Referenced in our Newsletter Volume 4, Issue 3 - July 2005
Telephone Toll Analysis Link Chart
This issue's link chart shows a process for analyzing telephone toll records, subscriber data, and other phone-related interdependencies. Generally, telecommunication (telco) companies provide some of the most consistent data because it is generated electronically - meaning that any subsequent analyses will prove accurate and reliable.
Basic toll records typically track the calls between a subscriber (i.e., the target) and other phone numbers, most often with a reliable date, time, and duration. Depending on the type of call, additional data can be gathered, including switch data, cell tower IDs, device identification (serial) numbers, as well as International Mobile Subscriber Identity (IMSI) and International Mobile Equipment Identity (IMEI) codes.
When analyzing any data, including toll records, certain types of inconsistencies may appear in the data, such as incomplete connections, third-party dialing, and specific types of exchange representations (international country codes, cellular numbers, etc.).
Generally, basic telephone toll analysis concepts can also be applied to instant messaging, e-mail logs, and other electronic types of correspondence. More recently, Voice over Internet Protocol (VoIP) has been popular but poses a challenge for collecting content. The use of security such as Advanced Encryption Standard (AES), with strong, 256-bit end-to-end encoding in programs such as Skype, is proving to make this more difficult in the future.

For this example, a law enforcement agency (LEA) has a particular interest in the communication patterns and behavior of a certain individual involved in known criminal activities. Following is a simple representation of the target.
The LEA has performed surveillance and acquired the call-detail records (CDRs) for this target. In the following diagram, the target is shown connected to three (3) numbers which are located in the Washington, DC metropolitan area.

These linkages represent subscription or usage data for the target. The thickness of each link relates directly to the number of calls made. It clearly shows that the target uses a particular number more often than the other phones. In fact, this phone number represents the target's personal cell phone.
From here, the investigators expand the call network one level based on the CDRs using the VisuaLinks Walk Data feature. The data sources used in this investigation include all of the CDRs as well as a reference to public payphones. If a phone number is found in the public payphone reference data set, the corresponding VisuaLinks object will display an appropriate icon. In this case, a payphone located in New York City is shown with the special icon.
The size of the linkages to the payphone represents the largest number of calls for our target.
The investigator wants to learn more about the calling behavior between these two phone numbers. In the next diagram, a transactional model is used to expand the data to show the individual phone calls (i.e., transactions).
Each call is listed with the date and duration, and the color depicts the direction of the call (arrowheads were turned off to minimize the display clutter). Green linkages show inbound calls and blue linkages show outbound calls. The diagram indicates that the payphone receives mostly inbound calls from our target number.
Next, the investigator uses the VisuaLinks object clustering placement features to see if any of the calls were made on the same day.
The circle-of-circles placement shows that there were several days where at least 2 calls were made between the phones and one particular day where 4 calls were made (shown at the 5:00 position in the circle).
These types of situations show the target number calling the payphone and then at a later time, the payphone calling back the target - obviously some type of coordinated effort is occurring to explain this type of activity.
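The same-day grouping and call-back check described above can be reproduced outside a charting tool. The following is an added example, not VisuaLinks functionality or code from the newsletter; the phone numbers, the CDR tuple layout and the function names are constructed for illustration, and direction is taken from the target's side.

```python
from collections import defaultdict
from datetime import datetime

TARGET = "202-555-0101"    # constructed number
PAYPHONE = "212-555-0199"  # constructed number

# Constructed CDRs: (caller, callee, start time, duration in seconds)
CDRS = [
    (TARGET, PAYPHONE, "2004-06-09 10:02", 45),
    (PAYPHONE, TARGET, "2004-06-09 14:30", 120),
    (TARGET, PAYPHONE, "2004-06-16 09:15", 30),
    (TARGET, PAYPHONE, "2004-06-23 11:00", 20),
    (PAYPHONE, TARGET, "2004-06-23 11:40", 300),
    (TARGET, PAYPHONE, "2004-06-23 16:05", 15),
    (PAYPHONE, TARGET, "2004-06-23 18:20", 240),
    (TARGET, "703-555-0142", "2004-06-23 12:00", 60),  # different pair, skipped
]

def calls_by_day(cdrs, a, b):
    """Group calls between a and b by calendar day, in time order.
    Direction is from a's side: 'out' means a dialed b."""
    days = defaultdict(list)
    for caller, callee, start, duration in cdrs:
        if {caller, callee} != {a, b}:
            continue
        ts = datetime.strptime(start, "%Y-%m-%d %H:%M")
        days[ts.date()].append((ts, "out" if caller == a else "in", duration))
    return {day: sorted(calls) for day, calls in sorted(days.items())}

def callback_days(days):
    """Days where an outbound call is later answered by an inbound call."""
    hits = []
    for day, calls in days.items():
        directions = [direction for _, direction, _ in calls]
        if "out" in directions:
            first_out = directions.index("out")
            if "in" in directions[first_out + 1:]:
                hits.append(day)
    return hits

if __name__ == "__main__":
    days = calls_by_day(CDRS, TARGET, PAYPHONE)
    for day, calls in days.items():
        print(day, len(calls), "".join(d[0] for _, d, _ in calls))
    print("call-back days:", callback_days(days))
```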
From here, the investigator changes the placement within VisuaLinks to a Temporal Grid to get a better understanding of when the phone calls were made.
The X axis is based on the day-of-week, so there are 8 columns starting with null (undefined) and then Sunday - Saturday. The Y axis is based on the week-of-year so there are 52 rows where the top represents January and the bottom December. Based on this type of visualization, a few interesting observations can be made:
- There was little activity in the first several months of the year (January-March).
- There was very sporadic activity for the next two months.
- During the summer period, there appears to be a flurry of activity with a mid-week concentration of calls and the first showing of multiple calls within the same week.
- The activity then drops off for the month of July where there were no calls made between these two phones.
- The investigators deem it important to also look at the calling patterns for the other phones to see if there was a concentration or increase of calls to other phones during this period. Alternatively, it simply could be a period of inactivity due to vacation.
- The weekly pattern then picks back up for a little over one month, dies back down for another month, and then apparently switches to a pattern of weekend activity (there is an increase in Saturday and Sunday calls).
- Finally, the pattern stops until the last week of the year.
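The grid layout described above (a null column followed by Sunday through Saturday, one row per week of the year) can be built directly from call start times. This is an added example, not VisuaLinks code; the timestamps are constructed, the function names are hypothetical, and it assumes Sunday-based week numbering (`%U`, which yields 0-53 rather than exactly 52 rows).

```python
from collections import Counter
from datetime import datetime

COLUMNS = ["null", "Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]

# Constructed call start times; None and "not-a-date" model CDRs with no usable date
CALLS = ["2004-06-09 10:02", "2004-06-09 14:30", "2004-06-16 09:15",
         "2004-06-23 11:00", "2004-10-02 20:00", "2004-10-03 21:10",
         None, "not-a-date"]

def grid_cell(start):
    """Map a start time to (week_of_year, column); undated calls go to 'null'."""
    try:
        ts = datetime.strptime(start, "%Y-%m-%d %H:%M")
    except (TypeError, ValueError):
        return (None, "null")
    week = int(ts.strftime("%U"))  # Sunday-based week number, 0-53
    return (week, COLUMNS[1 + (ts.weekday() + 1) % 7])  # weekday(): Monday=0

def temporal_grid(calls):
    """Count calls per (week, day-of-week) cell."""
    return Counter(grid_cell(c) for c in calls)

def column_totals(grid):
    """Calls per day-of-week column, to expose mid-week or weekend concentration."""
    totals = dict.fromkeys(COLUMNS, 0)
    for (_, col), n in grid.items():
        totals[col] += n
    return totals

def render(grid):
    """Text grid: one row per dated week that has calls, '.' for empty cells."""
    weeks = sorted({w for w, _ in grid if w is not None})
    lines = ["week " + " ".join(f"{c:>4}" for c in COLUMNS)]
    for w in weeks:
        cells = [grid.get((w, c), 0) for c in COLUMNS]
        lines.append(f"{w:>4} " + " ".join(f"{n or '.':>4}" for n in cells))
    return lines

if __name__ == "__main__":
    grid = temporal_grid(CALLS)
    print("\n".join(render(grid)))
    print("undated:", grid[(None, "null")], column_totals(grid))
```

Gaps between populated rows correspond to the quiet periods noted in the list above, and the column totals show whether activity concentrates mid-week or on weekends.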
The investigator performs one last check of the data within VisuaLinks to show the cell-tower locations from where the target made the phone calls. For each CDR there is also a cell-tower identification number and a reverse look-up for its latitude/longitude can be acquired using VisuaLinks' powerful data integration functions.
All of the calls originate a little north of Manhattan. Remember, this is a cell phone based in Washington, DC calling a New York payphone. This diagram proves the target is physically operating out of this area and is most likely coordinating drop points with another criminal associate.