The Buzz About HummingBad
July 14, 2016
Case Study: Employee Data Theft
July 25, 2016
Show all

Oh, No – Pokémon Go! A Sneak Peek at Forensic Artifacts

A Sneak Peek at Pokémon Go Application Forensics

UPDATED 7/22/16 – Thanks to Warren Raquel (@warquel) a Senior Security Engineer at the National Center for Supercomputing Applications, Android location information has been SOLVED! See the Android Location Information section below.

“Some trainers have no fear. To them this is just one more challenge. They follow their hearts. That is what sets them apart, and will make them Pokémon Masters.” – Miranda, Pokémon: The First Movie

Pokemon Go Gameplay

Go, Pokémon Go!

I admit it. I was anxious to play Pokémon Go, the hot new “augmented reality” app. Not because I follow the newest styles and trends. Not because I spend a lot of time playing games on my phone. Not because I wanted to join zombie-like hoards in blind pursuit of invisible pocket monsters. I was anxious to play after reading about the application’s Gmail privacy issues. I really wanted to see what the app stores on the phone it’s installed on.

And for that, I needed test phone data!

I installed the app on a test iPhone and Android devices, created a “Trainer” account with a test Gmail account, and went to work…. er, play. Sometimes it turns out that work and play are one and the same. In the name of science.

Shortly after installation, I found myself in position to capture a blue, swirly, Poliwag near a curb. A few seconds later, “Gotcha!” Less than a minute later, up popped a Pidgey, in the middle of the road. So I stopped to grab him too, fully aware that I was in the middle of the road. I quickly gained insight into how this game could get dangerous.


Things got strange pretty quickly. As I walked down towards the Wisconsin National Guard, Pokémon Go alerted me that there was a Pokestop and two Pokémon to be captured – behind the fence. Restricted AreaI decided not to go there. And as I swung my cell phone camera towards the secured area, I wondered if the images I might capture were going anywhere. And if so, where? Hundreds and thousands of Trainers running around the world photographing every nook and cranny in the name of capturing imaginary creatures? Conspiracy theorists will be having a field day. Gate guards will be having headaches!

I returned to the Gillware offices to find that my research was generating interest and enthusiasm. Or maybe it’s that I’m working with like-minded people. Either way, the Gillware gang was also busy gathering data for research purposes (and fun, too), and they were anxious to share what they were finding with me. So, we sat down at lunch and geeked out over the forensic possibilities. Here’s a little bit of what we found:

Pokémon Go on iOS

The iOS test phone data I used contained data for a level 20 Pokémon Go trainer (that’s a lot of research, right?). I performed a file system extraction using Cellebrite Physical Analyzer, and examined the data using a variety of mobile forensic tools – Physical Analyzer, Oxygen Forensics Suite 2015, and Magnet Axiom. The basic file system for the Pokémon Go app looks like this on iOS:

iOS Pokémon Go basic file structure.

iOS Pokémon Go basic file structure.

Forensic Artifacts – iOS

Much of the data we’re interested in from a forensics standpoint on the iOS version of Pokémon Go is located in .plist files and .sqlite database files within the app. In fact, a number of the .sqlite database files located within the app contain embedded .plist files.

The com.nianticlabs.pokemongo.plist file contains the plain text Pokémon Go trainer user name and device information including the iPhone model number and iOS version, carrier information, and related data, and a hashed device ID.

pokemon go data


iOS Date and Time Stamps

The data stored in the “bundles” directory was not in human readable format, and is encoded or encrypted. The date and time stamp for each of the blob-like files corresponds to when the game was being played. For now though, I have yet to answer the question about where those pictures are going, and also about how and if geo-location data related to user activity is stored within the app. If it is, it’s likely in those mysterious “bundles,” or maybe in the “com_upsight” folder.

The “com_upsight” sub directory in the Application Support folder contains three SQLite database files, each of which has multiple .plist formatted entries. A Google search shows that Upsight is a marketing and analytics platform for web & mobile application developers that assists in improving engagement and tracking user behavior. I’m still working on the .plist files stored there. Their dates and times also correspond with user activity. From a forensics standpoint, date and time stamps from these files can help us determine whether the game was being played when a particular incident happened.

Pokémon Go on Android

The Android test phone data I used contained data for a level 5 Pokémon Go trainer. I performed a file system extraction using Cellebrite Physical Analyzer, and examined the data using Physical Analyzer, Oxygen Forensics Suite 2015, and Magnet Axiom. The basic file system layout for the Pokémon Go app looks like this on Android:


Pokémon Go data

The com.nianticlabs.pokemongo.PREFS.xml file contains the account name for the user in plain text:

Pokémon Go data

Android Date and Time Stamps

Inside the app data for the Android device there are a variety of Pokémon Go “encounter” dates and times logged in the com.crittercism folder in the subdirectory named “f”. Crittercism (now known as Apteligent) is an Application Performance Management system. I don’t know at this point in my research whether all events are logged or only events related to errors. Either way, there are a large number of individual files with the naming format 1.1468422937026.00000000X (where X is a sequentially progressing number) which contain really interesting data.

When these files are sorted by date/time, the sequential nature of the file names is clearly noted.

Date and time information is contained in text within the file in the format “YYYY-MM-DDTHH:MM:SS.MMM+00000”, in addition to specific information about the event being logged. I noted a 5 hour offset in the time stamp. For example, the time stamp “2016-07-13T17:55:06.986+0000” corresponds to a file dated 7/13/2016 at 10:55 PM.

sequential log filesLogged events appear to include:

  • Application errors
  • Application loads
  • Session starts
  • Session finishes
  • Wild Pokémon encounters
  • Pokémon captures
  • Encounter updates
  • Successful encounters of wild Pokémon
  • Additions of wild Pokémon
  • Attempted encounters
  • Caught Pokémon
  • Cell removals

This is good for forensic examiners. If we need to know whether someone was playing Pokémon Go at the time of a particular incident – say for example an armed robbery or a traffic accident, these Android based application files will be of great assistance.

Each of these files is a logged event in plain text that gives a short explanation of the event being logged and the time stamp. Location Information appears to be identified as “cells” with a long numeric number. It seems logical that these cells are likely mapped to GPS coordinates, but I’m still researching this.

Android Location Information -UPDATED 7/22/16

Collaboration is an amazing and rewarding thing. Thanks to Warren Raquel (@warquel) a Senior Security Engineer at the National Center for Supercomputing Applications, the Android cell location mystery has been SOLVED! Warren somehow came across this post and reached out to me shortly after it was published to tell me he had some theories about the location cell identifiers I had described above. He asked for some test data to work with.

I was exceptionally happy to have a new member of team Pokémon Go Forensics, and obliged. I sent him six examples of various cell identifiers from different Crittercism log files. Here’s what the data I sent him looked like:

crittercism cell logs

I have highlighted each individual entry so that you can see them better. Remember, each of these log entries would be stored individually in the native app as its own file, using a file name similar to 1.1468422937026.00000000X. I pointed out that each cell identifier was 19 digits long, as were the identifiers associated with the various Pokémon encountered. I theorized that they were encoded somehow and/or mapped to an unknown index.

Warren theorized that the 19 digit cell ID number could be two concatenated numbers which, when divided by 1e6 resulted in lat/long information. I found this post, and thought he was likely onto something.We both went to work (or is it play?).

Warren took the cell ID numbers and played with them in various ways. Shortly later, he emailed me and sent me the cell numbers converted to Hex:

Int -> HEX


And he apologized (yes, really!). He’d been wrong and messed up the conversions. It didn’t work. He said he hoped he’d been of some small help. Are you kidding me? Every little bit helps. Knowing the wrong answers gets us closer to the right ones. That’s science. Warren made some guesses (let’s call these alternate theories) and we both went back to the drawing board.


Warren emailed me this morning to let me know he’d had a Pokémon Go “Gotcha!” moment. He captured this difficult artifact with a great deal of persistence and diligence. The cell numbers refer to Google’s representation of the global map in a Hilbert Curve. He used the s2 library in order to convert one of my example cell ids (8806542340000000). Here’s the output:

>>> import s2
>>> str(s2.S2CellId_FromToken(“8806542340000000”).ToLatLng())
‘[43.1182500, -89.3309966]\x00’
>>> s2.S2CellId_FromToken(“8806542340000000”).level()

Yep! That’s right in the Gillware neighborhood! Here’s what that location looks like on a map:

mapFor those mapping and python scripting geeks out there, here’s a great presentation on the S2 library and google’s map coordinate system. I’m guessing it won’t be too long before we have scripts to parse out Pokémon Go location information from the Crittercism folder in the Android app.

As far as the 19 digit encounter ID is concerned, Warren and I both think that it’s likely a 64bit representation of a particular Pokémon that contains bits to represent characteristics like type of Pokémon, strength, and that sort of thing. I’ll be looking into my Pokédex to make some comparisons, for sure. Thanks again, Warren (@warquel) for the time and effort you took researching this location artifact and figuring out the cell location mystery. Nicely done!

The Android App

I used the tools and tips from last week’s HummingBad post to peek into the Pokémon Go app. There’s a lot there to get through, but it gives some insight into some of what we see stored on the phone itself, and potentially about the way data is stored on the device and where it might go. Here’s what the layout of the apps classes looks like in Dex2Jar:

App Structure

And there we find Crittercism and Upsight again, not to mention a whole lot more clues, hints, and questions to be answered. Our research on Pokémon Go is a work in progress, and a fun one at that! I look forward to compiling all of the cool and interesting artifacts we’re finding and sharing them in a future post. Pokémon are being collected at Gillware, and so is test data. Before too long, the unanswered questions posed here will be answered and that new ones will pop up in front of us.

That’s the way forensics goes most of the time, and part of why it’s such an adventure. Anything you dig into can potentially send you down another interesting path in pursuit of forensic artifacts. And digging into an app like Pokémon Go is just as much fun (if not more) than playing the game itself.


  1. Eric says:

    Great idea! Sounds like fun too. Thanks for posting

  2. Hi Cindy,

    Thank you for the great and informative blog. I myself have been playing and testing it out to see the artefacts it leaves behind. It is in my opinion one of the biggest suppositories of data from what I can see. Maybe as a point of reference have a look at Ingress which is the basis it was built off. It was very interesting to compare the two. Keep up the excellent work.

  3. Really cool post – I was also wondering what kind of data was being stored by Pokemon Go as I was chasing a Charmander down the street yesterday. The app is an unlikely but creative place to look for digital artefacts. There will probably be no shortage of users that have it – my local university’s campus is full of large groups of people staring intently at their phones without saying a word.

    Either way, really interesting article.I look forward to see what you discover in terms of the user’s geolocation data and if something, ah, interesting is being done with any captured AR images.

  4. Becky says:

    I am clearly working for the wrong company! Awesome article. Work and fun combined! Dad would be proud!

  5. Dave Russell says:


    Enjoying reading your blog posts, good stuff! The Pokemon bit is particularly interesting given its extreme popularity, and it’s been something that I think most of us security researchers have been a little on edge about. Good to know that our suspicions seem to be reasonably well-founded. Keep up the awesome work!

  6. […] I really wanted to see what the Pokémon Go app stores on the phone it's installed on. So we got a test phone and installed the app to test it out.  […]

  7. […] A very informative blog post about forensic artifacts left by the popular Pokémon Go app! Read more here: […]

  8. Wade says:

    Thank you for the post Cindy! Very interesting, and fun to learn about what you have found!

  9. Swapnil Goud Tadkal says:

    Hello Cindy,
    Your investigation has been of great help for me.
    I was working on a project “Pokemon Go and its forensic Artifacts” and your your information has given a good heads up for my investigation and paper.

  10. Chris says:

    Hi Cindy,

    Do you have any details on how, for example, 9801614157982728192 was converted to 8806542540000000? I’m not able to make the connection.

  11. Carlos Gil says:

    Can you confirm if there is an accessible database with the data for the pokemon that you have caught? (names, CP, whatever)

    • Ashley Toy says:

      Hi Carlos,

      Our investigators have found where the information would likely be located, but have not yet interpreted the data to confirm. The artifacts related to a player’s location and usage time inside the game are more valuable from a forensic investigation standpoint, so interpreting those took priority. For example, if someone ran a red light and caused a traffic accident while playing the game, the location/time information would be most useful.

      Our investigators also have other forensic casework to focus on so unfortunately Pokemon hasn’t been able to be their top priority. 🙂

      Cindy talks a lot about the different artifacts found in this recorded webinar:

      Ashley at Gillware

  12. Albert says:

    BTW, there was extensive analysis a month ago of the RPC protocol spoken by the game servers and the data sent and received by the game, including device sensor and location data. (That would have clarified your mystery of the s2 cell IDs!). It uses Google’s protobuf format extensively. See e.g. and

    A note is encounter IDs are derived from their spawn points (also s2 cell IDs) which have fixed cycles, and Pokémon stats for encounters are sent separately.

  13. Jürgen Lehmann says:

    Maybe someone could help. We found on an HTC desire 626ph the files upsight.db and upsight.db-journal. The timestamp is 18. August 2016, 21:34 h. Exactly at that time the mobil was in an car, and the driver crashed in another car. 2 people nearly died. Could anyone explain us, when this two files are written? Are they written, when you start PokemonGo?
    Unfortunally we can read this type of phone only in logical mode with UFED 5.2.5. XTC2Clip does not work for physical extraction.
    kind regards

    Jürgen from Germany

Leave a Reply

Your email address will not be published. Required fields are marked *