GPS Presentation Transcript

  • 1. GPS forensic analysis, Damir Delija, Insig2, 2012
  • 2. What we will talk about
    – GPS: how to acquire evidence; where we can find GPS (a device or just the functionality)
    – What we can find on a GPS; what tools and procedures to use
    – Examples in EnCase: Magellan, TomTom, Exif data (the example slides are here as help/ideas for practitioners)
  • 3. Sources
    – The material is a compilation of various sources:
    – Cellebrite, “Portable GPS Forensic”
    – “GPS Device Acquisition and Examination”, CEIC 2012, by Nathen Langfeldt, Guidance Software, Inc.
    – “Forenzika GPS uređaja” (GPS device forensics), Filip Baričević, DATAFOCUS 2012
  • 4. GPS
    – GPS: Global Positioning System
    – Not only GPS, but also other systems: Russia, China, India, EU, ...
  • 5. GPS embedded in another device
    – Mobiles / smartphones
    – Tablets, PCs
    – Cars, robots (?)
    – Usually a direct connection to the Internet and live map access
  • 6. GPS standalone devices
    – Garmin
    – Magellan
    – MIO
    – TomTom
    – Maps are prepared and sold by the vendor
    – Maybe the small vendors will go extinct
  • 7. Forensic tools and GPS
    – Today all commercial tools support GPS data extraction; the level of support varies and depends on the model, encryption, ...
    – The idea is to get the geolocation data out and put it on a map, together with all other available data from the device; location data can be obtained from other sources too
    – There is a BIG difference between mobile device forensic tools and general purpose forensic tools
  • 8. Forensic tool examples
    – EnCase, a general purpose forensic tool: support for geolocation data extracted from evidence as part of the smartphone support module; support for standalone devices as a disk image, with EnScripts to extract the data
    – UFED Ultimate / UFED Physical Analyzer, a mobile device forensic tool: support only for geolocation data extracted from evidence as part of smartphone support (some magic can be done too); support for standalone devices, but handled the same way as mobile phones or smartphones; support for encrypted logs and data on some standalone devices (TomTom); Python scripts for additional processing
    – It is almost impossible to combine the results of both tools: it takes a lot of effort, and there is no standardization (like the E01 format in traditional digital forensics)
  • 9. GPS information
    1. travel path
    2. trackpoints (coordinates)
    3. waypoints (coordinates and names)
    4. route (list of waypoints)
    5. saved locations
    6. video, pictures
    7. all other available data from the device related to locations / positions
  • 10. Example: TomTom data
    – *.cfg: locations
    – ttgo.bif, ttnavigator.bif: general info on the device, S/N, model, ...
    – password (encrypted)
    – settings.dat: IDs, user data, ...
    – triplog files: encrypted files with the user's route data
  • 11. GPS seizure
    – Device seizure is the first step and can be difficult
    – These devices send and receive signals when powered on, so precautions need to be taken
    – How do you stop a GPS from updating its location? If possible, a Faraday bag
    – What if a Faraday bag is not available???
    – Once the device is protected, what next?
  • 12. What is needed for acquisition
    – Once the device has been seized, the next logical step is to acquire the device.
    – The following tools could be important: a USB cable to connect the device to an acquisition machine/tool; a Faraday bag (as mentioned previously); a write blocker (either software or hardware is acceptable); a card reader (optional)
  • 13. Examples
    – EnCase details from CEIC 2012, “GPS Device Acquisition and Examination”: EnCase and Garmin; EnCase and TomTom; EnCase and Magellan; EnCase and Exif data
  • 14. EnCase and TomTom/Garmin
    – EnCase can acquire Garmin and TomTom GPS devices through the use of a write-block device
    – Note: if a media card is in use by the GPS device, the card must be removed and imaged separately. If it is not removed, the media card may be the only thing that shows up during a preview
  • 15. EnCase and Magellan
    – Similarly to Garmin or TomTom, acquisition of a Magellan GPS device can be accomplished by using a write-block device and a forensic acquisition tool (EnCase)
    – Some Magellans may not be imaged in this fashion
    – The only solution may be to use a backup of the device on a media card supported by the device
    – Or to use another tool like UFED
  • 16. Garmin device examination through EnCase
    – More can be done with Garmin .gpx files...
    – Aside from viewing the .gpx file within EnCase or an XML browser, the file can be viewed in Google Earth.
    – This can be accomplished in one of two ways. The first: bring the .gpx file out of EnCase and use a website to convert the file to KML. This site is used for the conversion:
  • 17. EnCase Garmin examination
    – Once at this site, the settings can be observed.
  • 18. EnCase Garmin examination
    – Click the “Create KML” button
    – A new page will be loaded
    – The KML file can then be downloaded
  • 19. EnCase Garmin examination
    – With the KML file brought into Google Earth, we can begin the examination.
    – When it is brought in, the data will show up under Temporary Places.
  • 20. EnCase Garmin examination
    – The data is broken down into two main pieces: Waypoints and Tracks
    – Waypoints contain data like address book entries
    – Tracks can contain data from recently traveled routes
  • 21. EnCase Garmin examination
    – An example of a Waypoint
  • 22. EnCase Garmin examination
    – The other option is to bring the KML file straight into Google Earth
    – If this option is used, you will be presented with three options.
    – “Create KML LineStrings” is unchecked by default; it is recommended that this be checked
  • 23. EnCase Garmin examination
    – In summary, Garmin GPS devices are super easy to examine and can be the most fruitful
    – The data is easy to access and should not be overlooked
    – Some upcoming challenges: who uses a portable GPS device? Garmin now has multiple apps available for download
  • 24. EnCase TomTom examination
    – TomTom GPS devices have been around for some time and are widely used
    – The examination of these devices is a bit different
    – TomTom GPS devices can in some ways store more info than Garmin
  • 25. EnCase TomTom examination
    – With TomTom GPS devices, a few files will be of interest to us
    – To start, we can look at CurrentMap.dat
    – In this example the file is sitting at the root of the device
    – This will give the name of the map that is currently in use
    – As you can see in the example, “North_America_2GB” is the name of the map being used
  • 26. EnCase TomTom examination
    – In summary, TomTom GPS devices can be examined through the use of an EnScript module or third-party tools
    – If trip logs are present, a request could be made to TomTom in an attempt to get the logs decrypted (or through UFED tools)
    – Some upcoming challenges: who uses a portable GPS device? TomTom now has multiple apps available for download
  • 27. EnCase Magellan examination
    – Magellan devices can be more difficult, in part because of the acquisition process
    – Some Magellan devices may not be able to be acquired at the physical level
    – In those cases it might be possible to create a backup through the device directly to an SD card
    – The SD card containing the backup can then be acquired
  • 28. EnCase Magellan examination
    – In summary, Magellan GPS devices are the most difficult to examine due to the limited information available
    – Though third-party tools are available, their ability to parse data may be limited by the actual models supported
    – Some upcoming challenges: who uses a portable GPS device? Magellan now has multiple apps available for download
  • 29. Examination of EXIF GPS data
    – The examination of EXIF GPS data can be made simple
    – This data can be extracted and made invaluable through the use of various third-party tools or an EnScript program
    – The “Exif GPS Information Reader” EnScript module will be used here
    – The images used here were taken with a BlackBerry
  • 30. Examination of EXIF GPS data
    – The exported KML file can be viewed in Google Earth
  • 31. Conclusion?
    – It is a wild area
    – In development: new models, new features, encryption, applications on devices
    – Legal issues
    – A lot to learn
  • 32. Questions?
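Slides 16–22 convert a Garmin .gpx file to KML (with “Create KML LineStrings” checked) so waypoints and tracks can be viewed in Google Earth. The following is an added example, not part of the presentation or of any tool it names, that performs the same conversion offline with the Python standard library; the sample GPX is constructed, not data from a real device.

```python
import xml.etree.ElementTree as ET

GPX_NS = "http://www.topografix.com/GPX/1/1"
KML_NS = "http://www.opengis.net/kml/2.2"
# Constructed sample GPX (not from a real Garmin): one waypoint and one short track.
SAMPLE_GPX = f"""<?xml version="1.0"?>
<gpx version="1.1" creator="constructed-sample" xmlns="{GPX_NS}">
  <wpt lat="45.8150" lon="15.9819"><name>Home</name></wpt>
  <trk><name>Trip 1</name><trkseg>
    <trkpt lat="45.8150" lon="15.9819"><time>2012-05-01T08:00:00Z</time></trkpt>
    <trkpt lat="45.8200" lon="15.9900"><time>2012-05-01T08:05:00Z</time></trkpt>
    <trkpt lat="45.8300" lon="16.0000"><time>2012-05-01T08:10:00Z</time></trkpt>
  </trkseg></trk>
</gpx>"""

def parse_gpx(text):
    """Return (waypoints, tracks): (name, lat, lon) and (name, [(lat, lon, time)...])."""
    ns = {"g": GPX_NS}
    root = ET.fromstring(text)
    wpts = [(w.findtext("g:name", "", ns), float(w.get("lat")), float(w.get("lon")))
            for w in root.findall("g:wpt", ns)]
    tracks = []
    for t in root.findall("g:trk", ns):
        pts = [(float(p.get("lat")), float(p.get("lon")), p.findtext("g:time", "", ns))
               for p in t.findall("g:trkseg/g:trkpt", ns)]
        tracks.append((t.findtext("g:name", "", ns), pts))
    return wpts, tracks

def gpx_to_kml(text):
    """One Placemark per waypoint, one LineString per track ("Create KML LineStrings")."""
    wpts, tracks = parse_gpx(text)
    K = lambda tag: f"{{{KML_NS}}}{tag}"
    ET.register_namespace("", KML_NS)
    kml = ET.Element(K("kml"))
    doc = ET.SubElement(kml, K("Document"))
    for name, lat, lon in wpts:
        pm = ET.SubElement(doc, K("Placemark"))
        ET.SubElement(pm, K("name")).text = name
        # KML coordinates are lon,lat,alt: the reverse of GPX's lat/lon attribute order.
        ET.SubElement(ET.SubElement(pm, K("Point")), K("coordinates")).text = f"{lon},{lat},0"
    for name, pts in tracks:
        pm = ET.SubElement(doc, K("Placemark"))
        ET.SubElement(pm, K("name")).text = name
        if pts and pts[0][2] and pts[-1][2]:  # keep when the route was driven
            span = ET.SubElement(pm, K("TimeSpan"))
            ET.SubElement(span, K("begin")).text = pts[0][2]
            ET.SubElement(span, K("end")).text = pts[-1][2]
        line = ET.SubElement(pm, K("LineString"))
        ET.SubElement(line, K("coordinates")).text = " ".join(f"{lon},{lat},0" for lat, lon, _ in pts)
    return ET.tostring(kml, encoding="unicode")
```

Write the returned string to a .kml file and open it in Google Earth; the track then appears as a line under Temporary Places, with its time span preserved for the timeline.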
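Slide 29 extracts GPS positions from EXIF metadata. The added example below is not from the presentation or the EnScript it mentions: it decodes an EXIF GPS IFD into a signed decimal fix with altitude and UTC time, refusing to guess when tags are missing or malformed. The sample IFD is constructed and assumes rationals are passed as (numerator, denominator) pairs.

```python
from fractions import Fraction

# EXIF GPS IFD tag numbers (EXIF 2.x specification).
LAT_REF, LAT, LON_REF, LON, ALT_REF, ALT, TIMESTAMP, DATESTAMP = 1, 2, 3, 4, 5, 6, 7, 29

# Constructed GPS IFD, not from a real image, with rationals as (numerator, denominator) pairs:
# 45°48'54.00" N, 15°58'54.84" E, 123.4 m above sea level, 08:05:00 UTC on 2012-05-01.
SAMPLE_GPS_IFD = {
    LAT_REF: "N", LAT: ((45, 1), (48, 1), (5400, 100)),
    LON_REF: "E", LON: ((15, 1), (58, 1), (5484, 100)),
    ALT_REF: 0, ALT: (1234, 10),
    TIMESTAMP: ((8, 1), (5, 1), (0, 1)), DATESTAMP: "2012:05:01",
}

def dms_to_decimal(dms, ref):
    """Degrees/minutes/seconds rationals plus hemisphere letter -> signed decimal degrees."""
    deg, minutes, seconds = (Fraction(n, d) for n, d in dms)
    value = deg + minutes / 60 + seconds / 3600
    return float(-value if ref in ("S", "W") else value)

def decode_gps_ifd(ifd):
    """Return {'lat', 'lon'[, 'alt_m'][, 'utc']} or None when there is no usable fix."""
    if any(tag not in ifd for tag in (LAT_REF, LAT, LON_REF, LON)):
        return None  # stripped or partial EXIF is common; never guess a position
    try:
        lat = dms_to_decimal(ifd[LAT], ifd[LAT_REF])
        lon = dms_to_decimal(ifd[LON], ifd[LON_REF])
    except (TypeError, ValueError, ZeroDivisionError):
        return None  # malformed rationals (e.g. zero denominators) also mean no fix
    if not (-90 <= lat <= 90 and -180 <= lon <= 180):
        return None
    fix = {"lat": lat, "lon": lon}
    if ALT in ifd:
        n, d = ifd[ALT]
        fix["alt_m"] = -n / d if ifd.get(ALT_REF) == 1 else n / d  # ref 1 = below sea level
    if TIMESTAMP in ifd and DATESTAMP in ifd:
        h, m, s = (int(n / d) for n, d in ifd[TIMESTAMP])
        fix["utc"] = f"{ifd[DATESTAMP].replace(':', '-')}T{h:02d}:{m:02d}:{s:02d}Z"
    return fix
```

The decoded lat/lon pairs can be emitted as KML Placemarks in the same way as GPX waypoints (remember the lon,lat order) to view the photo locations in Google Earth.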