Wednesday, March 6, 2013

Where am I?

I'll have to admit that I have been slacking lately with this project as I've been so busy with school and work. Now that I'm on spring break for a week, I finally have plenty of time to get some things done. Every time I think I'm done gathering data, I think of something else I'd like to do. So in respect to doing a full analysis, I am not there yet. In the mean time, I have been playing around with Oxygen and Santoku. I haven't deleted any data yet, but I wanted to forensically look at the data I have so far.

I downloaded Oxygen Forensic Suite 2013 and surprisingly, the camera was recognized. This was not the case when I first tried Oxygen, but that was before the camera was rooted and I was using an older version of the software. Knowing that both EnCase 7 and Oxygen can acquire the camera, I decided to dabble some more into Santoku.

Today I found my Android Forensics book (which I've been looking for this whole time) and used Santoku's terminal to try the logcat and dumpsys commands. I used the command "adb shell logcat > log.txt" to  dump the logs from the camera to a text file on Santoku. I found that this dump didn't capture as much data as the command "adb logcat" did. Using the latter, the results were presented within the terminal and were updated every couple of seconds. I noticed that when I touched the screen on the camera, the log was updated with the word PUSHED and when I shut the display off, a number of LCD requests were created. It was pretty interesting to watch the log do a live update and it's something I'd like to look further into.

What I found more interesting though, was the command "adb shell dumpsys > dump.txt" This dump consists of account data, application data, network data, and much more. It turns out to be a pretty extensive word document and can take a while to sort through if you don't know what you're looking for specifically. Thanks to Andrew Hoog's android forensic book, I was able to filter through the dump and find what I wanted.

I ran the command and opened the dump.txt file. I found the 6 accounts created on the camera:

You'll notice the dump says 7 accounts, but this is because it is associating the name Sammy Sung with the Facebook account.

Next, I looked for Last Known Locations, which provided me with pretty exciting data:

Looking at the mTime under Passive, we can convert that number to:

Beneath the mTime is mLatitude and mLongitude. This is the location of the camera when it last connected to a cell tower. I threw these numbers into this website to see if the locations were accurate. I had expected the locations to be somewhat close to where I was, but to my surprise, they were dead on:

I'm still looking more into what logcat and dumpsys have to offer. Andrew's book goes into numerous other Linux commands to run in order to find all sorts of data on the camera. I plan on spending the rest of my week trying out these commands and gathering as much data as possible from them.


  1. Wow looks like things are going along great Cat. What version of EnCase where you using? 7.06 which was just released on Feb 21 has increased support for android devices. But it looks like you are doing awesome, I cant wait to see your final paper.

  2. Thanks Josh! I was using EnCase 7.04, but I'll look into 7.06 so thanks for the tip.