Forensics of location data collected by Google Android
mobile devices
Knut Kröger and Reiner Creutzburg
Brandenburg University of Applied Sciences, Department of Informatics and Media,
Magdeburger Straße 50, D-14770 Brandenburg, Germany
ABSTRACT
This paper deals with forensic investigation of stored location data collected by Android mobile devices. The main
aspects of the study are the extraction and examination of the location data and the possibilities for additional use of the
extracted data.
Keywords: Android forensics, mobile forensics, rooting Android, Oxygen Forensic Suite 2011, location data forensics
1. INTRODUCTION – DIGITAL FORENSICS
Today IT security and IT forensics play an increasingly central role within the field of Information Technology. The
number of incidents and crimes targeted at IT systems, or carried out by IT users, increases every year. Public authorities
and companies are more and more often confronted with security incidents in their IT infrastructure.
IT forensics has mostly been applied to the investigation of a single computer, of a network, or of mobile devices. The
most common technique is post-mortem analysis: the computer is shut down, a forensic disk image is created, and all
investigations are carried out only on that image. If the computer is still running, a live analysis can be carried out
instead. Often, the forensic analysis of network traffic can only be done on a live system. Ideally, the potential attacker
is still in the system and the evidence can be collected in real time. Frequently, the traffic is recorded continuously,
usually by an intrusion detection system.
In the field of forensic examination of mobile devices, an exact distinction between post-mortem and live analysis is not
possible, as most mobile phone manufacturers use proprietary hardware and many different operating systems.
Therefore, from a forensic point of view, it is very difficult to find a consistent approach. In particular, the creation of a
forensic disk image is very difficult [5]. The most commonly used mobile platforms are Windows Mobile, Apple iPhone,
Nokia Symbian and Google Android.
In any case, a wrong approach can render the recorded information unusable. To prevent this, the steps Crime scene
forensics, Identification, Backup/Recovery and Documentation/Evaluation should be followed in a forensic investigation
of a smartphone.
The investigation usually begins with securing the smartphone and its entire periphery. This includes the charger,
docking station and memory cards. After inspection, the smartphone must be subjected to special procedures. To
illustrate the approach, the necessary steps are explained in detail in the following sections. It is important to bear in
mind that only the use of standard procedures and exact documentation of evidence leads to results that hold up in court.
K. Kröger: E-Mail: kroeger@fh-brandenburg.de
R. Creutzburg: E-Mail: creutzbu@fh-brandenburg.de, Phone: +49 (0) 3381 355 442
2. MOTIVATION
In the mobile market, a positive trend can be observed. According to media reports more than 4.4 billion people use
mobile phones worldwide, with over 33 million Android smartphones sold in the second quarter of 2010 [1].
In May 2011, the developer Pete Warden and the scientist Alasdair Allan found that the iPhone stores the user's entire
location history in a file, and that this file is also stored in the automatic iTunes backup on the user's computer.
According to Warden, the file is neither encrypted nor otherwise protected. In addition, the data collection cannot be
switched off completely; a lot of location data is still collected. Other media reports showed that Google uses similar
mechanisms in its Android operating system to save the location and movement data of the user.
From a forensic point of view, these location data are very interesting, because they give a good overview of the last
locations of a suspect and may allow an accurate movement profile of a person to be built. For this reason, this work
provides an overview of how location data is collected in Android, where it can be found and, in particular, how the data
can be extracted and analyzed.
For each forensic investigation, it is important to use a defined process model. One of the most widely used models in
forensic analysis is the “Investigative Process Model” of Eoghan Casey [6]. This model helps to carry out a correct forensic
investigation and to write an accurate forensic report. In addition, the “Schematic flow of a forensic analysis of a mobile
phone” of Alexander Geschonneck [7] is a very helpful process model. From this model the “Procedure of forensic
investigation of an Android smartphone” [8] was derived. This model is used for the following investigation (see
Appendix 1).
3. INTRODUCTION TO ANDROID
Android is an open-source operating system for mobile devices. Android is developed by the Open Handset Alliance,
which consists of more than 50 companies from the mobile sector. Google plays a leading role in this Alliance, but other
companies from mobile phone manufacturing, network operation and software development are involved as well. Android
is attractive for smartphones because it is available for free and can be customized for a manufacturer's own hardware.
Currently there are more than 100 phone models running Android as their standard operating system. With 300,000
Android smartphones activated every day (December 2010), the rapidly increasing spread of the mobile operating system
is evident [9]. The goals set by the Open Handset Alliance, to advance development and to give mobile users a
comprehensive, cost-effective and better “mobile experience”, seem to convince more and more end users [10].
The technical structure of Android is shown in Figure 1 and can be divided into the following five parts:
Linux kernel,
Android runtime environment (Android Runtime),
Libraries,
Application framework,
Applications.
Every Android system is built on a Linux 2.6 kernel as its basic element. A flash translation layer is also needed, because
Linux can only manage storage that works block-based, whereas the integrated flash memory works differently owing to
the structure of flash memory. The flash memory of the smartphone is therefore divided into several Memory Technology
Devices (MTD), which can then be accessed like normal block-based drives. The Android runtime environment uses the
Dalvik virtual machine, whose special feature is that each application is executed in its own virtual machine (VM)
instance. Applications are compiled into *.dex files for this VM. To improve security during execution, every application
is assigned a unique user ID. An application can then only access its own data, unless additional access rights have been
granted to it beforehand. In a forensic investigation, primarily the libraries and the SQLite databases are of interest, since
that is where the forensically relevant data are stored. Because of the architecture with separate virtual machines, access
to the respective files is very difficult; access control is realized through Linux user and group permissions.
Figure 1: Architecture of the Android Operating System
Crime scene forensics
In the first step of the forensic investigation of a smartphone, it is important to identify all objects of interest for the
computer forensics investigation. This includes even simple things such as the charging cable, which can be used to
identify the phone model. It also includes charging stations and any docking stations. A docking station, however,
represents a significant risk, because such stations usually have a connection to a computer, and this connection must
be separated as part of the forensic procedure. Consequently, the devices (e.g. computers) with which the phone has
synchronized are also of interest.
Identification
The next step is the correct identification of the smartphone. Peripherals are usually helpful in determining the model.
A check of the serial number also helps to indicate which model is in use. After noting the model and type of the
smartphone, it is helpful to determine the operating system version and to check whether more than one operating system
is present on the device.
Recovery, Preservation
At this point all devices and peripherals have been secured, including all memory cards and the device itself. For the
extraction of smartphone data, different programs are available. The main task is to create an identical (forensic) copy of
the device's storage, called an image. The effectiveness of the programs used is described later in this paper. Furthermore,
it should be noted that during the forensic investigation the power supply must be ensured, and any connection to a
mobile network must be suppressed and avoided.
Documentation, Evaluation
The last step of the investigation deals with the analysis of the collected data and the documentation of the results.
The data analysis is nowadays largely done by forensic software (image search, processing of e-mail communication,
etc.). The documentation must be understandable, and the “chain of custody”, i.e. the traceability of the procedures
carried out, must be guaranteed. In addition, the documentation should also describe the status and condition of the
device as it was found [11].
4. MOBILE FEATURES
Mobile devices such as smartphones require some special procedures. Because of their permanent wireless connection,
data on these devices can be modified, altered or even deleted remotely at almost any time. In the case of smartphones it
must also be noted that any attempt to gain access to the device may in some respect alter the device or even delete its
entire contents. Moreover, in the analysis of mobile devices it cannot always be guaranteed that the device is not altered
during the investigation. The memory of a smartphone cannot be removed like a normal hard disk in order to create a
forensic image with a write-blocker. Furthermore, the analysis of the SIM card is very difficult without first removing it
from the device. In summary, a forensic investigation of a smartphone will in many cases modify the phone; the necessary
interventions, however, are legitimized by very good and detailed documentation and justification.
Device switched on
If it is determined at the beginning of the forensic investigation that the smartphone is switched on, one should try to
keep the device in this state and ensure its power supply, to prevent a possible loss of information when the device shuts
down, e.g. because of a dead battery.
Device switched off
If the phone is switched off in the beginning of the investigation, it should also remain in this state. If later the
device is switched on, the status of the battery should be noted.
Device is in a docking station
In the special case that the smartphone is in a docking station, it should be checked whether a connection to a computer
exists. If so, this computer will contain interesting data and should be included in the forensic investigation. The
connection between the docking station and the phone should be separated, even at the risk that disconnecting this link
triggers a script that deletes or changes some or all important data on the device.
Wireless connections
After the device has been found, it must be prevented from continuing to connect to wireless communication networks,
so that no data on the device can be changed or deleted over the wireless network. One simple possibility is to use
shielding bags, which have built-in shielding and prevent any wireless communication.
Memory card inserted
As evidence no changes to the device should be made. Both SIM and memory cards should remain in the device and can
be investigated either internally or be read externally.
Device blocked
An important feature of Android smartphones is that the content can be locked. The lock can be a pattern that has to be
redrawn (see fig. 3), a PIN or a password; the device may also be configured without any lock at all. Access to the
Android smartphone is possible only after successfully unlocking the device, unless the USB settings already allow full
access. An alternative way to obtain the unlock pattern is an analysis of the display for grease residues left by the finger
[12]. The smartphone itself offers another way to unlock the device, but only after repeated incorrect input of the
pattern / PIN / password: it then shows a button labeled “Pattern / PIN / Password forgotten”. After pressing this button,
the smartphone offers unlocking by entering the e-mail address and the corresponding password used during the activation
of the device. Should all these unlock possibilities fail, access to the flash memory of the smartphone is not possible
with the means described here.
5. COLLECTED AND STORED LOCATION DATA
One of the important questions is how much location data is collected by Android and where the data are stored. Here
we only give a short overview of the main facts and do not claim completeness.
Android saves a lot of location data. These include GPS information of pictures, Wi-Fi hotspots and cell locations. To
use the location services of Android, the options “Use wireless networks” and “Use GPS satellites” must be activated
under Settings - Location and security settings (see fig. 2). These options are not automatically switched on and must be
activated by the user.
Figure 2: The Location Services must be activated
One of the important places for location data is the Camera App. This App stores the current location in each photo. The
easiest way to view this information is the integrated Camera App itself. The App can show all photos on a Google Map,
so it is very easy to find out where a photo was taken (see figs. 3 and 4). It is important to note that this App is not a
forensic tool and cannot be used for a forensic investigation, but it can be helpful to get a first overview.
Figure 3: The current location of a photo
Figure 4: Location of taken photos
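The location the Camera App stores in a photo lives in the EXIF GPS tags of the JPEG file, so an investigator does not need the Camera App to read it. The following is an added example, not code from the paper: a minimal parser for the TIFF-structured EXIF payload that builds a constructed sample (coordinates roughly at the authors' institute, chosen by the editor) with a GPS IFD and parses it back into decimal degrees. The tag numbers and type codes are those of the public Exif specification; the byte layout produced by `build_exif_gps` is the editor's own construction for the sample and is not data taken from a real device.

```python
"""Minimal EXIF GPS extraction for the location a camera app writes into a photo (added example)."""
import struct

# Exif/TIFF constants from the public Exif specification
TAG_GPS_IFD = 0x8825                       # IFD0 entry pointing at the GPS sub-IFD
TAG_GPS_LAT_REF, TAG_GPS_LAT = 0x0001, 0x0002
TAG_GPS_LON_REF, TAG_GPS_LON = 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def _entry(tag, typ, count, value4):
    """One 12-byte big-endian IFD entry; value4 is the 4-byte inline value or offset."""
    return struct.pack(">HHI", tag, typ, count) + value4


def build_exif_gps(lat_dms, lat_ref, lon_dms, lon_ref):
    """Construct a big-endian ('MM') TIFF block holding only a GPS IFD (sample data, not a real photo)."""
    header = b"MM\x00\x2a" + struct.pack(">I", 8)          # IFD0 begins right after the 8-byte header
    gps_ifd_off = 8 + (2 + 12 + 4)                           # IFD0 = count + 1 entry + next-IFD pointer
    lat_off = gps_ifd_off + (2 + 4 * 12 + 4)                 # GPS IFD = count + 4 entries + next pointer
    lon_off = lat_off + 3 * 8                                # three RATIONALs (deg, min, sec) per coordinate
    ifd0 = struct.pack(">H", 1) + _entry(TAG_GPS_IFD, TYPE_LONG, 1, struct.pack(">I", gps_ifd_off)) + b"\0" * 4
    gps = struct.pack(">H", 4)
    gps += _entry(TAG_GPS_LAT_REF, TYPE_ASCII, 2, lat_ref.encode("ascii") + b"\0\0\0")  # ASCII <= 4 bytes is inline
    gps += _entry(TAG_GPS_LAT, TYPE_RATIONAL, 3, struct.pack(">I", lat_off))
    gps += _entry(TAG_GPS_LON_REF, TYPE_ASCII, 2, lon_ref.encode("ascii") + b"\0\0\0")
    gps += _entry(TAG_GPS_LON, TYPE_RATIONAL, 3, struct.pack(">I", lon_off))
    gps += b"\0" * 4                                         # no further IFD
    rationals = b"".join(struct.pack(">II", n, d) for n, d in list(lat_dms) + list(lon_dms))
    return header + ifd0 + gps + rationals


def parse_gps(exif):
    """Return (latitude, longitude) in decimal degrees, or None if the block carries no GPS IFD."""
    if exif[:2] == b"MM":
        e = ">"
    elif exif[:2] == b"II":
        e = "<"
    else:
        raise ValueError("not a TIFF/Exif header")
    (ifd0_off,) = struct.unpack(e + "I", exif[4:8])

    def read_ifd(off):
        (n,) = struct.unpack(e + "H", exif[off:off + 2])
        entries = {}
        for i in range(n):
            pos = off + 2 + 12 * i
            tag, typ, count = struct.unpack(e + "HHI", exif[pos:pos + 8])
            entries[tag] = (typ, count, exif[pos + 8:pos + 12])
        return entries

    def value(typ, count, raw):
        if typ == TYPE_ASCII:                                 # inline when it fits in 4 bytes, else at offset
            data = raw if count <= 4 else exif[struct.unpack(e + "I", raw)[0]:][:count]
            return data[:count].rstrip(b"\0").decode("ascii")
        if typ == TYPE_LONG:
            return struct.unpack(e + "I", raw)[0]
        if typ == TYPE_RATIONAL:
            (off,) = struct.unpack(e + "I", raw)
            return [struct.unpack(e + "II", exif[off + 8 * i:off + 8 * i + 8]) for i in range(count)]
        raise ValueError("unsupported Exif type %d" % typ)

    ifd0 = read_ifd(ifd0_off)
    if TAG_GPS_IFD not in ifd0:
        return None
    gps = read_ifd(value(*ifd0[TAG_GPS_IFD]))

    def dms_to_decimal(rats, ref):
        d, m, s = (n / den for n, den in rats)
        dec = d + m / 60 + s / 3600
        return -dec if ref in ("S", "W") else dec             # S and W hemispheres are negative

    return (dms_to_decimal(value(*gps[TAG_GPS_LAT]), value(*gps[TAG_GPS_LAT_REF])),
            dms_to_decimal(value(*gps[TAG_GPS_LON]), value(*gps[TAG_GPS_LON_REF])))


# Constructed sample: 52°24'45" N, 12°31'53.76" E (editor's choice, not data from a device)
SAMPLE = build_exif_gps(((52, 1), (24, 1), (45, 1)), "N", ((12, 1), (31, 1), (5376, 100)), "E")

if __name__ == "__main__":
    print(parse_gps(SAMPLE))        # (52.4125, 12.5316)
```

In a real JPEG the TIFF block sits inside the APP1 segment after the 6-byte `Exif\0\0` marker; the parser above expects to be handed that block. Because the coordinates are plain metadata, they can be removed or altered without touching the image data, so a geotag should be corroborated with the location caches discussed in the next section rather than trusted on its own.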
The location data for cell info and for Wi-Fi info can also be analyzed directly on the smartphone, but only if the phone
is rooted. To view the cell and Wi-Fi information it is necessary to install an App from the Google Market (in this case
the Android Location Cache Viewer). If this App is installed and started, it shows the location data on a Google map (see
fig. 5).
Figure 5: Collected location data
6. EXTRACTION AND ANALYSIS OF STORED LOCATION DATA
To extract the cell and Wi-Fi location data from an Android smartphone, the phone must be rooted. Only the photos and
other user data on the SD card can be copied directly. The files are called "cache.cell" for cell-related information and
"cache.wifi" for Wi-Fi-related information. They can be found in the folder
"/data/data/com.google.android.location/files".
For the extraction of these files, the adb shell of the Google Android SDK [3] is very helpful; alternatively a file manager
from the Google Market, for example the File Expert App, can be used to copy the data (see fig. 6).
Figure 6: The cache.cell and cache.wifi shown with File Expert
After the cache.cell and cache.wifi database files have been copied to the SD card and transferred to the computer, the
analysis can begin. The easiest way to analyze the data is to open it with the tool MyPhoneTracker.
MyPhoneTracker is an application used to visualize the location tracking databases of iPhones and Android devices on
Google Maps. The saved locations can be visualized with markers, dots and numbers (see figs. 7 - 8). This tool can import
the Android databases directly and then shows the information on a map [4].
Figure 7: Import the Android Databases [4]
Figure 8: The MyPhoneTracker Tool [4]
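Instead of relying on a visualization tool, an investigator can parse cache.cell and cache.wifi directly and keep a hash of each file for the chain of custody. The following is an added example, not code from the paper or from MyPhoneTracker. The binary layout it assumes (big-endian, as written by Java's DataOutputStream: a 16-bit version, a 16-bit entry count, then per entry a length-prefixed key, a 32-bit accuracy in metres, a 32-bit confidence, two 64-bit doubles for latitude and longitude and a 64-bit read time in milliseconds since the Unix epoch) is the publicly documented layout of the Gingerbread-era caches and is an assumption here, not something the paper states; the keys, coordinates and timestamps in the sample are constructed by the editor. The `same_timestamp_groups` helper makes the caveat from the conclusion visible: several entries recorded in one scan share one timestamp and cannot be ordered among themselves.

```python
"""Parser for Android's cache.cell / cache.wifi location caches (added example, assumed layout)."""
import hashlib
import struct
from collections import defaultdict
from datetime import datetime, timezone

ENTRY_FMT = ">iiddq"            # accuracy (m), confidence, latitude, longitude, read time (ms since epoch)
ENTRY_LEN = struct.calcsize(ENTRY_FMT)   # 32 bytes


def build_cache(entries, version=1):
    """Serialize (key, accuracy, confidence, lat, lon, read_ms) tuples; used here only to construct sample files."""
    out = struct.pack(">hh", version, len(entries))
    for key, acc, conf, lat, lon, ms in entries:
        k = key.encode("utf-8")                      # ASCII keys are identical in Java's modified UTF-8
        out += struct.pack(">h", len(k)) + k + struct.pack(ENTRY_FMT, acc, conf, lat, lon, ms)
    return out


def parse_cache(blob):
    """Return (version, entries); raises ValueError instead of silently reading past a truncated file."""
    if len(blob) < 4:
        raise ValueError("file too short for header")
    version, count = struct.unpack(">hh", blob[:4])
    pos, entries = 4, []
    for _ in range(count):
        if len(blob) < pos + 2:
            raise ValueError("truncated key length")
        (klen,) = struct.unpack(">h", blob[pos:pos + 2])
        pos += 2
        if len(blob) < pos + klen + ENTRY_LEN:
            raise ValueError("truncated entry")
        key = blob[pos:pos + klen].decode("utf-8")
        pos += klen
        acc, conf, lat, lon, ms = struct.unpack(ENTRY_FMT, blob[pos:pos + ENTRY_LEN])
        pos += ENTRY_LEN
        entries.append({
            "key": key,                  # cell: "MCC:MNC:LAC:CID", Wi-Fi: access point BSSID
            "accuracy_m": acc,
            "confidence": conf,
            "lat": lat,
            "lon": lon,
            "read_ms": ms,
            "read_utc": datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat(),
        })
    return version, entries


def same_timestamp_groups(entries):
    """Map read_ms -> keys for every timestamp shared by more than one entry (no order within a group)."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["read_ms"]].append(e["key"])
    return {ms: keys for ms, keys in groups.items() if len(keys) > 1}


def sha256_hex(blob):
    """Hash of the file as seized, to be recorded before any analysis (chain of custody)."""
    return hashlib.sha256(blob).hexdigest()


# Constructed samples (editor's data, not from a device): one cell, two access points seen in one scan
SAMPLE_CELL = build_cache([("262:1:1234:5678", 1500, 75, 52.4125, 12.5316, 1304931000000)])
SAMPLE_WIFI = build_cache([
    ("00:11:22:33:44:55", 80, 75, 52.4126, 12.5318, 1304931000000),
    ("66:77:88:99:aa:bb", 80, 75, 52.4124, 12.5315, 1304931000000),
])

if __name__ == "__main__":
    for name, blob in (("cache.cell", SAMPLE_CELL), ("cache.wifi", SAMPLE_WIFI)):
        print(name, "sha256:", sha256_hex(blob))
        version, entries = parse_cache(blob)
        for e in entries:
            print("  ", e)
        print("   same-timestamp groups:", same_timestamp_groups(entries))
```

Run the hash before the parser, write it into the report, and parse a copy of the pulled file rather than the original; any later mismatch shows the evidence file changed. The parser also refuses a file whose entry count exceeds its length, which is a common symptom of a copy interrupted mid-transfer.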
For a forensic investigation, the MyPhoneTracker is not suitable. However, the tool gives a first overview and the
forensic investigator can decide whether an investigation is necessary or not. If it is, the investigator can apply a
specialized forensic tool like Oxygen Forensic Suite or .XRY Physical.
7. CONCLUSION - FORENSIC POINT OF VIEW
From a forensic point of view, the problem is that the Android smartphone obtains the location data from the Google server
and not from the built-in GPS. For example, in our own tests it was not possible to find out the actual location of a taken
photo if the smartphone had no Wi-Fi connection. Another problem is that all location entries carry the same time and date
when more than one piece of location information (for example many Wi-Fi hotspots within range) is recorded at the same
place. Furthermore, the investigator depends on the data from Google being correct.
A general problem is that the Android OS exists in so many versions, and all smartphone manufacturers modify the
original Android sources. For the forensic investigator this means that every Android smartphone is different and needs
its own forensic investigation strategy. This is a big problem for vendors of forensic software, since they have difficulties
making their software compatible with all the different versions of Android smartphones.
REFERENCES
[1] Canalys, “Google’s Android becomes the world’s leading smartphone platform”, 2011.
[2] OHA, “Open handset alliance”, 2011.
[3] google.com, “What is android? — android developers”, 2011.
[4] http://mac-and-i.blogspot.com/2011/04/myphonetracker-analyze-iphone.html
[5] Andrew Hoog, “Android Forensics Investigation Analysis and Mobile Security for Google Android“, Syngress,
2011, ISBN: 978-1-59749-651-3
[6] Casey, Eoghan: Digital Evidence and Computer Crime Forensic. Academic Press, 2004
[7] Geschonneck, Alexander: Computer Forensik - Computerstraftaten erkennen, ermitteln, aufklären, 4. Auflage.
dpunkt.verlag, 2010
[8] Stefan Sack, Knut Kröger, Reiner Creutzburg: Overview of potential forensic analysis of an Android
smartphone, Paper SPIE, 2012
[9] www.derstandard.at, 2011.
[10] OHA, “Open handset alliance,” 2011.
[11] R. V. Dharaskar and R. Ahmed, “Mobile forensics: an overview, tools, future trends and challenges from law
enforcement perspective,” 2008.
[12] A. J. Aviv, K. Gibson, E. Mossop, M. Blaze, and J. M. Smith, “Smudge attacks on smartphone touch
screens,” 2010
Appendix 1: Procedure of forensic investigation of an Android smartphone (next page)
Procedure of forensic investigation of an Android smartphone