Secure Computing: Sec-C

Hacker Factor Commentary on Computing and Security

 Home
Blog

Harry Potter Leaked and Analyzed

Thursday, July 19. 2007

You just knew it was going to happen. Someone got hold of a pre-release Harry Potter and The Deathly Hallows. This person took a digital picture of every page and posted the entire book on bittorrents, such as the Pirate Bay. The leak happened on Monday, and the mass media picked it up a day later.

Now, I don't expect anyone to seriously read the book this way. The quality is poor and some pages are not readable without tuning the color pallet. Die-hard fans of the series have already ordered the book. If they cannot wait, then the publisher will still be happy knowing that downloaders already paid for it. And non-fans won't waste their time trying to make out the words on these poor-quality images.

However, leaking the book is still bad. In my upcoming presentation at Black Hat on image analysis and digital forensics, I cover observation and meta data analysis techniques. So, I decided to analyze the photos. Things I noticed:
  • The photo of the copyright page (ironic, isn't it?) says that this is the United States version of the book.

  • The photographer's hand is visible in most of the pictures. The left hand is holding the book open, while the right hand is holding the camera. This allows us to profile the photographer.

  • The photographer is Caucasian.

  • The photographer is probably not married (no wedding ring on left hand).

  • The photographer is likely male. In the first few photos, the ring finger appears to be longer than the index finger. This is called the 2D:4D ratio and a lower ratio is symptomatic a high level of testosterone, suggesting a male. However, there is no clear shot of the fingers layed out, so this is not conclusive.

  • Although cameras are usualy designed for right-handed use, the photographer uses his left hand to pin down the book. This suggests that the photographer is right handed. (I've seen southpaws try to do this sort of thing, and they usually hold the camera in an odd way with their left hand.) However, this too is not conclusive.

  • The photographer's hand looks young -- possibly a teenager or young adult.

  • The photographer has no visible mid-digital hair. Since mid-digital hair is a dominant feature, the photographer appears to have a recessive trait.

  • The photos contain meta-data. The camera is a Canon EOS Digital Rebel 300D, Firmware Version 1.0.2. Since the quantization tables match the camera make and model, the images were unlikely modified.

  • The camera's serial number is 0560151117. This is stored in the meta data. The manufacturer should be able to identify what region and store sold the camera. Also, if the photographer put the camera on his insurance, then it should be traceable to an individual. (Considering that this is a $500 to $900 camera, there is a good chance it was itemized on the photographer's insurance.) The first two digits of the serial number indicate the manufacture year; the camera was made in 2005 ("05").

  • According to the meta data, the first picture was taken at 2007:07:15 20:39:58 and the last one at 2007:07:16 00:14:12. Unfortunately, we don't know the timezone.

  • The oldest posting (download disabled) for the book that I could find was on Totse.com, dated 2007-07-16 07:17 (GMT). Ignoring timezones, this is about 7 hours 3 minutes after the first picture was taken. However, the time differences can used to estimate the timezone of the photographer. At GMT-0700, the book would have been uploaded 3 minutes after the last picture was taken. This is unlikely since it's a 73M file and most home broadband connections take more than 3 minutes to upload something that big. Also, three minutes does not account for uploading the pictures from camera to computer and zipping them up. That leaves GMT-0600 or GMT-0500 as likely candidates (with GMT-0500 being more likely since Totse was probably not the first posting). Of course, all of this assumes that the camera's time is correct...

  • The upload by "pkfl3470" to the Pirate Bay's torrent is timestamped 2007-07-18 15:26:23 GMT. The zip file containing the book does include a Windows Thumbs.db file. According to this, the first file was saved to the Windows computer at Wed Jul 18 06:43:34 2007. This is the localtime for the Windows computer. Since two days passed since the Totse upload and the Pirate Bay upload, the person who uploaded it to the Pirate Bay is probably not the same person who took the pictures.

  • The posting on Totse points out one very interesting feature. The book cover has a protective jacket taped onto it. This is likely a library book. The poster mentioned that many libraries have already received the book but are forbidden from putting it on shelves. (And a library may actually have a $900 digital camera handy, and it would be itemized on their insurance.)

  • The photos were taken on the floor. The carpet is multi-colored and thin, suggesting a desire for high-traffic and spill resistance. A library, dorm, or other public area is a good guess.

  • There is a brown suede shoe with a black sole on the floor next to the book. Although I have attended the World Shoe Association's summer convention in Las Vegas, I'm not a shoe expert. However, IMG_3865.jpg shows a water stain on the toe of the shoe. Is that a piss stain from not standing close enough to the urinal?

  • The first few photos show an empty can in the top corner. I believe it is Caffeine-free Diet Coke. Considering that Diet Coke is primarily marketed toward female demographics, perhaps the photographer is female. Later photos (e.g., IMG_3955.jpg) shows a remote control in the top corner.

Do I think the photographer will get away with it? I'm leaning toward a "no", but time will tell. (Pun intended.) If for no other reasons that the camera serial number and library book provide traceability.

Pseudo-legal notice: Any copies of the photos that I have received are used for image analysis only. Laws and ethics prevent me from uploading or distributing the files. If you want to read the book, I strongly recommend buying it. As for me, I can wait until Amazon ships me my pre-ordered copy of the book.

Side note: I really did attend the World Shoe Association conference in 2002. I did it because registration took nothing and they gave good hotel discounts. WSA also provided me with free tickets to see Robin Williams. (WSA is at the same time as Defcon.) Attending WSA also yielded bonus points during the Defcon scavanger hunt for my team: Stupid Team Name.

UPDATE: (15-Aug-2007) Bruce Schneier has his own write-up of this story.
Posted by Dr. Neal Krawetz in Image Analysis, Forensics at 02:28 | Comments (5) | Permlink

Comments
Display comments as (Linear | Threaded)

#1 Nitin Kushwaha (Homepage) on 2007-07-28 02:44 (Reply)

Hi,

I agree regarding the EXIF metadata, found from the DSC images,

But how can it help in actually finding out who is this guy,

even u will get the focal length, GPS location, and the Serial Number from the Metadata.

Can you please expedite how to find the person.

Thanks

Nitin Kushwaha
CHFI.CEH.ITIL.SCSCSA.CIW-SA.MCSE.MCSA
#1.1 Dr. Neal Krawetz (Homepage) on 2007-07-28 05:33 (Reply)

Hi Nitin,

This particular digital camera does not store GPS information. (If it did, then it would be VERY easy to find the photographer.)

In the United States, law enforcement can run stolen equipment through a serial number database in order to find the registered owner. They use it for handguns, but also for things like recovered TVs and stereos. If the camera's owner put the camera on their insurance, then it is in the database and indexed by serial number. This would make it very easy to identify.

However, it is possible that the camera is not in the database (not itemized on the insurance). In that case, it can still be tracked by the serial number. Manufactuers track serial numbers to regions and stores. For example, they might know that it was sold at a Best Buy in New York, but not which specific Best Buy. However, this identifies the region. After that, they can start checking libraries in that area -- look for the carpet and the book. (The picture of the tape in the last photo is good enough to make a positive match if you have the actual book.) Then you can start looking at people who had access to the book in the days before it was placed on the shelf. This isn't as fast as the serial number database, but will yield the same results.

Then again, the publisher may not feel that it is worth the cost and effort to track down the photographer. Especially considering the low quality of the photos.
#2 Steve D on 2007-08-09 10:18 (Reply)

"The photographer is not married"...

(Looks at empty left hand) My wife of 20+ years will be upset to learn that not wearing a ring now means an annulment.

You mean "probably" isn't married. There are lots of us out here who don't wear wedding bands for various reasons.
#2.1 Dr. Neal Krawetz (Homepage) on 2007-08-09 11:05 (Reply)

Corrected. Thanks!
#3 theguyharrylol on 2008-08-11 13:33 (Reply)

He should be caught by now...

Add Comment

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.
E-Mail addresses will not be displayed and will only be used for E-Mail notifications

Search

Calendar

« February '10 »
S M T W T F S
  1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28            

Archives

February 2010
January 2010
December 2009
Recent...
Older...

Categories

Feeds

Popular Posts

How Not to do Image Analysis Part I and Part II
As Alive As Elvis
Body By Victoria
Direct Deposit, Direct Withdrawl
Point-of-Sale Vulnerabilities

Links

Images
Photoshop Disasters
Food In Real Life
Worth1000
CG Society
Awkward Family Photos
Oh No They Didn't

Security
Internet Storm Center
Security Focus
CyberSpeak
Cybercrime

Blogs
Fergie's Tech Blog
Xenon's Isotopia
James Carrion
Mark Shuttleworth
Obama Conspiracies
Barackryphal
Unnecessary "Quotes"