Commercial tools are making great strides to provide an examiner with everything that is geo-tagged, but don’t use this as an excuse to overlook seemingly unimportant database files. One important thing to remember is that each application stores its data in a slightly different manner, making it nearly impossible for an automated process to uncover every piece of evidence. Research the application; does it require GPS access upon installation? If so, it’s probably socking away some handy geo-coordinates.

Many commercial tools focus on the geo-coordinates stored in the metadata of files and do not list each geolocation that is stored within every SQLite database or .plist file.

To handle the bulk of applications that could contain geolocation data, tools may rely on any or all of the following:

•  Analyzing app folders indicative of containing map data

•  Looking for database files within applications that refer to map/location data

•  Reviewing database files for tables with coordinates or addresses

•  Searching file metadata for coordinates

If the app is more obscure and is not being parsed by your tool, then the location data won’t be included in Cellebrite’s parsed LOCATIONS directory. This is also true for Oxygen, as their NAVIGATION folder is geared toward applications that are used for navigation and not applications that may contain coordinates. It is also possible that only certain databases or files within an application are parsed while other data is left untouched.

Bottom line, if you don’t see evidence that the application data has been parsed, do a manual inspection.