As a former law enforcement officer, I am cognizant of the importance of location information. Using this type of data we were often able to tie a party involved in an investigation to a particular place and time. Back then, location data might have come from a witness statement, surveillance video, audio capture, or another archaic source. Today, there are almost 8 billion beacons around the world carried in the pockets of humans, offering investigators a wealth of information about individuals’ whereabouts. However, many times this captured location information from an individual’s mobile device is overlooked by the agent.
Digital forensic investigators often rely on the data at hand on the physical device (e.g., parsed applications on the device, chat messages, media) to make a determination of location at a particular date and time. This is often fruitful using digital examination tools and training, but what if the necessary data is not stored on the device? What if the device is locked with a passcode, wiped, unavailable, or destroyed? This has been, and will more often be, a problem with investigations into digital data on mobile devices. With these limitations investigators will need additional sources of data.
The data stored within the cloud for each individual using a mobile device can be many times larger than that of the mobile device. From backups to the storage of app data, a user’s cloud can be massive. Just think of your own device. When you uninstall an app or switch out a phone, you simply have to download the app and re-authenticate, and magically the app populates the data. This data in the cloud can be a treasure trove of evidence. What about services on the device that are not really an app, but are just a digital breadcrumb of a service?
Google Location is a service that is not new, but collects a scary amount of user data – fantastic as a digital forensic examiner. Google flat out explains, much like Amazon or other data companies, that data will be used to make their services better. With that being said, Google will capture the location of the device to better the usage of an application’s location services, their own Wi-Fi Positioning Service, or other “additional” services. The use of the Wi-Fi positioning service is brilliant for examiners, especially when users do not have GPS on their devices or even turn it off. Since the capture of GPS data is done by crowd sourcing, a user’s Wi-Fi can actually determine their location because a previous user had their GPS enabled and reported that location of the access point BSSID. Now, a user walks by and the location simply registers (not even authenticates) the coordinates onto the user’s device. BOOM, a GPS point is created into Google Location services for the user’s account.
A great example can be seen in the image below, which shows the area surrounding our headquarters in Alexandria, Virginia, USA. This is a simple dump of data using Oxygen Forensic Detective’s built-in Oxygen Forensic Cloud Extractor and the selection of my Google Location. Those are not crayon marks or added lines, but routes created by the raw data extraction containing location information. By closer inspection along the Potomac there is a great running path I frequent in the mornings and there is a clear line up and back. It should be noted I do not have a tracking application running at anytime, simply my device in my pocket. Furthermore, Google Location is not an app that is installed but a service that other apps can access when needed and also used by Google to “improve” services. This means the app is not parsed or generally supported by commercial tools.
So, what does this mean to you the investigator? Maybe you do not have an application which shows the device was in the area. However, with a cloud extraction an investigator can filter the data to the date/time in question and determine location of the account and possibly the individual. Google Location data, along with other app data, can be the smoking gun an investigator needs. Best yet, Google Locations are captured for any device (laptop, Apple, Android) where the user is signed into their account. Again, this information can be extraordinary in today’s investigations.
By using data from multiple sources (e.g., mobile device, cloud backups) an investigator can turn a circumstantial case into one that is bullet proof. Today’s investigators need to be ready to look in other sources for that digital gold. Good luck!