{"id":1344,"date":"2017-02-06T11:57:44","date_gmt":"2017-02-06T11:57:44","guid":{"rendered":"https:\/\/www.phillips321.co.uk\/?p=1344"},"modified":"2017-02-06T11:57:44","modified_gmt":"2017-02-06T11:57:44","slug":"recovering-an-activity-from-a-garmin-920-xt-forerunner","status":"publish","type":"post","link":"https:\/\/www.phillips321.co.uk\/2017\/02\/06\/recovering-an-activity-from-a-garmin-920-xt-forerunner\/","title":{"rendered":"Recovering an activity from a Garmin 920 XT Forerunner"},"content":{"rendered":"

So a friend of mine recently competed in a 10mile race (supposedly) and he thinks he tracked the “ACTIVITY” on his watch but after the race deleted it by mistake.
\n\"\"<\/a><\/p>\n

He brought the watch immediately over to me to see if there was anything I could do. Well the watch seems to be pretty nifty and has built in GPS, bluetooth and some other bells and whistles.<\/p>\n

\"\"<\/a><\/p>\n

The watch comes with a charging dock which i noticed had 4 pins so must have had USB data lines as well las the power. As such I connected the device, mounted it read only, and then cloned the disk and made a working backup:<\/p>\n

1
2
<\/div><\/td>
sudo<\/span> dd<\/span> if<\/span>=\/<\/span>dev\/<\/span>rdisk3 of<\/span>=backup.dump
\ncp<\/span> backup.dump working.dump<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

The next thing I ran was foremost against the file system to see if it could find anything interesting:<\/p>\n

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
<\/div><\/td>
root@<\/span>KaliMJP:\/<\/span>mnt\/<\/span>hgfs\/<\/span>temp# foremost -v -i working.dump <\/span>
\nForemost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
\nAudit File
\n
\nForemost started at Mon Feb  6<\/span> 09:16<\/span>:41<\/span> 2017<\/span>
\nInvocation: foremost -v<\/span> -i<\/span> working.dump
\nOutput directory: \/<\/span>mnt\/<\/span>hgfs\/<\/span>temp\/<\/span>output
\nConfiguration file: \/<\/span>etc\/<\/span>foremost.conf
\nProcessing: working.dump
\n|<\/span>------------------------------------------------------------------
\nFile: working.dump
\nStart: Mon Feb  6<\/span> 09:16<\/span>:41<\/span> 2017<\/span>
\nLength: 10<\/span> MB (<\/span>11508224<\/span> bytes)<\/span>
\n 
\nNum  Name (<\/span>bs<\/span>=512<\/span>)<\/span>         Size  File Offset     Comment
\n
\n*|<\/span>
\nFinish: Mon Feb  6<\/span> 09:16<\/span>:41<\/span> 2017<\/span>
\n
\n0<\/span> FILES EXTRACTED
\n   
\n------------------------------------------------------------------<\/span>
\n
\nForemost finished at Mon Feb  6<\/span> 09:16<\/span>:41<\/span> 2017<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

That didn’t work so I decided to have a look on the filesystem to see an example of the type of files I should be looking for.<\/p>\n

1
2
3
4
5
6
7
8
9
10
<\/div><\/td>
root@<\/span>KaliMJP:\/<\/span>mnt\/<\/span>hgfs\/<\/span>temp# mkdir filesystem ; mount working.dump filesystem<\/span>
\nroot@<\/span>KaliMJP:\/<\/span>mnt\/<\/span>hgfs\/<\/span>temp# ls filesystem\/<\/span>
\nAUTORUN.INF  ERR_LOG.TXT  GARMIN
\nroot@<\/span>KaliMJP:\/<\/span>mnt\/<\/span>hgfs\/<\/span>temp# ls filesystem\/GARMIN\/<\/span>
\nACTIVITY  COURSES     EVNTLOGS          GOALS     MLTSPORT  NEWFILES     RECORDS   SCHEDULE  SPORTS   TEXT    WIFI
\nAPPS      DEVICE.FIT  GarminDevice.xml  LOCATION  MONITOR   NRF_ERR.TXT  REMOTESW  SETTINGS  TEMPFIT  TOTALS  WORKOUTS
\nroot@<\/span>KaliMJP:\/<\/span>mnt\/<\/span>hgfs\/<\/span>temp# ls filesystem\/GARMIN\/ACTIVITY\/<\/span>
\n6CRC0101.FIT  712G0619.FIT  71865606<\/span>.FIT  71FE4602.FIT  71J72457.FIT  71N72941.FIT  71RD2701.FIT  71VC3005.FIT
\n6CS95823.FIT  71495133<\/span>.FIT  719B3605.FIT  71GC1249.FIT  71JB1310.FIT  71OG4701.FIT  71T73357.FIT  72370402<\/span>.FIT
\n6CVE0513.FIT  716I5616.FIT  71D70320.FIT  71I64149.FIT  71K70156.FIT  71P72020.FIT  71V92016.FIT<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

As I now had some example files I will check the headers and footers of each to see if there are any similarities so that I can create
\nHeaders:<\/p>\n

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
<\/div><\/td>
root@<\/span>KaliMJP:\/<\/span>mnt\/<\/span>hgfs\/<\/span>temp\/<\/span>filesystem\/<\/span>GARMIN\/<\/span>ACTIVITY# for i in *.FIT ; do xxd -l 16 $i >> heads.txt ; done<\/span>
\nroot@<\/span>KaliMJP:\/<\/span>mnt\/<\/span>hgfs\/<\/span>temp\/<\/span>filesystem\/<\/span>GARMIN\/<\/span>ACTIVITY# for i in *.FIT ; do xxd -l 16 $i; done<\/span>
\n00000000: 0e10 d607 a81b 0000 2e46 4954<\/span> 01dc 4000<\/span>  .........FIT..@<\/span>.
\n00000000: 0e10 d607 a03d 0000 2e46 4954<\/span> 47b8 4000<\/span>  .....=...FITG.@<\/span>.
\n00000000: 0e10 d607 a81b 0000 2e46 4954<\/span> 01dc 4000<\/span>  .........FIT..@<\/span>.
\n00000000: 0e10 d607 9843<\/span> 0000 2e46 4954<\/span> db0d 4000<\/span>  .....C...FIT..@<\/span>.
\n00000000: 0e10 d607 4e29 0000 2e46 4954<\/span> 9c7d 4000<\/span>  ....N)<\/span>...FIT.}<\/span>@<\/span>.
\n00000000: 0e10 d607 3022<\/span> 0000 2e46 4954<\/span> a015 4000<\/span>  ....0<\/span>"...FIT..@.
\n00000000: 0e10 d607 668f 0000 2e46 4954 59c9 4000  ....f....FITY.@.
\n00000000: 0e10 d607 ffce 0000 2e46 4954 c1cb 4000  .........FIT..@.
\n00000000: 0e10 d607 931d 0000 2e46 4954 257b 4000  .........FIT%{@.
\n00000000: 0e10 d607 4612 0000 2e46 4954 1718 4000  ....F....FIT..@.
\n00000000: 0e10 d607 d747 0000 2e46 4954 dabd 4000  .....G...FIT..@.
\n00000000: 0e10 d607 a81a 0000 2e46 4954 111c 4000  .........FIT..@.
\n00000000: 0e10 d607 f910 0000 2e46 4954 7fec 4000  .........FIT..@.
\n00000000: 0e10 d607 3dbd 0000 2e46 4954 0e85 4000  ....=....FIT..@.
\n00000000: 0e10 d607 6b25 0000 2e46 4954 925a 4000  ....k%...FIT.Z@.
\n00000000: 0e10 d607 e00d 0000 2e46 4954 738b 4000  .........FITs.@.
\n00000000: 0e10 d607 9241 0000 2e46 4954 78b2 4000  .....A...FITx.@.
\n00000000: 0e10 d607 700f 0000 2e46 4954 5927 4000  ....p....FITY'@.
\n00000000: 0e10 d607 1acc 0000 2e46 4954 2c7c 4000  .........FIT,|@.
\n00000000: 0e10 d607 4079 0000 2e46 4954 4df4 4000  ....@y...FITM.@.
\n00000000: 0e10 d607 1511 0000 2e46 4954 6131 4000  .........FITa1@.
\n00000000: 0e10 d607 89ac 0000 2e46 4954 0503 4000  .........FIT..@.
\n00000000: 0e10 d607 5b22 0000 2e46 4954 e78e 4000  ....["<\/span>...FIT..@<\/span>.
\nroot@<\/span>KaliMJP:\/<\/span>mnt\/<\/span>hgfs\/<\/span>temp\/<\/span>filesystem\/<\/span>GARMIN\/<\/span>ACTIVITY# cut heads.txt -d" " -f 2-9 | sed 's\/ \/\/g' | sed 's\/.\\{2\\}\/& \/g' > heads_snip.txt<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

Footers:<\/p>\n

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
<\/div><\/td>
root@<\/span>KaliMJP:\/<\/span>mnt\/<\/span>hgfs\/<\/span>temp\/<\/span>filesystem\/<\/span>GARMIN\/<\/span>ACTIVITY# for i in *.FIT ; do xxd -s -16 $i >> tails.txt ; done<\/span>
\nroot@<\/span>KaliMJP:\/<\/span>mnt\/<\/span>hgfs\/<\/span>temp\/<\/span>filesystem\/<\/span>GARMIN\/<\/span>ACTIVITY# for i in *.FIT ; do xxd -s -16 $i; done<\/span>
\n00001ba8: f077 1000<\/span> 3912<\/span> c532 0100 011a 01ff 315c  .w..9<\/span>..2<\/span>......1<\/span>\\
\n00003da0: 0100 f056 0400 c440 c632 0000 0101 b81b  ...V...@<\/span>.2......
\n00001ba8: a253 1000<\/span> d174 ca32 0100 001a 01ff 469d  .S...t.2......F.
\n00004398: 0100 845e 0400 e434 cd32 0000 0100 2e8b  ...^...4.2......
\n0000294e: 4155<\/span> 1c00 1683<\/span> cf32 0100 011a 01ff 9a1c  AU.....2<\/span>........
\n00002230: 01a0 1a00 27a6 d232 0100 011a 01ff 89d7  ....'..2........
\n00008f66: 0100 90b1 0400 9996 d432 0000 0100 eacb  .........2......
\n0000ceff: ffff 1502 0000 a529 d632 0200 0201 4122  .......).2....A"
\n00001d93: 3661 2400 c93b db32 0100 011a 01ff 068c  6a$..;.2........
\n00001246: 06a6 1100 0144 de32 0100 011a 01ff e9e9  .....D.2........
\n000047d7: 0100 9f18 0400 f56d df32 0000 0101 11dd  .......m.2......
\n00001aa8: 6207 1b00 96c9 e132 0100 011a 01ff 3cba  b......2......<.
\n000010f9: 0100 cabb 0400 971e e332 0000 0100 2e4a  .........2.....J
\n0000bd3d: ffff 5202 0000 4653 e332 0200 0201 d1e8  ..R...FS.2......
\n0000256b: 9b6d 2900 1877 e432 0100 011a 01ff b57c  .m)..w.2.......|
\n00000de0: 8a06 0e00 c168 e832 0100 001a 01ff 7a6e  .....h.2......zn
\n00004192: 0100 e34b 0400 5639 ea32 0000 0100 fb3e  ...K..V9.2.....>
\n00000f70: 05c5 1100 580a eb32 0100 001a 01ff 10ae  ....X..2........
\n0000cc1a: ffff 5d03 0000 a5fe ed32 0200 0201 de55  ..]......2.....U
\n00007940: 0100 5bc6 0400 1e4f f032 0000 0100 e2b1  ..[....O.2......
\n00001115: 0f9e 1200 e90f f332 0100 001a 01ff 931f  .......2........
\n0000ac89: 3d00 c307 5100 c53e f332 0000 0200 43eb  =...Q..>.2....C.
\n0000225b: d57b 1a00 34ea f632 0100 011a 01ff a957  .{..4..2.......Wroot@KaliMJP:\/mnt\/hgfs\/temp\/filesystem\/GARMIN\/ACTIVITY# cut tails.txt -d" " -f 2-9 | sed '<\/span>s\/<\/span> \/\/<\/span>g' | sed '<\/span>s\/<\/span>.\\{<\/span>2<\/span>\\}<\/span>\/&<\/span> \/<\/span>g' > tails_snip.txt<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

This allows me to identify the following common fields: 0e 10 d6 07 ? ? 00 00 2e 46 49 54 ? ? 40 00<\/strong><\/p>\n

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
<\/div><\/td>
root@<\/span>KaliMJP:\/<\/span>mnt\/<\/span>hgfs\/<\/span>temp\/<\/span>filesystem\/<\/span>GARMIN\/<\/span>ACTIVITY# for i in {1..16}; do cat heads_snip.txt | cut -d' ' -f$i | uniq -c | sort -nr | head -n 1; done<\/span>
\n     23<\/span> 0e
\n     23<\/span> 10<\/span>
\n     23<\/span> d6
\n     23<\/span> 07
\n      1<\/span> ff
\n      1<\/span> ce
\n     23<\/span> 00
\n     23<\/span> 00
\n     23<\/span> 2e
\n     23<\/span> 46<\/span>
\n     23<\/span> 49<\/span>
\n     23<\/span> 54<\/span>
\n      1<\/span> e7
\n      1<\/span> f4
\n     23<\/span> 40<\/span>
\n     23<\/span> 00<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

Unfortunately the footers were not so common \ud83d\ude41<\/p>\n

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
<\/div><\/td>
root@<\/span>KaliMJP:\/<\/span>mnt\/<\/span>hgfs\/<\/span>temp\/<\/span>filesystem\/<\/span>GARMIN\/<\/span>ACTIVITY# for i in {1..16}; do cat tails_snip.txt | cut -d' ' -f$i | uniq -c | sort -nr | head -n 1; done<\/span>
\n      2<\/span> 01
\n      1<\/span> ff
\n      1<\/span> f0
\n      2<\/span> 00
\n      1<\/span> e9
\n      2<\/span> 00
\n      1<\/span> f6
\n      2<\/span> 32<\/span>
\n      2<\/span> e3
\n      2<\/span> 32<\/span>
\n      3<\/span> 00
\n      2<\/span> 1a
\n      7<\/span> 01
\n      2<\/span> ff
\n      1<\/span> fb
\n      1<\/span> eb<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

As such I could only use a header in my custom scalpel.conf file:<\/p>\n

1
2
<\/div><\/td>
root@<\/span>KaliMJP:\/<\/span>mnt\/<\/span>hgfs\/<\/span>temp# grep -v "#" \/etc\/scalpel\/scalpel.conf <\/span>
\ny 100000<\/span> \\x0e\\x10\\xd6\\x07??\\x00\\x00\\x2e\\x46\\x49\\x54??\\x40\\x00<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

And then run scalpel:<\/p>\n

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
<\/div><\/td>
root@<\/span>KaliMJP:\/<\/span>mnt\/<\/span>hgfs\/<\/span>temp# scalpel -c \/etc\/scalpel\/scalpel.conf -o scalpel_output working.dump <\/span>
\nScalpel version 1.60<\/span>
\nWritten by Golden G. Richard III, based on Foremost 0.69<\/span>.
\n
\nOpening target "\/mnt\/hgfs\/temp\/working.dump"<\/span>
\n
\nImage file<\/span> pass 1<\/span>\/<\/span>2<\/span>.
\nworking.dump: 100.0<\/span>%<\/span> |****************************************************************************************************************|<\/span>   11.0<\/span> MB    00:00 ETAAllocating work queues...
\nWork queues allocation complete. Building carve lists...
\nCarve lists built.  Workload:
\nfit with header "\\x0e\\x10\\xd6\\x07\\x3f\\x3f\\x00\\x00\\x2e\\x46\\x49\\x54\\x3f\\x3f\\x40\\x00"<\/span> and footer ""<\/span> --><\/span> 93<\/span> files
\nCarving files from image.
\nImage file<\/span> pass 2<\/span>\/<\/span>2<\/span>.
\nworking.dump: 100.0<\/span>%<\/span> |****************************************************************************************************************|<\/span>   11.0<\/span> MB    00:00 ETAProcessing of image file<\/span> complete. Cleaning up...
\nDone.
\nScalpel is done<\/span>, files carved = 93<\/span>, elapsed = 0<\/span> seconds.<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

Now that I had carved out the FIT files I wanted to see if any matched up with the date of the race (5th Feb 2017). To do that it’s worth using the perl module fitdump<\/a><\/p>\n

Sadly nothing came out….:<\/p>\n

1
<\/div><\/td>
root@KaliMJP:~\/bin# <\/span>.\/<\/span>fitdump \/<\/span>mnt\/<\/span>hgfs\/<\/span>temp\/<\/span>scalpel_output\/<\/span>fit-0<\/span>-0<\/span>\/*<\/span> |<\/span> grep<\/span> "2017-02-05"<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

However, this does teach me some of steps involved in data recovery.<\/p>\n","protected":false},"excerpt":{"rendered":"

So a friend of mine recently competed in a 10mile race (supposedly) and he thinks he tracked the “ACTIVITY” on his watch but after the race deleted it by mistake. He brought the watch immediately over to me to see if there was anything I could do. Well the watch seems to be pretty nifty […]<\/p>\n","protected":false},"author":1,"featured_media":1345,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[461,460,458,459,457,462],"_links":{"self":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/1344"}],"collection":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/comments?post=1344"}],"version-history":[{"count":5,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/1344\/revisions"}],"predecessor-version":[{"id":1351,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/1344\/revisions\/1351"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/media\/1345"}],"wp:attachment":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/media?parent=1344"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/categories?post=1344"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/tags?post=1344"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}