Hi.
I have a question about TomTom GPS forensics under Linux. I have been reading Tom Tom forensics by Clara Maria Columbini.
This is the command used when doing hash of the data on the original device (Tom Tom).
# dd if=/dev/hda1 | md5sum
The original device is called /dev/hda1.
This is the command used when doing the forensic image of Tom Tom data.
# dd if=/dev/sdb1 of=/media/hdb4/tomtom01.img
Now the name of the original device is /dev/sdb1. Why did the name of data on the original device change from hda1 to sdb1? Is it the SD card?
Is the data on the GPS device write protected or is it deleted if the if and of parameters switch in the second dd command (making the forensic image command)?
Thank you for your help.
Philip,
Once you manage to perform an extraction, please read this thread about data that is available on TomTom devices that is not generally accessible. These are encrypted trip-log files in the STATDATA root folder, which, once decrypted, have 5 second time-stamp resolution of the TomTom trips.
See this link for samples of such decrypted trip-log files:
http://www.forensicfocus.com/Forums/viewtopic/t=8456/
Many Cellebrite UFED users have already used that free service to decrypt these files.
Ron
I appreciate the answer, RonS.
Now the name of the original device is /dev/sdb1. Why did the name of data on the original device change from hda1 to sdb1? Is it the SD card?
They are two different Linux devices/subdevices. Which is which … well, you should be able to get that information from dmesg. Try 'dmesg | grep sdb'.
hda1 and sdb1 are not necessarily the devices names to use in *your* particular case.
Is the data on the GPS device write protected or is it deleted if the if and of parameters switch in the second dd command (making the forensic image command)?
'if' should refer to the device you are imaging. 'of' should refer to the device you are storing the image on, and typically it's a file on a mounted device.
There's no 'write protection' anywhere here – unless you're using a write blocker. It's up to you (or the particular Linux distribution you are using) to fix that.
If you point 'of' to the device you should be imaging, you're more than likely to destroy the contents of it. dd doesn't care if it's a raw device or a file on a mounted device.
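To make the if/of point and the article's hash step concrete, here is an added example (not from any post in this thread): a small POSIX shell function that hashes the source with dd | md5sum, images it with dd, hashes the image, and refuses to run when 'of' points at a block device. The function name and paths are assumptions for illustration; it relies only on dd, md5sum and cut.

```shell
#!/bin/sh
# Added example, not the article's or the thread's own script.
# Usage: image_and_verify SOURCE IMAGE_PATH
#   SOURCE     the device (or, for testing, a regular file) to image, i.e. dd's 'if'
#   IMAGE_PATH a file on an already-mounted evidence drive, i.e. dd's 'of'
# Returns 0 when the md5 of the source and of the image agree.
image_and_verify() {
    src="$1"
    out="$2"

    # Guard against the swapped-parameter mistake discussed above: dd will
    # happily write the image over a raw device, so refuse any block device as 'of'.
    if [ -b "$out" ]; then
        echo "refusing: output $out is a block device, would be overwritten" >&2
        return 2
    fi

    # Hash of the original data, as in the article: dd if=... | md5sum
    src_hash=$(dd if="$src" bs=512 2>/dev/null | md5sum | cut -d' ' -f1)

    # The forensic image itself: dd if=<source> of=<image file>
    dd if="$src" of="$out" bs=512 2>/dev/null || return 1

    # Hash of the image; it must match the source hash taken a moment ago.
    img_hash=$(md5sum "$out" | cut -d' ' -f1)

    echo "source md5: $src_hash"
    echo "image  md5: $img_hash"
    [ "$src_hash" = "$img_hash" ]
}
```

Which /dev name the TomTom got on your own machine is still a question for dmesg (e.g. dmesg | grep sdb), as athulin says; a mismatch between the two hashes means the image is not a faithful copy and must be redone.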
Thank you for the answer athulin.
The device mentioned is not in my possession.
It was described in an article written by Clara Maria Columbini.
Are there other ways of finding out why the original device is given two different names?
hda = IDE drives (hard disk)
sda = SCSI drives…. and SATA drives too. (SCSI disk)
That's my understanding of the differences anyway.