How to Uncover Geolocation Artifacts for Mobile Device Investigations

Geolocation artifacts are forensically valuable data, created on a device by GPS or other location-based technologies, that can establish an individual’s geographic location. This data can be useful in various investigations related to crimes or other incidents.

In today’s digital age, the use of mobile devices has become pervasive across different domains. With the increase in usage, the role of geolocation in mobile device investigations has become more crucial than ever.

Geolocation Artifacts in Investigations

In mobile device investigations, geolocation data can provide valuable information about the locations of suspects, victims, and witnesses. It can help investigators to track a person’s movements and verify their alibis. For example, if someone claims to have been at a particular location at a certain time, geolocation data collected from his or her mobile device can be used to confirm or refute the claim. Moreover, geolocation data can help investigators reconstruct crime scenes and establish timelines. When analyzing the geolocation data from multiple devices, investigators can correlate the data from various sources to better understand the events that occurred. This information can be used to build a case against the accused and provide evidence in court.

A screenshot of Magnet AXIOM map view, showing the locations for various geolocation artifacts on a mobile device.

Geolocation data can also help investigators locate lost or stolen devices. Using the GPS coordinates provided by the mobile device, investigators can identify the device’s last known location and track it down.

Top Geolocation Artifacts for Android and iOS

Magnet Forensics has curated the following list of top geolocation artifacts and where they can be found on a given device. Magnet AXIOM and AXIOM Cyber will surface these artifacts for you quickly and easily, and Magnet GRAYKEY and VERAKEY provide same-day access to the latest iOS and Android devices. Still, it’s important that you know where to look:

Android Geolocation Artifacts

/data/data/com.google.android.apps.maps/databases/gmm_storage.db

iOS Geolocation Artifacts

/private/var/mobile/Containers/Data/Application/[APPGUID]/Library/Maps/GeoHistory.mapsdata
/private/var/mobile/Containers/Data/Application/[APPGUID]/Library/Maps/GeoBookmarks.plist
/private/var/mobile/Library/Caches/com.apple.routined/Cache.sqlite
/private/var/mobile/Library/Caches/com.apple.routined/Local.sqlite
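
One way to check a file-system extraction for the paths listed above is the following added example, which is not Magnet Forensics code. It treats [APPGUID] as a wildcard, hashes each hit, and notes any SQLite -wal/-shm sidecar files; the function names, the sample tree and the placeholder GUID are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Paths copied from the list above; [APPGUID] differs per app install.
ARTIFACT_PATHS = {
    "android": ["/data/data/com.google.android.apps.maps/databases/gmm_storage.db"],
    "ios": [
        "/private/var/mobile/Containers/Data/Application/[APPGUID]/Library/Maps/GeoHistory.mapsdata",
        "/private/var/mobile/Containers/Data/Application/[APPGUID]/Library/Maps/GeoBookmarks.plist",
        "/private/var/mobile/Library/Caches/com.apple.routined/Cache.sqlite",
        "/private/var/mobile/Library/Caches/com.apple.routined/Local.sqlite",
    ],
}
SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite database

def locate_artifacts(extraction_root, platform):
    """Return one record per listed artifact found under the extraction root."""
    root, hits = Path(extraction_root), []
    for template in ARTIFACT_PATHS[platform]:
        pattern = template.lstrip("/").replace("[APPGUID]", "*")  # one directory level
        for path in sorted(p for p in root.glob(pattern) if p.is_file()):
            data = path.read_bytes()
            # SQLite may hold recent records in -wal/-shm sidecars; list them so
            # they are preserved and examined together with the main database.
            sidecars = [s.name for suffix in ("-wal", "-shm")
                        if (s := path.with_name(path.name + suffix)).is_file()]
            hits.append({
                "path": "/" + path.relative_to(root).as_posix(),
                "sha256": hashlib.sha256(data).hexdigest(),
                "size": len(data), "is_sqlite": data.startswith(SQLITE_MAGIC),
                "sidecars": sidecars,
            })
    return hits

def build_sample_ios_tree(root):
    """Constructed sample data: a tiny fake iOS layout, not real evidence."""
    guid = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real GUID
    maps = Path(root, "private/var/mobile/Containers/Data/Application", guid, "Library/Maps")
    routined = Path(root, "private/var/mobile/Library/Caches/com.apple.routined")
    for d in (maps, routined): d.mkdir(parents=True)
    (maps / "GeoBookmarks.plist").write_bytes(b"bplist00")
    (routined / "Cache.sqlite").write_bytes(SQLITE_MAGIC + b"\x00" * 84)
    (routined / "Cache.sqlite-wal").write_bytes(b"\x00" * 32)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(*locate_artifacts(build_sample_ios_tree(tmp), "ios"), sep="\n")
```

Point `locate_artifacts` at a mounted working copy of the extraction rather than the original image, and record the hashes in your case notes.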

Leveraging Geolocation Artifacts

While many examiners spend the bulk of their time using the artifact explorer in AXIOM Examine, other features like Timeline and Connections can help surface items of interest. The volume of artifacts from a modern mobile device examination can make it easy for potential geolocation artifacts of interest to blend into the noise, almost hiding in plain sight.

Using the Timeline explorer can help to profile when a particular activity occurred on a device or provide context as to what a user was doing on their device at a certain time. The use of absolute and relative time filters can also help examiners find key details around points of interest in the timeline of a specific investigation.

A screenshot of the timeline view of a geolocation artifact in Magnet AXIOM.

The Connections explorer provides a visual representation of how the various artifacts in your case are related. By using the distinct properties of each artifact, called artifact attributes, you can pick an artifact of your choosing – such as a screen name or phone number – and see how it relates to the geolocation artifacts in your case.

A screenshot of the connections view for a geolocation artifact in Magnet AXIOM.

These days, mobile devices often have greater storage capacity, even rivaling traditional computers. Still, the always-on, always-connected nature of mobile devices means that cloud-stored data cannot be overlooked. The Potential Cloud Evidence Leads dashboard is a great resource for identifying other sources of data which may be relevant to your investigation – particularly when mobile devices are involved.

A screenshot of the Potential Cloud Evidence Leads dashboard in Magnet AXIOM.

Applications on a device may not always store data locally, or there may be additional logs, usage, and analytics data available directly from the connected cloud account. The Potential Cloud Evidence Leads dashboard helps examiners by surfacing potential sources of cloud-stored data and accounts from the installed applications and accounts recovered on a device. This can provide an efficient method for directing further investigative efforts in a case.

If you haven’t tried Magnet AXIOM or AXIOM Cyber, request a free trial today.