forensic cell site analysis: mobile network operator evidence integrity maintenance ... · 2020. 5....

Journal of Digital Forensics, Journal of Digital Forensics, Security and Law Security and Law

Volume 14 Number 2 Article 5

6-30-2019

Forensic Cell Site Analysis: Mobile Network Operator Evidence Forensic Cell Site Analysis: Mobile Network Operator Evidence Integrity Maintenance Research Integrity Maintenance Research

John B. Minor [email protected]

Follow this and additional works at: https://commons.erau.edu/jdfsl

Part of the Computer Law Commons, and the Information Security Commons

Recommended Citation Recommended Citation Minor, John B. (2019) "Forensic Cell Site Analysis: Mobile Network Operator Evidence Integrity Maintenance Research," Journal of Digital Forensics, Security and Law: Vol. 14 : No. 2 , Article 5. Available at: https://commons.erau.edu/jdfsl/vol14/iss2/5

This Article is brought to you for free and open access by the Journals at Scholarly Commons. It has been accepted for inclusion in Journal of Digital Forensics, Security and Law by an authorized administrator of Scholarly Commons. For more information, please contact [email protected].

(c)ADFSL

http://commons.erau.edu/jdfslhttp://commons.erau.edu/jdfslhttps://commons.erau.edu/jdfslhttps://commons.erau.edu/jdfslhttps://commons.erau.edu/jdfsl/vol14https://commons.erau.edu/jdfsl/vol14/iss2https://commons.erau.edu/jdfsl/vol14/iss2/5https://commons.erau.edu/jdfsl?utm_source=commons.erau.edu%2Fjdfsl%2Fvol14%2Fiss2%2F5&utm_medium=PDF&utm_campaign=PDFCoverPageshttp://network.bepress.com/hgg/discipline/837?utm_source=commons.erau.edu%2Fjdfsl%2Fvol14%2Fiss2%2F5&utm_medium=PDF&utm_campaign=PDFCoverPageshttp://network.bepress.com/hgg/discipline/1247?utm_source=commons.erau.edu%2Fjdfsl%2Fvol14%2Fiss2%2F5&utm_medium=PDF&utm_campaign=PDFCoverPageshttps://commons.erau.edu/jdfsl/vol14/iss2/5?utm_source=commons.erau.edu%2Fjdfsl%2Fvol14%2Fiss2%2F5&utm_medium=PDF&utm_campaign=PDFCoverPagesmailto:[email protected]://commons.erau.edu/http://commons.erau.edu//creativecommons.org/licenses/by-nc-nd/4.0//creativecommons.org/licenses/by-nc-nd/4.0/

Forensic Cell Site Analysis... JDFSL V14N2

FORENSIC CELL SITE ANALYSIS:MOBILE NETWORK OPERATOR

EVIDENCE INTEGRITY MAINTENANCERESEARCH

John B. Minorjohnbminor.com

[email protected]

ABSTRACT

Mobile Network Operator (MNO) and Mobile Virtual Network Operator (MVNO) evidencehave become an important evidentiary focus in the courtroom. This type of evidence isroutinely produced as business records under U.S. Federal Rules of Evidence for use in theemerging discipline of Forensic Cell Site Analysis. The research was undertaken to determineif evidence produced by operators should be classified as digital evidence and, if so, whatevidence handling methodologies are appropriate to ensure evidence integrity. This researchproject resulted in the creation of a method of determining if business records producedby MNO/MVNO organizations are digital evidence and whether evidentiary integrity ismaintained in the conveyance of evidence between MNO/MVNO records custodians, lawenforcement investigators and attorneys in criminal and civil cases. Block-chain basedDistributed Ledger Technology was examined as a feasible evidence integrity maintenancesolution.

Keywords: Distributed Ledger Technology, DLT, Block-chain, Openchain, Charging DataRecords, Call Data Records, Call Detail Records

1. INTRODUCTION

A cell phone subscription in the United Statesis activated with either a Mobile NetworkOperator (MNO) or Mobile Virtual NetworkOperator (MVNO), which includes a varietyof business models variously termed VirtualNetwork Operator or Mobile Other LicensedOperator. MNO/MVNO subscriber activityrecords, technically defined in 3G standardsas Charging Data Records, are “a formattedcollection of information about a chargeableevent (e.g. time of call set-up, duration of the

call, amount of data transferred, etc) for usein billing and accounting” (ETSI, 2015) andcommonly referred to as Call Detail Records(CDR), fall into a class of evidence calleddigital evidence. This type of evidence hastraditionally been introduced in the court-room as business records evidence. Citingthe Federal Rules of Evidence, Rule 803, ex-ceptions to the rule against hearsay, courtshave, with rare exception, accepted CDRs asbusiness records evidence. FRE 803 states inpart:

c© 2019 ADFSL Page 59

JDFSL V14N2 Forensic Cell Site Analysis...

“The following are not excluded by the ruleagainst hearsay, regardless of whether thedeclarant is available as a witness:”. . .(6) Records of a Regularly Conducted Ac-tivity. A record of an act, event, condition,opinion, or diagnosis if:

• (A) the record was made at or near thetime by—or from information transmit-ted by—someone with knowledge;

• (B) the record was kept in the courseof a regularly conducted activity of abusiness, organization, occupation, orcalling, whether or not for profit;

• (C) making the record was a regularpractice of that activity;

• (D) all these conditions are shown by thetestimony of the custodian or anotherqualified witness, or by a certificationthat complies with Rule 902 (11) or (12)or with a statute permitting certification;and

• (E) the opponent does not show that thesource of information or the method orcircumstances of preparation indicate alack of trustworthiness.”

the records should be subject to the same fun-damental evidence handling standards andrules as any other digital evidence.

The research for this project is basedupon patented scientific concepts and peer re-viewed research as well as standards derivedfrom the 3rd Generation Partnership Project(3GPP), International Organization for Stan-dards (ISO), European TelecommunicationsStandards Institute (ETSI) and the Inter-net Engineering Task Force (IETF), The 5GPublic Private Partnership (5G-PPP), theAmerican Society for Testing and Materials(ASTM) and the Institute of Electrical andElectronics Engineers (IEEE) .

1.1 Digital Evidence Test

A four-part test was devised and applied toMNO/MVNO evidence to determine if thistype of evidence should be subject to digi-tal evidence handling and analysis standards.The devised test is as follows:

• Is mobile network subscriber communica-tions activity record keeping a computerdriven digital process?

• Are subscriber communications activityrecords maintained by MNOs/MVNOsand extracted for litigation purposes clas-sified as digital evidence?

• Is this type of evidence subject to digitalevidence handling standards?

• Do the same rules for spoliation deter-mination apply to this type of evidence?

When applied to a control group ofMNO/MVNO records produced as evidencefrom a pool of 100 civil and criminal casesthe four-part test resulted in a positive deter-mination that this class of evidence is indeeddigital evidence.

This conclusion led to an evidence spolia-tion analysis of the control group of evidence,

Note that under rule 803, (6), Records of a Regularly Conducted Activity, MNO/MVNO produced evidence including Call Detail Records and other records meet the require-ments as business records, if, according to (6)(E) the opponent does not show that the source of information or the method or cir-cumstances of preparation indicate a lack of trustworthiness. (Federal Rules of Evidence, 2019) This analysis will test the trustworthi-ness of MNO/MVNO records production as business records under FRE803(6)(E).

The key questions that this research anal-ysis project seek to answer are: 1) whether MNO/MNVO records should be recognized by courts as digital evidence and 2) whether

Page 60 c© 2019 ADFSL


consisting of over 700 evidence items, to de-termine if any evidence items were taintedduring initial production and postproductionconveyance between parties.

1.2 Evidence Spoliation/TaintAnalysis

The evidence spoliation analysis consisted ofa multi-part test applied to determine if anyevidence items exhibit positive indications forspoliation. The test was designed to answerthe following questions:

• Is chain of custody documentationpresent for the conveyance from the pro-ducing MNO/MVNO to recipient(s)?

• What are the metadata creation andmodification dates of each evidence arti-fact received?

• Is a modification date present indicatingpost creation modification to the evi-dence artifact?

• What are the metadata creation datesand authorship of the content of eachevidence artifact?

• Is a modification date present indicatingpost creation modification to the evi-dence artifact and by whom?

• Has all metadata been removed from anyanalyzed evidence artifact?

• Is a verification function cryptographichash value present for the originalproduction evidence artifacts (ASTM,2018)?

2. BACKGROUND

Mobile Network Operators (MNO)/MobileVirtual Network Operators (MVNO) ini-tiated subscriber activity tracking for

billing purposes when analogue cellular waslaunched in 1979. In 1996, the Federal Com-munications Commission (FCC) issued anorder for the Enhanced 911 initiative, aug-menting mobile network billing records to in-clude location information. Phase 1 requiredthat the location of the cell site to which asubscriber device was registered during com-munications be documented as part of therecord keeping process.

Multiple technologies are utilized withinmobile networks including radio frequencyisotropic propagation technologies, PublicSwitched Telephone Network (PSTN) com-munications standards-based technologies,patented communications flow technologies,and a variety of data recording and gather-ing technologies. This section will not at-tempt to reiterate the corpora addressing theMNO/MVNO technology layers utilized inwhat are commonly referred to as 1G, 2G,3G, 4G and 5G cellular communications butrather will address the science and methodol-ogy more directly applicable to the account-ing and billing for subscriber communicationsactivities of a mobile phone.

CDRs as evidence were made availablefrom MNO/MVNO in response to the Com-munications Assistance for Law EnforcementAct (CALEA) (1994), Wireless Communi-cation and Public Safety Act (911 Act)and Electronic Communications Privacy Act(ECPA) (1986) acts. This type of evidencehas become an important evidentiary focusin the courtroom.

In the late twentieth century, Mobile Net-work Operators (MNO)/Mobile Virtual Net-work Operators (MVNO) began to producesubscriber device activity records, otherwiseknown as, Call Detail Records (CDR)/CellSite Location Information (CSLI) as evidencein response to subpoena, search warrants andcourt orders. The primary focus of the anal-ysis of this type of evidence is two-fold: 1)analysis of who was communicating with the



subscriber and 2) where the subscriber devicewas located during communications.

2.1 Forensic Cell Site Analysis

Forensic cell site analysis is a developingforensic analysis discipline requiring founda-tion knowledge of mobile network infrastruc-ture and operations as well as an ability toanalyze and interpret Call Detail Record/-Cell Site Location Information (CDR/CSLI)and other Mobile Network Operator (MNO)produced evidence. Forensic cell site anal-ysis is a complex field incorporating radio,atmospheric, photonic, wave propagation,metrology and computer sciences, and is pri-marily reliant on human estimations aidedby network testing, basic mapping, spread-sheet and word processing software tools.Under-developed algorithms embedded in au-tomated tools currently used to process ev-idence and perform a preliminary analysishave resulted in a developing analysis capa-bility in its nascent stage. Deficiencies inknowledge, skills and abilities (KSAs) or er-rors in algorithms, tools, and processes leadsto incorrect findings, hence the necessity forstandard analysis, validation and error miti-gation protocol development. The scientificdisciplines upon which forensic cell site anal-ysis is dependent are often interlaced in com-plex scenarios due to various factors includ-ing:

• MNO infrastructure conditions and uti-lization loading.

• Cell site to mobile switching core back-haul issues.

• Subscriber and public event crowd be-havior.

• Atmospheric events.

• Global network cyber-security events.

Basic understanding of the following areas ofscience should be requisite to every practi-tioner’s KSAs.

2.2 Radio Science

Radio science is central to forensic cell siteanalysis despite the fact that typically lessthan 5% of the communications path betweensubscriber device and mobile switching coreconsists of a radio connection. Radio fre-quencies in use, communications technologiesutilized, electromagnetic radiation physics,antenna radiation behaviors and other fun-damental radio issues must be consideredduring an analysis.

2.3 Atmospheric Science

Atmospheric science impacts the airgap ofmobile network linkage between subscriberdevice and cell site. Antenna radiationpattern and sizing in mobile subscriber de-vices such as cell phones and mobile net-work access points (Base Transceiver Station,NodeB, eNodeB, gNodeB) may be affectedby heightened solar activity, certain precipi-tation events, lightning strikes or near strikes,and extremely high winds often affect mobilenetwork operation and radio signal propaga-tion. Atmospheric impact can reduce, block,destabilize or skew cell site coverage.

2.4 Photonic Science

Photonic science is the foundation of thecommunications transportation infrastruc-ture utilized in the remaining 95% of thecommunications path between subscriber de-vice and mobile switching core. Interruptionor congestion in segments of the photonic net-work used as backhaul between cell sites andmobile switching core may disrupt or reroutecommunications, resulting in intermittent re-pathing, often manifested as slowdowns orinterruptions in mobile communications thatresult in dropped calls, out of sequence com-munications events, or other anomalies.



2.5 Wave Propagation Science

Wave propagation science has a direct bear-ing on how radio signals propagate betweensubscriber device and cell site. The wave func-tion is a key feature of quantum mechanicsand radio wave scintillations including reflec-tion, diffraction, refraction, absorption andother scattering of radio signal propagationat various frequencies, affected by objects inthe path between a subscriber device andcell site, determine the extent and quality ofcell coverage. Defined as manmade or nat-urally occurring objects varying in densityand height, morphologies include vegetal, ge-ographic, building or other structures, streets,waterways, and much more. Morphologiesimpact wave propagation and thereby cell sitecoverage. Antenna wave propagation behav-iors must be considered during an analysis.

2.6 Metrology Science

Metrology, the science of measurement, isutilized in forensic cell site analysis to elevatethe accuracy of analytical outcomes. An obvi-ous example is the use of time and frequencymetrology in performing radio surveys formobile network testing. The units of mea-surement result in a standard, meaningfulmeasurement of mobile network element per-formance and impact the radio link analysisbetween subscriber device and cell sites.

The photonic backhaul link between themobile network cell site and the mobile net-work core is similarly subjected to link in-tegrity quantification.

Location determination technologies uti-lized by mobile network operators to geolo-cate a subscriber device, the algorithms forwhich utilize a variety of measurements, of-fer another example of how the science ofmetrology influences forensic cell site analy-sis outcomes.

Standardized measurement units are criti-cal to experimental and theoretical determi-

nations. Metrology establishes a standardmeasurement basis for discussion of analysisoutcomes and resulting opinions.

From the evaluation of communicationssession metadata to radio frequencies in useduring communications, time and frequencymetrology plays a primary role in forensiccell site analysis.

The airgap between mobile network sub-scriber device and cell site consists of lessthan 5% of the path to the mobile net-work core. The measurement of variousradio signal parameters and the associatedformulae for determining cell site coverage,quality of service, handoff, and likelihoodof service outages are critical to determin-ing analysis outcomes and the formation ofexpert opinions. Examples include use ofseveral formula models including Okumura–Hata Model, COST 231–Walfisch–IkegamiModel, COST 207 GSM Model, ITU-R Mod-els, 3GPP Spatial Channel Model, ITU-Advanced Channel Model, and 802.15.4aUWB Channel Model to determine pathloss.

Dimensional Metrology is the science ofusing measurement equipment to quantifythe distance from an object. Examples of theuse of measurement equipment in forensiccell site analysis illustrate this usage.

Subscriber device location quantification inforensic cell site analysis is dependent uponlocation determination technology rangingfrom highly accurate, finite location deter-mination to wide-ranging, general locationdetermination.

Radio surveys of the network segments un-der analysis, utilizing radio survey methodolo-gies including idle mode and dynamic mode,and specific location, cell, and wide area map-ping utilize precise dimensional metrology todetermine handoff zones, sector coverage lim-its, and mobile network void coverage bound-aries.


Forensic Cell Site Analysis...

2.8 MNO/MVNOCharging/Billing

Architecture

Mobile network subscriber activity recordsare created during the usage of a subscriberdevice, while registered to the MNO/MVNOinfrastructure and during communicationssessions transporting voice calls, SMS textmessages and data usage. Multiple mobilenetwork elements, including Home LocationRegister (HLR), Visitor Location Register(VLR), Charging Gateway Function (CGF),and Policy and Charging Rules Function(PCRF) are tasked with documenting deviceusage and sending the activity records to aBilling/Charging Gateway and subsequentlyon to the Billing Domain, thereby creatingrecords that become the basis of customerbilling.

Charging Data Records, known as CallDetail Records (CDRs), are subscriber com-munications activity records produced fromthe billing information database and are typ-ically considered to be higher accuracy ac-counts of device usage than a cell phone bill,e.g. metadata time stamp accuracy to thesecond rather than rounded to the minute,etc.

The functional output of the charging/-billing architecture has remained fundamen-tally the same during the evolution from 2Gto 5G. The result has been highly accuraterecordkeeping of subscriber activities duringcommunications sessions, absent any errorsin recordkeeping resulting from network docu-mentation or functionality issues, network orbilling domain configuration errors, or datastorage failures.

A logical diagram of 2G, 3G, 4G and 5G ar-chitecture including an overview of the basicnetwork elements and reference connectivityto the billing domain elucidates the conceptthat mobile networks are complex systems.These systems require significant knowledge

JDFSL V14N2

Optical metrology is the science and tech-nology of measurements with photons. In forensic cell site analysis 95% of the commu-nications linkage between subscriber device and mobile switching core is composed of pho-tonic links. Understanding the measurement unit and normal link loss over segments of the photonic networks employed to transport communications sessions for a subscriber de-vice on the mobile network is essential to calculating probabilities of network latency issues that may cause dropped calls, out of sequence text messaging, and other irregular-ities in communications sessions.

Metrology assists decision making in the analytical process by quantifying measure-ments and depending on type I (false posi-tive) and type II (false negative) error rate determination.

Systematic errors usually originate within test and measurement instruments and occur due to instrument malfunction or improper use. Random errors occur by unknown and of-ten unpredictable factors such as atmospheric conditions or morphologies introducing reflec-tion, refraction or absorption of radio signals.

2.7 Computer ScienceComputer science is fundamental to how the network elements that comprise the mobile network function and how accurately the MNO/MVNO subscriber device activities are logged to eventually become evidence in crim-inal or civil litigation. A thorough under-standing of the Transmission Control Pro-tocol/Internet Protocol, addressing schemes, composition of the Internet including network elements, switched packet flow, and routing protocols is essential to understanding both computer and photonic sciences. An under-standing of peering, transit and service level agreements enhances understanding and lu-cidity regarding potential pathing issues that sometimes result in communications session sequencing irregularities.



by analysts of the differences and complexi-ties within each network generation.

The CDRs are extracted from largerdatabase systems within the mobile net-work charging/billing infrastructure. Theintegrity of evidence extracted from this datarepository is dependent upon the extractionmethodology employed by mobile networklegal production personnel and the handlingof the evidence post extraction. Mobile

network records custodians do not produceany chain of custody documentation, how-ever, in many instances the records custodianprepares a notarized certification of records,indicating, for example, that “such recordswere kept in the course of regularly conductedbusiness activity”, that “the business activitymade such records as a regular practice” andthat “if such record is not the original, suchrecord is a duplicate of the original”. Typi-cally, the certification letter lists the phonenumber(s) and start and end dates of recordsproduced without listing, by name or othermeans, the digital evidence items accompa-nying the certification.

Various other records are also maintainedby various MNO/MVNO departments includ-ing billing records, network maintenance logs,real time and near real-time subscriber de-vice location tracking logs, cell site databaserecords that include technical data abouteach access point in the mobile network, con-figuration data regarding how the mobile net-work is configured, mobile network radio sur-vey or drive test data, key performance in-dicator data that exhibits the coverage andhealth of the mobile network and other tech-nical information about subscriber activitiesor network conditions. All records, apartfrom handwritten logs from physical cell siteaccess, of maintenance, upgrade and repairpersonnel, are digital in origin and should beconsidered digital evidence when producedin court as evidence.

In the digital forensic science discipline,digital evidence obtained from sources includ-ing computer hard drive evidence and mobiledevice (cell phone), is preserved using a chainof custody methodology and must be provenidentifiable as true to the original evidenceproduced to avoid preclusion by the courts.Digital evidence integrity is assured with ver-ification of metadata creation and modifica-tion date/time preservation along with verifi-cation function cryptographic checksum hash-ing of each digital evidence item.

The International Organization of Stan-dards (ISO) and the Internet EngineeringTask Force (IETF) have published standardsfor the acquisition, preservation and handlingof digital evidence, including the establish-ment of chain of custody and evidence ver-ification function. The National Instituteof Standards and Technology (NIST) andthe American Society for Testing and Mate-rials (ASTM) International have publishedextensive forensic evidence guidance and stan-dards documents for the acquisition, valida-tion and analysis of computer and cell phoneevidence. Curiously absent are standards forthe handling, validation or error mitigationof CDR/CSLI evidence in any of the afore-mentioned standards bodies.

A method of validating cellular carrierrecords for forensic cell site analysis is definedin United States Patent US9113307 (Minor,2015). Research has demonstrated that amethod for validation and error mitigationof MNO/MVNO evidence should be utilizedto accurately complete a forensic cell siteanalysis (Minor, 2017). As a prefatory toperforming validation and error mitigationof a forensic cell site analysis, an examina-tion of the condition of the MNO/MVNOevidence is an important step that should beperformed prior to proceeding with analysis,validation and error mitigation steps.



Figure 1. 2G-3G-4G-5G Mobile Network / Charging/Billing Architecture

2.9 Mobile Network Toll &Call Data Records Are a

Computer Driven Process

Other records are produced byMNO/MVNO include a variety of logs,technical configuration data for segmentsof the mobile network, test data from radiosurvey results, and billing records.

The basis for all mobile network CDRs is the toll or billing record database sourced from the MNO/MVNO charging/billing system. The CDR is the primary subscriber record produced for criminal and civil cases.



2.10 Charging and BillingSystem

The MNO/MVNO charging/billing sys-tem necessarily maintains careful account-ing of subscriber communications activi-ties. The charging/billing system of eachMNO/MVNO is operated according to stan-dards established by a variety of organiza-tions, including national and internationalbodies.

Charging Data Records, commonly knownas Call Detail Records (CDRs) are main-tained and produced from a standards baseddata flow to the Charging Gateway Func-tion and into the CDR database in a formatestablished by standards.

2.11 3GPP/ETSI Standards

One of the applicable standards relatedto billing and charging functionality, for ex-ample, are specified within 3GPP TS 32.299V12.6.0 (2014-10)(ETSI, 2014) 3rd Genera-tion Partnership Project; Technical Specifi-cation Group Service and System Aspects;Telecommunication management; Chargingmanagement; Diameter charging applications(Release 8). These standards among othersare followed by MNO/MVNO in the UnitedStates and virtually all other MNO/MVNO.

The 3rd Generation Partnership Project(3GPP) – European TelecommunicationsStandards Institute (ETSI) TS 32.297 v13.2.0(2016-06) standard addresses Charging man-agement; Charging Data Record (CDR) fileformat and transfer, thereby clearly demon-strating that MNO/MVNO records are digi-tal evidence.

In Chapter 6 of TS 32.297 v13.2.0, CDRfile format specification, 6.1.1.0, General, theexact format of the CDR file header is givenin table 6.1.1.1. This record keeping formatis indicative of entirely digital content. Notethat timestamps, file sequence numbers and

other important information is maintained,according to this standard. (ETSI, 2016)

The following table, from chapter 6, providesthe data repository record layout for CDRdata:

Table 6.1.1.0.1: Format of CDR file header(p.21)

CDRs are addressed extensively in the fileheader and a variety of key indicators of thedigital nature of this record keeping activityincludes timestamp metadata, record num-bers, file sequence numbers, record exten-sion information and IP addressing of thenode generating the CDR file. The specifica-tion concisely addresses how information isrecorded and integrity is maintained.

Metadata timestamps include when a CDRfile was opened, the local time differential off-set from Universal Coordinated Time (UTC),append and closure times.

Information integrity is addressed in thisformat standard including number of CDRsin a file, file sequence numbers, file closuretriggering and reasons for closure.

Finally, the specification provides for theIP address of the Charging Gateway Func-tion creating the CDR file and a Lost CDRIndicator providing traceability of any errorconditions detected.

The specification continues below (p.22):



6.1.1.5 File opening timestamp Theseparameters indicate the time when the filewas opened, according to the following binaryformat:- The first four binary bits indicate the month(1 .. 12), according to the CGF’s(ETSI, 2005)local time zone;- The next five binary bits contain the date(1 :: 31), according to the CGF’s local timezone;- The next five binary bits contain the hour(0 .. 23), according to the CGF’s local timezone;- The next six binary bits contain the minute(0 .. 59), according to the CGF’s local timezone;- The next bit indicates the sign of the localtime differential from UTC (bit set to “1”expresses ”+” or bit set to ”0” expresses ”-”time deviation), in case the time differentialto UTC is 0 then the sign may be arbitrarilyset to ”+” or ”-”;- The next five binary bits contain the hour(0 .. 23) deviation of the local time towardsUTC, according to the CGF’s local time zone;- The next six binary bits contain the minute(0 .. 59) deviation of the local time towardsUTC, according to the CGF’s local time zone;Note that the CDR file name contains de-tailed date and time information related tofile closure (see clause 6.2)

taining more CDRs than represented by thatvalue) and shall therefore not be used.

6.1.1.8 File sequence number This pa-rameter is a value in binary that contains arunning number of the CDR file generatedby the same CGF. The first file of a CGF isindicated by the value ”0”. When the max-imum number of file is reached (all bits setto “1”), the sequence shall be restarted with”0”.

6.1.1.9 File closure trigger reason Thefile closure reason provides a means to deter-mine the reason that the file was closed bythe CGF. It is encoded as a single octet asfollows:Normal closure reasons (Binary values 0 to127):0 = Normal closure (Undefined normal clo-sure reason).1 = File size limit reached (OAM&P config-ured).2 = File open-time limit reached (OAM&Pconfigured).3 = Maximum number of CDRs in filereached (OAM&P configured).4 = File closed by manual intervention.5 = CDR release, version or encoding change.6 to 127 are reserved for future use.Abnormal closure reasons (Binary values 128to 255):128 = Abnormal file closure (Undefined errorclosure reason).129 = File system error.130 = File system storage exhausted.131 = File integrity error.132 to 255 are reserved for future use.

6.1.1.10 Node IP address This param-eter indicates the IP address of the CGFgenerating the file. For both IPv4 and IPv6CGF addresses, the parameter is encodedin IPv6 representation. The first four bytesof the parameter, which are [preceding] thisIPv6 address, are insignificant, e.g. filledwith ’FF’.

6.1.1.6 Last CDR append timestamp This parameter is formatted the same as in clause 6.1.1.5, and indicates the time when the last CDR was appended to the file in UTC format. In case of an empty file (i.e. no CDRs included), the value of the parameter is ”0”.

6.1.1.7 Number of CDRs in file This parameter contains a binary value that spec-ifies the total number of CDRs that are in-cluded in the file.The value with all bits set to “1” is reserved for future extensions (e.g. for CDR files con-



6.1.1.11 Lost CDR indicator This pa-rameter indicates if and how many CDRswere lost during their processing in the CGF(see clause 5.1.1). The term ”lost” impliesthat the CDR(s) could not be placed into thedestination file due to irrecoverable errors.

Due to the possibility that the irrecoverableCDR errors may have impacted CDR param-eters that are relevant for CDR routeing, itis possible that the CGF cannot determinefor a particular file whether CDRs have beenlost. Appropriate indication shall be givenaccording to the following encoding of the”lost CDR indicator”.

- MSB bit “0”, all other bits “0”: no CDRshave been lost;

- MSB bit “0”, all other bits set to a valuecorresponding to decimal 1 to decimal 126:CGF has identified that a number of CDRscorresponding to the value of the lower 7 bitswere lost, while it is unknown whether moreCDRs were lost;

- MSB bit “0”, all other bits set to “1”: CGFhas identified that 127 or more CDRs werelost, while it is unknown whether more CDRswere lost;

- MSB bit “1”, all other bits “0”: CDRshave been lost but CGF cannot determinethe number of lost CDRs;

- MSB bit “1”, all other bits set to a valuecorresponding to decimal 1 to decimal 126:CGF has calculated the number of lost CDRsas indicated in the value of the lower 7 bits;

- MSB bit “1”, all other bits set to “1”: CGFhas calculated the number of lost CDRs tobe 127 or more.” (ETSI, 2016)

2.12 Digital EvidenceIntegrity Maintenance

Standards

ISO (The International Organization forStandardization) and IEC (The InternationalElectrotechnical Commission) form the spe-

cialized system for worldwide standardiza-tion. National bodies that are members ofISO or IEC participate in the developmentof International Standards through techni-cal committees established by the respectiveorganization to deal with specific fields oftechnical activity. (ISO, 2012)

ISO 27037, Section 5.4, titled “Digital ev-idence handling processes”, Section 6 titled“Key components of identification, collection,acquisition and preservation of digital evi-dence”, and Section 6.1, titled “Chain of cus-tody” (ibid), address the global standardsfor digital evidence handling including collec-tion, acquisition, preservation and chain ofcustody.

The introduction to ISO 27037 states inpart . . . “These processes are required inan investigation that is designed to main-tain the integrity of the digital evidence – anacceptable methodology in obtaining digitalevidence that will contribute to its admissibil-ity in legal and disciplinary actions as well asother required instances. This InternationalStandard also provides general guidelines forthe collection of non-digital evidence thatmay be helpful in the analysis stage of thepotential digital evidence.”

The standard continues with the follow-ing statement: “This International Standardalso intends to inform decision-makers whoneed to determine the reliability of digitalevidence presented to them. It is applicableto organizations needing to protect, analyzeand present potential digital evidence.” . . . ”Due to the fragility of digital evidence, it isnecessary to carry out an acceptable method-ology to ensure the integrity and authenticityof the potential digital evidence.”

Under Section 1, Scope, the standard de-lineates applicable devices as ” . . . devicesand/or functions that are used in variouscircumstances:

— Digital storage media used in standard com-puters like hard drives, floppy disks, optical



and magneto optical disks, data devices withsimilar functions,

— Mobile phones, Personal Digital Assistants(PDAs), Personal Electronic Devices (PEDs),memory cards,

— Mobile navigation systems,

— Digital still and video cameras (includingCCTV),

— Standard computer with network connec-tions,

— Networks based on TCP/IP and other digi-tal protocols, and

— Devices with similar functions as above.”

MNO/MVNO networks are a composite ofseveral of the listed devices including “net-works based on TCP/IP and other digitalprotocols”, “digital storage media used instandard computers”, “mobile navigation sys-tems”, “mobile phones, personal digital as-sistants”, “standard computer with networkconnection”, and “devices with similar func-tions as above”.

Under Section 3, Terms and Definitions,several definitions were found to be relevantto this analysis, including:

“3.1 acquisition

process of creating a copy of data within adefined set Note 1 to entry: The product ofan acquisition is a potential digital evidencecopy.”

“3.5 digital evidence

information or data, stored or transmittedin binary form that may be relied on as evi-dence”

“3.6 digital evidence copy

copy of the digital evidence that has beenproduced to maintain the reliability of the ev-idence by including both the digital evidenceand verification means where the method ofverifying it can be either embedded in or in-dependent from the tools used in doing theverification”

“3.1 preservation

process to maintain and safeguard the in-tegrity and/or original condition of the po-tential digital evidence”

“3.19 spoliation

act of making or allowing change(s) to thepotential digital evidence that diminishes itsevidential value”

“3.22 timestamp

time variant parameter which denotes a pointin time with respect to a common time refer-ence

[SOURCE: ISO/IEC 11770-1:1996]”

“3.25 verification function

function which is used to verify that two setsof data are identical

Note 1 to entry: No two non-identical datasets should produce an identical match froma verification function.

Note 2 to entry: Verification functions arecommonly implemented using hash functionssuch as MD5, SHA1, etc., but other methodsmay be used.”

ASTM International establishes that “con-fidence in digital and multimedia evidenceforensic results is best achieved by using anerror mitigation analysis approach that fo-cuses on recognizing potential sources of errorand then applying techniques used to miti-gate them, including trained and competentpersonnel using tested and validated methodsand practices”. (ASTM, 2018)

All MNO/MVNO networks are pervasivelyintegrated into the network of networks com-monly called the Internet. Voice, text anddata communications over the cellular net-work traverse the Internet from cell sites toMNO/MVNO network core (Cisco, 2011).

The Scientific Working Group on DigitalEvidence (SWGDE) discipline guidance inRecommendations for Cell Site Analysis con-firms that “if use of the records [CDRs] incourt is anticipated, it is important to pre-pare to meet any applicable rules of evidencerequirements”. (SWGDE, 2017)



The Internet Engineering Task Force(IETF) provides guidance and standardiza-tion for handling digital evidence in RFC3227. The standard states in part “. . . youshould consider generating checksums andcryptographically signing the collected evi-dence, as this may make it easier to preservea strong chain of evidence. In doing so youmust not alter the evidence.” (IETF, 2002)

The National Institute of Standardsand Technology (NIST), in the publica-tion “Guidelines on Mobile Device Forensics”(NIST, 2007), verifies that all digital evidencemust be handled using an appropriate chainof custody and a forensic hash validation ofthe evidence. NIST defines each of the pro-cedures as follows:

• “Forensic Hash Validation: A forensichash is used to maintain the integrity ofan acquisition by computing a crypto-graphically strong, non-reversible valueover the acquired data. After acquisition,any changes made to the data may be de-tected, since a new hash value computedover the data will be inconsistent withthe old value. For non-forensic tools,hash values should be created using atool such as sha1sum and retained for in-tegrity verification. Even tools labelledas forensic tools may not compute a cryp-tographic hash, and (in these cases anintegrity hash should be computed sepa-rately).”

• “Chain of Custody – A process thattracks the movement of evidence throughits collection, safeguarding, and analy-sis lifecycle by documenting each personwho handled the evidence, the date/timeit was collected or transferred, and thepurpose for any transfers.”

The Forensic Hash Validation is an integralpart of the scientific digital forensics stepprocess.

The verification function mentioned in ISO27037 is best performed by comparing twodigital evidence artifacts using a forensic hashvalidation.

2.13 Role of Metadata Date &Time

An important method of determining ifdigital evidence is spoliated is to analyzemetadata creation and modification timesand authorship of digital evidence artifacts.Documents such as Microsoft Word, ExcelSpreadsheets or Adobe PDF’s can also be an-alyzed for content creation and modificationmetadata, including authorship to furtherenhance the accuracy of digital evidence spo-liation analysis.

Metadata creation and modification dates/-times should be identical if copies of digitalevidence have not been tainted. Absence ofthis information is an important positive in-dicator of spoliation, absent the presence ofverification function hash values.

NIST publication “Guide To IntegratingForensic Techniques Into Incident Response”describes external file metadata as follows- File Modification, Access and CreationTimes.

It is often important to know when a filewas created, used, or manipulated, and mostOSs keep track of certain timestamps relatedto files. The most commonly used times-tamps are the modification, access, and cre-ation (MAC) times, as follows:

• Modification Time. This is the last timea file was changed in any way, includingwhen a file is written to and when it ischanged by another program.

• Access Time. This is the last timeany access was performed on a file (e.g.,viewed, opened, printed).

• Creation Time. This is generally thetime and date the file was created; how-



ever, when a file is copied to a system,the creation time will become the timethe file was copied to the new system.The modification time will remain intact.

A method of validating cellular carrierrecords accuracy for forensic cell site analysisis defined in United States Patent US9113307.The process includes a multi-part test to vali-date CDR/CSLI records and an analysis errormitigation methodology.

At least one MNO/MVNO has concludedthat this evidence is digital evidence andshould be treated as such. In 2013, AT&TMobility acquired Cricket Wireless, a prepaidmobile network provider (Mobile Virtual Net-work Operator or MVNO). Cricket Wirelessuses the AT&T infrastructure to process com-munications for its subscribers and the

AT&T Mobility charging/billing systemprovides usage records to Cricket Wireless.Cricket produces CDR/CSLI evidence for itssubscribers in response to legal requests andoffers the following disclaimer when digitalcopies of CDR/CSLI evidence is producedand emailed to a requesting party:

“At the request of the law enforce-ment agency receiving the followingSubpoena Compliance information,Cricket Communications (”Cricket”)provides the following informationelectronically in a searchable, manip-ulable form. Although Cricket veri-fies the authenticity of the informa-tion attached to this e-mail as sent,Cricket cannot and will not testify tothe authenticity of this informationafter it is received by the recipientlaw enforcement agency. This is be-cause the attached information elec-tronically sent by Cricket is manipu-lable.” (Pennsylvania Superior Court, 2016)

3. RESEARCH

METHODOLOGY

The analysis was performed in four phases asfollows:

Different types of filesystem may store differ-ent types of times. For example, Windows systems retain the last modified time, the last access time, and the creation time of files. . . ” (NIST, 2006)

2.14 Error RatesMNO/MVNO have documented error rates in subscriber activity records that, to date, have not been publicly disclosed. Research performed during validation and error mit-igation testing on over 300,000 pages of MNO/MVNO produced evidence realized er-ror rates that approach 2% in some cases (Minor, 2017).

The previously mentioned 3GPP/ETSI TS 32.297 standard, Section 6.1.1.11 Lost CDR indicator, mentions error rates; however, in hundreds of cases analyzed, and many cases in which a MNO/MVNO employee testified, none has ever disclosed any error rate infor-mation. The standard states in part ”This parameter indicates if and how many CDRs were lost during their processing in the CGF (see clause 5.1.1). The term ”lost” implies that the CDR(s) could not be placed into the destination file due to irrecoverable errors.”

Studies performed on the Movistar - Tele-fonica Chile Mobile Network Operations re-sulted in creation of a methodology to analyse time accuracy in post-mediation (postpaid billing) CDRs (Peredo, 2017). In this study, recorded CDR events were compared with actual logging events using a network event measurement tool. Although the analysis results were inconclusive, the methodology exhibits promise that more accurate error models for the CDR record keeping function are arriving and that error rates are quantifi-able.



3.1 Phase I

A four-part test was applied to first de-termine if MNO/MVNO subscriber activityrecords should be subjected to digital ev-idence handling and analysis standards asfollows:

• Is MNO/MVNO subscriber communica-tions activity record keeping a computerdriven digital process?

• Are subscriber communications activityrecords, extracted for litigation purposes,digital evidence?

• Is this type of evidence subject to digitalevidence handling standards?

• Do the same rules for spoliation deter-mination apply to this type of evidence?

3.2 Phase II

The control group of MNO/MVNO digi-tal evidence was reviewed for the presence ofany chain of custody documents. Note thatany certification letters provided by recordscustodians do not list evidence items by doc-ument name, number or other confirmableidentifier.

3.3 Phase III

The MNO/MVNO CDR evidence was thensubjected to a five-part metadata analysisusing the following protocol:

• Internally within each digital evidenceitem, any document “creation date”metadata including date and author.This portion of the analysis was doc-umented under the Internal DocumentMetadata categorization.

• Internally within each digital evidenceitem, any document “modification date”metadata including date and author.

This portion of the analysis was doc-umented under the Internal DocumentMetadata categorization.

• Internally within each digital evidenceitem, any document “last printed date”metadata including date and author.This portion of the analysis was doc-umented under the Internal DocumentMetadata categorization.

• Externally, any valid original creationdate metadata for each digital evidenceitem. This portion of the analysis wasdocumented under the External FileMetadata categorization. (NIST, 2006)

• Externally, any valid original modifica-tion date metadata for each digital evi-dence item. This portion of the analysiswas documented under the External FileMetadata categorization.

3.4 Phase IV

Finally, a verification function analysis wasperformed to determine that the copy of theevidence is identical to the evidence producedby the MNO/MVNO custodian of records inthe following manner:

• Each evidence item was scrutinized fora verification function cryptographicchecksum hash value. A cryptographicchecksum hash value should have beencalculated on the original and any copyof the evidence item.

• If a verification function cryptographichash value was found, then a crypto-graphic hash value was calculated forthe produced evidence item for the pur-pose of comparison and final verificationthat the original evidence item and theevidence item produced are identical.



Microsoft Excel, a spreadsheet databasesoftware product, was utilized to documentthe chain of custody analysis, metadata anal-ysis, verification function analysis outlinedabove and document the presence or absenceof spoliation. All information in the matrixis independently verifiable.

4. OUTCOMES

4.1 Phase I - BusinessRecords – The Question of

Digital Evidence

Are Mobile Network Records Produced asEvidence Actually Digital Evidence?

Analysis of MNO/MVNO CDR evidencewas undertaken from the research controlgroup of cases to determine if each evidenceartifact should be classified as digital evi-dence by applying the devised four-part test.All evidence items tested positive as digitalevidence.

The following outcomes were observed forPhase I:

1. Is MNO/MVNO subscriber communica-tions activity record keeping a computerdriven digital process? Yes, standardsfor digital record keeping methods andformats clearly affirm this question.

2. Are MNO/MVNO subscriber communi-cations activity records, extracted forlitigation purposes, classified as digitalevidence? Yes, the records are createddigitally by computing-based methodsand the extracted reports produced aredigital evidence and, thus, are purelydigital from inception to production.

3. Is this type of evidence subject to digitalevidence handling standards? Yes, alldigital evidence is subject to the sameevidence handling standards.

4. Do the same rules for evidence spolia-tion determination apply to this typeof evidence? Yes, no exceptions to thestandards are addressed.

4.2 Phase II - Chain ofCustody Issue

No chain of custody documentation accom-panied any of the evidence. Chain of custodydocumentation should have been created andforwarded with the CDR evidence from theMNO/MVNO legal department/custodian ofrecords and all others conveying the evidence.

The Custodian of Records certification let-ters were present in many cases. When suchdocuments were present, the certificationsdid not describe or specify which files, doc-uments or other digital evidence were beingprovided, by file name, traceable number orany other recognizable, traceable or account-able method.

The following outcomes were observed forPhase II:

None of the digital evidence items wereaccompanied by chain of custody documen-tation.

4.3 Phase III - EvidenceCondition Observations

and Findings

A spoliation analysis of the MNO/MVNOCDR evidence produced the following results:

1. Observation: MNO/MVNO CDR evi-dence within the control group was pro-duced in a variety of digital formatsincluding Microsoft Excel spreadsheetfile, comma-separated values (CSV) file(IETF, 2005) (typically opened automat-ically by Excel), plain text file, Rich TextFile (RTF) file, Adobe Portable Docu-ment Format (PDF) file, Joint Photo-graphic Experts Group (JPEG) file, andMicrosoft Word Document file.



Figure 2. Outcomes Summary

2. Observation: MNOs/MVNOs began tooffer degraded evidence production aspressure to respond to escalating de-mand during recent years. Observedmanifestations were typically either re-moval of all creation/modification meta-data, creation of documents using meth-ods that produce no creation/modifica-tion metadata, multiple employee (au-thor) creation/modification metadata,or removal of employee (author) meta-data combined with differing creationand modification metadata. Examples ofappropriate creation/modification meta-data were rarely found within the controlgroup.

Figure 3. MNO evidence item example in-dicating appropriate evidence creation andhandling

Examples of tainted evidence is indicatedin significant percentages of MNO/MVNO ev-

Figure 4. MNO evidence item example inter-nal metadata with proper artifact integrity

idence when multiple authors are discoveredduring analysis of metadata.

1. Observation: MNO/MVNO CDR pro-duction formats vary widely in contentand arrangement of data. Contrary toguidance provided in SWGDE Cell SiteAnalysis that states that “Even if CDRsare provided, which include specific lat-itude and longitude references to theantennas used by a target device, it isnecessary to have the neighboring cellsite locations and information to con-duct CSA more thoroughly”, production



Figure 5. MNO evidence item example pre-senting multiple authors with no metadatadate changes. The Last Modified by author isconsistent with changes by a different author

from some MNOs/MVNOs do not pro-vide neighboring cell site locations.

2. The National Domestic Communi-cations Assistance Center (NDCAC,2018) is provided extensive support byMNOs/MVNOs, specifically supplyinglists of cell sites with technical config-urations for each site to NDCAC. Arequest to NDCAC for access to thecell site database receives an access de-nial from NDCAC personnel with themessage “Users who access our systemsmust acknowledge and attest they arean employee of a law enforcement or

Figure 6. MNO evidence item example pre-senting multiple authors and disparate cre-ation and modification dates metadata evi-dence taint

criminal justice agency, in good stand-ing and are accessing this U.S. Govern-ment system for official use only”. UntilMNOs/MVNOs provide the informationproduced in a data repository that is ac-cessible to all stakeholders / practition-ers, or, an acceptance of MNO/MVNOevidence as digital evidence transpires,performing any verification of authentic-ity or validation of the condition of thiscategory of evidence will continue to bea challenge.

The following outcomes were observed forPhase III:



Figure 7. Results of the Phase III Analysis

1. Analysis of the internal file metadatapresent within the evidence revealed thatonly 0.41% of the internal metadata cre-ation dates had been altered.

2. Various authorship was indicated ininternal file creation and modificationmetadata in 10.9% of the control groupanalysis.

3. The last modified date, according tointernal file metadata, was not consis-tent with pristine evidence condition in23.17% of the evidence.

4. 20.14% of the evidence was found tohave been scrubbed of internal file meta-data creation / modification information,thus rendering the evidence subject toundetectable, inappropriate alteration.The most commonly observed evidencewith such missing metadata was CommaSeparated Values or CSV data, a methodof saving spreadsheet files, commonlyused to eradicate any indications of au-thorship or metadata creation/modifica-tion information. CSV format evidence

from the control group is from more re-cent cases.

5. External file metadata for last modifieddate was found to be tainted in 37.79%of the evidence.

6. Overall, excluding the tests for chain ofcustody and verification function hashvalue presence, 74.07% of evidence re-viewed from the control group werefound to be tainted.

7. Evidence taint was introduced ei-ther carelessly or nefariously byMNO/MVNO employees, law enforce-ment investigators, attorney staffor others involved in handling andconveyance of evidence.

8. 100% of the evidence was found to haveno chain of custody documentation.

9. 100% of the evidence was found to haveno calculated verification function cryp-tographic checksum hash values.

4.4 Phase IV – VerificationFunction Calculated Hash

Value Analysis

The following outcomes were observed forPhase IV:

None of the digital evidence items were ac-companied by a cryptographically calculatedverification function checksum hash value.



Figure 8. Evidence Spoliation/Taint was Discovered Throughout the Stakeholder Spectrum

5. EVIDENCE

INTEGRITY

MAINTENANCE

SOLUTIONS

MNOs/MVNOs do not currently utilize amechanism to properly preserve the integrityof evidence produced in criminal or civil caserequests. Research into multiple existing oremerging chain of custody/verification func-tion technologies resulted in potential solu-tions to the evidence integrity maintenancechallenge.

5.1 Background andIncentives

Key incentives for MNO/MVNO adoption ofa solution are likely to be the following:

• Ease of integrating a solution into exist-ing charging/billing architectures.

• Judicious Capitalization (CAPEX) andOperating (OPEX) Expenses.

• Timeliness and performance speed of ev-idence integrity preservation processing.

• Ability for the solution to be assimilatedby each successive generation of the mo-bile network.

MNO/MVNO evidence production isclearly a process lacking uniformity betweenoperators, varying widely in internal evidenceextraction techniques. Format and contentof evidence production also varies widely.

Standards are non-existent for uniformMNO/MVNO evidence extraction, format,integrity assurance or delivery methods. Thewidespread use of this type of evidence incriminal and civil cases necessitates an ur-gent need for evidence production and man-agement protocols that incorporate chain ofcustody, verification function hash value gen-eration and maintenance of evidence integrityassurance, none of which are currently uti-lized by MNO/MVNO nor other digital plat-forms such as social network, search engine,or other digital service providers during evi-dence production.

This research project undertook develop-ment of a simplified solution to MNO/MVNOevidence production protocols that would pro-vide a relatively low cost, state of the artevidence integrity assurance mechanism thatmeets basic digital evidence handling stan-dards. MNO/MVNO operations are complex,ultra-busy environs with an exponential risein communications volume and evidence pro-duction expected in the coming years, con-sequently any solution would necessarily beefficient and effective.

Numerous proven and patented methods for evidence integrity maintenance currently ex-ist and this paper explores one such solution.



5.2 Distributed LedgerTechnology/Block-chain

Research

Block-chain/Distributed Ledger Technology(DLT)(Gramoli, 2018) offers a promising solu-tion to digital document authentication andverification. Block-chain paradigms such asBitcoin and other open source technologies,e.g. Openchain (Openchain, 2019), providefor a distributed ledger-based chain of cus-tody and verification function checksum hashvalue generation for each evidence artifact, en-abling an analyst to verify evidence integrity.

Numerous service providers currently offerdocument authentication and verification ser-vices that utilize Block-chain/DLT protocols.

Incorporating a built-in Block-chain/DLTclient during the evidence production processwould eliminate the evidence spoliation/taintissues discovered during this research projectand would introduce readily validated evi-dence that is synonymous with digital evi-dence in all other digital forensics disciplines.Block-chain/DLT provides key elements of afunctional architecture that ensure validityand integrity of digital evidence.

Fundamental DLT Architecture

The architecture of Distributed Ledger Tech-nology is articulated in several elements.(Gramoli, 2018)

The Consensus Element (p.19) is a funda-mental function of a Block-chain providing a“distributed voting process”. Protocols thatare both scalable and secure will be requiredto accommodate the rapidly growing worldof MNO/MVNO evidence production.

The Security Element (p.20) is critical toauthentication and integrity, providing mali-cious user protections.

The Validation Element (p.20) is the asym-metric cryptographic system used to createnecessary public and private key pairs, us-ing technologies currently available including

Elliptic Curve Cryptography (ECC) (IETF,2011) algorithms. Despite securityconcerns regarding early ECC algorithmsadopted by NIST (NIST, 2000) almost 20years ago, more current ECC including Curve25519 (IETF, 2016) offer security levels withexponentiated Elliptical Curve Digital Signa-ture Algorithm (ECDSA) protections.

The Ownership Element (Gramoli, p. 20)enables transfer of evidence copy while ensur-ing authenticity and integrity. DLT transac-tion language offers the opportunity for suchtransfer of digital assets between accountswhile maintaining evidence integrity.

All entities requesting evidence productionfrom an MNO/MVNO would be dealt withuniformly as follows:

1. As evidence extraction from theMNO/MVNO occurs a Block-chain/DLT process is incorporatedduring evidence production to createa chain of custody and a public key isutilized to encrypt each evidence item.

2. Using Block-chaining transaction tech-niques during the encryption process, aledger-based chain of custody and verifi-cation function hash value calculation isautomatically created.

3. Each evidence artifact is transmitted toan evidence portal to be accessed bythe evidence requesting entity. Evidenceitems are decrypted by authorized par-ties, producing a chain of custody result-ing in self-auditing evidence artifacts.

4. An evidence integrity checking mecha-nism is integrated into the same portal,resulting in the ability for anyone whohas access to the evidence to determinethe condition of the evidence.

To validate the effectiveness of theuse of Block-chain/DLT protocols with



Figure 9. Comparison of Bitcoin Financial Transaction and MNO/MVNO Evidence Transac-tion Paradigms

Figure 10. Data Flow for the MNO/MVNO Compliance Center Evidence Production withBuilt-in Distributed Ledger

MNO/MVNO evidence, an experiment wasconducted using MNO/MVNO produced evi-dence to authenticate and provide conditionverification services for each evidence item.

The experiment consisted of several stepsas follows:

1. Creation of a user ID on the website of aprovider offering DLT digital documentauthentication and verification services.

2. Two MNO/MVNO evidence items werethen processed into the portal. The time

to perform an intake varied from 15-45seconds (processing time is primarily re-lated to digital file size and Internet ac-cess bandwidth). Processing timelinessmay be a critical function for MNOs asthe volume of evidence requests soars.

3. The evidence artifacts were then digi-tally signed, creating the digital ledger-based chain of custody documentationrequired.



Figure 11. Example test Block-chain processing of MNO/MVNO evidence

4. The intake, verification function hashvalue calculation and signature processrequired a total of 1-2 minutes to per-form for each evidence artifact. Thefinal step in this process, notarization,required a short pause for verification ofsteps 1-3.

5. At this stage in the process the evid-nce receipt is available, and the evidenceitem is available to download by the re-questing party.

Block-chain/DLT research (Bonomi 2018)(Lone 2019) has produced similar methods forevidence processing, demonstrating that atleast conceptually, this is a potential solutionthat MNOs/MVNOs, and tech giants suchas Facebook, Google and other technologyplatforms could readily integrate to introducean evidence integrity maintenance process tolegal records production as evidence.

Alternative solutions to the evidenceintegrity maintenance conundrum for


Forensic Cell Site Analysis...

integrity, and with affirmative evidence spoli-ation/taint indicators, such evidence shouldbe precluded by a court.

The use of a variety of existing methodsfor maintaining the integrity of digital evi-dence offers an opportunity to bring muchneeded integrity to MNO/MVNO evidenceproduction.

Use of Block-chain based DLT technol-ogy, researched and tested as an evidenceintegrity maintenance solution, would per-mit MNO/MVNO organizations to createchain of custody and verification functioncryptographic hash value calculations duringevidence production. The process could beperformed with minimal human interaction,requiring no trusted third party while ensur-ing that evidence integrity endures duringevidence conveyance among parties.

Further performance and conformitytesting will ultimately evolve an ade-quately robust mechanism for preserving ev-idence integrity in MNO/MVNO environs.MNOs/MVNOs work together continuouslyto create global standards for the operationand inter-operation of mobile networks world-wide. No published standards work has oc-curred to jointly create a uniform evidenceproduction format or evidence handling, in-tegrity maintenance and conveyance proto-cols.

5G and future Generations of mobile net-works are expected to continue to produceincreasing volumes of evidence as continu-ous connectivity between subscribers reachesubiquity and use of this evidence in criminaland civil cases becomes ever more prolific.

MNOs/MVNOs cooperate with govern-ment and law enforcement entities necessarilyas a requirement of CALEA and other acts.The Federal Communications Commission(FCC) regulates radio frequency spectrum inthe United States yet has no oversight regard-ing evidence produced by MNOs/MVNOs.Determination whether evidence produced

JDFSL V14N2

MNOs/MVNOs include the use of a digital certificate, by ”[i]nserting the certifica-tion into the file”, research of which has demonstrated, “is the only apparent reliable method and is the approach used by leading companies such as Microsoft and Adobe for digital signing of Office and PDF documents” (Curran 2017) offer potential resolution of this issue, however may be cumbersome to integrate.

6. CONCLUSIONSThe MNO/MVNO evidence analyzed dur-ing this research project was determined to be digital evidence. Subsequently, the evi-dence was subjected to a multi-part spolia-tion/taint test and examined to validate if each digital evidence artifact was identical to the evidence originally produced by the MNO/MVNO records custodian.

Over 74% of the evidence was determined to be spoliated/tainted based upon an anal-ysis of the metadata creation/modification dates and/or authorship for each evidence artifact.

National and international standards for the preservation, integrity maintenance and handling of digital evidence were not followed in 100% of the evidence.

Neither chain of custody documentation nor verification function cryptographic hash values were found to be present within any of the evidence, further eliminating any oppor-tunity to validate that the evidence analyzed was an exact copy of the original evidence produced by the MNO/MVNO.

If any evidence from the control group was offered as digital evidence in a court proceed-ing it should be precluded from admission as valid evidence based on the findings from this research. If challenged under FRE 806 (6)(E), absent adequate chain of custody documen-tation, verification function cryptographic checksum hash calculations ensuring evidence



by MNOs/MVNOs is permissible in a court-room as business records under FRE 803 (6)or is required to be treated as digital evi-dence falls under the scope of the UnitedStates Federal Judiciary. A persuasive ar-gument using FRE 803 (6)(E) could resultin a judicial decision that the current prac-tice of introducing this evidence in a court asbusiness records is an obsolete paradigm forMNO/MVNO evidence acceptance by courts,resulting in a shift in judicial precedent forthis issue. The increased use of this type ofevidence in criminal and civil cases could alsoresult in U.S. Congress deciding to regulatethese decisions through legislation to ensurethat constitutional rights are upheld.

Only when MNOs/MVNOs follow well es-tablished digital evidence preservation, in-tegrity maintenance and handling protocolswill pristine evidence be found throughoutthe life cycle of a civil or criminal case.

REFERENCES

[1] American Society for Testing andMaterials (ASTM)(2018), Standard Ter-minology for Digital and MultimediaEvidence. Retrieved on December 15,2018 from https://compass.astm.org/EDIT/html annot.cgi?E2916+13#s00007

[2] American Society for Testing andMaterials (ASTM)(2018). ASTM E3016-18 Standard Guide for EstablishingConfidence in Digital and Multimedia Evi-dence Forensic Results by Error MitigationAnalysis. Retrieved on January 4, 2019, fromhttps://www.astm.org/Standards/E3016.htm

[3] Bonomi, Silvia & Casini, Marco &Ciccotelli, Claudio. (2018). B-CoC: ABlock-chain-based Chain of Custody forEvidences Management in Digital Foren-sics. Retrieved on June 6, 2019, fromhttps://www.researchgate.net/publication

/326681814 B-CoC A Block-chain-based Chain of Custody for EvidencesManagement in Digital Forensics

[4] Cisco (2011). The Case for IP Backhaul -The Internet Protocol Journal, Volume 14,No. 3. Retrieved on January 4, 2019, fromhttps://www.cisco.com/c/en/us/about/press/internet-protocol-journal/back-issues/table-contents-53/143-backhaul.html

[5] Curran,Kevin, Harran, Martin, & Farrelly,William. (2017). A method for verifyingintegrity & authenticating digital media.Letterkenny Institute of Technology, Done-gal, Ireland, Ulster University, Derry, UnitedKingdom. Retrieved on June 6, 2019, fromhttps://doi.org/10.1016/j.aci.2017.05.006

[6] European Telecommunications StandardsInstitute (ETSI). (2005). Universal MobileTelecommunications System (UMTS);Telecommunication management; Chargingmanagement; Charging architecture andprinciples (3GPP TS 32.240 version 6.2.0Release 6)

[7] Retrieved on January 4, 2019,from http://www.etsi.org/deliver/etsits/132200 132299/132240/06.02.00 60

/ts 132240v060200p.pdf

[8] European Telecommunications StandardsInstitute (ETSI). (2014) Digital cellulartelecommunications system (Phase 2+);Universal Mobile TelecommunicationsSystem (UMTS); LTE; Telecommunicationmanagement; Charging management; Di-ameter charging applications. Retrieved onJanuary 4, 2019, from https://www.etsi.org/deliver/etsi-ts/132200-132299/132299/09.17.00-60/ts-132299v091700p.pdf

[9] European Telecommunications StandardsInstitute (ETSI). (2016). Digital cellular



telecommunications system (Phase 2+)(GSM); Universal Mobile Telecommunica-tions System (UMTS); LTE; Telecommuni-cations management; Charging management;Charging Data Record (CDR) file formatand transfer (#GPP TS version 13.2.0Release 13). Retrieved on January 4, 2019,from http://www.etsi.org/deliver/etsits/132200 132299/132297/13.02.0060/ts 132297v130200p.pdf

[10] European Telecommunications Stan-dards Institute (ETSI). (2017). ETSI Digitalcellular telecommunications system (Phase2+); Universal Mobile TelecommunicationsSystem (UMTS); LTE; Telecommunica-tion management; Charging management;Charging Data Record (CDR) parameter de-scription. Retrieved on January 4, 2019, fromhttp://www.etsi.org/deliver/etsi ts/132200132299/132298/12.06.00 60/ts132298v120600p.pdf

[11] Gramoli, Vincent & Staples, Mark.(2018). Block-chain Standard: Can WeReach Consensus?. IEEE CommunicationsStandards Magazine. 2. 16-21. 10.1109/M-COMSTD.2018.1800022.

[12] International Organization for Stan-dardization (ISO)(2012). Informationtechnology — Security techniques —Guidelines for identification, collection,acquisition and preservation of digital evi-dence. Retrieved on January 4, 2019, fromhttps://www.iso.org/obp/ui/#iso:std:iso-iec:27037:ed-1:v1:en

[13] Internet Engineering Task Force(IETF)(2002). Guidelines for Evi-dence Collection and Archiving. Re-trieved on January 4, 2019, fromhttp://www.ietf.org/rfc/rfc3227.txt

[14] Internet Engineering Task Force(IETF)(2005). Common Format and MIMEType for Comma-Separated Values (CSV)Files. Retrieved on January 4, 2019, fromhttps://tools.ietf.org/html/rfc4180

[15] Internet Engineering Task Force(IETF)(2011). Fundamental Ellip-tic Curve Cryptography Algorithms.Retrieved on January 4, 2019, fromhttps://tools.ietf.org/html/rfc6090

[16] Internet Engineering Task Force(IETF)(2016). Elliptic Curves for Secu-rity. Retrieved on January 4, 2019, fromhttps://tools.ietf.org/html/rfc7748

[17] Lone, Auqib Hamid & Mir, RoohieNaaz,. (2019). Forensic-chain: Block-chainbased digital forensics chain of custody withPoC in Hyperledger Composer. Departmentof Computer Science and Engineering, NITSrinagar, Jammu and Kashmir, 190006,India. Retrieved on June 6, 2019, fromhttps://www.sciencedirect.com /science/arti-cle/pii/S174228761830344X

[18] Minor, J. B. (2015). A method ofvalidating cellular carrier records accuracy,U.S. Patent No. 9,113,307. Washing-ton, DC: U.S. Patent and TrademarkOffice. Retrieved on January 4, 2019, fromhttps://www.google.com/patents/US9113307

[19] Minor, John B. (2017) ”ForensicCell Site Analysis: A Validation &Error Mitigation Methodology,” Jour-nal of Digital Forensics, Security andLaw : Vol. 12: No. 2, Article 7. DOI:https://doi.org/10.15394/jdfsl.2017.1474Retrieved on January 4, 2019, fromhttps://commons.erau.edu/jdfsl/vol12/iss2/7

[20] National Institute of Standardsand Technology (NIST)(2000). DIGI-



TAL SIGNATURE STANDARD (DSS).Retrieved on December 14, 2019,from https://csrc.nist.gov/csrc/media/publications /fips/186/2/archive/2000-01-27/documents/fips186-2.pdf

[21] National Institute of Standardsand Technology (NIST)(2007). Guide-lines on Cell Phone Forensics. Re-trieved on December 14, 2019, fromhttp://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-101r1.pdf

[22] National Institute of Standards and Tech-nology (NIST)(2006). Guide to IntegratingForensic Techniques into Incident Response.Retrieved on December 14, 2019, fromhttp://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-86.pdf

[23] Openchain. (2019) Openchain is anopen source distributed ledger technol-ogy. Retrieved on January 4, 2019, fromhttps://www.openchain.org/

[24] Pennsylvania Superior Court.(PSC)(2016). Commonwealth of Pennsylva-nia vs. Bryant Jones, No. 865 WDA 2015(page 17). Retrieved on January 4, 2019, fromhttp://www.pacourts.us/assets/opinions/Superior/out/J-S37012-16m.pdf

[25] Peredo, Oscar & Deschamps, Ro-main. (2017). Time Accuracy Analysis ofPost-Mediation Packet-Switched ChargingData Records for Urban Mobility Applica-tions. Retrieved on January 4, 2019, fromhttps://www.researchgate.net/publication/316921278 Time Accuracy Analysis of Post-Mediation Packet-Switched Charging Data Records forUrban Mobility Applications

[26] Scientific Working Group on DigitalEvidence (SWGDE)(2017). SWGDE

Recommendations for Cell Site Analy-sis. Retrieved on January 4, 2019, fromhttps://www.swgde.org/documents/CurrentDocuments/SWGDE Recommendations forCell site Analysis.

[27] The National Domestic Communica-tions Assistance Center. (NDCAC)(2018).Retrieved on January 4, 2019, fromhttps://ndcac.fbi.gov/

[28] United States Courts FederalRules of Evidence (FRE).(2019). Ex-ception to the Rule Against Hearsay.Retrieved on January 4, 2019, fromhttps://www.rulesofevidence.org/article-viii/rule-803/


Forensic Cell Site Analysis: Mobile Network Operator Evidence Integrity Maintenance ResearchRecommended Citation

Forensic Cell Site Analysis: Mobile Network Operator Evidence Integrity Maintenance Research