Paper accepted!

Today, we got the great news that two of our papers, “Analyse und Vergleich von BckR2D2-I und II” and “Forensic Analysis of YAFFS2”, have been accepted for Sicherheit2012 in Darmstadt.

We are really looking forward to participating.

Paper accepted!

Today, we got the great news that our paper “Forensic Acquisition of Location Data on Android Smartphones” has been accepted for the Eighth Annual IFIP WG 11.9 International Conference on Digital Forensics in South Africa. We are really looking forward to participating.

For all of you who can’t wait until January, here is the abstract of our work:

It is now well-known that, for various reasons, smartphone operating systems persistently store location information in their local storage. Less well-known is probably that various network applications (apps) do this too. In this paper we present a system with which all this information can be extracted and visualized at the same time. Our system is based on the forensic data extraction tool ADEL. During our evaluation we found that, in contrast to data retained by the network operator, location data stored on the mobile device in many cases offers much more precise information than the rather coarse-grained data from the network operator. However, the availability of data shows a much higher variability on the mobile phone than at the network operator.

Android devices and JTAG

Today I got some new toys to improve the forensic investigation process on smartphones. These tools allow connecting directly to the JTAG interface of the smartphone, so it should be possible to obtain a real dump of the memory.

I’m really excited how this works out 🙂

Decoding cache.cell and cache.wifi files

As everybody knows, Android maintains two cache files with location information. One is cache.wifi (a wifi router database with the MAC address and GPS position of each router), the other is cache.cell (a database of mobile communication cells and their GPS positions). Because these files are in a binary format, the following Python snippet should help to decode the actual data:

import struct
import sys
import time

cacheFile = open("cache.wifi", 'rb')
# the original snippet did not define outputFile; write to stdout here
outputFile = sys.stdout
# header: version (int16) and number of entries (int16), big-endian
version, entries = struct.unpack('>hh', cacheFile.read(4))
i = 0
while i < entries:
    # each entry: key length (int16), key bytes, then accuracy (int32),
    # confidence (int32), latitude/longitude (float64), read time (uint64, ms)
    key = cacheFile.read(struct.unpack('>h', cacheFile.read(2))[0]).decode('utf-8', 'replace')
    (accuracy, confidence, latitude, longitude, readtime) = struct.unpack('>iiddQ', cacheFile.read(32))
    outputFile.write('%25s %7d %5d %10f %10f %s \n' % (key, accuracy, confidence, latitude, longitude, time.strftime("%x %X %z", time.localtime(readtime / 1000))))
    i = i + 1
cacheFile.close()

The cache files are located at:
/data/data/com.google.android.location/files/

This snippet works for both cache files, just change the filename 🙂
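As an added example (not the snippet above and not part of the original post), here is a self-contained parser for the same binary layout that works on a byte string instead of an open file, checks for truncated input instead of silently reading short, and returns structured records that can be examined or exported. The sample cache content is constructed in the block itself, so nothing has to be pulled from a device to run it; the key strings in the sample are made-up placeholders, not real cell or router identifiers.

```python
import struct
import time
from typing import List, NamedTuple

# Layout of cache.cell / cache.wifi as decoded on the page:
# header   : version (int16), entry count (int16)
# per entry: key length (int16), key bytes, then
#            accuracy (int32), confidence (int32),
#            latitude (float64), longitude (float64),
#            read time (uint64, milliseconds since the Unix epoch)
# All fields are big-endian.
HEADER_FMT = '>hh'
KEYLEN_FMT = '>h'
RECORD_FMT = '>iiddQ'
RECORD_SIZE = struct.calcsize(RECORD_FMT)  # 32 bytes


class CacheEntry(NamedTuple):
    key: str
    accuracy: int
    confidence: int
    latitude: float
    longitude: float
    readtime_ms: int


def parse_cache(data: bytes) -> List[CacheEntry]:
    """Decode a whole cache file held in memory; raise ValueError on truncation."""
    if len(data) < struct.calcsize(HEADER_FMT):
        raise ValueError("truncated header")
    _version, count = struct.unpack_from(HEADER_FMT, data, 0)
    offset = struct.calcsize(HEADER_FMT)
    records = []
    for index in range(count):
        if offset + 2 > len(data):
            raise ValueError("truncated key length in entry %d" % index)
        (key_len,) = struct.unpack_from(KEYLEN_FMT, data, offset)
        offset += 2
        key = data[offset:offset + key_len]
        if len(key) != key_len:
            raise ValueError("truncated key in entry %d" % index)
        offset += key_len
        if offset + RECORD_SIZE > len(data):
            raise ValueError("truncated record in entry %d" % index)
        acc, conf, lat, lon, readtime = struct.unpack_from(RECORD_FMT, data, offset)
        offset += RECORD_SIZE
        records.append(CacheEntry(key.decode('utf-8', 'replace'), acc, conf, lat, lon, readtime))
    return records


def build_cache(entries: List[CacheEntry], version: int = 1) -> bytes:
    """Serialize entries in the same layout; used here only to construct sample input."""
    out = struct.pack(HEADER_FMT, version, len(entries))
    for e in entries:
        key = e.key.encode('utf-8')
        out += struct.pack(KEYLEN_FMT, len(key)) + key
        out += struct.pack(RECORD_FMT, e.accuracy, e.confidence, e.latitude, e.longitude, e.readtime_ms)
    return out


def format_entry(e: CacheEntry) -> str:
    """Render one record with the millisecond timestamp converted to UTC."""
    stamp = time.strftime('%Y-%m-%d %H:%M:%S', time.gmtime(e.readtime_ms / 1000))
    return '%-24s acc=%-6d conf=%-3d lat=%.6f lon=%.6f read=%s UTC' % (
        e.key, e.accuracy, e.confidence, e.latitude, e.longitude, stamp)


# Constructed sample data (placeholder keys, not identifiers taken from any device).
SAMPLE_ENTRIES = [
    CacheEntry('sample-cell-key-1', 1500, 75, 49.598121, 11.003653, 1325376000000),
    CacheEntry('sample-wifi-key-2', 30, 90, 49.573, 11.027, 1325376060000),
]
SAMPLE_FILE = build_cache(SAMPLE_ENTRIES)


if __name__ == '__main__':
    for entry in parse_cache(SAMPLE_FILE):
        print(format_entry(entry))
```

Reading the whole file into memory and bounds-checking every field keeps a damaged or partially overwritten cache from producing a short read that is misinterpreted as a valid record; for evidence files, a parse error is more useful than a silently wrong coordinate.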

Sources of location information on Android phones

We investigated several well-known apps from the Android market with respect to the amount of location data stored. Some of these apps, their corresponding databases, and the location data retrieved can be found in the following table.

| App | Storage location | Content |
|---|---|---|
| system | cache.cell | last 50 mobile telecommunication cells |
| system | cache.wifi | last 200 wifi routers |
| camera | JPG pictures | latitude and longitude of picture location |
| browser | CachedGeopositions.db | latitude, longitude, accuracy and timestamp |
| twitter | author_id.db -> statuses | latitude and longitude of status message |
| twitter | author_id.db -> search_queries | latitude, longitude and radius of location search queries |
| facebook | fb.db -> user_statuses | latitude and longitude of status message |
| facebook | fb.db -> user_values | latitude, longitude and timestamp of last checkin |
| google maps | da_destination_history | latitude and longitude of navigation start and destination |