Benefits of advanced digital forensics mapping.

June 24, 2024

Unlock the secrets of digital forensics with advanced mapping tools. Visualize movements, verify locations, and reconstruct events with ease.

Uncovering patterns, relationships, and connections is a vital element of most digital forensic investigations. Mapping capabilities and tools allow practitioners to visualize, analyze, and interpret data, verifying physical locations and movements related to an investigation.

Mapping and geo data acquisition

Basic mapping capabilities allow investigators to acquire geo coordinates from all sources including mobile devices, drones, cloud storage, media cards, and imported images. Analysis of extracted geo coordinates can provide the following basic types of evidence:

  • Identify a phone or device’s frequently visited locations
  • Pinpoint common locations of multiple devices
  • Visualize a device’s movements and direction of travel within specific periods of time
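The first two kinds of evidence can be sketched in a few lines, as an added example that is not code from Oxygen Forensic Detective or from the original article. The sample records, the grid cell size, the 30-minute window, and the function names are all assumptions made for illustration; timestamps are normalized to UTC so that devices reporting in different time zones can be compared.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records: (device, local time with UTC offset, lat, lon).
EVENTS = [
    ("phone_A", "2024-06-01T08:02:00+02:00", 52.52010, 13.40490),
    ("phone_A", "2024-06-01T18:30:00+02:00", 52.52030, 13.40510),
    ("phone_A", "2024-06-02T08:05:00+02:00", 52.52020, 13.40480),
    ("phone_A", "2024-06-02T12:00:00+02:00", 52.50000, 13.45000),
    ("phone_B", "2024-06-01T07:10:00+01:00", 52.52015, 13.40495),
    ("phone_B", "2024-06-02T11:00:00+01:00", 52.50004, 13.45003),
    ("phone_B", "2024-06-03T09:00:00+01:00", 48.85660, 2.35220),
]

CELL_DEG = 0.001  # assumed grid resolution in degrees (about 110 m of latitude)

def cell(lat, lon):
    """Snap a coordinate to a grid cell so nearby fixes count as one place."""
    return (round(lat / CELL_DEG), round(lon / CELL_DEG))

def parse(events):
    """Convert every timestamp to UTC and every coordinate to its grid cell."""
    return [(dev, datetime.fromisoformat(ts).astimezone(timezone.utc), cell(lat, lon))
            for dev, ts, lat, lon in events]

def frequent_locations(events, device, top=3):
    """Cells a device was seen in, ranked by number of fixes."""
    return Counter(c for d, _, c in parse(events) if d == device).most_common(top)

def co_locations(events, window=timedelta(minutes=30)):
    """Fixes from different devices in the same cell within `window` (UTC)."""
    by_cell = defaultdict(list)
    for dev, ts, c in parse(events):
        by_cell[c].append((ts, dev))
    hits = []
    for c, fixes in by_cell.items():
        fixes.sort()  # chronological order inside each cell
        for i, (t1, d1) in enumerate(fixes):
            for t2, d2 in fixes[i + 1:]:
                if t2 - t1 > window:
                    break  # later fixes are even further apart
                if d1 != d2:
                    hits.append((c, d1, t1, d2, t2))
    return hits

if __name__ == "__main__":
    print(frequent_locations(EVENTS, "phone_A"))
    print(co_locations(EVENTS))
```

Compared on local wall-clock time, the two shared-cell fixes are 52 and 60 minutes apart and fall outside the window; after UTC normalization they are 8 and 0 minutes apart.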

Geo data sources

Digital forensics software should enable investigators to extract geo data from various sources including:

  • Applications and clouds – Geo data shared among users via apps is often backed up onto the cloud. Locations are sent in messengers, geotags are added to social media posts, and workouts, food orders, and ride shares are recorded. Data generated on separate devices can be synchronized to the same cloud.
  • Media files – Photos and videos taken by a user often include geotags.
  • WiFi points – Most devices leave geo data when connecting to WiFi networks.
  • Drones – When a drone is viewed in the wrong location, investigators can use geo data to determine the flight’s origin and route to help determine whether a drone trespassed intentionally or by mistake.

Timeline creation of events and activities

The ability to create timelines or views of all device events in a single list allows investigators to view geo coordinates, filter data, and track activity. Events and activities that can be viewed in a timeline include:

  • Chats within apps
  • Calls
  • Web activity
  • Web connections
  • Photos
  • Videos
  • Calendar events

Advanced mapping capabilities

Once geo data is obtained from multiple sources, advanced mapping capabilities can provide practitioners higher levels of analysis and context. This can be achieved by layering multiple types of data onto one map or timeline to create the full picture of a target or event. These advanced mapping capabilities include:

  • Event reconstruction – Combining various mapping techniques to reconstruct the sequence of events leading up to, during, and after an incident, building a holistic view of the digital evidence and establishing a comprehensive narrative.
  • Obtain addresses from geo locations – The ability to obtain addresses from geo coordinates is important when piecing together an investigation. This function may rely on a software’s ability to access address database services and platforms.
  • Route display – Use Call Detail Records (CDR) and third-party extraction outputs to establish common locations between the layers and create playable routes showing direction of travel.
  • Timeline features – Added filter, data export, and customizable display capabilities include:
    • Filter entries by source
    • Use tabs to view specific records
    • Export data directly from the timeline
    • Select how, which and how much data to display
    • Learn more about entry of interest using tags, notes, and evidence marks
    • View checked locations
  • Time zones – Analyze and sync events by multiple devices within multiple time zones
  • Social network – Track social media contacts and contact paths
  • Smart filters – Allow investigators timeline options to view and display:
    • Show all messages from contacts:
      • Who have mentioned the entered word or phrase
      • Who shared geo data
    • Show messages from all contacts, including group members who have mentioned the entered word or phrase
    • Show events that happened:
      • Before and after key evidence
      • Before and after the events with geo coordinates
    • Show events within the timeframe that happened before and after:
      • Key evidence
      • The events with geo coordinates
  • Time filter – Allow records to be grouped by year, month, or day, and set time range
  • Activity filters – Allow investigators to analyze and view activity within:
    • A specific hour
    • Multiple hours
    • Specific hours or weekdays
    • Preset time frame
    • Specific applications

Oxygen Forensic® Detective provides advanced mapping and geo data capabilities including our Activity Matrix, a powerful time filter and behavioral tracker to help identify geo data that may contradict or prove the person’s story.
