![]() Where VOICE_STRING looks like a localized pronunication guide for the system. Due to our lack of test devices, we can't guarantee the vehicle was at the exact location spoken but it might be used to show the user was in or aware of the area.Īs an example, the voice log contained lines like:ĭ Map Phonetics: VOICE_STRING (MDB Lang: 23) ![]() This text file appears to chronologically log GPS spoken instructions. However, BJ also brought our attention to an interesting artifact that spawned this post. Searching the entire dump for the " trkpt" and " trkType" keywords did not find any GPX formatted data though. Looking up the file format for GPX logs showed that they are XML text files which use certain keywords/field names to record the latitude and longitude. I'm not sure why there was a discrepancy - perhaps it was due to regional differences or the user settings? Sasha from Rusolut confirmed that his test unit had these files. gpx files (which did not exist in our device). It also mentioned a GPX directory with references to. Unknown file format which possibly contains the current trip log?Ĭontained various settings, version and model info. However, the file also contained non-ASCII/binary bytes.įAT16/.System/SQLite/quick_search_list.dbĬontained potential timestamped search information.Ĭontained ASCII latitude/longitude strings (search for "GPS main") Note: Garmin timestamps measure seconds since (Garmin launch date) - see here for further details.īy adding 631065600 seconds to the Garmin numeric timestamp, you have the number of seconds since the 1970 Unix epoch which then makes it easier to find the human readable time (there are more tools supporting Unix epoch time than for Garmin time).Ĭontained possible latitude/longitude coordinates with timestamps. The "history" table had start latitude/longitude, end latitude/longitude and start times. The "route_segment" table contained timestamp and latitude/longitude route info (unsure if these were travelled). By multiplying these raw numbers by 180/2^31, we were able to obtain plottable latitude/longitude coordinates. Note: This was based on the contents of ONE device, other devices/models probably store their data differently.Ĭontained a "history" table with scaled latitude/longitude numbers. ![]() Some noteworthy files were found while looking for timestamped latitude/longitude coordinates. Maybe Garmin used 8 GB chips for commonality/ease of upgrade reasons?) There were 2 extracted partitions - FAT16 (128 MB) and FAT32 (3.3 GB - a little smaller than expected. Sasha from Rusolut suggested using R-studio to recover/extract the filesystems from the dump. Unfortunately, the first 512 byte sector of the dump did not end with the usual 55AA for an MBR so we needed to find a way to extract the filesystems. Ken from Berla advised that Garmin usually use a FAT32 partition which contains the GPX tracklogs. X-Ways, Autopsy, Oxygen Forensic Detective and FTK Imager did not recognize partitions from the dump.Ĭellebrite Physical Analyzer's Garmin Legacy chain also did not not extract any information from the dump.ĪSCII plaintext was visible in dump though so not all hope was lost. Multiple reads of the chip produced the same hash so the chip seemed pretty stable. Unfortunately, our device was damaged beyond repair so chipoff was our only option. Google found an interesting paper from around that time - "Garmin satnavs forensic methods and artefacts: An exploratory study" by Alexandre Arbelet (August 2014).Īnd while it did not cover our model, it mentioned GPX files as a potential source of GPS tracklogs. Wikipedia states it was released in 2014. Our story begins with a damaged Garmin nuvi 56LM which "provides easy-to-follow, spoken turn-by-turn directions with street names". Katie Russ for creating her helpful website Ken Case from Berla for his advice regarding GPS data logsīenjamin "BJ" Duncan for sharing his findings regarding the voice log Sasha Sheremetov from Rusolut for his advice with the data recovery Special Thanks to the following people for their assistance: It was a bit of an unusual process so we thought it might be interesting to share the story.Īs a result of this effort, monkey wrote a Python3 script ( parse_garmin56LM.py) that uses the free espeak-ng library to convert the Garmin 56LM voice log text to WAV files for better place name recognition. We had a damaged Garmin nuvi 56LM GPS unit from which we recovered a text file containing a voice log. Wait a minute monkey, did you say Carmen or Garmin?
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |