A METHOD FOR AUTOMATED GPS COORDINATES RETRIEVAL FROM IOS DEVICE DATA FOR FORENSIC INVESTIGATION
18.01.2024 15:46
[1. Information systems and technologies]
Authors: Taras Fedynyshyn, Postgraduate Student, Lviv Polytechnic National University, Lviv, Ukraine; Olha Mykhaylova, Candidate of Physical and Mathematical Sciences (Ph. D.), Lviv Polytechnic National University, Lviv, Ukraine
INTRODUCTION
With the rapid growth of communication technologies, GPS and the mobile internet, an increasing amount of location information is collected by mobile devices, which are in use all over the world [1]. GPS data from mobile devices plays a pivotal role in counterterrorism, counterintelligence and forensic investigations for a number of reasons. It serves as a corroborative tool for verifying the reported whereabouts of individuals during specific time frames, helping investigators establish reliable timelines. Analysis of historical GPS data lets authorities discern patterns in individuals' movements, identifying recurring behaviours and potential associations. Linking suspects to specific locations helps ascertain whether an individual was in proximity to a crime scene or a related incident. GPS data provides leads by revealing the locations a suspect frequents, supporting targeted investigative strategies. Tracking the movements of individuals, especially within known networks, helps map connections, reveal potential relationships and identify key figures. Using GPS data, forensic experts can reconstruct the events leading up to an incident and the sequence of activities involved. In legal proceedings, GPS data is a robust form of evidence, strengthening a case with concrete information about an individual's presence at critical locations. In short, the use of GPS data in counterterrorism, counterintelligence and forensic investigations [3] allows authorities to piece together comprehensive narratives, strengthen evidentiary trails and make informed decisions critical to national and international security.
MOBILE DEVICE FORENSICS
Smartphones hold a large amount of information that can serve as evidence in criminal cases. Digital forensics, the discipline of analysing electronic data as evidence, follows a defined process for gathering this information properly. This section outlines how user data is extracted from smartphones in digital forensics [4]. Mobile devices store many types of evidence, including call history, contacts, messages, multimedia, internet history, photos, videos, location coordinates, e-mails and social media data. Proper acquisition of this data is crucial for its admissibility in legal proceedings, yet mobile extraction is complex because the data is scattered across numerous apps and services, each with its own, often volatile, file structure.
The forensic process usually consists of the following steps [5]:
• Seizure – the evidence collection phase. Investigators seize the involved mobile devices and aim to preserve them in their original state; this includes isolating the device from wireless networks so that incoming data cannot alter the evidence, while avoiding shutting the device down. Any failure in this phase can jeopardize all subsequent stages, so the primary goal of seizure is to preserve evidence.
• Acquisition – gathering and copying data from the mobile device for further analysis.
• Analysis – application of various methodologies and tools to recover evidential material, often starting with the retrieval of deleted data. The types of recovered data (e-mail, chat logs, images, internet history, documents) depend on the nature of the investigation; data can be retrieved from allocated disk space, deleted (unallocated) space, or operating system cache files.
• Reporting – presentation of the results of the analysis phase.
GPS COORDINATES RETRIEVAL ALGORITHM
GPS data on a mobile device may be collected by the operating system (iOS, Android) or by user applications. Operating systems (OS) and applications may handle and store location data differently. In some cases location data is only used at run time and never stored on the device; in others it is part of the data the application's business logic relies on, and is therefore stored persistently.
The mechanisms an OS uses to store location data are well researched [6], since they change infrequently and there are only a few operating systems on the market. The way third-party applications store data is less researched, since there are millions [7] of applications in the app stores and the population changes constantly.
Mobile applications may use a variety of methods to store data on the device. The most popular are SQLite databases, property lists (plist), protocol buffers, Java serialization, Realm and others [8]. In this paper the authors introduce an algorithm for the automated search of GPS coordinates in SQLite and plist files.
Fig. 1 visualizes the developed algorithm, which searches for GPS data in SQLite and plist files. The algorithm loops through every file extracted from the iOS device and tries to open it as a SQLite database. The reader may wonder why the file extension is not used instead of attempting to open each file as a database. The answer is simple: a SQLite database (like a plist) may carry any file name and any extension, so the extension must not drive the interpretation logic. If the file is a database, the next step is to check whether any table name contains one of the keywords. Example keywords are gps, location, latitude and longitude. If a table name contains a keyword, the table most likely holds location data, and the file is marked. If no table name matches, every column name of every table is checked for keywords; if any column name matches, the file is marked. Otherwise, a sample data row is selected from each table.
Fig 1. Location data detection algorithm flowchart
Each cell of the sample row is examined to see whether it is JSON and, if so, whether its keys contain a keyword. On success the file is marked. If the file could not be opened as a SQLite database, it is opened as a plist. If it is a valid plist, it is converted into a dictionary structure, all keys are extracted recursively and checked for keywords; on success the file is marked. Processing then continues with the next file.
EXPERIMENT IMPLEMENTATION
The experiment included data extraction from an iOS device (iPhone 13 mini running iOS 17.2.1), implementation of the algorithm in Fig. 1 in the Python programming language, and testing. Data acquisition was done with the iMazing [9] tool using the "Export Raw Files" option. The Python code uses only the built-in json, plistlib, sqlite3 and os modules. It accepts the path to the directory with the exported iPhone files as input and outputs the list of folders in which GPS data was found. The folders correspond to user-installed applications, Apple preinstalled applications and iOS modules.
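The following Python program is an added worked example of the detection order described in the GPS COORDINATES RETRIEVAL ALGORITHM section (Fig. 1) and of the implementation described in this section; it is not the authors' code. It uses the same built-in modules (json, plistlib, sqlite3, os) and the keyword list given in the paper. Assumptions that are not in the paper: the export directory is walked recursively and its top-level sub-directories are taken to be the per-application folders; databases are opened through a read-only, immutable SQLite URI so that the evidence files are never modified; and the mini export produced by build_sample_export is constructed test data, not data from a real device.

```python
"""Keyword scan of an iOS raw-file export for location data in SQLite and plist
files. Added example, not the paper's implementation."""
import json
import os
import plistlib
import sqlite3
import tempfile
from urllib.parse import quote

# Keywords from the paper, matched as case-insensitive substrings of names.
KEYWORDS = ("gps", "location", "latitude", "longitude")


def has_keyword(name) -> bool:
    """True if a table, column or dictionary key name contains a keyword."""
    return isinstance(name, str) and any(k in name.lower() for k in KEYWORDS)


def collect_keys(obj, out):
    """Recursively collect every dictionary key of a nested JSON/plist value."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            out.append(k)
            collect_keys(v, out)
    elif isinstance(obj, (list, tuple)):
        for v in obj:
            collect_keys(v, out)
    return out


def _q(ident: str) -> str:
    """Quote a table name read from sqlite_master for use in SQL text."""
    return '"' + ident.replace('"', '""') + '"'


def scan_sqlite(path: str):
    """True/False for a SQLite file with/without location hints; None if the
    file is not SQLite at all (the branch that leads to the plist check)."""
    # mode=ro&immutable=1: the evidence file is never written, not even a
    # -journal/-wal sidecar (assumption: the paper does not say how files are opened).
    try:
        con = sqlite3.connect(f"file:{quote(path)}?mode=ro&immutable=1", uri=True)
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
    except sqlite3.DatabaseError:  # "file is not a database"
        return None
    try:
        if any(has_keyword(t) for t in tables):            # step 1: table names
            return True
        for t in tables:                                   # step 2: column names
            if any(has_keyword(r[1]) for r in con.execute(f"PRAGMA table_info({_q(t)})")):
                return True
        for t in tables:                                   # step 3: JSON in a sample row
            row = con.execute(f"SELECT * FROM {_q(t)} LIMIT 1").fetchone()
            for cell in row or ():
                if isinstance(cell, bytes):
                    cell = cell.decode("utf-8", errors="ignore")
                if not isinstance(cell, str) or not cell.lstrip().startswith(("{", "[")):
                    continue
                try:
                    parsed = json.loads(cell)
                except ValueError:
                    continue
                if any(has_keyword(k) for k in collect_keys(parsed, [])):
                    return True
        return False
    except sqlite3.DatabaseError:  # damaged database: detected but unreadable
        return False
    finally:
        con.close()


def scan_plist(path: str):
    """True/False for a plist with/without location keys; None if not a plist."""
    try:
        with open(path, "rb") as f:
            data = plistlib.load(f)
    except Exception:  # InvalidFileException, malformed XML, truncated binary plist
        return None
    return any(has_keyword(k) for k in collect_keys(data, []))


def scan_file(path: str) -> bool:
    """Detection order of Fig. 1: SQLite first, plist only if the file is not SQLite."""
    result = scan_sqlite(path)
    if result is None:
        result = scan_plist(path)
    return bool(result)


def scan_backup(root: str) -> dict:
    """Walk the export and return {top-level folder: [marked files relative to root]}.
    Assumption: top-level folders correspond to applications / iOS modules."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if scan_file(path):
                rel = os.path.relpath(path, root)
                hits.setdefault(rel.split(os.sep)[0], []).append(rel)
    return hits


def build_sample_export(root: str) -> None:
    """Constructed test data (not from a real device) exercising each branch."""
    def db(folder, fname, table, cols, row):
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        con = sqlite3.connect(os.path.join(root, folder, fname))
        con.execute(f"CREATE TABLE {table} ({cols})")
        con.execute(f"INSERT INTO {table} VALUES ({','.join('?' * len(row))})", row)
        con.commit()
        con.close()
    # AppA: the table name matches, under a non-database extension.
    db("AppA", "cache.bin", "visited_locations", "id INTEGER, lat REAL, lng REAL", (1, 49.8397, 24.0297))
    # AppB: neutral table/column names, but a JSON cell with latitude/longitude keys.
    db("AppB", "store.db", "kv", "k TEXT, v TEXT",
       ("profile", json.dumps({"user": {"latitude": 49.84, "longitude": 24.03}})))
    # AppC: binary plist under a misleading extension, with a nested matching key.
    os.makedirs(os.path.join(root, "AppC"))
    with open(os.path.join(root, "AppC", "settings.dat"), "wb") as f:
        plistlib.dump({"Prefs": {"LastKnownLocation": [49.84, 24.03]}}, f, fmt=plistlib.FMT_BINARY)
    # AppD: nothing structural matches; a keyword inside plain text is not a hit.
    db("AppD", "notes.sqlite", "notes", "id INTEGER, body TEXT", (1, "hello"))
    with open(os.path.join(root, "AppD", "readme.txt"), "w") as f:
        f.write("Location of this note store: local only\n")


def demo() -> dict:
    """Build the constructed export in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_export(root)
        return scan_backup(root)


if __name__ == "__main__":
    for folder, files in sorted(demo().items()):
        print(folder, "->", ", ".join(files))
```

Two practical notes. Opening with immutable=1 makes SQLite ignore -wal and -journal sidecar files, so rows that are still only in a write-ahead log are invisible to the scan; run the scan on a working copy with plain mode=ro when that content matters. A keyword hit is only a lead: the marked file still has to be opened and the coordinates interpreted by the examiner, since the names alone do not say whose location is stored.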
RESULTS
The experiment was conducted on the export of an iPhone with 117 user-installed applications. 51 of them had requested access to Location Services and 44 had been approved by the user. These numbers were counted manually by the authors. Before running the experiment, the authors therefore expected the algorithm to find location data in those 44 user-installed applications and in some Apple applications and OS modules.
The algorithm found location data in 32 user-installed applications and in 14 Apple preinstalled applications and OS modules. An interesting part of the result is that the algorithm found location data in applications whose access to Location Services had been denied; one example is the Instagram app. Another interesting finding concerns the Glassdoor and Viber application data: these applications had not requested access to Location Services at all, yet the examined files contain user location data (latitude and longitude).
CONCLUSIONS
A novel location data retrieval algorithm for forensic investigation is introduced. The algorithm is implemented in the Python programming language and tested on data extracted from an iPhone.
The main takeaways from this research are:
• the introduced algorithm was unable to find location data in some applications that actually use Location Services. This may mean that their location data is stored using mechanisms other than SQLite and plist files (for example the protocol buffers or Realm stores mentioned above). Extending the algorithm to these formats is a direction for future improvement.
• some applications have no access to Location Services but still operate on and store user location data. This may be interpreted as a violation of user privacy. Because the algorithm matches only on table, column and key names, such a finding should be verified manually (for instance, that the stored coordinates describe the device owner rather than content or contacts delivered by the service) before it is reported as a privacy violation.
Location data is important in forensic investigation and may be utilized in the process of searching for a "person of interest" [10].
REFERENCES
1. Anthony D. Patire, Matthew Wright, Boris Prodhomme, Alexandre M. Bayen, How much GPS data do we need?, Transportation Research Part C: Emerging Technologies, Volume 58, Part B, 2015, Pages 325-342, ISSN 0968-090X, https://doi.org/10.1016/j.trc.2015.02.011.
2. J. Bays and U. Karabiyik, “Forensic Analysis of Third Party Location Applications in Android and iOS,” IEEE INFOCOM 2019 – IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), Paris, France, 2019, pp. 1-6.
3. Marina Dodevska, Vesna Dimitrova, Jovana Dobreva, Elissa Mollakuqe, "Android vs iOS phone forensics: tools and techniques".
4. Wilson, Rodney & Chi, Hongmei (2017). A Case Study for Mobile Device Forensics Tools. pp. 154-157. doi:10.1145/3077286.3077564.
5. Dasari Manendra Sai, Nandagiri R G K Prasad, Satish Dekka, "The Forensic Process Analysis of Mobile Device", International Journal of Computer Science and Information Technologies, Vol. 6 (5), 2015, 4847-4850
6. https://cellebrite.com/en/ios-location-artifacts-explained/
7. https://en.wikipedia.org/wiki/App_Store_(Apple)
8. Christian Hummert, Dirk Pawlaszczyk, "Mobile Forensics – The File Format Handbook", 2022, https://doi.org/10.1007/978-3-030-98467-0
9. https://imazing.com/
10. Fedynyshyn T., Mykhaylova O., Opirskyy I. Method to Detect Suspicious Individuals through Mobile Device Data. Ukrainian Scientific Journal of Information Security, 2023, vol. 29, issue 3, pp. 154-161.