Threats Without Borders - Issue 180
Cybercrime Investigation Newsletter, week ending April 28, 2024
We all get concepts in our heads that are kind-of-right but not right, and yet they persist—like those earworm songs you can’t clear from your head.
I have a bunch of these. One, for instance, is the intermixing of safety and security. It usually comes out when I’m talking about passwords, and I’ll say something about creating “safe passwords” when I should be referring to “secure passwords”. Of course, secure passwords are safe, but deep down, there is a subtle difference between safety and security.
This week, I heard a DFIR (Digital Forensics and Incident Response) personality discussing the metadata of digital files, but he kept calling it EXIF data. That would have been fine if he had been talking about files produced by a camera, but he was referring to a file created by the Windows file system. The listener was left to guess whether he didn’t understand the difference between EXIF data and metadata or whether it was just one of those things that got stuck in his head, like my conflating Safe with Secure.
Regardless, it gave me a topic for this week's newsletter: What is the difference between metadata and EXIF data?
Let’s get straight to the point: EXIF data is a form of metadata, but they aren’t exactly the same and can’t always be used interchangeably. It depends on the file type and how it was made.
Wait, Matt, why should we talk about this? Metadata, or data about the data as it is classically defined, is an essential element of the cyber investigation process, particularly in the sub-field of digital forensics.
Do you want to know what software created a Word document, who the registered author was, and when it was saved? Look at the file’s metadata. Do you want to know where that picture was taken? Check the EXIF data: most phone cameras embed the GPS coordinates when location tagging is enabled. The caveat is that the tags only survive if nobody stripped them, and many messaging apps and social platforms remove EXIF on upload, so an image with no GPS tags is not proof that none ever existed.
Metadata is information that provides details about a piece of data but not the content of the data itself. An email is a good example illustrating the data and metadata concept. The actual text written in the email body is considered data. However, the information in the header section, such as the sender's name, the time it was sent, IP addresses, and route information, is all metadata. It’s specific information about the creation and use of the consumable data.
Every digital file created and stored on a computer has associated metadata, and it comes from two places. The file system keeps the file name, size, creation timestamp, modification timestamp, and the owning user account. The application that wrote the file may embed more inside it: the file format version, the software used to create it, and sometimes the username or author name of the person who created it. Both layers are metadata; only the second one travels with the file when it is copied or emailed.
EXIF (Exchangeable Image File Format) data stores additional information about a digital image, such as the camera make and model, sometimes the body serial number, and, in the vendor-specific MakerNote, sometimes the shutter count. It can also record the camera settings used to capture the image, like shutter speed, aperture, ISO, and white balance. Most important for digital investigations, the EXIF GPS tags can record the latitude and longitude of where an image was taken, often with altitude and a GPS timestamp.
The EXIF standard was created in the mid-1990s by JEIDA, the Japanese electronics industry association backed by the country’s camera makers, and revised over the following years. It is now an essential element of every digital camera system, including those built into mobile phones and tablets.
The quintessential EXIF viewing tool is ExifTool by Phil Harvey. https://exiftool.org/ Running exiftool -a -G1 photo.jpg lists every tag together with the group it came from (File, IFD0, ExifIFD, GPS, XMP, and so on), which is the metadata-versus-EXIF distinction made visible on one screen.
Another great tool is https://fotoforensics.com/
There are numerous ways and tools available to view the metadata of a digital file. For a quick look on a Windows machine, right-click on the file, select Properties, and then click on the Details tab. On macOS, right-click on the file and select Get Info. Note that the Windows Details tab mixes file-system properties (size, dates) and embedded properties (Authors, Camera model) in one list, which is one reason the two get conflated.
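To make the structure concrete, here is an added example that is not code from the newsletter or from ExifTool: a small Python parser that walks a JPEG’s APP1 segment, reads the TIFF header and IFD0, follows the GPS sub-IFD pointer, and converts the degree/minute/second rationals into decimal coordinates. Because a real photo can’t be embedded here, the block first builds a constructed sample JPEG; the make “Acme Corp”, the model “Cam-1”, and the coordinates are made up. It handles both byte orders and refuses entries that point outside the EXIF block, which is the usual way a crafted file trips up naive metadata readers.

```python
"""Minimal EXIF (APP1 / TIFF IFD) reader with a constructed sample JPEG.
Added illustration; the sample values (Acme Corp, Cam-1, coordinates) are invented."""
import struct

# TIFF field types used here: type id -> (struct format char, byte size)
TYPES = {1: ("B", 1), 2: ("s", 1), 3: ("H", 2), 4: ("L", 4), 5: ("LL", 8), 7: ("s", 1)}
IFD0_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime", 0x8825: "GPSInfoIFDPointer"}
GPS_TAGS = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",
            0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}


def _ifd(entries, base):
    """Serialise one little-endian IFD that starts at TIFF offset `base`.
    entries: (tag, type, count, payload). Payloads of <= 4 bytes sit inline in
    the value field; longer ones are appended after the table and referenced
    by offset, exactly as TIFF/EXIF lays them out."""
    n = len(entries)
    data_off = base + 2 + 12 * n + 4            # first byte after the table
    table, extra = struct.pack("<H", n), b""
    for tag, typ, count, payload in entries:
        if len(payload) <= 4:
            value = payload.ljust(4, b"\0")
        else:
            value = struct.pack("<L", data_off + len(extra))
            extra += payload
        table += struct.pack("<HHL", tag, typ, count) + value
    return table + struct.pack("<L", 0) + extra  # next-IFD pointer = none


def _rational3(deg, minutes, tenths_sec):
    """Degrees, minutes, tenths of a second as three RATIONALs (num/den)."""
    return struct.pack("<LLLLLL", deg, 1, minutes, 1, tenths_sec, 10)


def build_sample_jpeg():
    """CONSTRUCTED sample: SOI, one APP1 'Exif' segment, EOI. No image data."""
    gps_entries = [
        (0x0001, 2, 2, b"N\0"),
        (0x0002, 5, 3, _rational3(40, 26, 468)),  # 40 deg 26' 46.8" N (made up)
        (0x0003, 2, 2, b"W\0"),
        (0x0004, 5, 3, _rational3(79, 58, 564)),  # 79 deg 58' 56.4" W (made up)
    ]
    ifd0_entries = [
        (0x010F, 2, 10, b"Acme Corp\0"),          # hypothetical make
        (0x0110, 2, 6, b"Cam-1\0"),               # hypothetical model
        (0x8825, 4, 1, struct.pack("<L", 0)),     # GPS pointer, patched below
    ]
    gps_off = 8 + len(_ifd(ifd0_entries, 8))     # GPS IFD follows IFD0
    ifd0_entries[2] = (0x8825, 4, 1, struct.pack("<L", gps_off))
    tiff = b"II" + struct.pack("<HL", 42, 8) + _ifd(ifd0_entries, 8) + _ifd(gps_entries, gps_off)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _read_ifd(tiff, off, e, names):
    """Read one IFD at TIFF offset `off`; `e` is '<' or '>' for byte order.
    Returns {tag_name: value}; tags without a known name are keyed by number."""
    (n,) = struct.unpack_from(e + "H", tiff, off)
    out = {}
    for i in range(n):
        entry = off + 2 + 12 * i
        tag, typ, count = struct.unpack_from(e + "HHL", tiff, entry)
        if typ not in TYPES:
            continue                              # unknown type: skip, don't guess
        fmt, size = TYPES[typ]
        total = size * count
        value_field = entry + 8
        data_off = value_field if total <= 4 else struct.unpack_from(e + "L", tiff, value_field)[0]
        raw = tiff[data_off:data_off + total]
        if len(raw) != total:
            raise ValueError("entry 0x%04x points outside the EXIF block" % tag)
        if typ == 2:
            value = raw.rstrip(b"\0").decode("ascii", "replace")
        elif typ == 5:
            value = [num / den if den else float("nan") for num, den in struct.iter_unpack(e + "LL", raw)]
        elif typ == 7:
            value = raw
        else:
            vals = struct.unpack(e + fmt * count, raw)
            value = vals[0] if count == 1 else list(vals)
        out[names.get(tag, tag)] = value
    return out


def _parse_tiff(tiff):
    e = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if e is None:
        raise ValueError("bad TIFF byte-order mark")
    magic, ifd0 = struct.unpack_from(e + "HL", tiff, 2)
    if magic != 42:
        raise ValueError("bad TIFF magic")
    tags = _read_ifd(tiff, ifd0, e, IFD0_TAGS)
    gps_off = tags.pop("GPSInfoIFDPointer", None)
    if gps_off is not None:                       # GPS lives in its own sub-IFD
        tags.update(_read_ifd(tiff, gps_off, e, GPS_TAGS))
    return tags


def parse_exif(jpeg):
    """Walk JPEG segments until SOS/EOI; return IFD0+GPS tags or None if no EXIF."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack_from(">HH", jpeg, pos)
        if marker in (0xFFDA, 0xFFD9):            # scan data / end: no more headers
            break
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            return _parse_tiff(jpeg[pos + 10:pos + 2 + length])
        pos += 2 + length
    return None


def gps_decimal(tags):
    """(deg, min, sec) triplets plus N/S and E/W refs -> signed decimal degrees."""
    try:
        lat, lon = tags["GPSLatitude"], tags["GPSLongitude"]
    except KeyError:
        return None

    def dms(v, ref):
        dec = v[0] + v[1] / 60 + v[2] / 3600
        return -dec if ref in ("S", "W") else dec

    return dms(lat, tags.get("GPSLatitudeRef", "N")), dms(lon, tags.get("GPSLongitudeRef", "E"))


if __name__ == "__main__":
    t = parse_exif(build_sample_jpeg())
    print(t["Make"], t["Model"], gps_decimal(t))
```

The point the code makes is the one in the text: the EXIF block is a TIFF structure riding inside one JPEG segment, separate from whatever the file system knows about the file, and the GPS tags are a further sub-directory that is only present when the camera wrote it. Running the script on a photo instead of the constructed sample means reading the file in binary mode and passing the bytes to parse_exif().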
File metadata can make or break an investigation, yet many investigators completely overlook it.
A person from Texas is a human, but not all humans are Texans—or so I’ve been told. EXIF data is metadata, but not all metadata is EXIF data.
What the hell is a safe password anyway?
Some News
Speaking of passwords, Thursday (May 2) is World Password Day. To celebrate, Bitwarden released a survey conducted in Spring 2024, which gathered responses from 2,400 of its users worldwide. https://bitwarden.com/resources/world-password-day/
Akamai studied the web traffic going to malicious phishing sites impersonating the United States Postal Service and compared the results to the traffic going to the legitimate USPS website. Unsurprisingly, the traffic flow to the fake sites is similar to the traffic to the real site. From the report, “through this analysis, we discovered the number of DNS queries to the collected malicious domains is generally about equal to the number of queries to usps[.]com, and even exceeds it during peak times”. https://www.akamai.com/blog/security-research/phishing-usps-malicious-domains-traffic-equal-to-legitimate-traffic
This man hates robocalls. Seriously, David Frankel has dedicated the last twelve years of his life to battling these bots. Unfortunately, he’s just keeping them at bay. https://spectrum.ieee.org/how-to-stop-robocalls
A Texas man has been indicted for making 3D-printed copies of the universal postal keys known as arrow keys. The defendant, Piper, faces five felonies, including false statements to obtain credit, fraudulent use of identifying information, and drug possession. He had been arrested in September on misdemeanor theft and unlawful-use-of-a-criminal-instrument charges. https://www.click2houston.com/news/local/2024/04/17/man-accused-of-3d-printing-universal-mailbox-keys-indicted-in-harris-county/
The president of an anti-crime non-profit called Mid-America Crime Free turned out to be the criminal. Oh, and his other job: police officer. Kansas City police officer Aaron Wayne McKie has been indicted by a federal grand jury for a scheme in which he spent over $300,000 in donations on personal expenses. The indictment alleges that McKie used the majority of MACF funds for personal purposes, including travel, entertainment, restaurants, bars, retail and luxury goods, transfers to personal accounts, cash, household expenses, and personal tax payments. Is this irony? https://www.justice.gov/usao-wdmo/pr/kc-police-officer-indicted-300000-charity-fraud-scheme
During Q1 of 2024, nearly half of the engagements observed by Cisco Talos Incident Response were due to Business Email Compromise (BEC). This marks a significant increase from the previous quarter. https://blog.talosintelligence.com/talos-ir-quarterly-trends-q1-2024/
Casinos used to launder money? Who would have imagined? https://nevadacurrent.com/2024/04/22/gaming-control-board-joins-probe-of-money-laundering-in-nevada-casinos/
Do progressive prosecutors increase crime? The actual science says Yes. https://onlinelibrary.wiley.com/doi/full/10.1111/1745-9133.12666
Cool Tool
Yes, your IP address is visible to every other peer when you use torrenting software, and sites like this one log and index it. You probably don’t want to pirate your guilty-pleasure series without a VPN or proxy in front of the client. https://iknowwhatyoudownload.com/en/peer/
Cool Job
Special Agent - Organized Retail Theft Unit, Pennsylvania Office of Attorney General. https://www.governmentjobs.com/careers/paoag/jobs/4472490/special-agent-trainee-i-ii?page=4&pagetype=jobOpportunitiesJobs
Irrelevant
The group Catholic Answers released an AI priest called "Father Justin" but quickly “defrocked” the chatbot after it repeatedly claimed it was a real clergy member. https://futurism.com/catholics-defrock-ai-priest-hallucinations
Irrelevant but very relevant
Is Lyme disease becoming more prevalent? Yes. Are we making progress? Maybe. https://news.harvard.edu/gazette/story/2023/06/how-to-prevent-lyme-disease-this-summer/
Sign Off
Thank you for reading another issue. Every week, the view counts trend higher, but it doesn’t translate into new subscribers. I guess it’s like gore; people can’t help but come look once, but they never want to see it again.
If you have dropped in from our website, please consider subscribing. It's free, and we promise not to spam you or try to sell you anything.
Matt
“Do not cling to a mistake just because you spent a lot of time making it.” - Kevin Kelly
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter interests everyone tasked with cybersecurity or involved in preventing or investigating technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinion and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.