Pokémon GO Forensics: An Android Application Analysis

As the geolocation capabilities of smartphones continue to improve, developers have continued to create more innovative applications that rely on this location information for their primary function. This can be seen with Niantic’s release of Pokémon GO, which is a massively multiplayer online role playing and augmented reality game. This game became immensely popular within just a few days of its release. However, it also had the propensity to be a distraction to drivers, resulting in numerous accidents, and was used as a tool by armed robbers to lure unsuspecting users into secluded areas. This facilitates the need for forensic investigators to be able to analyze the data within the application in order to determine if it may have been involved in these incidents. Because this application is new, limited research has been conducted regarding the artifacts that can be recovered from the application. In this paper, we aim to fill the gaps within the current research by assessing what forensically-relevant information may be recovered from the application and understanding the circumstances behind the creation of this information. Our research focuses primarily on the artifacts generated by the Upsight analytics platform, those contained within the bundles directory and the Pokémon Go Plus accessory. Moreover, we present our new application-specific analysis tool that is capable of extracting forensic artifacts from a backup of the Android application and presenting them to an investigator in an easily-readable format. This analysis tool exceeds the capabilities of the well known mobile forensic tool Cellebrite’s UFED (Universal Forensic Extraction Device) Physical Analyzer in processing Pokémon GO application data.