## Wednesday, December 3, 2014

### Search Challenge (12/3/14): What's going on in this file?

I'm in DC for the rest of this week, teaching folks a bit about SearchResearch skills.  And to celebrate, I have a particularly interesting Challenge for this week.

Here's a link to a file for you:  http://dmrussell.net/data/history-11-22-2014.kml

The Challenge is this:

1.  What's going on in this file?
Given just this information, what can you deduce?

This isn't a crazy off-the-wall question--this is the kind of thing that Digital Forensics people do all the time.  Think of this Challenge as a bit of SRS Sherlock Holmes,  CSI, MacGyver, or Columbo (depending on what age you are)!

Be sure to tell us your thought process as you try to figure out what's going on here.  You're really trying to figure out what this file is telling you.  There's a real story here--can you decode it?

If everyone's stuck, I'll give a couple of hints tomorrow, but I wanted to start off with a real Challenge, and see how far everyone gets!

Search on!

1. It is a location history (for you) commonly used to trace a route.

My process: What is a kml file? --> How do you open kml files in Google Maps? --> Result page: Location history for Latitude User from 11/22/2014 to 11/29/2014 --> Create a kml file for Google Maps --> Share your location google maps history kml file --> Result page: WHAT IS A KML FILE AND HOW IS IT USED?

2. Good Morning, Dr. Russell and everyone.

Looking at the file, noticed this.

1. KML. That shows us it is Google Earth related. Therefore, location.

2. Coordinates

3. Description shows: Location history for Latitude User from 11/22/2014 to 11/29/2014


We wanted a better way to represent movement on and above the globe Google Earth.

4. [coordinates provided]

5. [/gx:coord]

A coordinate value consisting of three values for longitude, latitude, and altitude, with no comma separators

Keyhole Markup Language

Kml Sampler

[122 degrees coordinates]

Google Maps output There we can see elevation profile, Google Maps, Earth and others.

1. What's going on in this file? Given just this information, what can you deduce?

File is code for KML (Google Earth) that tracks position in Latitude, Longitude and Altitude

Location history from 11/22/2014 to 11/29/2014

Looking data in Maps. It is a travel Coast to Coast in The United States in different ways. It includes airplane and underground.

1. While doing the Challenge, I had difficulties with coordinates. Normally, I got confused with left and right and stuff like that. Therefore, when I looked at them, I searched with copy/paste to have an idea. For example [79.0541395 35.9096001] and went to the Barents Sea instead of North Carolina.

Search for and get coordinates

Also noticed Kml displays: Longitude, latitude, altitude. Google Search: Latitude, longitude.

Jon tU The speed and flights you tell us is great. When I looked at the data in the site, I couldn't appreciate that. Fantastic :)

3. First I see it's a kml file so GoogleEarth. and second line contains "http://www.google.com/kml

Farther down I see "Placemark" followed by Location history for Latitude User from 11/22/2014 to 11/29/2014

Punching that into SEARCH I find "simple kml" at the top. Looks like your data are a track in GE. Written in Python.

I saved your data in my text editor as kml file. Which then opened in GE as expected [hoped for !]

Explored a bit then opened the Elevation feature. Now it gets interesting.

Shows a 6 day trip starting from Chapel Hill then Raleigh Durham International Airport whence the flight commenced to SF at 387 mph, mostly. Top speed reached was an astounding 3205.5 mph !

There were 2 "flights" on the west coast which must have been fascinating. Travelled at 994 mph 2 feet below the surface of the water on 2 occasions. And flying around the mountains at 200 feet of altitude at 2000 mph must have been gut wrenching.

I shall explore further to learn the names of the second pilots two Bernese puppies and the colour of his wife's motorcar.

This is a great Challenge.

Spent a bit over half an hour futzing around

jon tU

4. So, I noticed the location/gps data and tried to pull individual coordinates into google maps. One batch, for some reason, was in Antarctica and the other near Point Reyes, CA. Some of the coordinates wouldn't work anyway.

Second thing I noticed was that it was a .kml file which is google earth. So, saved the file and opened it with Earth. This gave a cool little slider with more reasonable locations in CA and NC.

My detective work shows that this is your phone/gps location for Nov 22-28. Do you want any more specifics?

5. I thought I got something wrong when I clicked the link to a kml file as it showed the markup and didn't download. I saved the page that opened to download the file and open in Google Earth.
Something was weird as it showed a straight line from coast to coast. I zoomed in and things got really weird. Zoomed out and noticed the timeline appear at the top. Clicked play and saw the Earth as it traveled through time and space. Cool, but not clear as to what I was seeing.

Back to the page of code. First query [ StyleMap id="multiTrack" ] just confirmed it was tied to kml.

Next search [ Latitude User from ] talked about the dead Google Latitude service. Went to Latitude has been retired to see if it had been assimilated into anything else. Followed a link on that page to Your Location History. I noticed that I can export my history as a kml file.

Went back to the code and then searched for [ gx:coord gx:coord ] . I took out the coordinates because they weren't helpful. I found KML Reference to tell me that it contains 3 coordinates for longitude, latitude, and altitude.

Based on what I saw in Google Earth and figuring this is your location history and how short the timeline is from one point on the coast to the other coast I can tell you were flying (with your phone ON! For shame.) ;-)

So now based on the time of departure and arrival, I wonder if we can track down which flights you were on?

Off to search [ airline flight history ].

6. we are tracking a person who
leaves Carolina Inn
takes the plane to San Francisco at 6.49 (cost of tickets 300-500\$ skyscanner)
staying in San Francisco at 3419 Ramona St, which seems a lovely house with 3 beds, 2 baths, and approximately 1,528 square feet. The property was built in 1950.
the property prices may be rising( 3419 Ramona St is in the St. Claire Gardens neighborhood in Palo Alto, CA. The average list price for St. Claire Gardens is \$3,674,500. http://www.zillow.com/homedetails/3419-Ramona-St-Palo-Alto-CA-94306/19502907_zpid/ )
doing some work at Google ;)
having a coupe of coffee at Peet's Coffee&Tea
having a trip to Bird Island, with a stop at Santa Cruz/Costanoa

ps: what I don't understand is the altitude in some of the location, https://developers.google.com/kml/documentation/kmlreference#gxcoord says that the gx:coord has longitude, latitude, and altitude and it seems that in some locations the altitude is negative, an explanation may be scuba-diving?

7. Easy to identify the kml file extension and we know Google Earth uses that format. I imported the kml file into Google Earth which is shown on my shared document (Image 1). As well the document shows the tracking, starting at the University of Columbia in Chapel Hill North Carolina (Image 2) and then the final destination in Palo Alto (Image 3).

Then I did random samplings of time & coordinates to see where Dr. Dan (or his phone more precisely) got to. Nothing dramatic showed up and I stopped my sampling only because my eyes were getting tired. But something that I am not sure about did show up. See below the four lines of coordinates and time taken from Dr. Dan’s file. The first two lines relate to departure from North Carolina and the second two lines are the arrival in San Francisco. I assume local time is noted which is why the times are almost exactly the same. No recordings were made between these two locations.

What I don’t understand is if the phone was not recording while in flight why do we have the track across the USA showing up. My assumption is that the last satellite link in North Carolina is held in memory until the next satellite link is made which in this case is San Francisco. But can I then assume it just did a best guess to draw the track across the USA. For example in Canada flights often go in a curve northward because travelling the globe in a straight line is often a longer route. Is the track the actual route based on some other facts? I know GPS on phones isn’t as precise as a dedicated GPS device. You do get odd tracks even on GPS devices quite often because of the location of the satellite as it passes by or the fluctuation in the number of satellites visible at any given moment.
From Dr. Dan’s kml file--

-78.7949546 35.8780288 0
2014-11-22T10:08:49.081-08:00
-122.38951 37.6213898 0
2014-11-22T10:10:00.810-08:00

To clarify on my shared document is a list of the comments after the images that I made as I scanned the file from Dr. Dan. That’s to alleviate the need to scroll through the long document.
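An added example, not part of the original post or its comments: a minimal parser for the `gx:Track` data discussed above that pairs each `<when>` with its `<gx:coord>`, converts the KML longitude-latitude-altitude order to lat/lon, and flags legs whose implied speed is physically implausible. The sample document is constructed from coordinates and timestamps quoted in the comments; how they pair in the real file, the first timestamp, and the 1100 km/h threshold are assumptions.

```python
import math
import xml.etree.ElementTree as ET
from datetime import datetime

KML = "{http://www.opengis.net/kml/2.2}"
GX = "{http://www.google.com/kml/ext/2.2}"

# Constructed sample. Coordinates and the last two timestamps are values
# quoted in the comments above; the first timestamp is made up.
SAMPLE_KML = """<kml xmlns="http://www.opengis.net/kml/2.2"
     xmlns:gx="http://www.google.com/kml/ext/2.2">
<Document><Placemark><gx:Track>
<when>2014-11-22T09:30:00.000-08:00</when>
<gx:coord>-79.0541395 35.9096001 0</gx:coord>
<when>2014-11-22T10:08:49.081-08:00</when>
<gx:coord>-78.7949546 35.8780288 0</gx:coord>
<when>2014-11-22T10:10:00.810-08:00</when>
<gx:coord>-122.38951 37.6213898 0</gx:coord>
</gx:Track></Placemark></Document></kml>"""

def parse_track(kml_text):
    """Return [(time, lat, lon, alt)], pairing <when> and <gx:coord> in order."""
    fixes = []
    for track in ET.fromstring(kml_text).iter(GX + "Track"):
        for when, coord in zip(track.findall(KML + "when"), track.findall(GX + "coord")):
            # gx:coord is "longitude latitude altitude": swap for lat/lon use
            lon, lat, alt = (float(v) for v in coord.text.split())
            stamp = datetime.fromisoformat(when.text.strip().replace("Z", "+00:00"))
            fixes.append((stamp, lat, lon, alt))
    return sorted(fixes, key=lambda f: f[0])

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance on a sphere of radius 6371 km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2)
         * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def implausible_legs(fixes, max_kmh=1100.0):
    """Legs whose implied speed exceeds max_kmh (assumed airliner ceiling)."""
    flagged = []
    for (t0, la0, lo0, _), (t1, la1, lo1, _) in zip(fixes, fixes[1:]):
        secs = (t1 - t0).total_seconds()
        km = haversine_km(la0, lo0, la1, lo1)
        # Identical timestamps at the same spot are duplicates, not jumps
        kmh = km / secs * 3600 if secs > 0 else (math.inf if km else 0.0)
        if kmh > max_kmh:
            flagged.append({"from": t0, "to": t1, "km": km, "kmh": kmh})
    return flagged
```

A flagged leg marks a gap in recording rather than real movement, so the straight line a viewer draws across it is interpolation. For KML from an untrusted source, parse with a hardened XML library such as `defusedxml` instead of the standard-library parser.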

8. Next I searched for [ airline flight history by date ] to FlightStats

I also went back into Google Earth. Right clicked the Latitude User file and saw Show Elevation Profile. This shows the elevation and flight speed.

There was only one early morning flight from Durham to SFO - (UA) United Airlines 1295
(UA)United Airlines 1295 Flight Event Status  Requires a login.

The last part of the elevation profile has me stumped. The extreme speed that jon mentioned above. It almost appears like it is a skydiving or microgravity experience.

9. Getting back to the issue about the tracking across the USA. Thinking more about how a gps device works what happens is when a device is turned off and then turned on again in a different location it locks on to the last satellite it had found before being turned off. So it just drew a straight line to the last reported location. So the speed being referred to may just be how fast it picked up the east coast satellite.

Regarding issue with altitude I note that the setting for this kml file is “clamped to ground”. You’ll find this on gps devices and in Google Earth. There are several settings dealing with altitude but clamped to ground is most common. Not being that familiar with this aspect I will assume it is a constant distance that the signal maintains relative to the ground.
Checking for flight paths after the fact are difficult to find. I can find typical flight paths but with weather, traffic and other issues pilots have to deal with I don’t think we can recreate the actual flight path.

10. This shared page shows the flight information (Thanks Fred). I didn’t find an actual flight path and that may not be available. This explains the time difference I mentioned regarding departure and arrival.

1. Rosemary - impressive work by you, Fred, Ramón, jtU and crew - like Fred, I'm surprised the device wasn't in airplane mode, but DrD is a rebel & secret Air Marshall…
fwiw: this appears to be the flight path - a UA738/L didn't know about the 738 & it's variations or the 739 either so the Boeing knowledge is increased, even if I remain clueless about the file types and sleuthing…
like Ramón, I found myself in the Barents Sea, thinking Dan may have been strapped to one of these - could have accounted for some of the speed/altitude oddities…
then got sidetracked to this classic & John Tedesco - How to solve impossible problems: Daniel Russell’s awesome Google search techniques via John Tedesco - where I quickly & wrongly (in hindsight) came to the conclusion that Dan may have experienced an unfortunate incident after swimming in the jet stream with his GPS activated - this is where things got "squirrelly":
"I didn't know it, but I've waited my whole life for this headline"
weapon?
back story, thankfully Dan wasn't involved and no animal was harmed… other than the man
none the less; at that point, I was so overwrought that the thought of further file delving was - and is - still beyond me and my limited supply of Xanax…

11. With no deep investigating, just plain examination of the text, I am guessing it is the text file for a company vehicle that is monitored with a GPS.

12. I'm still trying to figure out the portion of the log near the end of the time period.

Did the person or you visit the Costanoa Lodge?

1. I'll give you hint: Yes. See more in my note today...

13. This comment has been removed by the author.

1. I see what you did there.

14. Retracting my previous suggestion of some extreme sport for the speed and going back to what Rosemary said about turning off the device and then turning it on. I am also still toward the end of the log not around Mountain View or North Carolina, but on the lines that appear in Google Earth around Pescadero, CA and Monterey, CA.

I know that with my iPhone, it bases location on a few different things such as GPS, cell towers and wifi access points. Thinking about this I searched [ map cell towers ] to http://opensignal.com/ and can see coverage in the area is sparse. This leads me to think that while at the Costanoa lodge the lines I see in Google Earth and the speed might be caused by the device trying to find a tower and then the phone triangularly determine a location.

I also see that the phone or device went for either a hike or a run while at the Costanoa Lodge.