Forensic researcher publishes guide for grabbing digital evidence off Google Glass

If you haven’t yet bumped into a person wearing Google Glass, that day is coming. Sadly we can’t jam Glassholes, Glass Explorers who ignore social etiquette. Google eventually came out with a list of dos and don’ts, such as “Don’t be creepy or rude (aka a ‘Glasshole’).” Still, Glassholes exist so it’s inevitable that the day is coming when forensic examiners will pull digital evidence off Google Glass that will prove innocence or guilt. Julie Desautels, a digital forensics student at Champlain College, has been researching Google Glass forensics since August 2013. Desautels has now published “A Forensic Examiner's Guide to Google Glass.”

Forensic examiners can pull digital evidence from Google Glass

There was no advice on Google’s list for Glass Explorers about not operating Glass while driving. Perhaps it was overlooked, or perhaps Google thinks it is fine, even though there’s already been a case when a woman was ticketed for speeding and for wearing Glass while driving. At the start of 2014, Cecilia Abadie's attorney argued there was nothing illegal about driving while wearing Glass when it's turned off; a California judge dismissed the charges because there was not enough evidence to prove Glass was switched on and in use while Abadie was driving.

That reason won’t fly anymore as the computer forensic blog Hacking Exposed pointed out when hearing about Desautels' research "to make the case that a driver was or was not operating the Glass device at the time she was pulled over." Google Glass “event logs and battery level can indicate if Glass was on or off at a particular time” and Desautels also showed that the battery levels can prove if a user was operating Google Glass at a specific time.

Google Glass, all fun and games until forensic evidence gets some Glasshole busted

Google provides the details for rooting Glass and other development instructions, but Champlain College shows the difference between a rooted and un-rooted pair of Glass imaged with Cellebrite and with “Shattered Script.” In case you don't know about Cellebrite, it's a cellular forensic tool that can suck all the data out of mobile devices in about one-and-a-half minutes. In the past, when an Android phone was locked and its contents couldn’t be downloaded to Cellebrite without unlocking it first, law enforcement had Google reset and provide the password.

A Forensic Examiner's Guide to Google Glass by Julie Desautels

Desautels took the digital forensics even further, showing how to access a Glass Explorer’s voice commands. That might not seem like a big deal, but Google stores audio clips of the user giving the voice commands; Desautels said that “background talking and/or noise” can also clearly be heard on those clips. If the command was “Ok Glass, take a picture,” then there is audio of that command as well as a photo with Exif data time-stamped into it. If the photo was deleted, the audio remains.

For Google searches via Glass, Desautels found where in the timeline searches are time-stamped, where to find cookies and web search history. In fact she wrote, “From this research, I realize there are multiple timestamps that can be found for a particular term the user searched by saying, ‘Ok Glass, Google’."

So what other digital evidence in addition to voice commands and searches can forensically be extracted?  According to A Forensic Examiner’s Guide to Google Glass:

It can be determined if Google Glass is on or off, and if it was being used while it was on.

If Explorers utter, “Ok Glass, take a picture,” then there is evidence of that picture. Traces and photo artifacts remain… even if it has been deleted.

“Ok Glass, record a video,” also records more digital evidence. For example, the thumbnail remains even if the video is deleted.  

There’s audio evidence of “Ok Glass, get directions to” but then it cuts off as Glass reaches out “to the phone for Bluetooth data to get directions.” Nevertheless, forensic examiners can find those directions in the Glass timeline, analyze GPS locations and even “play back the requested directions.”

Forensic evidence from Glass could one day make or break a case. And in the same way texts, calls and online chats are used in ugly divorces and child custody cases, the day may come when everything a Glasshole has done in secret could come back and bite him or her.

Computerworld's IT Salary Survey 2017 results
Shop Tech Products at Amazon