Location, Location, Location

As a former law enforcement officer, I am cognizant of the importance of location information. Using this type of data we were often able to tie a party involved in an investigation to a particular place and time. Back then, location data might have come from a witness statement, surveillance video, audio capture, or another archaic source. Today, there are almost 8 billion beacons around the world carried in the pockets of humans, offering investigators a wealth of information about individuals' whereabouts. However, the location information captured by an individual's mobile device is still frequently overlooked by the investigating agent.

Digital forensic investigators often rely on the data present on the physical device (e.g., parsed applications, chat messages, media) to determine where the device was at a particular date and time. With the right examination tools and training this is often fruitful, but what if the necessary data is not stored on the device? What if the device is locked with a passcode, wiped, unavailable, or destroyed? This has long been a problem for investigations into mobile device data, and it will only become more common. Faced with these limitations, investigators need additional sources of data.

The data stored in the cloud for an individual using a mobile device can be many times larger than what is held on the device itself. From backups to app data, a user's cloud footprint can be massive. Just think of your own device. When you uninstall an app or switch phones, you simply download the app again and re-authenticate, and the app repopulates its data as if by magic. That data in the cloud can be a treasure trove of evidence. And what about services on the device that are not really an app at all, but merely leave a digital breadcrumb of a service?

Google Location is not a new service, but it collects a scary amount of user data, which is fantastic for a digital forensic examiner. Google states plainly, much like Amazon and other data companies, that the data will be used to make its services better. To that end, Google records the device's location to improve applications' location services, its own Wi-Fi positioning service, and other "additional" services. The Wi-Fi positioning service is brilliant for examiners, especially when a device has no GPS or the user has turned GPS off. The positioning database is crowdsourced: a device that does have GPS enabled reports the BSSIDs of the access points it can see together with its own coordinates, so the position of each access point becomes known. When another device later walks past the same access point, merely hearing its beacon is enough (the device never associates with, let alone authenticates to, the network) for the service to compute coordinates for that device. BOOM, a location point is recorded in Google Location for the user's account, with no GPS fix involved.
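To make the crowdsourcing mechanism concrete, here is an added example (my own code, not Oxygen Forensics' and not Google's implementation, whose algorithm is not public) of the two halves of a Wi-Fi positioning system: GPS-equipped devices survey access points, and a device with GPS off is then located from the BSSIDs it hears. The weighted centroid is a common textbook approach used here as a stand-in; every BSSID, coordinate and signal strength is constructed.

```python
"""Added example (not Oxygen Forensics code, not Google's implementation) of a
crowdsourced Wi-Fi positioning system.

Survey: devices that do have a GPS fix report the BSSIDs they can hear plus their
own coordinates, so each access point acquires an estimated position.
Lookup: a device with GPS off reports only the BSSIDs it hears and their signal
strength, and gets back a weighted centroid of the known access-point positions.
The device never associates with or authenticates to any of these networks.

Every BSSID, coordinate and RSSI below is constructed for illustration.
"""
from collections import defaultdict

# Constructed survey reports: (bssid, lat, lon) sent by GPS-enabled devices.
SURVEY_REPORTS = [
    ("aa:bb:cc:00:00:01", 38.8048, -77.0469),
    ("AA:BB:CC:00:00:01", 38.8050, -77.0471),   # same AP, second sighting
    ("aa:bb:cc:00:00:02", 38.8055, -77.0460),
    ("aa:bb:cc:00:00:03", 38.8040, -77.0480),
    ("aa:bb:cc:00:00:03", 38.8042, -77.0478),
]


def build_ap_database(reports):
    """Average every sighting of a BSSID into one estimated access-point position.

    Returns {bssid: (lat, lon, number_of_sightings)}.
    """
    sums = defaultdict(lambda: [0.0, 0.0, 0])
    for bssid, lat, lon in reports:
        entry = sums[bssid.lower()]        # BSSIDs are case-insensitive
        entry[0] += lat
        entry[1] += lon
        entry[2] += 1
    return {b: (s[0] / s[2], s[1] / s[2], s[2]) for b, s in sums.items()}


def rssi_to_weight(rssi_dbm):
    """Received power in milliwatts: a stronger beacon means a nearer AP, so it
    pulls the estimate harder (-50 dBm weighs 1000x more than -80 dBm)."""
    return 10 ** (rssi_dbm / 10.0)


def locate(observed, ap_db):
    """Weighted centroid of the known APs the device can hear.

    observed: iterable of (bssid, rssi_dbm) from a single scan.
    Returns (lat, lon, matched_aps) or None when no BSSID is in the database.
    """
    lat_sum = lon_sum = w_sum = 0.0
    matched = 0
    for bssid, rssi in observed:
        ap = ap_db.get(bssid.lower())
        if ap is None:                     # never surveyed: contributes nothing
            continue
        w = rssi_to_weight(rssi)
        lat_sum += w * ap[0]
        lon_sum += w * ap[1]
        w_sum += w
        matched += 1
    if matched == 0:
        return None
    return (lat_sum / w_sum, lon_sum / w_sum, matched)


# Constructed scan from a device with GPS disabled: two known APs, one unknown.
SCAN_GPS_OFF = [
    ("AA:BB:CC:00:00:01", -45),   # strong: the device is close to this AP
    ("aa:bb:cc:00:00:02", -70),   # weak: farther away
    ("de:ad:be:ef:00:00", -30),   # never surveyed, ignored
]

if __name__ == "__main__":
    db = build_ap_database(SURVEY_REPORTS)
    fix = locate(SCAN_GPS_OFF, db)
    print(f"estimated position {fix[0]:.5f}, {fix[1]:.5f} from {fix[2]} known APs")
```

The point for an examiner is the asymmetry: the account holder's own GPS setting is irrelevant, because the coordinates come from whoever surveyed the access point earlier, and the resulting point is stored against the account like any other.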

A good example can be seen in the image below, which shows the area surrounding our headquarters in Alexandria, Virginia, USA. This is a simple dump of data produced with Oxygen Forensic Detective's built-in Oxygen Forensic Cloud Extractor, with my Google Location data selected. Those are not crayon marks or added lines but routes drawn from the raw extracted location data. Looking closer along the Potomac, there is a great running path I frequent in the mornings, and a clear line up and back is visible. It should be noted that I do not have a tracking application running at any time; the device is simply in my pocket. Furthermore, Google Location is not an installed app but a service that other apps access when needed and that Google itself uses to "improve" its services. This means its data is not parsed from the handset and is not generally supported by commercial tools.

Figure 1. Oxygen Forensics office in Alexandria, VA, USA

So, what does this mean for you, the investigator? Maybe you do not have an application that shows the device was in the area. However, with a cloud extraction an investigator can filter the data to the date/time in question and determine the location of the account, and possibly of the individual. Google Location data, along with other app data, can be the smoking gun an investigator needs. Best of all, Google Location points are captured from any device (laptop, Apple, Android) where the user is signed into their account. Again, this information can be extraordinary in today's investigations.
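The filtering step described above, as an added example that is not Oxygen Forensics' code: parse a Google location export, keep only the points inside a date/time window, and flag those that could have been within a given radius of a place of interest. The record layout is modeled on the older Google Takeout "Location History.json" export (latitudeE7, longitudeE7, timestampMs, accuracy); treat those field names as an assumption, since the export format has changed over time. The sample export is constructed, not a real extraction.

```python
"""Added example (not Oxygen Forensics code): filter a Google location export to a
date/time window and flag points near a place of interest.

Record layout is an assumption modeled on the older Google Takeout
"Location History.json" export (latitudeE7 / longitudeE7 / timestampMs / accuracy).
Timestamps are UTC. The sample export is constructed.
"""
import json
import math
from datetime import datetime, timezone

SAMPLE_EXPORT = json.dumps({"locations": [
    # three points of a morning run along the Alexandria waterfront (constructed)
    {"timestampMs": "1533207600000", "latitudeE7": 388048000, "longitudeE7": -770469000, "accuracy": 20},
    {"timestampMs": "1533208200000", "latitudeE7": 388070000, "longitudeE7": -770450000, "accuracy": 15},
    {"timestampMs": "1533208800000", "latitudeE7": 388052000, "longitudeE7": -770465000, "accuracy": 30},
    # next day, several kilometres away
    {"timestampMs": "1533294000000", "latitudeE7": 389072000, "longitudeE7": -770369000, "accuracy": 10},
]})

# Constructed query: 2018-08-02 10:00-12:00 UTC, place of interest on the waterfront.
WINDOW = (datetime(2018, 8, 2, 10, 0, tzinfo=timezone.utc),
          datetime(2018, 8, 2, 12, 0, tzinfo=timezone.utc))
POI = (38.8050, -77.0468)


def parse_locations(raw_json):
    """Convert E7 integer coordinates and millisecond epochs into usable values."""
    points = []
    for rec in json.loads(raw_json)["locations"]:
        points.append({
            "time": datetime.fromtimestamp(int(rec["timestampMs"]) / 1000, tz=timezone.utc),
            "lat": rec["latitudeE7"] / 1e7,
            "lon": rec["longitudeE7"] / 1e7,
            "accuracy_m": rec.get("accuracy", 0),   # radius of uncertainty in metres
        })
    points.sort(key=lambda p: p["time"])
    return points


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371000 * math.asin(math.sqrt(a))


def in_window(points, start, end):
    """Points whose timestamp falls inside [start, end] (both timezone-aware)."""
    return [p for p in points if start <= p["time"] <= end]


def near(points, lat, lon, radius_m):
    """Points that could have been within radius_m of (lat, lon).

    The reported accuracy is subtracted first: a point 272 m away with 15 m
    accuracy cannot be excluded from a 260 m radius, so it is still reported.
    """
    hits = []
    for p in points:
        d = haversine_m(p["lat"], p["lon"], lat, lon)
        if d - p["accuracy_m"] <= radius_m:
            hits.append((p, round(d)))
    return hits


def find_hits(raw_json, start, end, lat, lon, radius_m):
    """Whole pipeline: parse, restrict to the time window, then test proximity."""
    return near(in_window(parse_locations(raw_json), start, end), lat, lon, radius_m)


if __name__ == "__main__":
    for p, d in find_hits(SAMPLE_EXPORT, *WINDOW, *POI, 200):
        print(p["time"].isoformat(), f"{d} m from the place of interest")
```

Two things worth carrying into a report: the export's accuracy field is an error radius, so proximity should be argued as "could not have been farther than", and the timestamps are UTC and need converting to the local time of the scene before being compared with witness statements or CCTV clocks.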

By using data from multiple sources (e.g., mobile device, cloud backups) an investigator can turn a circumstantial case into a bulletproof one. Today's investigators need to be ready to look in other sources for that digital gold. Good luck!

Oxygen Forensic Detective 10.4 is here! Examine more data from more sources than ever before

The latest version of our flagship software, Oxygen Forensic® Detective is now live and available for download by customers with current licenses.

In addition to added support for dozens of application updates, version 10.4 offers several major new features to enable investigators to extract and examine more data than ever before.

Decrypt WhatsApp Backups

In some cases, you may have a WhatsApp backup file extracted from an SD card or the internal memory of an Android device, but you do not have a key file to decrypt it. Oxygen Forensics now offers a new method to decrypt WhatsApp backups in such cases. All you need to do is import a WhatsApp backup into Oxygen Forensic® Cloud Extractor by clicking “Decrypt WhatsApp backup files” on the startup window. You will be offered two options for backup decryption – using the phone number associated with the backup or a WhatsApp Cloud token extracted from the Android device. Once data is decrypted you can open it in Oxygen Forensic® Detective for detailed analysis and reporting.

Import GrayKey iPhone Images

Oxygen Forensic® Detective 10.4 supports import and parsing of GrayKey images of Apple iOS devices, from the iPhone 5S through the iPhone 8 and the iPhone X, running iOS versions up to 11.4.1. To import a GrayKey image, select Import Apple backup/Import GrayKey image from the Import menu on the toolbar. Oxygen Forensic® Detective parses and recovers all available data, including contacts, messages, calls, calendars, pictures and files, application data, passwords, geo coordinates, and much more.

Acquire Locked Samsung Devices

Oxygen Forensic® Detective 10.4 enables partial acquisition of locked Samsung devices via MTP. The method is compatible with devices running Android 4.4.x, 5.x, 6.x, and 7.x with a security update dated no later than October 27, 2017. All you need to do is connect the device via cable in Oxygen Forensic® Extractor and select Search for MTP devices in Automatic connection settings. The software bypasses the screen lock and extracts the pictures and databases that are exposed via MTP; data outside the MTP-visible storage is not acquired by this method.

Detect Similar Photos with PhotoDNA

We've added the ability to identify similar images using PhotoDNA hash sets. Select Search similar images in the Search menu. The software automatically finds similar images and groups them together. Because the comparison is perceptual rather than byte-exact, it also catches images that were, for example, modified or edited, allowing forensic experts to find sensitive content within a short period of time.
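To show why a perceptual hash still matches an edited copy, here is an added example of my own, not Oxygen Forensics' code and not Microsoft's PhotoDNA algorithm (which is proprietary). It uses a simple "difference hash" as a stand-in: an edited copy lands a few bits from the original, an unrelated picture lands far away, and a Hamming-distance threshold groups the near-duplicates. The three test images are constructed, and images are plain lists of grayscale rows so nothing beyond the standard library is needed.

```python
"""Added example (not Oxygen Forensics code, not the PhotoDNA algorithm):
near-duplicate image grouping with a 64-bit difference hash (dHash).

Images are lists of rows of 8-bit grayscale values; the test images are constructed.
"""

HASH_W, HASH_H = 9, 8   # 9 columns give 8 horizontal comparisons per row => 64 bits


def downscale(img, w, h):
    """Nearest-neighbour shrink. Real implementations box-filter and convert to
    grayscale first, which is what makes the hash robust to noise and resizing."""
    src_h, src_w = len(img), len(img[0])
    return [[img[y * src_h // h][x * src_w // w] for x in range(w)] for y in range(h)]


def dhash(img):
    """64-bit hash: bit = 1 where a pixel is darker than its right-hand neighbour.
    Only *relative* brightness matters, so uniform exposure/contrast edits and mild
    recompression leave most bits unchanged."""
    small = downscale(img, HASH_W, HASH_H)
    bits = 0
    for row in small:
        for x in range(HASH_W - 1):
            bits = (bits << 1) | (1 if row[x] < row[x + 1] else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def group_similar(hashes, max_distance=10):
    """Greedy clustering: each image joins the first group whose seed hash is within
    max_distance bits, otherwise it seeds a new group. Returns lists of names."""
    groups = []                                 # list of (seed_hash, [names])
    for name, h in hashes.items():
        for seed, members in groups:
            if hamming(seed, h) <= max_distance:
                members.append(name)
                break
        else:
            groups.append((h, [name]))
    return [members for _, members in groups]


# --- constructed 32x32 test images --------------------------------------------
def checker(size=32, cell=4, light=200, dark=50):
    """A checkerboard stands in for picture content with structure."""
    return [[light if ((x // cell) + (y // cell)) % 2 == 0 else dark
             for x in range(size)] for y in range(size)]


ORIGINAL = checker()
BRIGHTENED = [[min(255, v + 30) for v in row] for row in ORIGINAL]          # exposure edit
WATERMARKED = [[255 if (x >= 24 and y >= 24) else v for x, v in enumerate(row)]
               for y, row in enumerate(ORIGINAL)]                           # logo in a corner
INVERTED = [[250 - v for v in row] for row in ORIGINAL]                    # unrelated content

if __name__ == "__main__":
    hashes = {name: dhash(img) for name, img in [
        ("original", ORIGINAL), ("brightened", BRIGHTENED),
        ("watermarked", WATERMARKED), ("inverted", INVERTED)]}
    for name, h in hashes.items():
        print(f"{name:12s} {h:016x}  bits from original: {hamming(hashes['original'], h)}")
    print(group_similar(hashes))
```

The threshold is the tuning knob: too low and a cropped or re-encoded copy escapes, too high and unrelated pictures collapse into one group. Production systems such as PhotoDNA use a far more robust feature extraction than this 64-bit sketch, but the matching step, a distance threshold on a compact hash, is the same idea.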

Extract Wi-Fi Hotspot Connections

We've extended the functionality of Oxygen Forensic® KeyScout to support discovery of previously accessed Wi-Fi hotspots and their passwords on the subject's computer. To collect Wi-Fi hotspots, run KeyScout on the computer. Once they are acquired, a Wi-Fi Access Points tab appears in KeyScout. You can save the collected Wi-Fi data to an OCPK file for use in the Oxygen Forensic® Cloud Extractor OCPK Viewer.

Examine Bluetooth Connection History

Oxygen Forensic® Detective 10.4 offers extraction of Bluetooth connections from iOS devices. Now you can acquire the information about both paired and nearby devices: MAC address, device name, and last detected time.

Authenticate via Google Prompt

We’ve added the ability to sign in to Google services with 2FA enabled by using Google Prompt. Four authentication types are now available for Google services: SMS, authenticator code, backup code, and Google Prompt.

Extract Qualcomm Devices with Improved EDL

The EDL method for Qualcomm devices has been improved in the latest version. Manual selection of the EDL bootloader is now available alongside automatic bootloader upload. The EDL method allows extraction of data from 450+ Qualcomm-based Android devices.