Geo-location data in iOS and Android services and applications: Finding, Processing and Validation
(C) Oxygen Software, 2000-2011 http://www.oxygen-forensic.com
Techno Forensics Conference, Myrtle Beach, October 31 – November 1, 2011

Oxygen Software Company
• Founded in 2000 by Oleg Fedorov, CEO, and Oleg Davydov, CTO
• 11 years of PC-to-mobile communication software development
• Oxygen Forensic Suite 2011 - Smart Forensics for Smart Phones
• Strong support for Android OS, Apple iOS, Symbian OS, Windows Mobile OS, BlackBerry OS

Importance of geo-location data
Linking device locations to timestamps is one of the top-priority tasks for forensic experts
• Smartphones generate much more data than earlier phones
• iOS and Android OS have a built-in location API
• GPS, cell (GSM/CDMA) and Wi-Fi data can all be used for geo-location
• Geo data is used by system services, standard apps and 3rd-party apps

Photos with EXIF headers containing GPS data

Wi-Fi geo-location services
• Google (Google Maps, Google Latitude)
• Apple crowd-sourced database
• BlackBerry Wi-Fi Geolocation Service (officially since September 9, 2011)
• Microsoft Wi-Fi Geolocation Service
• Navizon, Skyhook, others…

iOS - Geo-location cache
• /root/Library/Caches/locationd/consolidated.db (since iOS 4.*)
• No longer included in iTunes backups since iOS 4.3.3
• Accessible only on jailbroken phones or from decrypted DMG images
• /root/Library/Caches/locationd/lockCache_encryptedA.db (since iOS 5.0)
• Hundreds of records for every timestamp

iOS - Automating point averaging and getting maps for every timestamp

Android - data under file-rights protection
• Data caging: no access to other apps' data
• The /data/data/ folder is protected; root rights are needed
• Temporary rooting is possible for 1.6 – 2.2, 2.3 – 2.3.2 and 3.0
• Exploitation gives access to app data files, service settings, some passwords etc.

Android - location data
• Location cache: /data/data/com.google.android.location/files
• Wi-Fi data: cache.wifi; Cell ID data: cache.cell
• Proprietary binary format; contains timestamps, latitudes, longitudes and accuracy

Android - Wi-Fi and cell data harvest
• Several records of both types can be found for the same timestamp
• An automated averaging technique can be applied

Location-aware applications
• Navigation
• Social networks
• Weather
• Travel services
• Banking apps

Foursquare
• The most popular location-based social network of its kind (others: Gowalla etc.); created in 2009
• Lets you tell your friends where you are right now, comment, and leave tips about visited venues
• More than 10 million users worldwide; more than 3 million check-ins every day
• Mobile versions, SMS
• Check-ins, friends, photos, mayors, badges
• Discounts from brands and venue hosts
• Generates a lot of data in the application cache

iOS - Foursquare
• SQLite database
• Contacts (owner, friends and others)
• Check-ins
• Top places
• Shouts
• Tips
• Venues

iOS - Foursquare
• User activity
• Friends, interests
• User locations at specific times

Android - Foursquare
• /data/data/com.joelapenna.foursquared
• JSON-formatted files
• Geo-locations, timestamps etc.
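The iOS consolidated.db slide and the Android cache.wifi / cache.cell slide above both note that a single timestamp carries many Wi-Fi and cell records, and that an automated averaging step is applied before a point is put on a map. The following is an added example of such a step, not Oxygen Forensic Suite code: the records are constructed stand-ins for rows already parsed out of either cache (the binary layouts are not described on this page), and the inverse-variance weighting and the iterative outlier rule are this example's own choices, not the suite's algorithm.

```python
"""Accuracy-weighted averaging of cached location records that share a timestamp.

Added example, not Oxygen Forensic Suite code. The records below are
constructed stand-ins for rows already parsed out of iOS consolidated.db or
Android cache.wifi / cache.cell; the binary layouts are not described here,
and the weighting and outlier rule are this example's own choices.
"""
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Fix:
    ts: int            # UTC epoch seconds from the cache record
    source: str        # "wifi" or "cell"
    lat: float
    lon: float
    accuracy_m: float  # radius reported by the cache; treated as 1 sigma


# Constructed sample: several Wi-Fi and cell records for the same timestamp,
# one of them a stale AP entry far from the others, plus a lone cell fix.
SAMPLE_RECORDS = [
    Fix(1302676395, "wifi", 52.50060, -0.18373, 84),
    Fix(1302676395, "wifi", 52.50071, -0.18355, 60),
    Fix(1302676395, "cell", 52.50400, -0.18000, 1500),
    Fix(1302676395, "wifi", 52.50058, -0.18390, 90),
    Fix(1302676395, "wifi", 52.52000, -0.15000, 80),   # stale/moved AP
    Fix(1302680000, "cell", 52.51000, -0.17000, 1200),
]


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def weighted_centroid(points):
    """Inverse-variance mean: a 60 m Wi-Fi fix outweighs a 1500 m cell fix
    by a factor of 625. Returns (lat, lon, combined accuracy in metres).
    Averaging raw degrees is adequate at the few-hundred-metre scale."""
    weights = [1.0 / (p.accuracy_m ** 2) for p in points]
    total = sum(weights)
    lat = sum(w * p.lat for w, p in zip(weights, points)) / total
    lon = sum(w * p.lon for w, p in zip(weights, points)) / total
    return lat, lon, 1.0 / math.sqrt(total)


def average_fix(points, max_sigma=3.0):
    """Average all records for one timestamp. One record at a time, drop the
    worst outlier (farther from the centroid than max_sigma times its own
    accuracy) and recompute, so a single moved AP cannot drag the result."""
    kept = list(points)
    while True:
        lat, lon, acc = weighted_centroid(kept)
        if len(kept) == 1:
            return lat, lon, acc, kept
        ratios = [haversine_m(lat, lon, p.lat, p.lon) / p.accuracy_m for p in kept]
        worst = max(range(len(kept)), key=ratios.__getitem__)
        if ratios[worst] <= max_sigma:
            return lat, lon, acc, kept
        del kept[worst]


def average_by_timestamp(records, max_sigma=3.0):
    """Group records by timestamp; returns {ts: (lat, lon, acc, kept_records)}."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec.ts].append(rec)
    return {ts: average_fix(pts, max_sigma) for ts, pts in sorted(groups.items())}


if __name__ == "__main__":
    for ts, (lat, lon, acc, kept) in average_by_timestamp(SAMPLE_RECORDS).items():
        print(f"{ts}: {lat:.5f}, {lon:.5f} (+/- {acc:.0f} m) from {len(kept)} records")
```

The dropped records are worth keeping in the report alongside the averaged point: a Wi-Fi entry that lands kilometres from its siblings at the same timestamp is exactly the "moved access point" case the later slides warn about, and it is evidence about the cache, not about the device's position.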
Common obstacles
• The phone's image is needed in most cases
• Data protection, encryption
• Different versions of the same app have different feature sets
• Dozens of geo-aware apps

iOS - Wi-Fi access point connection history
When we don't have anything else…
One of the last possibilities for obtaining geo-location data is the file storing all Wi-Fi access points this device has ever connected to:
/mobile/Library/Preferences/com.apple.wifi.plist
This is a text (XML) plist file and can be read from any iPhone/iPod touch/iPad regardless of its jailbreak state (backup / raw image / file system reading).

iOS Wi-Fi access point connection history
• Entries are created automatically whenever the device owner connects to a Wi-Fi network; the device can "forget" a network only while it is in range; there is no way to view or edit the list of points manually from the phone
• No expiration period for the points: data is stored "forever"

Forensically important fields
• SSID_STR (Beeline_WiFi_FREE) - text name of the AP
• BSSID (0:19:e1:2:dc:c0) - MAC address of the AP hardware (note that octets are stored without leading zeros)
• lastJoined (13.04.2010 6:53:15) - last connection time with the auto-connect option off (since iOS 3.1)
• lastAutoJoined (10.03.2011 14:05:22) - last connection time with the auto-connect option on (since iOS 3.1)
• isWPA (0) - whether the AP provides password-protected access

From access point to geo-coordinates
• MAC addresses from the list can be used in geo-location lookups
• Oxygen Forensic Suite 2011 uses the Google service for coordinate acquisition (https://www.google.com/loc/json)
• Other free and commercial services (e.g. www.location-api.com)
• Request example: http://www.locationapi.com/cps/?key=********************&id=35780303xxx47334&nr=1&wifi=00:11:50:e8:6a:63,Flat%20One,-51
• Response example: status=0;nr=1;lat=52.5006;lon=-0.18373;acc=84

Access point types (1)
• home / private / standalone access points

Access point types (2)
• countrywide / worldwide networks

Access point types (3)
• mobile access points

Access point types (4)
• ad-hoc access points

Can we trust all these coordinates?
• AP location accuracy can be (a little) worse than Google states
• Coordinates are usually correct for home/private and network APs
• The challenge is to identify the type of the point

Timestamp verification
• Timestamps come from the phone's internal clock and do not use mobile network time
• Timestamps are stored in UTC; add the time zone offset (the one in force for the device at that moment, DST included) to get local time
• For iOS Wi-Fi access points: if both lastJoined and lastAutoJoined are stored for an AP, only lastAutoJoined can safely be associated with that point (unless you are sure that both timestamps can be linked to this particular AP)

Location verification
• Geo-coordinates in the phone are not necessarily taken straight from the GPS receiver
• GPS, Wi-Fi and GSM/CDMA data are used together to obtain coordinates; there is no way to determine the data sources and algorithm used
• Google's accuracy estimates are questionable (as are those of other services)
• Wi-Fi lookups return where the AP is today, not where it was on any date in the past
• The user can intentionally create false data (fake check-ins)

Anti-forensics for jailbroken/rooted devices
• 5% of all iPhone devices are jailbroken; more Android devices are rooted
• In most cases the phone must be rooted/jailbroken to install any spyware or malware product
• On these phones the whole file system is accessible to the user
• Any user file can be erased from the phone, edited or substituted by a modified version
• iOS - files can be modified in a backup and restored back to the phone (the new file hash must be calculated)
• There are a number of tricks for creating fake evidence (e.g. you can always use an AP with a deliberately chosen name to overwrite the stored information about the original point with the same name)

Summary
• Geo-locations are of doubtful value as evidence in court
• They should be used as a starting point for field investigations
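The "Forensically important fields", "From access point to geo-coordinates" and "Timestamp verification" slides together describe one procedure: read the known-networks entries from com.apple.wifi.plist, decide which timestamp may be attributed to each AP, convert it from UTC, and submit the BSSID to a lookup service in the request format shown. The following is an added example of that procedure, not Oxygen Forensic Suite code. The plist is constructed with the field names the slides list; the top-level key "List of known networks", the API key and device-id placeholders, and the use of Python's plistlib are assumptions, and nothing is sent over the network (the request is only built and the sample response only parsed).

```python
"""Reading the iOS known-networks list and preparing an AP lookup.

Added example, not Oxygen Forensic Suite code. Field names follow the slides
(SSID_STR, BSSID, lastJoined, lastAutoJoined, isWPA); the top-level key
"List of known networks" and the key/device-id placeholders are assumptions.
"""
import plistlib
from datetime import timedelta, timezone
from urllib.parse import quote, urlencode

# Constructed sample plist (values modelled on the slide examples).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>List of known networks</key>
  <array>
    <dict>
      <key>SSID_STR</key><string>Beeline_WiFi_FREE</string>
      <key>BSSID</key><string>0:19:e1:2:dc:c0</string>
      <key>lastJoined</key><date>2010-04-13T06:53:15Z</date>
      <key>lastAutoJoined</key><date>2011-03-10T14:05:22Z</date>
      <key>isWPA</key><integer>0</integer>
    </dict>
    <dict>
      <key>SSID_STR</key><string>Flat One</string>
      <key>BSSID</key><string>0:11:50:e8:6a:63</string>
      <key>lastJoined</key><date>2011-09-20T19:41:03Z</date>
      <key>isWPA</key><integer>1</integer>
    </dict>
  </array>
</dict>
</plist>
"""


def normalize_bssid(bssid):
    """iOS stores the AP MAC without leading zeros ("0:19:e1:2:dc:c0");
    zero-pad each octet to the form lookup services expect."""
    return ":".join(part.zfill(2).lower() for part in bssid.split(":"))


def as_utc(value):
    """plistlib returns <date> values as naive datetimes; they are UTC."""
    return value.replace(tzinfo=timezone.utc) if value is not None else None


def parse_known_networks(plist_bytes):
    data = plistlib.loads(plist_bytes)
    networks = []
    for entry in data.get("List of known networks", []):  # key name assumed
        networks.append({
            "ssid": entry.get("SSID_STR"),
            "bssid": normalize_bssid(entry["BSSID"]),
            "last_joined": as_utc(entry.get("lastJoined")),
            "last_auto_joined": as_utc(entry.get("lastAutoJoined")),
            "is_wpa": bool(entry.get("isWPA", 0)),
        })
    return networks


def attributable_timestamp(net):
    """Rule from the slides: when both timestamps exist, only lastAutoJoined
    can safely be tied to this AP; a lone lastJoined is used as-is."""
    if net["last_auto_joined"] is not None:
        return "lastAutoJoined", net["last_auto_joined"]
    if net["last_joined"] is not None:
        return "lastJoined", net["last_joined"]
    return None, None


def to_local(ts_utc, offset_hours):
    """Timestamps are UTC from the phone clock; apply the offset that was in
    force for the device at that moment (DST included), not today's."""
    return ts_utc.astimezone(timezone(timedelta(hours=offset_hours)))


def build_lookup_query(net, rssi, api_key, device_id):
    """Query string in the shape of the slide's request example:
    wifi=<MAC>,<SSID>,<RSSI>, SSID percent-encoded (space -> %20)."""
    params = [("key", api_key), ("id", device_id), ("nr", 1),
              ("wifi", f"{net['bssid']},{net['ssid']},{rssi}")]
    return urlencode(params, safe=":,", quote_via=quote)


def parse_lookup_response(text):
    """Parse 'status=0;nr=1;lat=52.5006;lon=-0.18373;acc=84'; None on failure."""
    fields = dict(item.split("=", 1) for item in text.strip().split(";") if item)
    if int(fields.get("status", -1)) != 0:
        return None
    return {"nr": int(fields["nr"]), "lat": float(fields["lat"]),
            "lon": float(fields["lon"]), "acc_m": float(fields["acc"])}


if __name__ == "__main__":
    for net in parse_known_networks(SAMPLE_PLIST):
        kind, ts = attributable_timestamp(net)
        print(net["ssid"], net["bssid"], kind, to_local(ts, 3))
        print("   ", build_lookup_query(net, -51, "KEY_PLACEHOLDER", "DEVICE_ID_PLACEHOLDER"))
    print(parse_lookup_response("status=0;nr=1;lat=52.5006;lon=-0.18373;acc=84"))
```

Two things the code makes explicit that are easy to get wrong by hand: the BSSID must be zero-padded before it is compared with or sent to anything outside the phone, and a lookup answer is the AP's present location with the service's present accuracy estimate, so it should be recorded together with the lookup date rather than written next to the plist timestamp as if the two were contemporaneous.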