Narrowing down coordinates within the application files is a bit more difficult, so this is where test data can be very beneficial. Upon initial inspection, all of the coordinates for 34794810, 32106010 can be eliminated because they are suggestive of where the application was created (Israel) and do not reflect user-related activity. Both Location.Position and ORIG_GPS.Position are entries that should be reviewed for the starting point of a direction search. Here, we can eliminate ORIG_GPS.Position because the coordinates do not make sense based on our investigation. This particular application asks for the device owner’s current location when providing directions. With location services permissions, that search results in a unique identifier being stamped in the session file, in this case, Location.Position. This is the only coordinate shown above that truly identifies the device at a particular location.
For further clarity:
• The multiple coordinates for 34794810, 32106010 are for the developer address in Israel.
• The Destination.Position is the end location for which the user asked for directions.
• The Location.Position is the coordinates for the start of the trip when allowing the application to use the Current location.
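The triage described above, as an added example (not code from the original article or from the application's developer): it parses coordinate-bearing entries out of a session file, converts the integer-encoded values to decimal degrees, drops anything within a short radius of the developer address in Israel, and labels the three keys named in the text by their meaning. The session-file layout, the extra key names (`Map.Center`, `Map.Origin`, `Session.Start`, `Search.Count`), the sample values and the 250 m radius are all constructed here; the assumption that the integers are micro-degrees in longitude,latitude order (so 34794810, 32106010 becomes 34.794810 E, 32.106010 N) is mine, not a statement from the page.

```python
"""Triage of integer-encoded coordinates found in an application session file.

Added example for the article above; the file format, key names other than
Location.Position / Destination.Position / ORIG_GPS.Position, and all sample
values are constructed, not taken from a real device.
"""
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Assumption: values are micro-degrees stored as longitude,latitude
# (34794810 -> 34.794810 E, 32106010 -> 32.106010 N).
SCALE = 1_000_000

# Coordinates that describe the software rather than the user: the developer
# address in Israel cited in the text. Entries within DEVELOPER_RADIUS_M of it
# are marked as dropped from the user-activity candidates.
DEVELOPER_ADDRESS = (34.794810, 32.106010)  # (lon, lat)
DEVELOPER_RADIUS_M = 250.0  # constructed tolerance, not from the article

# How the article reads each key; anything else is treated as unknown.
KEY_ROLES = {
    "Location.Position": "device position when directions were requested (current location)",
    "Destination.Position": "user-entered destination, not where the device was",
    "ORIG_GPS.Position": "origin candidate; review against the investigation timeline",
}

# Constructed sample session file. The 0,0 in ORIG_GPS.Position stands in for
# a value that makes no sense for the case and must be reviewed, not trusted.
SAMPLE_SESSION = """\
Session.Start=1412345678
Map.Center=34794810,32106010
Map.Origin=34794810,32106010
ORIG_GPS.Position=0,0
Location.Position=-80192010,25761700
Destination.Position=-80131600,25781000
Search.Count=2
"""

COORD_RE = re.compile(r"^(?P<key>[\w.]+)=(?P<lon>-?\d{1,10}),(?P<lat>-?\d{1,10})$")


@dataclass
class CoordEntry:
    key: str
    lon: float
    lat: float
    role: str
    dropped: bool  # True when the point is the developer address, not user activity


def haversine_m(lon1: float, lat1: float, lon2: float, lat2: float) -> float:
    """Great-circle distance in metres between two (lon, lat) points."""
    r = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_session(text: str) -> list[CoordEntry]:
    """Extract every key=lon,lat line, decode it, and classify it."""
    entries: list[CoordEntry] = []
    for raw in text.splitlines():
        m = COORD_RE.match(raw.strip())
        if not m:
            continue  # not a coordinate pair (timestamps, counters, ...)
        lon = int(m["lon"]) / SCALE
        lat = int(m["lat"]) / SCALE
        if not (-180.0 <= lon <= 180.0 and -90.0 <= lat <= 90.0):
            continue  # integer pair that cannot be a micro-degree coordinate
        dist = haversine_m(lon, lat, *DEVELOPER_ADDRESS)
        role = KEY_ROLES.get(m["key"], "unknown key; establish how the app populates it")
        entries.append(CoordEntry(m["key"], lon, lat, role, dist <= DEVELOPER_RADIUS_M))
    return entries


def device_location_candidates(entries: list[CoordEntry]) -> list[CoordEntry]:
    """Only Location.Position, outside the developer address, places the device."""
    return [e for e in entries if not e.dropped and e.key == "Location.Position"]


if __name__ == "__main__":
    for e in parse_session(SAMPLE_SESSION):
        flag = "DROP " if e.dropped else "KEEP "
        print(f"{flag}{e.key:<22} {e.lat:.6f}, {e.lon:.6f}  {e.role}")
```

The radius test rather than an exact integer match matters in practice: developer or default coordinates sometimes appear with small variations between entries, and an exact comparison would let one of them through as apparent user activity. Running the module prints one line per coordinate entry, and only the `Location.Position` row survives both filters.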
Forensics tools have gone through a bit of evolution when it comes to pulling location data. In the beginning, the results proved to be very accurate. Over time, it seemed as if all coordinates from any application that could be parsed were lumped under the location data headings of these forensic tools. The problem arose when you then had to confirm or deny that the device was actually in those locations at a particular time. Beyond the artifacts whose presence on a device is easily explained, such as coordinates in EXIF data, there were addresses from emails, meeting invites, third-party application “check-ins,” and more that were making analysis difficult.
Most tools have reverted to reporting less location-specific data, but it is oftentimes still readily available for you, as the examiner, to make sense of. Locating the source of that information is of the utmost importance; after that, understanding how the application functions and how its coordinates become populated is necessary in order to verify that a device was at a location at a specified time.