I blogged earlier this year about the Garmin Nüvi 200 Sat Nav device and I have now had a crack at a Garmin Streetpilot C510.
The Streetpilot like the Nüvi 200 stores waypoints in a file Current.gpx found within the Garmin folder. This folder is accessible when the device is connected to a computer due to the fact that the device is designed to act as a mass storage device. It is probably worth expanding on what a waypoint is. Garmin's FAQs define them as
Waypoints may be defined and stored in the unit manually, by taking coordinates for the waypoint from a map or other reference. This can be done before ever leaving home. Or more usually, waypoints may be entered directly by taking a reading with the unit at the location itself, giving it a name, and then saving the point.
Essentially as far as both the Garmin devices discussed here are concerned the waypoints recovered from Current.gpx are the users favourites and home location. Apologies for teaching granny to suck eggs but it is probably worth stating that waypoints are not Track Logs. Most Streetpilots and Nüvi 200s do not store any tracking information (there is an unsupported hack which allows the modification of some units firmware to store tracking information).
As commented in my previous posting and within the SatNav forensics forum over at Digital Detective these Garmin devices do store other data not contained in Current.gpx. This data is the Recently Found locations which are effectively the last fifty locations a user chose to navigate to (or at least look at on the device). Evidentially this data may be useful. Up to now a manual exam using something like Fernico ZRT has been the answer. I have tried out a slightly different methodology.
Suggested Methodology for the examination of Garmin Streetpilot C510
(May work with other models)
- Download Garmin USB drivers
- Download Garmin xImage version 2.3
- Download G7toWin
- Install Ximage on your workstation
- Turn on Garmin sat nav and press and hold your finger over the onscreen battery symbol for about 10 seconds
- This should take you into a hidden diagnostics menu
- On your Forensic Examination workstation run the Garmin USB drivers executable and work through to this screen
- Connect Garmin sat nav to your Forensic Workstation and complete the USB driver installation (the sat nav must be displaying the hidden service mode - if it isn't it will act as a mass storage device)
- Run G7toWin on your workstation (it does not need to be installed) and adjust the configuration to allow communication via USB
- Within G7toWin via the menu bar select GPS/Download from GPS/ All
- All available waypoints will display
- Via File/Save As you can save the data to your filetype of choice (e.g. .gpx, .kml, .xml)
- It is possible that one of the fields may contain an illegal character - in my testing the comment field did. I dealt with this in my exported kml and xml files with a decent text editor (PSPad) and the find and replace feature. Applications that support xml and Google Earth are not usually tolerant of any illegal characters/formatting.
Downloading of the waypoints is now taken care of. Next I want to deal with the
Recently Found
locations. I am going to suggest two approaches, which although relatively simple I have not seen documented elsewhere. The version of the device you are using may dictate which approach you try.
- Approach 1
- You should still be at the Diagnostics Menu - press the Exit icon
- Via the main navigation menu select Where to?/ Recently Found
- You should now see the first five Recently Found locations
- On your Forensics Workstation launch xImage, your device should appear in the Device field then click Next
- Select Get Images from the GPS then click Next
- Set Image Type to Screen Shot
- Clicking Next will allow you to save a screen shot of the currently displayed screen on the device
- Using this method you can quickly screenshot all the screens you would have photographed in a manual exam, after each screenshot click back to prepare for the next one
Approach 2 is more invasive, however I think principal 2 of ACPO guidelines applies.
- Approach 2
- You don't initially have to have your device connected to your workstation for this to work
- On the device select Settings/ Display
- In the Display menu enable Screen Shot
- This will cause a small camera icon to appear in the top right of the display
- Pressing this icon will cause a screen shot to be saved into the Garmin/scrn folder upon the device
- Screen shot all the screens you would have photographed in a manual exam
- Connect device to workstation as mass storage device and cut and paste screenshots from it
Artemus has been looking at a Garmin Nüvi 310. He tried Approach 1 above and found that to enter the diagnostics mode he had to push and hold the top right of the display (as opposed to the battery symbol). HOWEVER he then encountered a message asking if he wished to delete all user data, so I guess for Nüvi 310 Approach 1 is a no go. So he tried Approach 2. He enabled the Screen Shot feature however on this device no camera icon appears. Screen shots are created by pressing the power button. Screen shots are saved into a folder entitled Screenshot on the media card.
1 comment:
Hi,
I am a maths and computing undergrad at Derby Uni, and am current developing a piece of opensource software to forensically investigate satnav devices.
Just wanted to say, I have a Garmin Nuvi device, and it is worth noting that all the saved favourites as well as complete logs of the trips can be recovered as excel files.
From the root navigate to the reports directory and there is a file labelled "mileage.csv"
(If I'm reiterating something that people already know I apologise, but I was quite excited to discover this - couldn't resist sharing!
Ben
Post a Comment