Live Forensics on GPS inactive Smartphone

Google is known to still track the user's location even when the GPS setting and location history in the smartphone settings have been turned off by the user. Proving the location of a smartphone with inactive GPS, and viewing the Location History previously used by the user, therefore requires special handling. This research investigates whether Google is still recording its users' location data. Live forensics requires data from the running system, or volatile data, which is usually found in Random Access Memory (RAM) or in transit on the network. Investigations are carried out on a Google account, using a live forensics method to obtain results from the location history. The smartphone was checked manually through a data backup made with an installed custom recovery. When the backup filesystem was checked, it turned out that no location data was stored. Therefore, the researchers analyzed the Google account using forensic tools for cloud services to obtain location data. The analysis obtained a similarity in location from 8 days of investigation. Google can still find the location of smartphones with GPS disabled, but the location results are not accurate. Google can store user location data via cellular networks, Wi-Fi, and sensors to help estimate the user's location. The Google Maps log is extracted through a Google account and analyzed using Elcomsoft Cloud eXplorer and Oxygen Forensic Cloud Extractor, so that the log location results are still available from Google.


INTRODUCTION
Information technology has developed rapidly, including Android-based smartphone devices that are easy to use and can provide information quickly and efficiently [1]. Among the features of a smartphone are internet service and the Global Positioning System (GPS) [2].
Global Positioning System (GPS) is a navigation system using satellite technology that can receive signals from satellites [3]. With GPS, smartphone users can find out their location coordinates in the form of latitude and longitude data. GPS can calculate information such as speed, direction, path, destination of travel, distance to destination, sunrise and sunset, and others. The signal sent by the satellite to the GPS receiver is used to calculate travel time [4].
Location Based Services (LBS) are internet-based services that perform location searches using Global Positioning System (GPS) technology and Google's cell-based location [5]. Maps and location-based services use latitude and longitude to determine geographic location. Location-based service is a general term used to describe the technology used to locate the devices we use [6].
Google is known to still track the user's location even though the GPS settings and location history in the smartphone settings have been turned off by the user [7]. This finding was previously known to Gunes Acar, a researcher from Princeton University, who found that Google was still watching movements without the user's knowledge. As reported by the Associated Press, smartphone owners can take the following steps to stop Google from 'snooping' on and detecting their movements. First, make sure the smartphone is connected to a Google account. Next, access the site myactivity.google.com via a smartphone browser. For example, geographic and location databases may come from government-owned agencies, or company/business/industry data may come from the Yellow Pages, as well as from other data-providing companies [8].
In the menu options at the top left, select 'Activity Controls', then turn off 'web & app activity' and 'location history'. With these two settings turned off, Google should no longer be able to mark every move and associate it with the account. However, the internet giant from the United States gives a warning that some services cannot work if this setting is disabled [9].
Research conducted by Sack, Kröger and Creutzburg [10] shows that not all navigation data on smartphone devices is stored, even when the device is used for navigation to certain destinations. The method used in that study relies on root privileges to access locked data on a smartphone. The result of the study is the latitude and longitude of the location. However, this research is very difficult because some of the data and information are combined with the smartphone navigation system.
Research by Sukriadi and Prayudi [11] shows that terrorist activities use smartphones to exchange and store information. That research uses acquisition, extraction, conversion, and presentation methods. Its results help investigations related to GPS digital evidence on Android smartphones.
Research conducted by Sansurooah and Keane [12] presents an analysis to identify how GPS and location-based services are used in smartphones and to identify all digital artifacts contained in smartphones. The methods are Manual (rooting), Logical, Physical, and JTAG/Chip-Off. The study used various mobile forensic tools to identify whether geographic location data can be found within the device. Inspection revealed that photos taken with the device's camera left geo-tags in EXIF data, which identify the date, time and location where the photo was taken.
Research by Rindiatmodjo, Megaantara and Pratama [13] shows that users can overcome the loss of smartphones due to user negligence. Losing a cellphone is clearly very undesirable for all users of this versatile item, all the more so if the cellphone is a person's only means of contacting another person when they are not in the same place. The research uses Cell ID and Geocoding methods to track the whereabouts of smartphones. The method works by sending and receiving SMS: a formatted tracking SMS is sent, and the cellphone's coordinate point location is sent back via SMS. The results have a level of accuracy that does not differ much between test 1 and the other tests (tests were carried out 10 times). The time required from sending the tracking SMS to receiving the SMS feedback is in the interval of 30-90 seconds. However, the study still has shortcomings in its level of effectiveness because it still uses SMS technology.
Research conducted by Moore, Baggili and Breitinger [14] examines whether it can be determined from mapping application data that the user has actually traveled to the destination. The method extracts data from the application. The results are that a lot of data related to the user's navigation history, be it address, longitude, latitude, etc., is stored on the user's device. It was also found that in almost all cases, distinguishing whether the user actually traveled to a destination from the mapping application data was not possible.
Research by Çevik [15] considers the case where the suspect tries to alter and delete digital evidence in the form of photographs. The study uses the Convolutional Neural Network (CNN) method to obtain data. The data collection consists of 1582 photos with location information and 268 photos without location information, which were obtained from cellphones and taken between 01.01.2018 and 31.06.2018.
Research conducted by Williams, Yerby and Williams [16] shows that some data is visible to the device owner, some is quickly discarded, and some is hidden from the person using the device. The research aims to reveal security and privacy concerns. In that study, the National Institute of Standards and Technology (NIST) method was used to obtain the data desired by the researchers. The results increase awareness for mobile device users and may lead to more consumer-centric privacy settings in mobile operating systems.
This study is similar to the research conducted by Sukriadi and Prayudi, Sansurooah and Keane, and Moore, Baggili and Breitinger in the method used, namely root. What distinguishes it from that research is the identification process used. The earlier research used root as the process of identifying an image to obtain location geodata, while this study uses root as a tool to extract the Google Maps database to obtain Google Maps location logs.

METHODS
The method used in this research is live forensics, an analysis technique that involves data running on the system, or volatile data, which is generally stored in Random Access Memory (RAM) or in transit on the network.
Live forensics techniques require accuracy and precision, since volatile data can be lost and may be overwritten by other applications. A live forensics method is needed that can guarantee the integrity and authenticity of volatile data without eliminating data that has the potential to become evidence [17].
The data collection methods used to collect data related to the needs, problem formulation, research objectives, and discussion are as follows:

• Observation Technique
Data collection was carried out using observation techniques to determine the ongoing process on Google Activity.

• Experiment and Simulation Techniques
Experimental and simulation techniques were applied by making observations on Google MyActivity to find out the process and output obtained from smartphone user activity.
Following the research conducted by Ellick M. Chan, this study uses the research methodology of the U.S. National Institute of Justice (NIJ), which is depicted in the plot and consists of four stages:
1) Collection is the initial stage, namely conducting a needs analysis to collect the items to be investigated, such as imaging and records, based on accurate data sources.
2) Examination: in this stage, the data that has been collected at the Collection stage is checked.
3) Analysis: in this stage, the results of the examination are analyzed using a predetermined method to find out all the information required.
4) Reporting: in this stage, what has been analyzed is reported and explained, and the evidence that has been found and documented is described in detail.

Case Scenarios
In Figure 2, the victim made a transaction at an ATM and left his smartphone on top of the ATM machine. The perpetrator entered the ATM to make a transaction and saw the victim's smartphone that had been left behind. After making the transaction, the perpetrator immediately took the smartphone and left the ATM location. The victim tried to call the smartphone, but the call was rejected by the perpetrator. The victim then reported it to the police for further processing. The police went to the bank to get information about the thief based on CCTV footage inside the ATM. After learning the identity of the perpetrator, the police immediately went to the perpetrator's residence, made an arrest, and obtained evidence in the form of an Android smartphone and a packet of shabu-shabu. The smartphone evidence is submitted to investigators for analysis and will later be used as evidence in the trial process. The investigator analyzes the evidence on the suspect's smartphone and Google account, and the results of the analysis can later be presented as a report that serves as a reference for evidence.

RESULTS AND DISCUSSION

Collection
This is the initial stage of searching for, collecting, and documenting evidence. In this study, the sample of evidence to be analyzed is a smartphone that, in the scenario, is evidence in a crime case. The smartphone used is active and does not have password protection. At this stage, the smartphone is documented, as seen in Table 1. Table 1 gives the evidence information in the form of brand, series, model, IMEI, and version of the smartphone's operating system. In addition to study and documentation, the analysis process and the tools used for it are prepared and planned at this stage. According to [19], root is a process to get full rights on an Android device. Root allows users to bypass restrictions set by carriers, operating systems, and hardware manufacturers. With full control of the device, users can remove bloatware, enjoy added functionality from special apps that require root privileges, or run paid apps for free. According to [20], unroot is the process of returning a rooted smartphone to its original state.

Examination
The three backup results, namely ADB backup, TWRP data backup, and TWRP system backup, can be compared to find out which backup process is more effective to use. The comparison of the three backup results can be seen in Table 2. Based on Table 2, there are differences in the amount of data obtained during the backup process from ADB backup, data backup, and system backup. The data files from the system backup contain more data and are more complete than the others.

Analysis
At this stage, the researchers conducted a study related to the smartphone robbery and the digital evidence obtained. After the evidence is acquired, the researcher extracts and analyzes the detailed information in it. The analysis process is carried out in 2 stages, namely the manual and automatic stages. The automatic forensic tools ask for a login with Google account authentication. After logging in, the tool lists the available categories, and the categories to be analyzed are selected. The difficulty in the analysis process comes after the categories are selected: it takes a long time to get the extraction results.

1) Oxygen Forensic
In the extraction and analysis of the smartphone device evidence through Oxygen Forensics, the evidence file is a database containing coordinate and location information, which is very important for further processing. The database holds 44 combined data entries containing locations, as can be seen in Figure 3. In Figure 3, the combined data contains the contents of the Data Table in the form of _key_pri, _key_sec, and _data. If one of the combined data entries is opened, it displays hex data and the location in an abstract and unstructured manner. From the data obtained, there is no link to view the location or route of travel; the only data available is the full address of the location. The locations stored in this database are the results of searching for a location that the user wants to go to.

2) Elcomsoft Cloud eXplorer
At this stage, evidence about the location history is obtained from Google's My Activity during the analysis process. The evidence obtained is digital evidence in the form of a history of the Timeline location, which contains the Timestamp, Description, and location coordinates. The results of the location history can be seen in Figure 4. The Elcomsoft Cloud eXplorer tool has a Show track feature to display all the location points obtained, as can be seen in Figure 5. Figure 5 displays all the coordinates that can be seen by the tool. In addition to displaying all location points. The figure can only display the coordinates; it cannot display the route or line from location A to location B because the tool used is still a trial version.

3) Oxygen Forensic Cloud Extractor
The location history results from the Oxygen Forensic Cloud Extractor tool show digital evidence in the form of location coordinates, with route data of 19 and 167 coordinate points. In addition, the Oxygen Forensic Cloud Extractor tool also displays diagram data of the location dates. The location results can be seen in Figure 6. The location history result shows many saved travel coordinate points and routes. Apart from showing the location points, the Oxygen Forensic Cloud Extractor tool obtains trips from the account, which can be seen in Figure 7.

Reporting
At the reporting stage, a detailed discussion and presentation is given based on the results obtained through the examination and analysis process. After analyzing the evidence in the form of 1 smartphone, evidence of the location's history was found. From these findings it can be ignored using a mobile forensic process with the live forensic method on the Android platform where digital evidence related to evidence has been successfully obtained. In the next stage, the researchers compared accounts using the Elcomsoft Cloud eXplorer tool to obtain more accurate data. The comparative data can be seen in Table 4. The comparison shows differences in the locations obtained at almost the same time. On November 3, 2020 from 10:54:01 to 11:32:24 the location on the account under study is not known to be in the Indomart Minimarket, while the comparison account at 11:28:26 to 11:34:32 is unknown at Gobyos Geprek Chicken. The comparison account's location is the actual location; from the comparison results it can be denied that the GPS location that is turned off is less accurate. The comparison of the two accounts can be seen in Table 5. Table 5 shows the difference in the number of routes obtained from the tool. According to the table, the first account stores 3 route data on October 31st, 2020, while the second account stores 4 route data. In the next stage, the researchers compared the two accounts using the Oxygen Forensic Cloud Extractor tool to obtain more accurate data. The comparison data can be seen in Table 6. In the first account, on 3 November 2020, with Location History activated and GPS disabled, the tool obtains location data 4, point 36, and route 3.
In the second account, with Location History activated and GPS active, the tool obtains location data 7, point 27, and route 6. In addition to the table above, there is a comparison of the location coordinates and other information which can be seen in Table 7. are the points of longitude. Besides displaying the coordinates, it also refers to the location pointer point and a photo of that location. In the comparison account, with a different start time of 03.11.2020 11:08:26 and a different end time of 11:34:32, the location is Gobyos Geprek Chicken, with the coordinates latitude -7.8191670 and longitude 110.4011110. From the location data obtained, the researchers computed the proportion of the data that had been filtered from November 3, 2020 to November 10, 2020 to see the level of accuracy of the data, which can be seen in Table 8.
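The following is an added example, not code from the paper or from the tools it uses, of one way a per-day location similarity between the GPS-disabled account and the comparison account could be computed from exported timeline rows. The matching rule (a fix counts as similar when the GPS-disabled account has a fix within 150 m and 15 minutes of the comparison account's fix), the function names, and all sample rows except the first coordinate pair are assumptions; the paper does not state how its percentages were derived.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS-84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371000 * asin(sqrt(a))

def parse(rows):
    """(timestamp, lat, lon) rows -> (datetime, float, float) tuples."""
    return [(datetime.strptime(t, "%d.%m.%Y %H:%M:%S"), float(la), float(lo))
            for t, la, lo in rows]

def nearest_offset_m(ref_point, subject, max_dt_s):
    """Smallest distance from a reference fix to any subject fix recorded within
    max_dt_s seconds of it; None if the subject has no fix in that window."""
    r_ts, r_lat, r_lon = ref_point
    near = [haversine_m(s_lat, s_lon, r_lat, r_lon)
            for s_ts, s_lat, s_lon in subject
            if abs((s_ts - r_ts).total_seconds()) <= max_dt_s]
    return min(near) if near else None

def daily_similarity(subject, reference, max_m=150.0, max_dt_s=900):
    """Per day, the percentage of reference fixes that the subject account also
    recorded within max_m metres (both thresholds are assumptions)."""
    hits, totals = defaultdict(int), defaultdict(int)
    for ref_point in reference:
        day = ref_point[0].date().isoformat()
        totals[day] += 1
        offset = nearest_offset_m(ref_point, subject, max_dt_s)
        if offset is not None and offset <= max_m:
            hits[day] += 1
    return {d: round(100.0 * hits[d] / totals[d], 1) for d in sorted(totals)}

# Constructed sample rows, not the paper's data. Only the first coordinate
# pair appears on the page; every other value is made up for illustration.
REFERENCE_GPS_ON = [
    ("03.11.2020 11:08:26", -7.8191670, 110.4011110),
    ("03.11.2020 11:34:32", -7.8191670, 110.4011110),
    ("03.11.2020 13:05:00", -7.8010000, 110.3900000),
    ("03.11.2020 15:40:00", -7.7830000, 110.3670000),
    ("04.11.2020 09:00:00", -7.7950000, 110.3650000),
    ("04.11.2020 09:45:00", -7.7970000, 110.3700000),
]
SUBJECT_GPS_OFF = [
    ("03.11.2020 11:10:02", -7.8195000, 110.4013000),  # close to the reference
    ("03.11.2020 11:32:24", -7.8240000, 110.4080000),  # network-based fix, far off
    ("03.11.2020 13:07:10", -7.8012000, 110.3902000),
    ("04.11.2020 09:03:00", -7.7951000, 110.3651000),
    ("04.11.2020 09:44:00", -7.7971000, 110.3699000),
]

if __name__ == "__main__":
    subject, reference = parse(SUBJECT_GPS_OFF), parse(REFERENCE_GPS_ON)
    for day, pct in daily_similarity(subject, reference).items():
        print(day, f"{pct}%")
```

Reference fixes with no GPS-disabled fix in the time window count as not similar, so gaps in the recorded history lower the percentage as well as inaccurate fixes do.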

CONCLUSION
The analysis obtained a similarity in location for 8 days in a row: Nov 3rd, 2020 obtained 57.1%, Nov 4th, 2020 obtained 42.9%, Nov 5th, 2020 obtained 50%, Nov 6th, 2020 obtained 0%, Nov 7th, 2020 obtained 62.5%, Nov 8th, 2020 obtained 100%, Nov 9th, 2020 obtained 100%, and Nov 10th, 2020 obtained 37.5%. Google can still find the location of smartphones with GPS disabled, but the location results are not accurate. As a result, the locations of transactions by perpetrators of drug sales can be known. Google can store smartphone user location data via cellular networks, Wi-Fi, and sensors to help estimate the user's location. The Google Maps log is extracted through a Google account and analyzed using the Elcomsoft Cloud eXplorer and Oxygen Forensic Cloud Extractor tools, so that the log location results are still used by Google.