Wearable devices collect information about the behaviour of the user. In principle, this information can be used as evidence in criminal investigations. However, there are technical, legal and practical issues that make this challenging. In this paper, we consider the potential of such devices for forensic investigation. We focus primarily on wearable fitness trackers. These are simple devices that track the movement of the wearer to help them achieve certain fitness goals. Users can share progress online, which is normally done by syncing the fitness tracker to their phone and then using the phone to communicate data over the Internet. As such, there may be a great deal of data about a user involved in a crime that is being shared and stored for analysis.
Before fitness trackers can be used effectively in an investigation, we first need to understand exactly what information is being stored and synced. Wearable fitness trackers such as Fitbits are relatively new and can offer a wealth of information to investigators as the device constantly monitors the physical status of its wearer. There are vast amounts of information that can be extracted from these devices, including geolocation data, distance traveled, heart rate data, and activity time. There is great value in this data as it can describe the state of the person wearing the Fitbit during physically violent moments.
Although various fitness trackers have been tested for their accuracy in the field of health sciences, little information about the forensic applications of these devices is available. As such, we need to determine if commercial fitness trackers are actually collecting and sharing data that can be useful in identifying criminal activity.
This paper makes several contributions to existing literature on social network forensics. While there is a great deal of technical documentation and health-related information about fitness trackers, this paper is unique in that we explicitly consider the challenges faced when using the data for investigative purposes. Moreover, to the best of our knowledge, this paper includes the first experimental study that attempts to use a fitness tracker to identify when a violent attack has been perpetrated. Methodologically, our paper is distinct in the computing literature as we advocate for the importance of physical experimentation with wearable devices; this is an important step towards correlating the actions with the data being stored.
Legal: What information can be stored, and where can it be maintained?
Technical: How easily can we obtain stored information from the device, or from a paired smartphone?
Empirical: How do we demonstrate conclusively that the information on the device is evidence that a given behaviour has occurred?
These challenges are all related. In this paper we focus primarily on the third, and only remark on the first two challenges as they relate to identifying behaviours.
With all the different sensors built into a wearable device, there is a lot of data being collected, and therefore a lot of ways the data can be useful. For example, we can try to identify the activities being performed based on the data. This has been done for various forms of exercise [2], but other activities can be detected as well. One novel application of wearable devices comes from [5]. In this study, police officers, construction workers, and members of the general population each wore a wearable device to compare whether the detection of gunshots was accurate or if the device would confuse a gunshot with the usage of construction equipment, for example. The results found 98.9% of gunshots were correctly identified, and only 0.4% of non-gunshots were misidentified as gunshots. In this study, the AX3 Watch was used as a wearable device; the data was obtained from an accelerometer.
Several studies have tested the accuracy, validity, and reliability of fitness trackers as they measure energy expenditure, physical activity, and heart rate [7, 9]. In one study, participants engaged in an hour routine of running and cycling with some time to rest between the exercises. The results found that although the fitness trackers produce poor estimates of energy expenditure, they all accurately measure heart rate [10]. The same conclusion was drawn in [6]. It is worth noting that these two studies differed in several respects, including the physical placement of the wearable devices. Note, for example, that a Fitbit worn on the wrist will detect arm motion more accurately than one worn on the hip. This must be taken into account when setting up new experiments for activity detection.
In terms of measuring physical activity, [8] tested a Fitbit on 25 university students performing a variety of activities such as treadmill walking, incline walking, jogging, and stair stepping. This study concluded that the Fitbit had “moderate” validity in identifying activities. Roughly speaking, the Fitbit is able to be used to identify certain kinds of exercise, but it is not useful for activities such as climbing stairs.
In stark contrast with [10] regarding heart rate measurements, [3] concluded that the Fitbit Charge failed to accurately measure heart rate during more intensive physical activities, but the device still could adequately measure heart rate during rest and recovery. There are many differences between these two studies. First of all, the test equipment was slightly different. Second, the exercise protocols were not the same. In order to validate the data obtained through the use of wearable tech to monitor physical activity, other studies have used statistics to interpret the results and draw conclusions. For example, [1] measures the range of motion using three different apparatus which all measured changes in joint angles and reach distance. To interpret the results, means and standard deviations were calculated for each set of data to perform an analysis of variance. Going further, coefficients of determination were computed between two pairs of apparatus for all the movements to be able to determine how much variability can be explained by the model used. Loeffler [5] calculated feature statistics for each spike in the data that could potentially be a gunshot. Furthermore, a logistic regression model was used to predict the identification or misidentification of a gunshot. All of the statistical features for the potential gunshot detections were entered into this model to support the predicted classifications of whether the spike was a gunshot or not.
Accelerometer: Senses device acceleration.
Gyroscope: Senses angular velocity.
Heart Rate: Senses the heart rate of the user.
Orientation: Senses orientation of the device.
In principle, these sensors can give a great deal of information about the activities being carried out by the user.
The Device: Information gathered is stored for a short term on the device before syncing. For Fitbit trackers, for example, information is stored for 7 days.
Local Machine: Information is synced with a local PC or smart phone.
Remote storage: Information is stored on the cloud indefinitely.
Information stored on the device or locally should be useful for criminal investigation. There is a legal issue surrounding remote storage, however. In many countries, privacy laws dictate that information can only be stored for a specified purpose. Obtaining this information for investigative purposes may therefore be problematic. For this reason, we focus on the first two storage locations in this paper.
The data gathered by fitness trackers is stored in a way that allows the user to track their activity, and overall health. This is quite different than the way we would store information to identify particular activities. For this reason, it is an open question how useful the data will actually be in a criminal investigation. In order to make such a determination, we actually need to look at specific activities and determine if they can be associated with particular stored profiles.
Having specified the sensors and the storage locations for information, we now describe a case study intended to demonstrate how data gathered may be used in a criminal investigation. The purpose of this case study is not necessarily to give precise, legally admissible results. Instead, the purpose is to show a methodology that can be used to evaluate the utility of fitness trackers to identify particular behaviours.
We remark that the primary contribution of this case study is actually methodological. By setting up a precise scenario, we hope to demonstrate how a controlled experiment can be useful in determining which kinds of physical activity a fitness tracker can be used to identify. But this is a preliminary paper on work in progress; at present we are actually refining the methodology and studying the data available on different devices. As such, the results to date have not been particularly useful. Nevertheless, this report will describe our general methodology in order to start a useful discussion about the value of activity detection through fitness tracker data.
Our case study uses a commercial fitness tracker, a rooted Android smart phone, and digital forensic tools for investigation. We list the hardware and software that was used in our work.
Cellebrite UFED: Hardware designed for mobile device forensics that can take an image of the internal digital storage of many different mobile devices.
EnCase: A professional digital forensic software toolkit designed to analyze a multitude of digital information including disk images, memory dumps, and individual files.
Fitbit: A brand of wearable fitness tracker devices that can measure the wearer’s fitness levels, heart rate, steps taken, distance traveled, length of time spent being physically active or inactive, hours of sleep, and so on. Throughout this paper, “Fitbit” will refer to the Fitbit Charge 2 which is the specific device that we used.
The Fitbit Charge 2 used in this study came fresh out of the box with the absolute minimum amount of setup completed for the device to function. Fitbit was selected as the brand due to its popularity in the marketplace.
Experiment flowchart
The participant walked for 30 min. During this phase the Fitbit collected data about the participant during a normal, non-violent state.
After 30 min, the participant stopped at a designated, safe location.
The participant kneeled on the ground and used a rock to hit the ground in front of them 10 times.
The participant then walked for a second round of 30 min.
Following these steps, the Fitbit was removed and placed in a safe location (with the paired smartphone) until the next trial. The experiment was repeated three times to ensure consistency in the resulting fitness data.
After the experiment had been performed three separate times with adequate time for the participant to recover in between the tests, the rooted smartphone with the synced Fitbit data on it was analyzed with EnCase software. This involved several steps to complete the acquisition process, which was repeated twice for the sake of consistency in the data. The two images were each hashed through two separate hashing algorithms, MD5 and SHA1, to check if the images matched each other.
For both images, the folder for the Fitbit app was exported using Autopsy and all the files in the two exports had their write permissions removed. Because the hashes of the two images did not match, all the files from the two exports had their SHA1 hashes computed and saved to a file, and the resulting files were compared. At this point, we need to manually look at the data to determine if the Fitbit had stored any data on the smartphone that could be used as evidence of a violent act. A complete flow chart for the case study experiment is given in Fig. 1.
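The per-file comparison described above can be scripted as follows. This is an added example, not the tooling used in the study; the directory layout and file contents in `demo()` are constructed, and only the `databases` directory name and the `-journal` suffix come from the paper.

```python
import hashlib
import os
import tempfile


def sha1_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-1 so large exports are not loaded into memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path relative to `root` to its SHA-1 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha1_file(full)
    return manifest


def compare_manifests(first, second):
    """Classify every path as identical, changed, or present in one export only."""
    shared = first.keys() & second.keys()
    return {
        "identical": sorted(p for p in shared if first[p] == second[p]),
        "changed": sorted(p for p in shared if first[p] != second[p]),
        "only_first": sorted(first.keys() - second.keys()),
        "only_second": sorted(second.keys() - first.keys()),
    }


def demo():
    """Build two constructed exports that differ in one file, then compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        for label, journal in (("export_a", b"journal-1"), ("export_b", b"journal-2")):
            db_dir = os.path.join(tmp, label, "databases")
            os.makedirs(db_dir)
            with open(os.path.join(db_dir, "activity_db"), "wb") as fh:
                fh.write(b"constructed database bytes")
            with open(os.path.join(db_dir, "activity_db-journal"), "wb") as fh:
                fh.write(journal)
        # A constructed cache file that exists only in the second export
        os.makedirs(os.path.join(tmp, "export_b", "cache"))
        with open(os.path.join(tmp, "export_b", "cache", "tile.bin"), "wb") as fh:
            fh.write(b"x")
        return compare_manifests(
            build_manifest(os.path.join(tmp, "export_a")),
            build_manifest(os.path.join(tmp, "export_b")),
        )


if __name__ == "__main__":
    for category, paths in demo().items():
        print(category, paths)
```

The "changed" and "only in one export" lists narrow the manual review to the files that account for the image-level hash mismatch.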
Directories in Fitbit app data
The exported Fitbit app data contains cache directories, a preferences directory, a database directory, and several other miscellaneous directories, as shown in Fig. 2.
Database directory
The last and most notable directory is “databases”. This directory contains pairs of files where one file is an SQLite3 database and the other contains the name of the database file with the text “-journal” appended to the end of the file name. Some of the names of these SQLite3 databases are as follows: “activity_db”, “exercise_db”, “fitbit_db”, “heart_rate_db”, and “mobile_track_db”. The full listing of the database directory is in Fig. 3.
The names of columns in the tables of the databases indicate that the databases hold metadata. There are several columns for timestamps including creation time, time updated, start time, and stop time. Other columns hold various identification values such as server ID, session ID, and UUID. Some of the tables also include information about certain kinds of activities, such as thresholds. For example, Fig. 4 shows the contents of “activity_db”.
Similarly, “heart_rate_db” contains thresholds for differing levels of activity, except “heart_rate_db” actually has data describing the amount of time spent in each of the ranges and the amount of calories burned, but it is unclear why several records contain duplicate ranges with different times spent in the ranges. There are no associated timestamps with the records to possibly explain this as different results for different days.
Manual investigation of all database files indicates that none of the databases contains any information about the actual times when different levels of activity were recorded. As such, there is no information on the phone that allows us to determine when vigorous activity occurred.
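The manual schema review described above can be partly automated. The following is an added example, not part of the original study: it opens a database read-only, lists each table's columns, flags time-related column names and counts rows. The table and column names in `demo()` are hypothetical, as is the `TIME_HINTS` heuristic; only the file name "heart_rate_db" comes from the paper.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

# Substrings treated as time-related column names (a heuristic assumed here)
TIME_HINTS = ("time", "date", "created", "updated", "start", "stop")


def quote_ident(name):
    """Quote an SQLite identifier; table names cannot be bound as parameters."""
    return '"' + name.replace('"', '""') + '"'


def survey_database(path):
    """Describe every user table: its columns, time-like columns and row count."""
    # mode=ro keeps SQLite from modifying the evidence copy
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        tables = [row[0] for row in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' "
            "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
        report = {}
        for table in tables:
            quoted = quote_ident(table)
            cols = [row[1] for row in conn.execute("PRAGMA table_info(%s)" % quoted)]
            rows = conn.execute("SELECT COUNT(*) FROM %s" % quoted).fetchone()[0]
            report[table] = {
                "columns": cols,
                "time_columns": [c for c in cols
                                 if any(h in c.lower() for h in TIME_HINTS)],
                "rows": rows,
            }
        return report
    finally:
        conn.close()


def demo():
    """Survey a constructed database: zone totals exist, but carry no timestamps."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "heart_rate_db")
        conn = sqlite3.connect(path)
        conn.executescript("""
            CREATE TABLE session_meta (uuid TEXT, time_created INTEGER,
                                       time_updated INTEGER);
            CREATE TABLE zone_summary (low_bpm INTEGER, high_bpm INTEGER,
                                       minutes_in_zone INTEGER, calories REAL);
            INSERT INTO session_meta VALUES ('constructed-uuid', 1500000000, 1500000600);
            INSERT INTO zone_summary VALUES (30, 97, 1200, 1500.0), (30, 97, 45, 60.5);
        """)
        conn.commit()
        conn.close()
        return survey_database(path)


if __name__ == "__main__":
    for table, info in demo().items():
        print(table, info)
```

A table with measurement rows and an empty `time_columns` list reproduces the situation reported here: the values are present but cannot be placed on a timeline.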
It is not immediately clear why the phone contains no useful data about the actual activities performed by the user. Given that the Fitbit itself does in fact have the activity data, there are several possibilities. It may be the case that the Fitbit app simply does not store such data on the phone by default. Instead, this data may be stored on Fitbit’s servers, and the phone app is only used to retrieve simple metadata about activities.
Database directory
In any event, using standard mobile forensic tools, we were unable to find any useful data on the phone for an investigation. It may be the case that this is not true for other brands of wearable fitness trackers. It may also be the case that the Fitbit data could in fact be retrieved through JTAG or Chip-off.
Despite the results of this case study, we certainly expect that, for some phones and some wearable fitness trackers, we will be able to obtain useful data about activity levels with timestamps. The point of this study is not, therefore, to reject the utility of this approach. Instead, the point of this paper is to demonstrate a viable methodology for studying the investigative potential of fitness tracker data for activity detection. The methodology here is experimental: we need to first produce behaviour that replicates a criminal activity, and then we use forensic tools to determine if that behaviour can be detected. Once we are able to detect our “fake” criminal activity, then we can try to determine how closely our fake activity resembles a real violent act. As such, this is a long term project, and we are just at the outset.
The case study presented here failed for technological reasons, as the phone did not record activity from the device. However, even if the phone had collected the data, there is an empirical question about the degree of granularity that we can expect from the device. Activity recognition on the Fitbit basically operates by matching the information recorded with an “expected” profile for different activities. For example, aerobic activity can be distinguished from sport activity by looking at fluctuating heart rates and accelerations.
Activity matching in this manner requires a characteristic set of data for a given activity. We can then compare the sensed movements with the characteristic set; if it is close, then we can conclude that the given activity was taking place. There are two problems here. First, the precise notion of “close” for activity recognition is not clear. Second, we essentially need to know the activity that we are looking for in advance.
The notion of determining “closeness” is actually a question of statistical variation; there are known methods for addressing this problem. The second problem is an empirical one. If we want to get a profile for a given activity, how can we do it? The case study here suggests a simple solution: we simply replicate the action on a new device.
Retrieve all available data from the suspect’s device and paired hardware.
Generate a hypothesis h about what actually occurred in the crime under investigation.
Recreate the physical activity described in h, with a collection of actors wearing the same Fitbit.
Perform a similarity comparison between the suspect’s device data and the data obtained from the actors.
At step (1), we address all technological and legal issues related to gathering the activity data collected by the wearable device. Step (2) is essentially traditional investigation; based on any available information about the crime, we come up with a possible explanation. Step (3) is essentially what we have outlined in our case study. By replicating the physical performance of a given crime, we can get an activity profile for that crime. The final step is a statistical matching. The evidence provided by this step is similar to DNA evidence, in a sense. We are able to conclude some level of certainty in the activity matching, based on the data.
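One way to carry out the similarity comparison of step (4) is sketched below as an added example; it is not a method from the paper. It assumes per-sample acceleration magnitudes are available, which the case study did not recover from the phone. The feature set, the relative floor on the spread and the threshold of 3.0 are assumptions, and all traces are constructed.

```python
import math
import statistics


def features(samples, spike_threshold=2.5):
    """Summarise one recording: mean, spread, peak and number of spike onsets."""
    spikes = sum(1 for prev, cur in zip(samples, samples[1:])
                 if prev < spike_threshold <= cur)
    return [statistics.fmean(samples), statistics.pstdev(samples),
            max(samples), float(spikes)]


def build_profile(recordings):
    """Per-feature mean and sample standard deviation across the recreations."""
    columns = zip(*(features(r) for r in recordings))
    return [(statistics.fmean(c), statistics.stdev(c)) for c in columns]


def distance(profile, samples, rel_floor=0.05):
    """Root-mean-square z-score of a recording against the actors' profile."""
    total = 0.0
    for (mean, sd), value in zip(profile, features(samples)):
        # Floor the spread so a feature the actors all agree on (such as the
        # strike count) does not cause a division by zero.
        scale = max(sd, rel_floor * abs(mean), 1e-9)
        total += ((value - mean) / scale) ** 2
    return math.sqrt(total / len(profile))


def matches(profile, samples, threshold=3.0):
    """Decide 'close' with an assumed cut-off on the RMS z-score."""
    return distance(profile, samples) <= threshold


def recording(baseline, strike_peaks):
    """Constructed trace: quiet samples with one spike per strike."""
    trace = []
    for peak in strike_peaks:
        trace += [baseline, baseline + 0.1, peak, baseline]
    return trace + [baseline] * 4


# Three constructed recreations of the ten-strike activity (step 3)
ACTORS = [
    recording(1.0, [3.0, 3.2, 3.4, 3.1, 3.3, 3.0, 3.5, 3.2, 3.1, 3.4]),
    recording(1.1, [3.4, 3.6, 3.3, 3.5, 3.2, 3.6, 3.4, 3.3, 3.5, 3.7]),
    recording(0.9, [2.9, 3.1, 3.0, 3.3, 3.2, 2.8, 3.1, 3.0, 3.2, 3.3]),
]
# Two constructed suspect traces: one with ten strikes, one walking only
SUSPECT_STRIKES = recording(1.0, [3.2, 3.3, 3.1, 3.4, 3.2, 3.3, 3.0, 3.5, 3.1, 3.3])
SUSPECT_WALKING = [1.0, 1.1] * 22

if __name__ == "__main__":
    profile = build_profile(ACTORS)
    for label, trace in (("strikes", SUSPECT_STRIKES), ("walking", SUSPECT_WALKING)):
        print(label, round(distance(profile, trace), 2), matches(profile, trace))
```

The distance is a measure of agreement with hypothesis h, not a probability; the cut-off would have to be calibrated on many recreations before any level of certainty could be stated.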
We remark that repeatedly performing recreations of physical acts is a difficult process. It would certainly be better over time to collect activity profiles for different criminal acts that are resilient to small variation. In this manner, we would be able to use device data to identify activity without the costly recreation process. Better yet, using Machine Learning techniques, we should be able to learn the profiles for different activities without specifically labelling them. However, this requires a great deal of data that is not currently available. Moreover, in terms of a criminal investigation, it would be more convincing to demonstrate close correlation with a specific story rather than a complicated mathematical explanation.
This study attempted to find potential forensic evidence originating from a Fitbit tracker that was worn during a simulated attack. The reason for this study was to contribute to the field of digital forensics and benefit forensic investigators by exploring the potential for new digital devices such as fitness trackers to provide data that is useful as evidence in an investigation. To acquire the data from the Fitbit, an Android smartphone was synced with the fitness tracker via the official Fitbit app, and the Android device was rooted and forensically imaged with EnCase. The Fitbit app data located at “/data/com.fitbit.FitbitMobile/” was exported from the images and the files contained within were analyzed. Among the exported files were preferences saved in XML format, cache files, and SQLite 3 databases. Although the SQLite database files were named appropriately for some given tracking feature of the Fitbit, they did not contain very useful information or sometimes did not contain any information at all. Therefore, this study finds no useful evidence present on the Android smartphone.
While the case study experiment did not obtain useful information, future work in this area could extract the data straight from the Fitbit by performing a Chip-off or JTAG technique to skip using a smartphone entirely and give the best chances at obtaining the device data. In addition, other Fitbit trackers could be tested since several different types are available and this study used one of the higher-end models. A final area of further study would be analyzing other brands of fitness trackers, as other companies would most likely design their product differently. Other kinds of data could be extracted, and the success of syncing with a smartphone to obtain data may be different with these other brands as well.
Significantly, the case study suggests an approach to using wearable devices in an investigation. By replicating criminal activities and performing statistical analysis, we should be able to determine with great confidence if the wearer of a device was performing a given activity. This information could surely be useful in a criminal investigation.