Call detail records are coming into play more often in cases every day. The purpose of the call detail records is to bill customers for cellular usage. However, they are also being used in court to attempt to place the cell phone user in a geographical location based on the tower used by the cell phone to send or receive a phone call, text message, or Internet data connection. This kind of evidence is fraught with potential misunderstanding by courts and juries alike and should be treated accordingly.

The purpose of the cellular network is to allow cellular phone companies to provide wireless phone calls and data transfer at the least expensive cost in terms of infrastructure, power usage, and coverage area. The cellular system was not designed to locate cellular phones beyond simply knowing if a cell phone can be reached to connect a call. In other words, cellular mobile phone networks are optimized for capacity and call handling, not for location of cellular phones.

The cellular phone system is part of the regular telephone system or Plain Old Telephone System (POTS), which provides the public telephone system we all use every day.

The cellular system is equipment that has been added to the POTS network to accommodate wireless voice and data calls.

The system is made up of cell towers, base transceiver stations (BTS), Mobile Switching Centers (MSC), radio network controllers (RNC), and the home and visitors (roamers) location register. Figure 33.1 shows a cell tower with antennas in a three-sector configuration.

A cell tower normally covers an area that is roughly circular in shape and can be divided up into sectors. Figure 33.2 shows a top-down view of a cell tower divided into three sectors. In a call detail record, each sector will be numbered so the sector can be identified. The sector number will be the first number in the cell tower ID.

At the base of every cell tower there is a base transceiver station (BTS) that processes and handles local radio communications with cellular phones and facilitates communication between the wireless network and the landline network. The tower, antennas, and base transceiver station make up a cell site. Figure 33.3 shows a cell tower and BTS that make up a cell site.

The base transceiver station (BTS) is connected via landline to a radio network controller (RNC). The RNC manages several base transceiver stations. The radio network controller is connected to a Mobile Switching Center. Each Mobile Switching Center (MSC) manages the cell towers in a single coverage area. One or more Mobile Switching Centers make up a location or market area.

Figure 33.4 shows all of the pieces connected together into a functional wireless network.

The Home Location Register (HLR) is a large database that permanently stores data about subscribers. The HLR maintains subscriber-specific information such as the individual cell phone, and the SIM card identifies the current location of the cell phone, roaming restrictions, and subscriber-supplemental features for each phone that belongs to the wireless carrier. There is logically only one HLR in any given network, meaning that there is only one master HLR database, but generally speaking, each network has multiple physical HLRs spread out across its network to account for hardware failures.

The visitor location register (VLR) is a database that contains the same type of information located on the HLR, but only for subscribers currently in its Location Area. There is a VLR for every system to store the information about a mobile phone that is roaming in the system.

Figure 33.5 shows the cellular systems for two wireless carriers side by side. If a subscriber of Carrier 1 calls a subscriber on Carrier 2’s system, the call must go first to the home location register for Carrier 1. Carrier 1 will recognize that the subscriber belongs to Carrier 2 and will contact Carrier 2’s HLR to locate the phone to make the call.

Figure 33.6 shows a cellular system with all the parts in place.

A cell phone is basically a two-way radio and communicates with cell towers via radio signals. When a cell phone is turned on, it registers with the cellular system by contacting the cell tower with the strongest signal, which may or may not be the closest tower. This allows the cellular system to know how to find the cell phone in case the system needs to route a call to the phone. Records of this process are not part of a call detail record since this is not a billable transaction. In most cases, these registration pings are only present for a few hours and are not recoverable after the fact.

At this point, the cellular system knows the tower location of the phone, which market it is in, and whether or not the phone is a “registered” phone. In other words, a registered phone is one that has an active account and can receive calls or make calls.

Once the phone is turned on and operating, it will periodically “ping” the tower with the strongest signal to maintain its registration so the system can locate it for incoming calls.

These registration pings are recorded in the equipment located at the individual cell towers and are maintained for a very short length of time, normally less than 48 hours.

It is important to remember that cellular service providers use derived information in call detail records for use in their billing, coverage, and analytics.

Call detail records are a potential form of evidence, but the claims made based on them are often overstated when they are used as evidence. Knowing the merits and limitations of call detail records is critical when bringing them to bear in a case. Call detail records need a significant amount of supplementary information to be of most use, such as the maintenance records or trouble tickets of the cell towers referenced in the call detail records, information about the configuration of cell towers of interest, and the radio frequency maps, if available, for the cell towers. These and other factors must be taken into consideration and dealt with if an examination of call detail records is to be performed comprehensively and correctly.

One of the most important things to remember is that a cell phone cannot be located from a historical call detail record. The best that can be done is that the phone can be placed in a general area corresponding to a cell tower that was connected to the phone at a particular time when a call was made or attempted.

What the call detail record report contains varies by carrier; however, they will usually supply the following information for each call attempt:

Figure 33.8 shows the portion of a call detail record containing the date, time, and number called. This kind of information is part of what is used to perform an analysis of call detail records by providing the timeline information for an incident.

Once it is established that the date and times of phone calls in the call detail record correspond with the timeline in a case, the next step is to get the cell tower identifier from the call detail record.

Figure 33.9 shows the part of the call detail record that contains the cell tower identification number or CID. Note that carriers use different abbreviations for the cell tower ID. Some use terms like SZR or other designations for the tower IDs.

The cell tower ID (CID) in this case is a five-digit number. The first number is the sector of the cell tower and the last four digits are the cell tower ID number.

Using this information, a call can be associated with a particular cell tower and sector of a cell tower. This is done by matching the cell tower ID from the call detail record with the cell tower ID on the list of tower locations that should always be supplied with any subpoena request for call detail records. Requesting call detail records is covered in Chapter 24. Figure 33.10 shows a portion of a cell tower location report with the geolocation information for the towers. By matching the cell tower IDs from the call detail records with the tower IDs in the cell tower location report, you can determine the geolocation of the tower using the latitude and longitude for the tower.

With the development of the Enhanced 911 system (E911), it is possible to locate a cell phone with varying degrees of accuracy and success depending on the level of E911 services available in the locality.

By the end of 2005, wireless telephone carriers were required to comply with the Federal Communications Commission regulations for the E911 system.

However, even at this late date, the FCC continues to issue waivers to telephone companies for areas where full implementation of the E911 system has not been fully implemented for technical or geographic reasons.

With the advent of wireless technology, a system had to be implemented that could handle the location of a wireless caller when he or she dialed 911.

The purpose of the E911 system is to provide enhanced information to emergency services personnel when a caller dials 911. These enhancements include the number calling, the address of the caller, and the ability to call the caller back if they should hang up.

Figure 33.13 gives a visual overview of the E911 system. The PSAP operator may update the location on demand. It is not automatic.

However, the reality of it is that the E911 system is not fully implemented in all areas due to several factors, including geographic considerations and lack of cell towers that would make accurate location of a cell phone impossible. If the E911 call is a Phase 1 call, all the wireless carrier is required to provide is the calling number, and the location of the cell tower. This means that the call location can be anywhere in the overall sector of the cell tower coverage area. As shown earlier, a single sector of a cell tower coverage area can be very large, especially in rural areas.

If the E911 call is a Phase 2 call, then there is a good likelihood that the cell phone location will be accurate to several hundred feet.

Even though the Public Safety Answering Point (PSAP) may be able to receive location information, the ability to handle the information is not consistent throughout the system. In one case in Tennessee, Germantown dispatchers were unable to locate a cell phone from the location information even though the information was transmitted to the PASP dispatcher.

In an emergency situation where a person is in immediate danger, the E911 system can be activated to locate the phone, providing that the phone is turned on and in an area where the phone can receive a cellular signal.

In this chapter we looked at how call detail records and cell phone location works, both as historical data analysis and via the E911 system. We discussed the makeup of the wireless phone system and how cell phones work within the wireless system.

We also discussed the content of call detail records and the methods used to attempt to provide location information for a cell phone from those records. The reality of attempting to locate cell phones via historical call detail records is suspect at best and highly inaccurate in worst-case scenarios. Beware of this type of evidence being used to pinpoint the location of a person via these records unless they dialed 911 from the cell phone and the local E911 system is fully implemented for accurate location services.