Geolocation Artifacts & Timeline Analysis: A Digital Forensics Case Study

Post on 15-Jan-2015



A demonstration of how digital forensics tools and techniques can be used to analyze evidence recovered from computers and smartphones at different stages of an investigation, including tips on how to start a search for a missing person and how to find the evidence needed to support criminal charges.

Transcript of Geolocation Artifacts & Timeline Analysis: A Digital Forensics Case Study

Geolocation Artifacts and Timeline Analysis: A Case Study

JAMIE MCQUAID, FORENSICS CONSULTANT

The background story

Pre-Incident

• 18-year-old male (really a 29-year-old male using an alias)

• 16-year-old female

[Diagram: 16-year-old female and 29-year-old male]

Incident

[Diagram labels: "how to get away with murder", "murder sentences"; 29-year-old male and 16-year-old female; male friend and 29-year-old male; 29-year-old male]

Post-Incident

[Diagram: IP address, GPS]

The artifacts recovered

Artifacts Involved

PC artifacts:

• Facebook chat

• Gmail

• Google Maps

Android artifacts:

• Facebook chat / geolocation data

• Kik Messenger chat

• Web browser history / searches

From the victim – PC artifacts

Facebook Chat

• Used to be left behind on the hard drive in temporary text files, only a few formats

• Now mainly found in live RAM captures (more reason to do them!), and the pagefile.sys and hiberfil.sys files.

• Multiple formats, “emails” and chat sharing formats

Let’s look at a couple examples from our scenario

{"msg":{"text":"we shud meet up sometime","messageId":"msg.4962aae42bf457169292f6cca7a3d10771","time":1376178524576,"clientTime":137617852157,"msgID":"137617852457:3505393901","offline_threading_id":null},"from":1234532352361,"id":744370832,"to":1654639384933,"from_name":"John Smith","from_first_name":"John","to_name":"Jane Doe","to_first_name":"Jane","tab_type":"friend","sender_offline":false,"show_orca_callout":false,"window_id":"3016689585","type":"msg"}

{"from":1654639384933,"to":1234532352361,"time":1376178495576,"msgId":"1376178495576:339157531","msg":{"text":"how old are you?","messageId":"id.246200318749902"},"type":"msg"}

Gmail Webmail

• Traces of data seen in the Inbox view left behind, sometimes full messages as well

• Found in live RAM (again!), the pagefile.sys / hiberfil.sys, and sometimes unallocated space / temporary internet files

Let’s take a look at an example from the scenario

"\u003cspan class\u003d\"yP\" email\u003d\"janedoe1997@gmail.com\"\u003eme\u003c/span\u003e, \u003cspan class\u003d\"yP\" email\u003d\"johndoe29yrsold@yahoo.com\"\u003eJohn\u003c/span\u003e","\u003cb\u003e\u0026raquo;\u003c/b\u003e\u0026nbsp;","\u003cb\u003eMap for Bass Lake\u003c/b\u003e","hey there sweetie, here's a map of the lake \u0026hellip;",0,"","map.jpg","\u003cb\u003eAug 10\u003c/b\u003e","Thu, Aug 10, 2013 at 8:28 PM",1376180932576983,1,[],0,0,[]
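The two chat records above use different layouts (the timestamp sits at the top level in one and inside "msg" in the other) and the Gmail row stores its timestamp in microseconds rather than milliseconds. The following is an added example, not code from the original presentation or from Magnet Forensics: it carves JSON objects out of a constructed memory-style blob, normalises the different epoch units to UTC, and merges the Facebook and Gmail entries into one timeline. The blob and the Gmail row are constructed sample data modelled on the fragments shown.

```python
import json
import re
from datetime import datetime, timezone

# Constructed memory-dump fragment modelled on the Facebook chat records above
# (fictitious scenario ids); the JSON sits between arbitrary bytes, as it would
# in a RAM capture or pagefile.sys.
BLOB = (
    b"\x00\x17junk{\"from\":1654639384933,\"to\":1234532352361,\"time\":1376178495576,"
    b"\"msg\":{\"text\":\"how old are you?\",\"messageId\":\"id.246200318749902\"},\"type\":\"msg\"}"
    b"\xff\xfe{\"msg\":{\"text\":\"we shud meet up sometime\",\"time\":1376178524576},"
    b"\"from\":1234532352361,\"to\":1654639384933,\"from_name\":\"John Smith\","
    b"\"to_name\":\"Jane Doe\",\"type\":\"msg\"}\x00more junk{\"broken\":"
)
# Constructed Gmail inbox row: (sender, recipient, subject, microsecond epoch as seen above).
GMAIL_ROW = ("johndoe29yrsold@yahoo.com", "janedoe1997@gmail.com",
             "Map for Bass Lake", 1376180932576983)

def epoch_to_utc(value: int) -> str:
    """Normalise s / ms / us epoch values (unit guessed from magnitude) to a UTC string."""
    if value < 10**11:
        secs = value
    elif value < 10**14:
        secs = value / 1000
    else:
        secs = value / 1_000_000
    return datetime.fromtimestamp(secs, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def carve_fb_chat(blob: bytes) -> list:
    """Find every JSON object in a raw blob and keep the Facebook chat ones.
    latin-1 maps bytes 1:1 so offsets survive; raw_decode copes with nested braces."""
    text = blob.decode("latin-1")
    dec = json.JSONDecoder()
    found, last_end = [], 0
    for m in re.finditer(r'\{"', text):
        if m.start() < last_end:            # inside an object already decoded
            continue
        try:
            obj, last_end = dec.raw_decode(text, m.start())
        except ValueError:                  # truncated or not JSON: skip it
            continue
        if isinstance(obj, dict) and obj.get("type") == "msg" and "msg" in obj:
            ms = obj.get("time", obj["msg"].get("time"))   # handles both layouts
            found.append({"when": epoch_to_utc(ms), "source": "Facebook chat",
                          "from": obj.get("from_name", str(obj["from"])),
                          "to": obj.get("to_name", str(obj["to"])),
                          "content": obj["msg"]["text"]})
    return found

def build_timeline(blob: bytes, gmail_rows) -> list:
    """Merge carved chat and Gmail rows into one list ordered by UTC time."""
    events = carve_fb_chat(blob)
    for sender, rcpt, subject, us in gmail_rows:
        events.append({"when": epoch_to_utc(us), "source": "Gmail",
                       "from": sender, "to": rcpt, "content": subject})
    return sorted(events, key=lambda e: e["when"])
```

Convert the UTC values to the local zone of the case only at reporting time; keeping every source in UTC first is what makes the cross-artifact ordering trustworthy.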

Google Maps

• Depending on the browser used, URLs may or may not be found in web history records

• However, data is left behind containing URLs and other data regarding the addresses searched / directions obtained

• Can be found in live RAM, pagefile.sys, hiberfil.sys, temporary internet files, and unallocated space

• Useful in many types of cases (homicides, child luring, terrorism) to see where someone was searching on a map or getting directions to

Let’s take a look at an example from our scenario

x3e\x3c/p\x3e\x3cp\x3e\x3ca href=\"/maps?f=d\x26source=s_d\x26saddr=178+Tunbridge+Road,+Barrie,+ON\x26daddr=2+Beach+Road,+Orillia,+ON\x26hl=en\x26geocode=FVYJmgId7c1E-ykrvt5kMsvUiTG5ip6SijM5eA%3B\x26authuser=0\x26aq=0\x26oq=2+beach+road,\x26vps=2\x26jsv=470c\x26sll=44.610512,-79.502563\x26sspn=0.361728,0.837021 \x26vpsrc=6\x26dirflg=d\x26ttype=now\x26noexp=0\x26noal=0\x26sort=def\x26mra=ls\x26ie=UTF8\x26ct=clnk\x26cd=1\"\x3eGet driving directions\x3c/a\x3e from \x3cb\x3e178 Tunbridge Rd, Barrie, ON L4M\x3c/b\x3e to \x3cb\x3e2 Beach Rd, Orillia, ON L3V 6H1\x3c/b\x3e.\x3c/p\x3e\x3c/div\x3e\x3cdiv id
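The carved fragment above is HTML that was embedded in a JavaScript string, so every "<" is written as \x3c and every "&" as \x26, and the origin, destination and map centre are query parameters inside the href. This added example (not code from the original presentation or from Magnet Forensics) reverses those escapes and pulls the route details out of a constructed fragment in the same form; the dirflg meanings are an assumption based on how classic Google Maps URLs were used.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed fragment in the same escaped form as the carved Google Maps data above.
CARVED = (r'\x3cp\x3e\x3ca href=\"/maps?f=d\x26source=s_d\x26saddr=178+Tunbridge+Road,+Barrie,+ON'
          r'\x26daddr=2+Beach+Road,+Orillia,+ON\x26hl=en\x26sll=44.610512,-79.502563'
          r'\x26sspn=0.361728,0.837021\x26dirflg=d\x26ttype=now\x26ie=UTF8\"\x3e'
          r'Get driving directions\x3c/a\x3e\x3c/p\x3e')

# Travel-mode flag of the classic Maps URL (assumed mapping).
DIRFLG = {"d": "driving", "w": "walking", "r": "transit", "b": "bicycling"}

def unescape_js(fragment: str) -> str:
    r"""Reverse JavaScript string escapes (\xNN, \uNNNN, \", \\) to recover the HTML."""
    return fragment.encode("ascii").decode("unicode_escape")

def directions_from_carve(fragment: str) -> list:
    """Return one record per /maps?... link: origin, destination, mode and map centre."""
    html = unescape_js(fragment)
    records = []
    for href in re.findall(r'href="(/maps\?[^"]*)"', html):
        q = parse_qs(urlsplit(href).query)            # decodes '+' and %XX for us
        rec = {"saddr": q.get("saddr", [""])[0],
               "daddr": q.get("daddr", [""])[0],
               "mode": DIRFLG.get(q.get("dirflg", [""])[0], "unknown")}
        if "sll" in q:                                  # map centre when the search ran
            lat, lon = q["sll"][0].split(",")
            rec["center"] = (float(lat), float(lon))
        records.append(rec)
    return records
```

The sll centre is only where the map was looking, not a device fix; treat it as corroboration for the address strings rather than as a location of the user.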

From the suspect – Android artifacts

Facebook

• Focusing on chat in this scenario and the geolocation data stored

• Data is located in the following folder on the ‘data’ partition: com.facebook.katana

• File we’re interested in is named “threads_db2”

• SQLite database

Let’s take a look at the data from our case

The ‘databases’ folder

threads_db2 – main.messages


Kik Messenger

• Again, focusing on chat in this webinar but there is potentially a lot of great data here

• Data is located in the following folder on the ‘data’ partition: kik.android

• File we’re interested in is named “kikDatabase.db”

• SQLite database (surprise!)

Let’s take a look at the data from our case

The ‘databases’ folder

kikDatabase.db – main.messagesTable

Android Browser

• Quick overview of the native browser in Android

• Data is located in the following folder on the ‘data’ partition: com.android.browser

• File we’re interested in is named “browser2.db”

• SQLite database (noticing a theme?)

Let’s take a look at the data from our case

The ‘databases’ folder

browser2.db – main.history

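All three Android sources above are SQLite files with a millisecond epoch column, so one routine can pull them into a single timeline. This added example (not code from the original presentation or from Magnet Forensics) builds constructed in-memory stand-ins for threads_db2, kikDatabase.db and browser2.db and merges them; the column names and the JSON layout of the Facebook coordinates are assumptions, to be replaced after checking each file's real schema in sqlite_master.

```python
import json
import sqlite3
from datetime import datetime, timezone

# Column names are assumptions; confirm them first with:
#   SELECT name, sql FROM sqlite_master WHERE type = 'table'
QUERIES = {
    "threads_db2":    "SELECT timestamp_ms AS ts_ms, text AS what, coordinates AS extra FROM messages",
    "kikDatabase.db": "SELECT timestamp AS ts_ms, body AS what, partner_jid AS extra FROM messagesTable",
    "browser2.db":    "SELECT date AS ts_ms, url AS what, title AS extra FROM history",
}

def ms_to_utc(ms: int) -> str:
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def make_demo_dbs() -> dict:
    """Constructed in-memory stand-ins for the three databases (fictitious data)."""
    fb, kik, br = (sqlite3.connect(":memory:") for _ in range(3))
    fb.execute("CREATE TABLE messages(timestamp_ms INTEGER, text TEXT, coordinates TEXT)")
    fb.execute("INSERT INTO messages VALUES(?,?,?)",
               (1376178524576, "we shud meet up sometime",
                json.dumps({"latitude": 44.389, "longitude": -79.690})))
    kik.execute("CREATE TABLE messagesTable(timestamp INTEGER, body TEXT, partner_jid TEXT)")
    kik.execute("INSERT INTO messagesTable VALUES(?,?,?)",
                (1376265000000, "you around later?", "friend_kik"))
    br.execute("CREATE TABLE history(date INTEGER, url TEXT, title TEXT)")
    br.execute("INSERT INTO history VALUES(?,?,?)",
               (1376100000000, "https://www.google.com/search?q=how+to+get+away+with+murder",
                "how to get away with murder - Google Search"))
    return {"threads_db2": fb, "kikDatabase.db": kik, "browser2.db": br}

def build_timeline(dbs: dict) -> list:
    """Merge rows from every database into one list sorted by UTC time."""
    events = []
    for name, conn in dbs.items():
        for ts_ms, what, extra in conn.execute(QUERIES[name]):
            ev = {"when": ms_to_utc(ts_ms), "source": name, "what": what, "extra": extra}
            if name == "threads_db2" and extra:      # assumed JSON fix attached to the message
                c = json.loads(extra)
                ev["geo"] = (c["latitude"], c["longitude"])
            events.append(ev)
    return sorted(events, key=lambda e: e["when"])
```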

Now that we’ve had a look behind the scenes…

Let’s see how timeline visualization and geolocation artifacts can help with cases like this.

All Content Copyright ©2013 Magnet Forensics Inc.

Thanks for your time!

jamie.mcquaid@magnetforensics.com

www.magnetforensics.com

Questions?