“Will you help me with my research?” – Professor Willow
In my blog post on Pokemon GO, I discussed some early observations about forensic artifacts stored on a game player’s phone. For an augmented reality game like Pokémon GO which is heavily geolocation based, forensic artifacts related to location, date, and time are of obvious interest.
At Gillware Digital Forensics, we were curious to see what geolocation artifacts were stored within the game player’s phone, and whether it would be possible to determine a Pokémon GO player’s past movements based on the data the application collects.
The Pokedecoder.py Script
One of our super-smart engineers, Maggie O’Leary, who is a level 23 Pokémon GO trainer and enthusiastic app tester helped by writing a Python script. The script, named “pokedecoder.py” parses location artifacts from Android phone data. The script is run by issuing the command:
python pokedecoder.py topDirectory outputfile.xl[x]s
Pokedecoder.py begins by taking the Android “comm.crittercism” folder and gathering the cell IDs of any type of “encounter.”
Cell IDs are 64-bit integers that, when converted to hex, represent a physical location based on the Hilbert Curve. Google’s S2 library helps with the conversion to human readable latitude and longitude.
It isn’t exactly clear what counts as an encounter is at this point. We think “encounters” include essentially any in-game action that triggers an event, such as seeing a Pokémon, hatching an egg, or evolving a Pokémon. If we assume that encounters only include encountering a Pokémon (basing the assumption on the word ‘encounter’), those are still probably the most common events in the game, so there is a decent amount of geolocation data to be gained from encounters.
After collecting the cell IDs of each encounter, the pokedecoder.py script uses the Google S2 library to convert that data to latitude and longitude coordinates. It provides a degree of accuracy for those coordinates and then displays a timestamp for when each encounter occurred.
For the S2 dependency, it is easiest to use Linux and follow the instructions on this Github page: https://github.com/micolous/s2-geometry-library. The Github page also contains instructions for OS X users.
You can learn more about the different forensic insights I’ve gained from my research on Pokémon GO by watching my recorded webinar via the SANS Institute (login required), or checking out the slides from the presentation here.
If you would like to take a look at the script we’ve created, please follow the link below for a free download.