According to an exhibit introduced in the Dzhokhar Tsarnaev trial, the government subpoenaed T-Mobile on April 19, 2013  for the subscriber information from the two pre-paid phones used by the brothers during the attack. T-Mobile (unsurprisingly) replied that same day. The government appears to have redacted the fax time stamp to hide what time that occurred. But at that point, they were only getting subscriber information based off the phone numbers from phones they may or may not have had in custody.

Tamerlan had gotten his phone immediately after returning from Russia, but Dzhokhar got his just the day before the attack. Presumably, Tamerlan’s phone would have been used regularly (though we don’t know that — unless I’m mistaken, the government never submitted a summary of his calls). In addition to three calls with his brother during the actual attack and one between the time Sean Collier was killed and the time Tamerlan hijacked the Mercedes (Dzhokhar also communicated with Tamerlan via Skype during this period), Dzhokhar contacted several other people using his phone.

The government claims (dubiously) that it did not identify the brothers until after Tamerlan was fingerprinted at the hospital, which would have happened sometime around 1:06AM on April 19.

In a hearing against Dzhokhar’s buddies from summer 2014, a prosecutor questioning FBI Agent John Walker tried to place this time closer to 6:50AM, though I think this is based on the public release of Dzhokar’s ID, not the identification of Tamerlan’s.

Q. And by 6:50 a.m. Friday morning, April 19th, had the suspected bombers in those photographs been identified?

Walker. By 6:50 a.m. the FBI was certainly aware of the identity of one of those persons, then deceased, and the FBI publicized the name of the second person in the photograph, colloquially referred to as “White Hat” or “Bomber Number Two.” But, yes, we had.

Q. And how was it that the FBI was able to identify the individuals in those photographs?

Walker. We identified the first individual based on a positive comparison of his known fingerprints. A fingerprint from the decedent was transmitted to our facility in West Virginia, the repository for fingerprints, and within moments we had a positive identification on that person.

From Walker’s description, though, it should have taken place “just moments” after they got his fingerprints, so closer to 1:06 AM than 6:50 AM.

I’m interested in this because of Walker’s description of how they obtained and responded to information on Dzhokhar’s previous phone, one of four phones tied to an AT&T Friends and Family account under his name but billed to the buddies’ address.

Walker seems to suggest that they found these phones by Dzhokhar’s name, not by phone number, and only then discovered that Azamat Tazhayakov had been in contact with Dzhokhar (though I don’t see that in the phone records submitted at trial). This means that by 10, they were doing significant call record analysis on the AT&T phones, regardless of what they were doing on the T-Mobile phones.

Q: On the morning of April 19th, had the FBI received any information about telephones subscribed to Tsarnaev?

Walker: We had. We knew that Tsarnaev, Dzhokhar Tsarnaev, subscribed to four telephones with AT&T, and that the address that he provided and the address to which his telephone bills were sent was 69 Carriage Drive, New Bedford, Massachusetts.

One of those phones was significant to us immediately, because the telephone showed enormous and continuing and temporally significant connectivity with the late Tamrelan Tsarnaev, including around the time of the bombings.

Almost as importantly for my work there that day, a second of the telephones again subscribed by Tsarnaev happened to show connectivity with Dzhokhar Tsarnaev a few hours before the bombings that Monday, April 15th. The other two phones showed little, if any, recent connectivity to either of the Tsarnaev brothers.

Q: Was there a belief at the FBI at the time that telephones, mobile phones, were used during the execution of the bombing attack?

Walker: Yes.

Q: So, based on that information, this telephone information that you had received, subscriber information, what did the FBI do next?

Walker: Well, we were naturally all week long very concerned with regard to phones, because, as I have mentioned, we suspected that phones were used in the general commission of the act of terrorism on the Monday. We were also interested in potentially exploiting intelligence from the phones to locate the fugitive Tsarnaev.

[snip]

I received a call from the FBI Command Post in Boston that about 20 minutes earlier — and the time I received it I thought about 10:40 a.m. — but about 20 minutes earlier that the second phone in question that I just mentioned had transmitted a message to Russia, and that message had bounced off a tower located about a mile from the campus at UMass Dartmouth.

So, I believed at the time that there was a stronger possibility that Tsarnaev may have actually eluded capture in Watertown and might be transmitting communications from down in the New Bedford/North Dartmouth area.

Q: Now, talking about this phone, were the last four digits 9049?

Walker: Yes.

Q: And did you subsequently learn that the phone was used by one of the defendants?

Walker: I did.

Q: And which defendant was that?

Walker: Mr. Tazhayahkov. [sic]

Q: And a moment ago you said approximately shortly after 10:00 a.m. that one of the phones had sent a text message or had some activity with Russia?

Walker: Yes.

Q: How far was that tower that it bounced off from the defendants’ apartment?

Walker. From the defendants’ apartment it was — and I know this because I mapped it out after the fact — but it’s approximately 900 meters.

Q: Now, what, if any, belief — sorry. Strike that. During the afternoon of April 19th, 2013, was the FBI able to determine the location of any of Tsarnaev’s phones, Dzhokhar Tsarnaev’s phones?

Walker: Yes.

Q: And can you tell us what was learned that afternoon about where that phone was located?

Walker: We learned that the phone ending or having the suffix 9049 was physically present within, because we could not see it on the outside, but within 69 Carriage Drive in New Bedford. It’s a two-story, four-apartment building amidst a larger complex of similarly constructed buildings.

Q: So, based on that information, the FBI believed that one of Tsarnaev’s phones was located in 69 Carriage Drive; is that what you said?

Walker: Yes.

I’m still trying to make sense of this — I have no conclusions about it. I’m mostly trying to understand whether discovery of these phones followed one from another or not, and what database they used to do the analysis. I think it most likely they used AT&T’s onsite response, which should have had both AT&T and T-Mobile records, probably without a formal subpoena. You would think they would have formally served a subpoena before using the AT&T account to raid the New Bedford apartment, but they certainly didn’t get a warrant.

Update: There’s one more detail I can’t make sense of. Walker said that Dzhokhar logged into UMass Dartmouth’s system at 6:19 AM.

I learned later, but not too much later, we received a report on campus from the campus technology infrastructure that at 6:19 a.m. on the morning of Friday, April 19, that Tsarnaev had logged onto the system on campus. While I was determining whether that logon was remote or was — would suggest that he was physically present on campus, I received a second report from campus authorities that he logged on and was thought to be physically present on campus at 6:21 a.m. that Friday.

He would have been hiding in the Slip Away by this point.