Darknets are a privileged environment for crooks that intend to develop a prolific business protecting their anonymity, anyway, there are several aspects that they need to consider in order to leave tracks that could allow their identification.
In the past the analysis of EXIF metadata allowed law enforcement and intelligence agencies to track suspects, but now cyber criminals, including sellers in the principal black markets, have started to metadata the photos they posted. The trend was confirmed by a study conducted by two students at the Harvard University, Paul Lisker and Michael Rose.
“Our goal was to leverage a longitudinal archive of dark net markets (DNMs) to collect and analyze sale listing images with metadata containing location data.” the students explained in a post.
What is EXIF metadata?
“Exchangeable image file format (officially Exif, according to JEIDA/JEITA/CIPA specifications) is a standard that specifies the formats for images, sound, and ancillary tags used by digital cameras (including smartphones), scanners and other systems handling image and sound files recorded by digital cameras.” reads Wikipedia.
Basically, every image took with a digital camera or a mobile device includes information, in the EXIF standard, such as the device used and the location of the shot. That data are written in the “exchangeable image file format” (EXIF) standard.
Paul Lisker and Michael Rose analyzed images of drugs and weapons used by crooks to advertise their product and services on black marketplaces in the dark web and saved them to a data repository maintained by an independent security researcher Gwern Branwen.
The archive is very interesting for security experts that intend to study the activities in the dark web, it includes data from some 83 dark markets and 40 associated forums. Information was collected from 2013 to 2015, totalling 44 million files or 1.5Tb of data.
“From 2013-2015, I scraped/mirrored on a weekly or daily basis all existing English-language DNMs as part of my research into their usage, lifetimes/characteristics, & legal riskiness; these scrapes covered vendor pages, feedback, images, etc. In addition, I made or obtained copies of as many other datasets & documents related to the DNMs as I could. This uniquely comprehensive collection is now publicly released as a 50GB (~1.6TB uncompressed) collection covering 89 DNMs & 37+ related forums, representing <4,438 mirrors, and is available for any research. This page documents the download, contents, interpretation, and technical methods behind the scrapes.” wrote Branwen.
The experts used bash scripts to search for EXIF data including longitude and latitude data among the images in the archive.
“In order to analyze the listing images inside each archive, we first searched for and compiled a list of the file path of all JPEG images to ensure that no file went untested. (Images used for listings were only in the JPEG format; any other image formats — PNG, GIF, etc. — were used for website graphics.) Then, using Python and bash scripts, we checked each image’s EXIF data for longitude or latitude data, saving the coordinates for each geotagged photo and its file path to a text file.” explained the student.
The experts found 229 unique images that contained geolocation data that would reference the location of the shot within a range of two kilometres.
The duo analysed roughly 223,471 unique dark market images, the vast majority don’t include the EXIF data.
“Out of these markets and forums, we located 2,276 total geotagged images, which after eliminating duplicates available over multiple days, gave 229 total unique images with associated coordinates. The coordinates—with decimals removed from the numbers to protect privacy—can be seen plotted in the map below. (The coordinates may be up to about one mile away from their true location.)” states the duo.
“In total, we analyzed 7,522,284 images from the entire DNM archive, representing 223,471* unique photos. Table 1 presents a summary of markets containing geotagged images:”
Most popular black markets like Agora stripped metadata from images published in the adv. In the case of Agora, the researchers noticed that EXIF metadata was absent on all images after 18 March 2014.
Below the conclusions of the study, the researchers highlighted that sellers and dark market websites are failing to remove EXIF metadata from images.
“First, it was common in many cases to observe sites, typically residential, surrounded by 5–10 tagged images separated by a few meters,” the students explained in a post.
“This suggests the behavior of sellers who are careless on a regular basis, rather than the occasional forgetfulness of not stripping data or purposeful manipulation.
“We also found several instances of these clusters incorporating listings on multiple sites, pointing to sellers with activities across the darknet and failing to strip their products’ location on any of the sites up.”
(Security Affairs – EXIF metadata, Darkweb)