Mobile forensic tools like Cellebrite and XRY allow you to export evidence that contains geo-location information. However when this information is exported and even reported from within these tools it can still lack context and meaning. The examiner must further work with the resulting KMZ export within Google Earth to make the evidence presentable to other investigators or in court proceedings.
If you have ever been frustrated and wondered “What now?” when looking at a KMZ file given to you by an analyst or one you have exported yourself, you aren’t alone. I have asked myself the same question. In fact, asking that question lead me to write my own class and book on the subject – Google Earth In Forensic Investigations. I’ve taken five quick tips from my research to help you in shaping your own geo-location cases in Google Earth.
Google Earth Forensic Tip #1 — Use HTML
Not many people know that you can use Hypertext Markup Language or HTML in the feature balloon description box within Google Earth. HTML is extremely useful to help format text for readability, add links to further forensic reports or images to enhance the location.
Even knowing a few basic HTML tags such as <br> and <p> can help the readability of your geo-location feature. There are loads of HMTL tutorials on the web and since it involves straight text and markup tags its actually really easy to learn — unlike a lot of programming languages. I encourage you to learn some HTML for your Google Earth cases – you will be pleased with the results in your forensic work.
Google Earth Forensic Tip #2 — Organize!
The location features in your KMZ file may make sense to you, but are you looking at them from the viewpoint of an investigator or even someone further removed from the case such as a prosecutor? As you you begin to work on your exported geo-location evidence KMZ file in Google Earth, it is a good idea to separate similar features — for instance features in the same locations or having the same theme — into folders. Not only does this help you to keep from getting lost in the ‘weeds’ of your work, it helps the investigators and others who view the end result filter details of the case.
Google Earth Forensic Tip #3 — Think Visually
Unless you are looking at images or movies in a digital forensic case report, you are usually looking at plain text or hexadecimal. Geo-location evidence, while containing elements of this type of data — date and time stamps or coordinates — can mean nothing if not put in a proper visual context. This is a real strength of using Google Earth in your mobile forensic cases, it allows you to give visual context to the coordinates that are extracted from the smart phone or GPS device.
Visual context makes a powerful impact on people — so remember to think in visually and use Google Earth to tell a story by showing people the narrative of your geo-location evidence.
Google Earth Forensic Tip #4 — Branding
I’m not talking about coming up with a catchy slogan or tweeting about your forensic case — but putting an agency logo overlay on top of your evidence locations in Google Earth puts a professional polish to the case and can also help warn others that the file contains sensitive information. In addition to logos other overlays such as legends or banners an be added to your Google Earth forensic KMZ — the possibilities are limited only by your imagination.
Google Earth Forensic Tip #5 — Learn KML
This tip requires a little more work — but not much more than tip #1. KML stands for Keyhole Markup Language and is the underlying markup language that the Google Earth program uses to display details in its 3D viewer. KML is a descendant of the Extensible Markup Language or XML. XML also consists of text and markup tags called ‘elements’. Learning KML allows for greater control of the Google Earth program and how it displays information. I’ve used KML to create timelines and to get rid of the annoying directions link at the bottom of feature balloon.
Though there is a slight learning curve and sometimes takes some debugging, learning KML is a useful skill to have in your bag. You can get a basic KML tutorial from Google, though sometimes the best way to learn is to look at others code and cobble up your own from that.
So there you have it, five tips for using Google Earth with exported geo-location evidence in mobile forensic cases. I hope that the tips help you and spark your imagination in how to use Google Earth in your forensic endeavors.
If you want more detailed information on geo-location forensics and using Google Earth, check out my Google Earth In Forensic Investigations course. Drop me a line or a comment about the article — I appreciate all constructive feedback!
Well, I just wasted hours of my life that I’ll never get back.
“But Mike,” you say concerned, “Whatever do you mean? How can I help?”
You see, I foolishly tried to install a copy of Windows 8 64 bit as my OS to use with Cellebrite’s Physical Analyzer and MSAB’s XRY Complete. And I got…bubkes.
Oh the software seemed to run right, yes indeedy. But the dongles wouldn’t work. Neither WIBU or HASP.
“Mike, did you check to see if Win 8 was supported by Cellebrite or MSAB?”
I thought I’d give it a shot. I wanted it to work. I figured as long as I was updating my wheezy XP box, I’d go to the latest OS….
…and I got burned. No soup for me.
Ahh, well at least I’m a good example. Three things though
1. Dongle vendors UPDATE YOUR DRIVERS
2. DON’T TRY TO USE WIN 8 for PA or XRY (yet!)
3. Don’t be like me – RTFM!
Have a good one 😉