Contents of the article
Not just CDR
If there are a lot of anonymous devices
Telephone terrorism: what if the call was really one?
And if you make calls via VoIP using a VPN?
How the analysis is done
Somehow it's all ... unreliable!
Imagine this situation: an unknown person calls from a disposable phone and demands a ransom for someone he has kidnapped. The next day, the offender calls again. The victim contacts the police, and within half an hour they find out not only the caller's real number but also the entire history of his movements and calls. And all this without complex equipment, fake base stations or signal interception.
We regularly write about vulnerabilities in smartphones and data networks and about the security of cloud services. We are so used to "thinking hard" that we completely forget that much simpler and more effective methods exist and are available to police forces in different countries.
Often the police will not even try to hack or intercept anything, but will simply send a request to the mobile operator, and the operator will hand over not only the call history but a lot of other interesting information as well. One example: an article about an Australian journalist that analyzes the information collected about him by his mobile operator (and by the operator alone) over the preceding two years.
Under Australian law, mobile operators are required to store certain information about network users, the Call Detail Record (CDR) database, for two years. This includes information about the location of the device at any moment (incidentally, a precedent was recently set in Sweden: this information alone is not enough to hand down a sentence), a call log including information about the other subscriber, and data about Internet access sessions. As for SMS, under the Australian privacy law the operator, without prior authorization for interception, has the right (and the obligation) to save only metadata: time of sending, message size and addressee. The content of the messages themselves (and even more so of voice calls) is not saved.
[Figures from the original article: the information gathered by the operator about the journalist; places visited by the journalist on April 1, 2015; places he visited most often during the given period. Interactive versions of this data are available via the link.]
Metadata includes information about whom the user called and messaged, the duration of calls, and which base stations the phone was connected to at which moments (this information makes it possible to determine the device's location quite accurately). In some countries (we will not point fingers, but it is the United States), operators not only hand user location information to the police but also happily trade in such data.
Most interesting of all, mobile operators have available (and hand over to the police, as well as sell to anyone) details about Internet use, including website addresses and the amount of data transferred. This is a separate topic for discussion; the data is collected by tracking requests to the provider's DNS servers. Operators are happy to trade in this data too; the trough is so lucrative that operators have even tried to block clients from using third-party DNS servers.
US mobile operators are also required to keep CDR records. In addition, in the United States the intelligence agencies maintain a single MAINWAY database, in which records can be stored far longer than mobile operators are legally permitted to keep them.
In Russia, the so-called Yarovaya Law has been adopted, which obliges mobile operators to store metadata for three years (the list of data almost completely coincides with the Australian version of the law). In addition, since October of last year, operators are required to store users' text, voice, video and other messages for at least 30 days (but no more than six months). Accordingly, in Russia any call must be recorded by the operator and handed to the police on a lawful request.
Not just CDR
In the study mentioned above, the journalist Will Ockenden used an iPhone. A correctly executed request to Apple (in the company's terminology a Device Request, that is, a request in which the police have nothing but the hardware identifier of the device, the IMEI) will allow the police to receive the data that Apple collects about the user, and that includes almost everything, with rare exceptions. Here, for example, are the statistics of requests to Apple from Russia.
For comparison, in the United States over the same year the police requested information on 19,318 devices (81% of requests were successful). Google offers an interactive chart, which can be found here.
And while Apple does not provide the police with data such as user passwords, device usage statistics, SMS/iMessage messages and Health data (a history of the user's physical activity, including the number of steps and heart rate in a given time interval, useful for catching not only criminals but also unfaithful spouses), Google will give up everything, including passwords (to be completely technically correct, I will add that backup encryption appeared in Android 9; accordingly, the police will receive neither the backups nor the SMS and call logs stored in them).
Criminals who use their primary phone for threatening calls, extortion and other offenses have almost died out by now; above, we explained in detail why. What does that leave the criminal? Disposable SIM cards (we will not discuss here how criminals obtain such cards) and disposable (usually cheap push-button) devices, preferably with no Internet access at all.
To get at least some information about a suspect, the police need at least one clue, and an IMEI is enough. But what can be determined from the identifier of a device that was switched on for just a few minutes? Having read conspiracy theories (a perfect example), novice criminals nervously pull the battery out of the phone, switching the device on only to make a call.
Of course, none of them gives a thought to what happens when the device is switched on and off (both a normal shutdown and an abrupt one, with the battery pulled). Moreover, few of them wonder whether police investigators are aware of such a pattern.
Confident of his safety, the criminal leaves home (if he does not leave, it is very likely that his location will be determined immediately or after the fact, once the logs are analyzed) and calls from the disposable phone. Where is his main phone at this moment? Let us consider the options.
Let us start with the most typical situation: the "suspicious" call is made from a one-time, "anonymous" phone, while the criminal has his own phone with him. There is nothing unbelievable about this; just read the police reports to see that this is how the majority operate.
The police request CDR records from the mobile operator for the period in question. Depending on the country and the laws in force there, the operator returns either raw data or an anonymized list of devices (each hardware identifier replaced with a hash). In effect, the police receive a ready-made list of devices connected to the cell in which the device the call was made from was registered. The assumption is that the criminal's own phone will be among them.
Several thousand subscribers can be connected to the same cell at the same time, so a single request will not give the police much. However, if the offender calls the victim again, no matter whether from the same cell or from another (another is even better), the police receive additional samples. Next, the sets of devices that were registered in the same cell at the time of each call from the "anonymous" device are intersected; as a rule, only a few dozen or even a handful of identifiers remain after the second or third sample.
Of course, in practice everything is somewhat more complicated. For example, analysts take into account not only the connection to the specific tower from which the call was made, but also data from neighboring towers. This data makes it possible (and made it possible, incidentally, even fifteen years ago) to perform triangulation, determining the location of the device to within several tens to several hundred meters. You will agree that working with such a sample is noticeably more pleasant.
However, in large cities with high population density (anonymous calls are often made in crowded places), the circle of suspects may still be too wide even after the third sample. In such cases (not always, but in especially important cases) "big data" analysis comes into play. I managed to find out more about this two years ago from an opening speech at the police congress in Berlin. The analyst examines the behavior patterns of the devices denoted by the conditional identifiers. Phone conversations, active data consumption, movement in space, the time of registration in the cell and a number of additional parameters make it possible to exclude a significant share of the devices, thereby considerably narrowing the range of suspects.
Conclusion: the easiest criminal to detect is one who carries a personal device (a personal smartphone) with him and moves around. He makes an anonymous call from one cell, and a large set of devices is outlined. He makes a second call from another cell, and the list of devices following the same
All the police need is the raw CDR data and software into which it can be loaded and analyzed (raw data is of little use for manual analysis, but filtered data can be displayed as text or printed).
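The intersection step described above, written out as an added example for this edit (it is not code from the article or from any forensic product; the device IMEIs, cell names, timestamps and the five-minute matching window are all constructed):

```python
# Added example: intersecting per-call CDR samples to narrow the set of
# devices that were registered in the same cell as each "anonymous" call.
# All records, IMEIs, cell names and times below are constructed.
from datetime import datetime, timedelta
import hashlib

def pseudonymize(imei: str) -> str:
    """Some operators hand the police hashed identifiers instead of raw IMEIs."""
    return hashlib.sha256(imei.encode()).hexdigest()[:12]

def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed cell-registration records: (device id, cell, registration time).
RECORDS = [
    (pseudonymize("350000000000001"), "cell-A", ts("2015-04-01 10:01")),  # suspect's own phone
    (pseudonymize("350000000000001"), "cell-C", ts("2015-04-02 10:58")),
    (pseudonymize("350000000000002"), "cell-A", ts("2015-04-01 10:00")),  # lives near cell-A
    (pseudonymize("350000000000002"), "cell-A", ts("2015-04-02 11:00")),
    (pseudonymize("350000000000003"), "cell-C", ts("2015-04-01 10:02")),  # lives near cell-C
    (pseudonymize("350000000000003"), "cell-C", ts("2015-04-02 11:03")),
    (pseudonymize("350000000000004"), "cell-A", ts("2015-04-01 10:40")),  # outside the window
    (pseudonymize("350000000000004"), "cell-C", ts("2015-04-02 11:01")),
]

# Time and cell of each call made from the disposable phone (constructed).
ANONYMOUS_CALLS = [(ts("2015-04-01 10:00"), "cell-A"),
                   (ts("2015-04-02 11:00"), "cell-C")]

def sample(records, call_time, call_cell, window=timedelta(minutes=5)):
    """Devices registered in the call's cell within +/- window of the call."""
    return {dev for dev, cell, t in records
            if cell == call_cell and abs(t - call_time) <= window}

def narrow(records, calls, window=timedelta(minutes=5)):
    """One sample per anonymous call, intersected cumulatively: the list's
    i-th entry is what remains after calls 1..i+1 have been combined."""
    samples = [sample(records, t, c, window) for t, c in calls]
    return [set.intersection(*samples[:i + 1]) for i in range(len(samples))]

if __name__ == "__main__":
    for n, remaining in enumerate(narrow(RECORDS, ANONYMOUS_CALLS), 1):
        print(f"after call {n}: {len(remaining)} device(s) remain: {sorted(remaining)}")
```

With these records the first call leaves two candidates and the second call leaves only the suspect's phone; the device seen in cell-A forty minutes later is never a candidate because it falls outside the window.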
The popularity of this investigative method is evidenced by the fact that almost every serious forensic package supports CDR records. Examples: Penlink, HAWK Analytics, GeoTime, CSAS, the Russian Oxygen Forensic Suite from Oxygen Software, Advanced Cell Tracking and many others. That said, we have had dealings with police officers who successfully used a combination of Google Maps and Microsoft Excel in their work.
Without a doubt, the intelligence agencies are armed with special equipment that can jam cellular communications, impersonate a base station or spoof GPS coordinates. But the police do not use most of this equipment, at least when investigating routine crimes by telephone terrorists and extortionists. It is expensive, troublesome, time-consuming, by and large unnecessary and sometimes ineffective. CDR (Call Detail Record) log analysis is a far more efficient investment of time and effort.
A case that occurred several years ago in the UK is illustrative. Police were monitoring one of the bosses of a drug cartel. Detaining him was not a problem, but there was no evidence, and the case would have fallen apart in court. According to the police, the criminal's phone (he used an iPhone) could contain vital evidence, but at that time it was not possible to crack the passcode of a fairly recent model. As a result, an operation was developed and the offender was put under surveillance. As soon as he picked up the phone, unlocked it and started typing, the drug lord was detained, and the phone was literally wrested from his hands.
What is interesting here is not the backstory but a seemingly insignificant detail: in order to bring the criminal's iPhone to the laboratory in an unlocked state, a dedicated officer was assigned whose entire job was to periodically swipe a finger across the screen so that the device would not go to sleep. (Do not take the police for simpletons: everyone knows there is a setting that controls how long it takes before the screen turns off and the phone locks. But not everyone knows that a configuration profile that prohibits disabling auto-lock can be installed on the phone in a few clicks.) The phone was successfully brought to the laboratory, the data was extracted, and the necessary evidence was obtained.
Somehow it's all ... unreliable!
If after reading this article you have the impression that it is somehow not quite right to base a sentence on data received from mobile operators, I hasten to agree. Moreover, the Danish Supreme Court agrees with you, having limited the prosecution's use of location data from CDR records. The ban did not come out of the blue: of 10,700 convictions based on such data (a lot for a quiet little country), 32 people were found not guilty after additional checks. According to the director of the Telecommunications Industry Association, "this infrastructure was created to provide communications services, not to monitor citizens." "Attempting to interpret this data leads to errors," and "evidence that appears to be based on accurate technical measurements does not necessarily carry high value in court."
At most continuing-education courses for police officers it is invariably stated that digital evidence cannot be trusted completely, regardless of how it was obtained. They talk about cases in which a suspect's location was determined from the metadata of photos that had been synchronized through the cloud and were not taken by the device itself.
One telling case: answering an incoming call was interpreted as "distraction while driving" that led to an accident. In fact, the push-button phone was lying peacefully in the driver's pocket at the time, but an accidentally pressed button made the phone "answer" the call, which was registered by the operator. The defense managed to clear the driver by questioning the other subscriber, who testified that no conversation took place (what "really" happened is unknown, but the court sided with the accused).
I am sure such a case is far from the only one. CDR data is a great tool in the hands of an investigator, but unreliable as evidence.
What conclusions can be drawn from this article? Now that almost everyone has a personal smartphone or at least a push-button phone, everyone leaves a "digital footprint". This footprint contains far more information, and getting at it is much easier, than many people realize. To obtain all the information of interest to the police, only one clue is needed, and it can be the hardware identifier of the criminal's personal smartphone, even if he has never used his personal device for criminal purposes. Obtaining such a clue is the result of routine, ru