That One Artifact: Mapping the “Where”, proving the “Why”
In this series, Chad Gish draws on more than two decades of digital investigative experience to examine cases that were solved, or dramatically advanced, by a single piece of digital evidence.
Note: This series is based on real-world criminal investigations, and some content may be graphic or disturbing.
In our “That One Artifact” series, I’m often asked what kinds of digital evidence most consistently move a case forward. In my experience, two of the most powerful are communication and location. Those who know me know I’ve long called them “two sledgehammers” for the witness stand: text messages in one hand, geolocation in the other. Together, they can pin down intent and place with a level of detail that’s hard to explain away.
Over the years, I’ve seen that pairing matter in case after case, sometimes as the headline evidence, sometimes as the thread that ties everything else together. When you’re staring at thousands of pages of reports, hours of video, and multiple devices, communication and location are often what help you cut through the noise and answer the two questions juries care about most: What did he say and where was he?
Why communication and location matter in a case
Text messages can reveal planning, relationships, and post-crime conduct, often exposing false alibis. Location artifacts can show where a device (and, frequently, its user) traveled before and after the event. When you put the two together, you don’t just have digital breadcrumbs. You have a narrative.
I’ve relied on the same two pillars across homicides, shootings, robberies, sexual assaults, and countless other investigations: messages to establish relationships and intent, and location to confirm presence, movement, and opportunity.
Even when each artifact is small on its own, the combination can turn a pile of disconnected facts into a timeline you can defend.
The incident
Not long ago, that combination proved to be a game-changer in a shooting investigation. A young man had been fatally shot in a parking lot. When detectives arrived, the victim’s phone had been destroyed, likely during the altercation, which immediately limited what we could learn from his communications and recent movements. But another phone recovered nearby stood out. It didn’t fit with the victim’s belongings, and its proximity to the struggle suggested it may have been dropped in the chaos as the shooter fled toward a waiting vehicle.
From the start, our working assumption was simple: if that phone belonged to the suspect, it could place him at the scene and identify where he came from, and where he went next.
At the same time, we had to keep an open mind. Phones change hands, and a device left behind could be a secondary (burner) phone, a borrowed handset, or a device that wasn’t involved in the crime. That uncertainty made the next step critical: extract what we could and let the artifacts tell us who the phone actually belonged to.
The phone left behind
Even though the device was passcode-locked, Magnet Graykey provided access quickly, and the phone turned out to be a goldmine of iOS cached location data. Using Magnet Axiom’s Worldmap View and Route View, we tracked the suspect’s movements throughout the day.
Roughly 45 minutes before the shooting, the device left the suspect’s presumed home, stopped at two different houses, and then arrived at the victim’s location. Follow-up investigation indicated the first stop was where the firearm was obtained and the second was where an accomplice was picked up. The map created with Axiom’s Route View didn’t just show movement; it gave detectives locations they could validate immediately, developing more leads and evidence.
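A stay-point pass over timestamped fixes is one way to reduce a location trail like this to a short list of stops that can be validated on the ground. The Python below is an added example, not code from the original article or from Axiom; the function names, thresholds, and sample coordinates are constructed assumptions.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (a[0], a[1], b[0], b[1]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371000 * asin(sqrt(h))

def find_stops(points, radius_m=75, min_dwell=timedelta(minutes=4), max_accuracy_m=100):
    """Return (arrive, depart, lat, lon, n_fixes) for each dwell.

    points: (utc_datetime, lat, lon, horizontal_accuracy_m) tuples.
    Low-accuracy fixes are dropped first so a single coarse fix cannot
    split a real stop or fabricate a trip. Thresholds are assumptions
    to tune per data source.
    """
    pts = sorted(p for p in points if p[3] <= max_accuracy_m)
    stops, i = [], 0
    while i < len(pts):
        j = i + 1
        while j < len(pts) and haversine_m(pts[i][1:3], pts[j][1:3]) <= radius_m:
            j += 1
        cluster = pts[i:j]
        if cluster[-1][0] - cluster[0][0] >= min_dwell:
            lat = sum(p[1] for p in cluster) / len(cluster)
            lon = sum(p[2] for p in cluster) / len(cluster)
            stops.append((cluster[0][0], cluster[-1][0], round(lat, 5), round(lon, 5), len(cluster)))
            i = j
        else:
            i += 1
    return stops

# Constructed sample trail (synthetic coordinates, not case data).
T0 = datetime(2024, 1, 1, 20, 0)
def _fix(minute, lat, lon, acc=10):
    return (T0 + timedelta(minutes=minute), lat, lon, acc)

SAMPLE = [
    _fix(0, 10.0000, 20.0000), _fix(5, 10.0001, 20.0000), _fix(10, 10.0000, 20.0001),  # origin
    _fix(14, 10.0100, 20.0100),                                                        # in transit
    _fix(18, 10.0200, 20.0200), _fix(21, 10.0201, 20.0200), _fix(24, 10.0200, 20.0201),  # stop 1
    _fix(22, 10.2000, 20.5000, acc=1500),                                              # coarse outlier
    _fix(28, 10.0300, 20.0300),                                                        # in transit
    _fix(32, 10.0400, 20.0400), _fix(38, 10.0400, 20.0401),                            # stop 2
    _fix(42, 10.0450, 20.0450),                                                        # in transit
    _fix(45, 10.0500, 20.0500), _fix(50, 10.0501, 20.0500),                            # destination
]
```

Calling `find_stops(SAMPLE)` yields four dwells (origin, two stops, destination); raising `max_accuracy_m` enough to admit the 1500 m fix splits the first intermediate stop below the dwell threshold, which is why accuracy filtering comes before clustering.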
Location tells the “where”
That location trail helped confirm the suspect’s identity and residence, and he was arrested the next day. During the arrest, investigators recovered another passcode-protected iPhone that was out of power. Because of the device’s newer operating system, we couldn’t attempt a brute-force unlock. In digital forensics, though, alternative solutions are often available. Here, the solution came from the original phone dropped at the scene: Graykey recovered historical PIN codes that had previously been used on that device.
Those PIN code hashes (in Hashcat format) were included in the Passcode_History.txt file generated by Graykey during the extraction. After running the file through Hashcat, one of the previously used PINs successfully unlocked the suspect’s phone.
It’s a simple reminder of two things: Graykey can recover passcode history from full file system extractions, and people are creatures of habit — they reuse passcodes.
Messages tell the “why”
The phone seized from the suspect became invaluable. The dropped phone established movement but contained limited conversation. The second device, however, held the messages that filled in motive and intent, texts that not only recounted plans to rob the victim during a drug deal (premeditation), but also revealed the suspect’s efforts to build a cover story to avoid detection.
When the pieces come together
This case underscores why communication and location are so often decisive. Geolocation artifacts established the suspect’s movements, put him at the scene, and dismantled a fabricated alibi. The messages supplied the “why” and the “how,” strengthening the overall case and supporting the physical evidence recovered during the investigation.
Using Graykey and Magnet Axiom, we built a precise timeline that showed what happened, when it happened, and where. Location artifacts that can look mundane in isolation, like cached geolocations, became the turning point once they were visualized and placed in context. Whether it’s mapping device movements in Axiom’s Route View or analyzing message histories to establish motive and sequencing, clear communication and location artifacts remain foundational to modern digital investigations, and to presenting a defensible story in court.
Chad Gish, Forensic Consultant at Magnet Forensics, is a former police detective with 26 years of service at the Metro Nashville Police Department. Chad is a recognized expert in digital forensics, playing a key role in high-profile cases and the development of forensic labs and crime centers.

The video output from Axiom records the Route View pane itself, adding context to hundreds, or even thousands, of geolocation points. In practice, Route View can quickly highlight when and where travel occurred. In the case described earlier, it helped investigators identify the suspect’s residence and the two stops made en route to the crime.

Magnet Forensics is constantly innovating to make analysis easier and more efficient. By staying ahead of emerging trends and integrating advanced technologies, they ensure their tools are always optimized to streamline the investigative process and enhance the accuracy and speed of digital forensics analysis. Axiom now offers an innovative perspective through its Mobile View feature, further streamlining the analysis of mobile data to mimic the intuitive experience of using a smartphone. The feature provides a visual depiction of both iOS and Android operating systems, featuring clickable app icons for supported applications. Upon selecting an app icon, AXIOM immediately displays the relevant data in its view pane. The functionality empowers frontline investigators and prosecutors, enabling them to confidently identify and flag pertinent evidentiary data with ease.
