Thice.nl

Thice Security


Recovering data from Garmin Edge 500 GPS

24/04/2014, by Thice, category Forensics, Hardware

A friend of mine asked me if I wanted to take a look at his Garmin Edge 500 GPS bike computer, since it was missing some of his tracks. After opening the flash drive of the device in FTK Imager I noticed that the Activities directory did not contain any of the track data (.fit files) for 2014. Since I could not find the data on the device as lost or deleted items, I decided to try some file carving. The first thing I did was create an image of the full flash drive (which also included the currently present .fit files) with FTK Imager; the resulting uncompressed image was just 56 MB. There does not seem to be a lot of storage in the unit.

To be able to carve you need to know some specific information about the file type the device uses, such as the header, footer and file size. If you are lucky this information is already present in the config file of the carving tool you use (Scalpel in this case); however, .fit files are not in that config file.

Looking at the different .fit files on the device, the header of the file type can be spotted:


[Screenshots of the .fit file headers: Header3, Header2, Header]

It seems that all Garmin .fit files start with the following HEX values:

 

The question marks are different for each file on the device. Looking at the end of the files, we can spot the footer of the .fit files as well:

 

[Screenshots of the .fit file footers: Footer1, Footer3, Footer2]

The Garmin .fit files all seem to have the following footer:

 

Again, the question marks are different values for every file.

The largest .fit file I could find on the device was 650KB, so I decided that I would take a maximum of 1MB as file-size. Combining this information results in the following Scalpel rule:

 

After adding this rule to the scalpel.conf file we can start the carving:

 

 

Scalpel seems to have found 398 files. There were still 275 files present in the Activities directory, which are of course included in this total. That means Scalpel was able to identify 123 possible lost .fit files.

To be able to quickly read information from all the .fit files and identify them I used the Perl script fitdump. For this tool to work you will need the Garmin::FIT Perl module.

The command line I used to find out the creation dates from the .fit files:

 

In this command line the Scalpel output directory is named “fit-0-0”, which contains the carved .fit files. The output of this command line looks like:

 

This way I was able to identify which .fit file was from which date. In the end I was able to recover 50 .fit files from 2014 which were no longer on the device.
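A complementary way to carve the same image, as an added example that is not part of the original post or of Scalpel: instead of a fixed maximum size, it reads the length each FIT header declares and checks the trailing CRC, so partly overwritten candidates can be told apart from intact files. It assumes the header layout of Garmin's FIT protocol (byte 0 is the header size, 12 or 14; a little-endian 32-bit data size at offset 4; the ASCII tag ".FIT" at offset 8; a 2-byte CRC after the records); the function names and the sample image are constructed for illustration.

```python
import struct

MAX_FIT = 1024 * 1024  # same 1 MB ceiling the article chose for carving

def fit_crc16(data: bytes) -> int:
    """CRC-16 used by FIT (reflected polynomial 0xA001, initial value 0)."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def carve_fit(image: bytes):
    """Return (offset, length, crc_ok) for every plausible FIT header in image."""
    hits, pos = [], image.find(b".FIT")
    while pos != -1:
        start = pos - 8                      # ".FIT" sits at header bytes 8..11
        if start >= 0 and image[start] in (12, 14):
            hdr_len = image[start]
            (data_len,) = struct.unpack_from("<I", image, start + 4)
            total = hdr_len + data_len + 2   # header + records + file CRC
            if total <= MAX_FIT and start + total <= len(image):
                body = image[start:start + total - 2]
                (stored,) = struct.unpack_from("<H", image, start + total - 2)
                hits.append((start, total, fit_crc16(body) == stored))
        pos = image.find(b".FIT", pos + 1)
    return hits

def make_sample_fit(records: bytes) -> bytes:
    """Build a constructed 14-byte-header FIT container around dummy records."""
    head = struct.pack("<BBHI4s", 14, 0x10, 100, len(records), b".FIT")
    head += struct.pack("<H", fit_crc16(head))
    return head + records + struct.pack("<H", fit_crc16(head + records))

def demo():
    """Carve a constructed image holding one intact and one damaged file."""
    good = make_sample_fit(bytes(range(200)))
    bad = bytearray(make_sample_fit(b"\x55" * 64))
    bad[30] ^= 0xFF                          # simulate a partly overwritten file
    image = b"\x00" * 512 + good + b"\xff" * 100 + bytes(bad) + b"\x00" * 256
    return carve_fit(image), len(good), len(bad)

if __name__ == "__main__":
    for offset, length, ok in demo()[0]:
        print(f"offset={offset:#x} length={length} crc_ok={ok}")
```

A candidate with `crc_ok` set to False is still worth extracting and inspecting, since a fragmented or partly overwritten activity can contain readable records before the damaged region.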

6 Comments

  1. Didier |

    That's great! Would you know how to access the drive of a Garmin 910xt which uses ANT to connect? I was not able to view or mount the drive.

    Thanks
    Didier

  2. Josh |

    Everything works perfectly, except…it can’t find any fit files, even the ones on the device right now (EDGE 500)

    I tested this by doing the following.
    Went onto the GARMIN usb, and pulled out the two current .fit files on the device.
    Created an image of a folder containing those files, then ran scalpel
    It found those files and pulled them out

    When I use the image I’ve created, it finds no files matching the header, but the image should have the two current activities on there, right?

    Please help, I’ve debugged this as best I can, but I’m lost why it’s not finding the current activity files on there.

  3. Thice |

    @Josh
    It could be that in the meantime the file format has been changed. Please send one of the fit files to me to analyze.
