A modern smartphone does not simply make calls. It is a continuous location transponder, a behavioural log, a social network map, a financial record, and a communication device — all simultaneously, all the time. For investigators, this creates an intelligence opportunity of unprecedented richness. For criminals, it creates an exposure surface that is almost impossible to fully eliminate.
Mobile data — particularly Call Detail Records (CDRs) and location intelligence derived from the advertising ecosystem — has become one of the most operationally valuable intelligence sources available to law enforcement, yet it remains significantly underused in most jurisdictions. The gap is not technical; it is organisational. Investigators who understand what mobile data actually contains, and how to fuse it with other sources, hold a decisive analytical advantage over those who treat it as a supplementary resource.
A typical smartphone generates thousands of data points per day across call logs, location pings, app activity, and purchase events. Most investigators access a fraction of this — and often in isolation rather than fused with other intelligence sources. The result is a narrower picture than the evidence actually supports.
Understanding Call Detail Records
A CDR is the metadata record generated by every mobile network interaction. Each call, SMS, and data session creates a CDR containing: the originating number (MSISDN), the IMSI (SIM card identifier), the IMEI (device identifier), the cell tower used (providing geographic location), the timestamp and duration, and the counterpart number. The network generates this record automatically, as a matter of billing and operational management, regardless of any investigative interest in the subscriber.
What this enables is substantial. CDRs establish presence — the subject was in this cell sector at this time. They establish movement — a sequence of tower pings traces a route from origin to destination. They establish communication networks — who called whom, how often, with what timing and duration. And they establish device associations — an IMSI that switches between IMEIs, or an IMEI that cycles through multiple IMSIs, are both operationally significant artefacts that warrant further investigation.
CDRs are held by mobile network operators and are accessible through lawful process in most jurisdictions. Critically, they are not subject to content interception law. They are metadata, not communication content, which means the legal threshold for access is typically lower than for wiretapping. An investigator who cannot obtain a wiretap authorisation may nonetheless be able to obtain CDR records — and those records may be sufficient to establish the investigative picture that content interception would merely confirm.
Analysed over time, CDRs reveal pattern of life: where a subject sleeps, where they work, which locations they frequent, who they contact before and after each visit. Deviations from established patterns are operationally significant. A subject who normally pings towers in one neighbourhood but appears in another city on the day of an incident has provided investigators with a material data point — without a single word being intercepted.
The Advertising Intelligence Layer
Beyond carrier CDRs, a parallel and often more granular location record exists: the data generated by mobile advertising networks. Smartphones with standard commercial apps installed continuously broadcast location data to advertising exchanges — often at intervals of one to two minutes when apps are active, and less frequently when backgrounded. This data is collected by data brokers and advertising platforms for targeting purposes. The same datasets, obtained through legal channels, provide investigators with a location record that CDRs alone cannot match in granularity or continuity. BlackAdint is built specifically to exploit this intelligence layer at operational scale.
The key difference lies in resolution. CDR location is cell-tower-based, which in urban areas might mean an accuracy radius of 100 to 500 metres — enough to place a subject in a district, but not enough to place them at a specific building. Ad network location data is GPS-derived, accurate to five to ten metres. For placing a subject at a specific building, floor, or room, the difference is operationally decisive. It is the difference between "was in the vicinity" and "was at this address."
Equally significant is the population scope. Ad network location data exists for the entire population of smartphone users, not just those already under investigation. This enables retroactive location analysis — placing a subject at a location of interest before an investigation has formally begun, using data that was collected passively months or years earlier. A target identified today can be historically located using records that predate the investigation entirely.
The IMSI and IMEI Intelligence Layer
The IMSI identifies the SIM card. The IMEI identifies the physical handset. They are distinct — and they can be separated. A criminal who swaps SIM cards retains the same IMEI. A criminal who acquires a new device retains the same IMSI if they keep the SIM. Either swap generates a detectable artefact in the mobile data record, and each artefact tells investigators something operationally useful.
Common OPSEC behaviours, and their intelligence signatures:
- SIM swapping — a new IMSI appears in the same cell sectors as the previous IMSI, at the same times of day, with the same communication patterns. The subject changed their number but not their life. The pattern of life is continuous across the identity change.
- Device swapping — a new IMEI appears associated with the known IMSI. Device metadata — manufacturer, model, OS version — may match profile data from other sources, enabling confirmation of the link even where the IMSI alone is insufficient.
- Multiple SIMs on one device — in some jurisdictions, carriers can detect IMSI sequences on a single IMEI, revealing that a subject is operating multiple numbers from the same handset. Each number may appear clean in isolation; the IMEI linkage connects them.
- Burner discipline failures — a burner IMEI that contacts the same counterpart numbers as the primary device, at similar times and from similar locations, is analytically equivalent to the primary device. The burner provides operational convenience; it does not provide intelligence separation. The communication graph remains continuous across both devices.
The SIM-Swapping Problem — And Why Correlation Beats It
A common concern among investigators is that SIM-swapping defeats CDR-based investigation. It is true that switching SIM cards breaks a direct carrier record linkage — the old MSISDN goes silent, and a new one appears. For a single-source analysis operating on a single identifier, this creates a gap.
Under multi-source analysis, SIM-swapping fails as an OPSEC technique for a fundamental reason: the physical device typically remains constant. The locations visited remain constant. The people contacted often remain constant — only the calling number changes, but the receiving numbers are known from prior records. The timing patterns remain constant. Every dimension of the mobile intelligence picture except the identifier continues unchanged.
Changing a SIM card changes the identifier. It does not change the person. Every other dimension of the mobile intelligence picture remains continuous.
Multi-source correlation — CDR data combined with ad network location, social intelligence, and financial transaction timing — creates a composite identity that survives SIM changes, device changes, and most other OPSEC manoeuvres short of a complete cessation of mobile device use. The subject who disappears from one dataset reappears in its intersection with others. The identifier changes; the behavioural signature does not.
Network Analysis from Communication Metadata
CDRs, in aggregate, produce a communication graph: a map of who calls whom, how often, at what times, and in what sequence. This graph is a structural representation of a network — and networks have structure that reveals organisational logic without any content being examined.
What the graph reveals is operationally significant on multiple dimensions. High-degree nodes that many others call but that initiate fewer calls outward are likely coordinators or handlers — they receive reports but do not initiate them. Operational clusters — groups of numbers that call each other frequently but rarely call outside the group — indicate compartmented cells within a larger network. Event correlation — a burst of communication across a network immediately before or after an incident — establishes coordination and timing in a form that is often more precise than witness testimony.
This analysis does not require intercepting a single word of content. The metadata alone establishes conspiracy, hierarchy, and operational coordination with a level of evidential clarity that frequently exceeds what content interception produces. Juries understand call logs. They understand "these people called each other 47 times in the 72 hours before the incident." The complexity of encrypted content, when present, often obscures rather than clarifies the investigative picture.
The full investigative picture emerges when communication network analysis is fused with financial transaction records, location intelligence, and OSINT — connecting the dots that no single dataset contains. BlackFusion is built to perform this multi-source correlation at scale, mapping networks that span jurisdictions and data types into a single unified investigation workspace.
Legal Frameworks and Operational Discipline
Mobile intelligence collection operates within legal frameworks that vary significantly by jurisdiction. CDR access typically requires court authorisation in most jurisdictions; the threshold varies from a simple production order to a judicial warrant depending on the legal system and the category of data requested. Ad network location data operates under different and often more permissive frameworks, reflecting its origin as commercial rather than telecommunications data — though this is an area of active legislative development in several jurisdictions.
Investigators need to understand the applicable framework before building an evidentiary case on any data source. Intelligence collected outside the appropriate legal process may be usable for targeting but inadmissible as evidence, which creates a gap between investigative knowledge and prosecutorial capability that must be managed deliberately from the outset of an operation.
Chain of custody for digital evidence is as rigorous as for physical evidence. Mobile intelligence used in prosecution must be collected, preserved, and authenticated in ways that will survive legal challenge. This is not a technical problem — it is a procedural one that requires discipline at every stage of the collection and analysis process.
The intelligence value of mobile data is also time-sensitive. Historical CDRs may only be retained for six to twenty-four months depending on jurisdiction and carrier policy. Requests made outside this window find nothing. Early identification of targets and timely CDR preservation orders are operationally critical — a delay of weeks at the start of an investigation can mean the loss of months of historical data that cannot be recovered.
The Integration Imperative
Mobile intelligence is most powerful when it is not treated as a standalone capability but as one layer in a multi-source intelligence picture. The investigator who receives CDR records and analyses them in isolation is using a fraction of the available evidential weight. The investigator who fuses those records with ad network location, IMSI/IMEI history, communication network analysis, financial transaction records, and open-source intelligence is operating at the full capacity of what the evidence supports.
Each source has gaps. CDRs establish presence and communication but not precise location or content. Ad network data establishes precise positioning but may have coverage gaps for subjects who limit commercial app usage. IMSI/IMEI analysis establishes device continuity across identity changes but requires the subject to maintain mobile connectivity. Communication network analysis establishes organisational structure but cannot identify individuals who communicate only through intermediaries. Financial transaction records establish money flows but may not reach cash operations. OSINT adds biographical context but is subject to deliberate manipulation by aware subjects.
Each source is corroborated by the others. The subject who is invisible in any single dataset becomes visible in their intersection. A phone number that appears in CDR records but carries no other identifying information becomes identifiable when ad network location data places the associated device at a residential address, and that address appears in a property record, and that property record links to an individual whose financial profile matches patterns seen in the transaction data.
The mobile device is the most comprehensive intelligence artefact that a criminal carries. The investigator's task is not to break into it — it is to understand all the data that surrounds it.