How Police Track A Phone After A Crime
Every mobile phone is a tracking device. Not because of spyware, but because the cellular network requires continuous location updates to function. A phone that cannot tell the network where it is cannot receive calls, cannot receive data, and cannot exist on the network at all. This is a structural requirement of how cellular radio access works, baked into every 3GPP specification from GSM through 5G NR.
When law enforcement investigates a serious crime, the phone becomes one of the most powerful pieces of evidence available. Not the contents of messages or call recordings (those require different legal instruments), but the location trail: where the device was, when it was there, how it moved, and which other devices moved with it. Investigators who understand these systems can reconstruct a suspect's movements with startling precision.
This post covers the full technical stack that makes phone tracking possible: the radio-layer mechanisms, the carrier-side logs, the device-side data stores, the active surveillance tools, and the forensic reconstruction process. The legal framework is primarily European, because EU data retention law, GDPR, and national implementations create a regulatory landscape that differs significantly from the US approach.
1. Cell Tower Triangulation: Radio Geometry as Evidence
The most commonly cited phone tracking technique is cell tower triangulation, but the popular understanding is vague to the point of being misleading. "The phone connected to three towers and they drew circles" is the Hollywood version. The real process is more nuanced and relies on specific radio measurements defined in the 3GPP standards.
How a Phone Selects a Cell
A mobile phone does not connect to "a tower." It connects to a specific sector of a specific cell site. Most modern cell sites use three-sector configurations: three directional antennas, each covering approximately 120 degrees of azimuth. A cell site at the intersection of Stadiou and Panepistimiou in central Athens might have Sector A pointing roughly north, Sector B pointing southeast, and Sector C pointing southwest. Each sector has its own Cell ID and broadcasts its own System Information.
When your phone is idle, it camps on the strongest sector. When you make a call or start a data session, the network assigns you to a specific cell. That assignment is logged. Immediately, the network knows your phone was within the coverage area of that sector at that time. For a dense urban environment like central Athens, Berlin, or Amsterdam, a single sector in a three-sector macro site might cover an area with a radius of 200 to 500 metres. In a rural area in northern Finland, that radius might be 2 to 10 kilometres.
This is not triangulation yet. This is single-cell identification, and it already provides a useful, if coarse, location.
Timing Advance: Distance from the Tower
The first refinement comes from the Timing Advance (TA) parameter. In GSM (2G), the TA is a value from 0 to 63, where each step represents approximately 550 metres of distance from the base station. Because radio signals travel at the speed of light, a phone further from the tower must transmit its uplink burst slightly earlier so that it arrives at the base station in the correct time slot. The base station measures the actual arrival time and instructs the phone to adjust.
The TA calculation is straightforward:
distance = TA_value × 550 metres (GSM)
A TA of 0 means the phone is within 550 metres. A TA of 1 means 550 to 1,100 metres. A TA of 3 means 1,650 to 2,200 metres. This gives you an annular ring around the serving cell site.
In LTE (4G), the Timing Advance is more precise. The TA value ranges from 0 to 1,282, with each step corresponding to approximately 78 metres (specifically, 16 × T_s, where T_s is the basic LTE time unit of 1/(15000 × 2048) seconds, which works out to about 4.89 metres per T_s step). This yields a distance resolution of roughly 78 metres per TA value, a significant improvement over GSM's 550-metre granularity.
In 5G NR, the timing resolution improves further due to wider subcarrier spacing and shorter time units. With 120 kHz subcarrier spacing (numerology mu=3), the time resolution is approximately 0.51 microseconds, corresponding to a distance precision of about 76 metres.
Combining Sector and Timing Advance
With a three-sector site, knowing the serving sector and the TA value places the phone within an arc: the angular width of the sector (roughly 120 degrees, sometimes narrower with beamforming) intersected with the annular ring defined by the TA. In a dense urban environment with small cells, this can narrow the location to a wedge-shaped area of perhaps 100 by 200 metres.
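The arc described above can be checked against an independent position fix. This added example (not from the original article) tests whether a GPS fix falls inside the sector-and-TA wedge of a serving cell. The site coordinates, azimuths, beamwidth and the fix are constructed, and each TA step is treated as a flat 550 m (GSM) or 78 m (LTE) band.

```python
import math

# Distance represented by one Timing Advance step, as given in the article.
TA_STEP_M = {"GSM": 550.0, "LTE": 78.0}
TA_MAX = {"GSM": 63, "LTE": 1282}
EARTH_RADIUS_M = 6_371_000.0


def ta_ring(rat, ta):
    """Return (inner_m, outer_m) of the annulus implied by a TA value."""
    if rat not in TA_STEP_M:
        raise ValueError(f"unsupported radio technology: {rat}")
    if not 0 <= ta <= TA_MAX[rat]:
        raise ValueError(f"TA {ta} is out of range for {rat}")
    step = TA_STEP_M[rat]
    return ta * step, (ta + 1) * step


def distance_and_bearing(lat1, lon1, lat2, lon2):
    """Great-circle distance (m) and initial bearing (deg) from point 1 to 2."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat = p2 - p1
    dlon = math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    dist = 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))
    y = math.sin(dlon) * math.cos(p2)
    x = math.cos(p1) * math.sin(p2) - math.sin(p1) * math.cos(p2) * math.cos(dlon)
    bearing = (math.degrees(math.atan2(y, x)) + 360.0) % 360.0
    return dist, bearing


def fix_matches_record(site, rat, ta, fix, tolerance_m=0.0):
    """True if a (lat, lon) fix lies inside the sector + TA wedge of a site.

    site: dict with lat, lon, azimuth_deg (boresight) and beamwidth_deg.
    tolerance_m widens the ring to allow for the fix's own accuracy radius.
    """
    inner, outer = ta_ring(rat, ta)
    dist, bearing = distance_and_bearing(site["lat"], site["lon"], fix[0], fix[1])
    # Smallest angle between the bearing to the fix and the sector boresight.
    off_axis = abs((bearing - site["azimuth_deg"] + 180.0) % 360.0 - 180.0)
    in_ring = inner - tolerance_m <= dist <= outer + tolerance_m
    in_sector = off_axis <= site["beamwidth_deg"] / 2
    return in_ring and in_sector


# Constructed site: coordinates, azimuths and beamwidth are illustrative only.
SITE_SECTOR_A = {"lat": 37.9838, "lon": 23.7275,
                 "azimuth_deg": 0.0, "beamwidth_deg": 120.0}
SITE_SECTOR_B = dict(SITE_SECTOR_A, azimuth_deg=120.0)
GPS_FIX = (37.9856, 23.7275)  # constructed fix, about 200 m north of the site

if __name__ == "__main__":
    cases = [("sector A, LTE TA 2", SITE_SECTOR_A, "LTE", 2),
             ("sector A, LTE TA 5", SITE_SECTOR_A, "LTE", 5),
             ("sector B, LTE TA 2", SITE_SECTOR_B, "LTE", 2),
             ("sector A, GSM TA 0", SITE_SECTOR_A, "GSM", 0)]
    for label, site, rat, ta in cases:
        verdict = fix_matches_record(site, rat, ta, GPS_FIX)
        print(f"{label}: ring {ta_ring(rat, ta)} m, fix consistent: {verdict}")
```

A fix that falls outside the wedge does not by itself prove the record wrong: real sector coverage is irregular, so the tolerance argument should reflect both the GPS accuracy radius and the cell's actual footprint.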
Multi-Cell Triangulation
True triangulation requires measurements from multiple cell sites. During an active call or data session, the phone and the network continuously measure the signal strength and timing from neighbouring cells for handover decisions. These measurements are logged in Measurement Reports (3GPP TS 36.331 for LTE). If the phone can be heard by three or more sectors on different sites, the intersection of the arcs from each site constrains the location more tightly.
The accuracy depends on cell density:
| Environment | Typical Cell Radius | Triangulation Accuracy |
|---|---|---|
| Dense urban (Athens centre, Berlin Mitte) | 100-300 m | 50-150 m |
| Suburban (outskirts of Helsinki) | 500 m-2 km | 200-500 m |
| Rural (central Greece, northern Sweden) | 2-10 km | 1-3 km |
These figures are conservative estimates for traditional macro cells. With the proliferation of small cells and femtocells in urban areas, accuracy in dense city centres can be significantly better.
Received Signal Strength and Angle of Arrival
Beyond timing, the network also has Received Signal Strength Indicator (RSSI) and Reference Signal Received Power (RSRP) measurements from multiple cells. Signal strength decreases with distance following a path-loss model (typically a log-distance function with environment-specific parameters). By comparing the received power from multiple cell sites against their known transmit power and antenna patterns, the network or a forensic analyst can estimate the phone's position using multilateration. This is less precise than timing-based methods because signal strength is affected by buildings, terrain, weather, and even the orientation of the phone in the user's hand, but it provides an additional data point that helps refine the location estimate.
Some modern base stations with massive MIMO antenna arrays (common in 5G deployments) can also estimate the angle of arrival of the phone's uplink signal. A 64-element antenna array can resolve angles to within a few degrees. Combined with distance estimates from timing, AoA can place a phone within a very small area, particularly in dense urban 5G networks across cities like Stockholm, Barcelona, and Milan.
2. Call Detail Records: The Carrier's Logbook
Cell tower measurements are useful for real-time or near-real-time location, but after the fact, investigators rely on Call Detail Records, the structured logs that every mobile carrier maintains for billing, network management, and (critically) legal compliance.
What a CDR Contains
A CDR is generated for every call, SMS, and data session. The exact fields vary by carrier and technology generation, but a typical CDR for a voice call includes:
Record Type: Mobile Originated Call
MSISDN (phone number): +30 694 XXX XXXX
IMSI: 202 01 XXXXXXXXXXXX
IMEI: 35 XXXXXX XXXXXX X
Date/Time Start: 2026-03-15 14:23:07 UTC
Date/Time End: 2026-03-15 14:27:42 UTC
Duration: 275 seconds
Called Number: +30 210 XXX XXXX
Originating Cell ID: 22801-10532-7821
Originating LAC/TAC: 10532
Last Cell ID: 22801-10532-7834
Call Type: Voice
Bearer: VoLTE
The Originating Cell ID tells investigators which specific cell sector the phone was using when the call started. The Last Cell ID shows where the phone was when the call ended. If the call lasted several minutes and the user was moving, the phone may have handed off between multiple cells during the call; some carriers log intermediate handoff cells as well.
For data sessions, modern carriers generate CDRs or equivalent records (sometimes called IPDRs, IP Detail Records) at periodic intervals or when certain thresholds are reached (volume, duration, cell change). A phone actively using data might generate location-tagged records every few minutes.
The Critical Identifiers
Three identifiers in a CDR are forensically significant:
MSISDN is the phone number, the most human-readable identifier. It is tied to the SIM card and can change if the user swaps SIMs.
IMSI (International Mobile Subscriber Identity) is the unique identifier of the SIM card itself. It is a 15-digit number: 3-digit Mobile Country Code, 2 or 3-digit Mobile Network Code, and the remaining digits identifying the subscriber. The IMSI is what the network uses to authenticate and authorise the subscriber. If someone puts a new SIM in a phone, the IMSI changes.
IMEI (International Mobile Equipment Identity) is the unique identifier of the handset hardware. It is a 15-digit number burned into the device at manufacture. If someone puts a new SIM in the same phone, the IMEI remains the same. If someone puts the old SIM in a new phone, the IMEI changes. This separation of device identity from subscriber identity is extremely important for tracking, as we will see in the IMEI section.
EU Data Retention Law
The legal framework governing how long carriers must store CDRs in Europe has been turbulent for over a decade.
The EU Data Retention Directive (2006/24/EC) required all EU member states to mandate that telecommunications providers retain traffic and location data for a minimum of 6 months and a maximum of 24 months, for the purpose of investigation, detection, and prosecution of serious crime. Member states implemented this with varying retention periods: Germany chose 6 months, France chose 12, and several others chose the maximum of 24.
In April 2014, the CJEU invalidated the Data Retention Directive in the landmark Digital Rights Ireland case (Joined Cases C-293/12 and C-594/12), ruling that blanket, indiscriminate retention of all communications metadata was incompatible with the Charter of Fundamental Rights. The court found the directive interfered with Article 7 (privacy) and Article 8 (data protection) disproportionately.
This created a fragmented landscape. Some member states kept their national retention laws; others repealed them. Further CJEU rulings in Tele2 Sverige (2016), La Quadrature du Net (2020), and SpaceNet (2022) refined the boundaries. The current position: general and indiscriminate retention of traffic and location data remains incompatible with EU law, but member states may require targeted retention for serious threats to national security, provided there is effective judicial review.
In practice, most European carriers still retain CDRs for operational and billing purposes for 6 to 24 months, depending on national law. Law enforcement access typically requires a court order, with specifics varying by member state.
What CDRs Reveal
A month of CDRs for a single phone number paints a detailed picture. An investigator can identify:
- Where the phone spends nights (likely the user's home address)
- Where it spends working hours (likely the workplace)
- Regular routes (commute patterns)
- Deviations from routine (a trip to an unusual location on a specific date)
- Who the user communicates with and when
- The precise cell sector the phone was in at the start and end of every call and data session
This is metadata, not content. But as former NSA Director Michael Hayden acknowledged, metadata is extraordinarily revealing. A phone that is in a specific cell sector in the Exarchia neighbourhood of Athens at 02:30 on the night of an arson attack is a strong investigative lead, even without knowing what was said on any call.
3. GPS History: The Phone Knows Exactly Where It Was
Cell tower records provide location accuracy measured in hundreds of metres at best. GPS provides accuracy measured in single-digit metres. And modern smartphones record GPS history extensively.
How GPS Data Ends Up on the Phone
Every modern smartphone has a GPS receiver (more accurately, a GNSS receiver supporting GPS, GLONASS, Galileo, and BeiDou). When location services are enabled, the operating system and various applications continuously or periodically record the device's position. The two primary stores of this data are:
Google Location History (now called Timeline): On Android devices with Location History enabled (it was enabled by default for years before Google changed the default in 2024), the phone periodically records its GPS coordinates, accuracy estimate, and activity type (walking, driving, still) and uploads this data to Google's servers. A single day of Timeline data might contain hundreds of location points, spaced a few minutes apart, each with latitude, longitude, altitude, accuracy radius, timestamp, and inferred activity. This data is extraordinarily precise, often placing the phone within 3 to 10 metres.
Apple Significant Locations: iPhones include a feature called Significant Locations (previously called Frequent Locations). This system learns places the user visits frequently and logs the times and durations of visits. The data is stored on-device in an encrypted form and is also included in iCloud backups (if enabled). Apple's implementation is more privacy-preserving than Google's historical approach: the data is end-to-end encrypted on-device, and Apple states it does not have access to it. However, if investigators have the device and the passcode (or can compel the user to provide it), the data is accessible.
Forensic Extraction
When investigators seize a phone, they extract GPS history using forensic tools such as Cellebrite UFED, GrayKey (Grayshift), or MSAB XRY. These tools can perform:
- Logical extraction: Reads data accessible through the device's APIs, similar to what a backup would contain. This captures most location data.
- File system extraction: Reads the full file system, including databases and caches that are not exposed through normal APIs.
- Physical extraction: A bit-for-bit copy of the flash storage, capable of recovering deleted data in some cases.
On Android, the key databases for location data include:
/data/com.google.android.gms/databases/herrevad
/data/com.google.android.gms/databases/location_history.db
/data/com.google.android.apps.maps/databases/gmm_myplaces.db
On iOS, Significant Locations are stored in:
/private/var/mobile/Library/Caches/com.apple.routined/Cache.sqlite
These databases contain timestamped latitude/longitude coordinates that can place the device at a specific street address at a specific time. For forensic purposes, this is often the most precise location evidence available.
Cloud Subpoenas
Even if the physical device is destroyed or encrypted, investigators can seek the same data from cloud providers. A court order directed to Google can compel the production of all Location History data associated with an account. In Europe, cross-border data requests to US companies are governed by Mutual Legal Assistance Treaties (MLATs) or the EU-US Agreement on Cross-Border Access to Electronic Evidence (under ratification). Direct requests under the US CLOUD Act are also possible if the provider has operations in the requesting country.
Timelines matter. An MLAT request to the United States can take months. Direct requests to Google's European operations under local law (the German Telekommunikationsgesetz, the French Code de procédure pénale) can be faster, sometimes weeks. In urgent cases involving threats to life, emergency disclosure requests can be processed in hours. Google's Transparency Report shows that in 2024, European agencies submitted over 85,000 user data requests, with approximately 72% compliance.
The Timeline Reconstruction
A forensic examiner working with extracted GPS data might produce a timeline like this:
2026-03-15 13:45:12 37.9838°N, 23.7275°E ±5m Syntagma Square, Athens
2026-03-15 13:52:07 37.9810°N, 23.7335°E ±4m Plaka district
2026-03-15 14:03:33 37.9785°N, 23.7289°E ±6m Monastiraki
2026-03-15 14:15:48 37.9838°N, 23.7310°E ±3m Ermou Street
2026-03-15 14:23:09 37.9862°N, 23.7341°E ±5m Near Klafthmonos Square
This level of detail is devastating evidence. It can confirm or refute an alibi, place a suspect at a crime scene, or trace a getaway route through a city.
4. Silent Pings: Locating a Phone Without the User Knowing
Cell tower records show where a phone was when it made or received a call or data connection. But what about periods of silence, when the phone is idle and not generating CDRs? Investigators use a technique variously called silent pings, stealth pings, or "stille SMS" (the German term, widely used in European law enforcement).
How Silent Pings Work
A silent ping is a specially crafted SMS message (technically, a Type 0 SMS as defined in 3GPP TS 23.040) that is delivered to the target phone but produces no notification, no sound, no vibration, and no visible message. The phone receives the message, processes it at the protocol level, and discards it. The user sees nothing.
The value for law enforcement is not the message itself but the network events it triggers. When the silent SMS arrives, the phone must communicate with the serving cell to acknowledge delivery. This creates a signalling event in the network that logs the Cell ID, timestamp, and TA of the phone at the moment of delivery. Investigators can send silent pings at intervals (every few minutes, if authorised) to track a phone's location in near real time, even when the target is not making calls or using data.
Scale of Use in Europe
The use of silent pings by European law enforcement is well documented because several countries require statistical reporting.
Germany is the most transparent. The Bundestag publishes annual statistics on the use of stille SMS. In 2022, German federal police (BKA), state police, customs, and intelligence services sent approximately 51,000 silent SMS messages. The Bundesamt für Verfassungsschutz (domestic intelligence) sent an additional undisclosed number. These figures have grown steadily from around 38,000 in 2015.
The Netherlands, France, and Belgium are known to use equivalent techniques, though with less public reporting. The legal basis varies: in Germany, it falls under the Strafprozessordnung (Code of Criminal Procedure), Sections 100i and 100g. In France, it is covered by provisions in the Code de procédure pénale relating to technical surveillance measures.
Legal Requirements
In most European jurisdictions, sending silent pings requires judicial authorisation (a court order) for criminal investigations. The standard is generally that the measure must be necessary for the investigation of a serious offence and proportionate to the intrusion on the target's privacy. Some jurisdictions permit administrative authorisation (no court order) for intelligence purposes, a distinction that has been challenged in multiple CJEU cases.
The legal landscape is complicated by the fact that silent pings are sometimes classified differently from traditional wiretapping or telecommunications surveillance. In some jurisdictions, because no content is intercepted (only metadata is generated), the threshold for authorisation is lower than for content interception. Privacy advocates have criticised this distinction, arguing that real-time location tracking is equally intrusive.
Technical Detection
From the user's perspective, silent pings are nearly undetectable. The message does not appear in the normal SMS inbox. However, on Android devices, applications like SnoopSnitch (developed by researchers at the Berlin-based Security Research Labs) can monitor the baseband radio for Type 0 SMS messages and alert the user. On rooted Android devices, the baseband processor's AT command interface can sometimes reveal incoming silent SMS activity.
On iOS, detection is significantly harder because Apple does not expose baseband-level signalling to applications. Without jailbreaking the device, there is no reliable way for an iPhone user to detect silent pings.
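One way to look for Type 0 messages in captured traffic, as an added example that is not part of the original article: a header parser for SMS-DELIVER PDUs that flags TP-PID 0x40, the Short Message Type 0 value in 3GPP TS 23.040. It assumes the PDUs are already available as hex strings with the SMSC prefix, as a modem in PDU mode reports them; the sample PDUs and their all-zero numbers are constructed.

```python
TYPE0_PID = 0x40  # TP-PID value for "Short Message Type 0" in 3GPP TS 23.040


def _semi_octets(octets, count):
    """Decode nibble-swapped BCD digits; count is the number of digits."""
    digits = []
    for b in octets:
        digits += [b & 0x0F, b >> 4]
    return "".join(str(d) if d <= 9 else "?" for d in digits[:count])


def _timestamp(scts):
    """Format TP-SCTS as text (service-centre local time, zone octet ignored)."""
    y, mo, d, h, mi, s = ((b & 0x0F) * 10 + (b >> 4) for b in scts[:6])
    return f"20{y:02d}-{mo:02d}-{d:02d} {h:02d}:{mi:02d}:{s:02d}"


def parse_deliver(pdu_hex):
    """Parse the header of an SMS-DELIVER PDU that starts with the SMSC field."""
    raw = bytes.fromhex(pdu_hex)  # raises ValueError on malformed hex
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(raw):
            raise ValueError("truncated PDU")
        chunk = raw[pos:pos + n]
        pos += n
        return chunk

    take(take(1)[0])                      # SMSC length, then skip SMSC field
    first = take(1)[0]
    if (first & 0x03) != 0x00:            # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER PDU")
    oa_digits = take(1)[0]                # sender length in semi-octets
    oa_toa = take(1)[0]
    oa = take((oa_digits + 1) // 2)
    pid = take(1)[0]
    dcs = take(1)[0]
    scts = take(7)
    udl = take(1)[0]
    alphanumeric = ((oa_toa >> 4) & 0x07) == 0x05
    return {
        "sender": oa.hex() if alphanumeric else _semi_octets(oa, oa_digits),
        "pid": pid,
        "dcs": dcs,
        "timestamp": _timestamp(scts),
        "udl": udl,
        "type0": pid == TYPE0_PID,
    }


def scan(pdus):
    """Return (alerts, malformed_count) for an iterable of hex PDUs."""
    alerts, malformed = [], 0
    for pdu in pdus:
        try:
            msg = parse_deliver(pdu)
        except ValueError:
            malformed += 1                # keep going; count what was unreadable
            continue
        if msg["type0"]:
            alerts.append(msg)
    return alerts, malformed


# Constructed sample PDUs with placeholder numbers, one string per delivery.
_HEADER = ("07" "91" "000000000000"      # SMSC: length, type-of-address, digits
           "04"                          # first octet: SMS-DELIVER
           "0C" "91" "000000000010")     # sender: 12 digits, international
_SCTS = "62305141327000"                 # 26-03-15 14:23:07, nibble-swapped
SAMPLE_PDUS = [
    _HEADER + "00" + "00" + _SCTS + "02" + "E834",   # ordinary message, PID 0x00
    _HEADER + "40" + "00" + _SCTS + "00",            # PID 0x40, empty body
    _HEADER + "40" + "00",                           # truncated capture
]

if __name__ == "__main__":
    alerts, malformed = scan(SAMPLE_PDUS)
    for a in alerts:
        print(f"Type 0 SMS from {a['sender']} at {a['timestamp']} (UDL {a['udl']})")
    print(f"{malformed} PDU(s) could not be parsed")
```

Whether a given baseband forwards Type 0 messages to the application processor at all varies by device, so an empty result is not evidence that none were received.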
5. Wi-Fi Probe Requests: The Radio Fingerprint You Broadcast
Mobile phones do not only communicate via cellular networks. The Wi-Fi radio in every smartphone creates a separate and independent location trail through a mechanism called probe requests.
What Probe Requests Are
When a phone's Wi-Fi is enabled (even if it is not connected to any network), it periodically broadcasts probe request frames. These are 802.11 management frames transmitted on all Wi-Fi channels, asking nearby access points to respond. There are two types:
Directed probe requests include the SSID of a specific network the phone has previously connected to. The phone is, in effect, shouting: "Is 'Dimitris-Home-5G' here? Is 'CoffeeShop-Free' here? Is 'Lufthansa-FlyNet' here?" Each of these reveals a network the phone has connected to in the past.
Undirected (broadcast) probe requests contain a wildcard SSID, asking any access point in range to respond. These still include the phone's MAC address (or a randomised version of it).
Why This Matters for Tracking
Directed probe requests are a privacy disaster. The list of SSIDs a phone probes for is, in effect, a fingerprint. If your phone probes for "Hotel-Marais-Paris", "Schiphol-Free-WiFi", and "FerryLine-Helsinki", an observer can infer your travel history. More importantly, the MAC address in probe requests can be used to track the phone's physical movements.
Law enforcement and intelligence agencies deploy Wi-Fi monitoring equipment at locations of interest. These are passive receivers that capture probe request frames from every phone in range. The captured data includes:
- Source MAC address
- Probed SSIDs
- Signal strength (which gives approximate distance)
- Timestamp
- Channel
By deploying multiple sensors, investigators can track a phone's movement through an area with reasonable precision. The French police, for example, have been reported to use Wi-Fi monitoring at major protests and demonstrations.
MAC Address Randomisation: Defence and Its Limits
Starting with iOS 8 (2014) and Android 8 (2017), mobile operating systems began randomising the MAC address used in probe requests. Instead of using the device's real, globally unique MAC address, the phone generates a random address for each probe cycle or for each SSID.
This sounds like a complete defence, but it has significant limitations:
Randomisation is not always enabled. Older devices do not support it. Some Android manufacturers disable or improperly implement it. When a phone is connected to a saved network, it typically uses its real MAC address (though iOS 14 and later use per-network random addresses by default).
Information elements betray the device. Even with a randomised MAC, probe request frames contain Information Elements (IEs) that reveal the device's capabilities: supported data rates, HT/VHT/HE capabilities, extended capabilities, and vendor-specific IEs. Research by Mathy Vanhoef and others has shown that the combination of IEs in probe requests can uniquely fingerprint a device model and, in many cases, an individual device, even when the MAC is randomised. A paper published at ACM WiSec 2016 demonstrated that 96% of devices could be uniquely identified from their probe request IE fingerprints despite MAC randomisation.
Sequence number analysis. The 802.11 sequence number is a 12-bit counter that increments with each transmitted frame. If an observer sees two probe requests with different random MAC addresses but with sequence numbers that follow a plausible increment pattern, they can infer that both requests came from the same device.
Timing patterns. Different devices probe at different intervals with characteristic timing jitter. This temporal fingerprint can be used to correlate randomised probe requests from the same device over time.
SSID Lists as Identifying Information
The set of SSIDs a phone probes for can be highly identifying even without a stable MAC address. If a phone probes for "Elena-Flat-Athens" and "Nikos-Office-Wifi" and "Vodafone-GR-A1B2C3", that combination is almost certainly unique to one device in the world. Investigators who capture these probes can cross-reference the SSIDs against wardriving databases (such as WiGLE) to identify the physical locations of those networks and, by extension, identify the device's owner.
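The leaks described in this section can be audited on your own handset. This added example (not from the original article) parses raw probe request frames and reports a global MAC address, directed SSIDs, an Information Element signature shared across MAC addresses, and a sequence counter that continues across a MAC change. The frames are constructed, the input is assumed to be 802.11 frames without radiotap header or FCS, and the 16-character signature and the window of 8 are illustrative choices.

```python
import hashlib
import struct

SEQ_WINDOW = 8  # assumed: largest counter step still treated as one device


def parse_probe(frame):
    """Parse a raw 802.11 probe request (no radiotap header, no FCS)."""
    if len(frame) < 24:
        raise ValueError("shorter than the 24-byte management header")
    if ((frame[0] >> 2) & 0x3) != 0 or (frame[0] >> 4) != 4:
        raise ValueError("not a probe request (type 0, subtype 4)")
    sa = frame[10:16]                                    # transmitter address
    seq = struct.unpack_from("<H", frame, 22)[0] >> 4    # upper 12 bits
    ies, pos = [], 24
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                                        # truncated element
        ies.append((tag, value))
        pos += 2 + length
    ssid = next((v for t, v in ies if t == 0), b"")
    # Signature over every element except the SSID: tag order, length, content.
    blob = b"".join(bytes([t, len(v)]) + v for t, v in ies if t != 0)
    return {
        "mac": sa.hex(":"),
        "randomised": bool(sa[0] & 0x02),    # locally-administered bit is set
        "seq": seq,
        "ssid": ssid.decode("utf-8", "replace"),
        "ie_sig": hashlib.sha256(blob).hexdigest()[:16],
    }


def audit(frames):
    """Return sorted privacy findings for a capture taken from one handset."""
    findings, macs_by_sig, prev = set(), {}, None
    for frame in frames:
        p = parse_probe(frame)
        if not p["randomised"]:
            findings.add(f"global MAC {p['mac']} used in a probe request")
        if p["ssid"]:
            findings.add(f"directed probe discloses saved SSID {p['ssid']!r}")
        macs_by_sig.setdefault(p["ie_sig"], set()).add(p["mac"])
        if prev and prev["mac"] != p["mac"]:
            step = (p["seq"] - prev["seq"]) % 4096       # 12-bit counter wraps
            if 0 < step <= SEQ_WINDOW:
                findings.add("sequence counter continues across a MAC address change")
        prev = p
    for sig, macs in macs_by_sig.items():
        if len(macs) > 1:
            findings.add(f"{len(macs)} MAC addresses share IE signature {sig}")
    return sorted(findings)


def _build(mac, seq, ssid, ies):
    """Assemble a constructed probe request for the sample capture below."""
    header = (b"\x40\x00\x00\x00" + b"\xff" * 6
              + bytes.fromhex(mac.replace(":", "")) + b"\xff" * 6
              + struct.pack("<H", seq << 4))
    return header + bytes([0, len(ssid)]) + ssid + ies


# Constructed capture: addresses and element contents are made up.
_IES = bytes([1, 4, 0x02, 0x04, 0x0B, 0x16]) + bytes([45, 26]) + bytes(26)
SAMPLE_CAPTURE = [
    _build("da:a1:19:00:00:01", 2101, b"", _IES),                 # random MAC, wildcard
    _build("5e:77:0c:00:00:02", 2102, b"", _IES),                 # new random MAC
    _build("00:11:22:33:44:55", 2103, b"CoffeeShop-Free", _IES),  # global MAC, directed
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CAPTURE):
        print(finding)
```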
6. IMSI Catchers: Active Surveillance at the Radio Layer
An IMSI catcher (also known by brand names such as Stingray, though that is a Harris Corporation product used primarily by US agencies) is a device that impersonates a legitimate cell tower to force nearby phones to connect to it.
How IMSI Catchers Work
The attack exploits a weakness in GSM (2G) authentication: the network authenticates the phone (via the SIM's Ki secret key and the A3/A8 algorithms), but the phone does not authenticate the network. Any device broadcasting valid System Information on the right frequency can impersonate a cell.
The operational sequence:
- The device broadcasts as a cell site on the target network's frequency, with a strong signal.
- Nearby phones perform cell selection and camp on the fake cell.
- As phones attach, they transmit their IMSI (or TMSI) during the Attach procedure.
- The IMSI catcher logs the IMSI, IMEI, and TMSI of every phone that connects.
- In advanced configurations, the catcher relays traffic to the real network (man-in-the-middle), making surveillance undetectable.
Forcing Downgrade to 2G
Modern networks (4G, 5G) implement mutual authentication, which should prevent IMSI catchers from working. In practice, IMSI catchers circumvent this by jamming 4G and 3G frequencies (or sending crafted reject messages), forcing phones to fall back to 2G where mutual authentication is absent. This is why 2G remains a security concern. Android 12 introduced a toggle to disable 2G connectivity, and some European operators (notably in the Netherlands and Germany) have begun shutting down their 2G networks entirely.
European IMSI Catcher Use
IMSI catchers are widely used by European law enforcement and intelligence agencies, though the practice is politically sensitive and details are often classified.
Germany: The BKA and state-level LKA agencies use IMSI catchers under Section 100i StPO, requiring a court order.
United Kingdom: Police use IMSI catchers under the Investigatory Powers Act 2016. The Metropolitan Police acknowledged their use after investigative journalists from The Bristol Cable and Privacy International forced disclosures.
France: The DGSI and police judiciaire operate under the 2015 intelligence law (Loi relative au renseignement), passed after the Charlie Hebdo and November 2015 attacks.
Austria: In 2018, IMSI catchers were discovered near the Austrian parliament, triggering a parliamentary inquiry into potential surveillance of politicians.
5G SUPI Encryption: A Partial Fix
The 5G standard (3GPP Release 15) addresses this by encrypting the permanent subscriber identity. In 5G, the IMSI is renamed SUPI (Subscription Permanent Identifier) and is never transmitted in cleartext. Instead, the phone sends a SUCI (Subscription Concealed Identifier), encrypted with the network's public key. A passive IMSI catcher cannot harvest 5G identities. However, active catchers that force a downgrade to 2G can still extract the IMSI. Full protection requires disabling legacy RATs on the device or the network having decommissioned them entirely.
7. Base Station Handoff Logs: Tracking Movement at Walking Speed
When a phone moves, it does not stay connected to a single cell. The network continuously monitors signal quality and hands the phone off to neighbouring cells as the user moves. These handoffs are logged, and the logs create a granular trail of movement.
How Handoffs Work
In LTE, handover is network-controlled. The serving eNodeB instructs the phone to send Measurement Reports containing RSRP and RSRQ for the serving and neighbouring cells. When a neighbour's signal exceeds the serving cell's by a configured threshold (the A3 event in 3GPP TS 36.331), the network initiates handover: the serving eNodeB prepares the target, sends a Handover Command, and the phone switches cells in tens of milliseconds.
Each handover event is logged, including source Cell ID, target Cell ID, timestamp, and measurement values.
What the Handoff Trail Reveals
For a phone moving through a city, the handoff log creates a breadcrumb trail. Consider a suspect walking from Monastiraki to Omonia in Athens:
14:15:03 Handover from Cell 22801-A-3421 to Cell 22801-A-3422
14:17:45 Handover from Cell 22801-A-3422 to Cell 22801-B-5510
14:19:12 Handover from Cell 22801-B-5510 to Cell 22801-B-5511
14:22:38 Handover from Cell 22801-B-5511 to Cell 22801-A-3445
Each Cell ID maps to a specific sector with a known location and orientation. The sequence of handoffs, combined with the known positions and coverage areas of each sector, traces a path through the city. The temporal spacing between handoffs gives an approximate speed: if handoffs occur every 2 minutes in a dense urban area where cells are 200 metres apart, the phone is moving at roughly walking speed (100 metres per minute, or 6 km/h).
Idle Mode Cell Reselection
Even without active calls or data sessions, the phone performs cell reselection in idle mode, periodically switching to stronger cells. These reselections are recorded as Location Area Updates (2G/3G) or Tracking Area Updates (LTE). In a city, Tracking Areas might comprise only a handful of cells, generating an update every few hundred metres of movement.
For investigators, this is critical: handoff and reselection logs capture movement even when the suspect avoids calls during a crime. As long as the phone is powered on, it generates a continuous trail.
8. What Happens When the Phone Is Off (and Related Countermeasures)
Criminals who are aware of phone tracking attempt to defeat it through various means. The effectiveness of each countermeasure varies, and investigators have techniques to work around most of them.
Phone Powered Off (Normal Shutdown)
When shut down normally, the phone sends a Detach message to the network (IMSI Detach in 2G/3G, Deregistration Request in LTE/5G). This is logged with the last serving Cell ID and timestamp. After the Detach, no cellular tracking is possible. But the Detach event itself is evidence: a suspect's phone sending a Detach from a cell near the crime scene 10 minutes before the crime is highly probative.
On some modern smartphones, "powered off" is not fully off. Since the iPhone 11, Apple phones maintain a low-power mode keeping the U1 ultra-wideband chip and Bluetooth active for Find My. An iPhone that appears off can still broadcast BLE beacons relayed by other Apple devices. Law enforcement with access to Find My infrastructure (via court order) could potentially locate such a device.
Aeroplane Mode
Aeroplane mode disables the cellular modem without sending a Detach. From the network's perspective, the phone simply vanishes, stopping paging responses and eventually timing out. No explicit disconnect is logged, but the timestamp of the last network interaction gives an approximate time. The abrupt cessation of all activity is itself notable if the phone was previously generating regular data traffic and then went silent.
Battery Removed and Faraday Bags
Removing the battery has the same network effect as aeroplane mode: disappearance without a Detach. On modern phones with non-removable batteries, the equivalent is a Faraday bag, a pouch lined with conductive material that blocks all electromagnetic radiation (cellular, Wi-Fi, Bluetooth, GPS, NFC).
Interestingly, law enforcement uses Faraday bags for the opposite purpose: preserving a seized phone's state. When a phone is seized as evidence, it is immediately bagged to prevent remote wiping, stop new data from overwriting evidence, and preserve the network state. Professional forensic Faraday bags attenuate signals by 60 to 100 dB across 700 MHz to 6 GHz. Consumer-grade pouches often provide inadequate shielding.
The Investigator's Advantage: Absence Is Evidence
The critical point is that switching off, enabling aeroplane mode, or using a Faraday bag creates a gap in the location trail that is itself evidence. If a suspect's phone shows continuous location data throughout the day but has a suspicious two-hour gap precisely during the time window of a crime, that gap is damning. The phone's location trail shows the suspect leaving their home, the trail going dark near the crime scene, and then resuming two hours later. A jury does not need a data point during the crime; the gap tells the story.
9. The False Trail: Taking the Victim's Phone on a Trip
One criminal technique that appears periodically in European case law is the deliberate creation of a false location trail. The scenario: after committing a crime, the perpetrator takes the victim's phone and carries it to a different location, sometimes travelling for hours, to make it appear that the victim was alive and moving long after the crime occurred.
How the Technique Works
After killing or kidnapping the victim, the criminal takes the victim's phone and keeps it powered on. The phone continues to connect to cell towers, generating CDRs and handoff logs that show the victim's phone moving through the city or countryside. If the criminal sends text messages from the victim's phone ("I'm fine, just travelling"), the deception is strengthened.
The goal is to delay the investigation by making the victim appear alive and to misdirect resources towards the false trail.
How Investigators Detect the False Trail
This technique has a fundamental weakness: the criminal now has two phones in their possession, their own and the victim's. Unless the criminal has also left their own phone behind (which creates its own evidentiary trail showing the suspect's phone stationary while the suspect was actually elsewhere), both phones will move through the same cell sectors at the same times.
The investigation technique is called phone pairing analysis or co-location analysis. Investigators request tower dumps (all phones connected to specific cells at specific times) along the path of the victim's phone. They then search for a second phone that appears in the same cells, at the same times, moving through the same sequence of sectors.
The analysis might look like this:
| Time | Victim's Phone | Suspect's Phone | Cell Sector |
|---|---|---|---|
| 14:30 | Cell A-1001 | Cell A-1001 | Monastiraki |
| 14:35 | Cell A-1002 | Cell A-1002 | Psyrri |
| 14:42 | Cell B-2010 | Cell B-2010 | Omonia |
| 14:48 | Cell B-2015 | Cell B-2015 | Metaxourgio |
| 14:55 | Cell C-3001 | Cell C-3001 | Kerameikos |
Two phones moving through the exact same sequence of cell sectors over a period of time is powerful circumstantial evidence that they were in the same location, likely in the same vehicle or carried by the same person.
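The pairing analysis described above, as an added example (not code from this article or from any forensic product): it ranks every other device in a set of tower-dump rows by how many distinct cell sectors it shares with the victim's phone at matching times. The row format, the device labels, the two-minute tolerance and the `min_cells` threshold are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed tower-dump rows: "HH:MM device cell". VICTIM and DEV-S follow the
# cell sequence in the table above; DEV-R (a resident who never leaves one
# sector) and DEV-C (a passer-by) are invented to show what gets filtered out.
SAMPLE = """
14:30 VICTIM A-1001
14:35 VICTIM A-1002
14:42 VICTIM B-2010
14:48 VICTIM B-2015
14:55 VICTIM C-3001
14:31 DEV-S A-1001
14:35 DEV-S A-1002
14:43 DEV-S B-2010
14:47 DEV-S B-2015
14:55 DEV-S C-3001
14:29 DEV-R A-1001
14:36 DEV-R A-1001
14:50 DEV-R A-1001
14:36 DEV-C A-1002
14:41 DEV-C B-2010
15:40 DEV-C C-3001
"""

def parse(rows):
    """Turn 'HH:MM device cell' lines into (datetime, device, cell) tuples."""
    out = []
    for line in rows.strip().splitlines():
        hhmm, device, cell = line.split()
        out.append((datetime.strptime(hhmm, "%H:%M"), device, cell))
    return out

def co_travellers(records, target, tolerance=timedelta(minutes=2), min_cells=3):
    """Rank devices that share cell sectors with `target` at matching times.

    A device earns one point per *distinct* cell in which it was seen within
    `tolerance` of a target sighting. Requiring several distinct cells removes
    devices that simply sit in one sector the target passed through.
    Returns [(device, shared_cells, fraction_of_target_path)], best first.
    """
    by_cell = defaultdict(list)                      # cell -> [(time, device)]
    for ts, device, cell in records:
        by_cell[cell].append((ts, device))

    target_path = sorted((ts, cell) for ts, dev, cell in records if dev == target)
    shared = defaultdict(set)                        # device -> cells shared in time
    for t_ts, cell in target_path:
        for ts, device in by_cell[cell]:
            if device != target and abs(ts - t_ts) <= tolerance:
                shared[device].add(cell)

    path_cells = len({cell for _, cell in target_path})
    ranked = [(dev, len(cells), len(cells) / path_cells)
              for dev, cells in shared.items() if len(cells) >= min_cells]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for device, cells, fraction in co_travellers(parse(SAMPLE), "VICTIM"):
        print(f"{device}: {cells} shared sectors ({fraction:.0%} of the path)")
```

A high score is a lead to test against other evidence, not proof: on a busy road many unrelated phones share a few consecutive sectors, which is why the threshold is on distinct cells over the whole path.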
Real Cases
This co-location analysis has been used successfully in numerous European cases. In the Milly Dowler case in the UK (2002, though the phone evidence analysis was discussed extensively during the News of the World phone hacking trial), cell site analysis was central to the investigation. In Germany, the Bundesgerichtshof (Federal Court of Justice) has repeatedly accepted cell site co-location analysis as evidence in murder cases. The Europol-supported investigation into the 2015 Paris attacks used extensive phone tracking and co-location analysis to map the movements of the attack cell across Belgium and France in the days before the attacks.
The Counter-Counter Technique
Sophisticated criminals who are aware of co-location analysis might leave their own phone at home (or give it to an associate) before committing the crime and taking the victim's phone. Investigators counter this by looking for other phones present at the victim's last known location that cannot be accounted for. A phone registered to an unknown prepaid SIM that appears at the crime scene, moves along the false trail, and then disappears is itself a strong lead, especially when combined with IMEI tracking (see below).
10. IMEI Tracking: The Hardware Never Forgets
When criminals attempt to evade phone tracking, one of the first steps is changing the SIM card. A new prepaid SIM, purchased anonymously, gives a new MSISDN and a new IMSI. The phone number changes, and the carrier records now show a different subscriber. However, the handset's IMEI remains the same.
How IMEI Persistence Aids Investigation
The IMEI is recorded in every CDR alongside the IMSI. This means that if investigators know a suspect's IMEI (from previous CDRs, from a known phone purchase, or from data extracted from another device), they can track the handset across SIM changes.
The typical investigative workflow:
- Suspect is identified, and their known phone number yields CDRs that include the IMEI.
- Suspect discards the SIM and inserts a new prepaid SIM.
- Investigators request that the carrier (or carriers, since the new SIM might be from a different operator) flag the IMEI.
- When the phone with the flagged IMEI appears on any network, its new IMSI/MSISDN is immediately identified.
- CDRs under the new number provide the suspect's current location trail.
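The workflow above as an added example (not taken from any carrier or forensic tool): it pivots a constructed CDR extract on a flagged IMEI to list each SIM the handset has carried, then follows IMEI-to-IMSI links outward to find further handsets the same SIMs were used in. The record layout and every identifier are placeholders.

```python
from collections import defaultdict

# Constructed CDR extract: (ISO-8601 timestamp, IMSI, IMEI, serving cell).
# Every identifier is a placeholder, not a real subscriber or handset.
CDRS = [
    ("2024-03-01T09:12:00", "IMSI-0001", "IMEI-AAAA", "A-1001"),
    ("2024-03-01T18:40:00", "IMSI-0001", "IMEI-AAAA", "A-1002"),
    ("2024-03-02T07:05:00", "IMSI-0002", "IMEI-AAAA", "B-2010"),  # new prepaid SIM, same handset
    ("2024-03-02T11:30:00", "IMSI-0002", "IMEI-AAAA", "B-2015"),
    ("2024-03-03T08:00:00", "IMSI-0002", "IMEI-BBBB", "C-3001"),  # that SIM moved to a second handset
    ("2024-03-03T08:10:00", "IMSI-0003", "IMEI-CCCC", "C-3001"),  # unrelated device in the same cell
]

def sim_tenancies(cdrs, imei):
    """Chronological runs of CDRs for one IMEI, split wherever the IMSI changes.

    ISO-8601 timestamps sort correctly as strings, so sorted() orders by time.
    """
    runs = []
    for ts, imsi, rec_imei, cell in sorted(cdrs):
        if rec_imei != imei:
            continue
        if runs and runs[-1]["imsi"] == imsi:
            runs[-1].update(last_seen=ts, last_cell=cell)
        else:
            runs.append({"imsi": imsi, "first_seen": ts,
                         "last_seen": ts, "last_cell": cell})
    return runs

def linked_identities(cdrs, seed_imei):
    """Follow IMEI -> IMSI -> IMEI links until no new identifier turns up."""
    imsis_by_imei, imeis_by_imsi = defaultdict(set), defaultdict(set)
    for _, imsi, imei, _ in cdrs:
        imsis_by_imei[imei].add(imsi)
        imeis_by_imsi[imsi].add(imei)

    imeis, imsis, frontier = {seed_imei}, set(), [seed_imei]
    while frontier:
        imei = frontier.pop()
        for imsi in imsis_by_imei[imei] - imsis:
            imsis.add(imsi)
            for other in imeis_by_imsi[imsi] - imeis:
                imeis.add(other)
                frontier.append(other)
    return imeis, imsis

if __name__ == "__main__":
    for run in sim_tenancies(CDRS, "IMEI-AAAA"):
        print(run)
    print(linked_identities(CDRS, "IMEI-AAAA"))
```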
The IMEI Database: EIR
Every mobile network operates an Equipment Identity Register (EIR) as specified in 3GPP TS 22.016. The EIR maintains lists of IMEIs:
- White list: Valid, permitted equipment.
- Grey list: Equipment under observation (potentially stolen or suspect).
- Black list: Blocked equipment (reported stolen, known counterfeit).
When a phone attaches to a network, the network can query the EIR with the phone's IMEI. If the IMEI is on the black list, the network can deny service. European operators participate in the GSMA IMEI Database, a centralised global database that allows an IMEI blacklisted by one operator (because it was reported stolen) to be blocked by all operators worldwide.
For law enforcement, the EIR system provides a mechanism to track or block specific handsets. An investigator can request that an IMEI be placed on the grey list, which causes the network to log all activity from that IMEI without blocking it, enabling ongoing surveillance.
IMEI Spoofing
Criminals with technical knowledge can modify the IMEI stored in the phone's baseband firmware. On many Android devices, this can be done through engineering mode commands or by flashing modified firmware. IMEI spoofing is illegal in most European jurisdictions (in the UK, it is an offence under the Mobile Telephones (Re-programming) Act 2002; in Germany, it is covered by the Telekommunikationsgesetz).
Despite the legal prohibition, IMEI spoofing is a known counter-forensic technique. Investigators must be aware that a sophisticated suspect may have changed the IMEI, and should not rely on IMEI tracking as the sole identification method.
Dual-SIM and eSIM Complications
Modern phones often have dual-SIM capability or eSIM. A phone with an eSIM and a physical SIM slot has two IMEI numbers (one for each radio). Investigators must track both. The proliferation of eSIM, which can be provisioned remotely without visiting a shop, adds complexity: a suspect can activate a new eSIM from a different carrier without changing the handset, but the IMEI (for that specific SIM slot) still persists.
11. Tower Dumps and Geofence Warrants: Casting the Wide Net
All of the techniques discussed so far start from a known phone and work outward to find its location. Tower dumps and geofence warrants work in the opposite direction: they start from a known location and time, and identify all phones that were present.
Tower Dumps
A tower dump is a request to a carrier for the records of all phones that were connected to a specific cell tower (or set of towers) during a specific time window. If a robbery occurred at Ermou Street in Athens at 15:30, investigators might request a tower dump of all phones connected to the three or four cell sectors covering that area between 15:00 and 16:00.
The carrier produces a list that might contain hundreds or thousands of entries, each showing an MSISDN, IMSI, IMEI, connection start/end times, and Cell ID. Investigators then cross-reference this list against other evidence: known associates of the victim, phones that were not in the area before or after the crime (suggesting someone who came specifically for the crime and left), phones associated with prior criminal activity, or phones using newly activated prepaid SIMs (which are suspicious in context).
Tower dumps are a standard investigative tool across Europe. In Germany, they are governed by Section 100g of the Strafprozessordnung and require a court order. In the Netherlands, they fall under Article 126n of the Wetboek van Strafvordering. In France, Article 60-1 of the Code de procédure pénale covers the production of telecommunications data.
The Data Volume Challenge
A tower dump from a busy urban cell during a 60-minute window can contain tens of thousands of records. In the aftermath of the 2016 Berlin Christmas market attack, German authorities reportedly obtained tower dumps from multiple cell sites around Breitscheidplatz, generating massive datasets that required sophisticated analysis tools to process.
Investigators use analytical software (such as Analyst's Notebook by IBM i2, or PenLink) to visualise and filter these datasets. Common filtering strategies include:
- Eliminating phones with known subscriber identities (registered to local residents, businesses in the area)
- Focusing on prepaid or unregistered SIMs
- Identifying phones that appeared in the area only during the crime window
- Cross-referencing with other tower dumps from different crime scenes to find phones present at multiple locations
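The four filtering strategies above, combined in one added example (not how Analyst's Notebook or PenLink work internally): it drops known local subscribers, then ranks the remaining devices by how many scenes they appear at inside the crime window, whether they were seen only inside that window, and whether the SIM is prepaid. The dump layout, subscriber labels and ranking order are assumptions.

```python
from collections import defaultdict
from datetime import datetime

def hhmm(s):
    return datetime.strptime(s, "%H:%M")

# Constructed dumps for two scenes. Each row: (time, subscriber label, prepaid?).
# Each dump covers more than the crime window so "only in window" can be tested.
DUMPS = {
    "scene-1": {"window": ("15:00", "16:00"), "rows": [
        ("13:10", "SUB-LOCAL", False), ("15:20", "SUB-LOCAL", False),
        ("15:25", "SUB-P1", True), ("15:40", "SUB-P1", True),
        ("15:30", "SUB-V1", False),
        ("14:00", "SUB-P2", True), ("15:35", "SUB-P2", True),
    ]},
    "scene-2": {"window": ("21:00", "21:30"), "rows": [
        ("21:10", "SUB-P1", True),
        ("21:15", "SUB-V2", False),
        ("20:00", "SUB-LOCAL2", False),
    ]},
}
KNOWN_LOCALS = {"SUB-LOCAL"}   # subscribers already explained (residents, businesses)

def triage(dumps, known_locals):
    """Summarise each unexplained device across all dumps, least-explained first."""
    seen = defaultdict(lambda: {"scenes": set(), "outside": False, "prepaid": False})
    for scene, dump in dumps.items():
        start, end = map(hhmm, dump["window"])
        for ts, sub, prepaid in dump["rows"]:
            if sub in known_locals:
                continue
            rec = seen[sub]
            rec["prepaid"] |= prepaid
            if start <= hhmm(ts) <= end:
                rec["scenes"].add(scene)
            else:
                rec["outside"] = True   # also present before/after: less notable

    rows = [{"sub": sub, "scenes": len(r["scenes"]),
             "window_only": not r["outside"], "prepaid": r["prepaid"]}
            for sub, r in seen.items() if r["scenes"]]
    # Most scenes first, then window-only devices, then prepaid SIMs.
    return sorted(rows, key=lambda r: (-r["scenes"], not r["window_only"],
                                       not r["prepaid"], r["sub"]))

if __name__ == "__main__":
    for row in triage(DUMPS, KNOWN_LOCALS):
        print(row)
```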
Geofence Warrants (Reverse Location Warrants)
A geofence warrant takes the tower dump concept further. Instead of requesting records from a single carrier for a specific tower, a geofence warrant defines a geographic area and time window and requests data from all carriers (and, in some implementations, from Google's Sensorvault database or Apple's equivalent) for all devices present in that area.
Google's Sensorvault is particularly powerful because it contains GPS-level location data, not just cell tower associations. A geofence warrant served on Google might return the precise GPS coordinates of every Android phone with Location History enabled that was within a 100-metre radius of a crime scene during a specific 30-minute window.
In Europe, the legal framework for geofence warrants is less established than in the United States. The blanket nature of these requests, collecting data on potentially hundreds of innocent people to identify one suspect, raises significant proportionality concerns under GDPR and the ECHR's Article 8 (right to respect for private life). Several EU member states have not yet developed specific legal provisions for geofence-style requests, relying instead on general data production orders that may not adequately address the proportionality question.
In 2023, the Hamburg Commissioner for Data Protection published guidance stating that geofence-style requests to Google must be assessed on a case-by-case basis and that blanket fishing expeditions are not compatible with German data protection law. The European Data Protection Board (EDPB) has not yet issued formal guidance on this specific technique, but its general guidance on law enforcement access to personal data emphasises necessity and proportionality.
The Google Sensorvault Process
Google's response to geofence requests follows a staged approach: first providing anonymised device IDs present in the area, then allowing investigators to select devices of interest based on movement patterns, and finally de-anonymising only the selected devices. This limits privacy intrusion, but still requires Google to search its entire location database for a geographic area, inherently processing data about many innocent people.
12. Forensic Timeline Reconstruction: Building the Minute-by-Minute Map
All of the data sources described above converge in the forensic timeline: a single, chronological reconstruction of a phone's (and, by inference, a person's) movements. Building this timeline is the core analytical task in phone tracking investigations.
Data Fusion
A forensic examiner working a serious case draws on multiple independent sources: CDRs (cell IDs at call/session times), handoff logs (cell transitions), GPS data (from device or cloud), Wi-Fi connection logs, Wi-Fi probe captures from police sensors, silent ping responses, tower dump data, and CCTV correlation. Each source has different accuracy and coverage. GPS is precise (3 to 10 metres) but may be unavailable indoors. CDRs are always available when the phone is on the network but are coarse (50 to 500 metres urban). Wi-Fi data is precise when available but depends on the phone's Wi-Fi being active.
The Reconstruction Process
The forensic examiner typically works through these steps:
Step 1: Cell site survey. Before analysing any records, the examiner obtains a cell site database from the carrier, mapping every Cell ID to a physical location, antenna height, antenna azimuth, antenna beamwidth, and transmit power. This is essential because Cell IDs are meaningless numbers without this mapping. In some jurisdictions, the examiner physically visits the cell sites to photograph the antennas and verify their orientation.
Step 2: Mapping CDRs to locations. Each CDR record is plotted on a map at the location of the serving cell, with the sector coverage area shown as a wedge. The temporal sequence of CDRs shows the phone moving between cells over time.
Step 3: Refining with TA and signal strength. Where TA values and signal strength data are available, the examiner narrows each CDR point from a sector-wide area to a smaller arc within that sector.
Step 4: Integrating GPS data. If GPS coordinates are available from the handset or cloud, they are overlaid on the cell-based location estimates. GPS points should fall within the coverage area of the serving cell at that time; if they do not, this may indicate data integrity issues.
Step 5: Cross-referencing with Wi-Fi. Wi-Fi connection logs and probe request captures are added to the timeline, providing additional location points (the physical location of the access point the phone connected to, or the location of the Wi-Fi sensor that captured the probe).
Step 6: Narrative construction. The examiner produces a written narrative and a visual timeline (often a map with timestamped waypoints and paths) that describes the phone's movements. This narrative is presented in court as expert evidence.
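Steps 3 and 4 as an added example (not the examiner tooling named in this article): it checks whether a GPS fix is consistent with the serving sector's wedge and with the distance ring implied by a timing advance value. The sector parameters and coordinates are constructed, the 78 m step is the LTE-scale figure this article uses, and the wedge is an idealised model that ignores side lobes and reflections.

```python
import math

R_EARTH_M = 6_371_000.0
TA_STEP_M = 78.0   # metres per timing-advance step (LTE-scale figure used in this article)

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * R_EARTH_M * math.asin(math.sqrt(a))

def bearing_deg(lat1, lon1, lat2, lon2):
    """Initial compass bearing from point 1 to point 2, 0..360 degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dl = math.radians(lon2 - lon1)
    y = math.sin(dl) * math.cos(p2)
    x = math.cos(p1) * math.sin(p2) - math.sin(p1) * math.cos(p2) * math.cos(dl)
    return math.degrees(math.atan2(y, x)) % 360

def offset(lat, lon, bearing, dist_m):
    """Point dist_m from (lat, lon) along bearing; used to build constructed fixes."""
    p1, l1 = math.radians(lat), math.radians(lon)
    b, d = math.radians(bearing), dist_m / R_EARTH_M
    p2 = math.asin(math.sin(p1) * math.cos(d) + math.cos(p1) * math.sin(d) * math.cos(b))
    l2 = l1 + math.atan2(math.sin(b) * math.sin(d) * math.cos(p1),
                         math.cos(d) - math.sin(p1) * math.sin(p2))
    return math.degrees(p2), math.degrees(l2)

def ta_ring_m(ta, step_m=TA_STEP_M):
    """Distance band (inner, outer) in metres implied by a timing advance value."""
    return ta * step_m, (ta + 1) * step_m

def check_fix(sector, fix, ta=None):
    """Compare one GPS fix with the serving sector and, if given, the TA ring."""
    dist = haversine_m(sector["lat"], sector["lon"], fix["lat"], fix["lon"])
    brg = bearing_deg(sector["lat"], sector["lon"], fix["lat"], fix["lon"])
    acc = fix.get("accuracy_m", 0.0)
    off_axis = abs((brg - sector["azimuth"] + 180) % 360 - 180)
    # Within the GPS error radius of the mast the bearing is meaningless.
    in_wedge = dist <= acc or off_axis <= sector["beamwidth"] / 2
    in_range = dist <= sector["max_range_m"] + acc
    ta_ok = None
    if ta is not None:
        lo, hi = ta_ring_m(ta)
        ta_ok = lo - acc <= dist <= hi + acc
    return {"distance_m": round(dist, 1), "bearing_deg": round(brg, 1),
            "in_wedge": in_wedge, "in_range": in_range, "ta_ok": ta_ok,
            "consistent": in_wedge and in_range and ta_ok is not False}

# Constructed sector record, as it might come from the cell site survey in Step 1.
SECTOR = {"lat": 37.9800, "lon": 23.7300, "azimuth": 45.0,
          "beamwidth": 120.0, "max_range_m": 300.0}

def fix_at(bearing, dist_m, accuracy_m=5.0):
    """Constructed GPS fix at a known bearing and distance from the sample site."""
    lat, lon = offset(SECTOR["lat"], SECTOR["lon"], bearing, dist_m)
    return {"lat": lat, "lon": lon, "accuracy_m": accuracy_m}

if __name__ == "__main__":
    print(check_fix(SECTOR, fix_at(30, 200), ta=2))    # inside wedge and TA ring
    print(check_fix(SECTOR, fix_at(30, 250), ta=2))    # inside wedge, contradicts TA
    print(check_fix(SECTOR, fix_at(200, 200), ta=2))   # behind the antenna
```

An inconsistent result is a prompt to examine the records and the propagation environment, not a finding that the data is wrong.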
Accuracy and Uncertainty
Responsible forensic examiners always report the uncertainty associated with each location estimate. A CDR-based location might be reported as: "The phone was within the coverage area of Cell Sector X, which extends approximately 300 metres north to northeast of the cell site at [address]. The timing advance value of 2 indicates the phone was between 156 and 234 metres from the cell site."
A GPS-based location might be reported as: "The phone recorded a GPS fix at 37.9838°N, 23.7275°E with a reported accuracy of ±5 metres at 14:23:07 UTC."
The distinction between "the phone was here" and "the phone's user was here" is also critical. A phone can be left behind, given to someone else, or stolen. Phone location is a proxy for person location, and forensic examiners are careful to present it as such.
Tools Used by European Law Enforcement
The primary forensic tools are Cellebrite UFED/Physical Analyzer (dominant platform across Germany, France, Netherlands, UK), MSAB XRY/XAMN (Swedish, widely used by Nordic agencies), GrayKey (primarily for iPhone unlocking, used by the UK's National Crime Agency), Oxygen Forensic Detective (cloud extraction), PenLink (telecommunications analysis), and IBM i2 Analyst's Notebook (link analysis and visual timeline construction).
13. European Cases Where Phone Tracking Solved Crimes
Phone tracking has been decisive in numerous high-profile European criminal investigations. A few examples illustrate the range of techniques and their effectiveness.
The Encrochat Operation (2020)
French and Dutch police compromised the Encrochat encrypted phone network in 2020, in what Europol described as one of the largest law enforcement operations in European history. The French Gendarmerie's C3N unit deployed a technical implant on Encrochat's servers (routed through France), gaining access to message content and location data from approximately 60,000 devices. Dutch police used this data to arrest over 100 suspects and seize tonnes of drugs, firearms, and millions of euros. The location data from Encrochat devices corroborated conventional cellular tracking, allowing investigators to build ironclad movement timelines.
The Bundesgerichtshof ruled the evidence admissible in March 2022. UK courts reached the same conclusion after extensive argument.
The 2015 Paris Attacks Investigation
After the November 2015 attacks that killed 130 people, French and Belgian investigators used phone tracking to reconstruct the attack cell's movements between Belgium and France. Co-location analysis revealed connections between suspects who were not previously known to be associated: two phones repeatedly appearing in the same cell sectors in Molenbeek (Brussels) and then Saint-Denis (Paris) established a link before other evidence existed. This analysis was presented at the landmark trial concluding in June 2022, where 20 defendants were convicted.
The Maddie McCann Investigation
The McCann investigation was reinvigorated partly through phone tracking. In 2020, German prosecutors identified Christian Brückner as a suspect based partly on CDR analysis placing his Portuguese phone number on a cell tower serving the Ocean Club resort area approximately 30 minutes before Madeleine was reported missing in 2007. A phone call he received that evening was routed through a cell consistent with his presence near the scene.
Europol's Role
Europol's EC3 and Operational Centre provide analytical support for phone tracking investigations. The Europol Analysis System and SIENA (Secure Information Exchange Network Application) allow member states to share telecommunications data across borders. In 2023, Europol supported over 1,800 operations involving telecommunications data analysis.
14. Accuracy Limits and Legal Challenges
Phone tracking evidence is powerful, but it is not infallible. Understanding its limitations is as important as understanding its capabilities.
Technical Limitations
Cell site analysis is not GPS. A CDR placing a phone on a specific cell sector means the phone was somewhere within that sector's coverage area, which could be hundreds of metres wide. It does not place the phone at a specific building or room. Defence experts regularly challenge cell site evidence by demonstrating that the coverage area of a sector is larger than the prosecution suggests, or that radio propagation conditions could cause a phone to connect to a non-optimal (more distant) cell.
Propagation anomalies. Radio signals do not always follow idealised path-loss models. Reflections, atmospheric ducting, and antenna downtilt variations can cause a phone to connect to a non-optimal cell. In R v. Steele & Others (2006, UK), cell site analysis was challenged because propagation conditions were anomalous due to building reflections.
Indoor uncertainty. Inside buildings, attenuated and reflected signals mean the serving cell may not be the closest one. Placing a phone on a specific floor or room using cell site analysis alone is generally unreliable.
Clock synchronisation. CDR timestamps from different carriers may not be perfectly synchronised. Even a few seconds of discrepancy matters when reconstructing fast-moving events.
Legal Challenges in European Courts
Proportionality. Under ECHR Article 8 and GDPR principles, any surveillance measure must be proportionate to the legitimate aim pursued. Blanket tower dumps that collect data on thousands of innocent people to find one suspect face proportionality challenges. The German Federal Constitutional Court (Bundesverfassungsgericht) has been particularly active in scrutinising the proportionality of telecommunications surveillance measures, ruling in several cases that overly broad data requests violated the right to informational self-determination (informationelle Selbstbestimmung).
Data retention validity. Following the CJEU's invalidation of the Data Retention Directive and subsequent rulings, the legal basis for CDR retention varies across member states and is subject to ongoing litigation. Defence attorneys in multiple countries have argued that CDR evidence should be excluded because it was retained under a national law that is incompatible with EU law. The outcomes have been inconsistent: some courts have excluded the evidence, while others have admitted it on the basis that the illegality of the retention does not automatically render the evidence inadmissible.
Expert evidence standards. Cell site analysis is presented in court by expert witnesses, and the qualifications and methodology of these experts can be challenged. In the UK, the Forensic Science Regulator has published codes of practice for cell site analysis (FSR-C-132), establishing standards for how the analysis should be conducted and reported. Not all European jurisdictions have equivalent formal standards, leading to inconsistencies in the quality of cell site evidence.
Attribution. Phone tracking places a device at a location, not a person. A suspect can argue that someone else had their phone. Investigators mitigate this by correlating phone data with CCTV footage, witness testimony, DNA on the handset, or biometric unlock data showing the phone was unlocked with the suspect's fingerprint or face during the relevant period.
Cross-border complexity. Crimes involving movement across borders require data from multiple carriers and jurisdictions. The European Investigation Order (Directive 2014/41/EU) streamlined cross-border evidence requests, but delays remain. The proposed e-Evidence Regulation aims to allow direct requests between member states, reducing timelines from months to days.
The Future: Increasing Precision, Increasing Scrutiny
The technical capability for phone tracking will only increase. 5G networks with massive MIMO and beamforming can estimate device positions more precisely. Indoor positioning systems using Wi-Fi RTT (Round Trip Time, specified in IEEE 802.11mc) can locate devices within 1 to 2 metres indoors. Bluetooth direction-finding (Bluetooth 5.1 AoA/AoD) adds another layer of location data. Ultra-wideband (UWB) ranging, now present in many flagship phones, provides centimetre-level distance measurements.
At the same time, privacy-enhancing technologies are improving. MAC randomisation is becoming more robust. 5G SUPI encryption closes the IMSI catcher vulnerability (at least on 5G-only networks). End-to-end encrypted messaging reduces the metadata available from carrier logs. Google's decision to move Location History processing to on-device storage (announced in 2024) will eventually reduce the availability of cloud-stored GPS histories.
The tension between investigative capability and privacy protection will intensify. European courts and regulators will continue to refine the boundaries. The technical facts described in this post are the foundation on which those legal and ethical debates must stand: you cannot meaningfully argue about whether police should be allowed to track a phone until you understand exactly how they do it, what it reveals, and where its limits lie.
Summary of Data Sources and Their Characteristics
| Data Source | Accuracy | Temporal Resolution | Requires Phone Active? | Requires Court Order (EU)? |
|---|---|---|---|---|
| CDR (cell tower) | 50-2000 m | Per call/session | Yes (on network) | Yes (most jurisdictions) |
| Timing Advance | 78-550 m | Per measurement | Yes | Via CDR request |
| GPS (device) | 3-10 m | Minutes | Yes (GPS enabled) | Device seizure warrant |
| GPS (cloud) | 3-10 m | Minutes | No (historical) | Production order / MLAT |
| Silent ping | 50-500 m | On demand | Yes (on network) | Yes (specific authorisation) |
| Wi-Fi probes | 10-50 m | Seconds | Yes (Wi-Fi on) | Varies by jurisdiction |
| IMSI catcher | Presence confirmation | Real-time | Yes (on network) | Yes (most jurisdictions) |
| Tower dump | 50-2000 m | Per event in window | Yes (on network) | Yes |
| Geofence (Google) | 3-10 m | Minutes | No (historical) | Production order / MLAT |
| Handoff logs | 100-500 m | Per handover event | Yes (on network) | Yes (via carrier) |
Every entry in this table represents a distinct technical system generating location data. A thorough investigation draws on all of them, cross-referencing independent sources to build a timeline that is both precise and resilient to challenge. The phone in your pocket is, from a forensic perspective, the most comprehensive location tracking device ever built, not because it was designed for surveillance, but because location awareness is inseparable from how modern wireless communication works.