Forensics Android App

 Doug
(@doug)
Estimable Member
Joined: 16 years ago
Posts: 185
 

Upon reading your post, I did a bit of research into the type of devices that store data such as location. One of the examples given was a camera. Although I'm not surprised the camera stores the longitude / latitude - it got me thinking. How does the camera find and store such information without a connection?!

http://en.wikipedia.org/wiki/Geotagging

That shows the format of the common GPS coordinate formats as well as circumstances for recording and storing the data.

Then information about EXIF data is always worth knowing for this type of project.

http://www.exif.org/

http://en.wikipedia.org/wiki/EXIF


   
(@jwasley)
Eminent Member
Joined: 14 years ago
Posts: 30
Topic starter  

Cheers Doug. Will have a read through now.


   
(@jwasley)
Eminent Member
Joined: 14 years ago
Posts: 30
Topic starter  

For those interested in an update, here it is…..

Following on from this topic, I've made several changes to my FYP.

- The application is now based for desktops instead of android
- All data collected is stored on a local database using XAMPP
- All data stored on the database is displayed using PHP on a separate web page
- The program now generates its own KML file linked to the photo examined

It's taken me around 2 months to get to where I want. The program isn't completed but thought I'd post a quick update.

Any suggestions - Fire them my way!

- James


   
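An added illustration, not part of any post in this thread and not the project's code: one way the KML step mentioned in the update above can work, turning EXIF GPS degree/minute/second rationals into decimal degrees and writing one Placemark per photo. The record layout and field names (`file`, `taken`, `lat`, `lat_ref`, `lon`, `lon_ref`) are assumptions, and the sample records are constructed.

```python
# Added example (not the project's code): EXIF GPS fields -> decimal degrees -> KML.
from fractions import Fraction
from xml.sax.saxutils import escape

def dms_to_decimal(dms, ref):
    """dms: three EXIF rationals as (numerator, denominator); ref: N, S, E or W."""
    if ref not in ("N", "S", "E", "W"):
        raise ValueError(f"unexpected GPS reference {ref!r}")
    if len(dms) != 3 or any(den == 0 for _, den in dms):
        raise ValueError("malformed GPS rational triple")
    deg, minutes, sec = (Fraction(n, d) for n, d in dms)
    value = deg + minutes / 60 + sec / 3600
    return float(-value if ref in ("S", "W") else value)   # south and west are negative

def exif_time_to_kml(stamp):
    """'YYYY:MM:DD HH:MM:SS' -> 'YYYY-MM-DDTHH:MM:SS'; EXIF gives no zone, so none is added."""
    date, clock = stamp.split(" ")
    return date.replace(":", "-") + "T" + clock

def placemark(photo):
    lat = dms_to_decimal(photo["lat"], photo["lat_ref"])
    lon = dms_to_decimal(photo["lon"], photo["lon_ref"])
    return ("<Placemark>"
            f"<name>{escape(photo['file'])}</name>"
            f"<TimeStamp><when>{exif_time_to_kml(photo['taken'])}</when></TimeStamp>"
            f"<Point><coordinates>{lon:.6f},{lat:.6f},0</coordinates></Point>"  # lon first
            "</Placemark>")

def build_kml(photos):
    """Photos without usable GPS fields are listed separately, not plotted at 0,0."""
    marks, skipped = [], []
    for p in photos:
        try:
            marks.append(placemark(p))
        except (KeyError, ValueError):
            skipped.append(p.get("file", "?"))
    doc = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<kml xmlns="http://www.opengis.net/kml/2.2"><Document>'
           + "".join(marks) + "</Document></kml>")
    return doc, skipped

# Constructed sample records, as a metadata reader might hand them over.
SAMPLE = [
    {"file": "IMG_0001.jpg", "taken": "2013:02:10 14:30:00",
     "lat": [(51, 1), (30, 1), (2600, 100)], "lat_ref": "N",
     "lon": [(0, 1), (7, 1), (3960, 100)], "lon_ref": "W"},
    {"file": "IMG_0002.jpg", "taken": "2013:02:10 14:31:10"},   # no GPS tags
]
```

`build_kml(SAMPLE)` returns the KML text together with the list of files that could not be plotted, so a report can name them explicitly.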
(@forensicit_dude)
Active Member
Joined: 16 years ago
Posts: 11
 

Looks interesting mate.

Could you tell me a bit more about the technique you use to retrieve the data? You just copy the files from the phone to your desktop? Also, how about deleted files that aren't overwritten yet ;-)?


   
(@jwasley)
Eminent Member
Joined: 14 years ago
Posts: 30
Topic starter  

Hi ForensicIT_Dude,

Retrieving the data is a simple process of putting the phone into USB Debugging mode and sending the files across a Java pipe. The downside to this is the fact the examiner needs to know where the photos are stored on the device as they are required to enter a destination.

With regards to deleted files - I haven't really thought about it. I believe retrieving deleted photos would be of great benefit to the program, but make it much more complicated. Perhaps something to look into once I have the basics completed. I assume the photos are stored in a DB?


   
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

James, nice project. Some observations of possibilities:

- where the images are stored on the desktops does PEAP differentiate between the file timestamps and timestamps recorded in the images?

- where your app shows timestamps in images created by particular mobile OSs, will the app identify the format of the timestamp?

- where you show the box containing 'GT-I9100' perhaps you may wish to consider adding another box underneath it or have a user selectable arrow from a corner of the GT-I9100 box that allows an IMEI to be displayed (if it is recorded in the EXIF data). My preference would be the former because I don't want to have an app that makes me hunt for the basic info and invariably images do get transferred between mobiles/devices containing EXIF data?

- it would be useful to have a feature that allows exploration in hex view where your app viewer highlights the hex data relevant to the data shown in your image above?

- where images that have been deleted, recovered, and saved in the PEAP app folder (or wherever the images are stored on the desktop) perhaps PEAP could have access to competitive product viewers, e.g. Irfanview etc?

- how might your app comment to the investigator where all metadata is missing? I am still working on this project - http://www.forensicfocus.com/Forums/viewtopic/t=9071/

Given the timescale of your FYP I appreciate you may not include all or any of the above observations.

Good luck.


   
(@jwasley)
Eminent Member
Joined: 14 years ago
Posts: 30
Topic starter  

Hi Trewmte,

- where the images are stored on the desktops does PEAP differentiate between the file timestamps and timestamps recorded in the images?

When the picture is copied from the device, the date shown in PEAP is the date the photo was taken. I've just done some tests, and if the user was to right click the duplicated image and go to its properties, the "date created" changes. However, as I've said - the date shown on PEAP is the original date. Not sure if this would be an issue?

- where your app shows timestamps in images created by particular mobile OSs, will the app identify the format of the timestamp?

What do you mean "the format of the timestamp"? If you mean the way in which the timestamp is laid out, e.g. dd/mm/yy, I wouldn't imagine so. The only devices I've tested the program on are Android (Icecream and Jellybean).

- where you show the box containing 'GT-I9100' perhaps you may wish to consider adding another box underneath it or have a user selectable arrow from a corner of the GT-I9100 box that allows an IMEI to be displayed (if it is recorded in the EXIF data). My preference would be the former because I don't want to have an app that makes me hunt for the basic info and invariably images do get transferred between mobiles/devices containing EXIF data?

Adding the IMEI is a great idea. Never thought of that - thanks. Although I'm not sure if the IMEI is stored in EXIF data?

- it would be useful to have a feature that allows exploration in hex view where your app viewer highlights the hex data relevant to the data shown in your image above?

Another fantastic idea that I will definitely include if time isn't an issue.

- how might your app comment to the investigator where all metadata is missing? I am still working on this project - http://www.forensicfocus.com/Forums/viewtopic/t=9071/

Unsure what you mean by this question.

Thanks for the ideas trewmte. Definitely giving me something to think about!


   
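An added illustration, not part of any post and not the project's code: reading the capture time (DateTimeOriginal) straight from the EXIF block and reporting it beside the file-system time, which is the distinction raised in the exchange above, including the case where the metadata is missing. It assumes the TIFF-formatted EXIF block has already been taken out of the JPEG; the sample blob, the function names and the UTC-offset parameter are constructed for the example.

```python
# Added example (not the project's code): capture time from EXIF vs. file-system time.
import struct
from datetime import datetime, timedelta, timezone

def build_sample_tiff(stamp):
    """Constructed EXIF (TIFF) blob: IFD0 -> Exif IFD (0x8769) -> DateTimeOriginal (0x9003)."""
    header = b"II*\x00" + struct.pack("<I", 8)               # little-endian, IFD0 at offset 8
    ifd0 = struct.pack("<HHHIII", 1, 0x8769, 4, 1, 26, 0)    # one LONG entry -> Exif IFD at 26
    exif = struct.pack("<HHHIII", 1, 0x9003, 2, 20, 44, 0)   # one ASCII entry -> text at 44
    return header + ifd0 + exif + stamp.encode("ascii") + b"\x00"

def read_ifd(tiff, offset, e):
    """Map tag -> (type, count, value_or_offset) for one image file directory."""
    (n,) = struct.unpack_from(e + "H", tiff, offset)
    return {t: (ty, c, v) for t, ty, c, v in
            (struct.unpack_from(e + "HHII", tiff, offset + 2 + 12 * i) for i in range(n))}

def date_time_original(tiff):
    """Return the raw DateTimeOriginal string, or None if absent or unreadable."""
    try:
        e = {b"II": "<", b"MM": ">"}[bytes(tiff[:2])]
        magic, ifd0_off = struct.unpack_from(e + "HI", tiff, 2)
        if magic != 42:
            return None
        exif_off = read_ifd(tiff, ifd0_off, e)[0x8769][2]
        typ, count, off = read_ifd(tiff, exif_off, e)[0x9003]
    except (KeyError, struct.error):
        return None
    if typ != 2 or off + count > len(tiff):
        return None
    return tiff[off:off + count].rstrip(b"\x00").decode("ascii", "replace")

def timestamp_report(tiff, fs_mtime, utc_offset_hours=0):
    """Keep both clocks side by side; never substitute one for the other."""
    fs = datetime.fromtimestamp(fs_mtime, timezone.utc)
    report = {"exif_taken": date_time_original(tiff), "filesystem_utc": fs.isoformat()}
    if report["exif_taken"] is None:
        report["note"] = "no EXIF capture time; file-system time reflects the copy, not the photo"
        return report
    # EXIF DateTimeOriginal is local time with no zone; the offset is an examiner-supplied assumption.
    zone = timezone(timedelta(hours=utc_offset_hours))
    try:
        taken = datetime.strptime(report["exif_taken"], "%Y:%m:%d %H:%M:%S").replace(tzinfo=zone)
    except ValueError:
        report["note"] = "EXIF capture time present but not in YYYY:MM:DD HH:MM:SS form"
        return report
    report["seconds_between"] = int((fs - taken).total_seconds())
    return report
```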
cjfaiella
(@cjfaiella)
Active Member
Joined: 19 years ago
Posts: 5
 

There is an app for Androids that shows where texts are made from, where calls are made from, the top ten apps that have sent out data on the phone, and many other features. It's called "Sentrysp insight" on the Google store.


   
(@jwasley)
Eminent Member
Joined: 14 years ago
Posts: 30
Topic starter  

Update 2

Thought I'd post a quick update as I have several people contacting me via private messaging regarding the project.

If you haven't read the above posts, the project has changed somewhat from the original post.

WATSON (originally named PEAP) is a Java based application designed to run on Windows 7. Aimed at law enforcement agencies, WATSON allows you to perform secure forensic extraction of images from a wide variety of devices and unearth potential evidence from metadata.

From the data retrieved, WATSON enables the user to produce a timeline detailing when and where photos were taken using Google Earth. Furthermore, WATSON has an in-built feature which can produce both web and word based reports. The idea behind this is to help reinforce evidence used during a trial.


I'm at a stage where the project is nearly complete and I'm in need of suggestions / improvements. Good or bad, I'd like to get some feedback.

Cheers


   
(@armresl)
Noble Member
Joined: 21 years ago
Posts: 1011
 

JWasley,

So you are working on a final paper, why did you put for Law Enforcement on your program?


   