Tuesday, September 5, 2017

Cellular GPS Evidence: Waze + Cellebrite + CellHawk





It’s becoming common knowledge that location evidence on cellular devices can provide a wealth of evidence in any number of civil, criminal and investigative matters.  Law enforcement agencies use cellular location evidence from service providers to help place a criminal suspect at or near a crime scene in a given time frame.  Search and rescue analysts can use cellular call detail records to help locate missing persons as well.  And as we’ve detailed in previous articles, this type of evidence can be useful in any number of other matters, from divorce to alimony to fraud investigations and beyond.

So where does all of this evidence come from and how can we best utilize it?  It can come from a variety of different places, but the two main areas are the mobile device itself and the records from the cellular provider.  Proper legal authority needs to be in place to obtain the data from either source as well, but with the right training and experience, an investigator or consultant can help with obtaining those items.  Once the data is in-hand, any number of tools and approaches can help parse out the relevant data and map locations that may be of interest in the case.



In the example cited in this article, the data was extracted from an Apple iPhone 7 through an advanced logical extraction using Cellebrite Universal Forensic Extraction Device (UFED) Physical Analyzer.  Because I’ve been doing a lot of traveling lately and using the Waze app to find my way around various US-based locations, I decided to use Waze as a case study in location information.  Cellebrite UFED does natively parse this data (see fig. 1), but does not natively map the locations.  

  
Fig. 1: Waze Data parsed in Cellebrite PA

As you can see, Cellebrite adequately pulled GPS locations, dates, times and even addresses that were stored in Waze.  The list is longer, but figure 1 gives us a sample of a few months of Waze usage throughout various locations.

But again, Cellebrite does not natively map this data.  So how can we see this graphically and perhaps even create a demonstrative for use in court?  Enter the cellular record analysis and location mapping tool, CellHawk from Hawk Analytics.  CellHawk is an online tool that will natively read, parse and map location data from any of the major cellular providers as obtained through a search warrant or court order.  However, as I learned recently by attending the CellHawk training, it can also map anything with a date, time and GPS coordinates.  The tool just takes a little manual configuration once the data is exported in Cellebrite.
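The point above, that anything with a date, a time and a pair of GPS coordinates can be mapped once you tell the tool which column is which, is easy to reproduce without a commercial tool. The following Python script is an added example written for this article; it is not Cellebrite's or CellHawk's code, and the column names in the constructed sample export (`Timestamp`, `Latitude`, `Longitude`, `Address`) are assumptions, not the real Cellebrite export layout. It reads the export, lets you name the date/time and coordinate columns (the same mapping step CellHawk asks for on upload), drops rows with unparseable times or out-of-range coordinates, sorts the points chronologically, flags any point that would require implausible travel speed from the previous one (a sign of a bad timestamp or a cached rather than live location, which matters when the data will be shown in court), and emits GeoJSON that common mapping tools load directly.

```python
import csv
import io
import json
import math
from datetime import datetime

# Constructed sample of a navigation-history spreadsheet export saved as CSV.
# The column names are assumptions for this example, not the real Cellebrite
# export layout. The last row is deliberately malformed (latitude 91.0).
SAMPLE_CSV = """Timestamp,Latitude,Longitude,Address
2017-08-22 09:16:00,42.3601,-71.0589,"Boston, MA"
2017-08-21 14:05:00,37.5407,-77.4360,"Richmond, VA"
2017-08-21 18:40:00,38.9072,-77.0369,"Washington, DC"
2017-08-22 09:15:00,39.9526,-75.1652,"Philadelphia, PA"
2017-08-23 11:00:00,91.0000,-71.0589,"bad row: latitude out of range"
"""

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS-84 points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat = p2 - p1
    dlon = math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_records(text, time_col="Timestamp", lat_col="Latitude",
                  lon_col="Longitude", fmt="%Y-%m-%d %H:%M:%S"):
    """Read the export, keep only rows with a parseable time and valid
    coordinates, and return them sorted chronologically. The column
    arguments play the role of the column mapping CellHawk asks for."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            when = datetime.strptime(row[time_col].strip(), fmt)
            lat, lon = float(row[lat_col]), float(row[lon_col])
        except (KeyError, ValueError, AttributeError):
            continue  # malformed row: skip it rather than silently mis-map it
        if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
            continue  # coordinates outside the valid range are not plottable
        records.append({"time": when, "lat": lat, "lon": lon,
                        "label": (row.get("Address") or "").strip()})
    records.sort(key=lambda r: r["time"])
    return records


def flag_implausible(records, max_kmh=200.0):
    """Return indexes (into the sorted list) of records that would require
    travelling faster than max_kmh from the previous point. Such points are
    worth a second look before they go on a demonstrative exhibit."""
    flagged = []
    for i in range(1, len(records)):
        prev, cur = records[i - 1], records[i]
        hours = (cur["time"] - prev["time"]).total_seconds() / 3600.0
        dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
        if hours <= 0:
            speed = float("inf") if dist > 0 else 0.0  # same timestamp, moved
        else:
            speed = dist / hours
        if speed > max_kmh:
            flagged.append(i)
    return flagged


def to_geojson(records):
    """Build a GeoJSON FeatureCollection (longitude first, as the GeoJSON
    spec requires) as a plain dict; json.dumps() it to write a .geojson file."""
    features = [{
        "type": "Feature",
        "geometry": {"type": "Point", "coordinates": [r["lon"], r["lat"]]},
        "properties": {"time": r["time"].isoformat(), "label": r["label"],
                       "source": "Waze"},
    } for r in records]
    return {"type": "FeatureCollection", "features": features}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_CSV)
    print(f"{len(recs)} plottable points; suspicious indexes: {flag_implausible(recs)}")
    print(json.dumps(to_geojson(recs), indent=2))
```

Run as-is it reports four plottable points (the row with latitude 91.0 is dropped) and flags the Boston point, because the sample places it one minute after Philadelphia, roughly 436 km away. Swap `SAMPLE_CSV` for the contents of a real export and adjust the column names and `fmt` to match what the tool actually wrote.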

For this demonstration, I simply had to export the Waze Data into an Excel spreadsheet, which is natively supported in Cellebrite.  From there, the spreadsheet is uploaded into CellHawk, which natively reads the file column headers and asks for some direction about where the pertinent data (date/time/GPS location) is located within the spreadsheet.  Here’s an example of what we get when CellHawk reads and maps the data:


Fig. 2: Northeast Waze Locations

Our office is located in Richmond, VA, which is listed as the starting point for many of these trips.  But this map details all of the client visits in/around Virginia, Maryland and DC as well as locations where training was delivered in the Philadelphia and Boston areas over a period of more than a year. 

When a map location is clicked, CellHawk natively tries to associate a phone number with that data point.  Because the CellHawk generic location finder was used, the identifier of "Waze" was entered instead of a phone number, but this is user-defined in CellHawk.  Interestingly, the dates and times of the data points are listed and viewable when clicked in CellHawk.  The figure below details a recent trip to Kansas City, KS for the Cellular Analysis and CellHawk training:

Fig. 3: Date, time & location detail in CellHawk

What’s even more interesting about the dataset in general is the historical nature of some of these locations.  Figure 3 also illustrates several locations in and around Chicago and Milwaukee.  I used Waze to navigate in/around the Chicago area and to the Harley Davidson museum in Milwaukee in August, 2012.  Since then, while the Waze user account hasn’t changed, the device has been upgraded through 3 or more different iPhone models. 

This historical data was not a one-off or isolated to this trip only.  Fig. 4 below shows map locations from a trip to and around the ALERRT Center in San Marcos, TX where I attended a conference in 2011:


Fig. 4: Waze historical data from 2011 mapped in CellHawk

That’s Great.  Now what?

The data gathered by Cellebrite and mapped by CellHawk is useful to help prove or disprove someone may have been to and navigated around a particular area during a specified time frame.  Further, if a subject of an investigation or litigation claims they cannot drive, Waze can help disprove that claim.  When we factor in dates, times and historical data that is maintained over years and across multiple devices, the potential weight of that data becomes apparent.

There are other ways (no pun intended) to parse and map this data, but both Cellebrite and CellHawk make it fairly easy and intuitive.  In the ever-present questions of who, what, where, when, how and perhaps why of any incident, the ability to find, export and analyze this data simply and effectively is a fantastic investigative advantage!

P.S.  If you think this was a cool illustration, I highly recommend checking out CellHawk for your cellular call detail record and cell site mapping.  It’s a fantastic tool for mapping that particular set of data and that’s primarily what it was designed to do.  Be looking for a future blog diving into CellHawk for that purpose.

Author:
Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Wherever You Need Us!


We Find the Truth for a Living!
Computer Forensics -- Mobile Forensics -- Specialized Investigation

About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation investigations in Virginia court history.  Patrick is a graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple technical investigation schools. He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.
Twitter: @ProDigital4n6

Wednesday, July 5, 2017

Personal Injury & Insurance Fraud Investigation: Get the Mobile Device!




As a registered Private Investigator in Virginia, I routinely see job postings and other opportunities for “surveillance investigators” to work insurance fraud cases.  This role involves a licensed private investigator going to the home and/or work place of someone who has filed an injury claim against another party for damages to surveil and document (i.e., videotape) their activities to help prove or disprove that an injury has taken place and is in line with the claim.   As an example, John Doe claims injury at his local grocery store by slipping on a grape and falling.  He files suit against the grocery store chain, whose insurance company now must work to defend this claim if they feel the claim is fraudulent.  John Doe may get a doctor to diagnose him with some sort of nondescript physical malady, bolstering his case, but medical science can be fooled by a good actor, so the insurance company hires a private investigator to follow and record John’s activities so they can dispute his claim that he is legitimately injured due to the fall and present that evidence to the plaintiff attorney and John Doe to combat the suit. 

This is big business in the private and insurance fraud investigation worlds.  It’s probably just as big (or close to it) as infidelity investigations.  But when a private investigator is charging $65 per hour or more to sit in his car with a video camera, those costs can add up quickly.  One of the reasons why this is done is the worst reason in the world to do anything:  “That’s the way we’ve always done it!”  But there is a better and more high-tech way to help prove whether or not John Doe is really injured… 

Also, I never liked surveillance work, so let’s talk about building a better proverbial mousetrap…

Wearable Technology

The simple fact is that in the modern era, smart phones are everywhere.  Apple, Android, Windows and Blackberry (yes, still) are all in the game to get consumer market share for smart phones.  Furthermore, smart phones are almost always connected to a network of some type, be it a cellular network, Wi-Fi network, GPS or other type of connection.  One huge area of the smart phone market is wearable technology.  Apple Watch, FitBit, Nike & others all have the ability to track movement and calories burned for health & fitness purposes.  This data can be a huge benefit in insurance fraud investigations.  If John Doe is claiming he can’t walk more than 5 minutes at a time, would he really be taking 5,000 or more steps in a day?  Much of this data is available to us through mobile forensic data extraction and it really doesn’t go away unless the user chooses to make it go away.

Overall Data Sources

Even if there’s no wearable technology in place, the mobile device will often capture movement & health data by default.  In our experience, most users don’t turn off default settings such as location data & health tracking, so if they’re using a device, it’s a pretty good bet the data is still there.  Consider the sample data extraction we performed on an iPhone 6s in April, 2017 using Cellebrite Universal Forensic Extraction Device (UFED).  The extraction must be an encrypted extraction of an iPhone in order to include the health data and, even though the Health app isn’t currently natively supported, there is still useful data contained in a number of the app’s database tables.

Figure 1 below shows when the health data first started being logged on the device, which is our first clue that the app is in use:



The next figure helps show us how much data the Health app has used since its initiation on the device, which further proves that the user was using this app to track activity:


Fig. 2: Data in & data out on wireless network through Health App

The “Wan In” & “Wan Out” values are indicators that data has been sent and received through the Health app on the cellular network on this device.  It’s a simple equation: if there’s no data sent or received, the app is not in use.

Figure 3 details part of the healthdb.sqlite file, which is a database file that is associated with the Health app on the iPhone.  It details the data sources that the app is using to help track movement, calories burned, etc.:



Fig. 3: Data input devices

As you can see, the user is using not only the iPhone itself for the data input, but an Apple Watch as well.  The table even tracks the software version of each of the devices and we can see that the user has routinely updated the devices when new software versions were released.  If the user were syncing a FitBit or other wearable technology to this iPhone, that would likely be listed here as well and give us yet another clue about where to look for additional data.  Please note, the time frame listed here covers multiple devices through upgrades as well.

The native Health app on the iPhone has the ability to capture data from a number of different sources, such as Nike Run, FitBit or other apps which track movement, steps, etc.  Figure 4 below shows us the actual input data sources for data going to the Health app and gives us more information. 


Fig. 4: Data Sources Input

So we know that the data may be coming from the Apple Watch, the Health app, the iPhone generally or the RunKeeper app.  The healthdb_secure.sqlite database is the real goldmine in this treasure hunt because it tells us more specific information about steps taken, dates, times, calories burned, goals set by the user, etc.  Fig. 5 below is a sample of this data in the activity cache:


Fig. 5: Health App Activity Cache Example

After obtaining this data from John Doe’s (or Patrick’s) device, it starts to get very hard to stand by the claim that he is injured beyond the ability to do normal everyday activities.  But a further search of all the apps on the device reveals a number of other activity-tracking apps, such as Pacer, which is used to track movement and distance. 

The Pacer app is also not natively supported by Cellebrite, but that doesn’t matter.  It still stores a ton of information we can pull out of the database tables and report, as is shown in Fig. 6 below:

Fig. 6: Pacer App Data

This data can exist independently or be used to help corroborate the data that exists within the Health app.  Will they always be exactly the same?  No.  But the point is proven that there is a fair amount of movement happening and John Doe (or Patrick) is likely capable of earning a living and may not be injured to the degree he claims.
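The two steps described above, pulling daily step totals out of the Health activity cache and then checking them against an independent tracker such as Pacer, can be scripted once the database is in hand. The Python below is an added example for this article, not the page's own code and not Apple's or Pacer's schema: the two tables (`activity_samples` and `pacer_daily`) are constructed stand-ins built in an in-memory SQLite database, and their column names are assumptions. What is not an assumption is the timestamp convention: iOS databases built on Core Data store dates as seconds since 2001-01-01 UTC rather than the 1970 Unix epoch, and an examiner who feeds those values to a Unix-epoch converter will get dates 31 years too early. The script does the conversion inside the SQL, sums steps per day, lists days that exceed a threshold inconsistent with a claimed limitation, and reports which days the second source corroborates within a tolerance and which it disputes.

```python
import sqlite3
from datetime import datetime, timezone

# Seconds between 1970-01-01 (Unix epoch) and 2001-01-01 (the Apple/Cocoa
# reference date used by Core Data-backed iOS databases).
APPLE_EPOCH_OFFSET = 978307200


def apple_to_utc(seconds):
    """Convert an Apple reference-date timestamp to an aware UTC datetime."""
    return datetime.fromtimestamp(seconds + APPLE_EPOCH_OFFSET, tz=timezone.utc)


def utc_to_apple(dt):
    """Inverse of apple_to_utc, used here only to build the sample data."""
    return dt.timestamp() - APPLE_EPOCH_OFFSET


def build_sample_db():
    """Create an in-memory SQLite database with two HYPOTHETICAL tables that
    stand in for the Health activity cache and the Pacer store. The schema
    and the numbers are constructed for this example."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE activity_samples ("
                "start_date REAL, end_date REAL, step_count INTEGER, source TEXT)")
    con.execute("CREATE TABLE pacer_daily (day TEXT, steps INTEGER)")

    def t(y, m, d, h):
        return utc_to_apple(datetime(y, m, d, h, tzinfo=timezone.utc))

    samples = [  # start, end, steps, contributing device
        (t(2017, 4, 10, 8),  t(2017, 4, 10, 9),  3200, "iPhone"),
        (t(2017, 4, 10, 17), t(2017, 4, 10, 18), 4100, "Apple Watch"),
        (t(2017, 4, 11, 12), t(2017, 4, 11, 13),  600, "iPhone"),
        (t(2017, 4, 12, 7),  t(2017, 4, 12, 8),  9800, "Apple Watch"),
    ]
    con.executemany("INSERT INTO activity_samples VALUES (?,?,?,?)", samples)
    con.executemany("INSERT INTO pacer_daily VALUES (?,?)",
                    [("2017-04-10", 7050), ("2017-04-11", 650), ("2017-04-12", 4000)])
    return con


def health_daily_steps(con):
    """Sum step samples per UTC day. The epoch shift happens in SQL so the
    grouping key is a real calendar date, not a raw float."""
    rows = con.execute(
        "SELECT date(start_date + ?, 'unixepoch') AS day, SUM(step_count) "
        "FROM activity_samples GROUP BY day ORDER BY day",
        (APPLE_EPOCH_OFFSET,)).fetchall()
    return {day: steps for day, steps in rows}


def pacer_daily_steps(con):
    """Daily totals from the second (independent) tracker."""
    return {day: steps for day, steps in
            con.execute("SELECT day, steps FROM pacer_daily ORDER BY day")}


def days_over(daily, threshold):
    """Days whose total exceeds the threshold, e.g. a step count hard to
    square with a claim of being unable to walk more than a few minutes."""
    return sorted(day for day, steps in daily.items() if steps > threshold)


def corroborate(primary, secondary, tolerance=0.10):
    """Compare two sources day by day. Returns (agreeing_days, disputed_days):
    a day is disputed when the counts differ by more than the tolerance or
    when only one source has data for it. The sources are not expected to
    match exactly; the tolerance is the examiner's call."""
    agreeing, disputed = [], []
    for day in sorted(set(primary) | set(secondary)):
        a, b = primary.get(day), secondary.get(day)
        if a is None or b is None:
            disputed.append(day)
        elif abs(a - b) <= tolerance * max(a, b):
            agreeing.append(day)
        else:
            disputed.append(day)
    return agreeing, disputed


if __name__ == "__main__":
    db = build_sample_db()
    health = health_daily_steps(db)
    print("Health daily steps:", health)
    print("Days over 5,000 steps:", days_over(health, 5000))
    agree, disputed = corroborate(health, pacer_daily_steps(db))
    print("Pacer agrees on:", agree, "| disputes:", disputed)
```

Against a real extraction you would point `sqlite3.connect()` at a copy of the database file (never the original), replace the table and column names with what you actually see in the schema, and keep the epoch conversion exactly as shown. In the constructed data, two of the three days corroborate within 10% and the third is disputed, which is the kind of discrepancy to resolve before the numbers go into a report.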

Getting the Device

The rub in civil cases like this is often getting access to the device.  This important step should not be overlooked.  First and foremost, Counsel should issue a spoliation letter to the plaintiff to preserve this data.  If this is not in place, you run the risk of the data being destroyed when an order to produce is issued.  Furthermore, consumers upgrade their devices all the time, and if the device is upgraded during the litigation process, we need to ensure the previous device is still accessible.  Next, when the timing is appropriate, we can petition the court for a Motion to Compel the opposing party to produce their device for the purposes of proving or disproving certain activity.  We see this done fairly often in divorce matters to help prove or disprove infidelity, malicious behavior/abuse, locations etc.  One very important piece about the petition to the court is to request that any and all passcodes and passwords to the device be supplied by the opposing party.  Without this, we may not be able to access the data on the device.

There are likely other data sources on the device that may serve to dispute the claim of injury, such as pictures, videos, etc.  But the health and activity data is often overlooked by the claimant in a civil action because it’s all stored automatically.  Furthermore, this data is not always easy to delete.  So start thinking outside the box and call a digital forensic consultant before you call your private investigator with his video camera.  You could save a lot of time and money and get better and less subjective evidence to help defend your client!

About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation investigations in Virginia court history.  Patrick is a graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple online investigation schools (among others). He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.
Twitter: @ProDigital4n6