Author: David Haddad
During a recent investigation, a request was posed to me regarding parsing of health, exercise, and related movement data that might have occurred leading up to and following a homicide.
The goal was to recover and analyze such data from a device belonging to the alleged suspect, to determine whether any automated step, health or exercise data on a Samsung phone could be correlated with secondary facts and the case's timeline.
Without disclosing any case-specific details, I’ll say that it brought me down an interesting path, where the data I was able to recover may be quite significant. Further, I spent quite a bit of time reverse engineering the Samsung Health database stored on Samsung Android devices, as there were no prior parsers or automated tools available that I was aware of. While well-known tools such as Cellebrite do support automated decryption of the database, virtually no pertinent analysis of its contents was performed.
The database has the capability of storing everything from second-by-second heart rate, step counts, exercise types, stride types, and more. Further, while some of the data is fairly easy to decode during a typical SQLite database review, there are other integers, values and type fields that are not readily apparent and required cross-referencing with Samsung’s SDK/APIs.
Plus, there is a secondary layer of data stored inside compressed JSON blobs within the database that is not readily available without a little more legwork.
Seeing the benefit of this data, and the great potential for its application in this case and others going forward, I wrote a small tool that automates the parsing and report generation of this database.
More details on its features and use are available below:
Overview
The Samsung Secure Health Data Parser is a forensic tool designed to extract and analyze data from Samsung Health databases. With the increasing importance of health-related data in digital forensics, this tool simplifies the process of extracting critical information, such as exercise data, step counts, and live activity tracking, stored in Samsung Health databases.
The tool offers both a GUI and command-line interface, making it accessible to forensic investigators.
Samsung Health Database Path & Decryption
By default, Samsung Health stores its databases in a protected path on Android devices:
/data/data/com.sec.android.app.shealth/databases/SecureHealthData.db
This database is encrypted by default and cannot be directly accessed without proper decryption. Fortunately, forensic tools like Cellebrite Physical Analyzer automatically decrypt the Samsung Health database during a forensic extraction, if the encryption keys were recovered. The decrypted version of the database is stored at:
/data/data/com.sec.android.app.shealth/databases/SecureHealthData.db/SecureHealthData.db.decrypted
Before using this script, users must manually export this decrypted version of the database. Once exported, this decrypted database can be parsed using the Samsung Secure Health Data Parser to generate detailed reports.
Features
- Step Count Parsing: Extract step count data and output the results in both Excel and HTML formats.
- Exercise Session Analysis: Gather details such as exercise type, duration, distance, and calories burned for individual sessions.
- Live Data Decompression: Decompresses and parses GZIP-compressed JSON data stored during live exercise tracking sessions.
- Open Source and Modular Functionality: Allows easy expansion or integration of functions into other tools/scripts.
- Comprehensive Reports: Generates reports in Excel and HTML formats for easy review and analysis.
- Precompiled Windows GUI Builds: Precompiled builds for easy execution without needing to download or set up additional dependencies.
- Command-Line Support: For advanced users, the tool also supports command-line arguments for seamless integration into automated workflows.
Use Cases
- Forensic Investigations: Retrieve step counts, exercise data, and live tracking data from a suspect’s Samsung Health app to understand movements and activities during specific periods.
- Health Research: Extract exercise and movement data for analysis in health studies or insurance claims.
Tool Functionality Overview
- ringleader(db_path, output_path): Coordinates the extraction of step data, exercise session data, and live activity tracking, generating comprehensive reports.
- decompress_live_data_from_compressed_json(compressed_data): Decompresses and parses GZIP JSON live activity data, crucial for real-time exercise tracking sessions.
- export_step_data(db_path, output_path): Extracts step count data and exports it to both Excel and HTML, providing detailed step count information.
- export_exercise_data(db_path, output_path): Extracts exercise session data and maps exercise type codes to human-readable descriptions for easy interpretation.
- fetch_compressed_live_data(db_path): Fetches and decompresses real-time activity data from live exercise sessions, providing insights into performance metrics like heart rate and distance.
- save_live_data_to_excel(df, output_path): Saves parsed live data into an Excel file for in-depth analysis of exercise tracking data.
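As an added illustration of the live-data path described by the functions above (example code written for this article, not the tool's own), the following stand-alone Python reads GZIP-compressed JSON blobs out of a SQLite table, inflates them only when the GZIP magic bytes are present, and flattens them into timestamped report rows. The table name, column names and JSON field names are constructed assumptions standing in for Samsung's real schema, which the tool itself maps.

```python
import gzip
import json
import sqlite3
from datetime import datetime, timezone

# Constructed sample records; field names are assumptions, not Samsung's real schema.
SAMPLE_LIVE_RECORDS = [
    {"start_time": 1700000000000, "heart_rate": 91.0, "distance": 0.0},
    {"start_time": 1700000001000, "heart_rate": 94.0, "distance": 1.4},
    {"start_time": 1700000002000, "heart_rate": 97.0, "distance": 2.9},
]

def make_compressed_blob(records):
    return gzip.compress(json.dumps(records).encode("utf-8"))  # constructed GZIP blob

def decompress_live_data(blob):
    """Return the list of JSON records held in a live-data blob."""
    if not blob:                      # NULL or empty column: no live tracking for the session
        return []
    raw = bytes(blob)
    if raw[:2] == b"\x1f\x8b":        # GZIP magic; inflate only when actually compressed
        raw = gzip.decompress(raw)
    parsed = json.loads(raw.decode("utf-8"))
    return parsed if isinstance(parsed, list) else [parsed]   # normalise a bare object

def live_data_to_rows(session_id, blob):
    """Flatten one session's blob into report rows with ISO-8601 UTC timestamps."""
    rows = []
    for rec in decompress_live_data(blob):
        ms = rec.get("start_time")    # epoch milliseconds in the constructed sample
        ts = datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat() if ms is not None else None
        rows.append({"session_id": session_id, "timestamp_utc": ts,
                     "heart_rate": rec.get("heart_rate"), "distance": rec.get("distance")})
    return rows

def fetch_live_rows(conn):
    """Read every (session_id, live_data) pair from the hypothetical table and flatten it."""
    rows = []
    for session_id, blob in conn.execute("SELECT session_id, live_data FROM live_data"):
        rows.extend(live_data_to_rows(session_id, blob))
    return rows

def build_demo_db():
    """Constructed in-memory database standing in for an exported decrypted copy."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE live_data (session_id TEXT, live_data BLOB)")
    conn.execute("INSERT INTO live_data VALUES (?, ?)",
                 ("session-1", make_compressed_blob(SAMPLE_LIVE_RECORDS)))
    conn.execute("INSERT INTO live_data VALUES (?, ?)", ("session-2", None))  # no live data
    return conn
```

Against a real export, `build_demo_db()` would be replaced by `sqlite3.connect(path_to_decrypted_db)` and the table and column names by those the tool maps.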
GUI and Command-Line Modes
GUI Mode
The GUI interface simplifies the user experience:
- File selection for the decrypted database and output folder.
- Status updates that show progress during data extraction.
- Access to logs for troubleshooting or reviewing detailed logs of the process.
Command-Line Mode
For more technical users, the command-line mode provides an efficient way to run the tool as part of larger forensic workflows. Use the following command:
python SHealth_DB_Parser.pyw <db_path> <output_path>
Prerequisites
Before running this tool, ensure you have:
- A decrypted version of the Samsung Health database from Cellebrite Physical Analyzer or another forensic tool. The decrypted database should be found at:
/data/data/com.sec.android.app.shealth/databases/SecureHealthData.db/SecureHealthData.db.decrypted
- Python 3.11 or greater installed on your system.
- Install the required dependencies using the following command:
pip install pandas pyautogui FreeSimpleGUI openpyxl jinja2