One tool whispers, two tools shout! Life360 Android Locations

INTRODUCTION

First post! Yay! I will begin by stating that I discovered these locations accidentally. As with most things in digital forensics, the further you examine, the more you uncover, and I consider this a "happy accident". I believe that this is not widely known, which is why I decided to post the information. I will try to keep this post as short as possible.

I am usually not too picky about locations discovered during an exam as long as they are accurate and can be validated. With that being said, I have always been wary of Cellebrite carved locations and would not recommend using them without having a second source to be used for validation purposes. In my experience, Life360 locations have been present on phone downloads but there are not as many as you would expect. Even with a manual review of the device, the locations seem to be limited and the company is not always responsive to legal process.

They will issue statements such as: "Life360 objects to this Legal Process on the grounds that the issuing entity lacks jurisdiction over Life360, an out-of-state corporation. Therefore, the Legal Process is invalid. To properly request records from Life360, you must obtain legal process issued by a California court with jurisdiction over Life360."

The law enforcement guide for Life360 states the following about retaining location data: “Life360 generally retains raw location data for up to approximately 90 days. Life360 currently collects dwell data in a yearlong batch and deletes the previous year’s batch in February of the following year. Thus, the retention period for dwell data depends on when it is collected but generally will not exceed 13 months.” (Source: Search.org). So basically, you will have to contact law enforcement in California to obtain a Life360 search warrant that will be honored by the company. I'm sure that the Foster City Police Department (California) gets a ton of requests for assistance!

ANDROID ARTIFACTS

This endeavor started during a case where I needed to see if someone was at a certain location and there were no locations mapped out from the phone download. The phone was already parsed in Cellebrite Inseyets (PA) but I had not performed any location carving. For those not familiar with the process, Cellebrite will allow you to select an area and the program will look at the data to find any location information that may not have been originally parsed. See the images below for a very brief overview:

Tools>Get more data (Carving)>Carve Locations

Select "Carve most visited areas" and change it to "Custom radius". Select the blue "Carve" button and wait...

When the location carving is done, it looks like the image above and displays a map with locations. The ones with a pickaxe icon are the carved locations. All of these locations are carved; if the map were zoomed in, it would show more pickaxes.


I always advise investigators to exercise caution when dealing with carved locations in Cellebrite. I recommend using additional evidence for validation, as carved locations can sometimes lead to false positives. This approach helps ensure the accuracy of the reported locations. Also, location carving with Cellebrite can take a very long time, and I was able to find a shorter method that produced more locations within the database that Cellebrite was carving data from.

Source file: user/0/com.life360.android.safetymapd/databases/l360eventstore_service.db


The last image shows the source of the Life360 database where the locations were carved from. This is a SQLite database and can be exported from Cellebrite or viewed within the program. 

The hexadecimal offset of the carved location showed quite a bit of exciting location data! Not only is the lat and long information shown but also the altitude, speed, and accuracy. There is battery level, charging state, and Wi-Fi data information as well!

I exported the SQLite database and wrote a Python script to convert it into a binary (.bin) file. This conversion simplifies the process for a script to locate and extract data, saving the results to a CSV file. Once the .BIN file had been created, I wrote another Python script that would carve the locations, save them to a .CSV file, and map the locations in an HTML file. After it was all done, I just combined the scripts into one file. The main takeaway is that there are easily accessible locations that the forensic tools are not processing by default! Once the location information (lat, long, timestamp, accuracy, and speed) is found and search patterns are created, the rest is just pulling out the information and mapping it. Validation is super easy because it's just string-searching the code. If more validation is needed, then legal service to Life360 or a cellular carrier could be an option. 
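A sketch of the carving step described above, added here as an example and not the author's script: it searches the raw database bytes for location fields, keeps the byte offset of every hit so it can be re-checked in a hex viewer, and writes CSV. The JSON-style layout and the key names are assumptions, since the post does not give the stored format.

```python
import csv
import io
import re

# Assumption: records are JSON-style text with these hypothetical key names.
# Confirm the real names at a known hex offset in your own database first.
FIELDS = ("latitude", "longitude", "time", "accuracy", "speed")
KEY_RE = {f: re.compile(rb'"%s"\s*:\s*(-?\d+(?:\.\d+)?)' % f.encode()) for f in FIELDS}
WINDOW = 512  # max bytes after a latitude key in which sibling fields may appear

def carve_locations(blob):
    """Return carved records, each with the byte offset needed to re-check it."""
    hits = list(KEY_RE["latitude"].finditer(blob))
    rows, seen = [], set()
    for i, m in enumerate(hits):
        # Stop at the next latitude key so a truncated record cannot borrow
        # fields from its neighbour.
        end = hits[i + 1].start() if i + 1 < len(hits) else len(blob)
        window = blob[m.start():min(end, m.start() + WINDOW)]
        found = {f: rx.search(window) for f, rx in KEY_RE.items()}
        if not all(found.values()):
            continue
        rec = {f: h.group(1).decode() for f, h in found.items()}  # stored text, verbatim
        if not (-90 <= float(rec["latitude"]) <= 90
                and -180 <= float(rec["longitude"]) <= 180):
            continue
        key = (rec["latitude"], rec["longitude"], rec["time"])
        if key in seen:  # same record surviving in a second copy of the page
            continue
        seen.add(key)
        rows.append({"offset": m.start(), **rec})
    return rows

def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=("offset",) + FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

# Constructed sample bytes (not real Life360 data): header, two good records,
# then one out-of-range, one truncated and one duplicate record.
SAMPLE = (
    b"SQLite format 3\x00" + b"\x00" * 20
    + b'{"latitude":37.5585,"longitude":-122.2711,"altitude":12.0,'
      b'"time":1700000000,"accuracy":8.5,"speed":0.0,"battery":81}\x00\x07'
    + b'{"latitude":37.5590,"longitude":-122.2700,"time":1700000300,"accuracy":12.0,"speed":1.4}'
    + b'{"latitude":137.0,"longitude":-122.0,"time":1700000060,"accuracy":5,"speed":1}'
    + b'{"latitude":37.5600,"speed":2.5}\x00'
    + b'{"latitude":37.5585,"longitude":-122.2711,"time":1700000000,"accuracy":8.5,"speed":0.0}'
)

if __name__ == "__main__":
    print(to_csv(carve_locations(SAMPLE)))
```

The unit of the timestamp field is left unconverted on purpose; check it against a known event before turning it into a date.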


Locations mapped from Python script

You can also use the exported .CSV file and map it in Google Earth, CellHawk, etc. I used CellHawk in the photo below and validated my findings with ALEAPP. What is crazy is that the Python script still found different locations than any other tool! ALEAPP found an incredible number of locations that the Python script did not find (around 30,000 more!). This is probably because ALEAPP searches more databases than just one. The photo below shows ALEAPP (pink dots) and the Python tool locations (blue dots).

ALEAPP locations comparison (not the whole map just a piece)

I'm still actively developing my script and plan to expand its capabilities over time. I can’t emphasize enough how impressed I am with ALEAPP—and all the LEAPP tools, for that matter. My goal is not to replace these invaluable tools but to complement them. I came across the Life360 database purely by chance and simply want to share my findings with the DFIR community. So much of what we learn comes from collaboration, and I’ve personally gained a wealth of knowledge from fellow professionals.  


