Determine Starbucks...
 
Notifications
Clear all

Determine Starbucks Physical Location From Browsing History

8 Posts
5 Users
0 Likes
473 Views
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
Topic starter
 

Colleagues,

I am trying to determine geo-location information from the below browsing history (if possible)

http//digital.starbucks.com/?vh=a88eb0f6c7e5422b81917e3d9dcf0fd1&MacAddr=24%3Ac6%3A96%3A51%3A7d%3Aa8&venue=02661&ts=1407353476

1) I determined that the "ts=1407353476" is a Time Stamp = 8/6/2014 (source TimestampConvert.com).

2) I see "venue=02661", which I am guessing could be a Starbucks store number.

I noted that typing in "http//www.starbucks.com/store/2661" shows a Starbucks location in London, England.

3) I have no clue what this value means "vh=a88eb0f6c7e5422b81917e3d9dcf0fd1". Perhaps "vh" is "view history"?

Any help would be greatly appreciated!

Regards,

Larry

 
Posted : 05/08/2015 7:56 am
Adam10541
(@adam10541)
Posts: 550
Honorable Member
 

02661 is the zip code for Harwich MA (according to Google)

 
Posted : 05/08/2015 11:00 am
(@dandaman_24)
Posts: 172
Estimable Member
 

Using mans best friend, Mr Google I typed in the following 'starbucks UK store number 2661' and first result came back with what I assume is store number 2661, located in Notting Hilll London.

Link to 1st google result for starbucks 2661

I have then gone to Starbucks store finder, picked a random starbucks

Store number 2677
Cardiff Store number 2677

Store number 1008978
Montanna Store number 1008978

Cant help more than that I'm afraid

 
Posted : 05/08/2015 12:29 pm
Chris_Ed
(@chris_ed)
Posts: 314
Reputable Member
 

Colleagues,
3) I have no clue what this value means "vh=a88eb0f6c7e5422b81917e3d9dcf0fd1". Perhaps "vh" is "view history"?

Given that what follows is a 32-character length hexadecimal string, I'm guessing the "h" in "vh" stands for "hash". The most likely candidate is our pal MD5, but who knows what it's hashing? "V"enue is a tempting choice, but the value provided doesn't match the md5 hash of either 02661 or 2661 (or even "Notting Hill, London"). It might even just stand for "Value", I guess.

 
Posted : 05/08/2015 2:43 pm
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

Think you have an opportunity here to buy coffee and cake from your nearest starbucks on the company credit card.

 
Posted : 05/08/2015 3:19 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
Topic starter
 

Paul,

Ironic that you commented on my post as I was actually able to use your SQL Forensic tools software successfully on this project - thank you for the excellent tool set.

As yet another example of why it is important to run multiple tools on the same data to compare results, the opponent's Cellebrite tool was able to extract internet browsing history from the target Samsung Galaxy Tab 3, but Katana's Lantern and Compelson's Mobiledit Forensic were not.

Rooting the Tab allowed me to create a physical image of the device, which I then ingested into GetData's Forensic Explorer ("FEX"). However, although I was able to identify the internet browsing history database file and view it using FEX, I was not able to create a report of the database file contents nor extract the database contents using FEX.

So, I used FEX to extract the entire DB file from User\data\com.android.browser\databases\browser2.db to my forensic workstation and then ran it in your SQL Forensic tool and was able to create an Excel file report of the "history" tab of the browser2.db database.

Does your tool have the ability to automatically convert the millisecond time stamps into normal format Date and Time values in a separate column? That would be awesome if it did.

Regards,

Larry

 
Posted : 05/08/2015 7:09 pm
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

Hi Larry

I am very pleased my software was able to assist. Without seeing the time stamp I cannot be certain but assuming the date was unix milliseconds then yes it can convert this date.

The current conversion set is as follows.

If a date format isn't supported then I can easily add it - and you could of course use SQL to convert a date (but this can get a bit messy and it is pretty much impossible to apply timezone offsets this way)

 
Posted : 05/08/2015 9:04 pm
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

Oops might have misunderstood

If you wnat to add the same column twice - once with the "raw" data and once with a converted timestamp then it is easy - just check the column to add it to the centre 'columns designer' and build the SQL query and then drag the column down to add it again (or just type the relevant SQL and a column alias - something like below (using a skype unix10 date as an example)

Hope this helps.

Paul

[updated to change to animated gif]

 
Posted : 05/08/2015 9:11 pm
Share: