Auckland University of Technology, New Zealand
Auckland University of Technology, New Zealand
Cusack, B. & Simms, M. (2011). Evidential recovery from GPS devices. Journal of Applied Computing and Information Technology, 15(1). Retrieved October 28, 2020 from http://www.citrenz.ac.nz/jacit/JACIT1501/2011Cusack_EvidentialRecovery.html
Global Positioning Systems (GPS) have become more affordable, are now widely used in motor vehicles and in other frequently used applications. As a consequence GPS are increasingly becoming an important source of evidential data for digital forensic investigations. This paper acknowledges there are only disparate documents for the guidance of an investigator when extracting evidence form such systems. The focus of this paper is to provide the technical details of recovering artifacts from four GPS currently available to the New Zealand market. Navman brand GPS are used, following a forensically robust process. The steps of the process are described, results analysed and the associated risks are discussed. In addition, the paper discusses techniques related to the visual presentation of evidence suitable for Google Maps. Automation attempts to speed up the analysis to visualization steps are also included. The outcome is a road map that may assist digital forensic investigators develop GPS examination strategies for implementation in their own organizations.
GPS, Evidential Data, Journey Data, Examination Strategy
Law enforcement computer forensic laboratories are expected to face an upsurge in the number of GPS devices requiring examination on account of the greater public use of the devices. In a forensic context, the popularity of these small and affordable vehicle mounted navigation devices has made the extraction of log and user related information an increased priority. The data recovered can be used to assist a diverse array of criminal and civil investigations. In particular dates, times and geographical positions may be valuable in reporting events of interest.
The 'Navman' is one such popular GPS device that is used by many people while tramping, and also for vehicle mounted applications. The recent upsurge in GPS usage has brought with it a parallel upsurge of publications aimed at the forensic investigator audiences. However the literature is both recent and limited in standardized advice on how to proceed in evidence extraction and analysis.
GPS related research has focused on the forensic analysis of TomTom devices. Nutter (2008) provided a detailed forensic account of identifying and extracting GPS location records from a .cfg file on a TomTom device which attracted the attention of United Kingdom based privacy experts and the TomTom manufacturer themselves. Following a different approach van Eijk and Roeloffs (2010) expanded on earlier JTAG (Joint Test Action Group) research by Breeuwsma (2006) and developed imaging methodologies to assist an examiner in capturing volatile data from the Random Access Memory (RAM) on TomTom GPS devices. They used JTAG boundary scanning and a modified Linux distribution called 'TomCopy' to directly access the RAM via a preloaded SD (Secure Digital) memory card.
The Navman device has had less exposure in the literature and there have been few local reports of related forensic research to date. Online forensic resources such as GPSForensics.org (2010) and Forensics from the sausage factory (2009) do however provide examiners with basic recovery techniques and also identify some files of interest to be used as baseline examination reference points. From an examiner's point of view, these references are incomplete and are not detailed enough to provide procedural guidance. In addition the market place for devices is continually changing. Most models and the related literature out-date quickly and the new releases all have different hardware and software innovations. The international literature often reports devices and models that have not been or will not be released onto the New Zealand market. Another related issue is that of 'regionality': as normally a GPS device is region specific there is a need for standardization with respect to extracting and processing evidence from such devices.
The aim of this paper is to report on the findings from a laboratory investigation into four GPS recently released into the New Zealand market. A number of standardized techniques to assist examiners with the extraction and analysis of data from Navman GPS devices are identified. The four devices are the MY-50, the S-90i, the C40, and the F20 models. The method is case descriptive and the intention is to disclose technical detail relevant to an investigator. Each device is forensically imaged using FTK Imager (Access Data, 2010) so that a standardized extraction and analysis methodology can be created to allow the decoded navigation information to be easily displayed to investigators or for disclosure purposes. Attention is also paid to the case where an end user may have deleted information, and the related recovery processes.
The paper is structured as follows. The next section provides the technical details of location and information storage relevant to the device imaging phase. The following section demonstrates how to extract evidence and proceed with an analysis using the FTK Imager tool. In the last two sections other software tools are recommended and the potential to automate the evidential visualization is discussed.
Forensic Imaging is the first phase of a digital investigation where images of the evidence are acquired by performing a pre-set procedure and applying technically defendable processes that maintain the integrity of the evidence. Late model Navman GPS devices such as the MY and S-Series contain internal non-volatile and volatile RAM memory. There is at the same time the provision for additional mapping and data storage purposes through the use of a MicroSD memory card bay. Under normal circumstances the easiest and simplest method for extracting data from these types of devices is to make a bit-for-bit forensic image copy of the physical device. This can be achieved by connecting the device to a computer system via USB mass storage mode with a software write-blocker enabled (hardware write-blockers are not applied using this methodology). Standard industry forensic software tools such as FTK Imager or EnCase Forensic (Guidance Software, 2010) are widely used by examiners for imaging purposes and are applicable. Figure 1 shows a successful connection to a Navman MY-50 GPS device in Windows using FTK Imager.
Earlier models such as the F-Series contain DAT files which store journey, destination and system information on a MicroSD memory card. The memory card is hidden under a sticker on the rear of the unit (Forensics from the sausage factory, 2008) and can be removed and imaged using standard forensic software tools and additional equipment such as a Tableau USB hardware write-blocker (Tableau, 2010) with a read-only card reader.
The devices were imaged and verified using FTK Imager and EnCase Forensic software to provide sample data for the research and to illustrate the method. Table 1 displays an extract of the computed message digest results and verification notes for each of the four devices that were imaged during the research. The hash algorithm applied was MD5 - an industry standard hashing algorithm used to create a "digital fingerprint" ( signatures") of data streams. It is widely used to validate and verify the integrity of forensic images after the imaging process or when an image file (also known as an evidence file) is moved to another storage location. Any sector or verification error(s) will be noted by most forensic software applications that support the feature. Hence the integrity of the technical processes is maintained and any alterations to evidence quickly found. An investigator usually takes three images of any one storage device. The original is stored (but not used) and an image is used for the extraction phase. Two images are usually kept on site for the extraction phase and the third at a remote (but secure) location.
After the imaging phase, system and log files were examined using EnCase Forensic (Version 184.108.40.206) software to extract the files of interest to an investigation. These files and file types are itemized below. In Table 2 a full tabulation of the files is presented.
On later model Navman devices the path.xml file in Table 2 provides the examiner with a starting point to quickly identify the common storage locations. This step is pivotal in starting the investigation. Based on results from the current research and on previous Navman examinations, a number of additional files stored in the \Program Files\Navman folder have been identified as containing potential evidence for investigators to review. Examples include:
Further files of potential evidential value were also found under the \My Documents folder:
The results are summarized in Table 3. The C, MY and S series provide similar data stores. On the older F-Series device, the ROUTE.DAT file contains the last journey information; the FAVVER4.DAT file contains saved favorite journeys and the RECENT.DAT file contains a list of destination locations. Further analysis techniques related to these DAT files are elaborated on below.
Late model Navman GPS can contain up to 10 log files that conform to the specification known as NMEA 0183 (NMEA 2008; 2009; 2010). This standard data protocol consists of code structures called 'sentences'. It is maintained by NMEA (National Marine Electronics Association) and is used by a large number of maritime and land based GPS receivers. Device manufacturers such as Garmin also produce their own proprietary NMEA 'sentence' formats to provide additional sensor, beacon and output sentence information for the device. Knowledge of these sentence structures can help the examiner reconstruct actual occurrences and also create the link to visual models such as the ones provided by Google Maps.
NMEA data that could potentially assist an examiner during the analysis phase of a GPS examination include:
Figure 2 provides an example that was extracted in the simulation exercise. A standard 12 element comma-delimited $GPRMC sentence is analyzed in order to provide information that can guide an investigator.
Each sentence contains coded 'elements' or 'entries' . In the example, the string $GPRMC is the first element of the sentence. As shown each element has been decoded in order to establish its meaning.
According to Forensics from the sausage factory (2008) a device such as the Navman F20 saves GPS data records in blocks of 520 bytes within a .DAT file. Each record contains a location name in ASCII text and latitude and longitude coordinates which are stored in 8 byte length each near the end of the block. The GPS coordinates at Record Offset 512 in the ROUTE.DAT file and at Record Offset 508 in the RECENT.DAT file were decoded by using the built-in EnCase 32-bit integer decoder as shown in Figure 3.
The Latitude and longitude integer values require a further calculation (i.e. division by 100,000) so they are more easily displayed with online mapping applications such as Google Maps.
Deleted journey related xml data can also be recovered from unallocated clusters by mounting the forensic image with forensic software (e.g. EnCase) and searching for unique strings that are commonly found in such records. Keyword search techniques are often the best starting point if no xml files can be located in the UserData storage location (Refer Table 2). An extract from a deleted MyRecentLocations.xml file that was located in unallocated clusters by searching for a portion of the xml header using forensic software is shown in Figure 4. The original file had previously been deleted to simulate the actions of a user who had deleted user saved xml data via the Settings menu on a Navman MY-50 GPS device. The recovered files provide explicit and detailed information that can be helpful in an investigation.
The recovery of deleted files is critical in the forensic examination of a device. Many users delete records after use and some employ anti-forensic techniques to conceal records. However it may be possible to recover these files as demonstrated.
After extracting log data from $GPRMC using forensic analysis techniques (as demonstrated above), the next step is to provide a review and reporting format. The process described next was tested in the course of the study and worked very reliably.
First option is to import the xml files of interest. $GPRMC data was imported into Microsoft Excel and the data was converted into a Keyhole Mark-up Language (kml) format (Google, 2010b) for use in Google Earth (Google, 2010a). Figure 5 demonstrates the use of Excel in converting the xml file format into a more user-friendly format which would allow investigators to review the results in Google Maps.
The Excel platform enables individual $GPRMC sentences to be filtered out of the extracted log files. So formulas can then be applied to convert the $GPRMC date and time stamps from UTC into local time offset values, to convert the speed from knots to kilometers per hour (km/h) and to provide the investigator with a hyperlink option for route logging via Google Maps.
Pearl and Visual Basic Scripting (VBS) languages also provide a platform for $GPRMC data to be converted into a kml file format. As part of this research a VBS programmed GPS Log Analysis software application was built to automate the extraction and kml conversion processes for Navman devices. The application provides an easy to use interface and fully automated process for examiners and first responders. At present it has built-in functionality for $GPRMC log extraction, individual sentence checksum validation, the identification of invalid sentence data and raw data conversion to a Google Earth supported kml format. Figures 6, 7 and 8 show screenshots of the logging output of the GPS Log Analysis application. The logging functionality is intended to be part of an examiner's case analysis records and could in the future be used for disclosure purposes.
Each output in figures 6-8 provides valuable access to potential evidential trials. As these figures were created to demonstrate the tool capability no factual information is delivered. However in Figure 7 for example the type of output is visible. The log shows audit data of a simulated event and the type of data available from the analysis. These outputs form the examiner's case analysis set of records and serve as the basis of an event report.
Few vendors offer extraction software solutions for Navman GPS devices. To date Navman support is limited to Micro Systemation's XRY Physical software product (msab, 2010).XRY Physical currently allows for the physical imaging of GPS devices in the form of hex-dumps and supports the decoding of associated data for Navman F35 and N188 models only. Figure 9 gives a screen shot of the interface of the example software tool that has the potential for a professional application.
In April 2010, Micro Systemation released XRY version 5.0 which supports the exporting of data into compressed Keyhole Markup Language files known as kmz files. This functionality allows an examiner in the field to extract and view GPS data using a standalone Google Earth application without the need for an active Internet connection. Further liaison with vendors such as Micro Systemation would be required in order to expand the extraction and imaging support for Navman GPS, and to develop further applied research in these visualization areas.
In this research all test devices and associated GPS data were able to be forensically imaged and successfully extracted without any technical issues being encountered when using the methodologies described above. The Microsoft Excel application developed by one of the authors and associated formulas have been tested on a number of actual cases as well. The application has increased the speed of evidence extraction while maintaining integrity. The ease of use and visual appearance of the extracted $GPRMC data when viewed with Google Maps and Google Earth has also enhanced the results of the reporting phase.
Whilst no technical issues were encountered during the imaging phase of this research, at least one of the three Navman S-90i GPS devices that were recently imaged in a local computer forensic laboratory had difficulty connecting to a software write-blocked Windows operating system via mass storage mode. This resulted in a number of system and log file timestamps being inadvertently changed as the particular device momentarily started from sleep mode before switching into USB mass storage mode. The issue is noted and was inadvertently replicated when one of the Navman devices was accidently dropped onto a hard surface which resulted in similar USB mass storage mode failures after the incident. No further issues of this nature have been noted whilst examining other Navman models in a laboratory environment. Further research and testing with shielded cable Faraday bags (Disklabs, 2008) still has to be completed to provide a more forensically sound solution for examinations and USB connection issues in the future.
A number of examination and reporting methodologies to enable an examiner to easily identify files of interest and to interpret NMEA specified log data from Navman GPS devices have been reported to fill in a gap in the related forensic methodologies literature: GPS forensic research and the creation of brand specific software applications have predominantly focused in recent years on TomTom devices. In contrast, this paper presents a method developed to support investigation involving Navman devices.
The paper describes in detail the imaging, extraction, analysis and reporting phases. The exploratory work on an automation application and the potential utilization of proprietary applications was also introduced . A major issue that needs to be mentioned is regionality. Almost every GPS device is region specific and driven by the dominant market players in the region. Future digital forensic tools will need to use a standardized format to extract evidence from region specific devices and to provide an automated solution for evidential visualization and reporting.
The resources at the Auckland University of Technology Digital Forensic Research Laboratories were used to facilitate this research.
Access Data. (2009). FTK imager - FTK imager 2.9.0. Retrieved 12 July, 2010, from http://www.accessdata.com/downloads.html
Breeuwsma, M. (2006). Forensic imaging of embedded systems using jtag (boundary-scan). Digital Investigation 2006, 3(1), 32-42.
Disklabs. (2008). Cable shield - Cable faraday solution (LDF/1). Retrieved 12 July, 2010, from http://www.faradaybag.com/faraday_bag_cable_shield.html
Forensics from the sausage factory. (2008). Navman F20 sat nav device. Retrieved 13 July, 2010, http://forensicsfromthesausagefactory.blogspot.com/2008/09/navman-f20-sat-nav-device.html
Forensics from the sausage factory. (2009). Navman S30 sat nav device. Retrieved 13 July, 2010, http://forensicsfromthesausagefactory.blogspot.com/2009/12/navman-s30-satnav-device.html
Google. (2010a). Google earth. Retrieved 13 July, 2010, from http://earth.google.com/
Google. (2010b). KML tutorial. Retrieved 13 July, 2010, from http://code.google.com/apis/kml/documentation/kml_tut.html
GPSForensics.org. (2010). GPSForensics. Retrieved 13 July, 2010, http://www.gpsforensics.org/
Guidance Software. (2010). Encase forensic. Retrieved 12 July, 2010, http://www.guidancesoftware.com/computer-forensics-ediscovery-software-digital-evidence.htm
msab. (2010). XRY physical software. Retrieved 12 July, 2010, from http://www.msab.com/products/xry0/overview/page.php
NMEA. (National Marine Electronics Association). (2008-2010). NMEA 0183 standard. Retrieved 12 July, 2010, from http://www.nmea.org/content/nmea_standards/nmea_083_v_400.asp
Nutter, B. (2008). Pinpointing tomtom location records: A forensic analysis, Digital Investigation 2008, 5(1-2), 10-18.
Tableau. (2003-2010). Tableau T8-R2 forensic usb bridge. Retrieved 12 July, 2010, fromhttp://www.tableau.com/index.php?pageid=products&model=T8-R2
Van Eijk, O., & Roeloffs, M. (2010). Forensic acquisition and analysis of the random access memory of tomtom GPS navigation systems, Digital Investigation 2010, 6 (3-4), 179-188.