Mobile App Forensics: Travel Apps

Introduction

What kinds of information can be found in applications such as Kayak and Google Trips? This project involves analyzing mobile travel apps installed on Android-based devices. Our goal is to analyze these applications using UFED Cellebrite in order to give forensic analysts good information on what to look for when extracting data from these applications.

Findings

Using UFED’s Cellebrite 4PC and Physical Analyzer, we found user-generated data in the internal storage of two phones and two tablets. Our team chose to use two Huawei H1511 Nexus 6Ps and two Nexus K009 7s. Each team member wiped their device, installed the travel app on it, and logged in to the app with their fake Gmail account. Each member then created a new trip from Burlington to Montreal for a particular date. We created Watchlists with flights, car rentals, etc.

After we generated data on the devices, we took Physical Extractions of each device. Most of the data we considered useful was in the form of .sql files (database files). Our team found that these database files contained information such as the airline company of the ticket we Watchlisted, the make, model, and price of the rental car we searched for, the user’s email and username, and the timestamps for trips created by the user.
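
One way to triage such database files on a working copy of the extraction, as an added example that is not part of the original project or of Cellebrite's tooling. It assumes the files are SQLite databases (the usual storage format for Android apps); the table names, column names and values in `build_sample` are constructed, not a real app's schema.

```python
import re
import sqlite3
from datetime import datetime, timezone
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every SQLite file
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def classify(value):
    """Return ('email'|'timestamp', display value), or None for other cells."""
    if isinstance(value, str) and EMAIL_RE.match(value):
        return "email", value
    if isinstance(value, int):
        secs = value // 1000 if value > 10**11 else value   # ms or s epoch
        if 1262304000 <= secs <= 2051222400:   # assumed window: 2010 to 2035
            return "timestamp", datetime.fromtimestamp(secs, timezone.utc).isoformat()

def triage(db_path, sample_rows=50):
    """List (table, column, kind, example) for columns worth an analyst's look."""
    path = Path(db_path).resolve()
    with open(path, "rb") as fh:
        if fh.read(16) != SQLITE_MAGIC:
            return []   # not SQLite, whatever the extension says
    con = sqlite3.connect(path.as_uri() + "?mode=ro", uri=True)   # read-only open
    hits = {}
    try:
        names = con.execute("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
        for (table,) in names.fetchall():
            quoted = '"' + table.replace('"', '""') + '"'
            cur = con.execute(f"SELECT * FROM {quoted} LIMIT ?", (sample_rows,))
            cols = [d[0] for d in cur.description]
            for row in cur:
                for col, val in zip(cols, row):
                    found = classify(val)
                    if found:
                        hits.setdefault((table, col), found)   # keep first example
    finally:
        con.close()
    return [(t, c, *f) for (t, c), f in hits.items()]

def build_sample(db_path):
    """Constructed stand-in for an extracted app database (not a real schema)."""
    con = sqlite3.connect(db_path)
    con.executescript(
        "CREATE TABLE account (email TEXT);"
        "INSERT INTO account VALUES ('lab.user@example.com');"
        "CREATE TABLE trips (title TEXT, created_ms INTEGER);"
        "INSERT INTO trips VALUES ('Burlington to Montreal', 1500000000000);")
    con.close()
```

Run `triage` against each candidate file exported from the extraction; files that fail the header check return an empty list instead of raising.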


Conclusion

For our next steps, we will be using UFED Cellebrite to analyze more applications such as Google Trips. Using the information extracted from Google Trips, we plan to take a closer look at which artifacts are important for forensic analysts when extracting data from these applications. Stay tuned for updates by checking out @champforensicslcdi on Instagram and @ChampForensics on Twitter!