Image courtesy of http://www.oxygen-forensic.com/images/whatsnew/911/WiFiHistory.png
From research conducted the results identified little has been written about HERREVAD (GMS). It may be there is more information out there, possibly in a internet walled garden, but not very much is revealed using the well-known internet search engines. From what has been discovered it is recorded below so should more information come to light this discussion can be updated.
As can be seen in the above screen image it shows records of WiFi History of connections to WiFi network servers. In this regard, as has been previous stated in another discussion at this blog, WiFi location analysis should naturally form part of cell site analysis as smartphones have multiple radio in them (http://trewmte.blogspot.co.uk/2014/08/csa-site-survey-method4cell-types.html).
Three databases have been identified so far, but no information was found that actually described what each database actually recorded, so assumptions are based upon the title of the databases and data recovered:
Moreover, no guidance was found to define whether each of databases are providing data-support to one another. It is an assumption that the information stored in each combines together to provide an abstract of connection events. It could be said this is evidence of the 'fact' the data are recorded there. It means the recording was made due to a smartphone's sensor activity showing the device had detected and decoded the WLAN networks, including SSID and BSSID (MAC address) info, as well as timestamps; thus there is proximity to a source. So here is potential evidence, but that doesn't necessarily confirm what is happening during the connection.
In the above image WiFiHistory.png it displays a number of connections consistent with the same network (so to speak) and on various dates and times. It is possible to draw an inference from that of a device in regular proximity to a particular WiFi network, thus a 'distance' (in space and time) to a location. This would support the merits of investigating those identities.
the only independent document found at this time discussing HERREVAD is that from Connie Bell, in her partial MSc thesis:
'PROVIDING CONTEXT TO THE CLUES: RECOVERY AND RELIABILITY OF LOCATION DATA FROM ANDROID DEVICES'
In this thesis Connie states:
"However, during a review of the databases’ contents, it became clear that the database did not capture all of the instances in which the devices were connected to WLAN networks, based on test session activity."
"From these examinations, it seems clear that connectivity-related log artifacts may be quite useful in ruling out the possibility that the WLAN sensor was disabled at a particular time. However, it may be more difficult to affirm that the sensor was indeed enabled at a particular time, since these logs seem to only document when the device is actually connected to a network."
"A device may have the WLAN functionality enabled but be out of range or not connected due to wireless network security, for example. In situations like these, it seems the log files would not indicate that the device WLAN feature was active, since the device would then default to cellular data services"
The research took into account Connie's observations regarding lost WiFi updates to the databases. Two useful web resource site to search are github and pastebin; both commonly have various types of processing dumps which field useful clues for investigation.
The following is part of a logcat dump. This logged failed event (colour red) could be due to the device's sensor proximity to/from a network or surrounding noise meant insufficient data was available to complete sending a HERREVAD record entry update or that the third party plugin failed for some other reason:
(com.estrongs.android.pop) from content://downloads/my_downloads/6 format 2
98.12-26 19:31:01.741 536 536 I installd: free_cache(6186696) avail 33903247360
99.12-26 19:31:01.764 4260 4260 V Herrevad: NQAS connected
100.12-26 19:31:01.776 1016 2567 D WifiService: New client listening to asynchronous messages
101.12-26 19:31:01.796 4678 4678 I ConfigService: onCreate
102.12-26 19:31:01.927 4260 7615 I ReportNQOperation:  g.a: Not enough data to save wifi report to local db: com.google.android.gms.herrevad.g.s@nnnnnn
This .pdf https://www.dropbox.com/s/ds89ulvcgezcgsy/Pandora%20Herrevad.pdf shows a complete logcat dump from a post on pastebin. Another example can be found here at github https://gist.github.com/mujeebulhasan/b5e910fc23ec5a41c924e7b5971f1e31
It was noted during research that a number of logcat dumps were for third party apps making use of HERREVAD Databases, so any further research may wish to include:
- Apps download
- Leisure (running etc)
and so on
Some search terms you may wish to consider when analysing images from smartphones or logcat dumps:
Connie Bell thesis suggests:
select local_reports.network_type, local_reports.ssid,
as "Converted timestamp (UTC)"
order by local_reports.timestamp_millis asc
Additionally, from the research here it is suggested the following maybe helpful, too:
download or downloaded
For time-stamps they may require conversion so here are a couple of sites that might assist you:
Further research will continue and efforts will be made to update this thread. If any reader can provide any additional information, please send an email to firstname.lastname@example.org and please provide your details and confirm if you wish to have these included in any update.