Archives For Mobile Devices

Ouch! Security Awareness

The December 2013 issue of OUCH! is out, and I am pleased to be this month’s guest editor.  The SANS Securing the Human team is impressive and it is always a pleasure to work with professionals with such diverse security backgrounds.  If you aren’t familiar with OUCH!, it is a free Creative Commons resource intended to supplement user awareness training.  OUCH! is translated into over 20 languages by a team of incredible volunteers.  Pass it along to any loved ones getting a tablet computer this holiday season!

Application Specific Geo-location

Web applications can often leave their own geo-location clues similar to those found via the mapping services.  While mapping artifacts are largely consistent, geo-artifacts created by applications are more haphazard.  Thus the number of available artifacts can be as numerous as the applications using geo-location services.  To illustrate this, we will analyze the artifacts left by two popular location-aware applications: Flickr and Twitter.

Mobile Flickr Geo-artifacts

Flickr Location


Understanding Browser Artifacts

Geo-location artifacts demonstrate an interesting concept with regard to browser-based evidence. Among the various browser artifacts, Internet history is a fan favorite because it provides such rich information. There is no easier place to look to identify sites visited by a specific user at a specific time. Browser history is so useful that a critical shortcoming is often ignored: with today’s dynamic web pages, a vast number of web page requests go unrecorded. When a user visits a website, a multitude of requests are completed in the background to retrieve images and advertisements, populate web analytics, and load content from third parties. The content retrieved from these requests is stored within the cache, and an entry within the cache database is created. While the browser history database may only show the page visited, the cache holds most of the components retrieved to dynamically build that page.

Most browser-based geo-location artifacts are not stored within the browser history. Looking back at the HTML5 standard, this makes perfect sense. The fact that the API is JavaScript-dependent is the first clue. Also, the multiple steps and asynchronous nature of a geographical lookup indicate that a lot is going on behind the scenes when that initial web page is accessed. Luckily, data collected from the host must be passed to a geo-location service, and those interactions are often recorded within the browser cache. When content is cached, the URLs associated with the web request are also stored. It is within these requests that we can mine geo-location parameters and coordinates passed to third parties such as Google Maps.
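As an added illustration (not code from the original post), the sketch below mines a list of cached request URLs for coordinate-bearing query parameters and discards values that cannot be a valid latitude/longitude. The parameter names, hosts and sample URLs are assumptions constructed for the example; real cache exports will need their own parameter list.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed parameter names; extend the sets for the applications under examination.
PAIR_KEYS = {"ll", "sll", "center", "q", "latlng"}   # "lat,lon" in one value
LAT_KEYS = {"lat", "latitude"}
LON_KEYS = {"lon", "lng", "long", "longitude"}
PAIR_RE = re.compile(r"^\s*(-?\d{1,2}(?:\.\d+)?)\s*,\s*(-?\d{1,3}(?:\.\d+)?)\s*$")

def _valid(lat, lon):
    return -90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0

def extract_coords(url):
    """Return [(host, param, lat, lon), ...] recovered from one cached URL."""
    parts = urlsplit(url)
    hits, lat, lon = [], None, None
    for key, value in parse_qsl(parts.query):   # values arrive percent-decoded
        k = key.lower()
        pair = PAIR_RE.match(value)
        if k in PAIR_KEYS and pair:
            la, lo = float(pair.group(1)), float(pair.group(2))
            if _valid(la, lo):
                hits.append((parts.hostname, k, la, lo))
        elif k in LAT_KEYS or k in LON_KEYS:
            try:
                num = float(value)
            except ValueError:
                continue  # non-numeric value, not a coordinate
            if k in LAT_KEYS:
                lat = num
            else:
                lon = num
    if lat is not None and lon is not None and _valid(lat, lon):
        hits.append((parts.hostname, "lat/lon", lat, lon))
    return hits

# Constructed sample of URLs as they might be exported from a cache database.
SAMPLE_CACHE_URLS = [
    "https://maps.example.com/maps?ll=38.8977%2C-77.0365&z=15",
    "https://api.example.net/photos/nearby?lat=51.5007&lon=-0.1246&radius=2",
    "https://cdn.example.org/img/logo.png?v=1.2,3.4",        # version string, not a fix
    "https://maps.example.com/staticmap?center=95.0,50.0",   # latitude out of range
]

def scan(urls):
    return [hit for url in urls for hit in extract_coords(url)]

if __name__ == "__main__":
    for host, param, lat, lon in scan(SAMPLE_CACHE_URLS):
        print(f"{host}\t{param}\t{lat:.4f}\t{lon:.4f}")
```

Pairing each hit with the cache entry's own timestamps, where the cache format records them, places the coordinates in time as well as space.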


Geo-location artifacts have been a frequent focus of my research, and I am amazed at how quickly they are permeating operating systems, applications and file formats.  In the fall of 2011 I had the pleasure of writing an article for Digital Forensics Magazine focused on browser-based geo artifacts, where much of this post was originally published.

One of the more revolutionary forensic artifacts to emerge in recent years is geo-location data. Geo-location gives us an accurate means to identify the physical location of an item on Earth. It is now possible to determine where in the world a laptop or mobile phone has been, solely using host-based forensics. In a world of increasingly mobile devices, geo-artifacts can provide a crucial extra dimension to our investigations. With them, we now have the potential to answer who, what, when, why, and where.


“The Windows Mobile operating system is clearly sending information that can lead to accurate location information of the mobile device regardless of whether the user allowed it” 

– Samy Kamkar   http://cnet.co/qail1o

Windows Mobile Geolocation Collection