Digital Forensics Incident Response, Purdue, Technology

Forensic analysis of a Garmin Nuvi 1390

by  •  • 0 Comments

Abstract

A Garmin Nuvi 1390 was accessed using three different software methods; Cellebrite Physical Analyzer s FTK Imager, and Linux command line. All three methods are capable of producing an image of the device.

The device stores user favorites and location history. Location history stretching back to the beginning of the service life of this particular unit (approximately one year) was recovered. Old user favorites known to have been on the device at one time were not recovered. There is one primary file, Current.gpx, which contains the bulk of the data of interest.

 

Steps of the Process

Device Tested

A Garmin Nuvi 1390 was examined using several different tools in order to determine the location of recoverable information and to see if there were any tools more suited for the task than others.

The test device has been in use for approximately one year. Usage has not been heavy, perhaps once a month on average. The device has never had its memory manually cleared nor has it been reset to factory defaults.

Acquisition

Cellebrite Physical Analyser 3

The GPS unit was connected to the workstation with a mini USB cable. Physical Analyser software was started. “Extract GPS/Mass Storage Device” was selected from the “Extract” item on the tool bar.

Fig 1

Figure 1 Physical Analyzer Extraction Menu

A pop-up box will appear with a list of possible devices. The proper device is selected and then the “Start Button” is pressed. The software will then produce a file with a .bin extension. Opening the binary in a hex editor reveals a FAT 32 boot sector:

fig 2

Figure 2 Hex view of Physical Analyzer Output File

The file size appears to be consistent with the expected size of the memory dump. Random browsing through the file with a hex editor reveals the information found in the gpx file (to be discussed more fully later). It appears that Physical Analyzer software simply makes a straight copy of the data from the GPS unit and that this acquisition could be easily used by other tools to parse through the data.

FTK Imager

The GPS unit was connected to the workstation with a mini-USB cable. One can either add the device as an evidence item and then create an image all from the tool bar, or under the “File” menu item one can select the “Create Disk Image” option.

In either case, the GPS will show up as a physical drive that can be imaged as desired. For this test, an EO1 image was created using a “1” compression setting.

Fig 3

Figure 3 FTK File Menu

Fig 4

Figure 4 FTK Imager Drive Selection Showing Garmin GPS

Linux

The GPS unit appears as a drive under Linux (in this particular case it showed as /dev/sdj). It was mounted and the file system could be navigated. Complete images were not actually made since one had already been created using Imager; it was simply verified that the process would start.

Other

Some other attempts to retrieve data were made, however they were unsuccessful and will be discussed in the Issues and Problems sections.

Analysis

All three acquisitions appear to result in access to the same data. Unless otherwise noted, the following results can be obtained from any of the three successful tools.

The Garmin GPS presents as a FAT 32 file structure. The root directory contains 9 directories within it. Most of these directories contain various system data that are not of any particular evidentiary value: End User License Agreements, the text of various messages displayed on the unit in a number of different languages, etc.

Fig 5

Figure 5 Garmin File Structure (as seen in FTK Imager)

The primary file of interest resides in the GPX directory. It is named “Current.gpx.” This is an XML document that records data.

Recoverable data includes:

  • User Favorites
  • Device Locations

Data not recovered includes:

  • Destinations entered by the user, but not saved as favorites,
  • Searches for types of locations (for instance a search for nearby gas stations),
  • Old Favorites that have been replaced or deleted.

The Physical Analyzer software presents this in the easiest to use fashion. It parses and displays to location information and organizes it by trips. It will also present all activity on a timeline display if desired. It will show the folder structure of the drive, and one can even see a hex view of the memory dump (or specific files) if desired.

Fig 6

Figure 6 Physical Analyzer Display

 

While Physical Analyzer recovered some data, there were other pieces of information that were present on the device at one time that were not recovered.

During the device’s known use history, a “Favorite” waypoint was periodically created named “Target.” For the next trip, the old “Target” waypoint was removed from the Favorites list and the next one was entered. They Physical Analyzer software was only displaying the current “Target.”

The E01 image created with FTK Imager was processed in AD Lab for a more detailed analysis. The processing included indexing and data carving.

Once processing was completed, an index search of the image was done looking for the string “Target.” This is what led to the discovery of the importance of the Current.gpx file, but it did not reveal any data for the old “Target” waypoints.

It did demonstrate the existence of a second file of evidentiary interest. GarminDevice.tmp in the “Garmin” directory also contains some data. This data included a subset of the “Favorites” locations and a small number of waypoints.

With the GPS unit attached live to a Linux workstation, it was attempted to find data on the old “Target” waypoints using the “grep” command. This was not successful.

The Current.gpx file appears to contain all of the evidentiary data that was recovered. The beginning of the file contains file information such as the website for more information on this particular xml extension. Next came the waypoints that were listed in the user favorites. After that are a series of waypoints that comprise points the GPS has been at. These were organized into discrete trips. The tags are largely self-evident, but it was necessary to refer to the website to discover that the tag refers to elevation. Further information on the xml tags can be found at:

www.topografix.com/GPX/1/1/gpx.xsd

The graphic image files that AD Lab was able to recover were also examined. Interestingly, there were some graphic images that are known to have been displayed by the GPS unit that were not present in the acquired image file. For instance, while approaching one particular exit on the Interstate which could potentially be confusing, the GPS unit shows an actual picture of the exchange. This picture was not discovered in the image file.

Index searches were conducted for address known to have been entered into the GPS as destinations to travel to, but were not saved as a “Favorite.” No data relevant to those destinations was recovered.

Issues or Problems

 

Acquisition

The website Forensicsfromthesausagefactory.blogspot.com suggested another method for attempting to obtain data from the Garmin. This attempt was not successful. It should be noted that the device used in the website example was a Garmin Streetpilot C510, not a Nuvi 1390.

The methodology was essentially to put the GPS into diagnostic mode and connect to a piece of software galled G7toWin. (Note: the instructions on the website call for certain drivers to be downloaded and installed. The workstation used already had the drivers installed and this step was not performed.)

The device was successfully placed in diagnostic mode. This is accomplished by powering on the unit and holding a finger over the battery symbol for approximately 10 seconds. This process seems to be rather finicky and it took around half a dozen attempts before it was done successfully.

Fig 7

Figure 7 Screenshot of Garmin in Diagnostic Mode. Screenshot captured with XImage software.

 

The G7ToWin software was launched and the configuration changed to allow communication via USB. The software successfully saw the GPS unit and returned some basic unit information, but it did not return any useful user related data.

Fig 8

Figure 8 G7ToWin Configuration Screen

It would appear that the software is capable of downloading waypoints, favorites and other information. Of forensic interest, it also appears that this software is capable of uploading information to the unit as well. This was not attempted but the possibility should be kept in mind.

Extensive trouble shooting of the problem was not attempted. The software does not appear to be supported by its author anymore, so it could simply be a case that the GPS unit was to new for it.

It should also be noted that being in diagnostic mode appears to have prevented the Windows operating system from seeing the unit as a mass storage device.

Missing Data

As was discussed in the previous section of the report, there was some historical data that was known to have been on the device at one time but is no longer present.

It is reasonable to suppose that information such as the current destination of a trip or a search for a nearby gas station or restaurant might only be kept in volatile memory. While it would be nice from a forensic examiner’s point of view to have that information, there is no particular need from a device operational standpoint for it to have been stored to a more permanent location. The old “Favorites,” on the other hand, would have necessarily been stored in non-volatile memory at some point in time. But no reference to those address were found. There are only a limited number of explanations. Those include:

  • The device is designed to over-write the new Current.gpx file on exactly the same memory location as the old file.
  • By pure coincidence, it just so happens that on this particular device, that information happens to have been over-written.
  • What is being presented as a physical imaging by the GPS device is in fact only a logical image.

The missing old Favorites, combined with the missing photographic images that have been displayed begs the question as to whether there is not more memory physically on the device than is being accessed.

This hypothesis was tested by typing an obscure and uncommon street name into the index search. This returned no hits at all from the image. However, when it was typed into the GPS unit, the Garmin did successfully locate the street in question.

This could be explained by the existence of compressed data that is not be indexed. However, it is also possible that there is information that is not being captured by the imaging processes used so far.

Clearing History Untested

As this is device is currently in service, it was decided for various reasons not to manually clear the trip history to determine its recoverability. That would be a logical follow-on test to perform.

Conclusions

 

At least some memory can be easily acquired from a Garmin Nuvi. When connected to a computer, the GPS unit presents itself as a mass storage device that can be imaged using a variety of tools over a USB cable.

The device uses a FAT 32 file structure. There are a fairly limited number of locations of interest. These are the Current.gpx file in the GPX directory and the GarminDevice.tmp file in the Garmin directory.

The Current.gpx and GarminDevice.tmp files are XML documents that contain the user entered favorites and waypoints the GPS unit has been to. The GarminDevice.tmp file is much smaller and more incomplete than the Current.gpx file.

It is easy to obtain much of the relevant data that is currently still stored on the device. Old, deleted “Favorite” locations were not successfully recovered.

There seem to be indications that there may be memory or data that is not easily accessible through the simple means of connecting the device to a computer as a USB mass storage device.

 

Leave a Reply