Projects:2017s1-165 Forensic Investigation of Fitness Devices
Contents
Project Group Members
Sanjam Kohli
Yuan Li
Project Supervisor
Dr. Matthew Sorell
Introduction
High-tech wearable devices have always been objects of interest in science fiction. From cheap plastic activity bands or rudimentary watches, these gadgets have evolved into elegantly designed devices that can provide greater connectivity, location services, and more importantly, incredible insights into people’s health. These nifty instruments have the capability to monitor a consumer’s heart rate, sleep patterns, and even one’s blood oxygen levels. The smartwatch and fitness band market is dominated by global technology leaders Apple, Samsung, and FitBit. More than 50% of the Australians now own a smartwatch [1]. As these devices are being adopted by a growing number of users, there is an increasing potential for them to become a haven for digital evidence in criminal investigations.
Aim
The project aims to explore the use of wearable fitness devices as forensic evidence, and to establish movement and activities of victims or suspects involved in a homicide investigation. This was achieved by analysing the heart beat and activity records which can be extracted and analysed from the Apple Watch and a FitBit device or their respective paired phones.
Motivation and Significance
A victim’s time of death is crucial to every criminal investigation. Currently, it is extremely challenging to determine the time of death in a homicide investigation using conventional methods. The project attempts to develop a mechanism to establish a more accurate timeline of the incident and a precise time of death using the heart beat and activity logs extracted from fitness devices. The method devised could further assist the South Australian Police (SAPOL), and other law enforcing agencies in future investigations.
Technical Background
Determining the time of death
Estimating the time of death is very crucial to a homicide investigation. It is a critical element of the case timeline. A specific and accurate time of death can corroborate any statements given by suspects in a crime. Despite years of research by forensic experts, no conclusive method has been devised to estimate a victim’s time of death. Presently, the estimation is based on various case specific factors and pathological changes in the human body like changes in body temperature, muscle stiffness, and lividity. In the absence of any witnesses, the complexity of this process increases. By using the current methods, the time of death is usually placed within a range of hours. These processes are highly subjective to errors, and thus it is ‘utterly impossible’ to fix an exact time [2].
Resting and Active Calories
The Basal Metabolic Rate (BMR) is defined as the amount of energy (measured in kilojoules, kJ) burned at rest [3]. BMR is calculated using one’s biometrics like weight, height, age, and sex. Resting calories signify the caloric base burn rate, and are calculated by using the individual’s BMR. Active calories are the calories that are burned due to additional activity.
1 kilocalorie (kCal) = 4.184 kilojoules (kJ)
Total Energy (kJ) = Basal Energy (kJ) + Active Energy (kJ)
Calorie expenditure is relatively linear to heart rate for an average individual, provided that the individual’s heart rate remains within the safe range of 90-150bpm [4].
Biometrics
Biometrics is defined as the ‘the science and technology of analyzing biological data’ [15]. For the purpose of this project, the following biometrics are considered:
1. Heartrate (beats/min)
2. Steps (steps/min)
3. Total Energy (kJ) = Resting Energy (kJ) + Active Energy (kJ)
Apple Watch Series 1
Device Specifications
The specifications [5] for the Apple Watch used in this project are as follows:
1. 38mm (vertically)
2. 290ppi screen
3. Custom designed Apple S1 SiP (system in package) chip.
4. NFC +WiFi 802.11b’g’n + Bluetooth 4.0
5. 8 GB onboard storage
6. Sensors: Heart rate monitor, gyroscope, accelerometer
Photoplethysomography
The Apple Watch uses the concept of photoplethysomography (PPG) to measure the user’s heart rate [6]. The technology uses a simple principle of light absorption. The red color of the blood is due to the reflection of the red light, and the absorption of the green light. The Watch has infrared and green LED lights which are paired with light sensitive photodiodes (Fig 2.1). These lights are flashed at a high frequency (>400 Hz), to measure the blood flow in the user’s wrist. When the heart beats, there is an increase in the blood flow in the wrist, thus resulting in an increase in the rate of green light absorption, which is then measured by the photodiodes. The LED brightness and sampling rate can be adjusted automatically by the Watch in low signal level conditions.The heart rate data is transmitted to the Health app every 10 minutes on average through a stable Bluetooth or Wi-Fi connection. The data can then be compiled in a graph for users to study.
Steps Count
The Apple Watch has an accelerometer sensor which acts as a built-in step counter or pedometer. The steps are counted based on the height and stride length of the user.
Calorie Count
The Apple Watch measures the basal and active calories burnt using the biometrics (sex, weight, height) entered by the user, the user’s heart rate, and average human statistics. The activity being performed by the user is identified by the accelerometer, and is also considered for calculating energy expenditure.
Apple Watch memory and storage
The device consists of 512 MB of dynamic RAM, and 8 GB of flash memory. The Watch uses an HFS+ (hierarchical file system) created by Apple Inc., which has limited storage capacity than a device using removable SD cards
Device Syncing
The Apple Watch does not consist of a physical diagnostic port for users to transmit their data between devices. Thus, all the data is transferred and backed up in a companion iPhone by using either a Wi-Fi or Bluetooth connection. Once both the devices are in range, a stable ‘data stream’ is established. All the data is also backed up automatically in iCloud. The heart beat logs acquired by the Watch are sent to the paired iPhone. Using the built-in Health app, the user can access this data
FitBit Alta HR
Device Specifications
The hardware specifications of the device used for the project are as follow [9]:
1. 15mm wide
2. OLED tap display
3. Bluetooth 4.0
4. Sensors: Optical heart rate tracker, 3-axis accelerometer, vibration motor
5. Memory: 7 days of detailed data storage (minute by minute), daily summaries for 30 days
PurePulse
The PurePulse [10] is the continuous and automatic heart rate tracker used by FitBit. The sensor uses the principle of photoplethysomography, like the Apple Watch (Section 2.2.2). However, unlike the Apple Watch, the PurePulse sensor is capable of continuously monitoring the user’s heart rate during an activity and the resting heart rate too.
Step Count
FitBit consists of a 3-axis accelerometer which is used to detect motion. The sensor calculates the step count, distance, and calories burnt based on the duration, frequency, and intensity of the activity [13].
Calorie Count
FitBit considers the user’s biometrics like weight, age, height, and sex to determine the user’s BMR, and thereby calculate the energy expenditure based on the user’s activity.
Device Memory and Storage
The Alta HR can store detailed minute-by-minute data for up to 7 days in the device. Daily summaries can be stored for up to 30 days in the device if the data is not synced to cloud [9]. For investigative purposes, the device data needs to be exported within 4-5 days to ensure the details are preserved and data is not lost.
Device Syncing
The Alta HR uses Bluetooth Low Energy (LE) wireless technology and an internet connection (Wi-Fi/mobile data) to sync with mobile devices and computers. The device syncing range is up to 6.1 metres [9]. The device can also be synced with a computer using the dongle. If ‘All-day’ syncing is turned on, the devices should automatically sync every 15-30 minutes. Manual syncing is also available [14].
Related Work
There is no decisive method to estimate the time of death in a murder case. The project aims to devise a technique to accurately calculate the victim’s time of death by analysing the user’s heart rate data logs acquired by the Apple Watch. There have been several studies and research for using wearable and mobile devices for forensic investigations, however these are mostly limited to device imaging and data examination of call, text, and location logs. No known research has been undertaken earlier to estimate a murder victim’s time of death using a fitness device.
Methodology
Data Extraction – Apple Watch
Data extraction from the Apple Watch can be done by 4 ways:
1. Apple Health App (requires user’s phone password)
2. iCloud backup (requires user’s Apple ID)
3. iTunes backup (requires user’s phone password)
4. Chip-off
Health App
iCloud Backup
If the paired iPhone is unavailable, the health data can be accessed through iCloud and iTunes backup. Data from all iOS devices is automatically backed up in iCloud when a stable Wi-Fi connection is available. However, iCloud can only be accessed if the Apple ID username and password is known. In the case where the user’s credentials are unknown, a third-party software like the Elcomsoft Phone Breaker (EPPB) can be used to gain access. This software can retrieve all data backed up in the cloud by using a ‘binary authentication token’ [17] formulated by the iCloud Control Panel to acquire the account log-in credentials.
iTunes Backup
The Apple iTunes software can also be used to create a backup for all iOS devices. However, the iTunes backup is stored on an Apple Mac or a PC, and not online. If the log-in details are known, data can be directly acquired from iTunes. If not, data can be extracted by using forensic tools like UFED Touch/UFED Physical Analyser.
Chip-off
Chip-off is the least preferred method to extract data. Chip-off is the removal of the flash memory chip which stores the device’s data [18]. This invasive method allows the user to decode data in the absolute raw form from the memory, thus decoding it is quite challenging. Chip-off also requires the use of special tools to safely isolate the data chips. To read the data from the flash memory chips, small wires must be connected to certain ‘contact points on the monolithic package’s hidden ball grid array’. This process is called ‘spiderwebbing’.
Data Extraction – FitBit Alta HR