Week 7 - Mobile Forensics

CBS223 Digital Forensics and Analysis

WEEK 7

MOBILE FORENSICS

1.1 Overview of Digital Forensics

Digital forensics is a branch of forensic science that deals with the recovery,
investigation, and analysis of data from electronic devices, including computers,
mobile devices, and networks. It plays a critical role in modern investigations,
helping uncover evidence for criminal cases, corporate disputes, cybersecurity
incidents, and more. In today’s world, where nearly every interaction or
transaction is captured digitally, digital forensics has become essential in
providing accurate and reliable information to legal entities and organizations.

1.2 Importance of Mobile Forensics

Mobile forensics has grown in importance because of the increasing reliance on smartphones for daily tasks and communications. In many cases, mobile devices contain more personal and sensitive information than computers, making them treasure troves of evidence.

The key reasons why mobile forensics is important include:

Volume of Data: Mobile devices store a large volume of personal and professional data. Text messages, emails, social media interactions, banking transactions, and location history can all provide vital clues in investigations.

Accessibility: Because people carry mobile devices with them everywhere, they
generate continuous logs of activity, including location and communication
records, that are essential in both criminal and civil investigations.

Encryption and Security: Mobile devices often feature encryption and security
measures like passwords, biometrics (fingerprints, facial recognition), and
encrypted messaging apps. Mobile forensics experts need specialized tools and
techniques to access and decrypt this data legally.

Broad Range of Applications: Mobile forensics is used not only in criminal investigations but also in corporate espionage cases, civil litigation, employee misconduct investigations, and cybersecurity incidents.

1.3 Types of Mobile Devices

Prepared By Muhammad Ubale Kiru 1



Mobile devices vary in form and function, but they share key characteristics that
make them important in forensics. The most common types of devices
investigated in mobile forensics include:

Smartphones: These devices, including popular models like iPhones and Android-based devices, are central to mobile forensics. Smartphones store vast amounts of personal information, and their advanced security features can make forensic analysis challenging.

Tablets: Similar to smartphones but with larger screens, tablets also store a
significant amount of personal and professional data. They are often used for
media consumption, communication, and even professional work, making them
targets for forensic analysis.

Wearables: Devices such as smartwatches and fitness trackers store health, fitness, and location data. In some investigations, such as cases involving stalking or physical activity timelines, data from wearables can provide critical evidence.

Feature Phones: While less common today, feature phones are basic mobile
phones that offer calling, texting, and limited multimedia functionality. These
devices are simpler than smartphones but can still contain important evidence
such as call logs and SMS messages.

1.4 Legal and Ethical Considerations

Mobile forensics involves handling sensitive data, often with privacy and legal
concerns attached. Forensic investigators must be aware of both the legal and
ethical boundaries of data retrieval and analysis to ensure that evidence is
admissible in court and that the privacy rights of individuals are respected.

Key legal and ethical considerations include:

Search Warrants: Investigators typically need a legal warrant to access data stored on mobile devices. Unauthorized access to a mobile device can lead to the exclusion of evidence in court and potential legal consequences for investigators.

Chain of Custody: It is essential to maintain a strict chain of custody for any data or device involved in an investigation. This ensures that evidence remains untampered and its integrity is preserved from collection to courtroom presentation.




Data Privacy: Mobile devices contain highly sensitive personal information, and
mishandling that data can lead to privacy violations. Forensic investigators must
be cautious about accessing and sharing personal data, ensuring that only
relevant information is used in an investigation.

Data Destruction: Once data is retrieved, forensics experts must handle it carefully, ensuring that the process of extracting evidence does not destroy or modify the original data. Tools used for mobile forensics are designed to prevent data corruption during the analysis.

Jurisdictional Challenges: Mobile forensics can involve devices that are subject
to different local or international laws. Investigators must be aware of the legal
frameworks governing data access in different countries, especially in cases
involving international crimes or data stored on cloud services.

2: Mobile Operating Systems

In the world of mobile computing, two operating systems dominate the landscape: iOS by Apple and Android by Google. Both systems have transformed how we use smartphones, influencing millions of developers and billions of users globally. While they share some similarities in functionality and application usage, they differ significantly in their architecture, security, and underlying technologies.

2.1. iOS

iOS is the operating system exclusive to Apple devices, such as the iPhone and
iPad. Built on a Unix-like architecture known as Darwin, iOS is designed with an
emphasis on simplicity, security, and performance. The operating system tightly
integrates with Apple’s hardware and software ecosystem, allowing for highly
optimized performance and seamless experiences across devices.

Some key features of iOS include:

App Store Ecosystem: iOS apps are distributed via the Apple App Store, which
undergoes strict review processes for quality and security.

Closed System: Apple exercises strict control over the operating system,
limiting what third-party apps and developers can do within the system.




Uniform Updates: Apple manages updates centrally, ensuring that all devices
receive the latest security patches and software features as soon as they are
released.

2.2. Android

Android, on the other hand, is an open-source operating system built on the Linux
kernel. Developed by Google, it is used by a wide variety of manufacturers,
including Samsung, Google Pixel, Huawei, and many others. This open nature
makes Android highly customizable but also more fragmented, as different
manufacturers may modify the OS to suit their needs.

Some key features of Android include:

Google Play Store: Android’s primary app distribution platform allows a wide
range of apps, but with fewer restrictions compared to iOS.

Open Source: Android is open to modifications by both device manufacturers and individual developers.

Customizability: Users can modify their Android devices with custom ROMs,
launchers, and widgets, making it a favorite for tech enthusiasts.

Fragmentation: Due to its openness, Android updates are often fragmented across different devices and regions, meaning some users may not receive updates as quickly as others.

2.2.1. Versions of Android OS

1. Android 1.0 to 2.3 (2008–2011): The early versions introduced fundamental features like the notification system, app drawer, and Google services integration. Android 2.2 (Froyo) added better performance, Flash support, and mobile hotspot functionality.

2. Android 4.0 Ice Cream Sandwich (2011): This version introduced a more
polished and unified design for smartphones and tablets, incorporating the
"Holo" visual style. It brought swipe gestures, facial recognition unlock, and
improved multitasking.




3. Android 4.4 KitKat (2013): KitKat optimized Android to run efficiently on devices with lower specs, making it accessible to a broader range of users. It also introduced immersive mode, cloud printing, and better memory management.

4. Android 5.0 Lollipop (2014): With Lollipop, Android introduced Material Design, a more vibrant, responsive, and modern UI. It also enhanced notifications, battery life (Project Volta), and added support for 64-bit processors.

5. Android 6.0 Marshmallow (2015): Marshmallow focused on security and performance, introducing app permissions, Doze mode for better battery management, and native fingerprint sensor support.

6. Android 7.0 Nougat (2016): This version brought multi-window support, enhanced notifications with direct replies, and Daydream, a VR platform. It also improved performance with Vulkan API for better gaming graphics.

7. Android 8.0 Oreo (2017): Oreo improved background app management for
battery life and introduced Picture-in-Picture mode, notification dots, and Project
Treble to streamline software updates.

8. Android 9.0 Pie (2018): Pie introduced gesture-based navigation, Digital Wellbeing tools for managing screen time, and adaptive battery/brightness features powered by machine learning.

9. Android 10 (2019): This version dropped the dessert naming tradition and
introduced a system-wide dark mode, enhanced privacy controls, improved
gesture navigation, and Live Caption for media.

10. Android 11 (2020): Android 11 focused on enhancing user control over permissions and notifications. Features included bubbles for messaging apps, one-time app permissions, and built-in screen recording.

11. Android 12 (2021): Android 12 introduced Material You, allowing users to customize the UI with dynamic colors based on their wallpaper. It also improved privacy features, with indicators for camera and microphone usage.

12. Android 13 (2022): Android 13 refined many of the visual and functional
features from Android 12, offering improved app-specific language settings,
enhanced theming options, and further privacy enhancements like better media
file permissions.

3: Mobile Device Acquisition




The field of digital forensics plays a critical role in investigating cybercrimes, fraud, and other malicious activities by securing and analyzing data from digital devices. Mobile devices, in particular, have become significant sources of valuable evidence. This chapter delves into the processes of mobile device acquisition, detailing the techniques used to secure, preserve, and extract data from smartphones and tablets while maintaining the integrity of the information.

3.1. Mobile Device Seizure and Preservation Techniques

When conducting a digital investigation, it is crucial to ensure that mobile devices are properly seized and preserved to prevent any potential tampering or data loss. Mobile devices are highly dynamic, with data constantly changing due to background processes, wireless connections, and user actions. Improper handling can result in data being altered or deleted, which compromises the integrity of the evidence.

3.1.1. Best Practices for Securing Mobile Devices

The first step in mobile device seizure is securing the device to prevent any
alteration of the data. This involves physically controlling the device and
ensuring that no one can access or tamper with it. Investigators must:

1. Isolate the device from networks: Disconnecting the device from all wireless
connections is essential to prevent remote wiping or syncing, which can alter or
delete important evidence. The investigator should disable any active network
interfaces such as Wi-Fi, Bluetooth, and cellular connections.

2. Document the device condition: Before taking any steps, it is essential to document the device’s state, including power status, battery level, screen lock status, and any visible damage. Photographs and detailed notes are necessary to create a record of the device’s initial condition.

3. Maintain a chain of custody: To ensure the evidence is admissible in court, a documented chain of custody must be established and maintained. This involves logging who handled the device, when it was seized, and all subsequent actions performed on it.

4. Secure the device physically: Once the mobile device is seized, it should be
stored in a secure container or location to prevent unauthorized access.
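As an added example, not part of the course handout: a minimal chain-of-custody log in Python that binds every record to the SHA-256 of the acquired image and to the hash of the previous record, so that an altered, inserted or removed record, or an image that no longer matches the recorded hash, shows up at verification. The handlers, timestamps and image bytes are constructed values.

```python
import hashlib
import json

# Constructed stand-in for an acquired device image; a real one would be read from disk.
SAMPLE_IMAGE = b"constructed sample image bytes: not a real device dump"
GENESIS = "0" * 64  # previous-hash marker for the first record


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the evidence bytes, recorded at acquisition and re-checked at every hand-over."""
    return hashlib.sha256(data).hexdigest()


def record_hash(record: dict) -> str:
    """Hash of a custody record's fields (canonical JSON so key order cannot change the hash)."""
    body = {k: v for k, v in record.items() if k != "entry_hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def append_entry(log: list, handler: str, action: str, evidence: bytes, when: str) -> dict:
    """Append one custody record, chained to the previous record's hash."""
    entry = {
        "timestamp": when,                      # ISO-8601 UTC, supplied by the caller
        "handler": handler,                     # who had the device or image
        "action": action,                       # seized, imaged, transferred, analysed ...
        "evidence_sha256": sha256_hex(evidence),
        "prev_entry_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = record_hash(entry)
    log.append(entry)
    return entry


def verify_log(log: list, evidence: bytes) -> list:
    """Return the problems found; an empty list means the chain and the image on hand agree."""
    problems = []
    expected_prev = GENESIS
    current_hash = sha256_hex(evidence)
    for i, entry in enumerate(log):
        if record_hash(entry) != entry["entry_hash"]:
            problems.append(f"entry {i}: record altered after it was written")
        if entry["prev_entry_hash"] != expected_prev:
            problems.append(f"entry {i}: chain broken (a record was inserted, removed or reordered)")
        if entry["evidence_sha256"] != current_hash:
            problems.append(f"entry {i}: evidence hash differs from the image on hand")
        expected_prev = entry["entry_hash"]
    return problems


def build_sample_log() -> list:
    """Constructed custody trail for SAMPLE_IMAGE; names and times are made up."""
    log = []
    append_entry(log, "Officer A", "seized; airplane mode; Faraday bag", SAMPLE_IMAGE, "2024-03-01T09:15:00Z")
    append_entry(log, "Examiner B", "physical image acquired and hashed", SAMPLE_IMAGE, "2024-03-01T13:40:00Z")
    append_entry(log, "Examiner C", "analysis performed on a working copy", SAMPLE_IMAGE, "2024-03-02T08:00:00Z")
    return log


if __name__ == "__main__":
    custody = build_sample_log()
    print(verify_log(custody, SAMPLE_IMAGE) or "custody chain intact")
```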




3.1.2. Preventing Data Modification (Faraday Bags, Airplane Mode)

Preventing data modification is a critical component of evidence preservation. If a device remains connected to a network, it can be remotely accessed, causing potential loss of critical data. To mitigate this risk, the following techniques are commonly employed:

1. Faraday Bags: These are specialized pouches designed to block all wireless
signals to and from a mobile device. By placing a device in a Faraday bag,
investigators can prevent any external communication with the device, thus
safeguarding it from remote wiping or network-based data changes.

2. Airplane Mode: In some cases, switching the device to airplane mode is a viable option to disconnect it from all communication networks. This step effectively prevents further wireless communications while still allowing access to the device’s stored data.

In scenarios where airplane mode cannot be activated due to a locked device or other complications, the use of Faraday bags is considered the best practice.

3.2. Acquisition Methods

Once a mobile device has been seized and preserved, the next step is to acquire
the data stored within it. The process of acquisition involves extracting
information from the device in a forensically sound manner. Several methods
exist depending on the type of device, the operating system, and the nature of the
investigation.

3.2.1. Logical, Physical, and File System Acquisition

Three primary types of mobile device acquisition methods are employed by forensic investigators:

1. Logical Acquisition: This method involves extracting data through the device's operating system. It provides access to easily retrievable files such as text messages, call logs, contact lists, and application data. While this method is less invasive and quicker, it might not retrieve deleted files or low-level data, which limits the scope of analysis.




2. Physical Acquisition: This method extracts a complete image of the device's storage, including files, metadata, and deleted data. It allows the investigator to retrieve information from unallocated space and perform a more thorough analysis. Physical acquisition is more complex and requires specialized tools and expertise but provides a higher level of data recovery.

3. File System Acquisition: This method focuses on retrieving the file system
structure, including directories, files, and permissions. It provides an
intermediate level of data extraction between logical and physical acquisition
and is useful for recovering system-level data that may not be available through
logical acquisition.

3.2.2. Imaging Techniques (JTAG, Chip-Off, etc.)

Imaging techniques are crucial in mobile device forensics, especially when traditional methods fail due to device damage or encryption. Some of the most advanced imaging techniques include:

1. JTAG (Joint Test Action Group): This method involves connecting to the
mobile device's circuit board to extract data directly from the device's memory
chips. JTAG is typically used when other methods are not viable, such as when a
device is damaged or inaccessible through software.

2. Chip-Off: This technique involves physically removing the memory chip from the device's motherboard and using specialized equipment to read the data directly. Chip-Off is often employed when a device is severely damaged, or encryption prevents other acquisition methods.

Both JTAG and Chip-Off methods are invasive and require specialized knowledge and tools. They are often used as a last resort due to the risk of causing irreparable damage to the device.

3.2.3. Tools for Mobile Acquisition

Several software tools are available to assist investigators in acquiring data from
mobile devices. These tools offer varying levels of functionality and support
different acquisition methods:

1. UFED (Universal Forensic Extraction Device): Developed by Cellebrite, UFED is one of the most widely used tools for mobile device forensics. It supports logical, physical, and file system acquisitions, providing a comprehensive solution for extracting data from a wide range of devices and operating systems.

2. Magnet AXIOM: This tool by Magnet Forensics allows investigators to acquire, analyze, and report on data from mobile devices. AXIOM supports a broad range of acquisition methods and includes advanced analytics for identifying key evidence.

3. Oxygen Forensic Suite: Oxygen provides powerful acquisition and analysis capabilities for mobile devices. It supports logical, physical, and file system acquisitions, as well as advanced features for extracting data from encrypted devices and cloud services.




Each of these tools offers distinct advantages depending on the case requirements, and they are essential for conducting thorough and reliable mobile device forensics.

4. Mobile Communication Analysis

4.1. Cellular Network:

A cellular network is made up of different "cells," which are geographic areas within the network. Each cell has a cell tower (also known as a cell site). When you make a call, your phone connects to the nearest cell tower. The signal is then sent to the Mobile Switching Center (MSC). The MSC manages the routing of calls and data. If you're calling someone who uses a different network, the MSC connects to the Public Switched Telephone Network (PSTN), which links all phone networks worldwide. This is also where toll charges for cross-network calls are calculated.

4.2. Base Transceiver Station (BTS):

A cell site or tower can be a standalone structure or attached to a building. These towers typically have antennas with panels on each side. The Base Transceiver Station (BTS) is the equipment located at the cell site that allows communication between your phone and the carrier’s network.

4.2.1. Base Transceiver Station Evidence:

In forensics, understanding how a cellular network works is crucial. Investigators can request cell site records from mobile carriers to find out where a user was, based on the data from the BTS, even without having the user’s phone.

4.3. Subscriber Evidence:

Law enforcement can also obtain subscriber information, call detail records
(CDRs), and PUK codes from carriers.




Subscriber records include personal details like name, address, and alternative
phone numbers.

Call Detail Records (CDRs) show details of calls made and received, such as
phone numbers, dates, times, and locations based on the cell sites used.

The PIN Unlock Key (PUK) is a code used to reset and unlock a phone’s SIM card
if it's locked.

4.4. Mobile Station:

The mobile station consists of the mobile device (handset) and, in the case of
GSM networks, the Subscriber Identity Module (SIM) card. Every handset has a
unique identifier called the International Mobile Equipment Identity (IMEI)
number. The first six or eight digits of the IMEI are called the Type Allocation
Code (TAC), which identifies the device model. Investigators can use websites
like nobbi.com/tacquery.php to look up details about a device using its TAC or
IMEI.

5. SIM Cards in Mobile Forensics

A SIM card (Subscriber Identity Module) is a small, removable chip found in mobile devices, especially in those using GSM (Global System for Mobile Communications) and iDEN (Integrated Digital Enhanced Network) technologies. The primary role of the SIM card is to identify a user on a cellular network through the International Mobile Subscriber Identity (IMSI), a globally unique number stored on the SIM. This IMSI allows cellular networks to recognize individual subscribers, facilitating services like calling, texting, and data usage.

The IMSI is divided into two components:

1. Mobile Country Code (MCC) – The first three digits that identify the
subscriber's country.

2. Mobile Network Code (MNC) – The next two or three digits that specify
the mobile network provider.
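An added example (not from the handout) that parses the identifiers described in 4.4 and in this section: it splits an IMEI into TAC, serial and check digit, validates the check digit with the Luhn formula the IMEI uses, and splits an IMSI into MCC, MNC and MSIN. The sample IMEI and IMSIs are constructed values, and the MNC length is passed in by the caller, since it depends on the country.

```python
# Constructed sample values; they exercise the parsing and are not tied to a real device or subscriber.
SAMPLE_IMEI = "49-015420-323751-8"
SAMPLE_IMSI_3DIGIT_MNC = "310150123456789"   # MCC 310 (United States), where MNCs are 3 digits
SAMPLE_IMSI_2DIGIT_MNC = "262011234567890"   # MCC 262 (Germany), where MNCs are 2 digits


def luhn_check_digit(digits: str) -> int:
    """Luhn check digit over a digit string; the IMEI's 15th digit is computed this way from the first 14."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:          # double every second digit, starting with the rightmost
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def parse_imei(imei: str) -> dict:
    """Split a 15-digit IMEI (separators allowed) into TAC, serial and check digit."""
    digits = "".join(ch for ch in imei if ch.isdigit())
    if len(digits) != 15:
        raise ValueError("an IMEI has exactly 15 digits")
    return {
        "tac": digits[:8],         # Type Allocation Code: identifies the make and model
        "tac_legacy": digits[:6],  # older scheme: 6-digit TAC followed by a 2-digit Final Assembly Code
        "serial": digits[8:14],
        "check_digit": int(digits[14]),
        "check_digit_ok": luhn_check_digit(digits[:14]) == int(digits[14]),
    }


def parse_imsi(imsi: str, mnc_length: int = 2) -> dict:
    """Split an IMSI into MCC (3 digits), MNC (2 or 3 digits, depending on the country) and the MSIN."""
    digits = "".join(ch for ch in imsi if ch.isdigit())
    if not 6 <= len(digits) <= 15:
        raise ValueError("an IMSI has at most 15 digits")
    if mnc_length not in (2, 3):
        raise ValueError("the MNC is 2 or 3 digits; look the length up from the MCC")
    return {"mcc": digits[:3], "mnc": digits[3:3 + mnc_length], "msin": digits[3 + mnc_length:]}


if __name__ == "__main__":
    print(parse_imei(SAMPLE_IMEI))
    print(parse_imsi(SAMPLE_IMSI_3DIGIT_MNC, mnc_length=3))
    print(parse_imsi(SAMPLE_IMSI_2DIGIT_MNC))
```

The TAC returned here can then be looked up on a TAC database such as the site named in 4.4 to identify the handset model.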

5.1. SIM Card Forensics




In mobile forensics, the SIM card plays a crucial role as it contains vital
information beyond just identifying the user. The SIM is a type of smart card,
consisting of a processor and memory, making it capable of storing various types
of data. Investigators can retrieve valuable evidence from a SIM card, such as:

1. Contact Information: Stored phone numbers and contact names.

2. Call Logs: Information on incoming and outgoing calls.

3. Short Message Service (SMS): Stored text messages.

4. Location Data: Last connected cell towers and location updates.

5. Service Provider Information: Details about the network provider and country.

6. Network Keys: Encrypted data that secures communication between the mobile device and the network.

5.2. Accessing SIM Data

Accessing the data stored on a SIM card can be challenging, especially if the card
is PIN-protected. Typically, a SIM card PIN is a 4-digit code, although it can be up
to 8 digits. For an investigator to gain access:

1. PIN Attempts: There are three attempts allowed to input the correct PIN.
After three incorrect attempts, the SIM card becomes locked.

2. Personal Unblocking Key (PUK): Once locked, the investigator or user must enter a PUK (Personal Unblocking Key, also called a Personal Unblocking Code, or PUC) to unlock the SIM. This code is usually obtained from the mobile network provider, and it is necessary to regain access to the SIM data.

3. PUK Functionality: Entering the correct PUK will disable the PIN protection, allowing access to the stored data.

5.3. SIM Card Cloning in Forensics




Forensic examiners often clone SIM cards as a best practice to avoid manipulating the original card during the examination. SIM cloning is the process of creating an exact copy of the SIM card onto another SIM, which allows investigators to conduct analysis without risking damage or alteration to the original data. Cloning ensures the preservation of the original evidence and enables more efficient investigations. Several mobile forensic tools enable the cloning process.

Why Clone a SIM?

1. Data Integrity: Preserves the original SIM card in its exact state for later use
or verification.

2. Risk Mitigation: Avoids data corruption or accidental overwriting of information during analysis.

3. Efficiency: Allows the forensic investigator to conduct multiple tests or attempts without the risk of damaging the original SIM.

5.3.1. Tools for SIM Cloning

There are several tools available in mobile forensics to clone SIM cards. These
tools ensure that the clone is an exact duplicate of the original SIM, preserving
the evidence. Some common tools used in SIM card cloning and analysis include:

Cellebrite UFED: A widely used mobile forensic tool that supports the
extraction and analysis of SIM data, as well as SIM cloning.

MOBILedit Forensic Express: A tool that provides the capability to clone SIM
cards and extract SMS, contacts, and other important data.

XRY by MSAB: Another forensic solution that allows SIM card cloning and
extraction of evidence from mobile devices and SIM cards.

5.4. Challenges in SIM Card Forensics




1. Encryption: Some modern SIM cards may have encryption mechanisms that
make it difficult to retrieve data.

2. PIN/PUK Protection: A PIN-protected SIM limits access until a PUK can be obtained from the carrier.

3. Network Dependencies: While the SIM contains user-related data, certain forensic information (like communication content) may need to be retrieved from the service provider, adding an extra layer of complexity.

4. Data Retention: SIM cards have limited storage capacity, so certain logs and
messages may not be retained for long periods, especially in cases of heavy
usage.

6.0. Methods for Screen Lock Bypass

6.1. Commercial Screen Lock Bypass Tools:

Commercial tools provide the highest success rates for bypassing screen locks
with minimal risk of data loss. These tools are available for both Android and iOS
devices. Examples include dr. fone – Unlock, iSkysoft ToolBox, and Pangu FPR
Unlocker Tool. They are user-friendly, support a wide range of models, and offer
reliable bypass solutions.

6.2. Flashing Custom Recovery/ROM:

This method is commonly used by developers for Android devices. It involves flashing the phone with a custom recovery, which is software that allows for advanced modifications. It’s important to ensure the custom recovery is compatible with the specific device model to avoid issues. This method is technical and often used in development environments.

6.3. Manual Extraction

Manual extraction is one of the simplest and least invasive techniques in forensic examinations. It is straightforward, making it ideal for law enforcement or professionals who are less familiar with advanced technical methods. With this technique, investigators can manually select and extract only the data they need, saving time and avoiding the complexity of full data imaging. A tool like AFLogical OSE by NowSecure is effective for this process.

6.4. Jailbreak vs. No Jailbreak (iOS)

Jailbreaking is a method used to remove the software restrictions Apple places on iOS devices. It works by applying a series of kernel patches to give root access to the device. Jailbreaking enables users to install apps, extensions, and themes not available through the official Apple App Store. However, jailbreaking is not always necessary, and its use depends on the need for unrestricted access to the device’s operating system.

7. Location and GPS Data Forensics

Location and GPS data forensics is a crucial area of mobile forensics that involves
identifying, extracting, and analyzing location-based data from mobile devices.
This data is often used in investigations to track movements, establish patterns,
and provide evidence in criminal cases or civil disputes. The following notes
expand on the key subtopics in this area.

7.1. Tracking Location Information

Tracking location information refers to the process of obtaining data that indicates the geographical position of a mobile device over time. This can include GPS coordinates, Wi-Fi connection logs, Bluetooth interactions, and cell tower information.

a. Importance in Investigations: Location data can help establish a suspect’s or victim’s whereabouts at a particular time, correlate them to crime scenes, and provide timelines for investigative purposes.

b. Sources of Location Data: Mobile devices store location data in various ways, such as GPS logs, app data (e.g., Google Maps, fitness trackers), metadata in photos, and embedded location information in messaging apps or social media posts.




7.2. Understanding GPS and Cell Tower Data

Understanding how GPS and cell tower data work is critical in forensic analysis.

a. GPS Data: Global Positioning System (GPS) relies on satellites to determine the exact geographical location of a device. It is highly accurate, typically providing location within a few meters, and is often used in apps like navigation or tracking services.

i. Key Attributes: Latitude, longitude, altitude, and timestamp are the most common elements.

ii. Forensic Relevance: GPS data can pinpoint exact locations and
movement paths, which is highly valuable in investigations.

b. Cell Tower Triangulation: When GPS data is unavailable (e.g., inside buildings or areas with poor signal), cell tower triangulation can estimate a device's location based on its connection to nearby cellular towers.

i. Accuracy: Cell tower triangulation is less accurate than GPS but can
provide a general idea of a device's location within a larger radius.

ii. Forensic Use: Useful when GPS data is absent or deliberately disabled,
such as in cases where a mobile device was in a rural or dense urban
area with limited satellite connectivity.

7.3. Extracting and Interpreting Location Metadata

Location metadata refers to the underlying data that stores location-related information, often embedded in files or app records.

a. Sources of Metadata: Metadata can be found in various files and apps, including:

i. Photos and Videos: Images often contain EXIF (Exchangeable Image File Format) data, which can include GPS coordinates.




ii. Messaging Apps: Many messaging platforms, such as WhatsApp or iMessage, attach location metadata to media files or even text messages if location sharing is enabled.

iii. Apps: Apps like Google Maps or Facebook also record precise location
metadata in user activity logs.

b. Interpretation of Metadata:

i. Geolocation and Time Data: Extracting coordinates and timestamps is critical in correlating location with other forensic evidence, such as timestamps on texts or calls.

ii. Temporal Analysis: By looking at the sequence of location data, forensic analysts can reconstruct the timeline of a user’s movement and detect anomalies such as stops, detours, or deviations from known routes.
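An added example, not from the handout, of the extraction and temporal analysis described in 7.3: it converts EXIF GPS tags (degree/minute/second rationals plus the N/S and E/W reference letters, and the GPS date and time stamps) into decimal coordinates, orders the fixes by time, and flags legs whose implied speed is implausible. The tag values of the three photos are constructed.

```python
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed EXIF GPS IFD values for three photos (not real case data). EXIF stores latitude and
# longitude as three (numerator, denominator) rationals for degrees, minutes and seconds plus an
# N/S or E/W reference, and the GPS clock as 'YYYY:MM:DD' plus three rationals for h, m, s.
PHOTO_TAGS = [
    {"file": "IMG_0003.jpg", "GPSLatitudeRef": "N", "GPSLatitude": ((48, 1), (51, 1), (0, 1)),
     "GPSLongitudeRef": "E", "GPSLongitude": ((2, 1), (21, 1), (0, 1)),
     "GPSDateStamp": "2024:03:01", "GPSTimeStamp": ((10, 1), (30, 1), (0, 1))},
    {"file": "IMG_0001.jpg", "GPSLatitudeRef": "N", "GPSLatitude": ((51, 1), (30, 1), (0, 1)),
     "GPSLongitudeRef": "W", "GPSLongitude": ((0, 1), (7, 1), (30, 1)),
     "GPSDateStamp": "2024:03:01", "GPSTimeStamp": ((9, 1), (0, 1), (0, 1))},
    {"file": "IMG_0002.jpg", "GPSLatitudeRef": "N", "GPSLatitude": ((51, 1), (31, 1), (0, 1)),
     "GPSLongitudeRef": "W", "GPSLongitude": ((0, 1), (6, 1), (0, 1)),
     "GPSDateStamp": "2024:03:01", "GPSTimeStamp": ((10, 1), (0, 1), (0, 1))},
]


def dms_to_decimal(dms, ref: str) -> float:
    """Degrees/minutes/seconds rationals plus an N/S/E/W reference to signed decimal degrees."""
    deg, minutes, seconds = (num / den for num, den in dms)
    value = deg + minutes / 60 + seconds / 3600
    return -value if ref in ("S", "W") else value


def exif_gps_fix(tags: dict) -> dict:
    """One timestamped fix from a photo's GPS tags (the GPS time stamp is UTC by definition)."""
    lat = dms_to_decimal(tags["GPSLatitude"], tags["GPSLatitudeRef"])
    lon = dms_to_decimal(tags["GPSLongitude"], tags["GPSLongitudeRef"])
    h, m, s = (int(num // den) for num, den in tags["GPSTimeStamp"])
    when = datetime.strptime(tags["GPSDateStamp"], "%Y:%m:%d").replace(
        hour=h, minute=m, second=s, tzinfo=timezone.utc)
    return {"file": tags["file"], "lat": round(lat, 6), "lon": round(lon, 6), "time": when}


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in kilometres between two decimal-degree points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 6371.0 * 2 * asin(sqrt(a))


def build_timeline(fixes: list, max_kmh: float = 300.0) -> list:
    """Order fixes by time and flag legs whose implied speed is implausible.

    A flagged leg proves nothing on its own: a wrong device clock, a photo that was received
    rather than taken, or edited metadata all produce the same symptom and must be checked.
    """
    ordered = sorted(fixes, key=lambda f: f["time"])
    legs = []
    for prev, cur in zip(ordered, ordered[1:]):
        km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
        hours = (cur["time"] - prev["time"]).total_seconds() / 3600
        kmh = km / hours if hours > 0 else float("inf")   # same time stamp, different place
        legs.append({"from": prev["file"], "to": cur["file"], "km": round(km, 1),
                     "kmh": round(kmh, 1), "suspicious": kmh > max_kmh})
    return legs


def analyse_sample() -> list:
    """Run the whole pipeline over the constructed photo tags."""
    return build_timeline([exif_gps_fix(t) for t in PHOTO_TAGS])


if __name__ == "__main__":
    for leg in analyse_sample():
        print(leg)
```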

7.4. Mapping Techniques for Forensics

Mapping techniques are employed in mobile forensics to visualize and analyze the extracted location data. This is essential for presenting data in a way that is understandable to investigators, lawyers, and juries.

a. Visualizing Movement Paths: Using specialized software, forensic investigators can map the movement of a device across a geographical area over time. This can help establish:

i. Patterns of Movement: Regular locations like home, work, or frequent travel paths.

ii. Behavioral Insights: Deviations from normal patterns that may indicate suspicious activity.

iii. Correlations with Crime Scenes: Identifying whether the device was
near crime scenes or relevant locations during key timeframes.




b. Tools for Mapping:

i. Geospatial Tools: GIS (Geographical Information Systems) tools allow forensic experts to overlay location data onto digital maps, which can include routes, timestamps, and other contextual information.

ii. Automated Mapping: Some forensic tools, like Cellebrite or Magnet AXIOM, have built-in capabilities to generate maps and timelines based on location data extracted from mobile devices.

7.5. Use of Tools like Google Earth and OpenStreetMap

Free, widely accessible tools like Google Earth and OpenStreetMap play a
significant role in forensic analysis by providing detailed, real-world geographical
data to visualize extracted location information.

a. Google Earth:

i. Allows forensic investigators to input GPS coordinates and visually examine the terrain and geographical details of the area.

ii. Offers historical satellite imagery, which can be helpful when investigating past events or identifying changes in a location over time.

iii. Features like Street View provide ground-level perspectives, which can
be used to validate certain forensic findings, such as the visibility of
landmarks or potential witnesses.

b. OpenStreetMap:

i. A collaborative mapping project offering open-source geographic data, particularly useful for investigations in regions where commercial tools might lack sufficient detail.

ii. Can be used to cross-reference other location data, especially in rural or underrepresented areas where satellite imagery may not be as comprehensive.




c. Advantages of Using Public Tools:

i. Cost-effective: Since these tools are free, they are accessible to investigators without the need for specialized or expensive forensic software.

ii. Integration with Forensic Tools: Many forensic software platforms allow integration with tools like Google Earth for real-time mapping and analysis.
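An added example (not from the handout) of handing extracted fixes to Google Earth as described in 7.5: it writes a KML document with one time-stamped Placemark per fix, so Google Earth's time slider can animate the movement, plus a LineString for the path, and reads the points back as a round-trip check. The fixes are constructed values already converted to decimal degrees and UTC.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

KML_NS = "http://www.opengis.net/kml/2.2"

# Constructed fixes (decimal degrees, UTC); not real case data. Deliberately out of time order.
SAMPLE_FIXES = [
    {"name": "IMG_0002.jpg", "lat": 51.516667, "lon": -0.1,
     "time": datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)},
    {"name": "IMG_0001.jpg", "lat": 51.5, "lon": -0.125,
     "time": datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)},
    {"name": "cell site 42 (CDR)", "lat": 51.53, "lon": -0.08,
     "time": datetime(2024, 3, 1, 10, 45, tzinfo=timezone.utc)},
]


def _el(parent, tag, text=None):
    """Create a namespaced KML child element, optionally with text."""
    child = ET.SubElement(parent, f"{{{KML_NS}}}{tag}")
    if text is not None:
        child.text = text
    return child


def fixes_to_kml(fixes: list) -> str:
    """KML with one time-stamped Placemark per fix and a LineString joining them in time order."""
    ET.register_namespace("", KML_NS)
    kml = ET.Element(f"{{{KML_NS}}}kml")
    doc = _el(kml, "Document")
    _el(doc, "name", "device movement (constructed sample)")
    ordered = sorted(fixes, key=lambda f: f["time"])
    for fix in ordered:
        pm = _el(doc, "Placemark")
        _el(pm, "name", fix["name"])
        _el(_el(pm, "TimeStamp"), "when", fix["time"].strftime("%Y-%m-%dT%H:%M:%SZ"))
        # KML coordinate order is lon,lat[,alt]; swapping the two plots the point in the wrong place.
        _el(_el(pm, "Point"), "coordinates", f"{fix['lon']},{fix['lat']},0")
    path = _el(doc, "Placemark")
    _el(path, "name", "path")
    _el(_el(path, "LineString"), "coordinates",
        " ".join(f"{f['lon']},{f['lat']},0" for f in ordered))
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(kml, encoding="unicode")


def kml_point_coordinates(kml_text: str) -> list:
    """Read back the Point coordinates of every Placemark, in document order (round-trip check)."""
    root = ET.fromstring(kml_text.encode("utf-8"))
    coords = []
    for pm in root.iter(f"{{{KML_NS}}}Placemark"):
        point = pm.find(f"{{{KML_NS}}}Point/{{{KML_NS}}}coordinates")
        if point is not None:
            coords.append(point.text)
    return coords


if __name__ == "__main__":
    print(fixes_to_kml(SAMPLE_FIXES))
```

Save the printed text as a .kml file and open it in Google Earth; the same file loads in any GIS tool that reads KML.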
