Elsevier

Digital Investigation

Volume 5, Issues 1–2, September 2008, Pages 10-18

Pinpointing TomTom location records: A forensic analysis

https://doi.org/10.1016/j.diin.2008.06.003

Abstract

TomTom GPS navigation devices are one of the most popular kinds of satellite navigation devices in the UK, and are increasingly being examined in criminal cases to identify data of evidential value. This article outlines the format of TomTom location records and shows how these can be automatically extracted, enabling deleted location entries to be recovered. In addition, it shows how the type of a record – e.g. home or favourite location – can be determined and how to identify locations where the TomTom has actually been, as opposed to destinations which have been entered into the device. This information has been used in a number of different investigations including cases of kidnap, grooming, murder and terrorism, and can be of vital importance in cases where hundreds or even thousands of location entries are recovered from a TomTom device.

Introduction

TomTom claims to be ‘the world's largest portable navigation solutions provider’, with 9.6 million devices sold in 2007, and the increased ubiquity of these devices provides significant forensic potential. The navigation functionality of TomTom devices allows the user to plan routes, save favourite destinations, and look up points of interest (POIs). The devices can also pair with phones (and if so, can yield call history and contact data) and, when connected to a computer, act as a USB Mass Storage device. Newer versions have inbuilt MP3 players and picture viewers. If used with TomTom HOME, the desktop software, the device tracks journeys taken and sends these anonymous statistics to TomTom to provide data for the new IQ Routes functionality, in order to improve the accuracy of route prediction.

The TomTom itself is operated via a touch-screen menu-driven interface, which allows the user to enter locations, plan routes or itineraries, save favourites, or look up POIs. The user can also operate a paired mobile phone via the TomTom, to make calls, read or write text messages. If a wireless connection has been set up, the user can access additional services via a TomTom PLUS account, such as weather information, real-time traffic information, or additional downloads like extra voices or updated maps.

Additional maps or downloads can also be installed using TomTom HOME; if the TomTom device is connected to a computer with TomTom HOME installed, the TomTom's software can be updated or additional paid-for material such as new maps can be installed. The TomTom can be operated using TomTom HOME (rather like remote desktop functionality; the user can interact with the TomTom using the same menu, but on the PC) and offline routes can be planned in this way. This is also the only way to set a PIN lock code on the TomTom device.

As the device appears as a USB Mass Storage device when connected, it is also possible to copy files directly to the TomTom – for instance, using Windows Explorer. Any type of file can therefore be copied to the device.

The evidential value of TomTom analysis is obvious in many cases. Recent cases the author has worked on involving TomToms or other navigation devices include offences of kidnap, murder, ‘grooming’ of children and terrorism, where the presence of a specific address in the recent destinations can be a strong indication of links between the owner and that address. In cases of the theft of a TomTom itself, the saved home location is likely to identify the device's original owner. In fact in any offence where a person's movements are of interest, analysis of a TomTom device to retrieve the stored locations is likely to be useful.

Although examination of TomTom devices can yield diverse information, such as details of contact numbers and stored text messages, this article will focus only on the analysis of location records. The devices store records of the recent destinations, favourites, home location and start and end of last calculated trip in a file in the map directory, named either MapSettings.cfg or <map>.cfg. (For example, if the device is using a map named ‘Great_Britain-Map’, this file will be \Great_Britain-Map\Great_Britain-Map.cfg for application versions prior to 6, and \Great_Britain-Map\MapSettings.cfg thereafter.)
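As an added illustration (not code from the article or its EnScript), the naming rule above can be applied to a working copy of the device's file system to locate and hash candidate location-record files. The function names, the 'Western_Europe-Map' directory and all file contents are constructed for the example.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash in chunks so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def find_location_cfgs(root):
    """Return candidate location-record files under a read-only working copy."""
    hits = []
    for dirpath, _dirs, files in os.walk(os.path.normpath(root)):
        map_name = os.path.basename(dirpath)
        for name in sorted(files):
            lower = name.lower()  # host file system may be case-sensitive
            if lower == "mapsettings.cfg":
                convention = "version 6 onwards"
            elif lower == (map_name + ".cfg").lower():
                convention = "prior to version 6"
            else:
                continue  # not named as the text describes
            path = os.path.join(dirpath, name)
            hits.append({"map": map_name, "file": name, "convention": convention,
                         "size": os.path.getsize(path), "sha256": sha256_file(path)})
    return sorted(hits, key=lambda h: (h["map"], h["file"]))

def demo():
    """Build a constructed directory tree (not real evidence) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        layout = {
            "Great_Britain-Map/Great_Britain-Map.cfg": b"constructed-old",
            "Western_Europe-Map/MAPSETTINGS.CFG": b"constructed-new",
            "Western_Europe-Map/other.cfg": b"not a location store",
            "voices/data.chk": b"unrelated",
        }
        for rel, data in layout.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return find_location_cfgs(root)

if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Recording the hash alongside each hit lets later decoding work be tied back to the exact file that was examined.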

Section snippets

Previous work

There is little published information available relating to the analysis of TomTom .cfg files. Despite an active open-source community (centred on the OpenTom wiki at www.opentom.org), development for the TomToms has tended to be of additional or alternative software to run on the device. Therefore, analysis has been focused on the bootloader, since rewriting this allows alternative software to be run. Nor is there much information available within the forensic community.

Weall (2006), in a

Types of device

TomTom devices can be broken down into three main types: those with SD cards, those with internal hard drives and those with internal flash memory (with or without SD card slots). Devices which have both internal memory and an external SD slot typically store the user data on the internal memory,

Contents of the .cfg file

As noted above, the .cfg file is found in the active map directory – from version 6 onwards this file is called MapSettings.cfg and versions prior to this named it according to the map in use (e.g. Great_Britain-Map.cfg). This file holds details of recent destinations, entered addresses, home locations, favourites and the start and end of the last calculated route. The file holds many more locations than are shown as recent destinations on the device, and includes addresses entered and then

Identifying GPS fix locations

Possibly the most significant benefit is that it is possible from this to identify locations where the TomTom has actually been. Siezenga (2008) has noted that the second to last location in the cfg file is the start of the last calculated route. In the majority of journeys, this will be the location where the TomTom was when the route was calculated, as it only begins calculating a route when a GPS fix is obtained. If deviating from the route the TomTom has planned, a new route is calculated,

Future work

This article has focused only on the format of a location record as found in the .cfg file, but there is increased scope for further work on the analysis of this file.

POIEdit

POIEdit (produced by DNote Software, www.poiedit.com) was the first available tool to interpret the .cfg file. It is a shareware program which can read and write many formats from different GPS devices, and is intended for use in creating and editing POI files. Useful features are the low cost of the software (available for free with an optional donation), the number of formats it can interpret, the ability to filter out duplicates, and the ability to parse a raw image if it is renamed .cfg. It

Conclusion

This article has outlined known features of the location record format from a TomTom .cfg file, to enable automated extraction of these records and classification of them by type. It has also shown that it is possible to identify locations where the TomTom has been, as locations recorded due to a GPS fix being obtained are differentiated from locations entered. In addition, a brief overview has been given of a procedure for the forensic acquisition of data from TomTom devices and of tools

Acknowledgements

Much help has been received whilst carrying out this research from colleagues at the Metropolitan Police's Computer Systems Lab. In particular Tony Darby and Shamir Amin, from their experience and knowledge of different TomTom devices, and Gregory Webb for his assistance with writing the EnScript.

The EnScript itself is based on code written by Simon Key, a Guidance Software Master Instructor, and the author is grateful for the permission to use this code.

Thanks are due to Andy Sayers for

References (2)

  • Simon Siezenga. Forensic analysis of TomTom route planners (English translation). (2008)
  • Weall Paul. Sat nav forensics. Presented at First Forensic Forum (F3) conference;...

Cited by (12)

  • Forensic analysis of newer TomTom devices

    2016, Digital Investigation
    Citation Excerpt :

    UserPatch.dat (not available in all first version devices): contains last GPS fix and home location. The method to process this first hardware version of TomToms has been extensively discussed (Nutter, in press) and needs no further research. The second generation of TomTom devices was sold from the end of 2010 with the launch of the Go 1000 Live (according to Wikipedia (2015)).

  • Forensic acquisition and analysis of the Random Access Memory of TomTom GPS navigation systems

    2010, Digital Investigation
    Citation Excerpt :

    Siezenga (2008) described the structure of the configuration file stored on the non-volatile media in depth. His description of this file was used during analysis to decode items like favourites and the home location. Nutter (2008) described the process of extracting and decoding individual location records from the non-volatile media even when they are found in any unallocated clusters or slack space. Little is known on acquisition and analysis of data stored in the volatile memory of these navigation systems.
