The value of collecting evidence from GPS devices has been well established over the last several years. GPS evidence has played a major role in several high-profile cases ranging from terrorism to homicide to kidnapping. As investigators, we tend to focus on collecting evidence as part of criminal investigations. However, GPS evidence can also play a significant role in many other types of investigations, such as accident reconstruction and search and rescue cases.
Most investigators think in terms of being able to obtain GPS evidence in the form of the “breadcrumb trail” known as trackpoints, but much more data is available from these devices. This article will provide some basic information on the types of evidence and devices an investigator may come across.
Standard GPS Data
There are four main types of data that are consistently available across almost all GPS devices. These data types can be divided into two categories: system-level information and user-inputted data.
- Trackpoint: A trackpoint is a location stored by the unit as a record of where the GPS has been. When the GPS unit is turned on and has acquired satellites, it will begin to record an "electronic breadcrumb trail." The trackpoints are created automatically by the unit and cannot be changed by the user. By default, the unit automatically decides how often to create trackpoints. The user may also specify that trackpoints be created at a specific time or distance interval.
- Track Log: The track log is the complete list of trackpoints that the unit has created. This track log is created such that if a user wants to retrace his or her steps, it is possible to perform a TrackBack. The unit will then navigate the user from point to point in the track log to take the user back to his or her starting location.
- Waypoint: A waypoint is a location that a user stores in the GPS. This location can be a point where the user was physically present and wanted to store, or it can be a location that the user enters into the unit from coordinates, as an address, or selects a point of interest (POI) to which the user wants to navigate in the future.
- Route: A route is a series of waypoints that the user wants the unit to navigate in a specific order. The advantage of using a route is that upon arrival at an intermediary waypoint, the unit automatically starts navigating the user to the next waypoint in the route.
Generally speaking, system-level information like trackpoints can be used to prove actions, as it shows that a device has been to a specific location. User data like waypoints can be used to show intent: user-inputted data does not prove that the device has been to the location specified in the waypoint, but it can show intent to go to that location.
There are four main categories of GPS devices or portable navigation devices—Automotive, Aviation, Maritime, and Handheld—the most popular being automotive devices. The handheld category includes a range of devices used for hiking, biking, geocaching, fitness, golf, etc.
There are four basic types of devices in the portable navigation marketplace: simple, smart, hybrid, and connected. Smart devices are the most widespread, as they are easily accessible to consumers at mainstream retail outlets.
Simple devices are devices that are basic in nature and used to navigate from point A to point B. They may or may not have the ability to store maps or plot a location on a map. They are also generally capable of storing trackpoints, tracklogs, waypoints, and routes. On average they will hold 10,000 trackpoints and will have a serial or USB connection.
Smart devices generally fall into the automotive category and are USB mass storage devices. They normally have at least 2 GB of internal data storage and an SD card slot. They are more consumer friendly and have features like point of interest lookup, the ability to save favorite locations like home or office, a built-in picture viewer, and an mp3 player. They will also store the same GPS type information as a basic device: trackpoints, tracklogs, waypoints, and routes. Not all smart devices will save trackpoints, but a vast majority will.
Hybrid devices will have the same characteristics and features as a smart device but will also have a Bluetooth radio that allows the GPS device to connect to a mobile phone. This connection allows the GPS device to be used as a hands-free calling device. Devices that have been connected to a mobile phone and used for hands-free calling will generally have call logs (incoming, outgoing, and missed), an address book (which is normally imported from the mobile phone), the MAC addresses of the last ten mobile phones connected to it, and sent and received SMS messages.
Connected devices have the same characteristics and features as hybrid devices but with one additional capability. They have an embedded GSM cellular radio and SIM card that has GPRS data service enabled. Connected GPS devices offer real-time online content from fuel prices to Google searches to live traffic updates. However, these services require a subscription. To help encourage users to buy into these high-end devices, companies will offer the first 1-2 years of service for free.
Trackpoints are the Holy Grail in GPS forensics. They are the electronic breadcrumb trail that tells an investigator exactly where and when the device was in a specific location. With trackpoints, criminal acts can be pinpointed down to almost the exact second a crime was committed. Almost all GPS devices collect trackpoints but even without trackpoints, GPS devices still hold a significant amount of data. Waypoints and routes will show the location to which the user intended to navigate or has navigated and a timestamp when the location was put into the device. Hybrid devices that have been connected to a mobile phone will contain much of the same information that an investigator would find on a mobile phone: call logs, SMS messages, and contacts. These can prove very valuable, particularly when paired with a track log. The call logs and track logs allow an investigator to see what time a phone call was made and from what location.
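The pairing of call logs with a track log described above can be sketched as follows. This is an added example, not code from the article or from any forensic tool; the record layouts, the locate_calls helper, and all sample values are constructed for illustration, and both logs are assumed to share one UTC clock.

```python
from bisect import bisect_left
from datetime import datetime, timedelta

# Constructed sample data, not from a real device. Both logs are assumed
# to be in UTC and on the same clock; verify that before relying on a match.
TRACK_LOG = [  # (timestamp, latitude, longitude)
    ("2011-03-04T14:00:00", 38.8895, -77.0353),
    ("2011-03-04T14:00:30", 38.8899, -77.0340),
    ("2011-03-04T14:01:00", 38.8905, -77.0320),
    ("2011-03-04T14:20:00", 38.9072, -77.0369),  # 19-minute gap before this
]
CALL_LOG = [  # (timestamp, direction, number)
    ("2011-03-04T14:00:45", "outgoing", "555-0100"),
    ("2011-03-04T14:10:00", "incoming", "555-0101"),
    ("2011-03-04T14:30:00", "missed", "555-0102"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def locate_calls(track_log, call_log, max_gap=timedelta(minutes=2)):
    """Place each call on the track log. status is 'exact', 'interpolated'
    (between two trackpoints <= max_gap apart), 'gap' (bracketing trackpoints
    too far apart in time) or 'outside' (before first / after last point)."""
    pts = sorted((parse(t), lat, lon) for t, lat, lon in track_log)
    times = [p[0] for p in pts]
    results = []
    for ts, direction, number in call_log:
        when = parse(ts)
        i = bisect_left(times, when)  # first trackpoint at or after the call
        rec = {"time": ts, "direction": direction, "number": number,
               "status": "outside", "lat": None, "lon": None}
        if i < len(pts) and times[i] == when:
            rec.update(status="exact", lat=pts[i][1], lon=pts[i][2])
        elif 0 < i < len(pts):
            (t0, la0, lo0), (t1, la1, lo1) = pts[i - 1], pts[i]
            if t1 - t0 > max_gap:
                rec["status"] = "gap"  # no defensible position estimate
            else:
                f = (when - t0) / (t1 - t0)  # fraction of the way to t1
                rec.update(status="interpolated",
                           lat=round(la0 + f * (la1 - la0), 6),
                           lon=round(lo0 + f * (lo1 - lo0), 6))
        results.append(rec)
    return results

if __name__ == "__main__":
    for r in locate_calls(TRACK_LOG, CALL_LOG):
        print(r)
```

An interpolated position is an estimate between two recorded trackpoints, so a report should cite the bracketing trackpoints themselves alongside it.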
Because some of these devices are USB mass storage devices, any type of file could be found. Pictures, videos, documents, password files, encrypted containers, anything that can be stored on a computer can be stored on a USB mass storage GPS device. Connected devices add the complexity of having online content associated with them. Web history like Google searches, white pages lookup, etc. can all be critical information when assembling details for an investigation.
In closing, GPS forensics is still an emerging field in the mobile devices community. As device manufacturers continue the race to win consumers and battle to convince customers they still need a dedicated navigation system, the sources of location-based data relevant to an investigation will only continue to grow. True GPS forensics used to be limited to dedicated navigation systems but has moved further into the realm of geo-referenced metadata. GPS forensics specialists now find themselves analyzing smartphones, cameras, tablets, and personal trackers, all for location-based information.
Ben LeMere is a Senior Forensic Specialist and currently serves as a contractor, through Basis Technologies, for the U.S. Government as a certified Computer Forensic Examiner where he specializes in mobile device exploitation. He has more than 14 years of military and federal government service, and his career has afforded him extensive technical, analytical, and operational experience. Ben also serves as a technical consultant and instructor for BerlaCorp. He is widely recognized as a subject matter expert in GPS forensics and was responsible for developing and implementing one of the first GPS forensic analysis programs for the Department of Homeland Security.