Digital photography and social networking anti-forensics
I attended a superb class on OSINT the other week. One of the topics covered using geolocation data in digital photographs found on social networking sites to gather intelligence on suspects.
Geolocation is all the rage, and numerous complaints and even lawsuits have been directed towards companies collecting and (mis)using geolocation data. Despite this, the public is sharing more of their location data every day, and companies are spinning up new services to encourage them to do so. Photographs are one of the primary sources for geolocation data, and Flikr, Facebook, and Instagram are but some of the major players making use of the data. Many of the services accept an uploaded photograph, store the geolocation data for their own use, and then strip it out of the photograph so that users can only see what the service presents to them.
But what if you lie to the service? You can do so through some of their GUIs, but there is a better way – lie in the data you upload.
These four photographs were taken by me in Prague of this year.
But, when I run the following command:
./spoofexif.py -sd 01/01/2001 -ed 12/31/2010 -sh 0 -eh 8 -l “Waya, Fiji” -b 50 -d photos
and then upload the resulting photographs to Flickr, they appear to be taken in Fiji sometime in the last decade, always between midnight and 8AM.
At the moment, spoofexif.py can do the following
usage: spoofexif.py [-h] [-sd BEGINDATE] [-ed ENDDATE] [-sh BEGINHOUR] [-eh ENDHOUR] [-l LOCATION] [-b BOXSIDE] [-d DIRECTORY | -i IMAGES] optional arguments: -h, --help show this help message and exit -sd BEGINDATE Start date -ed ENDDATE End date -sh BEGINHOUR Start hour -eh ENDHOUR End hour -l LOCATION Location to place photograph -b BOXSIDE Length of side of bounding box -d DIRECTORY Directory containing photographs to modify -i IMAGES Name of image file to modify
- It takes a date range and randomly spreads the specified photos out over the entire range. You can modify a set of winter photographs with “-sd 11/01/2006 -ed 02/28/07”
- It takes an optional pair of hours and spreads the photos out over that range of hours. So, if you have a collection of dinner photos, you’d use “-sh 18 -eh 23”
- It takes a location and spreads the photographs randomly in a box with a side of length -b. This allows you to scatter your Prague photos around Paris, or to make it appear that you vacationed in Fiji when you were really in New Jersey.
- And you can specify an entire directory or just a single file. You can send your entire photo library back in time ….
I can detect my own modifications, and it has given me some ideas on how to detect other people’s. But can Facebook, Twitter, or Instagram detect your time machine/teleporter?
Code available by request.