<h2>Waze Forensics: A Digital Forensic Capstone Research Project</h2>
<h2>Final Update and Conclusions (posted 2014-04-16)</h2>
<div class="MsoNormal" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;">
</div>
<br />
<h2>
<span style="line-height: 107%;"><span style="font-family: Times, Times New Roman, serif; font-size: small;">Conclusions and Results</span></span></h2>
<div class="MsoNormal">
<span style="font-family: Times, Times New Roman, serif;"><span style="line-height: 107%;">Over the
last four months, analyzing Waze has had its successes and failures. By the time the analysis
ended I had successfully discovered relevant artifacts such as direct
messages, GPS coordinates, text messages, and user preference files. However, it was determined that the majority
of relevant artifacts are located on a remote Waze server. This was discovered
during the memory analysis: there were numerous HTTP calls to a Waze server proxy
protocol buffer and also generic function processes. Ultimately, my goal is for my complete paper to be publicly available soon to serve as an investigator's guide to Waze.</span></span></div>
<div class="MsoNormal">
<span style="line-height: 107%;"><span style="font-family: Times, Times New Roman, serif;"><br /></span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="line-height: 107%;"><span style="font-family: Times, Times New Roman, serif;"> <table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5bI2WJVVyr2OM996MxNGaYsDCZaRVm5WiQHoOAOqTYy-Jcbz3TmsvBHmzap-_bkJbkDj0oFubAvc5KYgPgdKQRowzoxB2JJj_FIo9whSdLYRDNQvD2gKX_pEZjUBC9_bfs1tzo2DDmMW1/s1600/2014-04-16_20-14-01.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5bI2WJVVyr2OM996MxNGaYsDCZaRVm5WiQHoOAOqTYy-Jcbz3TmsvBHmzap-_bkJbkDj0oFubAvc5KYgPgdKQRowzoxB2JJj_FIo9whSdLYRDNQvD2gKX_pEZjUBC9_bfs1tzo2DDmMW1/s1600/2014-04-16_20-14-01.png" height="203" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Evidence of Artifacts on Server</td></tr>
</tbody></table>
</span></span></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="line-height: 107%;"><span style="font-family: Times, Times New Roman, serif;"><br /></span></span></div>
<h2>
<span style="line-height: 107%;"><span style="font-family: Times, Times New Roman, serif; font-size: small;">Forensic
Relevance and Future Implications</span></span></h2>
<div class="MsoNormal">
<span style="line-height: 107%;"><span style="font-family: Times, Times New Roman, serif;">Waze
continues to add users every day, recently surpassing 20 million users
worldwide. With a growing number of users switching to applications that
provide social media functionality, Waze will continue to gain popularity in
the mobile application markets. Recently Waze also announced an update to their
application that only emphasizes the importance of this research.</span></span></div>
<div class="MsoNormal">
<span style="line-height: 107%;"><span style="font-family: Times, Times New Roman, serif;">Waze announced that it had purchased a
dating application known as Single Spotter, and that it intends to let users set up their
profile in a way that allows them to view other singles in the area. Note that this announcement was published on 1 April 2014 as an April Fools' joke, so no dating artifacts should be expected on a device.</span></span></div>
<div class="MsoNormal">
<span style="line-height: 107%;"><span style="font-family: Times, Times New Roman, serif;"><br /></span></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://www.promodo.com/blog/wp-content/uploads/2014/04/Waze-buys-Single-Spotter.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="font-family: Times, Times New Roman, serif;"><img border="0" height="160" src="http://www.promodo.com/blog/wp-content/uploads/2014/04/Waze-buys-Single-Spotter.png" width="640" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: Times, Times New Roman, serif; font-size: small;">WazeDates</span></td></tr>
</tbody></table>
<div class="MsoNormal">
<span style="font-family: Times, Times New Roman, serif;"><span style="line-height: 107%;">The user can
then begin messaging singles in their area and even drive to them if that
option is enabled. Such in-app functionality would raise Waze’s popularity further and
create more digital forensic artifacts of the kind examined in this project: messages tied to locations and routes.</span></span></div>
<h2>Progress Update and Log File Analysis (posted 2014-03-12)</h2>
<h2>
<span style="font-family: inherit; font-size: small;">Brief Update</span></h2>
<div>
<div class="MsoNormal">
<span style="font-family: inherit;">This blog post will consist of general updates to the progress
of my project as well as some interesting artifacts I found in one particular log
file. <o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: inherit;">Over the last six weeks my project has evolved and changed significantly.
Because I ran into some large roadblocks along the way in discovering relevant data, I had to change my course of action to uncover data that just was not where
I was expecting it to be.</span></div>
<div class="MsoNormal">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: inherit;"><o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: inherit;">My project has branched out into three main categories of analysis
and examination. The categories are the following:<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormal">
</div>
<ul>
<li><span style="font-family: inherit;">Android memory analysis using LiME and Volatility</span></li>
<li><span style="font-family: inherit;">Python scripting to parse through a log file to pull GPS
coordinates</span></li>
<li><span style="font-family: inherit;">Physical image analysis of rooted Android device using
Oxygen Forensic Suite.</span></li>
</ul>
<span style="font-family: inherit;"><o:p></o:p></span><br />
<div class="MsoNormal">
<span style="font-family: inherit;"><o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: inherit;"><o:p></o:p></span></div>
<div class="MsoNormal">
<span style="font-family: inherit;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: inherit;">Perhaps the biggest problem I ran into during this project
is that direct, private messages sent from one Waze user to another were not
located in any file or folder, even after rooting the device and subsequently
gaining access to folders such as /data/data. Ultimately, I had to acquire Android
memory, which took some time as I had to learn exactly how loadable kernel modules operate. I am
still analyzing the output of the RAM dump with Volatility, but a quick look at
it with a hex editor showed that the direct messages do in fact exist within
memory. *Note: these are test messages; they do not reflect actual crimes being committed.</span></div>
<div class="MsoNormal">
<span style="font-family: inherit;"><br /></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGnnIMgACiHVX9_meutZzALjMzQ5S7FG5YKWLHnzI2p2CVkDFayFB1Kj9uBj3NazTEAj9QDeFaFBorG41kVtD5wy92ejO2cN9axdi4R17IaYQHVrJL8CfftJ_Py1jcr_EoSuQGPpucqBXp/s1600/adb_list+devices.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGnnIMgACiHVX9_meutZzALjMzQ5S7FG5YKWLHnzI2p2CVkDFayFB1Kj9uBj3NazTEAj9QDeFaFBorG41kVtD5wy92ejO2cN9axdi4R17IaYQHVrJL8CfftJ_Py1jcr_EoSuQGPpucqBXp/s1600/adb_list+devices.PNG" height="122" width="640" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: inherit; font-size: small;">Waze Direct Messages from Memory Dump</span></td></tr>
</tbody></table>
<h2>
<span style="font-family: inherit; font-size: small;">Log File Analysis</span></h2>
</div>
<div>
<div class="MsoNormal">
<span style="font-family: inherit; line-height: 107%;">One of the most
crucial files located during analysis of this application is the file named
waze_log.txt, found at <i>/sdcard/waze/waze_log.txt</i>. This file logs a large amount of data, ranging from errors
to voice commands to general processes of the Waze app. The reason this file is so
essential, however, is that it also logs the GPS coordinates of all routes driven using
the Waze application. The file is broken up into sessions: every time
the app is opened and then either closed or left, the file logs a new “session”.
An example of this is shown below.</span></div>
<div class="MsoNormal">
<span style="line-height: 107%;"><i><span style="font-family: inherit;"><br /></span></i></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwHQrrXqd_52YyFkqyXDXPw6QJUZ34PQPf3LhXdutNPsFhh50ujJbrxDcxj_0rbxwSRNq9eREcB4m55E01PTNcWYDV0FH8vqdUAoXpnui_V2XNBGeBXLC-hh0eeVAuZbXWmwn92MEx6uCr/s1600/1.png" height="140" style="margin-left: auto; margin-right: auto;" width="640" /></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;">Session Logged</span></td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<span style="clear: left; float: left; font-family: inherit; margin-bottom: 1em; margin-right: 1em;"><span style="font-family: inherit;"></span></span></div>
<div class="MsoNormal">
<span style="line-height: 17.1200008392334px;">As seen in the image above, this file logs a time stamp for every event it records.</span></div>
<div class="MsoNormal">
<span style="line-height: 107%;"><span style="font-family: inherit;"><br /></span></span></div>
<h4>
<span style="line-height: 17.1200008392334px;">Routing Requests </span></h4>
<div class="MsoNormal">
</div>
<div class="MsoNormal">
<span style="line-height: 107%;"><span style="font-family: inherit;">The waze_log.txt
file saves the GPS coordinates of drives via what is called a RoutingRequest. Much
like the creation of a new session, every time a user searches for a new
address to drive to, or even taps a saved favorite or previously searched
address, the file logs a RoutingRequest. The Routing ID, which is part
of the RoutingRequest, is a unique 10-digit number that is incremented
sequentially by one every time a new request is initiated.</span></span></div>
<div class="MsoNormal">
<span style="line-height: 107%;"><span style="font-family: inherit;"><br /></span></span></div>
<div class="MsoNormal">
<span style="line-height: 107%;"><span style="font-family: inherit;">An important note that came up a few times
throughout this research is that even if the device running Waze loses its connection
during a drive, the same routing request is used once the connection is re-established,
until the drive reaches its destination or is cancelled. After the initial RoutingRequest is issued,
the file also logs the location of the user in two places. Below is an example
of a RoutingRequest as well as the log line listing the location of the user.</span></span></div>
<div class="MsoNormal">
<span style="line-height: 107%;"><span style="font-family: inherit;"><br /></span></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2HjlxIyUjwtED4LjeD80PnbLPmfWUF0lcvzld3A0CJJmLT3tu2NgPiK4Kdx8N_od7NyBno_N4Mk3QGFBpR-kSN3ROxLLx3XbzFy0x8-iHwZv56WEAorEgckEi8ggX-MNrBVlYZLx_Gvuy/s1600/2.png" height="34" style="margin-left: auto; margin-right: auto;" width="640" /></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;">Unique Routing ID</span></td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
</div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLPTfnM80Rd-9wlNcbcjHCiVGPSvSJDEdkNM82xyVggIUGAHhnhaNT3ENPXKnsbaLGuFS2LNOzaJ-muQVMGa5fB08fE4WKQAba-hiv90_qlGFMEdwYp2A0DYN2CGVk9euh-m4KX4P0cWJx/s1600/Capt32ure.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLPTfnM80Rd-9wlNcbcjHCiVGPSvSJDEdkNM82xyVggIUGAHhnhaNT3ENPXKnsbaLGuFS2LNOzaJ-muQVMGa5fB08fE4WKQAba-hiv90_qlGFMEdwYp2A0DYN2CGVk9euh-m4KX4P0cWJx/s1600/Capt32ure.PNG" height="58" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;">Logging Devices Current Location</span></td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: inherit; line-height: 107%;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: inherit; line-height: 107%;">Below this line
in the log file is the RoutingRequest, which contains numerous GPS coordinates:
both the current location of the device and the destination of the drive. Also on this line is the unique routing
ID seen in the Routing ID screenshot above. The street name is
also listed; however, not every RoutingRequest line lists the street the
device is currently on.</span></div>
<br />
<div class="MsoNormal">
<span style="line-height: 107%;"><i><span style="font-family: inherit;"><br /></span></i></span></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuftsSFh0Q-jdkiZkTSit6EYEp5DTmmcbyUtV5EWi4hOKOpeojMw_6Tu37P51Fg08ktWZloTpYWefPP88S7O8P96k9G-ciBsmAMU198O-oE2mwTRDtjNInFdGsOi8j0RNWb8rdMEAwnAX_/s1600/Capture1.PNG" height="120" style="margin-left: auto; margin-right: auto;" width="640" /></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;">RoutingRequest logging current and destination GPS coordinates</span></td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<span style="clear: left; float: left; font-family: inherit; margin-bottom: 1em; margin-right: 1em;"><span style="font-family: inherit;"></span></span></div>
<div class="MsoNormal">
<span style="line-height: 107%;"><i><span style="font-family: inherit;"><br /></span></i></span></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="text-align: left;">
</div>
<div class="MsoNormal">
<span style="font-family: inherit;"><span style="line-height: 107%;">The unfortunate
part of this log file is that the line containing the RoutingRequest and its
GPS coordinates has no logged time. However, the nearest lines above and
below it carry time stamps, typically only a couple of seconds apart. The screenshot below gives an example of the
logged times above and below a RoutingRequest. It is important to note that every
RoutingRequest logged in this file has a time stamp above and below it.</span></span></div>
<div class="MsoNormal">
<span style="line-height: 107%;"><span style="font-family: inherit;"><br /></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9OZ7IZVmZe7s60SjblKNep8quIfpVTCa2T1wdcW54qQFmnPcMMEl8yBsNSK_qe36V1DAVODyy61WwOjxzRmSDI79bqsjNAdz7D3MwVZxtoaZXOfWge4ctC-d0KBgIj9YRae_Wy8t2E2lT/s1600/5.png" height="100" style="margin-left: auto; margin-right: auto;" width="640" /></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small;">Relevant time stamps in waze_log.txt</span></td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9OZ7IZVmZe7s60SjblKNep8quIfpVTCa2T1wdcW54qQFmnPcMMEl8yBsNSK_qe36V1DAVODyy61WwOjxzRmSDI79bqsjNAdz7D3MwVZxtoaZXOfWge4ctC-d0KBgIj9YRae_Wy8t2E2lT/s1600/5.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="font-family: inherit;"></span></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: inherit;">The time stamps seen above are only about 2.3 seconds apart,
giving the examiner a relatively accurate picture of when
the device logged the coordinates. Because the RoutingRequest line itself is untimestamped, the defensible way to report that time is as the interval between the two bracketing time stamps rather than as a single point in time.</span></div>
<div class="MsoNormal">
<span style="font-family: inherit;"><br /></span></div>
<h2>
Automating the process</h2>
<div>
I am currently working on a Python script that will pull out all of the above information and put it in an easily navigable folder structure. The following screenshot shows the file structure I intend the script to produce. </div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiL5TBOqkQC6D3PCRxtLHJkAJ_02rAOc0AkbWrnI58C-qTAQ5-3yKqIVs0kkyWMZHDwsAmqjimlvpWxQPmRbG-jj2zGwiUGHMYHfe9cP8ZlNaoa-w-WjOO0qdWe0sFvivOnZ-QzEQTFPw9-/s1600/Capturerew.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiL5TBOqkQC6D3PCRxtLHJkAJ_02rAOc0AkbWrnI58C-qTAQ5-3yKqIVs0kkyWMZHDwsAmqjimlvpWxQPmRbG-jj2zGwiUGHMYHfe9cP8ZlNaoa-w-WjOO0qdWe0sFvivOnZ-QzEQTFPw9-/s1600/Capturerew.PNG" height="128" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Script Output File Structure</td></tr>
</tbody></table>
<div>
<span style="font-family: inherit;">The directory is set up with the following folders:</span></div>
<div>
<ul>
<li>WazeOutput, created when the script is run</li>
<ul>
<li>One folder per session, named by the date and time of that logon session</li>
<ul>
<li>One folder per drive, named by its unique Routing ID</li>
<ul>
<li>An xls file that contains all the mapped coordinates for that drive</li>
</ul>
</ul>
</ul>
</ul>
</div>
<div class="MsoNormal">
<span style="line-height: 17.1200008392334px;">My ultimate goal is also to take each of the GPS coordinates and resolve them to street names using a Google Maps API key, so that the street names can be exported to the Excel file as well. Note that reverse geocoding sends the evidence coordinates to a third-party service, which should be considered before running it against case data.</span></div>
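<div class="MsoNormal">
<span style="font-family: inherit;">The following Python parser is an added example, not the author's script and not code from Waze. It implements the structure described in this post (sessions, one RoutingRequest per drive identified by a 10-digit Routing ID, the two timestamped lines that bracket the untimestamped RoutingRequest line, and the WazeOutput/session/RoutingID folder layout) over a constructed log excerpt. Because the real waze_log.txt lines are only shown here in screenshots, the line layout and every regular expression below are assumptions that would have to be adjusted to the real file. It writes CSV rather than xls so that it needs only the standard library, and it merges a Routing ID that is re-issued after a connectivity loss into a single drive record, as the post says Waze does.</span></div>

```python
# Added example (not the author's script, not Waze code). Parses a
# waze_log.txt-style file into sessions -> Routing ID -> GPS coordinates and
# brackets each (untimestamped) RoutingRequest line with the timestamps around
# it. The line layout is CONSTRUCTED from the post's description; the real file
# is only shown in screenshots, so every regex here is an assumption.
import csv
import io
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample: two sessions; in the second the device loses connectivity
# and, as the post describes, re-issues the SAME Routing ID when it reconnects.
SAMPLE_LOG = """\
2014-03-12 21:58:03.118 INFO Session started (app opened)
2014-03-12 21:58:03.420 INFO GPS fix lat=42.360100 lon=-71.058900
RoutingRequest id=1000000457 from=42.360100,-71.058900 to=42.373600,-71.109700 street="Main St"
2014-03-12 21:58:05.731 INFO Route received, 12 segments
2014-03-12 22:10:44.002 INFO Session started (app opened)
2014-03-12 22:10:44.377 INFO GPS fix lat=42.355000 lon=-71.065000
RoutingRequest id=1000000458 from=42.355000,-71.065000 to=42.340000,-71.090000
2014-03-12 22:10:46.010 INFO Route received, 9 segments
2014-03-12 22:14:30.900 INFO Network restored
RoutingRequest id=1000000458 from=42.349000,-71.074000 to=42.340000,-71.090000 street="Elm St"
2014-03-12 22:14:31.250 INFO Route received, 6 segments
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\b")
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"
ROUTING_ID_RE = re.compile(r"\b(\d{10})\b")  # post: unique 10-digit Routing ID
COORD_RE = re.compile(r"(-?\d{1,3}\.\d+)\s*,\s*(-?\d{1,3}\.\d+)")  # lat,lon pairs
STREET_RE = re.compile(r'street="([^"]*)"')


@dataclass
class RoutingRequest:
    routing_id: str
    coords: List[Tuple[float, float]] = field(default_factory=list)
    streets: List[str] = field(default_factory=list)
    time_before: Optional[datetime] = None  # nearest timestamped line above
    time_after: Optional[datetime] = None   # nearest timestamped line below

    def window_seconds(self) -> Optional[float]:
        # Width of the interval an examiner can defensibly assign to the request.
        if self.time_before is None or self.time_after is None:
            return None
        return (self.time_after - self.time_before).total_seconds()


@dataclass
class Session:
    started: datetime
    requests: Dict[str, RoutingRequest] = field(default_factory=dict)


def parse_waze_log(text: str) -> List[Session]:
    lines = text.splitlines()
    stamps = [datetime.strptime(m.group(1), TS_FMT) if (m := TS_RE.match(l)) else None
              for l in lines]
    sessions: List[Session] = []
    for i, line in enumerate(lines):
        if stamps[i] is not None and "Session started" in line:
            sessions.append(Session(started=stamps[i]))
            continue
        if "RoutingRequest" not in line:
            continue
        if not sessions:  # request before any session marker: keep it, start unknown
            sessions.append(Session(started=datetime.min))
        rid_match = ROUTING_ID_RE.search(line)
        if rid_match is None:
            continue
        rid = rid_match.group(1)
        # A re-issued id (reconnect mid-drive) extends the existing drive record.
        req = sessions[-1].requests.setdefault(rid, RoutingRequest(rid))
        req.coords.extend((float(a), float(b)) for a, b in COORD_RE.findall(line))
        if (street := STREET_RE.search(line)):
            req.streets.append(street.group(1))
        if req.time_before is None:  # bracket the first occurrence of the id only
            req.time_before = next((stamps[j] for j in range(i - 1, -1, -1) if stamps[j]), None)
            req.time_after = next((stamps[j] for j in range(i + 1, len(lines)) if stamps[j]), None)
    return sessions


def build_output_tree(sessions: List[Session], root: str = "WazeOutput") -> Dict[str, str]:
    """Mirror the post's layout root/<session time>/<Routing ID>/coordinates.csv as
    {relative path: csv text}. CSV instead of xls keeps this standard-library only."""
    tree: Dict[str, str] = {}
    for sess in sessions:
        sdir = ("unknown-session" if sess.started == datetime.min
                else sess.started.strftime("%Y-%m-%d_%H-%M-%S"))
        for rid, req in sess.requests.items():
            buf = io.StringIO()
            w = csv.writer(buf)
            w.writerow(["routing_id", "lat", "lon", "time_before", "time_after", "window_s", "streets"])
            win = req.window_seconds()
            for lat, lon in req.coords:
                w.writerow([rid, f"{lat:.6f}", f"{lon:.6f}",
                            req.time_before.isoformat() if req.time_before else "",
                            req.time_after.isoformat() if req.time_after else "",
                            "" if win is None else f"{win:.3f}", ";".join(req.streets)])
            tree[f"{root}/{sdir}/{rid}/coordinates.csv"] = buf.getvalue()
    return tree


if __name__ == "__main__":
    for path, content in build_output_tree(parse_waze_log(SAMPLE_LOG)).items():
        print(path)
        print(content, end="")
```

<div class="MsoNormal">
<span style="font-family: inherit;">Running the script on the constructed sample yields two session folders, each with one Routing ID folder; the second drive's record holds four coordinates because the re-issued RoutingRequest after the reconnect is folded into the same drive. The window_s column carries the gap between the bracketing time stamps (2.311 s for the first drive), which is the figure to quote rather than a single point time. To write the tree to disk, loop over the returned dictionary, create each directory and write the CSV text.</span></div>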
<div class="MsoNormal">
<span style="line-height: 17.1200008392334px;"><br /></span></div>
<h2>
<span style="line-height: 17.1200008392334px;">Next Steps </span></h2>
<div>
<span style="line-height: 17.1200008392334px;">The next phase of this project will consist of finishing the analysis of the memory dump using Volatility as well as finishing the Python script described above. I also hope to post a tutorial on how to configure and use LiME to acquire memory from an Android device, as there are not many tutorials out there geared toward non-developers. </span></div>
<div class="MsoNormal">
<br /></div>
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div>
<br /></div>
<h2>Project Introduction (posted 2014-01-22)</h2>
<h2>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: x-large;">
What Waze is</span></h2>
<div class="MsoNormal">
<span style="color: #444444; font-family: Arial, Helvetica, sans-serif;">At first glance, Waze, now owned by Google (isn’t
everything?), might look like a typical GPS application. From one perspective it
is: it offers your average garden-variety GPS features, from favorite locations to restaurants to
even the cheapest gas prices in the area. Dive a little deeper, however, and
you begin to see that Waze is much more. Waze is an entire community of
users, and it gives the user the ability
to communicate with other “Wazers” through a variety of methods such as direct
messages.</span><br />
<span style="color: #444444; font-family: Arial, Helvetica, sans-serif;"><br /></span>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-tGyNMKeCp9j-5k5Y4vbwO_kX0C4ibyD7MupnW8U1DL_k92sahvsLutY-kwMAfcF89stJ8O8FRoYSABiFCnx6h36bFRZxR7i5-Mn8HhuZeTeKr-nsHE3adc1VyutkreTfG2g9RQdg3suh/s1600/photo+(1).PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="Waze Forensic Map Chat Feature" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-tGyNMKeCp9j-5k5Y4vbwO_kX0C4ibyD7MupnW8U1DL_k92sahvsLutY-kwMAfcF89stJ8O8FRoYSABiFCnx6h36bFRZxR7i5-Mn8HhuZeTeKr-nsHE3adc1VyutkreTfG2g9RQdg3suh/s1600/photo+(1).PNG" style="margin-left: auto; margin-right: auto;" title="Waze Forensic Map Chat Feature" width="375" /></a><br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-tGyNMKeCp9j-5k5Y4vbwO_kX0C4ibyD7MupnW8U1DL_k92sahvsLutY-kwMAfcF89stJ8O8FRoYSABiFCnx6h36bFRZxR7i5-Mn8HhuZeTeKr-nsHE3adc1VyutkreTfG2g9RQdg3suh/s1600/photo+(1).PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="font-size: small;">Map Chat Feature </span></a></td></tr>
</tbody></table>
</div>
<div class="MsoNormal">
<div class="separator" style="clear: both; text-align: center;">
<span style="color: #444444; font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="color: #444444; font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: #444444; font-family: Arial, Helvetica, sans-serif;">Here is a list of some of the other features that are available on the Waze App.</span></div>
<span style="font-family: Arial, Helvetica, sans-serif;"></span><br />
<ul><span style="font-family: Arial, Helvetica, sans-serif;"><span style="color: #444444;">
<li>Native Group Forums</li>
<li>Pick Up (allows a user to text or email another Wazer their location to get “picked up”)</li>
<li>Save Parking Location (friends on Waze can see where you parked)</li>
<li>Link to Facebook, Twitter, and Foursquare.</li>
<li>Drive Sharing (watching other Waze Friends drive to a location)</li>
<li>Map Chat and direct messages </li>
<li>Picture Taking (Built in Camera) </li>
</span></span></ul>
<span style="color: #444444; font-family: Arial, Helvetica, sans-serif;">
</span></div>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="color: #444444;">As their motto goes, the goal of Waze is to outsmart traffic together. Users can post where they have seen accidents, slow roads, construction, or even where speed cameras and police are located.</span></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<h2>
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: x-large;">Waze and Forensics</span></span></h2>
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><o:p></o:p></span></div>
<div class="MsoNormal">
<div style="text-align: right;">
</div>
<span style="color: #444444; font-family: Arial, Helvetica, sans-serif;">So why is Waze forensically relevant? All these features, all this data. To an
average user, Waze is a great way to combine communication and navigation. But from
a forensic perspective it could be a potential goldmine of hidden, critical information.
This is where my capstone comes in. Is all this data retrievable? I certainly hope
so!</span></div>
<div class="MsoNormal">
<span style="color: #444444; font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="color: #444444; font-family: Arial, Helvetica, sans-serif;">The amount of data, and therefore the amount of analysis required
for this app, is extensive. To make this project feasible in the amount of
time I have, I decided to focus solely on data that I believe could impact a
digital forensic investigation. I have broken up the potential artifacts into five main categories:</span></div>
<div class="MsoNormal">
</div>
<ul>
<li><span style="color: #444444; font-family: Arial, Helvetica, sans-serif; text-indent: -0.25in;">Artifacts relating to the GPS functionality.</span></li>
<li><span style="color: #444444; font-family: Arial, Helvetica, sans-serif; text-indent: -0.25in;">Artifacts relating to unique Waze features found
on the device</span></li>
<li><span style="color: #444444; font-family: Arial, Helvetica, sans-serif; text-indent: -0.25in;">Web Browser History (my Waze profile online)</span></li>
<li><span style="color: #444444; font-family: Arial, Helvetica, sans-serif; text-indent: -0.25in;">Social Media data (Waze links to Facebook, Twitter and
Foursquare)</span></li>
<li><span style="color: #444444; font-family: Arial, Helvetica, sans-serif; text-indent: -0.25in;">SMS and Email Artifacts relating to Waze.</span></li>
</ul>
<div style="text-indent: -24px;">
<span style="color: #444444; font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5X6hbBl6epTBVWbeonLZYA8-a7HzfpsbjdsVtI89hIq8ITOkI279QW-Q5W7PZk4wBAVnh7_ZqPaS9ggsqTyubLXja3bF-Qx7rtnOHR7ulriTv1z3Ba1jUkcFw_KwxKSSRiVyw6JBEVOlH/s1600/photo+(3).png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="waze forensics" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5X6hbBl6epTBVWbeonLZYA8-a7HzfpsbjdsVtI89hIq8ITOkI279QW-Q5W7PZk4wBAVnh7_ZqPaS9ggsqTyubLXja3bF-Qx7rtnOHR7ulriTv1z3Ba1jUkcFw_KwxKSSRiVyw6JBEVOlH/s1600/photo+(3).png" height="377" style="border: 7px solid grey;" title="Direct Message Feature" width="400" /></a><br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5X6hbBl6epTBVWbeonLZYA8-a7HzfpsbjdsVtI89hIq8ITOkI279QW-Q5W7PZk4wBAVnh7_ZqPaS9ggsqTyubLXja3bF-Qx7rtnOHR7ulriTv1z3Ba1jUkcFw_KwxKSSRiVyw6JBEVOlH/s1600/photo+(3).png" imageanchor="1" style="margin-left: auto; margin-right: auto;">Direct Message Feature</a></td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<span style="color: #444444; font-family: Arial, Helvetica, sans-serif;">To accomplish this I will be generating data using a mobile
phone. The mobile phone I have selected is the <a href="http://www.boostmobile.com/shop/phones/lg-optimus-f7/" style="font-size: 11pt; line-height: 107%;">Android LG Optimus
F7</a> running Jelly Bean (Android 4.1), which was
bought specifically for this project and will only be used for generating Waze
evidence.</span><br />
<br />
<div class="MsoNormal">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<h3>
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: large;">Questions to be answered</span></span></h3>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="color: #444444;">This project will be focused around a few main questions.</span></span></div>
<div class="MsoListParagraphCxSpFirst">
</div>
<ul>
<li><span style="color: #444444; font-family: Arial, Helvetica, sans-serif;">Can I forensically uncover any data?</span></li>
<li><span style="color: #444444; font-family: Arial, Helvetica, sans-serif;">Is there any recoverable deleted data?</span></li>
<li><span style="color: #444444; font-family: Arial, Helvetica, sans-serif;">Can I create a timeline of events based on
GPS coordinates or timestamps?</span></li>
<li><span style="color: #444444; font-family: Arial, Helvetica, sans-serif;">Is there any data stored in memory? (Live
routes or shared drives?)</span></li>
</ul>
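<div class="MsoNormal">
<span style="color: #444444; font-family: Arial, Helvetica, sans-serif;">The third question, building a timeline from GPS coordinates and timestamps, is the one most easily sketched in code. The block below is an added example written for this page; it is not code from the Waze project or from the original post, and it makes no claim about how Waze actually stores its data. The record layout (Unix epoch seconds, decimal latitude/longitude, and a label naming the artifact the record came from) is an assumption, the sample fixes are constructed, and the 70 m/s (roughly 250 km/h) plausibility threshold is an arbitrary choice. What it shows beyond the question itself is the sanity check a practitioner wants when merging records from several artifacts: sort by time, normalise timestamps to UTC, and flag consecutive fixes whose implied speed is physically impossible or whose timestamps collide, since those are exactly the rows that point at clock skew, corrupt records, or data from a different device.</span></div>

```python
"""Timeline construction from location records, with plausibility checks.

Added example for the Waze Forensics blog; the record format and the
sample data below are constructed assumptions, not recovered artifacts.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_M = 6_371_000.0


@dataclass(frozen=True)
class Fix:
    ts: int        # Unix epoch seconds (assumed encoding)
    lat: float     # decimal degrees
    lon: float     # decimal degrees
    source: str    # artifact the record was recovered from (e.g. "gps", "sms")


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS-84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


def build_timeline(fixes, max_speed_mps=70.0):
    """Sort fixes by time, express timestamps in UTC, and annotate each row
    with the distance and implied speed from the previous fix.

    Rows are flagged when two records share a timestamp (cannot order them)
    or when the implied speed exceeds max_speed_mps (clock skew, corrupt
    record, or a record that does not belong to this device).
    """
    ordered = sorted(fixes, key=lambda f: f.ts)  # stable: ties keep input order
    rows, prev = [], None
    for f in ordered:
        row = {
            "time_utc": datetime.fromtimestamp(f.ts, tz=timezone.utc).isoformat(),
            "lat": f.lat, "lon": f.lon, "source": f.source,
            "dist_m": 0.0, "speed_mps": 0.0, "flag": "",
        }
        if prev is not None:
            dist = haversine_m(prev.lat, prev.lon, f.lat, f.lon)
            dt = f.ts - prev.ts
            row["dist_m"] = round(dist, 1)
            if dt == 0:
                row["flag"] = "duplicate timestamp"
            else:
                speed = dist / dt
                row["speed_mps"] = round(speed, 2)
                if speed > max_speed_mps:
                    row["flag"] = "implausible speed"
        rows.append(row)
        prev = f
    return rows


def sample_fixes():
    """Constructed records: a short drive around Burlington, VT, one
    out-of-order record from a different artifact, one duplicate
    timestamp, and one jump to Montreal that no car could make in 60 s."""
    return [
        Fix(1390000000, 44.4759, -73.2121, "gps"),
        Fix(1390000300, 44.4700, -73.2000, "gps"),
        Fix(1390000600, 44.4600, -73.1800, "gps"),
        Fix(1390000150, 44.4730, -73.2060, "sms"),    # arrives out of order
        Fix(1390000600, 44.4600, -73.1800, "prefs"),  # same second as a gps fix
        Fix(1390000660, 45.5017, -73.5673, "gps"),    # ~120 km in one minute
    ]


def timeline_from_sample():
    return build_timeline(sample_fixes())


if __name__ == "__main__":
    for r in timeline_from_sample():
        print(f'{r["time_utc"]}  {r["lat"]:.4f},{r["lon"]:.4f}  '
              f'{r["source"]:<5} {r["dist_m"]:>9.1f} m  '
              f'{r["speed_mps"]:>8.2f} m/s  {r["flag"]}')
```

Running it prints one row per record in time order, with the out-of-order SMS fix slotted between the first two GPS fixes, the duplicate-timestamp row marked, and the final row marked for implausible speed. In a real examination the flagged rows are the ones to investigate rather than discard: a timestamp collision may simply be two artifacts recording the same event, while an impossible jump usually means one of the two records has a different time base (local time vs. UTC, or a device clock that was changed).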
<h3>
<span style="font-family: Arial, Helvetica, sans-serif; font-size: large;">Tools</span></h3>
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="color: #444444;">Although I have not finalized the tools I plan on using to
uncover this data, I currently plan on using at least the following:</span></span><br />
<div class="MsoListParagraphCxSpFirst">
</div>
<ul>
<li><span style="color: #444444; font-family: Arial, Helvetica, sans-serif;">Cellebrite UFED Touch</span></li>
<li><span style="color: #444444; font-family: Arial, Helvetica, sans-serif;">XRY</span></li>
<li><span style="color: #444444; font-family: Arial, Helvetica, sans-serif;">Volatility</span></li>
<li><span style="color: #444444; font-family: Arial, Helvetica, sans-serif;">Oxygen Forensic Suite</span></li>
</ul>
<div>
<span style="color: #444444; font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<span style="color: #444444; font-family: Arial, Helvetica, sans-serif;">Over the next few weeks I will begin to create the evidence
on the mobile device. My plan is to create evidence based on each category
and then analyze the data for that category before moving on to the next.</span><br />
<div class="MsoNormal">
<span style="color: #444444; font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div class="MsoNormal">
<span style="color: #444444; font-family: Arial, Helvetica, sans-serif;">If you would like to read more about Waze in the meantime
here is a link to their manual.<o:p></o:p></span></div>
<div class="MsoNormal">
<span style="color: #444444; font-family: Arial, Helvetica, sans-serif;"><a href="https://www.waze.com/wiki/Waze_Version_3.5">https://www.waze.com/wiki/Waze_Version_3.5</a>
<o:p></o:p></span></div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5554628146387891484.post-12807060996365051342014-01-19T21:44:00.000-08:002014-01-30T07:37:13.424-08:00
<h2>David Storozuk's Waze Forensic Blog</h2>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6msEHnzQpRYBTHlJtq02IkjAh9v4hOQI3ec1p8drqsVrXDKx75ffLdUgSdYVX_UZNPoI3_IfVy2V97hR5FjXwAm1TbCuD-n1tPWeM4s-4tawLR1EaZ-6UsrrhToOMLXdzjEu9K77oXc4n/s1600/share-image.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="waze, forensics, waze forensics" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6msEHnzQpRYBTHlJtq02IkjAh9v4hOQI3ec1p8drqsVrXDKx75ffLdUgSdYVX_UZNPoI3_IfVy2V97hR5FjXwAm1TbCuD-n1tPWeM4s-4tawLR1EaZ-6UsrrhToOMLXdzjEu9K77oXc4n/s1600/share-image.png" height="200" style="border: 5px solid grey;" title="Waze" width="200" /></a></div>
<div class="MsoNormal">
<h2>
<span style="font-family: Arial, Helvetica, sans-serif;"><b><span style="font-size: 13.5pt;"><span style="color: #444444;">Hello and welcome to Waze
Forensics!</span></span></b></span></h2>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="color: #444444; font-family: Arial, Helvetica, sans-serif;">As a digital forensic senior at <a href="http://www.champlain.edu/computerforensics">Champlain
College</a>, my capstone project requires me to choose a topic
that has yet to be researched within the digital forensic community.</span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt;">
<span style="color: #444444; font-family: Arial, Helvetica, sans-serif;">As part of this project, I will be blogging about the progress I make
uncovering artifacts relating to Waze. To stay up to date on my blog, you can
follow me on <a href="https://plus.google.com/u/0/110378360495771386347/about">Google+</a> or <a href="https://twitter.com/dcStorozuk">Twitter</a>.</span></div>
</div>
<br />Unknownnoreply@blogger.com0