Not all geolocation data is created equal

Geolocation data has become an indispensable tool in criminal investigations, offering unparalleled insights into the movements and whereabouts of mobile devices. This technological advancement provides law enforcement with the ability to reconstruct crime scenes, establish timelines, and verify alibis with a level of precision that was previously unattainable. The forensic examination of mobile digital devices can yield a wide variety of GPS-source information. With this information, investigators can track suspects and victims through their mobile devices, potentially leading to faster and more accurate case resolutions.

However, the integration of geolocation data into criminal investigations is not without its challenges and risks. Despite its powerful capabilities, reliance on this data must be approached with caution. Geolocation data alone may not provide the full context needed for a comprehensive understanding of an incident. Misinterpretation of location data or its use without corroborating evidence can lead to incorrect conclusions, which could significantly slow the investigative process.

It is crucial to understand both the strengths and limitations of geolocation data. Ensuring that this data is accurately collected, meticulously verified, and appropriately corroborated with other evidence is essential for maintaining the integrity of investigations. As the reliance on digital forensics grows, developing robust protocols and continuous training for handling geolocation data will be key to leveraging its benefits while mitigating its potential pitfalls. This balanced approach will help uphold the principles of justice and protect against the risks of technological errors in criminal investigations.

Importance of GPS data

Geolocation data offers several critical benefits that make it an indispensable resource in criminal investigations. Below, we delve into why geolocation data is helpful, highlighting its ability to pinpoint locations, establish timelines, and corroborate testimonies.

Pinpointing locations

Geolocation data allows investigators to determine the precise locations of individuals or devices at specific times. This capability is crucial in numerous scenarios:

  • Crime scene analysis: By pinpointing the exact location of a suspect or victim at the time of a crime, geolocation data can place individuals at the scene, providing strong evidence of their involvement or presence.
  • Tracking movements: Law enforcement can use geolocation data to track the movements of suspects over time, identifying patterns that might indicate criminal behavior or planning.

For instance, in recent cases, investigators have used geolocation data from suspects’ devices and vehicles (telemetry) to place them at the crime scenes, leading to their conviction for various crimes. This geolocation data was instrumental in building a solid case against the perpetrators.

Establishing timelines

One of the most valuable aspects of geolocation data is its ability to establish accurate timelines of events. This helps in:

  • Reconstructing events: Investigators can use timestamped location data to reconstruct the sequence of events leading up to, during, and after a crime. This detailed timeline is vital in understanding the dynamics of the incident.
  • Corroborating alibis: Suspects often provide alibis that can be verified or refuted using geolocation data. If a suspect claims to have been in a different location at the time of the crime, geolocation data can confirm or challenge that statement.
  • Identifying key moments: By pinpointing critical moments when key events occurred, investigators can focus their efforts on specific timeframes, making the investigation more efficient and targeted.

A recent case illustrates how geolocation data from mobile devices and accessories (watches) was analyzed to place the suspects at the crime scene.

Corroborating testimonies

Geolocation data serves as an objective source of information that can corroborate or contradict witness testimonies and suspect statements:

  • Validating statements: Witnesses and suspects may provide details about their whereabouts and activities. Geolocation data can be used to verify these claims, adding credibility to accurate statements, and exposing falsehoods.
  • Supporting witnesses: In some cases, witnesses may be reluctant or unable to provide detailed accounts. Geolocation data can fill in the gaps, providing independent verification of their testimonies.
  • Strengthening evidence: When combined with other forms of evidence, such as CCTV footage, forensic data, and physical evidence, geolocation data can significantly strengthen the overall case.

For example, in a kidnapping case, the victim’s account of their movements was corroborated by geolocation data from their mobile phone. This not only validated the victim’s testimony but also provided law enforcement with critical leads to identify and apprehend the kidnapper.

Case Study

In a recent case that utilized Magnet Graykey and Magnet Axiom to access and parse mobile devices, a group of individuals were engaging in a series of “Juggings”. A Jugging is where thieves look for individuals leaving banks or ATMs with large sums of cash and then follow them, hoping to find an opportunity to steal that money.

In this example, detectives identified a possible individual associated with the group; however, there was no evidence that could tie them fully to the string of Juggings. By focusing their efforts on the one individual, they were able to get enough probable cause to search for evidence of this and other crimes. The seizure of the mobile device and quick examination revealed a wealth of geolocation data tying the individual to several of the crimes.

After providing information about the other related individuals, searches and arrests were made. The analysis of the other seized devices revealed additional connections to robberies and juggings that took place around the city. The interconnectedness of the devices and robust geolocation data built a strong case against the group.

Geolocation data sources utilized in this investigation

EXIF data:

This data, embedded within a captured image, can contain valuable information. The information can include the date/time of the image’s capture, geolocation data, and device information. An example of EXIF data parsed within Axiom looks like this:

Cached locations:

This data contains information about whenever the device attempts to find its location. Fortunately, it contains an accuracy measurement, which we will see later is critical to fully interpreting this data. It is located at: /private/var/mobile/Library/Caches/com.apple.routined/Cache.sqlite. Data parsed by Axiom looks like this:

Axiom also provided a map preview with the geolocation data points. The preview is located just above the “details” pane and looks like:

Wi-Fi locations:

This information shows Wi-Fi networks identified by the phone. It needs to be verified against other information, as the phone could record the MAC address of a Wi-Fi network that was simply “driven by.”

However, in this case, the investigator was able to corroborate the MAC address of the Wi-Fi identified and obtain security camera footage that placed the subjects at one of the locations. This offense would not have been identified and/or tied into the string of robberies had the approximate location not been found in this category.

The data is contained within /private/var/root/library/caches/location/cache_encryptedB.db. Axiom parses this database, and the data looks like this:

Limitations of geolocation data

Mobile devices contain multiple sources of geolocation data, providing details like the location, time, and date of photos and other activities. However, care must be taken because this data can be interpreted incorrectly and is susceptible to tampering. Environmental factors, device settings, and user actions can all affect the accuracy of geolocation data, leading to potential errors in forensic analysis.

EXIF data is metadata contained within images. This data can contain information about date, time, capturing device, and geolocation data. However, EXIF data and cell phone artifacts can be manipulated or spoofed. Various tools are available that allow users to alter metadata in photos and other files, undermining the integrity of this data.

It is crucial to corroborate EXIF and cell phone artifacts with other evidence. Forensic analysts should adopt a comprehensive approach, integrating multiple data sources such as digital communications, witness statements, and physical evidence to form a more accurate and reliable picture. This multi-faceted strategy helps to mitigate the risk of errors and ensures a more thorough and just investigation process.

Let’s take a look at some test data and see why we need this corroboration. In this scenario, we have an “event” that takes place at 2:55:55 CST (7:55:55 UTC). From the “Cached Locations” artifacts parsed by Axiom, we find the following:

However, a few seconds later, the next data point places the device a considerable distance away from the event:

Why is this? The answer is the accuracy of the data captured by the device. Although the device had not moved, the two data points had significantly different accuracy. The accuracy difference between the two geolocation points is listed below.

In addition, located on the phone was an image. This image had embedded EXIF data with a geolocation data point at almost exactly the same time, but miles away from the location. 

How can this be? In this case, the image was texted to the phone from another device. A review of the other EXIF data revealed that it was taken by a completely different device. A complete review of the metadata was required to understand that the device was indeed at the location at the time in question. 

Timestamps and geolocation data can be manipulated utilizing common software to make it look like a device was actually somewhere else. It is important to know that not all geolocation data is created equal. In this instance, if care wasn’t taken during the examination of geolocation data, incorrect assumptions could be made about the device’s location that could hamper prosecution. 
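
The two checks from the test scenario above, written out as an added example (not code from the original article or from Magnet's tools): whether two cached-location fixes can both describe a stationary device given their accuracy radii, and whether a photo's EXIF says it was captured by the examined phone. The coordinates, accuracy values, date and device models are constructed, and the record field names (`utc`, `acc_m`, `make`, `model`) are assumptions, not Axiom's export format.

```python
import math
from datetime import datetime, timezone

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 coordinates."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6_371_000 * math.asin(math.sqrt(a))

def compare_fixes(a, b):
    """Could both fixes describe one stationary device, given their accuracy radii?"""
    dist = haversine_m(a["lat"], a["lon"], b["lat"], b["lon"])
    secs = abs((b["utc"] - a["utc"]).total_seconds())
    return {
        "distance_m": round(dist),
        "stationary_possible": dist <= a["acc_m"] + b["acc_m"],
        # Speed the device would need if both points were taken at face value.
        "implied_kmh": round(dist / secs * 3.6) if secs else None,
    }

def best_fix(fixes, event_utc, window_s=60):
    """Most accurate fix within window_s seconds of the event, or None."""
    near = [f for f in fixes if abs((f["utc"] - event_utc).total_seconds()) <= window_s]
    return min(near, key=lambda f: f["acc_m"], default=None)

def exif_from_examined_device(exif, device):
    """False when the capturing make/model differs from the examined phone.
    A match is necessary, not sufficient: identical models exist."""
    return (exif.get("Make"), exif.get("Model")) == (device["make"], device["model"])

# Constructed sample data (not taken from the case or the article's screenshots).
EVENT = datetime(2024, 1, 15, 7, 55, 55, tzinfo=timezone.utc)
FIXES = [
    {"utc": EVENT, "lat": 32.7767, "lon": -96.7970, "acc_m": 10.0},
    {"utc": EVENT.replace(second=59), "lat": 32.7900, "lon": -96.7970, "acc_m": 1800.0},
]
PHOTO_EXIF = {"Make": "Apple", "Model": "iPhone 12"}   # photo found on the phone
EXAMINED = {"make": "Apple", "model": "iPhone 14"}     # the seized device

if __name__ == "__main__":
    print(compare_fixes(*FIXES))     # far apart, yet inside the combined radii
    print(best_fix(FIXES, EVENT))    # the fix to rely on near the event
    print(exif_from_examined_device(PHOTO_EXIF, EXAMINED))
```

A large displacement with `stationary_possible` true and an implausible implied speed points to a low-accuracy fix rather than movement; a photo that fails the EXIF check locates the device that took it, not the phone it was found on.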

Conclusion

In conclusion, geolocation data has undeniably transformed the landscape of criminal investigations, offering law enforcement agencies unprecedented capabilities to pinpoint locations, establish timelines, and corroborate testimonies with remarkable precision. The integration of this data has proven instrumental in solving complex cases more efficiently and accurately, as evidenced by numerous successful investigations.

However, it is essential to recognize and address the challenges and limitations inherent in the reliance on geolocation data. The potential for misinterpretation and tampering underscores the necessity for a cautious and comprehensive approach. Investigators must meticulously verify geolocation data and corroborate it with other forms of evidence to ensure the integrity and accuracy of their findings.

As the field of digital forensics continues to evolve, it is imperative to develop robust protocols and invest in continuous training for handling geolocation data. This balanced approach will enable law enforcement to harness the full potential of geolocation technology while safeguarding against its potential pitfalls. Ultimately, a judicious combination of geolocation data with traditional investigative techniques will help uphold the principles of justice, ensuring accurate and just outcomes in criminal investigations.

Reviewing evidence to include geolocation data is easy in Magnet Review and Magnet Axiom. In Magnet Review’s World Map view, you can easily navigate through the plotted data points to find the critical piece of evidence you are looking for: