The Forensic examination of Embedded device such Global Position System (GPS


By Tchatchoua Nkwenja Mathias 20081405

BSc (Hons) Forensic computing 30 April, 2009

This report is submitted in part of fulfillment of the requirements for degree of BSc (hons) Forensic computing

Declaration. This work has not previously been accepted in substance for my degree and is not being concurrently submitted in candidature for any degree. Signed ……………………………………… (Candidate) Date……………………………………….

Statement 1. This dissertation is being submitted in partial fulfilment of the requirements for the degree of “Your degree goes here” Signed ……………………………………… (Candidate) Date……………………………………….

Statement 2. This dissertation is the result of my own independent work, except where otherwise stated. Other sources are acknowledged by explicit reference to the bibliography section. Signed ……………………………………… (Candidate) Date……………………………………….

Statement 3. I hereby give consent for my dissertation, if accepted, to be available for photocopying and for inter library loan, and for the title and synopsis to be made available to outside organisations. Signed ……………………………………… (Candidate) Date……………………………………….


Declaration form…………………………………………………………………I Abstract…………………………………………………………………………..VI Acknowledgements………………………………………………………………VII

Chapter 1: Introduction………………………………………………………………………..1 1.2 Aim………………………………………………………………….1 1.3 Objective…………………………………………………………….1 1.4 Motivations………………………………………………………….1 1.5 The benefits of forensics examination of GPS satellite……………..2 1.5.1 Law Enforcement Officers………………………………….3 1.5.2 Prosecutors………………………………………………….3 1.5.3 Defence Lawyers…………………………………………....3 1.5.4 Employers…………………………………………………...3 1.5.5 Member of the Public……………………………………….4 1.6 The Project Plan…………………………………………………….4 1.7 Chapter Summary…………………………………………………...6 Chapter 2: The embedded system storage and GPS satellite navigation………6 2.1 Chapter Introduction……………………………………………….. 6 2.2 What is embedded device?.................................................................7 2.3 The memory of Embedded system………………………………….7 2.3.1 How does NOR memory works?............................................7 2.3.2 How does NAND memory Works…………………………..8 2.4 The understanding of Global Positioning System(GPS)…………..10 2.5 The early methods of Navigation…………………………………..11 2.6 The history of Global Positioning System – Transit……………….14 2.7 Different type of GPS receivers……………………………………17 2.7.1 Type One………………………………………………….. 17 2.7.2 Type Two…………………………………………………..17 2.7.3 Type Three…………………………………………………17 2.7.4 Type Four…………………………………………………..18 2.7.5 Type Five…………………………………………………..18 2.8 Automobile Navigation GPS features……………………………...18 2.9 Chapter Summary…………………………………………………..20


Chapter 3: Literature review of the forensics examination of embedded device…..21 3.1 3.2 3.3 3.4 3.5 3.6 3.7 3.8 3.9 3.10 Chapter Introduction……………………………………………………..21 Literature review…………………………………………………………21 The Global Positioning System (GPS) receivers………………………...22 The value of GPS receiver in forensic analysis………………………….23 Previous work done on forensic examination of GPS (TomTom one)…..23 Remarks on the acquisition of a GPS receiver Storage media……….......24 Files of forensics interest when analyzing TomTom one………………..24 Issues and limitation of TomTom one in forensic examination…………25 Identifying GPS fix location……………………………………………..25 Chapter Summary………………………………………………………..26

Chapter 4: The policies and procedures of carrying out forensics examination…..26 4.1 4.2 4.3 4.4 Chapter Introduction…………………………………………………….26 The Policies and procedure……………………………………………...26 Equipment in a basic forensics kit………………………………………27 The methodology of carrying out forensics examination………………..29 4.4.1 4.4.2 4.4.3 4.4.4 4.5 Collection………………………………………………………..29 Preservation………………………………………………………29 Analysis or Filtering……………………………………………..29 Presentation………………………………………………………30

Principles of digital evidences as prescribe by (ACPO)…………………30 4.5.1 4.5.2 4.5.3 4.5.4 Principle One…………………………………………………….30 Principle Two…………………………………………………….30 Principle Three…………………………………………………..30 Principle Four…………………………………………………….31


Methodology of forensics investigation of embedded device such as GPS Receivers…………………………………………………………………31


GPS receiver’s storage media……………………………………………32

IV 4.8 4.9 The Acquisition of an SD Card…………………………………………..33 Chapter Summary………………………………………………………..35

Chapter 5: The trend of GPS navigation system receiver and a case study.....……36 5.1 5.2 5.3 Chapter Introduction…………………………………………………….36 The trend of GPS navigation system……………………………………36 The imaging methodology………………………………………………37 5.3.1 5.3.2 5.4 The bit stream image…………………………………………....38 Verification of imaging and the hash value……………………..39

Case study: Forensic Examination of GPS receiver such as TomTom One device……………………........................................................................39

5.5 5.6 5.7 5.8 5.9

The tools use for imaging GPS receivers devices……………………….40 Live bootable CD ROM…………………………………………………40 Getting Helix bootable CD ROM………………………………………..41 Methodology of imaging TomTom one GPS receiver…………………..43 Identification of the source and destination drive………………………..44 5.9.1 5.9.2 5.9.3 5.9.4 5.9.5 Starting Adepto………………………………………………......45 Device Info……………………………………………………….46 The Acquiring Tab……………………………………………….47 The log Tab………………………………………………………48 The Chain of Custody …………………………………………...49


Chapter Summary……………………………………………………......49

Chapter 6: The Analysis of Image TomTom one receiver………………………….50 6.1 6.2 6.3 6.4 6.5 Chapter Introduction……………………………………………………50 The analysis of the bit stream image of TomTom One…………………50 The importance of using TomTology in analysis TomTom devices……51 Deleted space on a TomTom device…………………………………….52 Methodology of using TomTology in analysis………………………….53 6.5.1 6.5.2 Files of forensic interest to be analyzed…………………………56 Live CFG data files……………………………………………...57

V 6.5.3 6.5.4 6.5.5 6.5.6 6.5.7 6.5.8 6.5.9 The CFG data files………………………………………………57 Viewing the Address or location in Google Earth……………….58 The GPS fix and the last Journey………………………………..59 The Orphaned Location………………………………………….61 Phone numbers and messages stored in TomTom device……….62 The User ‘s information………………………………………….63 Production of a report…………………………………………....63

6.5.10 Type of report desired……………………………………………64 6.5.11 Information gathered from analyzing TomTom One image……..65 6.6 Chapter Summary………………………………………………………..65

Chapter 7: Evaluation of the experimental process and Reflection………………...66 7.1 7.2 7.3 7.4 7.5 7.6 Chapter Introduction…………………………………………………….66 Evaluation of the experimental process…………………………………66 Imaging process of the TomTom one device……………………………66 Analysis of TomTom one image with TomTology software……………67 The latitude and longitude of a location…………………………………68 Reflection on the whole process…………………………………………68 7.6.1 7.6.2 The scope of the work……………………………………………68 The TomTology Software………………………………………..70

Chapter 8: Conclusion………………………………………………………………….71


References and Bibliography…………………………………………………………78


Embedded devices are some combinations of computer hardware’s and software’s which are either fixed in their capabilities or programmable. They are specifically designed for particular types of application devices. Examples are Global Positioning System (GPS), Personal Digital Agenda (PDA), Mobile phone etc. these embedded devices use flash memory storage technology for storage, and their storage capacity is now a days very large in such a way that data and information can be stored without any fundamental problem of physical lack of space. The GPS is used to track the geographical position of any object or person found on earth in a particular point in time. This GPS navigation are now been used in cars, aeroplanes, ships and military vehicle. The GPS receivers communicate with the satellites in order to do the tracking of the routes. There is actually, not much work done in the area of GPS forensics but this project has been done to bring out the process and technique to forensically investigate, a GPS satellite such as GPS receiver. The basic process that should be followed, when carrying out a forensic investigation of GPS should include the guide lines of the Association of Chief Police Officers, rules and principles of digital forensic. The feasibility of the processes and the eventual problems of investigating a GPS receiver have been highlighted in the report. A case study have been carry out bearing, in mine the basic fundamentals in carrying out a digital investigation from seizure to report writing in a way that will be admissible in a court of law. This is done following the golden rules of digital investigation that is by carry out a bit stream image of what the potential evidence is and also calculating the hash value in order to maintain the integrity of the evidence. The conclusion is the summary of the processes and the result of the digital investigation of GPS receiver, the problems encountered during these processes and the eventual recommendations that could be used in order to mitigate the problem arising from the experiment.


In life we hardly ever go it alone. The same holds true when taking on writing a project such as forensic examination of embedded device in Global Positioning System (GPS). I would like to thank all those who have help me from start to finish of this project. First, thanks go to my supervisor Dr Torbjorn Dahl, for his relentless effort in various forms of guidance, knowledge and moral support during my entire difficult period of writing this project. My appreciation goes to Dr. Stilianos Vidalis for all his advice and knowledge given to me since I did embark upon this project. I would like to specifically call attention to and thank Senior lecturer Angharad Jones for her support and mentoring me over the years. This project could not have been realised without your vast cumulative knowledge. Mr. Andy Sayers deserves special recognition for his extensive knowledge of Global Positioning System investigation and his exacting standards, your advice and TomTology software have helped me to arrive at a fabulous conclusion about the forensic investigation of GPS receivers such as TomTom. Angeline Mpetchaqouo Nyabia, dedicated and delicate wife. This project will not have come to fruition without you. I could count on your support and enjoy the joy of have you like marry. This project is the fruit of the sacrifices which you authorised. With my daughter, Tasiane loris Tchatchoua, for this thesis my presence near you was not possible all the time. But I love you more than you can imagine. My sister, Rose Tapet, for her moral and financial support. May the lord almighty bless you to continue in that spirit. And to the rest of my families and friends, who have supported me in one way or the other to see that this project comes to completion.

Thank you


1. Chapter One

1.1 Introduction

This chapter is defining the boundaries of the project. It basically shapes the project in giving a clearer picture of the aim and objectives of the project. It also gives us a run down of my motivations of writing the project and how significant such a project is vital in our society of today and in the future. It finally out line the project plans from start to finished.

1.2 Aim: The aim of this project is to investigate the feasibility of a methodology for forensically examine an embedded device such as Global Positioning System receivers.

1.3 Objectives: The objectives of this project are: a) Investigate the states of the art regarding forensics investigation methodology of an embedded device such as GPS receiver. b) To make a research on classification of Global Positioning System (GPS) c) Develop a methodology for forensically examine satellite navigation d) Evaluating the aforementioned methodology through a series of experiments using different models of GPS

1.4 Motivations

The field of digital forensics has long been centered on traditional media like hard drive. Being the most common digital storage device in distribution it is easy to see how they have become a primary point of evidence. However, as technology brings digital storage to be more and more of larger storage capacity, forensic examiners have needed to prepare for a change in what types of devices hold a digital fingerprint. Cell phones, GPS receiver and PDA (Personal Digital Assistant) devices are so common that they have become standard in today’s digital examinations. These small devices carry a large

2 burden for the forensic examiner, with different handling rules from scene to lab and with the type of data being as diverse as the suspects they come from. Handheld devices are rooted in their own operating systems, file systems, file formats, and methods of communication. Dealing with this creates unique problems for examiners. Performing a forensic examination on a GPS receiver takes special software and special knowledge of the way these devices work, as well as where possible evidence could be stored. Having a basis of knowledge to build on in order to start adding these types of devices into your forensic examination will help us not only be more comprehensive in our methods, but also gain new insight to our suspect. Since the GPS receivers have been ubiquitous and more prevalent in the commission of crime, it is worth while to understand how these devices work forensically. The GPS receiver has proved to be excellent in tracing position world wide and provide evidentiary data if the following areas are examined: Track logs, Track points, Routes store locations, Home, Office, favorite, Call Logs, (miss, Dialed, received calls) and incoming and outgoing text messages. In some GPS receivers we can also have video, photos and Audio. If all the above mention point are examine forensically, a good deal of information will be harvested which could be used as an irrefutable evidence in a court of law. Due to the fact that today’s technology is advancing rapidly and when it comes to embedded devices, it’s even growing quicker especially in their capacities and in their use. The common forensic investigation of digital evidence is always about desktop and laptop in a couple of years ago. Nowadays embedded devices such as Global Positioning System or Satellite Navigation, Personal Digital Assistant (PDA), or smart phones has a much processing power as would have held a normal desktop computer in a couple of year ago. With those amazing embedded devices, their storage capacities are phenomenon and keep increasing even though these digital devices are getting ultra light in weight. Handheld or embedded devices are rooted in their own operating systems, file systems, file formats and methods of communication. Dealing with this creates unique problems for examiners. Performing a forensic examination on a Satellite Navigator like GPS, cell phone or PDA takes special software and special knowledge of the way these devices work, as well as where possible evidence could be stored. Having a basis of knowledge to build on in order to start adding these types of devices into your forensic examination will help us not only be more

3 comprehensive in our methods, but also gain new insight to our suspect. They are the only devices that the suspect can have with them at all times based on their size, and they have immediate access to them because they have immediate boot cycle devices. In addition, these are the devices that typically hold all our dirty little secrets with colorful pictures and descriptive text messages. The information ranged from complete address books, work related e-mails, to pictures that were of intimate moments.

1.5 The benefits of forensics examination of Global position system or Satellite navigation The obvious benefits of the service of an examination of Satellite navigation are law enforcement officers, prosecutors, defense lawyers, employers and members of the public. 1.5.1 Law Enforcement Officers: The police or other law enforcement agencies may be able to exactly pinpoint the position of an accused person if that person used a Satellite Navigation system. If an accused person states that he was in one place, but his car Satellite Navigation system states that at the time that the vehicle was 200 miles away, the information given adds to the intelligence that the law enforcement agency has against the accused, or is even enough to charge the said accused person. 1.5.2 Prosecutors: The prosecutors often work alongside the law enforcement agencies, and as such will use the information gained in Satellite Navigation forensics in the same way. 1.5.3 Defense Lawyers: Defense lawyers are there to examine any and all evidence and try and pick flaws in it. If a law enforcement agency has not yet examined the Satellite Navigation system, the evidence produced may well be enough to have the accused proved innocent or cast doubt over his guilt. It is this reason that the more and more defense lawyers are turning to Satellite Navigation Forensics. 1.5.4 Employers: Subject to the company handbook, the employees’ contract, and the company acceptable usage policy, (AUP), the employer may have the right to examine the Satellite Navigation systems of its mobile employees. This service is

4 being used as employees want to know that their staff are indeed using their working hours efficiently. They may also use this service if they believe that the employee is not being as honest with their work details as they perhaps should. 1.5.5 Members of the Public: In rare instances, a parent may want to check that a child has been where the child states they are going. There may be a history of drug abuse, of unsafe relationships, and using the Satellite Navigation system in their car, they would be able to get a true idea of whether or not the person in question has indeed been where they said they had. The same is true of a husband who suspects that his wife or partner is having an affair. It may seem that this service is taking a rather Big Brother approach, but if the relationship is about to fail, there is often hundreds of thousands of pounds at stake. This evidence would be used by a judge to associate blame to one party, and therefore a larger percentage of the partnership equity may be give to the 'innocent' partner. The embedded devices can carry some of the most crucial pieces of evidence in forensic examination. The digital fingerprint on a handheld device is much larger than most assume. So now that we know how important a device can be in forensic processing, it is important to have a good understanding of how handheld forensics works. From the above mentioned summaries, I am going to investigate the feasibility of a methodology for forensically examining embedded devices, such as Global positioning System (GPS) receiver.

1.6 The project plan

The scope of this project will be broken down into chapters and sections. The first chapter will be on the introduction of the project, which will talk basically on the aim, objectives and motivation of carrying out this project. This section will also cover the benefit of carrying out forensics examination of embedded devices such as GPS.

The second chapter will be talking on the understanding of embedded device and the functionality of there storage medium. The storage media of GPS receivers and the file

5 system. The different types of GPS receivers, it features and the popular model in used today.

The Third chapter will be on the literature review of the project and its limitation. It will point out what others have carry out when it comes to investigation of a GPS receiver and the possible challenges that have emerge during their investigation.

The fourth chapter will discuss the rules and principles of computer forensics examination as regard to the guideline of the Association of the chief Police Officers. The methodology of forensically examine GPS receiver and it limitations. It will also talk on the tools use for forensically examine GPS receivers.

The Chapter five will be on a case study, which will be like an experiment to carry out a forensic examination of a GPS receiver such as Garmin or Tom-Tom from seizure to report writing. This chapter will also elaborate on the methodology of carry out this experiment and finally it will talk on acquisition and Analysis of the experiment.

The chapter six discusses the process and evidence found, when the bit stream image of TomTom one was analysis with the used of TomTology. It brings out the importance of TomTology software in the analysis of TomTom devices and also point out the areas of the devices that the information of evidential value can be seen. It finally conclusion by bringing out some of the evidence found in the TomTom one device that has been analysis as a case study in this project.

The chapter seven deals with the evaluation of the technology used in forensically examines TomTom devices. It point out the imaging process and the analysis process with the use of the different software tools. It also talks on my reflection about the TomTology software that has been used for the analysis and also suggests the possible ways of carrying out the experiment with the software in other to make it more robust and user friendly

6 The last chapter will be on conclusion, which deals basically on the discussion about the whole process and learning in general. Observations during the experimental phase of examining the GPS receiver, it short coming and it limitations, and finally possible solutions from my observation and opinion.

1.7 Chapter summary

The forensic examination of embed devices such a GPS can have a significant contribution in solving a criminal or civil case, when it comes to digital evidence. It is very import to mention that due to the ubiquity of GPS receiver, the payoff of using it as an instrument of crime will never be negligible. The benefits will always satisfy the entire society that is ranging from Law enforcement officers to common member of the public. Thus a good grip of understanding of how this forensics process can be used to track down a potential criminal who has used an embedded device such as GPS to commit a crime or an instrument of a crime is paramount. This chapter simple give us a good understanding of how and why this process is being carried out.

Chapter Two 2. The embedded system storage and types of GPS satellite navigation 2.1 Chapter introduction

The embedded system has apparently a different type of forensics investigation procedure as opposed to the normal forensic examination of a hard disk. Most of the embedded devices use the Flash memory technology in data storage. The existence of global navigation system and its early method of navigation are well discussed. The history of the global positioning system and the different type of GPS receiver is well elaborated in this chapter, and narrowly stream down to the automobile Navigation GPS

7 2.2 What is embedded device?

According to, an embedded system is some combination of computer hardware and software, either fixed in its capability or programmable. It is specifically designed for a particular type of application device. The impact of this design in forensics is dramatic because the tools the examiner uses must understand not only the operating system on the device that chooses how the data is stored, but also the design of the device to the chip set level to gauge how much storage is available on the device. The forensics tool used must understand how to communicate with the device in order to gain access at a low enough level to acquire all data available on that device for evaluation. (AMBER, S. 2007)

2.3 The Memory of Embedded system

The embedded devices use the Flash memory technology. Flash is an extension of the floating gate method of manufacturing non-volatile memory. There are two kinds of flash memory namely the NOR and NAND. These two terms are names of types of logic gates, the negated OR function and the negated AND function. There is a big difference between the type of architecture, the NAND has a significantly die size than does the NOR. This translates to significant cost savings. NAND does not behave as other memory while NOR, SRAM, DRAM are random access devices. The RAM means Random Access Memory. The NAND is part random and part serial. Once an address is given to the device, there is a long pause, then that address and several adjacent addresses’ data come out in a burst like a machine gun. The life time of a flash memory is measured as being 100,000 erases per block. (THOMAS, M. 2008)

2.3.1 How Does NOR Memory Work?

8 The picture of a classroom analogy is best describe how the NOR memory works. Let’s assume that, it is picture of a class where there is space around all the desks. Each of the desks will represent a bit of transistor in the memory, with the student representing the data. The teacher represents the system interface that handles the data transaction between the rest of the system and the memory bits. Let’s assume that there are fourteen column labelled (A to N Desks) and five rows labelled (one to five). In this example there are fourteen columns and five rows giving seventy students all in total. Most memories are designed similar to this class room. There are rows and columns, and word lines to tell the memory bits which row is being requested and bit lines to access a column within that row.

When a memory bit is requested, it is similar to the teacher calling a student to the front of the room. Let’s say the teacher in this example called for student B3 to come to the front of the room. That student will simply walk from the aisle to go to the teacher’s desk. All students could get to the teacher desk about the same amount of time, and it would not take very long to get there. This is very similar to the way that a NOR memory works. All data can be accessed rapidly, and all accesses take about the same amount of time. Data can be requested form individual locations in a completely random sequence. (THOMAS, M. 2008. 79 - 83)

2.3.2 How does NAND Memory work?

Let’s continue our analogy from the NOR memory’s classroom. Let’s say that some cost cutting measures were implemented by this school. The administration found that they could sell one of their building if the use their existing buildings more efficiently. Their plan is to shrink the size of each classroom, which they can do if they push all the desks up against each other, with the desks on one side of the classroom pushed right against the wall. There will be some significant saving of space by taking this approach. When the teacher calls for student B3 to the front of the room, due to congestion f all the desks together in one row, all the student in B3’s row must get up and walk to the front of the room in a line. There is simple not enough space for them to it in any other way. Once the

9 row is in front then, then B3 or C3 or N3 or any of these students can get to the teacher rapidly. But none of these students can reach the front of the room until all the students blocking the way have gone to the front.

This is similar to the way NAND is laid out. Just as the students share a single aisle at the far side of the classroom, many bits in NAND share a bit line, dramatically reducing the amount of space used on the NAND die to move data back and forth to the bit transistors. Like the classroom analogy, NAND takes a longer time to get a memory bit (a student) that is randomly called to the rest of the system ( the front of the class). Once that bit line’s data is ready (the student’s row is in the front) then data from that word line can be presented to the system at a rapid fire rate (just as every student in that row can get to the teacher’s desk very quickly). From these analogies, it is crystal clear that NAND is less expensive to manufacture than NOR, since the manufacturing cost of silicon chip is a function of its size. The NOR seems easier to use but the NAND is better fit than the NOR in applications where serial accesses are preferred to random accesses. A good example is the Video and audio streaming where serial access is preferable to random. (THOMAS, M. 2008. PP. 79 - 83)

The NOR is mostly used for code storage and the NAND for data storage. This means that the end user will continually be erasing and rewriting the data in the NAND. The erase and write cycles in the NAND is said to be 100, 000 times. Most of the embedded devices normally use the NAND technology in storing data. Some of the flash memory formats are the PCMCIA card, Compact Flash, Memory Sticks, Secure Digital (SD) cards, multi media card etc.

An excellent example will be our GPS receivers. These devices use processor as one of the main components on the device. This processor would determine the true capacity of the ROM (Read Only Memory) section of the device. The Operating System (OS) would see a size that was reflected as smaller than what was actually writable to the device by the processor. The processor would set the size of memory allocation for the operating system to see, when in fact the device had more usable space that could be used by the

10 savvy user. For the forensic examiner, it was crucial they used tools that would be able to communicate to the processor itself as opposed to the OS on the device in order to get all the potential evidence from the unit. The embedded nature of the device is what causes the extra steps to go into effect with the forensic processing. Some examples of embedded devices are the GPS receiver, Smart phone, Personal digital Assistant (PDA) etc.

2.4 The understanding of Global Positioning System

The Global Positioning System (GPS) was invented in order to geographically position any object or person found on earth in a particular point in time. Airplanes and ships have been using it in order to display through out their journey on a video screen in the passenger cabin and their travelling trajectory. These same GPS is found today in cars and mobile phone simply for the reason of displaying your position on a map and given you verbal and writing messages like “the name of the street, the turn to take and arrival at your destination. This remarkable navigation capability is made possible by the Global Positioning System. This system was originally designed jointly by the U.S Navy and the U.S Air Force to permit the determination of position and time for military troop and guided missiles. But however, it has also become the basis for position and time measurement by scientific laboratories and a wide spectrum of applications in a multi – billion dollar commercial industry. Roughly one million receivers are manufactured each year and the total GPS market is expected to approach ten billion dollar by the end of next year. (ROBERT, A. 1999)


GPS Satellite Photo courtesy US Department of Defense

2.5 The early Methods of Navigation

The shape and size of the earth has been known from the time of antiquity. People have been educated about the spherical nature of the earth as far back as the fourth century BC. Aristotle gave two scientifically correct arguments in his book name “On the Heavens”. Firstly, the shadow of the earth projected on the moon during a lunar eclipse appears to be curved and secondly, the elevations of stars change as one travels north or south, while certain stars visible in Egypt cannot be seen at all from Greece. The actual radius of the earth was determined within one percent by Eratosthenes in about 230 BC. He knew that the sun was directly overhead at noon on the summer solstice in Syene (Aswan, Egypt), since on that day it illuminated the water of a deep well. At the same time, he measured the length of the shadow cast by a column on the grounds of the library at Alexandria, which was nearly due north. The distance between Alexandria and Syene had been well established by professional runners and camel caravans. Thus Eratosthenes was able to compute the earth’s radius from the difference in latitude that he inferred from his measurement. In terms of modern units of length, he arrived at the figure of about 6400

12 km. By comparison, the actual mean radius is 6371 km (the earth is not precisely spherical, as the polar radius is 21 km less than the equatorial radius of 6378 km). The ability to determine one’s position on the earth was the next major problem to be addressed. In the second century, AD the Greek astronomer Claudius Ptolemy prepared a geographical atlas, in which he estimated the latitude and longitude of principal cities of the Mediterranean world. Ptolemy is most famous, however, for his geocentric theory of planetary motion, which was the basis for astronomical catalogs until Nicholas Copernicus published his heliocentric theory in 1543. (ROBERT, A. 1999)

Historically, methods of navigation over the earth's surface have involved the angular measurement of star positions to determine latitude. The latitude of one’s position is equal to the elevation of the pole star. The position of the pole star on the celestial sphere is only temporary, however, due to precession of the earth's axis of rotation through a circle of radius 23.5 over a period of 26,000 years. At the time of Julius Caesar, there was no star sufficiently close to the north celestial pole to be called a pole star. In 13,000 years, the star Vega will be near the pole. It is perhaps not a coincidence that mariners did not venture far from visible land until the era of Christopher Columbus, when true north could be determined using the star we now call Polaris. Even then the star’s diurnal rotation caused an apparent variation of the compass needle. Polaris in 1492 described a radius of about 3.5 about the celestial pole, compared to 1 today. At sea, however, Columbus and his contemporary have depended primarily on the mariner’s compass and dead reckoning. The determination of longitude was much more difficult. Longitude is obtained astronomically from the difference between the observed time of a celestial event, such as an eclipse, and the corresponding time tabulated for a reference location. For each hour of difference in time, the difference in longitude is 15 degrees. (ROBERT, A. 1999) Columbus himself attempted to estimate his longitude on his fourth voyage to the New World by observing the time of a lunar eclipse as seen from the harbor of Santa Gloria in Jamaica on February 29, 1504. In his distinguished biography Admiral of the Ocean Sea, Samuel Eliot Morrison states that Columbus measured the duration of the eclipse with an

13 hour-glass and determined his position as seven hours and fifteen minutes west of Cadiz, Spain, according to the predicted eclipse time in an almanac, he carried aboard his ship. Over the preceding year, while his ship was marooned in the harbor, Columbus had determined the latitude of Santa Gloria by numerous observations of the pole star. He made out his latitude to be 18, which was in error by less than half a degree and was one of the best recorded observations of latitude in the early sixteenth century, but his estimated longitude was off by some 38 degrees. Columbus also made legendary use of this eclipse by threatening the natives with the disfavor of God, as indicated by a portent from Heaven, if they did not bring desperately needed provisions to his men. When the eclipse arrived as predicted, the natives pleaded for the Admiral’s intervention, promising to furnish all the food that was needed. New knowledge of the universe was revealed by Galileo Galilei in his book The Starry Messenger. This book, published in Venice in 1610, reported the telescopic discoveries of hundreds of new stars, the craters on the moon, the phases of Venus, the rings of Saturn, sunspots, and the four inner satellites of Jupiter. Galileo suggested using the eclipses of Jupiter’s satellites as a celestial clock for the practical determination of longitude, but the calculation of an accurate ephemeris and the difficulty of observing the satellites from the deck of a rolling ship prevented use of this method at sea. Nevertheless, James Bradley, the third Astronomer Royal of England, successfully applied the technique in 1726 to determine the longitudes of Lisbon and New York with considerable accuracy. In the twentieth century, with the development of radio transmitters, another class of navigation aids was created using terrestrial radio beacons, including Loran and Omega. Finally, the technology of artificial satellites made possible navigation and position determination using line of sight signals involving the measurement of Doppler shift or phase difference. (ROBERT, A. 1999)

14 2.6 The history of Global Positioning System - Transit Transit, the Navy Navigation Satellite System, was conceived in the late 1950s and deployed in the mid-1960s. It was finally retired in 1996 after nearly 33 years of service. The Transit system was developed because of the need to provide accurate navigation data for Polaris missile submarines. As related in an historical perspective by Bradford Parkinson, et al. in the journal Navigation (Spring 1995), the concept was suggested by the predictable but dramatic Doppler frequency shifts from the first Sputnik satellite, launched by the Soviet Union in October, 1957. The Doppler-shifted signals enabled a determination of the orbit using data recorded at one site during a single pass of the satellite. Conversely, if a satellite's orbit were already known, a radio receiver's position could be determined from the same Doppler measurements. The Transit system was composed of six satellites in nearly circular, polar orbits at an altitude of 1075 km. The period of revolution was 107 minutes. The system employed essentially the same Doppler data used to track the Sputnik satellite. However, the orbits of the Transit satellites were precisely determined by tracking them at widely spaced fixed sites. Under favorable conditions, the “rms” accuracy was 35 to 100 meters. The main problem with Transit was the large gaps in coverage. Users had to interpolate their positions between passes. The success of Transit stimulated both the U.S. Navy and the U.S. Air Force to investigate more advanced versions of a space-based navigation system with enhanced capabilities. Recognizing the need for a combined effort, the Deputy Secretary of Defense established a Joint Program Office in 1973. The NAVSTAR Global Positioning System (GPS) was thus created. In contrast to Transit, GPS provides continuous coverage. Also, rather than Doppler shift, satellite range is determined from phase difference. There are two types of observables. One is pseudo range, which is the offset between a pseudorandom noise (PRN) coded signal from the satellite and a replica code generated in the user’s receiver, multiplied by the speed of light. The other is accumulated delta range (ADR), which is a measure of carrier phase. The determination of position may be described as the process of triangulation using the measured range between the user and four or more satellites. The ranges are inferred from the time of propagation of the satellite signals. Four satellites are required to determine the three

15 coordinates of position and time. The time is involved in the correction to the receiver clock and is ultimately eliminated from the measurement of position. High precision is made possible through the use of atomic clocks carried on-board the satellites. Each satellite has two cesium clocks and two rubidium clocks, which maintain time with a precision of a few parts in 1013 or 1014 over a few hours, or better than 10 nanoseconds. In terms of the distance traversed by an electromagnetic signal at the speed of light, each nanosecond corresponds to about 30 centimeters. Thus the precision of GPS clocks permits a real time measurement of distance to within a few meters. With post-processed carrier phase measurements, a precision of a few centimeters can be achieved. The design of the GPS constellation had the fundamental requirement that at least four satellites must be visible at all times from any point on earth. The tradeoffs included visibility, the need to pass over the ground control stations in the United States, cost, and sparing efficiency. (ROBERT, A. 1999)

The orbital configuration approved in 1973 was a total of 24 satellites, consisting of 8 satellites plus one spare in each of three equally spaced orbital planes. The orbital radius was 26,562 km, corresponding to a period of revolution of 12 sidereal hours, with repeating ground traces. Each satellite arrived over a given point four minutes earlier each day. A common orbital inclination of 63 was selected to maximize the on-orbit payload mass with launches from the Western Test Range. This configuration ensured between 6 and 11 satellites in view at any time. As envisioned ten years later, the inclination was reduced to 55 and the number of planes was increased to six. The constellation would consist of 18 primary satellites, which represents the absolute minimum number of satellites required to provide continuous global coverage with at least four satellites in view at any point on the earth. In addition, there would be 3 onorbit spares. The operational system, as presently deployed, consists of 21 primary satellites and 3 on-orbit spares, comprising four satellites in each of six orbital planes. Each orbital plane is inclined at 55. This constellation improves on the “18 plus 3” satellite constellation by more fully integrating the three active spares. (ROBERT, A. 1999)

16 The Global Positioning System (GPS) is a U.S. space-based radio navigation system that provides reliable positioning, navigation, and timing services to civilian users on a continuous worldwide basis -- freely available to all. For anyone with a GPS receiver, the system will provide location and time. GPS provides accurate location and time information for an unlimited number of people in all weather, day and night, anywhere in the world. The GPS is made up of three parts: satellites orbiting the Earth; control and monitoring stations on Earth; and the GPS receivers owned by users. GPS satellites broadcast signals from space that are picked up and identified by GPS receivers. Each GPS receiver then provides three-dimensional location (latitude, longitude, and altitude) plus the time. Individuals may purchase GPS handsets that are readily available through commercial retailers. Equipped with these GPS receivers, users can accurately locate where they are and easily navigate to where they want to go, whether walking, driving, flying, or boating. GPS has become a mainstay of transportation systems worldwide, providing navigation for aviation, ground, and maritime operations. Disaster relief and emergency services depend upon GPS for location and timing capabilities in their lifesaving missions. Everyday activities such as banking, mobile phone operations, and even the control of power grids, are facilitated by the accurate timing provided by GPS. Farmers, surveyors, geologists and countless others perform their work more efficiently, safely, economically, and accurately using the free and open GPS signals.

GPS satellite constellation Photo courtesy US Department of Defense


2.7 Different type of GPS receivers

The Global Positioning System (GPS) receiver uses satellites to pinpoint locations on the earth crust. The GPS is actually a constellation of twenty seven earth orbiting satellites. Twenty four of these satellites are in operation and three extras in case of any failure. The US military developed and implement this satellite network as a military navigation system but soon opened it up to everybody. Each of these 3000 to 4000 pound solar powered satellites circle the globe at about 12000 miles (19,300 km), making two complete rotations every day. The orbits are arranged in such a way that at any time, anywhere on Earth, there are at least four satellites visible in the sky. A GPS receiver’s job is to locate four or more of these satellites, figure out the distance to each and use this information to deduce it own locations. . (MARCHALL, B. 2008) The different types of GPS receivers are: 2.7.1 Type one: Not self contain receivers (without screen), also known as R232

receivers or also GPS mice. This type needs a computer often a pocket Pc or Palm PDA and according program in order to visualise the actual positioning of the GPS receiver. The link between the GPS and the computer can be wireless, blue tooth, by means of cable or via a card slot or sleeve. This type is often used for car navigation systems without moving map on the computer screen and for Gold GPS system. 2.7.2 Type two: Self contained receiver (without screen), with this one the computer is

integrated in a GPS receiver. We have distinguished between non mapping devices which are often handheld and mapping devices which can be handheld or mounted in boat, car or plane. It has often external antenna. This type sometimes has extra features as a barometer, altimeter, an electronic compass or even a radio transmission receiver. 2.7.3 Type three: This type is one of the most sophisticated receivers and it is used by

professional in agriculture, mapping and GIS, military, oil and Gas, Public safety, Survey. The principle of these receivers are the same but this type often use extra

18 receivers and special antenna for higher accuracy and can often store and enormous amount of data collected in the field which can be treated later in the office. 2.7.4 Type four: Dedicated single purpose GPS systems as there are in the car GPS

systems with a build in GPS receiver, using maps from device manufacturer. It is very useful for this purpose especially because you can take the system from one vehicle to another without hassle. So it can also be use in he rented car or jeep during holiday, contrary to the fixed in GPS systems. This type can only use map of the device manufacture and different map can not be uploaded. 2.7.5 Type five: GPS receiver incorporated with phones. These could be used in car

navigation with street maps coming in through the air. In May 2005 Sylvan Ascent Inc. launched Topophone which provides outdoor recreation enthusiast with better GPS solution by turning a cell phone with a built in GPS into a complete topographic mapping system. Topophone is superior to traditional GPS units because it uses the phone to download maps automatically and allows you to see where friends and family are located with a comparable mapping GPS that you can do everything that you will do with none mapping GPS and more. For example the Garmin GPS map 76 and the GPS 76. But neither into mapping system nor non mapping version could extra map be loaded. Only maps of the GPS manufacturer can be loaded into the mapping GPS and if you want to use it out of Europe or USA, it will be difficult to find a suitable maps. (MEHAFFEY, J. 2007). In all the above mentioned type of GPS, we are interested in the types that are used in cars because our main objective is to use it to track down the position and time of a hypothetical offender who was using a GPS receiver.

2.8 Automobile Navigation GPS features There are two types of GPS units for car navigation these days. First is the true car navigation, these types has large right screen suitable for comfortable viewing at arm length on your dashboard. These types also provide voice guidance which we obviously

19 are depending on it more as we gain familiarity with GPS car navigation. The type or model is known as the handheld car navigator. It typically has smaller screen with battery or 12 volt power and do have voice guidance. Some of these features of this automobile navigation are: a) Address to address routing: Most of the Tom-Tom and Garmin model has this feature. But however, handheld models all require optional at extra cost mapping software for car navigation b) Voice prompt for turns and guidance: those that provide these functions are Garmin Street Pilot- all models, Nuvi – all models, Quest, Magellan, Tom-Tom Road Mate – all models, Cobra Nav One. Etc. c) Built in Road Map: Built in and detailed road map display of your area of interest is an essential feature of a good automobile GPS receiver. d) Routes capability and waypoint: All GPS receivers have an automatic destination routing and some car navigators use only street address, road intersection, point of interest, Restaurant and hotel, filling stations etc. This is a pretty good minimum requirement and most Garmin model offers “mark waypoint” which is the capability for locations and the ability to point to a desired destination on a map. e) Datums: Many if not all now have only WGS – 84 datum. Thus it does not needs any things else when they are loaded with ref. datum WGS – 84 maps f) Mounting and turns: Most of the units have the capability of being mounted neatly and securely into the vehicle and the give a prompt signal for the next turn. g) Maps and track backs: Most of the models have uploaded maps capability or maps on it built – in CD ROM, SD card or other memory device for the area you need. They also have a track back function which is design to change the routes in case of a one way route system. (MEHAFFEY, J. 2007)

20 The picture of automobile GPS receiver

(Photo of automobile GPS receiver form GPS forensics website)

2.9 Chapter Summary

The embedded devices have a different storage medium as compare to our computer hard disk. The embedded devices use the flash memory technology in storing data and this flash memory is the flash extension of the floating gate method of manufacturing non volatile memory. Basically the two type of flash memory is the NOR and the NAND. The global positioning system was invented by the U.S Navy and the U.S Air Force in order to trace the geographical position of any object or person found on Earth in a particular point in time. The idea of navigation started as far back as fourth Century BC, where people were using the Moon and the stars in order to explain the shape of the Earth. The GPS receivers use satellites to pin point location on the Earth Crust and this satellite is made up of a constellation of twenty seven earth orbiting satellites whereby twenty four are operational and three extra in case of failure. The GPS are made up of different type of receivers, which can be used in Air Crafts, Ships, cars etc. The understanding of the history of the GPS and its satellite and how they are meant to work together is an exiting experience.

21 3 Chapter Three Literature review of the forensics examination of embedded device such as GPS 3.1 Chapter Introduction

This chapter deals with the work that other people has done in forensically examine a GPS device such as TomTom. The component of the GPS receiver and how important is the GPS receiver in tracking down criminals. It also elaborates the different type of files system found in the GPS receivers and the type of information that can be found in those files. It also talks on how a GPS fix can be identify and analyse. And finally point out some of the issues and limitation of GPS receivers in forensic examination base on the work of what others have done.

3.2 Literature review

The satellite navigation uses Global positioning System (GPS) for pinpointing location on the earth crust. GPS was developed by the department of defence in the United States of America. It was designed to be a high quality system for navigation accuracy. The GPS system works by using a network of 24 NAVSTAR satellite orbiting the earth. NAVSTAR stands for Navigation System using Timing and Ranging. It function round the clock that 24/7 at a height of 10,900 – 12,625 miles above the earth surface. The satellites with an impressive two tons are 18.5 feet long; transmit on two frequencies 1575.42 MHz for civilians and 1227.60 MHz for military service. The NAVSTAR obits the earth in just 12 hours. These satellites are designed to be resistant to interference and jamming thus the make incredibly good positioning beacons when use in conjunction with one another to give accurate position. The GPS receiver then communicates with the GPS in order to have an accurate position world wide.

22 3.3 The Global Positioning System (GPS) receivers

The GPS receiver can play and integral part of an investigation. Since GPS receiver has be come widely use in cars these days, there is a high change of finding useful information about the route and time of an event. Satellite navigation is used commonly as a route finder on all forms of transport. These incredibly useful devices are now use by the public, and have a high availability. Most modern vehicles use satellite navigation system, and it is the information in this system that can give assistance in providing information to others, be they law enforcement officers, defence lawyers, employers or member of the public. These satellite navigation systems have logs and configuration files that need to be examined and broken down into readable and understandable information. The satellite navigation or GPS receiver has both hardware coding written to itself and software. Examination and interpretation of this software enables us to find waypoints, predominantly on marine satellite navigation systems and directions requested on vehicle satellite system along with directions given and time that the journey was taken.

The GPS receiver like TomTom or Garmin can be broken down into three main types, those with SD cards, those with internal flash memory and those with internal hard drive. The goal of forensically examine a GPS receiver is to find out whether information of importance can be harvested in the storage media. Forensically we need to first of all acquire a bit stream image of the memory card or acquire it directly from the receiver itself (those with internal hard drive). TomTom GPS navigation devices are one of the most popular kinds of satellite navigation device in the UK. It is increasingly been examined in criminal cases to identify data of evidential value. The GPS receiver allows the user to plan routes, save favourite destination and look up point of interest (POI) Some devices can also pair with phones and if so can yield call history and contact data and connected to a computer act as a USB mass storage device. New version have inbuilt MP3 players and picture viewers. The GPS receiver is operated via touch screen menu driven interface, which allows the user to enter locations, plan routes or itineraries, save favourites or look up POI. The user can also operate a paired mobile phone via the

23 TomTom to make calls, read or write text messages. If a wireless connection has been set up, the user can access addition service via a TomTom Plus account, Such as weather information real time traffic information or additional downloads like extra voices or updated maps. (NUTTER, B.2008)

3.4 The value of GPS receiver in forensic Analysis

The evidential value of GPS receiver like TomTom is obvious in many cases. Recent cases that the author has worked involving TomTom or other navigation devices include offences of kidnap, murder, grooming of children and terrorism. The present of a specific address in the recent destination can be a strong indication of links between the owner and that address. In case of theft of the GPS receiver itself, the saved home location is likely to identify the device’s original owner. In fact in any offence where a person’s movements are of interest, analysis of GPS receiver device to retrieve the store location is likely to be useful.

3.5 Previous work done on the forensic examination of GPS receiver (TomTom)

The GPS receivers store information in a file called dot cfg file (.cfg file). The analysis has been focus on the boot loader, since rewriting this allows alternative software to be run. In a presentation, at the first forensics forum, Weall, 2006 noted that each record contained two set of coordinates, (the longitude and the latitude in the WGS 84 datum), a text label for the address and further two sets of coordinates. His hypothesis was that since the first set of coordination seemed to relate to the actual location, the other three related to nearby feature that is nearest road and junctions. The analysis of the ‘dot cfg file’ point out that the first destination in ‘dot cfg file’ is the home location if entered, and that the last two entries relate to the start of the last calculated route and the last entered destination .(NUTTER, B.2008)

With this information much more is known about the structure of a file, but this less useful when applied to unallocated clusters. It might be possible to say that a location was

24 the start of a route, but it is likely that a location may be found in the slack space with no information about the original location in the file. In that case, it will be difficult to say how significant it might be. To understand more than that, decoding the individual record is required.

3.6 Remarks on the acquisition of a GPS receiver storage media

Since there is always a significant amount of data found in unallocated clusters and file slack, the best approach is to carry out a bit stream image of the storage media. Bit stream copying of the storage device means that all the (.cfg fles) will definitely be imaged. When an image is acquired form the hard drive of TomTom viaUSBthe Timestamp of the following files are changed: TTPnPD.log, clmdata, settings.dat, ITN\temporary.iti. And when imaging a flash memory of a TomTom via USB, the time stamp of the same files are changed including the map directory\MapSettings.cfg. The device which store data on a removable SD card reader are easy to deal with, as the memory card can be removed from the device and imaged as normal using forensic software and write protected card reader.

3.7 Files of forensic interest when analysing TomTom

Once a forensic image has been obtained, that image can then be analyzed. There are a number of files of possible interest to the examiner, including: • \contacts\called.txt – which contains numbers called by the phone paired to the TomTom; • \contacts\callers.txt – which contains numbers of phones which have called the phone paired to the TomTom; • \contacts\contacts.txt – which contains details of numbers in the address book of the phone paired to the TomTom; • • \contacts\inbox.txt – contains incoming text messages; \contacts\outbox.txt – contains outgoing text messages;

25 • TTGO.bif – contains device information (e.g. serial number) and current home location (in later application versions); • settings.dat – contains the name and MAC address of a paired phone, if one has been connected, wireless data settings and data provider if this has been set up, and home phone number information and owner information, if set10; • \itn\ – directory containing itineraries, if any have been entered (temporary.iti is the currently active itinerary).

3.8 Issue and limitation of TomTom one in forensic examination

As discussed in Siezenga (2008), removing the memory card, making a USB connection or total battery power loss will cause changes to the device; it seems that the TomTom, during normal usage, is in a standby state when switched off, and that any of the three conditions mentioned will cause a cold start when next powered on normally without a USB connection (the device will show the TomTom two hands logo, instead of powering on straight to the last displayed screen). The main effect Siezenga notes is that the device ‘forgets’ whether it has visited the last destination. There is, though, no alternative to this which will enable the data to be extracted. (Also, as Siezenga mentions, the only way to see whether the last entered destination has been visited is to switch the device on in a location with GPS coverage, which will lead to changes in the (dot cfg file) and the loss of the last GPS fix.) has never successfully obtained one.

3.9 Identifying GPS fix Location

Possibly the most significant benefit is that it is possible from this to identify locations where the TomTom has actually been. Siezenga (2008) has noted that the second to last location in the cfg file is the start of the last calculated route. In the majority of journeys, this will be the location where the TomTom was when the route was calculated, as it only begins calculating a route when a GPS fix is obtained. If deviating from the route the TomTom has planned, a new route is calculated, and the point of deviation becomes the

26 new starting point for that route. Upon driving past an entered destination, the TomTom will then begin calculating a route back. Or when turning a TomTom on without clearing a route, a new route will be calculated to the last entered destination. Any of these four events will result in a start location being recorded which is a location where the TomTom has obtained a GPS fix.(NUTTER, B.2008)

3.10 Chapter summary

The GPS receiver can or has been using to track down criminal if the suspect was with the GPS device during the commission of the crime. The information about the journal of any person in possession of a GPS receiver can be found in the (.cfg file) where all the entries can be seen such as home and destination location. It now understood the type of maps GPS uses in tracing it Longitude and latitude. The significant of the GPS fix location and its implications are well elaborated. The limitation and issues on the forensics examination of GPS receiver such as TomTom has been explicitly understood.

4. Chapter four The policies and procedures of carrying out forensics examination 4.1 Chapter introduction

The goal of this chapter is to look at the policies and procedures of carrying out forensic investigation. The types of equipment found in the basic forensics tool kit and Methodology of forensic investigating from collection to presentation. It also elaborates on the guide lines of the Association of Chief Police Officers (ACPO) and on the methodology of carrying out forensics examination of GPS devices and finally, the acquisition phase of an SD card.

27 4.2 The policies and procedures

Forensics can be defined as the use of science and technology to investigate and establish facts in criminal or civil courts of law. The investigator must be unbiased, qualified and understand the legal issues. The first thing to consider when presented with a case is whether or not to accept it. Many factors influence and ultimately determine whether to accept or take in a case. Some of the common criteria for taking a case include: Whether it is a criminal or civil case. The impact on the investigating organization Whether the evidence is volatile or nonvolatile Legal considerations, such as the types of data that might be exposed The nature of the crime Potential victims, such as children in child pornography cases or murder cases Liability issues for the organization The age of the case Amount of time before the court date A general case intake form needs to be completed when reviewing a potential case and determining whether to accept it. Among other issues, the form requests information to check for any conflict of interest between the forensics company, investigators and other concerned parties. The completion of this form is often overlooked when developing standard operating procedures. This form confirms the understanding and agreement among the parties involved and sets the stage for everything else about the case, such as chain of custody and basic evidence documentation. This intake forms differ depending on whether the case is being accepted by a law enforcement agency or a private company. (LINDA, V. et al. 2006. P. 124.)

4.3 Equipment in a basic Forensics Kit

As a matter of policy and procedure, a basic computer forensics kit should always be used. Every investigation will have some unique characteristics, but the basic equipment

28 required by a forensic expert remains the same. The following list is a guideline for what should be included in a forensics kit: • Cellular phone: There will always come a time when you need to find additional information or call for help of some kind • Basic hardware toolkit: Items such as standard screwdrivers, pliers, scissors, duct tape, and so on should always be part of your forensics kit. • Watertight or static resistant plastic bags: We make sure we have Ziploc type bags of various sizes to store collected evidence • Labels: Included in our tool kit various types of labels to tag items such as cables, connections and evidence bags. • Bootable media: We always need to have handy a variety of bootable media such as DOS startup disks, bootable CDs, and even bootable USB drives. Our choice of bootable media will varies depending on the type of forensics software we are going to use • Cables (USB, printer, FireWire): Depending on what type of forensic software we plan to use, our choice of cables will vary. Always carry at least a CAT 5 crossover cable, straight through cable and rollover cable. A spare power cable always comes in handy. • Writing implements: We should have a soft permanent marker to write on labels, floppies, or CDs. A sharpie type marker is always preferable because these markers are felt tipped and will not damage CD labels. • Laptop: A laptop is always a good tool to have even if it is not your forensics examination platform. A laptop allow us to carry a veritable library of forensics tools, give us access to the Internet, lets us keep updated manuals or schematics on hand, allow us to store information immediately if need be (volatile information such as that stored in embedded devices such as GPS receivers and PDAs) and give us flexibility to adjust to different investigative situations. • High resolution camera: In order to document everything properly, we should take a series of photographs before you start working. Photograph taken during and after are always recommended, but you must photograph the initial scene. A camera that labels the date and time on the photo is always a good idea.

29 • Hardware write blocker: We never know when we will need to take a storage media out and do drive transfer, so a hard ware write blocker such as Fast Bloc or Drive Lock is a small device that we should carry just in case • Log book: It is a good practice to have a habit of carrying a log book to record investigator actions • Gloves: As a forensic examiner, we always need to keep in mind that there are other forms of evidence such as fingerprints to keep intact. Additionally, a good set of gloves used when handling evidence shows our attention to even smallest details of evidence preservation. • Forensic examiner Platform: Platforms vary from laptops to fully equipped desktop units. The next generation of mobile forensic platforms should make the acquisition of data in the field or in entrusted environments more convenient with faster connection speeds via wired transfers, wireless acquisitions and smaller forensic platform units (LINDA, V. et al. 2006. PP. 126 – 127).

4.4 The methodology of Carrying out forensics examination

The primary goal in computer forensics is collecting, preserving, filtering and presenting digital artifacts. It can also be used as guidelines to describe the computer forensics processes. The different phases can be summarised as follows; 4.4.1 Collection: The collection phase of computer forensics is when artifacts considered to be of evidentiary value are identified and collected. Normally these artifacts are digital data in the form of disk drives flash memory drives or other forms of digital media and data. In this case the storage media of the suspect’s computer or GPS receiver was identified as artifacts of potential evidentiary value. 4.4.2 Preservation: In the preservation phase of computer forensics focuses on preserving original artifacts in a way that is reliable, complete, accurate and verifiable. The Cryptographic hashing, checksums and documentation are all key component of the preservation phase.

30 4.4.3 Analysis or Filtering: In this phase the investigators will attempt to filter out data which is determined not to contain any artifacts of evidentiary value and filter in artifacts of potential evidentiary value. A wide array of tools and techniques are utilized in the filtering phase. Some of which include comparing cryptographic has values of known good and known suspect files against a known dataset. 4.4.4 Presentation: This is of course the final phase of computer forensics investigation. It is in this phase that the potential artifacts of evidentiary value are presented in a variety of forms. Presentation normally starts with the investigator extracting the artifacts from the original media, and then staging and organizing them on CDROM or DVD-ROM. The investigator’s reports, supporting documentation, declarations, depositions and testimony in court can all be considered the presentation phase of computer forensics.(CHRISTOPHER, L. 2006 PP 6 - 8). Electronic evidence is valuable evidence and it should be treated in the same manner as traditional forensic evidence with respect and care. The methods of recovering electronic evidence whilst maintaining evidential continuity and integrity may seem complex and costly, but experience has shown that, if dealt with correctly, it will produce evidence that is both compelling and cost effective. In United Kingdom all digital forensics examination must follows the guide line of the Association of Chief Police Officers (ACPO).

4.5 The principles of digital evidences as prescribed by the ACPO

The Association of Chief Police Officers in the United Kingdom have made public the principles of computer based electronic Evidence. The four principles are:

4.5.1 Principle one: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court 4.5.2 Principle two: In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be

31 competent to do so and be able to give evidence explaining the relevance and the implications of their actions. 4.5.3 Principle three: An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result. 4.5.4 Principle four: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to. (ACPO guide line P.6. 2008)

4.6 Methodology of forensics investigation of embedded device such as GPS receiver

The use of satellite navigation systems has become increasingly common in recent years. The wide scale adoption of this technology has the potential to provide a valuable resource in forensic investigations. The potential of this resource is based on the ability of retrieve historical location data from the device in question. This methodology aims to be comprehensive and straightforward, while maintaining forensic integrity of the original evidence. Automotive satellite navigation systems such as TomTom and Garmin, aim to provide navigational assistance to it’s’ users. Often the user will provide a destination point then based on this the device will provide a map and verbal turn by turn directions to the specified destination. Such devices are becoming more common and are decreasing in price. It should also be noted that many new cars now come with Satellite Navigation System as standard.

The ability to acquire forensic images from satellite navigation devices is becoming increasingly relevant with the aforementioned increase in availability of the devices. Satellite Navigation units have the potential to provide valuable historical location of data to investigators.

In the application of forensic procedure to satellite navigation systems and indeed any digital evidence as a whole there are a number of issues that must be understood. The primary issue faced by digital forensics is the intangibility of the evidence being

32 collected. As the evidence only exists in digital form the method of acquisition heavily depends on the nature of the storage media on which the target information is located. An example is that data stored in volatile memory can often be erased if power to the device is lost (Noblett, Pollitt, and Presley, 2000). In addition to this the contents of volatile often changes constantly as data is re arranged. In such cases special methods may be needed to forensically preserve evidence that is located in volatile memory.

Digital forensics procedure is focused on preserving the integrity of the original evidence and allowing the integrity to be verified at a later stage as stated by the ACFO guide line. This verification is normally performed by the use of hashing algorithms and careful documentation.

In order for the evidence to be useful a copy must be acquired, this copy can then be used as part of an investigation without the possibility of compromising the original in the process. In order for this copy to be useful it must be what is known as a bit stream copy of the original (ACPO Guide line, PP 20 – 21). A bit stream copy is a complete duplicate of the original data, instead of copying the files or other logical structures of the original device the raw data that comprises these structures is read piece by piece and copied to a specified location or device. This method allows for an analysis to be performed on data that has been deleted or otherwise exists in unallocated space.

4.7 GPS receiver’s storage media

GPS receiver devices can be broken down into three main types: those with SD cards, those with internal hard drives and those with internal flash memory (with or without SD card slots). Devices which have both internal memory and an external SD slot typically store the user data on the internal memory, using the SD card slot only for additional storage, unless the device is set to use maps which are stored on the SD card, in which case the ‘dot cfg file’ will be found in that map directory.3.2. Acquiring a forensic image

33 As there is usually a significant amount of data found in unallocated clusters and file slack, the best approach is always to take a complete forensic image rather than simply extracting the live .cfg file. Devices which store data on a removable SD card are the simplest to deal with, as the memory card can be removed from the device and imaged as normal using forensic software. (NUTER, B. 2008)

The acquisition methods of an SD card will be different from that of a GPS receiver internal memory. Thus the acquisition methods will be broken down in two fold those of an SD card and those with internal memory.

4.8 The acquisition of an SD card

The SD card must be inserted into the device at all times in order for the device to function as its core operating system resides on the card. Initial research suggests the data on the SD card is comprised of at least the following:

• • • • •

X86 Boot Sector Mapping data Operating system files Configuration files Swap space

The SD card is easily accessible in a non invasive manner and it is possible to acquire the SD card with a minimum of equipment and experience. In addition to this it is possible to acquire an image of the SD card in a covert fashion, in many cases it is not possible to determine that the device has been tampered with. The procedure for acquiring a forensic image of this media involves attaching the device to a system in read only mode and acquiring a bit stream copy of the SD card. As with any forensic procedure the media should be hashed before and after acquisition, the resulting copy of the data should also be hashed in order to verify its integrity. It should be noted that powering the satellite

34 navigation unit on whilst the SD card is inserted will result in data being written to the SD card and the hash changing. In this case the position of the write protect tab on the SD card reader is irrelevant as most of the Automobile GPS receivers do not discriminate if writing should be permitted based on the tab’s position. Instead the SD card is treated as writable regardless of the tab’s position. In order to perform the acquisition of the SD card it is necessary to have a write blocking SD card reader. (PETER, H. 2007)

Initial examination of commercially available SD card readers has shown that it is possible to modify the devices so that they will not perform write operations. This modification can be performed as shown in the diagram below.

(SD card reader with read only modification (PETER, H. 2007)

A movable tab on the side of SD cards is commonly used to set the media to operate in Read only mode. This tab is similar to that on three quarter inch floppy drives, in that the accessing device detects the tab’s position rather than the read only logic existing on the media itself. This modification does works by manually bending the pin that detects the position of this tab so that the device will always detect the tab as being in the read only

35 position. The result of this is that all media will be treated as read only, regardless of the position of the tab. The acquisition of the SD card can be done by using Helix 3 ISO. This is a distribution of Ibuntu Linux operating system with access to a terminal to enter the dd command with standard Linux command line interface (CLI). The “dd” software is capable of performing low level data operations such as performing a bit stream copy of the data to be acquired. The processes are: • • • • • • • • • • • • • • • Attach write blocked USB SD card reader Insert a non critical SD card for testing purposes Perform a hash of the SD card Ensure the file system if any present on the SD card has not been mounted Attempt to write to the SD card Ensure that the hash matches the original Remove the SD card Insert the SD card to be acquired Perform a hash of the SD card Ensure the file system if any present on the card has not been mounted Acquire a copy of the SD card using dd command Perform a hash of the SD card Perform a hash of the acquired file Ensure that the hashes match the original Remove the SD card form the reader

After the acquisition has been done, the analysis of the bit stream image can be carry out with the used of Encase or Forensics Tool Kit. (PETER, H. 2007)

4.9 Chapter summary

The rules and principle of a forensics examination of digital devices must always be followed. And the guide lines of the Association of Chief Police Officers should always be taking into consideration when carrying out a forensic examination of digital evidence. The methodology of carrying out a forensic investigation of digital devices has four phases, and these phases must be followed meticulously in order not to damage a piece of

36 evidence of potential evidentiary value which can be admissible in a court of law in order to solve a puzzle in a crime. The methodology of a forensic examination of GPS receivers is now well understood, incorporated with the method of Acquisition of an SD card.

5 CHAPTER FIVE The trend of GPS Navigation System receiver and a case study on a GPS receiver 5.1 Chapter introduction

This Chapter is basically telling us the reasons of using TomTom device in the experimental phase of the project. And subsequently discuss the imaging tools and give details about the imaging methodologies as stated in the forensics community. And finally describe the imaging method that is used to carry out the acquisition of TomTom one device.

5.2 The trend of GPS Navigation System

The are many types of GPS navigation in the world today but the most popular ones being TomTom, Garmin, Mio Technology, Navman, and Magellan. Research from the Canalys Q2 2007 on global mobile navigation has proven that TomTom and Garmin both increased their share year on year and sequentially. After two years at the top by several percentage points, TomTom was narrowly overtaken by Garmin as the leader in the global mobile navigation device market in Q2 2007, according to the latest estimates from analyst firm Canalys. The Canalys figures include all mobile devices used for turn by turn road navigation with built in GPS and on board software including not only Portable navigation Device (PND) such as the TomTom GO range and Garmin Nuvi but also smart phones, handhelds and other similar classes of device. The total device shipments for the quarter stood at 7.4 million, up 116% on the same quarter one year ago and almost 2 million above last quarter’s figure. The statistics below proves that the TomTom and Garmin is actually the most popular device used world wide. (CANALYS. 2007)

37 (Statistics of the most popular GPS devices used world wide)

(CANALYS. 2007)

Due to the above statistics it was worth while to carry out a forensics examination of the most popular devices since many people are using it today and thus can give a good leads in crime investigation if GPS navigation was used during or after the commission of the crime.

5.3 The imaging methodology

It is unarguable that disk evidence is easily the cornerstone of computer forensics, if for no other reason than digital evidence on disk is as easy to relate to a judge and jury as files in a file cabinet. How ever, the completeness and accuracy of digital evidence collection is often questioned in the legal arena. In an effort to fend off evidentiary challenges relating to the evidence dynamics of disk collection and analysis, computer forensics investigators have for some time placed a major emphasis on careful disk collection and handling. Due to the volatility of disk data and potential destructive nature of handling and analysis, computer forensics investigator agree that creating a bit stream copy of a disk is a necessary component of disk evidence collection and analysis. This bit stream copy with obviously include both the allocated and unallocated clusters. In order to keep with the court acceptable standards of completeness and accuracy, computer

38 forensics investigators should created a bit-stream image of the original evidence when copying form source media to destination media whenever reasonable. According to the National Institute of Standard and Technology (NIST) guideline, imaging tool must have the following features:

The tool shall be able to acquire a digital source using each access interface visible to the tool

The tool shall be able to acquire either a clone of a digital source or an image of a digital source, or provide the capability for the user to select and then create either a clone or an image of a digital source

The tool shall operate in at least one execution environment and shall be able to acquire digital sources in each execution environment.

• • •

The tool shall completely acquire all visible data sectors form the digital source The tool shall completely acquire all hidden data sectors form the digital source All digital sectors acquired by the tool form the digital source shall be acquired accurately

If there are unresolved errors reading from the digital source then the tool shall notify the user of the error type and location.

(CHRISTOPHER, B. 2006. PP 236 – 237)

5.3.1 The Bit Stream Image

A forensic investigator will always collect a bit stream image of the original media. This image collection allows for subsequent analysis and reporting, leaving the original media safely locked away. The bit stream image collection takes place when the investigator will essentially access the data through a software tool and stream the data sector by sector from the evidence media into a file or group of files residing elsewhere. The bit stream image data will always contain the head and the trailer information. It is also very important to note that the file size of the destination drive of FAT32 file system when imaging could not store more than four Gigabytes of data at one time but the NTFS file system does not have this limitation.

39 5.3.2 Verification of imaging and the hash value

A cryptography hash is an algorithm used to produce fixed-length character sequence based on input of arbitrary length. Any given input will always produce the same output call he hash. If an input bit changes, the output hash will change significantly and in a random manner. In addition, there is no way the original input can be derived form the hash. The two of the most common used hashing algorithms are MD5 and SHA1. This cryptography hashes are normally used in the forensics field as a tool to ensure data integrity. A cryptography hashing function or algorithm has the following technical characteristic: • A hash algorithm transforms an arbitrarily block of data into a large number called a hash value • The value has no correlation to the original data, and nothing about the original data can be inferred from it • Small changes in the original data produce large, essentially random changes in the hash value • Generated hash values are evenly dispersed throughout the space of possible values(that is all possible values are equally likely to occur) (CHRISTOPHER, B. 2006. P. 247)

When a bit stream image of a digital device is completed the hash value will always be generated and it is used to prove the integrity of the imaging process.

5.4 Case study: Forensic Examination of GPS receiver such as TomTom one

TomTom GPS navigation devices are one of the most popular kinds of Satellite navigation devices in the UK, and are increasingly being examined in criminal cases to identify data of evidential value. The navigation functionality of TomTom device allows the user to plan routes, save favorites destinations, and look up points of interest (POIs). The device has the potential to yield call history and contact data if paired with phones connected to the computer, it acts as a USB mass storage device. Newer versions have

40 inbuilt MP3 players and picture viewers. The TomTom receiver under the forensic investigation must follow the rules and principle of carrying out the forensics investigation of digital devices as stipulated in the ACPO guide lines. When the device has been collection for investigation the next point will be the imaging of the memory found inside the device. This imaging supposed to be done by the used of an imaging tool world wide known in digital forensic communities.

5.5 The tools use for imaging GPS receivers or Satellite Navigation devices.

The tool used for imaging TomTom receivers are many out there such as Forensic Tool Kit imager V2.5.4, Blackthorn, EnCase version Six with the used of Write Blocker and Helix 3 ISO with the used of DD command. The tool that was used to image the TomTom device used for this project was Helix 3 ISO with the used of DD command lines. The Helix 3 ISO is a customized distribution of Ubuntu Linux and it is more than just a bootable live CD. It can still boot into a customized Linux environment that includes customized Linux kernels, excellent hardware detection and many applications dedicated to incident Response and Forensics. Helix works properly and do not touch the host computer and it is forensically sound. This Helix product do not auto mount space or any attached devices. A copy of the helix software was downloaded on their website and backup on a CD. (

5.6 Live bootable CD ROMS

Bootable disks containing a clean operating system and specialized utilities are not new to the security arena. For some time now, information security professionals have used the Trinux boot floppy disk, which contained a stripped down version of the Linux Kernel. Bootable CD-ROMs allow the investigator to reboot a suspect system to the “clean” operating system and utilities, allowing for on site static bit stream disk image collection and analysis. The bootable CD-ROM can be used to host the base operating system and tools used by an investigator during live investigation in suspect net

41 environments. By using write protected media, the investigator can keep the base operating system and utilities safe from compromise, or at least permanent compromise. The Helix 3 CD ROM provides users with a full desktop platform and is configured to leave little or no disk artifacts; the platform is of great interest to users conducting criminal activities and misuse. (CHRISTOPHER, B. 2006. PP. 230 - 231)

5.7 Getting Helix bootable CD ROM:

The Helix was downloaded free as an ISO image from After downloading, the check sum was been check in order to maintain the integrity of the product. That is to make sure that the files were properly downloaded. This was done by using the MD5 signature of the file and the MD5 value for Helix 1.7 is 90d751e1be36ee24025d8a635f2a9e1d. (See screen dump below)

(Screenshot of Hash value of helix 3 software)

We used a window or DOS based MD5 generator to make sure the helix file downloaded has the same signature. This check sum was carried out because if even a single bit is different, a different MD5 will be generated. After that it was burn to a CD with the use of Nero which is a burning or copying program. (See screen dump below)


(Screenshot of the burning process of a Helix 3 CD ROM)

When the Nero burning Program is opened and click on burn image. It will automatically take you to your document where you will be ask to select the file, you want to burn. (See screen dump below)

(Screenshot of extracting Helix 3 file for a burning process)

Select the Helix_1.7 ISO image that you have downloaded and click open. When it is open, it took us to another window known as burn compilation. We click on burn and it creates the Helix CD from the ISO Image. And once the CD is ejected at the end of the burn process, we had our bootable Helix CD. (See screen dump below)


After a copy of a bootable Helix CD was copied, the next step was to image the TomTom receiver using that bootable Helix CD.

5.8 Methodology of imaging TomTom One GPS receiver

Before starting the imaging process we must make sure that there is enough free space to put the image. A 500 GB external hard drive which has an NTFS file system was use as the destination device and the TomTom receiver was about 254 MB. The external hard drive was connected via a USB. And the computer was been boot from a bootable CD of Helix 3 ISO and follow the on screen instruction. When the Helix CD opens in to the GUI, we select application and choose Forensic IR and from there we select Adepto. Adepto is one of the programs found in Helix 3 ISO which is used for imaging. The advantages of creating a disk-to-disk bit stream image are that the resulting evidence disk can be mounted with write protection in a forensic workstation and many different tools can be used for evidence analysis. The second point is that it maintains the integrity of the suspect’s drive by automatically calculating of the hash algorithm, which will use to later verify the disk or image integrity. (See the screen dump below) (CHRISTOPHER, L. 2006. PP 242 – 243)


(Screenshot of the window of the beginning of an imaging process)

5.9 Identification of the source and destination drive: The source and destination drive need to be mounted and check before an effective imaging process can begin. The destination drive was mounted by clicking on the drive after been connected via USB and choose mounted. This will enable us to know the name and the partition of the drive because it is useful during the entering of the dd command. The Source drive was identify as “sdc” and the destination drive as “sdb1” Thereafter the both drives are unmounted and will then be mounted with the use of dd command line. Since the destination drive has the New Technology File System (NTFS), the force command was used to mount the NTFS file system. The command been used is “Sudo mount –t ntfs-3g –o force /dev/sdb1 /media/sdb1. (See screen dump below)


(Screenshot of window where the DD command line is been entered)

The Adepto is a Graphical User Interface (GUI) front end to dd commands and was designed to simplify the creation of forensic bit images, and automatically create a chain of custody. The adepto has several features and abilities, they include the following: • • • • • • Auto detection of IDE and SCSI drives, CD-ROM, and tape drives Choice of using either dd, dcfldd, or dd command line Image verification between source and destination that is the MD5 or SHA1 Wiping or Zeroing drives or partitions Splitting images into multiple segments Detailed logging with date time and complete command line used

5.9.1 Starting Adepto

When adepto is started, it will prompt you for a username and a case number. This is a perfect way for keeping track of multiple cases, as well as maintaining a chain of custody. The case number is based on the current date but can be modified to fit the format of any case numbering system. When those to information is entered then click on “GO”, the program allows access to another window with tabs like Device info, Acquire,

46 Restore/Clone, Log, and chain of custody. This window is where all the other information is entered before acquisition can begins. (See screen dump below)

(Screenshot of the windows of Helix 3 used for imaging TomTom one)

5.9.2 Device Info: The device info tab is used to display information about the various devices the have been mounted on the system. The name of the device that we want is selected from a pull down window. In this case the drive known as “sdc” was selected and it is our source drive which is the TomTom one to be imaged. Immediately the drive was selected, the information about it will be seen, such as the size, model and the name of the drive. If should in case the drive does not appear, the “Rescan Devices” button should be used. (See screen dump below) (Screenshot of the window where information about the drive to be imaged is entered)


5.9.3 The Acquire Tab: Once a device has been selected, the Acquire tab will become available, it is here that the destination drive was been entered or selected. In this case the destination drive was “sdb1”. This is where our bit stream image will be place after the imaging process is completed. When the destination drive has been entered in the mount point, then the bit stream image process is about to begin. This process should not be disturbed until the whole imaging process is completed. (See screen dump below)

(Screenshot of the acquiring process of an image of TomTom one)

The imaging process did start when the start button was click. This process is actually being the use of the dd command in Adepto. When the imaging process is completed, the information about the log and the chain of custody can then be viewed. Taking in to consideration the size of the TomTom drive the actual imaging time lasted only for about seven minutes including verification.(See screen dumb above)

48 5.9.4 The Log Tab: The log tab will display the log of all the action that has been used in order to image the drive. And it is here that the hash value (MD5) will be seen, which is of course to prove the integrity of the drive been copied. Forensically it is proven that every thing is done as it should be, if the Message digest 5 (MD5) of the original drive is equal to that of the copied image. (See screen dump below)

(Screenshot of the log including the hash value of imaging)

49 5.9.5 The chain of custody: The chain of custody was created automatically based on the device that was imaged. In forensic investigation the chain of custody is also very vital because it tells the examiner all what he has been doing in the past. And during the imaging of the TomTom one drive the Adepto program created a chain of custody base on the information entered, such as the username and the case number. (See screen dump below)

(Screenshot of the chain of custody of an imaged TomTom one device)

The imaging process of TomTom one was completed and the hash value was also generated which is a proof that the integrity of the bit stream image of a GPS device is guaranteed. The next step of the process will be the analysis of the imaged TomTom One device.

5.10 Chapter Summary

The TomTom devices and Garmine are world known to be the most used GPS navigation. The methodology of acquisition of TomTom One with the used of Helix 3 as an acquisition software tool has given us an amazing result. The hash value is calculated automatically and it can be viewed only when the imaging process is completed. To start the imaging, the source and destination drive was identified and the DD command line is

50 used in the imaging process since we are using the Helix 3 ISO which contains a stripped down version of the Linux kernel. The imaging process was successful and the bit stream image of the TomTom one was saved in a safe location in order to use in the analysis phase.

Chapter six 6. The analysis of Imaged TomTom one receiver

6.1 Chapter Introduction

This chapter discusses the process and evidence found, when the bit stream image of TomTom one was analysis with the used of TomTology software. It brings out the importance of TomTology software in the analysis of TomTom devices and also point out the areas of the devices that the information of evidential value can be found. It finally conclusion by bringing out some of the evidence found in the TomTom one device that has been analysis as a case study in this project.

6.2 The analysis of the bit stream image of TomTom one

The analysis of all TomTom products can be done by the use of TomTology software. TomTology is a software for forensically examine TomTom satellite navigation devices. The TomTology software is capable of decoding the files on a TomTom that store journey and address information. A TomTom is used to store information relating to the owner’s home address and a list of their favorite location. If a user selects to navigate to either their Home, a favorites or an address entered as a destination then this information is stored in the recent destination list.

51 6.3 The importance of using TomTology in analyzing TomTom devices

TomTology will automatically decode all the information found in all TomTom navigation receivers and will give you detail information about the following: • • • • • • The Home location The Favourites The recent Destinations A list of addresses that have been entered manually The last journey that was plotted( if stored) The location of the TomTom when it last had a GPS Fix( if available)

For each of the location mentioned above, we will find the Latitude and Longitude stored along with both an automatically assigned name and a user editable name and a house number. It will also tell us how the user chose to navigate to the address being entered; this could be by entering the postcode or selecting it form the favorites list.

TomToms can be paired to a mobile phone and used a hands free kit in the car. If this happened, it is possible for TomTology to recover the following: • • • • The contact list of the mobile phone A list of numbers called A list of calls received A list of detail address and telephone number

TomTology has the potentials of providing us with the information about the TomTom itself such as serial number (useful if the sticker has been removed from the device), TomTom version and username.

52 6.4 Deleted space on a TomTom devices

A lot of useful information can be found in the deleted space on a TomTom. Unfortunately, if the user has reset their device then no live information will be available. If not, in the deleted space, records of previous journeys plotted as well as potentially the actual GPS position of the device when the journey was plotted and it’s last GPS fix for that journey can be extracted. When a journey is plotted using a TomTom device, it takes the current GPS position of the device as the start point of the journey. Until the destination is reached the TomTom stores both the Origin and the Destination. If a wrong turn is taken in the journey the TomTom will initially attempt to make the user turn around or will try to steer the user back on the route. If this fails then the TomTom will be forced to re plan the journey. In case of this type of situation, the TomTom will again take the current GPS position as the origin, leaving the destination the same. When examined, the last journey origin will definitely be a place where the TomTom has been but it may not be the place the entire journey started from. The TomTom always records where it is when it has a GPS fix, this is the last GPS Fix. It may be in mid journey if the TomTom was turned off mid journey or it may be a place where the TomTom has been turned on since. Like the last journey origin, this is a place where the TomTom has been. (ANDY, S. 2008)

53 6.5 Methodology of using TomTology in analyzing

TomTology can be used as a tool to decode the files containing location information in basic, or it can be used to perform a full analysis of a TomTom. The files on a TomTom containing the location information are of the form dot cfg (.cfg). When TomTology software has been install then click on the icon of TomTology and it will open in a window (See screen dump below)

(Screenshot of TomTology software window)

This window is the TomTology software window where we can then load the image which we want to analyze. The procedure is fairly the same as that of Encase, by clicking on new case, where the information about the case to be investigated will be entered. These are some sort of standard information like Case reference number, Organization, Examiner, defendant and exhibit reference number. From this point, check the box with stipulate show advanced option in order to be able to seen the scan drive that we will use to load or TomTom one image. Click on scan so that it will scan all the drive found on the system and you will select the one the contain the image under investigation (See screen dump below)


Screenshot of where information is being entered about a case)

When the scan button is hit it will open up to another window (See screen dump below)

(Screenshot of where a drive can be chosen for scan)

We will now be prompted to select the drive you want to parse and which is of course where the image of the TomTom one is found and then click on Parse. It will search for the image drive selected and eventually load it in TomTology.

When the drive has been parsing and the image has been retrieved and loaded in to TomTology. A small window will be open with the information of the image drive been

55 found. In this window a summary of all what will be analysis will be seen. It will gives us details about the CFG files found, Orphaned locations found, the Phone numbers found and the SMS found (see screen dump below)

(Screenshot of a scan drive to carves out data from TomTom one device by TomTology)

When all this has been retrieve then another window will be opened which will be the window with all the statistics of what is to be analyzed and this happened when the scan has been completed. In the screen dump below, we have about 946 CFG files to be analyzed. (See screen shot of TomTology view pane below)

56 This window is where the analysis process will take place. It is where that we find all the (.cfg files) which is of course where all the addresses been entered are kept), GPS fix, orphaned location, phone numbers and text messages if any.

6.5.1 Files of forensics interest to be analyzed

Files of forensic examination interest are files that contain information about the movement of the suspect and places where the GPS devices have been. Such files are: • • • • • • Live CFG file data Live phone numbers( if the TomTom has been paired with a phone) Device information All deleted CFG files All locations found that are no longer in a CFG files(orphaned locations) All recovered phone numbers

In any location been discovered, can actually be viewed in a Google maps if there is an internet connection.

6.5.2 Live CFG data files

The details from the live CFG files are presented under the live files tab with information about the current home, favorites, recent destinations, entered locations, last journey, Device information, Callers and called phone numbers and contacts. The caller and contacts will only be populated if the TomTom is paired to a mobile phone. It is optional for a user to import their mobile phone phonebook and so even if it is paired to a phone, this may be blank. The last journey contains details of the last journey that was platted using the TomTom. This last journey is not always stored every time especially if the journey was completed before the device was turned off. (ANDY, S. 2008)

57 6.5.3 The CFG data files

The CFG files contain all the location that has been entered in the device even the ones found in unallocated cluster which has been deleted or overwriting. It means that in an investigation of TomTom devices, the CFG files are one of our main priorities. In this case study, the TomTom One bit stream image has about nine hundred and forty six entries in the CFG files. Clicking on the arrows or by typing the number directly into the box and pressing enter, we will be presented with the address that has been entering into the device. It is also possible to see the previous journey and previous GPS positions of the TomTom In this first entry, we will see the addresses entered into the device including the postcode, house number (if entered) and the latitude and Longitude. The TomTology will even tell us how the address was been entered. (See screen dump below) (ANDY, S. 2008)

(Screenshot of locations found in CFG files)

58 6.5.4 Viewing the address or location in Google Earth

In any of the address found in the CFG files, it is possible to view that address live by clicking on “Google Earth this CFG” and will see the real location of that address. The presence of the latitude and longitude is also a good confirmation that the address has been navigated into by somebody. The first address in the CFG files was selected and presses the tab “Google Earth this CFG”. The Google Earth give use the exact location of the address as found on the map including the names of the neighboring street of that address (See screen dump below)

(Screenshot of a location visited by the TomTom one device)

It is also possible to view this address live if Google-Earth will be able to present to use the street view link. On the about screen dump there is a Street view link which was click and the result of the address in question was been presented to us as it is found today in real life. (See screen dump below.)


(Screenshot from Google Earth of where TomTom one device has been)

6.5.5 The GPS Fix and Last Journey

The last GPS fix shows where the TomTom was when it was turned off or where an uncompleted route was recalculated. This usually happen when the user was not able to follow the instruction of the navigation and the device at some point want to make a new calculation of the route. At this point the device will take where they are at that moment as the “Last Journey Start” and the aimed destination as the “Last Journey End”. This process is call the GPS fix. An example was taken from one of the journey plan found in the CFG files. The user entered an address from McDonald road EH7 13, Edinburgh to Newport Road CF24 1, Cardiff. At some point of the journey, there was an interruption and the GPS needs to calculate a new route for that journey. This was at Leckwith Road, which the GPS took as the “Last Journey Start” and the destination as the “Last Journey End which is still the Original Journey destination which has been entered. From this example, it is possible to deduce that the TomTology software can trace the route of any

60 journey been entered even when the journey was not success full. The entire journey which was enter and delivered successfully will never have a GPS fix and the Last journey information (See screen dump below) (ANDY, S. 2008)

(Screenshot of where GPS Fix information can be obtained)

61 6.5.6 The Orphaned Locations

The Orphaned locations are locations stored on the TomTom that were originally in a CFG file but due to the constant writing to storage, they are no longer found in a CFG file. These have been termed “Orphan Locations.” According to Andy Sayers, these address may be those that the header of the CFG file that were originally residing within has been overwritten and so they would not be present in the “Found CFGs section. These Orphan locations can also be of potential evidentiary value and can be viewed by clicking on the Orphans tab. Functionality has been provided to view each location once if it is identical to another found location. This is enabled by default but can be disabled by clicking on the “Show Unique Hits Only” tick as seen on the screen dump below. It is also possible to show only organs of a certain type e.g. Home or GPS Pos this can be implemented by using the filter drop down menu. These Orphans location will gives us the addresses, the users has entered which can not be found in the CFG files. (ANDY, S. 2008)

(Screenshot of Orphaned location)


6.5.7 Phone Numbers and messages stored in TomTom device

TomTology will automatically scan the TomTom device for any phone numbers stored. It will definitely presents all found numbers under the ‘Found Phone Numbers’ tab. Number on this tab are a combination of both live and deleted phone numbers. This phone numbers can be retrieved only if the TomTom has been paired with a phone. By default only one instance of each phone number is shown, this can be disabled and all duplicates shown by unselecting the unique the ‘Unique Hit Only’ tick. It is also possible to show the possible home numbers by selecting the ‘Show Possible Home Number’ tick. As an example to demonstrate this event was not possible because the TomTom did not paired with any phone as proven. If it was paired with a phone and a text message exchange by the user it would have been possible for use to used the same technique to view the messaging send and received by the user (See screen dump below) ANDY, S. 2008)

(Screenshots of where phone numbers and messages can be found)


6.5.8 The user’s Information

TomTom has the potential to store certain information entered by the owner. This information can be four lines of personal data, chosen by the current user. TomTology will automatically fine this data and display it to you under the ‘Device Info’ tab. It will also display the mobile phone’s blue tooth name and ID if one is paired. The TomTology will scan for any deleted user data or mobile phone pairings as standard during the examination. (See screen dump below)

(Screenshot of the device information and the phone details if been paired)

6.5.9 Production of a report

The TomTology can produce a report of the result of all the location found in the TomTom device. This can be done be clicking on the report button or selecting ‘Export’ then ‘export HTML report. In this section, we can select the type of information we want to include in the report. For example, all the live files, deleted CFGs orphaned locations, phone numbers or any selection thereof. This can be done by clicking on ‘report tab’ and a small window is open where we are prompted to select the type of report we want to view. The report include a definitions page and it self explanatory. (ANDY, S. 2008)

64 (See screenshot below)

(Screenshot of the print form, which we can choose the type of report wanted)

6.5.10 Type of report desired

TomTology also provide us with the opportunity to choose the type of report we want to produce. This report at the end of the day will be presented in a HTML format, which means an Internet connection is paramount in order to produce a report. This report will give us all the locations that have been entered into the TomTom since it was bought. It also provides us with detail information about the Home location, Favorites, and recently entered location. A print of a report was chosen from one of the entries of the user and detail information about the home location and favorite was display. (See Screenshot below)


(Screenshot of a report in a HTML format)

6.5.11 Information gathered from analyzing TomTom one image

TomTology has provides us with a pool of information about the user’s GPS device. It was possible to see all the locations that the user has entered even those that he has not been to, and in addition, we were able to even have the method the user chose to enter the information. The CFG files are where the users entered information is been stored including even text message and phone number. When all this information were analysis a great deal of the user’s movement were revile, and it is very possible to decide where the user has been as opposed to the address been entered.

6.6 Chapter Summary

The analysis of TomTom devices with the use of TomTology can be very rewarding in the digital investigation of GPS receivers. It was possible to bring out all the addresses that the user has entered into the device including phone numbers and messages if, paired with a phone or a blue tooth. It also point out if an address has been entered and the journey not made and also give details of the GPS fix that is when the GPS satellites decide to recalculate a route.

66 Chapter seven 7.0 Evaluation of the experimental process and Reflection 7.1 Chapter Introduction

This chapter deals with the evaluation of the technology used in forensically examine TomTom devices. It point out the imaging process and the analysis process with the use of the different software tools. It also talks on my reflection about the TomTology software that has been used for the analysis and also suggests the possible ways of carrying out the experiment with the software in other to make it more robust and user friendly

7.2 Evaluation of the experimental process

The TomTom devices can be separated into three main types: those with SD card, those with internal hard drive and those with internal flash memory which may contain the SD card slots. Those with SD card slot and internal memory, do stored user’s data on the internal memory. The one that was used in this case study was the one with the internal memory and SD card. As demand, by any digital forensic process, the digital device must be imaged forensically. This forensic image is the process whereby, a software tools is used to copy both the allocated and the unallocated clusters in order to have all the data stored on the device even those that have been deleted or overwritten.

7.3 Imaging process of the TomTom one device

The imaging process of the TomTom one device when on pretty well, and the imaging is different from the standard forensics image which is extracting a hard drive from a system and image it. With TomTom device the imaging must be carried out live which means the TomTom device must be set on. Since it is a device which can communicate with the satellite when expose to the light from the sky, the imaging must be done when the device is cover in a faraday bag or somewhere, there is no electromagnetic signals. In this case, an aluminum foil was used to cover the TomTom device and it was been image

67 in a basement of the school laboratory. The imaging process went on well and after completed the hash value was calculated in order to maintain the integrity of the data been copied. In TomTom device the file of evidential value is found in ‘MapSetting.cfg’ (.cfg file) which is where all the location been enter are stored. The TomTom will always attempt to connect to GPS satellites when powered on, and if successful will update its current location that is by altering the content of the ‘.cfg files’. To remedy this, the USB was connected to the device and to the computer before powering it on. The TomTom will detect the USB connection and ask the user to confirm whether thy wish to connect to the computer. The navigation software is not running whilst the USB connection is active, which simply means that the device will not update the (.cfg files) with its current GPS Fix location. The software used for imaging is the Helix 3 ISO. This is an Ibuntu Linux version which is used to copy digital devices forensically. This imaging process took about ten minutes in imaging and verifying and the imaged copy was not subject for analysis by using the TomTology software tools.

7.4 Analysis of TomTom one image with TomTology software

After the imaging of the TomTom one device the next process was to analyze it to find out if all the locations been entered by the user can be traced and obtain. The file of evidential value is called the (.cfg files). During the analysis the TomTology software was able to carve all the files present in the CFGs and even bring out the number of phone number and text messages if the TomTom device has been paired with a mobile phone. During analysis, the files of forensic interest are: • The files which contain numbers called by the phone paired to the TomTom. It is found in contacts\called.txt. • The files which contain numbers of phones which have called the phone paired to the TomTom (contacts\called.txt) • The files which contain detail of numbers in the address book of the phone paired to the TomTom • • The file containing the incoming text messages The file which contains the out going text messages

68 • The ‘TTGO.bif’ files which contains the device information e.g. serial number and the current home location. • • The setting.dat file which contains the MAC address of a paired phone The directory containing itineraries if any have been entered

TomTology software can analyze the CFG files found and provide us with information of all the above mentioned files system. The TomTology software was able to produce all the locations found in the (CFG files) including the deleted and overwriting files. (Orphaned files).when all these files was analysis, it was then possible to have all the movement of the user of the image TomTom one device. It was also possible to have his favorite and the home location found on the TomTom device that has been entered by the user. A report can also be product that will give us in detail of all the addresses, current location, recent location, and GPS fix of the entire routes been entered by the user.

7.5 The latitude and longitude of a location

In any location been entered in the TomTom device the TomTology software will identify the location with its latitude and longitude. This latitude and longitude are in the WGS84 datum map system. The latitude is the horizontal line in angular distance, in degrees, minutes and seconds of a point north or south of the equator. The lone of latitude are often refer to as parallels, whilst the longitude or vertical line is also the angular distance, in degrees minute and seconds of a point East or west of the prime Greenwich meridian. These latitude and longitude will give us a precision of location as found on the map and moreover it can also be used to calculate the distance between two addresses or location, when subjected under investigation.

7.6 Reflection on the whole process

The whole process of forensic examination of embedded devices, such as GPS receiver is broken down into different thresholds. The forensics investigation of digital evidence has its own rules and principle that must be followed by the forensics community. The process of imaging and analysis of TomTom one device as prescribed by the goals of

69 forensics digital investigation can always be done by one or more tools. In this research, one tool is used for the imaging and the other tool was used for the analysis. The tools use for imaging is an open source tools and that use for analysis is a close source tools or commercial tool. In the further work on forensic investigation of GPS receiver, it would make some sense if one software tool can eventually carry out the process of imaging and analysis as does by many different tools in digital investigation such as Encase and Forensic tool kit (FTK).

7.6.1 The scope of the work

The scope of the research was to confirm or denied whether it is feasible to forensically examine an embedded device such GPS receivers. This work was supposed to be done by using difference software tools in other to compare the result and see if there any irregularities. Unfortunately, every manufacturer of GPS receiver has it own embedded technology that if we want to carry out a forensic analysis on any model; we need to have its own software tool for analysis. Due to financial constraint, it wasn’t possible for us to have all the necessary software tools needed to carry out the experiment separately on different GPS receiver’s models. So if this work is to be done in future, it is demanding to have a software tool that can analyze all the different bit stream image of GPS models.

The project was to provide some sort of evidential value by tracking the movement of the user of a GPS receiver if need be. This was to provide detail information about all the locations and time that a GPS receiver has been visiting since it was bought. We know that in any criminal investigation, the place and time of the offender’s movement is paramount but by using the TomTology software tools in analysis, we could only have all the details of the movement found in a TomTom one image without any time mentioned about any the activities. If the user’s activities was been traced with the time of the event beside it, it would have been fabulous. The further research work will be to bring out the time of the user’s activity besides the location.

70 7.6.2 The TomTology software

The tool has been able to provide us with some detailed information about the movement of the user that is providing us with the address that the user has visited including the latitude and the longitude of every location been mentioned. Since the latitude and longitude give us the precise location on earth as seen by the satellite, it will worth while to incorporate the distance tab in the TomTology software because this will give us an approximate distance of the start and end of a location been enter in our GPS receiver, just by a single click. This will in effect helps in calculating the distance of a criminal location if the offender has been using a GPS receiver in carry out his activities. The TomTology software has the potential to bring out all the file found in the (.cfg), be it deleted or orphaned files but what we do not know, is whether the files were deleted or not from the TomTom one device. Labeling or showing a deleted file as seen in Encase or FTK would have been handier and user friendly because deleted information are often a good lead in digital investigation. The TomTology software provides us with the important features that are needed in digital investigation such as locations, phone numbers, messages and information about the devices but it does not specify whether this information can be obtained from viewing the TomTom devices live or viewing from an image of the TomTom devices. The reason been that we have analysis TomTom one imaged with the use of TomTology software, but we couldn’t fine the user’s information and we couldn’t know if the device has been paired with a phone before or even had any of the location or address been deleted.

71 Chapter 8

8. Conclusion

The forensic examination of an embedded device such as GPS receiver has been carefully researched and experimented with one of the product from one of the largest manufacturer of GPS receiver. There are much different types of GPS receivers but the chosen one was done on the basis of its popularity. The reason of forensically carry out an investigation on a GPS device was to test the feasibility of the forensic investigation of GPS devices as opposed to our standard forensic investigation of digital devices such as computer hard drive. Due to the ubiquity of the GPS device in our contemporary world, the forensics examination of such a device can be used to as a piece of irrefutable evidence in a court of law which can be used to solve some of the serious crimes in the society such as murder, kidnap, grooming, terrorism etc.

The GPS devices is used to help users plan routes, save favorite destination and look up point of interest (POI) such as Filling Stations, Hotels and Restaurants. This device communicate with the satellite which is made up of 27 constellations and out of this 27 constellations, 24 are operational and three reserves. The determination of position may be described as the process of triangulation using the measured range between the user and four or more satellites. These four satellites are required to determine the three coordinates of position and time. The high precision of the time is made possible through the use of the atomic clocks, which is always carried on-board of the satellites.

The most popular GPS device are the TomTom and Garmin but only TomTom was used in the experimental phase of this report due to the difference type of software resources needed in the forensic investigation of any brand of GPS receiver. The TomTom one receiver was been examine forensically following the methodology and principle of carrying out forensic examination in order to credit its admissibility in a court of law. The forensic methodology was been followed form collection to presentation following the Association of Chief Police Officers (ACPO) guide lines. As in any forensic process the

72 digital device under investigation must be image and the hash value calculated in order not to damage or modify the original digital device under investigation and to maintain the integrity the investigation. Some of the TomTom devices have an internal hard drive then with an SD card slot and in this type, the data found in the device are stored in the internal memory thus the when the device is subjected under investigation, a bit stream image of the whole device is done with the use of a USB write blocker.

The bit stream image was carried out of a TomTom one device following the rules and principle of digital investigation. Taking into consideration that the GPS receivers will always communicate with the satellite with switch on which of course will lead to the update of the current location where the GPS receiver was switch-on, a preventive measure was in place by either using a faraday cage or carrying the process where there is no radio interference. And moreover the TomTom one was connected to a USB write blocker then connect to a computer and thereafter the device asked our opinion whether, we intent to put on the device. When these rules are followed the device will not be connect to the satellite because it has been connected to the computer with a write blocked USB cable. The bit stream image was been done with the used of a software known as Helix 3 ISO. This helix 3 ISO is a distribution of Ibuntu Linux operating system which is used in the imaging process of a forensic investigation of digital devices. The imaging process was done under a control environment which means the process was carry out on a bootable CD ROM of Helix 3. When the bit stream image of the TomTom one device was finished a hash value was calculated automatically. This is very important as to maintain the integrity of the process which is of course demanding by the forensic rules and principles of carrying out a digital investigation.

The analysis of the bit stream image of TomTom one device was been done with a software tools called TomTology. TomTom device always stored it activities in a map called CFG files and in this CFG files we can have all the location been entered by the user of the device since it was bought. This TomTology is a new tool developed by Andy Sayers and Paul Weall. This tool has the potentials of providing us with the location type of the following record: (home, favorite, start of last calculated route, POI, location

73 entered by address or by lookup and the GPS fix location). This tool automatically carves out all these location by extracting it from the (.cfg files) including the deleted and overwriting location. This TomTology also provide us with the detail report of the user activity since the device was bought. Beside any location provided a latitude and longitude of the location in question was also given. This tools can parse a live (.cfg files) and other TomTom data file, automatically extract files from a connected TomTom or scan a whole drive to extract deleted location and orphaned location from (.cfg files). It provides the ability to filter out the orphaned locations by type and to filter out duplicates. It also extracts phone numbers found on the device and all this information can be outputted as an HTML report containing location hyperlinks which utilize Google map which we can used Google earth to view a précised location under investigation if it is connected to the Internet.

After carry out the imaging and analysis of the TomTom one device, it is worth while to mention that some of the cloud which was visible around the analysis of a TomTom device such as deleted location, entered location and the journey not made, GPS fix, phone numbers and messages been exchanged by the user, can now be clarified with the use of TomTology software. Thanks to Andy Sayers and Paul Weall of bringing out such explicit software which can parse, extract and organized user’s information from a TomTom device.



Bit stream image

Bit stream image is the copying of both the allocated and the unallocated of a digital storage device.

Cat 5 cross over cable.

This is a cable wire use to connect tow hubs or switches or even two computers together.

CFG files

This is a file in TomTom where all the data entered into the device are stores for example addresses and phone numbers


It is an area of the sky that contains all the stars and other celestial objects within that area. The International Astronomical Union (IAU) divides the sky into 88 official constellations with exact boundaries, so that every direction or place in the sky belongs within one constellation. For example all the satellites for navigation are in one constellation.

Digital evidence

It is data that supports or refutes a hypothesis that was formulated during the investigation. This is a general notion of evidence and may include data that may not be court admissible because it was not properly or legally acquired.

Digital investigation

It a process to answer questions about digital states and events. The basic digital investigation process frequently occurs by all computer users when they, for example, search for a file on their computer. They are trying to answer the question "what is the full address of the file named important.doc?". In general, digital investigations may try to answer questions such as "does file X exist?", "was program Y run?", or "was the user Z account compromised?".


Digital forensic investigation.

It is a special case of a digital investigation where the procedures and techniques that are used will allow the results to be entered into a court of law. For example, an investigation may be started to answer a question about whether or not contraband digital images exist on a computer. An average Microsoft Windows user may be able to answer this question by booting the computer and using the Find Files function, but these results may not be court admissible because steps were not taken to preserve the state of the computer or use trusted tools.

Digital storage

It is a format for storing and backing up computer data on magnetic tape that evolved form digital audio tape for example Secure Digital (SD) card, CD ROM, Hard Disk etc

Embedded system

Embedded system is some combination of computer hardware and software, either fixed in its capability or programmable. It is specifically designed for a particular type of application device.

Hash algorithm

It is the transformation of a string of characters into a usually shot fixed length value or key that represents the original string. This hash function is usually used in order to maintain the integrity of the information been hash. Examples of hash algorithms are the MD5 and the SHA 1


Forensic can be defined as the use of science and technology to investigate and establish facts in criminal or civil courts of law.

Flash memory

Flash is an extension of the floating gate method of manufacturing non-volatile memory. There are two kinds of flash memory namely the NOR

76 and NAND. These two terms are names of types of Global positioning system The Global Positioning System (GPS) was invented in order to geographically position any object or person found on earth in a particular point in time. Airplanes and ships have been using it in order to display through out their journey on a video screen in the passenger cabin their travelling trajectory.


This is the actual GPS Position of the TomTom. It is used as the Origin on a journey.


The latitude is the horizontal line in angular distance, in degrees, minutes and seconds of a point north or south of the equator


The line of latitude are often refer to as parallels, whilst the longitude or vertical line is also the angular distance, in degrees minute and seconds of a point East or west of the prime Greenwich meridian.

Orphaned Locations

It is possible that part of the (dot cfg file) may be overwritten with other data, if this is the case TomTology cannot say whether the found locations are Homes, Recents etc. These are known as orphaned locations.

Slack Space

It is the used space in a disk cluster. The file system of DOS and Windows used fixed size clusters. Even if the actual data being stored requires less storage than the cluster size, an entire cluster is reserved for the file. The unused space is called the Slack Space


It is a destination entered in TomTom either by entering the Postcode or selecting a Point on the Map


Point Of Interest (POI)

TomToms come pre-loaded with certain Points Of Interest and others can be freely downloaded off the internet. These could be police stations, railway stations, Hotels etc.

WGS 84 Datum

It is a standard coordinate reference system developed to describe geographic position for surveying, mapping and navigation


References and Bibliography
THOMAS, M. 2008. Digital Storage in Consumer Electronics: The Essential Guide. First Edn. Oxford. Elsevier Inc. Dr ROBERT, A. 1999 Satellite Engineering Research cooperation. Applied Technology Institute) BUNTING, S. 2008. Encase computer Forensics, The official EnCE: Encase Certified Examiner Study Guide. 2 Edn. Canada. Wily Publishing, Inc LINDA, V. et al. 2006. computer forensics principle and practice. First edn. New Jersey. Pearson Prentice Hall CHRISTOPHER, B. 2006. Computer Evidence Collection and Preservation. First Edition. Hingham. Charles River Media, INC. Andy, S. 2008. The user manual of TomTology software NUTTER, B. 2008. Pinpointing TomTom location records: A forensic analysis. Science Direct. (CANALYS, 2007) The trend of GPS navigation system E-DEFENCE. 2008. HELIX 3 Incidence Response: Electronic Discovery Computer Forensics Live CD. [WWW] Accessed 07/01/2009 Automobile Navigation GPS features (MEHAFFEY JOE. 2007) References used for the final project Forensics Data Recovery from flash memory NANA, L. 2008. Tuxfiles. [WWW]

accessed 10/01/2009


File System Forensic Analysis by Brian Carrier.

Excellence in evidence writing By Bond Solon

Real digital Forensics: Computer security and incidence response. By Jones K Guidance software Encase Forensic Users manual version 6

Forensic Took kit user manual Version 1.71

Logo of the university.from careers website. [WWW] Accessed 18/01/2009 .

Sign up to vote on this title
UsefulNot useful