Monday, February 28, 2011

Geotags: Friend or Foe?

by David Benford
Director, Blackstage Forensics

I recently wrote a research paper, “Geotag Data: The Modification of Evidence on the Apple iPhone”, based around the possibility of modifying geotag evidence on the Apple iPhone. A test was performed as part of this project, to find out how easy it is to discover a person’s home location, social and business movements and background information.

The process began with a Google Image search for the criteria "Blog iPhone self taken". The aim was to trace an image taken by an iPhone for a personal blog, which would hopefully be of the user, hence "self taken". In Google "Advanced Image Search" some options were changed, such as ticking "Tall Image" and the "JPG" file type; the theory being that most iPhone images are portrait orientation and JPG format. A suitable image appeared, of a woman photographing herself at the hairdresser's. The image was saved and opened in TAGView, which showed the location of the shop to be in a specific street in Oregon. As there is only one hairdresser listed in this street, selecting the correct business was straightforward. The image linked through to the woman's blog and, by doing a search, several more images taken on her iPhone were found, complete with geotag data. The woman had taken a photograph of a magazine, mentioning that she was reading it at the dentist's surgery. The surgery could be located within a minute and was found to be around the corner from the hairdresser's shop. There was an image of a cake, along with its geotag pointing to Walmart. There was an image of her foot, taken in her kitchen, and the geotag gave an approximate location of where she lived. Images on the blog that were taken on her drive had no geotags, but with an approximate idea of her home address these could be used to pinpoint the exact property by viewing Google Street View. There were also non-tagged images of her family, giving further personal information. In the side margin of the blog there was a link to her Twitter page. Twitter displayed her actual name, where she was at any time, and gave an even more detailed pattern of her movements, social life, family's sports and hobbies, dining out preferences and so on. All of this information was derived from the source of just one geotag within a JPG image.
This woman was potentially not only putting herself at risk, but also her family...
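The exposure described above comes down to a handful of bytes in the JPEG's APP1 Exif segment: a GPSInfo pointer (tag 0x8825) in IFD0 leading to a GPS IFD that holds the latitude/longitude as degree-minute-second rationals. The following is an added example, not code from the paper or from TAGView: a dependency-free Python reader that walks the JPEG marker segments, follows the TIFF structure to the GPS IFD and converts it to signed decimal degrees, plus the blunt fix of dropping the whole Exif segment. The JPEG it parses is constructed in-line (a bare SOI/APP1/EOI shell with no image data, at a made-up coordinate), so nothing here is a real photograph or a real address.

```python
import struct

GPS_INFO_TAG = 0x8825                      # IFD0 entry pointing at the GPS IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def build_gps_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed sample input: a minimal JPEG (SOI, APP1 Exif, EOI) whose Exif
    block carries only a GPS IFD. It stands in for a phone photo; it has no pixels."""
    tiff = b"II" + struct.pack("<HI", 42, 8)             # little-endian TIFF header, IFD0 at 8
    gps_ifd_off = 8 + 2 + 12 + 4                          # IFD0 = count + one entry + next pointer
    ifd0 = (struct.pack("<H", 1)
            + struct.pack("<HHII", GPS_INFO_TAG, 4, 1, gps_ifd_off)   # type 4 = LONG
            + struct.pack("<I", 0))
    data_off = gps_ifd_off + 2 + 12 * 4 + 4               # RATIONALs follow the 4-entry GPS IFD
    gps_ifd = struct.pack("<H", 4)
    gps_ifd += struct.pack("<HHI", GPS_LAT_REF, 2, 2) + lat_ref.encode() + b"\0\0\0"  # ASCII inline
    gps_ifd += struct.pack("<HHII", GPS_LAT, 5, 3, data_off)                           # 3 RATIONALs
    gps_ifd += struct.pack("<HHI", GPS_LON_REF, 2, 2) + lon_ref.encode() + b"\0\0\0"
    gps_ifd += struct.pack("<HHII", GPS_LON, 5, 3, data_off + 24)
    gps_ifd += struct.pack("<I", 0)
    rationals = b"".join(struct.pack("<II", v, 1) for v in lat_dms + lon_dms)
    app1 = b"Exif\0\0" + tiff + ifd0 + gps_ifd + rationals
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _segments(jpeg):
    """Yield (marker, payload, start, end) for each marker segment before SOS/EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):        # SOS (scan data follows) or EOI: stop walking
            break
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length
        yield marker, jpeg[pos + 4:end], pos, end
        pos = end


def _read_ifd(tiff, off, e):
    """Return [(tag, type, count, raw 4-byte value-or-offset field)] for the IFD at off."""
    (n,) = struct.unpack(e + "H", tiff[off:off + 2])
    out = []
    for i in range(n):
        ent = off + 2 + 12 * i
        tag, typ, cnt = struct.unpack(e + "HHI", tiff[ent:ent + 8])
        out.append((tag, typ, cnt, tiff[ent + 8:ent + 12]))
    return out


def _rationals(tiff, e, raw, cnt):
    """Dereference a RATIONAL array (pairs of uint32 numerator/denominator)."""
    (off,) = struct.unpack(e + "I", raw)
    vals = []
    for i in range(cnt):
        num, den = struct.unpack(e + "II", tiff[off + 8 * i:off + 8 * i + 8])
        vals.append(num / den)
    return vals


def extract_gps(jpeg):
    """Return (lat, lon) in signed decimal degrees, or None if there is no usable GPS IFD."""
    for marker, payload, _, _ in _segments(jpeg):
        if marker != 0xE1 or not payload.startswith(b"Exif\0\0"):
            continue
        tiff = payload[6:]
        e = "<" if tiff[:2] == b"II" else ">"               # byte order from the TIFF header
        if struct.unpack(e + "H", tiff[2:4])[0] != 42:
            raise ValueError("bad TIFF magic in Exif segment")
        (ifd0_off,) = struct.unpack(e + "I", tiff[4:8])
        gps_off = next((struct.unpack(e + "I", raw)[0]
                        for tag, _, _, raw in _read_ifd(tiff, ifd0_off, e)
                        if tag == GPS_INFO_TAG), None)
        if gps_off is None:
            return None
        gps = {tag: raw for tag, _, _, raw in _read_ifd(tiff, gps_off, e)}
        if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            return None
        d, m, s = _rationals(tiff, e, gps[GPS_LAT], 3)
        lat = d + m / 60 + s / 3600
        d, m, s = _rationals(tiff, e, gps[GPS_LON], 3)
        lon = d + m / 60 + s / 3600
        lat = -lat if gps[GPS_LAT_REF][:1] == b"S" else lat
        lon = -lon if gps[GPS_LON_REF][:1] == b"W" else lon
        return lat, lon
    return None


def strip_exif(jpeg):
    """Return a copy of the JPEG with every APP1 Exif segment removed, geotag included."""
    out = bytearray(jpeg[:2])
    pos = 2
    for marker, payload, start, end in _segments(jpeg):
        if not (marker == 0xE1 and payload.startswith(b"Exif\0\0")):
            out += jpeg[start:end]
        pos = end
    out += jpeg[pos:]                     # scan data and EOI are copied through untouched
    return bytes(out)


if __name__ == "__main__":
    sample = build_gps_jpeg((45, 30, 0), "N", (122, 39, 0), "W")   # made-up coordinate
    print(extract_gps(sample))                     # (45.5, -122.65)
    print(extract_gps(strip_exif(sample)))         # None
```

Dropping the whole APP1 segment is the blunt approach: it also discards the camera model, timestamp and orientation, which is usually what a blogger wants but not what an examiner wants. A finer version would rewrite IFD0 without the 0x8825 entry and leave the rest of the Exif intact; the same `_read_ifd` walk is the starting point for either. The reader above handles both TIFF byte orders, so it works on files from cameras that write big-endian ("MM") headers as well as the little-endian sample built here.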


Thursday, February 24, 2011

Computer forensics to die out by 2020

Somewhat contrary to expectations, I was interested to see that a search for "computer forensics" using Google's Insights for Search tool would appear to suggest that global interest in the field will fizzle out completely by 2020 or thereabouts (my screen wasn't quite wide enough to do an exact calculation):

Make hay while the sun shines, boys, the end is nigh!

Is the NTSB a model for incident response?

by Sean McLinden

Recently, the events surrounding the defacement of the HBGary Web site and publication of sensitive data were being bandied about on a number of forensic, security and incident response sites. As is typical for these kinds of high profile events, some of those voicing opinions were not in the know, while those who actually knew something were staying silent.

In my experience this is commonly the case. High profile events can damage the reputation of individuals and companies and in many cases the truth, coming from those in the know, is more damaging than speculation from those in the bleachers. Counsel for the proximate "victims" often advise their clients to say nothing, reasoning that any official comment could be construed as an admission, whereas the speculation of others can be labeled as just that.

The following alleged account of the HBGary incident, while tinged with mildly satirical comments, is nonetheless one of the most thought-provoking, if not accurate, descriptions of the surrounding events. It can be found here:

and it got me thinking.

Many years ago, I had a horrific experience at Chicago O'Hare International Airport when, while looking out the window of the concourse, I witnessed American Airlines DC-10 Flight 191 take off, roll to the left, and plunge to the ground along with 258 passengers and 13 crew. There is something unnerving about air crashes, though they kill far fewer people than automobile accidents, and, I suspect, part of the reason is that they often lack a reasonable explanation when they happen.

But one difference between airplane accidents and digital incident investigations is that the former is a public process and a process by which we learn what failed, and why. And American Airlines Flight 191, like the account described in the link above, is a perfect example of what is to be learned through a public process...