Glenn K. Bard CISSP, EnCE

Uploaded On 2023-06-24

Presentation Transcript

1. Glenn K. Bard
CISSP, EnCE, CFCE, CHFI, A+, Network+, Security+, ACE, AME
PA State Trooper – Retired
NCMEC – Project ALERT
US Army Veteran

2. Electronic Serial Number (ESN) - The unique identification number embedded in a wireless phone by the manufacturer. Each time a call is placed, the ESN is automatically transmitted to the base station so the wireless carrier's mobile switching office can check the call's validity. MINs and ESNs can be electronically checked to help prevent fraud.

3. ESN

4. Mobile Equipment Identifier (MEID) - a globally unique 56-bit identification number for a physical piece of CDMA equipment. MEIDs replaced ESNs after the original ESN scheme was depleted in 2008.
gbard@patctech.com

7. ESN / MEID
Many times you will still see providers use the term ESN even though the number will actually be the MEID. What can these numbers identify? The device or the account?

8. Be careful
Don’t confuse the pESN with the actual ESN. pESN – pseudo ESN – is calculated using a hash based on the MEID. The moral of the story: make sure to get the ESN or MEID.

10. Mobile Identification Number (MIN) - Unique identifier that can be used to identify a cellular phone by the network. The MIN and ESN are both transmitted to the network to assist with authentication.
Mobile Directory Number (MDN) - The actual number a person would dial to reach a specific phone. (This is your phone number!!)

11. MIN and MDN
The MIN and MDN are both 10 digits in length and “can” be the same. However, they generally will not be the same number. In many instances they will be the same area code, and if not the same area code, then a code for the same city. (For example, the Pittsburgh, PA area has 412 and 724 area codes. It is not uncommon for the MDN to be a 412 and the MIN to be a 724.)

12. Glossary of Cellular Terms
Global System for Mobile Communications (GSM) - GSM is a digital cellular phone technology based on TDMA that is the predominant system in Europe, the Middle East, Africa, Asia and in parts of America and Canada. First introduced in 1991, the GSM standard has been deployed at three different frequency bands: 900 MHz, 1800 MHz and 1900 MHz. GSM 1900 is primarily deployed in North America. Named after its frequency band around 900 MHz, GSM-900 has provided the basis for several other networks using GSM technology. GSM uses narrowband TDMA which allows eight simultaneous calls on the same radio frequency. Along with CDMA and TDMA it represents the second generation of wireless networks.
Source – Mobiledia.com

13. GSM – GSM networks using the 2nd generation (2G) of CDMA technology.
UMTS – CDMA networks using the 3rd generation (3G) of CDMA technology.
LTE – Long Term Evolution is the standard for the 4th generation (4G).
5Ge – 5G Evolution is the standard for the 5th generation (5Ge).

14. In America
GSM technology is used by:
- AT&T
- T-Mobile

15. MSISDN
MSISDN - Mobile Station International Subscriber Directory Number
It is your phone number including area code.
- 1 – US
- 52 – Mexico
- 97 – Indonesia

16. Most popular in the world. Extremely popular everywhere but the United States. The phones MUST contain a SIM card.
SIM – Subscriber Identity Module

17. GSM technology
Subscriber Identity Module (SIM) - A small card inserted into a GSM cellular phone that contains subscriber-related data. Note: Some CDMA phones (Verizon, Sprint, etc.) can have SIM cards. This is becoming more popular as those carriers are making world phones. However, when in the US, these phones use CDMA technology.

18. SIM cards

20. SIM Cards
What can a SIM card contain?
- Phonebook
- Call logs
- Speed dial
- SMS messages
(Not so much anymore.)

21. SIM cards
What must a SIM card contain? The IMSI. (We will learn exactly what the IMSI is in a few minutes.)

22. SIM cards
Now, let’s learn all of the details about GSM technology.

23. ICCID
Integrated Circuit Card ID (ICCID) – a 19 to 20 digit serial number for a SIM card used to securely store the IMSI number for a subscriber.
The ICCID is also called the SIM Serial Number.
It is stamped on the SIM card.

25. International Mobile Equipment Identifier (IMEI)-A unique 15-digit number that serves as the serial number of the GSM handset. The IMEI appears on the label located on the back of the phone. The IMEI is automatically transmitted by the phone when the network asks for it. A network operator might request the IMEI to determine if a device is in disrepair, stolen or to gather statistics on fraud or faults. Here is a good thing to know. Take your GSM phone, go to the dial pad and dial *# 06 #

27. IMEI number

28. When using records and forensics:

29. When you combine them:

30. IMEI Structure
IMEI: If it is 15 digits, it is the IMEI plus a check digit.
IMEISV: If it is 16 digits, it is the IMEI plus the software version digits.
So the rule, look at the first 14:

31. International Mobile Subscriber Identifier (IMSI) - A unique 15-digit number which designates the subscriber. This number is used for provisioning in network elements.
It is stored on the SIM card.
This one identifies the account holder.

33. IMSI
The first 3 numbers identify the country code; for example, the US is code 310.
The next 3 numbers identify the carrier code; for example, the AT&T code is 410 and T-Mobile is code 260.
Therefore an AT&T IMSI will begin with 310410 and a T-Mobile IMSI will begin with 310260.
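The IMEI rule from slide 30 ("look at the first 14") and the IMSI layout from slide 33 can be applied mechanically to values taken from records. The following Python sketch is an added example, not part of the original presentation; the function names and the sample numbers are constructed for illustration, and the check digit is computed with the Luhn algorithm that IMEIs use.

```python
import re

# Carrier prefixes (country code + carrier code) quoted on the slide.
# Any other prefix is reported as "unknown" rather than guessed.
KNOWN_PREFIXES = {"310410": "AT&T", "310260": "T-Mobile"}


def _digits_only(raw: str) -> str:
    """Strip common separators; refuse anything that is not purely numeric."""
    text = re.sub(r"[\s\-/.]", "", raw)
    if not text.isdigit():
        # A hexadecimal MEID, for example, would land here instead of being mangled.
        raise ValueError(f"not a decimal identifier: {raw!r}")
    return text


def luhn_check_digit(body14: str) -> int:
    """Luhn check digit for the first 14 digits of an IMEI."""
    total = 0
    # Walking right to left, the digit next to the check digit is doubled first.
    for pos, ch in enumerate(reversed(body14)):
        d = int(ch)
        if pos % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def parse_equipment_id(raw: str) -> dict:
    """Classify a 14/15/16-digit equipment identifier and isolate the first 14."""
    digits = _digits_only(raw)
    if len(digits) not in (14, 15, 16):
        raise ValueError(f"unexpected length {len(digits)} for {raw!r}")
    info = {"body": digits[:14], "kind": "IMEI (no check digit)",
            "check_ok": None, "software_version": None}
    if len(digits) == 15:
        info["kind"] = "IMEI"
        info["check_ok"] = int(digits[14]) == luhn_check_digit(digits[:14])
    elif len(digits) == 16:
        info["kind"] = "IMEISV"
        info["software_version"] = digits[14:]
    return info


def same_handset(raw_a: str, raw_b: str) -> bool:
    """Two record values describe the same device when their first 14 digits match."""
    return parse_equipment_id(raw_a)["body"] == parse_equipment_id(raw_b)["body"]


def parse_imsi(raw: str) -> dict:
    """Split a 15-digit IMSI into the 3 + 3 + remainder layout the slide describes."""
    digits = _digits_only(raw)
    if len(digits) != 15:
        raise ValueError(f"expected 15 digits, got {len(digits)}")
    return {"mcc": digits[:3], "mnc": digits[3:6], "subscriber": digits[6:],
            "carrier": KNOWN_PREFIXES.get(digits[:6], "unknown")}


if __name__ == "__main__":
    # Constructed sample values, not taken from any case or from the slides.
    print(parse_equipment_id("49-015420-323751-8"))
    print(same_handset("490154203237518", "4901542032375123"))
    print(parse_imsi("310410123456789"))
```

A failed check digit usually points to a transcription error in the record or the report, so it is worth confirming the value against the source before comparing devices.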

34. IMEI and IMSI
How else can these numbers help us?

35. Cell records update

36. Part 1: AT&T

37. For Starters
What can we get from AT&T?
And more importantly, how can we use it?

38. AT&T Wireless
What can AT&T provide with appropriate legal process?
- Call detail logs
  - Contain calls / SMS / Data communications and locations
- Cell Sites accessed
  - LAC/CID or ECGI
- Cell site sector Azimuth
  - Median of the sector accessed – Show which side of the tower
- Beam Width
  - When available – reveals the width of that sector
- Direction of call (incoming or outgoing)
  - Remember that incoming unanswered calls don’t necessarily mean the person was using it. All incoming and unanswered could mean the phone was left at home, the person is dead, etc.
  - Can also show intent – i.e., a fight before a murder, or a person stops making calls

39. AT&T Wireless
- Calling number
  - Number initiating the call
- Dialed number
  - The target being called
- Call Time and duration (UTC)
  - UTC is Greenwich Mean Time – Not your local time
  - Must do the offset; for example, right now the East Coast is -4 or -5 hours (depending on time of year)
  - UTC does not do “spring forward / fall back”
- ET – Elapsed Time
- Seizure – Time from when the call was placed until answered
- Data usage location information
  - Don’t map data
- Location of cell tower
  - Will be in Longitude then Latitude

40. AT&T Wireless
- Subscriber information (Name, address, etc.)
  - May come back to Tracfone
- SMS location information
- IMEI, IMSI of target phone
  - International Mobile Equipment Identifier
    - Change by a bunch means new phone
    - Change by final character means update the OS
  - International Mobile Subscriber Identifier
    - New IMSI means new number
- MCC / MNC
- Phone Model
  - Make and Model

41. AT&T Wireless
- Tower dump
  - All communication through a location
  - You supply AT&T with the location, they tell you what tower(s)
- Definitions page (Key Codes)
  - Very important – helps identify call features
  - Also helpful for testimony
- Reports of Lost / stolen phone
- If prepaid, where purchased?
- Other phones on the same account
  - A second phone not known about
- Historical Handset Location
  - Network Event Location System (NELOS)
  - This is what we have called “pinging”
  - Even when you get this, still map the towers as well

42. AT&T Wireless
Contents of the Cloud
AT&T does have a cloud service:

43. Some important definitions
- IMEI – International Mobile Equipment Identifier
- IMSI – International Mobile Subscriber Identifier
- MSISDN – Mobile Station International Subscriber Directory Number (it means your phone number – Country Code / area code / prefix / number)

44. Some important definitions
- LAC / CID – This is the switch (LAC – Location Area Code) and tower along with side (CID – Cell ID) accessed
- ECGI – Enhanced Cell Global Identity
- Azimuth – The median of the sector accessed
- Beam Width – The width of the sector accessed
- MCC – Mobile Country Code
- MNC – Mobile Network Code

45. Some important definitions
- Seizure – The time it takes for the call to connect to the network. NOT the elapsed time.
- ET – Elapsed Time
- CT – Call Type
- UTC – Universal Time, also known as GMT

46. Some important tips
- The location is Longitude then Latitude
  - This is the opposite of all other companies
- The records will come in both PDF and TXT
  - If you want Excel, we will learn how to import TXT into Excel in a bit.

47. Some important tips
- AT&T can provide locations for Voice, SMS and Data for a very long time. (Which is not common.)
- Tower Dumps also include Voice, SMS and Data. (Which is not common.)
- AT&T does not use the terms Lucent or Nortel when describing the tower sides. They simply give the Azimuth. (Which is not common.)

48. Some important tips
NELOS
- AKA: “historical GPS Locations”, “Historical Handset Location data”, and “Handset triangulation data”
- Technically: Network Event Location System
- What it means is an estimate of the location of the handset itself at the initiation of the event.
- How accurate can it be:

49. Some important tips
NELOS

50. Some important tips
NELOS – The results with Unknown Accuracy can be hundreds of miles off. So that is why you never get just NELOS, always get the towers as well.

51. Some new changes

52. Some new changes

53. Some new changes

55. Two very important notes
Do not map AT&T data communications. According to an AT&T representative, they cannot tell if the data was initiated by the handset or the network, and therefore cannot confirm if it is accurate. On a personal note, I have seen AT&T data locations jump a few hundred miles and back again in the same ongoing data communications.

56. Two very important notes

57. Two very important notes
Do not map just the AT&T NELOS. Always use it to support the towers, but when in doubt, trust the towers. Again on a personal note, I have seen AT&T NELOS locations jump from one state to the next and then back again in a few minutes. When I saw this happen, the location accuracy was listed as “Location Accuracy Unknown”.

58. Two very important notes
In either of the previous scenarios, the answer is to ALWAYS trust the towers over anything else. AT&T is a great company and can supply a wealth of information, and their towers are very accurate. And they are very helpful.

59. Contact information (updated)
Contact information:
AT&T Global Legal Demand Center
11760 US Highway 1, Suite 600
North Palm Beach, FL 33408
Phone Number: 800-635-6840
Fax Number: 888-938-4715
E-mail Address: gldc@att.com

60. Contact information
Two Hints:
- AT&T owns Cricket.
- TracFone sells phones that use the AT&T towers, so the records must come from AT&T.

61. Warrant language
Subscriber information for the number _____________ including name, date of birth, mailing address, alternate phone number, and other numbers on the same account. All communication for the wireless number _______________ for the time period of _______________ to include cellular calls, SMS messages and Data communications, tower locations (LAC/CID or eCGI) and azimuth / beam width for the sectors accessed during the communication. Additionally, all content for SMS messages for the wireless account of ___________________________ for the time period of ____________________ . Also, identify the existence of any AT&T cloud services associated with the wireless number of ____________________ and provide any data held within the cloud to include SMS, MMS, and emails communications. Additionally, supply “historical GPS Locations”, “Historical Handset Location data”, “Handset triangulation data”, aka NELOS (Network Event Location System). Also provide any IP (Internet Protocol Addresses) assigned to the device for the time period of ____________________. Lastly, provide a detailed definitions page which identifies all information in the records.

62. Retention periods
- Subscriber information: 7 years
- Call History: 7 years
- Tower Locations: 7 years
- Tower Dumps: 7 years
- NELOS: 1 year

63. Part 2: Verizon

64. For Starters
What can we get from Verizon?
And more importantly, how can we use it?

65. Cell phone technology
What can Verizon provide with appropriate legal process?
- Call detail logs
  - Contain calls only
- Cell Sites accessed
  - Element and Cell Site / eNB ID
- Cell site sector Azimuth
  - Median of the sector accessed – Show which side of the tower
- Beam Width
  - When available – reveals the width of that sector
- Direction of call (incoming or outgoing)
  - Remember that incoming unanswered calls don’t necessarily mean the person was using it. All incoming and unanswered could mean the phone was left at home, the person is dead, etc.
  - Can also show intent – i.e., a fight before a murder, or a person stops making calls

66. Cell phone technology
- Calling number
  - Number initiating the call
- Dialed number
  - The target being called
  - What do things like 7777, 1191, 5556 mean?
- Call Time and duration
  - Times are based on location of cellular tower
  - Seizure – Total duration of the communication
- Location of all cell towers
  - Will be in Latitude then Longitude
  - Why get all towers when they accessed just one?
- Subscriber information (Name, address, etc.)
  - May come back to Tracfone

67. Cell phone technology
- SMS Content
  - Default and Cloud based
- SMS detail log
  - No locations
- IP Data sessions (TDR2)
  - Towers but no sectors
- MIN / MDN of target phone
  - Mobile Identification Number
  - Mobile Directory Number
- Phone Model
  - Make and Model
- Tower dump
  - All communication through a location
  - You supply Verizon with the location, they tell you what tower(s)
  - Beginning tower / Ending tower

68. Cell phone technology
- Definitions page
  - Different page for each type of set of data
  - Also helpful for testimony
- Reports of Lost / stolen phone
- If prepaid, where purchased?
- Other phones on the same account
  - A second phone not known about
- Historical Handset Location
  - RTT (Range to Tower)
  - This is what we have called “pinging”
  - Even when you get this, still map the towers as well
- VoLTE
  - Voice Over LTE
- Type of Tower
  - Lucent vs Nortel (not relevant on VoLTE)

69. Cell phone technology
Contents of the Cloud
Verizon does have a cloud service:

70. Cell phone technology
Contents of the Cloud
Verizon does have a cloud service:

71. Some important definitions
- MDN – Mobile Directory Number
- MIN – Mobile Identification Number
- ESN – Electronic Serial Number
- MEID – Mobile Equipment Identifier
- Element – Switch name
- Azimuth – The median of the sector accessed
- RTT – Range To Tower

72. Some important definitions
- Beam Width – The width of the sector accessed
- Seizure date / time – The day and time of the initiation of the call.
- Seizure duration – Total elapsed time of the call.
- Alpha / Beta / Gamma – side of the tower accessed.

73. Some important tips
- Dates and times are based upon local time zone.
- You will need both the incoming / outgoing calls and the Element tower locations to do any mapping.
- The records will come in Excel spreadsheets, except contents of SMS; those will be in TXT.
- SMS locations are in RTT only, not in conventional records.

74. Some important tips
- Tower Dumps are Voice only.
- Verizon does use the terms Lucent or Nortel when describing the tower sides. The whole switch must be Lucent or Nortel.
- For Lucent, you have to subtract one: 4=3, 3=2, 2=1. (Alpha / Beta / Gamma helps with this.)
- For Nortel, 3=3, 2=2 and 1=1.

75. Some new changes
If the call went over VoLTE, there will be no entry in the Incoming / outgoing call list. You will identify that it is a VoLTE call because the Dialed Digit will be preceded by 1191. If that is the case, the VoLTE calls will be in a second form. And you do not look up the Cell site; instead you focus on the eNB ID. (You won’t always see this.)

76. Some new changes
Additionally, when looking at VoLTE calls, they do NOT have an offset for Lucent towers. 1 is 1, 2 is 2, and 3 is 3, regardless of BTS Manufacturer. Lastly, when using VoLTE, the number is called the MSISDN, not the MDN. Also, Verizon is now adding several books to each spreadsheet.

77. Contact information
Online Service: Verizon; Attn: VSAT
Online Service Address: 180 Washington Valley Road, Bedminster, NJ 07921
Phone Number: (888) 483-2600
Email: verizonlegalprocesscompliance@verizon.com
Aug 2020: preservation letters and search warrants can now be emailed to vsat.cct@verizon.com
Subpoena contact: 888-483-2600
Search warrant contact: 800-451-5242; select option 2
Wireless Records contact: 800-451-5242; select option 1

78. Warrant language
Subscriber information for the number _____________ including name, date of birth, mailing address, alternate phone number, and other numbers on the same account. All communication for the wireless number _______________ for the time period of _______________ to include cellular calls, tower locations and azimuth for the sectors accessed during the communication for all Elements accessed. Also indicate if the tower was Lucent, Nortel and provide a three sector layout. As well as possible maximum ranges. Additionally RTT (Range To Tower) and EVDO for the cellular phone number of _____________________ for the time period of _______________. Also, all content for SMS messages for the wireless account of ___________________________ for the time period of ____________________ . Additionally, identify the existence of any Verizon cloud services associated with the wireless number of ____________________________ and provide any data held within the cloud to include SMS, MMS, and emails communications. Also provide any TDR2 (IP - Internet Protocol Addresses) assigned to the device along with locations for the time period of _____________________. Lastly, provide a detailed definitions page which identifies all information in the records. Please provide this information to Detective ________________ in digital format on a compact disc in Excel, PDF or TXT format.

79. Retention periods
- Subscriber information: 5 years
- Call History: 1 year
- Tower Locations: 1 year
- SMS Content: 3-5 days officially
- Tower Dumps: 90 days
- RTT: 7 days

80. One Note
TracFone sells phones that use the Verizon network, so the records must come from Verizon.

81. Part 3: Sprint
Note: Sprint has been completely taken over by T-Mobile. However, we know that many of you still have some Sprint records, and we wanted to make sure to go over them in case you have a trial coming up.

82. Very Important
Sprint is now owned by T-Mobile, and the Sprint records are being phased out. The records are now coming as combined records. So you will get a Sprint copy and a T-Mobile copy of the records.

83. For Starters
What can we get from Sprint?
And more importantly, how can we use it?

84. Cell phone technology
What can Sprint provide with appropriate legal process?
- Call detail logs
  - Contain calls and SMS
  - Location for calls only
  - You will get two, Voice and VoLTE
- Cell Sites accessed
  - NEID and Cell Site
- Cell site sector Azimuth
  - Median of the sector accessed – Show which side of the tower
- Beam Width
  - The records do not indicate a beam width, so we use 120
- Data locations
  - Tower location – Do not map the sector

85. Cell phone technology
- Direction of call (incoming or outgoing)
  - Remember that incoming unanswered calls don’t necessarily mean the person was using it. All incoming and unanswered could mean the phone was left at home, the person is dead, etc.
  - Can also show intent – i.e., a fight before a murder, or a person stops making calls
  - MR Inbound, Outbound, Routed Call, Undetermined
- Calling number
  - Number initiating the call
- Dialed number
  - The target being called
  - What do things like 11 or 62450 mean?
- Time and duration
  - Call Times are usually based on location of cellular tower
  - SMS Times are either Central or UTC, depending on NEID

86. Cell phone technology
- Location of all cell towers
  - Will be in Latitude then Longitude
  - Why get all towers when they accessed just one?
- Subscriber information (Name, address, etc.)
  - May come back to Tracfone / Boost
- MIN / MDN of target phone
  - Mobile Identification Number
  - Mobile Directory Number
- Phone Model
  - Make and Model
- Tower dump
  - All calls through a location
  - You supply Sprint with the location, they tell you what tower(s)

87. Cell phone technology
- Definitions page
  - Very helpful for testimony
  - Supplies Time Zone information
- Reports of Lost / stolen phone
- If prepaid, where purchased?
- Other phones on the same account
  - A second phone not known about
- Historical Handset Location
  - PCMD (Per Call Measurement Data)
  - This is what we have called “pinging”
  - Even when you get this, still map the towers as well
- Type of Tower
  - Lucent, Nortel, Samsung, Ericsson, Motorola
- SWAT (Software Wireless Access Tandem)

88. Cell phone technology
Contents of the Cloud
Sprint does have a cloud service:

89. Some important definitions
- ESN – Electronic Serial Number
- MEID – Mobile Equipment Identifier
- NEID – Element name (Network Element ID)
- Azimuth – The median of the sector accessed
- M_R – Mobile Role
- BTS Manufacturer – Type of Base Transceiver Station (Lucent / Nortel / Samsung / Motorola / Ericsson)

90. The towers
Here is how I described the way to read towers in a recent report: When reviewing the Call detail record, there is no cell site sector listed. That is because Sprint identifies the sector in the 1st and Last cell column. For example, in the records above the first listed tower is 40188. To identify the exact sector and tower, the first number, 4 is the sector, and the tower is 0188.

91. The towers
And how I described Lucent towers: The switch is listed as Lucent. This means in the Call Detail records the sectors will be numbered as 2, 3, and 4. However in the Cellular tower locations there will only be sectors 1, 2, and 3. To further illustrate this, using the tower and sector from above, Sector 4 of Tower 0188, when looking for that location in the tower locations, following is the entry:

93. Some important definitions
- SWAT – Soft Wireless Access Tandem (These are used in high Sprint traffic areas)
- TLDN – Temporary Local Directory Number
- Dates and times are usually based upon switch time zone, except text messages, which are either in Central or UTC depending on NEID.

94. Sprint times

95. Some important tips
- You will need both the incoming / outgoing calls, and the NEID tower locations to do any mapping.
- The records will come in Excel spreadsheets.
- SMS locations are in PCMD only, not in conventional records.

96. Some important tips
- Tower Dumps are Voice only.
- Sprint does use the terms Lucent / Nortel / Samsung / Ericsson / Motorola when describing the tower sides.
- For Lucent, you have to subtract one.
- To identify a Tower and side, you take the listed Cell, for instance 30128. The 3 is the side, and 0128 is the tower.
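The Sprint cell-value rule (slides 90, 91 and 96) and the Lucent "subtract one" offset that the Verizon slides also describe (slides 74 and 76) can be combined into one lookup step. This Python sketch is an added example, not code from the presentation; the function names and the tower list entries are constructed, and passing other manufacturers through unchanged is an assumption, since the slides only give the Lucent offset and the Nortel equivalence.

```python
def split_cell(cell) -> tuple:
    """Split a Sprint call-detail cell value such as 40188 into (sector, tower).

    The tower stays a string so the leading zero in '0188' is not lost.
    """
    text = str(cell).strip()
    if not text.isdigit() or len(text) < 2:
        raise ValueError(f"unexpected cell value: {cell!r}")
    return int(text[0]), text[1:]


def tower_list_sector(cdr_sector: int, manufacturer: str, volte: bool = False) -> int:
    """Translate the sector shown in call detail records to the tower-list sector.

    Lucent switches number sectors 2, 3, 4 in the call records but 1, 2, 3 in
    the tower locations. VoLTE records carry no offset (Verizon slide 76).
    Assumption: every non-Lucent manufacturer is passed through unchanged.
    """
    if volte:
        return cdr_sector
    if manufacturer.strip().lower() == "lucent":
        if cdr_sector not in (2, 3, 4):
            # A 1 on a Lucent switch means the record or the switch type is misread.
            raise ValueError(f"sector {cdr_sector} is not valid on a Lucent switch")
        return cdr_sector - 1
    return cdr_sector


# Constructed tower list keyed by (tower, sector); coordinates are made up.
SAMPLE_TOWERS = {
    ("0188", 3): {"lat": 40.4410, "lon": -79.9960, "azimuth": 240},
    ("0128", 3): {"lat": 40.4500, "lon": -80.0100, "azimuth": 240},
    ("0128", 2): {"lat": 40.4500, "lon": -80.0100, "azimuth": 120},
}


def locate(cell, manufacturer: str, towers: dict, volte: bool = False) -> dict:
    """Resolve a call-record cell value to its entry in the tower list."""
    cdr_sector, tower = split_cell(cell)
    list_sector = tower_list_sector(cdr_sector, manufacturer, volte)
    key = (tower, list_sector)
    if key not in towers:
        raise KeyError(f"tower {tower} sector {list_sector} not in tower list")
    return {"tower": tower, "cdr_sector": cdr_sector,
            "list_sector": list_sector, **towers[key]}


if __name__ == "__main__":
    print(locate("40188", "Lucent", SAMPLE_TOWERS))   # record sector 4 -> list sector 3
    print(locate(30128, "Nortel", SAMPLE_TOWERS))     # no offset on Nortel
    print(locate("30128", "Lucent", SAMPLE_TOWERS))   # record sector 3 -> list sector 2
```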

97. Some important tips
- 11 before the number in the called number column indicates voicemail.
- 62450 in the called number column indicates visual voicemail.

98. Two Notes
- TracFone sells phones that use the Sprint network, so the records must come from Sprint.
- Boost / Virgin records are also held by Sprint.

99. Part 4: T-Mobile

100. For Starters
What can we get from T-Mobile?
And more importantly, how can we use it?

101. Cell phone technology
What can T-Mobile provide with appropriate legal process?
- Call detail logs
  - Contain calls and SMS
  - Location for both
  - Except: SMSc and RCS-IMChat
- Cell Sites accessed
  - LAC / CID or LTE Site ID
- Cell site sector Azimuth
  - Median of the sector accessed – Show which side of the tower
- Beam Width
  - The records do not indicate a beam width, so we use 120
  - From their definitions page: “Generally, the coverage of a tower is circular and divided in three equal pieces (each 120 degrees wide).”
- Data Locations

102. Cell phone technology
- Direction of call (incoming or outgoing)
  - Remember that incoming unanswered calls don’t necessarily mean the person was using it. All incoming and unanswered could mean the phone was left at home, the person is dead, etc.
  - Can also show intent – i.e., a fight before a murder, or a person stops making calls
- Calling number
  - Number initiating the call
- Dialed number
  - The target being called
  - outgoing call to 8056377249 – forwarded to voicemail
  - outgoing call to 8056377243 – voicemail retrieval
- Time and duration
  - Call times are in UTC (Universal Time Coordinated)
  - UTC does not use Daylight Savings time

103. Cell phone technology
- Location of all cell towers
  - Will be in Latitude then Longitude
  - Why get all towers when they accessed just one?
- Subscriber information (Name, address, etc.)
  - MetroPCS is part of T-Mobile
- IMEI, IMSI of target phone
  - International Mobile Equipment Identifier
    - Change by a bunch means new phone
    - Change by final character means update the OS
  - International Mobile Subscriber Identifier
    - New IMSI means new number
- MCC / MNC

104. Cell phone technology
- Phone Model
  - Make and Model
- Tower dump
  - All calls through a location
  - You supply T-Mobile with the location, they tell you what tower(s)
- Definitions page
  - Very helpful for testimony
  - Describes Service Codes
- Reports of Lost / stolen phone
- If prepaid, where purchased?
- Other phones on the same account
  - A second phone not known about

105. Cell phone technology
- Historical Handset Location
  - TruCall
  - This is what we have called “pinging”
  - Even when you get this, still map the towers as well
- Contents of the Cloud
  - T-Mobile does have a cloud service:

106. Some important definitions
- IMEI – International Mobile Equipment Identifier
- IMSI – International Mobile Subscriber Identifier
- MSISDN – Mobile Station International Subscriber Directory Number (It means your phone number)

107. Some important definitions
- LAC / CID – This is the switch (LAC – Location Area Code) and tower along with side (CID – Cell ID) accessed
- LTE Site ID – If the call was handled via LTE
- Azimuth – The median of the sector accessed
- MCC – Mobile Country Code
- MNC – Mobile Network Code

108. Some important tips
- Dates and times are in UTC – Universal Time Coordinated.
- The records will come in Excel spreadsheets. But they can look a little different.
- SMS generally shows a duration of 60 seconds.

109. Some important tips
T-Mobile has recently changed their records. For a long time they could not supply SMS locations, and in many instances were not able to supply sector information for calls. In the last few months the records have changed drastically. Due to this, make sure to pay special attention to their definitions page.
Dates and Times are in UTC

110. Some important tips
ALWAYS make sure you get Mediation records, especially if you got the records the night of the incident. Get a second set a week or two later. T-Mobile continues to receive information from switches days later, and not until the records are mediated are they complete.

111. Some notes about TruCall
TruCall records are not readily accessible for production and delivery. Due to the burden involved in production and delivery of TruCall records, T-Mobile will only consider requests for TruCall records in 7 day increments per target telephone number. T-Mobile will formally object to requests that seek a greater scope. T-Mobile does not rely on TruCall data for managing individual accounts and is unable to warrant the accuracy of the data at the account-holder level. T-Mobile does not routinely collect TruCall data, which is not available in every market. T-Mobile is unable to certify TruCall records and will not provide any testimony that goes to the accuracy of same. T-Mobile will preserve up to 7 days of TruCall data per target.
Source: search.org

112. Some new changes
Cell Site location is not available for Call Types SMSc and RCS-IMChat.
For SMSc messaging, T-Mobile provides record of any activity between the requested target number and any other customers utilizing the T-Mobile network for the time and date range requested regardless if the target number currently is/was assigned to T-Mobile or a T-Mobile wholesale partner.

113. A note on azimuth
A NOTE ON AZIMUTH: The azimuth listed is the center compass degree facing of the identified sector of the tower. Generally, the coverage of a tower is circular and divided in three equal pieces (each 120 degrees wide). Due north is 0, due south is 180. However, not every tower is aligned with the first sector starting at 0. Using the listed azimuth, rough direction from the tower can be calculated for a call. The center degree of the sector’s facing is indicated in this field. For example, if a facing has a listed orientation of 90, the center of the coverage is pointed at 90 degrees but the sector will cover traffic from roughly 60 degrees on either side (thus 30 to 150 degrees in this example).
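The azimuth arithmetic in this note, together with the coordinate-order warning from the AT&T tips (longitude first, where the other carriers list latitude first), can be checked in code before anything is drawn on a map. The Python below is an added example rather than part of the presentation; the function names and coordinates are constructed, and the 120 degree default is the beam width the slides use when the records give none. It shows direction from the tower only, not distance.

```python
import math

DEFAULT_BEAM_WIDTH = 120.0  # used when the records list no beam width


def tower_lat_lon(pair, carrier: str) -> tuple:
    """Return (lat, lon) from a record pair, swapping AT&T's longitude-first order."""
    first, second = pair
    lat, lon = (second, first) if carrier.upper() in ("AT&T", "ATT") else (first, second)
    if not -90.0 <= lat <= 90.0 or not -180.0 <= lon <= 180.0:
        # A latitude beyond 90 almost always means the columns were read in the wrong order.
        raise ValueError(f"implausible coordinates after ordering: {lat}, {lon}")
    return lat, lon


def sector_bounds(azimuth: float, beam_width: float = DEFAULT_BEAM_WIDTH) -> tuple:
    """Compass degrees of the two sector edges, e.g. azimuth 90 -> (30, 150)."""
    half = beam_width / 2.0
    return (azimuth - half) % 360.0, (azimuth + half) % 360.0


def bearing_deg(lat1, lon1, lat2, lon2) -> float:
    """Initial great-circle bearing from point 1 to point 2, 0 = north, 90 = east."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    y = math.sin(dlon) * math.cos(phi2)
    x = math.cos(phi1) * math.sin(phi2) - math.sin(phi1) * math.cos(phi2) * math.cos(dlon)
    return (math.degrees(math.atan2(y, x)) + 360.0) % 360.0


def in_sector(bearing: float, azimuth: float, beam_width: float = DEFAULT_BEAM_WIDTH) -> bool:
    """True when the bearing falls inside the sector, including sectors that span north."""
    # Smallest signed angle between bearing and azimuth, folded into 0..180.
    diff = abs((bearing - azimuth + 180.0) % 360.0 - 180.0)
    return diff <= beam_width / 2.0


def point_in_sector(tower, point, azimuth, beam_width=DEFAULT_BEAM_WIDTH) -> bool:
    """Is a location of interest in the direction the sector faces from the tower?"""
    return in_sector(bearing_deg(tower[0], tower[1], point[0], point[1]), azimuth, beam_width)


if __name__ == "__main__":
    # Constructed values: an AT&T-style pair (longitude, latitude) and two test points.
    tower = tower_lat_lon((-80.0, 40.0), "AT&T")
    east, north = (40.0, -79.99), (40.01, -80.0)
    print(sector_bounds(90))                      # (30.0, 150.0), the slide's example
    print(point_in_sector(tower, east, 90))       # True: due east of the tower
    print(point_in_sector(tower, north, 90))      # False: due north is outside 30..150
    print(point_in_sector(tower, north, 350))     # True: sector 290..50 spans north
```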

114. Contact information
T-Mobile
Contact Name: Gavin Pinchback
Online Service: T-Mobile
Online Service Address: 4 Sylvan Way, Parsippany, New Jersey 07054
Phone Number: 866-537-0911
Fax Number: 973-292-8697
LE specialists: 973-292-8911. This is a 24/7 number.
T-Mobile Court Orders, Search Warrants and Subpoenas go to: Lerinbound@T-Mobile.com

115. Warrant language
For the T-Mobile records:
Address as T – Mobile, AKA T-Mobile America
Subscriber information for the number _____________ including name, date of birth, mailing address, alternate phone number, and other numbers on the same account. All communication for the wireless number _______________ for the time period of _______________ to include cellular calls and SMS messages along with tower locations (LAC / CID or LTE Site ID) to include Switch / MSC / BSC / Cell Name and azimuth, as well as Azimuths for the sectors accessed during the communication. Also, identify the existence of any T Mobile cloud services associated with the wireless number of ____________________________ and provide any data held within the cloud to include SMS, MMS, and emails communications. Additionally, supply TruCall data aka “historical GPS Locations”, “Historical Handset Location data”, and “Handset triangulation data” for the 7 days of ____________ through _______________. Also provide any IP (Internet Protocol Addresses) assigned to the device for the time period of _____________________. Lastly, provide a detailed definitions page which identifies all information in the records.
Please provide this information to Detective ________________ in digital format on a compact disc in Excel, PDF or TXT format.
Email: LERINBOUND@T-Mobile.com
Fax to: 973-292-8697

116. Retention periods
- Subscriber information: 5 years
- Call History: 2 years
- Tower Locations: 1 year
- SMS Content: NA
- Tower Dumps: 90 days
- TruCall: 7 days

117. Two Notes
- TracFone sells phones that use the T-Mobile network, so the records must come from T-Mobile.
- MetroPCS and Sprint are part of T-Mobile US.

118. Operating Systems

119. ForensicallyLet’s learn some basics about iOS forensics

120. ForensicallySome notable items about iOS devices:Private / VAR / Mobile Applications (App Domain) Third party apps Library (Home Domain) iOS appsSome applications may have artifacts in both, such as Safari. Currently up to iOS 15

121. ForensicallyTypes of data SQL – Database – Store content SQLite, SQLitedb, DB, phonedata BLOB – Binary Large Object Plist – XML – Store settings

122. Forensically
Some notable items about iOS devices:
Dates and times:
Dates and times in the SQL / Plist are in UTC
Unix Numeric Value – 1/1/1970 at 00:00
Mac Absolute – 1/1/2001 at 00:00

123.

124.

125. Forensically
Let’s learn some basics about Android forensics

126. Android Flavors
Cupcake (1.5)
Donut (1.6)
Éclair (2.0 – 2.1)
Froyo (2.2)
Gingerbread (2.3x)
Honeycomb (3.1 – 3.2)
Ice Cream Sandwich (4.0)
Jelly Bean (4.1 – 4.3)
KitKat (4.4)
Lollipop (5.0 – 5.1)
Marshmallow (6.0)
Nougat (7.0 – 7.1)
Oreo (8.0 – 8.1)
Pie (9.0)
10 (Sometimes called Q)
11
12 and 12L
13

127. Forensically
Some notable items about Android devices:
DATA / DATA / App Name
Databases – DB’s – contents
Shared Pref’s – XML – Settings
Physical / File System / Logical / ADB

128. Forensically
Some notable items about Android devices:
Dates and times:
Dates and times in the SQL / XML are in UTC
Unix Numeric Value – 1/1/1970 at 00:00
USB Debugging
4.2.1 or older – Settings / app / Dev
4.2.2 – Tap Build number 7 times
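The two epochs named on the iOS and Android date-and-time slides, worked through as an added example (not part of the original presentation). The table name, the sample rows and the millisecond / nanosecond storage units are assumptions constructed for illustration; the slides state only the epochs and that values are UTC.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)  # Unix Numeric Value
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)   # Mac Absolute
EPOCH_DELTA = int((MAC_EPOCH - UNIX_EPOCH).total_seconds())  # seconds between them

# Ticks per second for each storage unit (units are an assumption of this example).
UNITS = {"s": 1, "ms": 1_000, "us": 1_000_000, "ns": 1_000_000_000}


def to_utc(raw, epoch="unix", unit="s"):
    """Convert a raw numeric timestamp to a timezone-aware UTC datetime."""
    base = {"unix": UNIX_EPOCH, "mac": MAC_EPOCH}[epoch]
    micros = round(raw * 1_000_000 / UNITS[unit])
    return base + timedelta(microseconds=micros)


# Constructed sample rows, all encoding the same instant: 2022-09-03 14:30:00 UTC.
SAMPLE_ROWS = [
    ("unix seconds", 1662215400, "unix", "s"),
    ("unix milliseconds", 1662215400000, "unix", "ms"),
    ("mac absolute seconds", 683908200, "mac", "s"),
    ("mac absolute nanoseconds", 683908200000000000, "mac", "ns"),
]


def decode_rows():
    """Load the sample rows into an in-memory SQLite table and decode each one."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE artifact (label TEXT, raw INTEGER, epoch TEXT, unit TEXT)")
    con.executemany("INSERT INTO artifact VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    rows = con.execute("SELECT label, raw, epoch, unit FROM artifact").fetchall()
    con.close()
    return {label: to_utc(raw, epoch, unit) for label, raw, epoch, unit in rows}


if __name__ == "__main__":
    for label, when in decode_rows().items():
        print(f"{label:26} {when.isoformat()}")
    # Reading a Mac Absolute value against the Unix epoch lands 31 years early.
    print("wrong epoch:", to_utc(683908200, "unix").isoformat())
```

A decoded date that falls decades before the device existed is the usual sign that the wrong epoch or unit was applied.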

129. Forensically
Some notable items about Android devices:
Rooting:
Kingo Root: https://www.kingoapp.com/
ODIN: https://forum.xda-developers.com/showthread.php?t=2711451

130. Forensically
Some notable items about Android devices:
There are MANY other rooting tools. Before you use any of them on an evidence phone, test it! How do you test it? Try it on non-evidence phones.

131. Now let’s see some forensics
Link Screen Capture
XML / Plist analysis
SQLite analysis

132. Clouds
What types of clouds are available?
Facebook
Google
Apple
Cellular Providers

133. Clouds
How can we get them?
Consent using the cloud interface
Cloud analyzer
Search warrant
Why are they so important? Let’s see one of my favorite ways to illustrate this. Where can we find the evidence?

134. The device
Benefits:
Proves ownership
Deleted data
Drawbacks:
Needs a warrant
May need to examine numerous devices
You need specialized software and training

135. The records
Benefits:
User can’t access them
Available for long periods of time
A lot of information
Can contain locations
Drawbacks:
Need a warrant
Not much content
All networks are different

136. The cloud
Benefits:
Hidden information
Multiple devices in one location
Some data is not controlled by the user
Drawbacks:
Needs a warrant
No deleted

137. With a warrant:

138. With a warrant:

139. My Favorite Trick:

140. Clouds
Why do we care?

141.

142.

143. Some Tips
Don’t type a report with one set of terms and then use others in court. A lot of the time in the reports, we write in very common terminology, and then try to use very formal acronyms in court. The prosecutors will get lost and have no idea what you are trying to say.

144. Some Tips
Don’t let the first time you talk to that prosecutor be on the stand. Make sure you explain this to your attorneys. They are experts in law, not forensics. We need to educate them about the topics we are going to speak about. Also, help them with the questions. They don’t know what is relevant. Help them understand. Volunteer to make them some questions. I love helping write my own questions, let’s take a look:

145. Some Tips
Be prepared. And I mean, seriously prepared. Treat every case like it is your most important. It is!!! Be able to do it without your report. I had to do that once.

146. Some Tips
Don’t let opposing attorneys get you upset. The more relaxed and professional you remain, the more it will impress the Judge and Jury. When someone starts to fight, it shows they feel threatened or like they can’t win based on facts. Remain calm, state the facts, and don’t let anyone force you to play their game.

147. Some Tips
Get your own warm-up. And it doesn’t have to be something scientific or legal. Just something that helps you prepare. For me, on the days leading up to the trial, I testify in my head while I work out. I try to make sure I know all of the details without reading that report.

148. Some Tips
And on the date of the trial, I listen to music. It lets me ignore distractions and focus. Trials are important. Not only are people counting on you to be able to get this information out, but it is a huge honor to be asked to testify, and it carries a huge burden. This is someone’s freedom; we need to make sure we are always accurate and correct. Additionally, we owe it to the victim.

149. Some Tips
Always remember, it is not our job to have someone found guilty. It is our job to seek the truth, no matter which way it goes.