Archive for May, 2011

Dissecting a MySpace cookie

Wednesday, May 18th, 2011

I previously looked at the MySpace source code and, as an aside, decided to look at the MySpace cookie placed on my computer through Internet Explorer. I need to spend some more time with it, but I found one tidbit of interest. Internet Explorer stores each cookie as a text record: name, value, domain and path, a flags value, the expiry time, the creation time, and a line containing "*" that ends the record. The two times are Windows FILETIMEs split into their low and high 32-bit words. Here are the contents of that cookie file:

MSCulture
IP=76.232.69.187&IPCulture=en-US&PreferredCulture=en-US&Country=VVM%3D&ForcedExpiration=0&timeZone=-7&USRLOC=QXJlYUNvZGU9Nzc1JkNpdHk9UmVubyZDb3VudHJ5Q29kZT1VUyZDb3VudHJ5TmFtZT1Vbml0ZWQgU3RhdGVzJkRtYUNvZGU9ODExJkxhdGl0dWRlPTM5LjU1NDUmTG9uZ2l0dWRlPS0xMTkuODA2MiZQb3N0YWxDb2RlPSZSZWdpb25OYW1lPU5WJkxvY2F0aW9uSWQ9MA
myspace.com/
1600
1450779520
30110255
767532288
30108847
*
SessionDDF2
WecgMpqrHOI4tePW304hLLYkIoD8e+hqZQakpBfhu0bf+3YNd9a3gLJAKgrhd57+klMP1U9uDlEKYfXnDvXE8w==
myspace.com/
1536
2677308160
31578165
1536619600
30108650
*
__utma
102911388.576917061.1287093264.1287098574.1287177795.3
myspace.com/
1600
522347392
30255698
765392288
30108847
*
__utmz
102911388.1287093264.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
myspace.com/
1600
428951552
30145363
1564109600
30108650
*
__utmb
102911388.0.10.1287177795
myspace.com/
1600
1584863104
30108851
765392288
30108847
*
__unam
7639673-12bb1c67c3e-6a4aaea5-1
myspace.com/
1600
3491813376
30163644
781442288
30108847
*

The USRLOC value is Base64:

QXJlYUNvZGU9Nzc1JkNpdHk9UmVubyZDb3VudHJ5Q29kZT1VUyZDb3VudHJ5TmFtZT1Vbml0ZWQgU3RhdGVzJkRtYUNvZGU9ODExJkxhdGl0dWRlPTM5LjU1NDUmTG9uZ2l0dWRlPS0xMTkuODA2MiZQb3N0YWxDb2RlPSZSZWdpb25OYW1lPU5WJkxvY2F0aW9uSWQ9MA

Decoded, it is a second query string:

USRLOC=AreaCode=775&City=Reno&CountryCode=US&CountryName=United States&DmaCode=811&Latitude=39.5545&Longitude=-119.8062&PostalCode=&RegionName=NV&LocationId=0

The Country field is encoded the same way: VVM%3D is the URL-encoded form of VVM=, which is Base64 for US.

The investigator should be aware that the latitude and longitude are generally derived from IP address geolocation, not from anything on the client. Again, this is information you reveal to the website simply by visiting it: the site geolocates the IP address, for general marketing purposes, and writes the result back to your machine in the cookie. As an investigator you need to be aware that you are exposing this to the websites you surf. I'll comment more on geolocation in another post.

Not that we all did not know that companies use tracking codes to identify us, but this is the type of information that might be on a suspect's system if you go looking for it in his cookies. It also shows how much MySpace is tracking about you during an investigation, and collecting about you, when you go to a suspect's MySpace page. I found a nice article at http://helpful.knobs-dials.com/index.php/Utma,_utmb,_utmz_cookies describing some of the cookie's contents:

“The cookies named __utma through __utmz are part of Google Analytics, originally by the urchin tracking module, also by the newer ga.js. These cookies track usage on sites that use Google Analytics.”

The article goes on to describe the various pieces of the cookie.

__utma tracks each user's number of visits and first and last visit times.
__utmz tracks where a visitor came from (search engine, search keyword, link)
__utmb and __utmc are used to track when a visit starts and approximately ends (c expires quickly).
__utmv is used for user-custom variables in Analytics
__utmk – digest hashes of utm values
__utmx is used by Website Optimizer, when it is being used

Another good description of the Google Analytics cookies and their contents can be found at MoreVisibility (a marketing website). Many other sites collect similar information, such as Netcraft, Alexa, and WMtips (each of these can be accessed from our free Internet Investigators Toolbar).

The __utma cookie is a string of six fields delimited by ".": a hash of the domain, a visitor ID, three Unix timestamps (first visit, previous visit, current visit), and a single integer that counts the sessions during the cookie's lifetime. Here that count is 3, and the last timestamp, 1287177795, is the current visit. The __unam cookie in the same file is not Google Analytics; it belongs to the ShareThis sharing widget.
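As an added worked example (not code from the original post), the following Python parses the two records from the dump above that matter most, MSCulture and __utma, converts each FILETIME pair to UTC, and splits the Base64 and dotted fields. The sample input is transcribed from the dump above; nothing else is assumed. Running it shows two things the raw dump does not: the __utma "current visit" timestamp (1287177795) is the same instant as that record's creation FILETIME, and the MSCulture Country value VVM= is Base64 for US.

```python
import base64
from datetime import datetime, timezone
from urllib.parse import unquote

# Two records transcribed from the cookie dump in this post (MSCulture and __utma).
# Internet Explorer writes each cookie as: name, value, domain/path, flags,
# expiry FILETIME (low word, high word), creation FILETIME (low word, high word),
# then a "*" line that terminates the record.
SAMPLE_COOKIE_FILE = """\
MSCulture
IP=76.232.69.187&IPCulture=en-US&PreferredCulture=en-US&Country=VVM%3D&ForcedExpiration=0&timeZone=-7&USRLOC=QXJlYUNvZGU9Nzc1JkNpdHk9UmVubyZDb3VudHJ5Q29kZT1VUyZDb3VudHJ5TmFtZT1Vbml0ZWQgU3RhdGVzJkRtYUNvZGU9ODExJkxhdGl0dWRlPTM5LjU1NDUmTG9uZ2l0dWRlPS0xMTkuODA2MiZQb3N0YWxDb2RlPSZSZWdpb25OYW1lPU5WJkxvY2F0aW9uSWQ9MA
myspace.com/
1600
1450779520
30110255
767532288
30108847
*
__utma
102911388.576917061.1287093264.1287098574.1287177795.3
myspace.com/
1600
522347392
30255698
765392288
30108847
*
"""

# FILETIME counts 100 ns ticks since 1601-01-01; this many ticks reach 1970-01-01.
FILETIME_UNIX_EPOCH = 116444736000000000


def filetime_to_unix(low, high):
    """Join the two 32-bit halves of a FILETIME and convert to whole Unix seconds."""
    ticks = (int(high) << 32) | int(low)
    return (ticks - FILETIME_UNIX_EPOCH) // 10_000_000


def fmt_utc(unix_seconds):
    return datetime.fromtimestamp(unix_seconds, tz=timezone.utc).strftime("%a, %d %b %Y %H:%M:%S UTC")


def b64_decode_lenient(token):
    """Standard Base64 with any stripped '=' padding restored (cookies often drop it)."""
    return base64.b64decode(token + "=" * (-len(token) % 4)).decode("utf-8")


def split_query(s):
    """key=value&key=value -> dict.  unquote() handles %3D but, unlike parse_qs,
    leaves '+' alone, which matters when a value is Base64."""
    out = {}
    for pair in s.split("&"):
        key, _, value = pair.partition("=")
        out[key] = unquote(value)
    return out


def parse_ie_cookie_file(text):
    """Return one dict per '*'-terminated record, with both FILETIMEs decoded."""
    records = []
    for block in text.split("*\n"):
        lines = block.strip("\n").split("\n")
        if len(lines) < 8:
            continue  # the empty chunk after the final "*"
        name, value, path, flags, exp_lo, exp_hi, cre_lo, cre_hi = lines[:8]
        records.append({
            "name": name, "value": value, "path": path, "flags": int(flags),
            "expires": filetime_to_unix(exp_lo, exp_hi),
            "created": filetime_to_unix(cre_lo, cre_hi),
        })
    return records


def parse_msculture(value):
    """Decode the Base64 members of MSCulture: Country, and the USRLOC query string."""
    fields = split_query(value)
    fields["Country"] = b64_decode_lenient(fields["Country"])
    fields["USRLOC"] = split_query(b64_decode_lenient(fields["USRLOC"]))
    return fields


def parse_utma(value):
    """__utma = domain_hash.visitor_id.first_visit.previous_visit.current_visit.session_count"""
    dh, vid, first, prev, cur, count = value.split(".")
    return {"domain_hash": dh, "visitor_id": vid, "first_visit": int(first),
            "previous_visit": int(prev), "current_visit": int(cur), "session_count": int(count)}


if __name__ == "__main__":
    for rec in parse_ie_cookie_file(SAMPLE_COOKIE_FILE):
        print(rec["name"], "created", fmt_utc(rec["created"]), "expires", fmt_utc(rec["expires"]))
        if rec["name"] == "MSCulture":
            print("   ", parse_msculture(rec["value"])["USRLOC"])
        elif rec["name"] == "__utma":
            u = parse_utma(rec["value"])
            print("    visits:", u["session_count"], "current visit", fmt_utc(u["current_visit"]))
```

The FILETIME words are joined as high << 32 | low before the 1601-to-1970 offset is subtracted; joining them the other way round, or treating the pair as two separate numbers, is the usual mistake. The output is UTC; apply the -7 offset from the cookie's own timeZone field to recover the wall-clock time the browser saw.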

Here are the individual cookies with their expiry and creation FILETIME pairs (low word, high word) translated:

Cookie Code Section / Date and Time Translation*

MSCulture (value as shown above)
myspace.com/
1600
Expires 1450779520,30110255 = Fri, 22 October 2010 13:23:15 -0800
Created 767532288,30108847 = Fri, 15 October 2010 13:23:15 -0800

SessionDDF2
WecgMpqrHOI4tePW304hLLYkIoD8e+hqZQakpBfhu0bf+3YNd9a3gLJAKgrhd57+klMP1U9uDlEKYfXnDvXE8w==
myspace.com/
1536
Expires 2677308160,31578165 = Mon, 14 October 2030 13:54:22 -0800
Created 1536619600,30108650 = Thu, 14 October 2010 13:54:21 -0800

__utma
102911388.576917061.1287093264.1287098574.1287177795.3
myspace.com/
1600
Expires 522347392,30255698 = Sun, 14 October 2012 13:23:15 -0800
Created 765392288,30108847 = Fri, 15 October 2010 13:23:15 -0800

__utmz
102911388.1287093264.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
myspace.com/
1600
Expires 428951552,30145363 = Fri, 15 April 2011 01:54:24 -0800
Created 1564109600,30108650 = Thu, 14 October 2010 13:54:24 -0800

__utmb
102911388.0.10.1287177795
myspace.com/
1600
Expires 1584863104,30108851 = Fri, 15 October 2010 13:53:15 -0800
Created 765392288,30108847 = Fri, 15 October 2010 13:23:15 -0800

__unam
7639673-12bb1c67c3e-6a4aaea5-1
myspace.com/
1600
Expires 3491813376,30163644 = Thu, 14 July 2011 23:00:00 -0800
Created 781442288,30108847 = Fri, 15 October 2010 13:23:16 -0800

The expiry intervals are characteristic and help identify a cookie even when its name is unfamiliar: __utma lives two years, __utmz six months, __utmb 30 minutes from creation, and the MySpace session cookie 20 years. The timestamps inside __utma cross-check against the file: its first-visit field (1287093264) is the instant __utmz was created, and its current-visit field (1287177795) is the instant the __utma record itself was written.

*Decoding of the dates and times is thanks to the free "DCode" tool by Digital Detective. DCode was set to a fixed -0800 offset here; the cookie's own timeZone=-7 field shows the browser was on Pacific Daylight Time when the cookie was written, so the local wall-clock time was one hour later than the figures shown (the UTC instant is unaffected).

Todd Shipley is Vere Software’s president and CEO.

Dissecting a MySpace page

Tuesday, May 17th, 2011

Having not seen this done anywhere else, I decided to look at some basic MySpace pages at random and determine if I could find anything in the source code that might be of any investigative interest.

In general, the source code of a MySpace page has lots of HTML code, but much of it is of no use to the investigator because it does not identify the user or provide investigative leads. There are, however, a couple of interesting things to be found if you look for them.

The actual server location of an image file

Links on a MySpace page, including the links wrapped around images, do not point at their destination directly. They go through a redirector at www.msplinks.com, with the destination encoded in the URL path. Here is a real example randomly gathered from a MySpace page, the link around an image on the page:

href="http://www.msplinks.com/MDFodHRwOi8vdmlld21vcmVwaWNzLm15c3BhY2UuY29tL2luZGV4LmNmbT9mdXNlYWN0aW9uPXZpZXdJbWFnZSZmcmllbmRJRD0yODYzNDc4JmFsYnVtSUQ9MjExNDE2NSZpbWFnZUlEPTQ0OTU4MTY2"

The path after the host looks obfuscated but is plain Base64:

MDFodHRwOi8vdmlld21vcmVwaWNzLm15c3BhY2UuY29tL2luZGV4LmNmbT9mdXNlYWN0aW9uPXZpZXdJbWFnZSZmcmllbmRJRD0yODYzNDc4JmFsYnVtSUQ9MjExNDE2NSZpbWFnZUlEPTQ0OTU4MTY2

The Base64 translation of this portion of the code is:

01http://viewmorepics.myspace.com/index.cfm?fuseaction=viewImage&friendID=2863478&albumID=2114165&imageID=44958166

The decoded link starts with a two-character prefix, 01, ahead of the real URL, and the URL carries the friendID of the page it is from and what appears to be a uniquely assigned imageID.

The www.msplinks.com address itself is just a blank page when you go there. Its source code, however, contains "old school" ASCII-art letters spelling out myspace (the art is not reproduced here).

Embedded video files and their original location

If you right click on an embedded video and select “copy embedded HTML” and paste that into a separate document, you can review the code and find the video location.

Actual example of an embedded video from a random MySpace page:

<object width="640" height="390"><param name="movie" value="http://www.youtube.com/v/Xz2MWedTbP0&hl=en_US&feature=player_embedded&version=3"></param><param name="allowFullScreen" value="true"></param><param name="allowScriptAccess" value="always"></param><embed src="http://www.youtube.com/v/Xz2MWedTbP0&hl=en_US&feature=player_embedded&version=3" type="application/x-shockwave-flash" allowfullscreen="true" allowScriptAccess="always" width="640" height="390"></embed></object>

The embedded player URL from the above example is:

http://www.youtube.com/v/Xz2MWedTbP0

The /v/ path is the Flash player; the part after it, Xz2MWedTbP0, is the video ID, so the video's own page on YouTube is http://www.youtube.com/watch?v=Xz2MWedTbP0.

Finding the FriendID

I also found the MySpace FriendID in several different locations in the page's source code. A simple search for "FriendID" will find the numerical Friend ID used by MySpace.

Here is a random example of a FriendID found in MySpace source code:

var MySpaceClientContext = {"UserId":-1,"DisplayFriendId":281346014,"IsLoggedIn":false,"FunctionalContext":"UserViewProfile","UserType":1};

This is the Myspace ID # that corresponds with the MySpace user name:

"DisplayFriendId":281346014

Add the Friend ID to the MySpace URL and it will take you to that friend’s page.

http://www.myspace.com/281346014

Tracking Code

I also found something of interest to the investigator and a good reason not to use your agency/company computer network to look at a MySpace page. Without much effort I found the code for MixMap. MixMap is tracking code that can be used to identify the IP addresses of anyone viewing a MySpace page. You can register at www.mixmap.com for access to your account and to prepare unique code for insertion on your MySpace page. The mechanism is an ordinary web bug: a hidden 1x1 image served from mixmap.com. Every browser that renders the profile requests that image, and the request hands the viewer's IP address and User-Agent to MixMap (the number in the image path, 661165 below, presumably identifies the profile owner's MixMap account).

In a real example I found the following tracking code in the MySpace page's source code:

<a href="http://www.msplinks.com/MDFodHRwOi8vd3d3Lm1peG1hcC5jb20v" target="_new" title="MySpace Tracker"><img src="http://www.mixmap.com/661165/no_image_tracker_strict.jpg" border="0" height="1" width="1" style="visibility:hidden;" alt="MySpace Tracker" /></a></style></span>

The path of the msplinks.com link is again Base64:

MDFodHRwOi8vd3d3Lm1peG1hcC5jb20v

The Base64 translation of this portion of the code is:

01http://www.mixmap.com/

MySpace beacon data

Another thing I found a little disturbing about MySpace was what it is collecting on its pages. I located the following code labeled MySpace.BeaconData, which indicates that MySpace is tracking persons viewing MySpace pages. Not that this is unusual from a marketing point of view. But the investigator should be aware that s/he is being tracked.

In the abbreviated random example below, the ci, st and co fields give the city, state and country I am coming from, and uatv gives my computer's operating system and the version of Internet Explorer I was using. The cip field is the viewer's IP address written as one 32-bit decimal number: 1290290619 is 76.232.69.187, the same address the MSCulture cookie recorded in the MySpace cookie post.

MySpace.BeaconData={"dsid":"2","dsv":"1","rd":"browseusers.myspace.com","rqs":"","refpg":"/Browse/Browse.aspx","rpf":"Browse","d":"www.myspace.com","qs":"friendID=2863478","pf":"UserViewProfile","fa":"","pgnm":"/Modules/Profiles/Pages/Display/Profile.aspx","cip":"1290290619","pc":"en-US","pid":"405384887825081977","pidf":"0","ABtd":"0","t":"1287086098069","ct":"1287086098069","ci":"Reno","st":"NV","co":"US","dmac":"811","uff":"0","uatv":"br=MSIE 8.0&os=Windows NT 6.1","sip":"170659174","uid":"-2","pggd":"e327762c-2571-4e8f-b47f-d5fb46a670e5","prid":"2863478","ili":"0","at":"1","cfv":"0:0:0","cef":"0","sliu":"0","pref":"0","kvp":"bt=0

In the following abbreviated random example I used the Tor network to hide myself, and you can still see (in the ci, st and co fields) the city, state and country in which the Tor exit node was located:

MySpace.BeaconData={"dsid":"2","dsv":"1","rd":"","rqs":"","refpg":"","rpf":"","d":"www.myspace.com","qs":"friendID=542455573","pf":"UserViewProfile","fa":"","pgnm":"/Modules/Profiles/Pages/Display/Profile.aspx","cip":"3493170727","pc":"en-US","pid":"405384887825081977","pidf":"0","ABtd":"0","t":"1287100961997","ct":"1287100961997","ci":"Woodstock","st":"IL","co":"US","dmac":"602","uff":"0","uatv":"br=MSIE 8.0&os=Windows NT 6.1","sip":"170663537","uid":"281346014","pggd":"c1834a83-d897-44a8-adfe-93e8f959c60e","prid":"542455573","ili":"0","at":"2","cfv":"0:0:0","cef":"0","sliu":"0","pref":"0","

In this example the Tor exit node just happened to be in Illinois. From an investigative standpoint, the investigator should know what s/he is exposing to the target website.
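As an added worked example (not code from the original post or from MySpace), the following Python decodes the two kinds of encoded data discussed in this post: the Base64 msplinks.com redirector URLs from the image-link and MixMap sections, and the MySpace.BeaconData fields from the section above. The two link constants are copied from the post; the BeaconData sample is constructed from the first beacon shown above, trimmed to the fields used here and with straight quotes so it parses as JSON. The interpretation of cip and sip as 32-bit packed IPv4 addresses is confirmed by cip decoding to 76.232.69.187, the address in the MSCulture cookie; sip decodes to a 10.x.x.x private address, presumably the server that rendered the page. The name "01" prefix and the meaning of uid are taken from the samples, not from any MySpace documentation.

```python
import base64
import json
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qsl

# Copied from the two msplinks.com examples in this post.
IMAGE_LINK = ("http://www.msplinks.com/MDFodHRwOi8vdmlld21vcmVwaWNzLm15c3BhY2UuY29tL2luZGV4LmNmbT9mdXNl"
              "YWN0aW9uPXZpZXdJbWFnZSZmcmllbmRJRD0yODYzNDc4JmFsYnVtSUQ9MjExNDE2NSZpbWFnZUlEPTQ0OTU4MTY2")
TRACKER_LINK = "http://www.msplinks.com/MDFodHRwOi8vd3d3Lm1peG1hcC5jb20v"

# Constructed from the first MySpace.BeaconData sample in the post: only the fields
# used here, straight quotes, and no truncated tail, so json.loads() accepts it.
SAMPLE_BEACON = ('MySpace.BeaconData={"d":"www.myspace.com","qs":"friendID=2863478",'
                 '"cip":"1290290619","pc":"en-US","t":"1287086098069","ci":"Reno",'
                 '"st":"NV","co":"US","dmac":"811","uatv":"br=MSIE 8.0&os=Windows NT 6.1",'
                 '"sip":"170659174","uid":"-2","prid":"2863478"}')


def b64_decode_lenient(token):
    """Standard Base64 with any stripped '=' padding restored."""
    return base64.b64decode(token + "=" * (-len(token) % 4)).decode("utf-8")


def decode_msplink(url):
    """Return (prefix, destination) for an msplinks.com redirector URL.

    The path is Base64; the first two decoded characters ("01" in every sample
    in the post) sit in front of the real destination URL."""
    token = urlsplit(url).path.lstrip("/")
    decoded = b64_decode_lenient(token)
    return decoded[:2], decoded[2:]


def query_params(url):
    """Query-string parameters of a decoded destination, e.g. friendID and imageID."""
    return dict(parse_qsl(urlsplit(url).query))


def int_to_ipv4(n):
    """Unpack a 32-bit big-endian integer (how BeaconData stores cip and sip) into a dotted quad."""
    n = int(n)
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def decode_beacon(js):
    """Extract the investigator-relevant fields from a MySpace.BeaconData literal."""
    data = json.loads(js[js.index("{"):])
    ua = dict(parse_qsl(data["uatv"]))                   # br=<browser>&os=<os>
    when = datetime.fromtimestamp(int(data["t"]) / 1000, tz=timezone.utc)  # t is in milliseconds
    return {
        "client_ip": int_to_ipv4(data["cip"]),
        "server_ip": int_to_ipv4(data["sip"]),
        "city": data["ci"], "state": data["st"], "country": data["co"],
        "browser": ua["br"], "os": ua["os"],
        "viewed_profile_id": data["prid"],
        "viewer_uid": data["uid"],   # -2 here; a numeric account ID in the post's Tor sample
        "time_utc": when.strftime("%a, %d %b %Y %H:%M:%S UTC"),
    }


if __name__ == "__main__":
    for link in (IMAGE_LINK, TRACKER_LINK):
        prefix, dest = decode_msplink(link)
        print(prefix, dest, query_params(dest))
    for key, val in decode_beacon(SAMPLE_BEACON).items():
        print(f"{key:>18}: {val}")
```

Because the beacon is an inline JavaScript object rather than a cookie, it is visible in any saved copy of the page source; decoding cip this way turns a saved profile page into a record of the address the viewer was using at the time, which is exactly why a dedicated investigative connection matters.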

I’ll continue to review pages and comment as I find anything interesting. If anyone else has any good tidbits about MySpace or any other social networking sites let me know in comments.

Todd Shipley is Vere Software’s president and CEO.