
Smartwatch Forensics  

alex1010
(@alex1010)
New Member

I am a Digital Forensics student who is currently conducting research into budget Smartwatch Forensics, to determine what information, if any, can be retrieved from them. I have opted to research the growing market of cheap Chinese replicas which hold around a 5% market share in the West, although very little information is available on these devices. The watch I am investigating is a DZ09 Smartwatch running Nucleus OS and has an MTK chip, the MT6261A, and is around £10 from eBay. It is surprisingly full of features considering the price, such as camera, media player, etc. The watch is compatible with Android and iOS, uses Bluetooth to connect to the phone, has SIM card and external storage compatibility and can be connected via a micro USB cable. The watch can pretty much act as its own device whereas before it would've just mirrored the phone.

The scenario is that an Android smartphone (Nexus 5) will be connected to a budget smartwatch which has a SIM card and micro SD card, and the phone connects to the watch through an app. Both will have separate evidence planted on each and paired information through Bluetooth. Some evidence will be deleted from the phone while it is not synced, to see if a footprint is left. If successful I aim to try different scenarios such as full disk encryption on the phone and seeing if the watch acts as a potential back door to retrieving evidence.

So far I have managed to run XRY against the watch under its predecessor the U8 smartwatch, which gathers some information from it. I have also used SP Flash Tool to perform a RAM test and back up the firmware from the device. The watch is very temperamental with Windows and Linux OS, which keep auto disconnecting it as it is not a recognised device. The watch appears on Linux under terminal commands; however, it can't be accessed or mounted.

The main question I have is if anyone has any experience with smartwatches or Chinese replicas running unfamiliar OS's and how best to tackle them? And additionally any tools or techniques which are able to gather data from the device? I have researched various Russian forums and attempted to find source code through Baidu but it is very covered up.

I am also planning on assessing the data stored in the app on the phone for evidence and through adb on the phone when connected to the watch. But mainly I am looking for guidance to help me conduct this investigation.

Posted : 17/01/2017 6:30 pm
jaclaz
(@jaclaz)
Community Legend
mobileforensicswales
(@mobileforensicswales)
Active Member

Also https://brimorlabs.app.box.com/v/bsides-wwtws

Posted : 18/01/2017 2:12 pm
jaclaz
(@jaclaz)
Community Legend

Also https://brimorlabs.app.box.com/v/bsides-wwtws

Isn't that (besides a crappy presentation) ONLY about the Pebble and MS Band 2?

I will never understand the (bad IMHO) taste of making presentations about serious things become laughing matter by introducing every kind of (presumably funny) images in them.
One (to break the ice with a quick laugh) may be OK, but that's it, if someone aspires to become a standing comedian, he should be aware that they don't use powerpoint …
… definitely I am getting older (and grumpier).

jaclaz

Posted : 18/01/2017 7:11 pm
alex1010
(@alex1010)
New Member

Perfect, thank you. Does anyone know any tools that offer smartwatch support apart from XRY?

Posted : 22/01/2017 8:01 pm
alex1010
(@alex1010)
New Member

Just in case anyone is interested, I have managed to retrieve data from the smartwatch via two other methods on top of XRY.

The first way was to image the phone through adb, where I found a log file for the app which connects to the phone. Within here all interactions and timestamps between the devices are noted within a text file.

The other method was through using a tool called SP Flash Tool, where the ROM was extracted from the device and loaded into a hex editor for analysis.

Posted : 03/02/2017 11:09 pm
jaclaz
(@jaclaz)
Community Legend

The other method was through using a tool called SP Flash Tool, where the ROM was extracted from the device and loaded into a hex editor for analysis.

I guess (thought) that the difficult part in using SP Flash Tool is to create the "scatter file", it would be interesting if you could detail the way it worked for you, i.e. something *like*
http://www.droidgyan.com/scatter-file/
or you managed to find an appropriate pre-built "scatter file" for that watch model.

jaclaz

Posted : 03/02/2017 11:27 pm
alex1010
(@alex1010)
New Member

Yeah, at first I struggled with creating an appropriate scatter file, and the majority of pre-built scatter files for this watch are for the MT6260 instead of the 61. However, I managed to fall upon a suitable file.

    general:
        config_version: alpha   # config file version (alpha, beta is used before SQC done.)
                                # After SQC done, the version should be 1 for the first release version.
        platform:               # It is used for tool to identify the right setting for specific target

    boot_region:
        alignment: block        # block[default], page(NAND2K/512B, NOR 1KB, eMMC 512B, SF 256B)
        rom:
            - file: INT_BOOTLOADER
            - file: EXT_BOOTLOADER

    control_block_region:
        rom:

    main_region:
        alignment: block        # block[default], page(NAND2K/512B, NOR 1KB, eMMC 512B, SF 256B)
        rom:
            - file: FILE_01_mtk
            - file: FILE_02_mtk

    file_system_region:
        rom:

    external_memory:
        parameters_version: v1
        parameters:
            # EMI 1
            - flash_info:
                flash_type: SF
                id_length: 3
                flash_id: [0xC2, 0x25, 0x36, 0x00, 0x00, 0x00, 0x00, 0x00]
              memory_type: PSRAM_166MHz
              EMI_Setting:

            # EMI 2
            - flash_info:
                flash_type: SF
                id_length: 3
                flash_id: [0xEF, 0x40, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00]
              memory_type: PSRAM_166MHz
              EMI_Setting:

            # EMI 3
            - flash_info:
                flash_type: SF
                id_length: 3
                flash_id: [0xC2, 0x20, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00]
              memory_type: PSRAM_166MHz
              EMI_Setting:

            # EMI 4
            - flash_info:
                flash_type: SF
                id_length: 3
                flash_id: [0xEF, 0x70, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00]
              memory_type: PSRAM_166MHz
              EMI_Setting:

            # EMI 5
            - flash_info:
                flash_type: SF
                id_length: 3
                flash_id: [0xC8, 0x60, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00]
              memory_type: PSRAM_166MHz
              EMI_Setting:

            # EMI 6
            - flash_info:
                flash_type: SF
                id_length: 3
                flash_id: [0xC2, 0x25, 0x38, 0x00, 0x00, 0x00, 0x00, 0x00]
              memory_type: PSRAM_166MHz
              EMI_Setting:

Posted : 04/02/2017 12:09 am
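An added example, not part of the original post or of SP Flash Tool: the `flash_id` entries in the scatter file above are JEDEC SPI flash IDs, so they can be decoded to check that a readback covers the whole chip. The vendor table is standard JEDEC; the capacity rule (low 5 bits of the third byte as log2 of the size in bytes) is an assumed heuristic that fits the part families listed, and the function names are hypothetical.

```python
import re

# JEDEC manufacturer IDs (bank 1) seen as the first flash_id byte in the post.
JEDEC_VENDORS = {0xC2: "Macronix", 0xEF: "Winbond", 0xC8: "GigaDevice"}

# Constructed sample: three flash_info entries copied from the post, in the
# flattened form the forum shows them (colons are optional for the parser).
SAMPLE_SCATTER = """\
- flash_info
flash_type SF
id_length 3
flash_id [0xC2, 0x25, 0x36, 0x00, 0x00, 0x00, 0x00, 0x00]
- flash_info
flash_type SF
id_length 3
flash_id [0xEF, 0x40, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00]
- flash_info
flash_type SF
id_length 3
flash_id [0xC2, 0x25, 0x38, 0x00, 0x00, 0x00, 0x00, 0x00]
"""

ENTRY_RE = re.compile(
    r"id_length\s*:?\s*(\d+)\s*\n\s*flash_id\s*:?\s*\[([^\]]*)\]")

def parse_flash_ids(text):
    """Return one tuple of significant ID bytes per flash_info entry."""
    ids = []
    for length, body in ENTRY_RE.findall(text):
        values = [int(tok, 16) for tok in body.split(",") if tok.strip()]
        ids.append(tuple(values[:int(length)]))  # id_length trims the padding
    return ids

def describe(flash_id):
    """Decode vendor and (heuristically) capacity from a 3-byte JEDEC ID."""
    vendor = JEDEC_VENDORS.get(flash_id[0], "unknown")
    # Assumption: low 5 bits of byte 3 are log2(capacity in bytes).
    capacity = 1 << (flash_id[2] & 0x1F)
    return vendor, capacity

def dump_is_complete(dump_size, flash_id):
    """True if a readback of dump_size bytes covers the whole chip."""
    return dump_size >= describe(flash_id)[1]

if __name__ == "__main__":
    for fid in parse_flash_ids(SAMPLE_SCATTER):
        vendor, cap = describe(fid)
        print(" ".join(f"{b:02X}" for b in fid), vendor, cap // (1 << 20), "MiB")
```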
alex1010
(@alex1010)
New Member

It's actually very interesting if you get any spare time to undertake it, from the ROM dump I have found contacts from my gmail account which I never used. So the next step is to reset all devices and full disk encrypt the phone to see if it acts as a sort of backdoor to a secure device.

Posted : 04/02/2017 12:12 am
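An added example, not from the thread: a repeatable alternative to paging through the ROM dump in a hex editor, which hashes the image and lists e-mail-like strings with their byte offsets so each hit can be re-located and cited. That contact strings may be stored as 8-bit text or as UTF-16LE is an assumption, not something the posts state; the sample image and addresses are constructed.

```python
import hashlib
import re

# E-mail-like strings stored as plain 8-bit text.
EMAIL_ASCII = re.compile(
    rb"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,}")
# The same pattern with a 0x00 after every character (UTF-16LE / UCS-2).
EMAIL_UTF16 = re.compile(
    rb"(?:[A-Za-z0-9._%+-]\x00){1,64}@\x00"
    rb"(?:[A-Za-z0-9.-]\x00){1,253}\.\x00(?:[A-Za-z]\x00){2,}")

# Constructed sample image: erased flash (0xFF), one ASCII address,
# zero padding, one UTF-16LE address, then erased flash again.
SAMPLE_IMAGE = (
    b"\xff" * 16
    + b"alice@example.com"
    + b"\x00" * 7
    + "bob@example.org".encode("utf-16-le")
    + b"\xff" * 8
)

def image_digest(image):
    """SHA-256 of the acquired image, recorded before any analysis."""
    return hashlib.sha256(image).hexdigest()

def carve_emails(image):
    """Return (offset, encoding, address) for every hit, ordered by offset."""
    hits = []
    for m in EMAIL_ASCII.finditer(image):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in EMAIL_UTF16.finditer(image):
        hits.append((m.start(), "utf-16-le", m.group().decode("utf-16-le")))
    return sorted(hits)

if __name__ == "__main__":
    print("sha256:", image_digest(SAMPLE_IMAGE))
    for offset, encoding, address in carve_emails(SAMPLE_IMAGE):
        print(f"0x{offset:08X}  {encoding:<9}  {address}")
```

For a real readback, pass the bytes of the image file opened read-only in place of `SAMPLE_IMAGE`.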