Editor’s note: In this article, SalvationDATA forensic experts will explain the process from raw data scanning to specific data extraction for iOS/Android mobile devices. This issue covers the analysis of common locating trace data and its analysis methods, and methods of using GPS service and base station service provided by the third-party for further data analysis and map display.

I GPS and LBS Base Station Locating are Main Sources of Smartphone Geographic Data

Many applications installed in iOS and Android mobile devices, such as Weather Forecast, City Greeting, Google Maps, and social media Apps, provides the current location of users. Locating is realized mainly through the using of GPS locating and LBS base station locating, but other locating methods such as WiFi, A-GPS, and GPS-one are also used for locating. For digital forensics, location information is extracted from local application files.

II Five Common Smartphone Geographic Data Sources and Analyzing Methods

GPS locating and LBS base station locating are the main data sources for smartphone locating data, but different applications may also use different data sources. Five common smartphone geographic data sources and corresponding analyzing methods are explained as below.

1. Simple XML

For Simple XML, longitude/latitude and time information can be easily analyzed through its field name. As shown in picture 1, msc.lat indicates latitude 30.572313, msc.lng longitude 104.06245, location_last_update time; 1459495885804 is Unix time stamp and can be converted to UTC time as 04/01/2016 15:31:25.

1

Picture 1: Simple XML

2. App Log File

Txt., log., ini. and other log files contain log data in a certain format, and the scanning of locating data can be realized by using the regular expression of the certain algorithm. As shown in picture 2, altitude 30.570579, longitude 104.063774, and time 07/15/2017  17:46:20 are all contained in GPS locating data.

2

Picture 2: App Log File

3. Android Device Log

Log. is a device log format used only in Android devices and contains base station locating data and the beginning of CellIdentityGsm indicates base station information. As shown in the picture below, MCC in CellIdentityGsm is country code (China as 460), Mnc network type (1 for China Mobile and 0 for China Unicom), into location area code for the base station, and mCid is the serial number for the base station.

Note: CellIdentityGsm identifies base station information for China Mobile, and the field for China Unicom is CellIdentityWcdma.

3

Picture 3: Android Device Log

4. DB Database

DB database is commonly used in iOS and Android applications to store basic parameters for application operation and data saved for user settings during their operation. In an opened DB database file, as shown in picture 4, loc field contains encrypted data indicating location information and time field Unix time stamp, both of which can be decrypted as specific latitude and longitude.

4

Picture 4: DB Database

5. Media File

Users can choose whether to save location information for pictures and videos; if saving is chosen, location information of the shooting is contained in the file attribute of media files such as JPG, MP4, and MOV.

5

Picture 5: JPG Media File by iPhone

III Methods of using GPS service and base station service provided by the third-party for further data analysis and visualization on the maps.

Through data extraction and analysis of smartphone location data source explained in the former chapter, locating the point of smartphones can be obtained (GPS geographic data structure as: time, longitude, altitude; base station data structure as: time, country code, network type, base station serial number, location area code). Further data analysis and map visualization can be realized through using third party geographic data query platforms such as Google Location, Baidu Location Analysis API, LBS data warehouse, Haoservice, and Aggregated data.

Note: Access to VPN is needed during using Google Location; Baidu API can only analyze location information within China; other third-party professional data service providers such as Aggregated Data charge their analyzing services.

Methods of using GPS service and base station service provided by the third-party for further data analysis and map visualization is explained by taking geographic data in picture 1 to 3 as examples.

(1)GPS Point [Time 04/01/2016 15:31:25, Longitude 104.06245, Latitude 30.572313].

(2)GPS Point [Time 07/15/2015 15:31:25, Longitude 104.063774, Latitude 30.570579].

(3)Base Station Point [Time 04/29/2015 14:14:34, Country Code 460, Network Type 0, Serial Number of Base Station 37341, Location Area Code 33067].

1. API Interface Mode (For GPS Location Point)

For (1)GPS Point [Time 04/01/2016 15:31:25, Longitude 104.06245, Latitude 30.572313], Baidu Map API can be used for display and formatted_address field is the specific street location (picture 6).

Note: Users need to apply for ask for using Baidu API, which is applicable for background programs to invoke API.

6

Picture 6: Baidu Map API Interface

2. Website with Maps Mode (For GPS Location Point)

For (2)GPS Point [Time 07/15/2015 15:31:25, Longitude 104.063774, Latitude 30.570579], the website with maps can be used for display. Open latitude and longitude query website (http://www.gpsspg.com/maps.htm), enter latitude and longitude to the searching bar, and specific street location will be displayed on the map (picture 7).

Note: This method is suitable for small data amount when quick access to specific street location is needed.

7

Picture 7: Website with Maps Mode

3. Analyzing Base Station Geographic data

For (3)Base Station Point [Time 04/29/2015 14:14:34, Country Code 460, Network Type 0, Serial Number of Base Station 37341, Location Area Code 33067], third-party query platforms can be used for display and LBS Data Warehouse is used here as an example. Open website http://api.cellocation.com/cell.html, enter base station data information in the input box, and access specific street location and longitude and altitude information.

8

Picture 8: Access Specific Street Location of Base Station Using LBS Data Warehouse

 

Conclusion

In this issue, SalvationDATA forensic experts explained the process from raw data scanning and analyzing of locating points for IOS/Android smartphones to using services provided by the third-party for further data analysis and map visualization. This method has already integrated in SmartPhone Forensic System(SPF) and helps to improve efficiency through the realization of software automatic retrieval, extraction, analysis and map visualization. You can download SPF from our resources page of the website and have a free trial.