Geotags: Friend or Foe?

by David Benford
Director, Blackstage Forensics

I recently wrote a research paper, “Geotag Data: The Modification of Evidence on the Apple iPhone”, based around the possibility of modifying geotag evidence on the Apple iPhone. A test was performed as part of this project, to find out how easy it is to discover a person’s home location, social and business movements and background information.

The process was begun by doing a Google Image search for the criteria “Blog iPhone self taken”. This was to trace an image taken by an iPhone for a personal blog, which would hopefully be of the user, hence “self taken”. In Google “Advanced Image Search” some changes were made, such as “Tall Image” and “JPG” file type being ticked; the theory being that most iPhone images are of portrait type and JPG format. An image appeared that seemed suitable of a woman photographing herself at the hairdresser’s. The image was saved and opened in TAGView which showed the location of the shop to be in a specific street in Oregon. As there is only one hairdresser listed in this street the process of selecting the correct business was straightforward.

The image linked through to the woman’s blog and by doing a search, several more images taken on her iPhone were found complete with geotag data. The woman had taken a photograph of a magazine, mentioning that she was reading it at the dentist’s surgery. The surgery could be located within a minute and was found to be around the corner from the hairdresser’s shop. There was an image of a cake, along with its geotag pointing to Walmart. There was an image of her foot, taken in her kitchen, and the geotag gave an approximate location of where she lived. Images on the blog that were taken on her drive had no geotags. With an approximate idea of her home address, these could be used to pinpoint the exact property by viewing Google Street View. There were also non-tagged images of her family, giving further personal information.

In the side margin of the blog there was a link to her Twitter page. Twitter displayed her actual name, where she was at any time and gave an even more detailed pattern of her movements, social life, family’s sports and hobbies, dining out preferences and so on. All of this information was derived from the source of just one geotag within a JPG image. This woman was potentially not only putting herself at risk, but also her family.

There appear to be many arguments on the web that the geotag feature being activated by default is not a well-known fact amongst users. A very recent article published by the International Computer Science Institute in America supports this argument, along with the theories of the potentially dangerous nature of publishing data with embedded geotags. The authors, Gerald Friedland and Robin Sommer, argue that websites such as Flickr, whose APIs allow easy researching of specific criteria such as time, place and date, can place unsuspecting users in a potentially vulnerable position (Friedland & Sommer, 2010).
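A pre-publication check for the risk described above, as an added example that is not part of the original article or the author's research: this Python code parses a JPEG's Exif block and reports whether it carries a GPS directory, without reading out any coordinates. The function names and the two sample images are constructed for illustration.

```python
import struct

GPS_IFD_POINTER = 0x8825                       # IFD0 tag pointing at the GPS directory
GPS_LATITUDE, GPS_LONGITUDE = 0x0002, 0x0004   # tags inside the GPS directory

def find_exif(jpeg: bytes):
    """Return the TIFF block of the first Exif APP1 segment, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, length = jpeg[pos + 1], struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker in (0xDA, 0xD9):             # image data starts: no more metadata
            break
        body = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return body[6:]
        pos += 2 + length
    return None

def read_ifd(tiff: bytes, offset: int, endian: str) -> dict:
    """Map tag -> raw 4-byte value field for one IFD; truncated entries are skipped."""
    if offset + 2 > len(tiff):
        return {}
    count = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    starts = range(offset + 2, min(offset + 2 + 12 * count, len(tiff) - 11), 12)
    return {struct.unpack(endian + "H", tiff[s:s + 2])[0]: tiff[s + 8:s + 12] for s in starts}

def has_geotag(jpeg: bytes) -> bool:
    """True when the image has a GPS IFD holding latitude and longitude entries."""
    tiff = find_exif(jpeg)
    if tiff is None or len(tiff) < 8 or tiff[:2] not in (b"II", b"MM"):
        return False
    endian = "<" if tiff[:2] == b"II" else ">"
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    pointer = read_ifd(tiff, ifd0, endian).get(GPS_IFD_POINTER)
    if pointer is None:
        return False
    gps = read_ifd(tiff, struct.unpack(endian + "I", pointer)[0], endian)
    return GPS_LATITUDE in gps and GPS_LONGITUDE in gps

def sample_jpeg(with_gps: bool) -> bytes:
    """Constructed input: SOI + Exif APP1 + EOI, little-endian, zeroed coordinates."""
    ifd = struct.pack("<HHHIII", 1, 0x0112, 3, 1, 1, 0)          # IFD0: Orientation only
    if with_gps:                                                  # IFD0 -> GPS IFD at 26
        ifd = struct.pack("<HHHIII", 1, GPS_IFD_POINTER, 4, 1, 26, 0)
        ifd += struct.pack("<HHHIIHHIII", 2, GPS_LATITUDE, 5, 3, 56, GPS_LONGITUDE, 5, 3, 80, 0)
        ifd += struct.pack("<6I", 0, 1, 0, 1, 0, 1) * 2          # two zeroed RATIONAL[3]
    app1 = b"Exif\x00\x00II*\x00" + struct.pack("<I", 8) + ifd
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Run over a folder of images before upload, `has_geotag` flags the files whose location data should be stripped, or for which the camera's geotagging setting should have been switched off.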

There is a strong possibility that similar search techniques could be adopted by paedophiles to discover the locations of young children. Innocent images, incorporating geotags, of children may have been taken by their family and uploaded to a blog for sharing with friends and family. There are many blogs that link through to social networking accounts that, when used together with the geotags, can assist in presenting a relatively clear picture of where a family lives, goes on holiday, works or socialises away from home, or can provide travelling times and school details. There are many cases of similar details being used by criminals for cybercasing and cyberstalking, as websites such as ICanStalkYou.com (URL no longer active) have highlighted.

There may also be an argument against the geotagging of images of endangered animals and birds. Geotagged online photographs of, for example, a rare bird sitting in its nest, could leave the bird vulnerable to poachers, egg collectors and hunters. With the availability of cameras, such as the Fujifilm Finepix XP30, that have in-built GPS, the proliferation of geotags may increase. With the XP30 being waterproof, it is particularly suitable for outdoor use and therefore for photographing wildlife.



Modification of Geodata

In my recent research I carried out processes proving that geotag data can be modified on the iPhone. These changes can be made either to JPG metadata on the device or to metadata within the iTunes backup files, which are then restored to the device. The benefit of the latter method is that it is less detectable when forensically analysing the iPhone than the method of modifying the images on the device itself. Obviously, analysis of the computer where the changes were made to the iTunes backup should present artefacts, although that machine may not be available to the investigator to offer the evidence. Such modification can be used to falsify evidence, for example to create a false alibi or in an attempt to falsely incriminate a third party.

 


[Figure: TAGView screenshot, before modification]

[Figure: TAGView screenshot, after modification]

The same methods can be applied to other iDevices, such as the iPod and iPad, and with Apple projecting sales of 100 million iPhone handsets and 48 million iPads for 2011, there are increasing possibilities that Apple iDevices may be misused for fraudulent or criminal activities. Of course, these modifications could just be done on a computer with no involvement of mobile phones.

Here are some hypothetical examples of modifying geotags for misuse:

· A person with a grudge could upload an image of some precious diamonds to Craigslist. They could convert the geotags to point to the target’s home address, therefore leaving the target and their family vulnerable to possible theft.

· If a victim’s phone could be accessed briefly, a pornographic image, taken by a similar device, could be transferred onto the target device. The image would have geotags pointing to the victim’s house address. The instigator could then anonymously inform the police that the victim is in possession of illegal images. The evidence is present on the device to help convict the victim. He may have often left his iPhone on his desk during the working day, but thought it OK as it was PIN-locked.

· An organised crime gang member could download a JPG of a girl from the web. The location could be modified to a disused warehouse, and then, via the wi-fi connection in the local cafe, the image uploaded to the web. The image geodata could be translated to the location by someone who works in ICT, who could decide to visit the address out of curiosity and is attacked and robbed.

In a case where the outcome may rely on geographical evidence, it is crucial to take into consideration that the data may have been tampered with, even if there is no forensic evidence present.

Due to the speed of users’ uptake of accessing email and the internet, along with the multimedia and geographic capabilities of the latest smart phones, there is an argument that such smart phone devices could easily become subjected to misuse, criminal and fraudulent activities. An example of this already happening is with the introduction of apps that utilise augmented reality. A definition of augmented reality, otherwise known as AR, is “the real-time mixing of computer generated and real-world information” (TheAssurer.com, 2010). An example of AR working in conjunction with an iPhone is Layar utilising a Panoramio layer. Panoramio is a Google-owned app allowing images to be uploaded via a smart phone or internet browser. The images appear, for example, on Google maps where certain criteria are entered into an API. This can then be interlaced with Layar, which is an app allowing the smart phone user to view media tied to their current location. This AR system can also interlace further with Flickr and Google Earth, which arguably could cause further problems in the case of misuse. Could it be only a matter of time before this technology can be used to create violations of privacy and potentially endanger individuals and property? Creating an image of a person or object that may be likely to attract undesirable attention from criminals or sex offenders, and geotagging it to a user’s location, could be considered malicious and a violation of the user’s right to privacy and safety.

To summarise, such modifications of evidence on digital handheld devices may not be commonplace at the moment, but could prove to be a problem for victims in the future. Modifications of digital evidence may prove a future challenge for both law enforcement agencies and forensic examiners on a global scale. There is also an inherent naivety, amongst many users, regarding the dangers involved with publishing geotagged images on the internet.

If anyone would like a copy of “Geotag Data: The Modification of Evidence on the Apple iPhone” then PM me ( RedCelica67 on ForensicFocus.com ) or email me via the Blackstage Forensics website.

David Benford is Director of Blackstage Forensics (www.blackstage-forensics.co.uk), Derbyshire, England. He specialises in the forensic analysis of handheld digital devices and possesses an MSc in Forensic Computing & Security. He is also a trustee of the Cystinosis Foundation UK charity – see http://www.cystinosis.org.uk/our-charity/trustees for further details.
