GPS forensic analysis

     Damir Delija
     Insig2 2012
What we will talk about
• GPS
  – how to acquire evidence
  – where we can find GPS (device or just functionality)
• What we can find on a GPS
  – What tools and procedures to use?
• Examples in EnCase: Magellan, TomTom, Exif data
  – the example slides are meant as help and ideas for practitioners
                                                        Page 2
Sources
• Materials are a compilation of various sources
  – Cellebrite “Portable GPS Forensic”
     http://www.cellebrite.com/gps.html
  – “GPS Device Acquisition and Examination”, CEIC
    2012 by Nathen Langfeldt, Guidance Software, Inc
  – “Forenzika GPS uređaja”, Filip
    Baričević, DATAFOCUS 2012

                                                           Page 3
GPS
• GPS - Global Positioning System
• http://en.wikipedia.org/wiki/Global_Positioning_System
• Not only GPS, but also other systems:
  Russia, China, India, EU ...

                                             Page 4
GPS embedded in another device
•   Mobiles / smartphones
•   Tablets, PCs
•   Cars, robots (?)
•   Usually a direct Internet connection and live
    map access

                                                 Page 5
GPS standalone devices
•   Garmin
•   Magellan
•   MIO
•   TomTom

• Maps are prepared and sold by vendor
• Maybe small vendors will go extinct
Forensic tools and GPS
• Today all commercial tools support GPS data
  extraction; the level varies with the model,
  encryption ...
• The idea is to get the geolocation data out and put it on
  a map, together with all other available data from the device
   – location data can be obtained from other sources too
• There is a BIG difference between mobile device forensic
  tools and general purpose forensic tools
                                                            Page 7
Forensic Tool Examples
• EnCase - general purpose forensic tool
    – support for geolocation data extracted from evidence as part of the smartphone support
      module
    – support for standalone devices as a disk image, plus EnScripts to extract data
• UFED Ultimate / UFED Physical Analyzer - mobile device forensic tool
    – support only for geolocation data extracted from evidence as part of smartphone
      support (some magic can be done too)
    – support for standalone devices, but handled the same way as mobile phones or smartphones
    – support for encrypted logs and data on some standalone devices (TomTom)
    – Python scripts for additional processing
• It is almost impossible to combine the results of both tools
    – it takes a lot of effort
    – there is no standardization (like the E01 format in traditional digital forensics)

                                                                                        Page 8
GPS information
1.   travel path
2.   trackpoints (coordinates)
3.   waypoints (coordinates and names)
4.   route (list of waypoints)
5.   saved locations
6.   video, pictures
7.   all other available data from device related to
     locations / positions

                                                       Page 9
Example Tom-Tom data
  • *.cfg – locations
  • ttgo.bif, ttnavigator.bif – general info on
    the device: S/N, model ...
  • password (encrypted)
  • settings.dat – IDs, user data ...
  • triplog files – encrypted files with
    user route data
                                      Page 10
GPS seizure
•   Device seizure is the first step and can be difficult

•   These devices send and receive signals when
    powered on – precautions need to be taken

•   How do you stop a GPS from updating its location?

     −   If possible, a Faraday bag

•   What if a Faraday bag is not available?

•   Once the device is protected, what next?

                                                             Page 11
What is needed for acquisition
• Once the device has been seized, the next
  logical step is to acquire the device.
• The following is a list of tools that could be
  important:

     • USB cable to connect the device to an
       acquisition machine/tool
     • Faraday bag (as mentioned previously)
     • write blocker (either software or hardware
       will be acceptable)
     • Card reader (optional)

                                                     Page 12
Examples
• EnCase details in CEIC 2012 “GPS Device
  Acquisition and Examination”
  – EnCase and Garmin
  – EnCase and TomTom
  – EnCase and Magellan
  – EnCase and Exif data
                                             Page 13
EnCase and TomTom/Garmin
•   EnCase can acquire Garmin and TomTom GPS devices
    through the use of a write-blocking device


Note:
• If a media card is in use by the
    GPS device, the card must be
    removed and imaged separately.
    If it is not removed, the media
    card may be the only thing that
    shows up during a preview
                                                        Page 14
EnCase and Magellan
• Similarly to Garmin or TomTom, acquisition of a
  Magellan GPS device can be accomplished by
  using a write-block device and a forensic
  acquisition tool (EnCase)
• Some Magellans may not be imaged in this
  fashion
• The only solution may be to use a backup of the
  device on a media card supported by the device

• Or to use another tool like UFED .


                                                     Page 15
Garmin device examination through EnCase
     More can be done for Garmin .gpx...
•   Aside from viewing the .gpx file within EnCase or an XML
    browser, the file can be viewed in Google Earth.
•   This can be accomplished one of two ways:
      − Bring the .gpx file out of EnCase
        and use a website to convert the
        file to KML
      − This site is used for the
        conversion:
         http://www.gpsvisualizer.com/map_input?form=googleearth




                                                                    Page 16
EnCase Garmin examination

•   Once at this
    site, the settings
    can be observed.




                             Page 17
EnCase Garmin examination
• Click the “create KML”
  button
• A new page will be loaded
• The KML file can then be
  downloaded




                               Page 18
EnCase Garmin examination
•   With the KML file
    brought into Google
    Earth, we can begin
    the examination.

•   When it is brought
    in, the data will show
    up under Temporary
    Places.




                              Page 19
EnCase Garmin examination
             • The data is broken down into two main pieces:

                 − Waypoints
                 − Tracks
             • Waypoints contain data such as address book entries

             • Tracks can contain data from recent routes that were
               traveled



                                                                Page 20
EnCase Garmin examination
•   An example of a Waypoint




                                Page 21
EnCase Garmin examination
•   The other option is to bring the KML
    file straight into Google Earth

•   If this option is used, you will be
    presented with three options.

•   “Create KML LineStrings” is
    unchecked by default

      − It is recommended
        that this be
        checked


                                            Page 22
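The conversion described on the last few slides (Garmin .gpx out of EnCase, KML into Google Earth, waypoints and tracks, LineStrings on or off), done locally instead of on the GPS Visualizer website, as an added example that is not part of the original deck and is not GPS Visualizer's or Google's code. It parses a GPX file's waypoints and tracks with the Python standard library, writes KML with the waypoints as Point placemarks and each track as one LineString (the behaviour the "Create KML LineStrings" option gives), and computes a track's length. The GPX content is constructed for the example, not taken from a device.

```python
import math
import xml.etree.ElementTree as ET

GPX_NS = "http://www.topografix.com/GPX/1/1"
KML_NS = "http://www.opengis.net/kml/2.2"
K = "{%s}" % KML_NS          # Clark-notation prefix for KML element names

# Constructed sample GPX, not data from a real device: one waypoint (the kind of
# address-book entry Garmin stores) and one track with three trackpoints.
SAMPLE_GPX = """<gpx xmlns="http://www.topografix.com/GPX/1/1" version="1.1" creator="constructed sample">
  <wpt lat="45.8150" lon="15.9819">
    <ele>120.0</ele><time>2012-05-01T08:00:00Z</time><name>Home</name>
  </wpt>
  <trk>
    <name>ACTIVE LOG</name>
    <trkseg>
      <trkpt lat="45.8150" lon="15.9819"><ele>120.0</ele><time>2012-05-01T08:01:00Z</time></trkpt>
      <trkpt lat="45.8200" lon="15.9900"><ele>121.5</ele><time>2012-05-01T08:05:00Z</time></trkpt>
      <trkpt lat="45.8300" lon="16.0000"><time>2012-05-01T08:10:00Z</time></trkpt>
    </trkseg>
  </trk>
</gpx>
"""

def _point(el, ns):
    """lat/lon attributes plus optional <ele> and <time> children of a wpt or trkpt."""
    ele = el.findtext("g:ele", default=None, namespaces=ns)
    return {"lat": float(el.get("lat")), "lon": float(el.get("lon")),
            "ele": float(ele) if ele is not None else None,
            "time": el.findtext("g:time", default="", namespaces=ns)}

def parse_gpx(text):
    """Return (waypoints, tracks); a track is {'name', 'points'} with its segments merged."""
    root = ET.fromstring(text)
    ns = {"g": GPX_NS}
    waypoints = []
    for wpt in root.findall("g:wpt", ns):
        point = _point(wpt, ns)
        point["name"] = wpt.findtext("g:name", default="", namespaces=ns)
        waypoints.append(point)
    tracks = [{"name": trk.findtext("g:name", default="", namespaces=ns),
               "points": [_point(pt, ns) for pt in trk.iterfind("g:trkseg/g:trkpt", ns)]}
              for trk in root.findall("g:trk", ns)]
    return waypoints, tracks

def _coord(p):
    # KML wants lon,lat[,ele]; GPX stores lat first. Swapping them puts the track in the wrong place.
    return f"{p['lon']},{p['lat']}" + (f",{p['ele']}" if p["ele"] is not None else "")

def gpx_to_kml(waypoints, tracks, line_strings=True):
    """Waypoints become Point placemarks; each track becomes one LineString (what the
    'Create KML LineStrings' option does) or, with line_strings=False, one Point per fix."""
    kml = ET.Element(K + "kml")
    doc = ET.SubElement(kml, K + "Document")
    wp_folder = ET.SubElement(doc, K + "Folder")
    ET.SubElement(wp_folder, K + "name").text = "Waypoints"
    for w in waypoints:
        pm = ET.SubElement(wp_folder, K + "Placemark")
        ET.SubElement(pm, K + "name").text = w["name"]
        if w["time"]:
            ET.SubElement(ET.SubElement(pm, K + "TimeStamp"), K + "when").text = w["time"]
        ET.SubElement(ET.SubElement(pm, K + "Point"), K + "coordinates").text = _coord(w)
    trk_folder = ET.SubElement(doc, K + "Folder")
    ET.SubElement(trk_folder, K + "name").text = "Tracks"
    for t in tracks:
        pm = ET.SubElement(trk_folder, K + "Placemark")
        ET.SubElement(pm, K + "name").text = t["name"]
        if line_strings:
            ls = ET.SubElement(pm, K + "LineString")
            ET.SubElement(ls, K + "coordinates").text = " ".join(_coord(p) for p in t["points"])
        else:
            mg = ET.SubElement(pm, K + "MultiGeometry")
            for p in t["points"]:
                ET.SubElement(ET.SubElement(mg, K + "Point"), K + "coordinates").text = _coord(p)
    return ET.tostring(kml, encoding="unicode", default_namespace=KML_NS)

def track_length_km(track):
    """Great-circle length of a track (haversine, mean Earth radius 6371 km)."""
    total, pts = 0.0, track["points"]
    for a, b in zip(pts, pts[1:]):
        lat1, lat2 = math.radians(a["lat"]), math.radians(b["lat"])
        dlon = math.radians(b["lon"] - a["lon"])
        h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
        total += 2 * 6371.0 * math.asin(math.sqrt(h))
    return total

if __name__ == "__main__":
    wps, trks = parse_gpx(SAMPLE_GPX)
    print(gpx_to_kml(wps, trks))
    for t in trks:
        print(f"{t['name']}: {len(t['points'])} points, {track_length_km(t):.2f} km")
```

Running the conversion on the examiner's own machine also means the exported evidence file never leaves the lab, which is easier to defend in a chain-of-custody record than an upload to a third-party site. The output loads into Google Earth like any other KML file; with Python 3.8 or newer the `default_namespace` argument keeps the element names unprefixed, as Google Earth expects.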
EnCase Garmin examination
•   In summary, Garmin GPS devices are
    super easy to examine and can be the
    most fruitful
•   The data is easy to access and should
    not be overlooked

•   Some upcoming challenges:
      − Who uses a portable GPS device?
      − Garmin now has multiple apps
        available for download


                                             Page 23
EnCase TomTom examination
•   TomTom GPS devices have been
    around for some time and are
    widely used

•   The examination of these devices
    is a bit different

•   TomTom GPS devices can in some
    ways store more info than Garmin




                                        Page 24
EnCase TomTom examination
•   With TomTom GPS devices, a few
    files will be of interest to us

•   To start, we can look at the
    CurrentMap.dat

•   In this example the file is sitting
    at the root of the device

•   This will give the name of the
    map that is currently in use

•   As you can see in the
    example, “North_America_2GB”
    is the name of the map being
    used
                                                Page 25
EnCase TomTom examination
•   In summary, TomTom GPS can be examined
    through the use of an EnScript module or
    third-party tools
•   If trip logs are present, a request could be
    made to TomTom in an attempt to get the
    logs decrypted (or through UFED tools)
•   Some upcoming challenges:
      − Who uses a portable
        GPS device?
      − TomTom now has
        multiple apps available
        for download

                                                    Page 26
EnCase Magellan examination
• Magellan devices can be more difficult, in
  part because of the acquisition
  process

• Some Magellan devices may not be able
  to be acquired at the physical level

• In those cases it might be possible to
  create a backup through the device
  directly to an SD card

• The SD card containing the backup can
  then be acquired


                                               Page 27
EnCase Magellan examination
•   In summary, Magellan GPS devices are
    the most difficult to examine due to the
    limited information available
•   Though third-party tools are
    available, their ability to parse data may
    be limited by the actual models
    supported
•   Some upcoming challenges:
      − Who uses a portable
        GPS device?
      − Magellan now has
        multiple apps
        available for
        download
                                                  Page 28
Examination of EXIF GPS Data
• The examination of EXIF GPS
  can be made simple
• This data can be extracted
  and made invaluable through
  the use of various third-party
  tools or an EnScript program
• The “Exif GPS Information
  Reader” EnScript module will
  be used here

                                   The images used here were taken with a BlackBerry

                                                                              Page 29
Examination of EXIF GPS Data



•   The exported KML file can
    be viewed in Google Earth




                                 Page 30
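What the "Exif GPS Information Reader" EnScript does for the examiner, shown at the byte level as an added example that is not part of the original deck and is not the EnScript module's code: a minimal parser, written with only the Python standard library, that walks a JPEG's marker segments to the APP1/Exif segment, follows the TIFF IFD0 entry 0x8825 to the GPS IFD, and turns the degrees/minutes/seconds rationals plus the N/S/E/W references into signed decimal degrees. The JPEG it is fed is constructed inside the block as test input, not a photo from a BlackBerry or any other camera; a real JPEG read from disk goes through `extract_gps` the same way as long as its EXIF layout is standard.

```python
import struct

GPS_INFO_TAG = 0x8825                              # IFD0 entry pointing at the GPS IFD
LAT_REF, LAT, LON_REF, LON = 0x1, 0x2, 0x3, 0x4    # GPS IFD tags used here
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}         # BYTE, ASCII, SHORT, LONG, RATIONAL

def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed test input, not a real photo: a minimal JPEG with a JFIF APP0 segment
    followed by an APP1/Exif segment whose TIFF block holds only a GPS IFD."""
    def entry(tag, typ, count, value4):            # one 12-byte IFD entry, little-endian
        return struct.pack("<HHI", tag, typ, count) + value4
    def rationals(dms):
        return b"".join(struct.pack("<II", num, den) for num, den in dms)
    gps_off, lat_off, lon_off = 26, 80, 104        # fixed layout, offsets relative to the TIFF header
    header = b"II" + struct.pack("<HI", 42, 8)     # bytes 0-7: byte order, magic 42, IFD0 at offset 8
    ifd0 = (struct.pack("<H", 1)                   # bytes 8-25: one entry plus next-IFD pointer
            + entry(GPS_INFO_TAG, 4, 1, struct.pack("<I", gps_off)) + struct.pack("<I", 0))
    gps_ifd = (struct.pack("<H", 4)                # bytes 26-79: four entries plus next-IFD pointer
               + entry(LAT_REF, 2, 2, lat_ref.encode() + b"\0\0\0")   # ASCII fits inline in the value field
               + entry(LAT, 5, 3, struct.pack("<I", lat_off))          # 3 rationals (24 bytes) live at lat_off
               + entry(LON_REF, 2, 2, lon_ref.encode() + b"\0\0\0")
               + entry(LON, 5, 3, struct.pack("<I", lon_off)) + struct.pack("<I", 0))
    tiff = header + ifd0 + gps_ifd + rationals(lat_dms) + rationals(lon_dms)  # rationals at 80 and 104
    app0 = b"JFIF\0\x01\x01\x00\x00\x01\x00\x01\x00\x00"   # dummy JFIF segment the walker must skip
    app1 = b"Exif\0\0" + tiff
    return (b"\xff\xd8" + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
            + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9")

def find_exif_tiff(jpeg):
    """Walk the JPEG marker segments; return the TIFF block of the APP1/Exif segment or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                 # EOI or SOS: no metadata segments follow
            break
        seg_len = struct.unpack_from(">H", jpeg, pos + 2)[0]   # segment lengths are big-endian
        body = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and body.startswith(b"Exif\0\0"):
            return body[6:]
        pos += 2 + seg_len
    return None

def read_ifd(tiff, offset, endian):
    """Return {tag: (type, count, offset_of_value_field)} for the IFD starting at offset."""
    count = struct.unpack_from(endian + "H", tiff, offset)[0]
    entries = {}
    for i in range(count):
        base = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(endian + "HHI", tiff, base)
        entries[tag] = (typ, n, base + 8)
    return entries

def read_value(tiff, endian, typ, n, field):
    """Decode one entry; values longer than 4 bytes sit at the offset stored in the value field."""
    size = TYPE_SIZE[typ] * n
    off = field if size <= 4 else struct.unpack_from(endian + "I", tiff, field)[0]
    if typ == 2:                                   # ASCII, NUL-terminated
        return tiff[off:off + n].split(b"\0", 1)[0].decode("ascii", "replace")
    if typ == 5:                                   # RATIONAL: pairs of unsigned 32-bit numerator/denominator
        raw = struct.unpack_from(endian + "%dI" % (2 * n), tiff, off)
        return list(zip(raw[0::2], raw[1::2]))
    return list(struct.unpack_from(endian + "%d%s" % (n, {1: "B", 3: "H", 4: "I"}[typ]), tiff, off))

def dms_to_decimal(dms, ref):
    """Degrees/minutes/seconds rationals plus an N/S/E/W reference to signed decimal degrees."""
    deg, minutes, sec = (num / den if den else 0.0 for num, den in dms)   # guard a zero denominator
    value = deg + minutes / 60 + sec / 3600
    return -value if ref.upper() in ("S", "W") else value

def extract_gps(jpeg):
    """Return {'lat': ..., 'lon': ...} in decimal degrees, or None when the image carries no GPS IFD."""
    tiff = find_exif_tiff(jpeg)
    if tiff is None or tiff[:2] not in (b"II", b"MM"):
        return None
    endian = "<" if tiff[:2] == b"II" else ">"    # the TIFF header picks the byte order for every IFD
    ifd0 = read_ifd(tiff, struct.unpack_from(endian + "I", tiff, 4)[0], endian)
    if GPS_INFO_TAG not in ifd0:
        return None
    gps = read_ifd(tiff, read_value(tiff, endian, *ifd0[GPS_INFO_TAG])[0], endian)
    if not all(t in gps for t in (LAT_REF, LAT, LON_REF, LON)):
        return None
    val = lambda tag: read_value(tiff, endian, *gps[tag])
    return {"lat": dms_to_decimal(val(LAT), val(LAT_REF)),
            "lon": dms_to_decimal(val(LON), val(LON_REF))}

if __name__ == "__main__":
    sample = build_sample_jpeg(((45, 1), (48, 1), (54, 1)), "N", ((15, 1), (58, 1), (5484, 100)), "E")
    print(extract_gps(sample))
```

The decimal pair that comes out is what a KML Point placemark takes (as lon,lat), so the result can be fed straight into a KML exporter and viewed in Google Earth, which is the step the next slide shows. The parser handles both byte orders, so it is not tied to the little-endian layout of the constructed sample.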
Conclusion ?
• It is a wild area
• in development: new models, new features,
  encryption, device applications
• legal issues
• a lot to learn
                                          Page 31
Questions ?


damir.delija@insig2.hr




                           Page 32

Food safety_Challenges food safety laboratories_.pdfSherif Taha
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...ZurliaSoop
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...Nguyen Thanh Tu Collection
 
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptxOn_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptxPooja Bhuva
 

Dernier (20)

ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.
 
How to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxHow to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptx
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
 
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptxCOMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
 
Understanding Accommodations and Modifications
Understanding  Accommodations and ModificationsUnderstanding  Accommodations and Modifications
Understanding Accommodations and Modifications
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 
How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17
 
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfUGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
 
REMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptxREMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptx
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - English
 
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds  in the ClassroomFostering Friendships - Enhancing Social Bonds  in the Classroom
Fostering Friendships - Enhancing Social Bonds in the Classroom
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdf
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
 
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptxOn_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
 

Gps

GPS forensic analysis
Damir Delija
Insig2 2012

What we will talk about
• GPS
  – how to acquire evidence
  – where we can find GPS (device or just functionality)
• What we can find on a GPS
  – What tools and procedures to use?
• Examples in EnCase: Magellan, TomTom, Exif data ..
  – example slides are here as help/ideas for practitioners
Page 2

Sources
• Materials are a compilation of various sources
  – Cellebrite “Portable GPS Forensic”, http://www.cellebrite.com/gps.html
  – “GPS Device Acquisition and Examination”, CEIC 2012, by Nathen Langfeldt, Guidance Software, Inc
  – “Forenzika GPS uređaja” (Forensics of GPS devices), Filip Baričević, DATAFOCUS 2012
Page 3

GPS
• GPS - Global Positioning System
• http://en.wikipedia.org/wiki/Global_Positioning_System
• Not only GPS, but other systems: Russia, China, India, EU ..
Page 4

GPS embedded in another device
• Mobiles / smartphones
• Tablets – PCs
• cars, robots (?)
• Usually a direct connection to the Internet and live map access
Page 5

GPS standalone devices
• Garmin
• Magellan
• MIO
• TomTom
• Maps are prepared and sold by the vendor
• Maybe small vendors will go extinct

Forensic tools and GPS
• Today all commercial tools support GPS data extraction; the level of support varies and depends on the model, encryption...
• The idea is to get the geolocation data out and put it on a map, together with all other available data from the device
  – location data can be obtained from other sources too
• There is a BIG difference between mobile device forensic tools and general purpose forensic tools
Page 7

Forensic Tool Examples
• EnCase - general purpose forensic tool
  – support for geolocation data extracted from evidence as part of the smartphone support module
  – support for standalone devices as a disk image, and EnScripts to extract data
• UFED Ultimate / UFED Physical Analyzer - mobile device forensic tool
  – support only for geolocation data extracted from evidence as part of smartphone support (some magic can be done too)
  – support for standalone devices, but handled in the same way as mobile phones or smartphones
  – support for encrypted logs and data on some standalone devices (TomTom)
  – Python scripts for additional processing
• It is almost impossible to mix the results of both tools ....
  – it takes a lot of effort
  – there is no standardization (like the E01 format in traditional digital forensics)
Page 8

GPS information
1. travel path
2. trackpoints (coordinates)
3. waypoints (coordinates and names)
4. route (list of waypoints)
5. saved locations
6. video, pictures
7. all other available data from the device related to locations / positions
Page 9

Example TomTom data
• *.cfg – locations
• ttgo.bif, ttnavigator.bif – general info on the device, S/N, model ...
• password (encrypted)
• settings.dat – IDs, user data ...
• triplog files – encrypted files – user route data
Page 10

GPS seizure
• Device seizure is the first step and can be difficult
• These devices send and receive signals when powered on – precautions need to be taken
• How do you stop a GPS from updating its location?
  – If possible, a Faraday bag
• What if a Faraday bag is not available???
• Once the device is protected, what next?
Page 11

What is needed for acquisition
• Once the device has been seized, the next logical step is to acquire the device.
• The following is a list of tools that could be important:
  – USB cable to connect the device to an acquisition machine/tool
  – Faraday bag (as mentioned previously)
  – write blocker (either software or hardware will be acceptable)
  – Card reader (optional)
Page 12

Examples
• EnCase details in CEIC 2012 “GPS Device Acquisition and Examination”
  – EnCase and Garmin
  – EnCase and TomTom
  – EnCase and Magellan
  – EnCase and Exif data
Page 13

EnCase and TomTom/Garmin
• EnCase can acquire Garmin and TomTom GPS devices through the use of a write-block device
• Note: If a media card is in use by the GPS device, the card must be removed and imaged separately. If it is not removed, the media card may be the only thing that shows up during a preview
Page 14

EnCase and Magellan
• Similarly to Garmin or TomTom, acquisition of a Magellan GPS device can be accomplished by using a write-block device and a forensic acquisition tool (EnCase)
• Some Magellans may not be imaged in this fashion
• The only solution may be to use a backup of the device on a media card supported by the device
• Or to use another tool like UFED.
Page 15

Garmin device examination through EnCase
More can be done for Garmin .gpx...
• Aside from viewing the .gpx file within EnCase or an XML browser, the file can be viewed in Google Earth.
• This can be accomplished in one of two ways:
  – Bring the .gpx file out of EnCase and use a website to convert the file to KML
  – This site is used for the conversion: http://www.gpsvisualizer.com/map_input?form=googleearth
Page 16

EnCase Garmin examination
• Once at this site, the settings can be observed.
Page 17

EnCase Garmin examination
• Click the “create KML” button
• A new page will be loaded
• The KML file can then be downloaded
Page 18

EnCase Garmin examination
• With the KML file brought into Google Earth, we can begin the examination.
• When it is brought in, the data will show up under Temporary Places.
Page 19

EnCase Garmin examination
• The data is broken down into two main pieces:
  – Waypoints
  – Tracks
• Waypoints contains data like address book entries
• Tracks can contain data from recent routes that were traveled
Page 20

EnCase Garmin examination
• An example of a Waypoint
Page 21

EnCase Garmin examination
• The other option is to bring the KML file straight into Google Earth
• If this option is used, you will be presented with three options.
• “Create KML LineStrings” is unchecked by default
  – It is recommended that this be checked
Page 22

EnCase Garmin examination
• In summary, Garmin GPS devices are super easy to examine and can be the most fruitful
• The data is easy to access and should not be overlooked
• Some upcoming challenges:
  – Who uses a portable GPS device?
  – Garmin now has multiple apps available for download
Page 23

EnCase TomTom examination
• TomTom GPS devices have been around for some time and are widely used
• The examination of these devices is a bit different
• TomTom GPS devices can in some ways store more info than Garmin
Page 24

EnCase TomTom examination
• With TomTom GPS devices, a few files will be of interest to us
• To start, we can look at CurrentMap.dat
• In this example the file is sitting at the root of the device
• This will give the name of the map that is currently in use
• As you can see in the example, “North_America_2GB” is the name of the map being used
Page 25

EnCase TomTom examination
• In summary, TomTom GPS devices can be examined through the use of an EnScript module or third-party tools
• If trip logs are present, a request could be made to TomTom in an attempt to get the logs decrypted (or through UFED tools)
• Some upcoming challenges:
  – Who uses a portable GPS device?
  – TomTom now has multiple apps available for download
Page 26

EnCase Magellan examination
• Magellan devices can be more difficult, in part because of the acquisition process
• Some Magellan devices may not be able to be acquired at the physical level
• In those cases it might be possible to create a backup through the device directly to an SD card
• The SD card containing the backup can then be acquired
Page 27

EnCase Magellan examination
• In summary, Magellan GPS devices are the most difficult to examine due to the limited information available
• Though third-party tools are available, their ability to parse data may be limited by the actual models supported
• Some upcoming challenges:
  – Who uses a portable GPS device?
  – Magellan now has multiple apps available for download
Page 28

Examination of EXIF GPS Data
• The examination of EXIF GPS data can be made simple
• This data can be extracted and made invaluable through the use of various third-party tools or an EnScript program
• The “Exif GPS Information Reader” EnScript module will be used here
• The images used here were taken with a BlackBerry
Page 29

Examination of EXIF GPS Data
• The exported KML file can be viewed in Google Earth
Page 30
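As an added example (not code from the slides, from EnCase, or from the gpsvisualizer site they mention), the two conversions the Garmin slides (16-22) and the EXIF slides (29-30) describe in one Python script: parsing a constructed Garmin-style .gpx into Waypoints and Tracks, turning EXIF GPS degree/minute/second rationals plus their N/S/E/W reference into decimal degrees, and writing both out as KML with Point and LineString placemarks that Google Earth can load. The GPX sample, the EXIF values and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from fractions import Fraction
from xml.sax.saxutils import escape

GPX_NS = "{http://www.topografix.com/GPX/1/1}"

# Constructed Garmin-style GPX 1.1 sample: one waypoint ("Waypoints" on the slides) and one track ("Tracks").
SAMPLE_GPX = """<?xml version="1.0"?>
<gpx version="1.1" creator="constructed sample" xmlns="http://www.topografix.com/GPX/1/1">
  <wpt lat="45.8150" lon="15.9819"><name>Home</name></wpt>
  <trk><name>Trip 1</name><trkseg>
    <trkpt lat="45.8150" lon="15.9819"><time>2012-05-01T08:00:00Z</time></trkpt>
    <trkpt lat="45.8000" lon="16.0000"><time>2012-05-01T08:10:00Z</time></trkpt>
  </trkseg></trk>
</gpx>"""

def parse_gpx(text):
    """Return (waypoints, tracks): waypoints as (name, lat, lon), tracks as (name, [(lat, lon), ...])."""
    root = ET.fromstring(text)
    waypoints = [(w.findtext(GPX_NS + "name", "unnamed"), float(w.get("lat")), float(w.get("lon")))
                 for w in root.iter(GPX_NS + "wpt")]
    tracks = []
    for trk in root.iter(GPX_NS + "trk"):
        points = [(float(p.get("lat")), float(p.get("lon"))) for p in trk.iter(GPX_NS + "trkpt")]
        tracks.append((trk.findtext(GPX_NS + "name", "unnamed"), points))
    return waypoints, tracks

def exif_gps_to_decimal(dms, ref):
    """Turn an EXIF GPSLatitude/GPSLongitude value (degrees, minutes, seconds as (num, den) rationals)
    plus its N/S/E/W reference tag into signed decimal degrees, using exact arithmetic."""
    degrees, minutes, seconds = (Fraction(n, d) for n, d in dms)
    value = degrees + minutes / 60 + seconds / 3600
    return float(-value if ref in ("S", "W") else value)

def to_kml(waypoints, tracks):
    """Emit KML: waypoints as Placemark/Point, tracks as Placemark/LineString (the slides'
    "Create KML LineStrings" choice). KML orders coordinates lon,lat,alt, not lat,lon."""
    out = ['<?xml version="1.0" encoding="UTF-8"?>',
           '<kml xmlns="http://www.opengis.net/kml/2.2"><Document>']
    for name, lat, lon in waypoints:
        out.append(f"<Placemark><name>{escape(name)}</name>"
                   f"<Point><coordinates>{lon},{lat},0</coordinates></Point></Placemark>")
    for name, points in tracks:
        coords = " ".join(f"{lon},{lat},0" for lat, lon in points)
        out.append(f"<Placemark><name>{escape(name)}</name>"
                   f"<LineString><coordinates>{coords}</coordinates></LineString></Placemark>")
    out.append("</Document></kml>")
    return "\n".join(out)

if __name__ == "__main__":
    wpts, trks = parse_gpx(SAMPLE_GPX)
    # Constructed EXIF-style GPSLatitude/GPSLongitude rationals and refs, as read from a photo's GPS IFD.
    wpts.append(("Photo", exif_gps_to_decimal(((45, 1), (48, 1), (54, 1)), "N"),
                 exif_gps_to_decimal(((15, 1), (58, 1), (5484, 100)), "E")))
    print(to_kml(wpts, trks))
```

Running the script prints a KML document that can be saved and opened in Google Earth; the photo placemark lands on the same spot as the "Home" waypoint, which is a quick sanity check that the lon,lat ordering and the hemisphere sign are right.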
Conclusion ?
• It is a wild area
• in development: new models, new features, encryption, applications on devices
• legal issues
• a lot to learn
Page 31

Questions ?
damir.delija@insig2.hr
Page 32