Pages

Saturday, February 25, 2017

Waze for Android forensics


Lots of Location Information


All blog posts to date
Introduction Acquisition Analysis
Introduction Imaging an Android Device Examining the image
Picking a Toolkit Live imaging an Android device Some hidden artifacts in a physical image
Why not load ClockworkMod or TWRP to image a device? Using Autopsy to examine an Android image
Identifying your Userdata Partition Some artifacts in the /data/system/ directory
Some non-root methods to learn about a device Viewing SQLite Databases
A quick note on imaging newer Android devices Facebook for Android Artifacts
Using Windows to Live Image an Android device Interpreting data from apps
Obtaining all files in the data partition without a physical image Waze for Android forensics
Magnet Forensics App Simulator
App Reversing Other Topics
Reverse Engineering an Android App File The differences between a physical image and a logical extraction
Fun with Apktool Dirty cow
Deep dive into an app Imaging and examining an Android car stereo
Unpacking boot and recovery kernels
MTPwn
Introduction
Many years ago, I spent an evening at my grandparents' house before taking off for a day-long there-and-back trip across state lines to my soon-to-be university.  The trip was just before I started grad school at the university and I was interviewing for a graduate assistantship, which I earned.  I had been to the campus a few times, but I can't say I was overly familiar with the turf and I had never driven there from my grandparents' house.  So my grandfather gave me an old US atlas of his.  An old Rand McNally US highway atlas that Wal-Mart published every year.  Remember those?  They would publish a new highway atlas each and every year in the off-chance that Main Street might get up and move between this year and next.

Anyways, I used that atlas to navigate.  I'm a natural with maps - I grew up backpacking and therefore relying upon trail maps - so I found my way there and back.  And of course, this was towards the beginning of the smartphone era, so I did not have a digital device for navigation.  Paper was just fine.

I kept that atlas around for other trips.  One year, a friend of mine and I drove from the Midwest down to Alabama and back for a football game.  It was an awesome trip, including a stop at the Louisville Slugger factory and museum and another at the Space and Rocket Center in Huntsville.  That friend of mine also is old-school like me, not needing an LCD screen to get from point A to point B.  I kept that same old atlas around for other road trips, for football games, skiing, and so forth.

Where is that old atlas now?  It's been cut up and turned into a Christmas present.  No, I'm not kidding.  My dad is a marathon runner, aiming to run a marathon in all 50 states, so my wife and I made a little scrapbook for him to document each run, photos and such, against a map of each state.  And why was I willing to sacrifice that atlas?  Because, you know, who uses an atlas anymore?

Waze
There are several maps and navigation apps out there for Android.  I find Waze to be such a novel app in that it is a combination of navigation and social networking.  Meaning app users report road incidents so other users can be aware of accidents, construction, roadkill, traffic jams, and other slowdowns.  Waze effectively crowdsources traffic information.

You can use Waze as a GPS navigation app, for communicating slowdowns, for sharing your location and trips with friends, and I've found it has an incredibly loyal following.  Waze-ers seem to never flip back to Google maps.  Point is, as a this app gives you, the forensic examiner, locations, times, and a social network.  That is gold for an investigation if the target uses Waze.

So I populated a phone with Waze, imaged it, and disected the data.  There's a lot of geo-location there, and it is quite easy to comprehend.  So ... here we go.

user.db
The package name for the app is com.waze.  So once you've got your image, check out the directory com.waze within the data app of the userdata partition.

The main file to check out is user.db - in that directory com.waze, not in any subdirectory.  The database has a bunch of tables.  I will highlight the ones of interest.  This is a SQLite database.  I did a post a while back on viewing SQLite databases.

First, the table PLACES.  This one stores places the user has searched for and selected as a navigation destination.  Here's the columns of interest:
  • name: Name of the destination, such as "Home", or "Safeway"
  • street:  Street address of the destination
  • city:  City of the destination
  • state:  State of the destination
  • country:  Country of the destination
  • house:  Apartment or other unit number
  • longitude:  Longitude, multiplied by 1,000,000.  Add a decimal accordingly
  • latitude:  Latitude, also multiplied by 1,000,000
  • created_time: Epoch time it was searched.
I was going to screencap the database, but it would not be worth much after I would black out all the personal sensitive data, which is all of it.  I'm not about to let the Internet know where I live, where I work, and when I go to where!

This is all plain text.  All you need to do is an epoch time conversion and you've got a listing of when each destination was searched for, exactly where on the planet it is, and the street address.  This table alone can be a goldmine for an examiner.

Next the table PEOPLE.  With Waze, you can connect people via Facebook, and then you can share your location and coordinate travel.  Here's the columns of interest:
  • waze_id: The Waze ID of the user in order to link to the right Waze user.  More on the device's Waze ID later.
  • facebook_id: Facebook's ID of the contact in order to link to the right person.
  • first_name: First name of the contact
  • last_name: Last name of the contact
  • create_time: Epoch time the contact was added
  • modified_time: Epoch time the contact was modified last
So far, Waze has provided your location search history and your contact history.

Next, the table SHARED_PLACES.  This table includes locations the user has shared, which may mean the location is of significance.  Really there are only a few columns of interest, so check out the created time, the place name, and the share time.  Pretty self explanatory.

There are some other interesting tables in the database.  Feel free to browse around and see if anything else is of interest.

XML Files 
Next up, check out the directory shared_prefs.  This includes some xml files.  I'll highlight two of interest.

First, the file com.waze.appuid.xml .  I previously mentioned the Waze ID.  Here it is.  Linking the Waze ID of one device in this XML file to another device in the user.db, table PEOPLE, indicates these two users know each other.

Second, com.waze.parked.xml.  Here's what mine looks like:

<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="dest_lon">[REDACTED]</string>
    <string name="dest_name">[REDACTED]</string>
    <string name="dest_venueId">[REDACTED]</string>
    <string name="dest_lat">[REDACTED]</string>
</map>


When you finish a Waze trip, which should naturally end with parking the car, this file is created.  It stores where the car is and when the trip ended.  Nifty, huh?

Log
Finally, go back up a directory and check out the file waze_log.txt.  This is a massive log file with some decent goodies.

There are geo-coordinates which represent different stops along the way on a trip.  I also found information about routes from point A to point B.  Of interest, there is a list of each route of highlights along the way - anything from airports to groceries to gas stations.  This may be of interest.  There are all kinds of businesses listed that are near the route - which may also be of interest.

This was a rather simple app study - and I did not go all too deep into the app data.  If you have a specific app you would like me to do a deep dive, let me know.  I may be up for it.  Additionally, the data in this post could be easily transformed into a simple forensic parser.  If you would like a simple Python script to parse all this data, let me know.  It shouldn't take me too long. 

Another blog
As an influential member of the mobile forensics community, I believe in promoting each other's work.  There is a blog from a few years ago that appears to still be valid today. Apps change and so sometimes findings for one version of an app are invalid when the app upgrades. These findings look good on current versions of the app. The blog was a capstone project for undergrad on this topic.  Check out this link for some excellent Waze work.


Summary
  • Waze stores a good amount of geo-history in easily accessible plain text, mostly in a single database
  • An XML file stores the last place and when the car parked at the end of a Waze trip
  • The waze_log.txt file has a lot of data and I've barely checked it out
Questions, comments, suggestions, or experiences?  Fun road trips?  Leave a comment below, or send me an email.

7 comments:

  1. Pretty interesting stuff mate , i m dissapointed you got so little atention around here but it turns out that not a lot of people are interesting in forensics , I m pretty interested to develop a forensics App for Android as a school project so I m going to stick here for a while , maybe you ll get me some help when u got time , cheers and good work

    ReplyDelete
    Replies
    1. Waze For Android Forensics >>>>> Download Now

      >>>>> Download Full

      Waze For Android Forensics >>>>> Download LINK

      >>>>> Download Now

      Waze For Android Forensics >>>>> Download Full

      >>>>> Download LINK nw

      Delete
  2. Hi Mark, really interesting post which has sparked a few ideas. I'm going to try and correlate the digital artefacts from Waze with that of IMs or Personal Assistants. Would be interesting to see what events could be reconstructed. Thanks for all your great work - Arbee

    ReplyDelete
    Replies
    1. That's a great topic idea! Good luck and I'd love to hear any results.

      Delete
  3. Waze For Android Forensics >>>>> Download Now

    >>>>> Download Full

    Waze For Android Forensics >>>>> Download LINK

    >>>>> Download Now

    Waze For Android Forensics >>>>> Download Full

    >>>>> Download LINK nJ

    ReplyDelete
  4. Android apps have become increasingly popular over the years due to their convenience and easy access. However, it can sometimes be difficult to understand exactly how certain apps work, or what kind of code is used to create them. In this article, we will explore the concept of decompiling an Android app in order to better understand the code that has been used. Decompiling an app means taking apart its code and examining each component separately.

    ReplyDelete