Forensics Beyond the Hard Drive: Kindle 2 Logging

Platform: Kindle 2

Artifact Type: Log

Information Type: GPS Location

Caveats: Debug mode and 611 logging must be on.

Usefulness: Very Limited

I was interested in what information was available via a Kindle 2 to assist in investigations.  In poking around to see what work others have done I found two sites that were really in depth and had great information:

Kindle Hacking: http://kindle2hacks.com/

Igorsk Blogspot: http://igorsk.blogspot.com/

These two sites do a great job dissecting the Kindle and Kindle 2.

Because inquiring minds want to know, I did a cursory review via FTK and Encase of a brand new Kindle 2, and did not find a whole lot that was very interesting.  Based on my reading of the two blogs above, it seems the more useful bits occur once you have access to the actual filesystem.

One item caught my attention: the “611 Log”.  Upon activating debug mode and turning on this log, one thing immediately stood out:  Latitude and Longitude information.

It is important to say that this log is going to be limited in an actual investigation, but it is worthy of note just the same.

The primary items that limit its usefulness are:

  • It is not on by default
  • It only logs GPS coordinates when the Kindle 2 is actually turned on (screensaver is not “On” for our purposes)
  • The readings are from cell towers, and not actual queries to GPS satellites, so the information is definitely not as accurate.

*** Important Note:  I am not forcing you to do stuff to your Kindle 2, if you do and mess your device up you have no one to blame but yourself.  These steps worked great for me, you take the life of your Kindle 2 in your own hands if you decide to play along. ***

Now that I have doused you with cold water, here is how you actually turn the logging on:

Follow the excellently written directions found on the Kindle2 hacking blog here. Look for the “Enable Debug Mode” section.  Do not continue on through the USB networking section… unless you just want to!

Next, type:   ‘help

That is a single hash, found near the “}” under the Sym menu, followed by the word help.  All of your commands from here on out will be prefaced with that character.  You should see an informational pop-up that looks like this.  Take a moment to enjoy some of the possibilities of what you are seeing.

Next, close the pop-up and type the following: ‘log611

There will be a short hesitation, a screen blink and that is it.  When you plug your Kindle 2 into the USB cable and attach to your system you will find a folder called “611” and a log that is formatted: YYYY.MM.DD.HH  (Hour in military time).  Open that log and peruse to the “1xRTT” section.  In this section you will find “Latitude” and “Longitude”.  These are the coordinates supplied by the cell tower.

If you turn off the Kindle 2 (ie. hit the slide button so the screensaver comes on) and travel, this log will not add information until you hit the slide again and it has a chance to hop back on the network.

To turn off the logging:  Go to “Menu”> “Settings”.  Then hit “Menu”>Restart.

3 Responses to Forensics Beyond the Hard Drive: Kindle 2 Logging

  1. For some reason, when I activate the debug on my Kindle 2 and type in `help, the help window pops up but it doesn’t give me as many personal commands as you showed me. For example, help doesn’t tell me about the `einkAdjustments command. All I see is this (http://youngprofessor.wordpress.com/2010/06/07/k2dm/screen_shot-41986/) screen shot. Could my software version be different than yours? My software version is 2.3.3 (431100003). Also, when I enter some of the commands (such as `log611), a window pops up saying “log611 is now deprecated”. How do I fix this?

  2. inforensics says:

    LP: I will have to check this out.

    Based on the deprecated message I am guessing that there has been an update that has changed some of the available features.

    I will post what I find.

  3. Just so you know, I just made a screen-shot of the “command is now deprecated” window.

    http://youngprofessor.wordpress.com/2010/06/07/k2dm/command-is-now-deprecated/

    Do you know if there is any way to download previous software versions?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: