The team has been making significant progress on our wearable technology project. All of the devices that were connected to our wearable devices have been imaged. The examination process is now under way and we are looking into finding key artifacts that are relevant to previous data generation or carry significant importance.
Analysis of wearable tech
The Samsung Galaxy S2 was successfully imaged using Cellebrite. Examination of the phone’s artifacts has yet to be done but will be completed in the following weeks. We are currently focusing our efforts on the Samsung Gear S2 watch, which was the main focus of the project. The Gear S2 was more difficult to image, as there is no physical connection port on the device. Instead, we had to perform a USB over WiFi task, which essentially breaks down to turning USB debugging on, finding the IP address of the network that the watch is connected to, and then connecting the computer to the same WiFi as the watch. All of the data was extracted through the command prompt of the computer and saved onto the machine itself for examination. It wasn’t the easiest option, but with the watch being so new, extraction capabilities were limited. There is still data on the watch, and we will be looking into how to extract that additional information in the following weeks.
Since the Apple Watch has no physical connection, the team made the decision to image the iPhone 5 that was connected to the Apple Watch. Using a Cellebrite Touch, we were able to extract data from the iPhone 5 and then used UFED Physical Analyzer 4.4 to view the extracted data. Thus far we have not gained much ground in finding significant forensic data from the Apple Watch. We have also imaged the iPhone 5 using the new Magnet Acquire software from Magnet Forensics. This image will be loaded into Internet Evidence Finder and examined. Currently, we are examining property list files (.plist) to see what data we can find. We have found Google Map data from the Apple Watch, but that is all we have been able to retrieve so far for this device. We are currently looking for alternate methods of retrieving information.
Fitbit has limited functionality without the use of a smartphone or tablet, so a Nexus 7 tablet was used to sync data to and from the Fitbit. We decided that the most fundamental data would reside on the Nexus tablet, not the Fitbit itself, and with this in mind, we rooted the Nexus 7 and extracted the data from the Fitbit application using the pull command from the Android Debug Bridge command tool. The application data was then imaged and examined in FTK 5.5. The analysis of the data is still in its early stages, but we were able to find a few interesting pieces of data, such as stride length while walking and running, along with height and weight. The team is unsure what units these values are in, as the data claims our examiner is 1752.0 undefined units tall.
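The pull-then-examine workflow described above can be paired with a hash manifest so the copy loaded into an analysis tool can later be shown to be unchanged. The script below is an added illustration, not the LCDI team's own commands; it assumes `adb` is on the PATH, that adbd on the rooted device runs as root so `/data/data` is readable, and that the examiner supplies the application's package name (the function names are hypothetical).

```shell
#!/bin/sh
# Added example: acquire one app's private data directory over adb and
# record SHA-256 hashes of every file for later integrity verification.

# Print "<sha256>  <relative path>" for every file under $1, sorted by path
# in the C locale so that two runs over identical trees give identical output.
hash_manifest() {
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z \
        | xargs -0 -r sha256sum )
}

# Re-hash the tree in $1 and compare with the saved manifest in $2.
# Succeeds only if no file was added, removed or modified.
# The manifest must be stored outside the tree it describes.
verify_manifest() {
    hash_manifest "$1" | cmp -s - "$2"
}

# $1 = package name (assumption: supplied by the examiner, for example after
#      reviewing the output of `adb shell pm list packages`)
# $2 = case directory on the examination machine
acquire_app_data() {
    mkdir -p "$2/data" || return 1
    # -a preserves file timestamps and modes from the device.
    adb pull -a "/data/data/$1" "$2/data/" || return 1
    hash_manifest "$2/data" > "$2/manifest.sha256" || return 1
    # Mark pulled files read-only to discourage accidental edits.
    find "$2/data" -type f -exec chmod a-w {} +
}

# Run an acquisition only when called as: script <package> <case-dir>
if [ "$#" -eq 2 ]; then
    acquire_app_data "$1" "$2"
fi
```

Running `verify_manifest <case-dir>/data <case-dir>/manifest.sha256` before and after analysis confirms that the working copy still matches what was pulled from the tablet.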
As we conducted our data generation over break, we have been afforded a significant gain in time for analysis of these devices. We will continue parsing through the data to see what we can locate. Keep watch for our next blog post, Wearable Technology Forensics Update 2, in the next few weeks, as we believe that our findings will be very interesting.
As always, if you have questions or comments about the project, you can leave a comment or contact the LCDI via Twitter @ChampForensics or via email at firstname.lastname@example.org. Don’t forget to like us on Facebook for the most recent updates!