8th Annual IFIP WG11.9 International Conference on Digital Forensics

We published and presented the paper “Forensic Acquisition of Location Data from Android Smartphones” at the IFIP WG11.9 conference in January this year. This paper covers the forensic acquisition of location data from Android smartphones (system and applications) and the corresponding generation of movement profiles. It will be published in the upcoming edition of “Advances in Digital Forensics”.

Paper accepted!

Today, we got the great message that our paper “Forensic Acquisition of Location Data on Android Smartphones” had been accepted for the Eighth Annual IFIP WG 11.9 International Conference on Digital Forensics in South Africa. We are really looking forward to participate.

For all of you, who can’t wait until January, here is the abstract of our work:

It is now well-known that, for various reasons, smartphone operating systems persistently store location information in their local storage. Less well-known is probably that also various network applications (apps) do this too. In this paper we present a system with which all this information can be extracted and visualized at the same time. Our system is based on the forensic data extraction tool ADEL. During our evaluation we found that in contrast to data retained by the network operator, location data stored on the mobile device in many cases offers much more precise information than the rather coarse-grained data from the network operator. However, the availability of data shows a much higher variability on the mobile phone than at the network operator.

Decoding cache.cell and cache.wifi files

As everybody knows, Android is maintaining two cache files with location information. One is cache.wifi (a wifi router database with MAC and GPS of the router) the other is cache.cell (a database with mobile communication cells and their GPS). Due to the fact, that these files are in binary format the following Python code-snippet should help to encode the actual data:

cacheFile = open("cache.wifi", 'rb')
version, entries = struct.unpack('>hh', cacheFile.read(4))
i = 0
while i < entries:
   key = cacheFile.read(struct.unpack('>h', cacheFile.read(2))[0])
   (accuracy, confidence, latitude, longitude, readtime) = struct.unpack('>iiddQ', cacheFile.read(32))
   outputFile.write('%25s %7d %5d %10f %10f %s \n' % (key,accuracy,confidence,latitude,longitude,time.strftime("%x %X %z", time.localtime(readtime/1000))))

The cache files are located at:

This snippet works for both cache files, just change the filename 🙂

Status Meeting at the Federal Ministry of Education and Research

As our work is sponsored by the Federal Ministry of Education and Research we had the chance to give a presentation of our ongoing work at a status meeting of the ministry in Bonn last week. It was a really interesting two day meeting because many other sponsored projects were invited, too.

Due to the fact that our Mobile-Sandbox attracted a lot of attention there were many interesting discussions afterwards. Let’s see how these discussions will influence the further development of the system.

We also had the chance to present our forensic framework – ADEL – in a poster session. The presented poster can be viewed here:

Dagstuhl Seminar

Schloss Dagstuhl

I was invited to this years Dagstuhl Seminar “Forensic Computing” to give a talk on mobile phone forensics. For all of you who hadn’t been there, here is the abstract of my talk:

Due to the ubiquitous use of smartphones, and the high amount of stored data on these devices, they become an increasingly important source of digital evidence in forensic investigations and they also implicate a vast risk of a potentially privacy leak for its users. In this paper we describe a new version of our developed tool – ADEL – that is able to forensically extract and analyze data from SQLite databases on Android devices and is also able to build a movement profile out of these data. Within the scope of a study we compared the data, gathered with the help of ADEL, with the data which a mobile-telecommunication-provider has from his customers. In the conclusion we also give some hints on how to stop your droid from gathering this much location data.