Call Detail Records Analysis with Connected Data

Call Detail Records (CDRs) offer a wealth of potential insights, but their analysis is hindered by several challenges. Traditional tools struggle to handle the massive volume and intricate structure of CDR datasets, often limited to static and linear data views. This makes it difficult to identify complex patterns, relationships, and anomalies. Furthermore, fragmented workflows and manual tasks slow down analysis and increase the risk of errors. To fully harness the value of CDR data, more advanced, integrated solutions are necessary to address these limitations and enable efficient, comprehensive analysis.

Call Detail Records (CDRs) hold immense potential, but their complex and interconnected nature makes extracting actionable insights a challenge for traditional tools. Static, table-based approaches fail to reveal the hidden relationships and multi-step connections that are critical in investigation

Why Connected Data is Ideal for Call Detail Records Analysis 

GraphAware Hume, a graph-native connected data analytics platform, transforms CDR analysis by leveraging the inherent relationships within the data. With its ability to map dynamic networks, handle massive datasets, detect patterns, and integrate external intelligence sources, Hume empowers analysts to uncover hidden connections, identify key players, and generate actionable insights with speed and precision.

This chapter explores how connected data and Hume’s graph-native capabilities address the limitations of traditional tools, enabling a more comprehensive and effective approach to CDR analysis.

The Power of a Graph-Native Tool 

GraphAware Hume leverages graph databases, such as Neo4j, to represent CDR data as networks of interconnected entities, which aligns naturally with the structure of communication records. 

• Modelling Relationships Naturally: Graph databases excel at representing connections—whether between phone numbers, locations, or timestamps—making it easier to map interactions and associations within large datasets. 
• Intuitive Visualisation: GraphAware Hume provides powerful visualization tools that allow analysts to see complex connections at a glance. Networks of calls, common contacts, or geospatial overlaps can be explored interactively, enabling faster and more informed decision-making. 

This graph-native approach transforms static, linear data into dynamic, relational insights, empowering users to uncover patterns that traditional tools often miss. 

This graph-native approach transforms static, linear data into dynamic, relational insights, empowering users to uncover patterns that traditional tools often miss. 

Advanced Data Visualisation 

GraphAware Hume’s Action Boards are a game-changer for analysts working with complex datasets, providing a centralised, interactive dashboard that delivers a comprehensive snapshot of the data at once. These boards allow users to visualise the entirety of their dataset in an intuitive and structured format, showcasing key metrics, relationships, and trends in real time. By integrating data from multiple sources into a single interface, Action Boards eliminate the need to switch between tools or manually cross-reference information, saving valuable time and reducing the risk of oversight.

With customisable widgets and dynamic visualisations, analysts can tailor their view to focus on the most relevant data points, such as high-priority alerts, anomalies, or emerging patterns. This holistic approach enables rapid identification of critical insights and connections, empowering users to make informed decisions with confidence. Whether it’s mapping networks, identifying clusters, or monitoring real-time activity, GraphAware Hume’s Action Boards transform raw data into actionable intelligence, providing the clarity and efficiency needed for high-stakes investigations and analysis.

Advanced Analytics for CDR Data

GraphAware Hume enhances CDR analysis through advanced features designed to identify entities, relationships, and anomalies in vast datasets.

• Entity Extraction and Linking: GraphAware Hume automatically extracts and links critical entities, such as phone numbers, call timestamps, and geolocations, from structured and unstructured data sources.
• Relationship Detection: By analyzing the graph structure, GraphAware Hume can identify key relationships, such as frequent contacts, clusters of interconnected individuals, or suspicious communication patterns.
• Pattern Recognition: Advanced algorithms detect anomalies, such as unusually high call volumes or calls outside of typical time ranges, which could indicate fraud or illicit activities.

These analytics capabilities reduce manual effort and ensure that actionable insights are surfaced efficiently.

Seamless Integration and Enrichment

Hume Orchestra is a powerful component of GraphAware Hume that enables real-time data processing, advanced analytics, and seamless enrichment of Call Detail Records (CDRs). Designed to handle complex and dynamic datasets, Hume Orchestra ensures that analysts can extract actionable insights quickly while maintaining a holistic view of the data.

Key Capabilities of Hume Orchestra

• Real-Time Data Ingestion and Processing
  Hume Orchestra can ingest CDR data streams in real time from multiple sources, including telecom providers, internal databases, and external intelligence feeds. By processing data as it arrives, analysts can monitor live communication patterns, detect emerging events, and respond to time-sensitive scenarios instantly.
• Automated Data Enrichment
  One of Orchestra’s standout features is its ability to enrich raw CDR data by integrating it with external datasets. This includes:
  • OSINT Data: Overlay open-source intelligence to provide additional context, such as connections to individuals, locations, or organisations.
  • Geospatial Enrichment: Combine cell tower data with location intelligence to track movement patterns or identify meeting points.
  • Alias Resolution: Cross-reference device dumps (e.g., Cellebrite) to resolve individuals using multiple SIM cards or devices.
  • Financial and Internal Data: Integrate transaction records, criminal reports, and internal intelligence to build a complete investigative picture.
• For example, Orchestra can automatically identify if multiple phone numbers (e.g., from CDRs) share the same device, linking alias identities in fraud or organised crime cases.
  
• Advanced Analytics and Automation
  Hume Orchestra leverages graph algorithms and machine learning to perform advanced analytics, such as:
  • Pattern Detection: Identify frequent communication groups, unusual spikes, or outlier behaviours.
  • Network Analysis: Detect brokers, influential nodes, and multi-step connections within large datasets.
  • Anomaly Detection: Highlight irregular patterns in call duration, timing, or frequency that could indicate illicit activity.
• By automating these processes, Orchestra reduces manual effort and accelerates the discovery of meaningful insights.
  
• Scalable and Flexible Integration
  Hume Orchestra supports flexible workflows, allowing analysts to integrate data seamlessly from multiple formats and sources. It normalizes and aligns data dynamically, ensuring consistency across records even when formats vary (e.g., +420123456789 vs. 00420123456789). This flexibility enables analysts to focus on analysis rather than manual data reconciliation.

This seamless integration streamlines workflows, eliminates the need for tool switching, and amplifies the power of CDR analysis with additional context and insights.

With its graph-native capabilities, advanced analytics, and seamless data integration, GraphAware Hume is uniquely positioned to overcome the challenges of traditional CDR analysis. Whether for law enforcement, intelligence, or corporate investigations, GraphAware Hume equips analysts with the tools they need to uncover the hidden stories within complex datasets. For example, the Western Australia Police Force deployed a graph database platform powered by GraphAware Hume and Neo4j: ​​within four months, they were able to ingest data from data silos scattered throughout the organisation and create a consolidated single view of intelligence. Data queries that once took hours now happen in an instant, empowering law enforcement to act swiftly and dynamically react to changes in real time.

Why It Matters for CDR Analysis

Traditional CDR tools struggle with static, fragmented, and incomplete data. Hume Orchestra overcomes these limitations by:

• Delivering real-time processing for time-sensitive investigations.
• Automating data enrichment to provide deeper context and connections.
• Applying advanced analytics to uncover hidden patterns and relationships.

With Hume Orchestra, analysts can dynamically process, enrich, and analyze CDR data at scale, ensuring a faster and more comprehensive understanding of communication networks. This empowers investigative teams to make informed decisions, uncover hidden narratives, and act with confidence.

Graph Data Science for CDR Investigations

Graph Data Science (GDS) enhances the analysis of Call Detail Records (CDRs) by leveraging sophisticated algorithms to uncover hidden patterns, relationships, and behaviors. By applying graph algorithms to CDR data, investigators can gain deeper insights into communication networks, making GraphAware Hume an indispensable tool for CDR investigations. 

Graph algorithms for community detection identify clusters of interconnected nodes—such as groups of phone numbers that frequently communicate. These clusters are pivotal for identifying relationships and patterns within Call Detail Records (CDRs), providing actionable insights for investigators.

Uncovering Criminal Networks

Community detection can reveal clusters of individuals that form tight-knit groups, such as organised crime rings or fraud syndicates, by analysing patterns of frequent, reciprocal, or highly specific communication. For example, if multiple phone numbers exhibit repetitive, closed-loop calling behaviour within a short time frame, it could indicate coordination within a criminal cell. Analysts can then overlay additional data—like location patterns or external intelligence—to confirm the existence of a network.

Detecting Close-Knit Groups

These algorithms also help identify social or professional groups based on shared communication behaviour, enabling investigators to focus on relevant entities. For instance, detecting a group of employees who frequently communicate outside of working hours might suggest potential information leaks, collusion, or corporate espionage.

Benefits for CDR Investigations

• Prioritising Investigations: By automatically clustering entities into communities, analysts can quickly prioritise areas of interest and focus resources on the most relevant or suspicious groups.
• Behavioural Insights: Community detection helps uncover behavioral dynamics, such as key communication hubs (e.g., leaders or coordinators), brokers connecting separate groups, or outliers whose communication behaviour differs significantly.
• Dynamic Visualisation: With tools like GraphAware Hume, community detection outputs can be visualised dynamically. Investigators can explore clusters interactively, identify connections within and between communities, and track changes over time.

By identifying these communities, analysts can quickly prioritize areas of interest and focus resources on groups that exhibit suspicious or anomalous activity. 

PageRank and Centrality Analysis in CDR Analysis

In Call Detail Records (CDR) analysis, PageRank and centrality measures play a critical role in identifying key nodes (individuals, devices, or entities) and understanding the structure of communication networks. These graph algorithms provide insights into the influence, importance, and roles of specific nodes within a network, enabling investigators to uncover hidden relationships and prioritise targets.

1. Identifying Key Nodes with PageRank

PageRank, originally developed to rank web pages, measures the relative importance of nodes within a network based on their connections. In CDR analysis, this translates to identifying individuals or devices that serve as central hubs of communication.

• Practical Use Case:
  Consider a criminal network where multiple phone numbers are communicating frequently. PageRank highlights the most influential nodes—those with numerous connections or connections to other highly connected individuals.
  • For instance: If Person A communicates with 20 different individuals, while Person B connects to only 2, Person A will have a higher PageRank. However, if Person B’s connections are to other central figures, their importance increases, as PageRank accounts for both quantity and quality of connections.
• Value in Investigations:
  • Identify leaders or coordinators in organized crime or fraud networks.
  • Prioritise key individuals who act as information hubs in the network.

Example: A CDR analysis reveals Person X as the “most important” node because they have direct and indirect connections to all other critical individuals. PageRank allows investigators to focus efforts on Person X as a likely leader or facilitator.

2. Highlighting Network Roles with Centrality Measures

Centrality algorithms determine the position and influence of nodes within a network based on various metrics. Different centrality measures provide unique perspectives on the structure and behaviour of communication networks:

• Degree Centrality:
  Measures the number of direct connections a node has.
  • Use Case: Detect individuals making a high volume of calls or messages, indicating key communicators or coordinators.
  • Example: A suspect with a high degree centrality may be managing communications within a fraud ring.
• Betweenness Centrality:
  Identifies nodes that act as bridges or intermediaries between other nodes.
  • Use Case: Highlight individuals who facilitate communication between disconnected groups (e.g., brokers in criminal networks).
  • Example: A person connecting two isolated clusters could indicate a middleman or information courier. Removing this node could disrupt communication flow.
• Closeness Centrality:
  Measures how quickly a node can reach all others in the network.
  • Use Case: Identify individuals who are well-connected and capable of disseminating information quickly.
  • Example: In a time-sensitive investigation, nodes with high closeness centrality might be key for spreading instructions or coordinating activities.

3. Describing the Network

PageRank and centrality measures together allow investigators to understand the broader structure and dynamics of a communication network:

• Hubs and Influencers: Key individuals who drive communication, such as leaders or coordinators.
• Brokers: Intermediaries who bridge otherwise disconnected parts of the network.
• Clusters: Groups of tightly interconnected nodes that may indicate coordinated activity.
• Outliers: Individuals who are weakly connected but may play niche or emerging roles.

Practical Examples in CDR Analysis

Imagine analysing CDR data for a suspected drug trafficking ring:

• PageRank identifies the most influential phone number (e.g., the leader) as the central hub of communication.
• Betweenness Centrality highlights a broker who connects multiple groups (e.g., supplier, transporter, and distributor).
• Degree Centrality reveals a heavily connected node making frequent calls to multiple individuals.

By combining these insights, investigators can:

1. Map out the hierarchy of the network (leaders, intermediaries, and subordinates).
2. Prioritise targets for surveillance, questioning, or further investigation.
3. Understand communication flow and identify critical points where disrupting connections can collapse the network.

PageRank and centrality measures are essential tools for analyzing CDR data, as they highlight key players, communication hubs, and network structures. By visualizing these insights in a graph-native tool like GraphAware Hume, investigators can quickly uncover critical relationships, prioritize nodes for investigation, and describe the full scope of a communication network with clarity and precision.

High-Risk Nodes and Behavioural Analysis

In Call Detail Record (CDR) analysis, identifying and prioritising high-risk nodes—individuals or entities exhibiting suspicious or abnormal behaviours—is critical for effective investigations. By leveraging graph analytics and behavioural analysis, investigators can surface anomalies, detect influential nodes, and uncover hidden patterns in communication networks.

1. Identifying High-Risk Nodes

High-risk nodes are identified based on behavioural deviations and their structural roles in the network. Investigators can use advanced analytics to detect:

• Anomalies: Unusual communication patterns, such as sudden spikes in call frequency, odd call durations, or communications at irregular hours.
• Outliers: Nodes that connect to otherwise isolated groups or exhibit behavior inconsistent with others in the network.
• Brokers: Nodes that act as intermediaries between disconnected groups, facilitating the flow of information.

Key Techniques:

• Degree Analysis: Identify nodes with unusually high or low connections.
• Temporal Analysis: Highlight irregular call patterns (e.g., nighttime calls or bursts of activity).
• Behavioural Comparison: Compare node behavior to the baseline network activity to detect deviations.

2. Prioritising Targets

Once high-risk nodes are identified, investigators can prioritise them based on their role, behaviour, and significance in the network:

• Central Hubs: Nodes with the most connections or influence (e.g., leaders or coordinators).
• Anomalous Nodes: Individuals whose activity deviates from the norm (e.g., irregular calls or connections to new, suspicious entities).
• Intermediaries: Brokers or bridges connecting disparate parts of the network, whose removal can disrupt communication flow.

3. Real-World Scenarios

Scenario 1: Counter-Terrorism Investigation

A group of suspected extremists is under investigation, and CDR analysis reveals:

• High-Risk Node: A phone number (Node A) with sudden spikes in call activity to new, previously unrelated contacts during the lead-up to an attack.
• Behavioural Insight: Temporal analysis shows late-night calls and communication bursts inconsistent with the rest of the group.
• Outcome: Investigators prioritise surveillance on Node A, uncovering the individual as a coordinator organising activities across different cells.

Scenario 2: Financial Fraud Network

A fraud ring is suspected of executing coordinated scams across multiple locations:

• High-Risk Node: A phone number (Node B) communicating with several disconnected entities, acting as a broker between groups executing the scam.
• Behavioural Insight: The node has short-duration calls at regular intervals, suggesting structured and repetitive coordination.
• Outcome: Investigators focus on Node B, identifying them as the middleman who distributes instructions and connects different participants in the fraud.

Scenario 3: Human Trafficking Operation

In a human trafficking investigation, CDR analysis uncovers:

• High-Risk Node: A single phone number (Node C) appearing across multiple locations and frequenting calls with two known traffickers.
• Behavioural Insight: Geospatial analysis shows Node C’s location aligning with drop-off points, while behavioural analysis detects calls during transit hours.
• Outcome: Node C is identified as a logistics coordinator, facilitating the movement of victims between regions.

4. Benefits of Behavioural Analysis in CDR Investigations

Behavioural analysis combined with graph insights allows investigators to:

• Surface Hidden Threats: Identify nodes with abnormal behaviour that may otherwise remain unnoticed.
• Disrupt Networks: Prioritise high-risk targets like coordinators or brokers whose removal can destabilise operations.
• Detect Emerging Patterns: Uncover new behaviours or entities entering a network, signalling potential threats.

Structural Insights: Triangle Nodes and Network Patterns 

In Call Detail Record (CDR) analysis, understanding the structural properties of a communication network can provide valuable insights into relationships, behaviours, and coordinated activities. By analysing network patterns—such as triangle nodes, clusters, and recurring motifs—investigators can uncover hidden connections, identify trusted relationships, and detect signs of organised or anomalous activity.

1. Triangle Nodes: Identifying Trusted Relationships

A triangle node occurs when three entities (e.g., phone numbers) are all interconnected. This triadic closure is often indicative of strong, trusted relationships or coordinated activity within a group.

• Use Case in CDR Analysis:
  • Investigators analysing a criminal network may find multiple triangle nodes among individuals frequently communicating with each other.
  • For example, if Person A, Person B, and Person C all call one another regularly, it suggests a tightly knit subgroup—likely core members of an organisation, such as a leadership cell.
• Insights Gained:
  • – Core Group Detection: Triadic patterns highlight tightly bound entities, enabling investigators to focus on the most active or critical nodes.
  • – Trust and Collaboration: Triangles often indicate strong trust between individuals, common in organised crime, fraud rings, or corporate collusion.

2. Network Patterns: Uncovering Coordination and Emerging Threats

Network patterns, such as recurring motifs and clusters, reveal higher-level behaviours and organisational structures in CDR data.

• Key Patterns to Analyse:
  • – Tightly Knit Clusters: Groups of interconnected nodes indicate coordinated teams, such as operational units or social circles.
    • Example: In a drug trafficking case, a cluster of phone numbers communicating repeatedly at odd hours points to a distribution team.
  • – Star Patterns: A central node connected to multiple others may represent an influencer, broker, or communication hub.
    • Example: A single phone number coordinating calls to ten other nodes might indicate a leader distributing instructions to subordinates.
  • – Chains or Paths: Linear paths of nodes represent communication relays, where intermediaries pass messages along a chain.
    • Example: In human trafficking, intermediaries acting as “middlemen” relay instructions between coordinators and field operators.
• Benefits:
  • – Detect hierarchies or information flow within a network.
  • – Identify brokers whose removal would disrupt communications.
  • – Surface outlier nodes—entities weakly connected to others but exhibiting unusual behaviour.

Figure 7 – Triangular Relationships

3. Motifs: Repeating Patterns That Signal Systematic Behaviour

Motifs are recurring subgraphs or patterns within a network. They often signal systematic workflows, repeated behaviours, or coordinated operations.

• Use Case in CDR Analysis:
  • Detecting a repeating pattern where certain phone numbers exhibit a structured call order— e.g., Node A → Node B → Node C—at the same time daily.
  • Such motifs may indicate:
    • – Call Relay Mechanisms: To evade detection, individuals may use structured relays to pass messages.
    • – Automated Activity: Fraud schemes where scripted calls occur at regular intervals.
• Insights Gained:
  • – Highlight systematic behaviours that deviate from normal patterns.
  • – Uncover sophisticated coordination in criminal operations.

Figure 8 – Recurring network patterns

4. Structural Analysis to Detect Anomalies

By examining structural properties, investigators can detect nodes that break expected patterns:

• – Missing Connections: Gaps in an otherwise interconnected network may indicate deliberate isolation (e.g., lone actors or burner phones).
• – Outlier Nodes: Nodes with unusual structural positions—like weakly connected entities suddenly linked to multiple clusters—can signal new or emerging threats.

Example: In a fraud investigation, a phone number previously inactive becomes highly connected to multiple nodes across different clusters, signalling a potential new operator entering the network.

5. Real-World Scenarios

• Organised Crime: Triangular relationships between three phone numbers reveal a trusted group coordinating activities. Identifying these core clusters enables law enforcement to prioritise surveillance on key players.
• Fraud Detection: Star patterns highlight central figures who distribute instructions across the network, making them high-value targets for disruption.
• Terrorism Investigations: Chains or relay patterns expose communication workflows between leaders and field operatives, helping analysts uncover hierarchies and disrupt operations.

Conclusion

Call Detail Records (CDRs) are a vital resource for uncovering communication patterns, identifying key players, and driving investigations across law enforcement, intelligence, and corporate sectors. However, the sheer scale, complexity, and interconnected nature of CDR data present significant challenges for traditional tools.

GraphAware Hume provides a transformative solution through its graph-native analytics, real-time processing, and seamless data enrichment capabilities. By leveraging advanced techniques such as community detection, PageRank and centrality analysis, and structural insights, Hume empowers analysts to reveal hidden relationships, detect anomalies, and prioritise high-risk targets efficiently.

Hume’s ability to integrate CDR data with external intelligence sources, normalise inconsistent formats, and visualise dynamic networks ensures that investigators can extract actionable intelligence with clarity and precision. Whether uncovering organised crime, fraud networks, or operational workflows, GraphAware Hume turns static CDR data into a living, connected narrative.In a world where timely, data-driven decisions can make all the difference, Hume equips investigative teams with the tools they need to connect the dots, uncover the truth, and act with confidence.

Iulian Timischi

Intelligence Analyst Consultant