Advanced forensic techniques for recovering hidden data in wearable devices
TL;DR
- A walk-through of forensic data recovery
- Detailed example of how to retrieve potentially sensitive deleted data
- Includes location, sleep and activity tracking
- Understand the security and privacy implications of wearable device data
Introduction
This blog post covers how forensic skills and tooling can be used to recover potentially sensitive data left on phones from devices such as Google’s Fitbit. The principles and techniques here also apply to similar products with similar functionality.
A Fitbit test account was created for the investigation, and a Fitbit Versa was worn and used over a 3-month period.
The test account was populated with personal information such as height, weight, and a profile picture. Food plans were also added. Apps were downloaded onto the device and posts made on the public dashboard.
Essentially the test account and details replicated those of a true user.
Messages and posts
Messages were exchanged within the app and the profile was changed from public to private to see if certain posts remained visible. Various exercises were automatically tracked by the Fitbit Versa.
Figure 1 – Deleted Messages
To analyse these results, I exported the fitbit.sqlite file from the app’s sandbox on the linked phone and analysed the contents using DB Browser for SQLite. The ‘ZCONVERSATION’ table in the fitbit.sqlite database shows messages that have been sent and later deleted by the user.
Several columns of interest can be seen in Figure 1. ‘ZUNREADMESSAGES’ indicates whether the message has been opened by the user (0) or hasn’t been opened yet (1). ‘ZLASTCHANGED’ provides date and time information relating to when the message was deleted. In this instance, the time shown is 21:44:12, which matches the actual time the message was deleted, recorded for testing purposes at 21:44:12.
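The same review can be scripted rather than done by hand in DB Browser. The following is an added example, not code from the original post: it queries a constructed stand-in for fitbit.sqlite, and it assumes that ‘ZLASTCHANGED’ is a Core Data timestamp (seconds since 2001-01-01 UTC) and that the table has the usual Core Data ‘Z_PK’ key column, neither of which is stated in the post.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumption: ZLASTCHANGED holds a Core Data timestamp, i.e. seconds since
# 2001-01-01 00:00:00 UTC. Confirm against a known event before relying on it.
CORE_DATA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def core_data_to_utc(seconds):
    """Convert a Core Data timestamp to a timezone-aware UTC datetime."""
    return CORE_DATA_EPOCH + timedelta(seconds=seconds)


def build_sample_db(path):
    """Create a constructed stand-in for fitbit.sqlite (sample rows, not real data)."""
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE ZCONVERSATION ("
        "Z_PK INTEGER PRIMARY KEY, ZUNREADMESSAGES INTEGER, ZLASTCHANGED REAL)"
    )
    con.executemany(
        "INSERT INTO ZCONVERSATION VALUES (?, ?, ?)",
        [(1, 0, 602891052.0), (2, 1, 602894700.5)],  # constructed values
    )
    con.commit()
    con.close()


def conversation_timeline(path):
    """Return ZCONVERSATION rows ordered by ZLASTCHANGED, with UTC times."""
    # mode=ro opens the working copy read-only so the query cannot alter it.
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        rows = con.execute(
            "SELECT Z_PK, ZUNREADMESSAGES, ZLASTCHANGED "
            "FROM ZCONVERSATION ORDER BY ZLASTCHANGED"
        ).fetchall()
    finally:
        con.close()
    return [
        {
            "pk": pk,
            "opened": unread == 0,  # per the post: 0 = opened, 1 = not yet opened
            "last_changed_utc": core_data_to_utc(ts).isoformat(timespec="seconds"),
        }
        for pk, unread, ts in rows
    ]
```

The converted values are UTC, so they need shifting to the device's local time zone before being compared with a locally noted time such as the 21:44:12 above.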
Sleep data analysis
Figure 2 – Sleep Consistency
The details provided on user sleep and location are important to note. The ‘ZSLEEPCONSISTENCY’ table (Figure 2) shows the consistency levels of the user’s sleep data, and ‘ZSLEEPLOG’ shows sleep data. We can see the efficiency level of the sleep; this can give further insight into which instances of sleep may be considered abnormal for the user.
The ‘ZLEVELDATA’ column is much more detailed and provides an overview of the date and time the sleep occurred as well as every instance where the user had woken up and for how long. This section also shows how long the user was active in light, deep and REM sleeping instances.
This column also includes the time in seconds that the user was restless for and at what time waking occurred. This data can become extremely confusing to analysts if they are not aware of what the information means.
Figure 3 – Sleep Data
Figure 3 shows the time the user fell asleep. The user was recorded by the Fitbit Versa to have fallen asleep on 08/02/2020 at 23:09:00. The table also details when the first instance of broken sleep occurs. To follow the example of the first line, the user wakes up for 840 seconds and then falls back to sleep on 08/02/2020 at 23:23:00. If investigators have pinpointed a specific date and time they are interested in, this data becomes extremely important in proving or disproving an incident.
Steps
Tools like XRY can be used to parse data to provide a list of the daily steps taken by the user, and analyse those steps further by producing a graph which shows how many steps were taken each hour. Figure 4 shows the number of steps taken on a certain day and more specifically, how many of those steps were completed in each hour.
Figure 4 – Hourly Steps
Activity tracking
Data regarding user activities is in the ‘ZFBACTIVITYLOG’ table shown in Figure 5. ‘ZACTIVEMINUTES’ shows the number of minutes the user was active during the activity. This can then be brought together with the subsequent columns. ‘ZAVERAGEHEARTRATE’ shows what the user’s average heart rate was during this activity – this combined with the active minutes can help figure out what activity was taking place.
Figure 5 – User Activities
Although Fitbit attempts to predict what activity is taking place, this is not always accurate: numerous biking activities that had not taken place were recorded on this account. ‘ZCALORIES’ provides an estimation of how many calories were burned during the activity.
The ‘ZHASGPS’ column proves to be of great interest for forensic investigations. Where GPS has been used, a 1 will be shown in this column and where GPS was not used, a 0 is shown. Where GPS has been used, the distance covered will be shown. ‘ZDURATIONACTIVE’ and ‘ZDURATIONOVERALL’ depict the overall duration of an activity and the amount of time an individual was active, measured in seconds. Again, where GPS is used the column ‘ZSPEED’ gains significance as the speed the user was travelling during the activity can be tracked by the Fitbit device.
Figure 6 – Activity Log
The ‘ZNAME’ section shows the workout that either the user has manually started, or the device has automatically predicted, using the Fitbit Versa’s smart tracking feature. All the activities listed here are accurate, apart from the bike activities, which the Fitbit Versa has automatically recorded but did not take place. ‘ZSOURCETYPE’ shows the source device that recorded the activity. This information derives from tables ‘ZFBACTIVITYLOG’ and ‘ZFBLOCATION’ – which evidence the activity taking place and the location of the activity.
Figure 7 – GPS Activity Information
Figure 8 – Automatically Tracked Run
Figures 7 and 8 show automatically tracked activity information containing GPS data. This feature, as well as the enabled location data, is on by default. There are 548 waypoints in this 10-minute journey.
What’s next? GPS data…
Location tracking with GPS
Figure 9 shows an overview of the location in which the automatically tracked, 10-minute activity took place, based on GPS data stored on the Fitbit device. This activity contained a total of 548 entries, which equals 548 seconds of GPS data being recorded. Fitbit records location activity on a second-by-second scale, resulting in accurate results. These 548 instances can then be detailed further, to discover where the activity took place in Liverpool.
Displaying this was done by extracting the Fitbit account GPS co-ordinates from the linked mobile phone and putting them as an overlay in Google Maps.
Figure 9 – Tracked GPS Data
Figure 10 – Mapped GPS Data
Figure 11 – Second-by-Second GPS Data
Because it is recorded second by second, this location data is extremely accurate.
Figure 12 – Automated GPS Recordings
As mentioned, the Fitbit Versa uses smart tracking features. They infer what activity a user is performing by constantly recording their movements. When the tracker has an idea of what activity is being performed, this is recorded and uploaded to the Fitbit application. I will now show the results of activities that have been automatically tracked by the watch over a period of just a few months:
Figure 13 – Detailed GPS Entries
Figure 13 shows where most of the location data is concentrated; this coincides with the home address of the user. The instance depicting over 1600 GPS entries is where the user resides. Further analysis of this address again provides a detailed, second-by-second overview of the user’s whereabouts.
The above GPS recordings were not manually recorded by the user; these activities were in fact activated by Fitbit’s SmartTrack feature, which then links with the paired mobile phone to produce accurate connected GPS recordings.
The sheer amount of data stored at this address indicates that this is where a lot of activity takes place. Forensic analysis of this data and the resulting information could be used in many ways. Users may be unaware of the automatic tracking that is used across Fitbit’s newer models.
Figure 14 – Further Detailed GPS
Figure 14 above shows further insight into the user’s activity in and around their residential area. We can see over 1,000 GPS entries at the user’s home address. 643 of these entries appear to have come from the user’s garden.
This could indicate that the user frequently performs exercise in their garden, and as a result SmartTrack has been used, causing GPS activity to take place. Fitbit automatically tracks walking exercises; however, that does not activate GPS. Running does activate GPS tracking on the Fitbit Versa device. This in effect can build a user profile, where investigators can gain an understanding of the user’s typical exercise routes and where they spend the most time performing high intensity activities.
Further analysis of the GPS activities that have been automatically recorded by the device shows what looks like the user attending university.
Figure 15 – Further GPS Data
To uncover the exact location of the individual in the university building. In terms of comparing this to a real-life scenario, this data could potentially help uncover a missing person – to the point where an individual could potentially be located at the exact building and room where they are residing, via the recovery of Fitbit data from the cloud.
Figure 16 – GPS Data from the cloud
Figure 16 above depicts further analysis of the highlighted area. Using Google’s measuring feature within the My Maps segment, the distance from the entrance to a location not far from the entrance where many location pinpoints are located can be measured. I believe that the 19 metres distance between the initial pinpoint and the area containing a vast amount of GPS data evidences both the entrance to the building and the set of stairs on the first floor of the building.
Given that the SmartTrack feature used on the Fitbit device tracks continuous and high movement, it would make sense that the stairs ‘exercise’ has been recorded on more occasions than anywhere else in the building.
Figure 17 – Location image
The automatically recorded GPS pinpoints evidenced where the user has entered the building, climbed the stairs shown above, and then walked towards another set of stairs – where the user frequently walked up 7 flights of stairs to reach the computer science department.
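The waypoint counts per location and the point-to-point distance measured in My Maps above can also be computed directly from exported coordinates. This is an added example, not the author's tooling: the coordinates are constructed and arbitrary, and the input is assumed to be a list of (latitude, longitude) pairs already extracted from the location table, with one fix per second as the post describes.

```python
import math
from collections import Counter

EARTH_RADIUS_M = 6371000.0  # mean Earth radius


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def track_summary(points):
    """Summarise one track recorded at one waypoint per second."""
    length = sum(haversine_m(p, q) for p, q in zip(points, points[1:]))
    seconds = max(len(points) - 1, 0)  # elapsed time between first and last fix
    return {
        "waypoints": len(points),
        "length_m": length,
        "mean_speed_mps": length / seconds if seconds else 0.0,
    }


def dwell_cells(points, precision=4):
    """Count waypoints per grid cell; 4 decimal places is roughly 11 m of latitude."""
    cells = Counter((round(lat, precision), round(lon, precision)) for lat, lon in points)
    return cells.most_common()


# Constructed sample data: coordinates are arbitrary and not from the post.
SAMPLE_TRACK = [(10.0 + i * 1e-5, 20.0) for i in range(548)]
SAMPLE_POINTS = [(10.00001, 20.00001)] * 5 + [(10.01002, 20.01003)] * 2

if __name__ == "__main__":
    print(track_summary(SAMPLE_TRACK))
    print(dwell_cells(SAMPLE_POINTS))
    print(round(haversine_m((10.0, 20.0), (10.00017, 20.0)), 1), "m")
```

Cells with the highest counts correspond to the dense clusters seen on the map, and the mean speed gives a value to cross-check against the ‘ZSPEED’ column for the same activity.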
Further analysis
To continue the database analysis, fitbit.*UniqueID*.db contains a lot of significant information relating to the user account; analysis of the settings.dat file evidences this.
This file can be found at the following location: Users/*User*/AppData/Local/Packages/Fitbit.Fitbit_6mqt6hf9g46tw/Settings/settings.dat
The first section of significance in this file is ‘Fitbit.ProfileId’; this section shows the user ID of the Fitbit account.
Figure 18 – Fitbit Profile ID
Figure 19 – Fitbit Email Address
The user’s email address used to sign up to Fitbit can be found in the ‘Fitbit.LastUser’ section within the settings.dat file. This has been converted from its hexadecimal value to ‘███.████████@2016.ljmu.ac.uk’ (redacted), evidenced in Figure 19.
Figure 20 below shows instances where the Fitbit Forensics account has been accessed. The timestamp shows the time and date when this occurred; we are then provided with the user’s email address used to sign in and the location where the action took place.
As well as this, Figure 21 shows further information from the data recovered from the ‘Account_Access_Events_1.csv’ file. This section evidences the IP address used to access the account. The outcome section shows whether account access was successful or not, and the device_info column evidences the device used to access the account; this may include information relating directly to a mobile phone or computer.
Figure 20 – Fitbit Logins
Figure 21 – Further Information
In summary, the aforementioned points highlight significant security risks for consumers. The integration of smart tracking features in IoT devices, which are often activated by default, allows for precise monitoring of users’ movements and locations. Should a user’s sensitive information fall into the wrong hands, the potential for harm is considerable and warrants serious attention.
Privacy concerns and legal issues
Recently, Fitbit has faced a trio of privacy complaints in the European Union, alleging that the company is illegally exporting user data in violation of the EU’s General Data Protection Regulation (GDPR). The complaints, filed by the noyb privacy group, argue that Fitbit forces users to consent to international data transfers to the US and other countries with different data protection laws, which does not meet the GDPR’s standards for informed, specific, and freely given consent.
Users are reportedly unable to withdraw consent without deleting their accounts, which would result in losing all their tracked data. The complaints have been filed with data protection authorities in Austria, the Netherlands, and Italy.
There are ongoing concerns about the security of the data collected by Fitbit devices and how well it is protected against breaches. Given the sensitive nature of health data, there is significant scrutiny over how this information is stored and protected.
Reports have highlighted that while Fitbit and Google claim to use data responsibly, there is a lack of transparency about how the data is used and shared, raising concerns about potential misuse or insufficient protection against cyber threats. The combination of Fitbit’s health data with Google’s other data has also raised fears about potential discrimination and exploitation in areas like healthcare and insurance.
Privacy advice
These are some simple steps to disable default tracking features:
Disable Smart Tracking
- Launch the Fitbit app on your phone.
- Go to Account. Tap on your profile picture in the top left corner to access your account settings.
- Select Your Device. Choose your Fitbit device from the list.
- Exercise Shortcuts. Scroll down and tap on “Exercise Shortcuts.”
- SmartTrack Settings. Look for the SmartTrack section and tap on it.
- Disable Activities. You can toggle off the activities you don’t want SmartTrack to automatically recognize and record.
Turn Off GPS
- On your Fitbit device, open the Exercise app.
- Select Exercise. Tap on the exercise you want to disable GPS for.
- Access Settings. Swipe up to access the exercise settings.
- Disable GPS. Locate the GPS option and toggle it off.
Turn Off Location Services in the Fitbit App
- On your phone, go to Settings > Apps > Fitbit > Permissions.
- Turn off the location permission for the Fitbit app.
Turn Off All-Day Sync
- Open the Fitbit app on your phone.
- Go to Account. Tap on your profile picture, then select your device.
- Disable All-Day Sync. Toggle off the All-Day Sync option.