Acquisition and Analysis
Faisal Talal Alaskandrani
Due Date: 14/03/2014
CNIT 58100 CFM
Under the direction of
Dr. Samuel Liles
Google Glass, developed by Google, is an embedded device running an Android operating system. The device is only available to a limited number of users for testing and development purposes. Google also provides a limited number of applications; however, the platform and development kit are available for owners and developers to explore the device. The device can be used to take photos, record videos, and listen to music. When paired with a phone, more capabilities become available to the user, such as searching the web, reading and sending emails, reading and sending text messages, and providing navigation directions via GPS. In this lab exercise a Google Glass device will be explored forensically to provide insight into the process of data acquisition and analysis.
The device has been physically acquired, will be imaged using the proper devices, and will then be forensically examined using appropriate tools. Evidence will be collected methodically for further use. Manufacturer manuals and other known forensically sound methods are used as general guidelines for the process.
Keywords: Google Glass, Digital Investigation, Forensic Evidence.
Glass Acquisition and Analysis
Steps of the process
After obtaining the proper legal documents for acquiring the Google Glass device in question, the device should be inspected immediately and different steps should be taken based on the status of the device:
- Powered on:
  - Seal in proper material to prevent connectivity and signals
  - Maintain battery and power
- Powered off:
  - Do not turn it on
  - Seal in proper material to prevent connectivity and signals
During this phase all outside information, such as device name, serial number, owner of the device, time of acquisition, location, investigator's name, and all chain-of-custody information, should be noted down and written on the transportation medium.
The device was identified as a Google Glass Explorer Edition and was inspected physically to note the inputs and outputs of the system. From Figure 1 the following were noted (Google Glass Team, 2013).
- A small glass display screen
- 5 MP camera, 720p video
- Wi-Fi 802.11b/g
- Side panel touch pad
- Bone conduction transducer
Reading more about the device's specifications and capabilities provides insight into the limits of those capabilities, and therefore the boundaries of the search and analysis. Google Glass has the following:
- A modified version of Android 4.0.4, known as Ice Cream Sandwich
- 1.20 GHz Texas Instruments OMAP 4430 CPU
- 2100 mAh battery
Applications & Tools
The following applications are used to forensically examine the device. The descriptions have been taken from the developers' websites and manuals.
FTK® Imager, “is a data preview and imaging tool that lets you quickly assess electronic evidence to determine if further analysis with a forensic tool such as AccessData® Forensic Toolkit® (FTK) is warranted. FTK Imager can also create perfect copies (forensic images) of computer data without making changes to the original evidence” (AccessData, 2012).
Autopsy®, “is an open source digital investigation tools (a.k.a. digital forensic tools) that run on Windows, Linux, OS X, and other Unix systems. They can be used to analyze disk images and perform in-depth analysis of file systems (such as NTFS, FAT, HFS+, Ext3, and UFS) and several volume system types” (SleuthKit, 2003).
Android SDK, "The Android SDK provides you the API libraries and developer tools necessary to build, test, and debug apps for Android" (Android, Na.).
SIFT 3.0 Beta, SANS Investigative Forensic Toolkit (SIFT) Workstation VM image (MantaRay, Na.).
Shattered, a script written to pull data out of Google Glass, the result of research done at Champlain College by Professor Jon Rajewski, Julie Desautels and Chapin Bryce (Bryce, Desautels, & Rajewski, 2013).
The device uses the Media Transfer Protocol (MTP), which limits access to the storage media in the device. MTP devices connected via USB cannot be imaged with FTK Imager or similar software. MTP exposes two folders, DCIM and Pictures. Pictures and videos are the only file types available, and they can easily be copied and investigated. However, deleted files are not shown and at this stage are not retrievable.
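Because an MTP copy is a logical file copy rather than a bit-for-bit image, the examiner has to establish integrity at the moment of copying. The script below is an added example written for this report, not code from Google, Champlain College or the Shattered project: it walks a copied DCIM/Pictures tree, records size, modification time, MD5 and SHA-256 for every file in a manifest, and re-verifies the tree later so any post-acquisition change shows up as "modified" or "missing". The case number, examiner name and the two sample files are constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read evidence files in 1 MiB pieces


def hash_file(path):
    """Return (md5, sha256) hex digests of one file."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def build_manifest(root, case_id, examiner):
    """Walk the copied DCIM/Pictures tree and record path, size, mtime and hashes.
    Directories and files are visited in sorted order so two runs over the
    same tree produce the same manifest."""
    files = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            md5, sha = hash_file(full)
            files.append({
                "path": os.path.relpath(full, root).replace(os.sep, "/"),
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "md5": md5,
                "sha256": sha,
            })
    return {
        "case_id": case_id,        # placeholder, not a real case number
        "examiner": examiner,
        "created_utc": datetime.now(timezone.utc).isoformat(),
        "files": files,
    }


def verify_manifest(root, manifest):
    """Re-hash every listed file; map path -> 'ok', 'modified' or 'missing'."""
    status = {}
    for entry in manifest["files"]:
        full = os.path.join(root, *entry["path"].split("/"))
        if not os.path.isfile(full):
            status[entry["path"]] = "missing"
            continue
        _, sha = hash_file(full)
        status[entry["path"]] = "ok" if sha == entry["sha256"] else "modified"
    return status


def demo():
    """Constructed sample tree standing in for an MTP copy of the Glass folders."""
    root = tempfile.mkdtemp(prefix="glass_mtp_")
    os.makedirs(os.path.join(root, "DCIM", "Camera"))
    os.makedirs(os.path.join(root, "Pictures"))
    with open(os.path.join(root, "DCIM", "Camera", "sample_photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 64 + b"\xff\xd9")  # JPEG-shaped bytes
    with open(os.path.join(root, "Pictures", "sample_shot.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)               # PNG-shaped bytes
    manifest = build_manifest(root, "CASE-PLACEHOLDER-001", "examiner name")
    with open(root + "_manifest.json", "w") as fh:  # stored beside, not inside, the copy
        json.dump(manifest, fh, indent=2)
    before = verify_manifest(root, manifest)
    # Simulate the evidence copy being altered after the manifest was taken
    with open(os.path.join(root, "Pictures", "sample_shot.png"), "ab") as fh:
        fh.write(b"tampered")
    after = verify_manifest(root, manifest)
    return manifest, before, after


if __name__ == "__main__":
    m, before, after = demo()
    print(json.dumps(m, indent=2))
    print("before:", before)
    print("after:", after)
```

Run the manifest step immediately after the MTP copy and keep the JSON with the chain-of-custody notes; the same verify step run before analysis proves the working copy still matches what was collected.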
Further investigation of the device and contact with Google confirmed that the device has only one partition, which includes the firmware, operating system, user settings and user files.
Nevertheless, if root access were available, the following steps could be used to acquire an image and pull information out of Google Glass.
1. Install VMware Workstation
2. Run SIFT 3.0 Beta
3. Install Android SDK
4. Install Java
5. Install Python
6. Download and run the Shattered script
7. Examine the script output for evidence and artifacts
The image acquired will provide information such as phone logs, duration of calls, contacts, images and videos taken, GPS inquiries, browser history, voice recordings and Wi-Fi connections. Paths and directions are shown in the table below (Investigation, 2014) (Desautels, 2014).
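Once a raw image of the single partition exists, deleted pictures can be recovered by carving, since the JPEG bytes usually remain on the media after the directory entry is gone. The following is an added example, not the Shattered script or any code from the cited projects, and it assumes only that the examiner has a raw image as a byte string. It carves JPEGs by walking the marker segments rather than by pairing the first start-of-image with the next end-of-image, and it builds a constructed sample image (a photo whose EXIF APP1 segment embeds a thumbnail JPEG, a truncated file, and a second small file) to show why the naive approach truncates the first file and glues the truncated one onto the next.

```python
SOI = b"\xff\xd8"          # start of image
EOI = b"\xff\xd9"          # end of image
SOI_SIG = SOI + b"\xff"    # SOI is always followed by another marker
SOS_PAYLOAD = b"\x01\x01\x00\x00\x3f\x00"  # minimal single-component SOS header


def carve_jpegs_naive(image):
    """First SOI to next EOI; shown only to expose its failure modes."""
    found, pos = [], 0
    while True:
        start = image.find(SOI_SIG, pos)
        if start < 0:
            break
        end = image.find(EOI, start + len(SOI_SIG))
        if end < 0:
            break
        found.append((start, image[start:end + 2]))
        pos = end + 2
    return found


def jpeg_end(image, start):
    """Walk the marker segments of a JPEG beginning at `start`.
    Length-prefixed segments (APPn, DQT, SOF, ...) are skipped whole, so an
    EXIF thumbnail embedded in APP1 cannot be mistaken for the end of the
    outer file. Returns the offset just past EOI, or None if the structure
    breaks (truncated or partly overwritten file)."""
    pos, n = start + 2, len(image)
    while pos + 4 <= n:
        if image[pos] != 0xFF:
            return None
        marker = image[pos + 1]
        if marker in (0xD8, 0xD9):
            return None                      # nested SOI / bare EOI: malformed
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                         # TEM / RSTn carry no length field
            continue
        seg_len = int.from_bytes(image[pos + 2:pos + 4], "big")
        if seg_len < 2:
            return None
        if marker == 0xDA:                   # SOS: entropy-coded data runs to EOI
            eoi = image.find(EOI, pos + 2 + seg_len)
            return None if eoi < 0 else eoi + 2
        pos += 2 + seg_len
    return None


def carve_jpegs(image):
    """Return (offset, bytes) for every structurally complete JPEG in `image`."""
    found, pos = [], 0
    while True:
        start = image.find(SOI_SIG, pos)
        if start < 0:
            break
        end = jpeg_end(image, start)
        if end is None:
            pos = start + 1                  # drop this candidate, keep scanning
            continue
        found.append((start, image[start:end]))
        pos = end
    return found


def _segment(marker, payload):
    """Build one length-prefixed JPEG marker segment (for the constructed sample)."""
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


def build_sample_image():
    """Constructed raw image, not a real Glass dump: zero padding, a photo whose
    EXIF APP1 holds an embedded thumbnail JPEG, a truncated JPEG with no EOI,
    and a second small JPEG. Returns the bytes, each part's offset, and the
    two intact files for comparison."""
    thumb = SOI + _segment(0xDA, SOS_PAYLOAD) + b"\x11\x22" + EOI
    photo = (SOI + _segment(0xE1, b"Exif\x00\x00" + thumb)
             + _segment(0xDB, b"\x00" + b"\x10" * 64)
             + _segment(0xDA, SOS_PAYLOAD) + b"\xab\xcd\xef\x00\xff\x00\x12" + EOI)
    truncated = SOI + _segment(0xE0, b"JFIF\x00\x01\x01") + b"\x00" * 20
    small = (SOI + _segment(0xDB, b"\x00" + b"\x20" * 64)
             + _segment(0xDA, SOS_PAYLOAD) + b"\x42" + EOI)
    parts = [(b"\x00" * 37, None), (photo, "photo"), (b"\x00" * 8, None),
             (truncated, "truncated"), (b"\x00" * 10, None),
             (small, "small"), (b"\x00" * 20, None)]
    image, offsets = b"", {}
    for blob, name in parts:
        if name:
            offsets[name] = len(image)
        image += blob
    return image, offsets, {"photo": photo, "small": small}


if __name__ == "__main__":
    img, off, intact = build_sample_image()
    print("naive        :", [(o, len(b)) for o, b in carve_jpegs_naive(img)])
    print("segment-aware:", [(o, len(b)) for o, b in carve_jpegs(img)])
    print("expected     :", off)
```

The segment walker deliberately skips the thumbnail inside APP1; if thumbnails are themselves of interest (they often survive when the full image has been overwritten), run the carver a second time over the APP1 payloads of the files it recovered. Carved files carry no filesystem name or timestamp, so they should be logged by image offset and hashed on recovery in the same way as the MTP copies.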
Issues or problems
Embedded devices are made to be user friendly and hassle free for the provider company. Therefore, limitations are put in place to restrict user capabilities, which in turn lowers the number of issues the company's support will need to deal with. Unfortunately, that also adds another layer of difficulty to properly and forensically analyzing such devices. Moreover, some forensic sciences are destructive in nature, and the evidence collected does not stay intact or the same after examination. At the edge of technology, that fact may come into play when dealing with embedded devices such as Google Glass.
Proper administrator privilege is important to access all files and sectors available. However, by finding a vulnerability that can be exploited, such privilege can be obtained temporarily or permanently. With root-level access on Google Glass all available information could easily be obtained and deleted images could be recovered. Without it, only a limited amount of information is available. In this lab I was faced with two choices: try exploiting the Android system to gain privilege, or root and unlock the device, which might delete evidence in the process. In conclusion, a strong background in Linux systems would be very helpful in order to interact with Google Glass and the Android OS.
AccessData. (2012, 03 21). User Guide. Retrieved 02 18, 2014, from AccessData: http://marketing.accessdata.com/acton/attachment/4390/f-000d/1/-/-/-/-/file.pdf
Android. (Na.). Get the Android SDK. Retrieved 03 14, 2014, from Android: https://developer.android.com/sdk/index.html
Bryce, C., Desautels, J., & Rajewski, J. (2013). Google Glass Forensics. Retrieved from Shattered: https://code.google.com/p/shattered/
Desautels, J. (2014, 01 19). Google Glass Forensics Timeline Project by Julie Desautels. Retrieved from Google Glass Timeline Forensics: http://desautelsja.blogspot.com/
Google Glass Team. (2013, 12 17). Tech specs. Retrieved 03 11, 2014, from Google Glass: https://support.google.com/glass/answer/3064128
Investigation, L. C. (2014, 02 19). Google Glass Forensics part 2. Retrieved 03 14, 2014, from Champlain College: http://computerforensicsblog.champlain.edu/2014/02/19/google-glass-forensics-part-2/
MantaRay. (Na.). Downloads. Retrieved 03 14, 2014, from MantaRay: http://mantarayforensics.com/downloads/
SleuthKit. (2003). Home. Retrieved 02 18, 2014, from SleuthKit: http://www.sleuthkit.org/index.php