SWGDE Best Practices for Portable GPS Device Examinations

bp-gps-12

Disclaimer:

As a condition to the use of this document and the information contained therein, the SWGDE requests notification by e-mail before or contemporaneous to the introduction of this document, or any portion thereof, as a marked exhibit offered for or moved into evidence in any judicial, administrative, legislative or adjudicatory hearing or other proceeding (including discovery proceedings) in the United States or any Foreign country. Such notification shall include: 1) The formal name of the proceeding, including docket number or similar identifier; 2) the name and location of the body conducting the hearing or proceeding; 3) subsequent to the use of this document in a formal proceeding please notify SWGDE as to its use and outcome; 4) the name, mailing address (if available) and contact information of the party offering or moving the document into evidence. Notifications should be sent to secretary@swgde.org.

It is the reader’s responsibility to ensure they have the most current version of this document. It is recommended that previous versions be archived.

Redistribution Policy:

SWGDE grants permission for redistribution and use of all publicly posted documents created by SWGDE, provided that the following conditions are met:

  1. Redistribution of documents or parts of documents must retain the SWGDE cover page containing the disclaimer.
  2. Neither the name of SWGDE nor the names of contributors may be used to endorse or promote products derived from its documents.
  3. Any reference or quote from a SWGDE document must include the version number (or create date) of the document and mention if the document is in a draft status.

Requests for Modification:

SWGDE encourages stakeholder participation in the preparation of documents. Suggestions for modifications are welcome and must be forwarded to the Secretary in writing at secretary@swgde.org. The following information is required as a part of the response:

  1. Submitter’s name
  2. Affiliation (agency/organization)
  3. Address
  4. Telephone number and email address
  5. Document title and version number
  6. Change from (note document section number)
  7. Change to (provide suggested text where appropriate; comments not including suggested text will not be considered)
  8. Basis for change

Intellectual Property:

Unauthorized use of the SWGDE logo or documents without written permission from SWGDE is a violation of our intellectual property rights.

Individuals may not misstate and/or overrepresent duties and responsibilities of SWGDE work. This includes claiming oneself as a contributing member without actively participating in SWGDE meetings; claiming oneself as an officer of SWGDE without serving as such; claiming sole authorship of a document; or using the SWGDE logo on any material and/or curriculum vitae.

Any mention of specific products within SWGDE documents is for informational purposes only; it does not imply a recommendation or endorsement by SWGDE.

1. Purpose

The purpose of this document is to describe the best practices for portable global positioning system (GPS) device examinations.

2. Scope

This document provides basic information on the logical and physical acquisition of data from portable GPS devices.

3. Limitations

This document only addresses portable devices with GPS as their primary function. Some examinations are limited by the ability of the software used to extract the data; manual examination may be needed if software is unsuccessful. This document does not address GPS devices that do not store data locally; additional considerations may be needed to collect data from cloud storage.1

Some limitations encountered are as follows:

  • Cables – Data cables are often proprietary and difficult to obtain.
  • Circular Memory – New data overwrites old data once the on-board memory capacity has been exceeded under a first in / first out storage configuration.
  • Condition of the Evidence – Commercially available tools may not provide solutions to deal with physically damaged devices.
  • Equipment – Equipment used during examinations may not be the most recent version due to agency verification requirements of hardware, firmware, and/or software.
  • Memory Cards – Processing these cards inside the device poses risk (e.g., not obtaining all data including the deleted data, altering date/time stamps, etc.).
  • Passwords – Some devices may be protected by user-applied passwords.
  • Training – The individual copying data from a mobile device should be trained to ensure the integrity of the data.
  • Unallocated Data / Deleted Data – Many forensic tools may only acquire a logical copy of the data. Deleted data may only be recoverable from a physical acquisition2.

4. Evidence Collection

4.1 Seizing Evidence

Immediately upon seizure of a GPS device, document the on-screen data, power down the device and document the on-scene weather conditions. If available, document the GPS position with a secondary device. Disconnect all cables and antennas. Collect all power and data cables and any memory cards directly connected to the device. If possible, acquire PIN or passcode information from the user.

Note: Some GPS devices utilize subscriber identity module (SIM) cards, frequently embedded into the power cable or in the body of the device, to receive firmware, mapping & POI updates through a cellular data network. These SIM cards contain microprint on their exterior (ICCID) and data within (IMSI) that may be used to retrieve extensive historical network transactional data (e.g. cell site location information or multilateration estimates) from the SIM card’s service provider pursuant to consent, exigency or legal process.

4.1.1 Handling Evidence

  • Evidence should be handled according to agency policy while maintaining a chain of custody.
  • Network isolation of the GPS device should be maintained by keeping the device turned off until processing in the laboratory setting. This isolation should include GPS, Wi-Fi, cellular, and Bluetooth networks.
  • Additional forensic analysis – Occasionally, there may be a need to conduct traditional forensic processes on a GPS device (DNA, latent prints, etc.). These are case dependent and should be discussed with the investigator about the need for such evidence as well as the order in which they should be performed. Contact appropriate crime lab personnel for guidance on processing order to avoid the destruction of forensic evidence.
  • Biological contaminants and physical destruction provide unique challenges to the recovery of data. Universal precautions should be utilized to protect the health and safety of the examiner.

4.2 Equipment Preparation

“Equipment” in this section refers to the non-evidentiary hardware and software the examiner utilizes to conduct data extraction and analysis of the evidence.

  • Equipment and software applications should be verified3 to ensure proper performance.
  • Current information (e.g., user’s manual) describing the manufacturer’s software/hardware and other relevant documentation should be recently reviewed and accessible.
  • Data cables are often proprietary and difficult to obtain. Some cables are specific to a single device while others support multiple models.

4.3 Data Acquisition

Prior to data acquisition, the examiner should conduct a thorough review of the device’s features/functions related to the storage of user data, as outlined in the user manual, and remove any connected antennas. Obtain appropriate power/data cables and memory cards.

  • During data acquisition, isolate the GPS device from Wi-Fi, GPS, cellular and Bluetooth networks.
  • GPS devices and their media cards should be protected with some form of hardware or software write-protection.
  • Associated media cards, if any, and the GPS device, where possible, should be forensically imaged using an acquisition tool.

4.4 Data Analysis

Analysis of data can be conducted using various tools. Data of importance may include:

  • Device configuration settings (Bluetooth pairing)
  • Maps
  • Tracks/archived tracks
  • Waypoints
  • Routes/journey
  • Saved locations
  • Favorites
  • Owner information
  • “Home” location
  • Recent destinations
  • City and state history
  • Contacts/addresses
  • Points of interest (POI)
  • Last GPS fix
  • Pictures (including Geotags)
  • Text messages
  • Text files
  • Call logs (incoming, outgoing, missed calls)
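
Tracks, waypoints, routes and the last GPS fix are the artifacts most often exported by acquisition tools for review. The following is an added example, not part of the SWGDE document or any vendor tool, and it assumes the acquisition tool has exported those artifacts as a GPX 1.1 file (the sample GPX below is constructed for illustration, not taken from a real device):

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample GPX export (not from any real device) containing one
# waypoint, one route and one timestamped track, as listed in 4.4.
SAMPLE_GPX = """<?xml version="1.0" encoding="UTF-8"?>
<gpx version="1.1" creator="constructed-sample" xmlns="http://www.topografix.com/GPX/1/1">
  <wpt lat="38.8977" lon="-77.0365"><name>Home</name></wpt>
  <rte><name>Commute</name>
    <rtept lat="38.8977" lon="-77.0365"/><rtept lat="38.8895" lon="-77.0353"/>
  </rte>
  <trk><name>Log</name><trkseg>
    <trkpt lat="38.8977" lon="-77.0365"><time>2018-06-14T08:00:00Z</time></trkpt>
    <trkpt lat="38.8930" lon="-77.0360"><time>2018-06-14T08:05:30Z</time></trkpt>
    <trkpt lat="38.8895" lon="-77.0353"><time>2018-06-14T08:11:05Z</time></trkpt>
  </trkseg></trk>
</gpx>"""

NS = {"g": "http://www.topografix.com/GPX/1/1"}  # GPX 1.1 namespace

def _latlon(el):
    return (float(el.get("lat")), float(el.get("lon")))

def parse_gpx(text):
    """Return the waypoints, routes and tracks of a GPX document as plain structures."""
    root = ET.fromstring(text)
    waypoints = [{"name": w.findtext("g:name", default="", namespaces=NS), "pos": _latlon(w)}
                 for w in root.findall("g:wpt", NS)]
    routes = [{"name": r.findtext("g:name", default="", namespaces=NS),
               "points": [_latlon(p) for p in r.findall("g:rtept", NS)]}
              for r in root.findall("g:rte", NS)]
    tracks = []
    for t in root.findall("g:trk", NS):
        pts = []
        for p in t.findall("g:trkseg/g:trkpt", NS):
            ts = p.findtext("g:time", default=None, namespaces=NS)
            # Track points without a <time> element are kept but carry no timestamp
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ") if ts else None
            pts.append({"pos": _latlon(p), "time": when})
        tracks.append({"name": t.findtext("g:name", default="", namespaces=NS), "points": pts})
    return {"waypoints": waypoints, "routes": routes, "tracks": tracks}

def last_fix(parsed):
    """Most recent timestamped track point across all tracks, or None if none carry a time."""
    timed = [p for t in parsed["tracks"] for p in t["points"] if p["time"]]
    return max(timed, key=lambda p: p["time"]) if timed else None
```

The timestamps in an export are only as reliable as the device clock, so the examiner should record the device's date/time setting at seizure alongside the parsed values.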

4.5 Documentation

Documentation should meet the requirements of the examiner’s agency and applicable policies. Evidence handling documentation should include, but not be limited to:

  • Copy of legal authority;
  • Chain of custody;
  • Detailed description and/or photographs of the device (make, model, serial number and condition), including an inventory of cables or other accessories seized;
  • Photographs or documentation of any visible damage;
  • Information regarding the packaging and condition of the device.

Examination documentation should:

  • Contain sufficient detail to allow another examiner, competent in the same area of expertise, to identify what has been done and to assess the findings independently.
  • Include communication notes regarding the case.
  • Be preserved according to the examiner’s agency policy.

4.6 Archive

Depending on agency policy, acquisition case files should be archived.

  • Maintain archives according to departmental policy and applicable laws.
  • GPS device acquisitions may capture data using proprietary formats and archiving the tool version used may be required.
  • Identify hardware, software and version control numbers and cables or other accessories provided or used by the agency to conduct the examination.

5. Report

Reports should:

  • Contain a graphical representation of the data acquired;
  • Seek to address case specific requests from the investigator;
  • Provide the reader with all the relevant information in a clear and concise manner;
  • Be reviewed according to agency policy.

6. Reference Sites and Publications

The resources listed below provide information that may prove helpful to the examiner:

History

Revision  | Issue Date | Section                 | History
1.0 DRAFT | 2012-06-04 | All                     | Release for Public Comment
1.1       | 2012-09-12 | All                     | Incorporated general edits and voted to release as an Approved document, version 1.1.
1.2 DRAFT | 2018-06-14 | 3; 4.1; 4.3; 4.6; 6     | Reviewed as part of SWGDE 5-year review process and the following updates were made: Added further clarification and “Circular Memory” to 3. Limitations; Added a note to 4.1 Seizing Evidence; Expanded 4.3 Data Acquisition; Expanded 4.6 Archive; Updated content/links in 6. Reference Sites and Publications. Voted by SWGDE for release as a Draft for Public Comment.
1.2 DRAFT | 2018-07-17 |                         | Formatting and technical edit performed for release as a Draft for Public Comment.
1.2       | 2018-09-20 |                         | No changes were made following the Public Comment period. SWGDE voted to publish as an Approved document.
1.2       | 2018-11-20 |                         | Formatted and published as Approved version 1.2.

1 For best practices on acquiring the data contained within infotainment and telematics systems installed in motor vehicles, see SWGDE Best Practices for Vehicle Infotainment and Telematics Systems at https://www.swgde.org/documents.

2 Physical acquisition implies a bit-by-bit copy of an entire physical store (e.g., a memory chip).

3 The validation process is discussed in SWGDE Recommended Guidelines for Validation Testing, available at https://www.swgde.org/documents.

Version: 1.2 (November 20, 2018)