Geolocation Artifacts & Timeline Analysis: A Digital Forensics Case Study
Geolocation Artifacts and Timeline Analysis: A Case Study
JAMIE MCQUAID, FORENSICS CONSULTANT
The background story
[Diagram; only its labels survived extraction]
Pre-Incident: "18 year old male" (really a 29 year old male using an alias); 16 year old female; 16 year old female and 29 year old male
Incident: "how to get away with murder"; "murder sentences"; 29 year old male and 16 year old female; male friend and 29 year old male; 29 year old male
Post-Incident: IP Address; GPS
The artifacts recovered
Artifacts Involved
PC artifacts:
• Facebook chat
• Gmail
• Google Maps
Android artifacts:
• Facebook chat / geolocation data
• Kik Messenger chat
• Web browser history / searches
From the victim – PC artifacts
Facebook Chat
• Used to be left behind on the hard drive in temporary text files, only a few formats
• Now mainly found in live RAM captures (more reason to do them!), and the pagefile.sys and hiberfil.sys files.
• Multiple formats, “emails” and chat sharing formats
Let’s look at a couple of examples from our scenario
{"msg":{"text":"we shud meet up sometime","messageId":"msg.4962aae42bf457169292f6cca7a3d10771","time":1376178524576,"clientTime":137617852157,"msgID":"137617852457:3505393901","offline_threading_id":null},"from":1234532352361,"id":744370832,"to":1654639384933,"from_name":"John Smith","from_first_name":"John","to_name":"Jane Doe","to_first_name":"Jane","tab_type":"friend","sender_offline":false,"show_orca_callout":false,"window_id":"3016689585","type":"msg"}
{"from":1654639384933,"to":1234532352361,"time":1376178495576,"msgId":"1376178495576:339157531","msg":{"text":"how old are you?","messageId":"id.246200318749902"},"type":"msg"}
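Two layouts of the same record type are shown above, with the timestamp at the top level in one and inside msg in the other. The Python below is an added example, not code from the webinar or from Magnet's products: it carves such records out of a byte blob the way one would out of a RAM capture or pagefile.sys and converts the millisecond epoch to UTC. The sample bytes are constructed from the values above, with a truncated record appended to show that partial objects are skipped rather than mis-parsed.

```python
import json
from datetime import datetime, timezone

# Constructed stand-in for a slice of a RAM capture / pagefile: two Facebook chat
# records in the two layouts shown above, padded with unrelated bytes and ending
# in a truncated record. Not a real capture.
SAMPLE_DUMP = (
    b"\x00\x00<html>noise"
    b'{"from":1654639384933,"to":1234532352361,"time":1376178495576,'
    b'"msgId":"1376178495576:339157531","msg":{"text":"how old are you?",'
    b'"messageId":"id.246200318749902"},"type":"msg"}'
    b"\xff\xfemore noise"
    b'{"msg":{"text":"we shud meet up sometime","messageId":"msg.4962aae42bf4",'
    b'"time":1376178524576,"msgID":"137617852457:3505393901"},'
    b'"from":1234532352361,"id":744370832,"to":1654639384933,'
    b'"from_name":"John Smith","to_name":"Jane Doe","type":"msg"}'
    b'\x00{"type":"msg","msg":{"text":"cut off'
)

def normalize(obj):
    """Flatten either layout: 'time' sits at top level in one and under 'msg'
    in the other; both are epoch milliseconds."""
    msg = obj["msg"]
    time_ms = obj.get("time", msg.get("time"))
    utc = (datetime.fromtimestamp(time_ms / 1000, tz=timezone.utc)
           .strftime("%Y-%m-%d %H:%M:%S") if time_ms else None)
    return {
        "from": obj.get("from"), "from_name": obj.get("from_name"),
        "to": obj.get("to"), "to_name": obj.get("to_name"),
        "text": msg.get("text"), "time_ms": time_ms, "utc": utc,
    }

def carve_facebook_chat(blob):
    """Return (offset, record) for each JSON object in blob that looks like a
    Facebook chat message. raw_decode() is tried at every '{' so nested braces
    are handled and truncated objects are skipped instead of mis-parsed."""
    text = blob.decode("latin-1")          # 1:1 mapping keeps byte offsets valid
    decoder = json.JSONDecoder()
    found, pos = [], 0
    while (start := text.find("{", pos)) != -1:
        try:
            obj, end = decoder.raw_decode(text, start)
        except ValueError:
            pos = start + 1                # not JSON at this brace; keep scanning
            continue
        pos = end
        if isinstance(obj, dict) and obj.get("type") == "msg" and isinstance(obj.get("msg"), dict):
            found.append((start, normalize(obj)))
    return found
```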
Gmail Webmail
• Traces of data seen in the Inbox view left behind, sometimes full messages as well
• Found in live RAM (again!), the pagefile.sys / hiberfil.sys, and sometimes unallocated space / temporary internet files
Let’s take a look at an example from the scenario
"\u003cspan class\u003d\"yP\" email\u003d\"[email protected]\"\u003eme\u003c/span\u003e, \u003cspan class\u003d\"yP\" email\u003d\"[email protected]\"\u003eJohn\u003c/span\u003e","\u003cb\u003e\u0026raquo;\u003c/b\u003e\u0026nbsp;","\u003cb\u003eMap for Bass Lake\u003c/b\u003e","hey there sweetie, here's a map of the lake \u0026hellip;",0,"","map.jpg","\u003cb\u003eAug 10\u003c/b\u003e","Thu, Aug 10, 2013 at 8:28 PM",1376180932576983,1,[],0,0,[]
Google Maps
• Depending on the browser used, URLs may or may not be found in web history records
• However, data is left behind containing URLs and other data regarding the addresses searched / directions obtained
• Can be found in live RAM, pagefile.sys, hiberfil.sys, temporary internet files, and unallocated space
• Useful in many types of cases (homicides, child luring, terrorism) to see where someone was searching on a map or getting directions to
Let’s take a look at an example from our scenario
x3e\x3c/p\x3e\x3cp\x3e\x3ca href=\"/maps?f=d\x26source=s_d\x26saddr=178+Tunbridge+Road,+Barrie,+ON\x26daddr=2+Beach+Road,+Orillia,+ON\x26hl=en\x26geocode=FVYJmgId7c1E-ykrvt5kMsvUiTG5ip6SijM5eA%3B\x26authuser=0\x26aq=0\x26oq=2+beach+road,\x26vps=2\x26jsv=470c\x26sll=44.610512,-79.502563\x26sspn=0.361728,0.837021 \x26vpsrc=6\x26dirflg=d\x26ttype=now\x26noexp=0\x26noal=0\x26sort=def\x26mra=ls\x26ie=UTF8\x26ct=clnk\x26cd=1\"\x3eGet driving directions\x3c/a\x3e from \x3cb\x3e178 Tunbridge Rd, Barrie, ON L4M\x3c/b\x3e to \x3cb\x3e2 Beach Rd, Orillia, ON L3V 6H1\x3c/b\x3e.\x3c/p\x3e\x3c/div\x3e\x3cdiv id
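The fragment above is JavaScript-escaped HTML (\x3c for <, \x26 for &), so the directions link has to be unescaped before its query string can be read. The Python below is an added example, not part of the webinar: it unescapes a constructed, shortened copy of that fragment and pulls out the start address, destination, map centre (sll) and travel mode; the geocode value is kept as an opaque token rather than interpreted.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed fragment in the same \xNN-escaped form as the artifact above
# (a shortened copy of that directions link, not a second real capture).
SAMPLE_FRAGMENT = (
    r'\x3cp\x3e\x3ca href=\"/maps?f=d\x26source=s_d\x26saddr=178+Tunbridge+Road,+Barrie,+ON'
    r'\x26daddr=2+Beach+Road,+Orillia,+ON\x26hl=en\x26geocode=FVYJmgId7c1E-ykrvt5kMsvUiTG5ip6SijM5eA%3B'
    r'\x26sll=44.610512,-79.502563\x26sspn=0.361728,0.837021\x26dirflg=d\x26ie=UTF8\"\x3e'
    r'Get driving directions\x3c/a\x3e from \x3cb\x3e178 Tunbridge Rd, Barrie, ON L4M\x3c/b\x3e'
    r' to \x3cb\x3e2 Beach Rd, Orillia, ON L3V 6H1\x3c/b\x3e.\x3c/p\x3e'
)

ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})')
HREF = re.compile(r'href="(/maps\?[^"]+)"')

def unescape_js(fragment):
    """Turn JavaScript-style \\xNN escapes (and \\") back into plain HTML."""
    return ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), fragment).replace('\\"', '"')

def first(q, key):
    """First value of a query parameter, or None when absent."""
    return q.get(key, [None])[0]

def parse_maps_url(url):
    """Pull the forensically useful parameters out of a classic Google Maps URL.
    saddr/daddr are the typed start and destination; sll is the lat,lng the map
    was centred on; dirflg=d is driving. geocode is an opaque token, kept as-is."""
    q = parse_qs(urlsplit(url).query)   # also turns '+' into spaces, '%3B' into ';'
    sll = first(q, "sll")
    center = tuple(float(x) for x in sll.split(",")) if sll else (None, None)
    return {
        "start": first(q, "saddr"), "destination": first(q, "daddr"),
        "center": center, "mode": first(q, "dirflg"), "geocode": first(q, "geocode"),
    }

def carve_directions(fragment):
    """Decode an escaped fragment and return one parsed record per /maps link."""
    html = unescape_js(fragment)
    return [parse_maps_url(u) for u in HREF.findall(html)]
```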
From the suspect – Android artifacts
• Focusing on chat in this scenario and the geolocation data stored
• Data is located in the following folder on the ‘data’ partition: com.facebook.katana
• File we’re interested in is named “threads_db2”
• SQLite database
Let’s take a look at the data from our case
The ‘databases’ folder
threads_db2 – main.messages
Kik Messenger
• Again, focusing on chat in this webinar, but there is potentially a lot of great data here
• Data is located in the following folder on the ‘data’ partition: kik.android
• File we’re interested in is named “kikDatabase.db”
• SQLite database (surprise!)
Let’s take a look at the data from our case
The ‘databases’ folder
kikDatabase.db – main.messagesTable
Android Browser
• Quick overview of the native browser in Android
• Data is located in the following folder on the ‘data’ partition: com.android.browser
• File we’re interested in is named “browser2.db”
• SQLite database (noticing a theme?)
Let’s take a look at the data from our case
The ‘databases’ folder
browser2.db – main.history
Now that we’ve had a look behind the scenes…
Let’s see how timeline visualization and geolocation artifacts can help with cases like this.
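As an added example of the timeline step (not the webinar's own tooling), the Python below normalises the differently scaled epoch values seen above (milliseconds in Facebook chat, microseconds in the Gmail view data) and merges them with rows from a constructed Android history table into one ordered timeline. The EDT offset for Ontario and the table layout are assumptions made for this example; the real browser2.db schema differs.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Ontario was on EDT (UTC-4) in August 2013; a fixed offset is assumed here so
# the example needs no tz database.
LOCAL_TZ = timezone(timedelta(hours=-4), "EDT")

# (upper bound, divisor): ~1e9 = seconds, ~1e12 = milliseconds (Facebook chat),
# ~1e15 = microseconds (the Gmail view data above).
SCALES = ((10**11, 1), (10**14, 1_000), (10**17, 1_000_000))

def epoch_to_utc(value):
    """Normalise an epoch value of unknown scale to an aware UTC datetime."""
    v = int(value)
    for limit, divisor in SCALES:
        if v < limit:
            return datetime.fromtimestamp(v / divisor, tz=timezone.utc)
    raise ValueError(f"not an epoch timestamp: {value!r}")

# Timestamps copied from the PC artifacts above; the descriptions are constructed.
PC_EVENTS = [
    ("Facebook chat / RAM", 1376178524576, "John -> Jane: we shud meet up sometime"),
    ("Facebook chat / RAM", 1376178495576, "Jane -> John: how old are you?"),
    ("Gmail / pagefile", 1376180932576983, "thread 'Map for Bass Lake' (map.jpg)"),
]

def constructed_android_db():
    """In-memory stand-in for an Android browser history database. The table
    layout is assumed for this example and is not the real browser2.db schema;
    the two searches are the ones named in the scenario, with made-up times."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE history (url TEXT, visit_ms INTEGER)")
    con.executemany("INSERT INTO history VALUES (?, ?)", [
        ("https://www.google.com/search?q=murder+sentences", 1376600000000),
        ("https://www.google.com/search?q=how+to+get+away+with+murder", 1376599000000),
    ])
    return con

def build_timeline(pc_events, con):
    """Merge PC and Android artifacts into one UTC-ordered timeline.
    Each row: (utc datetime, local datetime, source, description)."""
    events = list(pc_events)
    for url, ms in con.execute("SELECT url, visit_ms FROM history"):
        events.append(("Android browser / history", ms, f"visit {url}"))
    rows = []
    for source, raw, desc in events:
        utc = epoch_to_utc(raw)
        rows.append((utc, utc.astimezone(LOCAL_TZ), source, desc))
    return sorted(rows, key=lambda r: r[0])
```

Converting the Gmail value to EDT reproduces the "8:28 PM" that the artifact itself displays, a quick cross-check that the scale was guessed correctly.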
All Content Copyright ©2013 Magnet Forensics Inc.
Thanks for your time!
Questions?