In this issue, data recovery experts from the Key Laboratory of Sichuan Province will explain the process from raw data scanning to specific data extraction for iOS/Android mobile devices. This issue covers the analysis of common locating trace data and its analysis methods, and methods of using GPS service and base station service provided by the third-party for further data analysis and map display.

I GPS and LBS Base Station Locating are Main Sources of Cellphone Locating Data

Many applications installed in iOS and Android mobile devices, such as Weather Forecast, City Greeting, Maps, and Chatting Apps, provides the current location of users. Locating is realized mainly through the using of GPS locating and LBS base station locating, but other locating methods such as WiFi, A-GPS, and GPS-one are also used for locating. For digital forensics, location information is extracted from local application files.

II Five Common Cellphone Locating Data Sources and Analyzing Methods

GPS locating and LBS base station locating are the main data sources for cellphone locating data, but different applications may also use different data sources. Five common cellphone locating data sources and corresponding analyzing methods are explained in this issue.

1. Simple xml

For Simple xml, longitude/latitude and time information can be easily analyzed through its field name. As shown in picture 1, msc.lat indicates latitude 30.572313, msc.lng longitude 104.06245, location_last_update time; 1459495885804 is Unix time stamp and can be converted to UTC time as 04/01/2016 15:31:25.

1

Picture 1: Simple xml

2. App Log File

Txt., log., ini. and other log files contain log data in a certain format, and the scanning of locating data can be realized by using regular expression of certain algorithm. As shown in picture 2, altitude 30.570579, longitude 104.063774, and time 07/15/2017  17:46:20 are all contained in GPS locating data.

2

Picture 2: App log File

3. Android Device Log

Log. is a device log format used only in Android devices and contains base station locating data and the beginning of CellIdentityGsm indicates base station information. As shown in the picture below, mMcc in CellIdentityGsm is country code (China as 460), Mnc network type (1 for China Mobile and 0 for China Unicom), mLac location area code for base station, and mCid is serial number for the base station.

Note: CellIdentityGsm identifies base station information for China Mobile, and the field for China Unicom is CellIdentityWcdma.

3

Picture : Android Device Log

4. DB Database

DB database is commonly used in iOS and Android applications to store basic parameters for application operation and data saved for user settings during their operation. In an opened DB database file, as shown in picture 4, loc field contains encrypted data indicating location information and time field Unix time stamp, both of which can be decrypted as specific latitude and longitude.

4

Picture 4: DB Database

5. Media File

Users can choose whether to save location information for pictures and videos; if saving is chosen, location information of the shooting is contained in the file attribute of media files such as JPG, MP4 and MOV.

5

Picture 5: JPG Media File by iPhone

III Methods of using GPS service and base station service provided by the third-party for further data analysis and map display

Through data extraction and analysis of cellphone location data source explained in the former chapter, locating point of cellphones can be obtained (GPS locating data structure as: time, longitude, altitude; base station data structure as: time, country code, network type, base station serial number, location area code). Further data analysis and map display can be realized through using third party locating data query platforms such as Google Location, Baidu Location Analysis API, LBS data warehouse, Haoservice, and Aggregated data.

Note: Access to VPN is needed during using Google Location; Baidu API can only analyze location information within China; other third-party professional data service providers such as Aggregated Data charge their analyzing services.

Methods of using GPS service and base station service provided by the third-party for further data analysis and map display is explained by taking locating point data in picture 1 to 3 as examples. ①GPS Point [Time 04/01/2016 15:31:25, Longitude 104.06245, Latitude 30.572313]; ②GPS Point [Time 07/15/2015 15:31:25, Longitude 104.063774, Latitude 30.570579] ; ③Base Station Point [Time 04/29/2015 14:14:34, Country Code 460, Network Type 0, Serial Number of Base Station 37341, Location Area Code 33067].

1. API Interface Mode (For GPS Location Point)

For ①GPS Point [Time 04/01/2016 15:31:25, Longitude 104.06245, Latitude 30.572313], Baidu Map API can be used for display and formatted_address field is the specific street location (picture 6).

Note: Users need to apply for ak for using Baidu API, which is applicable for background programs to invoke API.

6

Picture 6: Baidu Map API Interface

2. Website with Maps Mode (For GPS Location Point)

For ②GPS Point [Time 07/15/2015 15:31:25, Longitude 104.063774, Latitude 30.570579], website with maps can be used for display. Open latitude and longitude query website (http://www.gpsspg.com/maps.htm), enter latitude and longitude to the searching bar, and specific street location will be displayed on the map (picture 7).

Note: This method is suitable for small data amount when quick access to specific street location is needed.

7

Picture 7: Website with Maps Mode

3. Analyzing Base Station location data

For ③Base Station Point [Time 04/29/2015 14:14:34, Country Code 460, Network Type 0, Serial Number of Base Station 37341, Location Area Code 33067], third-party query platforms can be used for display and LBS Data Warehouse is used here as an example. Open websitehttp://api.cellocation.com/cell.html, enter base station data information in input box, and access specific street location and longitude and altitude information.

8

Picture 8: Access Specific Street Location of Base Station Using LBS Data Warehouse

 Conclusion

In this issue, data recovery experts from the Key Laboratory of Sichuan Province explained the process from raw data scanning and analyzing of locating points for IOS/Android cellphones to using services provided by the third-party for further data analysis and map display. This method is currently integrated in SalvationDATA MTF(MobileTrack Visualization Forensic), and helps to improve efficiency through the realization of software automatic retrieval, extraction, analysis and map display.

Click HERE to learn more about MTF.