TomTom Forensics

Introduction: TomTom provides a range of devices for automotive navigation. Depending on the capabilities of the model, several different kinds of information can be acquired, including data commonly found on cell phones. All models have either an SD card slot or an internal hard drive and allow pictures, audio and video files, documents, etc. to be stored. TomTom-specific files may include:

  • Locations
  • Device Info
  • Called list
  • Callers list
  • Text Message Inbox
  • Text Message Outbox
  • Contacts
  • Bluetooth Name and MAC ID
  • User Information

All TomTom models will have a Locations file, which contains the Home address, a list of any recent destinations and sometimes the last journey. Each will also have a device information file, which contains the device serial number, model number, software version and other general information about the device. TomTom Go models can act as a hands-free device for mobile phones and may contain call data, text messages, contacts and a list of paired phones (MAC ID).

Data Acquisition: TomTom devices vary by version as to whether they store information on a removable SD Card or on an internal hard drive. If it is an SD Card, it should be removed and write protected. For added safety, the card reader it is inserted into should be connected to a write-blocked USB port. TomToms do not check whether an SD Card is write protected and will write to it anyway, so it is not forensically sound to write protect an SD Card and re-insert it into the TomTom. If necessary, a clone should be made, preserving the original.

If the TomTom has an internal hard drive, then you will have no alternative but to connect the device to your computer via USB cable. You will have to turn it on in order for it to appear as a device in Windows. The device should be connected to a write-blocked USB port, and a Faraday bag should also be used to ensure that the TomTom cannot establish a lock from the GPS satellites. If it establishes a satellite lock, the device will overwrite the Last GPS Fix information in the CurrentLocation.dat file.

Forensically, it is best to acquire an image of a TomTom device and work from the disk image. AccessData’s FTK Imager is available from the download area or the AccessData Support website and will acquire devices without a license. FTK 1.80 will parse up to five thousand files without a license dongle and is sufficient for devices with hard drives of 2 GB or less.

Security/PIN Code: TomTom devices locked with a PIN code can be put into disk mode and imaged as long as they have software version 7 or earlier. Software version 8, released in Summer 2008, requires the PIN code to be entered before the device will go into disk mode. There is a simple process that will circumvent the required PIN code, unlock the TomTom and allow the data to be accessed.

We will only release the unlock technique to law enforcement. If you need assistance, please use the contact form on this site to make your request and we will email you the process.

Target Files: TomTom Files

  • *.cfg  - Holds Locations.  File name depends on version and is found in a folder with the name of the map. The file name is either 'Mapsettings.cfg' or <name_of_map>.cfg. There may be more than one map installed on the TomTom. The map currently in use can be found by looking at the 'currentmap.dat' file.
  • ttgo.bif or ttnavigator.bif – general device information, model number, serial number, user password (encrypted)
  • Settings.dat - Paired phone ID and MAC address (max 5), plus any other user information (phone nickname, etc.) if entered
  • Called.txt - Name called (if in phonebook), Number called
  • Callers.txt - Name of caller (if in phonebook), Number of caller
  • Contacts.txt - Name of contact, Number of contact. This file only exists if the user has chosen to import their address book from their phone.
  • Inbox.txt – Name, Number, Message, Date & time
  • Outbox.txt – Name, Number, Message
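
An added example (not from the original page or from any tool it names): a read-only triage script that walks a directory of files exported from the acquired image, picks out the target files listed above, and records size and SHA-256 for each so later findings can be tied back to unaltered artifacts. The function names, the labels and the "cfg (unclassified)" category are assumptions of this example.

```python
import hashlib
import os
import sys

# File names taken from the Target Files list; labels are this example's own.
TARGETS = {
    "ttgo.bif": "device info", "ttnavigator.bif": "device info",
    "settings.dat": "paired phones", "currentmap.dat": "map in use",
    "currentlocation.dat": "last GPS fix",
    "called.txt": "numbers called", "callers.txt": "calls received",
    "contacts.txt": "phone contacts",
    "inbox.txt": "SMS inbox", "outbox.txt": "SMS outbox",
}

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks; the file is opened read-only."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def classify(name, folder):
    """Return a label for a target file, or None if it is not on the list."""
    lower = name.lower()
    if lower in TARGETS:
        return TARGETS[lower]
    if lower.endswith(".cfg"):
        # The locations file is 'Mapsettings.cfg' or <name_of_map>.cfg,
        # stored in the folder named after the map.
        stem = lower[:-4]
        return "locations" if stem in ("mapsettings", folder.lower()) else "cfg (unclassified)"
    return None

def inventory(root):
    """List target files under root with size and SHA-256, sorted by path."""
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            kind = classify(name, os.path.basename(dirpath))
            if kind is None:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            rows.append({"path": rel, "kind": kind,
                         "size": os.path.getsize(full), "sha256": sha256_file(full)})
    return sorted(rows, key=lambda r: r["path"])

if __name__ == "__main__":
    for row in inventory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(row["sha256"], row["size"], row["kind"], row["path"], sep="\t")
```

Point it at files exported from the image, not at the device or the original SD card. Matching is case-insensitive because file name casing varies between software versions.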

Data Analysis: TomTom devices will typically store information relating to the owner’s home address and a list of their ‘Favorite’ locations. If a user chooses to navigate to their Home, a Favorite or an address entered as a destination, this information is stored in the ‘Recent destination’ file that ends with a .cfg extension.

.cfg files contain:

  • Home location
  • Favorites
  • Manually entered addresses
  • Details of Last Journey (if entered)
  • Last GPS Fix of the device

For each of the locations, a Latitude and Longitude is stored along with an automatically assigned name, a user-editable name and a house number. The file also stores how the user chose to navigate to the address (entering the postal code, selecting it from the favorites list, etc.).

TomTom devices can be paired to a mobile phone and used as a hands-free kit in the car. If this has happened, it is possible to recover information that an examiner would normally find in a mobile phone. These files are text files and can be viewed with any text editor.

‘Contacts’ folder contains: (earlier versions have these files in the root folder)

  • The contacts list from the mobile phone previously connected
  • List of numbers called
  • List of calls received
  • Sent/Received SMS messages

Unallocated Space - Useful information can be found in the deleted space on a TomTom. If the user has ‘reset’ their device, then no live information will be available. The deleted space will also hold records of previous journeys plotted and, potentially, the actual GPS position of the device when each journey was plotted and its last GPS fix for that journey.

Last Journey - When a journey is plotted using a TomTom, it takes the current GPS Position of the device as the start point of the journey. Until the destination is reached, the TomTom stores both the Origin and the Destination. If a wrong turn is taken during the journey, the TomTom will initially attempt to make the user turn around or will try to steer the user back on to the route. If this fails, the TomTom will be forced to re-plan the journey, and it will again take the current GPS Position as the origin, leaving the destination the same. When examined, the Last Journey Origin will be a place where the TomTom has been, but it may not be the place the entire journey started from.

Last GPS Fix - The TomTom always records where it is when it has a GPS fix; this is the ‘Last GPS Fix’. It may be mid-journey if the TomTom was turned off mid-journey, or it may be a place where the TomTom has been turned on since. Like the ‘Last Journey Origin’, this is a place where the TomTom has been. The last GPS fix can be found in the CurrentLocation.dat file and is only available on newer TomTom devices. Older models may store the information in the .cfg file.

Recommended Seizure Techniques: Like any other GPS device, TomToms are continuously collecting information and writing data to memory whenever they are powered on. When a device is seized, power the unit off and do not turn it on until you are ready to examine it. Turning off a TomTom device that is password protected will not prevent you from accessing the device with a computer if it has version 7 software or earlier. For devices with version 8 software or newer, refer to the Security/PIN Code section above. When you are ready to examine the device, you should be indoors and away from windows so the device does not have a clear view of the sky. A Faraday bag should be used to ensure that the TomTom cannot establish a lock from the GPS satellites. If it establishes a satellite lock, the device will overwrite the Last GPS Fix information in the CurrentLocation.dat file.

Tools: A full review of these tools and others can be found under the Product Review section of this website.

TomTology - TomTology is a forensic tool used for examining TomTom satellite navigation devices. It provides users with the capability to decode live data (Home Location, Favorites, Recent Destinations, Last Journey Start and End Point, Stored Phonebook, Called Phone Numbers, and Received Phone Numbers), automatically retrieve deleted journeys from unallocated space, locate deleted phone numbers, export all or selected locations to Google Earth, and produce detailed HTML reports. TomTology will automatically perform a full analysis of a TomTom, including unallocated space.

EnCase Enscript - There is also an EnCase Enscript available to parse files from an image file using EnCase. It is freely distributed to forensic examiners. Contact us for information or to request a copy.

 

SatNav and GPS forensics is a continuously evolving specialty. The site contributors make every effort to stay on top of technology and document the “best practices” for seizing devices, acquiring the data, and analyzing the information. If you come across additional information, errors on this site or contradicting information, please use the contact form to let us know.