AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Blog Post

Pattern of Life – Tracking Through Mobile Applications

So getting back into blogging finally! Thanks for hanging in there with me. 

Unlike my last posts, time to roll up the sleeves and try to make this community better from a technical perspective. To do that, I’ve decided to look at individual applications from iOS (first) so I can see what we are looking at. This is most important to me, because as we all know, our tools will lie to us if we let it. Case in point — let us take a look at Pattern of Life artifacts. When we look at tools like Cellebrite, the Travel data comes from an assortment of artifacts…but is it hitting them all? Surely there aren’t that many apps that Cellebrite needs to parse right?

So sure…we probably have the tool hitting those Top 3, but what about the rest of these? I can tell you that one of these we are going to look at is not…..

 

So as a frequent traveler with this airline, I wanted to look at what data was actually being recorded. Here is what you can get after doing an Advanced Logical with Cellebrite Physical Analyzer version 7.26.0.206: 

That is whole lot of stuff! And I wonder how much of this is actually relevant to tracking down someone. That is where the DTX_7.0.12.1011.sqlite file is going to come into play. When we opened this up in our favorite database browser, we are greeted with 2 tables that will be relevant to us: RumMeasurement and RumSessionInfo. Below are the columns: 

 

 

So a lot of this can be extra juicy for us in the forensics world. First, lets get rid of some of the noise and focus in on what could help track someone down. Below is a SQL statement I created to pull in these two tables and rename the columns so we can better understand what we are looking at. Big thanks to those SANS FOR585 classes =]. 

SELECT
DATETIME(
startTimestamp, 'UNIXEPOCH', 'localtime'
) AS "Started Timestamp",
DATETIME(
stopTimestamp, 'UNIXEPOCH', 'localtime'
) AS "Ended Timestamp",
devicelocation AS 'Lat/Long of Device',
name AS "What User Viewed",
networkprotocol AS "Network Protocol",
bytesReceived AS "Bytes Received to User",
bytesSent AS "Bytes Sent from User",
deviceId AS 'Device ID',
deviceCarrier AS 'Carrier',
os AS 'OS Version',
CASE WHEN isJailbroken = 0 then "No" ELSE "Yes" End AS "Jailbroken"
FROM
RumMeasurement,
RumSessionInfo
ORDER BY
"startTimestamp" ASC;

When you run that bad boy — you get this in return: 

 

 

 

 

 

 

 

 

This makes for a GREAT forensic/investigative application now doesn’t it? In here we have: 

Start Timestamp – Time the person first opened the application (initiated the session) 

Ended Timestamp – Time the person exited the application

Lat/Long – Precise Latitude and Longitude of where the person is at with an X depicting when Lat stops and Long begins 

What User Viewed  – While not in the screenshot, it will show you what screen the person is on. This could the My Trips, Wallet, etc. pages

Network Protocol – I purposefully scrolled down to show the difference. This is showing you if the person is on Cellular or WiFi from the application 

Bytes Received to User – What is the App sending to the user 

Bytes Sent from User – What is the user requesting (Example, booking a ticket) 

Device ID  – What type of phone are they using 

Carrier – What carrier is the phone on 

OS Version  – What iOS is the phone using 

Jailbroken – Especially handy in today’s realm with Checkra1n/Checkm8 exploitation

 

All for now — but more to come! The point is just because an application may be extremely popular doesn’t mean that our tools are actually parsing all the goodies out of the databases and files. While there are dozens more files, this is the one which will truly be the most beneficial — especially if you’re trying to show someone may have been somewhere. Also to note, when using a VPN (I used PIA) this app crashes…so the reliability is such that these Lat/Long should be sound. More to test on that! 

Related Posts