Home > Forensics, Hardware > Recovering data from Garmin Edge 500 GPS

Recovering data from Garmin Edge 500 GPS

April 24th, 2014 Leave a comment Go to comments

A friend of me asked me if I wanted to take a look at his Garmin Edge 500 GPS bike computer, since it was missing some of his tracks. After opening the flash drive of the device in FTK Imager I noticed that the Activities directory did not contain any of the track data (.fit files) for 2014. Since I could not find the data on the device as lost or deleted items or something I decided to try some file carving. The first thing I did was creating an image of the full flash drive (which also included the currently present .fit files) with FTK Imager, the resulting image (uncompressed) was just 56MB big. There does not seem to be a lot of storage in the unit.

To be able to carve you need to know some specific information from the file type the device uses, such as the header, footer and filesize. If you are lucky this information is present in the config file of the carving tool you use (Scalpel in this case), however .fit files are not in that config file.

Looking at the different .fit files on the device the header of the the file type can be spotted:


Header3

Header2

Header

 

It seems that all Garmin .fit files start with the following HEX values:

 

The question-marks are different for each file on the device. Looking at the footer of the files we can spot the footer of the .fit files as well:

 

Footer1

Footer3

Footer2

 

The Garmin .fit files all seem the have the following footer:

 

Again, the question-marks are different values for every file.

The largest .fit file I could find on the device was 650KB, so I decided that I would take a maximum of 1MB as file-size. Combining this information results in the following Scalpel rule:

 

After adding this rule to the scalpel.conf file we can start the carving:

 

 

Scalpel seems to have found 398 files. There were still 275 files present in the in Activities directory, which are of course included in this total. However that means that Scalpel was able to identify 123 possible lost .fit files.

To be able to quickly read information from all the .fit files and identify them I used the Perl script fitdump. For this tool to work you will need the Garmin::FIT Perl module.

The commandline I used to find out the creation dates from the fit files:

 

In this commandline the Scalpel output directory is named “fit-0-0”, which contains the carved fit files. The output of this commandline looks like:

 

This way I was able to identify which .fit file was from which date. In the end I was able to recover 50 .fit files from 2014 which were no longer on the device.

  1. Didier
    August 31st, 2015 at 15:01 | #1

    Thats great! Would you know how to access the drive of a garmin 910xt which uses ant to connect? I was not able to view or mount the drive.

    Thanks
    Didier

  2. Thice
    September 1st, 2015 at 13:47 | #2

    @Didier
    Sorry, I have no experience with the Garmin 910xt.

  1. August 24th, 2014 at 19:06 | #1
  2. November 19th, 2014 at 20:39 | #2