This repository contains a writeup of research done on forensic artefacts found in the map_cache.db database used by apps built with Google's Maps SDK.
The writeup has been submitted for publication on https://dfir.pubpub.org/ and can be found in the dfir_review directory.
Accompanying the writeup is code that can be used to reproduce the results and to perform your own experiments and analyses. The code can be found under the src directory.
Create a virtual environment and install the dependencies:

```shell
python3 -m venv venv
. venv/bin/activate
python3 -m pip install -r requirements.txt
```
Decrypt a map_cache database:

```shell
python3 src/decrypt_map_cache.py <KEY_PATH> <DB_PATH> <OUT_PATH.geojson>
```
Record your own (short) experiment for later analysis and visualization using adb access to a rooted device (an AVD is recommended).
Note that this deletes the existing map_cache.db on the device, so that the experiment starts from a clean cache and the resulting traces are easier to interpret.
A screen recording of the device will start, and the device location will be polled periodically.
You can then manually perform actions on the device to produce traces:
- Pan and zoom the map
- Replay a GPS route
```shell
python3 src/experiment.py
# Press ctrl-c to stop; output is saved in /tmp by default

# Decrypt the pulled map_cache
python3 src/decrypt_map_cache.py /tmp/map_cache.key /tmp/map_cache.db /tmp/experiment.geojson
```
Visualize your experiment side by side with the cached tiles using the example cells in src/visualize.ipynb.