Join Us!

TomTom GPS Forensic...
 
Notifications
Clear all

TomTom GPS Forensics  

  RSS
bs531
(@bs531)
New Member

I have an image of a TomTom One 3rd edition and I need to open the triplog-YYYY-MM-DD.dat files. These files are in the "statdata" folder on the deivce. I can look at the files in a hex editor but I would like to find something that will interpret the files in the same manor as the TomTom would. Is there any software (preferably free) that can read the triplog files?

Also Where does the GPS get its date and time from? The triplog files are all named with date/time stamps. Does this date and time come from the satellites when the GPS connects or is this a user entered date and time?

Thank You
Brian

Quote
Posted : 30/10/2008 9:35 pm
darren_q
(@darren_q)
Junior Member

According to the following about the dat files;

"The way this functionality works is by TomToms collecting
anonymous usage data from users who allow it. If a user allows it
then they will see lots of files named 'triplogxxxxxx' in a folder called
'statdata'. The contents of these files is encrypted and so only
TomTom themselves actually know what is in them."
http//www.gpsforensics.org/phpBB3/viewtopic.php?f=6&t=8

I've had success with using POIEdit and the cfg files. I've also exported all the unallocated from the SD card (I used Encase) with a .cfg extension. Then point POIEdit at the Unallocated Clusters.

Tomtology is another option, as is Tomtom Home software on a copy of the SD card.

ReplyQuote
Posted : 31/10/2008 2:03 am
bs531
(@bs531)
New Member

Thanks for the response. POI Edit does a good job of getting the stored addresses. I was hoping to find something that could place the GPS at the scene of the crime but it seems like the only thing that would contain that information would be the triplog files, which dont seem too accessible. Has anyone ever successfully used Tomtology or TomTom Forensic Analyzer by Digivence? These tools are about $200 so I would like to know how well they work before buying anything.

ReplyQuote
Posted : 31/10/2008 4:47 pm
andysayers
(@andysayers)
New Member

The CFG files also contain 'last GPS Fixes', one per CFG file. These are generally where the TomTom was turned off. It's possible that this could place your TomTom at the scene.
POIEdit won't extract these from the CFG files.

ReplyQuote
Posted : 07/11/2008 10:11 pm
darren_q
(@darren_q)
Junior Member

If you view the cfg file with a hex editor (or encase) you can convert the hex values to signed 32-bit integer which is the co-ordinates in decimal (forgive the brevity, I'm at home and haven't got access to a cfg file to give an example)

From the files I've looked at, the location is in freetext, the hex values of interest are before the text, go back 9 values, select the 8 values from here and convert to signed 32-bit integer, which should give something like 35.87655 and -135.56474 (I'm sure it's possible to write a script to do this, just need some time!)

ReplyQuote
Posted : 08/11/2008 2:34 am
andysayers
(@andysayers)
New Member

If you view the cfg file with a hex editor (or encase) you can convert the hex values to signed 32-bit integer which is the co-ordinates in decimal (forgive the brevity, I'm at home and haven't got access to a cfg file to give an example)

From the files I've looked at, the location is in freetext, the hex values of interest are before the text, go back 9 values, select the 8 values from here and convert to signed 32-bit integer, which should give something like 35.87655 and -135.56474 (I'm sure it's possible to write a script to do this, just need some time!)

This is true but it can't be said that these addresses have ever been visited, only that a route was plotted. The only way you can ever place a tomtom at any location is by it's 'journey origin' or its 'last gps fix'. This involves you interpreting a cfg file completely in order to find out what type each location is.

ReplyQuote
Posted : 08/11/2008 4:14 pm
Share: