Sponsored Content

Leverage ‘CyberDNA’ to identify and geolocate suspects, OSINT to advance tough investigations

People leave more data in their wakes than they realize – this tool helps law enforcement unearth it

Sponsored by
Cybercheck

As it’s adapted to the digital age, American law enforcement (LE) has found a valuable resource in Google. As the tech giant amassed the location histories from up to 500 million user accounts in its enormous Sensorvault database, seeking “geofence” warrants for that data became a common way for investigators to unearth which of them were around certain locations at certain times. Although data was sourced from just a single vendor (Google), it provided an invaluable starting point for solving countless crimes.

In December 2024, however, Google’s internal storage of that information ended – and users’ location histories came to exist only on their own enabled devices. Seemingly, that should make them much harder for investigators to access – unless LE pivots again to adopt new methods.

According to location forensics expert Spencer McInvaille, “Once this change takes effect, law enforcement must identify the person and device from which they seek to obtain location data” – you will need knowledge or possession of the actual phone itself. The days of “polling” an area for Google users based on a specific event/date/time are over. However, there are other viable methods to surface similar intelligence.

THE MISSING PIECES OF THE PUZZLE

Location data and other key investigative information like time stamps and user identities are still out there. Criminals leave trails of digital breadcrumbs. Law enforcement needs the ability to follow them.

A company gaining market momentum, Cybercheck, has created a platform that leverages advanced open-source intelligence (OSINT) investigation techniques driven by machine learning and automation to identify, locate and analyze vast amounts of open-source data that’s otherwise very difficult for investigators to uncover and correlate using traditional investigation tool sets and manual approaches.

The efficient automation of open-source intelligence gathering and correlation offers Cybercheck a unique ability to surface not only the location information criminals leave in their wakes but the entire spectrum of digital forensic residue that persists across our connected world. The company refers to this online residue as “CyberDNA.”

That data can be widely dispersed and hard to extract and correlate, but it can be incredibly valuable. Like Google data once did, it can offer critical intelligence that can identify suspect locations, help reconstruct travels and provide the initial leads to suspects’ identities. This can help crack challenging cases and restart those that have grown cold.

“I’ve spent the last 20 years of my career serving various levels of government in a technical surveillance capacity, mostly around covert and communication technologies. All too often, I have seen how frustrating policy, technical and judicial changes can plague the investigative and legal phases,” said Rob Lindsay, Cybercheck’s executive vice president. “The judicial process can put roadblocks in the way or limit when, where and how LE can use other surveillance technologies and investigative means to support their cases.

“What I find so attractive about Cybercheck and the OSINT world is that so much data can be found and leveraged at various phases in an investigation. Data openly found on all layers of the web can be leveraged at any point and might just provide the missing piece to your investigative puzzle. Since joining Cybercheck, I have seen firsthand how our support of the LE community has positively impacted many investigations nationwide. Cybercheck offers a unique vantage point for current and historical investigations,” Lindsay added.

“It is paramount for law enforcement and intelligence agencies to stay at the forefront of innovation. For Cybercheck’s technology and our customers, the open-source data world is the key to unlocking the future. With the power of machine learning and automation, the investigative techniques we use can provide the kind of credible intelligence that moves cases forward or injects new life into them, offering a different vantage point to physical evidence or DNA.”

IDENTIFY THE UNIDENTIFIABLE

Starting with as little as a victim’s name or the address of a crime scene, Cybercheck can gather current and historical data from the layers of the internet, including the deep and dark web. From that beginning place and event, it correlates identities, interactions, locations and other profiles. This saves investigators substantial time and effort and provides focused and pointed technical detail.

The Catch-22 being averted here is a familiar one to law enforcement: Investigators need evidence to support their requests for court orders, subpoenas, etc., to collect more evidence. By exploring open-source data, Cybercheck does not need to rely on warrants, subpoenas or protracted procedures to start digging up actionable results.

“We surface credible intelligence in varying investigative phases to confirm theories, identify suspects or even just confirm alibis,” Lindsay said. “There’s a broad spectrum of what we can uncover in the investigation without having to gain judicial authority or start subpoenaing telecommunications and internet service providers. We can identify intelligence quickly. I always say we help identify the unidentifiable.”

To start to understand the concept of CyberDNA, imagine visiting your local Starbucks. As you sit down with your order and pull out your phone, it automatically detects the location’s wireless access points in range, such as local Wi-Fi or other communicative devices like smart TVs, wireless printers, etc., and prompts you to access the local router. Even if you ignore or decline that prompt – even if you never take out your phone in the first place – that attempt at communication occurs and has confirmed your cyber presence in that Starbucks. Unlike fingerprints, which could have been left at any time, the Wi-Fi access attempt record is time-stamped, even when the prompt is declined or ignored.

Now, extrapolate to every wireless access point you encounter in a day. This alone can help reconstruct a largely unimpeachable record of your travels. We all realize this must happen when we get real-time updates on traffic jams, updated weather forecasts and targeted advertising. Location, identity and time all come together to facilitate these features that make our lives easier. No service provider network, Wi-Fi database, application, protocol or dataset houses this; it has to be discovered in open-source data and correlated across the vast Internet. For example, crowdsourcing Wi-Fi location data and analyzing normal community usage contribute extensively to anomaly detection.

It’s not just about location, though. Nearly everything else you’re doing on your smartphone leaves the same permanent traces: messaging, photos and financial activity. CyberDNA, Cybercheck says, is “a complex amalgamation of data, interactions and connections that forms an indelible record of one’s digital existence.” And instead of just querying Google, Cybercheck collects it everywhere.

As wireless connection/attempt logs can confirm presences and alibis, they can also suggest confederates. Imagine a shooting during the dinner rush at your local Cheesecake Factory. Whose online presence placed them there at that time?

“I don’t care that there’s 100 people there, 20 of them waiting for tables, 80 of them eating. What I might care about most is, who are the five people who showed up just before the shooting happened, and is there a known association to the victim or some other indicator?” explained Lindsay. “When all 100 people ran away from the building, there are only going to be a few who showed up just before that date and time of the event. So, let’s grab those few and have a closer look. Maybe three of them turn out to be a small family going for dinner, but the other two have gang affiliation and are associated with the victim in some manner.”

KEEP THE POOL FRESH

That’s not the foolproof identification of a killer, of course – innocent diners may have entered alongside any shooter(s). Cybercheck emphasizes the importance of “backstopping” the intel it discovers. That means cross-referencing, validating and substantiating the platform’s findings, supporting a thorough, coherent, corroborative narrative to drive further investigations. Cybercheck provides support and a pointed technical direction for where to do so.

One danger Cybercheck helps mitigate is the reliance on old or outdated information, such as previous addresses or emails, that persists online. Open-source intelligence tools may locate that and, absent any correlation, point in a misleading direction that wastes time and agency resources. “They often grab data from prepaid databases – information someone’s bought and sold,” Lindsay said. “It can be a stagnant data pool. What is more valuable to the investigation, a) information highlighting where a person filed their income tax from or receives their cell phone bill – potentially a parent’s address – or b) where their CyberDNA is seen most often on a specific wireless access point, showing where they bed down at night or locations they frequent most?”

Cybercheck provides a broader canvass of the internet’s far reaches that’s more deliberate but produces more specific results. “Disqualifying pieces of information are just as important as identifying and qualifying information,” Lindsay noted.

The company provides extensive guidance around backstopping, such as webinars, as well as a downloadable guide and white paper on leveraging open-source intelligence tools to substantiate info. The guide, new in 2025, explains how to validate identifying details around people, elements of their digital trail such as emails and aliases, digital markers like IP addresses and URLs, and geolocation data that suggests their activities.

The white paper explores the Open-Source Intelligence Framework, a flowchart guide to free OSINT resources developed by cyber threat expert Justin Nordine that can guide backstopping efforts. It can help law enforcement turn up useful facts like domain information, social media profiles and online information such as IP addresses and MAC IDs.

The reports produced by Cybercheck are valuable intelligence, the company emphasizes – a starting point, not necessarily an ending point. By informing and fueling further investigation, intelligence can grow into evidence, jump-started by very pointed leads.

“We don’t claim to ‘solve’ cases. What we do is we provide intelligence to help move investigations forward, offering an alternative perspective,” said Lindsay. “Then we help educate our customers on when, where and how to backstop that information to take things forward as evidence through the judicial process, which would then increase the rates of successful prosecution, advance plea deals and ultimately improve conviction rates. If we can increase those rates, we’re helping those who help us make the world a safer place.”

THE FUTURE IS OPEN-SOURCE

As the Internet of Things grows around us and points of connection to the digital world proliferate, the volume and usefulness of open-source data will only grow. Given Google’s December changes and recent privacy-focused jurisprudence like U.S. v. Jones (the Supreme Court’s ruling that using GPS trackers on vehicles represents searches under the Fourth Amendment), law enforcement’s attention to it – and versatility with it – will also need to grow.

“With Google location tracking, a functionality that’s been very critical for law enforcement, going away, law enforcement must continue to find ways to be at the technical edge,” said Lindsay. “With Cybercheck, we can identify the suspect’s CyberDNA at the scene, which is very similar to what law enforcement is trying to find. And we can do it with a much more narrow and accurate approach.”

For more information, visit www.cybercheck.ai.

Police1 Brand Studio Staff creates award-winning and impactful, data-driven content designed to connect public safety professionals with the latest solutions and innovations from select companies and brands. From sponsored articles to in-depth reports, our team leverages industry expertise to deliver valuable insights that empower law enforcement agencies to make informed decisions. Partner with Police1 Brand Studio to share your message and advance the future of public safety.