We are excited about this latest GeoTime Workflow video, as we have been asked many times how to import forensic data taken from mobile devices. We asked one of the industries leading providers of mobile extraction technology, Cellebrite, if they could help us out and we were able to get a sample extraction from them to demonstrate how this data can be imported into GeoTime for analysis.
Directory structure of a logical extraction from a BlackBerry Curve
We started off by just looking through the vast array of data that is extracted via UFED Logical. The way that the data is stored is in a simple directory structure, with a PDF report that summarizes the complete extraction. The first thing that caught our eye was the “GPS” directory.
The GPS and Image folders both contained geolocated data that can be easily imported into GeoTime.
The GPS directory contains location information that the mobile has collected and is presented in many different formats, including KML, HTML and XML. For our purposes, we dropped the XML into Excel, then sent it over to GeoTime for import. The result was about 120 events that created a movement path for whoever was holding the mobile during that time frame. Very cool stuff!
We focused on the locations.xml file that contained a gold mine of location data.
The movement of the mobile was pretty easy to follow with just the location data but we wanted to bring in some more geolocated data that the mobile had recorded. Most smartphones have the ability to add geographical coordinates to photos when the user takes a snap with the onboard camera. In this extraction, all of the photos were stored nicely in the “Image” directory. All we had to do was do a “File>Open Folder of Images” in GeoTime and boom, we had the images merged into our visualization. Now we had both the location information, as well as the geotagged images imported into GeoTime.
The location and photo data imported into GeoTime for visual analysis.
We found this to be a much more useful way to view this data, versus the typical 2D map view that most analysts are used to look at, which have no way of showing movement. Where someone came from and where they were headed is an important part of any analysis task. And the beauty of this approach is that most analysts already have this data, if they have a forensic dump of the mobile device.
View of the same data in Google Maps
Here is the workflow video that we put together to walk you through the process.
What’s next? We will be creating a follow up workflow video that looks at how to take call and SMS logs to create a social network for another level of analysis of this mobile device data.
Cheers, The GeoTime Team