Location Tracking Forensics on Mobile Devices

Stefan Sack, Knut Kröger and Reiner Creutzburg
University of Applied Sciences Brandenburg, Fachbereich Informatik und Medien, P.O.B. 2132, D-14737 Brandenburg, Germany

ABSTRACT

The spread of navigation devices has increased significantly over the last 10 years. With the current development of ever smaller receiver units it is possible to navigate with almost any current smartphone. Modern navigation systems are no longer limited to satellite navigation but use current techniques such as WLAN localization. Due to the increased use of navigation devices their relevance to forensic investigations has risen rapidly. Because navigation, for example with dedicated navigation equipment and smartphones, has become commonplace, the amount of saved navigation data has also risen rapidly. All of these developments make a forensic analysis of these devices necessary. However, there are very few current procedures for investigating navigation devices. Navigation data is forensically interesting because from the position of the device the location and the traveled path of the owner can in most cases be reconstructed. In this work practices for the forensic analysis of navigation devices are developed. Different devices are analyzed and an attempt is made, by means of forensic procedures, to restore the traveled path of the mobile device. For the analysis of the various devices different software and hardware is used. Common procedures for securing and examining mobile devices are presented, followed by the specifics of the investigation of each device. The device classes considered are GPS handhelds, mobile navigation devices and smartphones. Wherever possible, an attempt is made to read all data of the device. The aim is to restore complete histories of the navigation data and to study and analyze these data forensically.

This is realized by using current forensic software, e.g. TomTology or Oxygen Forensic Suite. Free software is used whenever possible. Further alternative methods (e.g. rooting) are used to access locked data of the unit. To limit the practical work the data extraction focuses on a frequently used device from each class, as the procedure for many groups of devices is similar. In the present work a Garmin Dakota 10, a TomTom GO 700, an iPhone 4 (iOS) and a Samsung Galaxy S Plus (Android) are used because they have a wide circulation.

Keywords: Location, Tracking, Forensics, Mobile, TomTom, Garmin, iPhone, Android

1. INTRODUCTION

At the beginning of this work it should be clarified how a position is defined exactly and how it can be identified with certainty. A position is determined by locating. If the locating process uses radio technology, it is a radio location. The result of every location should be an indication of the coordinates of the current place. These position coordinates are usually defined by three features:
• longitude
• latitude
• height

Within the last few years, the range of technologies and devices for locating has changed radically. Five years ago, GPS was the only way to obtain a position. Nowadays there are various ways to determine the actual position. This process was notably influenced by the massively increased usage of smartphones and their additional technologies for locating. Current techniques for locating are GPS, WLAN and GSM location. All these different methods result in a position with the required properties.

IT forensics should also be briefly explained at the beginning: "IT forensics is the strict and methodical analysis of data on disks and in computer networks to elucidate incidents, including the possibilities of strategic preparation, in particular from the perspective of the operator of an IT system."1 Regarding timing, IT forensics can be divided into post-mortem analysis and live analysis. A forensic investigation can generally be divided into incident handling and incident response (see also the discussion in Freiling et al.2). This incident handling is a working part of emergency management. The post-mortem analysis is a method of investigation in which the incident is cleared up afterwards. This method is called off-line forensics because the investigation takes place mainly on disk images. The analysis is therefore limited to the non-volatile traces of an incident within a limited period. This kind of forensic analysis mainly deals with the investigation and recovery of deleted, renamed or otherwise encrypted and hidden data on mass storage. The live analysis deals with data that is available at the run time of the incident. It primarily attempts to examine and secure volatile data. The main contents of these methods, also known as online forensics, are information about running processes and existing network connections, and the contents of main memory. In the practical part of this work, the post-mortem analysis is used, as navigation devices, due to their generally small memory, store all position data. Only in the area of smartphones is a live analysis necessary, because the current position of the device is found in the volatile cache.

Further author information: (Send correspondence to R.C.) S.S.: E-mail: [email protected], K.K.: E-mail: [email protected], R.C.: E-mail: [email protected], Telephone: +49 (0)3 38 13 55 0

2. PROCEDURES

For the storage and analysis of digital traces a generally accepted and traceable procedure has to be used. This is necessary for the later use of these data as evidence in court. In this section some recognized procedures are presented. These are also referred to as process models or guidelines, but they offer only a rough framework on which one's own actions can be modeled. In the literature quite a few procedural models for forensic analysis are available, but only a few are suitable for the preservation of data on mobile devices. The following two distinct process models are suitable: the Investigative Process of Casey3 and the common model of Freiling.2 Subsequently the procedural model Guide for mobile phone seizure & examination of the ACPO4 will be discussed, since this approach provides techniques for the forensics of mobile devices. It can already be stated at the outset that there is no universal process model, but that it is necessary to be guided by these models.

Figure 1. Investigative process by Casey

A general process model for digital investigations is the investigative process of Casey.3 This model contains the tasks of the forensic experts as well as classic police duties. The investigative process can be regarded as the standard in European countries. Figure 1 shows the investigative process. It is divided into eleven stages, which are shown as a staircase, as the individual phases are processed in succession. This process model encompasses everything from the alert to presenting the facts before the court. The individual steps are explained below. The method focuses on a correct approach to the evidence as well as precise documentation of the securing of the evidence and of the methodology used.

• Stage 1: Incident Alerts or Accusation. The accusation is the beginning of the process. Here it is first assessed what resources are available and what the scope of the entire incident is.
• Stage 2: Assessment of Worth. Here the interest of the prosecution is weighed against the costs incurred during a pursuit. Reasons for pursuing incidents are, for example, improving one's own security and lowering the chance of damages. Reasons not to pursue are high resource consumption, possible downtime of the systems during the investigation and a negative impact on the public. For these reasons, minor incidents are usually not pursued.
• Stage 3: Incident/Crime Scene Protocols. Conventional crime scene forensics provides for a wide-ranging securing of the crime scene. Securing digital traces should be realized by maintaining the current state, the so-called freezing. How this is realized for different pieces of evidence must be decided in each individual case, but it is important to minimize the risk of distorting the evidence as far as possible.
• Stage 4: Identification or Seizure. In this step all objects usable as evidence are secured, but it must be noted here that no changes may be made to the evidence. The surroundings of the evidence may be relevant and should be documented. With the seizure begins the chain of custody, which means that all measures carried out must be traceable.
• Stage 5: Preservation. All evidence is photographed, packaged, documented and then locked up. Here too, a change to the evidence must be avoided. In the field of digital evidence, copies of the evidence should be created first, on which further work can then be continued. The authenticity of these copies (images) can be ensured with the help of hash algorithms. To create these copies only software that works in a forensically correct manner should be used.
• Stage 6: Recovery. In the recovery phase an attempt is made to recover deleted, hidden, disguised or otherwise inaccessible data. It is useful to examine other evidence, for example to use any written-down passwords to decrypt the data.
• Stage 7: Harvesting. Harvesting is usually the overview of very large data sets. The examination should first be performed on metadata, to achieve a grouping of the data. An ordering of the data according to modification date, size or file type is possible. Harvesting is preliminary work for the reduction.
• Stage 8: Reduction. The reduction is used to remove unnecessary data. Here, work can still be done on the metadata, and the sortings prepared in phase 7 can be used for data reduction. The aim of the reduction is to create the smallest possible amount of data with the highest probability of containing evidence. One possibility would be a reduction to all text files if such a case is suspected.
• Stage 9: Organization and Search. After the reduction, the data is structured and organized. For this purpose, indexes are created and the files are separated into groups.
• Stage 10: Analysis. The analysis phase is used to analyze the contents of the collected files and to establish connections between these data and persons. In the analysis phase, the development of new methods for analyzing the data is quite usual; however, a forensic procedure must always be followed, which means that scientific methods must always be used and traceability must be guaranteed. As a result, all files are rated by means, motive and opportunity.
• Stage 11: Reporting. The report contains, in addition to the presentation of the results, the procedures and methods performed to achieve these results. Alternative interpretations are also identified and all documented results must be justified.
• Stage 12: Persuasion and Testimony. The last phase is the testimony of the collected results in court. Here, a presentation suited to the audience is important to strengthen the credibility of the witnesses.

In summary, it should be noted that the different procedures are a very good framework to investigate, but they offer no concrete indications for the analysis of specific devices. Therefore special procedures have been developed for the analysis of single GPS device groups.

3. SPECIFICS FOR THE ANALYSIS OF MOBILE NAVIGATION DEVICES

On the basis of the few cases in which position data from mobile devices has been used as evidence, it is apparent that the use of these data, compared to other available evidence such as computer forensics, is really quite low. Given the annual increase in sales of portable navigation devices, it is astonishing that their potential for forensic analysis is so often not used. There are different reasons why mobile navigation systems have found little attention in forensic investigations:

• The lack of a proper forensic procedure. First and foremost, there is no real forensic procedure for backing up the data of a mobile navigation device, analyzing this data and using the collected results.
• Uncertainty of evidence. A mobile navigation device is not a reliable source of evidence. The problem is that not all position data is stored by the mobile navigation device, even if it is used for navigation to a specific destination. The amount of position data to be found on a mobile navigation device depends on the operating mode selected while using the device. Depending on the mode of operation, only positional data is stored on the device, or partial or full routes with turn instructions.5 It is also possible that a mobile navigation device was at a place without recording the details, because there were problems receiving position data.6
• Too many different devices. It is almost impossible to always be at the cutting edge of available devices, as the manufacturers release several new models per year. Because of new device functionality an immense quantity of devices has emerged, which is constantly growing in this fast-moving market.
• Too little information when using non-invasive methods. Navigation data is located, depending on the device used, on different components such as the internal flash memory, the internal hard drive or the external SD card. In the analysis of these devices, however, only the SD card can be analyzed with non-invasive methods. The internal drives can be analyzed only by opening the unit and removing the drives. There is also the possibility to turn the device on and read the data without opening the device. When the device is switched on and the drivers are installed, forensically interesting data may be changed. For these reasons only a limited amount of data can be extracted with non-invasive methods, and some data is partially changed.
• Too many proprietary technologies. Although the underlying hardware of mobile navigation devices is often similar (for example the processors used), different manufacturers use different operating systems, different file systems and especially different proprietary methods to encrypt data. Even devices of the same manufacturer can use different encryption methods. It is therefore important to understand the specific file formats and encryption methods in order to perform an adequate forensic analysis and to develop forensic programs.5 For many devices the encryption methods used are not public, which means that the information collected about the encryption was exposed by reverse engineering and not by manufacturer publications. These reasons make the development of a single forensic program to collect the location data on mobile devices impossible.
• Insufficient forensic programs. Despite the widespread use of mobile devices for navigation, there are only a limited number of programs for automatic forensic imaging of the devices. There are forensic programs to analyze some devices entirely, such as TomTom, Garmin, iPhone and Android devices. However, in order to analyze all the data a manual analysis of the position data is often required. If manual processing is necessary, it is important not to change the data, as otherwise it is not reliable in criminal proceedings.

In the following, procedures are developed for the forensic analysis of positional data on mobile devices, with a focus on the IT forensics as presented by the BSI.1

4. ANALYSIS OF THE DIFFERENT DEVICES

In the following chapter practical examples for the analysis of the different classes of mobile navigation devices are presented. For each device an analysis is performed to extract the target position data. At the end of each device group an approach for analysis is developed.

GPS handhelds are handy GPS devices for positioning. Equipment in this category consists of a GPS receiver, a display, an internal memory and an optional SD card. A forensic examination of these devices is usually very easy, since the internal memory usually uses a known file format and all position data is stored in popular file formats on it. A typical GPS handheld stores the position data and maps in its internal memory. Additional maps are stored on an optional SD card. The device used in this work is the handheld GPS Garmin Dakota 10. This unit has a compact design and can be powered with batteries. It has an internal memory of 850 MB which can be accessed through a USB cable. Special device drivers are not required, since the device is presented as a drive on the computer.

4.1 GPS handhelds

As mentioned before, GPS handhelds are suitable for navigation and location recording in the field of leisure (e.g. hiking or boating). They offer functionalities such as positioning or recording the track traveled. Furthermore, navigation to a position is possible, although buildings are not taken into account. Navigation with these devices is similar to using a compass. Depending on the model and manufacturer, the data on the device provides information about:
• position data
• device information
• photos
• user information

GPS handhelds offer easy access to the stored data. In most cases a USB connection to the PC is sufficient to access the device as a volume. In the next section 4.2 the device is seized following a forensic procedure, and then the resulting data is analyzed. In section 4.2.3 a general process model for the analysis of GPS handhelds is presented.

4.2 Garmin Dakota 10

The Garmin Dakota 10 is a beginner's unit in the field of GPS handhelds. However, it provides all the features expected from such a device. The device has a high-sensitivity GPS receiver for navigation and, thanks to its compact design and low weight (191 g), is very handy. It is controlled via a 2.6-inch touchscreen display with a simple menu. It has an internal memory of 850 MB and can be powered by batteries, so it can be used regardless of the availability of a power connection. Access to the device can simply be obtained via a USB interface.

4.2.1 Create System Image

To create a system image, the Garmin Dakota is connected via USB to a computer on which the forensic DEFT Linux distribution is installed. DEFT provides image creation with the dd command, which creates an exact (bit-by-bit) image of the disk of the Garmin Dakota 10. The command is:

dd if=/dev/sda of=/media/STICK/explorer.dd

The contents of the GPS handheld are copied bit by bit into the file explorer.dd on an external USB drive. After a successful backup of the image file and generation of the matching hash value, the backup is complete. The hash value of the original and of the copy should be the same when reviewed. This so-called checksum can be calculated with the command:

md5deep /dev/sda

4.2.2 Analysis

The analysis of the image begins with the extraction of the data. The image can be opened with a forensic program such as EnCase. For the forensics of positional data the contained folder GPX is interesting, because it contains all recorded position data. For a general overview of the device in use, the file system.xml provides important information: the model used and the software version. Furthermore, information on the installed maps and their versions is included. Using this information a clear identification of the GPS handheld is possible and the further investigation can be adjusted to the device.

The position data is located in the folder GPX. All stored tracks (distance traveled) are saved there under file names of the form track .gpx. The GPX folder also contains a folder current, containing a file Current.gpx in which the last track is stored. These *.gpx files are stored in XML format and the included location data can be opened by most programs for the visualization of positional data (e.g. GPSBabel). For visualizing the data the map service Google Maps was chosen; uploading the GPX file to the service is very easy. The visualization of the distance traveled (see Figure 2) provides only a preliminary overview and no information about the waypoints. The file actually used contains 32 waypoints from which start and end time and the distance traveled can be reconstructed. These waypoints are defined by a time stamp, latitude, longitude and altitude. Using the individual waypoints, an accurate motion profile can be created.

The information stored for a point comprises three values:
• latitude and longitude
• the geographical elevation of the point (4.94 in the example)
• date and time in Coordinated Universal Time (UTC)
More information than this cannot be extracted from the present device.
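The reconstruction described above (start and end time, distance traveled and the last recorded position, all derived from the lat/lon, elevation and UTC time stamp of each GPX track point) can be done with the Python standard library alone. The following is an added example, not code from the paper or from Garmin; the GPX document it parses is a constructed sample in the GPX 1.1 layout, the coordinates are invented, and the haversine distance uses a mean Earth radius of 6371 km as an assumption.

```python
import math
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample (not data from the paper's device) in the GPX 1.1 layout
# the paper describes: each track point carries latitude and longitude as
# attributes plus an elevation and a UTC time stamp as child elements.
SAMPLE_GPX = """<?xml version="1.0" encoding="UTF-8"?>
<gpx version="1.1" creator="constructed sample"
     xmlns="http://www.topografix.com/GPX/1/1">
  <trk><name>sample track</name><trkseg>
    <trkpt lat="52.4100" lon="12.5300"><ele>4.94</ele><time>2013-01-01T10:00:00Z</time></trkpt>
    <trkpt lat="52.4150" lon="12.5400"><ele>6.10</ele><time>2013-01-01T10:05:00Z</time></trkpt>
    <trkpt lat="52.4200" lon="12.5500"><ele>7.30</ele><time>2013-01-01T10:12:00Z</time></trkpt>
  </trkseg></trk>
</gpx>
"""

GPX_NS = {"gpx": "http://www.topografix.com/GPX/1/1"}
EARTH_RADIUS_M = 6371000.0  # assumed mean Earth radius for the haversine formula


def _parse_utc(text):
    # GPX time stamps are ISO 8601 in UTC, e.g. 2013-01-01T10:00:00Z
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_track_points(gpx_text):
    """Return the track points of a GPX document as a list of dicts.

    Points without a <time> element are kept (with time=None) so that the
    waypoint count still matches the file; they are skipped only where a
    time stamp is required.
    """
    root = ET.fromstring(gpx_text)
    points = []
    for trkpt in root.iterfind(".//gpx:trkpt", GPX_NS):
        ele = trkpt.find("gpx:ele", GPX_NS)
        ts = trkpt.find("gpx:time", GPX_NS)
        points.append({
            "lat": float(trkpt.get("lat")),
            "lon": float(trkpt.get("lon")),
            "ele": float(ele.text) if ele is not None else None,
            "time": _parse_utc(ts.text) if ts is not None else None,
        })
    return points


def haversine_m(p, q):
    """Great-circle distance in metres between two points (lat/lon in degrees)."""
    lat1, lat2 = math.radians(p["lat"]), math.radians(q["lat"])
    dlat = lat2 - lat1
    dlon = math.radians(q["lon"] - p["lon"])
    a = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def summarize_track(points):
    """Reconstruct start time, end time, duration and distance from the waypoints."""
    timed = sorted((p for p in points if p["time"] is not None), key=lambda p: p["time"])
    # distance is summed in file order, i.e. the order the device wrote the points
    distance = sum(haversine_m(points[i - 1], points[i]) for i in range(1, len(points)))
    start = timed[0]["time"] if timed else None
    end = timed[-1]["time"] if timed else None
    return {
        "waypoints": len(points),
        "start": start,
        "end": end,
        "duration_s": int((end - start).total_seconds()) if timed else None,
        "distance_m": round(distance, 1),
    }


def latest_position(points):
    """The point with the most recent time stamp: the last position the device recorded."""
    timed = [p for p in points if p["time"] is not None]
    return max(timed, key=lambda p: p["time"]) if timed else None


if __name__ == "__main__":
    pts = parse_track_points(SAMPLE_GPX)
    print(summarize_track(pts))
    print(latest_position(pts))
```

Running the script against a real Current.gpx or track file from an image only requires reading that file's text into parse_track_points; the same latest_position logic applies to any timestamped location record, which is the reasoning used later for the smartphone caches.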

Figure 2. Extracted track

4.2.3 Procedure

Figure 3 shows a procedure which serves as a general guide for the forensic analysis of GPS handhelds. It specifies the general way of analyzing. This may differ for special equipment, but it is usable for most of the equipment on the market. The forensic analysis of the data in the last step can also be performed using TomTology2, because this software now supports devices from multiple manufacturers.

Figure 3. How to analyze a GPS handheld

4.3 Mobile navigation device

Compared to the handhelds, mobile navigation devices offer route guidance via roads. Furthermore it is possible to couple these devices to a mobile phone, so that the mobile navigation device is used as a speakerphone. The structure of such a device is comparable to a handheld, but portable navigation devices usually have a fixed internal battery. Also, the operating systems used are mostly proprietary, which makes access to the system difficult. For reading these devices special drivers are necessary, which precludes the use of a write blocker. However, it is possible to partially analyze an SD card externally. On the device itself there are mostly positional data and information about the user as well as data of devices coupled with the mobile navigation system. The main part of the memory consists of the map material, which provides information about the region in which the mobile navigation device is used.

4.4 TomTom Go 700

The unit used in this paper is the mobile navigation device TomTom Go 700. It possesses a built-in memory of 2.44 GB, which is accessible with a USB cable.

4.4.1 Create system image

Depending on the TomTom model used, different approaches to creating a system image are needed. If the navigation system has an SD card slot, some preparation is needed before creating the image. These devices use two ways to connect to the PC.
• Without an inserted SD card: The unit enters UPDATE mode and looks on the computer for the TomTom Home software to start an Internet update of the user data. If this software is not found, it will try to install the software, which is available as an installation package on the device. After that, the PC recognizes the navigation device and installs the latest drivers. During this process, data on the navigation device is updated and therefore changed.
• With an inserted SD card: The unit switches to USB peripheral mode and is recognized by the computer, after which only the drivers for the USB connection are installed. No files are changed and the device does not look for the TomTom Home software. It only provides the SD card as a drive on the computer.

Using this information, the following approach for creating system images of devices with an SD card slot must be followed. The inserted SD card should be removed and examined separately. An empty forensic SD card should be inserted into the device, the device should be connected to the computer with a USB cable and then turned on. The blank SD card should now be available as a drive on the computer. After that, power off the unit and remove the SD card. If the device is turned on without an SD card, the internal memory is also provided as a physical drive on the PC and an image can be created.7

To create a system image, the TomTom Go 700 is connected via USB to a computer on which the forensic DEFT Linux distribution is installed. DEFT provides image creation with the dd command, which creates an exact (bit-by-bit) image of the disk of the TomTom Go 700. The command is:

dd if=/dev/sdc of=/media/STICK/tomtom.dd

The contents of the mobile navigation device are copied bit by bit into the file tomtom.dd on an external USB drive. After a successful backup of the image file and generation of the matching hash value, the backup is complete. The hash value of the original and of the copy should be the same when reviewed. This so-called checksum can be calculated with the command:

md5deep /dev/sdc

4.4.2 Analysis

The analysis of the memory image begins with the extraction of the data. The image can be opened with a forensic program such as EnCase. The following are all forensically interesting data present on the system:

• *.cfg - Contains position data; the file name depends on the model and the file is found in the folder of the map installed on the device. The filename is either Mapsettings.cfg or .cfg. However, it is possible that multiple maps are installed on the device. To determine the currently used map the file currentmap.dat is used.
• ttgo.bif or ttnavigator.bif - device information, model and serial number and user data

The position data in the *.cfg contains information about the home address, the favorites and navigation destinations. This machine-readable file also contains the last known GPS location of the device. This position, which is the starting point of the last route, is stored in the penultimate line of this file and provides information about the last whereabouts. The active route is continuously recalculated at each new GPS signal. Thus, the last starting point of a route is a very reliable guide to the last location of the device. All this information can be read using software like TomTology2, which can read various navigation systems. The result of the analysis of the files extracted from the image of the TomTom Go 700 was one home address and one address in the favorites. Furthermore, 24 routes and 32 last entered destinations were found. The final position of the device could also be determined by the software. Data about a possibly connected telephone was not found, and the empty files show that the TomTom was not used in conjunction with a telephone. All this information can be documented by the software, which also provides an export function. Although it is possible to read all of this information from the files individually, this is very complicated and requires precise knowledge of the order of the stored items in the file. For a simple illustration of the navigation destinations the *.cfg file can be opened in a POI editor such as PoiEdit. The results obtained are shown in Figure 4. This software is only intended to provide an overview and does not offer the desired properties such as forensic documentation or user details. The procedure developed is similar to the one for GPS handhelds shown in Figure 3.
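The imaging and verification steps of sections 4.2.1 and 4.4.1 (dd copy, hash of the original, hash of the image, comparison of the two) can be wrapped in a small script so that the digests are recorded next to the image and the check can be repeated later in the chain of custody. This is an added example and not part of the paper's procedure or of the DEFT distribution; it substitutes sha256sum from GNU coreutils for the paper's md5deep, and the device paths in the usage comment are placeholders taken from the text.

```sh
#!/bin/sh
# Added example, not the paper's own tooling: image a source (a block device
# such as /dev/sda, or a regular file for testing) with dd, hash both the
# source and the image, and report whether they match. The paper uses
# md5deep; this script assumes sha256sum from GNU coreutils instead.

hash_of() {
    # print only the hex digest of the given path
    sha256sum "$1" | cut -d ' ' -f 1
}

image_and_verify() {
    # $1 = source (device or file), $2 = image path to create
    src=$1
    img=$2
    # Plain bit-for-bit copy. conv=noerror,sync is deliberately not used:
    # it pads unreadable or short blocks, so the image hash would no longer
    # match the source hash and the check below could not be used as-is.
    dd if="$src" of="$img" bs=1048576 2>"$img.dd.log" || return 1
    src_hash=$(hash_of "$src") || return 1
    img_hash=$(hash_of "$img") || return 1
    # record both digests beside the image for the chain of custody;
    # the first line is the source digest, the second the image digest
    {
        printf '%s  %s\n' "$src_hash" "$src"
        printf '%s  %s\n' "$img_hash" "$img"
    } > "$img.sha256"
    [ "$src_hash" = "$img_hash" ]
}

verify_image() {
    # re-check an existing image against the source digest recorded earlier;
    # returns non-zero if the image has been altered since it was taken
    img=$1
    recorded=$(head -n 1 "$img.sha256" | cut -d ' ' -f 1)
    [ "$(hash_of "$img")" = "$recorded" ]
}

# usage (device names as in the paper's examples):
#   image_and_verify /dev/sda /media/STICK/explorer.dd && echo "image verified"
#   verify_image /media/STICK/explorer.dd || echo "image no longer matches"
```

The source is read twice (once by dd, once by sha256sum); for a device behind a write blocker that is harmless, and it keeps the script portable. On damaged media where conv=noerror,sync is unavoidable, the examiner should instead hash the image alone and document the read errors from the dd log, since a direct comparison with the source is no longer meaningful.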

Figure 4. TomTom POIEdit

4.5 Smartphone

Smartphones today also offer many opportunities to benefit from location services. Depending on the hardware used in smartphones, different forensic investigations are needed to obtain the desired position data. Some smartphones include, next to the built-in memory, a microSD card; however, the external cards did not offer any forensically interesting data. This microSD card can be analyzed externally, if it exists. On a smartphone, position data is located next to other personal information of the user, which makes an investigation of smartphones, because of the many different kinds of data, of particular forensic interest. It is, however, much more difficult to get at the data of a smartphone. Different operating systems such as Google Android, Apple iOS and Microsoft Windows Phone secure the device data in different ways. The many different systems and their versions pose a major problem in the analysis: in order to get to the data of the system, an intrusion into the operating system is needed, which means a change to the system is required. This procedure is normally not a forensic goal; however, methods have been developed that are considered forensically defensible, since they change only files of the operating system and leave the user data unchanged. In this work, an Apple iPhone 4 with 8 GB internal memory was used, equipped with the operating system iOS 6.0.1. For the investigation of Android smartphones a Samsung Galaxy S Plus with 8 GB internal memory and an 8 GB microSD card was used. The operating system of this smartphone is Android version 4.1.2.

4.6 iPhone 4

The Apple iPhone 4 used here offers both the possibility of use as a smartphone and as a navigation system. All operations are controlled via a 3.5-inch touchscreen display with a simple menu. It has an internal memory of 8 GB and, thanks to the integrated battery, can be operated for several hours without a power source. To connect the smartphone to the computer a special iPhone cable must be used. It is also necessary to install the driver for the iPhone on the connected computer, otherwise the smartphone cannot be accessed. The drivers are built into the software Apple iTunes. After installing the software the following setting should be selected: prevent automatic synchronization of iPods, iPhones and iPads. A review of the location services settings should also be done. After this preparation, the smartphone should be properly recognized and the forensic investigation can be started. The changes made in the smartphone to enable access by the computer do not cause any changes to the user data on the smartphone and are legitimate. However, the intervention in the smartphone should be documented exactly, using a video, to demonstrate the procedure later and so support the forensic analysis.

4.6.1 Logical analysis

The first step is a logical analysis, in which the stored contents are collected with the help of a forensic application on the smartphone. The smartphone was analyzed with the Oxygen Forensic Suite 2013. The necessary preparations for connecting the device to the computer must be completed. After connecting the smartphone to the computer via USB, the Oxygen Forensic Suite can be started. For a successful read the smartphone should be addressed as follows: Connect New Device→Connect via Cable. After that a successful connection exists and the correct name of the smartphone should be displayed. In the following menu, case information can be entered, and the hash algorithm and the data to be extracted can be selected. The analysis is done without changes to the smartphone and is thus legitimate from a forensic point of view. Whether the smartphone offers complete access to the file system (jailbroken; similar to root access on Android smartphones) is not indicated. After a successful read, the software provides a good overview of the collected data. Information about the smartphone (manufacturer, IMEI, iOS version, etc.) could be collected, all directory entries were extracted, all SMS could be read and a complete list of calls (event log) was produced. Furthermore, there is the possibility to store this information in a concise report. The desired position data can be found under the menu item Web connections and location services. From the present iPhone 508 location-related records could be read out. These comprise 121 localizations through the radio cell and 101 localizations through wireless networks. Furthermore, data for Apple's own location database was collected: 24 localizations for the radio cell, 6 cell radio measurements without localization and 476 WLAN measurements. By the time stamp of each record it is possible to trace the history of the device. The position with the most recent time stamp is therefore also the last position that the device has processed. The presentation in the Oxygen Forensic Suite also provides an output via Google Maps, so it is possible to determine the course or individual positions of the device. The last position of the investigated iPhone is shown in Figure 5.

4.6.2 Technical analysis

It is possible to gain full access to the device by using a so-called jailbreak. After that process the data on the device is altered and the integrity of the device is no longer given. The forensically interesting files are found in the folder /private/var/root/Library/Caches/locationd. This folder also contains the file cache_encryptedA.db, in which the data previously extracted using the program Oxygen Forensic Suite is stored in text form.

Figure 5. Extracted last known position of the iPhone
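The timeline reasoning in 4.6.1 (order the records by timestamp; the newest one is the last position the device processed) and the locationd cache named in 4.6.2 can be reproduced with a small script. The following Python example is added here and is not part of the paper or of the Oxygen Forensic Suite. It builds an in-memory SQLite database whose CellLocation and WifiLocation tables are an assumed approximation of the locationd cache layout (the real schema of cache_encryptedA.db varies between iOS versions and must be confirmed on the evidence copy), fills it with constructed sample fixes, converts the Apple timestamps (seconds since 2001-01-01 UTC) to UTC, and reports the chronological history, the count per localization source and the last known position.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Apple stores many timestamps as "Mac absolute time":
# seconds since 2001-01-01 00:00:00 UTC, not since the Unix epoch.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def mac_absolute_to_utc(seconds):
    """Convert a Mac absolute timestamp to an aware UTC datetime."""
    return MAC_EPOCH + timedelta(seconds=seconds)


# ASSUMED schema: an approximation of the locationd cache tables, used here
# only so the example runs offline. Check the real table layout on the evidence.
SCHEMA = """
CREATE TABLE CellLocation (MCC INT, MNC INT, LAC INT, CI INT, Timestamp REAL,
    Latitude REAL, Longitude REAL, HorizontalAccuracy REAL);
CREATE TABLE WifiLocation (MAC TEXT, Timestamp REAL,
    Latitude REAL, Longitude REAL, HorizontalAccuracy REAL);
"""

# Constructed sample fixes (not real measurements from any device).
CELL_ROWS = [
    (262, 1, 1234, 5678, 388000000.0, 52.4125, 12.5316, 1500.0),
    (262, 1, 1234, 5679, 388003600.0, 52.5200, 13.4050, 1200.0),
]
WIFI_ROWS = [
    ("00:11:22:33:44:55", 388001800.0, 52.4130, 12.5320, 65.0),
    ("66:77:88:99:aa:bb", 388007200.0, 52.5170, 13.3889, 40.0),
    ("cc:dd:ee:ff:00:11", 387990000.0, 52.4000, 12.5000, 80.0),
]


def build_sample_db():
    """Create the in-memory stand-in for cache_encryptedA.db."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO CellLocation VALUES (?,?,?,?,?,?,?,?)", CELL_ROWS)
    conn.executemany("INSERT INTO WifiLocation VALUES (?,?,?,?,?)", WIFI_ROWS)
    conn.commit()
    return conn


def extract_history(conn):
    """Return every fix as (utc_time, source, lat, lon, accuracy_m, detail), oldest first."""
    rows = []
    for mcc, mnc, lac, ci, ts, lat, lon, acc in conn.execute(
            "SELECT MCC, MNC, LAC, CI, Timestamp, Latitude, Longitude, "
            "HorizontalAccuracy FROM CellLocation"):
        rows.append((mac_absolute_to_utc(ts), "cell", lat, lon, acc,
                     f"MCC{mcc}/MNC{mnc}/LAC{lac}/CI{ci}"))
    for mac, ts, lat, lon, acc in conn.execute(
            "SELECT MAC, Timestamp, Latitude, Longitude, HorizontalAccuracy "
            "FROM WifiLocation"):
        rows.append((mac_absolute_to_utc(ts), "wlan", lat, lon, acc, mac))
    # Sorting by timestamp is what turns the cache into a movement history.
    rows.sort(key=lambda r: r[0])
    return rows


def summarize(history):
    """Count fixes per source and pick the newest record as the last known position."""
    counts = {}
    for rec in history:
        counts[rec[1]] = counts.get(rec[1], 0) + 1
    last = history[-1] if history else None
    return counts, last


if __name__ == "__main__":
    hist = extract_history(build_sample_db())
    for when, src, lat, lon, acc, detail in hist:
        print(f"{when.isoformat()}  {src:<4} {lat:9.4f} {lon:9.4f} ±{acc:6.0f} m  {detail}")
    counts, last = summarize(hist)
    print("fixes per source:", counts)
    print("last known position:", last[0].isoformat(), last[2], last[3], f"({last[1]})")
```

The same ordering step applies to the CSV or report export of a commercial tool: whatever the source, the record with the newest converted timestamp is the candidate for the last whereabouts, and the accuracy column says how much weight a single cell fix (kilometres) versus a WLAN fix (tens of metres) deserves.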

4.7 Samsung Galaxy S Plus

The Samsung Galaxy S Plus used here can be operated both as a smartphone and as a navigation system. The device is operated with a 4-inch touchscreen display with a simple menu. It has an internal memory of 8 GB and a micro SD card with 8 GB of storage space and, thanks to the integrated battery, can be operated for several hours without an external power source. Access to the device is obtained via a USB interface. A basic prerequisite for the analysis of the smartphone was the fact that the device was not locked. An approach for overcoming such a lock is described, among others, in [8]. For storing spatial data a setting in the phone is required. This setting is found on the smartphone under Settings → Location access. Without activated location services no position data is stored. Furthermore, for all access to the smartphone it was necessary that USB debugging mode is enabled. To connect the smartphone to the computer a Micro-USB cable can be used. It is also necessary to install the driver for the Android ADB interface on the connected computer, otherwise the smartphone cannot be accessed. After this preparation the smartphone should be recognized correctly and the forensic investigation can be started. The changes made to the smartphone to enable access from the computer do not alter the user data on the smartphone and are therefore legitimate. However, the intervention in the smartphone should be documented exactly, for example by video, so that the procedure can be demonstrated later and the forensic analysis remains verifiable.

4.7.1 Logical analysis

The next step in the forensic analysis is the logical analysis, in which the stored contents are collected with the help of a forensic application. The smartphone was studied with the Oxygen Forensic Suite 2013. After connecting the smartphone to the computer via USB, the Oxygen Forensic Suite can be started. To read the smartphone successfully the following steps should be followed: Connect New Device → Connect via Cable → Upload and Install OxyAgent Into The Phone. After this a successful connection exists and the correct name of the smartphone is displayed. To read the data on the phone an application called OxyAgent was installed, which sends the data to the computer. The application is intended for forensic analysis of smartphones, and thus the change to the smartphone through the installation process is legitimate. In the following menu, case information can be entered, and the hash algorithm and the data to be extracted can be selected. A check whether the device has root access is also integrated into the program. After a successful read, the software provides a good overview of the collected data. Information about the smartphone (manufacturer, IMEI, Android version, etc.) could be collected, all directory entries were extracted, all SMS could be read and a complete list of calls (event log) was produced. Furthermore, this information can be stored in a concise report. The desired position data could not be extracted from the device, neither with nor without root access.

4.7.2 Technical analysis

It is possible to gain full access to the device by using a so-called rooting process. After that the data on the device is altered and the integrity of the device is no longer given. The forensically interesting files are to be found in the folder /data/data/com.google.android.location. After successfully copying the files, they can be opened with any text editor. For this purpose the software Notepad++ was used. The analysis of the files in the folder gave no information about the position data of the smartphone. All files are protected by encryption. The file structure in the Android version used here has changed considerably. Files with known names, such as cache.cell, are no longer present. Even through the analysis of the individual files on the system, no position data could be extracted.
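The finding in 4.7.2 that all files in the copied folder are encrypted is one an examiner should be able to substantiate and record rather than conclude from a text editor alone. The following Python example is added here and is not from the paper; it triages a set of copied files by SHA-256 (for the evidence record), Shannon entropy and printable-character ratio, and flags those that look encrypted or compressed rather than plain text or ordinary structured binary. The file contents are constructed samples standing in for a copied cache folder, and the thresholds are assumed heuristics, not values from the paper.

```python
import hashlib
import math


def shannon_entropy(data):
    """Bits per byte; 8.0 means all 256 byte values occur equally often."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def printable_ratio(data):
    """Share of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


# Assumed heuristic thresholds (not from the paper); calibrate them against
# known-plaintext and known-binary files from the same device before relying on them.
ENTROPY_THRESHOLD = 7.0
PRINTABLE_THRESHOLD = 0.9


def classify(data):
    """Return 'text', 'binary' (structured, low entropy) or 'encrypted_or_compressed'."""
    if printable_ratio(data) >= PRINTABLE_THRESHOLD:
        return "text"
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "encrypted_or_compressed"
    return "binary"


def triage(files):
    """files: {name: bytes}. Return one report row per file, sorted by name."""
    report = []
    for name in sorted(files):
        data = files[name]
        report.append({
            "name": name,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),  # fixes the copied content
            "entropy": round(shannon_entropy(data), 3),
            "printable": round(printable_ratio(data), 3),
            "verdict": classify(data),
        })
    return report


def pseudo_random_bytes(n, seed=b"constructed"):
    """Deterministic stand-in for ciphertext: a SHA-256 hash chain (constructed data)."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed sample "files"; the names only mimic a location cache folder.
SAMPLES = {
    "cache.cell": b"cell 262 01 1234 5678 52.4125 12.5316 1500\n" * 40,
    "cache.wifi": pseudo_random_bytes(4096),
    "index.bin": b"\x00" * 200 + bytes(range(50)),
}


if __name__ == "__main__":
    for row in triage(SAMPLES):
        print(f"{row['name']:<12} {row['size']:>6} B  H={row['entropy']:.3f}  "
              f"printable={row['printable']:.2f}  {row['verdict']:<24} "
              f"sha256={row['sha256'][:16]}...")
```

High entropy alone does not prove encryption, since compressed or already-random data scores the same; the value of the check is that the verdict and the hash of each copied file go into the report together, so a later reviewer can reproduce exactly why a file was set aside as unreadable.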

5. SUMMARY

Type of device     GPS handheld   Mobile navigation system   Smartphone
pictures           •              •                          •
position data      •              •                          ◦
last whereabout    •              ◦                          ◦

Table 1. Extractability of location data (•: possible, ◦: partly possible)

In summary, positional data were extracted from several example devices. Furthermore, three different procedures were presented for analyzing the positional data on different classes of devices. As a conclusion it can be stated that the more personal data is on a device, the less accessible the positional data is. Additionally, the more current the operating system is, the more difficult it is to analyze the whole device and its positional data.

REFERENCES

[1] BSI, "Leitfaden IT-Forensik," (21.03.2011).
[2] Freiling, F. C. and Schwittay, B., "A common process model for incident response and computer forensics," (2007).
[3] Casey, E., [Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet], Academic Press (2004).
[4] ACPO, "Good practice guide for computer-based electronic evidence," (2007).
[5] Hannay, P., "Forensic acquisition and analysis of the TomTom One satellite navigation unit," (2008).
[6] Strawn, C., "Expanding the potential for GPS evidence acquisition," (2009).
[7] Colombini, C. M., "Experimental testing of a forensic analysis method on the TomTom GPS navigation device," (2009).
[8] Aviv, A. J., Gibson, K., Mossop, E., Blaze, M., and Smith, J. M., "Smudge attacks on smartphone touch screens," (2010).
