In this episode, I want to clarify some misunderstandings about the timestamps associated with carved locations.

In Physical Analyzer, you can carve for locations when loading the extraction in the case wizard, or you can do it after the fact by going to Tools > Get more data (Carving) > Carve locations.

When you carve for locations, what you are going to notice at the bottom of the screen is a little pickaxe which means it is carved. When you see a timestamp associated with a carved location, you must understand what this means. It does not mean the device was in that location at the time. Nor does it mean that the user searched for a location or shared a location at that time.

This timestamp represents the last time that service saw that particular location.

You must verify carved locations. Place the cursor on a location of interest and look at the right-hand side, where you will see the Source file. As you click on different files under Position, you will see that the source locations change. As you go through them, you must ensure that the source validates that artifact.

A short movie and a cheat sheet covering the location artifacts you can trust on both Android and iOS are available on Cellebrite’s website. Go to Resources, look for I Beg to DFIR, and you will see Location Artifacts. Please make use of this file, because it is extremely important that you understand which locations you can trust and what the timestamps mean, so that you can put the truth behind the artifact.

Watch the full episode to learn more.
