Last year I posted about the Tile for Android app here that I felt was tracking a lot of information for just a few days' worth of data generation. Over the past year, I've kept the Tile application running on my iOS device to see what would come of it. Oooooo boy was I surprised at how much data this application is collecting AND storing locally on its users.
So if you're not familiar with Tile, it's a Bluetooth gadget tracking application. While they started with small tags you could attach to your keys, they have become ingrained in several other companies' products such as SkullCandy, Nomad, Bose, Plantronics, and even HP. These products have now incorporated Tile's Bluetooth tracking and beaconing systems into them. Let's take a look at some numbers from Tile's website about how many devices are commonly "found."
Hmmm. Lots of location information being collected and stored. For years at a time it seems. So how could we use this in our investigations? I'm going to present two scenarios.
Scenario One: The suspect gives the victim a Tile or Tile-enabled product as a "gift." Nothing is thought of it other than a nice gesture. Why? Well, now the victim is going to install the Tile application on his/her phone, so they can use the gift of course! Next, the suspect slips a Tile-enabled product into the victim's bag, car, etc. Since Tile operates with a mesh network allowing users to report when it runs into another user's device, now the suspect has a way to effectively track the victim whenever they would like.
Scenario Two: A device is recovered in the AFU (After First Unlock) state. The passcode is not known and therefore the location data is locked. However, a Tile is found on the subject's keyring. A search of the device's available data shows that the Tile application is installed on the phone! With this, there will likely be location information captured by the Tile application that is stored and available in this state.
Hopefully your interest in the application's artifacts is now piqued. Let's take a look!
There are a couple of interesting databases that can be found outside of the "normal" location where most people look. Remember that iOS can divide its data into multiple locations. The Data/Application/ folder is the USUAL location, and the AppID can be traced to it thanks to ApplicationState.db. However, the more commonly overlooked area requires tracking down a separate AppID under /Shared/AppGroup/.
Finding the Tile application buried here, we can find two separate databases of interest. One, com.thetileapp.tile-DiscoveredTileDB.sqlite, stores devices associated with this user's account. But there's another database that's used to track which devices this phone has come into contact with previously.
This database, com.thetileapp.tile-TileNetworkDB.sqlite, had recorded over 200 devices with device identifiers and set names as well as the local user's information. Part 2 of this post, coming later this week, will feature custom artifacts in AXIOM for these databases.
Now, the last post mentioned log data, and I keep talking about location information. So where is it? Just like in the Android app, there's log data galore sitting behind in the main Containers/Application/Data folder if you know where to look! There's a smattering of location and diagnostic information scattered around, but for the sake of this post I'm going to focus on the log files found in \private\var\mobile\Containers\Data\Application\[APPID]\Library\log\. There is one main log as well as several .gz zipped log files for historical data. On my device, these logs went back for months and commonly recorded where my devices were as my iOS device would interact with them and other Tile devices out in the wild.
How can we extract just the location information in here? If you have a specific set of latitude or longitude information you can just search for it using a tool like Notepad++. In order to see ALL of the geolocation points though, I like to use Notepad++ to do a Regex Search: <(-?[0-9]+(\.[0-9]+)?,-?[0-9]+(\.[0-9]+)?)> instead to see what can be recovered. In a future post, I'm going to work on a way to export these location points to an easier-to-review CSV dataset.
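An added example (not the author's code) of that CSV export: it applies the <lat,lon> pattern to the main log and the .gz history logs in one log folder and drops matches that cannot be coordinates. The sample lines and everything in a log line other than the <lat,lon> token are constructed assumptions; the integer part is matched with [0-9]+ so values containing a zero digit, such as 40.7, are not missed.

```python
import csv
import gzip
import io
import re
import sys
from pathlib import Path

# <lat,lon> token as searched for in the post; any digit 0-9 is accepted.
COORD_RE = re.compile(r"<(-?[0-9]+(?:\.[0-9]+)?),(-?[0-9]+(?:\.[0-9]+)?)>")
# Constructed sample lines: only the <lat,lon> token shape comes from the post.
SAMPLE_LINES = [
    "2020-01-05 10:02:11 location update <40.7128,-74.0060> accuracy 10",
    "2020-01-05 10:03:40 diagnostic <1,2,3> no fix",
    "2020-01-05 10:07:02 tile seen near <-33.8688,151.2093>",
    "2020-01-05 10:09:15 out of range <123.5,45.0>",
]


def scan_lines(name, lines):
    """Yield (file, line no., lat, lon, raw line) for each plausible pair."""
    for lineno, line in enumerate(lines, start=1):
        for m in COORD_RE.finditer(line):
            lat, lon = float(m.group(1)), float(m.group(2))
            # Discard matches that cannot be latitude/longitude values.
            if -90 <= lat <= 90 and -180 <= lon <= 180:
                yield (name, lineno, lat, lon, line.strip())


def scan_dir(log_dir):
    """Scan the main log and the .gz history logs in one directory."""
    for path in sorted(p for p in Path(log_dir).iterdir() if p.is_file()):
        opener = gzip.open if path.suffix == ".gz" else open
        with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
            yield from scan_lines(path.name, fh)


def to_csv(rows):
    """Render rows as CSV text for review in a spreadsheet or mapping tool."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["file", "line", "latitude", "longitude", "context"])
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    args = sys.argv[1:]
    found = scan_dir(args[0]) if args else scan_lines("sample", SAMPLE_LINES)
    print(to_csv(found), end="")
```

Run it with the path to an exported copy of the log folder as the only argument; with no argument it processes the constructed sample lines. The context column keeps the whole source line so each point can be tied back to its surrounding log entry.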
Why would Tile choose to keep this data locally? Well there's a Premium service that will allow you to view your device's history for the last 30 days so this makes sense for a quick rendering of the information. Even WITHOUT a premium account, you can still see a good bit of location data as long as you know where to look.
To summarize our two earlier mentioned scenarios, how can this help us? Scenario One: our victim hands over their phone, and the database and log files are used to see that the user's devices are commonly coming into range of another Tile device. This device's ID is sent to Tile, who then identifies our suspect's account data. Scenario Two: we use the subject's AFU data to review several location points that may be useful, as well as retrieving the user's account data to be sent to Tile for potential additional data. In addition, tracing through the logs and databases may show you OTHER Tile devices this user came in contact with as well.
Stay tuned for part 2 where I'll be providing some additional custom artifacts for finding location data, user account info, and registered Tile devices! Until next time!