Resources: Google Maps forensics?

erowe
(@erowe)
Estimable Member
Joined: 18 years ago
Posts: 144
Topic starter  

I was just wondering if anyone knew of any tools, resources, or research into Google Maps forensics.

Is there any way to tell what addresses a user searched for (the URL doesn't change anymore)? Is there any way to see where a user moused/navigated to?

And what type of images are being sent - and are they cached? I gather some cell phone tools can do this, but I think they rely on screen-shots.

(I tried Googling for info on this, but no luck. I also looked at the Google Maps page source, something that would presumably be cached, but it was very ugly and I couldn't find any useful info (yet).)


   
(@belkasoft)
Estimable Member
Joined: 17 years ago
Posts: 169
 

Do you have live RAM dump for that or trying to get any results from a hard drive?


   
(@joethomas)
Trusted Member
Joined: 16 years ago
Posts: 65
 

Google Earth saves user activity in .kmz files, but I thought that Google Maps would just save stuff to temporary internet files?


   
(@angrybadger)
Estimable Member
Joined: 18 years ago
Posts: 164
 


Wireshark to monitor traffic between server and client.
Procmon to monitor file writes.
Firebug to see what the javascript is actually doing.


   
nlpd120
(@nlpd120)
Trusted Member
Joined: 15 years ago
Posts: 96
 

I sent you a PM. I did come up with some hex search terms that may be helpful.

Regards,

Chris Currier


   
erowe
(@erowe)
Estimable Member
Joined: 18 years ago
Posts: 144
Topic starter  

I did a bit of web page deconstruction and found the following

First of all you can find the Google Maps search query by searching
for <a href="http://maps.google.ca/maps

The search query will typically be of the form
"q=term1+term2+term3+…" since Google Maps appears to use the GET
method to send data to their servers(?).

You can also find the map coordinates that were returned by searching
for center{lat OR lng

Once you get the map coordinates you can simply go to Google maps and
type them into the search box. This will return the map of the
location that was sent to the user.

For instance if you find the following data
center{lat45.456991000000002,lng-75.653740999999997}

You can then plug the following expression in the Google Maps Search
box 45.456991000000002 -75.653740999999997
This will return the map that was sent to the user.

Also, Google Maps sends the satellite images that make up the maps as
jpegs. These can be carved out of either memory or HD images with any
luck. If you're good at jigsaw puzzles, you can assemble them to make
a proper, complete image.

The road-map overlays are sent as pngs and can also be carved out and assembled.

As for the route directions between two locations, I haven't had time
to look at that yet. I hope to do that soon.

[I'm looking at this from the perspective of memory dumps where a person was using private browsing and it would be unlikely to get complete, cached web pages…]
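An added example, not code from this post or from any tool named in the thread, that automates the search approach described above: it scans a raw dump for maps.google.* search URLs with their q= term, for center{lat,lng} blocks, and for JPEG/PNG tile headers that mark carving start points. The dump bytes are constructed inline for illustration and are not real evidence.

```python
import re
from urllib.parse import parse_qs

# Constructed sample "memory dump" fragment (not real evidence). It contains the
# artifacts the post describes: a maps.google.* GET URL with a q= search term,
# a center{lat,lng} block, and JPEG / PNG tile headers.
SAMPLE_DUMP = (
    b"\x00\x00junk<a href=\"http://maps.google.ca/maps?q=123+Main+St+Ottawa&hl=en\">"
    b"\x00\x00center{lat:45.456991000000002,lng:-75.653740999999997}\x00"
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00tile-data\xff\xd9"
    b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDRoverlay"
)

# Google Maps URL followed by its query string (any country TLD, e.g. .ca or .com).
MAPS_URL_RE = re.compile(rb"maps\.google\.[a-z.]+/maps\?([^\s\"'<>]+)")
# center{lat...,lng...}; the colon is optional because the forum post shows it stripped.
CENTER_RE = re.compile(rb"center\{lat:?(-?\d+\.\d+),\s*lng:?(-?\d+\.\d+)\}")
# File signatures of the tile images the post says are sent as JPEG and PNG.
IMAGE_MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png"}

def find_search_queries(data: bytes) -> list[str]:
    """Return the decoded q= search terms from Google Maps GET URLs in the blob."""
    queries = []
    for m in MAPS_URL_RE.finditer(data):
        params = parse_qs(m.group(1).decode("ascii", "replace"))
        queries.extend(params.get("q", []))  # parse_qs already turns '+' into spaces
    return queries

def find_map_centers(data: bytes) -> list[tuple[float, float]]:
    """Return (lat, lng) pairs from center{...} blocks, ready to paste into the search box."""
    return [(float(m.group(1)), float(m.group(2))) for m in CENTER_RE.finditer(data)]

def find_image_signatures(data: bytes) -> list[tuple[int, str]]:
    """Return (offset, type) for every JPEG/PNG header, as carving starting points."""
    hits = []
    for magic, kind in IMAGE_MAGIC.items():
        start = 0
        while (pos := data.find(magic, start)) != -1:
            hits.append((pos, kind))
            start = pos + 1
    return sorted(hits)

def scan_dump(data: bytes) -> dict:
    """Collect every Google Maps artifact found in a raw dump."""
    return {"queries": find_search_queries(data),
            "centers": find_map_centers(data),
            "images": find_image_signatures(data)}

if __name__ == "__main__":
    print(scan_dump(SAMPLE_DUMP))
```

On a real image, read the file in binary and pass it to scan_dump; the offsets returned for image headers are where a carver would start cutting tiles.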


   
erowe
(@erowe)
Estimable Member
Joined: 18 years ago
Posts: 144
Topic starter  

Hmorgan, with regard to using Wireshark, do you have a technique or tool to decompress the data within packets?

If I recall it used to be fairly easy to simply extract things like jpegs, but I gather a lot of data is now being compressed (GZIP ?) before it is sent - something that makes packet content inspection harder.


   
 WMIF
(@wmif)
Active Member
Joined: 14 years ago
Posts: 7
 

Don't waste your time with Wireshark in this type of work. You don't need the level of detail that it gives you. You are looking to find artifacts of web traffic, so the better tool is one that captures web traffic.

I use a tool called fiddler2 (http://www.fiddler2.com/fiddler2/) which places itself between the browser and the web server by acting as a proxy server. It automatically configures IE and FF to direct traffic through its process. It has the ability to decrypt HTTPS traffic by faking SSL certs (it is not covert, as the browser will warn). It can also decode the gzip compressed files automatically. It functions similar to Wireshark in that it lists the traffic in records, but the records represent a pair of the request and response.

You can inspect the headers of both requests and even pause the traffic to 'fiddle' with the headers or data. It was designed for web developers, but works perfectly for this type of research. This is the tool I use to keep track of the gmail data structures.

James
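An added example, not code from the thread or from Fiddler, showing the decompression step asked about above: given one raw captured HTTP response, it undoes chunked transfer encoding and gzip/deflate content encoding, then identifies the recovered tile by its magic bytes instead of trusting Content-Type. The response bytes are constructed inline by a helper.

```python
import gzip
import zlib
# Constructed test data: a fake JPEG tile (SOI + JFIF header, filler, EOI).
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64 + b"\xff\xd9"

def build_sample_response(payload: bytes) -> bytes:
    """Wrap payload as a chunked, gzip-encoded HTTP/1.1 response (constructed input)."""
    gz = gzip.compress(payload)
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(gz), gz)
    return (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n"
            b"Content-Encoding: gzip\r\nTransfer-Encoding: chunked\r\n\r\n" + chunked)

def split_response(raw: bytes) -> tuple[dict, bytes]:
    """Split a raw response into a lowercase-keyed header dict and the raw body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # [0] is the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, body

def dechunk(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body (chunk-size lines are hex)."""
    out, pos = bytearray(), 0
    while True:
        line_end = body.index(b"\r\n", pos)
        size = int(body[pos:line_end].split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            return bytes(out)
        out += body[line_end + 2:line_end + 2 + size]
        pos = line_end + 2 + size + 2  # skip the data and its trailing CRLF

def decode_body(headers: dict, body: bytes) -> bytes:
    """Undo chunking and content encoding to recover the bytes the browser rendered."""
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = dechunk(body)
    enc = headers.get("content-encoding", "").lower()
    if enc == "gzip":
        body = gzip.decompress(body)
    elif enc == "deflate":
        body = zlib.decompress(body)  # RFC 2616 "deflate" is a zlib-wrapped stream
    return body

def sniff_image(body: bytes) -> str:
    """Classify a recovered body by magic bytes rather than trusting Content-Type."""
    if body.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if body.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    return "unknown"
```

Feed it the reassembled TCP stream of a single response (for example, one exported from a capture) rather than individual packets, since the gzip stream only decodes once the whole body is present.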


   
 jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

fiddler has to be on the target machine that generates the traffic.

WireShark just needs to be in the path of the traffic.


   
 WMIF
(@wmif)
Active Member
Joined: 14 years ago
Posts: 7
 

Actually, Fiddler just has to be in the path as well. You can configure any machine you want to use Fiddler as its proxy. I have done it with multiple VM machines and physical machines. I have even done it from Linux and Mac to a Windows machine running Fiddler.

Like I said, I use this as my research tool.


   