Presentation at CEIC 2014, Las Vegas, Nevada - Finding Data on Wearable Computing Devices. Forensics on Google Glass, Samsung Galaxy Gear, Jawbone Up, and Omate Truesmart.
3. Disclaimer
The opinions expressed and materials shared in this presentation are my own and may
not reflect the opinions, policies, nor procedures of my employer.
4. D i g i t a l
C r i m e
s c e n e
o f
t h e
f u t u r e
EMERGING
CLOUD
LEGACY
22. Connectivity
Network accessible
Standalone network capability
Tethered to another device for connectivity
Non-network accessible
Tethered to another device to provide data real-time
Local storage
23. Connectivity
network accessible “smart” device
Direct connection to internet via
mobile modem or WiFi
Standalone, independent device Internet
Example: Omate Truesmart
Mobile
WiFi
24. Connectivity
network accessible “Tethered” device
Tethered connection to internet via
Bluetooth or WiFi
Tethered to another device for
connectivity
Application parses data to/from
device
Internet
Example: Samsung Galaxy Gear
Bluetooth
Mobile
WiFi
26. Common features among Wearables
Operating system differences
Simple, low power microprocessors
Early entries to market –
Local storage or tethered to another device for connectivity
Expect –
More smart devices with independent network access abilities
27. Four devices
overview
DEVICES FORM FACTOR OS STORAGE CONNECTION
Google
Glass
head-mounted Android
local, phone,
cloud
WiFi, Bluetooth
Omate Truesmart wrist-mounted Android local
3G, WiFi,
Bluetooth
Samsung Galaxy
Gear
wrist-mounted Android local, phone Bluetooth
Jawbone
UP
wrist-mounted proprietary
local, phone,
cloud
physical
28. Four devices
Connectivity
DEVICES CONNECTIVITY MODEL
Google
Glass
network accessible tethered device
Omate Truesmart network accessible smart device
Samsung Galaxy
Gear
network accessible tethered device
Jawbone
Up
non-network accessible device
29. Where to start
Where does the device store data?
What is the operating system?
How does the device connect for setup, configuration or connection?
Is there any protection to access the data on the device?
37. How to Access the Data
None of the mobile vendors have a bootloader yet.
But…it’s Android…
Enable USB debug - Link to detail instructions
38. File Structure
Google Glass In your favorite mobile forensics tool,
Find the options for:
Android 4.x
Android Smart Phone
Android FS extraction
or use Google ADB backup.
42. Where Can The Data Go
Omate Truesmart
Local storage
micro SD
Full mobile
capabilities
43. How to Access the Data
Omate truesmart
Enable USB debug - Link to detail instructions
Notes for the techies:
Very sensitive to the micro-USB cable.
Significant driver issues with adb backup.
Cellebrite and XRY both collect successfully
55. Mobile application
Jawbone up
iOS application:
com.aliphcom.Armstrong
iOS location:
/Data/Data/mobile/Applications/[applic
ation id]/Library/[user
id]/CoreData/Armstrong.sqlite
56. Next Steps
Jawbone UP
Retrieve data off of the Jawbone UP
Obstacles:
Proprietary operating system on the device.
Non-standard connection.
No existing documentation – vendor or community.
57. Summary
This is just the beginning.
We have options.
We need to challenge our vendors to be ready for what is coming.
59. Reference slides
1. Google Glass – Enable debug
2. Google Glass - ADB backup or Vendor collection via ADB
3. Omate Truesmart – Enable debug
4. Samsung Galaxy Gear - Tether to mobile device
5. Samsung Galaxy Gear – Enable debug
60. Please reach out for assistance,
additional information or for
access to the remainder of the
slides in backup material.
Where is the rest of the slide deck?
60