Monday, 10 November 2008

Goodmans GNAV12 sat nav device

This device runs Destinator software within a Windows 4.2 CE OS and is similar to the Medion MDPNA150 I looked at earlier. It has an external SD card slot, which was not populated on the one I looked at. It also has internal flash memory.

I accessed the device via Mobile Device Centre in Vista and copied off the contents of the ResidentFlash volume. At the path DestinatorApps\Destinator\UK_Ireland I found Previous.dat. This file contains Recent Locations, which are locations that the user chose to navigate to.

I have deconstructed the records found within Previous.dat.

[Image: Key]

[Image: Example Records]

Each record contains two sets of longitude and latitude co-ordinates stored one after the other. I speculate that one set is actual and the other set is nearest road. In my sample they were either very similar or the same. Each longitude or latitude value is stored as a double, which requires 8 bytes; therefore 32 bytes are required to store both sets. The two sets are followed by a further 16 bytes of data (use unknown), which completes the record.

To locate these co-ordinates I found it easier to count back from the start of the following record. The other problem to overcome is how to convert the doubles to a decimal value. EnCase does not have an easy way to do this. The data interpreter in WinHex can do this. The hex editor 0xED on a Mac can also do this but rounds up to fewer decimal places than WinHex.

I can supply on request an EnScript (written by my friend Oliver Smith over at Cy4or) that will parse out these records.
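
The following Python is an added example, not code from the original post and not the EnScript mentioned above. It counts back 48 bytes from the start of the following record and decodes the four doubles, flagging values that are not valid co-ordinates. Little-endian byte order, longitude-before-latitude ordering and all function names are assumptions, and the sample bytes are constructed.

```python
import math
import struct

COORD_BYTES = 32      # four 8-byte doubles (two longitude/latitude pairs)
TRAILER_BYTES = 16    # trailing data, use unknown
TAIL_BYTES = COORD_BYTES + TRAILER_BYTES


def is_plausible(lon: float, lat: float) -> bool:
    """Reject NaN/inf and out-of-range values, which signal a wrong offset."""
    return (math.isfinite(lon) and math.isfinite(lat)
            and -180.0 <= lon <= 180.0 and -90.0 <= lat <= 90.0)


def decode_tail(data: bytes, next_record_offset: int) -> dict:
    """Decode the 48-byte tail that ends where the following record starts."""
    start = next_record_offset - TAIL_BYTES
    if start < 0 or next_record_offset > len(data):
        raise ValueError("offset leaves no room for a 48-byte record tail")
    # Assumption: little-endian IEEE 754 doubles, longitude before latitude.
    lon1, lat1, lon2, lat2 = struct.unpack_from("<4d", data, start)
    trailer = data[start + COORD_BYTES:next_record_offset]
    pairs = ((lon1, lat1), (lon2, lat2))
    return {
        "offset": start,                      # where the first double begins
        "set1": pairs[0],
        "set2": pairs[1],
        "trailer_hex": trailer.hex(),         # kept raw, meaning unknown
        "plausible": all(is_plausible(lon, lat) for lon, lat in pairs),
    }


def build_sample() -> tuple:
    """Constructed test data, not bytes from a real Previous.dat."""
    head = b"CONSTRUCTED-RECORD-HEAD\x00"     # stand-in for the leading fields
    coords = struct.pack("<4d", -0.127758, 51.507351, -0.127800, 51.507400)
    trailer = bytes(range(16))
    record = head + coords + trailer
    # Return the buffer and the offset at which the following record starts.
    return record + b"NEXT", len(record)


if __name__ == "__main__":
    sample, next_offset = build_sample()
    print(decode_tail(sample, next_offset))
```

A result with `plausible` set to false usually means the supplied offset is not a true record boundary, so the decoded values should not be reported as locations.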

HP QuickPlay version 2.3

An HP media centre laptop came through our lab recently. Its main OS was XP Media Center edition. However, it appeared to have another XP OS installed on a separate 1GB partition. This was a case where the suspect was suspected of hiding stuff and regularly re-installing his OS to cover his tracks, so this second OS was of interest.

EnCase listed three partitions

Mounting the drive PDE and looking at the disk in Disk Management showed

The Windows Initialise case module reported the following for the OS on the 1GB partition

The 1GB partition has a Partition Type of D7

A quick Google search began to throw some light on the matter. It seems that the laptop has HP QuickPlay 2.3 installed. This technology allows users to access multimedia disks without booting into the main operating system. The version of XP on the partition with partition type D7 is XP Embedded. This OS facilitates the QuickPlay function. Later versions of HP QuickPlay do not use this method.

It seems that a number of other manufacturers use the D7 partition type for similar purposes.