Forensics Beyond the Hard Drive: Kindle 2 Logging

June 26, 2009

Platform: Kindle 2

Artifact Type: Log

Information Type: GPS Location

Caveats: Debug mode and 611 logging must be on.

Usefulness: Very Limited

I was interested in what information was available via a Kindle 2 to assist in investigations.  In poking around to see what work others have done I found two sites that were really in depth and had great information:

Kindle Hacking: http://kindle2hacks.com/

Igorsk Blogspot: http://igorsk.blogspot.com/

These two sites do a great job dissecting the Kindle and Kindle 2.

Because inquiring minds want to know, I did a cursory review via FTK and Encase of a brand new Kindle 2, and did not find a whole lot that was very interesting.  Based on my reading of the two blogs above, it seems the more useful bits occur once you have access to the actual filesystem.

One item caught my attention: the “611 Log”.  Upon activating debug mode and turning on this log, one thing immediately stood out:  Latitude and Longitude information.

It is important to say that this log is going to be limited in an actual investigation, but it is worthy of note just the same.

The primary items that limit its usefulness are:

  • It is not on by default
  • It only logs GPS coordinates when the Kindle 2 is actually turned on (screensaver is not “On” for our purposes)
  • The readings are from cell towers, and not actual queries to GPS satellites, so the information is definitely not as accurate.

*** Important Note:  I am not forcing you to do stuff to your Kindle 2, if you do and mess your device up you have no one to blame but yourself.  These steps worked great for me, you take the life of your Kindle 2 in your own hands if you decide to play along. ***

Now that I have doused you with cold water, here is how you actually turn the logging on:

Follow the excellently written directions found on the Kindle2 hacking blog here. Look for the “Enable Debug Mode” section.  Do not continue on through the USB networking section… unless you just want to!

Next, type:   ‘help

That is a single hash, found near the “}” under the Sym menu, followed by the word help.  All of your commands from here on out will be prefaced with that character.  You should see an informational pop-up that looks like this.  Take a moment to enjoy some of the possibilities of what you are seeing.

Next, close the pop-up and type the following: ‘log611

There will be a short hesitation, a screen blink and that is it.  When you plug your Kindle 2 into the USB cable and attach to your system you will find a folder called “611” and a log that is formatted: YYYY.MM.DD.HH  (Hour in military time).  Open that log and peruse to the “1xRTT” section.  In this section you will find “Latitude” and “Longitude”.  These are the coordinates supplied by the cell tower.

If you turn off the Kindle 2 (ie. hit the slide button so the screensaver comes on) and travel, this log will not add information until you hit the slide again and it has a chance to hop back on the network.

To turn off the logging:  Go to “Menu”> “Settings”.  Then hit “Menu”>Restart.

3 Comments | Forensics Beyond the Hard Drive | Permalink
Posted by inforensics