by Patrick Siewert, Principal Consultant, Pro Digital Forensic Consulting
It’s becoming common knowledge that location evidence on cellular devices can provide a wealth of evidence in any number of civil, criminal and investigative matters. Law enforcement agencies use cellular location evidence from service providers to help place a criminal suspect at or near a crime scene in a given time frame. Search and rescue analysts can use cellular call detail records to help locate missing persons as well. And as we’ve detailed in previous articles, this type of evidence can be useful in any number of other matters, from divorce to alimony to fraud investigations and beyond.
So where does all of this evidence come from and how can we best utilize it? It can come from a variety of different places, but the two main areas are the mobile device itself and the records from the cellular provider. Proper legal authority needs to be in place to obtain the data from either source as well, but with the right training and experience, an investigator or consultant can help with obtaining those items. Once the data is in-hand, any number of tools and approaches can help parse out the relevant data and map locations that may be of interest in the case.
In the example cited in this article, the data was extracted from an Apple iPhone 7 through an advanced logical extraction using Cellebrite Universal Forensic Extraction Device (UFED) Physical Analyzer. Because I’ve been doing a lot of traveling lately and using the Waze app to find my way around various US-based locations, I decided to use Waze as a case study in location information. Cellebrite UFED does natively parse this data (see fig. 1), but does not natively map the locations.
As you can see, Cellebrite adequately pulled GPS locations, dates, times and even addresses that were stored in Waze. The list is longer, but figure 1 gives us a sample of a few months of Waze usage throughout various locations.
But again, Cellebrite does not natively map this data. So how can we see this graphically and perhaps even create a demonstrative for use in court? Enter the cellular record analysis and location mapping tool, CellHawk from Hawk Analytics. CellHawk is an online tool that will natively read, parse and map location data from any of the major cellular providers as obtained through a search warrant or court order. However, as I learned recently by attending the CellHawk training, it can also map anything with a date, time and GPS coordinates. The tool just takes a little manual configuration once the data is exported in Cellebrite.
For this demonstration, I simply had to export the Waze Data into an Excel spreadsheet, which is natively supported in Cellebrite. From there, the spreadsheet is uploaded into CellHawk, which natively reads the file column headers and asks for some direction about where the pertinent data (date/time/GPS location) is located within the spreadsheet. Here’s an example of what we get when CellHawk reads and maps the data:
Our office is located in Richmond, VA, which is listed as the starting point for many of these trips. But this map details all of the client visits in/around Virginia, Maryland and DC as well as locations where training was delivered in the Philadelphia and Boston areas over a period of more than a year.
When a map location is clicked, CellHawk natively tries to associate a phone number with that data point. Because the CellHawk generic location finder was used to upload the spreadsheet, the identifier of “Waze” was entered instead of a phone number, but this is a user-defined customization in CellHawk. Interestingly, the dates and times of the data points are listed and viewable when clicked in CellHawk. The figure below details a recent trip to Kansas City, KS for the Cellular Analysis and CellHawk training:
What’s even more interesting about the dataset in general is the historical nature of some of these locations. Figure 3 also illustrates several locations in and around Chicago and Milwaukee. I used Waze to navigate in/around the Chicago area and to the Harley Davidson museum in Milwaukee in August, 2012. Since then, while the Waze user account hasn’t changed, the device has been upgraded through 3 or more different iPhone models.
This historical data was not a one-off or isolated to this trip only. Fig. 4 below shows map locations from a trip to and around the ALERRT Center in San Marcos, TX where I attended a conference in 2011:
That’s Great. Now What?
The data gathered by Cellebrite and mapped by CellHawk is useful to help prove or disprove someone may have been to and navigated around a particular area during a specified time frame. Further, if a subject of an investigation or litigation claims they cannot drive, Waze can help disprove that claim. When we factor in dates, times and historical data that is maintained over years and across multiple devices, the potential weight of that data becomes apparent.
There are other ways (no pun intended) to parse and map this data, but both Cellebrite and CellHawk make it fairly easy and intuitive. In the ever-present questions of who, what, where when, how and perhaps why of any incident, the ability to find, export and analyze this data simply and effectively is a fantastic investigative advantage!
P.S. If you think this was a cool illustration, I highly recommend checking out CellHawk for your cellular call detail record and cell site mapping. It’s a fantastic tool for mapping that particular set of data and that’s primarily what it was designed to do. Be looking for a future blog diving into CellHawk for that purpose.
About Patrick Siewart
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting (www.ProDigital4n6.com), based in Richmond, Virginia. In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation investigations in Virginia court history. Patrick is a graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple online investigation schools (among others). He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.