The team has continued to make progress searching for forensic artifacts from the wearable technology devices. Data parsing for the Apple Watch from the iPhone has been completed, while the search for artifacts from the Samsung Gear S2 and newly added FitBit Surge continues. As we near the end of the semester, we find that forensic artifacts directly from these wearable devices are still difficult to locate.
Analysis of wearable technology
The team is currently waiting for an iOS 9.2 jailbreak or cloud extraction support for watchOS. As previously mentioned, the iCloud data extraction script, iLoot, does not support iOS 9.2 or watchOS. The team has received insight that this may be because CloudKit API may be used for cloud storage for iOS 9.2 and watchOS operating systems. Ultimately, if the team is unable to gain physical access to the data on the Apple Watch or gain access to the cloud storage for the watch, intercepting data in transmission may be of interest in continuing this project.
We have started collecting data with the Fitbit Surge over the past week; however, we have yet to fully analyze the data.The Fitbit Surge is the first model to have an onboard GPS, meaning the paired device does not need to be in range to use the GPS feature. The Surge collects other types of data that the Flex could not, such as heart rate. The heart rate data can already be analyzed using the current Fitbit extraction script, but we have yet to find location data from the Surge’s GPS. The GPS functionality was the primary reason that we decided to add the Fitbit Surge to the project. All GPS data is exported to the device it is connected to, so our next step is to extract the application data again to see if we can find any GPS data.
A second data pull was done on the Samsung Gear S2 over a private wireless network using Samsung’s Debug Bridge tool. This data pull yielded more data than the 7 MB from the previous pull, but the information received had no forensic value for the team to document. At this stage, we highly believe that without root access to the watch we will be unable to get any important data. With very little chatter on the internet about a root method for the Samsung Gear S2, the team is not expecting anything anytime soon. We still have information from the connected Samsung Galaxy S6 Edge to parse through; however, with the watch having 4GB of internal memory we do not believe that much data will reside on the cell phone.
Time is running out for the Wearable Technology project, but the team feels strongly that forensic artifacts can be found from these devices. As these devices gain popularity and further research is done, the forensic community should start seeing improved methods of data extraction from wearable devices.