Graph Database for digital forensics

Jd
Jan 28, 2023

To illustrate the use of a graph database in digital forensics, let us consider an actual case, the “High Country Bandits”, which began with a 2009 bank robbery in Pinetop, Arizona (for the full story, see https://arstechnica.com/tech-policy/2013/08/how-cell-tower-dumps-caught-the-high-country-bandits-and-why-it-matters/).

Interestingly, one witness saw a suspicious man hanging around the bank a couple of hours before the robbery, talking on a cell phone. But how can one find a single cell phone user without knowing the phone number? Indeed, knowing nothing but the time and the location?

With court approval, the LEA (Law Enforcement Agency) requests a cell tower dump from the carriers for a particular time and location. Every cell phone must be connected to a cellular tower to receive calls, so a tower dump lists all cell phones connected to a given tower at a certain point in time in that location.

Let’s look at the key data fields of a cell tower dump: MCC, MNC, LAC, CellID, the tower’s latitude and longitude, and, crucially, the distance between a cell phone and a particular tower during a call. Tower dump data combined with cell phone call detail records (CDRs) becomes a powerful piece of evidence to confirm a person’s presence at a location during a given time frame.

Mobile Country Code (MCC), e.g., 310 for the USA and 302 for Canada

Mobile Network Code (MNC),

Location Area Code (LAC/ area) and

Cell Identification (CI/cellID)

Device information such as:

Type — GSM or CDMA

IMEI — 6567xxxxxxxxx10

Country — USA

Operator Name — XYZ

and so on.

CDRs — Call Detail Records are simply the carrier’s records of phone activity; a record is generated whenever a phone places or receives a call. The LEA requests these CDRs from the service provider along with the tower dump data to establish the time and location of each call.

The screenshots below show fake tower dump data for phones connected to a few cell towers at a particular time, or over a certain period, loaded into the Neo4j graph database. A graph database stores nodes and relationships instead of tables or documents; the data is stored as shown in the graph data model for the tower dump data.

To draw deeper insights from this data, Neo4j provides Cypher, a powerful, intuitive, graph-optimized query language that helps find and reveal previously unknown relationships and clusters, as shown in the screenshots.

To analyze the data for deeper context and unearth hidden patterns, “Neo4j Graph Data Science” is a connected-data analytics and machine learning platform that helps you understand the connections in large data sets, answer critical questions, and improve predictions. Please visit https://neo4j.com/ for more information.

This graph database technology can help identify and detect persons of interest from tower dump data and cell phone CDRs by taking advantage of the Cypher query language and Neo4j Graph Data Science.
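As an added example (not from this article, and not Neo4j’s own material), here is how the tower dump fields listed above and the CDRs can be modelled and queried in Cypher. Every value in it, the tower identifiers, IMEIs, distances, timestamps and the robbery time, is constructed sample data; only the field names follow the article. The analysis step goes slightly beyond the text by joining the two sources: it lists devices attached to the towers covering the bank in the two hours before the robbery and checks which of them were on a call in that window, which is exactly the question the witness statement raises. The final step assumes the Graph Data Science plugin is installed.

```cypher
// Graph data model (constructed, not the article's screenshots):
//   (:Carrier)-[:OPERATES]->(:Tower {mcc, mnc, lac, ci, lat, lon})
//   (:Device {imei, type})-[:CONNECTED {at, distanceMeters}]->(:Tower)   // tower dump rows
//   (:Device)-[:CALLED {at, durationSec}]->(:Device)                      // CDR rows
// Timestamps are epoch seconds; every number below is made up.

// 1. Towers from two carriers. MCC-MNC-LAC-CI together identify a cell.
UNWIND [
  {mcc: 310, mnc: 410, lac: 7311, ci: 21001, carrier: 'Carrier A', lat: 34.13, lon: -109.96},
  {mcc: 310, mnc: 260, lac: 8820, ci: 44017, carrier: 'Carrier B', lat: 34.13, lon: -109.95},
  {mcc: 310, mnc: 410, lac: 7311, ci: 21009, carrier: 'Carrier A', lat: 34.20, lon: -110.05}
] AS row
MERGE (c:Carrier {name: row.carrier})
MERGE (t:Tower {mcc: row.mcc, mnc: row.mnc, lac: row.lac, ci: row.ci})
SET t.lat = row.lat, t.lon = row.lon
MERGE (c)-[:OPERATES]->(t);

// 2. Tower dump rows: which device was attached to which tower, when, and
//    how far from the tower it was (metres). IMEIs are constructed samples.
UNWIND [
  {imei: '356938035643809', type: 'GSM',  mnc: 410, ci: 21001, at: 1248451200, dist: 350},
  {imei: '356938035643809', type: 'GSM',  mnc: 410, ci: 21009, at: 1248440000, dist: 1200},
  {imei: '490154203237518', type: 'GSM',  mnc: 410, ci: 21001, at: 1248452100, dist: 2400},
  {imei: '868123456789012', type: 'CDMA', mnc: 260, ci: 44017, at: 1248453000, dist: 300},
  {imei: '861234567890123', type: 'GSM',  mnc: 410, ci: 21001, at: 1248455000, dist: 900}
] AS row
MATCH (t:Tower {mcc: 310, mnc: row.mnc, ci: row.ci})
MERGE (d:Device {imei: row.imei})
SET d.type = row.type
CREATE (d)-[:CONNECTED {at: row.at, distanceMeters: row.dist}]->(t);

// 3. CDR rows: who called whom, when, and for how long (constructed).
UNWIND [
  {caller: '356938035643809', callee: '490154203237518', at: 1248451300, sec: 240},
  {caller: '868123456789012', callee: '490154203237518', at: 1248460000, sec: 30}
] AS row
MATCH (a:Device {imei: row.caller}), (b:Device {imei: row.callee})
CREATE (a)-[:CALLED {at: row.at, durationSec: row.sec}]->(b);

// 4. Analysis: devices attached to a tower covering the bank (cells 21001
//    and 44017, constructed) during the two hours before the robbery, with
//    the number of calls each placed or received in that window, ranked so
//    that phones that were on a call and close to the tower come first.
WITH 1248458400 AS robberyAt
MATCH (d:Device)-[c:CONNECTED]->(t:Tower)<-[:OPERATES]-(carrier:Carrier)
WHERE t.ci IN [21001, 44017]
  AND c.at >= robberyAt - 7200 AND c.at < robberyAt
OPTIONAL MATCH (d)-[call:CALLED]-()
  WHERE call.at >= robberyAt - 7200 AND call.at < robberyAt
RETURN d.imei AS imei, carrier.name AS carrier, t.ci AS cellId,
       c.distanceMeters AS metresFromTower, count(call) AS callsInWindow
ORDER BY callsInWindow DESC, metresFromTower ASC;

// 5. Clusters (requires the Graph Data Science plugin): project the call
//    graph and label each device with the connected component it belongs
//    to, so devices that called each other end up in the same cluster.
CALL gds.graph.project('callGraph', 'Device', 'CALLED');
CALL gds.wcc.stream('callGraph')
YIELD nodeId, componentId
RETURN gds.util.asNode(nodeId).imei AS imei, componentId
ORDER BY componentId, imei;
```

Run the statements in order in Neo4j Browser or cypher-shell. With the sample rows, step 4 returns three devices from the window, of which two were on a call; the one that was both on a call and 350 m from the tower sorts first, while the phone seen at the other tower an hour earlier is excluded because its attachment is outside the window. Step 5 puts the three devices that share calls in one component and the device with no CDR activity in its own.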

Figure: tower dump data in the Neo4j graph database.
Figure: tower dump data from two different carriers.

In summary, the use of a graph database in digital forensics can be exemplified by the “High Country Bandits” case, where the Law Enforcement Agency (LEA) obtained a cell tower dump from a carrier for a specific time and location to track the movements of a suspect. The tower dump data contains the Mobile Country Code (MCC), Mobile Network Code (MNC), Location Area Code (LAC), and Cell Identification (CI) of all cell phones connected to a particular tower at a certain point in time. By combining this data with cell phone call detail records (CDRs), the LEA can confirm the presence of a person at a specific location and time frame. The Neo4j graph database and the Cypher query language can be used to analyze this data and uncover hidden patterns and relationships, while Neo4j Graph Data Science can help improve predictions and answer critical questions.

Disclaimer: Views and opinions expressed in this article are my own and do not represent that of my place of work. I expressly disclaim any liability or loss incurred by any person who acts on the information, ideas or strategies discussed in my stories on Medium.com. While I make every effort to ensure that the information I’m sharing is accurate, I welcome any comments, suggestions, or correction of errors.
