SWGDE

Menu
Subscribe
Subscribe

published documents

Technical Notes on the Use of Timing Advance Records

SWGDE 25-F-002-1.0

View Pdf

The version of this document is in draft form and is being provided for comment by all interested parties for a minimum period of 60 days.

Disclaimer Regarding Use of SWGDE Documents

SWGDE documents are developed by a consensus process that involves the best efforts of relevant subject matter experts, organizations, and input from other stakeholders to publish standards, requirements, best practices, guidelines, technical notes, positions, and considerations in the discipline of digital and multimedia forensics and related fields. No warranty or other representation as to SWGDE work product is made or intended.

SWGDE requests notification by email before or contemporaneous to the introduction of this document, or any portion thereof, as a marked exhibit offered for or moved into evidence in such proceeding. The notification should include: 1) The formal name of the proceeding, including docket number or similar identifier; 2) the name and location of the body conducting the hearing or proceeding; and 3) the name, mailing address (if available) and contact information of the party offering or moving the document into evidence. Subsequent to the use of this document in the proceeding please notify SWGDE as to the outcome of the matter. Notifications should be submitted via the SWGDE Notice of Use/Redistribution Form or sent to secretary@swgde.org.

From time to time, SWGDE documents may be revised, updated, deprecated, or sunsetted. Readers are advised to verify on the SWGDE website (https://www.swgde.org) they are utilizing the current version of this document. Prior versions of SWGDE documents are archived and available on the SWGDE website.

Redistribution Policy:

SWGDE grants permission for redistribution and use of all publicly posted documents created by SWGDE, provided that the following conditions are met:

  1. Redistribution of documents or parts of documents must retain this SWGDE cover page containing the Disclaimer Regarding Use.
  2. Neither the name of SWGDE nor the names of contributors may be used to endorse or promote products derived from its documents.
  3. Any reference or quote from a SWGDE document must include the version number (or creation date) of the document and also indicate if the document is in a draft status.

Requests for Modification

SWGDE encourages stakeholder participation in the preparation of documents. Suggestions for modifications are welcome and must be submitted via the SWGDE Request for Modification Form or forwarded to the Secretary in writing at secretary@swgde.org. The following information is required as a part of any suggested modification:

  1. Submitter’s name
  2. Affiliation (agency/organization)
  3. Address
  4. Telephone number and email address
  5. Document title and version number
  6. Change from (note document section number)
  7. Change to (provide suggested text where appropriate; comments not including suggested text will not be considered)
  8. Basis for change

Intellectual Property

All images, tables, and figures in SWGDE documents are developed and owned by SWGDE, unless otherwise credited.

Unauthorized use of the SWGDE logo or document content, including images, tables, and figures, without written permission from SWGDE is a violation of our intellectual property rights.

Individuals may not misstate and/or over represent duties and responsibilities of SWGDE work. This includes claiming oneself as a contributing member without actively participating in SWGDE meetings; claiming oneself as an officer of SWGDE without serving as such; claiming sole authorship of a document; use the SWGDE logo on any material and/or curriculum vitae.

Any mention of specific products within SWGDE documents is for informational purposes only; it does not imply a recommendation or endorsement by SWGDE.

Table of Contents

Table of Figures

Figure 1. Uplink transmissions must arrive when they are expected by the cell site irrespective of where the device is located from the cell.

Figure 2. Cell site initially calculates the latency from the uplink RACH message.

Figure 3. Device uplink transformations arrive in a time-correlated order and when expected by the cell site.

Figure 4. Each TA band in 4G LTE is approximately 78 meters wide.

Figure 5a. TA bands on an LTE sectorized cell with an azimuth of 300°.

Figure 5b. TA band table.

Figure 6. TA band number indicating the start of the TA band.

Figure 7. Combination of TA data can be corroborative.

1. Purpose

The purpose of this document is to provide a foundation on Timing Advance (TA) and recommendations on how to acquire, analyze and interpret the data.

2. Scope

This document provides guidance with the acquisition, interpretation, and analysis of TA data. The intended audience for this document are practitioners who have training, knowledge, and experience in using these records who may include investigators, analysts, and attorneys. This document is not intended to be a training manual or to replace standard organizational procedures. This document is not all-inclusive and does not account for every possible scenario related to TA data, and it should not be confused with historical cell site location information analysis. Refer to SWGDE 17-F-001-3.0 Recommendations for Historical Cell Site Analysis.

3. Definitions

The following definitions are provided to assist with interpreting this document. For further details, readers may refer to more technical resources defining these terms, such as the Third Generation Partnership Project (3GPP) and European Telecommunications Standards Institute (ETSI).

  • 4G LTE: A standard for wireless communication of high-speed data for mobile devices; LTE is an abbreviation for Long Term Evolution.
  • 5G NR: A cellular network technology, offering higher transmission speeds than 4G with lower latency; NR is an abbreviation for New Radio
  • Antenna: An electrical device which converts electric power into radio waves, and vice versa. It is usually connected with a radio transmitter or radio receiver and can be mounted on various structures including poles, masts, towers, etc.
  • Arc: Curved geographical region at a specific distance from a cell site where a device is estimated to be located.
  • Azimuth: a bearing, expressed in degrees (clockwise) from true north, which represents the orientation of a directional cellular antenna.
  • Band: See arc.
  • Beamwidth: the angle between the two points on either side of the azimuth where the antenna’s power drops to half its peak (-3 dB). For example, on a 120 degree sector, the half power points are usually found at 30 degrees of the azimuth.
  • Call Detail Record (CDR): Usage records (e.g. voice, text, data) maintained by the service provider capturing information typically needed to accurately bill a subscriber or, in the case of a prepaid service plan, debit the balance. This information typically includes the date, time, duration, source identifier, destination identifier, or the amount of data transmitted or received.
  • Cell Site: A physical location that contains the equipment needed to receive and transmit radio signals for cellular voice and data transmission and may consist of equipment from one or more service providers. Cell sites are designed to provide radio frequency coverage over defined geographic areas.
  • Cell Site Analysis: The analysis of historical records provided by the cellular companies, or other geographic data, in order to place a particular cellular device within an approximate geographic area during a specified date and time.
  • Cell Site List: Also called a tower list, mast list, or or cell site key, is a list of all cellular system antennas with sector information that is retained by a cell provider. Cell site lists typically contain the latitude and longitude of cell sites as well as specific sector information including the azimuths and beamwidths of sectors.
  • Cell Site Location Information: Information contained within Call Detail Records that pertains to specific antennas used, including their location and orientation.
  • Cellular Service Provider: A wireless communications service provider that owns or controls all the elements necessary to sell and deliver services to an end user including radio spectrum allocation, wireless network infrastructure (antennas and switches), backhaul infrastructure, provisioning computer systems and repair organizations. Examples of cellular network providers are AT&T, T-Mobile, and Verizon Wireless. This can also be known as cellular network operator, Mobile Network Operator (MNO) and wireless carrier.
  • Confidence: Refers to the degree of reliability or certainty in the estimated device location, as estimated by the service provider.
  • Device: User equipment capable of connecting to a cellular network. This may include cellular phones, tablets, vehicles, smart watches, wearable technology, etc. (this list is not exhaustive and will continue to evolve).
  • Distributed Antenna System (DAS): A network of relatively small antennas linked to a centralized base station within a geographic area or structure.
  • Global Positioning System (GPS): See GNSS.
  • Global Navigation Satellite System (GNSS): A network of satellites to determine a location. Different systems are in operation around the world. Commonly referred to as GPS.
  • Global System for Mobile Communications (GSM): A set of standards for second generation cellular networks currently maintained by the 3rd Generation Partnership Project (3GPP).
  • International Mobile Equipment Identifier (IMEI): A unique numerical identifier assigned to every device capable of connecting to cellular networks.
  • International Mobile Subscriber Identifier (IMSI): A unique identifier associated with a mobile network subscriber used by cellular networks to identify and authenticate a specific subscriber.
  • Latitude and Longitude: A coordinate system that enables every location on the Earth to be specified by a set of numbers.
  • Multipath: A phenomenon where a wireless signal travels from a cell site to a device (e.g., a mobile phone) along multiple paths. These paths may include direct routes and indirect routes caused by reflections, refraction, diffractions, or scattering off objects such as buildings, trees, and the ground.
  • Omni-Directional Cell Site (AKA Omnipole): A cell site that contains only one sector with 360° of coverage.
  • Optimal Beamwidth (OBW): The coverage reported by a cellular provider that reflects the best, or optimal, coverage area of a particular sector. Optimal beamwidth does not typically reflect the absolute coverage area of a particular sector.
  • Radio Frequency (RF): Any of the electromagnetic wave frequencies that lie in the range extending from around 3 kHz to 300 GHz, which include those frequencies used for communications or radar signals.
  • Radio Frequency Propagation Map: A geographical representation of RF coverage, not necessarily including signal strengths, which displays the approximate boundaries of a cell on the date and time that the survey was performed. .
  • Second-generation (2G): A cellular network standard that was developed to provide improved voice communication, text messaging, and basic data services compared to the earlier first-generation (1G) analog systems.
  • Sector: The section of a cell site that covers a specific geographic area.
  • Service Type: It is used to distinguish the type of connection the device had with the network (e.g., voice, data, voice and data).
  • Serving Cell: The cell that a device determines is the best when attaching to a cellular network.
  • Specialized Historic Location Data: Other data that might be disclosed by a provider which may contain timing advance data and/or estimated mobile device location data.
  • Subcarrier Spacing (SCS): It defines a configuration of a 4G LTE/5G NR air interface. In LTE, SCS is fixed. In 5G NR, SCS is variable. SCS defines the width of the timing advance band. To understand the width of a specific timing advance band, it is necessary to know the SCS value of the associated cell.

4. Introduction

Cellular service providers maintain Timing Advance (TA) records during the normal course of business. It is beyond the scope of this document to discuss, in detail, the various legal avenues a practitioner might pursue to preserve or obtain TA records. Timing Advance is the measure of delay (time), not distance, but it can be used to infer an approximate distance for geolocation purposes.

The TA process is used within 2G GSM/4G LTE/5G NR cellular networks to synchronize the attached devices in the uplink direction towards the cell site. The cell site calculates the latency in the uplink direction between a device and the cell site. The uplink synchronization is maintained through the application of TA. This is achieved through the cell site generating a calculated TA value which enables an attached device to advance or retard the timing of its transmissions towards the cell site in order to ensure synchronized uplink transmissions. This is an ongoing process which is periodically updated as a device moves around a network. The TA value issued by a cell site can be used to infer a device’s physical distance from the cell site. The timing advance value actually represents a band number. The physical dimensions of a band and the number of bands varies depending upon the cellular technology.

5. Record Preservation, Acquisition, and Documentation

5.1 Preservation Requests

Title 18 U.S. Code § 2703(f) provides law enforcement officials with the ability to order the preservation of records and other evidence held by an electronic communications provider [1]. In doing so, data that may otherwise be perishable (e.g., deleted by the provider) is preserved for a specified period of time prior to obtaining the appropriate legal authority to secure the release of the preserved data. Preservation requests are of utmost importance when seeking TA records, as retention periods are dependent upon the individual wireless carriers and may be as short as several days. Wireless carriers are not required by law to retain TA records for any specific period of time; subsequently, retention periods are subject to change.

5.2 Emergency and Exigent Requests

Federal law, and some state laws, allow for the immediate and voluntary release of records by providers in certain specific emergency situations. Consult Title 18 U.S. Code § 2702(b)(8) [2]. Providers may require submission of their “Exigent Request” form prior to providing records. Also, some jurisdictions may require following the exigent request with legal process.

5.3 Subpoenas, Search Warrants, and Court Orders

Since TA records are location-based data, a probable cause search warrant is the necessary legal standard throughout the United States in criminal matters. In civil matters, court rules may allow for the use of a subpoena or court order for some aspects of TA records.

5.3.1 Cell Site Lists

In order to map TA records, practitioners should obtain applicable cell site lists from the carrier. The list should be representative of the time period(s) relevant to the investigation. This information will indicate the location of the cell site.

5.4 Documentation

Practitioners should follow their agency or organization’s policies and procedures on maintaining chain of custody for TA records.

6. Considerations

The following are a list of known considerations with TA data.

6.1 Multipath Propagation

TA measurements may be affected by multipath propagation when radio signals are delivered by two or more paths between the cell site and the device. Multipath propagation may be caused by signal reflection off buildings, water, mountains, and other environmental factors that result in a non-line-of-sight environment between the cell site and the device. Because multipath propagation will cause additional delay to be experienced in the uplink transmission, the TA distance inferred from those measurements will be further away from the antenna than the actual device location. Therefore, the subject device may be physically closer to the antenna than indicated by the TA data.

6.2 Other Considerations

TA data cannot be used to determine a device’s exact geolocation. However, multiple TA measurements may be corroborative (see Figure 7).

Responsive data may include estimated device location (latitude and longitude) and confidence ratings. Practitioners should use caution in using this data because the results are derived from proprietary algorithms. These algorithms, devised by the providers, have not been made public. The validity and accuracy of the location estimation methods derived by these algorithms cannot therefore be determined.

This document was prepared with the resources available at the time of publication. As with all technology, cell site analysis is a constantly evolving discipline, with frequent implementation of new features and innovations.

Those conducting cell site analysis should be familiar with the type of records produced by the various service providers and the intricacies, nuances, and limitations associated with each provider.

To ensure accurate interpretation and application of TA data, it is important that practitioners receive proper training and guidance in its use.

7. Technical Description

In 2G GSM a band is 550 meters wide, in LTE 78 meters wide, and in 5G NR it can be 78 meters or less depending upon the configuration of the radio resources. This level of monitoring is required due to three factors:

  • First, the fact that different devices using the same cell site will be located at different distances from the serving cell site.
  • Second, even though radio signals travel at the speed of light (c = 300,000 km/s), it still takes a finite amount of time for a radio signal to travel a given distance; the further a device is from a cell site, the longer its signal will take to travel to the cell site.
  • Third, 2G GSM/4G LTE/5G NR networks share the capacity of a cell site among concurrent users using a combination of frequency (different devices use different sets of radio frequencies) and time (different devices transmit at different points in time based on their distance from the cell site). To ensure the traffic from multiple devices is received correctly, the traffic transmitted by each device must be received by the cell site at exactly the right point in time.

This means the further away from the cell site a device is, the earlier in time it needs to start sending its bursts of data to ensure they arrive at the cell site at the expected time. Timing Advance is a way of compensating for the latency experienced by radio signals that have to travel longer distances (see Figure 1).

A device’s latency (inferred distance from cell site) is measured by the cell site, whenever a device transmits data.

A device will initially attach to a serving cell site via the common Random Access Channel (RACH), there are regular random access periods set aside by the cell site for this purpose and it is a common channel shared by all devices within a cell. A device wishing to connect to a serving cell waits for the next RACH opportunity and, when the opportunity period starts, transmits a RACH Request to the cell site.

The cell site starts a timer at the beginning of each RACH period. This allows it to note the latency associated with each new RACH Request. RACH Requests from distant devices arrive later in the RACH period than requests sent by devices that are closer to the cell site (see Figure 2).

A reasonably simple calculation is used to measure the latency experienced by each RACH Request (based on how late in the allocated RACH period it arrived). This is then used by the cell site to create a ‘Timing Advance’ command to send back to the device. This command is included in the Random Access Response (RAR), which instructs the device to begin transmitting earlier in time to allow the transmitted signal to arrive at the beginning of each transmission time period allocated to the device (see Figure 3).

TA commands are subsequently sent to each device periodically throughout the life of a call, text, or data session instructing it to advance or retard the time at which it transmits bursts of data to the cell site. As a device gets further away from the cell site it is instructed to start transmitting each burst earlier (advancing them in time). As the device gets closer to the cell site it is instructed to reduce (or ‘retard’) its transmission start time to reflect the reduced latency.

The network does not need to know a device’s exact distance from the cell site. The TA process calculates an approximate value which is accurate enough to compensate for the transmission

latency. This results in each TA value covering a range of distances expressed as a band rather than as an exact geolocation for that device.

The TA calculation takes some of the characteristics of the radio technology into account, meaning that the TA band width distance is different for each generation of network technology (2G GSM/4G LTE/5G NR).

In 4G LTE the TA bands are approximately 78 meters wide; LTE TA Band 0 covers 0-78 meters, Band 1 covers 78-156 meters, and so on. For example, an LTE device 201 meters from the cell site will be reported as being within LTE TA Band 2 (e.g., 201m/78m = 2.57 = TA band 2) (see Figure 4).

In 5G NR the TA band is a function of the configuration of the air interface, specifically the Subcarrier Spacing (SCS), which can be 15 kHz, 30 kHz, 60 kHz, or 120 kHz. This would result in a TA band width of approximately 78 meters, 39 meters, 19 meters, or 9 meters, respectively.

Figure 5a shows an illustration of the TA bands – inferring that a device was somewhere within TA band 1.

As shown in Figure 5a, if the azimuth for the cell is provided, the TA band can be displayed as an arc across the sector angle.

Figure 5b shows the correlation between the TA bands and their approximate distances (in LTE).

Cellular service provider records may represent TA distances in values other than meters (e.g. steps or miles), which need to be converted to meters. Reference the provider records guides to determine the value used.

Example: At the time of publication, T-Mobile TA records for LTE represents a distance to the device of 0.34 miles. This converts to a metric distance of 547.18m (e.g., 547.18m/78.07m = 7); this measurement represents timing advance band 7 (546.49m – 624.56m).

A TA band has an inner and an outer edge. The inner edge is closer to the cell site, the outer edge is further away from the cell site. For a TA value of 1, the inner edge of the band would be 78.07 meters from the cell site, the outer edge of the band would be 156.14 meters from the cell site.

The distance inferred in TA records can generally be interpreted as identifying the inner edge of a TA band (see Figure 6).

TA data does not infer a precise distance between the cell site and a device. Instead, it is reporting the approximate band where the device is inferred to have been located at the time the data was captured.

Figure 7 shows two TA events (which occurred closely in time) whose bands overlap. By overlaying the intersecting TA bands, it is possible to provide a more precise estimate of an area where the device may be located. This is a lateration technique.

8. Data Interpretation

Historical Cell Site Location Information (CSLI) used in cell site analysis is typically obtained from historical Call Detail Records (CDR) sourced from the cell service providers. Cellular service providers often also maintain Specialized Historical Location Data for engineering and network optimization purposes through the normal course of business.

Some providers disclose TA data in the form of a band number, whereas others disclose TA as a distance. If a band number is disclosed, the distance associated with the inner edge of that TA band can be calculated as the band number multiplied by the TA step size for the associated technology. If a distance is disclosed, it should be interpreted as referring to the distance to the inner edge of the TA band. In all cases, the TA band or provided distance represents the inferred distance to the subject phone’s potential geolocation.

9. Uses of TA Data

TA data can be used to visually represent and identify movement patterns and analyze voids in usage data. It can also be used to identify and interpret patterns such as routes frequently traveled, speed of movement, periods of static activity, or changes in movement direction.

10. Geolocation Based Searches (Area Search)

Specialized Historical Location Data can also be obtained from location-based searches. Certain providers will supply devices within a provided search area, during a prescribed period of time. This data derives from the estimated device location, not TA (band distance) data.

11. References

[1] United States, House of Representatives, Congress. United States Code. Title 18, section 2703(f), U.S. Government Publishing Office, 30 Dec. 2011.

[2] United State, Congress, House of Representatives. United States Code. Title 18, section 2702(b)(8), U.S. Government Publishing Office, 30 Dec. 2011

[3] Forensic Analytics. https://www.forensicanalytics.io/uk/. Accessed 15 Jan. 2025.

12. Additional Resources

  • European Telecommunications Standards Institute (ETSI). “Term and Definitions Database Interactive (TEDDI).” ETSI, https://webapp.etsi.org/Teddi/. Accessed 14 Jan. 2025.
  • Hoy, Forensic Radio Survey Techniques for Cell Site Analysis. 2nd ed., Wiley, 2023.
  • Scientific Working Group on Digital Recommendations for Historical Cell Site Analysis. SWGDE 17-F-001-3.0. SWGDE, 2017, https://www.swgde.org/17-f- 001/.
  • Shakir, Zaenab, et al. “Measurement-based Geolocation in LTE Cellular Networks.” 2018 IEEE 8th Annual Computing and Communications Workshop and Conference (CCWC), Las Vegas, NV, 2018, pp. 852-856.
  • Third Generation Partnership Project (3PPG). https://www.3gpp.org/. Accessed 14 Jan. 2025.
  • Third Generation Partnership Project (3PPG). “Release 17 Description; Summary of Rel- 17 Work Items.” 3PPG, Mar. 2022.
  • United States, House of Representatives, United States Code. Title 18, section 2702(b)(8), U.S. Government Publishing Office, 2010.

13. History

Revision Issue Date History
1.0 DRAFT
01/15/2025
Initial draft created. SWGDE voted to approve as Draft for Public Comment.
1.0 DRAFT
02/10/2025
Formatted for release as a draft for public comment.
1.0 DRAFT
05/21/2025
Response to public comments and additional content added. Formatted for release as a draft for public comment.
1.0 DRAFT
05/21/2025
Definitions updated to be consistent with other documents. Updated RAR process (Section 6). Terms were updated in the document to be consistent with definitions.
1.0 DRAFT
06/29/2025
SWGDE voted to release as a Draft for Public Comment. Formatted for release for public comment.

Version: 1.0 (6/29/2025)

View Pdf