PID Perspectives

How CDR forensics help solving crimes


Do you ever go anywhere without your phone or smartwatch? We increasingly depend on mobile devices for daily tasks, and so do criminals. Digital data sources have become essential in solving crime. However, a specific subset of digital investigations is becoming increasingly relevant: CDR forensics. 

What is CDR forensics?

CDR stands for Call Detail Records. These cover a broad category of data sources collected by telco carriers from cell towers, satellites, user devices, text messaging, and more. The data can include device pings and call metadata such as timestamps, call direction, duration, and location coordinates, which in most cases can place a device (and its user) at a specific time and place or reveal other relevant information, such as calls made or received, their duration, or even the phone's status. This type of analysis is not concerned with the content of the communication. Instead, it analyzes the technical details of the communication in whatever form it happened.

What’s in a CDR data dump?

There are different types of CDR data, and their format varies from carrier to carrier. Below is an example of anonymized raw data provided in CSV format (the source can be found here). 

What can you discover with CDR analysis?

When you stare at a CDR data dump, it’s not obvious what to look for. However, investigators in this field use different analytics techniques to extract valuable information that can be used in the investigation to confirm or eliminate suspects. 

For example, they can calculate call frequency, duration, and time of day to understand general call patterns, identify trends such as increased call volume during specific periods or days, and explore relationships between variables like call duration and time of day. 

Network analysis is another crucial part of the investigation: visualizing call patterns as a network allows for identifying key individuals, communication clusters, and relationships. With that, it’s possible to determine the most influential individuals in a network based on their connections and call frequency and identify groups of individuals who frequently communicate with each other.

Finally, geographical analysis allows tracking the location of callers and recipients to identify patterns and movements. This can be done at different levels, and the more detailed the original records, the more thorough the visualization of their patterns will be. 

How CDR forensics help solve crime

In 2020, Arlington police solved a homicide case using CDR forensics as their primary investigation tool. Although there were few leads, once a suspect was identified, CDR became very relevant to solving the case.

The suspect claimed to have been elsewhere at the time of the murder. However, investigators noticed that during that time frame, the suspect's device received incoming calls that were immediately forwarded to voicemail. The absence of terminal data from the cell towers indicated that the device had been put on Do-Not-Disturb or flight mode.

Additional geospatial analysis allowed investigators to retrace the man's movements over time and place him within a radius compatible with the crime area. The evidence from the CDR analysis against the suspect was so strong that he was eventually found guilty and sentenced to life for first-degree murder.
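To make the analytics above concrete (call frequency by time of day, the contact network, and the straight-to-voicemail pattern that mattered in the Arlington case), here is an added example that is not part of the original post. The CSV columns, the constructed sample records, and the `VM` disposition value are assumptions; real carrier exports differ in layout, as the post notes.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample export (not from any carrier). Columns are assumed:
# direction MO = mobile-originated, MT = mobile-terminated; duration in
# seconds; disposition "VM" = went to voicemail; cell_id empty = no cell seen.
SAMPLE_CDR = """caller,callee,start,duration,direction,disposition,cell_id
5550001,5550002,2020-03-14 09:05:00,120,MO,ANSWERED,CELL-A
5550002,5550001,2020-03-14 09:40:00,30,MT,ANSWERED,CELL-A
5550003,5550001,2020-03-14 21:02:10,0,MT,VM,
5550004,5550001,2020-03-14 21:05:45,0,MT,VM,
5550001,5550003,2020-03-15 10:00:00,60,MO,ANSWERED,CELL-B
5550002,5550003,2020-03-15 11:15:00,45,MO,ANSWERED,CELL-C
5550001,5550002,2020-03-15 22:30:00,300,MO,ANSWERED,CELL-B
"""

def parse_cdr(text):
    """Parse the CSV into dicts with typed start time and duration."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["start"] = datetime.strptime(r["start"], "%Y-%m-%d %H:%M:%S")
        r["duration"] = int(r["duration"])
        rows.append(r)
    return rows

def hourly_pattern(rows):
    """Call count per hour of day (0-23): shows when the numbers are active."""
    return Counter(r["start"].hour for r in rows)

def contact_graph(rows):
    """Undirected contact graph: number -> Counter of peers and call counts."""
    graph = defaultdict(Counter)
    for r in rows:
        graph[r["caller"]][r["callee"]] += 1
        graph[r["callee"]][r["caller"]] += 1
    return graph

def most_connected(rows, n=3):
    """Rank numbers by distinct peers, then total calls (degree centrality)."""
    graph = contact_graph(rows)
    key = lambda num: (len(graph[num]), sum(graph[num].values()))
    return sorted(graph, key=key, reverse=True)[:n]

def voicemail_windows(rows, number, gap_minutes=10):
    """Group incoming calls to `number` that went straight to voicemail with
    no cell id into time windows; such a window is consistent with the device
    being off or in flight mode and deserves a closer look."""
    times = sorted(r["start"] for r in rows if r["callee"] == number
                   and r["disposition"] == "VM" and not r["cell_id"])
    windows, current = [], []
    for t in times:
        if current and (t - current[-1]).total_seconds() > gap_minutes * 60:
            windows.append((current[0], current[-1]))
            current = []
        current.append(t)
    if current:
        windows.append((current[0], current[-1]))
    return windows
```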

Practical applications of CDR forensics

CDR analysis has a wide range of practical applications across various fields. For law enforcement investigations, as we have seen, it can help:

  • Criminal Investigations: CDRs can be used to track suspects, identify accomplices, and establish connections between individuals involved in criminal activities.
  • Missing Persons: Analyzing call patterns and location data can help locate missing persons by identifying their last known contacts and movements.
  • Fraud Detection: CDRs can help identify fraudulent activities such as SIM card swapping, unauthorized calls, or subscription fraud.

However, CDR analysis has unparalleled growth potential and is invaluable for disaster response, humanitarian aid, and public assistance applications. 

Roadblocks to gaining CDR forensics expertise

Forensic expertise in working with CDR data comes with exposure to the field and knowledge of communications. Besides being a technical field requiring understanding the jargon and the principles of cellular networks and radio wave propagation, it also requires understanding geolocation, behavioural patterns, and data analytics.

Despite CDR’s usefulness for practical applications, obtaining sample data to practice with, even in an anonymized format, is not easy. In general, the main roadblocks to this type of forensics activity are:

  • Data Confidentiality: Carriers worldwide protect their users’ data confidentiality, and even authorized police personnel must request it only with formal documentation (for example, a warrant) and motivation to analyze it.
  • Unstandardized Data Formats: There is no standard when it comes to CDR formats. The data structures and distribution methods vary from carrier to carrier, and automating the gathering and raw data transformation process is not easy.
  • Data Retention Policies: Most CDR data is live, meaning carriers collect continuous data flows from their infrastructure and user devices. Due to the vast amount of collected data, carriers retain it for a short time, so investigators can only obtain a short timeframe’s worth of data to work with. 

CDR forensics analysis is a fascinating topic. At Negative PID, we are developing a growing expertise in this subject with formal police-led training and previous experiences with other forms of CDR analysis. Contact us to learn more about how we can help with your CDR projects! 
