Adam w. mosher - geo tagging - atlseccon2011

Information Warfare

Information Exchange with GeoTagging

Atlantic Security Conference

Halifax, Nova Scotia

March 5, 2011

Adam W. Mosher

Senior Security and Network Consultant

Importance of GeoTagging?

• Population of the World 6.8 Billion

• Subscription to Mobile devices 5.5 Billion

• 81% of the population has mobile devices

• This has changed the whole landscape for the

way the business world operates and the way the

criminal world operates.

Attack Vector

• The explosion of technology has closed the gap between the

intersection of cyberspace and real space.

• The attack vector has been diminished from sophistication, to

simplicity.

• Sex related offenses. Analogy of predator vs. prey.

• Identity theft has become a few keystrokes of effort.

• Limitations of certain laws and corporate policies.

GPS and its potential

in the Forensic World

• ‘Traditional’ mobile device forensics.

• GeoTagging would not exist without GPS.

• Forensics Investigators should understand:

– The basic concept of the Global Positioning System

– The basic concept of the GPS network and how it functions.

– How the underlying technology works?

• Without this basic understanding, it becomes difficult to effectively

take advantage of geotagging technology and information.

GPS

• Essentially provides reliable time

and location information.

• 24 satellites, positioned 12,000

miles above the Earth orbiting 7,000

miles per hour.

• Satellites circle the earth twice each

day in a very precise orbit and

transmit signal information back to

Earth.

Satellites

• Powered by solar energy, with

backup battery supply.

• Power boosters ensure proper

travel through the orbit.

• Three signals contain all the

information that is sent

through the radio signal.

Need to knows

Investigators should be

aware of signal multipathing

and selective availability.

Clock synchronization

What corrects the issues?

• WASS

• A-GPS

• Location Based Services

GPS Receivers

• 2D position consists of

latitude and longitude.

• 3D position consists of

latitude, longitude and

altitude.

The newer iPhones accuracy even

exceeds that of many stand alone

GPS devices, as the device

determines its position in combination

with cell tower triangulation to +/- 1

meter accuracy

Carriers

Technology

GSM

Global System of Mobile

Communications

CDMA

Code Division Multiple Access

Much more prevalent due to its World

Wide Usage

America and selected parts of Asia.

EDGE is functionality and less speed EVDO is speed and less functionality

Account information is on SIM card Account information is programmed on

phone.

Mobile Devices /

Embedded Devices

GeoTagging

Information

• All GPS enabled devices will carry similar information, just stored in

different locations.

• GPS Remnants – cached map queries, traffic or social networking

applications.

• You will have a gps log file, photograph log file, google earth log file

and a photo index file

• Graphically display the trackpoints, track logs, waypoints and routes.

• Camera metadata.

• How to work around barriers and failures?

GeoTagging

• GeoTagging allows the insertion of location data into an image, or

other form of media (videos, sms, websites).

• Fault…the definition is narrow. Can contain much more information

than geographical data.

• Can be done manually or automatically. In theory, it is not overtly

complicated.

• Effective when used in image search engines.

• All about finding location based information.

GeoTagging

Example

EXIF

• EXIF – Exchangeable Image File Format.

• Based on TIFF, which is simply a file format for storing images.

• Metadata information is organized into different Image File

Directories (IFD's) within an image

Flash Memory

NOR

Negated OR Function

NAND

Negated AND Function

Behaves like other random access

devices (SRAM and DRAM)

Part random and part serial.

All about code storage. All about data storage. This is where

the end user reads and writes to.

GeoTagging

• What geotagging is not?

GeoTagging

‘cybercasing’

• Cybercasing – tracking someone’s activities through cyber space

• You need to have a target of interest

• The target needs to be attainable

• This is where fantasy and reality turn dangerous.

Knowledge

Scripting

Setting our sites on a

target!

Small 40 line code written

in Python.

Will extract enormous

amounts of images from a

site, or sites.

Blogspot

We have become

part of this family

First, middle and last

name for each family

member

Name of the child’s

daycare

The other name’s of the

children in the daycare

Emergency contact

information for children

at the daycare

Home address and work

address for both parents

Pictures of inside,

outside of the house.

Pictures of daycare,

doctor’s office and

parents work

Clothe size of the child Name of where the

parent’s work and

organizations they are

involved in

Hours the parents work. A schedule when the

child is dropped off at

daycare and which

parent drops them off

Email addresses

Last time the child was

checked at the doctor.

Who the doctor is.

Chat site the babysitter

uses.

• ICSL – Internet Commerce Security Laboratory

• Yang’s Scientific Research Institute

iPhone 4

• Based on direct manipulation

• Four abstraction layers:

– Core OS layer

– Core services layer

– Media layer

– Cocoa touch layer

• Very impressive geotagging capabilities.

• Beyond the base installed applications, all are installed by the user

iPhone GeoTagging

• Latitude, longitude, altitude, compass heading, accuracy data, time,

make and model

• Videos…information is placed near the end of the file, which is not in

standard EXIF location.

• Cell Tower Data (root/Library/Caches/locationd)

• /Library/Maps (can be from logical or physical)

– History.plist

– Directions.plist

– Bookmark.plist

Sex Offender

Monitoring

Corrections Usage

of GeoTagging

• Standard supervision condition that sex offenders are not supposed

to be in places frequented by kids, strip clubs, adult movie places.

• How can you prove this?

• There is limited cell phone monitoring.

• Computer monitoring software.

• Evidence from social networking sites.

• GPS in ankle bracelets

Future of GeoTagging

• Search and Seizure

• Wiretaps

• Tracker scraping from p2p sites

• Child Pornography image detection over a p2p network

• Metadata extraction over p2p networks

• Warrants

• Sex offender tracking

• Identity theft

• Criminal activities

• Corporate Security

If you are interested in a toolkit with all

sorts of tools and descriptions on how to

use them for GeoTagging, please just

drop me an email and I will send you a

link and password.

Useful for forensics investigators

(criminal, corporate, private sector)

[email protected]