Pinpointing TomTom location records: A forensic analysis
Introduction
TomTom claims to be ‘the world's largest portable navigation solutions provider’,1 with 9.6 million devices sold in 2007,2 and the increased ubiquity of these devices provides significant forensic potential. The navigation functionality of TomTom devices allows the user to plan routes, save favourite destinations, and look up points of interest (POIs). The devices can also pair with phones (and if so, can yield call history and contact data) and, when connected to a computer, act as a USB Mass Storage device. Newer versions have inbuilt MP3 players and picture viewers. If used with TomTom HOME, the desktop software, the device tracks journeys taken and sends these anonymous statistics to TomTom to provide data for the new IQ Routes functionality, in order to improve the accuracy of route prediction.3
The TomTom itself is operated via a touch-screen menu-driven interface, which allows the user to enter locations, plan routes or itineraries, save favourites, or look up POIs. The user can also operate a paired mobile phone via the TomTom, to make calls, read or write text messages. If a wireless connection has been set up, the user can access additional services via a TomTom PLUS account, such as weather information, real-time traffic information, or additional downloads like extra voices or updated maps.
Additional maps or downloads can also be installed using TomTom HOME; if the TomTom device is connected to a computer with TomTom HOME installed, the TomTom's software can be updated or additional paid-for material such as new maps can be installed. The TomTom can be operated using TomTom HOME (rather like remote desktop functionality; the user can interact with the TomTom using the same menu, but on the PC) and offline routes can be planned in this way. This is also the only way to set a PIN lock code on the TomTom device.4
As the device appears as a USB Mass Storage device when connected, it is also possible to copy files directly to the TomTom – for instance, using Windows Explorer. Any type of file can therefore be copied to the device.
The evidential value of TomTom analysis is obvious in many cases. Recent cases the author has worked on involving TomToms or other navigation devices include offences of kidnap, murder, ‘grooming’ of children and terrorism, where the presence of a specific address in the recent destinations can be a strong indication of links between the owner and that address. In cases of the theft of a TomTom itself, the saved home location is likely to identify the device's original owner. In fact in any offence where a person's movements are of interest, analysis of a TomTom device to retrieve the stored locations is likely to be useful.
Although examination of TomTom devices can yield diverse information, such as details of contact numbers and stored text messages, this article will focus only on the analysis of location records. The devices store records of the recent destinations, favourites, home location and start and end of last calculated trip in a file in the map directory, named either MapSettings.cfg or <map>.cfg. (For example, if the device is using a map named ‘Great_Britain-Map’, this file will be \Great_Britain-Map\Great_Britain-Map.cfg for application versions prior to 6, and \Great_Britain-Map\MapSettings.cfg thereafter.)
Section snippets
Previous work
There is little published information available relating to the analysis of TomTom .cfg files. Despite an active open-source community (centred on the OpenTom wiki at www.opentom.org), development for the TomToms has tended to be of additional or alternative software to run on the device. Therefore, analysis has been focused on the bootloader, since rewriting this allows alternative software to be run. Nor is there much information available within the forensic community.
Weall (2006), in a
Types of device
TomTom devices can be broken down into three main types: those with SD cards, those with internal hard drives and those with internal flash memory (with or without SD card slots).6 Devices which have both internal memory and an external SD slot typically store the user data on the internal memory,
Contents of the .cfg file
As noted above, the .cfg file is found in the active map directory – from version 6 onwards this file is called MapSettings.cfg and versions prior to this named it according to the map in use (e.g. Great_Britain-Map.cfg). This file holds details of recent destinations, entered addresses, home locations, favourites and the start and end of the last calculated route. The file holds many more locations than are shown as recent destinations on the device, and includes addresses entered and then
Identifying GPS fix locations
Possibly the most significant benefit is that it is possible from this to identify locations where the TomTom has actually been. Siezenga (2008) has noted that the second to last location in the cfg file is the start of the last calculated route. In the majority of journeys, this will be the location where the TomTom was when the route was calculated, as it only begins calculating a route when a GPS fix is obtained. If deviating from the route the TomTom has planned, a new route is calculated,
Future work
This article has focused only on the format of a location record as found in the .cfg file, but there is increased scope for further work on the analysis of this file.
POIEdit
POIEdit (produced by DNote Software, www.poiedit.com) was the first available tool to interpret the .cfg file. It is a shareware program which can read and write many formats from different GPS devices, and is intended for use in creating and editing POI files. Useful features are the low cost of the software (available for free with an optional donation), the number of formats it can interpret, the ability to filter out duplicates, and the ability to parse a raw image if it is renamed .cfg. It
Conclusion
This article has outlined known features of the location record format from a TomTom .cfg file, to enable automated extraction of these records and classification of them by type. It has also shown that it is possible to identify locations where the TomTom has been, as locations recorded due to a GPS fix being obtained are differentiated from locations entered. In addition, a brief overview has been given of a procedure for the forensic acquisition of data from TomTom devices and of tools
Acknowledgements
Much help has been received whilst carrying out this research from colleagues at the Metropolitan Police's Computer Systems Lab. In particular, Tony Darby and Shamir Amin helped through their experience and knowledge of different TomTom devices, and Gregory Webb assisted with writing the EnScript.
The EnScript itself is based on code written by Simon Key, a Guidance Software Master Instructor, and the author is grateful for the permission to use this code.
Thanks are due to Andy Sayers for
References (2)
Forensic analysis of TomTom route planners (English translation) (2008)
Weall Paul. Sat nav forensics. Presented at First Forensic Forum (F3) conference;...
Cited by (12)
Challenges and opportunities for wearable IoT forensics: TomTom Spark 3 as a case study
2021, Forensic Science International: Reports
Forensic analysis of newer TomTom devices
2016, Digital Investigation
Citation Excerpt: UserPatch.dat (not available in all first version devices): contains last GPS fix and home location. The method to process this first hardware version of TomToms has been extensively discussed (Nutter, in press) and needs no further research. The second generation of TomTom devices was sold from the end of 2010 with the launch of the Go 1000 Live (according to Wikipedia (2015)).
Comments on the Linux FAT32 allocator and file creation order reconstruction [Digit Investig 11(4), 224-233]
2015, Digital Investigation
The Linux FAT32 allocator and file creation order reconstruction
2014, Digital Investigation
Forensic acquisition and analysis of the Random Access Memory of TomTom GPS navigation systems
2010, Digital Investigation
Citation Excerpt: Siezenga (2008) described the structure of the configuration file stored on the non-volatile media in depth. His description of this file was used during analysis to decode items like favourites and the home location. Nutter (2008) described the process of extracting and decoding individual location records from the non-volatile media even when they are found in any unallocated clusters or slack space. Little is known on acquisition and analysis of data stored in the volatile memory of these navigation systems.