Location, Location, Location

Location PinAs a former law enforcement officer, I am cognizant of the importance of location information. Using this type of data we were often able to tie a party involved in an investigation to a particular place and time. Back then, location data might have come from a witness statement, surveillance video, audio capture, or another archaic source. Today, there are almost 8 billion beacons around the world carried in the pockets of humans, offering investigators a wealth of information about individuals’ whereabouts. However, many times this captured location information from an individual’s mobile device is overlooked by the agent.

Digital forensic investigators often rely on the data at hand on the physical device (e.g., parsed applications on the device, chat messages, media) to make a determination of location at a particular date and time. This is often fruitful using digital examination tools and training, but what if the necessary data is not stored on the device?  What if the device is locked with a passcode, wiped, unavailable, or destroyed?  This has been, and will more often be, a problem with investigations into digital data on mobile devices. With these limitations investigators will need additional sources of data.

The data stored within the cloud for each individual using a mobile device can be many times larger than that of the mobile device. From backups to the storage of app data, a user’s cloud can be massive. Just think of your own device. When you uninstall an app or switch out a phone, you simply have to download the app and re-authenticate, and magically the app populates the data. This data in the cloud can be a treasure trove of evidence. What about services on the device that are not really an app, but are just a digital breadcrumb of a service?

Google Location is a service that is not new, but collects a scary amount of user data – fantastic as a digital forensic examiner. Google flat out explains, much like Amazon or other data companies, that data will be used to make their services better. With that being said, Google will capture the location of the device to better the usage of an application’s location services, their own Wi-Fi Positioning Service, or other “additional” services. The use of the Wi-Fi positioning service is brilliant for examiners, especially when users do not have GPS on their devices or even turn it off.  Since the capture of GPS data is done by crowd sourcing, a user’s Wi-Fi can actually determine their location because a previous user had their GPS enabled and reported that location of the access point BSSID. Now, a user walks by and the location simply registers (not even authenticates) the coordinates onto the user’s device. BOOM, a GPS point is created into Google Location services for the user’s account.

A great example can be seen in the image below, which shows the area surrounding our headquarters in Alexandria, Virginia, USA. This is a simple dump of data using Oxygen Forensic Detective’s built-in Oxygen Forensic Cloud Extractor and the selection of my Google Location.  Those are not crayon marks or added lines, but routes created by the raw data extraction containing location information. By closer inspection along the Potomac there is a great running path I frequent in the mornings and there is a clear line up and back. It should be noted I do not have a tracking application running at anytime, simply my device in my pocket. Furthermore, Google Location is not an app that is installed but a service that other apps can access when needed and also used by Google to “improve” services. This means the app is not parsed or generally supported by commercial tools.

Figure 1. Oxygen Forensics office in Alexandria, VA, USA

So, what does this mean to you the investigator? Maybe you do not have an application which shows the device was in the area. However, with a cloud extraction an investigator can filter the data to the date/time in question and determine location of the account and possibly the individual. Google Location data, along with other app data, can be the smoking gun an investigator needs. Best yet, Google Locations are captured for any device (laptop, Apple, Android) where the user is signed into their account. Again, this information can be extraordinary in today’s investigations.

By using data from multiple sources (e.g., mobile device, cloud backups) an investigator can turn a circumstantial case into one that is bullet proof. Today’s investigators need to be ready to look in other sources for that digital gold. Good luck!

Support the Unsupported

Mobile forensic software is often heralded as the end all, do all, completer of all cases.  However, the probability that an examiner will be faced with the dissection of an unsupported app is quite great. Lets take it a step further and point out, at least in a most basic way, how an examiner can uncover valuable data without relying on the automated solution in this often inevitable situation.

In this document we will examine a SQLite database from built in browsers of both Android and iOS file systems.  Understanding the examiner has to go the extra mile if they are to find the 0’s and 1’s in the digital haystack the results are significant to the overall case. These examples can be used with any SQLite database that an examiner might run into during the investigation so long as they are not encrypted.

The first step in any investigation should be to run a series of search queries to identify relevant material for the case.  This is a necessity. Simply thumbing through the volume of data now found on a mobile device is not practical. I find it extremely beneficial to use Oxygen Forensic® Detective to search within the file content. Searching within files is a necessity to uncover strings within database files that are not fully supported, not supported at all, or simply not decoded.

Figure 1: Search in file content


Figure 2: Database within an app using webkit.

Once you have your search hits, and are focused on the files of interest, the deep dive of these files can start. In my example in Figure 1 I used a regular expression ((\W|^)[\w.+\-]{0,25}@(yahoo|hotmail|gmail)\.com(\W|$)) to search for free (i.e. gmail, yahoo, hotmail) email addresses in an effort to uncover any additional addresses of interest. This search uncovered an email address within a database file within the Android built in browser. The interesting fact this database; it is not the stock database for the android browser, but rather a database created by the application for storage of mobile enabled websites. A website within a browser that stores data? Much like a nesting doll that continues to contain a replica of the doll that housed the smaller doll.

Browsers are ripe with databases similar to this example when the WebKit platform is utilized. The fact that these types of databases are processed by only a few tools, Oxygen Forensic Detective is one of them.  So, if a user used the browser to surf their Facebook account, the examiner will surely miss this data if they are simply looking at the Facebook app that was parsed by the mobile solution. In this example, this artifact, housed in this particular Android browser, is one that very few even realize or even understand is available. Again, the critical take-a-way is to comprehend the idea that modern mobile browsers from iOS to Android are packed with these user created manifestations, but few solutions have the ability to even recognize this valuable artifact, let-alone automatically parse the information.   However, do not just concentrate on browsers, but also with the built in browsers in messaging, or other apps.

Let us take a look at an example. In Figure 3 is a database file from the Dolphin browser from an Android device.  This file is viewed in Oxygen Forensics® SQLite Viewer. This file hosts content (yes content) of gmail messages. Not just the snippet HTML but the actual message in it’s entirety. Granted, the data in the database is only going to be the most recently cached emails when the user visited their email account, but it is possible it contains information critical to your case and no modern tool at this date will parse and decode this information automatically. This is not the gmail app, but the user accessed their gmail page from a browser. Since there are multiple tables that make up a database file, Oxygen Forensic® SQLite Viewer can build and execute SQL Queries across a single file and even multiple database files.  You can use the built-in query builder to drag and drop tables and match keys without knowledge of a single SQL command.  The Visual Query builder will create the command while you are building the data to be extracted.


Figure 3 : Single table of Webkit database found in Dolphin Browser for Android.

If you have a strong sense of SQL and have custom commands you can use directly in the SQL Query Editor as shown in Figure 4.  So, you do not have to rely on the Visual Query builder to create the SQL command just write away to create powerful commands against the database.  What is even more impressive is the power to run the query against the free-page area of the main database and WAL files.  This means to you….DELETED DATA.  So, using the powerful tool built into Oxygen Forensic Detective will be of great assistance.

Figure 4: Complex SQL Query from SQLQuery Builder now used in Oxygen Forensic® SQLite Viewer, creates a powerful query over multiple tables.

These treasure troves are created on the fly, per the user’s activity. Now, throw in the multitude of internet browsers, messaging apps, or any with built in browsers it becomes an impossibility that the mobile forensic solution of choice will be able to parse and decode this data in all situations. Again, it comes down to the expert behind the keyboard and their commitment to performing a complete examination.

Oxygen Forensics, Inc. is committed to supporting the forensic community and offers world leading solutions to uncover, recover, and analyze data from mobile devices, cloud services, and IoT devices.