adam w. mosher - geo tagging - atlseccon2011
Information Warfare
Information Exchange with GeoTagging
Atlantic Security Conference
Halifax, Nova Scotia
March 5, 2011
Adam W. Mosher
Senior Security and Network Consultant
Importance of GeoTagging?
• Population of the World 6.8 Billion
• Subscription to Mobile devices 5.5 Billion
• 81% of the population has mobile devices
• This has changed the whole landscape for the
way the business world operates and the way the
criminal world operates.
Attack Vector
• The explosion of technology has closed the gap between the
intersection of cyberspace and real space.
• The attack vector has been reduced from sophistication to
simplicity.
• Sex related offenses. Analogy of predator vs. prey.
• Identity theft has become a few keystrokes of effort.
• Limitations of certain laws and corporate policies.
GPS and its potential
in the Forensic World
• ‘Traditional’ mobile device forensics.
• GeoTagging would not exist without GPS.
• Forensics Investigators should understand:
– The basic concept of the Global Positioning System
– The basic concept of the GPS network and how it functions.
– How the underlying technology works.
• Without this basic understanding, it becomes difficult to effectively
take advantage of geotagging technology and information.
GPS
• Essentially provides reliable time
and location information.
• 24 satellites, positioned 12,000
miles above the Earth, orbiting at 7,000
miles per hour.
• Satellites circle the earth twice each
day in a very precise orbit and
transmit signal information back to
Earth.
Satellites
• Powered by solar energy, with
backup battery supply.
• Power boosters ensure proper
travel through the orbit.
• Three signals contain all the
information that is sent
through the radio signal.
Need to knows
Investigators should be
aware of signal multipathing
and selective availability.
Clock synchronization
What corrects the issues?
• WAAS
• A-GPS
• Location Based Services
GPS Receivers
• 2D position consists of
latitude and longitude.
• 3D position consists of
latitude, longitude and
altitude.
The newer iPhones' accuracy even
exceeds that of many stand-alone
GPS devices, as the device
determines its position in combination
with cell tower triangulation to +/- 1
meter accuracy.
Carriers
Technology
• GSM (Global System for Mobile Communications)
– Much more prevalent due to its worldwide usage.
– EDGE is functionality and less speed.
– Account information is on SIM card.
• CDMA (Code Division Multiple Access)
– America and selected parts of Asia.
– EVDO is speed and less functionality.
– Account information is programmed on phone.
GeoTagging
Information
• All GPS enabled devices will carry similar information, just stored in
different locations.
• GPS Remnants – cached map queries, traffic or social networking
applications.
• You will have a GPS log file, a photograph log file, a Google Earth log file
and a photo index file.
• Graphically display the trackpoints, track logs, waypoints and routes.
• Camera metadata.
• How to work around barriers and failures?
GeoTagging
• GeoTagging allows the insertion of location data into an image, or
other form of media (videos, sms, websites).
• Fault…the definition is narrow. Can contain much more information
than geographical data.
• Can be done manually or automatically. In theory, it is not overtly
complicated.
• Effective when used in image search engines.
• All about finding location based information.
EXIF
• EXIF – Exchangeable Image File Format.
• Based on TIFF, which is simply a file format for storing images.
• Metadata information is organized into different Image File
Directories (IFD's) within an image
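
An added example (not from the original slides): a minimal Python walk of the structure described above, reading the TIFF header, following IFD0's GPS pointer tag (0x8825) into the GPS IFD and converting the stored degree/minute/second rationals to decimal degrees. The sample bytes are constructed; in a JPEG the same structure sits in the APP1 segment after the `Exif\0\0` marker, which is assumed to have been stripped already.

```python
import struct

GPS_IFD_POINTER = 0x8825  # IFD0 tag whose value is the byte offset of the GPS IFD

def read_ifd(buf, off, e):
    """Return {tag: 4-byte value/offset field} for the IFD at byte offset `off`."""
    (count,) = struct.unpack_from(e + "H", buf, off)
    entries = {}
    for i in range(count):                      # each entry is 12 bytes
        pos = off + 2 + 12 * i
        (tag,) = struct.unpack_from(e + "H", buf, pos)
        entries[tag] = buf[pos + 8:pos + 12]    # skip tag, type, count
    return entries

def dms(buf, field, ref, e):
    """Three RATIONALs (deg, min, sec) at the offset in `field` -> signed degrees."""
    (off,) = struct.unpack(e + "I", field)
    d, m, s = (n / den if den else 0.0
               for n, den in struct.iter_unpack(e + "II", buf[off:off + 24]))
    value = d + m / 60 + s / 3600
    return -value if ref in (b"S", b"W") else value

def gps_from_tiff(buf):
    """Return (lat, lon) from a TIFF/EXIF blob, or None if it has no GPS position."""
    e = {b"II": "<", b"MM": ">"}[bytes(buf[:2])]      # byte-order mark
    magic, ifd0_off = struct.unpack_from(e + "HI", buf, 2)
    if magic != 42:
        raise ValueError("not a TIFF header")
    ifd0 = read_ifd(buf, ifd0_off, e)
    if GPS_IFD_POINTER not in ifd0:
        return None
    (gps_off,) = struct.unpack(e + "I", ifd0[GPS_IFD_POINTER])
    gps = read_ifd(buf, gps_off, e)
    if not {1, 2, 3, 4} <= gps.keys():                # refs and coordinates
        return None
    return dms(buf, gps[2], gps[1][:1], e), dms(buf, gps[4], gps[3][:1], e)

def constructed_sample():
    """Constructed little-endian TIFF: IFD0 -> GPS IFD -> 44 38 54 N, 63 34 30 W."""
    ifd0 = struct.pack("<HHHIII", 1, GPS_IFD_POINTER, 4, 1, 26, 0)
    gps = (struct.pack("<H", 4)
           + struct.pack("<HHI4s", 1, 2, 2, b"N")    # GPSLatitudeRef
           + struct.pack("<HHII", 2, 5, 3, 80)       # GPSLatitude at offset 80
           + struct.pack("<HHI4s", 3, 2, 2, b"W")    # GPSLongitudeRef
           + struct.pack("<HHII", 4, 5, 3, 104)      # GPSLongitude at offset 104
           + struct.pack("<I", 0))
    rationals = struct.pack("<12I", 44, 1, 38, 1, 54, 1, 63, 1, 34, 1, 30, 1)
    return b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps + rationals
```

Used as a pre-publication check, any result other than None means the image still carries a position and its GPS IFD should be removed before the file is shared.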
Flash Memory
• NOR (Negated OR Function)
– Behaves like other random access devices (SRAM and DRAM).
– All about code storage.
• NAND (Negated AND Function)
– Part random and part serial.
– All about data storage. This is where the end user reads and writes to.
GeoTagging
‘cybercasing’
• Cybercasing – tracking someone’s activities through cyber space
• You need to have a target of interest
• The target needs to be attainable
• This is where fantasy and reality turn dangerous.
Scripting
Setting our sights on a
target!
Small 40 line code written
in Python.
Will extract enormous
amounts of images from a
site, or sites.
We have become part of this family
• First, middle and last name for each family member
• Name of the child’s daycare
• The other names of the children in the daycare
• Emergency contact information for children at the daycare
• Home address and work address for both parents
• Pictures of inside, outside of the house.
• Pictures of daycare, doctor’s office and parents' work
• Clothing size of the child
• Name of where the parents work and organizations they are involved in
• Hours the parents work.
• A schedule when the child is dropped off at daycare and which parent drops them off
• Email addresses
• Last time the child was checked at the doctor. Who the doctor is.
• Chat site the babysitter uses.
iPhone 4
• Based on direct manipulation
• Four abstraction layers:
– Core OS layer
– Core services layer
– Media layer
– Cocoa touch layer
• Very impressive geotagging capabilities.
• Beyond the base installed applications, all are installed by the user
iPhone GeoTagging
• Latitude, longitude, altitude, compass heading, accuracy data, time,
make and model
• Videos…information is placed near the end of the file, which is not in
standard EXIF location.
• Cell Tower Data (root/Library/Caches/locationd)
• /Library/Maps (can be from logical or physical)
– History.plist
– Directions.plist
– Bookmark.plist
Corrections Usage
of GeoTagging
• Standard supervision condition that sex offenders are not supposed
to be in places frequented by kids, strip clubs, adult movie places.
• How can you prove this?
• There is limited cell phone monitoring.
• Computer monitoring software.
• Evidence from social networking sites.
• GPS in ankle bracelets
Future of GeoTagging
• Search and Seizure
• Wiretaps
• Tracker scraping from p2p sites
• Child Pornography image detection over a p2p network
• Metadata extraction over p2p networks
• Warrants
• Sex offender tracking
• Identity theft
• Criminal activities
• Corporate Security
If you are interested in a toolkit with all
sorts of tools and descriptions on how to
use them for GeoTagging, please just
drop me an email and I will send you a
link and password.
Useful for forensics investigators
(criminal, corporate, private sector)