Today’s mobile devices, which are basically small computers with enormous computing power, are continually working in the background even when we are not actively interacting with them. They are looking for software updates, checking the closest available cellular towers for incoming information, checking remote servers for email, etc. Ever wonder why your battery drains even on those days when you barely touch your phone? This is why. The upside to this for the forensic investigator is that much of this activity, some of which includes geolocation data, is recorded and stored within databases and files on the phone. The downside for criminals and civil litigants is exactly the same. The key for attorneys is knowing that this evidence exists and either protecting their client from it or exploiting it if it is exculpatory.
What we want to focus on in this article is geolocation data stored on the phone and, more specifically, how it can be used in conjunction with call detail records obtained from the service provider via a properly worded court order – remember to never use a subpoena to obtain call detail records.
Geolocation

Geolocation, which is the process or technique of identifying the geographical location of a person or device by means of digital information processed via the Internet, can be extremely damning or exculpatory. Either way, it is critical information to have in any case where the location of your client is at issue.
Not all location data is stored on the phone. It is therefore important to conduct a forensic analysis of both the mobile device and the associated call detail records. Using both, an accurate timeline of geolocation data can be created and used in such a way that it will be very difficult to refute.
Geolocation in Action

In a recent case, we analyzed approximately 3,500 photos obtained from an iPhone 6 in conjunction with call detail records obtained via court order. From the photos alone, we could trace the whereabouts of the owner on various days throughout the past year. Combining this with the information we obtained from the subscriber call detail records (CDRs), we could pinpoint the user’s location numerous times every day for the past year. This provided the attorney with valuable information from which he could prepare his argument and counter the prosecution’s assertions regarding his client.
Don’t Get Buried in Data

As we have discussed in previous articles, the amount of information available from a mobile device can be enormous and often overwhelming. In a recent case, we were asked to produce a report for text messages along with their associated timeline. This report totaled over 2,500 pages. A complete report with all the information extracted from the phone would have easily approached 15,000 pages. Without specified search parameters, the amount of information obtained from a mobile device can quickly become impossible to parse manually. It is therefore critical that a forensic mobile device analysis be confined to specific information, e.g., numbers, persons or timelines; otherwise, money can be wasted on unneeded analysis of irrelevant data.
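The cross-referencing and scoping described above, as an added example that is not the author's tooling or case data: photo geotags and CDR tower events are merged into one timeline confined to a date window, and each photo is compared with the nearest-in-time CDR event. All records, field names, the 15-minute window and the 10 km tolerance are constructed assumptions.

```python
import math
from datetime import datetime, timedelta

# Constructed sample records; field names and values are assumptions for illustration.
PHOTOS = [  # handset side: EXIF capture time (UTC) and GPS position
    {"src": "photo", "id": "IMG_0101.JPG", "utc": "2016-03-04T14:02:10", "lat": 35.2271, "lon": -80.8431},
    {"src": "photo", "id": "IMG_0102.JPG", "utc": "2016-03-04T18:45:00", "lat": 35.7796, "lon": -78.6382},
    {"src": "photo", "id": "IMG_0250.JPG", "utc": "2016-06-11T09:00:00", "lat": 35.2271, "lon": -80.8431},
]
CDRS = [  # carrier side: event time (UTC) and location of the serving tower
    {"src": "cdr", "id": "voice-out", "utc": "2016-03-04T13:58:00", "lat": 35.2300, "lon": -80.8400},
    {"src": "cdr", "id": "sms-in", "utc": "2016-03-04T18:40:00", "lat": 35.2300, "lon": -80.8400},
]

def km_between(a, b):
    """Great-circle (haversine) distance in km between two records."""
    p1, p2 = math.radians(a["lat"]), math.radians(b["lat"])
    dlon = math.radians(b["lon"] - a["lon"])
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def timeline(photos, cdrs, start, end):
    """Merge both sources, keep only events inside [start, end], sort by time."""
    events = [dict(e, t=datetime.fromisoformat(e["utc"])) for e in photos + cdrs]
    return sorted((e for e in events if start <= e["t"] <= end), key=lambda e: e["t"])

def cross_check(events, window=timedelta(minutes=15), max_km=10.0):
    """Compare each photo with the nearest-in-time CDR event (tolerances are assumed)."""
    cdrs = [e for e in events if e["src"] == "cdr"]
    results = []
    for p in (e for e in events if e["src"] == "photo"):
        near = [c for c in cdrs if abs(c["t"] - p["t"]) <= window]
        if not near:
            results.append((p["id"], "no CDR event in window"))
            continue
        c = min(near, key=lambda c: abs(c["t"] - p["t"]))
        # "conflict" only flags the pair for examiner review (clock drift, edited EXIF, etc.)
        verdict = "consistent" if km_between(p, c) <= max_km else "conflict"
        results.append((p["id"], verdict))
    return results

if __name__ == "__main__":
    scoped = timeline(PHOTOS, CDRS, datetime(2016, 3, 4), datetime(2016, 3, 5))
    for e in scoped:
        print(e["t"].isoformat(), e["src"], e["id"], e["lat"], e["lon"])
    print(cross_check(scoped))
```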
In Conclusion

Most mobile device forensic experts will offer a free consultation regarding best practices as they relate to your case. You should take advantage of their expertise and prepare an educated battle plan rather than blindly pursue a mobile device forensic analysis. If your client had a mobile device during the time period in question, you cannot afford not to know what information this device contains. To do otherwise would be doing your client a disservice.

Darryl Bullens, CPE, CTF, CCLO, CCPA