What can be done to identify the perpetrator of crimes from their mobile phone usage? LATRO is a business that provides forensic support to the police, including the ability to determine the geographic location of individuals. We are joined by LATRO CEO Donald Reinhart and Tom Beiser, Director of LATRO’s Cellular Forensics Lab, to talk about the power and the limits of what can be established using network data.

Topical news items are debated by regular presenters, senior risk executive Lee Scargall, and the Editor of Commsrisk, Eric Priezkalns.

Transcript (auto-generated)

Hello, I'm Eric Priezkalns and this is the Communications Risk Show, the live streaming
discussion show produced by Commsrisk in collaboration with the Risk and Assurance
Group, RAG. Every Wednesday we talk to risk experts from around the world of electronic
communications and we broadcast live, so you can also join the conversation submitting
questions and observations as we go along. To ask a question, just type it into the window
immediately beneath the streaming window on our website at tv.commsrisk.com. Messages on
the website are anonymous, so write your name into the message if you want me to read it out.
We're also streaming the show on LinkedIn. A member of our team is going to keep an
eye on comments over there, so if you want to leave a comment or question there, that's great
too. Later in the show we'll be talking about the challenges involved in interpreting CDR
and other telecoms data as provided to law enforcement for their investigations.
Joining us will be Donald Reinhart, CEO of LATRO, a business which provides forensic data services
to police, and Tom Beiser, Director of LATRO's Cellular Forensics Lab, who previously was a
police detective who specialised in using and obtaining intelligence from phones and
comms providers. Today's show is sponsored by LATRO. But first, let's say hello to my co-presenter
Lee Scargall. I'm never quite sure where you are in the world. Are you back in Manama at the moment,
back in Bahrain, Lee? Back in sunny Bahrain today, Eric. In your plush apartment there,
which no doubt has got 16 bedrooms and older. You probably told the servants to keep out of
shot during the show. Lee's done all right for himself in life, fair play to the lad.
His career has seen him switching between executive management and freelance consulting
roles for a wide variety of communications providers in the Middle East, but not just
the Middle East, in Europe and the Caribbean and Asia. Sadly, Ed Feingold couldn't be with us today
but will be back next week. So, Lee, first subject, one that I think you're going to feel
strongly about. So, let me just set the scene there for the audience. The recent arrest of
Conor Brian Fitzpatrick, a 20-year-old New Yorker accused of running BreachForums,
an online market where hackers sold data obtained from data breaches of telcos, ISPs,
social media networks, investment businesses, hospitals, all sorts of business, but a lot of
commerce businesses definitely in there. Now, BreachForums has been taken down now,
but as of the beginning of this year, they had 340,000 members and its official database section
of this marketplace contained 888 distinct data sets for sale with over 14 billion individual
records between them. It's a reincarnation of another forum that shared stolen data, RaidForums,
which were seized in April 2022. Lee, a young lad, these things get set up in no time,
huge numbers of users. Are you surprised at the scale of these black markets for stolen data
and the speed at which they get set up once the police has been involved and tried to rip one down?
Not really, Eric, right? There's data breaches all the time, right? So, to understand it,
you really need to go back to around about 2005, and this is when businesses, they moved from paper
to digital storage, and that's when it's all really started to happen. But actually, if you
look back to 2005, it was actually 136 reported breaches, and ever since then, it's just been
growing and growing each year, right? So, last year, there were over 4,000 data breaches around
the world, right? And I read somewhere that since 2005, the average American has been breached at
least seven times, right? So, when you look at the statistics, it's incredible, really. So, 68 records
are lost or stolen every second. 45% of U.S. companies have experienced a data breach,
right? But worryingly, right, the average time it takes to identify a data breach is 206 days
on average, right? And the average cost of a data breach is around 4 million U.S. dollars. So, no,
I'm not surprised, Eric, right? There's a market for stolen data, which is actively used by
criminals to commit fraud. But what comes first? See, this is the thing. I hear what you're saying
about the data breaches, plenty of data breaches, and every time it happens, business services are
tremendously sophisticated, are incredibly sophisticated, most sophisticated hackers ever,
something like a Hollywood movie, the way they cracked into our business.
This marketplace, which is less than a year old when it gets ripped down, 340,000 members.
So, you've got this incredible number of criminals who don't have to be sophisticated
to get their hands on breach data. We've got such a supply chain of breach data,
we have hundreds of thousands of people getting onto these forums, buying the data that they want.
This guy, he sold these tokens, these credits to people, and they would use the in-market currency.
This is how sophisticated it is, which tells us about the scale of what's taking place here,
the extent to which the criminal underworld has grown. Now, there's been another story.
Just yesterday, the FBI announced they took down another kind of online criminal market,
the Genesis market, which had cookies, IP addresses, time zones, and device information
that allows a criminal to impersonate the digital fingerprint of a subscriber to services like Gmail
or Facebook, Netflix, Spotify, PayPal, Reddit, Amazon, you name it, all those kinds of online
services. And this was an invite only site. So, you have to be literally invited as a criminal
to use this marketplace. But they had, they reckon, they estimated that between 30 to 50
million fingerprints, always known as bots. So, effectively, the equivalent of a user's account
would have been available for purchase from the Genesis market before the FBI ripped it down.
These are people who can, this is a criminal who can just basically click on a few buttons on their
web browser, use the plugin on the web browser, and then suddenly they become Lee Scargall,
and they're using your Amazon account, your LinkedIn account, whatever.
I'm amazed that even in a criminal's invite only, the scale of how quickly this thing just
blows out. I mean, what are we doing wrong here? What are we doing wrong?
I don't have the answer, Eric. I really don't have the answer to that because, you know, if you just
look at it as one forum opens up, it gets shut down, another one gets opened up. Yeah, it just
happens so quickly. Yeah, the pace of change. Okay, let me ask a different question. What are
we doing wrong? Because I have a hell of a time telling people that they should exchange data
about crime, and yet we're running supposedly, these people, you know, we work in an industry
where supposedly we've got lots of technology sophistication, we've got the best minds in the
business, we all really care about fighting crime. If you were to try and set up a marketplace for
exchanging data to fight crime, it would not be set up as quickly as these criminals are setting up.
So what are we doing wrong? Again, I don't have the answer to that, Eric. It just seems that the
bad guys, the bad guys really do know how to set these things up and share information a lot quicker
than what the good guys do. A 20 year old kid can set up something, and we've got grey hairs like
me fighting, fighting in this industry to get companies to exchange data. There's something
off here in terms of our motivation, I would say. This makes me think about the war on drugs.
And it makes me think about the war on drugs, because you'd have the big drugs seizures that
would like always grab the headlines, look, we're winning the war on drugs, we're fighting the war
on drugs, we've got the big drug seizure. You're just taking the top off the surface here, you
know, there's so much going on underneath that you're not dealing with. You've simply lost control
of the situation.
But yeah, I mean, Eric, I think you've just hit the nail on the head there. It's all about the
motivation, right? Now, the motivation for these guys is if they can share this information, they
get paid for it, right? So you've got this perpetual type of, yeah, exactly. So you've got
this perpetual type of thing. And I think when you come to the good guys, you know, what's in it for
us? Why do I want to share this information? Yeah. But we lose money, too. The businesses
lose money, too. Exactly. But why do I see so many kind of so many kind of telcos? They find
this fraud, but they don't share that information. They don't they don't share it with places like
the GSMA. They don't share it with, say, RAG, this type of stuff. And then you have to ask
yourself the question is like, why not? But I think it comes back down to the motivation. Yeah.
You're right. All right. I'll calm myself down by reading out an advert now from our main series
sponsors, Blue Gem. Blue Gem is a global provider of testing services for telecoms, government
and software businesses. They use real phone devices, which means they can create real events
such as data, video streaming and music events and even fraud bypass test calls using real
SIMs across a global network platform. Blue Gem can give you insights into a number of key areas
such as simbox detection, OTT and refiling frauds, roaming service assurance and customer
journey testing. They can detect simbox fraud using a hybrid developed system of automated
devices and crowd testers, which means they use real devices and SIMs to detect a higher rate of
fraud. The popularity of OTT applications like Viber, WhatsApp and Telegram, just to name a few,
has also seen the increase of OTT bypass fraud and Blue Gem's OTT solution automatically detects
IP voice and chat apps for any fraudulent activity. Blue Gem's approach to fraud bypass
is to use a risk-based test methodology, which means they strategically target higher risk
routes and countries to detect on-net and off-net fraud. With automated alerts, this enables
customers to profile fraudulent routes quickly and Blue Gem's flexible solution will adapt to
ensure fraudsters are not aware of the simbox detection. So, if you want assurance of your
interconnected routes and want to tackle simbox, OTT or refiling frauds, then you should call upon
the experienced team of specialists at Blue Gem. So, Lee, back to the topical chat and let's
continue to talk about these data breaches because although I had a minute or so there
calming down thinking about the good work that Blue Gem do, these data breaches is driving me
crazy. I've been involved in data protection and data integrity, looking at loads of these things
since the late 1990s, and we just seem to be heading towards an apocalypse. And I've been
working in one of the industry sectors that's the most targeted of all. Comms providers,
they have a tremendous amount of data, about millions of people. They're targeted by social
engineering attacks all the time, stealing data, taking over people's accounts with frauds like
SIM swap frauds and other accounts of account takeover. Lee, when we look at the scale of this
problem, here's one parameter we don't often talk about because you tend to get obsessed with the
technology. Is it fair to generalise that young men are especially prone to this kind of internet
and communications-based crime? Are law enforcement and societies in general drawing the right
conclusions about who we need to be focusing on to tackle these crimes? Well, it's not just young
men who are doing this, Eric, right? There's a whole- It is young men. It's not. It is young
men. It isn't, right? There's a whole range of bad actors out there doing this type of stuff,
right? So you've got the young script kiddies, right? Or the lone hackers, right? These are
the guys who are motivated to get some kind of fame, right? And if you cast your mind back
to the TalkTalk hack in about 2015, I think it was a 17-year-old school kid, and he did it,
but he said he was just showing off to his friends, right? But then you have, you've got
the organised cyber criminal gangs, right? And these are driven by the money. So these are the
likes of your Cobalt cyber gang. You've got the Lazarus Group, the Evil Corp, yeah. And then you've
got the state-sponsored groups, right? And these are the ones who are targeting companies to get
data on individuals, right? Now, telecommunications companies, if you just mentioned previously,
they're often targeted because of the type of information they hold, right? So you've got
people, they want to know who the people are calling, where are they located, what's the
browsing history, they want to intercept your voice calls, your messages. So basically, they're
just gathering intelligence on people. So in essence, right, Eric, just to summarise this,
it's not just young men, right? There's a whole range of bad actors out there who are motivated
for different reasons. We have to target our resources when it has the most effect.
And if you say it's not just young men, we create the impression that, you know, somebody's granny
needs to be targeted just as much. It's not old women in a retirement home that we're talking
about here. We're talking about teenagers, we're talking about 20-somethings. They're being trained
at a young age. They're being trained in their bedrooms. We're not breaking the chain here in
terms of the education. Now, if you were to work, or you do work for telcos, but if you were to go
out and say, how do I get my team trained, you might find it quite difficult to find the right
training course for your team to get them educated. Not hard for a 17-year-old lad to be sat at home
on the internet connection to get a very good training in how to do hacking, stealing data.
This Fitzpatrick guy who the FBI just arrested, he was very sophisticated. He provided an escrow
service for other criminals, holding the funds for the purchases of the stolen data,
whilst ensuring the stolen information was supplied. 20 years old. This is not a lad who's
just worked out how to do this. He's copying what other people are doing. Why are we not focusing
our resources on societies training, educating young men about the seriousness of these crimes?
Well, I think that that's something which has to be built into, say, something like the school
curriculum, right, from an early age, just to kind of demonstrate the seriousness of doing this. I
think if you look at things like YouTube, you can go on YouTube, you can actually find, it's just
like a tutorial of how you actually do this stuff. It actually tells you links to websites,
how to download this information. But I keep saying this, Eric, week after week is that you
don't have to have any coding experience to do these type of hacks. You just go down, you get
Kali Linux or Metasploit, and you just point these things towards a company. It goes off and
it comes back. It'll give you a list to say, right, these are the number of exploits within
this particular website. What do you want to do? Do you want to do ransomware? Do you want to hack
the email server? Whatever, right? And it's just an option one, option two, option three. And then
you just click it and off it goes. And it does it. It's, I mean, it's completely incredible. It
really is. But why are we so tolerant in our societies of so-called legitimate businesses? I
mean, legal businesses, let's put it that way. Legal, but they're advertising GSM gateways,
but they're advertising IMSI catchers. It's all very well and good to say, well, actually selling
those things isn't illegal. Who do we think they're selling them to? I mean,
how naive do we have to be as a society that we have to wait until, say in the case of IMSI
catchers, we have to catch somebody driving around Paris with an IMSI catcher in the back
of the ambulance before we go, oh, duh, we never thought, oh, we didn't know it could be used for
that. Oh, why didn't we think of that before? Why are we not focusing more on the root cause?
And of course, if you are a supplier of this equipment, who are the people who are doing the
YouTube videos, the training? If I'm selling a GSM gateway, and I know that most of my customers are
simbox fraudsters, I'm the one who's producing the videos explaining how to do the simbox fraud
at the same time. Why are we being so naive about this? It seems as though we're almost
wantonly naive, maybe even the sectors of society, people in power who are profiting from the crime,
and that's why we're not tackling the root cause. Do you think I'm just a conspiracy mad maniac,
or do you think there's some truth that there's some higher echelons in society involved in this
kind of fraud? Well, the problem with the internet, and I've always said this, is that there are no
laws on the internet, right? Nobody controls it, and maybe that's one of the good things
about the internet, but maybe it's one of the bad things as well, right? So, but I think if I draw,
if you come back to the UK, and you have the UK online safety bill, now if you go back even a
couple of years, I think it wasn't even illegal to sell like drugs and guns on the internet in the
UK, right? I think it's illegal to sell it, it's illegal to sell it, yeah, but it's not illegal to
advertise it on the internet, right? But I think now with the online safety bill coming in, they
can actually take these websites down, yeah? So, but that's the UK, and then if you go back to
other jurisdictions around the world, there's no kind of controls or rules which go around that,
and a lot of the IMSI catchers which I was looking at, right, that you buy them from Malaysia,
right? So it's quite easy, you can go on there, you can get them shipped to you,
even if you're living in the UK or anywhere else, right? So it's just a general problem
with the internet, that's, I don't know how to fix it, Eric, maybe you have an opinion on that.
Well, I'll keep on with the opinions, but next we'll do another advert, this time for Symmetry,
and the PRISM Fact of the Week. Now, each week, Symmetry Solutions supplies with some
interesting information, but it's based upon the intelligence gathering done from their PRISM
fraud intelligence service. And this one's a real doozy, my gosh, on the topic of marketplaces for
criminals, the team that gathers Intelligence PRISM has observed an astonishing 55,786% increase
in the number of North American phone numbers being offered for sale to criminals
since 2020. There's been an astonishing 43,835% increase in
US numbers, but the proportionate rise in Canadian numbers is even worse, 69,340%. And you might be,
you might be thinking you can guess which regions, which parts of the dialling plan
these increases have been the largest, but it's not that straightforward. Alaska, 218,000% increase.
Hawaii, 145%, 145,000% increase. And yet California, 29,300% increase. South Dakota,
37,800% increase in number of phone numbers. And some of Canada's worst affected provinces,
also some of their most populous provinces. Ontario, 135,700% increase in the number of
numbers offered to fraudsters. British Columbia, 119,600% increase. These numbers are astonishing.
And it's not just premium rate numbers or geographic numbers that are being sold to
criminals. For the PRISM team, there's also been a rapid rise in toll-free numbers being sold to
criminals and organised crime is also being offered numbers, which are especially reserved
for emergency use only. So if you want to learn more, or you want to arrange a trial of PRISM's
data, then get in touch with the team at Symmetry Solutions. Their URL, symmetrysolutions.co.uk.
Holy, wow, so there we go. The scale of this thing is out of control and put in certain parts
of the world there in North America. So astonishing statistics there from the Symmetry Solutions PRISM
team. Something else that's caused a lot of consternation recently, US police and law enforcement
around the world, they want a lot of data, they ask for a lot of data. And sometimes that upsets
the civil rights people in various countries. This year, we've already had the redacted report from
the Department of Homeland Security that some agencies failed to obtain legal permission as
required for the deployment of IMSI catchers. And I recently saw a press release from a business
called Afani that promises detection and protection from IMSI catchers. But who are
they selling this service to? Lawyers in order to protect the confidentiality of their clients. So
the implication being that lawyers are being spied upon using IMSI catchers. Lee, do you think
there's any substance to this claim that there may be lawyers out there who are being spied upon by
law enforcement that they need to resort to all sorts of methods to stop the phone surveillance?
So we talked on last week's show about how easy it was to buy IMSI catchers on the internet for
about $8,000. And these things, they can intercept the calls, right, because they downgrade it down
to 2G. Now, so yes, it is a real threat, Eric. Now, I would probably recommend that if you're
in a job where you have access to this kind of sensitive information, then you might
want to take precautions, right? I've recently stopped giving out my phone number because,
you know, in the wrong hands, right, I could be targeted for a SIM swap, right? And once they take
over your account, then they can do all kinds of damage, right? But I think the risk to the average
person, right, on this is pretty low, and they shouldn't get too paranoid about it.
Yeah, but aren't you worried about people driving by with IMSI catchers around your massive
estate in the north of England and around your plush apartment building, which look like
absolutely dead set targets for high net worth individuals? They may not be targeting you
specifically, but they'll be gathering your data because they know that you're a rich man with huge
amounts in your bank account, Lee. Well, I think there's so many factual errors in what you've just
said there, Eric. But no, look, if I've got, you know, something sensitive, I don't put it through
my mobile phone, right? And that's, you know, that would be my advice. I think
certain individuals will be targeted. So if you're a politician, yeah, if you're a, you know,
a minister, high ranking minister, then I'm certain these people will be targeted by some
people. You know, businessmen as well, if you're high profile businessmen, I'm sure people like
Elon and all these people, I'm sure there's people out there tracking these guys as well.
But I'm sure they're not stupid enough to put anything sensitive through a mobile phone these
days. Well, I think you give people too much credit. Having all this crime, there wasn't a
lot of stupidity out there. People in order to steal from, let's flip the question like I said,
you've worked in telcos, you've been a consultant to telcos. Where should telcos draw the line in
refusing demands of information from law enforcement? Where should they refuse it?
I'm not sure they can refuse it, right, if there's a warrant requesting that release
of information. In some countries that I've worked in, Eric, right, the police, they just
have direct access to everything anyway, right? But, you know, if we go back to, say, something
like Privacy International, I'm not sure if you've heard of Privacy International, but they've been
warning that the police forces in the UK, right, they've been using IMSI catchers since 2011,
right, and the police in the UK, they don't even have to disclose they're using them, right, due
to issues around national security. So it's not just being used in the USA, these IMSI catchers,
they're also being used in other countries too, by the police.
Lots of comments coming in here from the people watching online. So apologies to the people
as I butt in, Lee, and share some of these observations with you now. Very interesting
stuff. One viewer here has pointed out who has a vested interest in scaffolding such laws to
prevent fraud to a favourable degree, we need to identify what organisations individuals have an
interest in committing fraud, then work on communicating those parties, how they can play
a favourable role in protecting our technical environment. Somebody else here says, another
anonymous one, sorry, telling me off, because I'm saying it's young men, they agree with you.
Apparently, it's women too, except I've never seen any names of any women. I read these stories,
and I'm always seeing men and I'm always seeing young men. So that's why I'm jumping to the
conclusion it's always young men. Those are the ones who get mentioned in the press release from
law enforcement. If it was women, I would absolutely scold women too, but I'm not seeing
women, you know, you might want to argue there's a gender gap there. I'm not so sure that's a
gender gap women need to be closing, perhaps as quickly as some other gender gaps in society.
And another comment here, this one from Sossina Tafari. The US is open about explaining data
breaches, partly due to policies, what the breaches look like in emerging markets? Good
question. As banking and telecom services move to convergent, how can companies protect their
customers from falling victim to such frauds? How can governments hold companies to better
protection to their users? Lee, you've worked in a lot of emerging markets, are emerging markets
following the model that's seen in countries like USA? There's more need to be done in emerging
markets to protect people from data breaches. There is, but you know, if we look at it,
you know, a lot of the data breaches are coming from the USA, right? Now, is that just the
disclosure thing? Maybe, right? Maybe in some of these developing countries, they don't report it,
right? But I think there was a very good interesting comment there just coming in about
the women. Maybe the women, maybe Eric, they're better hackers at disguising their traces than
what the men are. I'm so sexist. I don't agree with that kind of sexism. I'm saying a compliment
there, Eric. Yeah, but you're sexist against men. That's what I'm saying. You're being sexist
against men, Lee. I'm not so sure I'm allowing that on this show. Both genders absolutely equal.
We're not going to tolerate that kind of blatant sexism from you, Lee. And I'm thankful that I'm
not going to get angry at now because of your blatant sexism, because I'm going to line up our
next advert. So, you're going to get off the hook. Otherwise, if we were still out of time,
I'd be having a right old go at you for that, Lee. I really would. So, sometimes it's easy to
get fixated about the problems in one country and fail to step back and to see what's happening
else and to fail to see the good in Liverpool. It's not all bad after all. That's why we're
so grateful to our friends at geolocation, fraud prevention and call authentication business,
OneRoute, for their regular feature, which they call The World in Your Phone. Each week,
Jeffrey Ross of OneRoute asks us to step back and take a look at a different part of the world.
And this week, Jeffrey's destination is Ethiopia. So, producer James, roll VT.
Hey, everyone from OneRoute. I'm Jeffrey Ross, and this is The World in Your Phone.
Let's talk about Ethiopia. Now, I'm sure you've heard the name, but how much do you know
about this intriguing African nation? It's got beautiful landscapes and wonderful wildlife.
But did you know that Safaricom just started a brand new network there in Ethiopia?
Started in 2022, they are bringing and delivering new connectivity, expanding into
massive regions across the country, and they will continue to grow and bring M-Pesa,
the mobile money, into Ethiopia. It'll be fantastic to watch and see as that telecom
company grows in Ethiopia. Something else that I found interesting about Ethiopia is that it is
home to the lowest place on the African continent, the Danakil Depression. The Depression is at the
junction of three tectonic plates in the Horn of Africa, and it sits approximately 125 meters below
sea level. Who knew? But also, on the flip side, Addis Ababa, the capital city, is the highest
capital city in Africa. Located in the highlands, Addis Ababa sits at about 2,355 meters above sea
level. But most importantly, Ethiopia, birthplace of coffee. And I can tell you from personal
experience, their coffee is amazing. So thank you, Ethiopia, for bringing us coffee.
Be sure to tune in and subscribe to our channel on YouTube or other social media platforms and
click to like, subscribe, do all that fun stuff. And stay tuned for more of these series,
along with watching our One Route Roundup, where we put a spotlight on individuals making a
positive impact on the telecom industry. Now onto another great communications risk show.
So the guys from LATRO will be joining us any moment now. Let me just warm you up in terms of
the topics that they'll be covering. CDR analysis, we know that's a proven method for uncovering
illegal activity and the abuse of service in mobile networks. For many years, telecom fraud
management professionals relied upon analysis of CDRs to detect patterns of malicious misuse of services to defraud
communications companies. However, for some criminal investigations, the outcome of CDR
analysis, even more serious consequences, extracted from mobile devices provided under
judicial warrant for very serious crimes. When compared to the physical location of
individual cell towers, including the orientation of antennas mounted on them, CDRs can show the
location of a mobile phone by triangulating from mobile switching centres, but they don't
point a cell phone user's location with the same precision as techniques like GPS. They do
indicate a phone's general location or cell relative to the network's tower. That's why
Americans often refer to cellular networks. Now, knowing a subscriber's location in comparison
to towers or the base transceiver stations, as they're called by technicians, is vital to
delivery of communication services. Otherwise, mobile networks be unable to manage the
mobility users, be limited to a simple fixed site wireless network. But there's more definitive
source of data, like I say, the history of GPS data, which can be forensically extracted as
digital evidence from a phone or another kind of handset. There are several solutions in the
market for forensic professionals to extract, gather and prepare digital evidence for mobile
devices, including the well-known one in this space, Cellebrite. In addition to GPS location
data, other critical information can be sourced forensically as part of digital evidence gathering
and preparation related to contacts, connections, situational clues from media like pictures,
and video. And here's a few eye-opening facts that the LATRO team has shared with us
to get us going with this conversation. Increase in digital evidence, a 2020 survey
conducted by the National Institute of Justice found that 96% of law enforcement agencies in the
US reported an increase in digital evidence over the past five years, with mobile devices being a
significant contributor. Mobile devices investigations, according to a 2019 SANS
Institute survey on digital forensics incident responses, 88% of respondents reported that
mobile devices were part of their investigations, emphasizing the critical role of cellular
forensics. Location data, again, the National Institute of Justice found that data which is
derived from CDRs and other mobile device data was the most frequently used and valued type of
digital evidence in criminal investigations. And from the SANS Institute, 45% of respondents
said encryption was the most significant barrier to accessing data on mobile devices,
highlighting the need for advanced cellular forensic techniques and tools to overcome that
challenge. So complicated stuff. It's a good show if we've got two real experts to talk about it
with us. To talk about it, we'll now be joined by our two experts from LATRO, who not only know
about CDR analysis and mobile network technology as it applies to forensics, but also to
revenue assurance and fraud management. So these are well-rounded chaps who are joining them, and
we've had one of them on the show before, so we welcome Don Reinhart back. Donald Reinhart is the
CEO of LATRO, providers of revenue assurance, fraud management, police forensics services.
Don's been overseeing LATRO's growth since its early days, first as a vice president,
then as CTO and COO, and then finally becoming CEO in 2021. And joining us for the first time,
Tom Beiser is the director of LATRO's Cellular Forensics Lab. He's been with LATRO since 2017,
but he also knows what it's like to use telecoms data for police work from the other side of the
fence. He previously specialized in CDR analysis and mobile phone forensics when he was a detective
in the police force of Eastern Pennsylvania. Tom, Don, it's a pleasure to have you both on the show.
Before we dive into the forensic analysis, I'm just glad to hear that everybody's fine. There
was some terrible fire in your offices in Eastern Pennsylvania, but I gather, Tom, nobody was
hurt. That's correct, sir. Thank you, Eric, for having us. Well, I'm glad that everything's fine,
but you're still up and running. The fire hasn't knocked you offline. You're still able to work
even though you're doing entirely sensitive stuff. It has slowed us down a little bit,
but we are still able to work, yes. Thanks. That's great to hear, guys. That's great to hear.
So let's get into the meat of this subject area now, which is a heck of a subject in order to be
talked about. Don, how did LATRO get into this business of cellular forensics, and how are your
cellular forensics services used today? Yeah, great question. When we started LATRO,
my co-founder, Alex Wilkinson, had an extensive experience in the forensics world through his
law enforcement background. So he left Verizon and started LATRO with me, but he really foresaw this
huge demand. Eric, would you mention some of the statistics already in the U.S. for digital and
evidence processing and cellular forensics? So we started basically supplementing overflow demand,
if you will, from the law enforcement community where there just wasn't enough internal resources
to handle the caseload and the amount of work, as well as just the technology expertise that
really is key to a lot of this investigation work. We later brought on Tom, who has over 20 years of
experience in law enforcement and doing this kind of work. So it's been a great business for us and
something we really feel like we're making an impact in the U.S. market. That's great to hear.
Now, your forensics business, U.S.-centric, but LATRO is known globally for your revenue
assurance, fraud management, analytics, products, and services. Are you providing any of these
forensic services outside of the U.S.? Not currently. So our biggest markets and our biggest
customers are part of our revenue assurance and fraud management business, which is almost
entirely international. Our forensics business is U.S.-centric and U.S.-focused. The nature of that
business is market dependent. So, for example, Tom is an expert qualified witness in the U.S.
court systems, and that just wouldn't translate to other jurisdictions outside of the U.S. So
we've looked at whether this business is scalable and feasible internationally. Currently for us,
that doesn't seem to be the case. So we've just been operating and delivering those services here
in the U.S. I'm glad you mentioned the process of Tom being an expert witness there. I've had a
couple of occasions in my life I've been asked to be an expert witness, and I turned them down
because I didn't think I was expert enough to do that kind of role. So I don't know from firsthand
what it's like to be involved in legal proceedings like that. What is it like for
LATRO and for your people to be involved in the legal proceedings? Tell us a little bit about what
it's like to be involved in a typical case and how that links to what you're doing in terms of
your end-to-end forensics. Absolutely. Thank you. So LATRO will often be retained by either the
prosecution or defense team. If we think about the resources available to law enforcement,
they have many of those tools and softwares and resources that LATRO currently does.
However, as a whole, they lack the expertise and the technology and putting all of those
resources together. So that being said, in some very serious criminal matters and criminal cases,
that prosecution team will bring LATRO in to assist them. Defense attorneys don't have those
resources that prosecution does, so they're always trying to bring LATRO in and trying to beat the
prosecution to retaining us to assist with that. So typically in most criminal investigations,
all of this evidence, all this digital evidence, including CDRs and the cell phones and the data
within those phones, that is typically seized by law enforcement. So no matter what side we're
working for, that information is ultimately turned over to LATRO so that we can assist with that
investigation. So CDRs would be turned over to us in the original format as received by the
carriers, and we'll often receive those by means of either encrypted emails and or passcode
protected USB or external hard drives. The same would go for any of that data that is extracted
from the cell phone itself. If law enforcement is extracting that data from the phone, we are then
provided with that raw data to analyze. If they lack the resources to conduct that forensic
examination, they'll also bring that to LATRO, and we can extract that data in a forensically
sound manner. So there's a lot of digital information and digital evidence here at play
that they will bring to us, and we'll start analyzing it. Once we dive into that data and
we kind of get a feel for what we have, we're going to take a look at all the other discovery
that were provided from the attorneys and try to figure out what kind of criminal investigation
does this entail and what criminal charges. Determine who the players are, where those
individuals live, where they work, where the crime was committed. We start putting all this
together, we start analyzing our data, and we'll eventually put together a thorough analysis report
with our attorney clients, often consulting with them along the way to make sure that that
report meets their needs of that investigation. Absolutely fascinating, Tom, I have to say. And
one thing I just want to pick up there in terms of a particular point you're making there,
you aid both prosecutors and the defendants, both of them. It almost sounded like you perhaps
sometimes have, you're more likely to have the defendants as your clients rather than the
prosecutors, which kind of implies that there is also value in defendants protecting themselves
from prosecutors who perhaps haven't looked at the data as well as you're being asked to look
at it when you do forensic analysis. That's absolutely true. Again, law enforcement has
many of those resources that LATRO offers. In many cases,
they might be different departments and or agencies contributing as a whole to provide all
of those resources that we have. So we do find that most of our clients are on the defense side.
Those individuals and those attorneys who don't have those resources will often come to LATRO.
Many of those resources involve the analysis of those call detail records and breaking down
the volume of information stored within those records. So not just the date and time and the
duration of those calls or the party A and party B numbers, but more specifically,
mapping the cell phone towers that we're hoping to get within those records as well.
I'm guessing that this data comes to you through some kind of disclosure process that takes place.
But how does law enforcement get there for the information? What do they do to apply for a
warrant and therefore get the data from the telecom companies, the CDRs and whatever the data
in the first place before you get it on behalf of your defendants?
Yes, the two primary methods of law enforcement obtaining this data are a court order. And most
of your court orders are based on reasonable grounds. It's less of a burden to prove that a crime
likely happened, that this number and or this device may have been associated with that crime.
When you get call detail records specifically, in this case, with a court order, you're going
to get much of the same information that we would with the other method, which I'll describe in a
minute. However, you're not going to get location information. So we're not going to get the cell
phone towers that were used to facilitate that communication on a court order for call detail
records. The second primary method would be a search warrant. A search warrant requires
probable cause, which is more of a burden to meet for law enforcement. When law enforcement
does get a search warrant, they are requesting that tower location for those call detail records.
They might request content of text messages. They may request those specialized location records or
timing advance records, RTT, per call measurement data. Different operators define them differently.
So obviously, a lot of information here and potentially very sensitive information.
We talked about the volumes itself and obviously you're recipients of it in terms of doing your
specialized work. This is the kind of area where civil rights group people like the Electronic
Frontier Foundation, privacy activists, they may get a bit nervous about the data and who's got
access to the data. What are the legal requirements for handling this potentially sensitive data?
Obviously, to obtain the data, law enforcement would need one of those methods that I described,
a court order or search warrant. From there, the laws in possessing this data and how we handle
that data are very much different in the US as they are in some other countries, including the
UK. So for example, when law enforcement obtains this data, whether it be from the physical device
itself and or from the operators and by way of call detail records, that information must be then
provided to the prosecution team. It must be provided in a non-redacted manner. And then that
information also, by way of the rules of discovery, must be provided to the defense team in an unredacted manner as
well. So regardless of which team we are working for on any given case, we are receiving that
unredacted data. Now, obviously, there's still some sensitive information there. And we will
handle that information as sensitive. So we're not disclosing that information. Non-disclosure
agreements are signed between all parties involved. And there are certain security measures
that we follow within LATRO to make sure that data is as secure as it can be.
Between just physical security within our office spaces and ensuring that all digital
devices and digital data are locked up in additional security measures.
Absolutely fascinating stuff. And I can see that from the legal side, that even if the technology
is the same in different countries, that's why it may be difficult to transfer the service from one
domain to another legal domain because of the protocols around what you're allowed to do and
how you do these things. But so far, we've been quite abstract. We talk about process and the
rules and the framework for how we do these things. Please give us a story about your
forensic services making an impact in a court case. Well, you provided some statistics in the
beginning of this show about just the number of cases where this digital evidence comes to play.
And it is always increasing. The number of cases that I've seen alone with LATRO
has increased every year. So talk about one specific case that LATRO was brought in on.
And one of the reasons I was brought in on this specific case by the prosecution team
is I assisted with the investigation in my last several months as a detective with the
City of Eastern Police Department. It involved a crime spree that took place in late 2016 into 2017.
It involved numerous crimes in excess of seven different armed robberies. There were six cell
phone stores that were robbed. There was a jewelry store that was robbed. It involved a homicide and
it involved a second incident of attempted kidnapping. All of these crimes occurred over
three separate counties, seven different jurisdictions in two different states.
So if you can just imagine the law enforcement investigations and I say plural investigations
going on because, again, you had several different agencies investigating each one of these crimes.
They kind of got in over their head. And it wasn't until I had gotten in my department,
I got more involved in the investigation where we identified one of the suspects using his cell
phone during one of the robberies. Now we had two suspects involved. One had left the store.
We saw another suspect inside the store that they were robbing using his cell phone. We ordered
certain call detail records from all the phone companies, all the operators, and were eventually
able to identify the phone numbers associated with these criminals and thus were able to then
identify them. And once we get additional call detail records for those numbers, we were able
to see that they were involved in all of these different crimes over the last six months
or so. That additional information led to search warrants being conducted in numerous different
jurisdictions in numerous different states. And much of the evidence that we were looking for,
including some of those items that were stolen from the cell phone store robberies,
the jewelry from the jewelry store robbery, and the weapon that was used in the outside were seized
during the search warrants. So that's just one rather large investigation. And I say large not
only with the number of crimes involved, but the number of agencies that were leading that
investigations. It's a great example of just taking all of this data, all the collective data
from cell phone forensic examinations and call detail records and all the different types of
records that we're getting from the operator, putting it all together, working with a number
of different agencies and really bringing this crime gang and criminal gang and crime spree to
an end. It's mind blowing when you think about the scale of these things and what can be done
in terms of information. And it is hard sometimes, I think, for members of the public to fully
appreciate the level of work that needs to go into this and the importance of the work that goes
into it. But I think maybe the public's a bit more aware because following the last presidential
election in the US, there was a bit of a hoo-ha in the capital. I'll say it like that because I
don't want to pick either side in terms of how big to make a deal of it or how little to make
a deal of it. But there was a lot of trespassers who are definitely breaking the law because
they weren't allowed to be in the US Capitol, the building where the Congress sits, and yet they
were in the US Capitol. Some people say they were just larking around and doing a bit of sightseeing
and taking selfies whilst they're wearing their helmets with the horns on the side of it. And
other people were saying that they were trying to interfere with the transfer of power to the new
US president, the head of state. So they were definitely committing treason. I won't pick a
side in terms of who's that. But nevertheless, a big deal and a lot of people in a building at a
specific point in time. So therefore, a lot of interest in terms of use of data to identify
those people and the legal proceedings that follow in terms of using that data to prosecute
those people. So tell us a little bit in terms about the techniques, the methods, the way in
which that's been approached in the USA. And maybe also tell us a little bit in terms of how much
it's changed perceptions of your work. Absolutely. So we're referring to the incident on January 6
in Washington DC and specifically at the Capitol. So you can imagine if law enforcement is searching
for one individual and or there's one or a handful of individuals in an area that large outside the
Capitol. I'm sure that they have ample surveillance coverage and cameras that they can pick up that
one individual. But if you start adding thousands of people into an area, and regardless of the size
of that area, it obviously becomes more difficult to identify any one person. So in this specific
case, you had thousands of people potentially committing crimes. So we're, you know, the law
enforcement is going to have to investigate that. So one of the ways that they did investigate that
is with call detail records. So identifying the phone numbers of those physical cell phones that
were in that area, taking that information, and following up again with the operators and
identifying those individuals who those phone numbers belong to. Once they start doing
that, you'll start, I don't want to call it conspiracy, but you might identify other key
players or suspects that are affiliated with any one of those individuals that you've now identified
through the use of call detail records, and the analysis of those call detail records.
So it's definitely a growing field. We constantly see the need in
the wealth of data and information that we are able to obtain from the operators.
I've got a question here from a viewer I want to share with you guys now. A question asks,
the January 6 Capitol invasion, was this an unprecedented investigation by the police
using mobile operator data? Or has the US police forces already reached a point where
this is now normal practice? I would say it might be
unprecedented in just the numbers alone of individuals being investigated and being
identified, perhaps mostly through the analysis of CDRs. But I'm sure there have been
many other events, some high profile bombings that we might see or high profile violent crimes,
where law enforcement is going to try to identify either those individuals involved or potential
witnesses to those crimes through the analysis of CDR. So I think one of the aspects or two of
the aspects that makes this unprecedented is just the number of individuals involved
and how public it was. So it's certainly it's not the only time an event like this has occurred
where law enforcement is analyzing this number of phone numbers and or devices. But it's impressive
from just the press involved. Another point I wanted to make is there
is a distinction between, at least in the US market, between sort of federal policing and local
and state level policing. And at the federal level, there's, of course, a lot more funding
and resources and technology available to handle these kinds of investigations. A lot of the work
we do is at the state and local level, which is a different set of funding and resources available.
So, you know, definitely a lot of interesting things going on in the US market across the board.
I was just going to add there is I don't think this this type of, you know, happens in happens
in the USA. I'm sure this is happening in places like Iran as well with all the protests going on
there. I'm sure the authorities are there trying to find out who's involved in the protests over
there as well. Well, and this is why it comes to sensitive topic in terms of the rights and
limits of these things that links to a comment here we've got from Ray Green from Focused Data.
He says, you need to be careful of using cell phone data for evidential purposes. It has a
number of flaws. It is data created for one purpose that is being used for another. I can
give you a number of instances where the data has been misleading. And that follows into
another question for the guys from LATRO here. Perhaps Tom would like to field this one.
That's a bit of a cheeky one. So I warn you in advance, it's a bit cheeky. If you were asked
to defend somebody who had been accused in the January 6th insurrection, that's how they write
it. If you were asked to defend them, what's the first thing that you would turn to in terms of
looking for data that they weren't involved? I'd say that's a tough question. So obviously,
I would have to analyze that data, which they do have against them. And you're going to look for
any inaccuracies or some maybe missed data within there that wasn't apparently analyzed.
And I think that's where you start. So that might give us or me as the investigator,
a better idea of what data I need to go out and search for. Does that data involve additional
surveillance video, license plate readers, which we could subpoena? Maybe the physical device and
extracting the data out of there to get a bigger and better picture of exactly what was going on.
Obviously, when we were looking at call detail records, that's just one source of data. So if
you're thinking about it as pieces in a jigsaw puzzle, that's just one or several pieces of that
entire jigsaw puzzle. So we want to try to uncover any possible evidence and not just digital evidence
that might help that investigation. Good point. But I guess a lot of the time,
one of the issues that comes up in court cases, tell me if I'm wrong, but I guess one of the
things that comes up a lot of the time is that people say, well, you have a record saying I'm
somewhere, but I wasn't actually there. I was nearby. There's some error in the data.
How do you deal with this question in court as to how accurate the data is in terms of determining
where somebody is? And of course, this is absolutely essential to something like what
happened in the January 6th US Capitol invasion, because if you're not in the building, then you're
not committing the crime of trespassing in the building. So I guess the accuracy must vary a lot
depending upon circumstances. How do you deal with that in terms of finding the right estimate
of accuracy? The accuracy does change and does vary, as you said. And what we try to do, and
this is primarily what I do on a day-to-day basis when I'm diving into call detail records and
combining that with the information from the device itself, you're trying to establish a
pattern, a pattern of life, if you will, which is often how it's referred to in the field.
So for example, I've seen several cases in one specific case involving a homicide where it was
portrayed that the defendant was in the area at the time the homicide was committed. But what was
not brought up was that the defendant is always in that area. That's his most frequently used area.
If you're looking at the frequency of the cell phone towers and cell IDs used, the defendant
lives in that area. So you would expect to find them in that area. So it's ensuring that you
analyze the data as a whole and don't be selective about just certain points in there. Yes, we know
that the RF survey also changes and it could vary. So again, you don't want to focus on one
very short piece of those call detail records. You want to look at them as a whole. You want to get as
much discovery, as much information about this case, and about the suspects involved that you
can and combine all that data. That is a great insight. The fact that it's not just about having
some data, it's about analysis of the data, interpreting the data, so you draw the right
conclusions from the data rather than just what seems like the first plausible conclusion you
want to make. We're running out of time, guys. It's been a great conversation. So I'll leave you
with just one last question to sum up where we are in terms of the situation these days.
What are the biggest challenges that both mobile operators and law enforcement face today when it
comes to using network data, device data in legal proceedings? I would say one of the biggest
challenges for the operators is just the growing number of legal requests for this data and the
high demands that it puts on their already outstretched resources. So whether it's manning
resources, equipment resources, financially, that's got to be a challenge to them. And we see
that on the law enforcement side, too. The law enforcement is constantly attempting to get this
data and preparing the legal documentation for this data. And sometimes getting that data is
slow. And I'm just talking about through the operators themselves. And then you have that
security issue with the devices themselves. Our device manufacturers are constantly upgrading
their security, which prohibits or inhibits law enforcement from getting inside that device. So
there's numerous challenges to both sides when it comes to attempting to get this data and analyze
the data. Fantastic. Well, thank you so much. I'm afraid we're out of time, guys. But Tom,
Don, I really appreciate having a show. I've gained a lot of insights from this interview.
I'd love to continue talking. I'm sure we will continue talking after the live stream ends,
but I need to start the show now. So thank you again, Tom, Don, for joining us on today's show.
Thank you. Thanks, Luke. That's all for today's show. Lee and I will be back with our regular
co-presenter, Ed Finegold, on Wednesday next week when we'll be talking about managing risk
as communications providers of increasingly complicated financial services and when it
becomes necessary to regulate them like banks. So Lee, Ed and I will be joined by our good friend
Joseph Nderitu. He's a director at business advisory firm Integrated Risk Services and one
of the most broadly traveled and experienced communications risk consultants working in
sub-Saharan Africa. We'll be all together. The live stream will occur on Wednesday, 12th of April
at 4 p.m. UK, 6 p.m. Saudi Arabia, 10 a.m. U.S. Central. But why not save the show to your diary
by clicking on the relevant link at the Communications Risk Show webpage? Or better still,
subscribe to our broadcast schedule and have every weekly show uploaded to your diary automatically.
Thanks again to today's guests. Donald Reinhart, CEO of LATRO. Tom Beiser, Director of LATRO
Cellular Forensics Lab. LATRO were sponsors of today's episode. Thanks to my co-presenter,
Lee Scargall. I'm always learning new things from him every time we're on this show. I've
known him for a long time. I still don't know the secret of success, how it's gotten so well for
you. But apart from that, I've learned a lot from Lee. And thanks to our hardworking producers of
the show who've been complaining that they'll never get rich with the amount that I pay them.
They are Matt Carter, who's been assisting James Greenley as our producer today. And that's it for
episode four of the Communications Risk Show. I'm your host, Eric Priezkalns. You'll find recordings
of all our previous broadcasts at the show's website, tv.commsrisk.com. Also visit our main site at
commsrisk.com for news and opinion about risks in the comms industry. And don't forget that
the Risk and Assurance Group offers free services and contact for risk managers, including the
RAG Block Chain and RAG's comprehensive fraud and leakage catalogs. You'll find them all at
RiskandAssuranceGroup.org. Thanks for watching today. We'll see you next Wednesday.