Five Quick Tips For Using Google Earth In Mobile Forensic Investigations

Mobile forensic tools like Cellebrite and XRY allow you to export evidence that contains geo-location information. However, when this information is exported, and even reported, from within these tools, it can still lack context and meaning. The examiner must further work with the resulting KMZ export within Google Earth to make the evidence presentable to other investigators or in court proceedings.

If you have ever been frustrated and wondered “What now?” when looking at a KMZ file given to you by an analyst or one you have exported yourself, you aren’t alone. I have asked myself the same question. In fact, asking that question led me to write my own class and book on the subject – Google Earth In Forensic Investigations. I’ve taken five quick tips from my research to help you in shaping your own geo-location cases in Google Earth.

Google Earth Forensic Tip #1 — Use HTML

Not many people know that you can use Hypertext Markup Language or HTML in the feature balloon description box within Google Earth. HTML is extremely useful to help format text for readability, add links to further forensic reports or images to enhance the location.

Feature Balloon in Google Earth showing HTML enhancement

Even knowing a few basic HTML tags such as <br> and <p> can help the readability of your geo-location feature. There are loads of HTML tutorials on the web, and since it involves straight text and markup tags it's actually really easy to learn — unlike a lot of programming languages. I encourage you to learn some HTML for your Google Earth cases – you will be pleased with the results in your forensic work.

Google Earth Forensic Tip #2 — Organize!

The location features in your KMZ file may make sense to you, but are you looking at them from the viewpoint of an investigator or even someone further removed from the case, such as a prosecutor? As you begin to work on your exported geo-location evidence KMZ file in Google Earth, it is a good idea to separate similar features — for instance features in the same locations or having the same theme — into folders. Not only does this help you to keep from getting lost in the ‘weeds’ of your work, it helps the investigators and others who view the end result filter details of the case.

Google Earth Forensic Tip #3 — Think Visually

Unless you are looking at images or movies in a digital forensic case report, you are usually looking at plain text or hexadecimal. Geo-location evidence, while containing elements of this type of data — date and time stamps or coordinates — can mean nothing if not put in a proper visual context. This is a real strength of using Google Earth in your mobile forensic cases: it allows you to give visual context to the coordinates that are extracted from the smartphone or GPS device.

Visual context makes a powerful impact on people — so remember to think visually and use Google Earth to tell a story by showing people the narrative of your geo-location evidence.

Google Earth Forensic Tip #4 — Branding

I’m not talking about coming up with a catchy slogan or tweeting about your forensic case — but putting an agency logo overlay on top of your evidence locations in Google Earth puts a professional polish on the case and can also help warn others that the file contains sensitive information. In addition to logos, other overlays such as legends or banners can be added to your Google Earth forensic KMZ — the possibilities are limited only by your imagination.

Agency Logo and Legend Overlaid In Google Earth

Google Earth Forensic Tip #5 — Learn KML

This tip requires a little more work — but not much more than tip #1. KML stands for Keyhole Markup Language and is the underlying markup language that the Google Earth program uses to display details in its 3D viewer. KML is a descendant of the Extensible Markup Language or XML. XML also consists of text and markup tags called ‘elements’. Learning KML allows for greater control of the Google Earth program and how it displays information. I’ve used KML to create timelines and to get rid of the annoying directions link at the bottom of the feature balloon.

The Directions link Removed From The Google Earth Feature Balloon

Though there is a slight learning curve and it sometimes takes some debugging, learning KML is a useful skill to have in your bag. You can get a basic KML tutorial from Google, though sometimes the best way to learn is to look at others' code and cobble up your own from that.
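
Tips #1, #2 and #5 combined, as an added example that is not the author's code or material from his course: a Python script that writes KML with one folder per theme, HTML balloon descriptions and timestamps. The records, field names and function names are constructed for illustration.

```python
import html
import xml.etree.ElementTree as ET

KML_NS = "http://www.opengis.net/kml/2.2"

# Constructed sample records (not from a real case); field names are assumptions.
SAMPLE_POINTS = [
    {"theme": "Photos", "name": "IMG_0012.jpg", "lat": 42.9709, "lon": -82.4249,
     "when": "2012-03-01T14:05:00Z", "note": "EXIF GPS, album <camera roll>"},
    {"theme": "Photos", "name": "IMG_0013.jpg", "lat": 42.9752, "lon": -82.4301,
     "when": "2012-03-01T14:20:00Z", "note": "EXIF GPS"},
    {"theme": "Cell towers", "name": "Tower 4411", "lat": 42.9800, "lon": -82.4400,
     "when": "2012-03-01T14:22:00Z", "note": "Serving cell at call start"},
]

def q(tag):
    """Qualify a tag name with the KML namespace."""
    return "{%s}%s" % (KML_NS, tag)

def balloon_html(rec):
    """HTML for the feature balloon. Evidence-derived strings are escaped so
    text pulled from a device cannot add its own markup to the balloon."""
    return "<p><b>{}</b><br>Time (UTC): {}<br>Note: {}</p>".format(
        html.escape(rec["name"]), html.escape(rec["when"]), html.escape(rec["note"]))

def build_kml(records):
    """Return a KML string with one Folder per theme and one Placemark per record."""
    ET.register_namespace("", KML_NS)
    kml = ET.Element(q("kml"))
    doc = ET.SubElement(kml, q("Document"))
    folders = {}
    for rec in records:
        if rec["theme"] not in folders:
            folders[rec["theme"]] = ET.SubElement(doc, q("Folder"))
            ET.SubElement(folders[rec["theme"]], q("name")).text = rec["theme"]
        pm = ET.SubElement(folders[rec["theme"]], q("Placemark"))
        ET.SubElement(pm, q("name")).text = rec["name"]
        # ElementTree entity-escapes this text; Google Earth accepts that or CDATA.
        ET.SubElement(pm, q("description")).text = balloon_html(rec)
        # TimeStamp lets Google Earth's time slider order the points.
        ET.SubElement(ET.SubElement(pm, q("TimeStamp")), q("when")).text = rec["when"]
        # KML coordinate order is longitude,latitude,altitude.
        ET.SubElement(ET.SubElement(pm, q("Point")), q("coordinates")).text = (
            "{},{},0".format(rec["lon"], rec["lat"]))
    return ET.tostring(kml, encoding="unicode")

if __name__ == "__main__":
    print(build_kml(SAMPLE_POINTS))
```

Save the output with a .kml extension and open it in Google Earth; each theme appears as its own folder in the Places panel.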

So there you have it, five tips for using Google Earth with exported geo-location evidence in mobile forensic cases. I hope that the tips help you and spark your imagination in how to use Google Earth in your forensic endeavors.

If you want more detailed information on geo-location forensics and using Google Earth, check out my Google Earth In Forensic Investigations course. Drop me a line or a comment about the article — I appreciate all constructive feedback!

7 comments

    • numenorian

      Thanks Matt! I agree, with just a little bit of elbow grease you can make a compelling visual case for your geo-evidence in Google Earth.

  1. Don McIntyre

    Mike –

    Good tool. However, I’ve reconsidered using aerial imagery in court, except for closeup situations (i.e. the defendant running down the alley scenario). I noticed more than once, a few jurors really (way more than normal) concentrating on the aerial. After trial, I queried those witnesses and they told me they were “Looking for their relative's house” or “counting the swimming pools in their subdivision”, etc.
    Uh, not good. Really not good to have the jurors' attention wander.

    So we’ve been using either Maps by Google or Microsoft's Streets and Trips software. For closeup imagery, I’ve used various; G/E, Bing (especially the oblique view) or our county purchased aerials.

    Regards –
    Don McIntyre – St. Clair County Prosecutor’s Office – Port Huron, MI

    • numenorian

      Don-

      Thanks for your reply. You never know what a jury is going to do, do you? It's something to keep in mind – in my Google Earth class and book I talk about using perspectives and angles to present the case narrative. This would be a good instance where you would want to use the camera in Google Earth to keep attention focused on just the route the suspect took or the placemarks at the scene.

      You can look at the placemarks you have placed in Google Earth in Google Maps from within the 3D viewer – and then take a snapshot from within the tool as well. Google Maps now supports KML/KMZ files created in Google Earth, including support for overlays etc- but this requires that the file be hosted on a web server. It would be worth exploring how to make a local webserver to harness the Google Maps API to use this function and still keep it from being propagated. Thinking off the top of my head perhaps the XAMPP project and Dynamic DNS?

      Google Earth is so feature rich and best of all ‘free’. It would be a shame not to use it. Microsoft maps and Google Maps are great, though the latter is not free and both don’t have the nice visual tools that can add punch to your presentations.

      Good food for thought. Thanks for reading!

  2. Mattias

    Great post. Have had thoughts about using Google Earth and KML files but never done it in real-life situations.
    How does the information flow go, or does Google Earth work offline?
    If I have a KML file with GEO points that the suspect or suspects have been or at least their hardware has been, can I be sure that none of that information will be sent over the network and only map areas will get pulled down?
    Mattias

    • numenorian

      Mattias-

      All work done in GE is local unless you explicitly tell it to share your maps – the master KML file is stored at the following locations

      C:\Documents and Settings\username\Application Data\Google\GoogleEarth\myplaces.kml (XP)
      C:\Users\username\AppData\Roaming\Google\GoogleEarth\myplaces.kml (Vista)
      C:\Users\\AppData\LocalLow\Google\GoogleEarth (Windows 7)

      “Macintosh HD” > username > “Library” > “Application Support” > “Google Earth” > “myplaces.kml” (Mac)

      Linux:
      /home/username/.googleearth/
      or more generically
      ~/.googleearth/
      (~/ is a shortcut for your own home directory).

      I would never recommend internet access at a trial like Don says, however GE has a nifty record feature that allows you to record what you are seeing in the 3D viewer. You can even lay down voice narration. This allows you to present your evidence in a controlled manner – and can be done offline.

      GE itself does work offline – you cannot download new imagery though. However, the last imagery that Google Earth has cached is still available.
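
On the question in this exchange about what a KML file can pull over the network: KML NetworkLink and href elements, and HTML in balloon descriptions, can point at remote URLs. The following is an added example, not code from the post or its commenters, that lists every such URL in a KML or KMZ file so it can be reviewed before the file is opened on a connected machine; the sample KML and function names are constructed.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

URL_RE = re.compile(r"(?:https?|ftp)://[^\s\"'<>]+", re.I)

# Constructed sample KML: one remote NetworkLink, one local overlay icon,
# and one balloon whose HTML loads a remote image.
SAMPLE_KML = b"""<kml xmlns="http://www.opengis.net/kml/2.2"><Document>
<NetworkLink><Link><href>http://example.invalid/feed.kml</href></Link></NetworkLink>
<ScreenOverlay><Icon><href>files/logo.png</href></Icon></ScreenOverlay>
<Placemark><description><![CDATA[<img src="http://example.invalid/pin.png">Scene]]>
</description></Placemark>
</Document></kml>"""

def kml_documents(data):
    """Yield (name, bytes) for each .kml inside a KMZ, or for a bare KML file."""
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as kmz:
            for name in kmz.namelist():
                if name.lower().endswith(".kml"):
                    yield name, kmz.read(name)
    else:
        yield "doc.kml", data

def remote_references(data):
    """Return (file, element, url) for every URL a viewer could fetch."""
    findings = []
    for name, raw in kml_documents(data):
        root = ET.fromstring(raw)  # use a hardened parser for untrusted files
        parent_of = {child: parent for parent in root.iter() for child in parent}
        for el in root.iter():
            tag = el.tag.rsplit("}", 1)[-1]
            if tag == "href":
                where = parent_of[el].tag.rsplit("}", 1)[-1] + "/href"
            elif tag in ("description", "text"):
                where = tag
            else:
                continue
            findings += [(name, where, url) for url in URL_RE.findall(el.text or "")]
    return findings

if __name__ == "__main__":
    for finding in remote_references(SAMPLE_KML):
        print(*finding)
```

An empty result means the file only references local or archive-relative resources; the base imagery itself still comes from Google's servers or the local cache.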

  3. Don McIntyre

    Mattias –

    While G/E would be fine for the investigative stages of an investigation, we’ve (plural, I’m part of a group that teaches visual trial techniques for our state association) never recommended using any program that needs internet access during any part of the trial. We don’t even recommend depending on access to the county LAN. Murphy can strike in the form of the IT Department deciding to reboot a server right in the middle of the trial. The one advantage of MS’s Streets and Trips is that it allows for easy importation of a spreadsheet that has lat/long columns. Disadvantage of S&N is that the maps, visually are not great. I prefer GoogleMaps for an overall view, then G/E for closeup work, as mentioned in a previous post.

    Regards – Don
