Forensic Science International: Digital Investigation
Volume 45,
June 2023
, 301555
Author links open overlay panel, ,
Abstract
This paper studies the post-mortem digital forensic artifacts left by the Android Zepp Life (formerly Mi Fit) mobile application when used in conjunction with a Xiaomi Mi Band 6. The Mi Band 6 is a low-cost smart band device with several sensors that allow for health and activity monitoring, collecting metrics such as heart rate, blood oxygen saturation level, and step count. The device communicates via Bluetooth Low Energy with the Zepp Life application, which displays its data, provides some controls, and acts as a bridge to the Internet.
We study, from a digital forensics perspective, the Android version of the mobile application in a rooted smartphone. For this purpose, we analyze the data repositories, namely its databases and XML files, and correlate the data on the smartphone with the corresponding usage of the Mi Band device. The paper also presents two open-source scripts we have developed to ease the task of forensic practitioners dealing with Zepp Life/Mi Band 6: ZL_std and ZL_autopsy. The former refers to a Python 3 script that extracts high-level views of Zepp Life data through the command-line, whereas the latter is a module that integrates ZL_std functionalities within the popular open-source Autopsy digital forensic software. Data stored on the Android companion device of a Mi Band 6 might include GPS coordinates, events and alarms, and biometric data such as heart rate, sleep time, and fitness activity, which can be valuable digital forensic artifacts.
Introduction
Since the inception of the first Apple's iWatch in 2015, smartwatches – that is, digital devices worn at the wrist – have been gaining popularity, merging commodity features such as phone calls and message notifications, with activity tracking, acting as an appendix of the ubiquitous smartphone. This popularity trend has increased with the emergence of low-cost and feature-charged wrist-worn devices, also known as smart bands (Canalys Newsroom, 2021). Examples include Samsung Gear Fit, Huawei's Band, Huami's Amazfit Band, and Xiaomi's Mi Band, to name just a few. Smart band devices can perform basic functions such as timekeeping, alarm clock, displaying received SMS, and notifying of incoming phone calls or messages. They can also perform more advanced functions such as triggering the paired smartphone to ring to facilitate its localization, or displaying the weather prediction for the next few days. In addition, they can also collect health metrics, such as heart rate, level of blood oxygen saturation, perform sleep analysis, and track calorie consumption, as well as gather activity-related metrics, such as steps taken, running, biking, or pool swimming.
A significant portion of a smart band's usefulness comes from its companion mobile application, which is usually a vendor-specific app that runs on a smartphone and communicates with the smart band via Bluetooth Low Energy (BLE). The companion app is an essential part of the smart band/smartphone pair, as it receives and processes data collected by the band and provides internet connectivity for tasks such as uploading data to the band vendor's cloud, downloading firmware updates for the band, or simply accessing weather forecast data.
Smart bands companion apps also serve as a rich source of digital forensic evidence, as they gather a vast amount of sensitive personal information and usage patterns, which can be used to reconstruct the user's activities and provide valuable insights into criminal investigation (Kim and Lee, 2020; Reedy and Houck, 2023). For instance, heart rate may provide evidence on the time of death of a victim, as it was the case in a murder in the USA in 2015, where data from the Fitbit device worn by the victim was used to establish a precise time of death and refute the alibi of a suspect (BBC News; Dorai etal., 2018). The murder in the USA of Karen Navarra in 2018 is another case where data from a Fitbit device worn by the victim assisted investigators in contradicting the alibi of the suspect, as the victim's heart rate soared then slowed and stopped in a period coincident with the suspect's presence at the victim's house (BBC News, 2018). In the Crouch case, heart data rate from a biometric watch worn by the victim along with the paired smartphone was used to disprove the alibi of the main suspect (BBC News, 2021). UK's Mitesh Patel case is another example where data from the suspect's Fitbit showed intense physical activity following the female victim's death, contradicting his testimony (Franqueira and Horsman, 2020). Recognizing the growing importance of adequately assessing mobile and wearable devices, Scotland Yard has announced plans to strengthen its resources for collecting data from wearables and IoT devices, namely FitBit, doorbells, and others (France, 2021).
This paper analyzes the digital forensic artifacts left by the Zepp Life Android application (formerly Mi Fit) coupled with the Mi Band 6. The Mi Band is a lineage of low-cost wrist-worn wearable activity monitors. Version 6 is identified as Mi Band 6 and packs a vast set of activity-related features for a cost of around 35 euros. Its long list of features, low price, and several-week-long battery life have made the Mi Band a commercial success, with each model selling several million units and establishing itself as a market leader in the realm of smart bands (Canalys Newsroom, 2021). For instance, in Q2 2021, Xiaomi sold around eight million Mi Band 6, leading the market with a share close to 20% (Canalys Newsroom, 2021). This market leadership is also visible for the Mi Band default companion application – Zepp Life – whose Android version has more than 100 000 000 downloads, and over nearly 2 500 000 reviews in Google Play,1 with an average score, at the time of this writing, of 4 out of 5. Note that Xiaomi's Mi Fit was renamed in 2022 as Zepp Life. As observed by Gadgets & Wearables (Xiaomi re, 2022), Zepp is the name of Huami's Amazfit bands software,2 with Huami being the manufacturer of the Xiaomi Mi Bands. The two applications share many similarities. In this paper, we present a case study of the Zepp Life mobile application in an Android rooted smartphone paired with the Xiaomi Mi Band 6.
The main contributions of this paper are: i) identification and analysis of the digital forensic artifacts available in a post-mortem examination of a rooted Android smartphone with Zepp Life installed; ii) Development of an open source digital forensic software consisting of a Python 3.6+ script called ZL_std and a module called ZL_autopsy for the open-source Autopsy software.
The remainder of this paper is organized as follows. Section 2 reviews related work, while Section 3 describes the materials and methods of this study. Section 4 analyzes the Zepp Life application, highlighting its primary forensic artifacts. Section 5 presents our open-source software tools ZL_std and ZL_autopsy. Finally, Section 6 concludes the paper.
Section snippets
Related work
We now analyze related work, focusing primarily on the forensics of wrist-wearable health trackers.
Baggili etal. presented a pioneer work focusing on wrist-worn digital devices (Baggili etal., 2015). The paper analyzes the digital forensic traces left by two smartwatches – i) Samsung Gear 2 Neo and ii) LG G – by directly accessing the smartwatches. For this purpose, the authors needed to root the smartwatches. Other works focus on Fitbit, which is a more capable but also more expensive
Materials and methods
We present materials – hardware and software – and the main research methods used to study the Mi Band 6/Zepp Life pair. First, we describe the hardware and software ecosystem and then the main methods used in this study.
The Zepp life application
The main screen of the Zepp Life Android application comprises several panels, as shown in Fig.1. If the panel does not fit on a single screen, the interface can be scrolled up, revealing more panels. By default, Zepp Life displays the live count of steps taken so far in the current day on its main screen. This provides an indication of the user's progress towards their daily step goal. For example, Fig.2 shows detailed information when the Steps panel is pressed on the main screen.
When the
Zepp life forensic data analyzer
To ease and speed up the analysis of Android Zepp Life data in a digital forensic post-mortem environment, we developed two programs: ZL_std and ZL_autopsy. The former is a Python 3.6+ standalone script that analyses the SQLite 3 databases of a Zepp Life to produce a set of reports. The ZL_autopsy is a Jython-based module which runs within the well-known digital forensic software Autopsy and is able to provide the interaction between Autopsy and ZL_std. First, we present ZL_std and then
Conclusion
We analyzed, from a digital forensic point of view, the forensic artifacts left by the Zepp Life application ran on a mobile Android device and coupled to a Xiaomi Band 6. Due to its plethora of sensors, the Mi Band 6 collects a meaningful amount of data – heart rate, SpO2, sleep periods, step counting, and workouts, to mention a few. Some of these data are sent over the cloud and can be collected from there, as long as the access credentials – email and password – are known. Additionally, a
Declaration of competing interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
Acknowledgment
CIIC partially supported this research under the project UIDB 04524/2020 by FCT/MCTES and EU funds under the project UIDB/EEA 50008/2020.
References (33)
- N. Zisko et al.
Personal activity intelligence (pai), sedentary behavior and cardiovascular risk factor clustering–the hunt study
Prog. Cardiovasc. Dis.
(2017)
- M.M. Vink et al.
Likelihood ratio method for the interpretation of iphone health app data in digital forensics
Forensic Sci. Int.: Digit. Invest.
(2022)
- P. Reedy
Mobile device forensics
- D. Kim et al.
Study of identifying and managing the potential evidence for effective android forensics
Forensic Sci. Int.: Digit. Invest.
(2020)
- J. Gregorio et al.
Forensic analysis of Nucleus RTOS on MTK smartwatches
Digit. Invest.
(2019)
- A. Fukami et al.
Anew model for forensic data extraction from encrypted mobile devices
Forensic Sci. Int.: Digit. Invest.
(2021)
- V.N. Franqueira et al.
Towards sound forensic arguments: structured argumentation applied to digital forensics practice
Forensic Sci. Int.: Digit. Invest.
(2020)
- L. Dawson et al.
Challenges and opportunities for wearable IoT forensics: TomTom Spark 3 as a case study
Forensic Sci. Int.: Report
(2021)
- F. Barr-Smith et al.
Dead man's switch: forensic autopsy of the nintendo switch
Forensic Sci. Int.: Digit. Invest.
(2021)
- I. Baggili et al.
Watch what you wear: preliminary forensic analysis of smart watches
Yet Another Great-Value Fitness Tracker from Xiaomi
(2021)
Fitbit Contradicts Husband's Story of Wife's Murder - Police
(2017)
Fitbit Data Used to Charge US Man with Murder
(2018)
Greece Killing: Husband Confesses to Caroline Crouch Death
(2021)
Canalys Newsroom - Global Wearable Band Shipments up 6% as the Market Shifts to Wristwatches
(2021)
BreakMi: reversing, exploiting and fixing xiaomi fitness tracking ecosystem
IACR Transactions on Cryptographic Hardware and Embedded Systems
(2022)
Cited by (0)
Recommended articles (6)
Research article
Use of the frontal sinus to evaluate sexual dimorphism in a Brazilian sample
Forensic Imaging, Volume 33, 2023, Article 200548
The frontal sinuses are commonly used in sexual estimation due to the considerable variation in size, shape and number. Previous studies have shown average accuracy measuring frontal sinus area, height and width; however, authors have associated such measurements with the frontal sinus index, obtaining better results. Therefore, the aim of the present study was to evaluate sexual dimorphism of the frontal sinus in Brazilian adults. The sample consisted of 255 lateral cephalometric radiographs of subjects between 20 and 40 years of age, 132 females and 123 males. Based on the methodology of Luo etal. (2018), the area (S) and the maximum frontal sinus height and width (AB and EF, respectively) were measured using computer-aided design software; and the ratio between AB and EF was taken as the frontal sinus index (R). The discriminant function developed by the authors was then applied to evaluate sexual dimorphism in the Brazilian population. Descriptive statistics were performed for the variables according to gender, as well as Student's t-test and the Mann-Whitney test to see if there was a difference between the variables. A new discriminant formula was calculated with the study data and machine learning techniques, neural networks and decision trees, were used to improve the prediction of sex. The variables showed significant differences in relation to gender, and with the exception of R, where the male mean was 2.00 and the female mean was 2.40, all the means were higher for males. The original formula of the study had low accuracy, with a level of accuracy of only 8.33% for females. However, the formula calculated for Brazilians presented an accuracy of 70.20%; of the machine learning techniques, only the neural network presented a higher value than the one already obtained, of 73.30%. In conclusion, the new formula showed an accuracy of 70.20% and can be applied as an auxiliary method in the assessment of frontal sinus sexual dimorphism in Brazilian adults.
Research article
Suicidal poisoning by sodium nitrite: A dangerous mode from Internet. In regard of a case
Spanish Journal of Legal Medicine, Volume 49, Issue 1, 2023, pp. 37-40
A case of suicide by nitrites ingestion is reported: a young woman was found death into a car with various objetcs around her, such as a white powder bag labelled as “Sodium nitrite” and pills of lorazepam, acetaminophen and metoclopramide. The autopsy revealed signs compatible with methemoglobinemia and samples of blood, vitreous and gastric content were submitted to the Drugs Service of the National Institute of Toxicology and Forensic Sciences in Madrid, as well as the powder bag, the pills and other objects. The white powder was identified as sodium nitrite, and nitrites concentrations similar to other fatalities were detected in biological samples. The methemoglobin level was 80%. The existence of websites where suicide with nitrites and metoclopramide is described step-by-step, joined to the increasement of reports about these fatalities, alert us to a possible trend.
Se reporta un caso de suicidio por ingesta de nitritos. Se trata de una joven que fue hallada muerta en un vehículo junto a una serie de objetos como una bolsa de polvo blanco etiquetada como “Nitrito sódico” y comprimidos de lorazepam, paracetamol y metoclopramida. La autopsia reveló signos compatibles con metahemoglobinemia. Se remitieron muestras de sangre, humor vítreo y contenido gástrico, así como la bolsa con polvo, los comprimidos y otros objetos al Servicio de Drogas del Departamento de Madrid del Instituto Nacional de Toxicología y Ciencias Forenses. El polvo fue identificado como nitrito sódico, y se detectaron concentraciones de nitritos en las muestras biológicas similares a las de otras intoxicaciones letales. El porcentaje de metahemoglobina en sangre fue del 80%. La existencia de páginas en Internet donde el suicidio con nitritos y metoclopramida es detalladamente descrito, así como el aumento del reporte de este tipo de suicidios, alertan acerca de una posible tendencia.
Research article
Digital evidence strategies for digital forensic science examinations
Science & Justice, Volume 63, Issue 1, 2023, pp. 116-126
Given the size and complexity of many digital forensic science device examinations, there is a need for practitioners to formally and strategically determine a course of conduct which allows them to undertake the most robust and efficient examination possible. This work outlines both the need for practitioners to have a digital evidence strategy (DES) when tackling any given examination scenario, how to construct one and the concerns which exist when no formal DES is in place. Approaches to DES development are examined and the context to which they should be deployed are analysed, with focus being on the use of DESs at the examination/processing stage of the investigative workflow. Finally, a ‘DES skeleton’ is offered to guide practitioners as they seek to create their own DES.
Research article
Digital Forensic Practices and Methodologies for AI Speaker Ecosystems
Digital Investigation, Volume 29, Supplement, 2019, pp. S80-S93
Various Internet of Things (IoT) devices, such as AI speakers, are being released with different functions to improve user convenience and better life. An AI speaker ecosystem is a cloud-based IoT system built around an AI speaker and IoT devices. In the near future, citizens in whole countries worldwide will be helped in real life when AI-equipped devices are deployed in their homes. Typically, because AI speakers are always operating, they can be used to provide vital evidence for digital forensics; however, privacy issues may arise. AI speakers have provided evidence of murders in the United States and Mexico and are being released without specific regulatory guidelines. In this study, we propose five digital forensic analysis methods for four AI speaker models from different manufacturers released in the Republic of Korea. The five proposed methods are applied to all the AI speaker models, and the results are presented in the Appendix. In particular, we developed a forensic tool for collecting user command history for NAVER Clova.
Research article
Experiences of a Suicidologist in three Swiss prisons
Forensic Science International: Mind and Law, Volume 3, 2022, Article 100111
Research article
Review on the methodology for the design of quality strategies in forensic pathology services
Spanish Journal of Legal Medicine, Volume 49, Issue 1, 2023, pp. 28-36
The culmination of the process of creating the Institutes of Legal Medicine (IML) with the commissioning of the IML of Madrid in 2020 homogenizes the competences of forensic medicine throughout the country. Recent legislative reforms in specialized medical training, expand their responsibilities to cover, in addition to the expert function, a stronger role in teaching and research. The design and implementation of quality systems must become a priority for IMLs in order to guarantee their effectiveness and efficiency by providing accurate, reliable and timely results. This article provides a detailed review of the procedure to be followed to design a quality strategy in Forensic Pathology Services.
La culminación del proceso de creación de los Institutos de Medicina Legal (IML) con la puesta en funcionamiento al IML de Madrid en 2020, homogeniza las funciones de la medicina forense en todo el territorio nacional. Recientes reformas legislativas en materia de formación médica especializada amplían sus competencias para abarcar, además de la función pericial, responsabilidades en materia docente y de investigación. El diseño e implementación de sistemas de calidad, debe convertirse en una prioridad de los IML, con el objetivo de garantizar su eficacia y eficiencia ofreciendo resultados exactos, fiables y en los plazos apropiados. El presente artículo ofrece una revisión detallada del procedimiento a seguir para diseñar una estrategia de calidad en los Servicios de Patología Forense
© 2023 Elsevier Ltd. All rights reserved.