubble locations on screen. Pop-ups for neighbouring letters like E and R can overlap, so the program assigns an accuracy probability to each detected letter. The program correctly identifies letters more than 90 per cent of the time.."

Sunday, November 06, 2011

Signal Strength and Distance

Reading an article on Susan Brenner's blog lay-testimony-on-cell-phone-radio-waves  about the case U.S. v. Kale, 2011 WL 4361531 (U.S. Court of Appeals for the 3d Circuit 2011) I read with interest the comments of the network operator's lay witness, in the article, recorded as having stated:

"Jeff Strohm, a custodian of records at Sprint Nextel Communications (Sprint), testified that Kale's cell phone used signals from a cell tower located in Pennsauken, New Jersey, and that ‘the biggest indicator’ of which tower has the strongest signal is ‘distance.’"

"Jeff Strohm explained that a “cell phone is constantly searching for the strongest signal” and that the strongest signal is usually determined by ‘how far away you are from the cell phone tower.’"

If one is speaking very, very generally to school children or novices etc, where those people learning the information are hardly going to make a decision upon learning that info, that may well be sufficient, but as influencing testimony for a criminal trial? Is it really enough to provide such a low level of information that may be used to decide someone's innocence or guilt? It is important to enter the caveat that other things may have been said by this witness or other material looked at, but this is the only info included in the article and, thus, by omission of any other info the discussion is based upon what is stated in the article.

Technically, when we deal with received signal strength (MS-BTS/BTS-MS) radio engineers - as opposed to back office call record staff - generally consider it to be a composite of three discrete effects:

- path loss
- slow fading
- fast fading

Those discrete effects take no account of and omit other fundamentally important data a mobile phone requires to have received, decoded and understood in order to 'camp on a cell', that is even before the mobile phone is receiving a communication or instructed to communicate.  

'Signal strength' and 'distance' are most certainly not sufficient, for either GSM or spread-spectrum transmission technologies such as CDMA or W-CDMA, to be put forward as the main key factors that determine which Mast will handle a particular mobile phone's communications.

Within the realms of the GSM transmission technology it is made fundamentally clear as part of the mandatory requirements that a mobile phone shall detect 'signal strength', but what use is ranking signal strength in order of merit without understanding issues, such as:

- cell selection algorithm C1?
- cell reselection algorithm C2?
- if the mobile phone fails to decode parameters in 'control channels' e.g. RACH control parameters in the SYS_INFOS BCCH_INFOS 1–4. Is the Cell Bar Access bit = 1 (trace cf: 9D 00 00 & 9F 00 00) or the Access Control Class not equal 0?
- etc?
- And what about BTS capacity and directed retry?
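
As an added illustration (not part of the original post), the Python sketch below shows why ranking by signal strength alone does not identify the usable cell: it decodes the Cell Bar Access bit and access class bitmap from the three RACH control parameter octets and applies the C1 criterion from the GSM specifications. The cell names, measured levels, broadcast parameters and handset values are constructed; C2, directed retry and capacity are left out, and treating a barred access class as making the cell unusable is a simplification.

```python
from dataclasses import dataclass


@dataclass
class Cell:
    name: str
    rxlev_dbm: float             # averaged level measured by the handset
    rxlev_access_min_dbm: float  # RXLEV_ACCESS_MIN broadcast on the BCCH
    ms_txpwr_max_cch_dbm: float  # MS_TXPWR_MAX_CCH broadcast on the BCCH
    rach_ctrl: bytes             # 3-octet RACH control parameters


def decode_rach_ctrl(octets):
    """Octet 1 carries max-retrans, tx-integer, CELL_BAR_ACCESS (0x02) and RE;
    octets 2-3 are the access control class bitmap (set bit = class barred)."""
    return {
        "cell_barred": bool(octets[0] & 0x02),
        "barred_classes": int.from_bytes(octets[1:3], "big"),
    }


def c1(cell, ms_max_power_dbm):
    """C1 = A - max(B, 0), with A = RXLEV - RXLEV_ACCESS_MIN and
    B = MS_TXPWR_MAX_CCH - P (P = handset maximum output power)."""
    a = cell.rxlev_dbm - cell.rxlev_access_min_dbm
    b = cell.ms_txpwr_max_cch_dbm - ms_max_power_dbm
    return a - max(b, 0)


def strongest_cell(cells):
    """What a 'strongest signal wins' reading of the evidence would pick."""
    return max(cells, key=lambda c: c.rxlev_dbm).name


def usable_cell(cells, ms_max_power_dbm, access_class):
    """Simplified: drop barred cells and cells with C1 <= 0, keep the best C1."""
    candidates = []
    for cell in cells:
        ctrl = decode_rach_ctrl(cell.rach_ctrl)
        if ctrl["cell_barred"] or (ctrl["barred_classes"] >> access_class) & 1:
            continue
        value = c1(cell, ms_max_power_dbm)
        if value > 0:
            candidates.append((value, cell.name))
    return max(candidates)[1] if candidates else None


# Constructed measurements; 9D and 9F are the first octets quoted in the trace.
SAMPLE_CELLS = [
    Cell("A", -62, -104, 33, bytes.fromhex("9F0000")),  # strongest, but barred
    Cell("B", -70, -68, 33, bytes.fromhex("9D0000")),   # below its access minimum
    Cell("C", -80, -104, 33, bytes.fromhex("9D0020")),  # access class 5 barred
    Cell("D", -85, -104, 33, bytes.fromhex("9D0000")),  # weakest, yet usable
]

if __name__ == "__main__":
    print("strongest:", strongest_cell(SAMPLE_CELLS))
    print("usable:   ", usable_cell(SAMPLE_CELLS, ms_max_power_dbm=33, access_class=5))
```

With these constructed values the strongest cell is A, yet a handset in access class 5 is left with D, the weakest of the four.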

When a mobile phone is engaged in a mobile call then the network instructs a mobile phone which Mast to use via control info through eg SDCCH.

Turning to issues associated with distance. If a mobile phone is located in-building, which can have an effect on radio signals and latching to a particular Mast; where the landscape surrounding the mobile phone affects radio signals; or the clutter on the landscape affects the radio signals, or a combination of any of the aforementioned, then distance between MS and BTS gets blown out of the window as a reasonable suggestion in opposition to other matters that ought to be mentioned to a court of law.

As Sprint operates spread-spectrum transmission technology CDMA mobile services and iDEN transmission technology TDMA mobile services, I need to take some care here not to portray, too much, the wrong image of identical scenarios with GSM.

Wiki records Sprint's activities (Sprint_Nextel)
Sprint Nextel Corporation (NYSE: S) is an American telecommunications company based in Overland Park, Kansas. The company owns and operates Sprint, the third largest wireless telecommunications network in the United States, with 52 million customers, behind Verizon Wireless and AT&T Mobility. Sprint Nextel also owns a separate wireless division, Sprint Prepaid Group which offers prepay wireless services as Boost Mobile and Virgin Mobile USA.

Sprint is a global Internet carrier and makes up a portion of the Internet backbone. In the United States, the company is the third largest long distance provider and also owns a majority of Clearwire, which operates the largest wireless broadband network.

The company was renamed in 2005 with the purchase of Nextel Communications by Sprint Corporation. The company continues to operate using two separate wireless network technologies, CDMA and iDEN (for Nextel and some Boost Mobile subscribers). In 2006, the company spun off its local landline telephone business, naming it Embarq (which was subsequently acquired by CenturyTel). In 2009, Sprint reached an agreement to outsource management of its wireless networks to Ericsson.

Sprint Nextel launched its first WiMAX wireless card on December 21, 2008 (the Franklin Wireless u300 broadband card), and the first WiMAX phone available in the United States (the HTC Evo 4G) on June 4, 2010, utilizing its WiMAX technology from Clearwire Corp. A recent Consumer Reports survey tied Sprint with perennial front-runner Verizon Wireless in terms of customer satisfaction, a big improvement over previous years.

Thus, Sprint Nextel is a company that not only has good quality indicators but has also outsourced management of its wireless networks to Ericsson, according to Wiki. The latter company (Ericsson) is known for its high technical competence, quality and originality in telecommunications and mobile communications, and adds further gravitas to my discussion that 'signal strength' and 'distance', used in isolation from other factors, are insufficient to explain how a mobile phone may use a particular Mast. Ericsson, one could say, as an owner of patents and a developer of mobile networks/devices and transmission technology, is the expert's expert. I am convinced, therefore, that companies like Sprint Nextel and Ericsson would hardly endorse, in isolation from anything else, the simplicity of using 'signal strength' and 'distance' as the indicators to inform a court of law about why a mobile phone would use a particular Mast.
In the next discussion I shall go further to open up and explore CDMA/TDMA parameters and protocols required for a mobile phone and Mast to connect for communications purposes.