TomTom Triplog Decryption: Provided by Cellebrite Advanced Investigative Services

Global Positioning System (GPS) receivers fall into the category of wireless devices that can hold a considerable amount of evidence usable in an investigation. People's whereabouts are recorded in second-by-second detail on their TomTom navigation system, and retrieving this information can provide powerful digital evidence for a case.

In recent years, the law enforcement community has seen a dramatic increase in the use of GPS devices as an instrument of a crime or as a “witness device” collecting and logging positional data while the crime is being carried out. TomTom and Garmin units are by far the most popular devices law enforcement have been encountering. The sales of portable navigation devices are at an all-time high.

Last year, more than forty million portable GPS devices such as TomTom's GO series or Garmin's Nuvi series were sold worldwide.* In Europe, TomTom is the most widely used navigation system, and its large market share (47%) can be attributed in part to TomTom units built into vehicles. Forensic analysis of vehicle movement records can provide evidence of considerable value in crime detection. (Cellebrite does not extract data from built-in systems directly, but does support decoding of chip-off extractions from them, followed by decryption of the triplogs.)

Cellebrite supports a select list of TomTom devices, which can be found here. Aside from extracting timestamped GPS locations from the trip log files using its decryption technology, Cellebrite also provides decoding support for contacts, calls and locations.

When a TomTom device is set up for the first time, it asks the user for permission to collect information from the navigation device. The shared information, the triplogs, is used to improve maps and other TomTom services, such as traffic information for the area the user is in. (These services are disabled if the user chooses not to share the information.)

If the user accepts, the TomTom device logs all trips in dedicated binary files known as triplogs. These files are saved in the device file system under a directory named STATDATA. Together they form a very high-resolution breadcrumb trail of where the person travelled with the navigation system. TomTom triplogs are encrypted to protect user privacy, which also adds an obstacle for the examiner on top of the ones that already exist.

Cellebrite offers a decryption service to its customers, as part of Cellebrite Advanced Investigative Services (CAIS), that extracts timestamps and locations from the triplog files residing in the STATDATA folder. The triplog files hold complete trip GPS information (including latitude and longitude), often thousands of fixes, at a resolution of 1 to 5 seconds.

TomTom Triplogs

How can I send Cellebrite these triplogs?

In UFED Physical Analyzer, open the extraction, select Tools > TomTom, and choose Export to save the XML file generated from the triplogs; then submit that file to Cellebrite via CAIS. The decrypted data is returned within a few days, ready to be imported into UFED Physical Analyzer, where the triplogs can be viewed in detail (roughly one fix every 3 seconds while the device was active). A KML file can then be generated and viewed in Google Earth or similar applications.
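The last step above, turning decrypted trip-log fixes into a KML track for Google Earth, is easy to script once the decrypted data is in hand. The following is an added example, not Cellebrite's or TomTom's code: the page does not document the UFED import/export XML schema, so it assumes (as a constructed input format) one fix per line as "UTC time,latitude,longitude". It splits the breadcrumb trail into trips wherever the gap between consecutive fixes exceeds the 1 to 5 second logging cadence by a wide margin, and writes one LineString per trip plus a timestamped Placemark per fix.

```python
"""Build a Google Earth KML track from decrypted TomTom trip-log fixes.

Added example; not Cellebrite or TomTom code. Input format is an
assumption (constructed): "YYYY-MM-DDTHH:MM:SSZ,lat,lon" per line.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# Constructed sample: four fixes at a 3 s cadence, a 20-minute gap
# (device off or no fix), then three more fixes.
SAMPLE_FIXES = """\
2014-08-06T13:00:00Z,52.3731,4.8922
2014-08-06T13:00:03Z,52.3733,4.8930
2014-08-06T13:00:06Z,52.3735,4.8938
2014-08-06T13:00:09Z,52.3737,4.8946
2014-08-06T13:20:09Z,52.3790,4.9100
2014-08-06T13:20:12Z,52.3792,4.9108
2014-08-06T13:20:15Z,52.3794,4.9116
"""

def parse_fixes(text):
    """Parse the constructed CSV format into sorted (time, lat, lon) tuples,
    rejecting coordinates outside the valid WGS84 range."""
    fixes = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, lat, lon = line.split(",")
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        lat, lon = float(lat), float(lon)
        if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
            raise ValueError(f"line {n}: coordinate out of range")
        fixes.append((t, lat, lon))
    fixes.sort(key=lambda f: f[0])  # a trail only makes sense in time order
    return fixes

def split_trips(fixes, max_gap_s=60):
    """Split the trail into trips wherever consecutive fixes are more than
    max_gap_s apart; the device logs every 1-5 s while it is active."""
    trips, current = [], []
    for fix in fixes:
        if current and (fix[0] - current[-1][0]).total_seconds() > max_gap_s:
            trips.append(current)
            current = []
        current.append(fix)
    if current:
        trips.append(current)
    return trips

def trip_summary(trips):
    """One row per trip: start, end, duration in seconds and fix count."""
    return [{"start": t[0][0], "end": t[-1][0],
             "duration_s": int((t[-1][0] - t[0][0]).total_seconds()),
             "fixes": len(t)} for t in trips]

def fixes_to_kml(fixes, name="TomTom triplog", max_gap_s=60):
    """Return a KML 2.2 document as a string. KML coordinate order is
    lon,lat[,alt], the reverse of the lat,lon order in the input."""
    kml = ET.Element("kml", xmlns="http://www.opengis.net/kml/2.2")
    doc = ET.SubElement(kml, "Document")
    ET.SubElement(doc, "name").text = name
    for i, trip in enumerate(split_trips(fixes, max_gap_s), 1):
        folder = ET.SubElement(doc, "Folder")
        ET.SubElement(folder, "name").text = f"Trip {i}"
        track = ET.SubElement(folder, "Placemark")
        ET.SubElement(track, "name").text = f"Trip {i} track"
        line = ET.SubElement(track, "LineString")
        ET.SubElement(line, "coordinates").text = " ".join(
            f"{lon:.6f},{lat:.6f},0" for _, lat, lon in trip)
        for t, lat, lon in trip:
            pm = ET.SubElement(folder, "Placemark")
            ET.SubElement(pm, "name").text = t.strftime("%H:%M:%SZ")
            ET.SubElement(ET.SubElement(pm, "TimeStamp"), "when").text = \
                t.strftime("%Y-%m-%dT%H:%M:%SZ")
            ET.SubElement(ET.SubElement(pm, "Point"), "coordinates").text = \
                f"{lon:.6f},{lat:.6f},0"
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + \
        ET.tostring(kml, encoding="unicode")

if __name__ == "__main__":
    fixes = parse_fixes(SAMPLE_FIXES)
    for row in trip_summary(split_trips(fixes)):
        print(row)
    print(fixes_to_kml(fixes))
```

The TimeStamp elements let Google Earth's time slider replay the trail, and the per-trip split makes gaps (device powered off, no satellite fix) visible rather than drawing a straight line across them; adjust `max_gap_s` to the cadence you actually see in the decrypted data.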

UFED Physical Analyzer supports TomTom extraction and decoding of the following information: home, favorites, recent locations, user-entered locations, last journey, location with date and time, routes, GPS fixes (including deleted ones), and deleted locations of all categories, as well as geotag visualization of location-based data in Google Earth/Maps.

UFED Physical Analyzer also includes a covert feature that silently enables triplog logging: connect a TomTom device to the UFED system and activate the logging feature, and the device will begin saving triplogs the next time it is used. Because this changes the device's configuration, its use should be authorized and documented like any other change made to an exhibit.

Send us an email to learn how Cellebrite Advanced Investigative Services can help with your encrypted triplog files and with Google Earth KML files.

Watch the webinar below to learn how you can use UFED Physical Analyzer to extract TomTom files:

References

*http://www.forensicfocus.com/tomtom-gps-device-forensics

Discover Best Practices and Advanced Decoding with UFED Physical Analyzer: Q&A from Cellebrite’s webinar

In a recent webinar, Dan Embury, our CAIS Technical Director, provided participants with tips, tricks and best practices to help them get the most out of UFED Physical Analyzer. Topics covered include Android custom recovery, Android UFS-based device unlocking, BlackBerry 10 backup encryption, Android backup APK downgrade, an overview of Apple iOS jailbreaking, and decrypting and decoding TomTom trip log files.

The webinar is available for viewing at the bottom of this post. During the webinar, participants asked a number of good questions, which we’ve compiled in this blog.

Note: If you don’t see your question answered below, please leave a comment at the end of this post!

Q: Can you confirm that TomTom decryption is not included in UFED Physical Analyzer?

A: The decryption itself is not included in UFED Physical Analyzer. It requires offline processing using a large number of computers and processors. Instead, the TomTom data exported from UFED Physical Analyzer in XML format is forwarded to Cellebrite, which performs the decryption. The decrypted results are then returned to you for analysis in UFED Physical Analyzer via the TomTom import function. Please contact CAIS@cellebrite.com for more details and to submit your encrypted trip logs.

Q: WhatsApp recently announced that they have encrypted chat and voice chat, can UFED extract WhatsApp data after the WhatsApp upgrade?

A: In general, messages are encrypted while in transit; this does not affect the data at rest stored in the WhatsApp databases, which is what forensic extraction works on. Cellebrite will release a solution in the coming days to decrypt databases in the new WhatsApp encryption format, crypt9.

Q: When retrieving the BlackBerry encryption key using BlackBerry ID and password, how does this work?

A: Within UFED Physical Analyzer, you may retrieve the key associated with a BlackBerry ID using known credentials and decrypt the backup data from BlackBerry devices.

How to use: Open a file system extraction of a BlackBerry 10 device. During the decoding process a window is displayed: enter the BlackBerry ID credentials and select Get Backup key (retrieving the key requires an Internet connection to communicate with BlackBerry's servers).

You can save the key for future use by selecting Save. If an Internet connection is not available on the analysis machine, you can retrieve the key on any instance of Physical Analyzer that is connected to the Internet: go to Tools and select Retrieve BlackBerry 10 Backup Key.

Enter the BlackBerry ID credentials, select Get Backup key and click Save, then load the saved key on the UFED Physical Analyzer that is disconnected from the network to continue the decoding process.

Q: Are new Android devices encrypting the information in a unique fashion for each device?

A: The results of ongoing research both at Cellebrite and within the forensic community are exposing what sort of evidence can be extracted from these newer devices. The processors being integrated into Android, iOS, and BlackBerry devices are very powerful integrated circuits. Since there has been such a focus on security over the past few years, these chips contain dedicated cryptography functionality to perform background tasks without impacting the user experience, all the while making security easier to implement and stronger against attack.

Q: Do you plan to incorporate jailbreaking into the product?

A: At this point in time, we do not plan on incorporating older jailbreaking methods into the UFED. The best resource for finding viable jailbreaks is http://canijailbreak.com

Q: Are you recommending that we jailbreak all iPhones when possible in order to extract the maximum amount of data?

A: If your agency permits jailbreaking and the investigation warrants the additional effort to jailbreak the exhibit, then by all means, maximal effort should be expended to seek the truth and extract all evidence possible. You simply don't know what evidence you may be missing, whether inculpatory or exculpatory. Major cases, cold case homicides, missing persons, and other exigent circumstances may justify jailbreaking, but always seek permission from stakeholders and test the method on a matching sample device.

Q: In iOS, how did you get emails using Methods 1 and 2 on an iPhone 5S?

A: The test case from the webinar was an iPhone5,2 (model A1429), which is an iPhone 5, not an iPhone 5S. Performing a jailbreak enables a Method 3 extraction to pull protected emails from the file system. The emails pulled using Methods 1 and 2 were web-based emails that were not protected by the file system's data protection.

Q: In your experience what is the success rate for jailbreaking phones?

A: From our research, the jailbreak will either work or not work, depending on a number of factors, including whether the user previously upgraded the iOS firmware over the air (OTA). The various jailbreaking teams work hard to prevent adverse effects, but since a "first-to-finish" race applies to each iOS version, not much effort goes into the corner cases that matter for forensics; the typical consumer does not care if the device has to be reset before the jailbreak.

Q: Has Cellebrite been able to bypass the iOS pin on iPhones?

A: Cellebrite offers unlocking services through Cellebrite Advanced Investigative Services (CAIS). The current offering covers iOS 8 running on the iPhone 4S, 5, and 5c, as well as the associated iPad and iPod touch models. The service helps investigators in important cases for which traditional mobile forensic tools have no support. Our research team continues to work on newer models and on devices running iOS 9. Please contact CAIS@cellebrite.com for more details.

Q: Does Cellebrite plan on including Android custom recovery partition flashing in the UFED?

A: The upcoming UFED release will add custom recovery for the Samsung Galaxy S6, S6 Edge, and Note 5, allowing physical extraction while bypassing the lock on models without locked boot loaders, such as global models and those offered by Sprint, T-Mobile, and US Cellular. Cellebrite's UFED replaces the device's original recovery partition with Cellebrite's custom forensic recovery partition, based on Team Win Recovery Project (TWRP). Cellebrite's recovery image does not affect any user data. It is recommended to use the Forensic Recovery Partition method when other physical extraction methods (e.g. bootloader) are not successful or not available (i.e. if the device's Android firmware version is not supported). For other carriers, including AT&T, Cricket, and Verizon, please contact CAIS@cellebrite.com for more details.

Q: Couldn’t a backup of the device give you the ability to go back to the starting point if custom recovery fails?

A: Unfortunately, it is not possible to back up the device when a user lock code is set and Android Debug Bridge (ADB) is disabled. Cellebrite's fully tested custom forensic recovery partition methods should not fail or cause adverse effects (e.g. a boot loop).

Q: Do you know if Windows 10 phones are encrypted at the chip level?

A: Research into less popular handsets can be performed if sufficient demand comes from our customers. Some earlier Lumia models running Windows Phone 8/8.1 can be analyzed with our bootloader-based physical extraction, while other models can be supported with JTAG, chip-off, or In-System Programming (ISP). We always welcome feedback via Technical Support on mobile devices that you frequently encounter and we do not yet support. Often, minimal effort from our researchers is needed to add them to UFED device coverage, helping you solve more crimes.

Q: How does Android APK Downgrade work within UFED, and are there any risks to this method?

A: UFED downgrades an app on the device itself over Android Debug Bridge by pushing an older APK package to it; the older version of the app can then read the data that the newer version kept inaccessible. Within UFED 4PC/Touch, connect to the device and downgrade the app to an earlier version to extract the app database. There are risks to this method because it makes changes to the device, so it is advised as a last resort. If you know that a suspect used a particular application and extraction of all the other databases on the device produced no useful evidence, this method is recommended. For example, if you believe that communication took place via WhatsApp, it is important to squeeze out every last bit of evidence from the device.

Click here to start your free trial for UFED Physical Analyzer.

View the full webinar below:

GPS Forensics and Link Analysis in Cellebrite’s August Webinars


LATAM customers! Did you know that Cellebrite’s exclusive capability to perform TomTom triplog files decryption and decoding can help you add vital evidentiary data to your investigation?

Join us for the upcoming webinars on GPS Forensics and TomTom Trip-Log Decryption, which will be hosted by our forensics solutions experts in Spanish and Portuguese, and will include a Q&A session.

GPS Forensics and TomTom Trip-Log Decryption (en español)

Speaker: Carlos Silva

Date: August 06, 2014 11:00 BRT (UTC-3:00)

Register here for the webinar on GPS Forensics and TomTom Trip-Log Decryption in Spanish!

GPS Forensics and TomTom Trip-Log Decryption (em Português)

Speaker: Frederico Bonincontro

Date: August 15, 2014 11:00 BRT (UTC-3:00)

Register here for the webinar on GPS Forensics and TomTom Trip-Log Decryption in Portuguese!

Link Analysis: Identify connections between suspects, victims, and others in less time

Did you miss our previous webinar on the UFED Link Analysis? Cellebrite will be hosting an additional live English-language webinar this month.

Speaker: Shahaf Rozanski

Date: August 20, 2014, two sessions: 06:00 UTC and 15:30 UTC

Learn how field investigators use UFED Link Analysis to rapidly visualize key relationships between entities and identify the connections and communication methods between multiple mobile devices. Join Cellebrite’s Forensics Senior Product Manager, Shahaf Rozanski, as he presents real world use case scenarios from a wide range of crime categories. The webinar will include a Q&A session.

Register here for the webinar on UFED Link Analysis!

Would you like to receive a webinar on our forensics solutions in your language? Leave us a comment and we’ll arrange it for you!

To view a past webinar, please visit the Webinars section on our website:  http://www.cellebrite.com/corporate/webinars