Design Daniel DiPinto
FEATURED IN TECHNOLOGY AND COMMUNICATIONS
A burglar had plagued Idaho’s Treasure Valley for months, smashing the glass front doors of area businesses, clambering to the offices and then proceeding to rip safes from the floor. Our department was at a loss because this was occurring all over the city at different times of the week and day.
A break came when a vehicle was seen leaving the area of a burglary. The vehicle description—“white Cherokee, red stripe on side and black roof rack”—was sent across the valley’s airwaves. Patrol officers saw a vehicle matching that description rolling around town, giving us a surveillance subject.
With a target now in sight, the surveillance team worked day and night. Sitting, eating, sitting some more and, most importantly, watching. “Does he know we’re watching him, or is this not our guy?” we continued to ask one another. This went on for several days.
“Hey, let’s buy a GPS tracker to put on the vehicle,” several police officers suggested. Team members researched GPS (global positioning system) trackers and presented the administration with its findings. The administration concluded the units were too expensive. The burglar continued to burglarize.
We began pondering cheaper alternatives. Could we attach a GPS-enabled Nextel phone to the vehicle and track it with Accutracking software via the Internet? We decided to try it. We loaded a Motorola i710 phone with Accutracking software, purchased a data package through Nextel and placed the phone in a plastic electronics box from Radio Shack. We then covertly placed this unit on the target vehicle.
We watched a laptop computer as it read out the phone’s direction of travel, speed and location. Within three hours of installation we watched as our target slowed to 0 mph and sat. The troops were called in to surround an area business. As they neared the location on foot, they observed the smashed front window of the business. Over the radio we heard, “We have a subject inside, stand by, stand by.” Units took positions outside and waited.
Soon a subject emerged from the rear of the business carrying a safe. As he was taken into custody, the look on his face was priceless. “How did they know I was going to be there?” he later asked a detective. He received a simple answer: “You can run and hide from the police, but you can’t run and hide from technology!” The burglar later admitted to 30-plus burglaries over a three-month period and is currently serving a 15-year prison sentence.
Sometimes it may seem we are living a chapter of George Orwell’s book 1984. The proliferation of cell phones in our society has tied each of us to a number, a device that, if the power is on, can find us, talk to us, write to us and send us a picture or video from almost anywhere in the world.
These devices present police officers with tracking opportunities unintended by cell-phone designers, and we must take advantage of them. Of course, locating a handset does not necessarily locate its subscriber—someone else may be using it—but investigators must know what type of data they can obtain. So, let’s break down cell-phone tracking and see how you can apply it to your own investigations.
The call-detail record (CDR) is a historical record produced by a subscriber’s carrier for billing purposes. These records indicate the originating number, terminating number, duration, switch used by the carrier and, most importantly for this article, the locations of the towers the phone utilized. Investigators can plot the record of the cell towers utilized by a subscriber in outgoing or incoming call/text/data usage onto a map to show the movement of the cellular handset during a specific usage period.
Let’s say you would like to obtain call-detail records for a specific cellular number. Before submitting this request to a carrier, you must identify the cellular company using the phone number. With today’s ability to port a cellular number, you must take some extra steps to accomplish this task.
What’s porting? Back in November 2003, the Federal Communications Commission made wireless local number portability available. This allowed consumers to retain their current phone number when they changed carriers. For investigators, this means that just looking up a phone number utilizing various tools (e.g., international numbering plans) might cause you to send a request to the carrier that formerly held the subscriber’s information, not the current carrier. You must check to see if the target number has been ported by the subscriber before requesting the subscriber’s records.
One place to do that is Neustar (www.neustar.biz). Neustar is free to law enforcement, but you must request the service via its Web site. Once approved, the organization will contact you via telephone and issue you a PIN. Once you have this PIN, you can call Neustar and enter up to 10 phone numbers to check on portability. It’s an invaluable resource.
So, how long do the carriers keep the records? There is really no set time—the carriers are not consistent and there is no regulation. However, you should use 30 days as a rule of thumb for historical tower records because after 30 days the carriers start to archive the data. When the data is archived, the historical records you will receive will most likely be mailed to you. If you request records prior to 30 days, you likely will receive the data in electronic format, i.e., Microsoft Excel. This is the preferred way to receive the records because it allows you to 1) search the records easily, and 2) place the data into mapping software.
To get these records, first send preservation letters to the carriers immediately to start the preservation of the call data you will soon be requesting with the proper court paperwork. Then serve the carrier with a search warrant or court order—you can do it via fax. (Because the CDR includes cellular-tower usage data, the carriers request a search warrant or court order with CDR requests to remove the liability monkey from their back. As a side note, if you’re just looking to obtain subscriber information, a subpoena will suffice.)
You can also obtain a live track of a cellular phone by asking the carrier to set up the equivalent to a pen register or trap-and-trace device, which captures incoming electronic or other impulses that identify the originating number or other dialing, routing, addressing, and signaling information reasonably likely to identify the source (provided such information does not include the contents of any communication). At this time, most carriers will give you only the cellular towers utilized during phone usage, but in our experience, direction of travel, speed and location are surprisingly accurate using only tower information and RF mapping. Carriers can often use triangulation, and they state they can identify a handset at 50 meters. Some carriers (e.g., Nextel) will allow you to send a signal to or “ping” a phone and receive its actual GPS location in latitude and longitude at the time of the ping. The carrier will request, as in a pen register, a court order signed by a judge and outlining why the ping is needed to locate this subject. At press time, Verizon can track the GPS locations of subscribers on its network as long as the subscriber has GPS-enabled the phone and there are exigent circumstances.
Speaking of exigent circumstances, what if you need the location immediately? All carriers allow law enforcement to receive location data without a signed court document if the circumstances are exigent. Most carriers realize that violent offenders, missing children and homicide suspects are time-sensitive situations and to obtain the paperwork with judicial review could mean disaster. What the carriers do require, however, are documents that outline the exigent need faxed to them with the target number and your acknowledgment that they will receive a court order or search warrant completed and sent to them within 48 hours. Once they’ve received this paperwork, they will attempt to locate the handset in real time. Note: Not all carriers can complete this task due to older cellular switches in their networks.
Cell Phones & GPS
You can also use cellular handsets as a GPS device like we did with the Treasure Valley burglar. Not necessarily as a receiver, but as a transmitter. You can load a Nextel handset, for instance, with navigation software such as Accutrack (www.accutracking.com) and TelNav (www.telenav.com), and direct the phone to transmit its location every 60 seconds. The coordinates of the handset can then be viewed via Internet. This technology has been tested several times on live tracks with a 100-percent success rate.
Many departments around the United States are using phones from Nextel or Boost, placing the tracking software on the handset and then attaching the handset to the vehicle or package. Tests indicate that with a standard battery, investigators can expect more than two days of live tracking on their suspect. An extended battery could possibly double the handset’s tracking life. If the handset is not recovered, all you lose is a device that costs under $100, as opposed to an Orion tracking device that costs $600-plus.
Other options for cell phone tracking include live tracking using equipment from the private sector. Due to the sensitive nature of using this equipment, we don’t want to divulge exactly how this it works in the field. If you are interested in learning more, please e-mail Karl Dunnagan at email@example.com using your agency contact information. Once we’ve verified you as a law enforcement officer, we’ll send you the contact information of the company that provides this type of equipment.
Use This Resource
The cellular community grows larger every day, and the cellular networks must continue to grow and upgrade their equipment and technology to handle the call volume. Law enforcement personnel can use these networks as a tool to identify, track and locate our targets. Bottom line: Whether you are using historical CDR tracking, simple GPS-enabled phones as tracking devices or live tracking equipment, putting the bad guy at the scene of the crime is now up close and personal even from miles away.
Karl Dunnagan is a 14-year veteran of the Los Angeles County Sheriff's Department (LACSD) and a 2006 Timothy Fidel nominee finalist. From 1999–2005, Dunnagan was assigned to the Technical Operations Detail for the LACSD, which is a part of the Southern California High Tech Crime Task Force. He is a member of the National Association of Technical Investigators as well as the High Tech Crime Investigators Association. Dunnagan founded Mobile Forensics Inc. (mobileforensicstraining.com) and serves as a technical advisor for such television shows as “Law and Order: SVU” and “Shark.”
Lee Reiber is an 11-year law enforcement veteran. From 2002–2006 he has been assigned to the Criminal Investigations Division of the Boise Police Department in Boise, Idaho. His primary duty with the Boise Police Department is the forensic analysis of both computers and mobile devices to assist investigators with their criminal investigations. Reiber strives to educate and inform both the law enforcement community as well as the private sector of the valuable information contained in the cellular handset. In addition to founding CellPhoneDetectives.com, Reiber is also the lead instructor for MFI Training.