One of the increasingly common problems with location artifacts and forensic investigations is that almost every application stores them, and a device doesn’t have to be in that location for the application to track this type of data. For example, sharing calendar invites, accepting Facebook Event invitations, and other seemingly normal activities may result in the application creating a geolocation artifact.

So how do you separate fact from fiction? If the location of a user at the time of an event is in question, test the application and review the results. It is easy to dispel an argument if you know where your test device has been and where it hasn’t.

Activity trackers are a common application type whose location data is more trustworthy. These applications rely on GPS satellites to triangulate the user's position while they are engaged in an activity at a specific moment in time, so the device really was at the recorded location.

A fellow SANS student, David Bernal, shared his solution to a lesser-known application that was storing a treasure trove of location artifacts. Similar to the previous scripting example, he first determined what type of data was getting stored by the application and where this data was saved. One database, mmdk_user, was storing personal information about the user, while another, workout-db, contained the activities along with timestamp and GPS coordinates.

To operate this script, copy mmdk_user and workout-db from the application directory to the Python27 directory on your processing machine. Place the Python script, parseMapMyRide.py, in the Python27 directory as well.

Navigate to the Python27 directory:

From C:\Python27>, type python.exe parseMapMyRide.py to execute the script.

Where:

1) python.exe is the executable

2) parseMapMyRide.py is the script

The script outputs three new files to the Python27 directory: userMapMyRide.csv, workoutSummary.csv, and workoutGPS.txt.

Per the instructions:

1) Open the workoutSummary.csv file

2) Import workoutGPS.txt into Excel by selecting DATA > Get External Data > From Text

3) Select Delimited and Semicolon from the Import Wizard to create the final output

The resulting file incorporates all of the evidentiary data that was carved from this application database and also supplies a link to view the results in Google Maps.
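The following is an added example of the same approach David's script takes; it is not parseMapMyRide.py and does not use the real mmdk_user or workout-db layout. It assumes a hypothetical schema (tables named workouts and gps_points with Unix epoch timestamps), builds that schema in an in-memory SQLite database with constructed coordinates, and produces the two outputs described above: a workout summary in CSV and a semicolon-delimited GPS file with a Google Maps link per point, ready for the Excel Delimited/Semicolon import step.

```python
# Added example (not David Bernal's parseMapMyRide.py): parse a workout
# database with a HYPOTHETICAL schema into a summary CSV and a
# semicolon-delimited GPS file that carries a Google Maps link per point.
import csv
import io
import sqlite3
from datetime import datetime, timezone

MAPS_URL = "https://www.google.com/maps?q={lat:.6f},{lon:.6f}"


def build_sample_db():
    """Return an in-memory SQLite DB with constructed sample data.
    The tables 'workouts' and 'gps_points' are an assumed schema, not the
    real workout-db layout."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE workouts (
            id INTEGER PRIMARY KEY, name TEXT, start_time INTEGER);
        CREATE TABLE gps_points (
            workout_id INTEGER, ts INTEGER, lat REAL, lon REAL);
        """
    )
    conn.execute("INSERT INTO workouts VALUES (1, 'Morning run', 1500000000)")
    conn.executemany(
        "INSERT INTO gps_points VALUES (?, ?, ?, ?)",
        [
            (1, 1500000000, 38.889500, -77.035200),  # constructed coordinates
            (1, 1500000060, 38.890100, -77.036800),
            (1, 1500000120, 38.891200, -77.038100),
        ],
    )
    return conn


def to_utc(epoch_seconds):
    """Render a Unix epoch as an ISO-8601 UTC string. In real work keep the
    raw epoch next to it so the conversion can be verified later."""
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).strftime(
        "%Y-%m-%d %H:%M:%S UTC")


def workout_summaries(conn):
    """One row per workout: id, name, UTC start, point count, UTC first/last fix."""
    rows = conn.execute(
        """
        SELECT w.id, w.name, w.start_time, COUNT(p.ts), MIN(p.ts), MAX(p.ts)
        FROM workouts w LEFT JOIN gps_points p ON p.workout_id = w.id
        GROUP BY w.id ORDER BY w.id
        """
    ).fetchall()
    return [
        {
            "workout_id": wid,
            "name": name,
            "start_utc": to_utc(start),
            "points": count,
            "first_fix_utc": to_utc(first) if first is not None else "",
            "last_fix_utc": to_utc(last) if last is not None else "",
        }
        for wid, name, start, count, first, last in rows
    ]


def gps_lines(conn):
    """Semicolon-delimited lines: workout id; epoch; UTC time; lat; lon; maps link.
    Semicolons match the Excel 'Delimited / Semicolon' import described above."""
    lines = []
    for wid, ts, lat, lon in conn.execute(
        "SELECT workout_id, ts, lat, lon FROM gps_points ORDER BY workout_id, ts"
    ):
        lines.append(";".join([
            str(wid), str(ts), to_utc(ts), f"{lat:.6f}", f"{lon:.6f}",
            MAPS_URL.format(lat=lat, lon=lon)]))
    return lines


def summary_csv(conn):
    """Render the summary as CSV text (the contents of workoutSummary.csv)."""
    buf = io.StringIO()
    rows = workout_summaries(conn)
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    db = build_sample_db()
    with open("workoutSummary.csv", "w", newline="") as f:
        f.write(summary_csv(db))
    with open("workoutGPS.txt", "w") as f:
        f.write("\n".join(gps_lines(db)) + "\n")
    print(summary_csv(db))
```

To run it against an extracted database instead of the constructed one, replace build_sample_db() with sqlite3.connect(path_to_copy) and adjust the two SELECT statements to the application's actual table and column names; the timestamps are converted to UTC deliberately, since a device's local time zone is itself an artifact to be established rather than assumed.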

Thanks to David for taking the time to write such a comprehensive script for an application that may not otherwise be parsed. This script is available on David’s GitHub [1].

Reference:

[1] https://for585.com/david-gitub

Output from the spreadsheet below has been redacted to protect the user’s location information.