Decoding cache.cell and cache.wifi files

Android keeps two cache files with location information: cache.wifi (a database of Wi-Fi access points, keyed by the router's MAC address, together with the GPS position recorded for it) and cache.cell (a database of mobile network cells and their GPS positions). Both files are in a binary format, so the following Python snippet decodes the actual data into a readable text file:

import struct
import time

cacheFile = open("cache.wifi", 'rb')        # works for cache.cell as well, just change the name
outputFile = open("cache.wifi.txt", 'w')     # decoded entries are written here
# header: file version and number of entries, both big-endian 16-bit integers
version, entries = struct.unpack('>hh', cacheFile.read(4))
for i in range(entries):
    # each entry: 16-bit key length, the key itself (MAC address or cell identifier), then
    # accuracy and confidence (int32), latitude and longitude (double), readtime (uint64, ms since epoch)
    key = cacheFile.read(struct.unpack('>h', cacheFile.read(2))[0])
    (accuracy, confidence, latitude, longitude, readtime) = struct.unpack('>iiddQ', cacheFile.read(32))
    outputFile.write('%25s %7d %5d %10f %10f %s \n' % (key, accuracy, confidence, latitude, longitude,
                     time.strftime("%x %X %z", time.localtime(readtime / 1000))))
cacheFile.close()
outputFile.close()

The cache files are located at:
/data/data/com.google.android.location/files/

This snippet works for both cache files, just change the filename 🙂
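As an added, self-contained example (not code from the original post): a parser for the same record layout that works on a byte string instead of a file handle, refuses truncated input instead of dying with a struct.error half way through, converts the millisecond timestamp to UTC so the decoded time does not depend on the examiner's local timezone, and builds its own sample input with struct.pack. The keys, coordinates and timestamps in the sample are invented; the field layout is the one decoded by the snippet above.

```python
import struct
from datetime import datetime, timezone

HEADER = struct.Struct('>hh')     # version, number of entries
KEYLEN = struct.Struct('>h')      # length of the key string that follows
RECORD = struct.Struct('>iiddQ')  # accuracy, confidence, latitude, longitude, readtime (ms since epoch)


def parse_cache(data):
    """Parse the bytes of a cache.wifi / cache.cell file into (version, list of dicts).

    Raises ValueError on a truncated file instead of silently stopping early."""
    if len(data) < HEADER.size:
        raise ValueError('file shorter than the 4-byte header')
    version, entries = HEADER.unpack_from(data, 0)
    offset = HEADER.size
    records = []
    for _ in range(entries):
        if offset + KEYLEN.size > len(data):
            raise ValueError('truncated before key length of entry %d' % len(records))
        (key_len,) = KEYLEN.unpack_from(data, offset)
        offset += KEYLEN.size
        key = data[offset:offset + key_len]
        offset += key_len
        if len(key) != key_len or offset + RECORD.size > len(data):
            raise ValueError('truncated inside entry %d' % len(records))
        accuracy, confidence, lat, lon, readtime = RECORD.unpack_from(data, offset)
        offset += RECORD.size
        records.append({
            'key': key.decode('ascii', 'replace'),
            'accuracy': accuracy,
            'confidence': confidence,
            'latitude': lat,
            'longitude': lon,
            'readtime_ms': readtime,
            # UTC, so two examiners in different timezones get the same string
            'readtime_utc': datetime.fromtimestamp(readtime / 1000, tz=timezone.utc)
                                    .strftime('%Y-%m-%d %H:%M:%S'),
        })
    return version, records


def build_cache(version, entries):
    """Inverse of parse_cache: serialise (key, accuracy, confidence, lat, lon, readtime_ms)
    tuples into the same layout. Used here only to construct test input."""
    out = bytearray(HEADER.pack(version, len(entries)))
    for key, accuracy, confidence, lat, lon, readtime in entries:
        key_bytes = key.encode('ascii')
        out += KEYLEN.pack(len(key_bytes))
        out += key_bytes
        out += RECORD.pack(accuracy, confidence, lat, lon, readtime)
    return bytes(out)


# Constructed sample (invented values, not taken from a real device): two wifi-style keys
SAMPLE_WIFI = build_cache(1, [
    ('00:11:22:33:44:55', 30, 75, 49.573, 11.027, 1300000000000),
    ('66:77:88:99:aa:bb', 120, 50, 49.574, 11.028, 1300000600000),
])

if __name__ == '__main__':
    # for a real file: version, records = parse_cache(open('cache.wifi', 'rb').read())
    version, records = parse_cache(SAMPLE_WIFI)
    print('version', version)
    for r in records:
        print('%25s %7d %5d %10f %10f %s' % (r['key'], r['accuracy'], r['confidence'],
                                              r['latitude'], r['longitude'], r['readtime_utc']))
```

The truncation check matters in practice: a cache file pulled from a device that was still writing it, or a partially recovered one, will have fewer bytes than the header's entry count promises, and the loop in the snippet above would then abort with a struct.error after an unknown number of entries. Here the error names the entry at which the data ran out, and everything before it is still available to the examiner by parsing the prefix.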

Sources of location information on Android phones

We investigated several well-known apps from the Android market with respect to the amount of location data they store. The following table lists these apps, the database or file in which each keeps its data, and the location data that can be retrieved from it.

App          | Storage location                  | Content
system       | cache.cell                        | last 50 mobile telecommunication cells
system       | cache.wifi                        | last 200 wifi routers
camera       | JPG pictures                      | latitude and longitude of picture location
browser      | CachedGeopositions.db             | latitude, longitude, accuracy and timestamp
twitter      | author_id.db -> statuses          | latitude and longitude of status message
twitter      | author_id.db -> search_queries    | latitude, longitude and radius of location search queries
facebook     | fb.db -> user_statuses            | latitude and longitude of status message
facebook     | fb.db -> user_values              | latitude, longitude and timestamp of last checkin
google maps  | da_destination_history            | latitude and longitude of navigation start and destination

Reverse Engineering of the Android File System (YAFFS2)

We published a technical report with id CS-2011-06 (ISSN 2191-5008) named Reverse Engineering of the Android File System (YAFFS2) today. This report originates from parts of the Diploma Thesis of Christian Zimmermann, which was published earlier this year.

Abstract: YAFFS2 is a file system which is used in many modern smartphones. Although YAFFS2 is an open standard and there exists an open source implementation, the behavior of YAFFS2 is not very well understood. Additionally, several aspects like wear-leveling and garbage collection are not well specified in the standard, so that their actual behavior has to be reverse engineered from the implementation. Here, we give an introduction to and describe the basic functionality of YAFFS2. We place a particular focus on the detailed analysis of both the wear-leveling and the garbage-collection mechanisms, since these are important within a forensic analysis of the file system.

ADEL (Android Data Extractor Lite)

We just submitted a paper and a forensic tool named ADEL to a call for papers. The tool as well as the complete paper will be made available very soon to members of law enforcement agencies.

The tool can currently recover and analyze the following data:
– Call logs
– Contact and Calendar entries
– SMS and MMS messages
– Meta information about the smartphone and SIM

Abstract of the submitted paper:
Nowadays, smartphones are one of the most popular mediums of communication in the world. They are not only used for ordinary private and business purposes, they are also used by criminals for communication and as a target. Due to the ubiquitous use of smartphones, these devices become an increasingly important source of digital evidence in forensic investigations. Thus, the recovery of digital traces from smartphones often plays an essential role in the examination and clarification of the facts in a case. Although some tools already exist for the examination of smartphone data, there is still a strong demand to develop further methods and tools for the forensic extraction and analysis of data that is stored on smartphones. In this paper we describe the specifics of smartphones running the popular Android operating system. We further introduce a newly developed tool, called ADEL, that is able to forensically extract and analyse selected data from an Android device. Finally, a detailed report containing the results of the examination is created by the tool. The whole process is fully automated and takes account of all forensic principles.