
Cell Site Analysis

A Basic Guide
Version 1.1 [public]
23/07/2014
TRN-0033

Automating Cell Site Analysis

www.forensicanalytics.co.uk

Executive Summary Cell Site Analysis


Cell site analysis attempts to provide evidence of where a mobile phone may have
been when certain calls were made.
Mobile phone networks consist of a large number of radio cells each of which
covers a limited geographical area. Each cell is assigned a unique Cell ID, which
is captured in the billing record (CDR) when calls are made.

[Figure: a mobile phone in a radio cell with a unique Cell ID, served by a cell site; the resulting CDR records date/time, called/calling numbers and Cell ID]

Network operators are able, under tight regulatory guidelines, to provide details of
the calls made by target phones and can also provide details of the locations of
the cells used by those phones.
Cell site analysis is designed to enable an investigator to determine whether calls
made at or around the time of an incident or offence used cells that are located
near the location of that offence.
Additional evidence can be provided by undertaking an RFPS (Radio Frequency
Propagation Survey) at each significant location. RFPS equipment captures details
of the cells that can be detected at a location and can indicate which cells are
most likely to be selected for use by a phone at those locations.
Cell site analysis, based on a combination of a phone's billing records, cell location
details and RFPS results, can provide compelling evidence to support an allegation
made by investigators.

Forensic Analytics Ltd 2014


What Cell Site Analysis Can (and Can't) Prove


Cell Site evidence works best as supporting evidence. On its own, cell site
evidence is generally considered to be too open to interpretation to be used as the
sole or the primary evidence in a case.
The simplest thing that cell site evidence can prove is that a target phone used a
specific cell to make a call at a certain time. The target must therefore have been
somewhere within the coverage footprint of that cell when it was used.
If the coverage area of a cell can be measured (by undertaking an RFPS cell
coverage survey, for example), then a reasonably exact area in which the phone
must have been located can be determined.
This level of evidence is commonly used to help prove or disprove an alibi. For
example, with cell site it is possible to prove where a handset wasn't located. If
someone states that they were in Birmingham at the time of an incident and the cell
site evidence points to the handset being in London then that alibi can be shown
to be potentially false.
RFPS spot surveys may be undertaken to provide details of the serving cells at a
specific address or location. If a target phone used one of those cells at around the
time of a significant event, it is possible to conclude that the
user of the target phone could have been at that location at that time.
Note the use of the words "could have been" in the previous paragraph. Unless a
cell can be shown to provide coverage only to the surveyed address, the fact that a
cell used by the target phone serves at that location doesn't necessarily prove that
the phone was actually there. The target phone may alternatively have been
anywhere else in the cell's coverage area at that time.
If there is other evidence available (eyewitnesses, CCTV images, ANPR hits,
credit card usage records) that helps to place the alleged user of the target phone
at the significant location, then the cell site evidence can provide very compelling
reinforcement of that evidence.
If the cell site evidence is all that the investigator has to tie the suspect to a
location, then a level of uncertainty must be accepted.
In general, except in very specific and unusual circumstances, cell site evidence
cannot be used to prove that the user of a phone was definitely at a particular
location and nowhere else. At best, cell site evidence can be used to show only
that it is possible for the user of the phone to have been at a location.
Additionally, cell site evidence typically provides evidence of where the user of a
mobile phone may or may not have been when calls were made. Cell site evidence
generally does not provide proof of the identity of that user - cell site analysis is
used to identify the potential location of a handset, not the hand holding the
handset - so it is recommended that cell site analysis is only undertaken once a
solid attribution for the target phone(s) relevant to a case is made.
In summary, the closest that cell site analysis can come to placing a handset is to
conclude that it could have been at or in the vicinity of a given location.


The Components of Cell Site Analysis


The elements that combine as inputs to cell site analysis include:

- The CDR (Call Detail Record) billing data for each target phone
- Details of the locations of the cells used by the phone
- Details of the events, times and locations significant to the case
- Solid attribution of the target phone(s) to the suspected individual(s)
- Ideally, a description of the specific allegations the investigators would like
  tested against the cell site data

[Figure: the inputs (events and locations, cell addresses, attributions, CDRs, RFPS, allegations) feed the analysis, which produces the report, maps and call tables]

The elements that form the output of cell site analysis include:

- RFPS survey results, showing cell coverage at significant locations
- Cell site analysis report, providing conclusions related to calls or groups of
  calls and indicating if the evidence supports the allegations made or not
- Call tables, which list the call data provided for the target phone(s)
- Cell site maps, which provide a graphical view of the relationship between
  significant locations/events and the locations of the cells used by the target
  phone(s)

Forensic Analytics has developed CSAS, the Cell Site Analysis Suite, to automate
both the processing of call record data and the creation of survey reports, call tables
and mapping.
Collectively, the results of a cell site analysis can be used to prove (or disprove) the
specific allegations made in a case. It is important to remember that cell site analysis
can be just as useful to the Defence in a case as it is to the Prosecution.



Radio
Cellular networks use communications methods based on basic RF (Radio
Frequency) transmission principles.
A radio signal is essentially a targeted ball of energy that has a certain frequency of
operation and power level.
In the UK Ofcom (the Office of the Communications Regulator) are the custodians
of the Radio Spectrum. What this means is that only licensed operators have the
right to broadcast on certain frequencies. For example the BBC own the sole right
to broadcast on the frequencies that they use.
It is the same with Cellular Service Providers (CSPs). Each has an exclusive right
to broadcast on certain frequencies, for which they pay Ofcom a licence fee. For
example the recent 4G spectrum auction in the UK channelled £4 billion into
government coffers.
In general there are chunks of frequency spectrum that have been allocated to
Cellular Service Providers for previous generations of mobile technology. We only
identify one frequency when discussing these, but in reality, just like radio stations,
we have chunks of spectrum either side of (for example) 900MHz that are chopped
up into channels and allocated to specific CSPs for their Cellular Radio Access
Networks.
Radio signals have certain properties that must be borne in mind when gathering cell
site evidence: the higher the frequency (for a given power level) the shorter the
usable distance; the higher the frequency (for a given power level) the greater the
loss experienced whilst travelling through walls, vehicles, humans etc.
A radio signal can get reflected, blocked, bent or absorbed as it travels between A
and B. The only way to tell which signals can actually be received at a specific
location is to go and measure the radio coverage there, which is the reason for
taking forensic radio surveys as part of a cell site analysis report.
A radio wave is essentially a sine wave (an alternating cycle of radio energy), which
has a certain amount of power, and travels or propagates through free space.
One cycle per second is known as one Hertz (after the scientist who first described
this phenomenon) and is abbreviated as 1Hz. 1000 cycles per second is 1kiloHertz
(1kHz), 1 million cycles per second is 1MegaHertz (1MHz) and so on.
The basic terms employed to describe aspects of RF transmission include:

- Frequency - the rate at which a source electrical signal alternates and
  therefore also the number of cycles per second, with 1 cycle per second
  equal to 1 Hertz (1Hz)
- Wavelength - describes the distance a radio signal travels during one cycle.
  Radio waves move away from a transmitter at the speed of light (300,000km/second),
  so a 1Hz signal (one cycle per second) has a wavelength of
  300,000km for each cycle.
- Amplitude - describes the power level of a radio wave and is measured when
  the signal reaches the peak positive and peak negative points in its cycle.


Radio Spectrum
The range of possible radio frequencies is known as the Radio Spectrum. The
useable range of frequencies available within the radio spectrum runs from around
3kHz up to over 300GHz.
To ensure that interference between users is kept to a minimum, individual
systems or networks are licensed to operate within a particular range of radio
frequencies; this is known as a Frequency Band.

[Figure: Radio Spectrum, 3kHz to 300GHz, showing Radio Channels within the FM Radio Band (80MHz to 104MHz) and the 900MHz Band (880MHz to 960MHz)]

Within each band smaller allocations of frequencies are defined for individual users
of the network; these are known as Radio Channels. The bandwidth (i.e. the
range of frequencies used) of the radio channels used by a network is determined
by the amount of capacity the network assigns to each user.
UK cellular networks employ the same set of radio bands as other EU members.
The set of bands employed to support cellular services in the UK includes (or
potentially includes):

Band            Use
300MHz band     Airwave public safety network (TETRA)
450MHz band     possible future 4G LTE deployment
700MHz band     possible future 4G LTE deployment
800MHz band     EE, Three, Vodafone, O2 (4G LTE)
900MHz band     Vodafone, O2 (2G GSM, 3G UMTS)
1800MHz band    EE, Three, Vodafone, O2 (2G GSM, 4G LTE)
2100MHz band    EE, Three, Vodafone, O2 (3G UMTS)
2300MHz band    future 4G LTE deployment (to be auctioned in 2014)
2600MHz band    EE, Vodafone, BT (4G LTE)
3400MHz band    UK Broadband (4G LTE)

Details of the exact spectrum allocations currently in force in the UK are published
by Ofcom in the UK Frequency Allocation Table, which can be accessed here http://stakeholders.ofcom.org.uk/binaries/spectrum/spectruminformation/UKFAT_2013.pdf



Radio Measurements
The unit in which radio signal strengths are measured is the Watt (W), although the
milliwatt (mW) is also commonly used; one milliwatt is 1/1000th of a Watt.
To allow for simpler comparisons and calculation to be made when performing
radio measurements, engineers generally use decibels (dB) and decibel milliwatts
(dBm) respectively. The decibel uses a logarithmic scale to allow for simpler
comparisons of large and small numbers.
A logarithm is a mathematical term that can be paraphrased as "the power that
number X must be raised by to get number Y". An alternative way of writing this is:

$X^{a} = Y$

where a is the logarithm of Y to the base X.

A simple example of a logarithm is: $\log_{10}(100) = 2$, as $10^{2} = 100$


The dB scale provides a comparison of gain or loss between two values: a dB
measurement itself is not an absolute value; rather it is a comparative value.
Where dB will show the comparative difference between two values, the dBm
(decibel milliwatts) scale will provide a result that can be mapped to a specific
milliwatts value. dBm employs the same logarithmic scale as dB and is calibrated
around the value 1mW, which is equal to 0dBm.
A signal measured with a strength of 100mW will therefore equate to a value of
20dBm.
Positive dBm values (e.g. +20dBm) equate to values above 1mW, while negative
dBm values (e.g. -20dBm) equate to values below 1mW but above 0mW.
Radio signals lose power as they travel through space. If a cellular radio signal is
transmitted with an output power of 100W (50dBm) and is received by a distant
mobile device at or near the floor value of -110dBm, it would be at much less than
one billionth of its original power, which is a power loss level of over
99.99999999%, but that radio signal should still be able to carry a phone call.
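
The conversion behind the figures above, written out as an added worked example; the formula is the standard definition of dBm and is not stated in the original guide, and $P_{rx}$ and $P_{tx}$ (received and transmitted power) are symbols introduced here:

$$P_{\mathrm{dBm}} = 10 \log_{10}\left(\frac{P}{1\,\mathrm{mW}}\right)$$

$$100\,\mathrm{mW}:\; 10 \log_{10}(100) = 20\,\mathrm{dBm} \qquad 100\,\mathrm{W} = 10^{5}\,\mathrm{mW}:\; 10 \log_{10}(10^{5}) = 50\,\mathrm{dBm}$$

$$\text{loss} = 50\,\mathrm{dBm} - (-110\,\mathrm{dBm}) = 160\,\mathrm{dB} \qquad \frac{P_{rx}}{P_{tx}} = 10^{-160/10} = 10^{-16}$$

A received level of -110dBm is therefore $10^{-16}$ of the 100W that was transmitted, far below one billionth ($10^{-9}$).
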
2G, 3G and 4G radio systems employ very different technologies and engineers
therefore use quite different measurement scales to describe them.
A general comparison of typical signal strengths is shown below:
Signal Strength Description        2G (dBm)        3G (dB)       4G (dB)
Very Strong                        -48 to -84      -3 to -6      -3 to -10
Strong                             -85 to -90      -7 to -10     -11 to -15
Moderate                           -91 to -100     -11 to -18    -16 to -20
Poor                               -101 to -112    -19 to -25    -21 to -30
Floor (lowest reportable value)    -110            -25           -30


Cellular Mobile Networks


The original radiotelephone networks, which went into service from the 1920s
onwards, employed a single radio transmitter to provide the service over a wide
geographical area. The main limiting factor of these networks was the lack of
capacity caused as a consequence of the large radio transmission areas used. If a
network operator employed just one very powerful transmitter to provide coverage
for a city or a region, they would only ever be able to serve a tiny fraction of the
potential market in that area. In the early 1960s, a concept known as Cellular
Mobile Communications was developed to address this capacity problem.
Cellular network architecture provides not just one transmitter for each region, but
instead uses hundreds or even thousands of much smaller and less powerful radio
transmitters to cover the same geographical area.
These smaller transmitters are known as Base Stations and the small geographical
areas covered by their radio signals are known as Cells. In the same area
previously covered by just one large transmitter, a cellular operator might site
hundreds of Base Stations, each supporting several radio channels, which would
increase the availability of radio connections by a similar factor.
[Figure: base stations and radio cells in an urban area and a rural area]

The size of the cells used in a network can vary dependent upon such factors as
geography and demand. Base stations serving rural locations, with low demand for
service, might be configured with cells that cover a large area. Base Stations
covering high-demand areas such as city centres, business areas and airports
might be configured to provide coverage using very small cells.


Network Generations
The earliest type of mobile communication was provided by radio telephone
networks, which offered a very expensive service to a very limited number of users.
The first truly cellular mobile networks began to appear in the late 1970s and are
now collectively known as 1G (1st Generation) systems.
The modern era of digital mobile communications began in the early 1990s with the
release of 2G (2nd Generation) networks. Several competing versions of 2G
network were developed in different regions, but the system developed in Europe
known as GSM (Global System for Mobile communications) eventually came to
be the dominant global 2G technology.

2G GSM networks offered access to a limited range of services (voice calls, text
messaging, dial-up data services) but provided them in a secure, high capacity
and high quality fashion. In the late 1990s two updates to GSM were released,
known as GPRS (General Packet Radio Service) and EDGE (Enhanced Data rates
for Global Evolution), which offered more efficient data and Internet connectivity.
GPRS/EDGE formed what became known as a 2.5G system. In the early 2000s
networks started to launch 3G (3rd Generation) services, beginning with a
technology known as UMTS (Universal Mobile Telecommunications System),
which offered voice, text and picture messaging and faster Internet connections.
3.5G upgrades to UMTS were developed later in the decade, known as
HSPA/HSPA+ (High Speed Packet Access), which offered increasingly fast mobile
broadband data rates. 4G (4th Generation) services began to launch in the early
2010s, which offer very fast Internet connectivity.
The progression of technologies shown in the diagram reflects the European
brands of mobile technologies and although these are the dominant network types
around the world, other technologies are used in some countries and regions.
Whichever mix of technologies they use, most countries now support a mix of 2G,
3G and 4G services.

Network Identities

PLMN ID
Mobile networks are technically known as PLMNs (Public Land Mobile Networks)
and each authorised network is assigned a unique PLMN ID. This consists of a
three digit MCC (Mobile Country Code), which indicates the country the network
operates in, and a 2 or 3 digit MNC (Mobile Network Code), which identifies the
network within its country.
Example MCCs include: 234 (UK), 208 (France), 505 (Australia), 310 (USA).
The MCC/MNC pair is used as a prefix on values such as Cell IDs and IMSIs.
IMSI
The purpose of the IMSI is to identify the subscriber in the mobile network. The
IMSI number is used for registering and identifying a subscriber within the PLMN.
The HLR uses the IMSI to uniquely identify each mobile subscriber. A mobile
device identifies its user/subscriber using the IMSI number that is held on
the SIM card.
An IMSI is always 15 digits long and has the following format:
MCC + MNC + MSIN (Mobile Subscriber ID Number, unique within PLMN)
IMEI
The International Mobile Equipment Identity (IMEI) is a number unique to every
GSM and UMTS mobile phone. It is usually found printed on the phone and can
also be displayed by dialling the sequence *#06# into the phone.
The IMEI is composed of the following elements (each element consists of decimal
digits only):

- Type Allocation Code (TAC) (8 digits)
- Serial Number (SNR): an individual serial number uniquely identifying
  each equipment within each TAC (6 digits)
- Spare digit: this digit is set to zero when transmitted by the MS.

The IMEI (14 digits) is complemented by a check digit. The check digit is not part of
the digits transmitted at IMEI check occasions, which means that the IMEI printed
on a handset often differs from the IMEI captured in call records, with a different
last digit. The Check Digit avoids manual input errors, for example when customers
register stolen MEs at the operator's customer care desk.
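
The IMSI and IMEI layouts described above, worked through as an added example that is not part of the original guide. It assumes the check digit is computed with the Luhn algorithm (the guide does not name the algorithm), and the function names and sample values are constructed for illustration.

```python
"""Split IMSI/IMEI values and reconcile a printed IMEI with the one in a CDR."""
from dataclasses import dataclass


def split_imsi(imsi: str, mnc_len: int) -> tuple:
    """Return (MCC, MNC, MSIN). The MNC length (2 or 3) cannot be derived
    from the digits alone, so the analyst must supply it per network."""
    if len(imsi) != 15 or not imsi.isdigit():
        raise ValueError("an IMSI is 15 decimal digits")
    if mnc_len not in (2, 3):
        raise ValueError("an MNC is 2 or 3 digits")
    return imsi[:3], imsi[3:3 + mnc_len], imsi[3 + mnc_len:]


def luhn_check_digit(first14: str) -> int:
    """Luhn check digit over the 14-digit TAC+SNR part of an IMEI."""
    if len(first14) != 14 or not first14.isdigit():
        raise ValueError("expected exactly 14 decimal digits")
    total = 0
    # Walk right to left; the rightmost of the 14 digits is doubled first.
    for i, ch in enumerate(reversed(first14)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


@dataclass(frozen=True)
class Imei:
    tac: str   # Type Allocation Code, 8 digits
    snr: str   # Serial Number, 6 digits
    last: str  # 15th digit: check digit (printed) or spare zero (transmitted)


def parse_imei(raw: str) -> Imei:
    """Accept an IMEI with or without separators and split it into fields."""
    digits = "".join(c for c in raw if c.isdigit())
    if len(digits) != 15:
        raise ValueError("expected 15 digits (14 plus check or spare digit)")
    return Imei(digits[:8], digits[8:14], digits[14])


def classify_last_digit(imei: Imei) -> str:
    """Say whether the 15th digit is a valid check digit or the spare zero.
    When the correct check digit happens to be 0 the two cases coincide and
    'check-digit' is returned."""
    if int(imei.last) == luhn_check_digit(imei.tac + imei.snr):
        return "check-digit"
    if imei.last == "0":
        return "spare-zero"
    return "invalid"


def same_device(imei_a: str, imei_b: str) -> bool:
    """Compare two IMEIs on TAC+SNR only, ignoring the 15th digit, so a
    handset label and a call record for the same device still match."""
    a, b = parse_imei(imei_a), parse_imei(imei_b)
    return (a.tac, a.snr) == (b.tac, b.snr)


if __name__ == "__main__":
    printed = "49-015420-323751-8"   # sample IMEI as printed on a handset
    in_cdr = "490154203237510"       # same device as it might appear in a CDR
    print(classify_last_digit(parse_imei(printed)))   # check-digit
    print(classify_last_digit(parse_imei(in_cdr)))    # spare-zero
    print(same_device(printed, in_cdr))               # True
    print(split_imsi("234150000000001", 2))           # constructed IMSI
```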
MS-ISDN
The MSISDN is a number uniquely identifying a subscription in a GSM or UMTS
mobile network. It is the telephone number allocated to the SIM card and it is the
MSISDN which is the number normally dialled to connect a call to the mobile
phone.


Network Architecture
Cellular networks are generally divided into two main areas:

- The Radio Access Network, which is home to the cells, base stations
  and other radio elements
- The Core Network, which is home to the network's central administrative
  and interconnection services
2G and 3G core networks are divided into three main areas:

- The CS (Circuit Switched) core, which deals with real time services such
  as voice and video telephony and also typically deals with SMS text
  messaging
- The PS (Packet Switched) core network, which deals with non real time
  data services such as Internet connections, email, instant messaging and
  MMS

4G LTE networks only have a PS core network, as they only provide data services.
All generations of network share a common administrative area that hosts
subscriber databases, the billing system and other key services.
HLR/HSS
The most important network database is the HLR (Home Location Register), which
is also known as the HSS (Home Subscriber Server). The HLR/HSS is the main
repository of subscriber data within a network and stores each subscriber's details,
listed against their IMSI. The database record also holds details of the MS-ISDN
associated with the account and lists the set of services (international roaming, call
diversions, call barring, etc) that the user has set or is permitted to use.
EIR
The EIR (Equipment Identity Register) is an operator's database of mobile devices
and their IMEIs.
The operator registers the IMEI of each device they supply with the EIR, which
allows the IMEI to be checked when a device attempts to connect to the network.
The EIR holds IMEIs in one of three areas of its database:

- The white list contains IMEIs of devices that are permitted to use the
  network
- The grey list contains details of IMEIs that are permitted to use the
  network but that should be monitored, possibly due to a fraud flag or
  because they are suspected of having a fault
- The black list contains details of IMEIs that are not permitted to use the
  network, normally because they have been registered as stolen

The main UK operators have interlinked their EIRs, at the request of the Home
Office, which should ensure that no stolen phones or other cellular devices would
be permitted to connect to those networks. The theory behind this is that if a
stolen device can't be used there is little point in stealing it.



Cells & Base Stations


A cellular base station is designed to generate radio cells that allow it to transmit
and receive user and control traffic over the radio path, or air interface: the radio
channels that connect to users' mobile phones.
A base station contains sets of radio transmitter/receiver units which each cover a
certain geographical area of the operator's network. The base station may generate
one cell or several cells and may operate across one or more radio channels.
Base station configurations fall into two basic categories:

- Omnidirectional Sites (covering one cell), which transmit their radio
  signal in all directions from one antenna, like a Bart Simpson ring doughnut
  of radio energy
- Sectorised Sites, which transmit their radio signals in sectors, each
  sector being generated by a different, directional antenna, which is a bit
  like a torch beam shining focused radio energy over a specific area. The
  traditional sectorised cell configuration uses three antennas to create
  three different cells that between them provide 360° coverage around the
  site. Sectorised sites can be configured in a variety of ways, but typically
  have either 3 or 6 sectors.
A sectorised site employs directional antennas, which limit transmission of each
radio channel to a specific part of the base station coverage area. Sectorised sites
can be configured in a variety of ways, but typically have either 3 or 6 sectors.
Cell Sectors will point in a certain direction. In cellular parlance, this is described
using the word Azimuth, an ancient navigational term which identifies the compass
angle along which the centre of a cell's radio beam is pointing in relation to Due
North. For example, with a three sectored cell site, if one of the antennas had an
azimuth of 0° (North) then the other sectors would normally be 120° (South East)
and 240° (South West).
[Figure: compass azimuths at 0°, 60°, 120°, 180°, 240° and 300°]

Each cell is assigned a unique Cell ID, which will be unique within its network. The
Cell ID is advertised on a broadcast channel in each cell, allowing mobile devices
to determine the identity of the cell they are currently connected to.


Cell Types & Sizes


A typical radio cell, of any generation, has a finite capacity limit.
For large cells this finite capacity is spread across a wide area and might need to
be shared by a large number of users, which has implications for the density of
coverage (in terms of numbers of concurrent connections that can be supported vs.
the population of the area served by the cell) and may also limit the data rates that
might be available to individual users. With small cells this finite capacity is focused
on a small area, which implies high density of coverage and potentially high data
rates per user.
[Figure: cell sizes around a cell site: macrocell 1-20km, microcell 0.5-1km, picocell 20-500m, femtocell 10-20m]

On the other hand, a few large cells can cover a large area, lowering the cost of
providing service to that area, while a large number of small cells would be required
to cover the same area, which would increase the cost of service. Cellular
operators are therefore very careful about planning the size and number of cells
they deploy to match the expected customer demand in each area.

The range of cell types that operators can choose from is generally categorised as
follows:

- Macrocells: outdoor sites that provide wide area coverage with typical
  cell radius measurements of 1km up to 20km or more
- Microcells: outdoor sites that provide more focused hotspot coverage
  with typical cell radius measurements of 0.5-1km
- Picocells: can be deployed as outdoor sites, in which case the cell radius
  can be up to 500m, or as indoor sites in offices, shopping centres or
  airports with a typical cell radius of 20-30m
- Femtocells: can be deployed as outdoor sites or indoor sites with a
  typical cell radius of 10-20m

There are no rigidly defined standards for cell descriptions and so the descriptions
provided above should be viewed as guidelines rather than rules.
In general, the cells in a mobile network provide coverage over a limited area.
Overall network coverage is therefore based on a patchwork of coverage provided
by deploying large numbers of closely spaced base stations.
Cellular network coverage is very deliberately planned and well engineered. This is
worth bearing in mind as the defence have a tendency to create the illusion that it is
somehow random and totally unpredictable.


UK Mobile Networks

There are two types of network operator: an MNO (Mobile Network Operator) owns
its own base stations, radio access network and core network and supports a full
range of mobile services; an MVNO (Mobile Virtual Network Operator) offers
mobile services to its customers but does not own its own physical network,
and instead piggybacks on the facilities of an MNO. Examples of UK MVNOs
include: Virgin Media, Tesco Mobile, Lebara, Lyca Mobile and many others.

Source Data Call Records


Call Detail Records (CDRs) are produced every time a user makes or receives a
call, sends or receives a message or connects to a data service.
A new CDR record is opened each time a new connection is set up. Once a CDR
record is closed (when the connection is released), it will be transmitted to the
operator's billing system and stored in a centralised database. Ostensibly, CDR
data is captured for billing and charging purposes but it can also be disclosed to
authorised agencies such as the police. In the UK this occurs under the provisions
of RIPA (the Regulation of Investigatory Powers Act).
CDRs (Call Detail Records) are provided by network operators in a wide variety of
different formats and different operators provide a variety of information, but
generally each CDR contains the following:
- Date and Time of call
- Originating MSISDN (A-Number)
- Terminating MSISDN (B-Number)
- IMSI and IMEI
- Duration of call
- Type of Service, e.g. voice call, SMS, MMS, data, etc.
- Serving Cell ID (at Start of call)
- Serving Cell ID (at End of call), not always provided
GPRS (or data) CDRs often use a different format but provide much the same level
of information. The difference between voice CDRs and data CDRs, however, is
that a voice CDR will record each transaction (phone call, SMS) as a separate
event, whereas a data CDR provides details of an entire data connectivity session
but won't provide details of individual connections (to a website, for example)
established during each session.
Data CDRs can be closed for a variety of reasons, some of which relate to what is
termed "user inactivity". A GPRS CDR is opened when a mobile device establishes
a new connectivity session with a data network, such as the Internet. The
connection will typically carry intermittent bursts of data traffic as the user browses
websites or sends email or instant messages. If the connection isn't used for a
period of time (5 minutes, for example) the network assumes that it is no longer
required and releases the connection, triggering the closure of the associated CDR.
Any location or Cell ID information captured at this point could be up to 5 minutes
old (or whatever the length of the inactivity timer period is), which means that GPRS
Cell ID data can be less reliable than voice/SMS Cell ID data.
It is for this reason that, in terms of best practice for cell site analysis, current
guidance indicates that Voice and Text CDRs should take precedence over data
CDRs if they are sufficient to prove the prosecution case.
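
A screening pass over call records, as an added example that is not part of the original guide or of CSAS: it joins CDRs to cell location details, keeps calls around an incident time, ranks voice/SMS ahead of data, and flags cells whose site is near the incident and whose azimuth faces it. The CSV layouts, Cell IDs, numbers, the 5km range and the 60° half-beam are all assumptions made for illustration; a flagged cell is only a candidate for an RFPS survey, not a finding about coverage.

```python
import csv
import io
import math
from datetime import datetime, timedelta

# Constructed sample data. Column names, phone numbers and Cell IDs are made
# up for this example; each operator has its own CDR layout.
CDR_CSV = """\
start,a_number,b_number,service,duration_s,start_cell
2014-03-01 21:40:10,07700900001,07700900002,voice,65,234-99-1001-A
2014-03-01 21:55:42,07700900001,07700900003,sms,0,234-99-1001-B
2014-03-01 22:03:05,07700900001,,data,900,234-99-2002-C
2014-03-01 22:10:00,07700900001,07700900002,voice,12,234-99-9999-Z
2014-03-01 23:30:00,07700900001,07700900002,voice,30,234-99-1001-A
"""
# Cell location details (constructed). An empty azimuth marks an
# omnidirectional site.
CELLS_CSV = """\
cell_id,lat,lon,azimuth_deg
234-99-1001-A,51.5080,-0.1290,90
234-99-1001-B,51.5080,-0.1290,210
234-99-2002-C,51.4500,-0.3000,240
"""

# Voice and text cell IDs take precedence; a data CDR's cell ID can lag by
# the length of the inactivity timer.
PRIMARY_SERVICES = {"voice", "sms"}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dl = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def bearing_deg(lat1, lon1, lat2, lon2):
    """Compass bearing (0 = Due North) from point 1 towards point 2."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dl = math.radians(lon2 - lon1)
    y = math.sin(dl) * math.cos(p2)
    x = math.cos(p1) * math.sin(p2) - math.sin(p1) * math.cos(p2) * math.cos(dl)
    return (math.degrees(math.atan2(y, x)) + 360) % 360


def screen_calls(cdr_csv, cells_csv, incident_time, incident_lat, incident_lon,
                 window=timedelta(minutes=30), max_km=5.0, half_beam_deg=60.0):
    """List calls within the time window, with each serving cell's distance
    from the incident and whether its sector faces the incident location."""
    cells = {row["cell_id"]: row for row in csv.DictReader(io.StringIO(cells_csv))}
    results = []
    for cdr in csv.DictReader(io.StringIO(cdr_csv)):
        start = datetime.strptime(cdr["start"], "%Y-%m-%d %H:%M:%S")
        if abs(start - incident_time) > window:
            continue
        entry = {
            "start": start,
            "service": cdr["service"],
            "cell_id": cdr["start_cell"],
            "weight": "primary" if cdr["service"] in PRIMARY_SERVICES else "secondary",
            "distance_km": None,
            "facing": None,
            "candidate": False,
        }
        cell = cells.get(cdr["start_cell"])
        if cell is not None:  # unknown cells stay listed, but unlocated
            lat, lon = float(cell["lat"]), float(cell["lon"])
            dist = haversine_km(lat, lon, incident_lat, incident_lon)
            if cell["azimuth_deg"] == "":
                facing = True  # omnidirectional: transmits in all directions
            else:
                bearing = bearing_deg(lat, lon, incident_lat, incident_lon)
                offset = abs((bearing - float(cell["azimuth_deg"]) + 180) % 360 - 180)
                facing = offset <= half_beam_deg
            entry.update(distance_km=round(dist, 2), facing=facing,
                         candidate=dist <= max_km and facing)
        results.append(entry)
    # Voice/SMS records first, then data records, each in time order.
    results.sort(key=lambda e: (e["weight"] != "primary", e["start"]))
    return results


if __name__ == "__main__":
    incident = datetime(2014, 3, 1, 22, 0)  # constructed incident time
    for row in screen_calls(CDR_CSV, CELLS_CSV, incident, 51.5074, -0.1200):
        print(row)
```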


UK Network CDRs
There are currently 4 main network operators in the UK: Vodafone, O2, Three and
EE (which consists of EE, T-Mobile and Orange). Each operator has its own
specific CDR format and each has issues and idiosyncrasies.
Data Retention and Acquisition
Call data is retained within CSP storage networks for a minimum of 12 months.
All CSPs now have an automated system in place in which a SPoC (Single Point of
Contact for dealing with CSPs) with appropriate authority under RIPA (Regulation
of Investigatory Powers Act) legislation has the authority to download data directly
from CSP billing platforms. This copy we call the "golden copy", which should be
securely retained by the SPoC, and only a further copy of this data should be
forwarded to investigation teams. This means that there is always a clean source
of un-manipulated original data available should the need arise to access this.
Forensic Analytics' CSAS (Cell Site Analysis Suite) tool currently recognises and
automatically processes over 55 UK CDR formats, which includes all current
formats and most recent historical formats.


RF Propagation Surveys
Radio Frequency Propagation Surveys can be undertaken for several reasons:
- To determine the set of cells that provide coverage at a location
- To determine the extent of coverage of a given cell
- To determine serving coverage along a given route
RFPS surveys are usually undertaken in support of historical cell site analysis but
may also be performed to gather intelligence as part of live events such as
kidnaps.
Spot/Location Surveys
[Figure: incident location, with a spot survey taken in the vicinity]

Spot or location surveys provide details of the set of serving and non-serving cells
that provide coverage at a given location. Generally the spot chosen is the address
or location where an incident has occurred or where a person of interest lives or
works.
The strength of a radio signal can vary hugely. This is because a radio signal is
like a breeze: it will ebb and gust over time, which means that radio conditions
are ever changing. Phones located in an area served by more than one cell might
reselect to a different cell without the phone necessarily moving anywhere.
Spot/location surveys therefore work best when taken over an extended period.
A typical ideal value for this would be between 5 and 10 minutes, which allows the
survey to capture the changes in radio signal strengths caused by the breeze effect.
All Network Profiles
Spot/location surveys are typically undertaken to gather evidence related to a
specific target phone and are therefore often conducted on just one or two
networks or technologies at a time.
Mobile networks are constantly being upgraded and optimised, with new cells being
built and existing cells being expanded and adjusted. Due to the fast rate of change
going on in the radio networks of all CSPs it would be sensible for investigators to
commission a network profile at key locations as soon as these can be identified
within a case.

Most UK police forces have the capacity to undertake network readings
autonomously as they now have the skills, equipment and training to do so. Failure
to capture forensic radio survey measurements of key locations quickly enough
could mean that details of the radio environment which existed at the time of an
event may be lost forever, which may impact significantly on an investigation down
the line.
All-Network profiles are usually undertaken on all networks and all technologies at
a spot location to preserve details of the radio coverage at a location before it
changes.
Cell Coverage Surveys
Cell coverage surveys are intended to determine the extent of serving coverage of
a particular cell. The survey is generally performed as a drive survey and the
results provide a snapshot of cell coverage at the time the survey was undertaken.
Route Profiles
A route profile employs similar methods to a coverage profile, but whereas a
coverage profile seeks to determine the area served by a single cell, a route profile
attempts to represent the set of cells that serve along a given route.

Cell Site Reports
The process of compiling a cell site analysis report is largely an iterative one:
- Divide calls into batches that match the times of the allegations being made
- Check each batch of a suspect's calls against the allegations being made
- Were any calls made at around the time of a significant event?
- If so, did those calls use cell sites near to the event location?
- If yes, do the RFPS results from that location indicate that the cells used for
  the calls are serving cells at the location?
  - If the cells do serve then the report can conclude that the calls could have
    been made at or in the vicinity of the location
  - If the cells provide non-serving coverage then the report can conclude that
    the calls could have been made in the general area of the location
  - If the cells were not detected during the RFPS survey then the report can
    conclude that the calls are unlikely to have been in the general area of
    the location
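
The decision procedure above can be expressed as a short script. This is an added example, not part of the original guide or of CSAS; the sample CDR rows, the survey samples, the function names, the 15-minute window and the rule that a cell seen serving in any survey sample counts as serving are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
# Constructed sample data: CDR rows (call start, cell ID) for one target phone.
CDRS = [
    ("2014-03-01 21:58:10", "1001"),
    ("2014-03-01 22:03:45", "1002"),
    ("2014-03-01 22:09:30", "1003"),
    ("2014-03-02 09:15:00", "1001"),
]
# Constructed spot-survey samples taken at the event location over several
# minutes: (seconds into survey, cell ID, role recorded by the survey kit).
SURVEY = [
    (0, "1001", "serving"), (0, "1002", "non-serving"),
    (120, "1001", "serving"), (120, "1002", "non-serving"),
    (300, "1004", "serving"), (300, "1001", "non-serving"),
]


def survey_roles(samples):
    """Collapse samples to one role per cell. Assumption: a cell that served
    in any sample counts as serving, since the serving cell changes over time."""
    roles = {}
    for _, cell, role in samples:
        if role == "serving" or cell not in roles:
            roles[cell] = role
    return roles


def classify_calls(cdrs, samples, event_time, window_minutes=15):
    """Return (time, cell, conclusion) for calls within the event window."""
    roles = survey_roles(samples)
    event = datetime.strptime(event_time, FMT)
    window = timedelta(minutes=window_minutes)
    wording = {
        "serving": "could have been made at or in the vicinity of the location",
        "non-serving": "could have been made in the general area of the location",
        None: "unlikely to have been in the general area of the location",
    }
    results = []
    for when, cell in cdrs:
        if abs(datetime.strptime(when, FMT) - event) <= window:
            results.append((when, cell, wording[roles.get(cell)]))
    return results


if __name__ == "__main__":
    for row in classify_calls(CDRS, SURVEY, "2014-03-01 22:00:00"):
        print(*row, sep=" | ")
```

Cell 1001 is recorded as both serving and non-serving during the constructed survey, which is the reselection behaviour a 5 to 10 minute spot survey is meant to capture.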
Cell site reports are often used to provide support for, or confirmation of, other
forms of evidence.
For example, a significant event in a case may be that the suspect was
captured on CCTV making a phone call. Cell site evidence would then be used to
show whether any call details were recorded for the suspect's phone at that time
and if so, whether the cell used serves at the observed location.
Cell site reports are also often used to show association between individuals, so
reports might be required to focus on calls made between target phones or to
highlight instances of co-location where target phones might be using cells that
cover the same areas.
In cases where the attribution of a mobile phone to a suspect is not solid, especially
where there is a suspicion that clean and dirty handsets are being used
interchangeably, cell site analysis can be used to provide additional attribution
evidence.
Cell site reports are sometimes required to show whether calls could have been
made from a car during a specific journey; for example, if a call was made during a
period when the suspect was alleged to have been in a getaway car fleeing a
robbery scene. In this case the cell site analyst might request an RFPS route
profile to be performed following the route of the getaway vehicle. If the cells used
by the target phone serve at points along the route, then it supports the allegation
that the user of the phone could have been in the vehicle at the time the calls were
made.
It is important to remember that cell site evidence is generally not definite enough
to be used on its own; it works best when supporting other evidence.

Automated Cell Site Analysis - CSAS
Forensic Analytics has developed a software tool designed to simplify the data
processing and analysis work associated with cell site analysis.
CSAS (the Cell Site Analysis Suite) takes the drudgework out of call data
processing and also removes the human element, which is often the unwitting
cause of inaccuracies or missed information. CSAS functions can be summarised
as follows:

Cleanse CDR Data: all CSPs have different CDR formats, which often have to be
combined into a single table for evidential purposes. The whole area of analysing
pages of billing data and taking out repetition or collapsing multiple CDR entries
into a single record is known as cleansing the data and is often the bane of an
analyst's life.

It is an area where mistakes are easily made and it consumes a disproportionate
amount of time. CSAS imports CDR billing files and cell site addressing files and
combines and cleanses the data almost instantly (dependent upon data volumes)
to create an evidential call table with colour-coded handsets and associated
attribution details. We currently recognise over 45 individual UK billing formats and
have the ability to incorporate international formats quickly and simply.

As investigations evolve and target mobiles are added or removed from the
investigation, CSAS enables this seamlessly and efficiently, instantly updating the
database as old files or phones are removed or new files are added.

Analyse Data: once data has been cleansed it is placed into a professional-grade
database. Once in the database it can be viewed (using our powerful CDR
Browser feature), filtered (by date/time, called/calling numbers, call type, etc.) or
queried (using our best-in-class analytical engine). CSAS Analytics supports a
range of standard queries (Top Callers, First Call/Last Call analysis, IMEI & IMSI
timelines and many others), which allow analysts to gain quick, accurate access to
information related to just one or a collection of handsets.

RF Survey Results: CSAS will import and process raw RF survey data captured
by common RF survey devices, such as CSurv, NEMO or TEMS. The data will be
averaged and tabulated ready for analysts to review. CSAS also makes survey
results available to CSAS Analytics, allowing it to be used as the basis for further
queries and analysis, such as creating call tables showing calls made using cells
that serve at particular locations.

Mapping: the call data in the CSAS database can be used to automatically
populate maps with call and cell details using Microsoft MapPoint or Google Maps
and can also generate Map Labels for PowerPoint mapping presentations at the
push of a button.

Continuity: CSAS treats each investigation as a separate case and, as an
investigation evolves, CSAS will log activity for continuity purposes, providing an
audit trail.

Glossary
2G: 2nd Generation mobile technologies
3G: 3rd Generation mobile technologies
4G: 4th Generation mobile technologies
ANPR: Automatic Number Plate Recognition
Azimuth: Compass angle an antenna points towards
CCTV: Closed Circuit TV
CDR: Call Detail Record
CI: Cell ID
CSA: Cell Site Analysis
CSAS: Cell Site Analysis Suite - Forensic Analytics software
CSP: Cellular Service Provider
dB: decibel
dBm: decibel milliwatts
EDGE: Enhanced Data rate for Global Evolution - 2.5G
EE: Everything Everywhere - UK mobile operator
GHz: Gigahertz
GPRS: General Packet Radio Service - 2.5G technology
GSM: Global System for Mobile - 2G technology
Hex: Hexadecimal (base 16 number system)
HLR: Home Location Register
HSPA/HSPA+: High Speed Packet Access - 3.5G technology
Hz: Hertz
IMEI: International Mobile Equipment Identity
IMSI: International Mobile Subscriber Identity
kHz: kilohertz
LAC: Location Area Code
Log: Logarithm
LTE: Long Term Evolution - 4G technology
MCC: Mobile Country Code
MHz: Megahertz
MMS: Multimedia Messaging Service (photo messages)
MNC: Mobile Network Code
MS-ISDN: Mobile Station ISDN Number (mobile phone number)
MSIN: Mobile Subscriber Identity Number
mW: milliwatts
Ofcom: Office of the Communications Regulator
PLMN: Public Land Mobile Network
RF: Radio Frequency
RFPS: Radio Frequency Propagation Survey
RIPA: Regulation of Investigatory Powers Act 2000
SAC: Service Area Code
SIM: Subscriber Identity Module
SMS: Short Message Service (text messages)
UMTS: Universal Mobile Telecommunications System - 3G

Cell Site Analysis Suite

Automated Cell Site data processing


Import, cleanse and view call data
Fast, accurate data processing
Incorporates powerful CSAS Analytics data querying
Imports, processes and analyses RF survey data
Creates court-ready call tables and map presentations
Quick, simple updating of CDR formats via the Internet
Fully international, can be deployed worldwide
See a Return on Investment in weeks
Simple to use, incredibly powerful, exceptional value

Want more copies of this free Cell Site guide? Email us and let us know:
cellsiteguide@forensicanalytics.co.uk

Forensic Analytics Ltd


PO Box 324
Letchworth Garden City
SG6 9FL UK
www.forensicanalytics.co.uk