Screenshots ≠ Preservation: Save the Source, Not the Picture

---

Case Summary: After a child drowned in the pool at Defendant’s home, Google Timeline, which logs location history, was intended to be used to support Defendant’s claim that they were not home during the time of the incident. Defense counsel relied on a family member to capture screenshots from Defendant’s Google Timeline, indicating that Defendant was at a grocery store at the time of the incident. A year later, the judge asked for an expert to verify the data, which resulted in the retention of DJS Associates, Inc.

The screenshots alone could not have been used in court, because they were not verifiable.  Edits could have been made to the timeline before the screenshots were taken, or they could have been screenshotted from a different account.

Upon attempting to access the historical cloud log of Defendant’s Google Timeline, DJS’ Digital Forensic Analyst identified changes to how this feature functions.  Google had transitioned Timeline data to on-device storage and deleted older cloud history, preserving only up to 90 days of recent data onto the first signed-in device, unless users took specific preventative actions.  The cloud copy of Defendant’s location history data, which could have provided the necessary evidence to corroborate their alibi, was simply gone.  

Understanding the Changes to Google Timeline:

• On-Device, By Default: Google shifted Timeline data from their servers to user devices.  The ability to view a person’s Google Timeline on the internet was retired as part of this transition.
• Shorter Data Retention: With the migration to on-device storage, Google introduced auto-delete defaults of three months.  Users can choose to extend the retention period with less frequent intervals.  However, if data exceeded the default window or the account wasn’t migrated in time, the older history was purged.
• 90-Day Carryover: Unless users opted to adjust their account settings by Google’s deadline, Google attempted to move only the last 90 days of their location history to the first device the user signed in on; the rest was deleted.
• Backups Exist, But They Must Be Enabled: Google Timeline data can be exported from the app, and encrypted copies of Timeline data can still be backed up to Google’s servers from on-device storage.  These steps must be taken before data ages out.

Case Impact: Because the initial “preservation” consisted of screenshots without original files or hashes, the court wanted a professional, repeatable extraction.  By the time an expert was retained, Google had completed the on-device storage move and auto-deleted the older cloud history that could have shown Defendant was running errands during the incident window.  

The evidentiary well had practically run dry.  There was no spoliation by Defendant; the platform’s retention changes and the passage of time were at fault.  

Practical Takeaways:

• Skip the DIY Screenshots: They are not defensible records.  Engage a qualified digital forensic expert to preserve original artifacts and metadata.  When courts ask for verification; screenshots cannot supply it.
• Preserve Early: Once Google Timeline or location history is identified as relevant, it needs to be exported and/or backed up as soon as possible.
• Device ≠ Account: Today, the device is the evidence.  Plan for device-level imaging, including Timeline backups, rather than relying on Google-account subpoenas alone.

Key Takeaway: If Google Timeline data could make a difference in your case, preserve it at the start.  Early collection allows for analysis later on.