Part 4: CDR/IPDR Analysis | Module 3

Introduction

Understanding Telecom Records

Telecom records are among the most valuable sources of evidence in cyber crime investigations. Call Detail Records (CDR) and IP Detail Records (IPDR) provide crucial information about communication patterns, locations, and relationships between suspects.

In India, telecom operators are mandated to retain CDR and IPDR data for specified periods and provide it to law enforcement upon proper legal request. Understanding how to request, analyze, and interpret this data is essential for investigators.

💡 Legal Framework for CDR/IPDR

                        Under the Indian Telegraph Act and various TRAI regulations, telecom operators must:
                        Retain CDR data for minimum 2 years
Retain IPDR data for minimum 1 year
Provide data upon Section 91 CrPC notice or court order
Comply with interception requests under Section 5(2) of Telegraph Act

CDR Fields

Call Detail Record (CDR) Structure

A CDR contains detailed information about each call made or received by a mobile number. Understanding each field is crucial for effective analysis:

Calling Number (A-Party)

The mobile number that initiated the call. For outgoing calls, this is the target number.

Called Number (B-Party)

The mobile number that received the call. For incoming calls, this is the target number.

Call Date/Time

Timestamp when the call was initiated. Critical for timeline reconstruction.

Duration

Length of the call in seconds. Zero duration indicates missed/rejected call.

IMEI

Device identifier - helps track if suspect changed SIM cards but kept same phone.

IMSI

SIM card identifier - helps track if suspect changed phones but kept same SIM.

Cell ID / LAC

Tower identifier providing approximate location of the caller at call time.

Call Type

Indicates MO (Mobile Originated), MT (Mobile Terminated), or SMS.

Sample CDR Data

Date/Time	A-Party	B-Party	Duration	Type	IMEI	Cell ID
15-01-2026 10:30:45	9876543210	9123456789	180	MO-Voice	35298710xxxxxxx	12345-67
15-01-2026 11:15:22	9123456789	9876543210	45	MT-Voice	35298710xxxxxxx	12345-68
15-01-2026 12:00:00	9876543210	9111222333	0	MO-SMS	35298710xxxxxxx	12346-01
15-01-2026 14:30:15	9876543210	9123456789	320	MO-Voice	35298710xxxxxxx	12350-15

Tower Analysis

Cell Tower and Location Analysis

Cell ID information in CDR records can be used to determine the approximate location of a mobile device at the time of each call. Understanding tower coverage is essential for location analysis.

Understanding Cell Tower Coverage

📡

Urban Area

200-500m radius coverage. High tower density provides better location accuracy.

🏡

Suburban Area

500m-2km radius coverage. Moderate accuracy for location determination.

🏞

Rural Area

2-10km+ radius coverage. Limited accuracy, larger area of uncertainty.

📍

Tower Dump Analysis

A tower dump provides all mobile numbers that connected to a specific tower during a specific time period. This is useful when:

You know the crime location and time but not the suspect's number
You need to identify all persons present at a crime scene
Cross-referencing multiple incidents at same location

Note: Tower dumps can contain thousands of records. Effective filtering and correlation with other evidence is essential.

CDR Analysis Tool

Practical Tool: CDR Analyzer

📞

CDR Analyzer Tool

Upload and analyze CDR data to identify call patterns, frequent contacts, and location movements. The tool visualizes communication networks and generates investigative reports.

Launch CDR Analyzer

CDR Analysis Workflow

Data Import and Cleaning

Import CDR data (usually CSV/Excel format from telecom). Standardize date formats, remove incomplete records, and verify data integrity.

Contact Analysis

Identify most frequent contacts, call duration patterns, and communication timings. Look for unusual patterns or new contacts around incident dates.

Location Mapping

Plot cell tower locations on map to visualize movement patterns. Identify home location, workplace, and anomalous location visits.

Timeline Correlation

Correlate CDR data with incident timeline. Verify alibis, identify presence at crime scene, and establish communication around incident time.

Network Visualization

Create visual network diagrams showing relationships between phone numbers. Identify clusters, intermediaries, and communication patterns.

IPDR Section

IP Detail Records (IPDR)

IPDR contains records of internet/data usage by mobile subscribers. With increasing smartphone and mobile data usage, IPDR has become equally important as CDR for investigations.

📞 CDR Contains

Voice call records
SMS records
Caller and called numbers
Call duration
Tower/Cell ID for calls

🌐 IPDR Contains

Data session start/end times
IP address assigned to device
Data volume (upload/download)
NAT port mappings
Cell ID during data session

💡 IPDR Investigation Use Cases

Correlating IP address to subscriber: When you have an IP address from a crime (e.g., from email headers, server logs), IPDR can identify which mobile number was assigned that IP at that timestamp.
Identifying mobile data location: IPDR contains cell tower information, useful when suspect uses data-only (no voice calls).
Timestamp correlation: Match data sessions with specific online activities being investigated.
NAT traversal: For CGNAT environments, IPDR provides port mapping needed to identify specific subscriber.

Key Points

Key Takeaways

CDR provides voice/SMS records while IPDR provides internet/data usage records
Cell ID/LAC in records can be used to determine approximate location
IMEI tracks device, IMSI tracks SIM - useful for suspects changing either
Tower dumps help identify all devices at a location during specific timeframe
Urban areas have better location accuracy due to higher tower density
IPDR is essential for correlating IP addresses to mobile subscribers
Always request CAF (Customer Application Form) along with CDR for subscriber details
Proper legal process (Section 91 CrPC / Court Order) required for obtaining records

Navigation