Primer on Types of Cellphone Evidence
Cellphones have become an integral part of modern life. We use them to communicate by phone, text message, email, and mobile applications. Cellphones are also tools to take photographs, film videos, and to access the internet for countless reasons related to daily life such as to pay bills, access bank and other accounts, transfer money, read the news, conduct research, and more. The list of ways and reasons we use our phones is endless and varies from person to person. Because of how pervasive phones have become in modern life, it is no surprise they are regularly targeted and seized by law enforcement during criminal investigations.
Criminal investigations seek cellphone evidence in various forms to detect criminal activity and to obtain evidence necessary to prove crimes. The various forms of cellphone evidence include:
- pen register information
- Toll data information
- 911 GPS ping information
- cell site data
- digital forensic extractions (DFE)
Below is a summary of each type of evidence, to include how it is obtained by law enforcement and the information it provides.
Toll Data Information
Toll data information may be obtained by law enforcement from cellphone service providers using a subpoena. Toll data consists of historical, detailed call and text message activity sent and received by a particular phone number, referred to during investigations as a target telephone (TT). The data will show all incoming and outgoing calls by the TT during a specified time period, to include the date, duration, and numbers participating in each call. Toll data will also provide the same for text messages.
However, it does not include the substance of text messages. Toll data information for messages only relates to SMS text messages, and not messages sent or received utilizing mobile applications such as iMessage, WhatsApp, Facebook messenger, and more. These and other applications use the internet to send and receive messages, opposed to the cellular service. Therefore, the cellphone service provider is unable to capture this data, as it does with SMS text messages. Once law enforcement collects toll data information, it identifies the numbers the TT was in communication with and compares them to other numbers that have been identified by other investigations as associated with suspected criminals and/or criminal activity.
Pen Register Data
Pen register data may only be obtained with a court-authorized search warrant, supported by probable cause. Pen register data is similar to toll data, except that the information from the pen register is provided by the cellphone carrier to law enforcement in real time. It enables law enforcement to monitor, in real time, a TT’s call and SMS text message activity. It does not, however, enable the monitoring of text and instant message communications through mobile applications that utilize the internet. When a pen register warrant is issued, it is normally limited to one or more TTs for a specified time period. If law enforcement requires an extension of time to continue monitoring real time call and SMS text activity, it must apply to the court.
911 GPS Ping
Callers in need of emergency assistance may dial 9-1-1 from a cellphone. To aid 911 emergency responders with providing aid to callers, a cellphone service provider using the cellular network may determine a particular phone’s GPS location. Phones active on a network silently communicate with the network to provide their GPS location. This is known as 911 GPS ping. Cellphones periodically and silently ping the network, communicating their location.
The ping intervals vary by carrier and other factors, but range from seconds to a few minutes. The pings are designed to inform emergency responders of a 911 caller’s location in the event he or she cannot communicate it directly to a 911 operator. Law enforcement often seeks this information when attempting to track the location and movements of a suspected user of a particular cellphone.
The data provides real time information as to a TT location. Law enforcement seeking 911 GPS ping data must obtain a warrant supported by probable cause to believe the data will yield information about criminal activity. When issued, the ability to obtain this location data is limited to a particular TT for a specified time period.
If law enforcement requires an extension of time to continue monitoring this information, it must apply to the court.
Cell Site Data
Cell sites are radio towers that comprise a cellphone network. The towers transmit calls, text messages, and data downloaded or uploaded using the internet. Law enforcement may subpoena cell site information pertaining to a particular TT. The historical information will provide detailed date and time as to when calls, texts or data was transmitted, and by what particular cell site or tower within a cellphone carrier’s network.
Each cell site also consists of three sectors, totaling up to 360 degrees. For example, sector one is 0 to 120 degrees, sector two is 120 to 240 degrees, and sector three is 240 to 360 degrees.
Cell site data not only includes which tower transmitted the call, text or data, but also by which of the three sectors of the cell site. Armed with this information, law enforcement will attempt to estimate the physical location of a TT during a cellphone transmission.
This information is not as precise or as accurate as real time 911 GPS ping data. However, cellphone providers are able to determine that the TT was located within a particular radius, measured in feet or percentage of a mile, when transmitting a call, text or data. Law enforcement may obtain cell site data from a cellphone service provider using a subpoena. A warrant is not required.
Digital Forensic Extractions
When collecting evidence during criminal investigations, law enforcement routinely seize cellphones. Once in possession of a device, law enforcement may wish to search the contents of the device. Beforehand, the investigator must either obtain consent of the device’s owner or user, or a court-authorized search warrant.
Once authorized to search the device, an investigator must first gain access to its contents by overcoming any security features such as passwords, electronic fingerprint recognition, or facial recognition. Once accessible, the device will be connected to a piece of digital hardware or equipment, which utilizes software to extract the data stored on the phone.
This data is then downloaded onto a computer where it is sorted and analyzed. The extracted data will include call history, text message history, mobile application usage history, internet browsing history, photos, videos, GPS data of the phone’s historical location, metadata regarding any files stored on the device, and more. Deleted data may sometimes also be recovered during a digital forensic extraction.
The amount and quality of the data extracted varies by the level of security on the device, the operating system and version of software on the device, and the sophistication of law enforcement’ s extraction hardware and software.
Cellphone evidence analysis
Cellphone evidence is often analyzed by an expert in conjunction with a criminal case. Police departments often have staff who are trained, certified and/or experienced with digital forensic extractions and with understanding and interpreting the various types of cellphone evidence. Sometimes these experts are willing to speak with and even assist defense attorneys, other times they are not.
It is recommended that criminal defense attorneys consult with an independent expert regarding cellphone evidence. This will assist with understanding government witness cellphone evidence collection methodologies, understanding reports, and may even lead to the discovery of independent evidence or competing interpretations of existing evidence.
As technology continues to evolve, so will the methods and means by which criminal activity is committed and investigated. Being familiar with the types of cellphone evidence will enable defense attorneys and prosecutors alike to better analyze case evidence, prepare and draft pretrial motions, develop questions for in-court direct and cross-examinations, consult with digital forensic experts, and overall, prepare for trial.
This primer was designed to provide an overview on the types of cellphone evidence presently available. Because technology rapidly changes, individual practitioners should work to stay abreast of technological advances and developments that may affect the ways we practice law.