An interesting tidbit about the Android AGPS capability was discovered while just driving around testing the Faraday Pouch from forensicfonefabric.com. First, the Faraday Pouch is an easy way to isolate a device: drop it into the bag and snap the metal closure shut, like the old school plastic coin clams you keep your change in; pinch the edges and it opens back up. The bag also has a see-through mesh front that lets you watch the device, check the phone's status and press the keys to quickly put it into standby mode. Once in standby mode you can remove it and do your processing, isolated from the carrier's cell signals. Enough about the pouch; let's talk about the testing.
The device I used was a Samsung Fascinate running Android FroYo, fully charged and operational. The test targeted not only the cellular signal but also the GPS signal; the aim was to see whether AGPS is blocked as well.
I started a running application called Runtastic and was immediately shown the blue dot on the screen at my exact location, my office. Runtastic lets you track not only the route but also the time and miles. I jumped on the road and, approximately 1 mile from the start, checked the device. On the map the blue dot was now hovering at my NEW location, showing a blue track from the start to my current position. All seemed to be working correctly with the device and the Runtastic software. At this new location I placed the device into the Faraday Pouch from forensicfonefabric.com. I observed the signal bars dive to none and then continued my journey. Immediately I noticed that the blue dot still remained at the location where I had placed the device into the pouch. This was what I believed would occur, but I continued to monitor the blue dot. The time on the device continued to advance but the mile indicator remained the same. Again, this was not a new revelation and of course was expected. I completed the journey and arrived back at the location where I had started, my office. It was when I removed the device from the pouch that I had the "huh?" moment.
When the device was removed it regained its signal from the carrier and I watched the Runtastic application show my current position via the blue dot; of course this was expected. It was when I noticed a new path emerge from the location where I had placed the device into the pouch back to my office that I dropped the brick. The device, or application, actually filled in the track, even showing the path in blue! Let me break this down a little further. I looked at the overview map, which showed the initial path FROM the office to the point where I placed the device into the pouch and then BACK to the office along the same route. What was missing was the track from the place where I placed the device into the pouch and the additional 1.5 miles driven while it was isolated. When I removed the device from the bag it FILLED IN the path by estimating my route from the location where I placed the device in the bag BACK to the OFFICE, still missing the other 1.5 miles. So the device appeared to assume I had just stopped and turned around, going along the same route back to the OFFICE where the signal was picked up again. What are the implications for an examiner?
The implications of this find for an examination of a device pile up quickly. For example, what if the owner of the device you are examining for a criminal trial suddenly lost service and then regained it? The device, believing it is smart, fills in the missing data and completes the trip by connecting the dots. We extract that data from the application's cache, put it together for trial and rest our testimony on this particular find, when the data may be nothing more than a guess by the device. As I saw on my own track, the filled-in segment may well not be the actual street or path taken. That is a huge deal for court purposes. How can we overcome this?
Knowing that service may have been inhibited, either by deliberate manipulation (a pouch, a basement, airplane mode) or by ordinary network conditions, it is very important to determine whether the device actually had a network connection at the time of the incident. This can be done by looking for network activity at that particular time: calls made or received, packets transmitted, SMS/MMS sent or received, and similar records. If that research shows the device did use these services at that time, we have reasonable grounds to treat the AGPS-derived positions as genuine recorded fixes. If we cannot establish it, treat ANY location data very cautiously when examining devices capable of storing this kind of record, because a continuous-looking track can hide a gap that the application bridged on its own.
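As an added illustration, not code from the original post and not Runtastic's own data format, here is a small Python script that carries out the corroboration step above on a constructed track. It finds holes in the fix cadence and then checks whether any call, SMS or data event falls inside each hole; a hole with nothing inside it is the situation described in the test, where the path drawn across it was the application's guess. The record layout, timestamps, coordinates and event names are all assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample data, not extracted from any real device or from Runtastic.
# A track of (UTC timestamp, latitude, longitude) fixes: one fix per minute until
# 14:02, then a 20-minute hole while the device sat in the Faraday pouch, then
# fixes resume once the device was taken back out.
TRACK = [
    ("2011-05-10T14:00:00", 38.8977, -77.0365),
    ("2011-05-10T14:01:00", 38.8990, -77.0350),
    ("2011-05-10T14:02:00", 38.9003, -77.0335),
    ("2011-05-10T14:22:00", 38.8990, -77.0350),  # first fix after the pouch came off
    ("2011-05-10T14:23:00", 38.8977, -77.0365),
]

# Network activity for the same period, as an examiner would pull it from the
# call log, SMS store and data-usage counters: (UTC timestamp, event kind).
# Also constructed; note that nothing falls between 14:02 and 14:22.
NETWORK_EVENTS = [
    ("2011-05-10T13:58:10", "sms_received"),
    ("2011-05-10T14:01:30", "data_session"),
    ("2011-05-10T14:22:40", "call_received"),
]


def parse_ts(ts):
    """Parse an ISO-8601 timestamp string into a datetime."""
    return datetime.fromisoformat(ts)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS-84 points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    dlat, dlon = lat2 - lat1, lon2 - lon1
    a = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def find_gaps(track, max_gap_seconds=120):
    """Return every pair of consecutive fixes separated by more than max_gap_seconds.

    Each gap records the bounding timestamps, the elapsed seconds, and the
    straight-line distance between the two fixes. That distance is all the
    recorded data supports; any route drawn between the fixes is interpolation.
    """
    gaps = []
    for (t0, la0, lo0), (t1, la1, lo1) in zip(track, track[1:]):
        start, end = parse_ts(t0), parse_ts(t1)
        elapsed = (end - start).total_seconds()
        if elapsed > max_gap_seconds:
            gaps.append({
                "start": start,
                "end": end,
                "elapsed_s": elapsed,
                "straight_line_km": haversine_km(la0, lo0, la1, lo1),
            })
    return gaps


def events_within(events, start, end):
    """Network events whose timestamp falls inside [start, end]."""
    return [(t, kind) for t, kind in events if start <= parse_ts(t) <= end]


def assess_track(track, events, max_gap_seconds=120):
    """Annotate each gap with whether the device demonstrably had service during it.

    A gap with no network activity inside it is the case the post describes: the
    device may have been isolated, and a path across the gap is an application
    guess, not a recorded position.
    """
    report = []
    for gap in find_gaps(track, max_gap_seconds):
        inside = events_within(events, gap["start"], gap["end"])
        report.append({**gap, "network_events": inside, "corroborated": bool(inside)})
    return report


if __name__ == "__main__":
    for gap in assess_track(TRACK, NETWORK_EVENTS):
        status = ("corroborated by network activity" if gap["corroborated"]
                  else "UNCORROBORATED: treat any path across this gap as interpolated")
        print(f"{gap['start']:%H:%M:%S} -> {gap['end']:%H:%M:%S} "
              f"({gap['elapsed_s']:.0f} s, {gap['straight_line_km']:.2f} km straight line): {status}")
```

The 120-second threshold is an assumption; set it from the application's normal fix interval, which you can read off the undisturbed part of the same track. The straight-line distance is reported deliberately: it is the only quantity the two surviving fixes actually establish, so a filled-in route that is much longer than it, or that implies an impossible speed, is a further sign the segment was synthesised rather than recorded.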
This phenomenon is also evident on iOS devices when working from the consolidated.db file. I will be testing the Runtastic application on that OS using the same methods outlined above for the Android device, and I will be looking at other location-based applications on both operating systems, because this information, if not explained, can come back to haunt us should we use it without corroborating it with additional evidence.