Approaches to Information Gathering in Physical Penetration Testing - Part I: Gathering Information via Photography

March 17, 2014 by Ivan Dimov

1. Introduction

The first phase of an attack, and of a security assessment, is to gather as much data on the target as possible. It is considered one of the most critical steps when carrying out an attack. But while most articles discuss information gathering through means such as Internet queries, social engineering, dumpster diving, domain name searches and non-intrusive network scanning, the first part of this article discusses information gathering through photography for physical penetration purposes. You can think of yourself as acquiring or trying out a new hobby – street photography.

Below, we discuss the parts of the target that you will most likely be interested in, cover some basics of choosing a camera for collecting the intelligence, give some tips on blending into the environment, and lay out the basics of remaining "invisible" when taking the photos (mostly camera settings that you must configure), along with what you will need to take discreet photos in an unlit place at night.

2. Points of interest in gathering photographic intelligence

There are numerous points which would be of interest when preparing for a physical penetration. The graph below illustrates the most crucial ones.

Key Points to Photograph for Safe Physical Penetration

  1. The building(s) that you have targeted – You should shoot as many pictures as possible from all possible angles to get the details of the entire building.
  2. Entry/Exit Points – You must be certain that you are aware of all possible entry and exit points and all security mechanisms in place to protect each of them. For example, in certain situations a fire exit can be utilized as an entry point.
  3. Dumpsters – They will be discussed in a subsequent part of this article, but it suffices here to say that dumpsters are particularly useful for collecting preliminary information so you get to know the place you will be penetrating.
  4. Perimeter Security – The key points to look out for here are the type of physical security in place and whether it changes during the different hours of the day. You can photograph the different locks and all other sorts of physical barriers so you can later produce a strategy to overcome them.
  5. Security Staff – The key questions to answer here are: how many of them are on the scene? Are they stationary or on the move? Is it possible for you to capture their pattern of movement – where they go, at what time? Can you make good photos of their uniforms and utilize them to your advantage? Are the security staff dedicated or outsourced – if the latter, which firm is responsible for the security?
  6. Target's Access Controls – Do they resort to pin codes, proximity badges, swipe cards or bar codes to allow entrance? Take pictures of the card readers so you can analyze them when at a safe place. Targets that force visitors to be escorted by security are generally less secure because usually the staff gets tired of this and may allow visitors in and out of secure areas.
  7. Passes and Badges – Here you must take discreet pictures of the relevant passes or badges. Usually the staff that comes in the building will wear them around their neck, on outer suit pockets or on a belt clip. They are generally located on open display, so you should be able to capture them in an image. If you manage to make the photo without getting caught – this will give you the opportunity to Photoshop one at home and get easy access to the target.
3. Remaining inconspicuous when collecting photographic information

    It is essential to be able to take pictures of people without being noticed. If you are familiar with street photography then you probably know what this is about and know that people behave quite differently when they know they are being photographed than when they are unaware.

    Most of the skills acquired in street photography transfer easily to discreet photography, as both require the ability to remain unnoticed and unseen while making close and personal images. Being unseen is crucial, as you would have to, for example, take a high quality picture of an entry pass.

    Firstly, you would need to set up your camera appropriately:

    1. File Format

    Choose RAW, DNG or TIFF modes in that order of preference, where RAW is the most preferred mode. These three modes offer superior quality, which allows you to do better post-processing of the images. Whenever possible – always choose one of these unprocessed image formats.

    Using a proprietary RAW mode will prevent any loss of data, meaning that what the camera sees would be exactly represented in the content of the file and maximum color bit depth would be used. RAW modes are the most amenable to editing in photo editing programs – camera settings such as white balance and color saturation can be modified after the exposure.

    When you use RAW mode, it is quite likely that you will be unable to read the file in a couple of years, because the format is not standardized. The file format is actually the raw data that the apparatus receives from the chip responsible for capturing the image. The volatility of this file format would most likely not be an issue, because the information captured by the image would be obsolete after such a period.

    DNG is an open standard "RAW" format designed by Adobe. The RAW file is incorporated into the DNG file, which means that the "original negative" does not get lost. Because it is developed by Adobe, it is supported across their range of digital image editing software, such as their famous Adobe Photoshop.

    TIFF, or Tagged Image File Format, is also useful as no image data gets lost, no matter the compression. It offers better quality than JPEG fine quality and is supported in almost all photo editing software. It is lenient towards badly exposed images and uses the maximum color bit depth of the device.

    2. Flash

    If you want to get noticed and seen, be sure that you have turned your flash on! Otherwise, there are few situations where you would want to blast someone in the face with a flash and remain inconspicuous.

    3. Auto Focus

    Use auto focus if it does not take too much time for the device to focus. If the auto focus appears slow, resort to manual mode, but be sure to configure a hyperfocal distance that suits the device and the objects to be photographed.

    4. Focus Assistance

    This is the beam which is projected by the apparatus onto the subject with the purpose of aiding the auto focus to measure the distance and the contrast between the two. The beam can be a red, blue, green or an invisible infrared light, and the device's flash can also be used. All of these except the invisible infrared light are perfectly visible and pinpoint your location with accuracy, so be wary when using focus assistance.

    5. Use of Sounds

    All kinds of beeps and clicks are unwelcome. Compact cameras can be configured to be 100% silent, which is clearly a big advantage in discreet photography over SLRs (Single Lens Reflex cameras), which emit a characteristic mirror slap. The particular slap/operating noise of an SLR is heavily dependent on the original purchase price, as pro models would be less noisy than amateur ones, and on the age and condition of the apparatus.

    6. ISO Assist

    Given the fact you would not have enough time to compose your shot the way you want it, nor would you have the opportunity to use a tripod for the camera, automatic ISO assist would be helpful to maintain the shot in focus. Such an ISO assist can bring noise to the shots, but in most cases it would not be so much as to ruin your goals. ISO, in this context, means sensitivity to light. Lower ISO speed products (lower sensitivity) need a prolonged exposure and are, therefore, called slow films. On the other hand, higher sensitivity means that you can shoot the exact same object with a shorter exposure. In general, higher ISO is used to shoot night scenes or objects that are not still, while lower ISO is used for exhaustive portraits. Thus, Automatic ISO Assist would automatically set the ISO (which affects the exposure speed) upwards, reducing the exposure time.

    Save these six settings in a custom slot and you will be ready to photograph your points of interest in a single click.

    4. Taking pictures at night

    It is quite a challenge to take discreet photos at night. Costly SLRs that are able to shoot at exceptionally high ISOs may render useless images if there is no flash and the light is scarce. Nonetheless, this does not mean that it is impossible – photos can be taken in utter darkness with a 35mm camera that has an infrared film and an infrared flash available. The good thing about infrared flashes is that they are absolutely invisible to the human eye, even in complete darkness and when the subject is less than a meter away.

    The film's price varies from as low as $9 to more than $100 per roll and the processing is costly as well, but if you want to do discreet night time shots – you don't have much of an alternative. Although you may create an infrared lens filter for a variety of compact digital cameras which do not filter infrared to boost the makings of the photo, this method is not suitable for our purposes, as the exposure time involved for proper shots is unreasonably long.

    5. Choice of camera


    For street photography, and discreet photography as well, rangefinder cameras have been admired for a long time. A rangefinder is a camera equipped with a focusing mechanism that enables the photographer to measure the distance of the subject and take shots in sharp focus. Rangefinders are able to take shots without a battery, they are time-efficient in terms of operation, silent when it comes to shutter sound, and last but not least, they are relatively tiny and inconspicuous. The most famous models of rangefinder are the Leica, the Leica M9 in particular.

    However, for a physical penetration tester rather than a photographer, a rangefinder would prove difficult to use, as rangefinders are fully manual and the tester would have to continually adjust the camera for the frequent changes in lighting that occur, etc.


    Some people might prefer DSLRs for their high image quality, affordable price, fast shutter speed and their interchangeable lens, but the downsides of using one are pretty obvious: they are big in size and appear intimidating to the target. Furthermore, they produce a loud clicking sound when you take a photo, due to the presence of a mirror inside the camera, and this makes your intentions and deeds quite conspicuous.

    Point and Shoots

    High-end point and shoots are available nowadays which have relatively large image sensors, so you can produce images of good quality and they still appear clear at high ISOs. They are tiny in size, really silent and quite inconspicuous. The disadvantage of using one is that many of them have shutter-lag which makes taking pictures of moving targets without them becoming blurred a bit difficult.


    It is best to use a discreet camera (a covert camera) which you can get from the various spy shops on the Internet and in the real world. To be useful, it would have to be absolutely portable with a decent battery life and offer a high quality video feed. Cameras with these characteristics are present but not for the 200 bucks that most spy shops require. Such cameras usually have bad image quality and they are high in noise, which fits a static surveillance of a particular room, but would not work in an environment of fast-paced alterations in which you will find yourself when pursuing a target in public. However, technology is changing as of the moment that I write this, and most likely in the near future prices for what we consider now a high quality covert camera will keep falling.

    6. How to blend in

    There are many books about covert photography, but a few points of advice will suffice for our purposes. Most modern compact cameras are very tiny and in reality everybody owns one. If you really look at the surroundings the next time you are on the street, you will notice how many people have cameras around their necks or in their hands and see that they are taking photographs. Most people that take shots are tourists and people pass them by without giving them a second glance. This is a thing that you can take advantage of when photographing targets on the street.

    You have to act nonchalant and look like you belong where you are. This will make others not take a second glance at you, just like you don't take a second glance at tourists.

    When you are preparing to photograph from a close range, keep your hand over the shutter release continuously so it would appear as if you are holding it to avoid swinging.

    When photographing the target, it is better to appear absorbed in another object, simulating interest in an object located in another direction, examining the architecture of a building, a sign, a guide book, enjoying a view, etc. Anything that diminishes possible attention as to what you are really doing would work.

    In case somebody approaches you and questions you, be prepared and produce an answer that is natural and as trustworthy as possible. Whether you deny all allegations, assert that you are a renowned street photographer, or claim that you are just taking random photos, it is up to you – one general piece of advice will suffice here – your answer should indicate that you are not doing anything illegal.

    Finally, do not be overly worried about the image quality. It is not necessary for the images to be of high quality as you are not taking them to participate in a competition. They just have to be good enough for you to extract the needed information.

    7. Conclusion

    In this article we have discussed some approaches to efficient gathering of photographic intelligence, but nothing stops you from being innovative. There is a myth regarding Henri Cartier-Bresson which states that he would wrap his apparatus in a handkerchief and take pictures while simulating a sneeze. Although the veracity of that statement cannot be proven, your imagination is probably good enough to make up your own methods of remaining inconspicuous and figure out the camera settings and even the camera model that suit your personal needs.

    You can even rely not on being inconspicuous but on the exact opposite – being obtrusive but having a good pretext for taking the photos. There is no such thing as the "best camera for discreet photography" – the answer depends entirely on the reader's preferences, needs and environment. Similarly, there is no perfect strategy for blending in – just advice that has been tested by experience and time and proves to be working. What we hope to have achieved with this article is to get you to a better starting position for future endeavors of this kind.


    Ivan Dimov

    Ivan is a student of IT and Information Security. He is currently working toward a Master's degree in the field of Informatics in Sweden. He is also a freelance web developer engaged in both front-end and back-end coding and a tech writer. Whenever he is not in front of an Internet-enabled device, he is probably reading a print book or traveling.