2. What we will talk about
• GPS
– how to acquire evidence
– where we can find GPS (device or just functionality)
• What we can find on a GPS
– What tools and procedures to use?
• Examples in EnCase: Magellan, TomTom, Exif data ..
– example slides are here as help/ideas for practitioners
Page 2
3. Sources
• Materials are compilation of various sources
– Cellebrite “Portable GPS Forensic”
http://www.cellebrite.com/gps.html
– “GPS Device Acquisition and Examination”, CEIC 2012 by Nathen Langfeldt, Guidance Software, Inc
– “Forenzika GPS uređaja” (“GPS Device Forensics”), Filip Baričević, DATAFOCUS 2012
Page 3
4. GPS
• GPS - Global Positioning System
• http://en.wikipedia.org/wiki/Global_Positioning_System
• Not only GPS, but other systems: Russia, China, India, EU ..
Page 4
5. GPS embedded in another device
• Mobiles / smartphones
• Tablets, PCs
• Cars, robots (?)
• Usually direct connection to the Internet and live map access
Page 5
6. GPS standalone devices
• Garmin
• Magellan
• MIO
• TomTom
• Maps are prepared and sold by vendor
• Maybe small vendors will go extinct
7. Forensic tools and GPS
• Today all commercial tools support GPS data extraction; the level varies with model, encryption, ...
• The idea is to extract geolocation data and put it on a map, together with all other available data from the device
– location data can be obtained from other sources too
• There is a BIG difference between mobile device forensic tools and general purpose forensic tools
Page 7
8. Forensic Tool Examples
• EnCase - general purpose forensic tool
– support for geolocation data extracted from evidence as part of the smartphone support module
– support for standalone devices as disk images, and EnScripts to extract data
• UFED Ultimate / UFED Physical Analyzer - mobile device forensic tool
– support only for geolocation data extracted from evidence as part of smartphone support (some magic can be done too)
– support for standalone devices, but in the same way as mobile phones or smartphones
– support for encrypted logs and data on some standalone devices (TomTom)
– Python scripts for additional processing
• It is almost impossible to mix the results of both tools ....
– it takes a lot of effort
– there is no standardization (like the E01 format in traditional digital forensics)
Page 8
9. GPS information
1. travel path
2. trackpoints (coordinates)
3. waypoints (coordinates and names)
4. route (list of waypoints)
5. saved locations
6. video, pictures
7. all other available data from the device related to locations / positions
Page 9
10. Example Tom-Tom data
• *.cfg – locations
• ttgo.bif, ttnavigator.bif – general info on the device, S/N, model ...
• password (encrypted)
• settings.dat – IDs, user data ...
• triplog files – encrypted files
– user route data
Page 10
11. GPS seizure
• Device seizure is the first step and can be difficult
• These devices send and receive signals when powered on – precautions need to be taken
• How do you stop a GPS from updating its location?
− If possible, a Faraday bag
• What if a Faraday bag is not available???
• Once the device is protected, what next?
Page 11
12. What is needed for acquisition
• Once the device has been seized, the next logical step is to acquire the device.
• The following is a list of tools that could be important:
• USB cable to connect the device to an acquisition machine/tool
• Faraday bag (as mentioned previously)
• write blocker (either software or hardware will be acceptable)
• Card reader (optional)
Page 12
13. Examples
• EnCase details in CEIC 2012 “GPS Device Acquisition and Examination”
– EnCase and Garmin
– EnCase and TomTom
– EnCase and Magellan
– EnCase and Exif data
Page 13
14. EnCase and TomTom/Garmin
• EnCase can acquire Garmin and TomTom GPS devices through the use of a write-block device
Note:
• If a media card is in use by the GPS device, the card must be removed and imaged separately. If it is not removed, the media card may be the only thing that shows up during a preview
Page 14
15. EnCase and Magellan
• Similarly to Garmin or TomTom, acquisition of a Magellan GPS device can be accomplished by using a write-block device and a forensic acquisition tool (EnCase)
• Some Magellan devices may not be imaged in this fashion
• The only solution may be to use a backup of the device on a media card supported by the device
• Or to use another tool like UFED.
Page 15
16. Garmin device examination through EnCase
More can be done for Garmin .gpx...
• Aside from viewing the .gpx file within EnCase or an XML browser, the file can be viewed in Google Earth.
• This can be accomplished one of two ways:
− Bring the .gpx file out of EnCase and use a website to convert the file to KML
− This site is used for the conversion:
http://www.gpsvisualizer.com/map_input?form=googleearth
Page 16
18. EnCase Garmin examination
• Click the “create KML” button
• A new page will be loaded
• The KML file can then be downloaded
Page 18
19. EnCase Garmin examination
• With the KML file brought into Google Earth, we can begin the examination.
• When it is brought in, the data will show up under Temporary Places.
Page 19
20. EnCase Garmin examination
• The data is broken down into two main pieces:
− Waypoints
− Tracks
• Waypoints contain data like address book entries
• Tracks can contain data from recent routes that were traveled
Page 20
22. EnCase Garmin examination
• The other option is to bring the KML file straight into Google Earth
• If this option is used, you will be presented with three options.
• “Create KML LineStrings” is unchecked by default
− It is recommended that this be checked
Page 22
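The GPX-to-KML step that slides 16 to 22 route through the gpsvisualizer.com website can also be done locally, which keeps the exported evidence file off a third-party server. The script below is an added example written for this page; it is not code from the slides, from Guidance Software or from EnCase. It parses a constructed GPX 1.1 sample laid out the way a Garmin unit writes favourites (<wpt>) and a track log (<trk>/<trkseg>/<trkpt>), then emits KML with the two folders the examination above works with: Waypoints as named Points, and Tracks as one timestamped Placemark per trackpoint plus, mirroring the “Create KML LineStrings” option, a LineString joining each track. The place names and coordinates in the sample are made up.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

GPX_NS = "http://www.topografix.com/GPX/1/1"
KML_NS = "http://www.opengis.net/kml/2.2"

# Constructed sample (not from a real device): two favourites and one short track log.
SAMPLE_GPX = """<?xml version="1.0"?>
<gpx version="1.1" creator="constructed sample" xmlns="http://www.topografix.com/GPX/1/1">
  <wpt lat="45.8150" lon="15.9819"><name>Home</name></wpt>
  <wpt lat="45.8008" lon="15.9713"><name>Office</name></wpt>
  <trk>
    <name>2012-05-01 commute</name>
    <trkseg>
      <trkpt lat="45.8150" lon="15.9819"><ele>120.0</ele><time>2012-05-01T07:00:00Z</time></trkpt>
      <trkpt lat="45.8100" lon="15.9780"><ele>118.0</ele><time>2012-05-01T07:05:00Z</time></trkpt>
      <trkpt lat="45.8008" lon="15.9713"><ele>115.0</ele><time>2012-05-01T07:12:00Z</time></trkpt>
    </trkseg>
  </trk>
</gpx>
"""


def parse_gpx(text):
    """Return (waypoints, tracks) from GPX 1.1 text.

    waypoints: list of {"name", "lat", "lon"}
    tracks:    list of {"name", "points": [{"lat", "lon", "ele", "time"}, ...]}
    """
    root = ET.fromstring(text)
    ns = {"g": GPX_NS}
    waypoints = [
        {"name": w.findtext("g:name", default="", namespaces=ns),
         "lat": float(w.get("lat")), "lon": float(w.get("lon"))}
        for w in root.findall("g:wpt", ns)
    ]
    tracks = []
    for trk in root.findall("g:trk", ns):
        points = [
            {"lat": float(p.get("lat")), "lon": float(p.get("lon")),
             "ele": float(p.findtext("g:ele", default="0", namespaces=ns)),
             "time": p.findtext("g:time", default="", namespaces=ns)}
            for p in trk.findall("g:trkseg/g:trkpt", ns)
        ]
        tracks.append({"name": trk.findtext("g:name", default="", namespaces=ns),
                       "points": points})
    return waypoints, tracks


def to_kml(waypoints, tracks, line_strings=True):
    """Build a KML document. KML coordinates are lon,lat,alt: the reverse of GPX's lat/lon order."""
    out = ['<?xml version="1.0" encoding="UTF-8"?>',
           f'<kml xmlns="{KML_NS}"><Document>',
           '<Folder><name>Waypoints</name>']
    for w in waypoints:
        out.append(f'<Placemark><name>{escape(w["name"])}</name>'
                   f'<Point><coordinates>{w["lon"]},{w["lat"]},0</coordinates></Point></Placemark>')
    out.append('</Folder><Folder><name>Tracks</name>')
    for t in tracks:
        # One timestamped Placemark per trackpoint preserves the "when was it where" detail.
        for p in t["points"]:
            out.append(f'<Placemark><TimeStamp><when>{escape(p["time"])}</when></TimeStamp>'
                       f'<Point><coordinates>{p["lon"]},{p["lat"]},{p["ele"]}</coordinates></Point></Placemark>')
        if line_strings:
            # Equivalent of the "Create KML LineStrings" option: draw the travelled path as a line.
            coords = " ".join(f'{p["lon"]},{p["lat"]},{p["ele"]}' for p in t["points"])
            out.append(f'<Placemark><name>{escape(t["name"])}</name>'
                       f'<LineString><coordinates>{coords}</coordinates></LineString></Placemark>')
    out.append('</Folder></Document></kml>')
    return "\n".join(out)


if __name__ == "__main__":
    wpts, trks = parse_gpx(SAMPLE_GPX)
    print(to_kml(wpts, trks))
```

Save the printed output as a .kml file and open it in Google Earth; it appears under Temporary Places exactly like the website-converted file. The lon,lat ordering inside `<coordinates>` is the usual mistake when writing KML by hand, so the conversion keeps it in one place.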
23. EnCase Garmin examination
• In summary, Garmin GPS devices are super easy to examine and can be the most fruitful
• The data is easy to access and should not be overlooked
• Some upcoming challenges:
− Who uses a portable GPS device?
− Garmin now has multiple apps available for download
Page 23
24. EnCase TomTom examination
• TomTom GPS devices have been around for some time and are widely used
• The examination of these devices is a bit different
• TomTom GPS devices can in some ways store more info than Garmin
Page 24
25. EnCase TomTom examination
• With TomTom GPS devices, a few files will be of interest to us
• To start, we can look at the CurrentMap.dat
• In this example the file is sitting at the root of the device
• This will give the name of the map that is currently in use
• As you can see in the example, “North_America_2GB” is the name of the map being used
Page 25
26. EnCase TomTom examination
• In summary, TomTom GPS can be examined through the use of an EnScript module or third-party tools
• If trip logs are present, a request could be made to TomTom in an attempt to get the logs decrypted (or through UFED tools)
• Some upcoming challenges:
− Who uses a portable GPS device?
− TomTom now has multiple apps available for download
Page 26
27. EnCase Magellan examination
• Magellan devices can be more difficult in part because of the acquisition process
• Some Magellan devices may not be able to be acquired at the physical level
• In those cases it might be possible to create a backup through the device directly to an SD card
• The SD card containing the backup can then be acquired
Page 27
28. EnCase Magellan examination
• In summary, Magellan GPS devices are the most difficult to examine due to the limited information available
• Though third-party tools are available, their ability to parse data may be limited by the actual models supported
• Some upcoming challenges:
− Who uses a portable GPS device?
− Magellan now has multiple apps available for download
Page 28
29. Examination of EXIF GPS Data
• The examination of EXIF GPS can be made simple
• This data can be extracted and made invaluable through the use of various third-party tools or an EnScript program
• The “Exif GPS Information Reader” EnScript module will be used here
The images used here were taken with a BlackBerry
Page 29
30. Examination of EXIF GPS Data
• The exported KML file can be viewed in Google Earth
Page 30
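The slides use the “Exif GPS Information Reader” EnScript module but do not show what it does internally. The following Python reader is an added example for this page, not that module and not code from the slides: it walks a JPEG's APP1 segment, the TIFF header inside it, IFD0 and the GPS sub-IFD (tag 0x8825), and converts the degrees/minutes/seconds rationals plus hemisphere letters into signed decimal degrees ready for a KML Point. Since no image is shipped with the slides, the script constructs its own minimal JPEG containing only an EXIF GPS segment with made-up coordinates; the reader handles both Intel (II) and Motorola (MM) byte orders and returns None when the picture carries no GPS data.

```python
import struct

TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}   # TIFF field types we may meet
GPS_INFO_TAG = 0x8825                                # IFD0 entry pointing to the GPS sub-IFD


def _read_ifd(tiff, offset, bo):
    """Return {tag: (type, count, raw_bytes)} for the IFD at `offset` inside the TIFF blob."""
    (n,) = struct.unpack(bo + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(bo + "HHI", tiff[e:e + 8])
        size = TYPE_SIZES.get(typ, 1) * count
        if size <= 4:                      # value is stored inline in the 4-byte field
            raw = tiff[e + 8:e + 8 + size]
        else:                              # field holds an offset to the value
            (ptr,) = struct.unpack(bo + "I", tiff[e + 8:e + 12])
            raw = tiff[ptr:ptr + size]
        entries[tag] = (typ, count, raw)
    return entries


def _rationals(raw, count, bo):
    vals = struct.unpack(bo + "II" * count, raw)
    return [vals[2 * i] / vals[2 * i + 1] for i in range(count)]


def dms_to_decimal(dms, ref):
    """Degrees/minutes/seconds plus hemisphere letter -> signed decimal degrees."""
    d, m, s = dms
    dec = d + m / 60 + s / 3600
    return -dec if ref in ("S", "W") else dec


def exif_gps(jpeg):
    """Return (lat, lon) in decimal degrees from a JPEG's EXIF GPS IFD, or None if absent."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos, tiff = 2, None
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker in (0xFFDA, 0xFFD9):      # start of scan or end of image: no more headers
            break
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            tiff = jpeg[pos + 10:pos + 2 + length]
            break
        pos += 2 + length
    if tiff is None:
        return None
    bo = "<" if tiff[:2] == b"II" else ">"
    (ifd0_off,) = struct.unpack(bo + "I", tiff[4:8])
    ifd0 = _read_ifd(tiff, ifd0_off, bo)
    if GPS_INFO_TAG not in ifd0:
        return None
    (gps_off,) = struct.unpack(bo + "I", ifd0[GPS_INFO_TAG][2])
    gps = _read_ifd(tiff, gps_off, bo)
    if any(tag not in gps for tag in (1, 2, 3, 4)):   # LatRef, Lat, LonRef, Lon
        return None
    lat_ref = gps[1][2].rstrip(b"\x00").decode("ascii")
    lon_ref = gps[3][2].rstrip(b"\x00").decode("ascii")
    lat = dms_to_decimal(_rationals(gps[2][2], 3, bo), lat_ref)
    lon = dms_to_decimal(_rationals(gps[4][2], 3, bo), lon_ref)
    return round(lat, 6), round(lon, 6)


def build_exif_jpeg(lat_dms, lat_ref, lon_dms, lon_ref, bo="<"):
    """Constructed sample: a JPEG shell whose only content is an APP1 EXIF segment with a GPS IFD."""
    gps_ifd_off = 8 + 2 + 12 + 4               # TIFF header + IFD0 (one entry) + next-IFD link
    data_off = gps_ifd_off + 2 + 12 * 4 + 4    # GPS IFD (four entries) + next-IFD link

    def rat(vals):
        return b"".join(struct.pack(bo + "II", round(v * 10000), 10000) for v in vals)

    def entry(tag, typ, count, value):
        return struct.pack(bo + "HHI", tag, typ, count) + value

    lat_raw, lon_raw = rat(lat_dms), rat(lon_dms)
    ifd0 = (struct.pack(bo + "H", 1)
            + entry(GPS_INFO_TAG, 4, 1, struct.pack(bo + "I", gps_ifd_off))
            + struct.pack(bo + "I", 0))
    gps = (struct.pack(bo + "H", 4)
           + entry(1, 2, 2, lat_ref.encode("ascii") + b"\x00\x00\x00")
           + entry(2, 5, 3, struct.pack(bo + "I", data_off))
           + entry(3, 2, 2, lon_ref.encode("ascii") + b"\x00\x00\x00")
           + entry(4, 5, 3, struct.pack(bo + "I", data_off + len(lat_raw)))
           + struct.pack(bo + "I", 0))
    tiff = (b"II" if bo == "<" else b"MM") + struct.pack(bo + "HI", 42, 8) + ifd0 + gps + lat_raw + lon_raw
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_exif_jpeg((37, 46, 29.7), "N", (122, 25, 9.8), "W")   # made-up position
    print(exif_gps(sample))
```

On a real photo, replace the constructed bytes with `open(path, "rb").read()`; the decimal pair slots straight into a KML `<coordinates>lon,lat,0</coordinates>` element for the Google Earth view described above. Absence of a GPS IFD is a normal result (many devices and messaging apps strip it), which is why the reader returns None rather than failing.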
31. Conclusion ?
• It is a wild area
• in development: new models, new features, encryption, device applications
• legal issues
• a lot to learn
Page 31