How Cellebrite Inspector’s Cluster Map Feature Can Unlock Valuable Location Data
Reviewing location data stored on devices has become a crucial part of many investigations. GPS coordinates stored across digital devices can provide valuable insights about where the user has been, and where pictures and video files were created. Location data can corroborate information that can place the subject at a location during a specific time period. Conversely, it can show that the subject was not at a location in question at all.
Location data can also be used to help identify victims seen in pictures and videos. I once worked on a case where the subject had pictures of many victims whose identities were unknown. The subject, who typically met the victims at their homes, took the photos using his iPhone. The GPS coordinates in the picture files were used to locate and identify the victims. Additional charges were added for each additional victim located and identified.
While Cellebrite Inspector has always provided geolocation filters to locate files with GPS data, access to offline maps, the ability to export location data to kmz, and a link to view data in Google Maps, the addition of the cluster map provide a visual way to view and analyze location data.
Locations stored in Google Maps and Apple Maps searches, bookmarks, dropped pins, and old tags, as well as media files and calendar items, are all shown as data points on the new cluster map. Also, social media apps that contain geolocation data are parsed into the cluster map.
Accessing the Cluster Map
The cluster map is generated in the “Locations” tab, in the “Map View” subview. While apps may store different pieces of data, at minimum, latitude and longitude are displayed. The map is generated using map tiles, installed on the system with the Cellebrite Inspector installer, based on OpenStreetMap. You no longer have to download and install the map pack separately.
All data containing geolocation information is represented on the cluster map by a blue dot. Densely populated regions of the map also display a numerical value indicating the number of data items mapped in that region.
Using the Cluster Map
The cluster map allows you to zoom out and in, accessed via the slide bar on the lower right side of the map. When zooming, the map will automatically focus on the area of the map centered in the window. To change the focus of the map, hold down the mouse button on the map and drag until the desired region is in the center of the window. After you zoom in, if the desired region is not in the window, drag the map until you see the region of interest.
As you zoom in, the map tile sizes change. You will be able to see the data associated with a map tile by clicking on the tile. Once a map tile is selected, it will be highlighted. All data points mapped in the selected map tile are displayed on the right side of the map (the right side of the ‘Content Pane’). The information for each data point may include Service, Date, Type, Name, Address, Latitude, Longitude, Distance, Altitude, Accuracy, and Speed.
Some data points will not contain all of this information, but if it is available, it will be parsed. You can select a specific data point by either clicking on a blue dot on the map or selecting an item listed on the right side of the ‘Content Pane.’ Once a data point is selected, the dot on the map changes to pink, and the corresponding data listed on the right is highlighted. A preview of the file containing the data point can be seen using the Preview tab in the ‘File Content Viewer.’
Sorting and Filtering Cluster Map
To better isolate data of interest, data can be sorted and filtered. Once you zoom in on a region of interest and select a map tile, you can sort the data points in that map tile by the latitude and longitude columns. All data points for the same location will be group together.
Another option for focusing the view is to use a filter. Filters can be created using any of the fields parsed. In the example below, the filter isolates picture files created between 1/1/2014 and 3/1/2014.
Next Level Analysis
So let’s say during your analysis you’ve identified and tagged picture files that are of interest, and you would like to see where these pictures were taken on the cluster map. Using the File Filter tab, you can filter for the tagged files. Highlight the files and export them to and .L01.
Learn more about Cellebrite Inspector here.