Now, with the advent of more and more apps focusing on mapping I may be dating myself. If you’ve ever purchased a GPS enabled device from someone, did you check that it was factory reset? Some amount of digital forensics could be worse for you than the loose lipped hunting partner you have.
Often I trawl Facebook marketplace, Craigslist, and other places for good deals on hunting gear or electronics that are on my wish list. That’s how I found the ill-fated Garmin Monterra I loved so much. It’s also where this idea first came to me.
Digital Forensics on Outdoor Gear
See, I bought the unit in 2015 off an eBay user that was offering a decent discount on the unit. When it arrived on my doorstep it had all the accessories and was, as described, gently used. However, I noticed when charging and powering it up that it had been previously customized. See, the selling points of the Monterra unit were that it ran on Android, had WiFi, a camera that automatically geotagged, and more. What I found when downloading the original data to my computer was that the user had taken selfies from their home with the camera, but also left marked waypoints and trails from hiking on the unit!
Had the person been a hardcore hunter or angler I’d have just picked up a little black book of hunting locales. Had that person not lived across the country I’d have had waypoints I could scope out in person, or hints I could further research to become my own.
Should this unit have been factory wiped before sale? Absolutely. Does it seem ethically dubious to take “their” spots, even if located on public land? Maybe. Finders keepers? Don’t know.
On an early Meateater podcast I’d listened to, Steven Rinella speculated on the value of an elder hunter’s “little black book” of hunting locations. What would the encyclopedic knowledge of the Shockey family’s spots be worth? While most older hunters I’ve encountered are a little more free lipped about places they’re unlikely to hunt again, others are far more protective and rightfully so. They put their time into finding spots, and it seems likely that if they pass those spots down it would be to friends and family, not complete strangers.
Looking at the Humminbird Helix
I recently started ice fishing with a friend of mine. We rented a Humminbird Ice 55 from our base gear shop, and it was nice but we had to share it with every other sergeant running around central Colorado. So towards the end of the season on the Front Range I began deal hunting. Looking for a flasher or a fancy GPS enabled fish finder with an ice fishing kit.
Looking through Facebook Marketplace there were actually a lot of options. A few pages of Marcum, Vexilar, and Humminbirds were available in mid March when the first lakes iced out in the Front Range. So I took a shot.
I found a deal on a Humminbird Helix 7 with the ice transducer and battery. It took more than a little logistics between us and a friend in Colorado Springs to be able to make it happen, but $370 later I had a used fish finder equally good on the ice as it was off.
True digital forensics experts, avert your gaze. There’s no low level inode scrubbing, I probably won’t be booting into Kali to mount the SD card. But what I will be doing is pulling the card, and checking the waypoints, trails, and any user notes and settings.
Dumping the Waypoints
In the end it was an easy task. Following the instructions from Humminbird’s website I inserted a 32GB MicroSD card and was able to dump the saved waypoints. The unit actually had very little use and only had five waypoints stored in ice fishing mode. Moving the MicroSD card over to the reader on my computer, I found the file of interest: DATA.HWR. I flashed a grimace across my face. In order to get this into OnX maps I’d need to convert it.
I had a couple of options: you can use gpsbabel on a Linux box, or use one of a few online webapps to convert the file to KML or GPX — something that most apps can understand. GPS Visualizer has just such a web front end for gpsbabel, allowing me to quickly and efficiently convert the file.
Now you have a Data.GPX (GPS Exchange Format) file that you can import into web mapping software like OnX Maps, Gaia, HuntStand, or your favorite mapping app of choice. I imported it into OnX quickly, and was able to review the spots. Will they produce fish? Who knows! Unfortunately for me, the ice on those lakes is all but gone. I might get to them during the summer, but I likely won’t hit them again until hardwater season. Thanks for the tips, unwitting stranger!
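To see what an exported file gives away before a unit changes hands, this added example (not from the original post) inventories a GPX file's waypoints, track points, timestamps and bounding box. The sample GPX, its names and its coordinates are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample standing in for a converted Data.GPX; coordinates are made up.
SAMPLE_GPX = """<gpx version="1.1" creator="constructed" xmlns="http://www.topografix.com/GPX/1/1">
  <wpt lat="39.1000" lon="-105.5000"><time>2020-01-15T14:02:00Z</time><name>hole 1</name></wpt>
  <wpt lat="39.1040" lon="-105.4920"><name>hole 2</name></wpt>
  <trk><trkseg>
    <trkpt lat="39.0900" lon="-105.5100"/>
    <trkpt lat="39.1000" lon="-105.5000"/>
  </trkseg></trk>
</gpx>"""


def _local(tag):
    """Strip the '{namespace}' prefix so GPX 1.0 and 1.1 files parse alike."""
    return tag.rsplit("}", 1)[-1]


def inventory(gpx_text):
    """Summarize the location data in a GPX document you exported yourself."""
    # ElementTree is not hardened against hostile XML; only feed it your own files.
    root = ET.fromstring(gpx_text)
    report = {"waypoints": [], "track_points": 0, "route_points": 0,
              "timestamps": 0, "bbox": None}
    lats, lons = [], []
    for el in root.iter():
        kind = _local(el.tag)
        if kind == "time":
            report["timestamps"] += 1  # timestamps reveal when someone was there
        if kind not in ("wpt", "trkpt", "rtept"):
            continue
        lat, lon = float(el.get("lat")), float(el.get("lon"))
        lats.append(lat)
        lons.append(lon)
        if kind == "wpt":
            name = next((c.text for c in el if _local(c.tag) == "name"), None)
            report["waypoints"].append((name, lat, lon))
        else:
            report["track_points" if kind == "trkpt" else "route_points"] += 1
    if lats:  # (min_lat, min_lon, max_lat, max_lon) of everything recorded
        report["bbox"] = (min(lats), min(lons), max(lats), max(lons))
    return report


if __name__ == "__main__":
    print(inventory(SAMPLE_GPX))
```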
That Was Too Easy!
Yep. With the Humminbird Helix it was as easy as dumping your waypoints to a spare MicroSD. Ultimately the low hanging fruit for digital forensics on these types of devices is data that hasn’t been hidden at all.
Now, the average user won’t be able to recover data from the internal storage once it’s deleted — and it’s beyond the scope of this post. However, there are options to recover deleted data from an external MicroSD card. That’s where real digital forensics comes in. For this exercise I simply deleted the data from the MicroSD I just exported. This will emulate to an extent a user doing a factory wipe of a device that had a MicroSD still in it.
Recovering the Deleted Data
To begin this experiment I fired up a Kali Linux virtual machine in VMware Player. After logging in, I fired up a terminal window. To take a quick and easy image of the microSD card in question you can mount the reader and then run:
    sudo dd if=/dev/sdb of=sd_image.img bs=512
Bear in mind you need as much free space as the hard drive you’re recovering from. Despite that being a MicroSD card the size of a fingernail, the image will be 32GB in size. This will take a while.
Next, we’re going to run PhotoRec, a free and open source photo recovery app that’s already loaded on your Kali image, and point it at the sd_image.img file you just created.
    sudo testdisk sd_image.img
This will launch a text user interface where you can select the partition, and where to put the recovered files. Let it run, this may take a while depending on the files recovered and the size of the image. Once it finds the partition of your choosing, browse for deleted files.
Looks like we found what we were looking for! The deleted DATA.HWR file is sitting there waiting to be recovered. It was the same 288 byte file that resulted in 5 waypoints being recovered. Easy peasy undeletey.
What You Should Do
When you get ready to finally sell your gear, make sure to give it a factory reset. If a fishfinder has a map card, ensure that waypoints aren’t stored on there. If it’s a handheld GPS ensure that it gets a factory reset. Then probably reset it again if you value those waypoints. Trail cameras should have their cards wiped, and look on the websites for cellular cams to see if there’s a recommended procedure for unlinking them from your account.
The idea is that you’re looking to remove ties to you and your spots, markers in digital forensics that will lead to you.
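A check to run on your own card before it leaves your hands, as an added example that is not part of the original post: it scans a raw image such as sd_image.img for sectors that still hold data and for byte patterns typical of GPX/KML waypoints and EXIF photos. The signature list and the sample image builder are assumptions constructed for illustration; the binary layout of DATA.HWR is not covered.

```python
import re

SECTOR = 512  # same unit as the bs=512 dd image

# Patterns that betray location data (illustrative, not exhaustive): GPX and KML
# tags, and the JPEG header + EXIF marker that geotagged photos begin with.
SIGNATURES = {
    "gpx_waypoint": re.compile(rb"<wpt\s+lat="),
    "kml_placemark": re.compile(rb"<Placemark"),
    "jpeg_exif": re.compile(rb"\xff\xd8\xff\xe1..Exif\x00\x00", re.DOTALL),
}
OVERLAP = 64  # bytes carried between chunks so a split signature is still seen


def scan_image(path, chunk_sectors=2048):
    """Return (nonzero_sectors, {signature: [byte offsets]}) for a raw image."""
    nonzero, pos, tail = 0, 0, b""
    hits = {name: [] for name in SIGNATURES}
    with open(path, "rb") as img:
        while chunk := img.read(SECTOR * chunk_sectors):
            for i in range(0, len(chunk), SECTOR):
                sector = chunk[i:i + SECTOR]
                if sector.count(0) != len(sector):  # any byte other than 0x00
                    nonzero += 1
            window = tail + chunk
            for name, rx in SIGNATURES.items():
                for m in rx.finditer(window):
                    if m.end() > len(tail):  # skip matches already reported
                        hits[name].append(pos - len(tail) + m.start())
            tail, pos = window[-OVERLAP:], pos + len(chunk)
    return nonzero, hits


def build_sample_image(path, wiped=False, sectors=64):
    """Write a constructed image: leftovers of a 'deleted' GPX file and photo."""
    data = bytearray(SECTOR * sectors)
    if not wiped:
        gpx = b'<wpt lat="39.0000" lon="-105.0000"><name>constructed</name></wpt>'
        start = 10 * SECTOR - 5  # deliberately straddles a sector boundary
        data[start:start + len(gpx)] = gpx
        jpeg = b"\xff\xd8\xff\xe1\x00\x10Exif\x00\x00"
        data[30 * SECTOR:30 * SECTOR + len(jpeg)] = jpeg
    with open(path, "wb") as f:
        f.write(data)


if __name__ == "__main__":
    build_sample_image("sample_used.img")
    print(scan_image("sample_used.img"))
```

A card that has only had its files deleted reports non-zero sectors and signature hits; one that was fully overwritten with zeros reports none.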