Investigator’s compass – Health apps

The market for health apps is growing rapidly, which is understandable considering the increasing user demand. Currently, there are more than 318 thousand health apps available in various app stores. This overwhelming supply makes sense, given that over 60 percent of people have a health app downloaded on their phone. Even more have an app pre-installed by the manufacturer, such as Samsung Health, or Apple Health on all Apple devices, which has tracked the user's physical activity by default since the release of iOS 8 in 2014. In short, being healthy is a modern trend the manufacturers cannot dismiss. And neither can we.

Just as important, the data in some health apps is synchronized with the extensive activity report from a fitness bracelet or a smartwatch, which records it by default. These devices often record the data autonomously, without user intervention. What is more, device users are often unaware of all the data that Health and Fitness apps record about them, especially if the apps are pre-installed.

Data from health apps can often aid the investigation by restoring behavioral habits and daily routines, including physical and sleeping activity and dietary habits (when logged). Using this type of information, and often the deviation from normal habits, an investigator can paint a picture of what might have occurred. Thus, data from health apps can be seen as a compass, pointing the investigator in the direction of the investigation.
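An added example, not part of the original article and not Oxygen Forensic® Detective code: one way to compare a day under review against the hourly step totals of earlier days, flagging both unexpected and missing activity. The (timestamp, steps) tuple format, the function names and the thresholds are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import date, datetime
from statistics import median

# Constructed sample data: (local ISO timestamp, step count) pairs.
# Four ordinary days, then 2024-03-05 with night activity and a quiet afternoon.
ORDINARY = {1: (900, 600, 1200), 2: (950, 640, 1100),
            3: (880, 610, 1250), 4: (920, 590, 1180)}
SAMPLES = [(f"2024-03-0{d}T{h}:10:00", n)
           for d, row in ORDINARY.items()
           for h, n in zip(("08", "12", "18"), row)]
SAMPLES += [("2024-03-05T02:15:00", 400), ("2024-03-05T02:40:00", 240),
            ("2024-03-05T08:10:00", 850), ("2024-03-05T12:10:00", 14)]

def hourly_totals(samples):
    """Sum step counts into (date, hour) buckets.
    Timestamps must already be normalised to one time zone."""
    totals = defaultdict(int)
    for ts, steps in samples:
        t = datetime.fromisoformat(ts)
        totals[(t.date(), t.hour)] += steps
    return totals

def habit_deviations(samples, day, min_steps=50, factor=4.0):
    """Compare each hour of `day` with the median of that hour on earlier days.
    Returns {"unexpected": [...], "missing": [...]} of (hour, observed, baseline)."""
    totals = hourly_totals(samples)
    history = sorted({d for d, _ in totals if d < day})
    if not history:
        raise ValueError("no earlier days to build a baseline from")
    report = {"unexpected": [], "missing": []}
    for hour in range(24):
        observed = totals.get((day, hour), 0)
        # An hour with no samples on a history day counts as zero steps.
        baseline = median(totals.get((d, hour), 0) for d in history)
        if observed >= min_steps and observed > factor * max(baseline, 1):
            report["unexpected"].append((hour, observed, baseline))
        elif baseline >= min_steps and observed * factor < baseline:
            report["missing"].append((hour, observed, baseline))
    return report

if __name__ == "__main__":
    for kind, rows in habit_deviations(SAMPLES, date(2024, 3, 5)).items():
        for hour, observed, baseline in rows:
            print(f"{kind:10} {hour:02d}:00  steps={observed}  usual={baseline}")
```

Flagged hours are leads to corroborate against other artifacts, since a missing hour can also mean the phone was simply left behind.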

The extracted and analyzed data could also point out whether the suspect is lying or a crime scene was staged, as happened in the UK in 2018, when a man murdered his wife and tried to make it look like a burglary. The automatically recorded data in the Health app helped solve the case: it recorded frantic activity on the man’s phone as he was trying to stage the burglary, whereas the phone of his wife, the victim, recorded only the 14 steps taken after her death. Data recorded by an Apple Watch and synchronized with the victim’s iPhone helped solve another murder case in Australia in 2016. In this case, the heart rate measurements established the time of death, contradicting the story told by the killer.

The acquired data could become the “smoking gun” needed to convict a criminal, filling the evidence gaps and restoring a timeline. Another great example took place in Germany in 2018. The health app recorded, and documented, “climbing stairs” during a missing chunk of surveillance video as the criminal dragged his victim down the river embankment, and then climbed back up. Investigators should be aware that much of this data is recorded without the suspect’s or victim’s knowledge.

Oxygen Forensic® Detective is an industry leader in mobile app support and currently supports 12.000+ app versions and 475 unique apps, some of which are from the Health & Fitness category.

Let’s take a look at the most popular ones, all of which are supported in Oxygen Forensic® Detective. These include Apple Health, Samsung Health, Endomondo and Fitbit. All apps can be extracted from both Apple and Android devices, and from the Cloud as well.

Apple Health

Apple Health is a pre-installed health & fitness app which is present on all iPhones. By default, it tracks walking and running distance, the number of steps and flights climbed. Any additional data can also be logged manually. The application gathers data from various sources, mostly from other applications, such as Nike Run Club, Runtastic or Pokemon Go, or from paired devices, such as the Apple Watch.

Apple Health is available only on iPhones. This data is stored within the iTunes backup and is easily extracted during a standard logical Oxygen Forensic® Detective extraction. It is also possible to extract Apple Health from the Cloud. An investigator can always import the cloud credentials from Accounts and Passwords in Oxygen Forensic Detective or enter credentials or a token manually.

With Oxygen Forensic® Detective, the investigator can also obtain access to the suspect’s account information, list of data sources, paired devices and health data, including activity, nutrition, mindful minutes, sleep, body measurements, heart, reproductive health, vitals and activity summary. All the data is accessible both from the user’s device and the cloud.

Samsung Health

This application is installed by default on Samsung smartphones, but is not limited to them, as it is available to Android and Apple users. It tracks physical activity, diet, and sleep. The app allows the user to set goals so that all the tracked activity is shown in accordance with the overall goal. By default, the app tracks the number of steps. More data is automatically recorded when it is paired with a Galaxy Watch.

Samsung Health is available both on Android and iOS-operated devices. In iOS, the data from Samsung Health can be found within an iTunes backup and can be easily extracted and decrypted during a standard logical Oxygen Forensic® Detective extraction. In Android devices, data from the app does reside in an ADB backup and will only be obtained and decrypted via a physical dump.

It is also possible to extract Samsung Health from the cloud. The investigator can import the cloud credentials from the Accounts and Passwords section of the device extraction home screen or enter credentials or a token manually. Proxy settings are available for Samsung Health cloud extraction to ensure the non-disclosure of the investigator’s location.

With Oxygen Forensic® Detective, the investigator could get access to the suspect’s account information, data sources, activity summary, steps, body measurements, workout, food, and sleep logs. More importantly, all attached geo-coordinates can be viewed in the built-in Oxygen Forensic maps. All the data is accessible both from the user’s device, be it iOS or Android, and from the cloud.

Parsed Samsung Health data with app categories on the sidebar and workout points at the main screen
The workout points shown on the built-in map
Logging in Samsung Health with Oxygen Forensic® Cloud Extractor

Endomondo

Endomondo is a social fitness network, mostly used to track the user’s workout activity. When tracking activity, the user can choose from a wide range of supported workouts, each resulting in a slightly different set of data recorded, including the number of calories burned.

Endomondo is available both on Android and iOS-operated devices. In iOS, the data from Endomondo can be located within an iTunes backup and thus is easily extracted during a logical Oxygen Forensic® Detective extraction. In Android devices, data from the app is not extracted using an ADB backup and is only obtained via a physical dump.

However, it is also possible to extract Endomondo from the cloud. The investigator can import the cloud credentials from the Accounts and Passwords section in the Oxygen Forensic home screen or enter credentials or a token manually.

With Oxygen Forensic® Detective, the investigator can also access a suspect’s workout history, which includes the category of sports, start time stamp, distance, note and picture attached to the workout, maximum speed, minimum/maximum altitude, calories, hydration and ID. All the data is accessible both from the user’s device, be it iOS or Android, and from the cloud.

Parsed Endomondo data with app categories on the sidebar and workout logs at the main screen
The workout points shown on the built-in map
Logging in Endomondo with Oxygen Forensic® Cloud Extractor

Fitbit

The Fitbit app is designed mostly for users of Fitbit wearables. When used without a wearable, it automatically tracks the number of steps, distance and the calories burned. All other data, including workouts, weight and nutrition, must be manually logged. The app also provides its users with access to the Fitbit community, thus being a fitness social network as well.

Fitbit is available both on Android and iOS-operated devices. In iOS, the data from Fitbit can be located within an iTunes backup and thus is easily extracted during a logical Oxygen Forensic® Detective extraction. In Android devices, data from the app is not extracted using an ADB backup and is only obtained via a physical dump.

However, it is also possible to extract Fitbit from the cloud.

The investigator can import the cloud credentials from the Accounts and Passwords section in the Oxygen Forensic home screen or enter credentials or a token manually.

Proxy settings are available for Fitbit cloud extraction to ensure the non-disclosure of the investigator’s location.

With Oxygen Forensic® Detective, the investigator can access a suspect’s account information, list of connected devices and friends, cached files, workout and sleep logs, food history and all the social interactions within the Fitbit community. All the data is accessible both from the user’s device, be it iOS or Android, and from the cloud.

Parsed Fitbit data with app categories on the sidebar and user posts at the main screen
Logging in Fitbit with Oxygen Forensic® Cloud Extractor
