by David Benford
Director, Blackstage Forensics
There appear to be many arguments on the web that it is not well known amongst users that the geotag feature is activated by default. A very recent article published by the International Computer Science Institute in America supports this argument, along with the theories of the potentially dangerous nature of publishing data with embedded geotags. The authors, Gerald Friedland and Robin Sommer, argue that websites such as Flickr, whose APIs allow easy searching on specific criteria such as time, place and date, can place unsuspecting users in a potentially vulnerable position (Friedland & Sommer, 2010).
There is a strong possibility that similar search techniques could be adopted by paedophiles to discover the locations of young children. Innocent images, incorporating geotags, of children may have been taken by their family and uploaded to a blog for sharing with friends and family. There are many blogs that link through to social networking accounts that, when used together with the geotags, can assist in presenting a relatively clear picture of where a family lives, goes on holiday, works or socialises away from home, or can provide travelling times and school details. There are many cases of similar details being used by criminals for cybercasing and cyberstalking, as websites such as ICanStalkYou.com (URL no longer active) have highlighted.
There may also be an argument against the geotagging of images of endangered animals and birds. Geotagged online photographs of, for example, a rare bird sitting in its nest, could leave the bird vulnerable to poachers, egg collectors and hunters. With the availability of cameras, such as the Fujifilm Finepix XP30, that have in-built GPS, the proliferation of geotags may increase. With the XP30 being waterproof, it is particularly suitable for outdoor use and therefore for photographing wildlife.
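As an added example (not part of the original article), the following check reads the EXIF GPS directory of a JPEG so that an image can be audited for an embedded position before it is published. The function names and the sample image, whose coordinates are constructed, are assumptions made for illustration.

```python
import struct

def _ifd(tiff, off, e):
    """Map tag -> raw 4-byte value field for the TIFF directory at `off`."""
    (n,) = struct.unpack_from(e + "H", tiff, off)
    return {struct.unpack_from(e + "H", tiff, off + 2 + 12 * i)[0]:
            tiff[off + 10 + 12 * i:off + 14 + 12 * i] for i in range(n)}

def _degrees(tiff, field, e):
    """Follow the offset in `field` to three RATIONALs (deg, min, sec)."""
    v = struct.unpack_from(e + "6I", tiff, struct.unpack(e + "I", field)[0])
    return v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600

def _gps_position(tiff):
    """Decode GPSLatitude/GPSLongitude from an EXIF TIFF block, if present."""
    e = "<" if tiff[:2] == b"II" else ">"     # byte order: Intel or Motorola
    ifd0 = _ifd(tiff, struct.unpack_from(e + "I", tiff, 4)[0], e)
    if 0x8825 not in ifd0:                    # no GPSInfo pointer in IFD0
        return None
    gps = _ifd(tiff, struct.unpack(e + "I", ifd0[0x8825])[0], e)
    if 2 not in gps or 4 not in gps:          # GPSLatitude / GPSLongitude
        return None
    lat, lon = _degrees(tiff, gps[2], e), _degrees(tiff, gps[4], e)
    lat = -lat if gps.get(1, b"N")[:1] == b"S" else lat   # GPSLatitudeRef
    lon = -lon if gps.get(3, b"E")[:1] == b"W" else lon   # GPSLongitudeRef
    return round(lat, 6), round(lon, 6)

def find_geotag(jpeg):
    """Return (lat, lon) in decimal degrees, or None; truncated EXIF raises."""
    pos = 2                                   # skip SOI (FF D8)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        end = pos + 2 + struct.unpack_from(">H", jpeg, pos + 2)[0]
        if jpeg[pos + 1] == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            return _gps_position(jpeg[pos + 10:end])
        pos = end
    return None

def build_sample():
    """Constructed sample: metadata-only JPEG tagged 51°30'0"N, 0°7'30"W."""
    ent = lambda tag, typ, cnt, val: struct.pack("<HHI4s", tag, typ, cnt, val)
    p32 = lambda n: struct.pack("<I", n)
    tiff = b"II*\0" + p32(8)                                   # TIFF header
    tiff += struct.pack("<H", 1) + ent(0x8825, 4, 1, p32(26)) + p32(0)
    tiff += (struct.pack("<H", 4) + ent(1, 2, 2, b"N\0") + ent(2, 5, 3, p32(80))
             + ent(3, 2, 2, b"W\0") + ent(4, 5, 3, p32(104)) + p32(0))
    tiff += struct.pack("<12I", 51, 1, 30, 1, 0, 1, 0, 1, 7, 1, 30, 1)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

A result of None means no GPS position was found in the EXIF block; it says nothing about location details held elsewhere, such as in captions or linked accounts.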
Modification of Geodata
In my recent research I carried out processes proving that geotag data can be modified on the iPhone. These changes can be made either to JPG metadata on the device or to metadata within the iTunes backup files, which are then restored to the device. The benefit of the latter method is that it is less detectable when forensically analysing the iPhone than the method of modifying the images on the device itself. Obviously, analysis of the computer where the changes were made to the iTunes backup should present artefacts, although that machine may not be available to the investigator as a source of evidence. Such modification can be used to falsify evidence, for example to create a false alibi or in an attempt to falsely incriminate a third party.
TAGView screenshot
The same methods can be applied to other iDevices, such as the iPod and iPad, and with Apple projecting iPhone sales of 100 million handsets and 48 million iPads for 2011, there are increasing possibilities that Apple iDevices may be misused for fraudulent or criminal activities. Of course, these modifications could just be done on a computer with no involvement of mobile phones.
Here are some hypothetical examples of modifying geotags for misuse:
· A person with a grudge could upload an image of some precious diamonds to Craigslist. They could convert the geotags to point to the target’s home address, therefore leaving the target and their family vulnerable to possible theft.
· If a victim’s phone could be accessed briefly, a pornographic image, taken by a similar device, could be transferred onto the target device. The image would have geotags pointing to the victim’s house address. The instigator could then anonymously inform the police that the victim is in possession of illegal images. The evidence is present on the device to help convict the victim. He may have often left his iPhone on his desk during the working day, but thought it OK as it was PIN-locked.
· An organised crime gang member could download a JPG of a girl from the web. The location could be modified to a disused warehouse, and then, via the wi-fi connection in the local cafe, the image uploaded to the web. The image geodata could be translated to the location by someone who works in ICT, who could decide to visit the address out of curiosity and is attacked and robbed.
In a case where an outcome may rely on geographical evidence, it is crucial to take into consideration that the data may have been tampered with, even if there is no forensic evidence present.
Due to the speed of users’ uptake of accessing email and the internet, along with the multimedia and geographic capabilities of the latest smart phones, there is an argument that such smart phone devices could easily become subject to misuse and to criminal and fraudulent activities. An example of this already happening is with the introduction of apps that utilise augmented reality. A definition of augmented reality, otherwise known as AR, is “the real-time mixing of computer generated and real-world information” (TheAssurer.com, 2010).
An example of AR working in conjunction with an iPhone is Layar utilising a Panoramio layer. Panoramio is a Google-owned app allowing images to be uploaded via a smart phone or internet browser. The images appear, for example, on Google Maps where certain criteria are entered into an API. This can then be interlaced with Layar, which is an app allowing the smart phone user to point the phone and view media tied to their current location. This AR system can also interlace further with Flickr and Google Earth, which arguably could cause further problems in the case of misuse. Could it be only a matter of time before this technology can be used to create violations of privacy and potentially endanger individuals and property? Creating an image of a person or object that may be likely to attract undesirable attention from criminals or sex offenders and geotagging it to a user’s location could be considered malicious and a violation of the user’s right to privacy and safety.
To summarise, such modifications of evidence on digital handheld devices may not be commonplace at the moment, but could prove to be a problem for victims in the future. Modifications of digital evidence may prove a future challenge for both law enforcement agencies and forensic examiners on a global scale. There is also an inherent naivety, amongst many users, regarding the dangers involved with publishing geotagged images on the internet.
If anyone would like a copy of “Geotag Data: The Modification of Evidence on the Apple iPhone” then PM me (RedCelica67 on ForensicFocus.com) or email me via the Blackstage Forensics website.
David Benford is Director of Blackstage Forensics (www.blackstage-forensics.co.uk), Derbyshire, England. He specialises in the forensic analysis of handheld digital devices and possesses an MSc in Forensic Computing & Security. He is also a trustee of the Cystinosis Foundation UK charity – see http://www.cystinosis.org.uk/our-charity/trustees for further details.