Edit: I recently discussed how to use Carbon14 during a SANS webcast on website investigations. Since I wrote this post a few years ago, Python 2.7 has been deprecated. Carbon14 now works in Python 3, but only with Python 3.8 and lower, so you’ll need an environment with Python 3.8 installed to run it correctly. If you get an error about being unable to import pytz, this is the most likely cause.
Carbon14 is a really useful Python tool for website investigations and verification. It allows investigators to work out when a webpage was created, and whether it has potentially been altered since it was first published. Carbon14 checks the data attached to the images embedded in a webpage to tell when they were uploaded and published. This helps to establish the likely time period when a webpage was first created, which might help to establish how often a website has been tweaked or altered since. This is especially useful for OSINT investigators who need to do a lot of verification work.
Carbon14 examines the Last-Modified HTTP response header that the server returns for each image, which reflects when the image was published. This means it is possible to determine when webpage content was first created. Note that it detects the date of the image publication, not when the original photo was actually taken. It does not rely on EXIF data.
Carbon14 runs on Windows, Mac, and Linux. It needs Python 3.8 to run, so follow this guide to install Python 3.8 for Windows if you don’t have it installed already. This will show you how to install Python 3.8 on Ubuntu.
Download or clone the Carbon14 repository from GitHub in the terminal:
$ git clone https://github.com/Lazza/Carbon14
You can follow this guide here if you’re not comfortable with using the terminal to clone from GitHub. You can download the repository as a ZIP file and extract it manually.
Once downloaded, change to the newly-created Carbon14 directory:
$ cd Carbon14
Then install the additional software requirements. You may need to be root to install some of the software add-ons, in which case prefix the command below with sudo (Mac and Linux):
$ python3.8 -m pip install -r requirements.txt
Once the dependencies are installed, you can run Carbon14 with the following command to bring up the (very small) help menu.
$ python3.8 carbon14.py -h
To check the age of a webpage use the following format:
$ python3.8 carbon14.py https://examplewebsite.com
There is the option to add your name to the title of the short report that Carbon14 generates using the -a flag as follows:
$ python3.8 carbon14.py -a NixIntel https://examplewebsite.com
An Example – Detecting An Editorial Change
As an example I decided to use this recent blog post I wrote to see what Carbon14 brought back. The publication date says 5th October 2019, but I know that I published a few drafts and edited a lot of the photos on this post before publishing a final version. Can Carbon14 detect these changes and find when I might have made them?
Here’s what the command to query the blog post looks like:
$ python3.8 carbon14.py https://nixintel.info/osint/digital-shadows-seeking-sector035-quiztime-26th-september-2019/
And here are the results. Carbon14 captures the URLs for all the images that I inserted into this post and the time and date that I originally uploaded the content. Can you spot my editorial change by looking at the publication dates for the images?
From these findings you can work out that I was writing the article between roughly 19:34 and 21:32 London time on 5th October 2019. The fact that Carbon14 presents the results in chronological order means that you can also work out when I made an editorial change and added a new picture:
Although the publication date for the blog still says 5th October, Carbon14 shows that I made a change and added a further image on 6th October 2019 at 09:51. It would not be obvious from looking at the webpage directly that this is the case, but the change I made is betrayed by the timestamps from when the images were published. This technique works on webpages of all kinds, so it’s easy to see how you could use it to determine when the author has added or replaced images, as well as when the article was most likely originally created. These kinds of changes are also not usually detected by archiving websites, so it’s a useful way to get a finer level of detail about any changes made to a website over time.
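The check described above, examining each image's Last-Modified header and reading the results in chronological order, can be sketched as follows. This is an added example, not Carbon14's own code: the page markup, header values, and the six-hour gap threshold are constructed assumptions, and times are kept in UTC.

```python
from datetime import timedelta
from email.utils import parsedate_to_datetime
from html.parser import HTMLParser

# Constructed sample page and response headers (not real Carbon14 output).
PAGE = """<article>
<img src="/img/a.png"><img src="/img/b.png">
<img src="/img/c.png"><img src="/img/no-header.png">
</article>"""
LAST_MODIFIED = {  # image URL -> Last-Modified value as a server would send it
    "/img/a.png": "Sat, 05 Oct 2019 18:34:10 GMT",
    "/img/b.png": "Sat, 05 Oct 2019 20:32:45 GMT",
    "/img/c.png": "Sun, 06 Oct 2019 08:51:02 GMT",
    "/img/no-header.png": None,  # some servers and CDNs omit the header
}

class ImgCollector(HTMLParser):
    """Collect the src attribute of every <img> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "img" and src:
            self.sources.append(src)

def image_timeline(html, headers):
    """Return [(datetime, url)] oldest first, skipping missing or unparsable headers."""
    parser = ImgCollector()
    parser.feed(html)
    timeline = []
    for src in parser.sources:
        raw = headers.get(src)
        if not raw:
            continue
        try:
            timeline.append((parsedate_to_datetime(raw), src))
        except (TypeError, ValueError):  # malformed HTTP-date
            continue
    return sorted(timeline)

def later_additions(timeline, gap=timedelta(hours=6)):
    """URLs published more than `gap` after the previous image (hypothetical heuristic)."""
    pairs = zip(timeline, timeline[1:])
    return [url for (prev, _), (ts, url) in pairs if ts - prev > gap]

if __name__ == "__main__":
    tl = image_timeline(PAGE, LAST_MODIFIED)
    for ts, url in tl:
        print(ts.isoformat(), url)
    print("possible later edits:", later_additions(tl))
```

Images served without a Last-Modified header simply drop out of the timeline, so an empty or short result does not mean the page has no images.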
Carbon14 And Twitter
Could Carbon14 be of any use for Twitter? Twitter does not allow posts to be edited after they are published, so Carbon14 cannot show when any changes were made. However, because of the way it queries webpages, it does bring back some image information that would be useful. As I was writing this blog, I noticed that there was a new Quiztime post by Marko Bereth, so I decided to experiment with it.
The URL for his original Tweeted photograph was as follows: https://twitter.com/mahrko/status/1185220029224280065/photo/1
So to query it with Carbon14, I entered the following:
$ python3.8 carbon14.py https://twitter.com/mahrko/status/1185220029224280065/photo/1
It brought back several interesting results:
Not only does it bring back the URL of the image in the Tweet, it shows the URL for the enhanced higher resolution version of the image as well (indicated by the :large suffix).
It also brings back three URLs of Marco’s profile picture in sizes up to 400×400 pixels. We can also see that Marco published his latest profile picture at 14:12:33 UTC on 22/9/2019. It is easy to see how aging Twitter profile pictures in this way can give an idea of whether an account might be active or not and whether the profile image has changed since the account creation date.
I also noticed that Carbon14 can automatically retrieve higher resolution photos from Instagram, as well as show exactly when an image was posted. For example, here’s a recent post from Brazilian football legend Ronaldo:
Checking the post URL with Carbon14 brings back just a single result:
This tells us the exact time that the image was posted to Instagram (16:24:39 UTC on 13/10/19) rather than just the “5 days ago” that Instagram reports in the web interface. The URL also gives a higher-res version of the image than the one that is presented in the browser (technically it is the same image, just presented differently). You can do this by digging out the full image URL via the developer console, but Carbon14 is a much tidier way to do it.
Happy Carbon dating!