Geolocation of Mobile Devices

Where in the World is That Phone? Geolocation of Mobile Devices

Mobile devices and cell phones are frequent sources of evidence in modern legal cases and investigations, and a common question involves where a phone was at a particular time. Although CSI makes this seem like a question that can be solved in a few minutes by a quirky-looking character in a lab coat, it’s not always that simple. Below are the basics of finding where a phone has been, including the sources of that data, data use, and a case study.

Geolocation Data Sources

There are three sources of information for where a phone is at a point in time:

  • The phone’s operating system location information
  • Third party application location information
  • Carrier records location information

The phone’s operating system can track events but it is generally not as comprehensive as the other two types of location information. The advantage of this tracking is that typically it is more accurate.

Third party application information is data associated with applications such as Google Timeline and photo date stamping. Many of these can provide a wealth of information that is reasonably accurate – but the feature has to be turned on. For example, Google’s Timeline is incredibly valuable information but has to be enabled. It can provide particularly good information in areas that contain a number of hotspots.

Carrier records are the information that AT&T, T-Mobile, and other providers have with respect to the tower the cell phone is talking to. This gives an approximate location and works only when the phone is contacting the tower.

Taken separately, each of these can give some information but together they provide a more comprehensive view of location and activity. Of course, some legal situations may mean that all three pieces of information aren’t available, but the more data you have the more precise a location you can determine.
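The following Python sketch is an added example, not code from the article or from Avansic: it merges records from the three sources into one list, picks the tightest estimate near a time of interest, and flags pairs of sources whose fixes cannot both be true. The record layout, the uncertainty radii, the 10-minute window and all coordinates are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

@dataclass
class Fix:
    source: str        # "os", "app" or "carrier"
    when: datetime
    lat: float
    lon: float
    radius_m: float    # uncertainty radius in metres (assumed values below)

def distance_m(a, b):
    """Great-circle (haversine) distance between two fixes, in metres."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371000 * asin(sqrt(h))

def locate(fixes, when, window=timedelta(minutes=10)):
    """Return (best fix, conflicting source pairs) around the given time."""
    near = [f for f in fixes if abs(f.when - when) <= window]
    if not near:
        return None, []   # no source recorded the phone: a gap, not a location
    # Prefer the smallest uncertainty radius, then the closest timestamp.
    best = min(near, key=lambda f: (f.radius_m, abs(f.when - when)))
    # Two fixes conflict when their uncertainty circles do not overlap.
    conflicts = [(a.source, b.source)
                 for i, a in enumerate(near) for b in near[i + 1:]
                 if distance_m(a, b) > a.radius_m + b.radius_m]
    return best, conflicts

# Constructed sample records (not from any real case).
T = datetime(2020, 1, 15, 21, 0)
FIXES = [
    Fix("carrier", T - timedelta(minutes=4), 36.1500, -95.9900, 2000),  # tower contact
    Fix("app",     T + timedelta(minutes=2), 36.1540, -95.9928, 50),    # timeline point
    Fix("os",      T - timedelta(minutes=1), 36.1541, -95.9930, 10),    # OS location event
    Fix("app",     T + timedelta(hours=3),   36.3000, -95.8000, 50),
]

if __name__ == "__main__":
    best, conflicts = locate(FIXES, T)
    print(best.source, best.radius_m, conflicts)
```

A non-empty conflict list is a prompt to check clock offsets, time zones and record provenance before relying on any one source.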

Data Use

This is another area that is tangential to geolocation but can be used in a more roundabout way to figure out where the phone was located. Frequently, the carriers will report data use for the phone; however, the data use is only provided as an aggregate value over time, so there is no way to determine from the call detail record (CDR) alone which applications caused that use. Still, the amount of data may give some insight into the general activity on the phone. For instance, very high levels of use can often be associated with streaming video.

If an investigation of the cell phone itself is allowed, then it may be possible to locate information about the last time applications were used. If nothing else, this provides a roadmap to which third-party applications and social media sites are in play. For instance, seeing Facebook and Instagram on the phone indicates potential use.

While most social media content is not present on the phone, the presence of those programs may inform decisions regarding questions at deposition. A collection and investigation of the social media site might provide context clues regarding location, like photos of locations visited.

So while the data usage may not be directly useful, it can be used to open other avenues in many cases.

Case Study

Using the above data sources for geolocation, we have handled several cases where phone location was a critical piece of evidence.

In the first – a case of arson – the owners of a home indicated they were not on premises when the blaze started. However, geolocation placed them in the neighborhood at the same time as the fire.

The second was a wrongful termination suit where we used third-party application data from Google to show that a salesperson was making the rounds he said he was making. He had been fired for not following the route prescribed by his company, but a search of his Google Timeline data showed that on all occasions, he had in fact followed the route and made stops consistent with visiting customers.

In a stalking case, a man was accused of violating a protective order against his ex-girlfriend. A search of his Google Timeline compared to hers showed numerous instances when he was geographically close to her location, some she didn’t even know about. This was turned over to law enforcement as evidence that he violated the protective order.

Conclusion

Cell phones are ubiquitous and knowing where they are at a certain time can provide crucial information for litigation or investigations. They may not always contain pinpoint information, but by using several sources of data, often a fairly clear picture can be painted.

Dr. Gavin Manes
CEO at Avansic
Dr. Gavin Manes is a nationally recognized eDiscovery and digital forensics expert. He founded Avansic in 2004 after completing his Doctorate in Computer Science from the University of Tulsa. At Avansic, Dr. Manes is committed to high-technology innovation, research, and mentorship, and has several patents pending. Avansic's scientific approach to eDiscovery and digital forensics stems from his academic experience.

Dr. Manes routinely serves as an expert witness including consulting with attorneys on data preservation issues. He contributes academic content to peer-reviewed journals and delivers classroom lectures. See his full CV at gavinmanes.com.

Dr. Manes has published over fifty papers on eDiscovery, digital forensics, and computer security, countless blog posts, and educational presentations to attorneys, executives, professors, law enforcement, and professional groups on topics from eDiscovery to cyber law. He’s briefed the White House, the Department of the Interior, the National Security Council, and the Pentagon on computer security and forensics issues.

At the University, Dr. Manes formed the Tulsa Digital Forensics Center, housing Cyber Crime Units from local, state, and federal law enforcement agencies. He’s a founder of the University of Tulsa’s Institute for Information Security, leading the creation of nationally recognized research efforts in digital forensics and telecommunications security.
