Posts Tagged ‘geolocation’

Dissecting a MySpace cookie

Wednesday, May 18th, 2011

I previously looked at the MySpace source code and, as an aside, I decided to look at the MySpace cookie placed on my computer through Internet Explorer. I need to spend some more time with it, but I found one tidbit of interest. Here are the contents of that cookie:

MSCulture
IP=76.232.69.187&IPCulture=en-US&PreferredCulture=en-US&Country=VVM%3D&ForcedExpiration=0&timeZone=-7&USRLOC=QXJlYUNvZGU9Nzc1JkNpdHk9UmVubyZDb3VudHJ5Q29kZT1VUyZDb3VudHJ5TmFtZT1Vbml0ZWQgU3RhdGVzJkRtYUNvZGU9ODExJkxhdGl0dWRlPTM5LjU1NDUmTG9uZ2l0dWRlPS0xMTkuODA2MiZQb3N0YWxDb2RlPSZSZWdpb25OYW1lPU5WJkxvY2F0aW9uSWQ9MA
myspace.com/
1600
1450779520
30110255
767532288
30108847
*
SessionDDF2
WecgMpqrHOI4tePW304hLLYkIoD8e+hqZQakpBfhu0bf+3YNd9a3gLJAKgrhd57+klMP1U9uDlEKYfXnDvXE8w==
myspace.com/
1536
2677308160
31578165
1536619600
30108650
*
__utma
102911388.576917061.1287093264.1287098574.1287177795.3
myspace.com/
1600
522347392
30255698
765392288
30108847
*
__utmz
102911388.1287093264.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
myspace.com/
1600
428951552
30145363
1564109600
30108650
*
__utmb
102911388.0.10.1287177795
myspace.com/
1600
1584863104
30108851
765392288
30108847
*
__unam
7639673-12bb1c67c3e-6a4aaea5-1
myspace.com/
1600
3491813376
30163644
781442288
30108847
*

Here is the interesting part, the USRLOC value, in Base64:

QXJlYUNvZGU9Nzc1JkNpdHk9UmVubyZDb3VudHJ5Q29kZT1VUyZDb3VudHJ5TmFtZT1Vbml0ZWQgU3RhdGVzJkRtYUNvZGU9ODExJkxhdGl0dWRlPTM5LjU1NDUmTG9uZ2l0dWRlPS0xMTkuODA2MiZQb3N0YWxDb2RlPSZSZWdpb25OYW1lPU5WJkxvY2F0aW9uSWQ9MA

Here is the Base64 translation:

USRLOC=AreaCode=775&City=Reno&CountryCode=US&CountryName=United States&DmaCode=811&Latitude=39.5545&Longitude=-119.8062&PostalCode=&RegionName=NV&LocationId=0

The investigator should be aware that the latitude and longitude are generally based on IP address geolocation. Again, this is something you are revealing to the website when you visit it: the website automatically geolocates the IP address for general marketing purposes. As an investigator you need to be aware that you are exposing this information to the websites you surf. I’ll comment more on geolocation in another post.

Not that we all did not know that companies use tracking codes to identify us, but here is the type of information that might be on a suspect’s system if you go looking for it in his cookies. It also shows how much MySpace is tracking and collecting about you when you go to a suspect’s MySpace page during an investigation. I found a nice article at http://helpful.knobs-dials.com/index.php/Utma,_utmb,_utmz_cookies describing some of the cookie’s contents:

“The cookies named __utma through __utmz are part of Google Analytics, originally by the urchin tracking module, also by the newer ga.js. These cookies track usage on sites that use Google Analytics.”

The article goes on to describe the various pieces of the cookie.

__utma tracks each user’s amount of visits, first, last visit.
__utmz tracks where a visitor came from (search engine, search keyword, link)
__utmb and __utmc are used to track when a visit starts and approximately ends (c expires quickly).
__utmv is used for user-custom variables in Analytics
__utmk – digest hashes of utm values
__utmx is used by Website Optimizer, when it is being used

Another good description of the Google Analytics cookies and their contents can be found at MoreVisibility (a marketing website). There are many other sites that collect similar information, such as Netcraft, Alexa, and WMtips (each of these can be accessed from our free Internet Investigators Toolbar).

The __utma cookie appears to be a string with six fields, delimited by a “.”. The last field is a single integer which records the number of sessions during the cookie lifetime.

Here are the various pieces of each cookie record with the dates and times translated:

Cookie Code Section                                   Date and Time Translation*

MSCulture (value as listed above)
myspace.com/
1600
1450779520,30110255                                   Fri, 22 October 2010 13:23:15 -0800
767532288,30108847                                    Fri, 15 October 2010 13:23:15 -0800

SessionDDF2
WecgMpqrHOI4tePW304hLLYkIoD8e+hqZQakpBfhu0bf+3YNd9a3gLJAKgrhd57+klMP1U9uDlEKYfXnDvXE8w==
myspace.com/
1536
2677308160,31578165                                   Mon, 14 October 2030 13:54:22 -0800
1536619600,30108650                                   Thu, 14 October 2010 13:52:03 -0800

__utma
102911388.576917061.1287093264.1287098574.1287177795.3
myspace.com/
1600
522347392,30255698                                    Sun, 14 October 2012 13:23:15 -0800
765392288,30108847                                    Fri, 15 October 2010 13:23:15 -0800

__utmz
102911388.1287093264.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
myspace.com/
1600
428951552,30145363                                    Fri, 15 April 2011 01:54:24 -0800
1564109600,30108650                                   Thu, 14 October 2010 13:54:24 -0800

__utmb
102911388.0.10.1287177795
myspace.com/
1600
1584863104,30108851                                   Fri, 15 October 2010 13:53:15 -0800
765392288,30108847                                    Fri, 15 October 2010 13:23:15 -0800

__unam
7639673-12bb1c67c3e-6a4aaea5-1
myspace.com/
1600
3491813376,30163644                                   Thu, 14 July 2011 23:00:00 -0800
781442288,30108847                                    Fri, 15 October 2010 13:23:16 -0800

*Decoding of the dates and times is thanks to the free “DCode” tool by Digital Detective.
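As an added example (not code from the post or from Vere Software), the Python script below performs the two decodings discussed above in one pass: it parses a single cookie record as it appears in the dump, expands the Base64 USRLOC and Country fields, and converts the two pairs of 32-bit numbers as Windows FILETIME values. It assumes the pairs are the cookie's expiry and creation time, in that order, which is how Internet Explorer's cookie text files are laid out; the post itself does not label them.

```python
import base64
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl

# Constructed sample: the MSCulture record from the dump above, laid out the way an
# Internet Explorer cookie text file stores one cookie (name, value, domain/path,
# flags, expiry FILETIME low/high, creation FILETIME low/high, "*"). That field
# order is an assumption about IE's format; the post does not label the numbers.
SAMPLE_RECORD = "\n".join([
    "MSCulture",
    "IP=76.232.69.187&IPCulture=en-US&PreferredCulture=en-US&Country=VVM%3D"
    "&ForcedExpiration=0&timeZone=-7&USRLOC=QXJlYUNvZGU9Nzc1JkNpdHk9UmVubyZDb3Vu"
    "dHJ5Q29kZT1VUyZDb3VudHJ5TmFtZT1Vbml0ZWQgU3RhdGVzJkRtYUNvZGU9ODExJkxhdGl0dWRl"
    "PTM5LjU1NDUmTG9uZ2l0dWRlPS0xMTkuODA2MiZQb3N0YWxDb2RlPSZSZWdpb25OYW1lPU5WJkxv"
    "Y2F0aW9uSWQ9MA",
    "myspace.com/", "1600", "1450779520", "30110255", "767532288", "30108847", "*",
])
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(low: int, high: int) -> datetime:
    """Join the two 32-bit halves of a Windows FILETIME (100 ns ticks since
    1601-01-01 UTC) and convert the result to an aware UTC datetime."""
    ticks = (high << 32) | low
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def b64_decode_loose(text: str) -> str:
    """Decode Base64 that may lack its '=' padding, as the USRLOC value does."""
    return base64.b64decode(text + "=" * (-len(text) % 4)).decode("utf-8")

def decode_msculture(value: str) -> dict:
    """Split MSCulture into fields and expand the Base64 ones: Country is a short
    code and USRLOC is a nested query string holding the IP-derived geolocation."""
    fields = dict(parse_qsl(value, keep_blank_values=True))
    fields["Country"] = b64_decode_loose(fields["Country"])
    fields["USRLOC"] = dict(parse_qsl(b64_decode_loose(fields["USRLOC"]),
                                      keep_blank_values=True))
    return fields

def parse_ie_cookie_record(record: str) -> dict:
    """Parse one IE cookie text record; both FILETIME pairs come back as UTC
    datetimes (the post's table shows the same instants in Pacific time, -0800)."""
    lines = record.strip().splitlines()
    name, value, path = lines[0], lines[1], lines[2]
    exp_lo, exp_hi, cre_lo, cre_hi = (int(x) for x in lines[4:8])
    return {"name": name, "path": path, "flags": int(lines[3]),
            "expires": filetime_to_datetime(exp_lo, exp_hi),
            "created": filetime_to_datetime(cre_lo, cre_hi),
            "value": decode_msculture(value) if name == "MSCulture" else value}
```

parse_ie_cookie_record(SAMPLE_RECORD) gives a creation time of 2010-10-15 21:23:15 UTC, the 13:23:15 -0800 in the table, and a USRLOC dictionary with City=Reno, RegionName=NV and the coordinates shown above.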

Todd Shipley is Vere Software’s president and CEO.

Twitter is officially now Creepy

Tuesday, April 5th, 2011

Okay, this is a play on words, but it really is getting creepy. Yiannis Kakavas, social media fanatic and software writer, has published a new free tool to scare the pants off of any sane Twitterphile. But if you are updating your Twitter page that much, you probably won’t really care.

Kakavas’s new tool, “Creepy,” is a social networking search tool — or in his words, a “geolocation information aggregator.” But unlike just any search, Creepy searches for where you have posted from, then figures out the posts’ longitude and latitude and makes a pretty map of where you have posted from each time. Can you say “stalker nirvana”?

Now this requires that you have turned on Twitter’s own geolocation service, or used some device (your smartphone) or web service (Foursquare, Gowalla, etc.) that collects your lat/long when you are posting. So, Kakavas’ tool is not collecting anything you haven’t already put online yourself. It just makes it easy for the investigator to get to.

Well, as I have posted before, where there is a great tool for stalkers there is a great tool for investigators. So let’s take a look at this new investigative tool.

CREEPY

Again, this is a simple to use tool. Go to the download page and download the Windows Executable or the Ubuntu version and install on your operating system. The Windows installer is quick and easy and it will have you investigating in no time.

Start Creepy and in the settings authorize it to use your Twitter account. (You do need a Twitter account, but many investigators set up accounts purely for investigative purposes.) Now you can search Twitter users or Flickr users, along with photos from many other online applications. I searched both and easily found the users I was looking for.

Then click on the big “Geolocate Target” button. Under the “Map View” tab, the found lat/long coordinates will be displayed, along with their location on a mapping tool of your choice (there are several different mapping tools, including Google, to choose from).

It may take a few minutes to complete the search, but the results can be very revealing. Just as call detail records from cell phones can help investigators map out a suspect’s or victim’s movements over a period of weeks – including their normal patterns, and departures from normal – Creepy’s maps can show patterns of behavior with regard to social networks. The longer you track these patterns, the better picture you will have of your target.

It’s that simple… or it’s that Creepy.

Do you use Creepy? What have your experiences been?

Tracing IP Addresses: Some Background

Wednesday, October 14th, 2009

Tools like traceroute show the many data packet paths across the Internet.

Everyone uses the Internet, says Gary Kessler, instructor of the upcoming “Tracing IP Addresses” webinar, but few people understand how it actually works. And while investigators don’t need to know how the telephone system works to get a warrant for phone records or even wiretapping, the Internet is far more complex, but also far more accessible to the investigator.

“Computer forensics starts ‘under the hood’,” he explains. The investigator must know about file allocation tables, storage space on a hard drive or other digital device, and so forth, before being able to use the appropriate tool to recover evidence.

And because the Internet figures into so many forensic examinations—those involving child pornography, cyber bullying and harassment, etc.—it is one of the working parts “under the hood.” “No longer are there standalone computers,” says Kessler, “so conducting online investigations involves the application of some forensic principles.”

Tying digital evidence to individuals

These include both legal and technical aspects. “Investigators need to be able to understand the networking clues left on the computer,” says Kessler, “such as where to look, and how the clues can mislead. For example, the email header doesn’t prove who sent the email, but it can indicate where the email came from.”

In fact, he adds, everything in digital forensics is about finding patterns of behavior. “When taken together, those patterns can lead a reasonable person to what a suspect did,” says Kessler. “Digital forensics provides exculpatory or incriminating information which might take an investigation in a direction it may not otherwise have gone.”

In the case of IP tracing, this can even include geolocation. “An IP address can provide a general location from where an individual accessed email, for example,” says Kessler. “In one homicide investigation, this was key when the suspect denied an email account was his. Not only was the account established as his, but the IP addresses also showed the account being accessed from locations which coincided with his business trip calendar.”

Seeing evidence from every angle

Kessler says there are few misunderstandings about IP address tracing, but that investigators don’t always correctly interpret the evidence. “As an example, a traceroute showing data packets going from Point A to Point B will show a different set of addresses than the packets going back from Point B to Point A,” he explains, “which could be interpreted as a completely different route. The investigator has to know how to interpret the information, which is simply the same route being reported in a different way.”

The takeaways from Kessler’s webinar: how IP addresses relate back to online activities, along with tools that show how addresses relate to Web domains, how the domains relate to individuals, and how IP addresses relate to geographical locations.

In addition, Kessler will cover how criminals use the same tools. “An investigator uses the tools in a criminal case, but a hacker uses them to discover vulnerabilities,” he explains. So in all, while IP address tracing may seem trivial, it is important in any case with a networking component.

Learn more: register for the Tracing IP Addresses webinar today!

Christa M. Miller is Vere Software’s marketing/public relations consultant. She specializes in law enforcement and public safety and can be reached at christa at christammiller dot com.

Image: curiouslee via Flickr