In the previous post, I discussed the ability to locate someone’s phone via their Google account location data. However, it takes more than just that data to prove the person had been using their phone at the time. Being able to link a user to a phone, and subsequently prove that phone was in use during the time of the alleged incident, is vital to any case.
Usually, I can access and dump the data from a client’s phone. This will usually provide us information with the use of the phone in the form of text/picture messages, phone calls, or internet usage. However, there are the occasional cases where the client did not send any messages or make any calls at the time in question.
Luckily, Google will track certain application usage across logged in devices. I mentioned in my last post that I use two phones; an LG G6 and a OnePlus 5. Both phones had location services turned on, and both phones were in use throughout the day. The OnePlus gave me calendar alerts to let me know when/where my next appointment was, and the LG G6 used Google Maps to locate the address and plan my route.
I rarely used my phones as phones throughout the day, showing only the occasional call/text to let someone know I was on the way. If those communications didn’t occur, and if I was only able to obtain a logical and file system extraction on my phones, would there be any way to prove I was using either of the phones at the time?
When viewing the Google Takeout data, you can select to backup Calendar information as an ICS file. Here’s what a typical event looks like when you open the file in Notepad:
BEGIN:VEVENT
DTSTART:20180120T153000Z
DTEND:20180120T160000Z
DTSTAMP:20180302T175114Z
UID:6o22mc34jkdcpqf1ntlc7auu4j@google.com
CREATED:20180118T173413Z
DESCRIPTION:
LAST-MODIFIED:20180119T185204Z
LOCATION:300 Quinton Ct\, Lexington\, KY 40509\, USA
SEQUENCE:1
STATUS:CONFIRMED
SUMMARY:Showing @ 300 ATC
TRANSP:OPAQUE
BEGIN:VALARM
ACTION:DISPLAY
DESCRIPTION:This is an event reminder
TRIGGER:-P0DT0H30M0S
END:VALARM
END:VEVENT
You can see the start/end dates/times, created date/time, modified date/time, summary of the event, and an address/location. Some of this data is entered by the user, but it seems the created and modified dates are entered by Google. You can also see an Alarm event, but I am unable to determine what the “TRIGGER” value means or references. I did notice that all the alarm “TRIGGER” events had the same or near-similar value in my Calendar, so it may have something to do with the Google username or the time of the alarm before the event.
Other Google activity can appear in the form of notification dismissals. They come in the form of “cards”, which will have various values depending on the card. Depending on user activity, this can show that certain notifications have been viewed or dismissed. The number of card in each grouping of cards is relative to the activity throughout the day. The timestamp associated with the cards seems to correspond to the last card action in the feed. The card feed does not appear to be updated every day and is not included in the Google Takeout.
I had also been using Google Maps often that day and had searched for several places from different locations around Lexington, KY. Included in the Takeout is some search activity from both Maps and Google Search. Neither one points a specific device, but both include the GPS coordinates of the device at the time the search was performed.
If these same searches were found on a suspect’s cell phone at the same time, we can conclude the location of the cell phone at the time of search.
Keep in mind that every time you log in to the account, you are making changes to it, so here are a few suggestions to mitigate the changes you make:
- Only log in once. The first time you log in you are adding your workstation to the list of logged in devices. Google will keep track of the last login time from each device, so logging in twice will alter the date/time of last login.
- Keep track of which pages you visit. Google will show which pages were visited within the activity log but does not differentiate between which device browses which page. So, if someone else were to be accessing the account at the same time and deleting/altering data, there would be no accountability of whom performed what actions.
- Stay logged in until you complete a download of the Takeout. Some of these Takeouts could be several GB (8+, based on my experience), and take a long time for Google to gather and for you to download. Your first download could fail, and you may have to re-initiate it. Staying logged in prevents you from having to deal with issues presented in Suggestion 1.
- The only way to request the data is to have a notification emailed to the account; this cannot be disabled. Instead of going to the user’s email account to initiate the download, stay on the page you are brought to after selecting how to receive the archive. You should be able to download the data directly from that page. Otherwise, you can go to the Manage Archives page to check when it is available.
- Do NOT use your browser for anything else until you log out of the account after the Takeout data has completed downloading. Every page you visit and every search you make are stored by Google under that account.
As always, if you plan on using any location data pulled from the account, you should attempt to match it with data pulled from a phone using that account. Generally, email account information is provided from a physical or file system extraction via Cellebrite. Showing that account was in use on the phone at the time is imperative but can be easily done by showing the account receiving emails on that device or, if a physical acquisition is possible, that the Google account was used to set up the phone.
Do you have a case that requires location reconnaissance? Contact us below.