
BlackLight’s Cluster Map

Reviewing location data stored on devices has become a crucial part of many investigations.  GPS coordinates, stored across digital devices, can provide valuable insights about where the user has been and where pictures and video files were created.  Location data can corroborate information that the subject was at a location during a specific time period, or conversely show that the subject was not at a location.  It can also be used to help identify victims seen in pictures and videos.  I once worked on a case where the subject had pictures of many victims whose identities were unknown.  The subject, who typically met the victims at their homes, took the photos using his iPhone.  The GPS coordinates in the picture files were used to locate and identify the victims.  Additional charges were added for each additional victim located and identified.


While BlackLight has always provided geolocation filters to locate files with GPS data, access to offline maps, the ability to export location data to kmz, and a link to view data in Google Maps, the addition of the cluster map provides a visual way to view and analyze location data.  Locations stored in Google Maps and Apple Maps searches, bookmarks, dropped pins, and old tags, as well as media files and calendar items are all shown as data points on the new cluster map.  Also, social media apps that contain geolocation data are parsed into the cluster map.


Accessing the Cluster Map

The cluster map is generated in the Locations tab, the ‘Map View’ subview.  While apps may store different pieces of data, at minimum, latitude and longitude are displayed.  The map is generated using map tiles, installed on the system with the BlackLight installer, based on OpenStreetMap.  You no longer have to download and install the map pack separately.  All data containing geolocation information is represented on the cluster map by a blue dot.  Densely populated regions of the map also display a numerical value indicating the number of data items mapped in that region.



Using the Cluster Map

The cluster map lets you zoom in and out using the slide bar on the lower right side of the map.  When zooming, the map will automatically focus on the area of the map centered in the window.  To change the focus of the map, hold down the mouse button on the map and drag until the desired region is in the center of the window.  After you zoom in, if the desired region is not in the window, drag the map until you see the region of interest.



As you zoom in, the map tile sizes change.  You will be able to see the data associated with a map tile by clicking on the tile.  Once a map tile is selected, it will be highlighted.  All data points mapped in the selected map tile are displayed on the right side of the map (the right side of the ‘Content Pane’).  The information for each data point may include:  Service, Date, Type, Name, Address, Latitude, Longitude, Distance, Altitude, Accuracy, and Speed.  Some data points will not contain all of this information, but if it is available, it will be parsed.  You can select a specific data point by either clicking on a blue dot on the map or selecting an item listed on the right side of the ‘Content Pane.’   Once a data point is selected, the dot on the map changes to pink and the corresponding data listed on the right is highlighted.  A preview of the file containing the data point can be seen using the Preview tab in the ‘File Content Viewer.’


Sorting and Filtering Cluster Map

To better isolate data of interest, data can be sorted and filtered.  Once you zoom in on a region of interest and select a map tile, you can sort the data points in that map tile by the latitude and longitude columns.  All data points for the same location will be grouped together.



Another option for focusing the view is to use a filter.  Filters can be created using any of the fields parsed.  For example, a filter can isolate picture files created between 1/1/2014 and 3/1/2014.
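To cross-check cluster counts and a date filter outside the tool, for example against location data exported for review, the following added example (not BlackLight code) bins records into map tiles and counts them per tile.  It assumes the standard OpenStreetMap slippy-map tile scheme as a stand-in for BlackLight's clustering, which this post does not describe; the records are constructed and the function names are hypothetical.

```python
import math
from collections import Counter
from datetime import datetime

# Constructed sample records using fields the post lists (not real case data).
POINTS = [
    {"service": "Camera", "type": "Picture", "date": "2014-01-15T10:02:00",
     "lat": 37.3382, "lon": -121.8863},
    {"service": "Camera", "type": "Picture", "date": "2014-02-20T18:30:00",
     "lat": 37.3383, "lon": -121.8861},
    {"service": "Camera", "type": "Picture", "date": "2014-06-01T09:00:00",
     "lat": 37.3382, "lon": -121.8863},   # falls outside the date filter
    {"service": "Apple Maps", "type": "Search", "date": "2014-02-01T12:00:00",
     "lat": 47.6062, "lon": -122.3321},
]

def osm_tile(lat, lon, zoom):
    """Return the OpenStreetMap slippy-map tile (x, y) holding a WGS84 point."""
    n = 2 ** zoom
    lat = max(min(lat, 85.0511), -85.0511)   # Web Mercator latitude limit
    x = int((lon + 180.0) / 360.0 * n)
    y = int((1.0 - math.asinh(math.tan(math.radians(lat))) / math.pi) / 2.0 * n)
    return min(x, n - 1), min(y, n - 1)      # clamp the lon = 180 edge case

def cluster_counts(points, zoom, type_=None, start=None, end=None):
    """Count data points per tile, optionally filtered by type and date range."""
    counts = Counter()
    for p in points:
        when = datetime.fromisoformat(p["date"])
        if type_ and p["type"] != type_:
            continue
        if (start and when < start) or (end and when > end):
            continue
        counts[osm_tile(p["lat"], p["lon"], zoom)] += 1
    return counts

if __name__ == "__main__":
    print("all data points, zoom 10:")
    for tile, n in sorted(cluster_counts(POINTS, 10).items()):
        print(" ", tile, n)
    # Same filter as the post: pictures created 1/1/2014 through 3/1/2014.
    hits = cluster_counts(POINTS, 10, "Picture",
                          datetime(2014, 1, 1), datetime(2014, 3, 1))
    print("filtered pictures:", dict(hits))
```

A count that differs from what the map shows is not necessarily an error, since the tool's tile boundaries and zoom levels may not match this scheme; compare the per-record latitude and longitude first.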



Next Level Analysis

So let’s say during your analysis you’ve identified and tagged picture files that are of interest, and you would like to see where these pictures were taken on the cluster map.  Using the File Filter tab, you can filter for the tagged files.  Highlight the files and export them to an .L01.



Add the exported .L01 into BlackLight.  With only the .L01 evidence item selected in the ‘Component List,’ go to the ‘Map View’ subview in the Locations tab.  You will now see the cluster map view containing only the tagged files that were exported to the .L01.




The cluster map is only one of many new features in BlackLight 10.1.  For more information about the release, please read the BlackLight 10.1 Release Notes and learn more about BlackLight here.

BlackBag Team