Since its launch, Uber has become a popular alternative to taxi rides in many cities globally. As Uber is controlled through a mobile app, it only makes sense to add support for it in Magnet AXIOM and Magnet IEF. With the launch of AXIOM 1.0.4 and IEF 6.8.1, we’ve added support to parse data from the popular app to help identify any potential evidence stored on a user’s device.Why Uber should be on your radar
There have already been several investigations reported in the media involving Uber either directly or indirectly. One of the biggest cases in Michigan occurred in February where an Uber driver shot several people and picked up fares between locations (http://www.cnn.com/2016/02/21/us/michigan-kalamazoo-county-shooting-spree/).
Both iOS and Android store most of the Uber data in cache and LDB files located here:
Library\Application Support\com.ubercab.UberClient\19AE427F-5005-4970-A784-C864109E4659\00000X.ldb
Library\Application Support\com.ubercab.UberClient\Cache.db
And here:
data\data\com.ubercab\files\rider\0000XX.ldb
data\data\com.ubercab\cache\
The cache data stores information about trips and payment information while the LDB files store account info, profiles, and locations. On iOS, these LDB files store multiple binary plist files that can be read and carved out, whereas the Android ones are stored in a different format that we cannot currently decode. This means you will be able to recover trips and payments from both iOS and Android, but we will also recover the account info, profiles, and locations from iOS.
For further details on Magnet AXIOM support of Uber in forensic investigations, click here: https://www.magnetforensics.com/blog/magnet-axiom-adds-forensic-support-uber/
