The Wearable Tech team is trying to discover new ways to extract data from our devices. With the Apple Watch and Samsung Gear S2 having no physical connection, data extraction seems nearly impossible from these devices. Most of the data that has been retrieved thus far holds no significant forensic value, and can be obtained through the other mobile device it has been synced with. We have collected some Fitbit data that has potential forensic use, meaning investigators could potentially analyze an individual’s minute-by-minute actions to judge whether a person was physically active at a specific time.
Analysis of wearable tech progress
The Samsung Gear S2 has been a little more difficult to extract data from than we originally thought. Since the device could be linked to a wireless connection directly, we used ADB to extract data directly from the watch. However, when performing the pull, only 7 MB of the 2 GB on the device is being extracted. We have looked high and low for any information that might allow us to solve this problem, but so far we have had no luck. If anyone has any information on how to pull more data from the watch using SDB or any other method, please let us know.
Apple has proven that their security has increased with iOS 9.2. It has been a tough task to grab data that can be linked directly to the Apple Watch. Since the Apple Watch has its own space on the iCloud account that the iPhone is connected to, we attempted to use iLoot- an open-source tool written in python to extract iCloud data. However, at this time iLoot does not support watchOS or iOS 9.2. Until we have support for watchOS cloud extraction or a jailbreak for iOS 9.2, getting data significant to the Apple Watch will be extremely difficult, if not impossible.
The Fitbit parsing script is finished, and working, but not finalized. The script currently exports 9 different variables including calories burned and amount of time the user was lightly active, fairly active, and very active in minutes. The cool thing about this script is that it pulls data directly from Fitbit’s servers, so our previous method of using ADB to pull data from the Nexus 7 is no longer necessary. The tablet is still necessary to sync data from the Fitbit to Fitbit’s server, however.
With the semester about half way through, the team has picked up the pace on the search for forensic artifacts from these devices. We have also added the FitBit Surge to the project to try and grab location data from the newer Fitbit. For the Apple Watch and Samsung Gear S2, the end of the tunnel seems rather dim. However, we will continue to parse data and search for artifacts on these devices. Please contact the LCDI if you have any information regarding the extraction of data from these devices.