Presentation at CEIC 2014, Las Vegas, Nevada - Finding Data on Wearable Computing Devices. Forensics on Google Glass, Samsung Galaxy Gear, Jawbone Up, and Omate Truesmart.

1. www.encase.com/ceic
Finding Data on
Wearable Computing Devices
Steve Watson
PUBLIC
Presented
20 May 2014
At CEIC 2014

2. STEVE WATSON
TECHNICAL SOLUTIONS ENGINEER, INTEL CORPORATION
PHD RESEARCHER, GLASGOW CALEDONIAN UNIVERSITY
Introduction

3. Disclaimer
The opinions expressed and materials shared in this presentation are my own and may
not reflect the opinions, policies, nor procedures of my employer.

4. D i g i t a l
C r i m e
s c e n e
o f
t h e
f u t u r e
EMERGING
CLOUD
LEGACY

5. What is a Wearable computing device?

6. 6
Video:
First Bank –
Get Back to
the Real
World
youtu.be/FV8
WAMCoPdl

7. Why are we talking about this?

12. Database of wearable devices

16. Use Cases
Multiple players:
 Quantified Self
▫ Fitness
▫ Health
 Technology extension/accessory
First glimpses:
 Lifelogging
 Authentication

17. Form Factors
Current:
 Head mounted
 Wrist mounted
 Body mounted
 Jewelry
Future:
 Ingestable
 Implantable

18. Photo Credits (clockwise):
Google, Google Glass
Recon Instruments, Recon Jet
LaForge Optical, Icis model
Innovega, iOptik
Google, smart contact lens

19. Photo Credits (clockwise):
Fin
Cubit
Cuff.io
Cellini, CSR prototype
Sign Language Ring

20. Photo Credits (clockwise):
KGPS, hereO
Omate Truesmart
FiLip
Nike FuelBand
Jawbone UP
Samsung Galaxy Gear

21. Photo Credits (clockwise):
Proteus
MC10, Biostamp
QardioArm, QuardioCore

22. Connectivity
Network accessible
 Standalone network capability
 Tethered to another device for connectivity
Non-network accessible
 Tethered to another device to provide data real-time
 Local storage

23. Connectivity
network accessible “smart” device
Direct connection to internet via
mobile modem or WiFi
Standalone, independent device Internet
Example: Omate Truesmart
Mobile
WiFi

24. Connectivity
network accessible “Tethered” device
Tethered connection to internet via
Bluetooth or WiFi
Tethered to another device for
connectivity
Application parses data to/from
device
Internet
Example: Samsung Galaxy Gear
Bluetooth
Mobile
WiFi

25. Connectivity
non-network accessible device
Fitness and health devices
Data fed to application on device
Data capture continues when
device is disconnected
Example: Jawbone UP
USB
Bluetooth

26. Common features among Wearables
Operating system differences
Simple, low power microprocessors
Early entries to market –
 Local storage or tethered to another device for connectivity
Expect –
 More smart devices with independent network access abilities

27. Four devices
overview
DEVICES FORM FACTOR OS STORAGE CONNECTION
Google
Glass
head-mounted Android
local, phone,
cloud
WiFi, Bluetooth
Omate Truesmart wrist-mounted Android local
3G, WiFi,
Bluetooth
Samsung Galaxy
Gear
wrist-mounted Android local, phone Bluetooth
Jawbone
UP
wrist-mounted proprietary
local, phone,
cloud
physical

28. Four devices
Connectivity
DEVICES CONNECTIVITY MODEL
Google
Glass
network accessible tethered device
Omate Truesmart network accessible smart device
Samsung Galaxy
Gear
network accessible tethered device
Jawbone
Up
non-network accessible device

29. Where to start
Where does the device store data?
What is the operating system?
How does the device connect for setup, configuration or connection?
Is there any protection to access the data on the device?

30. Google Glass

31. Specifications – Google glass
OPERATING SYSTEM Android 4.0.4
DISPLAY 640 x 360 pixel
PROCESSOR OMAP 4430 SoC, dual-core
RAM 1GB RAM
INTERNAL STORAGE 16GB (12GB useable)
EXTERNAL STORAGE -
SIM -
NETWORK tethered and standalone (WiFi)
CONNECTIVITY Bluetooth, WiFi, USB

32. Teardown Photos
16GB storage onboard
Photo Credit, Additional Information:
Catwig

33. Where Can The Data Go
Google Glass
Local storage
Tethered
mobile device
Google
Account
Other cloud
locations

34. Cloud Account

36. Mobile Application
“MyGlass”
Data location:
/userdata/data/com.google.glass.
companion
Application:
/userdata/app/com.google.glass.c
ompanion-1.apk
On iOS, “MyGlass for iOS” (iOS)

37. How to Access the Data
None of the mobile vendors have a bootloader yet.
But…it’s Android…
Enable USB debug - Link to detail instructions

38. File Structure
Google Glass In your favorite mobile forensics tool,
Find the options for:
Android 4.x
Android Smart Phone
Android FS extraction
or use Google ADB backup.

39. Omate truesmart

40. Specifications – OMATE TRUESMART
OPERATING SYSTEM Android 4.2, Omate UI 1.0
DISPLAY 240 x 240 pixel
PROCESSOR Dual core ARM Cortex-A7, 1.0 or 1.3Ghz
RAM 512MB or 1024MB RAM (Extreme Edition)
INTERNAL STORAGE 4GB or 8GB RAM (Extreme Edition)
EXTERNAL STORAGE microSD
SIM Micro SIM
NETWORK
2G Quad Band: 900/1800/ 850/1900 GSM, GPRS, EDGE
3G Mono band: 2 versions 2100 (Europe) or 1900 (US)
UMTS, HSDPA, HSUPA, HSPA, HSPA+
CONNECTIVITY Bluetooth, WiFi, USB

41. Teardown Photo

42. Where Can The Data Go
Omate Truesmart
Local storage
micro SD
Full mobile
capabilities

43. How to Access the Data
Omate truesmart
Enable USB debug - Link to detail instructions
Notes for the techies:
Very sensitive to the micro-USB cable.
Significant driver issues with adb backup.
Cellebrite and XRY both collect successfully

44. Samsung galaxy gear

45. Specifications – Samsung galaxy gear
OPERATING SYSTEM Android
DISPLAY 320x 320 pixel
PROCESSOR Single-core 800 Mhz ARM
RAM 512MB RAM
INTERNAL STORAGE 4GB
EXTERNAL STORAGE -
SIM -
NETWORK tethered
CONNECTIVITY Bluetooth, USB

46. Teardown Photos

47. Where Can The Data Go
Samsung Galaxy gear
Local storage
Tethered
mobile device
Other cloud
locations

48. Mobile Application
Gear Manager Application
App:
/Root/app/com.samsung.android.app.w
atchmanager-1.apk
App data:
/Root/data/com.samsung.android.app.w
atchmanager/
Photos:
/Root/media/0/DCIM/Camera/Galaxy_G
ear/20140312_220623.jpg

49. How to Access the Data
Samsung galaxy gear
Enable USB debug - Link to detail
instructions
Notes for the techies:
Find the charging dock!

50. Jawbone up

51. Specifications and Teardown
Jawbone UP

52. Where Can The Data Go
Jawbone up
Local storage
Tethered
mobile device
Cloud account

53. Application Controlling Device
Jawbone up

54. Cloud Account
Jawbone up
1. Login to account at www.jawbone.com
2. Click the profile
3. Click the devices

55. Mobile application
Jawbone up
iOS application:
com.aliphcom.Armstrong
iOS location:
/Data/Data/mobile/Applications/[applic
ation id]/Library/[user
id]/CoreData/Armstrong.sqlite

56. Next Steps
Jawbone UP
Retrieve data off of the Jawbone UP
Obstacles:
Proprietary operating system on the device.
Non-standard connection.
No existing documentation – vendor or community.

57. Summary
This is just the beginning.
We have options.
We need to challenge our vendors to be ready for what is coming.

58. Thank you
Contact Options:
01100110 01101111 01110010 01100101 01101110 01110011 01101001 01100011 01000000
01110011 01110100 01100101 01110110 01100101 01110111 01100001 01110100 01110011
01101111 01101110 00101110 01101110 01100101 01110100
stevewatson.net
Twitter @stevewatson
LinkedIn - watsonsteve

59. Reference slides
1. Google Glass – Enable debug
2. Google Glass - ADB backup or Vendor collection via ADB
3. Omate Truesmart – Enable debug
4. Samsung Galaxy Gear - Tether to mobile device
5. Samsung Galaxy Gear – Enable debug

60. Please reach out for assistance,
additional information or for
access to the remainder of the
slides in backup material.
Where is the rest of the slide deck?
60