How to Geolocate Mobile Phones (or not)

Wouldn’t it be cool to geolocate mobile phones? The following article will show you possibilities and limits when it comes to accurately finding the location of a mobile phone.

Last week I published an article explaining how accurate the geolocation of IP addresses is. This time, I had a look a cellular data and how a mobile phone is registered while roaming as well. If you haven’t read last week’s article yet, go have a look before you continue here.

Today I decided to go on a little road trip, because I wanted to show you what kind of data your mobile phone produces while on the move. So, I’m inviting you to follow me on a short trip to Austria. Keep in mind, that all data you will see here is not only visible to me, but also to my provider and could be visible to law enforcement or intelligence services, should they choose to track me. However, this data is nothing that can be easily obtained by random individuals.

The starting and end point of my journey was the train station in Steinebach. If you dial *3001#12345#* on your iPhone, it will open a developer menu packed with cellular data, including the actual cell you are connected to and the signal strength for this connection (among other things). Unfortunately, I forgot to take a screenshot when I left the train station. I did, however, take a screenshot upon return. In any case, the same cell served my phone both when I left and when I returned. As you can see, my phone was connected to the Mobile Country Code (MCC) 262, which is the country code for Germany, and the Mobile Network Code (MNC) 3, which is the code for the provider O2/Telefonica. That’s the network this burner phone is running on.

The most relevant piece of information is the Physical Cell ID (PCI). This is the identifier for the actual cell my phone was registered to. The only problem here is that the developer menu on my iPhone doesn’t give me the ID of the cell tower (or eNodeB/ENB in an LTE network) this cell was actually broadcast from. Whenever I am dealing with cellular data, one of my go-to sites is CellMapper. Here I can browse through information on cell towers on a map or search for specific data. Let’s have a look at what we can find with the MCC, MNC and PCI from my phone. After adding the information I have to the search panel on the right, a new popup opens and displays all the cell towers in the German O2 network that use the PCI 422.

Rather than clicking through all these results, I just zoomed into the map manually (since I of course knew where I was) and clicked through the nearby towers until I found the tower that broadcasts the PCI 422. Cell 2 of eNB 100396 is the one my phone was connected to.

The train station is in the top right corner of the highlighted cell. Keep in mind, that the full extension or reach of the cell may not be accurately displayed here. So now you have seen how cellular information can be broken down to a rough physical location. I could narrow down this location even more, because my phone also knows which other cell towers are providing a signal in the area and it is constantly measuring the signal strength. So, if I know the location of these other cell towers and I know the signal strength to each tower, I could use that information to triangulate a more precise location. But let’s not go that far this time.

If I am connected to a UMTS or LTE network (3G or 4G), the cellular network will also allocate an IP address to my phone. The accuracy, or rather non-accuracy, was topic of the last blog article. Nonetheless, I would like to share the IP I had when I left the train station at around 09:00 o’clock, to show you what happens with this IP during my travel.

Above you can see the IP address and the result from a query on the Geo2IP Precision database from Maxmind. Maxmind is one of the leading IP geolocating companies worldwide. According to them, this IP address was located near Munich in a radius of 50km. Nothing wrong here, the train station in Steinebach is within that radius.

I decided to drive to Neuschwanstein (the inspiration for the Disney castle) near Füssen and from there quickly cross the boarder to Austria. During this drive, my phone would constantly reconnect to new cell towers and new cells whenever the signal in the current one was too weak. More on this topic can be read here:

https://www.netmanias.com/en/post/techdocs/6224/emm-handover-lte/emm-procedure-6-handover-without-tau-part-1-overview-of-lte-handover

Every once and while I completely lost signal. Now the interesting thing is that my phone kept the allocated IP address throughout the complete trip. Steinebach and Füssen are roughly 70km apart (beeline), I had multiple cell and cell tower handovers and thus my IP in Füssen was the same as when I left the train station in Steinebach. As the IP hadn’t changed, the Maxmind geolocation also hadn’t changed and was now clearly wrong. You could wonder why I wasn’t issued a new IP when my phone lost signal or connected to new cells or cells towers. For the cellular network there was no need to reissue a new IP address, because I technically never detached from the network. And why should the network go through the hassle of constantly issuing a new IP, when reconnects to cells and cell towers might occur every couple minutes? Getting a new IP in such a frequency clearly would cause some troubles for the user, if connected to a website or service continuously throughout the travels.

A new IP will be issued whenever you turn your phone off or put in in airplane mode and then turn it back on. Switching it off or using airplane mode sends a so-called “IMSI-detach” to the network, letting the network know you want to log off and thus won’t be needing service anymore. Temporary loss of signal won’t cause that command to be sent. If your phone is offline for a longer period of time, the network will automatically detach the IMSI (which is basically your main identifier in a cellular network) from the network. However, each provider might define a different time span before detaching.

At 12:10 o’clock, I was sitting at the McDonalds in Füssen and still had the same IP. Just to be sure, I checked it using a different browser, I didn’t want to risk cached data messing up my results.

Out of interest, I switched on the airplane mode and connected to the wifi hotspot while eating my McFlurry. Again, I checked this IP and looked it up on Maxmind.

The IP issued to me by my cell phone provider still had me located in Munich and the wifi hotspot came out over 400km away (in the middle of a lake in the center of Kassel). And once I reconnected to the cellular network, I received a new IP address, which according to Maxmind was still in a 50km radius of Munich.

So much for the accuracy of IP geolocations. The cellular data (MCC/MNC/PCI) put in me the correct location again.

I finished my ice cream and briefly crossed the border to Austria. Just enough to connect to an Austrian network. While the cell data put me in the right spot on CellMapper, the IP I then received from my provider placed me even further away than before. This time instead of Munich, the IP was supposedly in a 50km radius of Nuremberg.

The IP range was also different than any other IP address that O2 had given me in Germany, so I assume that O2 has an extra IP range reserved for roaming connections. I switched to a different Austrian provider and checked again.

Okay, now I’m confused. I went from Munich to Nuremberg to Stuttgart. On the other hand, the information I found here could prove to be relevant. If my provider uses a different IP range for phones located outside of the home network (in a foreign country) than the IP range using for phones ‘at home’, maybe other providers do so as well. This might enable finding out if a mobile phone is located in country or outside, similar to what a HLR lookup can provide (not gonna explain this time, just google it). Remember that the results shown here might differ in other countries and with other providers. But once more, the bottom line is that geolocation based on IPs is not as simple and accurate as some of us might think and geolocations based on cellular data could get you quite close to your actual target. That is, if you have access to this kind of data, which I assume most of my readers don’t.

And now you also know how I spend my Sundays. Combining road trips through the beautiful Bavarian alps with my passion for OSINT. In any case, the trip was totally worth it: new insight on cellular roaming and of course this amazing view:

Neuschwanstein

MW-OSINT / 12.07.2020

Geolocating Mobile Phones based on IPs

This article was written together with Nixintel and was published on Nixintel.info as well.

IP addresses feature prominently in digital investigations, but how useful are they for geolocation? The truth is that while IP addresses have many investigative uses, they can be quite unreliable as a precise geolocation method.

The limitations of IP addresses as geolocation tools are grounded in the technology itself. The current IPv4 protocol allows for the existence of just under 4.3 billion separate IP addresses. This was not an issue when the technology was designed in the early 1980s, but now the demand for IP addresses far exceeds supply.

To deal with this shortage, ISPs have developed several workarounds over the years. A reverse proxy server allows thousands of websites to share the same static IP address, for example.

Websites and services generally use IPs that are fixed, but if you’re reading this from your home internet connection then the chances are that you’ve been issued a dynamic IP address by your ISP. You might have the same IP address for a few hours or days, but ISPs constantly juggle and reallocate their IP addresses according to demand. The IP address you have today might be issued to someone else elsewhere in the country tomorrow.

With mobile IPs the IP shortage problem is even more pronounced. Whenever you connect to a 3G or 4G network, you are probably sharing that IP address with thousands of other users at the same time. Your IP address also changes very frequently on a cellular network, sometimes as often as every few seconds.

There is no real correlation between a physical location and a cellular IP address. IP addresses aren’t organised geographically in the way that old landline numbers used to be. It’s more accurate to think of them as being grouped by ISP and service type.

For more detailed information on this subject matter I recommend reading these research papers:

So what about IP geolocation services like Maxmind A little digging into their own data accuracy reports will tell you that we need to be extremely cautious about how much weight you attach to the geolocation information that they provide.

For example in Germany, Maxmind state that 83% of their IP addresses are accurately linked to their location – but only to within a 50km radius, and even then only with fixed broadband lines:

When we look at cellular IPs, the accuracy drops significantly. Only 38% accuracy within 50km:

The more specific the location, the lower confidence level. In Germany the confidence that a specific IP address is associated to a specific city is just 16%. In the USA this accuracy level is just 12%, with 73% of IPs being incorrectly resolved. So how much weight should you really put on the accuracy of a geolocated cellular IP if even the world’s leading IP geolocation companies have such low confidence of it being accurate to within 50km, let alone a single city?

This is not a fault of the GeoIP service providers. It simply reflects the fact that ISPs have no need to allocate IP addresses by geographic area, but instead allocate them according to network demand.

Yet it is common knowledge that mobile phones can be geolocated. A mobile phone connects to a cell tower, and as a matter of fact to all of the surrounding cell towers as well (at least to monitor the signal strength). Each cell tower has a unique ID. This ID can be picked up by several means, whether it is intercepting the radio connection between the mobile phone and the tower or by collecting information on one of the backlinks to the network. If the physical locations of the cell towers are known, a rough geolocation of the phone can be performed if of course you have the cell IDs. However, this can only be done (legally) by law enforcement and/or intelligence services. But is it possible to geolocate a phone based on other information than the cell ID?

Most mobile phones nowadays are constantly connected to the internet. We browse the web, we send messages through services such as Signal or WhatsApp and we check our emails and reply with our smartphones. Each of these connections will transmit an IP-address that has been allocated to our phone. On my normal computer, I could look up my IP address on sites such as IPLocation and it would show the approximate area I am located in. Of course, this only works if I am not using a proxy or VPN. Different databases might have slightly different locations, but as you can see in this example, I am located somewhere in the vicinity of Munich based on my IP address.

Just to put these locations into perspective, I plotted them on the map. I was located somewhere on this map while writing this article. Not really that precise, right?

That’s the landline I used, what about geolocating a phone based on the IP address? Getting the current IP address of the phone is not as easy as it sounds. Even if I were to receive an email sent from my target’s phone, chances are high that this would not include the originating IP address. Especially if sent from providers such as Gmail or Hotmail. How can we then obtain the actual IP of the phone?

Before you continue reading, a word of caution: The next step could be illegal in some countries and is very intrusive. It is definitely not something I would recommend as you have to actively engage your target. In this case I am just using the technique to prove my point.

I sent my target an email with a tracking pixel. Don’t worry, the target is one of my burner phones. I sent myself an email and opened it with my phone while connected to my provider on 4G (LTE). Tracking pixels, also known as web beacons, are used to figure out if a user has accessed content such as a webpage or an email. These trackers will provide information such as the access time and also the IP address from which the content was accessed. I used the site GetNotify to get a tracking pixel. Then opened the email with my phone. Here is the result:

As you can see, the tracking pixel sends back the time the email was opened, the user agent string for the browser on my phone and an IP. It states that this IP address is registered to Telefonica Germany, the provider this burner phone is running on. Let’s check the IPLocation site again:

Okay, we have Munich in there, but we also see other locations. Once more, I plotted them on the map.

I’m on here somewhere, but as you can see, two of the locations are quite a bit away from Munich. So apparently, the IP allocated to my phone by my provider seems to provide a very inaccurate location. One reason for this can be found in the 4G network infrastructure.

The IP address the mobile phone receives is a dynamic address allocated by the so-called Packet Data Network Gateway (P-GW). This is basically the exit node to the internet and the IP address is chosen randomly, coming for a pool of addresses. Each time you reconnect with the network you will receive a new random address from this pool, even if you connect to the same cell (for LTE eNodeB) again. There is no direct link between the IP and any other element of the network, such as the cell tower (eNodeB). Often, outgoing traffic from the P-GW will assign multiple registered mobile phones the same IP-address. While connections from a mobile phone will likely be handled by a regional P-GW, in my case the one physically located in Munich, it could also be registered to a P-GW hundreds of kilometers away. I spent an hour trying to find a friend that uses Telefonica/O2 as well and asked them to help me out here. I sent her an email with a tracking pixel. Here’s what came back:

This IP-address is supposedly located in Munich as well, my friend lives near Passau. That’s 170km apart! Keep in mind, all of this was done without any proxies or VPNs. Using a VPN will of course alter the results. Here’s my burner phone on LTE running through a Belgian IP:

In conclusion, geolocating a phone through an IP might give you the general area (if you are lucky), but just as with any regular IP address, it will not provide you pinpoint accuracy. I think geolocating landline IPs is actually more accurate than mobile phone IPs in most cases. Just keep this in mind for your future investigations.

Nixintel & MW-OSINT / 05.07.2020

Unravelling the Norton Scam – Chapter 5

Never be too careless with what you post on social media. It might come back to haunt you one day and in the case of our investigations it sure led to some key findings on the scam network!

Chapter 1 – It all starts with a bad sock puppet

Chapter 2 – The Art of OSINT

Chapter 3 – What’s the big deal? And who’s to blame?

Chapter 4 – The more, the better

Chapter 5 – Mistakes on social media

The ultimate goal of our investigation was to find the people behind the scam. So far, we had found fake personas and most of the WHOIS data was misleading as well. Of all the people we came across, there was still a reasonable amount of doubt that they were actually involved in the scam, or we couldn’t reveal their true identities for sure. In our hunt for the truth we also turned to social media, hoping to find someone connected to our case.

As previously mentioned, most names used to register websites were clearly fake. Nancy Wilson and Steve Dalton were among the favorites. However, we did notice that the majority of sites had Indian addresses in the WHOIS data. In particular, two addresses reoccurred often: one in Noida and one in Gurgaon (also known as Gurugram). We decided to find Facebook profiles that had visited both cities and that were also linked to East Peoria, the city in Illinois that the scammers posted on their websites. Maybe someone was careless enough and had checked into all three places. Of course, this was done a while back when the Facebook graph search was still working.

Jackpot! While we hadn’t expected to find anything on this wild query, one Facebook profile matched our search. This person, named Baljeet, was a very active social media user and constantly checked into places on Facebook. Among these check-ins were Noida, Gurgaon and East Peoria.

Intelligence collection always feeds on mistakes your adversaries or intelligence targets make, and Baljeet committed a major blunder here. Soon after, we found ourselves digging into Baljeet’s profile. It turns out, that he had frequently visited locations (marked in blue) in the vicinity of the office building (marked in red) which was found in the WHOIS data of the scam sites and in which we suspected the team of developers behind these sites to be located.

At the same time, we discovered that Baljeet registered a website with his full name and actual email address, which we had found in his Twitter timeline. This website was providing web design services to customers in the US. And guess what? The site was using the same address in East Peoria and also the same phone number as the scam sites! I decided to have a little chat with Baljeet on Facebook to confront him with this information.

The conversation went on for a while and Baljeet kept coming up with excuses and dodgy information on why his website was using the same address and phone number as the scam sites. After our talks, he actually took down both for a while, but the address is back on the website today. To us it is clear: Baljeet is definitely involved in this scam. You don’t just sit in India and coincidently use the same address (in the middle of nowhere) and phone number as multiple scam sites on your own site. You don’t just coincidently happen to work in vicinity of addresses we have attributed to the scam sites.

While looking into other social media profiles used by Baljeet, we came across other indicators that fit the overall picture. A couple days ago, he proudly posted the following on Twitter: A certificate of an advanced Google Analytics course (my browser was set to German when I opened the link).

As you can see, the information we won from social media research led to us a prime suspect in our case. Not only did we have a real name now, we also had a unique username, a pattern of life and enough information to verify his involvement in our scam.

Our social media research also led to many more key findings. One of the phone numbers we found in the scam sites’ WHOIS data was also posting job advertisements on Facebook.

A call center agent providing support to activate Norton? That’s exactly how our hunt started. Looks like it is all coming together! The information we gathered throughout our social media research was invaluable and had us dig even deeper into WHOIS data and source code from the scam websites, leading to unravelling the whole network behind it. But that is something for the coming chapters.

Sector035/MW-OSINT – 15.08.2019

百度地图 – Mit Baidu Maps unterwegs auf Chinas Straßen

Andere Länder andere Sitten. Es muss nicht immer Google sein. Heute präsentiere ich euch eine Möglichkeit, wie man in China eine Adresse in Augenschein nehmen kann.

Google Street View ist für OSINT Ermittler heute unabdingbar. Insbesondere für den Bereich der Geolocation Verification spielt das Tool eine entscheidende Rolle. Die Abdeckung mit aktuellem Bildmaterial wird von Tag zu Tag besser. In Großstädten wie Paris und London ist das Google Street View Car teilweise schon mehrfach durch die Straßen gefahren, so dass man sogar eine historische Veränderung nachvollziehen kann. Sogar in vermeintlichen Entwicklungs- u. Schwellenländern existiert eine solide Abdeckung. So kann ich mich problemlos virtuell in ein abgelegenes Dorf in der Slowakei begeben, um die Adresse in Augenschein zu nehmen, an der sich angeblich ein Unternehmen befinden soll.

Leider gibt es aber immer noch viele weiße Flecken auf der Google Street View Landkarte. Dies liegt weniger an Google als an regulatorischen und/oder sicherheitsbedingten Gründen in den verschiedenen Ländern.

In Deutschland scheitert es vor allem am schwierigen Verhältnis der Deutschen zum Datenschutz. Nur in wenigen Großstädten existiert aus dem Jahr 2009 veraltetes Bildmaterial, das teilweise auch noch verpixelt ist. Der Rest ist digitales Entwicklungsland.

PNG 1 Abdeckung mit Google Street View (blaue Schattierungen) in Deutschland im Vergleich mit den Nachbarstaaten

Auch in China existiert keine Abdeckung mit Google Street View (ausgenommen Hongkong). Dies hat aber vor allem mit regulatorischen Auflagen der Volksrepublik zu tun. Aber China wäre nicht China, wenn es keine Alternative gäbe. Die chinesische Suchmaschine Baidu verfügt ebenso wie Google über einen Kartendienst, der ebenfalls eine Street View Variante bietet. Allerdings ist nicht das ganze Land abgedeckt, sondern bisher nur die Großstädte und Wirtschaftsmetropolen. Für Ermittler, die beispielsweise eine Due Diligence eines neuen Geschäftspartners in China durchführen, bietet Baidu somit die Möglichkeit, die Adresse vorab in Augenschein zu nehmen. Sollte sich an der Adresse anstatt der Werkshallen nur ein Kiosk befinden, sollte ich stutzig werden.

PNG 2 Abdeckung Baidu Total View (blaue Schattierungen) im Großraum Shanghai

Eine große Herausforderung ist die sprachliche Hürde. Baidu ist in Chinesisch und die automatische Übersetzung der Webseite funktioniert nicht immer, so dass ich einzelne Textabschnitte herauskopieren muss.

Ich erreiche den Kartendienst von Baidu, indem ich auf der Startseite oben rechts auf地图 (übersetzt Karte) klicke.

PNG 3

Der Kartendienst ist grundsätzlich ähnlich wie Google Maps aufgebaut. Oben links befindet sich das Eingabe- und Suchfeld (roter Rahmen). Unten rechts sind die drei verschiedenen Kartenansichtsvarianten Straße (grüner Rahmen), Satellit (gelber Rahmen) und Total View (violetter Rahmen).

PNG 4

Den größten Erfolg habe ich, wenn ich direkt eine chinesische Adresse in das Suchfeld eingebe. Wenn ich beispielsweise eine Firma in China untersuchen soll, erhalte ich die Adresse sehr wahrscheinlich von der Webseite des Unternehmens.

Als Beispiel soll die Volkswagen (China) Investment Co. Ltd. (大众汽车（中国）投资有限公司), ein Tochterunternehmen des deutschen Autobauers, dienen. Auf der Webseite des Unternehmens www.vw.com.cn finde ich unter Kontakt den genauen Firmennamen und die Adresse der Gesellschaft, natürlich unter Zuhilfenahme von Google Translate.

Den chinesischen Namen der Adresse kopiere ich in das Eingabefeld von Baidu Maps und erhalte einen Treffer. Danach wechsele ich in den Total View Modus und setze die kleine Kamera vor das Gebäude.

PNG 7

Im Baidu Total View Modus habe ich dann wie bei Google Street View die Möglichkeit, die Kamera zu drehen, herein und heraus zu zoomen und die Straße entlang zu fahren. In unserem Fall erkenne ich das Volkswagen-Gebäude am markanten Schriftzug davor.

PNG 8

Natürlich ist es nicht immer so einfach wie in diesem Fall. Sehr häufig ist es notwendig, das Umfeld der Adresse in Baidu Total View abzusuchen, um den gewünschten Treffer zu erhalten.

Ich hoffe, ich konnte mit diesem kurzen Blogeintrag eine praxistaugliche Beschreibung über Baidu Total View geben. Am besten ihr spielt ein bisschen mit dem Tool, um die Leistungsfähigkeit selbst zu bewerten. Wenn ihr Fragen oder Anmerkungen habt, dann schreibt es gern in die Kommentare.

Ingmar Heinrich / 30.11.2018

The Sunny Side of Geolocation Verifications

The sun is a useful helper in investigations and geolocation verifications. Looking at shadows in pictures could reveal the moment of capture. This helps debunking false information.

Three weeks ago we showed you how to use EXIF data in pictures to receive indications on the location and precise moment of capture. Unfortunately, not all pictures contain EXIF data, or even worse: the EXIF data could be falsified. The shadow cast in pictures enables us to check if the sun position correlates with the exposure time contained in the pictures’ metadata.

Let us look at the following picture:

IMG_5542_2

I claim, that this picture was taken in front of my office on April 11, 2018 at 10:30am. True or false?

An evaluation of the EXIF data confirms that the coordinates and exposure time back my claim. The following screenshots depict the results of the fotoforensic check on fotoforensics.com. Try it yourself, the picture actually contains the EXIF data.

Case closed, information verified? Not really, because I altered the EXIF data in the picture. While the coordinates were left unchanged, the exposure time was modified. To verify this, we’ll take a closer look at the picture and dissect it into it’s single pieces of information. Hereby, we will concentrate on the shadow cast by the tree on the left.

Next we will use the website suncalc.org to check the casted shadow. Suncalc uses Google Maps to diplay results and the existing satellite imagery on Google is good enough to pinpoint each tree. In the first step, tree 1 will be used as the reference point (red marking). It is important to know the precise location of your reference point, or else the final results may be distorted. Afterwards, we add the presumed exposure time. The result of this actually shows, that the cast shadow (black arrow) of tree 1 fell towards the west, and not towards tree 2 as shown in our picture.

EXIF data canbe manipuliated, however, no one can change the course of the sun. Without any doubt the exposure time in the picture’s metadata is wrong. Now, let us cross check the actual exposure time. The picture was taken on April 25, 2018 at 02:58pm.

This method can be used in many different ways. Imagine someone stands trial and presents a picture of himself containing EXIF data to prove that he or she was at a certain location at a certain time. Or it can be used to verify propaganda pictures and videos of ISIS in Syria, supposedly containing images of an attack the previous day.

MW-OSINT / 02.10.2018

Licht und Schatten bei Ermittlungen

Die Sonne ist ein nützlicher Helfer bei Ermittlungen und Geolocation Verifications. Ein Blick auf den Schattenwurf in einem Bild gibt Rückschlüsse auf den Aufnahmezeitpunkt. Dadurch lassen sich auch Falschinformationen entlarven.

Vor drei Wochen haben wir Ihnen gezeigt, wie man mittels EXIF-Daten in Fotos Hinweise auf Standort und Aufnahmezeit des Bildes bekommt. Leider liegen EXIF-Daten nicht immer vor oder noch schlimmer: sie können gefälscht sein. Anhand der Schattenwürfe in einem Bild lässt sich überprüfen, ob der Stand der Sonne mit dem in den Bildinformationen genannten Aufnahmezeitpunkt übereinstimmt.

Schauen wir uns nun folgendes Bild an:

IMG_5542_2

Ich behaupte, das Bild wurde vor meinem Büro am 11. April 2018 um 10:30 Uhr vormittags aufgenommen. Richtig oder falsch?

Die Auswertung der EXIF-Daten ergibt, dass die Koordinate zum angegeben Standort passt und die Uhrzeit sich ebenfalls mit meiner Aussage deckt. Die folgenden Screenshots zeigen die Ergebnisse einer Foto-forensischen Auswertung auf der Webseite fotoforensics.com. Probieren Sie es auch selbst aus, das dargestellte Bild enthält EXIF-Daten.

Fall abgeschlossen, Informationen verifiziert? Nicht ganz, denn ich habe die EXIF-Daten in diesem Bild manipuliert. Der Standort passt, der Aufnahmezeitpunkt allerdings nicht. Um dies zu verifizieren, zerlegen wir das Ausgangsbild zuerst in seine Einzelinformationen. Hierbei konzentrieren wir uns auf den abgebildeten Schattenwurf des linken Baumes.

Danach nutzen wir die Webseite suncalc.org zur Überprüfung des Schattenwurfs. Suncalc nutzt Google Maps zur Darstellung der Ergebnisse und auf dem vorliegenden Google Satellitenbild sind die Bäume gut zu erkennen. Im ersten Schritt wählen wir Baum 1 als Referenzpunkt (rote Markierung) in Suncalc. Es ist wichtig, den genauen Standort des Referenzpunkts zu kennen, damit die Ergebnisse nicht verfälscht werden. Anschließend tragen wir den vermeintlichen Aufnahmezeitpunkt ein. Als Ergebnis sehen wir, dass der Schattenwurf (schwarzer Pfeil) von Baum 1 zum angegeben Zeitpunkt 10:30 Uhr nicht wie im Ausgangsbild in Richtung Baum 2 fiel, sondern in westliche Richtung.

Man kann EXIF-Daten fälschen, aber nicht den Lauf der Sonne. Somit ist zweifelsfrei bewiesen, dass der Aufnahmezeitpunkt gefälscht wurde. Hier ist die Gegenprobe mit dem richtigen Aufnahmezeitpunkt. Das Bild wurde tatsächlich am 25. April 2018 um 14:58 Uhr aufgenommen.

Diese Methode kann in vielen Fällen angewendet werden. Stellen Sie sich vor, ein Angeklagter in einem Strafverfolgungsprozess möchte Anhand eines Bildes samt EXIF-Daten nachweisen, dass er zu einem bestimmten Zeitpunkt an einem bestimmen Ort war. Oder im Falle von Propagandamaterial des IS in Syrien, in dem ein vermeintlicher Angriff am Vortag gezeigt wird.

MW-OSINT / 02.10.2018

Asset Tracing using EXIF Data

Geolocation Verification was a topic in this blog last week. The previous post presented one method to geolocate a picture based on different reference points within the picture.

In some cases geolocating a picture is even easier, provided the picture contains georeferenced EXIF metadata. EXIF (Exchangeable Image File Format) is a standard ancillary tag used by digital cameras. Next to various camera settings, such as focal length and exposure time, EXIF metadata could include descriptions of the picture and be geotagged with GPS coordinates as well. Many smartphone users have the so-called ‘location services’ constantly switched on, thus resulting in their pictures being enriched with GPS coordinates.

The following example is based on a real investigation. The names and locations were altered to ensure the safety of the involved persons.

An asset tracing case has us looking for financial and property assets belonging to a German banker named Hans P. Extensive OSINT research on Hans P. remains unsuccessful. The focus of this investigation will now be on family and friends of Hans P. We identified two of Hans’ children on Facebook. His eldest daughter, Anna H., recently married and had set a wedding webpage using the platform ZOLA. This website reveals that the wedding took place at a large unknown estate. The actual location of this estate was not easily given away on the website. The overall information, however, points towards the mediterranean region. On this site, Anna also thanks her father for financing this wedding and providing his estate for the celebration.

Example of a ZOLA wedding site

This is an indication that Hans P. is in fact in possession of the aforementioned estate. The website also features many professional pictures, as well as the possibility for wedding guests to upload their own pictures. We look at each picture using a browser extension which shows if the picture contains EXIF data or not. Luckily, one of them does.

Our next step is to extract the EXIF data using fotoforensics.com. The EXIF data extracted from the picture contains information on the type of phone used and also the exact GPS coordinates from which it was taken. This location is directly displayed on Google Maps.

fotoforensics

The estate is located near the Italian city of Tuscania. After figuring out the specific street address, we check this in the local real estate and property register.

Bingo! The estate was purchased four years ago and currently belongs to Hans’ wife. Since Hans’ wife does not originate from a wealthy family, nor has she ever worked, we assume that this asset was in fact purchased with money provided by Hans P.

By the way: The wedding picture contains the EXIF data shown. Feel free to try this out yourself!

MW-OSINT / 12.09.2018

Geolocate thIS! (English version)

In early 2016, Islamic State (IS) supporters published pictures in Telegram messenger channels containing handwritten pledges to the Islamic States’ cause. With this propaganda campaign, the terrorist organisation wanted to show the size and strength of its worldwide network.

Apparently some of the IS supporters were not aware of how much information regarding their actual location they had divulged in these pictures. Within hours of release, Twitter users had revealed these locations. IS was not really able to demonstrate global power with this propaganda campaign, however, I am quite sure that some of these supporters gained the attention of law enforcement and government security agencies afterwards.

How could this happen? First off, there is a large community of OSINT specialists, many of them with a journalistic background, specialized in the verifcation of information. One aspect of this is Geolocation Verification, in which pictures are dissected to receive individual clues that can be researched online using various different tools. The main goal is to pinpoint the exact location.

Geolocate This! is one of them and is very useful to find a location using two separate reference points.

Based on one the pictures posted by an IS supporter in 2016, I would like to demonstrate how this works.

Step 1: Dissecting the picture into individual clues

This picture contains several clues, which will help us along the way.

The city of Paris is written on the note in Arabic (باريس). This indicates we are looking for a location in the capital of France.
In the background we can see a Suzuki sign. It most likely belongs to a dealer or repair shop.

These clues alone would enable us to find the exact location. Looking up all Suzuki dealers or repair shops in Paris on Google Maps could be successful. However, it would take an unproportionate amount of time to view all results.

The opposite side of the street depicts a sign of the beer brand Heineken. This likely indicates a bar.

Step 2: Using Geolocate This!

I looked up the coordinates (latitude, longitude) for the center of Paris on latlong.net and entered these into the search mask.
Next I set the search radius to 10.000m.
The first keyword is Suzuki and I add a category as well. The second keyword is bar, which I also used as the category. The use of categories is optional.
Based on the picture, the distance between both locations is approximately 20m, which I then add as the final input.

After clicking on Search, I receive ten results with possible locations for my picture.

Step 3: Verification with Google Street View

Luckily, Paris has an excellent Google Street View coverage. I check each result from Geolocate This! in Street View and compare this view with the IS supporter’s picture. As the picture clearly shows a smaller side street, I check these first.

Et voilà! Shortly afterwards I am able to identify the location from which the picture was taken. This Street View was captured in July 2016 and I can clearly see the Suzuki sign, the Heineken Bar and the scaffolding in the background.

Tilting Street View to the left, gives me a view of the house from which the initial picture was taken, probably in a room somewhere between the first and third floor.

We now have an address in which a probable IS supporter lives. This information might be relevant for law enforcement and government security agencies…

This is just one example of how OSINT techniques can lead to the exact location of a picture. There are many more used within Geolocation Verification.

In the following weeks, we’ll present more tools and techniques from the everyday life of an investigator. In the meantime, I advise you to practice your geolocation skills trying to solve the pop quizzes on Twitter at @Quiztime

Ingmar Heinrich / 07.09.2018

Geolocate thIS!

Anfang 2016 veröffentlichten Anhänger des sogenannten Islamischen Staates (IS) auf Kanälen des Messengers Telegram mehrere Fotos. Diese enthielten handgeschriebene Treuebekundungen zum IS. Die Terrororganisation wollte durch diese Propagandaaktion die Größe und Stärke ihres weltweiten Netzwerkes darstellen.

Dem einen oder anderen IS-Sympathisanten war vermutlich nicht bewusst, wie viele Hinweise er damit über seinen eigenen Standort preisgibt. Innerhalb weniger Stunden wurden die genauen Aufenthaltsorte mehrerer IS-Anhänger von Twitter-Usern enttarnt. Der erwünschte Effekt des IS blieb aus und es ist sogar anzunehmen, dass einige dieser Personen in den Fokus der Sicherheitsbehörden gerieten.

Was war passiert? Es gibt mittlerweile eine sehr große Gemeinde von OSINT-Spezialisten, davon viele aus dem journalistischen Umfeld, die sich auf die Verifikation von Informationen spezialisiert haben. Bei der sogenannten Geolocation Verification werden Fotos in ihre Einzelinformationen zerlegt, um diese dann mit Hilfe unterschiedlicher Tools im Internet zu recherchieren. Ziel ist die Lokalisierung der exakten Ortsangaben.

Ein sehr nützliches Tool ist Geolocate This!, mit dessen Hilfe sich Orte unter Angabe von zwei Bezugspunkten lokalisieren lassen.

Anhand eines der geposteten IS-Fotos möchte ich die Funktionsweise kurz erklären.

Schritt 1: Zerlegen des Fotos in Einzelinformationen

Auf dem Foto lassen sich mehrere Informationen erkennen, die uns bei der weiteren Recherche helfen.

Auf dem Zettel steht auf Arabisch Paris (باريس). Diese Information grenzt die Suche auf die Hauptstadt von Frankreich ein.
Zudem ist ein Schild der Automarke Suzuki erkennbar. Vermutlich gehört es zu einem Händler, der die Marke Suzuki vertreibt.

Allein diese beiden Informationen reichen aus, um den genauen Ort zu lokalisieren. Eine Suche der Suzuki-Händler in Paris bei Google Maps würde zum Erfolg führen. Allerdings müsste ich verhältnismäßig viel Zeit aufwenden, um mich durch die Treffer zu klicken.

Auf der gegenüber liegenden Straßenseite ist das Schild der Biermarke Heineken erkennbar, das wahrscheinlich zu einer Bar gehört.

Schritt 2: Eingeben der Daten bei Geolocate This!

Die Koordinaten (Latitude, Longitude) von Paris erhalte ich von einer Webseite wie latlong.net. Den Ausgangspunkt setze ich in das Zentrum von Paris. Die Koordinaten übertrage ich in die Suchmaske.
Ich grenze den Suchradius auf 10.000m ein.
Das Keyword 1 ist unserer wahrscheinlicher Suzuki-Händler. Optional vergebe ich die Kategorie Car Dealer. Als Keyword 2 vergebe ich Bar und kategorisiere es zudem als Bar.
Der Abstand zwischen den beiden Orten beträgt ungefähr 20 m.

Danach klicke ich auf Search und ich erhalte eine Übersicht mit 10 möglichen Treffern.

Schritt 3: Recherche mit Google Street View

Paris verfügt über eine exzellente Abdeckung mit Google Street View. Ich gehe nun durch die einzelnen Treffer von Geolocate This! und gleiche sie mit dem Ausgangsfoto ab. Als weitere Eingrenzung sichte ich zuerst Treffer, die sich in Nebenstraßen, wie auf unserem Foto, befinden.

Et voilà! Nach einer kurzen Suche kann ich den Ort lokalisieren. Auf einer Aufnahme von Juli 2016 erkenne ich das Suzuki-Schild, die Bar mit dem Heineken-Schild, sowie das Baugerüst im Hintergrund.

Drehen wir die Google Street View-Kamera nun nach links, sehen wir das Haus, aus dem heraus das Foto aufgenommen wurde. Sehr wahrscheinlich wurde es aus einem der Fenster zwischen dem 1. – 3. OG geschossen.

Somit haben wir die wahrscheinliche Adresse und sogar das Stockwerk, in dem ein mutmaßlicher IS-Anhänger wohnt. Um alles weiter müssen sich jetzt die Sicherheitsbehörden kümmern…

Das Beispiel zeigt eine Möglichkeit, wie ich exakte Standorte mit Hilfe von OSINT-Techniken lokalisieren kann. Bekanntlich führen viele Wege nach Rom und es gibt zahlreiche weitere Methoden im Rahmen der Geolocation Verification.

In den nächsten Wochen werden wir weitere Tools und Techniken aus dem Alltag eines Ermittlers vorstellen. Wer sich die Wartezeit verkürzen und bis dahin etwas üben möchte, dem empfehlen wir den Twitter-Kanal @Quiztime

Ingmar Heinrich / 06.09.2018