Finding Digital Evidence in Wearable Tech


co-authored by Sarah Edwards, Senior Digital Forensics Researcher, Cellebrite; and Josh Hickman, Senior Vice President for Cyber Risk Practice, Kroll

When the Apple iPhone first turned up on the market in 2007, smartphones probably seemed like an odd accessory that would only catch on with tech nerds. Today, we carry smartphones everywhere. It’s likely the same thing will happen with “wearables”: the technology that’s meant to be worn, like watches and jewelry, and does everything from monitor our sleep to let us check email at a glance.

If wearables become essential equipment for a broader swath of the population, it stands to reason that law enforcement officers and digital forensic analysts will start finding wearables as they investigate crimes. While we’re not there yet, we may reach a point in the future when wearables are as common as smartphones – so it’s not a bad idea to get familiar with what wearables are, what data they can provide, and the basics of protecting evidence on them when they turn up at a crime scene.

What’s a wearable?

Wearables are electronic devices that can be worn as accessories. Wearables can track information about a person, such as heart rate, sleeping patterns, and general activity.

The Fitbit, a wristband for tracking users’ steps to improve overall fitness, was an early popular wearable technology product. Today, smartwatches such as the Apple Watch and the Samsung Galaxy Watch are common wearables that not only track health indicators, but also allow users to check email and texts or make and accept phone calls.

There are also “smart rings” on the market, which are worn on fingers and can track sleep and physical activities.

What kind of data can a wearable device contain?

The type of data that can be found on a wearable varies widely, depending on the type of device, the model, and the operating system that runs it.

The specifics of data storage are fairly consistent on Apple Watches, since they all run on the watchOS operating system, which is based on the iOS found on iPhones and iPads. Very little data is retained on Apple Watches, as they are synched with other devices, typically an iPhone, or with an iCloud account that then stores and manages the data.

On the other hand, while Android-based devices run the Wear OS operating system (also known simply as Wear), the way data is stored on various devices can be all over the map, since the devices are made by a wide range of third-party manufacturers. Wear is based on Android, so devices running the operating system do appear to store some data, such as call logs and messages, in many of the same places where you’d expect to find data on an Android phone.

How can data be accessed from a wearable device?

If forensic investigators can gain access to data on a wearable, a synced device, or a cloud account, the data is usually similar to the types found on any personal device – location and mapping data, as well as messages and calls.

Wearables usually (though not as a standard) keep data only until the device syncs to another device connected to cellular networks or Wi-Fi. For example, if someone goes on a run with an Apple Watch, data about the runner’s heart rate and route would be stored temporarily on the watch during the run itself. When the runner returns home, the watch can connect with the person’s nearby iPhone or to a home Wi-Fi network.

If digital forensic analysts have access to the device that the wearable is synched to, such as a smartphone, the task of collecting data becomes a bit easier. In this case, the challenges are very much like gathering data from any other device: gaining access to a locked device, analyzing the available data, and so on.

How should wearables be handled to protect the chain of evidence?

Since we’re not quite at the point of widespread consumer adoption of wearables, frontline officers may not come across many in the field. But it’s important to keep an eye out for wearables – not so much as an evidence source, but as an evidence-destruction source.

For example, if an officer takes a suspect’s phone, but the suspect still has access to a smartwatch, the suspect could use the watch to lock investigators out of the phone. This might sound farfetched, but if you ask longtime investigators and analysts to share war stories, they’ll probably be able to point to cases where a suspect whose phone was seized was able to ask an associate to access the phone remotely and perform a wipe.

Because of this possibility, one caveat is that if the synced device is also available to investigators – for example, they have both an Apple Watch and an iPhone – the two devices should be isolated from each other.

Frontline officers should keep wearables in mind as they search for evidence in much the same way they’d search for any small item, like narcotics or digital device memory cards. Wearables could be found in the same places where officers find phones – such as near a charging port, on tables, or with jewelry.

As for advice on whether a wearable device should be turned on or off, or isolated from network connections at the time it’s obtained, the guidance isn’t clear. Both watchOS and Wear have an Airplane Mode, which functions the same way as its phone counterparts and can be used to isolate devices running these operating systems. Turning the wearable on or off could depend on how the device syncs with other devices … which version of an operating system is in use … and many other factors still to be tested and explored by digital forensics experts. Until guidance on how to handle wearable devices becomes clearer, our advice is to handle wearables in the same manner as mobile phones. Expect to learn more about the evidentiary impact of wearables in the coming months and years.

Forensic's monthly column, Digital Intelligence in the 21st Century, is authored by Heather Mahalik, Senior Director of Digital Intelligence at Cellebrite. With over 18 years of experience in digital forensics, Mahalik has been an expert of choice for many law enforcement and intelligence agencies. She has worked high profile cases from child exploitation to Osama Bin Laden’s digital media. Check every month for more digital intelligence as Mahalik takes on managing and sharing data, testing and validation, highly encrypted phones and more.

 
