
WristSense Framework

The document presents the 'WristSense' framework, which aims to enhance digital forensic investigations by systematically extracting health-related data from various wrist-worn devices. Through case studies involving multiple vendors, the framework demonstrates its effectiveness in retrieving valuable circumstantial evidence, such as sleep patterns and heart rate, which can aid in reconstructing timelines in criminal cases. The study also addresses existing gaps in the forensic analysis of wrist devices, highlighting challenges like encryption and the need for a comprehensive artifact catalog.

Forensic Science International: Digital Investigation 52 (2025) 301862


journal homepage: www.elsevier.com/locate/fsidi

WristSense framework: Exploring the forensic potential of wrist-wear devices through case studies ✩

Norah Ahmed Almubairik (a, b, *), Fakhri Alam Khan (a, c, d), Rami Mustafa Mohammad (e), Mubarak Alshahrani (f)

a Department of Information and Computer Science, King Fahd University of Petroleum and Minerals, Dhahran, Saudi Arabia
b Department of Networks and Communications, Imam Abdulrahman Bin Faisal University, Khobar, Saudi Arabia
c Interdisciplinary Research Centre for Intelligent Secure Systems, King Fahd University of Petroleum and Minerals, Dhahran, Saudi Arabia
d SDAIA-KFUPM Joint Research Center for Artificial Intelligence, KFUPM, Saudi Arabia., Dhahran, Saudi Arabia
e Department of Computer and Information Systems, Imam Abdulrahman Bin Faisal University, Khobar, Saudi Arabia
f Public Security, Ministry of Interior, Dammam, Saudi Arabia

ARTICLE INFO

Keywords: Digital forensics; Wrist devices forensics; IoT forensic; Health data analysis; WristSense framework; Digital evidence; Circumstantial evidence; Wrist-device artifact catalog

ABSTRACT

Wrist devices have revolutionized our interaction with technology, monitoring various aspects of our activities and making them valuable in digital forensic investigations. Previous research has explored specific wrist device operating systems, often concentrating on devices from particular manufacturers. However, the broader market of wrist-worn devices, which includes a wide range of manufacturers, remains less explored. This oversight presents challenges in retrieving and analyzing data from wrist devices with different operating systems. Additionally, there has been limited exploration of utilizing health data from wrist devices in digital investigations. To address these gaps, this study presents a framework called "WristSense," which systematically extracts health-related data from heterogeneous sources of wrist devices. The framework has been evaluated through case studies involving Huawei, Amazfit, Xiaomi, and Samsung wrist devices. The WristSense ensures compatibility with devices from different vendors and analyzes health data such as sleep patterns, heart rate, blood oxygen saturation, activities, and stress levels. The research uncovers potential circumstantial evidence applicable to law enforcement and introduces a wrist-wear device artifact catalog, which also serves as a taxonomy, enabling practitioners to codify and leverage their forensic collective knowledge. The findings demonstrate the effectiveness of the WristSense framework in extracting and analyzing data from various vendors, providing valuable insights for forensic investigations. However, challenges such as encryption mechanisms on certain devices present areas that require further investigation. This research provides a comprehensive overview of suspect or victim health data, empowering digital forensic investigators to reconstruct detailed timelines and gather crucial evidence in criminal investigations involving wrist devices.

Abbreviations: IoT, Internet of Things; DF, Digital Forensics; DFRIR, Digital Forensic Readiness Intelligence Repository; DFI, Digital Forensic investigators; PCE, Potential Circumstantial Evidence; SFCRT, Sensor-Feature Cross-Reference Table; HRV, Heart Rate Variability

* Corresponding author at: Department of Information and Computer Science, King Fahd University of Petroleum and Minerals, Dhahran, Saudi Arabia.
E-mail addresses: g201902170@kfupm.edu.sa (N.A. Almubairik), fakhri.khan@kfupm.edu.sa (F.A. Khan), rmmohammad@iau.edu.sa (R.M. Mohammad), Mob.mob1409@gmail.com (M. Alshahrani).

https://doi.org/10.1016/j.fsidi.2025.301862
Received 15 August 2024; Received in revised form 3 January 2025; Accepted 3 January 2025
Available online 16 January 2025
2666-2817/© 2025 Elsevier Ltd. All rights are reserved, including those for text and data mining, AI training, and similar technologies.

1. Introduction

Wearable devices refer to a category of technology designed to be worn or attached to the skin, allowing for continuous monitoring of an individual's behavior while preserving their freedom of movement (Gao et al., 2016). Wrist devices, including smartwatches and wristbands, have achieved mainstream status within the extensive selection of wearable devices (de Arriba-Pérez et al., 2016). In 2022, the wrist-wear segment dominated global revenue, holding the largest market share and representing over 49.45% of the total revenue (Market.us, 2023).

As the popularity of wrist devices continues to soar, it is essential to explore their potential implications in the field of digital forensics. Digital forensics involves the extraction, preservation, and analysis of electronic evidence for investigative purposes (Pande and Prasad, 2016). Traditionally, this field has focused on the examination of computers, smartphones, and other conventional digital devices. However, with the proliferation of wearable devices, specifically wrist devices, a new
frontier for digital forensics has emerged, presenting unique challenges and opportunities. Although several forensic frameworks and techniques have been proposed over the years to facilitate the investigation of IoT networks and devices, finding a perfect solution that covers the diversity of IoT devices and networks remains a significant research challenge (Mahmood et al., 2024).

Previous research has explored specific wrist device operating systems, such as Android OS, Garmin OS, and Tizen OS, often concentrating on devices from particular manufacturers. However, the broader market of wrist-worn devices, which includes a wide range of manufacturers like Apple, Samsung, Xiaomi, and Huawei, remains less explored. This focus on specific systems, while beneficial, may inadvertently limit the scope of data retrieval and analysis in forensic investigations. Although the desired files may be discovered, they are often difficult to view and understand (MacDermott et al., 2019). This research gap in wrist device operating systems and file systems can lead to the omission of valuable information for criminal investigations.

Another challenge is the limited research examining how health data from wrist devices can be utilized in digital investigations. For example, Heart Rate Variability (HRV), which measures the variation in the time interval between successive heartbeats, can serve as an indicator of an individual's stress or relaxed state. High HRV might indicate a person is in a relaxed state, while low HRV might suggest a person has a less adaptable cardiovascular system and is therefore in a stressed state (Shaffer and Ginsberg, 2017). Exploring the utilization of health data like HRV in digital investigations remains relatively scarce in the literature.

This research introduces a novel framework called "WristSense" designed to systematically extract health-related data from a wide range of wrist devices, encompassing various vendors and operating systems. WristSense empowers investigators to effectively navigate through the wrist devices present at a crime scene, providing circumstantial evidence. The circumstantial evidence relies on indirect indications or established facts to infer the existence of another fact (Direct and Circumstantial Evidence, 2019). Legally, there is no differentiation in weight or significance between circumstantial evidence and direct evidence, as both can sufficiently fulfill the burden of proof required in a case (Direct and Circumstantial Evidence Defined, 2023).

This article addresses the following research questions:

1. What artifacts can be recovered from wrist-worn devices for digital forensic investigations?
2. What potential circumstantial evidence (PCE) exists in wrist-worn devices?
3. To what extent can the WristSense framework extract and analyze PCE from different wrist-wear device vendors?

To evaluate its capability in extracting valuable evidence from health-related data, the proposed framework undergoes a comprehensive evaluation using a diverse set of case studies involving wrist devices from vendors such as Huawei, Amazfit, Xiaomi, and Samsung.

Our primary objective is to equip digital forensic investigators (DFIs) with a comprehensive understanding of biological data pertaining to both suspects and victims. This will enable them to reconstruct a detailed timeline of events and individuals involved in a given crime scene. To address existing gaps in the field, we have made significant contributions:

• WristSense Framework: We propose a pioneering framework that systematically extracts and analyzes health data from diverse offline and heterogeneous sources of wrist-wear devices. To the best of our knowledge, this is the first framework of its kind specifically designed for iOS systems. It ensures the data is forensically sound and compatible with various wrist devices, including Huawei, Amazfit, and Xiaomi.
• Application of the Framework: We demonstrate the practical application of our framework by using it to analyze a wrist-wear device dataset. By successfully applying our framework to this dataset, we highlight its capability to extract valuable insights and conduct in-depth analysis, thereby showcasing its practicality and usefulness in the field of digital forensics. This demonstration reinforces the reliability of our framework, further establishing its potential to contribute to future investigations involving wrist devices.
• Creating a Taxonomy of Wrist-Wear Digital Forensic Artifacts: We created the observed forensic artifacts discovered in the investigated wrist devices. These artifacts are categorized according to the artifact catalog structure outlined in reference (Casey et al., 2022). By providing a detailed overview of these artifacts, we ensure that investigators are well-informed about the forensic capabilities that can significantly enhance their investigations. It can mitigate the risks associated with overlooking relevant digital evidence and misinterpreting forensic findings. It also empowers practitioners to make informed decisions and draw accurate conclusions from the digital evidence they encounter, ultimately strengthening the overall integrity of their forensic investigations.
• Construction of WristSense-VendorData Dataset: We constructed a dataset that provides valuable information obtained from wrist devices, covering multiple vendors, operating systems, and data collection periods. Researchers in the digital forensics field can utilize this dataset for various investigative and analytical purposes.

Our contributions significantly strengthen the field of digital forensics by providing a robust framework for analyzing health data from wrist devices, offering practical insights through dataset analysis, and presenting a comprehensive catalog of forensic artifacts.

This article is structured as follows: Section 2 provides an overview of the related work in the field of wrist-worn devices. Section 4 presents the details of our proposed framework, WristSense. In Section 5, we evaluate the framework using five case studies from four different vendors. Subsequently, Sections 6 and 7 present the results, discussion, and future work, respectively. Finally, the conclusion is provided in Section 8.

2. Related work

In this section, we present an overview of the research conducted in the field of wrist-worn devices forensics investigation, exploring the extraction techniques and data analysis methods employed. Additionally, we discuss the operating systems utilized in wrist-worn devices, highlighting their impact on forensic procedures. Furthermore, we delve into the evidentiary data stored in wrist-worn devices, encompassing a wide range of artifacts that can be extracted for investigative purposes.

2.1. Wrist-worn devices forensics investigation

Recent studies have highlighted the importance of extracting and analyzing data from wrist-worn devices in forensic investigations. For instance, MacDermott et al. conducted a study involving manual and logical data extraction techniques on wrist devices from three different vendors (MacDermott et al., 2019). Their aim was twofold: to extract potential data from these wrist devices and to identify data inconsistencies among the vendors. The researchers examined three fitness trackers: the Garmin Forerunner 110, Fitbit Charge HR, and a generic low-cost HETP fitness tracker. They performed multiple test runs on a subject who wore all three devices simultaneously while running a predetermined path with a one-mile distance and intentional elevation changes. The objective was to assess the accuracy and validity of the fitness bands. The findings indicated inconsistencies among the devices. Although these inaccuracies were acknowledged by the manufacturers, they have not significantly impacted court cases that utilize fitness bands as evidence, leading to convictions.
Becirovic and Mrdovic employed manual and logical extraction techniques specifically on Samsung devices. They conducted a case study using the Samsung Gear S3 Frontier smartwatch (Becirovic and Mrdovic, 2019). They followed the "event-timeline reconstruction" analysis technique by recording a three-hour sequence of watch events with the aim of restoring and analyzing the data. These events encompassed tasks like pairing the watch with an iPhone, answering calls, removing WhatsApp notifications, and activating flight mode. The study emphasized the crucial role of the data gathering timeframe in the analysis process. Due to the smartwatch's limited memory, previous data gets overwritten during regular use. To mitigate this issue, the researchers recommended that the initial step in forensic analysis involves enabling flight mode or turning off the smartwatch when not in use. These precautions minimize data tampering and improve the reliability of acquired data for forensic examination.

In their study, Williams et al. utilized logical and physical data extraction techniques on Fitbit wrist-devices paired with iOS and Android mobile devices (Williams et al., 2021). Their aim was to provide investigators with timely access to health data across various devices and forensic methods. By analyzing the Ionic smartwatch and Alta tracker, they identified recoverable data types such as private messages, feed posts, profile information, GPS data, sleep data, and heart rate data. The researchers created a test account, FitbitForensics, to simulate real-world scenarios and determine if forensic tools could successfully recover these artifacts. The results demonstrated the availability of different databases and data types through various extraction and analysis techniques, while also validating the accuracy of recorded data compared to planned test instances. Moreover, the researchers also delve into the crucial aspect of data recovery from deleted data on these wrist devices. By exploring the possibility of retrieving deleted data, the study sheds light on the potential for uncovering valuable evidence even from erased information on these devices. This finding underscores the importance of thorough forensic analysis to ensure that no relevant data is overlooked, even if it has been intentionally deleted.

Considering the same vendor, Almogbil and Alghofaili investigated Fitbit devices using the physical data extraction technique (Almogbil et al., 2020). They aimed to demonstrate that open-source digital analysis tools, such as Autopsy Sleuth Kit and Bulk Extractor Viewer, can produce results comparable to those of expensive commercial tools like Forensic Tool Kit (FTK) and EnCase, which often face resource and time limitations. In addition, Williams et al. found that open-source tools like Autopsy and BE Viewer could retrieve essential information for investigations. Although this is true, it is crucial to ensure that these tools are forensically sound and admissible in court (Williams et al., 2021).

Baggili et al. conducted case studies involving logical and physical extraction techniques on two different vendors: the Samsung Gear 2 Neo and LG G watches paired with a Samsung Galaxy S4 (Baggili et al., 2015). Their aim was to compare the artifacts present in the paired devices with those available directly on the smartwatches. The researchers followed specific usage scenarios, such as sending an email, tracking footsteps, using voice commands, and checking heart rate. The results revealed that a significant amount of digital evidence could be recovered directly from the smartwatches compared to the synced data on the phones. However, the method of physically imaging the smartwatch posed risks as it required gaining root access, potentially leading to a factory reset and permanent data deletion. The study also highlighted the difference in forensic soundness between acquiring a physical image of the Samsung Gear 2 Neo and acquiring data from the LG G watch, as the latter required a factory reset to gain root access.

2.2. Wrist-worn devices operating systems

Previous research in the field of wrist-worn devices has primarily focused on well-established companies like Apple, Fitbit, and Garmin, whose devices commonly operate on popular operating systems such as iOS (MacDermott et al., 2019; Loomis, 2019), Android (Rongen and Geradts, 2017; Kasukurti and Patil, 2018; Yoon and Karabiyik, 2020), and Tizen OS (Becirovic and Mrdovic, 2019).

However, it is worth noting that there is a category of wrist-worn devices referred to as "Others," which includes low-cost smartwatches. These affordable devices, despite being less recognized, have gained popularity among individuals seeking cost-effective options with moderate functionality. Gregorio et al. conducted an investigation specifically targeting these lesser-known low-cost smartwatches equipped with Real-Time Operating Systems (RTOS) (Gregorio et al., 2019). Their study delved into the acquisition and forensic analysis of these RTOS-based smartwatches, shedding light on an understudied area within the wrist-worn device landscape. By exploring these lesser-known devices, researchers like Gregorio et al. are expanding our understanding of the diverse range of operating systems and devices present in the wrist-worn device market.

2.3. Evidentiary data in wrist-worn devices

The information stored on wrist-worn devices, as well as other potential sources of evidence, plays a crucial role in investigations. Kasukurti and Patil have classified the artifacts found in wearables, including wrist-worn devices, into seven types, including geo-location, activity log, and medical data (Kasukurti and Patil, 2018). However, further research has shown that these artifacts can be expanded upon. The literature reveals a range of extracted artifacts, including device information, geo-location information, health information, contacts, call logs, text messages, social media interactions/posts/notifications, web browsing behavior, search history, media files (pictures, videos, audios, music), connected devices, WiFi and/or Bluetooth connections, and deleted files (Rongen and Geradts, 2017; MacDermott et al., 2019; Loomis, 2019; Gregorio et al., 2019; Becirovic and Mrdovic, 2019; Kasukurti and Patil, 2018; Yoon and Karabiyik, 2020). The variation in extracted data from wrist-worn devices can be attributed to differences in the level of data extraction, sources of evidence, storage medium size, and the technological features of the devices.

Some related studies have highlighted that wrist-worn devices store information about the device itself, such as the device name, serial number, and software version (MacDermott et al., 2019; Kasukurti and Patil, 2018; Gregorio et al., 2019). Additionally, health-related information found on these devices holds significant forensic value. This data can be used to challenge a suspect's false testimony or to track a victim's behavior during an incident, as exemplified in the Richard Dabate first-degree murder case (BBC News, 2017). Researchers have successfully extracted health information from wrist-worn devices, including step counts, heart rate, calories burned, and average speed (MacDermott et al., 2019; Becirovic and Mrdovic, 2019; Kasukurti and Patil, 2018; Yoon and Karabiyik, 2020; Loomis, 2019).

Furthermore, forensic analysis of event data from vehicle applications has demonstrated the ability to reconstruct events during accidents or crime scenes (Onik et al., 2024). This method adds a new aspect to vehicle forensics, underscoring the potential for applying similar techniques in wrist-worn device investigations. By adopting these methods, forensic investigators can improve their capability to reconstruct event data from wrist-worn devices, thus providing more thorough evidence in forensic investigations.

Apart from device and health information, evidence of communication and call logs plays a vital role in numerous legal cases, providing insights into a person's social and/or professional life. Call record data can be used by investigators to determine the most frequently contacted individuals, call duration, and even the timeline of communication with specific individuals. Previous works have demonstrated the extraction of call logs and contacts from wrist-worn devices (Rongen and Geradts, 2017; Loomis, 2019; Gregorio et al., 2019; Becirovic and Mrdovic, 2019; Kasukurti and Patil, 2018). For instance, Gregorio et al. (2019) showcased the extraction of call logs from Real-Time Operating System (RTOS) smartwatches. Similarly, Rongen and Geradts (Rongen and Geradts, 2017) were also successful in extracting phone calls made/received using Google smart glass.

3. Workflow overview

This section presents an overview of the proposed WristSense framework, combining the architectural design based on NIST 800-101 standards with the evaluation process. The framework operates through two interconnected components: architecture and evaluation through case studies (see Fig. 1). The architecture (detailed in Section 4) ensures the systematic extraction of health-related data, such as sleep patterns, heart rate, and activity logs, from wrist-worn devices. The framework employs the Sensor-Feature Cross-Reference Table (SFCRT) to map sensors to forensic artifacts, facilitating the identification of Potential Circumstantial Evidence (PCE). The evaluation component (discussed in Section 5) involves vendor selection, dataset construction, and case studies that validate the framework's compatibility across different vendors and operating systems. These evaluations demonstrate the framework's ability to adapt to diverse forensic contexts. Practical applications, such as reconstructing crime timelines, are also explored in these sections.

Fig. 1. Workflow Overview.

4. Framework architecture

This section proposes the WristSense framework for extracting health data from various wrist devices and identifying artifacts relevant to digital forensics, in accordance with NIST standards (Ayers et al., 2014). WristSense emphasizes a focus on wrist devices, highlighting the framework's ability to gather meaningful insights from these devices. The framework is designed to be independent of specific wrist-wear devices, ensuring broad applicability across different manufacturers and models. WristSense ensures the retrieval and analysis of data, including sleep patterns, heart rate, blood oxygen saturation, activities, and stress levels. These insights contribute to identifying the PCE in digital forensic investigations.

The framework architecture of WristSense is illustrated in Fig. 2, providing a visual representation of its components and their interactions.

4.1. Data source layer

The Data Source Layer serves as the initial stage in the data processing pipeline, responsible for gathering data from wrist devices and facilitating its subsequent handling by other layers. This layer includes wrist-worn devices such as smartwatches and smart bands discovered at the crime scene, along with their associated mobile devices. The mobile devices are forwarded to a digital forensics unit, where specialized tools are utilized to perform a logical extraction of stored data, decrypt encrypted application data, and extract various types of data in the SQLite format.

Given the diverse nature of the data sources involved, employing a unified and forensically sound digital forensics unit is advisable. Examples of such units include MD-RED, MD-NEXT, XRY, and EnCase. The extraction process results in a logical image comprising a substantial number of SQLite databases.

4.2. Analysis layer

The Analysis Layer consists of two primary components: an optional profiling unit and a mandatory processing unit. This layer receives the forensic image from the Data Source Layer and processes it using the Logical Analyzed Image Database Parser. The parser's primary objective is to extract health data from wrist-worn devices embedded within logical images. By employing specialized filtering mechanisms, the parser efficiently identifies and extracts relevant SQLite databases.

4.2.1. Profiling unit

The framework uses various markers to identify the likely suspect:

• Biological Markers ("Biomarkers"): Identify characteristics such as age, weight, body mass index, and body fat percentage.
• Logical Markers: Investigate connected devices, stored account credentials, and WiFi/Bluetooth connections associated with the wrist-wear device.
• Location Markers: Examine routes visited by the wearer. If the device contains information related to the suspect's work or home, it strengthens the likelihood of the device being linked to the suspect.

4.2.2. Processing unit

The processing unit is a fundamental component of the WristSense framework architecture, encompassing several key elements, each serving a specific purpose. Firstly, the Health-Related Database stores the health-related data obtained from the Logical Analyzed Image Database Parser, acting as a valuable resource for analysis and interpretation. Secondly, the Sensor-Feature Cross-Reference Table (SFCRT) maps sensors to their corresponding features, aiding in identifying PCE from wrist-worn devices. Thirdly, the PCE component analyzes features from the investigated devices to present factual information, such as sleep patterns (including deep sleep, light sleep, and the number of awakenings) and heart rate data (including maximum and minimum readings). Lastly, the PCE Repository organizes and stores this data, ensuring systematic management within the WristSense framework.
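One way to implement the database-filtering step that Section 4.2 assigns to the Logical Analyzed Image Database Parser, added here as an example and not the WristSense authors' parser: it walks an extracted logical image, recognizes SQLite files by their 16-byte header, opens them read-only, and reports tables whose names match health keywords, hashing each file before and after to show it was not altered. The keyword list, file suffixes, directory layout and table names are assumptions, and the sample image is constructed.

```python
import hashlib
import os
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"   # 16-byte header of every plain SQLite 3 file
DB_SUFFIXES = {".db", ".sqlite"}        # assumed naming convention for app databases
# Assumed keyword filter, drawn from the health data types the framework analyzes.
HEALTH_KEYWORDS = ("sleep", "heart", "spo2", "stress", "activity", "step")


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def health_tables(path):
    """Return {table: row_count} for tables whose name matches a health keyword."""
    # mode=ro plus immutable=1: SQLite takes no locks and writes no journal/WAL files.
    uri = Path(path).resolve().as_uri() + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    try:
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'")]
        hits = {}
        for name in names:
            if any(k in name.lower() for k in HEALTH_KEYWORDS):
                quoted = '"' + name.replace('"', '""') + '"'
                hits[name] = con.execute(f"SELECT COUNT(*) FROM {quoted}").fetchone()[0]
        return hits
    finally:
        con.close()


def scan_image(root):
    """Walk an extracted logical image and classify every database candidate."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                has_magic = fh.read(16) == SQLITE_MAGIC
            if not has_magic and Path(fname).suffix.lower() not in DB_SUFFIXES:
                continue                      # not a database candidate
            before = sha256_of(path)
            tables = {}
            if not has_magic:
                status = "no-sqlite-header"   # e.g. encrypted; needs separate handling
            else:
                try:
                    tables = health_tables(path)
                    status = "health-data" if tables else "no-health-tables"
                except sqlite3.DatabaseError:
                    status = "sqlite-error"   # header present but file is damaged
            records.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "sha256": before,
                "unchanged": sha256_of(path) == before,  # evidence file not modified
                "status": status,
                "tables": tables,
            })
    return sorted(records, key=lambda r: r["path"])


def build_sample_image(root):
    """Constructed sample data standing in for a logical image (hypothetical names)."""
    db_dir = Path(root, "apps", "vendor_health", "databases")
    db_dir.mkdir(parents=True)
    con = sqlite3.connect(db_dir / "health.db")
    con.executescript("""
        CREATE TABLE sleep_session (start_ts INTEGER, end_ts INTEGER, stage TEXT);
        CREATE TABLE heart_rate_sample (ts INTEGER, bpm INTEGER);
        CREATE TABLE app_settings (key TEXT, value TEXT);
        INSERT INTO sleep_session VALUES (1700000000, 1700003600, 'deep'),
                                         (1700003600, 1700010800, 'light');
        INSERT INTO heart_rate_sample VALUES (1700000000, 58), (1700000300, 61),
                                             (1700000600, 104);
        INSERT INTO app_settings VALUES ('units', 'metric');
    """)
    con.commit()
    con.close()
    con = sqlite3.connect(db_dir / "cache.db")
    con.execute("CREATE TABLE thumbnails (id INTEGER, data BLOB)")
    con.commit()
    con.close()
    (db_dir / "secure.db").write_bytes(b"\x8f" * 64)   # no SQLite header
    (db_dir / "notes.txt").write_text("not a database")


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_image(root)
        return scan_image(root)


if __name__ == "__main__":
    for rec in demo():
        print(rec["status"], rec["path"], rec["tables"], rec["sha256"][:16])
```

Files flagged `no-sqlite-header` are the ones an examiner would route to the decryption step the Data Source Layer mentions, rather than silently dropping them.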

Fig. 2. WristSense Framework Architecture: Logical Image: Active data accessible through the file system; Forensics Image: A duplication process that preserves
all data from the original medium without alterations, ensuring suitability for investigations and legal proceedings; SFCRT: Sensor-Feature Cross-Reference Table,
PCE: Potential Circumstance Evidence, Straight Line --- : Mandatory; Dashed Line - - - : Optional.

Sensor-Feature Cross-Reference Table(SFCRT): This component draws • Features: Wrist device features provide valuable information about
inspiration from the methodology proposed in Kebande et al. (2021) an individual. For example, the heart rate monitoring feature can
for developing a Digital Forensic Readiness Intelligence Repository be highly useful to DFIs. In a domestic abuse case, a person may
(DFRIR), which establishes cross-referencing of potential digital evidence. In our framework, we utilize the SFCRT to capture the PCE and create a repository that can be shared among digital forensic professionals and law enforcement agencies.

We consider two key observations in building the SFCRT. First, some vendors, such as Huawei, Amazfit, Samsung, and Garmin, clearly list the embedded sensors for each wrist device on their official websites, while others, like Apple, primarily list device features with limited information about the sensors. Additionally, certain vendors provide a list of embedded sensors along with additional features that are not explicitly linked to these sensors. To address this variability, the SFCRT uses sensors and features as keys to help determine the PCE. Second, the presentation of wrist device features varies significantly among vendors, and there is no standardized list of features. Therefore, we consider a set of features that are common across wrist devices, vendor-independent, and useful for investigations.

• Sensors: Wrist devices constantly monitor individuals through various sensing mechanisms, making them essential for everyday applications (King and Sarrafzadeh, 2018). These sensors provide substantial information about user activities. The list of sensors in the SFCRT is derived from two sources: (1) a review and two systematic review research papers (King and Sarrafzadeh, 2018; Morales et al., 2022; Khakurel et al., 2018); (2) five vendor websites. The sensors include: accelerometer, pedometer, GPS, gyroscope, blood pressure monitor, SpO2/oximetry, magnetometer/compass/geomagnetic, heart rate/Heart Rate Variability (HRV) monitor, temperature sensor, and electrocardiogram (ECG).

claim to be at home relaxing, but an elevated heart rate could indicate physical activity during that time, suggesting a false statement (Yoon and Karabiyik, 2020). The features considered in the SFCRT include: sleep monitoring, heart rate monitoring, SpO2 measurement, blood pressure measurement, body temperature monitoring, activity tracking, and stress measurement.

The SFCRT, illustrated in Table 1, demonstrates that a single sensor can provide information about multiple features. For example, the heart rate sensor assists in sleep monitoring, heart rate monitoring, activity tracking, and stress monitoring. Conversely, features often rely on multiple sensors; for instance, sleep monitoring utilizes accelerometers, blood pressure sensors, and heart rate sensors. To facilitate the generation of the PCE, the following key concepts are defined:

-- $F$: Feature
-- $n$: number of features
-- $S$: Sensor
-- $SFCRT$: Sensor-Feature Cross-Reference Table
-- $PCE$: Potential Circumstantial Evidence
-- $F_m$: Existing feature based on vendor’s manual
-- $S_m$: Existing sensor based on vendor’s manual
-- $F_s$: Existing feature based on existing sensor $S_m$

The PCE is the sum of features; see Equation (1).

$$PCE = \sum_{i=1}^{n} F_i \quad \text{where } F_i \in (F_m \cup F_s) \tag{1}$$
Table 1
Sensor-Feature Cross-Reference Table (SFCRT).

Sensor / Feature Sl HR SpO2 BP BT AT St

Accelerometer ✓ ✓ ✓
Pedometer ✓
GPS ✓
Gyroscope ✓
Blood Pressure ✓ ✓
SpO2/Oximetry ✓ ✓
Magnetometer/Compass/Geomagnetic ✓
Heart Rate/HRV ✓ ✓ ✓ ✓
Temperature ✓ ✓ ✓
Electrocardiogram (ECG) ✓ ✓ ✓

Abbreviations:
Sl: Sleep monitoring, HR: Heart Rate monitoring, SpO2: Oxygen Saturation, BP:
Blood Pressure Measurement, BT: Body Temperature Monitoring, AT: Activity
Tracking, St: Stress Monitoring.
References:
✓Sl: (Yoshihi et al., 2021; Shin et al., 2019); ✓HR: (Zhao et al., 2021; Bent et
al., 2020; Chow et al., 2020); ✓SpO2: (Buekers et al., 2019; Davies et al., 2020;
Wackernagel et al., 2020); ✓BP: (Kumar et al., 2021; Kim et al., 2019); ✓BT: (Li et
al., 2022); ✓AT: (Li et al., 2016; Zhang et al., 2022; Popleteev, 2015); ✓St: (Parlak,
2021; Han et al., 2020; Minguillon et al., 2018).
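The lookup that Equation (1) and Table 1 define, written out as an added Python example (not code from the WristSense repository). It encodes only the sensor-feature relations the text states in prose, so the `SFCRT` dictionary is a partial table; the sensor keys, the function names and the hand normalisation of the Apple Watch Series 9 manual entries (taken from the walk-through that follows) are assumptions.

```python
"""PCE generation from the SFCRT: PCE = F_m U F_s (Equation 1)."""

# Feature abbreviations, in Table 1 column order.
FEATURES = ("Sl", "HR", "SpO2", "BP", "BT", "AT", "St")

# Sensor -> features it supports. Partial SFCRT (assumption): only relations
# stated in the paper's prose are encoded; other Table 1 check marks are left
# out rather than guessed. The keys are hypothetical names for Table 1 rows.
SFCRT = {
    "heart_rate": {"Sl", "HR", "AT", "St"},
    "accelerometer": {"Sl"},
    "blood_pressure": {"Sl", "BP"},
    "temperature": {"St", "BT"},
    "spo2": {"SpO2"},
}


def generate_pce(manual_features, manual_sensors, sfcrt=SFCRT, features=FEATURES):
    """Return {feature: provenance} for every feature that enters the PCE.

    manual_features: feature codes the examiner found in the manual (F_m).
    manual_sensors:  sensor keys the examiner found in the manual (S_m).
    Provenance is ("manual", ()) or ("sensor", (sensor, ...)), so a report can
    state why each feature was included.
    """
    pce = {}
    for feature in features:                      # step 1: every SFCRT feature
        if feature in manual_features:            # step 2: listed in the manual
            pce[feature] = ("manual", ())
            continue
        supporting = sorted(                      # steps 3-4: derived via S_m
            sensor for sensor, feats in sfcrt.items()
            if feature in feats and sensor in manual_sensors
        )
        if supporting:
            pce[feature] = ("sensor", tuple(supporting))
    return pce


def excluded(pce, sfcrt=SFCRT, features=FEATURES):
    """For each feature left out, list the sensors that would have justified it."""
    return {
        f: sorted(s for s, feats in sfcrt.items() if f in feats)
        for f in features if f not in pce
    }


# Apple Watch Series 9 entries from the walk-through, normalised by hand to the
# keys above (mapping product names to SFCRT rows is the examiner's decision).
APPLE_FEATURES = {"Sl", "HR", "AT"}   # Sleep app, Heart Rate app, Activity Tracking
APPLE_SENSORS = {
    "heart_rate",     # Third-Generation Optical Heart Sensor, recorded under the
                      # Heart Rate/HRV row as the walk-through does
    "temperature",    # Temperature Sensor
    "accelerometer",  # High-G Accelerometer
}

# Constructed second device: its manual lists sensors only, no features.
SENSOR_ONLY_SENSORS = {"heart_rate", "spo2"}

if __name__ == "__main__":
    pce = generate_pce(APPLE_FEATURES, APPLE_SENSORS)
    for feature, (source, sensors) in pce.items():
        print(f"{feature:5} {source:7} {', '.join(sensors)}")
    print("excluded:", excluded(pce))
```

Keeping the provenance next to each feature lets the examiner show which entries rest on the manual and which were inferred from a sensor.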

To generate a list of PCE, digital forensic investigators (DFIs) must first access the SFCRT and the manual of the investigated wrist device. The process involves the following steps:

1. Iterate through each feature listed in the SFCRT.
2. If a feature from the SFCRT is found in the device manual, it is directly added to the PCE list.
3. If the feature is not listed in the manual, the investigator then examines each sensor in the SFCRT that contributes to that feature.
4. If the examined sensor is found in the device manual and is associated with that feature, the feature is subsequently added to the PCE list.

This systematic approach ensures that all relevant features and sensors are thoroughly considered in the generation of PCE.

Apple Watch Series 9 Example

The Apple Watch Series 9 serves as a practical demonstration of how the Sensor-Feature Cross-Reference Table (SFCRT) can be used to generate Potential Circumstantial Evidence (PCE).

* Manual Information: The following sensors and features are identified from the Apple Watch Series 9 manual:

-- Sensors:
   ∗ Electrical Heart Sensor
   ∗ Third-Generation Optical Heart Sensor
   ∗ Temperature Sensor
   ∗ Compass
   ∗ Always-On Altimeter
   ∗ High-G Accelerometer
   ∗ High Dynamic Range Gyroscope
   ∗ Ambient Light Sensor
-- Features:
   ∗ Sleep App Including Sleep Stages
   ∗ Heart Rate App
   ∗ High and Low Heart Rate Notifications
   ∗ Irregular Rhythm Notifications
   ∗ Medications App
   ∗ Mindfulness App
   ∗ Noise App
   ∗ Cycle Tracking App with Retrospective Ovulation Estimates
   ∗ ECG App
   ∗ Activity Tracking (includes various workouts and metrics)

* Generating PCE: Using the SFCRT and the manual, the following steps generate the PCE:

1. Iterate through each feature listed in the SFCRT.
2. Check if the feature is explicitly mentioned in the manual:
   -- Add Sleep Monitoring (Sl), Heart Rate Monitoring (HR), and Activity Tracking (AT) to the PCE list.
3. For features not explicitly mentioned, check the contributing sensors:
   -- Stress Monitoring (St) is supported by the Heart Rate Sensor and Temperature Sensor, both of which are present in the manual. Add it to the PCE list.
   -- SpO2 Monitoring (SpO2): Typically supported by Optical Heart Sensors or dedicated SpO2 Sensors. However, neither is explicitly mentioned in the manual, so SpO2 Monitoring cannot be added to the PCE list.
   -- Blood Pressure (BP): Commonly supported by sensors that measure vascular tension, such as dedicated Blood Pressure Sensors. As no Blood Pressure Sensor is mentioned in the manual, this feature cannot be added to the PCE list.
   -- Body Temperature Monitoring (BT): Supported by the Temperature Sensor, which is explicitly listed in the manual. Add Body Temperature Monitoring to the PCE list.

* Final PCE List: Based on the analysis, the PCE for the Apple Watch Series 9 is:

PCE = {Sl, HR, AT, St, BT}

5. Framework evaluation

This section showcases the evaluation of the WristSense framework through a series of case studies. The chosen research design for these case studies was an exploratory approach, as it allows for assessing the feasibility and effectiveness of the framework (Hancock et al., 2021). Additionally, a collective case study research design was employed to contribute to the existing literature and enhance the conceptualization of the underlying theory (Hancock et al., 2021).

5.1. Evaluation settings

This subsection outlines the comprehensive setup and conditions used to evaluate the WristSense framework. It includes the selection criteria for vendors, details about the dataset generation and its public accessibility, specifications of the hardware and software employed, and the assumptions underlying the evaluation. These elements ensure the robustness, reproducibility, and relevance of the evaluation process to real-world forensic applications.

5.1.1. Vendor selection

Three prominent vendors from the wearable technology market were considered: Huawei, Xiaomi, and Samsung. These vendors are recognized as market leaders in the industry (Market.us, 2023; Intelligence, New Astron). Additionally, Amazfit, a non-competitive player, was also included in the evaluation.

5.1.2. Hardware / software specifications

Table 2 presents the wrist-wear devices investigated in the study, along with their respective vendors, operating systems, periods of data collection, and timeframes. The devices include Huawei Fit 2 Smartwatch and Band 7, Amazfit Band 7, Xiaomi Watch 3, and Samsung Watch 6. These devices operate on different operating systems such as Android Wear, Zepp OS, and Wear OS. Data collection periods vary, with Huawei having the longest duration. All devices, except for the Samsung Watch 6, were connected to an iPhone 11 for data synchronization through the vendor’s health applications. The Samsung Watch 6 was paired with a Galaxy device.

Table 2
Wrist-Wear Devices and Specifications.

Vendor | Huawei | Huawei | Amazfit | Xiaomi | Samsung
Investigated Device | Fit 2 Smartwatch | Band 7 | Band 7 | Watch 3 | Watch 6
Operating System | Android Wear | Android Wear | Zepp OS | Wear OS | Wear OS
Health Applications | Huawei Health | Huawei Health | Zepp | Mi Fitness | Samsung Health
Period | Around one year | 18 days | 8 days | 11 days | 10 days
Timeframe | 11 May 22-4 Apr 23 | 10 Jul 22-27 Jul 23 | 9 Jul 23-16 Jul 23 | 3 Sep 23-13 Sep 23 | 1 Oct 23-10 Oct 23

5.1.3. Dataset construction

The dataset was constructed using a single participant who wore various wrist-worn devices across different periods. Each device was paired with its corresponding mobile health application to ensure data synchronization. To capture diverse real-world scenarios, the participant engaged in varying activity levels, including sedentary, moderate, and active states. The resulting dataset, named "WristSense-VendorData," was generated separately for each vendor to maintain clarity and reproducibility. The dataset, publicly accessible at,¹ enables validation and supports forensic research involving wrist-worn devices.

¹ https://data.mendeley.com/datasets/f7fvmmsd86/3

5.1.4. Assumptions

The evaluation of the framework involves several underlying assumptions that aid digital forensic investigators in their decision-making processes. These assumptions are:

1. Profiling data is available to help identify the likely suspect from a specific group.
2. The PCE can be extracted from all features with a minimal number of variables.
3. Wrist-worn device data can offer insights into the suspect’s sleep and activity data related to specific dates, such as the date of a crime.
4. Wrist-worn device data can provide insights into the suspect’s average awake time duration, indicating sleep disturbances or irregular patterns.
5. There is a correlation between steps and calories extracted from wrist-worn devices.

These evaluations will provide recommendations for vendors to facilitate wrist-wear device investigations.

5.2. Evaluation method (case studies)

This subsection describes the steps involved in applying WristSense to each wrist-wear device, ensuring the reproducibility of the evaluation results.

1. Data Source Layer:
   -- Tools Employed: MD-NEXT and MD-RED for data extraction and analysis.
   -- Data Extraction: Data is extracted from paired devices (e.g., iPhone 11) using MD-NEXT and analyzed with MD-RED, which supports over 1500 mobile apps on iOS and Android platforms.²
   -- Output: A logical image containing numerous SQLite files is generated for further analysis.
2. Analysis Layer:
   -- Profiling Unit:
      ∗ Data Search: Searches for biological (e.g., weight, birthday, height, age) and logical (e.g., device linkage) profiling data.
   -- Processing Unit:
      ∗ Database Parsing: The Logical Image Database Parser extracts health-related databases and applies the SFCRT to identify PCE.
      ∗ PCE Identification: Identifies potential features such as sleep monitoring, HR monitoring, oxygen saturation measurement, activity tracking, and stress measurement.
      ∗ Evidence Compilation: PCE_Rep compiles circumstantial digital evidence features and corresponding data.

By detailing each step and tool used, this subsection ensures that the evaluation process is transparent, reproducible, and scientifically rigorous.

² https://mh-service.de/en/products/md-red/

5.3. Case study results

Based on the assumptions made, the evaluation of the framework in this case study yields insightful results for digital forensics investigators. These assumptions serve as fundamental principles that shape the evaluation process, allowing investigators to derive meaningful conclusions and extract valuable insights from the data at hand. The summarized results of the case studies are presented in Table 3, providing a clear overview of profiling data availability and insights across different wearable devices. Table 4 details the specific variables used in the analysis, offering a comprehensive view of the data collected from each device. For detailed visualizations of the case study results, refer to Appendix A.

Table 3
Summary of Case Study Results.

Feature | Huawei Fit2 | Huawei Band7 | Xiaomi Watch3 | Amazfit Band7 | Samsung Watch6
Profiling Data Availability | Yes | Yes | No | Yes | N/A
Insights from Sleep Data (Crime Date) | Yes | Yes | Yes | Yes | N/A
Average Awake Time Insights | Yes | Yes | Yes | Yes | N/A
Correlation between Steps and Calories | High | High | High | High | N/A

Table 4
Detailed Variable-Specific Results.

Feature | Variables | Huawei Fit2 | Huawei Band7 | Xiaomi Watch3 | Amazfit Band7 | Samsung Watch6
Sleep | Time stamp, light sleep, deep sleep, REM sleep, nap duration, awake duration, awake counts, fall asleep time, wake-up time
Heart Rate | Time stamp, max HR, min HR, avg resting HR
Blood Oxygen | Time stamps, max SpO2, min SpO2
Stress | Time stamp, max stress, min stress, avg stress
Activity | Time stamps, total steps, total distance, total calories

5.3.1. There is profiling data that can help determine the probable suspect among a given set of individuals.

-- Huawei: The Fit2 and Band7 encompass a range of biological and logical markers in the wear.db database, more specifically in the HWSporetHealth_localStorage_AccountInfo_table. This data includes weight, birthday, height, age and a username that corresponds to a portion of the user’s email address (refer to Fig. 3). Thus, DFIs can establish ownership of a wearable device by examining these data. Furthermore, the investigation uncovers compelling evidence suggesting a clear linkage between the investigated wearable and an iPhone 11 Pro (see Fig. 4). This evidence is derived from the presence of a ProductIDTable* (i.e., where * matches exactly 17 digits), which establishes a definitive connection between the wearable device and the specific mobile device model mentioned, namely the iPhone 11 Pro. The existence of this table serves as a robust piece of evidence, bolstering the assertion that the wrist-wear device was deliberately paired and utilized in conjunction with the associated iPhone 11 Pro. Consequently, this further substantiates the case for ownership or possession of the investigated wearable by the identified suspect.

Fig. 3. Huawei - Profiling Data (1).

Fig. 4. Huawei - Profiling Data (2).

-- Amazfit: The Band 7 contains biological, logical, and location data. The investigation findings indicate that the Amazfit Band 7 device stores specific biological data within its database, known as HMCorePersistanceDatabaseV1.sqlite.db. More specifically, this data is stored in the familyMember and includes information such as name, gender, birthday, height, weight (refer to Fig. 5). These data points can be crucial for DFIs to establish device ownership. As for the logical markers, the investigation has uncovered compelling evidence linking the Amazfit Band 7 to a device with system version 15.6.1 (see Fig. 6). This evidence is derived from the presence of an anonymous_context table in the HMStatisticsAnonymousDBV2.sqlite.db database, which establishes a definitive connection between the Band 7 device and the iPhone with a system version. Furthermore, the data obtained from the smartwatch reveals the presence of a location identifier "SA," which symbolically represents the country "Saudi Arabia" where the device is connected, operating, or configured.

Fig. 5. Amazfit Band7 - Profiling Data (Biological) (1).

Fig. 6. Amazfit Band7 - Profiling Data (Logical - Location) (2).

-- Xiaomi: The Redmi Watch 3 device consists of a single database consisting of 44 tables, named: 6678634272.db. However, upon investigation, it has been determined that this device does not store any profiling data, including logical, biological, or location-related information.

-- Samsung: Although the data could be extracted, the encryption mechanism poses a challenge for analyzing profile data. A database called SecureHealthData.db and an encrypted key called encryptedKeystore were extracted, but they cannot be accessed without the decryption key to decrypt the SecureHealthData.db. Therefore, Samsung data is included neither in the profiling nor in the analysis.

5.3.2. Potential Circumstantial Evidence (PCE) can be extracted from all features with a minimum number of variables

Sleep Monitoring (SLM): The findings indicate that sleep data from wrist-band wearable devices can provide valuable insights into the wearer’s sleep pattern. Several common variables have been identified that contribute to deriving the sleep pattern, including time stamp, light sleep duration, deep sleep duration, REM sleep duration, nap duration, sleep awake duration, awake counts, fall asleep time, and wakeup time. These variables collectively offer clues and information about the individual’s sleep habits and patterns. Detailed plots and time series for these variables can be found in the appendix (Figs. 9, 10, and 11).

Heart Rate Monitoring (HRM): The variables of interest, including time stamp, maximum heart rate, minimum heart rate, and average resting heart rate, provide significant insights into an individual’s heart rate patterns. An acceptable range for resting heart rate falls within 50 to 80 beats per minute (bpm). Research has shown that a low resting heart rate is linked to various factors such as criminal behavior, aggression, psychopathy, and conduct problems (Wilson and Scarpa, 2012). Furthermore, studies have found associations between low heart rate and different types of criminal offenses, including violent offenses, drug offenses, property offenses, and even traffic offenses (Latvala et al., 2015). Refer to the appendix for relevant plots (Fig. 12).

Blood Oxygen Measurement: Blood oxygen measurement provides valuable circumstantial evidence through variables such as time stamps, maximum blood oxygen, and minimum blood oxygen. In general, a lower SpO2 level indicates a higher risk. If the SpO2 falls below 90%, the wearer may be susceptible to hypoxemia, a condition associated with inadequate oxygen levels in the body (Co). Refer to the appendix for relevant plots (Figs. 13 and 14).

Stress Measurement (STM): The variables time stamp, maximum stress, minimum stress, and average stress can provide valuable circumstantial evidence related to stress levels. Research has indicated that stress has detrimental effects on human health and is closely associated with mental disorders, including anxiety (Tsukuda et al., 2019) and seizures (Cano-Lopez and Gonzalez-Bono, 2019). Refer to the appendix for relevant plots (Fig. 15).

Activity Tracking (AT): The variables of time stamps, total steps, total distance, and total calories can provide valuable information about an individual’s movement patterns and activity levels from a forensic standpoint. Analyzing these variables allows investigators to understand the length of routes taken by the wearer and assess their level of physical activity, aiding in the investigation. Refer to the appendix for relevant plots (Fig. 16).

5.3.3. The wrist-worn device data can offer insights into the suspect’s sleep and activity data related to a particular date, such as the date of a crime scene

The wrist-worn device data analysis provided valuable insights into the suspect’s sleep patterns on a particular date, such as the date of a crime scene. Fig. 17 displays the relevant sleep variables recorded during the investigated period. Similarly, Figs. 18, 19, 20, and 21 present activity variables (e.g., step counts, calories burned) for specific dates. This information played a crucial role in establishing a timeline of the suspect’s sleep cycle and activity, thereby verifying or raising doubts about their alibis during specific time periods. By examining the sleep and activity data, investigators gained a better understanding of the suspect’s behavior and were able to potentially correlate these patterns with the timeline of events under investigation.

5.3.4. The wrist-wear device data can provide insights into the suspect’s average awake sleep time duration, indicating sleep disturbances or irregular sleep patterns

The analysis of wrist-worn wearable average awake sleep time duration yielded significant results in the investigation. The time duration in minutes provides valuable insights into sleep disturbances or irregular sleep patterns. Higher values indicate a greater occurrence of sleep disturbances. These findings contribute to a better understanding of the sleep patterns and potential disruptions experienced by the individuals under investigation. Refer to the appendix for relevant plots (Fig. 22).

5.3.5. There is a clear correlation between steps and calories extracted from wrist-wear devices

The analysis of data extracted from wrist-worn devices revealed a strong correlation between steps and calories. All wrist-wear devices demonstrate a high correlation between these variables, indicating that an increase in the number of steps taken is associated with a higher calorie expenditure. Refer to the appendix for relevant plots (Fig. 23).

6. Results and discussion

This section presents the key findings obtained from the evaluation of the WristSense framework. The analysis delves into the applicability of the framework in extracting and analyzing health-related data from various wrist-worn devices, providing valuable insights for digital forensic investigations.

6.1. Wrist-wear device potential circumstantial evidence

Given that the case study results presented in 5.3 belong to a wearer, who can be either a suspect or victim under investigation, several pieces of evidence can be obtained to draw conclusions.

6.1.1. Huawei Fit 2

From a forensic perspective, several facts can be extracted from sleep data. It is evident that the wearer exhibits variations in sleep time distribution based on different seasons (Fig. 10). In winter, "Deep Sleep Time" increases due to colder temperatures and longer nights, promoting deep sleep. Conversely, in summer, "Deep Sleep Time" decreases due to warmer temperatures and shorter nights. "Sleep Dream Time" follows the opposite trend.

Furthermore, Fig. 11 shows that "Light Sleep Time" occupies the largest portion of the sleep cycle, indicating significant time in this stage. "Deep Sleep Time" is substantial, suggesting considerable restorative sleep, while "Sleep Dream Time" is the shortest, emphasizing the importance of REM sleep.

The mean of "Awake Sleep Time" varies across the year (Fig. 22). In April, it peaks at 28.3 minutes, indicating more frequent awakenings, potentially due to temperature changes or allergies. In December, it drops to 1.8 minutes, suggesting more continuous sleep. This trend continues into January with 3.1 minutes of awakeness, highlighting the influence of seasonal factors on sleep quality.
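The checks that Section 5.3 and this subsection describe (monthly mean awake time, the 50 to 80 bpm resting range, the 90% SpO2 floor, a sleep statement for one date, steps against calories) can be run over daily records as follows. This is an added Python example, not part of the WristSense scripts; the records, the field names and the awake-time tolerance are constructed assumptions.

```python
"""Timeline checks on daily wrist-device records (constructed sample data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from math import sqrt

RESTING_HR_RANGE = (50, 80)  # bpm, acceptable resting range given in Section 5.3.2
SPO2_FLOOR = 90              # %, below this the text points to possible hypoxemia


@dataclass(frozen=True)
class DailyRecord:
    day: date
    awake_min: float   # awake duration during the sleep session, minutes
    resting_hr: int    # average resting heart rate, bpm
    min_spo2: int      # minimum SpO2, %
    steps: int
    calories: float


# Constructed records; none of these values come from WristSense-VendorData.
RECORDS = [
    DailyRecord(date(2023, 4, 2), 30.0, 62, 95, 4000, 160.0),
    DailyRecord(date(2023, 4, 9), 26.0, 58, 96, 6000, 240.0),
    DailyRecord(date(2023, 4, 16), 46.0, 84, 88, 9000, 365.0),
    DailyRecord(date(2023, 12, 3), 2.0, 60, 97, 2000, 85.0),
    DailyRecord(date(2023, 12, 10), 1.0, 47, 94, 5000, 200.0),
]


def monthly_mean_awake(records):
    """Mean awake minutes per (year, month)."""
    buckets = defaultdict(list)
    for r in records:
        buckets[(r.day.year, r.day.month)].append(r.awake_min)
    return {month: sum(v) / len(v) for month, v in sorted(buckets.items())}


def flag_days(records):
    """Days whose resting HR or minimum SpO2 falls outside the stated ranges."""
    low, high = RESTING_HR_RANGE
    flags = []
    for r in sorted(records, key=lambda rec: rec.day):
        if not low <= r.resting_hr <= high:
            flags.append((r.day, f"resting HR {r.resting_hr} bpm outside {low}-{high}"))
        if r.min_spo2 < SPO2_FLOOR:
            flags.append((r.day, f"min SpO2 {r.min_spo2}% below {SPO2_FLOOR}%"))
    return flags


def check_sleep_statement(records, day, max_awake_min):
    """Compare a 'slept all night' statement for `day` with recorded awake time.

    max_awake_min is an examiner-chosen tolerance (the paper sets no threshold).
    A missing record is reported as such: non-wear is not evidence either way.
    """
    matches = [r for r in records if r.day == day]
    if not matches:
        return "no record"
    awake = max(r.awake_min for r in matches)
    return "inconsistent" if awake > max_awake_min else "consistent"


def pearson(xs, ys):
    """Pearson correlation coefficient, e.g. total steps against total calories."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("need two equally long series with at least two points")
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        raise ValueError("a constant series has no defined correlation")
    return sxy / sqrt(sxx * syy)


if __name__ == "__main__":
    print(monthly_mean_awake(RECORDS))
    for day, reason in flag_days(RECORDS):
        print(day.isoformat(), reason)
    print(check_sleep_statement(RECORDS, date(2023, 4, 16), max_awake_min=15))
    print(round(pearson([r.steps for r in RECORDS], [r.calories for r in RECORDS]), 4))
```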

Moreover, DFIs can know exactly the sleep time for a suspect at a specific crime scene. If a wearer states that he was sleeping all night, large amounts of "Awake Sleep Time" might indicate misleading statements (Fig. 17).

Regarding heart rate data, the user’s average resting heart rate falls within the acceptable range (Fig. 12). However, maximum heart rates on specific dates exceed the normal range, warranting further investigation (e.g., 4 June 2022, 6 June 2022, 29 December 2022, 31 Jan 2022 reached 152, 152, 149, and 153 bpm respectively).

For blood oxygen levels, Fig. 14 shows normal saturation levels (90-100%) with an exception on March 28, 2024, when it dropped below 90%. This day warrants further investigation. The analysis reveals consistently higher stress levels on specific dates, such as May 15, 2022, May 22, 2022, and March 28, 2023 (Fig. 15). Regarding activity, the wearer maintains a consistent step count (1,000 to 10,000) with notable variations (Fig. 16). Significant drops in activity can indicate periods of non-wear or inactivity. DFIs can determine step counts and burned calories on specific dates (Fig. 18).

6.1.2. Huawei Band 7

The wearer spends the majority of sleep time in the light sleep phase (45.3%), followed by deep sleep (33.5%) and dream phase (22.2%) (Fig. 9). The yearly calendar heat map shows minimal sleep interruptions with an average "Awake Sleep Time" of 1.5 minutes (Fig. 22). A significant drop in sleep on July 16, 2023, is observed, followed by a nap on July 17, 2023 (Fig. 11). Heart rate peaks at 166 bpm on July 17, 2023, indicating heightened activity, and drops to 52 bpm on July 21, indicating rest (Fig. 12). Blood oxygen data shows consistent readings with variations on specific days, such as July 14 and 17 (Fig. 14). Activity levels show an average of 4182 steps with decreases on July 21 and 26, 2023.

6.1.3. Xiaomi Watch 3

The wearer spends most of the time in light sleep (Fig. 9). Average awake time is 5.1 minutes, with an awakening recorded on September 11 (Fig. 22). The wearer consistently uses the device except on September 7. Heart rate data shows deviations from the normal range on September 4 and 7 (Fig. 12). Blood oxygen saturation remains high with a drop to 85% on September 12 (Fig. 14). Unlike Huawei, Xiaomi does not automatically record stress levels, relying on user-initiated tracking. Only one instance on September 13 shows stress levels between 29 and 33 (Fig. 15). Activity levels average around 4000 steps, with a peak of over 8000 steps on September 4, 2023 (Fig. 16).

6.1.4. Amazfit Band 7

Non-REM sleep time is consistently lower than REM sleep, indicating additional variables not included (Fig. 9). Average awake time is 10.9 minutes, with an increase to 33 minutes on July 14 (Fig. 22). Amazfit offers continuous SpO2 measurement, with levels above 90 except for a drop to 84 on July 11 (Fig. 14). "Pressure rate" rather than "stress" is used, peaking on July 14 (Fig. 15).

6.2. Taxonomy of wrist-wear digital forensic artifacts

The study reveals several wrist-wear artifacts on the iOS operating system that hold forensic value, providing practitioners with significant data for investigations (Fig. 7). The taxonomy is categorized according to the artifact catalog structure suggested by Casey et al. (2022).

The artifact catalog includes:

1. Category: Health features (e.g., sleep, heart rate, SpO2, activities, stress).
2. Platform: Operating systems (e.g., Android Wear, Zepp OS, Wear OS on iOS).
3. Container: Full path or data structure of the container, including respective databases and tables.
4. Artifacts: Both atomic and dependent artifacts.

The presence of the artifact catalog addresses potential knowledge gaps among practitioners, ensuring awareness of forensic capabilities and enhancing investigation outcomes.

Fig. 7. Taxonomy of Wrist-Wear Digital Forensic Artifacts.

6.3. Consistency analysis of variables across vendors in forensic investigations

The consistency of data is crucial in forensic investigations. We examined variables within each vendor’s dataset to ensure analysis integrity. Fig. 8 shows the intersection of variables among Huawei, Amazfit, and Xiaomi for sleep monitoring, heart rate monitoring, blood oxygen saturation measurement, activity tracking, and stress measurement.

The Venn diagram highlights overlapping areas, indicating commonly measured and recorded variables across different devices. Sleep monitoring, activity tracking, and stress measurements show the highest overlap, suggesting these variables provide reliable insights across vendors. Heart rate monitoring and blood oxygen saturation measurements show varying degrees of overlap, indicating differences in data availability.

By focusing on consistent variables, forensic practitioners can rely on robust evidence, enhancing the credibility of their findings.

Fig. 8. Intersection of Variables among Huawei, Amazfit, and Xiaomi Vendor.

7. Future directions

This section presents some potential future directions for the WristSense framework:

1. Extension to Other Wearables: One promising direction is to extend the framework beyond wrist-worn devices and incorporate compatibility with other wearables, such as smart clothes. This expansion would allow for a more comprehensive analysis of health data from a wider range of devices, providing additional insights and potential evidence for digital forensic investigations.
2. Ensuring Accuracy of Investigated Wrist-Wear Devices: Wrist-wear devices often provide data that is prone to inaccuracies due to factors such as environmental conditions, user-specific characteristics (e.g., tattoos, scars, excessive wrist hair), and proprietary sensor algorithms. For example, Huawei has acknowledged that capillary narrowing in cold environments can lead to inaccurate heart rate measurements. Future work should focus on systematically quantifying error rates for each physiological feature (e.g., heart rate, sleep patterns, SpO2) and developing mechanisms for validating the accuracy of data collected under varying conditions. Additionally, incorporating cross-sensor or cross-device corroboration methods can help mitigate these inaccuracies and ensure more reliable forensic insights.
3. Framework Validation: Conducting thorough validation studies to assess the PCE generated through the WristSense framework would be a crucial step. Validation efforts can involve comparing the obtained results from different digital forensics extraction and analysis techniques to ensure reproducibility. This validation process would enhance confidence in the framework’s capabilities and support its adoption in the field.
4. Integration with Other Digital Forensic Investigation Tools: Recognizing the importance of collaboration and interoperability, the framework seamlessly integrates with established forensic tools, facilitating a comprehensive examination of wrist device data alongside other forms of digital evidence. This integration empowers investigators to leverage the strengths of different tools and enhance the efficiency and effectiveness of their forensic analyses.
5. Encryption Challenges: Addressing the challenge posed by encryption mechanisms in certain wrist-wear devices, such as Samsung devices, is an important future direction. Developing techniques to overcome encryption barriers and analyze encrypted data would expand the framework’s applicability and ensure a more comprehensive analysis of potential circumstantial evidence.
6. Admissibility of Wrist-Worn Device Data in Forensics: Future research should focus on developing standardized guidelines and methodologies to ensure the admissibility of data from wrist-wear devices in court. This involves not only addressing inaccuracies but also demonstrating how these devices can produce reliable evidence when supported by corroborative data.

By pursuing these directions, the framework can further enhance its capabilities and contribute to the advancement of digital forensic investigations involving wrist devices and other wearables.

8. Conclusion

In conclusion, the research presented in this study addresses the challenges and opportunities posed by wrist-worn devices in the field of digital forensics. The widespread adoption of wearable technology, particularly wrist devices, has created a new frontier for investigators, necessitating the exploration of their potential implications.

The study highlights the limited scope of previous research, which focused on specific operating systems while neglecting the overall market share and diverse range of vendors in the wrist device market. This oversight presents challenges for digital investigators in retrieving and analyzing data from wrist devices with different operating systems. Furthermore, the utilization of health data from wrist devices in digital investigations has been relatively unexplored.

To bridge these gaps, the WristSense framework is proposed, offering a systematic approach to extracting health-related data from heterogeneous sources of wrist devices. The framework is designed to ensure compatibility with devices from different vendors and enables the analysis of various health data, including sleep patterns, heart rate, blood oxygen saturation, activities, and stress levels. Through comprehensive case studies involving wrist devices from Huawei, Amazfit, Xiaomi, and Samsung, the effectiveness of the WristSense framework in extracting and analyzing data from various vendors is demonstrated.

The results of the case studies reveal potential circumstantial evidence that can be valuable for forensic investigations involving wrist-

Software availability

A comprehensive software framework, WristSense, was developed to systematically extract, analyze, and visualize health-related data from various wrist-worn devices. The software is designed for reproducibility and ease of use, accommodating multiple device vendors such as Huawei, Amazfit, and Redmi.

The framework consists of modular Python scripts tailored to each device, ensuring compatibility while adhering to a unified workflow. It includes separate scripts for data extraction and analysis, as well as integrated tools for certain vendors. A detailed README file is provided, outlining the usage of each script and demonstrating the overarching functionality of the framework.

The software is openly available on GitHub,³ enabling researchers to utilize or expand upon the framework for their investigations. This repository also includes the WristSense-VendorData dataset to facilitate reproducibility.

Funding

This publication is based upon work supported by the King Fahd University of Petroleum & Minerals. The authors at KFUPM acknowledge the Interdisciplinary Research Center for Intelligent Secure Systems for the support received under Grant no. INSS2301.

Declaration of competing interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgements

The authors gratefully acknowledge the valuable contributions of Ahmad Almulhem (Department of Computer Engineering, King Fahd University of Petroleum and Minerals), Amena Alhemyari (Psychiatrist, Department of Psychiatry, Imam Abdulrahman Bin Faisal University), and Muhammad Khalid (School of Computer Science and Technology, University of Hull). Their feedback and expertise greatly influenced the understanding of wrist-sense device data, shaping the proposed frame-
worn devices. The research introduces a wear-device artifact catalog,
work and providing valuable insights. We appreciate their support and
providing practitioners with a cod­fied and leveraged forensic collective
guidance throughout this research project.
knowledge. This artifact catalog holds significance for practitioners in
the field, enabling them to identify and interpret forensic artifacts from
Appendix A. Visualizations of case study results
wrist devices. Additionally, the study conducts a consistency analysis of
variables across vendors to ensure the integrity of the data in forensic
investigations. This analysis enhances the reliability of the findings and This appendix provides detailed visualizations of the case study re­
strengthens the potential evidentiary value of the extracted data. sults discussed in Section 5.3 (Figs. 19--21).
While the research demonstrates the effectiveness of the WristSense
framework, challenges such as encryption mechanisms on certain de­ Data availability
vices are acknowledged and warrant further investigation.
In summary, this research provides a comprehensive overview of I have shared the link to my data and code in the manuscript
suspect or victim health data obtained from wrist-worn devices, em­
powering digital forensics investigators to reconstruct detailed timelines References
and gather crucial evidence. The WristSense framework offers a valuable
toolset for extracting and analyzing data from a wide range of vendors, Almogbil, A., Alghofaili, A., Deane, C., Leschke, T., 2020. Digital forensic analysis of fitbit
wearable technology: an investigator’s guide. In: 2020 7th IEEE International Confer­
contributing to the advancement of digital forensic investigations in the
ence on Cyber Security and Cloud Computing (CSCloud)/2020 6th IEEE International
evolving landscape of wearable technology. Conference on Edge Computing and Scalable Cloud (EdgeCom). IEEE, pp. 44--49.
de Arriba-Pérez, F., Caeiro-Rodríguez, M., Santos-Gago, J.M., 2016. Collection and pro­
CRediT authorship contribution statement cessing of data from wrist wearable devices in heterogeneous and multiple-user sce­
narios. Sensors 16, 1538.
Ayers, R., Brothers, S., Jansen, W., 2014. Nist Special Publication 800-101 Guidelines on
Norah Ahmed Almubairik: Writing -- review & editing, Writing Mobile Device. Obtenido de National Institute of Standards and Technology. http://
– original draft, Visualization, Software, Methodology. Fakhri Alam nvlpub.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-101r1.pdf.
Khan: Writing -- review & editing, Supervision, Funding acquisition.
Rami Mustafa Mohammad: Supervision, Writing -- review & editing.
3
Mubarak Alshahrani: Conceptualization, Investigation, Supervision. https://github.com/naalmubairik/WristSense.


Fig. 9. Distribution of sleep time across its variables for the Whole Dataset.

Fig. 10. Huawei Fit2: Distribution of all sleep time across its components in different months.

Baggili, I., Oduro, J., Anthony, K., Breitinger, F., McGee, G., 2015. Watch what you wear: chronic obstructive pulmonary disease (copd) over one week: observational study.
preliminary forensic analysis of smart watches. In: 2015 10th International Confer­ JMIR mHealth uHealth 7, e12866.
ence on Availability, Reliability and Security. IEEE, pp. 303--311. Cano-Lopez, I., Gonzalez-Bono, E., 2019. Cortisol levels and seizures in adults with
BBC News, 2017. Fitbit data contradicts husband’s story in wife’s murder case, say police. epilepsy: a systematic review. Neurosci. Biobehav. Rev. 103, 216--229.
https://www.bbc.com/news/world-us-canada-39710528. Casey, E., Nguyen, L., Mates, J., Lalliss, S., 2022. Crowdsourcing forensics: creating a
Becirovic, S., Mrdovic, S., 2019. Manual iot forensics of a Samsung gear s3 frontier smart­ curated catalog of digital forensic artifacts. J. Forensic Sci. 67, 1846--1857.
watch. In: 2019 International Conference on Software, Telecommunications and Com­ Chow, H.W., Yang, C.C., et al., 2020. Accuracy of optical heart rate sensing technology
puter Networks (SoftCOM), IEEE, pp. 1--5. in wearable fitness trackers for young and older adults: validation and comparison
Bent, B., Goldstein, B.A., Kibbe, W.A., Dunn, J.P., 2020. Investigating sources of inaccu­ study. JMIR mHealth uHealth 8, e14707.
racy in wearable optical heart rate sensors. npj Digit. Med. 3, 18. Co., H.D. Measuring your blood oxygen levels (spo2) with huawei watch/band. https://
Buekers, J., Theunis, J., De Boever, P., Vaes, A.W., Koopman, M., Janssen, E.V., Wouters, consumer.huawei.com/sa-en/support/article/en-us15847198/.
E.F., Spruit, M.A., Aerts, J.M., 2019. Wearable finger pulse oximetry for continu­ Davies, H.J., Williams, I., Peters, N.S., Mandic, D.P., 2020. In-ear spo2: a tool for wearable,
ous oxygen saturation measurements during daily home routines of patients with unobtrusive monitoring of core blood oxygen saturation. Sensors 20, 4879.

13
N.A. Almubairik, F.A. Khan, R.M. Mohammad et al.
Forensic Science International: Digital Investigation 52 (2025) 301862

Fig. 11. Time series for sleep variables.

Fig. 12. Scatter plot for heart rate variables.


Fig. 13. Min, Max, and Average values for each variable of blood oxygen variables.

Fig. 14. Scatter plot for blood oxygen variables.

Fig. 15. Scatter plot for stress/pressure variables.

Fig. 16. Time series for activity variables.

Fig. 18. Huawei Fit2 - Activity variables for specific date "crime scene date".

Fig. 19. Huawei Band7 - Activity variables for specific date "crime scene date".

Fig. 20. Xiaomi Watch3 - Activity variables for specific date "crime scene date".

Fig. 21. Amazfit Band7 - Activity variables for specific date "crime scene date".

Fig. 17. Sleep variables for specific date "crime scene date" in minutes.

Fig. 22. Average awake times in minutes. (For interpretation of the colors in the figure(s), the reader is referred to the web version of this article.)

Fig. 23. Correlation between steps and calories.

18
N.A. Almubairik, F.A. Khan, R.M. Mohammad et al.
Forensic Science International: Digital Investigation 52 (2025) 301862
Onik, A.R., Spinosa, T.T., Asad, A.M., Baggili, I., 2024. Hit and run: forensic vehicle event Wackernagel, D., Blennow, M., Hellström, A., 2020. Accuracy of pulse oximetry in preterm
reconstruction through driver-based cloud data from progressive’s snapshot applica­ and term infants is insufficient to determine arterial oxygen saturation and tension.
tion. Forensic Sci. Int.: Digit. Investig. 49, 301762. Acta Pædiatr. 109, 2251--2257.
Pande, J., Prasad, A., 2016. Digital Forensics. Uttrakhand Open University. Williams, J., MacDermott, Á., Stamp, K., Iqbal, F., 2021. Forensic analysis of fitbit
Parlak, O., 2021. Portable and wearable real-time stress monitoring: a critical review. versa: Android vs ios. In: 2021 IEEE Security and Privacy Workshops (SPW). IEEE,
Sens. Actuators Rep. 3, 100036. pp. 318--326.
Popleteev, A., 2015. Activity tracking and indoor positioning with a wearable magnet. In: Wilson, L.C., Scarpa, A., 2012. Criminal behavior: the need for an integrative approach
Adjunct Proceedings of the 2015 ACM International Joint Conference on Pervasive that incorporates biological i­fluences. J. Contemp. Crim. Justice 28, 366--381.
and Ubiquitous Computing and Proceedings of the 2015 ACM International Sympo­ Yoon, Y.H., Karabiyik, U., 2020. Forensic analysis of fitbit versa 2 data on Android. Elec­
sium on Wearable Computers, pp. 253--256. tronics 9, 1431.
Rongen, J., Geradts, Z., 2017. Extraction and forensic analysis of artifacts on wearables. Yoshihi, M., Okada, S., Wang, T., Kitajima, T., Makikawa, M., 2021. Estimating sleep stages
Int. J. Forensic Sci. Pathol., 312--318. using a head acceleration sensor. Sensors 21. https://doi.org/10.3390/s21030952.
Shaffer, F., Ginsberg, J.P., 2017. An overview of heart rate variability metrics and norms. https://www.mdpi.com/1424-8220/21/3/952.
Front. Public Health 5, 258. https://doi.org/10.3389/fpubh.2017.00258. Zhang, S., Li, Y., Zhang, S., Shahabi, F., Xia, S., Deng, Y., Alshurafa, N., 2022. Deep
Shin, G., Jarrahi, M.H., Fei, Y., Karami, A., Gafinowitz, N., Byun, A., Lu, X., 2019. Wear­ learning in human activity recognition with wearable sensors: a review on advances.
able activity trackers, accuracy, adoption, acceptance and health impact: a systematic Sensors 22, 1476.
literature review. J. Biomed. Inform. 93, 103153. Zhao, C., Zeng, W., Hu, D., Liu, H., 2021. Robust heart rate monitoring by a single wrist­
Tsukuda, M., Nishiyama, Y., Kawai, S., Okumura, Y., 2019. Identifying stress markers in
worn accelerometer based on signal decomposition. IEEE Sens. J. 21, 15962--15971.
skin gases by analysing gas collected from subjects undergoing the trier social stress
test and performing statistical analysis. J. Breath Res. 13, 036003.

19

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy