How Police Track Criminals Using Call Detail Records Without Advanced Technology


Imagine this scenario: an unknown person calls from a disposable phone and demands a ransom for a kidnapped victim. The next day, the criminal calls again. The victim contacts the police, and within half an hour, the authorities not only know the real number of the caller but also have a complete history of their movements and calls. All of this is done without any advanced technology, fake cell towers, or signal interception.

The All-Seeing Eye

We often discuss smartphone vulnerabilities, data transmission networks, and cloud service security. We’ve become so used to “thinking complicated” that we forget about much simpler and more effective methods available to police in many countries.

Often, the police don’t even try to hack or intercept anything. Instead, they simply request information from the mobile carrier, who provides not only the call history but also a wealth of other valuable data. For example, an article about an Australian journalist analyzed the information collected about him by his mobile operator over two years.

Australian law requires mobile operators to store certain user data, known as the Call Detail Record (CDR), for two years. This includes device location at any given time, call logs (including information about the other party), and internet session data. For SMS, only metadata (time sent, message size, recipient) is stored, without the message content, unless there’s a warrant for wiretapping. Voice calls and message contents are not saved.

Metadata includes who the user called or messaged, call durations, and which cell towers the phone connected to at specific times—allowing fairly accurate location tracking. In some countries (notably the U.S.), operators not only provide this data to police but also sell it to third parties.

Operators also collect and sometimes sell details about internet usage, including website addresses and data volumes, tracked via DNS requests. Some operators have even tried to block customers from using third-party DNS servers to maintain this data stream.

In the U.S., mobile operators must keep CDRs, and agencies maintain a centralized database called MAINWAY, where records can be stored longer than the law allows operators to keep them. In Russia, the “Yarovaya Law” requires operators to store metadata for three years and message content for at least 30 days (up to six months), making all calls and messages available to police upon request.

Beyond CDR: Data from Device Manufacturers

In the study mentioned above, journalist Will Ockenden used an iPhone. A properly formatted “Device Request” to Apple (using only the device’s IMEI) allows police to obtain nearly all data Apple collects about the user. For comparison, in the U.S., police requested information on 19,318 devices in one year, with an 81% success rate. Google provides an interactive graph of such requests.

Apple does not provide police with user passwords, device usage statistics, SMS/iMessage content, or Health data (like step count and heart rate). Google, however, provides almost everything, including passwords (though Android 9 introduced backup encryption, making some data inaccessible to police).

Disposable Phones and SIM Cards

Criminals rarely use their main phones for illegal calls anymore. Instead, they use disposable SIM cards and cheap, basic phones, ideally without internet access. To get any data on a suspect, police need at least one clue—an IMEI is usually enough. But what can be determined from a device that’s only turned on for a few minutes?

Many novice criminals, influenced by conspiracy theories, remove the battery between calls, thinking this will keep them safe. However, they often overlook what happens on the network when a device is powered on or off, and that police are well aware of such patterns.

If a criminal leaves home to make a call from a disposable phone, where is their main phone? Let’s look at some scenarios:

Case 1: The Main Phone Is Carried Along

The most common situation: the criminal makes a suspicious call from a disposable phone but brings their own phone along. Police request CDRs for the relevant period. The operator returns either raw data or an anonymized list of devices connected to the same cell tower. Police cross-reference devices present during multiple calls from different locations, quickly narrowing down suspects to a handful of devices. Triangulation using data from neighboring towers can pinpoint locations to within tens or hundreds of meters.

In densely populated cities, the suspect pool may still be large, so police use big data analysis to study device behavior patterns—calls, data usage, movement, and registration times—to further narrow the list.

Conclusion: It’s easiest to catch a criminal who carries their personal device and moves around. Each call from a new location reduces the suspect list dramatically.

Contrary to movie tropes, the time a phone spends on the network doesn’t matter for location tracking; the location is logged instantly upon network registration. A powered-off phone does not transmit its location (except for some future features like Apple’s U1 chip).

In summary: after three calls from different locations, police can identify the criminal using simple log analysis—no special equipment needed.

Case 2: The Main Phone Is Turned Off

A cautious criminal might turn off their main phone before making a call from a disposable device. In this case, police look for devices that were powered off at the time of the anonymous call. If the main phone is turned back on afterward, it’s easy to track.

When a phone is turned off, it sends a signal to the network, distinguishing it from devices that simply leave the area. Turning it back on creates a new log entry, making such activity easy to trace.
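The cross-referencing described in Cases 1 and 2 reduces to set operations over tower logs. The sketch below is an added example, not code from the original article or from any forensic product; the record layout, device names, tower IDs and the 10-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data, not real CDRs: (device, tower, event, time).
# "seen" = registration or traffic on a tower; "off"/"on" = explicit
# power-off detach and later re-registration. All names are hypothetical.
RECORDS = [
    ("BURNER", "T1", "seen", "2024-01-01T10:00"), ("A", "T1", "seen", "2024-01-01T09:58"),
    ("B", "T1", "seen", "2024-01-01T10:01"), ("C", "T1", "seen", "2024-01-01T10:03"),
    ("E", "T1", "off", "2024-01-01T09:55"), ("E", "T1", "on", "2024-01-01T13:00"),
    ("D", "T2", "off", "2024-01-01T09:50"), ("D", "T2", "on", "2024-01-01T10:20"),
    ("BURNER", "T7", "seen", "2024-01-02T15:30"), ("A", "T7", "seen", "2024-01-02T15:28"),
    ("B", "T7", "seen", "2024-01-02T15:31"),
    ("D", "T2", "off", "2024-01-02T15:20"), ("D", "T2", "on", "2024-01-02T15:45"),
    ("BURNER", "T4", "seen", "2024-01-03T09:10"), ("A", "T4", "seen", "2024-01-03T09:12"),
    ("D", "T2", "off", "2024-01-03T09:00"), ("D", "T2", "on", "2024-01-03T09:30"),
]
CALLS = [("T1", "2024-01-01T10:00"), ("T7", "2024-01-02T15:30"),
         ("T4", "2024-01-03T09:10")]  # (tower, time) of each burner call

def near_call(records, tower, when, window, exclude):
    """Devices seen on the call's tower within +/- window of the call."""
    t = datetime.fromisoformat(when)
    return {d for d, tw, ev, ts in records
            if tw == tower and ev == "seen" and d != exclude
            and abs(datetime.fromisoformat(ts) - t) <= window}

def narrowing(records, calls, window=timedelta(minutes=10), exclude="BURNER"):
    """Case 1: candidate list after each call (running intersection)."""
    steps, cand = [], None
    for tower, when in calls:
        seen = near_call(records, tower, when, window, exclude)
        cand = seen if cand is None else cand & seen
        steps.append(sorted(cand))
    return steps

def dark_during_all(records, calls):
    """Case 2: devices whose off->on interval covers every call time."""
    spans, pending = {}, {}
    for dev, _, ev, ts in sorted(records, key=lambda r: r[3]):
        if ev == "off":
            pending[dev] = ts
        elif ev == "on" and dev in pending:
            spans.setdefault(dev, []).append((pending.pop(dev), ts))
    # ISO-8601 strings of equal format compare chronologically.
    return {d for d, iv in spans.items()
            if all(any(a <= when <= b for a, b in iv) for _, when in calls)}

if __name__ == "__main__":
    print(narrowing(RECORDS, CALLS))
    print(dark_during_all(RECORDS, CALLS))
```

On the sample data the co-location list shrinks from three devices to one over three calls, and only one device is powered off during every call. Real tower dumps hold thousands of devices per window, which is why the article's bystander problem (devices like B and E here) matters for reliability.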

Case 3: No Main Phone Is Carried

Some criminals leave their main phone at home but might bring other devices like smartwatches, which can also be tracked. Most “phone criminals” are not professionals and lack knowledge about how mobile networks work and what data is collected. Human error often helps police solve cases through simple fact-matching.

If a criminal never brings any device, big data analysis can still help, depending on how much effort the criminal puts into staying anonymous and how many calls are made.

If Multiple Disposable Devices Are Used

If a criminal uses several disposable phones, discarding each after a call (as often shown in movies), this only buys them a few extra seconds of anonymity. Police can still trace the origin of the SIM cards and where the phones were purchased. Whether calls are made from one or several devices doesn’t affect the investigation much.

Phone Terrorism: What If There’s Only One Call?

What if only one call is made, such as a bomb threat to a school or airport? The criminal can simply discard the phone and SIM card afterward. Surprisingly, such criminals are often caught using investigative techniques dating back to the era of payphones. If the criminal has a regular smartphone, police can narrow down suspects using the methods described above, often reducing the pool to a few hundred or thousand people. If the threat is to a school, the suspect list overlaps with the student body, making it easier for police to identify the perpetrator.

Many such criminals misunderstand police capabilities and focus on imaginary threats while ignoring obvious risks. For example, a woman once called in a bomb threat using a “disposable” phone and a SIM card registered to a fake name, but was caught within hours.

What About VoIP Calls Using VPN?

Some might think that making an anonymous call via VoIP and VPN (especially a free, no-logs VPN) is foolproof. Criminal groups sometimes go to great lengths, using modified phones for such purposes. The arrest of a CEO whose company made encrypted BlackBerry phones for criminals shows the scale of these operations. Even after police took down the network, they know criminals will migrate to other services and are prepared to follow them.

How the Analysis Works

An ITU report from Guinea details the methods and tools analysts use. Essentially, police need raw CDR data and software to load and analyze it. While raw data is hard to analyze manually, filtered data can be displayed or printed for review.

CDR analysis is so common that nearly every major forensic software package supports it, including Penlink, HAWK Analytics, GeoTime, CSAS, Russia’s “Mobile Forensics” by Oxygen Software, Advanced Cell Tracking, and more. Some police even use Google Maps and Microsoft Excel for analysis.

Special equipment exists to jam signals, spoof cell towers, or fake GPS coordinates, but police rarely use these for routine cases—they’re expensive, time-consuming, and often unnecessary. CDR analysis is a much more efficient use of resources.

For example, in the UK, police once surveilled a drug cartel boss. They couldn’t break into his iPhone, so they waited until he unlocked it and then seized it, keeping it awake until it reached the lab for data extraction. This small detail—assigning an officer to keep the phone from locking—shows the lengths police will go to obtain evidence.

Is This Reliable?

If you think basing convictions on mobile operator data is questionable, you’re not alone. The Danish Supreme Court limited the use of CDR location data in prosecutions after 32 wrongful convictions were overturned. The telecom infrastructure was built for communication, not surveillance, and interpreting this data can lead to errors.

Police are taught not to fully trust digital evidence, regardless of how it was obtained. There have been cases where a suspect’s location was determined from photo metadata synced via the cloud, not from the device itself. In another case, a driver was accused of distracted driving because his phone “answered” a call due to a button being pressed in his pocket, but the defense proved no conversation took place.

CDR data is a powerful tool for investigators but unreliable as sole evidence in court.

Conclusion

What can we conclude? Today, when almost everyone has a smartphone or at least a basic phone, every person leaves a “digital footprint.” This footprint contains much more information than most realize, and it’s much easier for police to access than people think. All they need is a single clue—like the hardware ID of a suspect’s phone, even if it was never used for criminal purposes. Obtaining this clue is often just a matter of routine log analysis by mobile operators. No special equipment or conspiracy is needed; it’s all much simpler and more interesting than the movies suggest. Instead of car chases and shootouts, it’s mostly office work with analytical software, databases, or even printouts.
