Thice.nl

Thice Security

De Star 6, 1601 MH Enkhuizen

Recovering data from Garmin Edge 500 GPS

24/04/2014, by Thice, category Forensics, Hardware

A friend of mine asked me to take a look at his Garmin Edge 500 GPS bike computer, since some of his tracks were missing. After opening the flash drive of the device in FTK Imager I noticed that the Activities directory did not contain any of the track data (.fit files) for 2014. Since I could not find the data anywhere else on the device, not even as lost or deleted items, I decided to try file carving. The first thing I did was create an image of the full flash drive (which also included the .fit files still present) with FTK Imager; the resulting uncompressed image was only 56 MB. There does not seem to be a lot of storage in the unit.

To be able to carve you need some specific information about the file type the device uses: its header, its footer and its maximum file size. If you are lucky this information is already present in the config file of the carving tool you use (Scalpel in this case), but .fit files are not in that config file.

Looking at the different .fit files on the device, the header of the file type can be spotted:

[Images: hex views of the start of three .fit files]

It seems that all Garmin .fit files start with the following hex values:

0C 10 40 00 ? ? ? 00 2E 46 49 54 40 00 00 00

 

The question marks are different for each file on the device. Looking at the end of the files we can spot the footer of the .fit files as well:

[Images: hex views of the end of three .fit files]

The Garmin .fit files all seem to have the following footer:

01 00 00 1A 01 ? ?

Again, the question marks are different values for every file.

The largest .fit file I could find on the device was 650KB, so I decided to use 1MB as the maximum file size. Combining this information results in the following Scalpel rule (the columns are extension, case sensitivity, maximum size, header and footer; ? is Scalpel's wildcard character):

 fit y 1000000 \x0C\x10\x40\x00???\x00\x2E\x46\x49\x54\x40\x00\x00\x00 \x01\x00\x00\x1A\x01??

After adding this rule to scalpel.conf we can start the carving:

# scalpel -c /etc/scalpel/scalpel.conf -o garmin image.001
 Scalpel version 1.60
 Written by Golden G. Richard III, based on Foremost 0.69.
 Opening target "/root/image.001"
 Image file pass 1/2.
 image.001: 100.0% |*************************************************************************************************************************************| 53.9 MB 00:00 ETAAllocating work queues...
 Work queues allocation complete. Building carve lists...
 Carve lists built. Workload:
 fit with header "\x0c\x10\x40\x00\x3f\x3f\x3f\x00\x2e\x46\x49\x54\x40\x00\x00\x00" and footer "\x01\x00\x00\x1a\x01\x3f\x3f" --> 398 files
 Carving files from image.
 Image file pass 2/2.
 image.001: 100.0% |*************************************************************************************************************************************| 53.9 MB 00:00 ETAProcessing of image file complete. Cleaning up...
 Done.
 Scalpel is done, files carved = 398, elapsed = 1 seconds.

Scalpel found 398 files. 275 files were still present in the Activities directory and are of course included in this total, so Scalpel identified 123 possible lost .fit files.

To quickly read information from all the carved .fit files and identify them I used the Perl script fitdump. For this tool to work you will need the Garmin::FIT Perl module.

The command line I used to find out the creation dates of the .fit files:

# ./fitdump fit-0-0/* |egrep '(time_created)|(\*\*\*\*)'

In this command line the Scalpel output directory is named “fit-0-0”, which contains the carved .fit files. The output of this command looks like:

***** fit-0-0/00000028.fit *****
time_created (4-1-UINT32): 2014-04-20T03:57:45 (766915065)

This way I was able to identify which .fit file was from which date. In the end I recovered 50 .fit files from 2014 that were no longer on the device.
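The Scalpel rule above matches a fixed byte prefix and a footer. The FIT header itself (as documented in Garmin's FIT SDK) already says how long the file is: byte 0 is the header length (12 or 14), bytes 4-7 the data length, bytes 8-11 the ".FIT" signature, and the file ends with a 2-byte CRC over everything before it. The constant tail 40 00 00 00 in the header pattern above is simply the start of the first definition record (file_id), which is why it never varies. The example below is added here and is not code from the original post or from Scalpel or Garmin::FIT: it carves FIT files from a raw image by validating these header fields (so 14-byte headers and other protocol/profile bytes are found too), verifies the trailing CRC to separate intact files from overwritten tails and false positives, and reads time_created from the file_id message, which is what the fitdump step above does. The sample image and the minimal FIT files inside it are constructed in the code; real files carry many more records. The FIT epoch is 1989-12-31T00:00:00Z and the counter is rendered here in UTC, which gives 07:57:45 for the counter 766915065 that fitdump printed above as 03:57:45, presumably after a local time-zone offset on the machine that ran it.

```python
import struct
from datetime import datetime, timedelta, timezone

# Nibble-table CRC-16 that the FIT format uses for the header CRC and the trailing file CRC.
_CRC_TABLE = (0x0000, 0xCC01, 0xD801, 0x1400, 0xF001, 0x3C00, 0x2800, 0xE401,
              0xA001, 0x6C00, 0x7800, 0xB401, 0x5000, 0x9C01, 0x8801, 0x4400)

def fit_crc(data: bytes, crc: int = 0) -> int:
    for byte in data:
        for nibble in (byte & 0x0F, byte >> 4):
            tmp = _CRC_TABLE[crc & 0x0F]
            crc = (crc >> 4) & 0x0FFF
            crc ^= tmp ^ _CRC_TABLE[nibble]
    return crc

# FIT timestamps count seconds from 1989-12-31T00:00:00Z.
FIT_EPOCH = datetime(1989, 12, 31, tzinfo=timezone.utc)

def build_fit(time_created: int, header_size: int = 12) -> bytes:
    """Constructed sample file: one file_id message (field 4 time_created, field 0 type=activity)."""
    # Definition record: header 0x40 (local msg 0), reserved, little-endian, global msg 0 (file_id),
    # 2 fields: (4, 4 bytes, uint32 0x86) and (0, 1 byte, enum 0x00).
    definition = bytes([0x40, 0x00, 0x00]) + struct.pack('<H', 0) + bytes([2, 4, 4, 0x86, 0, 1, 0x00])
    data_rec = bytes([0x00]) + struct.pack('<I', time_created) + bytes([4])
    body = definition + data_rec
    header = struct.pack('<BBHI4s', header_size, 0x10, 64, len(body), b'.FIT')
    if header_size == 14:                       # 14-byte headers also carry a header CRC
        header += struct.pack('<H', fit_crc(header))
    return header + body + struct.pack('<H', fit_crc(header + body))

def carve_fit(image: bytes, max_size: int = 1_000_000) -> list:
    """Return (offset, file_bytes, crc_ok) for every FIT file whose header fields make sense.
    Matching '.FIT' at header offset 8 and sizing the file from data_size works for 12- and
    14-byte headers alike; the CRC tells an intact file from a damaged one or a false positive."""
    found = []
    pos = image.find(b'.FIT')
    while pos != -1:
        start = pos - 8
        if start >= 0 and image[start] in (12, 14):
            header_size = image[start]
            data_size = struct.unpack_from('<I', image, start + 4)[0]
            total = header_size + data_size + 2             # header + records + file CRC
            if 0 < data_size and total <= max_size and start + total <= len(image):
                blob = image[start:start + total]
                stored = struct.unpack_from('<H', blob, total - 2)[0]
                found.append((start, blob, stored == fit_crc(blob[:-2])))
        pos = image.find(b'.FIT', pos + 1)
    return found

def time_created(fit: bytes):
    """Walk the records up to the file_id data message and return its time_created as UTC."""
    pos, end = fit[0], fit[0] + struct.unpack_from('<I', fit, 4)[0]
    defs = {}                                   # local message type -> (global num, endian, fields)
    while pos < end:
        rec = fit[pos]
        if rec & 0x80:                          # compressed-timestamp header; file_id never uses it
            return None
        local = rec & 0x0F
        if rec & 0x40:                          # definition message
            endian = '>' if fit[pos + 2] else '<'
            global_num = struct.unpack_from(endian + 'H', fit, pos + 3)[0]
            n = fit[pos + 5]
            fields = [(fit[pos + 6 + 3 * i], fit[pos + 7 + 3 * i]) for i in range(n)]
            pos += 6 + 3 * n
            if rec & 0x20:                      # developer fields: only their sizes matter here
                n_dev = fit[pos]
                fields += [(None, fit[pos + 2 + 3 * i]) for i in range(n_dev)]
                pos += 1 + 3 * n_dev
            defs[local] = (global_num, endian, fields)
        else:                                   # data message laid out by its definition
            if local not in defs:
                return None
            global_num, endian, fields = defs[local]
            fpos = pos + 1
            for num, size in fields:
                if global_num == 0 and num == 4 and size == 4:
                    secs = struct.unpack_from(endian + 'I', fit, fpos)[0]
                    return FIT_EPOCH + timedelta(seconds=secs)
                fpos += size
            pos = fpos
    return None

def demo() -> list:
    # Constructed flash image: filler around two intact files and one whose type byte was overwritten.
    filler = bytes(range(256)) * 4
    older = build_fit(766915065)                # the counter fitdump printed above
    newer = build_fit(900000000, header_size=14)
    damaged = bytearray(build_fit(800000000))
    damaged[-3] ^= 0xFF
    image = filler + older + filler + newer + filler + bytes(damaged) + filler
    return [(off, len(blob), ok, time_created(blob)) for off, blob, ok in carve_fit(image)]

if __name__ == '__main__':
    for row in demo():
        print('offset=%d size=%d crc_ok=%s time_created=%s' % row)
```

Running demo() on the constructed image lists all three files with their offsets; the third is reported with crc_ok=False even though its header is intact, which is the case a plain header/footer rule cannot distinguish from a good file. Files that do pass the CRC can be handed to fitdump or any FIT library with confidence that they are complete.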

7 Comments

  1. Didier |

    That's great! Would you know how to access the drive of a Garmin 910xt which uses ANT to connect? I was not able to view or mount the drive.

    Thanks
    Didier

  2. Josh |

    Everything works perfectly, except…it can’t find any fit files, even the ones on the device right now (EDGE 500)

    I tested this by doing the following.
    Went onto the GARMIN usb, and pulled out the two current .fit files on the device.
    Created an image of a folder containing those files, then ran scalpel
    It found those files and pulled them out

    When I use the image I’ve created, it finds no files matching the header, but the image should have the two current activities on there, right?

    Please help, I’ve debugged this as best I can, but I’m lost why it’s not finding the current activity files on there.

  3. Thice |

    @Josh
    It could be that in the meantime the file format has been changed. Please send one of the fit files to me to analyze.

  4. Ethan |

    I have found these instructions useful, but I do have a similar problem to the previous user. I believe the FIT files have changed since this and other instructions were written a few years ago. I believe the current pattern for the header is

    \x20\x0E\x07\xF9??\X00?\x46\x2E\x54\x49??\x00\x40

    based on a hexdump from several files:

    0000000 200e 07f9 58b6 0000 462e 5449 c23d 0040
    0000010
    0000000 200e 07f9 e9c0 0000 462e 5449 c71b 0040
    0000010
    0000000 200e 07f9 19fe 0000 462e 5449 5069 0040
    0000010

    (note that 0000 in the middle is 0001 in some other files).

    I’m not certain how to read the footer, however. There appears to be no discernible pattern. I tried the following on some recent FIT files

    for i in `ls 2018-04*.fit`; do xxd $i | tail -n 5; done

    But this is what I get:

    00011530: 9043 3501 0000 1a01 0cbb c843 35ad 0fff .C5........C5...
    00011540: 7f54 1444 0000 7100 07fd 0486 0204 8603 .T.D..q.........
    00011550: 0486 0404 8600 0284 0101 0005 0100 04bb ................
    00011560: c843 3500 093d 0026 223e 00a9 ae43 3500 .C5..=.&">...C5.
    00011570: 0002 00be c7 .....
    00005830: ffff ffff ffff ffff 7f7f ffff ffff 4100 .............A.
    00005840: 0022 0007 fd04 8600 0486 0504 8601 0284 ."..............
    00005850: 0201 0003 0100 0401 0001 85e5 4435 cb0a ............D5..
    00005860: 2d00 45ad 4435 0100 001a 010c 85e5 4435 -.E.D5........D5
    00005870: 1810 ff7f 5f1a 47d0 ...._.G.
    00015ff0: a6b2 4835 a70d cd00 667a 4835 0100 001a ..H5....fzH5....
    00016000: 010c a6b2 4835 670f ff7f 4c0e 4500 0071 ....H5g...L.E..q
    00016010: 0007 fd04 8602 0486 0304 8604 0486 0002 ................
    00016020: 8401 0100 0501 0005 a5b2 4835 0009 3d00 ..........H5..=.
    00016030: f95c 5400 e396 4835 0000 0200 c559 .\T...H5.....Y
    000083c0: ffff ff00 00ff ffff ffff ffff ffff ff7f ................
    000083d0: 7fff ffff ff41 0000 2200 07fd 0486 0004 .....A..".......
    000083e0: 8605 0486 0102 8402 0100 0301 0004 0100 ................
    000083f0: 0189 114a 3551 7a43 0049 d949 3501 0000 ...J5QzC.I.I5...
    00008400: 1a01 0c89 114a 35ff 0fff 7f5d 1945 b1 .....J5....].E.

    I can’t figure out if I’m doing something wrong.
