Geo-location data in iOS and Android services and applications: Finding, Processing and Validation
(C) Oxygen Software, 2000-2011
http://www.oxygen-forensic.com
Techno Forensics Conference, Myrtle Beach, October 31 – November 1, 2011
Oxygen Software Company
• Founded in 2000 by Oleg Fedorov, CEO and Oleg Davydov, CTO
• 11 years of PC-to-mobile communication software development
• Oxygen Forensic Suite 2011 - Smart Forensics for Smart Phones
• Strong support for Android OS, Apple iOS, Symbian OS, Windows Mobile OS, Blackberry OS
Importance of geo-location data
Linking device locations to timestamps is one of the top-priority tasks for forensic experts.
• Much more data is generated by smartphones
• iOS and Android OS have a built-in location API
• GPS, Cell (GSM/CDMA) and WiFi data can be used for geo-location
• Geo data is used by system services, standard apps and 3rd party apps
Photos with EXIF headers containing GPS data
WiFi geo location services
• Google (Google Maps, Google Latitude)
• Apple crowd-sourced database
• Blackberry WiFi Geolocation Service (officially since September 9, 2011)
• Microsoft WiFi Geolocation Service
• Navizon, Skyhook, others…
iOS - Geo-location cache
• /root/Library/Caches/locationd/consolidated.db (since iOS 4.*)
• Data not included into iTunes backups since 4.3.3
• Accessible only in jail-broken phones or decrypted DMG images
• /root/Library/Caches/locationd/lockCache_encryptedA.db (since iOS 5.0)
• Hundreds of records for every timestamp
iOS - Automating points averaging and getting maps for every timestamp
Android - data under file rights protection
• Data caging; no access to other apps' data
• /data/data/ folder is protected; need to have root rights
• Temporary rooting possible for 1.6 – 2.2, 2.3 – 2.3.2, 3.0
• Exploitation gives access to app data files, service settings, some passwords etc.
Android - location data
• Location cache : /data/data/com.google.android.location/files
• WiFi data: cache.wifi; Cell Id data: cache.cell
• Proprietary binary format; timestamps, latitudes, longitudes, accuracy
Android - WiFi and Cell data harvest
• Several records of both types can be found for the same timestamp
• Automated averaging technique can be applied
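The averaging the slides refer to for both platforms (hundreds of iOS cache records per timestamp, several Android WiFi/cell records per timestamp) can be done as an accuracy-weighted mean. The following is an added example, not Oxygen Software's code; it runs on constructed records with assumed fields (timestamp, latitude, longitude, accuracy in metres), since the real caches are in a proprietary binary format that must be decoded first. It also flags timestamps whose fixes disagree by more than their stated accuracy, which is the kind of check the later validation slides call for.

```python
import math
from collections import defaultdict

# Constructed sample fixes: (timestamp, latitude, longitude, accuracy_m).
# The real caches are a proprietary binary format and must be decoded first.
SAMPLE_RECORDS = [
    (1317000000, 52.5006, -0.18373, 84),
    (1317000000, 52.5011, -0.18300, 150),
    (1317000000, 52.5002, -0.18410, 40),
    (1317000600, 52.5100, -0.17000, 1000),
    (1317000600, 52.5302, -0.17050, 50),   # ~2.2 km from the first fix: outside its 1000 m
]


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def average_by_timestamp(records):
    """Return {timestamp: (lat, lon, combined_accuracy_m, consistent)}.

    Each fix is weighted by 1/accuracy^2, so a 40 m fix outweighs a 150 m one.
    'consistent' is False when any fix lies further from the weighted mean than
    its own accuracy plus the combined accuracy; such a timestamp needs a manual look.
    """
    groups = defaultdict(list)
    for ts, lat, lon, acc in records:
        if acc is None or acc <= 0:
            continue  # no usable accuracy: drop it rather than give it infinite weight
        groups[ts].append((lat, lon, float(acc)))
    result = {}
    for ts, fixes in groups.items():
        weights = [1.0 / acc ** 2 for _, _, acc in fixes]
        wsum = sum(weights)
        lat = sum(w * f[0] for w, f in zip(weights, fixes)) / wsum
        lon = sum(w * f[1] for w, f in zip(weights, fixes)) / wsum
        combined_acc = 1.0 / math.sqrt(wsum)
        consistent = all(haversine_m(lat, lon, f[0], f[1]) <= f[2] + combined_acc for f in fixes)
        result[ts] = (round(lat, 6), round(lon, 6), round(combined_acc, 1), consistent)
    return result
```

Running `average_by_timestamp(SAMPLE_RECORDS)` yields one averaged point per timestamp; the second timestamp comes back flagged as inconsistent because its two fixes cannot both be right.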
Location-aware applications
• Navigation
• Social networks
• Weather
• Travel services
• Banking apps
Foursquare
• Social network, the most popular of its kind (Gowalla and others); created in 2009
• Lets you inform your friends where you are at the moment, make comments and leave tips about visited venues
• More than 10 million users worldwide; more than 3 million check-ins every day
• Mobile versions, SMS
• Check-ins, friends, photos, mayors, badges
• Discounts from brands and venue hosts
• Generates a lot of data in the application cache
iOS - Foursquare
• SQLite database
• Contacts (Owner, friends and others)
• Check-ins
• Top places
• Shouts
• Tips
• Venues
iOS - Foursquare
• User activity
• Friends, interests
• User locations at specific times
Android - Foursquare
• /data/data/com.joelapenna.foursquared
• JSON-formatted files
• Geo-locations, timestamps etc.
Common obstacles
• Need to have phone’s image in most cases
• Data protection, encryption
• Different versions of the same app have different feature set
• Dozens of geo-aware apps
iOS - Wi-Fi Access Points connections history
When we don’t have anything else…
One of the last possibilities to get geo-location data is to look into the file storing all Wi-Fi access points this device has ever been connected to: /mobile/Library/Preferences/com.apple.wifi.plist
This file is a text plist file and can be read from any iPhone/iPod Touch/iPad regardless of its jailbreak state (backup / raw image / file system reading).
iOS WiFi Access Points connections history
• Entries in the file are created automatically when the device owner connects to any Wi-Fi network; the device can “forget” a network only while that network is in sight; there is no way to view or edit the list of points manually from the phone
• No expiration period for the points: data is stored “forever”
Forensically important fields
• SSID_STR (Beeline_WiFi_FREE) - text name of an AP
• BSSID (0:19:e1:2:dc:c0) - MAC address of the AP hardware
• lastJoined (13.04.2010 6:53:15) - last connection time with the auto-connect option set off (since iOS 3.1)
• lastAutoJoined (10.03.2011 14:05:22) - last connection time with the auto-connect option set on (since iOS 3.1)
• isWPA (0) - if the AP provides password-protected access
From Access Point to geo-coordinates
• MAC addresses from the list can be used in geo location procedures
• Oxygen Forensic Suite 2011 uses Google service for coordinates acquisition (https://www.google.com/loc/json)
• Other free and commercial services (e.g., www.location-api.com)
• Request example: http://www.locationapi.com/cps/?key=********************&id=35780303xxx47334&nr=1&wifi=00:11:50:e8:6a:63,Flat%20One,-51
• Response example: status=0;nr=1;lat=52.5006;lon=-0.18373;acc=84
From Access Point to geo-coordinates
Access Points types (1)
• home / private / standalone access points
Access Points types (2)
• countrywide / worldwide networks
Access Points types (3)
• mobile access points
Access Points types (4)
• ad-hoc access points
Can we trust all these coordinates?
• AP location accuracy can be (a little) worse than stated by Google
• Coordinates are usually correct for home/private and network APs
• The challenge is to identify the type of the point
Timestamp verification
• Timestamps are made according to the phone's internal clock and do not use mobile network information
• Timestamps are stored in UTC; you need to add the current time zone offset to get local times
• For iOS WiFi Access Points: if both “last joined time” and “last auto joined time” are stored for an AP, only the “last auto joined time” timestamp can be safely associated with the point (unless you are sure that both timestamps can be linked to this particular point)
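Reading the forensically important fields out of com.apple.wifi.plist and applying the timestamp rule from the Timestamp verification slide, as an added example that is not Oxygen Software's code. It assumes the networks sit under a top-level key named "List of known networks" and works on a constructed plist; the per-AP field names and sample values are the ones the slides show, and the time zone offset is whatever the examiner supplies.

```python
import plistlib
from datetime import timedelta, timezone

# Constructed sample in the shape of com.apple.wifi.plist. The top-level key
# "List of known networks" is an assumption; the per-AP keys are the ones the
# slides list. Plist <date> values are UTC, as the slides state for timestamps.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>List of known networks</key><array>
<dict><key>SSID_STR</key><string>Beeline_WiFi_FREE</string>
<key>BSSID</key><string>0:19:e1:2:dc:c0</string>
<key>lastJoined</key><date>2010-04-13T06:53:15Z</date>
<key>lastAutoJoined</key><date>2011-03-10T14:05:22Z</date>
<key>isWPA</key><integer>0</integer></dict>
<dict><key>SSID_STR</key><string>HomeNet</string>
<key>BSSID</key><string>0:1a:2b:3c:4d:5e</string>
<key>lastJoined</key><date>2011-09-30T20:15:00Z</date>
<key>isWPA</key><integer>1</integer></dict>
</array></dict></plist>"""


def normalize_bssid(bssid):
    """Zero-pad the octets iOS writes without leading zeros (0:19:e1:2:dc:c0)."""
    return ":".join(part.zfill(2).lower() for part in bssid.split(":"))


def known_networks(plist_bytes, tz_offset_hours=0):
    """Return one dict per AP with the single timestamp that can be safely linked to it."""
    tz = timezone(timedelta(hours=tz_offset_hours))
    data = plistlib.loads(plist_bytes)
    out = []
    for ap in data.get("List of known networks", []):
        joined = ap.get("lastJoined")        # naive datetime, UTC
        auto = ap.get("lastAutoJoined")
        # Slide rule: when both are present only lastAutoJoined belongs to this AP for sure.
        chosen = auto if auto is not None else joined
        local = chosen.replace(tzinfo=timezone.utc).astimezone(tz) if chosen else None
        out.append({
            "ssid": ap.get("SSID_STR"),
            "bssid": normalize_bssid(ap["BSSID"]),
            "is_wpa": bool(ap.get("isWPA", 0)),
            "source": "lastAutoJoined" if auto is not None else "lastJoined",
            "local_time": local.isoformat() if local else None,
        })
    return out
```

The normalized BSSID is the value to hand to a WiFi geolocation service; the `source` field records which timestamp was relied on so the choice is traceable in the report.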
Location verification
• Geo coordinates in the phone are not necessarily taken straight from the GPS receiver
• GPS, WiFi and GSM/CDMA data are used together to get coordinates; there is no way to determine the data sources and algorithm used
• Google accuracy estimates are in question (as are those of other services)
• WiFi locations are given for today, not for any date in the past
• User can intentionally create false data (fake check-ins)
Anti-forensics for jailbroken/rooted devices
• 5% of all iPhone devices are jailbroken; more Android devices are rooted
• In most cases the phone must be rooted/jailbroken to install any spyware or malware products
• In these phones the whole file system is accessible to the user
• Any user files can be erased from the phone, edited or substituted by a modified version of the file
• iOS - the files can be modified in the backup and restored back to the phone (need to calculate a new hash)
• There are a number of tricks to create fake evidence (e.g. you can always use an AP with a deliberately selected name to overwrite the initial information about the original point with the same name)
Resume
• Geo-locations are of doubtful value as evidence in court
• They must be used as a starting point for field investigations