• Chris Zachar

Cell Phone Forensics: Location Data

Geolocation: Big Willy Style is just a myth

Forensic location data from cell phones, tablets, and even smart watches is becoming more and more common in criminal prosecutions. Authorities use cell phone forensics to try and place defendants at the scene of a crime, track movements of suspected drug dealers, and to download GPS or Wi-Fi data that may be incriminating. At the same time, defense attorneys often use cell phone evidence to prove a client’s alibi, put supposedly incriminating movements into context, or show that another user could have been sending texts or communicating on a phone. Modern criminal defense practice requires a solid understanding of the use and limitations of this type of evidence.

So what kind of evidence can we obtain from cell phones? When I first started practicing, I assumed that cell phones could be tracked, monitored, and analyzed like the movie Enemy of the State. Remember that scene where the government tried to locate Will Smith’s character and a satellite zoomed into him talking on the phone in real time? Yeah, it’s nothing like that in real life. Not in 1998 and not now.

What is Range to Tower Data?

Cell phone tower, sector, and range...delicious.

Cell phone location data can be divided into three broad categories: range to tower (RTT), GPS data, and Wi-Fi/data connection. The most commonly used category is range to tower data (RTT). This is what is referred to when someone says that a person’s phone “pinged” to a tower. Many people assume that this is a very accurate method of locating an electronic device, but that impression is incorrect. In reality, RTT data can only tell us which tower and sector of a tower a device connected to. Picture a circle divided into three equal segments, like a pizza with three slices. The circle is the tower, and the slices are the segments. This is how most cell services operate. We can tell which tower (which pizza) a device connects to, and which slice it is connecting with, and sometimes get a rudimentary estimate of how far from the slice of pizza the phone is, but that is the extent of our ability to locate a particular phone.

But there are serious limitations to range to tower data. First, it’s a rough estimate, not a location. Cell phone towers and sectors often service dozens, if not hundreds of square miles. So we can tell whether someone is in the area of La Crosse by RTT data, but not whether someone is at a particular home or even in a particular neighborhood. And it’s impossible to track a phone within a cell phone sector. Additionally, RTT data requires that a cell phone be powered on and communicating with a tower. This means that a phone will not provide location data unless a person is using it to call, text, conduct an internet search, or using an app that requires data.

Another common misconception is that RTT data reveals the closest cell phone tower. That’s also incorrect. Cell phones select the best available signal, which sometimes can come from a tower or sector that is farther than a closer tower. In the Driftless region of Wisconsin where I practice, we have to constantly consider whether a signal is reflecting from the bluffs to connect a user to a tower that is not the closest to the user. In other words, connecting to a tower and sector does not mean that a phone is actually connected to the closest possible point.

What about triangulation?

Many people assume that a cell phone “ping” is the same thing as triangulation, or finding the location of a device by measuring its azimuth and distance from several fixed points. With the exception of specialized military equipment, aeronautical navigation equipment, and the old fashioned LORAN, cell phones are not triangulated.

A LORAN from a World War 2 Bomber...still more accurate than modern range to tower data.

Okay, well can’t the government access my GPS data instead?

Short answer, yes, but not always. GPS data has to be stored on a phone and, absent any warrant for real time monitoring of a phone’s movement, downloaded by a program like cellebrite. GPS is far more accurate than RTT data, and can provide precise movements of a phone. However, it generally has to be activated, stored, and downloaded after the fact, which doesn’t always happen. GPS is also limited by the ability to seize and analyze a phone, and can’t tell us who was actually in possession of a phone at the time.

How can the government track my phone by Wi-Fi?

It’s simple actually. Every time you log onto a Wi-Fi network or data hotspot, a smart phone will record what network you are connected to. In fact, many phones will keep a record of which Wi-Fi networks are available as the phone passes through areas of coverage. So if you are driving down I-90 and pass by Wi-Fi networks that are available on a specific route, those available networks will be recorded in a phone’s memory. Which means that Wi-Fi networks are more specific geolocations that can track the location and movement of a phone more accurately than the networks themselves.

How does the State use this type of evidence?

Cell phone location data is used in a wide variety of cases. It’s used to establish a defendant’s location in cases like homicide, robbery, burglary, and sexual assault. It is used to establish a phone’s user when the device is used to download contraband or facilitate illegal encounters. Cell phone location data is frequently used in drug trafficking and conspiracy cases, often in combination with cellebrite data downloads to recover text messages and phone contacts.

How does the defense use cell phone location data?

In much the same way, but with more limitations. Cell phone data can be very helpful to establish an alibi, or prove that a phone was moving when an owner would have been elsewhere. However, a defendant does not have the same access to cell phone forensic data as the State. Defendant’s generally have to submit their own phones for independent analysis, usually at significant cost, or obtain location data from their cell phone provider. This can be difficult without a standard billing plan if a phone is a pay as you go (“burner”) phone. Unlike the State, with very limited exceptions, the defendant does not have the ability to issue a search warrant or subpoena for documents on third party phones. If you believe that cell phone location data may be important to your defense, it is important to tell your lawyer right away so that he or she can arrange to preserve the data that will help your case.