Weather data is a great place to find location artifacts. Physical Analyzer parses the weather plist from iOS; for Android, however, weather data is not always parsed.

Android Weather Data

There is a file on Samsung devices named Weather Clock. It gives you the date and time, along with additional information about the most recent location, such as cloud conditions, current city, latitude/longitude, timezone offset, and much more.

However, when you follow the source data to the file system, you will see that there is a write-ahead log associated with this. You’ll want to examine this write-ahead log as it stores other information about where the phone user has been.

In the video, you’ll see that I conducted a physical search by clicking on the magnifying glass in the Hex View. Then, in the Find menu, I searched for Location Name. When the search is done, you will notice that every location name has a timestamp.
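
The same kind of keyword search can be run over the write-ahead log outside the Hex View. The following is an added example, not code from the original post or from Physical Analyzer: assuming the log is a standard SQLite `-wal` file, it walks each frame and reports which frames contain a search term, so earlier values that the live database no longer shows are still found. The file name, table, and city names are constructed sample data; the actual Weather Clock schema is not shown in this post, and frame checksums are not verified here.

```python
import os, sqlite3, struct, tempfile

def wal_frames(wal: bytes):
    """Yield (frame_index, page_number, salts_match_header, page_bytes) per WAL frame."""
    if len(wal) < 32:
        raise ValueError("too short for a WAL header")
    magic, _ver, page_size, _ckpt, salt1, salt2 = struct.unpack(">6I", wal[:24])
    if magic not in (0x377F0682, 0x377F0683):
        raise ValueError("not a SQLite WAL file")
    off, idx = 32, 0  # frames start after the 32-byte file header
    while off + 24 + page_size <= len(wal):
        pgno, _commit, fs1, fs2 = struct.unpack(">4I", wal[off:off + 16])
        # Salts that differ from the header mark frames left over from an
        # earlier WAL cycle: ignored by SQLite, still worth examining.
        yield idx, pgno, (fs1, fs2) == (salt1, salt2), wal[off + 24:off + 24 + page_size]
        off += 24 + page_size
        idx += 1

def find_keyword(wal: bytes, keyword: bytes):
    """Return [(frame_index, page_number, salts_match, [offsets])] for matching frames."""
    hits = []
    for idx, pgno, salts_ok, page in wal_frames(wal):
        offsets, pos = [], page.find(keyword)
        while pos != -1:
            offsets.append(pos)
            pos = page.find(keyword, pos + 1)
        if offsets:
            hits.append((idx, pgno, salts_ok, offsets))
    return hits

def build_sample_wal(cities):
    """Constructed sample: one-row table rewritten once per city, WAL not checkpointed."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample_weather.db")  # hypothetical file name
        con = sqlite3.connect(path)
        con.execute("PRAGMA journal_mode=WAL")
        con.execute("PRAGMA wal_autocheckpoint=0")
        con.execute("CREATE TABLE weather_info(id INTEGER PRIMARY KEY, location_name TEXT, updated INTEGER)")
        con.commit()
        for i, city in enumerate(cities):
            con.execute("INSERT OR REPLACE INTO weather_info VALUES (1, ?, ?)", (city, 1700000000 + i * 3600))
            con.commit()
        with open(path + "-wal", "rb") as f:  # read before close() checkpoints it
            wal = f.read()
        con.close()
    return wal

if __name__ == "__main__":
    wal = build_sample_wal(["Austin", "Denver", "Seattle"])
    for city in (b"Austin", b"Denver", b"Seattle"):
        print(city.decode(), find_keyword(wal, city))
```

On an extracted `-wal` file, pass its bytes to `find_keyword` with the term of interest and review the reported frames and offsets in a hex viewer.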

Watch this episode for a step-by-step walkthrough.
