Google's database of geolocated MAC addresses is helping New Zealand Police verify the location of crimes and offenders particularly when the criminals use mobile phones.
Google came under fire recently for collecting location data on wireless access points along with the photographic images it collects with StreetView, and particularly for small samples of traffic collected -- accidentally, according to Google -- during the exercise. But what Police use is the less controversial MAC (Media Access Control) wireless access-point data.
Many criminals are up-to-date enough (and reckless enough) to collect digital photographic evidence of their crimes, for instance to email images of stolen goods to prospective buyers, Police e-Crime Laboratory head Maarten Kleintjes told a series of NZ Computer Society meetings; some are at the same time careless of the metadata the mobile phone or portable computer is collecting.
A modern mobile, if it has no GPS location information because it is being used indoors, will look for the MAC address of any nearby wireless access point, Kleintjes says. When the offender processes or transfers the pictures, particularly using Google-related software such as Picasa, the program can refer to the Google database of MAC addresses and deduce and record the location of where the photograph was taken.
So if Police have access to a suspect's cellphone with pictures, "we know what they stole, and when and where they took it," Kleintjes says. This is very helpful when matched against Police records of the location of reported thefts.
Even if photography is not involved, a modern cellphone can still "tell us where you've been and when and what time you go to bed and get up," he says.
Mobile devices are themselves more like small computers nowadays, says Kleintjes, and likely to contain much more detailed and valuable information than early cellphones; but exploring this fully takes correspondingly longer.
At the NZCS meetings, he ran through some of the techniques the e-crime lab uses to recover data from chips in mobile phones and other digital equipment the suspect has attempted to destroy. Data has been recovered from phones found on bodies underwater and in at least one Australian case, a phone that had been through a bomb explosion.
He acknowledges, however, that some secure file deletion techniques and operating systems that do not keep a journal of file changes may at present still defeat the lab's investigative techniques.
The electronic crime lab was founded in 1984 and its workload has expanded rapidly. In the first year, 20 electronic exhibits were handled; by 2004, that number had reached 16,000. Now the lab no longer counts individual data storage elements because there can be so many involved in one case. There are few cases of any kind these days that do not have an electronic element in the evidence, he says.
The rise in the lab's staff numbers, to 31, has not kept pace with the rise in volume of evidence to be examined but the tools available have helped bridge the gap. A key role is played by EVE (Environment for Virtualised Evidence) which allows all collected evidence to be transferred to a consistent environment for concurrent examination by a number of officers through the Police network. EVE has a suite of tools for cataloguing filtering and preliminary testing of evidence (for example recognising images with large expanse of apparent skin-tone as possibly pornographic).