Post-mortem digital forensics analysis of the Zepp Life android application

Abstract

This paper studies the post-mortem digital forensic artifacts left by the Android ZeppLife (formerly MiFit) mobile application when used in conjunction with a Xiaomi MiBand 6. The MiBand 6 is a low-cost smart band device with several sensors that allow for health and activity monitoring, collecting metrics such as heart rate, blood oxygen saturation level, and step count. The device communicates via Bluetooth Low Energy with the ZeppLife application, which displays its data, provides some controls, and acts as a bridge to the Internet.We study, from a digital forensics perspective, the Android version of the mobile application in a rooted smartphone. For this purpose, we analyze the data repositories, namely its databases and XML files, and correlate the data on the smartphone with the corresponding usage of the Mi Band device. The paper also presents two open-source scripts we have developed to ease the task of forensic practitioners dealing with ZeppLife/MiBand 6: ZL_std and ZL_autopsy. The former refers to a Python 3 script that extracts high-level views of Zepp Life data through the command-line, whereas the latter is a module that integrates ZL_std functionalities within the popular open-source Autopsy digital forensic software. Data stored on the Android companion device of a MiBand 6 might include GPS coordinates, events and alarms, and biometric data such as heart rate, sleep time, and fitness activity, which can be valuable digital forensic artifacts.