Category talk:Investigation

Investigation Category
Petri, you created this category, I think. You start most of them. What do you hope to do by putting things in such a category? Is it more stuff about investigations or more investigative posts we've done? And would this page be a good spot to share investigative techniques we've used so others can replicate and improve them, etc.?

UN Office for the Coordination of Humanitarian Affairs
From Sharmine Narwani:
 * @snarwani – The most disgusting #UN whitewash of #Syria rebel violations: "Sometimes you cannot apply the rules"

-- Petri Krohn (talk) 13:01, 13 May 2013 (UTC)
 * "Sometimes you cannot apply the rules" - Syrian rebels and IHL
 * I saw this earlier but didn't really read it. Very informative and overly even-handed (oxymoron) piece from Iranians (IRIN). Linked there, the direct quotes of the fighters interviewed. What was the U.N. whitewash here? The quote was by FSA guy "Manhal Abu Bakr in Hama." --Caustic Logic (talk) 11:59, 18 November 2013 (UTC)

Using Google satellite images
Interesting: -- Petri Krohn (talk) 02:47, 19 November 2013 (UTC)
 * Google satellite photo shows a murder scene, says victim's father

EXIF Data and Sniffing Out Rats

 * Moved from Talk:Torture Photos from "Caesar"

He he! I was searching for a sample image to demonstrate meta-data of a torture victim photograph. I chanced on this image from HRW.

And what do you know!! It's been photoshopped!

EXIF IFD0

 Picture Orientation = normal (1)
 X-Resolution = 3000000/10000 ===> 300
 Y-Resolution = 3000000/10000 ===> 300
 X/Y-Resolution Unit = inch (2)
 Software / Firmware Version = Adobe Photoshop CS4 Windows
 Last Modified Date/Time = 2011:03:29 16:46:58
 Artist = choig

IPTC

 Record Version = 35475
 By-line = choig
 Object Name = Microsoft Word - peru_2011.doc

It came from or went into a Microsoft Word document - peru_2011.doc. So the usage is related to Peru while the image is titled Bangladesh.

--Charles Wood (talk) 04:08, 24 January 2014 (UTC)


 * Interesting, and probably the first fully naked ass we've shown here. "Photoshopped" of course doesn't mean altered, just it opens the possibility, right? Could just be where they pasted it after copying from the document. As for the Peru clue, maybe it was drafted in Peru, etc., but definitely a valid point, and a cool side-finding. I'm not an expert in anything in the room, but it and the guy's jeans to me say something like Peru over Bangladesh. --Caustic Logic (talk) 10:02, 24 January 2014 (UTC)

O.K. Here's a better example that's not been obviously photoshopped



EXIF IFD0

 Camera Make = OLYMPUS OPTICAL CO.,LTD
 Camera Model = C40Z,D40Z
 Picture Orientation = normal (1)
 Last Modified Date/Time = 2002:09:23 04:29:47

EXIF Sub IFD

 Exposure Time (1 / Shutter Speed) = 10/400 second ===> 1/40 second ===> 0.025 second
 Lens F-Number / F-Stop = 34/10 ===> ƒ/3.4
 ISO Speed Ratings = 200
 Original Date/Time = 2002:09:23 04:29:47
 Exposure Bias (EV) = 10/10 ===> 1
 Flash = Flash fired
 Focal Length = 112/10 mm ===> 11.2 mm
 Image Width = 3200 pixels
 Image Height = 2400 pixels

So we have an object lesson in the usefulness of EXIF metadata in sniffing out rats. --Charles Wood (talk) 04:34, 24 January 2014 (UTC)


 * Thanks for getting both motivated and concrete. This is a great start. If I can though ... what's the lesson? --Caustic Logic (talk) 10:02, 24 January 2014 (UTC)


 * The lesson is that there are many ways a faker can give themselves away. Although the HRW image may have been innocently altered, the metadata suggests that the location is in doubt. In a court of law this would be good enough to discard the image as evidence without further corroborating facts. The Chinese image on the other hand has consistent metadata but we have no idea whether the image was staged or not. Again it would be of dubious probative value.


 * In my business in the criminal defence area, every bit of evidence you can get dropped by the prosecution is a bonus. Both these images and especially the HRW image would be easily contested.


 * As a practical example, in one of my cases a jpeg scan of a document on a memory stick showed EXIF metadata from a time and date when the defendant was known to not be in possession of the stick. The prosecution hadn't checked that, but yours truly did. The implication was that the document was placed on the stick to incriminate the defendant (the document was linked strongly to the defendant). This fact alone was sufficient to get a hung jury.


 * The lack of metadata on the Caesar images is a sign of a legal team intimately aware of the dangers of releasing data that may affect their narrative - not their case, there isn't one. --Charles Wood (talk) 12:18, 24 January 2014 (UTC)


 * Excellent, thanks. It can be all kinds of data (maybe even the file name to some extent) that provides clues "meta" to the image itself. Sometimes this can even include GPS data? (I intend to organize all this into the front page, if no one else does, once I feel I have a grasp) (also, I appreciate the narrative vs. case distinction and will keep it in mind.) --Caustic Logic (talk) 12:48, 24 January 2014 (UTC)
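
Added example, not part of the original thread or any participant's code: a minimal reader for the IFD0 fields shown in the two dumps above, plus a check for the two points the discussion raises (an editing-software tag, and missing camera make/model). It works on the TIFF block inside the EXIF segment rather than a whole JPEG; `read_ifd0`, `review`, `build_tiff` and the `EDITORS` list are names assumed for this illustration, and the sample blocks are constructed from the field values quoted in the thread.

```python
import struct

# Standard TIFF/EXIF IFD0 tag numbers for the fields shown in the dumps above.
TAGS = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software",
        0x0132: "DateTime", 0x013B: "Artist"}
EDITORS = ("photoshop", "gimp", "lightroom")  # illustrative list, not exhaustive

def read_ifd0(tiff: bytes) -> dict:
    """Return the ASCII IFD0 tags from a TIFF/EXIF block (bytes after 'Exif\\0\\0')."""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None or len(tiff) < 8 or struct.unpack_from(order + "H", tiff, 2)[0] != 42:
        raise ValueError("not a TIFF header")
    (ifd,) = struct.unpack_from(order + "I", tiff, 4)
    (count,) = struct.unpack_from(order + "H", tiff, ifd)
    meta = {}
    for i in range(count):
        if ifd + 14 + 12 * i > len(tiff):
            break  # truncated directory: keep what was readable
        tag, typ, n, val = struct.unpack_from(order + "HHI4s", tiff, ifd + 2 + 12 * i)
        if tag not in TAGS or typ != 2:  # type 2 = ASCII string
            continue
        off = struct.unpack(order + "I", val)[0]  # used only when the value is > 4 bytes
        raw = val[:n] if n <= 4 else tiff[off:off + n]
        meta[TAGS[tag]] = raw.rstrip(b"\0").decode("ascii", "replace")
    return meta

def review(meta: dict) -> list:
    """List the points an examiner would want explained before relying on the image."""
    notes = []
    if any(e in meta.get("Software", "").lower() for e in EDITORS):
        notes.append("last saved by editing software: " + meta["Software"])
    if not ({"Make", "Model"} & meta.keys()):
        notes.append("no camera make/model recorded")
    return notes

def build_tiff(fields: dict) -> bytes:
    """Constructed sample input: little-endian TIFF block holding ASCII IFD0 entries."""
    entries, data, base = b"", b"", 8 + 2 + 12 * len(fields) + 4
    for tag, text in sorted(fields.items()):
        raw = text.encode("ascii") + b"\0"
        ref = raw if len(raw) <= 4 else struct.pack("<I", base + len(data))
        entries += struct.pack("<HHI4s", tag, 2, len(raw), ref)
        data += b"" if len(raw) <= 4 else raw
    return b"II*\0" + struct.pack("<IH", 8, len(fields)) + entries + bytes(4) + data

# Constructed samples using the field values from the two dumps quoted in this thread.
EDITED = build_tiff({0x0131: "Adobe Photoshop CS4 Windows",
                     0x0132: "2011:03:29 16:46:58", 0x013B: "choig"})
CAMERA = build_tiff({0x010F: "OLYMPUS OPTICAL CO.,LTD", 0x0110: "C40Z,D40Z",
                     0x0132: "2002:09:23 04:29:47"})
```

A note from `review` marks something to explain, not proof of alteration, and an empty list says nothing about whether a scene was staged.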

SEA site Blocked in Australia

 * Moved from Talk:Alleged Chemical Attack, August 21, 2013

(Side-conversation) --Caustic Logic (talk) 13:31, 12 December 2013 (UTC)

The website is down or blocked or DOS'd. I have a google cache copy --Charles Wood (talk) 09:36, 10 December 2013 (UTC)


 * Works fine for me. So, blocked for you. --CE (talk) 09:48, 10 December 2013 (UTC)


 * Wow! I'd heard the Australian authorities were blocking child-porn sites but didn't know they also did political blocks. I can get round it of course. Though it seems they've dropped it out of the DNS system and blocked the IP address! Bastards!


 * I wonder if they are as good as China? I was there a few months ago and they blocked lots of sites including youtube and blogspot (but not liveleak) and they blocked proxies as well. --Charles Wood (talk) 10:06, 10 December 2013 (UTC)


 * Thank goodness they haven't blocked hidemyass.com ! By the way, I have my own class-c and don't use any ISP upstream proxy. This block is quite full-on. They've blocked it at DNS and international router level rather than at ISP level! Bastards! --Charles Wood (talk) 10:11, 10 December 2013 (UTC)


 * Wow, that sucks. Wasn't it Australia whose great firewall list was published by WikiLeaks a couple of years ago, with some poor dentist who fought tooth & nails to get off the list again? We got around that "child porn filter" stuff with a lot of public effort here in Germany last time, but they'll try again after they manage to form a new government. --CE (talk) 11:36, 10 December 2013 (UTC)


 * In my day-job I deal with a lot of child-porn (professionally). The hard-core users all use Tor which is not blockable or traceable and has search facilities to find huge amounts of child porn as well as buy and sell drugs and any other vice you can think of. The Australian firewall is basically a joke designed to make a certain demographic feel safe when they're not. --Charles Wood (talk) 11:55, 10 December 2013 (UTC)


 * Yeah, fortunately we have the fabulous Chaos Computer Club here who are quite accepted as "white hat" hackers in society and were invited to explain to the politicians and judges how ridiculous that "child porn" argument is and how easy it is to circumvent such a firewall even without using tools those to-stop evil-doers are using already, but the average internet user doesn't know about. That was one of the main points that prevented these laws. Focus on taking them off the net (as most are hosted in the US or other rule-of-law countries anyway) instead of creating infrastructure inviting abuse. --CE (talk) 12:06, 10 December 2013 (UTC)


 * In my day job I deal with a wide spectrum from the amateur who's picked up a DVD in a Thailand street market through the hard-core professional who's been doing this stuff since before the invention of the web browser and knows all the tricks. The only possible benefit I can see of a firewall is to make it harder for the 'merely curious' to make the first step.


 * Tor knows no boundaries. The content is encrypted. The access paths are encrypted. The search tools are encrypted. Tor is in fact an entire alternative Internet that rests in the heart of the ordinary internet entirely unseen. The content can be anywhere.


 * Luckily Tor leaks. Or at least certain implementations of it do. There are sufficient fingerprints left on computers that it's often possible to get a conviction. Even more interesting is that a large percentage of Tor end nodes are operated by intelligence agencies. In many cases the last leg communications are in-clear and can be monitored. Not all cases, but most Tor users aren't sophisticated enough to make sure there is 100% security on all legs to the communications.


 * If you want to be especially secret don't use electronic communications. Use couriers and encrypted USB sticks or DVDs. Cracking encrypted media is still a very hard task if it's done right. --Charles Wood (talk) 12:27, 10 December 2013 (UTC)


 * The problem with that "merely curious" argument is that maybe no topic has a smaller part of the population just taking a look. But you're right, at least it is an argument. Which reminds me and brings me back to topic - in case your overlords want to protect you from learning about "sheep shagging" as they call it... there are indications that that fellow Van Dyke is into it or has been joking about it, and the term "bestiality" is used somewhere on that page... --CE (talk) 12:53, 10 December 2013 (UTC)