
Post-Mortem Digital Forensic Analysis of The Garmin Connect Application For Android

The document analyzes the Garmin Connect mobile application and identifies relevant digital forensic artifacts that can be extracted from it. It develops open-source modules to automate the parsing and analysis of Garmin Connect data within the ALEAPP digital forensic framework. The modules yield new forensic artifacts such as daily summaries, GPS data, response caches, network logs, social API tokens, and SpO2 reading charts.


Forensic Science International: Digital Investigation 47 (2023) 301624

Contents lists available at ScienceDirect

Forensic Science International: Digital Investigation


journal homepage: www.elsevier.com/locate/fsidi

Post-mortem digital forensic analysis of the Garmin Connect application for Android

Fabian Nunes a,∗, Patrício Domingues a,b,c, Miguel Frade a,c

a School of Technology and Management - Polytechnic Institute of Leiria, Leiria, Portugal
b Instituto de Telecomunicações, Portugal
c Computer Science and Communication Research Centre, Portugal

ARTICLE INFO

Keywords: Android; ALEAPP; Digital forensics; Garmin Connect; Mobile forensics

ABSTRACT

The Garmin Vivosmart 4 smartband can monitor various health metrics, including heart rate, oxygen saturation, body composition, and stress levels. It is a quite popular fitness tracking device, as its Android companion application – Garmin Connect – has been downloaded more than 10 million times and can provide critical forensic artifacts such as timestamped GPS-based locations. In this work, we analyze the Garmin Connect application to i) identify relevant digital forensic artifacts, and ii) assess methods to retrieve cloud-based data relevant to a digital forensic examination. For this purpose, we first establish a test scenario where the paired device/application collects data in regular real-world situations using a rooted smartphone running Android 11. The smartphone is then examined to gain insights into the data stored by the application and identify meaningful digital artifacts.

To ease and automate the task of digital forensic practitioners, we have developed the Garmin Connect for Android Analyzer (GC4AA) set of Python 3 modules tailored for the digital forensic framework Android Logs Events And Protobuf Parser (ALEAPP). These open-source modules parse dumps of a Vivosmart 4 data directory and create reports displaying several digital artifacts, such as health metrics, GPS data and routes, and phone notifications. They automate the information-gathering process and produce a report specially tailored for Garmin Connect data, highlighting the most relevant artifacts. Our results show that the analysis of paired Garmin Connect/Vivosmart 4 with GC4AA can yield more digital forensic artifacts than existing open-source tools, including the following new artifacts: i) Daily Summary data; ii) GPS data; iii) Response Cache data; iv) Network Logs; v) Facebook API tokens; vi) Device Synchronization cache; vii) SpO2 reading charts. Our contributions include a graphical presentation of the collected data, greatly improving its readability and analysis.

1. Introduction

We live in the golden age of technology, and every day researchers and engineers are developing new ways to integrate technologies into our lives. In the last decades, computers have gradually transformed from large machines to portable devices carried in pockets and, more recently, worn on wrists. This paper focuses on devices called smart wearables, more specifically on smartbands. Smartbands are tiny wrist-worn devices fitted with health and activity-related sensors capable of monitoring heart rate, oxygen saturation (SpO2), daily steps, burned calories, and workout-specific activities such as distance cycling, jogging, and swimming, to name a few. Smartbands have gained substantial market share due to their affordable prices and good price-quality ratio.

Other digital-worn devices are smartwatches, which besides displaying time and date, also provide some smartphone functions, such as placing and receiving phone calls, running applications, sharing GPS location, and storing data. Some, like Apple iWatch, even have WiFi connectivity. Smartwatches also have various health sensors that collect and monitor metrics such as heart rate, blood pressure, and oxygen saturation. These sensors provide smartwatches with fitness and health tracker functionalities (King and Sarrafzadeh, 2018). Nonetheless, smartbands and smartwatches are two very different kinds of devices. A smartwatch runs a custom-made operating system (OS) such as watchOS for Apple Watch devices and Wear OS for Android-based devices. These OS are adaptations of iOS and Android, tailored for more constrained environments at the cost of delivering fewer functionalities. Smartbands are

* Corresponding author.
E-mail addresses: [email protected], [email protected] (F. Nunes).

https://doi.org/10.1016/j.fsidi.2023.301624
Received 22 June 2023; Received in revised form 25 August 2023; Accepted 28 August 2023
Available online 18 September 2023
2666-2817/© 2023 Elsevier Ltd. All rights reserved.
F. Nunes, P. Domingues and M. Frade Forensic Science International: Digital Investigation 47 (2023) 301624

more specific devices focusing on fitness metrics. They usually run a basic operating system with enough resources to provide an interactive interface. Their main goal is essentially to work as a fitness tracker. Therefore, unlike a smartwatch, smartbands cannot receive calls or send messages and do not support the installation of applications. Instead, smartbands typically establish communication with a paired smartphone through protocols such as Bluetooth Low Energy or LTE using a companion application. This companion application stores the users' metrics and workout sessions. The companion app is an essential part of the band/smartphone pair, as it receives and processes data collected by the device and uploads it to the application's cloud. It also downloads firmware updates for the device. A primary difference between smartwatches and smartbands is that smartwatches manage to store information so they can work independently from paired smartphones. On the other hand, when smartbands are not connected to their companion application, their usefulness becomes significantly limited.

The wearable industry is growing annually due to the rapid evolution in capacity and features and the advantages it offers to the user. In 2021 the global market for smartwatches and smartbands already reached a volume of 46.5 Million Units, and studies show that it will likely reach 59.1 Million Units by 2027 (Wood, 2022). The same growth is visible in applications that use these devices to gather data. In 2019, there were more than 350 000 healthcare applications in the major app stores, responsible for 3.7 billion downloads per year (Byambasuren et al., 2019). Mobile Healthcare (mHealth) and fitness apps are among the dominant applications in the current market. Various studies have been made in this area, analyzing the current threat landscape and security challenges these applications face. Impressive research was performed by Tangari et al. (2021), who used a platform to test 20 000 mHealth applications, discovering that: i) mHealth apps generally adopt more reliable signing mechanisms and request fewer dangerous permissions than other applications; ii) 1.8% of mHealth apps package suspicious codes (for example, trojans), and 45% rely on unencrypted communication. As much as 23% of personal data – location information and passwords – is transmitted as unsecured traffic.

Companion applications, such as Garmin Connect, hold a wealth of user information from a forensic standpoint since these applications store health data and even geolocation for a specific timeframe. That is why they can be instrumental as they can be used in real-life scenarios to trace the last steps of victims/culprits, being de facto digital forensic artifacts (Neale, 2023). This data can be of paramount importance for investigations and has already helped to solve some cases. For instance, in 2015 police used GPS coordinates and step pace stored in a Garmin smartwatch to accuse a killer of a double homicide, correlating the time and date of the killings with coordinates stored in the smartwatch to draw the suspect's escape route (Ganjoo, 2019). Another example occurred in 2017 when a victim's Fitbit device was used to solve a murder case, with the device data helping to refute her husband's alibi (Watts, 2017).

This paper focuses on the Garmin Connect application for Android that was installed in a rooted phone and paired with the Garmin Vivosmart 4 smartband. As we shall see later on, this smartband contains a variety of sensors, such as an optical heart rate monitor, a barometric altimeter, accelerometers, an ambient light sensor, and a SpO2 sensor. It connects to the smartphone via BLE and is compatible with Garmin proprietary interoperability ANT+ equipment protocol (Bang et al., 2022).

Our motivation to study the Garmin Connect application stems from providing a thorough analysis of the application from a post-mortem digital forensic point of view. Note that Garmin is gaining popularity in the wearable market, currently ranking fifth among the most sold brands and dominating the premium watch market (Lovejoy, 2022). On Google Play, the Android Garmin Connect application has surpassed 10 million downloads and has a 4.6 score out of 5 from more than 800 000 reviews (more details are shown in Table 1). Additionally, studies regarding digital forensics of Garmin Connect are scarce, as we shall see in Section 2, and thus we wanted to provide our contribution.

The main contributions of this paper are i) the analysis and extraction of forensic artifacts in a post-mortem scenario of the Garmin Connect application; ii) the analysis of the mobile application and its API using various tools and scripts to assess the robustness of the application and its cloud ecosystem; iii) the development of 16 open-source software modules for the framework Android Logs Events And Protobuf Parser (ALEAPP 1) to extract forensic artifacts and create a report for further analysis 2, easing the task of forensic practitioners, all through open source software; iv) the implementation of several enhancements to the ALEAPP framework for reporting and displaying several data types, namely, geolocation coordinates and routes. Our code was integrated into ALEAPP's new release and is now available to the community.

The remainder of this paper is organized as follows. Section 2 reviews related work, while Section 3 describes the materials and methods of this study. Section 4 analyzes the Garmin Connect application, highlighting its primary forensic artifacts. Section 5 presents our open-source modules, Garmin Connect for Android Analyzer. Finally, Section 6 concludes the paper.

2. Related work

This section reviews studies on gathering and analyzing digital forensic data from wearables and their companion applications. Additionally, we briefly review works related to the ALEAPP framework as our software modules for the Garmin Connect target the ALEAPP framework.

Hassenfeldt et al. (2019) focused on the forensic study of nine different fitness applications for Android: MapMyFitness, RunKeeper, Strava, MyFitnessPal, Runtastic, Health Infinity, Fitness Tracker, Nike Training, and JEFIT. The authors created their testing environment by collecting and extracting data with Android Debug Bridge (ADB). Their main findings were Personal Data, GPS location, and Passwords related to the applications. The authors also developed a tool for extracting forensic artifacts, although not as complete as resorting to the ALEAPP framework.

Yoon and Karabiyik (2020) published a forensic study of the Fitbit Versa 2 for Android. The research explains the triage process one must follow in investigating wearable devices: how the device should be apprehended, and how the data needs to be acquired. The researchers used static methods and commercial tools such as AXIOM and XRY to acquire data from the device and study it afterwards. The authors found many relevant forensic artifacts inside the SQLite3 databases, such as: i) GPS Location; ii) Health Data Values; iii) Web Cookies; and iv) Credit Card information.

Kang et al. (2020) studied the Fitbit Alta HR and the Xiaomi Mi Band 2 and their respective Android applications, focusing on the forensic artifacts found in the SQLite databases from the applications. The authors reported on a collection of user-related information that the applications store, like sleep, steps, activities, account, and device information.

Williams et al. (2021) reported on the methods used to acquire data from the Fitbit application on Android and iOS. The authors studied whether the retrieved data differed between the two operating systems. To test this, the authors created two scenarios, one using a Google Pixel 2XL and the other with iPhone 7 Plus. They used two commercial forensic tools – Cellebrite and XRY – to extract and study the data on the computer. Since the Android device was not rooted, the tools could not extract the private information of the application, so the authors used a virtual device created with the Genymotion emulator. The data found was the same as the other research made for the Fitbit application, such as Private Messages, Feed Posts, GPS Data, Profile Information,

1 https://github.com/abrignoni/ALEAPP.
2 https://github.com/labcif/GC4AA.


Table 1
Studied application details.

| App name | Garmin Connect |
|---|---|
| Downloads | +10 million |
| Average user score | 4.6 / 5 |
| Number of reviews | +800 000 |
| Market | Global |
| Studied version | 4.61 (released on 2022-11-15) |
| Play store URL | https://play.google.com/store/apps/details?id=com.garmin.android.apps.connectmobile |

Sleep Data, Heart Rate Data. This research highlights the difference in the acquisition methods of both operating systems.

In 2021 Dawson and Akinbi (2021) analyzed the contents of the TomTom companion application focusing on the data stored in TomTom Spark 3 watch. The authors' goal was to compare the forensic artifacts found in the TomTom watch using forensic and non-forensic tools and demonstrate the possible limitations of these tools and how they can affect the analyst's decision-making. To that end, the authors compared the data obtained with the Cellebrite forensic tool with those studied using ttwatch – an open-source command-line tool used to interact with the physical TomTom GPS smartwatch and extract forensic artifacts stored on flash memory – and Runalyze – a tool to analyze proprietary files from TomTom watches. The authors found forensic data related to Activities, User Account, and Bluetooth Logs.

Domingues et al. (2023) did a post-mortem analysis of the companion application ZeppLife (formerly called MiFit) for Xiaomi devices when coupled to a MiBand 6 in a rooted smartphone. The authors focused solely on a static analysis of the application, reporting on the following data: i) Health data; ii) Device data; iii) Daily summaries (steps, sleep hours, etc.); iv) User information; and v) Workouts. They also developed a software module – MiFit Analyzer – for the Autopsy forensic browser. The module generates a dynamic HTML-based report with the artifacts found in the extracted private directory of the application.

Hutchinson et al. (2022) studied three companion applications using three different smartwatches and smartbands, the Amazon Halo Band, the Garmin Vivosmart 4, and the Mobvoi TicWatchS2. This research is different from the rest. One of the applications is Garmin Connect for Android, using the same smartband as we are, the Garmin Vivosmart 4. The authors created a test environment using the various smartbands to populate the application's database. They used a rooted Samsung A50 with Android 10 to facilitate the post-acquisition of the data. After that, they analyzed the contents of the application using three different tools: Cellebrite and Magnet Axiom, which are both commercial tools, and the popular open-source tool Autopsy. The authors aimed to find the differences using commercial and open-source tools in post-mortem examinations. They also explored various other types of research made before them in specific research about Fitbit. The authors found the following data: i) Exercise Data; ii) Profile Information; iii) Heart Rate Data; iv) Steps Data; v) Sleep Data; vi) Stress Data; vii) Notifications; and ix) Voice Data. Regarding digital forensic data, the authors focused mostly on the application XML files, devoting less attention to the application's database. Our work provides a deeper analysis of the post-mortem data left by the application regarding the databases. In addition, we also provide software modules to report on the digital forensic artifacts left by the application usage.

Before beginning our analysis, we also analyzed works related to ALEAPP, as our modules target this framework. ALEAPP is a popular open-source Python-based framework able to extract forensic artifacts from an application's data folder and create reports (Brignoni, 2023) through specific software modules. The modular framework allows developers to add new modules supported by existing features of ALEAPP and develop new functionalities to enhance the tool or its report capabilities. In this short review, we focus on i) works that have developed modules for the framework and ii) analysts that have used it in their studies. The work by Vasilaras et al. (2022) resorted to ALEAPP to analyze database files of the Android Telegram application. Analysts Delija et al. (2022) relied on ALEAPP, Autopsy, and the commercial tool Belkasoft to process forensic artifacts found in the system files of Android version 11 to compare the results provided by the three tools. Lastly, Mirza et al. (2022) did a digital forensic analysis of various so-called Web3 wallet applications for Android and iOS. In their research, they used both ALEAPP and its similar platform for iOS called iLEAPP (iOS Logs, Events, and Plists Parser). Our work also relies on ALEAPP, as we provide modules to process the forensic data of the Garmin Connect application. We have also extended the framework, adding new features and capabilities such as Heatmaps, Date Filtering, GPS Maps, and Data Charts, as we shall see later on.

3. Materials and methods

In this section, we describe the materials used in this investigation, both hardware and software, and then the process for generating and analyzing the data.

3.1. Hardware

To analyze the running applications, we resorted to a rooted Samsung A40 smartphone with Android 11 (API 30). We collected data using the smartphone and a smartband, the Garmin Vivosmart 4. Note that the native companion for the Garmin Vivosmart 4 smartband is the Garmin Connect application. Table 2 lists the hardware used.

Table 2
List of devices used in the study and their respective OS versions.

| Device | OS version |
|---|---|
| Vivosmart 4 | V5.40 |
| Samsung A40 | Android 11 (API 30) |

3.1.1. Garmin Vivosmart 4

The Garmin Vivosmart 4 smartband comes in two sizes: small/medium with 15 × 10.5 × 197 mm weighing 16 grams or large with 15 × 10.5 × 223 mm, weighing 17.1 grams. The material of the smartband is polycarbonate, and the screen is an OLED with a 48 × 128 pixels display. The smartband includes various features such as a heart rate monitor, barometric altimeter, accelerometer, ambient light sensor, and pulse oxygen saturation sensor. While Garmin does not provide specific details about its internal memory, they mention that the smartband can store up to 7 timed activities and 14 days of health tracking data. 3

Additionally, the smartband is water-resistant and capable of tracking swimming workouts. The smartband and its companion application communicate through Bluetooth Low Energy (BLE) technology.

3 https://www.garmin.com/en-US/p/605739#specs.


Table 3
Software tools.

| Tool name | Version | Usage |
|---|---|---|
| ADB | 33.0.1 | Data access |
| ALEAPP | 3.1.6 | Framework to generate report |
| bring2lite | 1.0 | Recover deleted records |
| DBDiagram.io | online tool | Create database diagrams |
| DB Browser for SQLite | 3.12.2 | Database analysis and queries |
| schemacrawler | 16.19.5 | Generate database diagrams |
| PyCharm | 2022.3 | Python Development |
| Python | 3.10 | Module and script development |

3.2. Software

The version of Garmin Connect studied was version 4.61, which at the time of this analysis, was the current version available for download on the Google Play Store.

This analysis was divided into two parts: i) Post-Mortem Analysis; and ii) ALEAPP Development. For each part, we used different tools.

Post-Mortem software. For the post-mortem analysis, we used ADB (Android Debug Bridge). This command line tool permits the user to access and interact with a mobile device connected via USB. With the debugging mode activated, 4 ADB is the standard method used to extract data from a mobile device. We also developed a script in Python 5 to automate this process of extracting data to reduce the various commands to a simple script call. For analyzing the database, we used the open-source tool DB Browser for SQLite, 6 one of the most popular tools for working with SQLite databases. We also used schemacrawler 7 to generate database diagrams to understand the connections between tables and DBDiagram.io 8 to improve the diagram generated by schemacrawler. To analyze possible deleted records, we used the open source script bring2lite. 9 This script tries to recover deleted records from SQLite databases.

Module development. For developing the ALEAPP module, we only needed standard programming tools. ALEAPP is written in Python, so we used the IDE PyCharm to write our code. Table 3 shows all the tools used for this project, the used version, and their usage.

ALEAPP or Android Logs Events And Protobuf Parser is a Python tool created by Brignoni (2023) to generate forensic reports based on artifacts found in directories extracted from Android applications. The artifacts will depend on the modules the user selects when executing the tool, as shown in Fig. 1. ALEAPP is a valuable triage resource within forensic laboratories, offering a crucial auxiliary solution for forensic investigators when commercial tools are inaccessible. Moreover, ALEAPP is a versatile framework enabling independent testing and evaluation of various forensic tools, further enhancing their utility and value. It is becoming a popular tool among open-source analysts for analyzing Android applications.

3.3. Method

To gather enough data for this analysis, one of the authors used the Garmin Vivosmart 4 and the Samsung A40 for six months after setting up an account in the application. To gather enough and varied data, the author: i) did workouts (both indoors and outdoors); ii) gathered sleep data; iii) updated weight changes regularly; iv) added water hydration; v) created running routes and exercises; vi) added equipment; vii) interacted with user posts. The smartband collects health data such as heart rate and SpO2 while it is worn. Users can initiate workouts on the smartband or let the smartband detect the activity automatically.

Following the test data generation, we employed a range of open-source tools. In cases where existing tools did not serve our specific needs, we developed custom tools. This approach not only accelerates the data retrieval process but also reduces required computational resources when compared to the use of generic forensic tools like Autopsy. Furthermore, our approach enabled us to incorporate novel forensic artifacts absent in the research discussed in Section 2. Section 4 presents a comprehensive exposition of our approach.

4. Post-Mortem analysis

In the following part of this paper, we will present the data collected and analyzed during the post-mortem analysis. We will start by giving a brief overview of the structure of the application's interface, the permissions asked by the application, and the extraction and analysis of the data to find forensic artifacts.

4.1. Garmin Connect

The application's main screen is a dashboard where the daily information of the user is shown, as seen in Fig. 2. The dashboard is split into various rectangles associated with a day's feature, such as activities, calories burned, water consumed, and steps walked. Clicking one of these rectangles opens a detailed look at the parameter. It is possible to change to a different parameter by opening the side menu. The user can open a detailed view of various activities, statistics, and health data there. Depending on the stats, a corresponding data chart will be displayed inside these views, as shown in Fig. 3 for the heart rate variation during a specific day. There is also a bottom menu where users can go to the challenge page to participate in challenges to earn badges. There is a calendar that the user can open on a specific day and see all the actions registered by the application during that day. There is also a news feed that acts as a social place where the user will see posts from activities carried out by themselves and by friends they might have in the application. Lastly, there is also a notification page where the application presents announcements and other messages generated by the application.

Table 4 lists the most relevant features of a paired Garmin Vivosmart 4 with Garmin Connect.

4.2. Android permissions

The Garmin Connect application requires a set of Android permissions that must be enabled when the application executes for the first time. Table 5 lists the permissions asked by the application. All permissions made sense based on the features provided by Garmin Connect and compared to other applications in the same field. When installed for the first time, the application will ask permission to access the calendar, the user's location, calls, and messages.

4 https://developer.android.com/studio/command-line/adb?hl=pt-br.
5 https://www.python.org.
6 https://sqlitebrowser.org/.
7 https://www.schemacrawler.com/weak-associations.html.
8 https://dbdiagram.io/home.
9 https://github.com/bring2lite/bring2lite.


Fig. 1. ALEAPP GUI.

Table 4
Most relevant functionalities of the Vivosmart 4.

| Feature | Description |
|---|---|
| Heart rate | Measure the heart rate. |
| Max. Oxygen Consumption | Measure the Maximal Oxygen Consumption also known as VO2 using the heartbeat data. |
| Oximeter | Measure the oxygen saturation level in the blood, also known as SpO2. |
| Steps | Count the number of steps. |
| Body Battery | Measure Body Battery (energy levels based on sleep and calories consumed). |
| Floors | Count number of floors ascended and descended. |
| Stress | Detect and measure stress levels. |
| Calories | Count calories burned. |
| Sleep | Analyze sleep along four main components: deep sleep, light sleep, awake time, and rapid eye movement (REM). |
| Workout | Allow selecting one of the four default workouts (walking, running, strength, yoga). Using Garmin Connect, it is possible to change or add new workouts. |
| Notification | Vivosmart 4 vibrates and displays a message for the smartphone notifications (e.g., calls, SMS, WhatsApp, etc). |
| Time | Time-related functions such as chronometer, countdown and timer. |

4.3. Extraction of data

To extract the data stored by the application from the smartphone, we used ADB (Android Debug Bridge). However, issuing ADB commands manually is time-consuming since the analysts must find the correct package, compress the data, and send it to their computer. We decided to create a simple Python script to automate this process. The snippet below shows how to execute the script:

    python3 acquisition.py <package_name> -d <emulator|physical> -t <private|public|apk>

We also developed a GUI version of the application where users can select what data they want to extract and choose the respective application, as shown in Fig. 4. This version was developed with the graphical library PySimpleGUI. 10 Both versions work across Windows, MacOS, and Linux and can be found in our repository https://github.com/labcif/ADB-Extractor.

To start our analyses and to get an overview of the structures of the folders extracted, we ran the command tree to give us its structure. We started by analyzing the public folder that is accessible without root; executing the tree command yielded the result shown in Fig. 5.

The content of the public folder is reduced. We only found two files: map_cache.db and temp_file. Using DB Browser to analyze map_cache.db, we found four tables, mainly with BLOB values and timestamps for expiration dates. The information stored did not have any relevance to the analysis. By searching for the name of the database online, it was possible to discover that this database stores cache tiles for the map functionality of the application to speed up its process during use. The temp_file was not human-readable and is likely used by Garmin Connect to save temporary data during the app's runtime. This file can be used for various purposes, such as caching, storing temporary data, or facilitating data exchange between components within the app.

The application did not store any relevant data in its public folder. There is no need to analyze this directory further or use other tools here.

After that, we executed the same process for the private directory. This one is shown in Fig. 6 and contains much more information. The private folder has 51 sub-directories and contains 674 files. This number is massive and makes a manual analysis an uphill task. The following

10 https://www.pysimplegui.org/en/latest/.


Table 5
Garmin Connect Permissions.

| Permission | Function |
|---|---|
| Calendar | Read calendar details and events |
| Camera | Take pictures and videos |
| Contacts | Read Contacts |
| | Search for accounts on the device |
| Location | Only access the approximate location in the foreground |
| | Only access the exact location in the foreground |
| Call Logs | Read Call Log |
| Cell Phone | Dial phone numbers directly |
| | Read the status and identity of the mobile phone |
| SMS | Send and view SMS messages |
| Storage | Change/delete the contents of the shared storage |
| Other | Transfer files without notification |
| | Prevent phone sleep mode |
| | View Wi-Fi connections |
| | Receive data from the internet |
| | Use background data |
| | Access background location |
| | Send fixed broadcast |
| | Have full access to the network |
| | Run in background |
| | Advertising ID authorization |
| | Run service in foreground |
| | Access Bluetooth settings |
| | This app may appear on top of other apps |
| | Run on startup |
| | See network connections |
| | Read Google services configuration |
| | Query all packages |
| | Control vibration |
| | Answer phone calls |
| | Installer Referrer API Google Play |
| | Sync with Bluetooth device |

Fig. 2. Main screen of Garmin Connect. Fig. 3. Garmin Connect Heart Rate Statistics.


subsections will detail the sub-folders where we found forensic artifacts: 4.4 Databases, 4.5 Files and 4.6 Shared Preferences folders.

Fig. 4. ADB Extractor Graphical Interface.

Fig. 5. Directories inside public folder.

Fig. 6. Directories inside private folder.

4.4. Databases

Under the databases directory, the application holds 17 SQLite3 database files. Table 6 presents the databases and briefly describes them. We also provide, for each database, the number of tables that hold records, as we observed that many tables were empty.

Most databases are empty or contain information without forensic value. To be brief and precise, we will only analyze four databases that contain relevant forensic data: cache-database, gcm_cache.db, notification-database and sync_cache.db.

4.4.1. cache-database

The cache-database database holds the most meaningful digital forensic data. It has 27 tables, although, in our setup, only 14 of those had data. We suspect that the absence of data in some tables is due to the lack of features from the Vivosmart 4 smartband that are present on other Garmin products (e.g., blood pressure readings). These tables are listed in Table 7 and classified regarding their digital forensics value.

Activity tables In the database, the four activity tables are related to the workout activities stored by Garmin Connect. They are connected by a foreign key which is the activity ID. To facilitate the analysis of this database, we used schemacrawler and DBDiagram.io to create a database diagram overview, shown in Fig. 7. Since the complete diagram is too big to present in the paper, we published the complete diagram and the code to generate it in our repository https://github.com/labcif/Garmin-Connect-Database.

Each record in these tables represents a workout activity performed by the user. The two tables that hold more information are activity_details and activity_summaries, which contain the various details of an activity done by the user (calories burned, steps, heart rate, distance, etc). These two tables hold the same data. The only difference is that activity_details saves the data in separate columns (the table has a total of 120 columns), and activity_summaries saves all data related to the activity in a JSON object stored in a single column. We hypothesize the table activity_summaries stores the activity in the format sent to the server when the user uploads an activity. The table activity_chart_data is related to the charts generated for the activity. It contains two columns that store an array of X and Y values to create the chart. During our data gathering, we only managed to generate records related to heart rate charts. The table activity_polyline is associated with the outdoor activities with GPS tracking. The table stores the starting and ending coordinates, and a large string of characters called polyline. A polyline is a string of characters that encodes a series of coordinates. The polyline is encoded using the Google Maps API and is usually used to draw a route in Google Maps11 as shown in Fig. 8.

The coordinates hold significant forensic value because they can pinpoint where the user was during a period. According to Google's documentation, decoding a polyline back into a group of coordinates is possible. Using the Python library polyline,12 we created a Python script that decodes Google's polylines back to coordinates and saves them in an XLSX file. This file will contain the coordinates of the activity. Additionally, with the use of the library geopy,13 our script will also add information to the coordinates such as the respective road, city, postcode and country. This file aims to aid the analysis of GPS coordinates and filter possible locations of interest. After that, we use these coordinates to create a file with the route done by the user. The user can choose to export this file in HTML or Google Earth format (KML). This script was part of the modules developed for ALEAPP. However, since we could not find any script that offered those features, we decided it could prove helpful for other use cases, so we created a standalone version called Polyline2GPS in our repository https://github.com/labcif/Polyline2GPS.

11 https://developers.google.com/maps/documentation/javascript/examples/polyline-simple.
12 https://pypi.org/project/polyline/.
13 https://pypi.org/project/geopy/.
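The decoding step described for the activity_polyline table, written out as an added example (it is not the Polyline2GPS code): a pure-Python decoder for Google's Encoded Polyline Algorithm Format, so it runs offline without the polyline package, plus a minimal KML writer and a haversine route length that can be compared with the distance recorded for the activity. The sample string is the worked example from Google's format documentation; all function names are hypothetical.

```python
"""Added example: decode a Google encoded polyline and export the route as KML."""
import math
from xml.sax.saxutils import escape

SAMPLE = "_p~iF~ps|U_ulLnnqC_mqNvxq`@"  # worked example from Google's format documentation


def decode_polyline(encoded, precision=5):
    """Return [(lat, lon), ...] for an Encoded Polyline Algorithm Format string."""
    factor = 10 ** precision
    coords, index, lat, lon = [], 0, 0, 0
    while index < len(encoded):
        deltas = []
        for _ in range(2):  # each point is a latitude delta, then a longitude delta
            shift = result = 0
            while True:
                if index >= len(encoded):
                    raise ValueError("truncated polyline: string ends inside a value")
                chunk = ord(encoded[index]) - 63  # values are offset into printable ASCII
                index += 1
                if not 0 <= chunk < 64:
                    raise ValueError(f"invalid polyline character at offset {index - 1}")
                result |= (chunk & 0x1F) << shift  # 5 payload bits per character
                shift += 5
                if chunk < 0x20:  # continuation bit clear: last chunk of this value
                    break
            # Undo the zig-zag step: the lowest bit carries the sign.
            deltas.append(~(result >> 1) if result & 1 else result >> 1)
        lat += deltas[0]
        lon += deltas[1]
        if abs(lat) > 90 * factor or abs(lon) > 180 * factor:
            raise ValueError("coordinate out of range: corrupt data or wrong precision")
        coords.append((lat / factor, lon / factor))
    return coords


def route_length_m(coords):
    """Great-circle length of the route in metres (haversine, mean Earth radius)."""
    total = 0.0
    for (lat1, lon1), (lat2, lon2) in zip(coords, coords[1:]):
        p1, p2 = math.radians(lat1), math.radians(lat2)
        dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
        a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
        total += 2 * 6371008.8 * math.asin(math.sqrt(a))
    return total


def to_kml(coords, name="activity route"):
    """Build a minimal KML document; KML writes each point as lon,lat,alt."""
    points = " ".join(f"{lon:.5f},{lat:.5f},0" for lat, lon in coords)
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<kml xmlns="http://www.opengis.net/kml/2.2"><Document>'
        f"<Placemark><name>{escape(name)}</name>"
        f"<LineString><coordinates>{points}</coordinates></LineString>"
        "</Placemark></Document></kml>\n"
    )


if __name__ == "__main__":
    route = decode_polyline(SAMPLE)
    print(route)
    print(f"route length: {route_length_m(route) / 1000:.1f} km")
    print(to_kml(route, name="constructed sample"))
```

A decoded route whose length is far from the distance stored for the same activity ID is a sign of a truncated polyline or a different precision, both of which the decoder reports as errors rather than returning silently wrong points.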


Table 6
Brief description of Garmin Connect databases. The column "# tables" displays the total number of tables and, within parentheses, the number of tables with data.

| Database | # tables | Description |
|---|---|---|
| applications-database | 3 (3) | Related to the version of the application |
| AppNotification | 3 (3) | Internal Notification of the application |
| cache-database | 27 (14) | Data cached from the app's features |
| Campaign_Database | 3 (2) | Possible storage for Garmin Campaigns |
| com.google.android.datatransport.events | 7 (2) | Android internal communication process (Google Play Services library) |
| connect | 4 (3) | MAC address of the smartband |
| garminpaycore | 4 (2) | Data regarding the Garmin Pay feature (not available for Vivosmart 4) |
| gcm_cache.db | 12 (6) | Cache Data originated from the data received from the API |
| gcm_onboarding_item | 5 (4) | Devices associated with account and features activated |
| gcm_swings | 3 (2) | Database related to Golf features present in some devices (not available for Vivosmart 4) |
| gcm_user_presistence | 7 (3) | Cached information for certain features of the application (onboarding and badges) |
| google_app_measurement_local.db | 2 (1) | Database related to Firebase Analytics |
| livetrack-database | 6 (2) | Data regarding livetrack feature (not available for Vivosmart 4) |
| news_feed_database | 3 (2) | Database related to the user feed |
| notification-database | 3 (3) | Database with the recent phone notifications sent to the smartband |
| sync_cache.db | 3 (3) | Database with the synchronization process between smartband and application |
| ue3.db | 3 (1) | Database possibly related to internal events |

Table 7
Non-empty tables of the cache-database database.

| Table | Forensic value | Description |
|---|---|---|
| acclimation_pulse_ox_details | fair | Recorded SpO2 data |
| activity_chart_data | high | Values for activities' charts |
| activity_details | high | Details of activities |
| activity_polyline | high | GPS coordinates from activities |
| activity_summaries | high | Activity Details in JSON format |
| heartrate_zones | low | User's Heart Rate Zone Values |
| intensity_minutes | low | Total Minutes of intense exercise |
| response_cache | low | Response Cache from server |
| sleep_detail | high | Stores Sleep Information |
| user_daily_summary | high | Daily user summaries |
| weight | fair | Weight Data |

sleep_detail The table sleep_detail contains users' sleep data. It stores a timestamp when it starts the sleep mode. When it stops, the table also stores the duration in seconds of the recorded sleep phases (light sleep, deep sleep, REM sleep, and awake time). In addition, the Vivosmart 4 actively reads the user's SpO2 during sleep and stores the lowest, highest, and average SpO2 readings. The values of the table have forensic value since they can tell the analyst the timespan the person was asleep and can be correlated with other events.

user_daily_summary The table user_daily_summary stores general data such as calories burned, steps, stress, heart rate, SpO2 etc. The table has a total of 70 columns and stores the user's daily data (one record per day). This table is valuable from a forensic standpoint since it is possible to understand the user's day, such as the maximum heart rate and the number of steps.

The general problem with the cache-database is that the database only stores data temporarily. We used the smartband for various months, and only the most recent data was saved in the database. After synchronizing with the device, the application sends the data to Garmin's cloud servers, where the data is then stored. This process is part of the Garmin Connect API developed to share data with partner apps. That means that the application only uses the data in this database for caching and to reduce load times. The primary way to access the application's data is by retrieving it from the cloud, which is why it requires a continuous internet connection. While this slightly diminishes its forensic value, the fact that the application stores recent data in its cache still makes its information valuable.

By default, SQLite does not delete records. Instead, it marks them as unused until other data overwrites them. To retrieve any possible deleted records from the database, we utilized the open-source script bring2lite.14 However, we could not retrieve any data. We later verified in the database properties that it has the flag PRAGMA schema.auto_vacuum set to FULL. With this option, SQLite moves the free list pages to the end of the database file. Then the file is truncated to remove them at every transaction commit, eliminating the possibility of retrieving deleted data (SQLite Community, 2023).

4.4.2. gcm_cache.db

The database gcm_cache.db, just like the cache-database, holds temporary data. It has various tables related to user data (activity information and daily statistics) and the associated devices. From the 12 tables inside the database, only 4 had any data after our tests, as presented in Table 8.

JSON tables The gcm_cache.db holds various tables with the prefix json. Only two of them had data, a table called json and another called json_activities. The tables store cached values in JSON format. The data present here is the same as in the cache-database. We suspect this database holds a cache from the data the application retrieves from the cloud via requests to the API. The cache-database and the gcm_cache.db hold the same data in different formats. The cache-

14 https://github.com/bring2lite/bring2lite.
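The auto_vacuum setting reported for the cache-database can be read from the 100-byte SQLite file header alone, without letting SQLite open (and possibly modify) the evidence file. This added example is not part of bring2lite or the authors' tooling: it builds three constructed databases, deletes their rows, and compares the header fields. The function names and the notification table are hypothetical.

```python
"""Added example: read auto-vacuum mode and freelist size from a SQLite file header."""
import os
import sqlite3
import struct
import tempfile

MAGIC = b"SQLite format 3\x00"


def header_triage(path):
    """Parse the 100-byte header with plain file reads; SQLite never opens the file."""
    with open(path, "rb") as fh:
        hdr = fh.read(100)
    if len(hdr) < 100 or hdr[:16] != MAGIC:
        raise ValueError("not a SQLite 3 database file")
    page_size = struct.unpack(">H", hdr[16:18])[0]
    page_size = 65536 if page_size == 1 else page_size  # the value 1 encodes 65536
    # Offsets 28, 32, 36: size in pages, first freelist trunk page, freelist page count.
    page_count, _first_trunk, freelist_pages = struct.unpack(">III", hdr[28:40])
    largest_root = struct.unpack(">I", hdr[52:56])[0]  # non-zero only with auto-vacuum
    incremental = struct.unpack(">I", hdr[64:68])[0]   # non-zero: incremental mode
    if largest_root == 0:
        mode = "NONE"
    else:
        mode = "INCREMENTAL" if incremental else "FULL"
    return {
        "page_size": page_size,
        "page_count": page_count,
        "freelist_pages": freelist_pages,
        "auto_vacuum": mode,
        "wal_present": os.path.exists(path + "-wal"),
    }


def build_sample(path, mode, rows=400):
    """Constructed sample: fill a table with filler rows, then delete them all."""
    if mode not in ("NONE", "INCREMENTAL", "FULL"):
        raise ValueError("unknown auto_vacuum mode")
    con = sqlite3.connect(path)
    con.execute(f"PRAGMA auto_vacuum = {mode}")  # must be set before any table exists
    con.execute("CREATE TABLE notification (id INTEGER PRIMARY KEY, body BLOB)")
    con.executemany("INSERT INTO notification (body) VALUES (?)",
                    [(b"x" * 900,) for _ in range(rows)])
    con.commit()
    con.execute("DELETE FROM notification")
    con.commit()
    con.close()


def triage_demo():
    """Build one constructed database per mode and return {mode: header fields}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for mode in ("NONE", "INCREMENTAL", "FULL"):
            path = os.path.join(tmp, f"sample_{mode.lower()}.db")
            build_sample(path, mode)
            results[mode] = header_triage(path)
    return results


if __name__ == "__main__":
    for mode, fields in triage_demo().items():
        print(mode, fields)
```

In WAL mode the main-file header can lag behind the -wal file, which is why the result also reports whether a -wal file sits beside the database.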


Fig. 7. Simplified diagram of the cache-database.

Table 8
Non-empty tables of the gcm_cache.db database.

| Table | Forensic value | Description |
|---|---|---|
| device_permission | low | Permissions of the device |
| devices | fair | Information related to the connected device |
| json | high | Device captured Data (JSON) |
| json_activities | high | Stored activities (JSON) |


    {
      "Fid": "dOrIAtkqT66jHW4uNghIvs",
      "Status": 3,
      "AuthToken": "eyJ...(a total of 305 characters)",
      "RefreshToken": "3_A...(a total of 112 characters)",
      "TokenCreationEpochInSecs": 1677750057,
      "ExpiresInSecs": 604800
    }

Listing 1: Content of PersistedInstallation file.

    Mar-01;8:37:04.774PM [OkHttp https://connectapi.garmin.com/...] D/NetworkDI - -> GET https://connectapi.garmin.com/mobile-gateway/snapshot/usageIndicators/v3 http/1.1
    X-Garmin-Paired-App-Version: 7302
    X-Garmin-Client-Platform: Android
    User-Agent: GCM-Android-4.61
    X-Garmin-User-Agent: com.garmin.android.apps.connectmobile/4.61; ; samsung/SM-A405FN/samsung; Android/30; Dalvik/2.1.0 (Linux; U; Android 11; SM-A405FN Build/RP1A.200720.012)
    X-app-ver: 7302
    X-lang: pt
    Authorization: Bearer eyJ...(a total of 946 characters)
    -> END GET
    ...

Listing 2: Content of app.log file.
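The fields in Listings 1 and 2 can be triaged for a report without copying any secret into it: this added example (not the ALEAPP module code) computes the validity window from the PersistedInstallation fields, parses request blocks in the layout of Listing 2, and records only a hash of each bearer token together with its decoded expiry and the device string. The log lines and the JWT are constructed, the regular expressions are assumptions based on the single sample in Listing 2, and all function names are hypothetical.

```python
"""Added example: triage token artifacts like Listings 1 and 2 without printing secrets."""
import base64
import hashlib
import json
import re
from datetime import datetime, timezone

# Patterns follow the one request shown in Listing 2; other app versions may differ.
REQ_START = re.compile(
    r"^(?P<ts>\S+) \[OkHttp [^\]]*\] \S+ [- ]*-> (?P<method>[A-Z]+) (?P<url>\S+)")
REQ_END = re.compile(r"^[- ]*-> END\b")
HEADER = re.compile(r"^(?P<name>[A-Za-z0-9-]+): (?P<value>.*)$")


def iso(epoch):
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def firebase_token_window(doc):
    """Issue and expiry time from the PersistedInstallation fields shown in Listing 1."""
    issued = int(doc["TokenCreationEpochInSecs"])
    return {"issued_utc": iso(issued), "expires_utc": iso(issued + int(doc["ExpiresInSecs"]))}


def jwt_expiry(token):
    """Return the exp claim (epoch seconds) of a JWT payload, or None if undecodable."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        payload = base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4))
        exp = json.loads(payload).get("exp")
    except (ValueError, AttributeError):
        return None
    return exp if isinstance(exp, (int, float)) else None


def summarise(req, complete):
    """Reduce one request to reportable facts; the token itself is never returned."""
    headers = req["headers"]
    auth = headers.get("authorization", "")
    token = auth[7:] if auth.lower().startswith("bearer ") else None
    exp = jwt_expiry(token) if token else None
    ua = [p.strip() for p in headers.get("x-garmin-user-agent", "").split(";")]
    return {
        "ts": req["ts"], "method": req["method"], "url": req["url"],
        "device": ua[2] if len(ua) > 2 else None,  # third field in Listing 2's sample
        "token_sha256": hashlib.sha256(token.encode()).hexdigest()[:16] if token else None,
        "token_expires_utc": iso(exp) if exp is not None else None,
        "complete": complete,
    }


def parse_requests(lines):
    """Yield one summary per logged request, including a block cut off at end of file."""
    current = None
    for raw in lines:
        line = raw.rstrip("\n")
        start = REQ_START.match(line)
        if start:
            if current is not None:  # previous block never reached its END marker
                yield summarise(current, complete=False)
            current = {**start.groupdict(), "headers": {}}
        elif current is not None and REQ_END.match(line):
            yield summarise(current, complete=True)
            current = None
        elif current is not None:
            header = HEADER.match(line)
            if header:
                current["headers"][header["name"].lower()] = header["value"]
    if current is not None:
        yield summarise(current, complete=False)


def make_sample_jwt(exp):
    """Constructed, unsigned stand-in for the redacted token in Listing 2."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "none"})}.{enc({"exp": exp})}.constructed'


def sample_log(token):
    """Constructed log lines in the layout of Listing 2; the second request is cut off."""
    first = [
        "Mar-01;8:37:04.774PM [OkHttp https://connectapi.garmin.com/...] D/NetworkDI - -> GET "
        "https://connectapi.garmin.com/mobile-gateway/snapshot/usageIndicators/v3 http/1.1",
        "X-Garmin-Client-Platform: Android",
        "X-Garmin-User-Agent: com.garmin.android.apps.connectmobile/4.61; ; "
        "samsung/SM-A405FN/samsung; Android/30; Dalvik/2.1.0 (Linux; U; Android 11)",
        f"Authorization: Bearer {token}",
        "-> END GET",
    ]
    return first + [first[0].replace("8:37:04.774PM", "8:37:09.101PM"), "X-lang: pt"]


if __name__ == "__main__":
    print(firebase_token_window({"TokenCreationEpochInSecs": 1677750057, "ExpiresInSecs": 604800}))
    for item in parse_requests(sample_log(make_sample_jwt(1677836457))):
        print(item)
```

Comparing the device field and the token hash across requests shows whether more than one handset or session wrote to the same log, while the report itself stays free of reusable credentials.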

database generally holds more information and is easier to read. Yet, we found records in the gcm_cache.db that were not present in the cache-database, meaning that both have forensic value and should be equally studied.

Fig. 8. GPS Route of a walking activity.

4.4.3. notification-database

The database notification-database, as the name implies, is used to store the phone's notifications transmitted to the smartband. Since the notification appears in cleartext, it can be a good artifact, for example, possible incriminating text messages or call logs. Unfortunately, this database only stores recent notifications and frequently deletes old notifications. We have verified that this database, similar to cache-database, has the flag PRAGMA schema.auto_vacuum set to FULL, thereby rendering the recovery of deleted records impossible.

4.4.4. sync_cache

The database sync_cache stores the synchronization process of the smartband and the smartphone. This database contains forensic value since it gives us some information, such as what smartband is synchronized with the smartphone (the database stores the unit ID of the device in each record). It also tells us that the smartphone connected the device via BLE at that moment – each record contains a UTC timestamp.

4.5. Files directory

Typically, the directory files is linked to files generated by the application, whether through user interaction or not. This folder has various sub-folders and files, most of which were fragments of synchronization processes. Upon inspection, we observed that the files were not in a human-readable format. The Linux file15 command identified the files as being in the Flexible and Interoperable Data Transfer (FIT) format.

FIT is a binary file format that stores health and fitness data such as workouts, heart rate, and GPS. It was developed by Garmin and is used by various fitness trackers and apps, including Garmin devices, Strava, and many others (Ltd, 2023). These files can contain data recorded by the device, meaning they might have forensic value. However, the only official way to decode a FIT file is using Garmin's proprietary SDK for developers. Luckily, there are open-source scripts developed by the community to decode these files. One of these tools is a Python library called fitdecode,16 which converts a FIT file to JSON. However, the tool did not manage to decode these files since they are only fragments of a complete FIT file and are likely the result of caching processes.

We only found two human-readable files. The first one is a JSON file called PersistedInstallation that contains the access_token and refresh_token, as shown in Listing 1. This file is related to Firebase, a real-time NoSQL database developed and maintained by Google. The file contained the end user credentials such as the database's ID (Fid), the current Authentication token needed to make requests, the refresh token for when the authentication token expires, and two values in seconds: when the token was issued and its validity time. The authentication token is valid for seven days. The refresh token never expires (based on the Firebase code public on GitHub17). This finding is not valuable from a forensic perspective. Still, it could be considered a security risk since an attacker could access this file and access the user's data accessible in the application's Firebase database.

The second file, named app.log and stored in the subfolder logs, contains all the execution logs during the last day it was used. This file occupies a total of 3.43 Megabytes over 22 582 lines. Therefore, we decided to search for specific keywords related to the authentication process, such as: auth, token, secret, password, and id. Using these keywords, we found interesting information about the application execution. The application logs the HTTP communications with Garmin's servers, as shown in Listing 2.

In Listing 2, we can see a GET request to the URL https://connectapi.garmin.com/mobile-gateway/snapshot/usageIndicators/v3, using an

15 https://www.man7.org/linux/man-pages/man1/file.1.html.
16 https://github.com/polyvertex/fitdecode.
17 https://github.com/firebase/firebase-android-sdk/blob/master/firebase-installations/src/main/java/com/google/firebase/installations/local/PersistedInstallation.java.


authorization bearer token. Executing this request in Postman returned a JSON response containing the features that were available on the device used, the Garmin Vivosmart 4. The Authorization token is a JSON Web Token or JWT used to authenticate the requests to the API and protect it against unauthorized access. During our testing, we found that this token remains valid for 24 hours before it expires. The token consists of 946 characters, less than the standard size for JWT tokens of 1 Kilobyte. This discovery is crucial since the last logged Bearer token in this file could still be valid, meaning we can interact with the API without knowing the user's credentials. This fact is essential because it means there is a chance of having access to all the user's data logged to Garmin Connect. In the request, there is also information related to the client device that initiated the requests, such as the device model, the application's versions, and the currently installed Android version. This information also holds forensic value since it could tell if this request came from the phone we are analyzing or from another on which the user might be logged in.

4.6. Shared preferences

The Shared Preferences directory contains 48 files in XML format. However, a large part of these files contains no data or does not have any forensic value. One of the most critical files is gcm_user_preferences.xml as it holds data related to the user account logged in to the application, such as email, gender, account ID, device ID, height and weight.

com.facebook.AccessTokenManager.SharedPreferences.xml Users have the ability to link Garmin Connect with the social media platform Facebook. From the application, it is possible to share activities to the user's Facebook feed. It also allows one to discover Facebook friends with a Garmin account. The Shared Preferences contains various files related to this communication. One of the most relevant files is called com.facebook.AccessTokenManager.SharedPreferences.xml. This file contains cache data related to the user profile: user ID, name, and access token. Searching in the Facebook API, we discovered a cURL call that accepts this token and the user id as a query parameter and responds with the data related to the user account connected to this token, as shown in Listing 3.

    curl --location --request GET 'https://graph.facebook.com/2350304655138824?metadata=1&access_token=EA...(a total of 250 characters)'

Listing 3: Content of app.log file.

The data that can be retrieved is contingent upon the permissions granted by Facebook to the application. For the Garmin Connect app, we were able to retrieve: the user ID, user name, profile picture, number of friends, Garmin Connect app id, and the permissions given to Garmin.

5. Garmin Connect for Android Analyzer

We developed a group of modules for the forensic framework ALEAPP to automate the Android Garmin Connect data analysis. We called this set of modules Garmin Connect for Android Analyzer (GC4AA). We also developed various new functionalities for the ALEAPP framework to augment the reports generated, present the data more interactively, or ease the report's analysis by adding improvements to existing features. In subsection 5.3, we will detail all the new features added to ALEAPP.

5.1. ALEAPP

Since ALEAPP is an open-source project, the creator incentivizes contributions such as creating modules for applications that still need to be added or creating new features for existing ones. When we started developing our modules for Garmin Connect, there were still no modules for Garmin Connect. ALEAPP is modular and was developed so that new developers could create modules or new features for ALEAPP and seamlessly integrate them. We are motivated to develop these modules for ALEAPP and not create a standalone tool such as was done by Domingues et al. (2023) because of the current popularity growth in ALEAPP from users and developers creating modules for it. Improving ALEAPP by adding a popular application such as Garmin Connect and bringing it to more analysts instead of publishing a standalone tool makes sense.

We created 16 different modules to extract the information from the data source. We also developed 5 new features for the reports generated by ALEAPP. We made a pull request with all our code, which is already merged into ALEAPP's main repository. Our modules were made officially part of the new version 3.1.8 of ALEAPP.

5.2. Post Mortem modules

The post-mortem modules were developed by leveraging the inherent functionality of ALEAPP, which involves parsing data within Android application directories to locate artifacts and generate comprehensive reports. Using the data collected from the post-mortem analysis, our modules will parse the files listed in Table 9 to retrieve the corresponding artifacts.

Table 9
Parsed artifacts.

| Artifact | File |
|---|---|
| Activities | cache-database, gcm_cache.db |
| Activity Charts | cache-database |
| Daily Summaries | cache-database |
| GPS Data | cache-database |
| Response Cache | cache-database |
| Sleep Data | cache-database |
| SpO2 Data | cache-database |
| Weight Data | cache-database |
| User Data | gcm_user_preferences.xml, gcm_cache.db |
| Log Data | app.log |
| Facebook | com.Facebook.internal.preferences |
| Firebase | PersistedIntallation.xml |
| Notification | notification-database |
| Synchronization Cache | sync_cache.db |

GPS data Due to the application's storage of polyline strings rather than coordinates, we have devised a methodology, elucidated in subsection 4.4, for converting the polyline into GPS coordinates. The resulting data will be presented in the format depicted in Fig. 9. Analysts can modify the displayed route on the map by clicking the Show Map button associated with a specific record. Additionally, analysts can download a KML file containing the coordinates, which can be opened with Google Earth. Like ADB Extractor, users can also download an XLSX file containing coordinates and supplementary information obtained using the geopy library. This library needs an Internet connection to receive the additional data. Analysts who do not wish to connect to the Internet can still execute our module because ALEAPP will abstain from generating the file without a network connection.

Facebook data The Facebook module was created using the knowledge gained during the post-mortem analysis. This module can retrieve information from Facebook's Graph API using Python's http.client and the token stored in com.facebook.sdk.USER_SETTINGS.xml. Since the user may not want to connect to the Internet, we added a warning in the ALEAPP GUI module to notify the user that it will obtain data from an HTTP request.


Fig. 9. Extract of GPS Report Module.

Fig. 10. Heatmap created for ALEAPP.

5.3. New features

ALEAPP, a powerful forensic tool, has been further enhanced during our development process to incorporate specific ideas for report presentation. We strongly believe that augmenting the tool with various visual functionalities would greatly improve its overall capabilities. Leveraging the modular nature of ALEAPP facilitated the rapid implementation of these features. The following functionalities have been integrated into ALEAPP: i) Heatmaps (see Fig. 10), ii) Date Filtering, iii) GPS Maps (see Fig. 8), iv) Data Charts (see Fig. 12), and v) Formatted code blocks with syntax highlighting (see Fig. 11).

5.4. Autopsy

The decision to develop our modules for ALEAPP was not arbitrary. Our primary objective was to create a tool that could be utilized independently or seamlessly integrated into the Autopsy forensic platform (Barr-Smith et al., 2021). Autopsy, being Java-based, requires its extension modules to be written either in Java or in Jython, a Python interpreter that runs within the Java Virtual Machine.

ALEAPP fulfils both of these requirements. It is already integrated into Autopsy, ensuring that new versions of Autopsy are equipped with the latest version of ALEAPP. Therefore, modules that are part of ALEAPP are automatically integrated into new Autopsy releases without requiring additional developer intervention. Since our modules have been accepted and merged into ALEAPP 3.1.8, they will be readily available as soon as Autopsy is updated with ALEAPP's latest version.

6. Conclusion

From a digital forensic perspective, we analyzed the Garmin Connect application for Android in conjunction with the Garmin Vivosmart 4 device. This investigation focused on extracting and analyzing a substantial amount of data, including heart rate, SpO2, sleep duration, step


Fig. 11. Code Blocks created for ALEAPP.

Fig. 12. Heart Rate Data Chart.


count, and workout information. Initially, our examination involved the extraction and analysis of data in a post-mortem scenario. We discovered that the application stores recent data in SQLite 3 databases, while persistent user data is stored in XML files located within the application's private directory. Throughout this process, we successfully extracted valuable forensic artifacts such as Activities, Health Data, GPS coordinates, and Phone Notifications.

In Section 2 we highlighted the immense value of accessing and analyzing data from wrist-wearable health trackers, as they can hold crucial evidence to identify perpetrators or establish someone's innocence. However, it is important to note that the databases contained minimal data since the application primarily relies on using API calls to fetch information.

For this analysis, we developed two Python tools: ADB Extractor and Polyline2GPS. ADB Extractor is a versatile tool that automates the data extraction process from a device using ADB (Android Debug Bridge). It can be executed through the command line or a GUI interface, making it compatible with various operating systems. Polyline2GPS, on the other hand, is a script designed to decode a Google Polyline into a set of coordinates. It then utilizes Open Street Map18 to draw the corresponding route in an HTML file. Additionally, it provides the option to create a KML file, which can be opened on Google Earth. Furthermore, Polyline2GPS generates an XLSX file that stores the extracted coordinates, along with additional information such as road details, postcodes, city, and country.

In conclusion, our efforts were dedicated to enhancing the efficiency of digital forensic investigations involving the Garmin Connect application. To achieve this, we meticulously crafted a collection of modules within the ALEAPP framework. These modules were specifically tailored to parse Garmin files and generate comprehensive case reports, equipping forensic analysts with valuable insights for further analysis and processing. Our contributions encompass modules for post-mortem data analysis. Furthermore, we expanded the capabilities of ALEAPP reporting by introducing additional features such as heat maps, GPS maps, and data charts. By incorporating these enhancements, we have enriched the functionality of the ALEAPP tool. As a result, our features and modules have been integrated into the latest version, ALEAPP 3.1.8.

In future work we plan to conduct a comprehensive dynamic analysis of the application. This analysis entails utilizing a range of tools and scripts to evaluate the application's network communication, resilience and cloud ecosystem. Additionally, we intend to enhance our ALEAPP modules by incorporating data from other Garmin Wearables, such as blood pressure devices. Furthermore, we will investigate the iOS version of Garmin Connect and modify our modules to align with the Python framework, ILEAPP. Lastly, we plan to explore the interaction between the Garmin smartband and the Apple Health database within the Apple iOS ecosystem (Jennings et al., 2023).

Acknowledgements

CIIC partially supported this research under the UIDB 04524/2020 project by FCT/MCTES and EU funds under the UIDB/EEA 50008/2020 project.

Brignoni, A., 2023. abrignoni/aleapp: Android logs events and protobuf parser. https://github.com/abrignoni/ALEAPP. 2023-05-29.
Byambasuren, O., Beller, E., Glasziou, P., 2019. Current knowledge and adoption of mobile health apps among australian general practitioners: survey study. JMIR mHealth uHealth 7. https://doi.org/10.2196/13199. https://mhealth.jmir.org/2019/6/e13199.
Dawson, L., Akinbi, A., 2021. Challenges and opportunities for wearable IoT forensics: Tomtom Spark 3 as a case study. Forens. Sci. Int., Rep. 3. https://doi.org/10.1016/J.FSIR.2021.100198.
Delija, D., Sudec, D., Sirovatka, G., Zagar, M., 2022. How to do a forensic analysis of android 11 artifacts. In: 2022 45th Jubilee International Convention on Information, Communication and Electronic Technology, MIPRO 2022 - Proceedings, pp. 1042–1047.
Domingues, P., Francisco, J., Frade, M., 2023. Post-mortem digital forensics analysis of the Zepp Life android application. Forens. Sci. Int. Digital Invest. 45, 301555. https://doi.org/10.1016/J.FSIDI.2023.301555.
Ganjoo, S., 2019. GPS data from Garmin smartwatch helps police catch a man convicted of two murders. https://www.indiatoday.in/technology/news/story/how-a-garmin-smartwatch-helped-police-catch-a-man-convicted-of-two-murders-1435570-2019-01-21. 2023-02-25.
Hassenfeldt, C., Baig, S., Baggili, I., Zhang, X., 2019. Map my murder! a digital forensic study of mobile health and fitness applications. ACM Int. Conf. Proc. Ser. https://doi.org/10.1145/3339252.3340515.
Hutchinson, S., Mirza, M.M., West, N., Karabiyik, U., Rogers, M.K., Mukherjee, T., Aggarwal, S., Chung, H., Pettus-Davis, C., 2022. Investigating wearable fitness applications: data privacy and digital forensics analysis on android. Appl. Sci. 12, 9747. https://doi.org/10.3390/APP12199747. https://www.mdpi.com/2076-3417/12/19/9747/htm https://www.mdpi.com/2076-3417/12/19/9747.
Jennings, L., Sorell, M., Espinosa, H.G., 2023. Interpreting the location data extracted from the Apple Health database. Forens. Sci. Int. Digital Invest. 44, 301504. https://doi.org/10.1016/j.fsidi.2023.301504. https://www.sciencedirect.com/science/article/pii/S2666281723000057. selected papers of the Tenth Annual DFRWS EU Conference.
Kang, S., Kim, S., Kim, J., 2020. Forensic analysis for IoT fitness trackers and its application. Peer-to-Peer Netw. Appl. 13, 564–573. https://doi.org/10.1007/S12083-018-0708-3/TABLES/6. https://link.springer.com/article/10.1007/s12083-018-0708-3.
King, C.E., Sarrafzadeh, M., 2018. A survey of smartwatches in remote health monitoring. J. Healthcare Inf. Res. 2, 1–24.
Lovejoy, B., 2022. Smartwatch market size, share| 2022 - 27 | industry report. https://www.mordorintelligence.com/industry-reports/smartwatch-market. 2023-02-26.
Garmin, D., 2023. Fit protocol | FIT sdk | Garmin Developers. https://developer.garmin.com/fit/protocol/. 2023-05-27.
Mirza, M.M., Ozer, A., Karabiyik, U., 2022. Mobile cyber forensic investigations of web3 wallets on android and ios. Appl. Sci. 12, 11180. https://doi.org/10.3390/APP122111180. https://www.mdpi.com/2076-3417/12/21/11180/htm https://www.mdpi.com/2076-3417/12/21/11180.
Neale, C., 2023. Fool me once: a systematic review of techniques to authenticate digital artefacts. Forens. Sci. Int. Digital Invest. 45, 301516.
SQLite Community, 2023. Pragma statements supported by sqlite. https://www.sqlite.org/pragma.html#pragma_auto_vacuum. 2023-06-16.
Tangari, G., Ikram, M., Sentana, I.W.B., Ijaz, K., Kaafar, M.A., Berkovsky, S., 2021. Analyzing security issues of android mobile health and medical applications. J. Am. Med. Inform. Assoc. 28, 2074–2084. https://doi.org/10.1093/JAMIA/OCAB131. https://academic.oup.com/jamia/article/28/10/2074/6335525.
Vasilaras, A., Dosis, D., Kotsis, M., Rizomiliotis, P., 2022. Retrieving deleted records from telegram. Forens. Sci. Int. Digital Invest. 43, 301447. https://doi.org/10.1016/J.FSIDI.2022.301447.
Watts, A., 2017. Police use murdered woman's fitbit movements to charge her husband - cnn. https://edition.cnn.com/2017/04/25/us/fitbit-womans-death-investigation-trnd/index.html. 2022-11-04.
Williams, J., Macdermott, A., Stamp, K., Iqbal, F., 2021. Forensic analysis of fitbit versa: Android vs iOS. In: Proceedings - 2021 IEEE Symposium on Security and Privacy Workshops, SPW 2021, pp. 318–326.
Wood, L., 2022. Worldwide smart band industry to 2027 - featuring fitbit, garmin and jawbone among others - researchandmarkets.com | business wire. https://
www.businesswire.com/news/home/20220516005623/en/Worldwide-Smart-
References Band-Industry-to-2027-–Featuring-Fitbit-Garmin-and-Jawbone-Among-Others-
–ResearchAndMarkets.com. 2023-02-26.
Bang, A.O., Rao, U.P., Bhusari, A.A., 2022. A comprehensive study of security issues Yoon, Y.H., Karabiyik, U., 2020. Forensic analysis of Fitbit versa 2 data on Android.
and research challenges in different layers of service-oriented IoT architecture. Cyber Electronics 9, 1431. https://doi.org/10.3390/ELECTRONICS9091431. https://
Secur. Digital Forens., 1–43. www.mdpi.com/2079-9292/9/9/1431/htmhttps://www.mdpi.com/2079-9292/9/
Barr-Smith, F., Farrant, T., Leonard-Lagarde, B., Rigby, D., Rigby, S., Sibley-Calder, F., 9/1431.
2021. Dead Man’s switch: forensic autopsy of the Nintendo switch. Forens. Sci. Int.
Digital Invest. 36, 301110.

18 https://www.openstreetmap.org/.
