Every Step You Take: Application and Network Usage in Android
Jessica Hyde
Director of Forensics – Magnet Forensics
Adjunct Professor – George Mason University
June 8, 2018

Jessica
SANS DFIR Summit - 2018
Director of Forensics, Magnet Forensics
Adjunct Professor, George Mason University
Previous:
• Basis Technology
• Ernst and Young
• American Systems
• United States Marine Corps

Traditional Mobile Analysis
Focus on App analysis Artifacts First
● Web Browsers
● Chat App
● Email

Traditional Mobile Analysis
Digging for Application Data
● Taught in courses, i.e. FOR585
● Methodology for unsupported app data
○ Discover
○ Test
○ Find
○ Parse
○ Script

Why Android Application Usage Analysis
● We do this for computer investigations!
○ OS Artifacts
● Why don’t we apply this concept to our Android applications?
● Why would it be useful?

Using Application Analysis
● Pattern of Life Analysis
● Showing a lack of a particular usage
● Supporting artifacts for sync’d data

com.vending.Android
● Tracks purchases BUT
● It LIES!
○ Multi-user
○ Second Device
● \data\com.android.vending\databases\library.db

Android Usagestats
● Tells you what file was in the foreground, background, etc.
● \data\system\usagestats\0\
● ..\daily, \monthly, \weekly, \yearly
● .xml file named as epoch timestamp

Android Usage History
● https://developer.android.com/reference/android/app/usage/UsageEvents.Event
○ User Interaction
○ Move to Foreground
○ Move to Background
○ Configuration Change

Battery Status
● Monitors Battery usage
● system\batterystats-daily.xml
● \data\data\com.google.android.gms\shared_prefs\Batterystats.xml
● Think of this as SRUM for Android

BatterystatsDumpsysTask
● \data\data\com.google.android.gms\files\BatterystatsDumpsysTask.gz

Recent Images
● \system_ce\0\recent_images

Recent Tasks
● \system_ce\0\recent_tasks
● task_id - 244
● effective_uid = 10103
● first active time = 1526045035484
  May 11, 2018 1:23:55:484 PM
● last active time = 1526045600000
  May 11, 2018 1:33:20 PM
● last time moved = 1526045563392
  May 11, 2018 1:32:43:392

Snapshots
● \system_ce\0\shortcut_service\ snapshots

3rd Party
● com.cleanmaster.security
○ On lots of devices
○ Logs battery usage
○ Logs application usage

Cheetah Mobile Apps
● media\0\Android\data\com.cleanmaster.security\files\logs\
● media\0\Android\data\com.cleanmaster.security\files\logs\AppLockLog
● media\0\Android\data\com.cleanmaster.security\files\logs\PerfMetricsReport

Google Cloud Activity
● Takeout
○ Download “My Activity” from https://takeout.google.com/u/1/settings/takeout with credentials

Putting it all together

| Artifact | Task ID | Effective UID | App | Event | UNIX Timestamp | Date and time |
|---|---|---|---|---|---|---|
| com.vending.android | | | com.twitter.android | Purchase | 1524064586032 | 4/18/18 3:16 PM |
| uid stats | | 10103 | com.twitter.android | UID Stats Twitter Cell | 1526040000 | 5/11/18 12:00 PM |
| recent tasks | 244 | 10103 | com.twitter.android | first active time | 1526045035484 | 5/11/18 1:23 PM |
| snapshots | 244 | | Twitter | jpg of @CollinRusty twitter page | | 5/11/18 1:25 PM |
| snapshots | 244 | | Twitter | reduced .jpg of @CollinRusty | | 5/11/18 1:25 PM |
| recent tasks | 244 | 10103 | com.twitter.android | last time moved | 1526045563392 | 5/11/18 1:32 PM |
| snapshots | 244 | | Twitter | .proto file | | 5/11/18 1:32 PM |
| recent tasks | 244 | 10103 | com.twitter.android | last active time | 1526045600000 | 5/11/18 1:33 PM |
| uid netstats | | 10103 | com.twitter.android | UID Stats Twitter Cell | 1526040000 | 5/11/18 2:00 PM |

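The timeline above mixes millisecond epoch values (purchases, recent tasks) with a second-resolution value (uid stats). The following Python is an added example, not part of the original slides: it normalizes both units to UTC and merges the rows into one sorted timeline. The XML attribute names, the activity name and the seconds-versus-milliseconds threshold are assumptions to verify against the device image.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample: one recent_tasks entry carrying the values from the
# slide. Attribute names and the activity name are assumptions.
RECENT_TASK_XML = """
<task task_id="244" effective_uid="10103"
      real_activity="com.twitter.android/.ExampleActivity"
      first_active_time="1526045035484"
      last_active_time="1526045600000"
      last_time_moved="1526045563392" />
"""

# Rows from other artifacts, with the raw epoch values given in the table.
OTHER_ROWS = [
    {"artifact": "com.vending.android", "app": "com.twitter.android",
     "event": "Purchase", "epoch": 1524064586032},
    {"artifact": "uid stats", "uid": 10103, "app": "com.twitter.android",
     "event": "UID Stats Twitter Cell", "epoch": 1526040000},
]


def epoch_to_utc(value):
    """Convert an epoch value in seconds or milliseconds to an aware UTC datetime.

    Values of 1e11 or more are treated as milliseconds: read as seconds they
    would fall past the year 5000, read as milliseconds they are 1973 or later.
    """
    value = int(value)
    if value < 0:
        raise ValueError("negative epoch value")
    if value >= 10**11:
        return EPOCH + timedelta(milliseconds=value)
    return EPOCH + timedelta(seconds=value)


def parse_recent_task(xml_text):
    """Turn one <task> element into one event row per timestamp attribute."""
    task = ET.fromstring(xml_text)
    app = task.get("real_activity", "").split("/")[0]
    rows = []
    for attr in ("first_active_time", "last_active_time", "last_time_moved"):
        raw = task.get(attr)
        if raw is None or raw == "0":  # attribute absent or never set
            continue
        rows.append({"artifact": "recent tasks",
                     "task_id": int(task.get("task_id")),
                     "uid": int(task.get("effective_uid")),
                     "app": app,
                     "event": attr.replace("_", " "),
                     "epoch": int(raw)})
    return rows


def build_timeline(rows):
    """Attach a UTC datetime to every row and sort chronologically."""
    timeline = [dict(row, utc=epoch_to_utc(row["epoch"])) for row in rows]
    return sorted(timeline, key=lambda r: r["utc"])


def format_timeline(timeline):
    """Render rows as fixed-width text lines with millisecond UTC timestamps."""
    lines = []
    for r in timeline:
        stamp = r["utc"].strftime("%Y-%m-%d %H:%M:%S.%f")[:-3] + "Z"
        lines.append("{}  {:<20} {:<24} {}".format(
            stamp, r["artifact"], r["event"], r["app"]))
    return lines


if __name__ == "__main__":
    rows = OTHER_ROWS + parse_recent_task(RECENT_TASK_XML)
    for line in format_timeline(build_timeline(rows)):
        print(line)
```

Keeping the raw epoch value in each row lets a reviewer re-check the conversion against the source artifact.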
• Founded in 2007
• Headquartered in San Francisco, California, USA
• On December 7, 2016, Fitbit officially announced that they acquired assets from Pebble
• January 2017, Fitbit acquired Romania-based smartwatch startup Vector Watch SRL
• June 2011: Fitbit criticized for its website's default activity-sharing settings, which made users' manually-entered physical activities available for public viewing
• Some users were including details about their sex lives in their daily exercise logs, and this information was, by default, publicly available

• Fitbit as evidence in investigations:
• “Woman’s fitness watch disproved rape report”
• http://abc27.com/2015/06/19/police-womans-fitness-watch-disproved-rape-report/
• http://fusion.net/story/158292/fitbit-data-just-undermined-a-womans-rape-claim/
• “When Fitbit Is the Expert Witness” (personal trainer – civil case)
• https://www.theatlantic.com/technology/archive/2014/11/when-fitbit-is-the-expert-witness/382936/
• http://theconversation.com/how-your-fitbit-data-can-and-will-be-used-against-you-in-a-court-of-law-34580
• “Big Brother was definitely watching as George Burch killed Nicole VanderHeyden”
• https://www.greenbaypressgazette.com/story/news/2018/03/04/big-brother-phone-george-burch-nicole-vanderheyden-murder-trial-gps-fitbit-snapshot-google/390236002/

Fitbit – Profiles
How this could help
• Name associated to User ID
• Personal info / profile pic
• Stride length could come in handy depending on your case

Caveats
• Stride length calculated by using your gender and height (user entered)
• Can be adjusted
• https://help.fitbit.com/articles/en_US/Help_article/1135

Fitbit – Steps
How this could help
• Great evidence to show a person’s level of activity, time of activity, and amount at a particular time
• Ties back to the false rape case
• Presence/lack of movement during a crime

Fitbit – Floors Climbed
How this could help
• Indicates overall activity for the day
• Can show a trend of activity over a number of days

Fitbit – Heart Rate
How this could help
• Great indicator of the user’s physical exertion at points in time (5 min segments)
• Can especially help if graphed over time
• Why was there a spike at specific time? (e.g. time crime committed)

Fitbit – Sleep
How this could help
• Another very helpful indicator
• Remember the false rape case mentioned earlier
• Place someone at specific times
• Some questions around time awake/time asleep numbers