Magnet AXIOM Adds Forensic Support for Uber

Since its launch, Uber has become a popular alternative to taxi rides in many cities globally. As Uber is controlled through a mobile app, it only makes sense to add support for it in Magnet AXIOM and Magnet IEF. With the launch of AXIOM 1.0.4 and IEF 6.8.1, we’ve added support to parse data from the popular app to help identify any potential evidence stored on a user’s device.

Why Uber Should be on Your Radar

There have already been several investigations reported in the media involving Uber either directly or indirectly. One of the biggest cases in Michigan occurred in February where an Uber driver shot several people and picked up fares between locations (http://www.cnn.com/2016/02/21/us/michigan-kalamazoo-county-shooting-spree/).

Both iOS and Android store most of the Uber data in cache and LDB files located here:

LibraryApplication Supportcom.ubercab.UberClient19AE427F-5005-4970-A784-C864109E46590000X.ldb

LibraryApplication Supportcom.ubercab.UberClientCache.db

And here:

datadatacom.ubercabfilesrider000XX.ldb

datadatacom.ubercabcache

The cache data stores information about trips and payment information while the LDB files store account info, profiles, and locations. On iOS, these LDB files store multiple binary plist files that can be read and carved out, whereas the Android ones are stored in a different format that we cannot currently decode. This means you will be able to recover trips and payments from both iOS and Android, but we will also recover the account info, profiles, and locations from iOS.

Uber Trips

Trips taken with Uber can be quite valuable to an investigation, since the app will include very specific details about where a person was coming from and/or going to. From the cache files we will pull:

• timestamps for when the trip was booked and when the user arrived at the destination
• addresses for both the origin and destination
• duration and distance of the trip
• driver details such as name, rating, and picture (linked by a URL)
• vehicle details such as make, model, and type
• cost and currency
• status of the trip
• most importantly – the route taken

The route is provided as a google maps URL that can be copied to a browser and viewed, which will provide the path taken from the origin to the destination.

Uber Payments

Payment details are also available from the cached data and can be matched up with a given trip.

Both AXIOM and IEF are able to recover rider name, share code, cost/currency, duration, distance, payment method, and card details from this data. The share code is a general code for a user that can be shared with other Uber riders to obtain free rides and is used to promote the use of the app by giving users a free ride the first time they use the service.

Uber Accounts

This data is pulled from the LDB files mentioned above and gives additional details about the accounts stored on the phone. You may get multiple entries for a single account as this is how Uber stores the data in these files. When an account is updated with a profile picture for example, a new record is created with the new information but the old information stays on the device. From this data you should be able to obtain the user’s first name, last name, phone number, share code, user ID, and profile image URL. In our testing, updating the profile image or other info created duplicate entries but there was only one account associated to the device.

Uber Profiles

Similar to accounts, you can also recover profiles from the LDB files. With Uber you can create several profiles from a given account depending on the use of the rides. For example, you may want to have a profile for personal trips and another for business to keep the billing and receipts separate. Profiles contain information about the profile name, email address, and two IDs for user and payment.

Uber Locations

The last artifact of interest is the locations stored in the LDB files. Within these files are listings of locations that get stored on the device. However, in our testing we were unable to determine the exact use for these locations. Sometimes they referred to the user’s exact position, while other times it referred to where the user moved the map pin to set a pickup location. The locations are all valid and typically within a range of where the user was. More testing will help determine exactly the purpose of these locations and their meaning.

AXIOM and IEF will pull the latitude, longitude, altitude, and timestamp for these locations.

Since none of us here at Magnet Forensics are Uber drivers, we only have test data for riders at this time. (Drivers actually use a separate partners’ app. You may get some data from that as well, although it might not be the exact same.) Perhaps one day I will moonlight as a driver to generate some data :),  but in the meantime this should help in your investigation.

Overall, Uber is a very popular app that contains a lot of really good information about where a suspect might have been. There have already been several incidents in the media where Uber data played an important role in investigations and I suspect this will continue as the popularity of the app grows.

Feel free to reach out if you have any questions or have done your own research on anything above.