Categories
Blog Cell Phone Forensics GPS Forensics iPhone Forensics Location Data Forensics MFC 2012 Mobile Forensic Conference 2012 Mobile Forensics

iPhone Forensics / Location Information – MFC 2012

Don’t Try Hiding Where You Have Been If You Use An iPhone!

Terry McGuire, of CMD Labs, went over some test data he had acquired in relation to location data on his iPhone and TomTom GPS. If you are familiar with the forensic examination of these two devices this maybe an overview, but you make learn something too. Terry activated a new number with a iPhone to obtain new data between his trip from VA to SC for the Mobile Forensic Conference 2012. Within the iPhone there are 3 main files that the maps/directions will be stored in and these can be found under mobile/library/maps:

bookmarks.plist

directions.plist

history.plist

If you are unfamiliar with what a .plist is, it is simply means property list. You can obtain these files and view them with a plist editor or even just a hex editor. In the bookmarks.plist file the data contains is just that, bookmarked locations within your maps app. You have have bookmarked address for home, work, school, or a favorite restaurant you went to a few month ago. Within the directions.plist file you will find the actual data for a trip. It will give you the turn by turn directions along with date and time stamps (usually, not always). You must be aware though that even if a location is mapped out and the directions are shown in the directions.plist file does not automatically mean the trip was made. Someone could have entered the address for directions and canceled them without ever making a trip. This information should be used to corroborate other evidence you have. Within the history.plist you will find a list of past trips, but only the starting and ending spots will appear here.

When dealing with photos on the device you can find location data in the metadata. The pictures/videos can be found in the 100APPLE folder. This is located under the DCIM and holds all of the USER interacted pictures and videos. This will not include any cached photos from the web. This is a nice folder to look at when you don’t want to deal with the parsed pictures that include buttons, caches, and what not. The metadata within theses user interacted pictures and videos is rather accurate. Terry took a photo the night before at a local restaurant and than showed the location data within that image. It was dead on.

Within the iPhone you can also find cell tower data. This data will not tell you exactly where each call was made, but it will give you a list of towers that the phone, you’re investigating, has picked up on. So, if I am sitting in Myrtle Beach right now using “tower 1” my iPhone will show that, but it will also show about 5-10 other towers that I drove by or that it already knows are near me. This could be helpful when added to other pieces of evidence or putting someone at a specific spot. The  storage for this information is different in the iPhone 3G/3GS and iPhone 4. Here are the files where this data is held:

3G/3GS – Cells.plist, H-Cells.plist, and H-wifi.plist

4 – data/root/library/caches/locationd/consolidated.db

4 w/ 5.1.1 iOS – data/root/library/caches/locationd/cache_encryptedA.db

As of now the cache_encryptedA.db file is no longer backed up with the phone when connected to the PC. So when examining an iPhone backup with 5.1.1 iOS you will no longer see that database file with the cell tower data.

Something very interesting about a specific APP that some of you may user regarding location sharing. Foursquare saves your location information for places you have never even been. (I have not had the chance to personally test this, but per Terry he tired and tested this on his device). Foursquare will save location information for nearby spots and could give the examiner false presumptions about the whereabouts of a suspect. Be aware of this for your investigations.

TomTom GPS forensics seems to be pretty straight forward. The TomTom can be acquired with Cellebrite and examined with it. TomTom will store this specific data (some early versions saved a TON more):

Fixes – Locations

Journeys – Trip Info

Locations – Home addresses or saved address

other data (depending on if they used it to save photos or what not)
Until next time! Thanks!