Authors: Lauren R. Pace, LaSean A. Salmon, Christopher J. Bowen, Ibrahim Baggili, Golden G. Richard III

DFRWS USA 2023

Abstract

The rise in popularity of personal Bluetooth trackers has created a need for forensic analysis tools that aid law enforcement in artifact recovery. With 40 million Tile devices reportedly sold at the time of writing, Tile trackers are one of the most popular personal Bluetooth trackers. This growth has not been without consequence, as reports of Bluetooth trackers being used for malicious activities have also escalated. Our work presents a forensic analysis of the Tile ecosystem and the Tile application on iOS, Android, and Windows. This analysis revealed valuable forensic artifacts, including SQLite databases, XML files, cache files, and event logs, that contained a diverse set of sensitive user data. This data included information such as geolocation coordinates from the previous 30 days. As part of our analysis process, we developed an open-source tool capable of parsing these forensic artifacts from the Tile application: Tile Artifact Parser (TAP). TAP parses SQLite databases and virtual memory files, mapping geolocation coordinates and linking them according to timestamps. The ability to quickly and efficiently parse and map these location points provides valuable information in an investigation. TAP also aids investigators by detecting and flagging potentially spoofed data. The robustness of TAP was tested to verify its effectiveness and behavior in cases of incomplete or missing data.
