Cellular Records Review and AnalysisPart 4: T-Mobile

PATCtech

Glenn K Bard, Chief Technology Officer

Jim Alsup, Director – PATCtech

Scott Lucas, Instructor and Examiner

Brian Sprinkle, Case Manager and Software consultant

Steve Dempsey, Instructor

Kathy Enriquez, Instructor

Stefani Lucas, Marketing Director

Stacey Papa, Of Counsel

Mark Tomallo, Network Architect

Glenn K. BardPublic Agency Training Council tech

Chief Technical OfficerPA State Trooper – Retired

NCMEC – Project ALERT

CISSP, EnCE, CFCE, CHFI, A+, Network+,

Security+, ACE, AME

For Starters

• What can we get from T-Mobile?

Cell phone technology

• What can T-Mobile provide with appropriate legal process?

•Call detail logs•Cell Sites accessed•Cell site sector Azimuth•Direction of call (incoming or outgoing)•Answered status•Service Code•Calling number•Dialed number•Call Time and duration•Location of cell tower

Cell phone technology

•Subscriber information (Name, address, etc)

•SMS Dates and Times

•IMEI, IMSI of target phone.

•Phone Model

•Tower dump

•Definitions page (Key Codes)

•Reports of Lost / stolen phone

•If prepaid, where purchased?

•Other phones on the same account

•Cell sites at the time of the incident (Not current)

•PCMD (Per Call Measurement Data)

Some important definitions

• IMEI – International Mobile Equipment Identifier

• IMSI – International Mobile Subscriber Identifier

• MSISDN - Mobile Station International Subscriber Directory Number (It means your phone number)

Some important definitions

• LAC / CID – This is the switch (LAC – Location Area Code) and tower along with side (CID –Cell ID) accessed

• LTE Site ID – If the call was handled via LTE

• Azimuth – The median of the sector accessed

• MCC – Mobile Country Code

• MNC – Mobile Network Code

Some important tips

• Dates and times are in UTC – Universal Time Coordinated.

• The records will come in Excel spreadsheets. But they can look a little different.

• SMS information is supplied in the CDR’s. MMS information is NOT supplied.

• SMS generally shows a duration of 60 seconds.

• Pay special attention to 18056377249 in the Dialed Number column– That is voicemail.

Some important tips

• T-Mobile has recently changed their records. For a long time they could not supply SMS locations, and in many instances were not able to supply sector information for calls. In the last few months the records have changed drastically.

• Due to this make sure and pay special attention to their definitions page.

• Dates and Times are in UTC

Some important tips

• ALWAYS make sure you get Mediation records, especially if you got the records the night of the incident. Get a second set a week or two later. T-Mobile continues to receive information from switches days later, and not until the records are mediated are they complete.

Some new changes

• If the call is over LTE, the EnodeBid column will be populated. The LAC / CID columns will be empty.

• If the call did not go over LTE, the EnodeBidcolumn will be empty. The LAC / CID columns will be populated.

Contact information

Contact Name: Gavin Pinchback, Director, Law Enforcement Relations GroupOnline Service: T-MobileOnline Service Address: 4 Sylvan Way

Parsippany, New Jersey 07054USA

Phone Number: 866-537-0911E-mail Address: LERINBOUND@T-Mobile.comNote(s): Metro PCS and T-Mobile are now one company. All

subpoenas and preservation requests are routed to one location.Submit subpoena to: LERINBOUND@T-Mobile.com.

Requesting information about a subpoena or attempting to get an update on a subpoena email: LER2@t-mobile.com.

Routine toll and subscriber requests can be requested from T-Mobile by e-mail using their LER2@t-mobile.com address. They require a scanned or digital copy of a company letterhead fax cover sheet with the requested numbers, the type of response you are looking for (toll/subs) and the scanned court order / subpoena.

T-Mobile

Warrant language

For the T-Mobile records:Address as T – Mobile, AKA T-Mobile America

• Subscriber information for the number _____________ including name, date of birth, mailing address, alternate phone number, and other numbers on the same account.

• All communication for the wireless number _______________ for the time period of _______________ to include cellular calls and SMS messages along with tower locations (LAC / CID or LTE Site ID) to include Switch / MSC / BSC / Cell Name and azimuth, as well as Azimuths for the sectors accessed during the communication. Also, identify the existence of any T Mobile cloud services associated with the wireless number of ____________________________ and provide any data held within the cloud to include SMS, MMS, and emails communications. Additionally, supply PCMD (Per Call Measurement Data) aka “historical GPS Locations”, “Historical Handset Location data”, and “Handset triangulation data”. Also provide any IP (Internet Protocol Addresses) assigned to the device for the time period of _____________________. Lastly, provide a detailed definitions page which identifies all information in the records.

• Please provide this information to Detective ________________ in digital format on a compact disc in Excel, PDF or TXT format.

• Email: LERINBOUND@T-Mobile.com• Fax to: 973-292-8697

Retention periods

Subscriber information: 5 years

Call History: 2 years

Tower Locations: 1 year

SMS Content: NA

Tower Dumps: 90 days

PCMD: 14 days

Two Notes

• TracFone sells phones that use the T-Mobile network, so the records must come from T-Mobile.

• MetroPCS is now part of T-Mobile US.

• Now let’s see some examples of what you can get: