11/04/2010

Cell Site Analysis as a About me

Data Mining Discipline
Sam Raincock
BSc (Hons), MSc, CCE, MBCS, CEng MIET
Expert Witness in Computing and Telecommunications and
IT Security/Investigation Specialist
 I am a computer scientist.
 Expert witness in computer and telecommunications
forensics specialising in cases involving
– Complex computer cases – network forensics, concealing
information, evaluating just what really happened.
– Complex telecoms cases – data analysis, charting behaviour,
correlating data and cell site analysis.
 IT Security, compliance and corporate investigative
services.

The Mobile Network

Introduction
• The main element of the network consists of a number of
 An overview of telecommunications. cells (transmitters) orientated around a mast. This may
be one single cell (omni-directional) or multiple cells
 What is cell site analysis?
that are arranged generally with equal spacing.
 Surely it’s just simple triangulation/intersections?
• These are controlled by a complicated system of Base
 Travelling with a phone.
Stations (manager sites) and network provider
 Static locations – what’s this got to do with data computers.
mining? • Cell on masts are arranged to provide coverage to a
 Conclusions - Computer science or telecoms? particular section around the mast – known as the sector.
• Major networks: O2, T Mobile, Vodafone have their own
cells for the GSM and 3G networks (Three has just 3G).

1

Cell site analysis
• When your telephone is connected to the network is
it connected to a cell. Cells are your phone’s
gateway on to the mobile network.
• Each cell has a unique number assigned to it known
as the Cell ID. The Cell ID is broadcast, hence, can
be detected.
• Information relating to each of the cells is stored by
the network provider:
• Type of cell
• Orientation (azimuth)
• Geographical location ……
11/04/2010
Cell Site Analysis cont.
• The problem of CSA can be reduced somewhat to – what
geographical area can the cell(s) used in past connections
(calls and SMS messages) serve (would be able to
coordinate a connection) given all the other cells also
available?
• The cells used at the time of the past connections are
stored by the network provider of the telephone.
• Purely an expert witness field – based on opinions about
how the network would behave given certain situations.
• Unable to pin-point a mobile telephone at the time
of its past connections – it’s not like The Bill.
• Experts seem to like the phrase – consistent with???
2

Surely it’s pretty easy……
• If only!
• but what about triangulation/intersection and
using all the broadcasted data?
• That’s great but unfortunately cell site analysis is mostly
about past events. This means the data is very limited –
you have the information relating to the cells used at the
time of the past connections and that’s it.
• No information about neighbouring cells in operation at
the same time.
Area of Coverage cont.
• Typically in city centres, where buildings are present and
usage is high, the coverage is lower. The formation of
streets in residential areas may cause signal strength to
vary greatly along them. It is possible that a cell could
serve at one end of a street and not be detected at the
other.
• However, in more rural areas odd behaviour can be seen.
I have measured a cell serving over 10 ½ miles away from
where it was located.
11/04/2010
Area of Coverage of a Cell
• A second 2G cell has a particular geographical area in
which it will coordinate (serve) mobile telephone
connections (given the other cells in the
environment). This is known as its serving coverage.
• A cell’s area of coverage is determined by a combination
of factors including the its orientation, the type of cell,
and the physical features in the locality (and the other
cells around it).
• Back coverage does exist but will usually not extend to a
large distance.
• The theoretical maximum coverage of a 2G cell is a
distance of 35km radiating from the centre of the site.
Cells are approximately 20km apart. Let’s say
the connection with cell 9999 occurs 20 minutes
after a connection using cell 2222. What’s
happened?
3

What about now?
Travelling
• When distances between cells are great enough, then it
may be possible to draw conclusions regarding the
travelling behaviour of the telephone based on the maps
alone.
• The number of connections and when they occurred may
assist (or not).
• 10 connections in 20 minutes perfectly fitting with
travelling from Durham to Newcastle allow us to say
much more about the evidence than 2 connections with
one using a cell in Durham and one in Newcastle.
• Orientation information of the cell and its arrangement
are also very important.
11/04/2010
….and now?
Close Proximity Locations
• Most cell site analysis is about determining behaviour in
given locations. Determining if particular cell(s) of
interest (those used at the time of past connections)
would be able to serve connections in those location(s)
(given consideration to the other cells).
• Usually this involves a scene of the crime and a location
where the defendant(s) state they were. Cell site analysis
is used to determine if (n)either or both of the locations
are consistent with the network behaviour in those
locations.
• For example, connections at 00:20 and 00:25 used the
cells 9999 and 8888. Visits would be made to the scene
and defence location to determine how the network
behaves in those locations.
4
 11/04/2010

Network Readings What is the data?

• How the network behaves? - take readings. Serving Signal Other cell Neighbour 1 Signal Other
Cell ID Strength info Cell ID Strength info
• Network readings are taken with specialist handsets such (dBm) (dBm)
as Nemo. These allow data relating to the cell that is 9999 -85 Penalties 2222 -95 Penalties
serving as well as the neighbouring cells.
• These handset produce data:
• The handset displays the current network data (partial amounts). • Signal strength is given in dBm. The more negative the
• The handset logs the data for further analysis.138169 less detected signal strength.
• For those engineers – the signal strength uses a
logarithmic scale meaning that an increase in 10
equates to 10 times the signal strength. E.g. -85 is 10
times the signal strength of -95 dBm.

Data Mining Data Example

• When monitoring the network using a network Serving Signal Neighbour 1 Signal Neighbour 2 Signal
monitoring device, data points are created at least every Cell ID Strength Cell ID Strength Cell ID Strength
(dBm) (dBm) (dBm)
second. This results in a lot of data which could contain
9999 -85 2222 -95 8888 -90
unknown patterns not discovered by observing the
handset. 9999 -88 2222 -90 8888 -88
• Can you observe 10 things at once? 9999 -89 2222 -87 8888 -86
• What about needing the data from other screens at the same time 9999 -87 2222 -82 8888 -86
as observing these 10 events?
• What’s the issues with monitoring for a few minutes? • If merely the serving cells are examined then only 9999
• Data mining – a process that extracts patterns from data. served in the location. However, if the data from the other
A process in which data is transferred into information. cells are analysed then some interesting possibilities begin
to become apparent……

5
 11/04/2010

Hand-overs Data Example

• Hand-overs – change in serving cell. 0
-10 0:00 0:05 0:10 0:15
• In a static location you may have multiple cells that
-20
can serve in that location.
-30
• This means that they could coordinate the connection at Cell 1
the time of the past connections you are analysing. -40
Cell 2
• Yes, you definitely can get a change in serving cell even -50
Cell 3
when you are standing still. -60
Cell 4
-70
-80
-90
-100

It all seems obvious to me…. More complications

• What about when you’ve 5,000 lines of data and information relating
to 10 cells in each line?
• The variability of the network is huge – a whole different lecture!
• Hand-overs are complex things. They are calculated by two
algorithms – one for cells with strengths under -85 dBm and the
other over this strength.
• These mean that not always the cell with the best signal strength
will serve at a given time.
• Why? Well if it wasn’t like this you would have too many changes
which would be a large stress on the system.
• Also other factors in the algorithm such as penalty information to
try to manipulate where cells will serve.
• Often trying to replicate past events – landscape changes,
football match, weather conditions, network set up
changes!
• Different types of cells provide different coverage.
• Only possible to state if a particular location is consistent
(there’s that ambiguous word again!) with how the network
behaves – very difficult to conclusively rule out a given
location if close to the cell of interest.
• Can not give a probability of how likely it is the cell would
serve.
• Cell site analysis can not pin-point a telephone.

6

3G Cell Site Analysis
More headaches…….add a variable network to the
equation………….
So why bother?
• CSA is very good at demonstrating when telephones
are congregating in an area or a telephone is
travelling.
• It also allows assessments of evidence. An alleged
scene location can be assessed as well as a defence
location to determine if both are viable locations for
the telephone.
• However, it is only ever (and should only ever be
used as) circumstantial evidence.
11/04/2010
Problems with Current Analysis
• Current Cell Site Analysis is often perform via a brief
observation of the data on the handset.
• Where data is collected it is usually for a maximum of 5
minutes in duration meaning it may not encapsulation the
variability of the network.
• It’s definitely variable – black spots in the kitchen?
• In past cases I have worked on further data collection and
analysis using basic techniques has negated previous opinions
or made stronger cases than originally posed.
• Very important to get this right– CSA is often used in Murder
and high penalty cases.
Computer Science or Telecoms?
• You could think of the problem of cells being match sticks……..
• My research shows that cell site analysis should utilise data
analysis techniques (be it databases, visualisation etc.) but
currently it isn’t making use of everything this area has to
offer. Hence, all of the available information isn’t been
discovered and incorrect conclusions/opinions are often
formed.
• Incorrect conclusions/opinions can be made if inadequate
data analysis or capture; and in some cases virtually no data at
all!
• 25 years is a long time…………
7
 11/04/2010

Computer Science or Telecoms? Questions

• Collection of data
• Analysis of connection behaviour  Contacts:
• Algorithms – http://www.raincock.co.uk
• Analysis of patterns in data – Telephone: 07908 138169
– sam@raincock.co.uk

• Trust a computer science to make a subject involve

computers! However, CSA lends itself to utilising
computer science techniques to produce a scientific
process and more importantly a scientific analysis!