Wednesday, 8 October 2008

Sony NV-U50 G Sat Nav device

Some of you may be thinking that this blog has stopped being a computer forensics blog and is now only covering sat navs. It seems that way lately, but it is just that my computer cases are all run of the mill whilst sat navs are nearly always new and exiting!

The Sony NV-U50 G sat nav I looked at is running Sony Personal Navigation System version 1.06 software within Windows CE. It has 512mb of internal memory and no external flash media. I accessed it via Mobile Device Centre in Vista (probably Active Sync will suffice but I did not test with this) and discovered a My Flash Disk volume as normal. A folder named Sony will be accessible and within the NAV-U sub folder the following notable files can be found:
  • recent.txt
  • favourites.txt
  • prefs.ini
All three files are plain text.

prefs.ini is used to store user preferences but also contains three useful values:
  • hometarget
  • lasttarget
  • LastVisibleArea
hometarget contains the postcode and latitude and longtitude coordinates of the user set home location. lasttarget was not populated on the device I examined but I understand from colleagues that it can contain the last navigated to location. Both these values comprise of seventeen fields separated by the pipe symbol (|).

LastVisibleArea
contains the lat/long coordinates of the bottom left and top right corners of the last map displayed on the device prior to being switched off. I had seen that the manual for the device contained the note:
The Sony Personal Navigation System always opens with the screen that was active at the time you switched off the device.

recent.txt and favourite.txt contained recently navigated to locations and user stored favourite destinations respectively. Each location record comprised of seventeen fields separated by the pipe symbol (|) in both files allowing them to be imported into an excel spreadsheet using the text data import wizard.


Example of a single favourite record.
GFRIEND|-|48|12366|-|-|SW1 1AA|-|-|-|-|-0.142076|51.50107|-|-|-|-|
Field 3
in most cases contained the value 48 which I understand to be the Country Code used by Sony/Navteq for the UK, Field 4 had in some cases a five digit number beginning with the digits 12. I speculate that these fields have something to do with the RDS/TMC facility available with this device. Fields 12 and 13 contained the Longtitude and Latitude coordinates of the location record (stored in decimal notation). Fields 16 and 17 if populated contained a second set of Longtitude and Latitude coordinates which I can only speculate may be journey origins.

The device can also store pre-planned itineraries and these are stored within files with a .rte file extension in the Sony/NAV-U/Routes folder. These files are plain text formatted the same way as recent.txt and favourite.txt .

By carrying out a live examination of the device most the data above can be ascertained, however where a user has allocated a name to a favourite or itinerary only the allocated name will be displayed - not the underlying address and lat/long coordinates.

UPDATED 17th December 2008

I have been asked whether the order of the entries in Recent.txt had any significance. I have carried out some further testing and established:

i) Recent.txt will contain a maximum of thirty entries.

ii) If the entry is generated by a user choosing to navigate to a Favourite via the Favourites menu button the display name will be stored along with other location information within Recent.txt.

iii) The most recently entered location is recorded last.

iv) Once there are thirty entries within Recent.txt when a new location is added the oldest record at the top of the list is deleted. An exception to this is if a new location duplicates an entry already stored in Recent.txt the older entry is deleted (wherever it was stored in the list) and a new location appended to the end of the list.

I also had another look at the secondary lat/long values and I am now of the view that they DO NOT contain journey origins. During testing all the values I was able to populate in these fields were fairly near to the location chosen to navigate to. I could not however discern their relevance.





Tuesday, 7 October 2008

Transition to XP 64

We upgrade our forensic workstations every eighteen months or so have just taken delivery of four shiny new ones. This time I decided that the time had come for us to enter the brave new world of 64 bit operating systems. I have read many peoples experiences of this on Digital Detective, Forensic Focus and so on and was expecting a number of difficulties. However the driver for change is utilising 8gb ram so XP 64 bit was specified. To be on the safe side I had the machines built in a dual boot configuration with XP 64 bit on one partition and XP 32 bit on another. As an additional safeguard on the 64 bit side I installed VMWare Workstation and created an XP 32 bit VM.

So if it helps anyone here is a list of what works (and what doesn't).

XP 64 Software installations

64 bit programs

Encase 6.11.2 x64
Encase installed OK. Help About shows that the PDE, VFS, EFS and Fastbloc SE modules are installed and I have successfully tested PDE.

Tomtology
Tomtology x64 1.162, .NET 3.5 Redistributable and the keylock dongle drivers all installed and working.

7Zip

Ultramon

Firefox

CodeMeter
CodeMeter Runtime 3.30a is needed for the FTK codemeter dongle.

Gimp 2.5.4
http://downloads.sourceforge.net/gimp-win/gimp-2.5.4-r26790-x64-setup.exe?modtime=1219882476&big_mirror=0


32 bit programs that work within the 64 bit OS

Encase 6.11.2 32 bit version
The 32 bit version installs and runs OK.

Access Data FTK
I had hoped to upgrade to FTK2 but a 64 bit version has not been released. I did however decide to transfer our licences from the green keylock dongle to the Codemeter dongle. There are detailed instructions on how to do this within the FTK2 box. I used an internet connected laptop with the latest version of Licence Manager installed to carry out the transfer. Once the licences were on the codemeter dongle I installed CodeMeter Runtime 3.30a (64 bit) onto the XP 64 bit box and then inserted the dongle. It was successfully recognized. FTK 1.81 and Registry Viewer 1.5.3 have been installed and they work OK.

Microsoft Office 2007
The office programs are 32 bit but are designed to work with a 64 bit MS OS.

VFC
I have installed VFC 1.2.4.3, the green keylock dongle drivers and VMWare Diskmount Utility. All seem to work OK.

C4P
C4P v3.3.4 runs without issue. However some work is needed to get the C4P graphics extractor enscript running.

For Encase v6 64 bit running on XP 64 bit install the 64 bit MySQL 3.51 ODBC connector driver found at http://dev.mysql.com/downloads/connector/odbc/3.51.html#winx64
and also a MS hotfix found at http://www.microsoft.com/downloads/details.aspx?FamilyID=000364db-5e8b-44a8-b9be-ca44d18b059b&displaylang=en

The latest C4P v4 graphics extractor enscript contains a mySQL database connection string which needs modification (if you are using mysql). The string needs to be edited to read:

Conn.Open("PROVIDER=MSDASQL;DRIVER={MySQL ODBC 3.51 Driver};SERVER=" + Com.serverName + ";DATABASE=" + DbName + ";" + "UID=c4p_user;PASSWORD=password;OPTION=3")


NetAnalysis
NetAnalysis 1.38 beta 6 is running OK

Irfanview
Irfanview 4.20 is a running OK

Saminside
Saminside v2.5.7.1 is running OK

Isobuster 1.9 Pro
Isobuster 1.9 Pro works OK

Various other utilities such as PSPad, FileAlyzer, WRR and WFA are also working OK.

Things that did not work

Well not much really. The Microsoft powertoy picture resizer does not work but is adequately replaced with http://adionsoft.net/fastimageresize/