To begin our investigation, we are looking at what information can be acquired from Google Glass using various imaging processes.
After generating data on two pairs of Glass, rooted and un-rooted, we imaged them with the Shattered script. We imaged with Shattered first because it includes features that can retrieve live system information. Below are the results from the Shattered script:
As seen above, on the rooted pair of Glass, Shattered was able to find the anr, backup, dalvik-cache, data, local, media, misc, private-cache, property, recovery, and system directories. On the un-rooted pair, it was unable to get those directories.
Although Shattered provides much system information on an un-rooted pair of Glass, it has an advantage in live system information because it uses tools such as dumpsys to pull that information.
Using Cellebrite, there was little difference in the amount of information that could be pulled, judging from our high-level view. As shown in the image below, the only immediate difference between the two folders is the anr directory. During our research we will be looking deeper into the folder structure to see if there are even more differences between the rooted and un-rooted pairs of Glass with Cellebrite.
Questions? Comments? The Senator Patrick Leahy Center for Digital Investigations would love to hear from you!