How could you use open source information to trace a fugitive or a missing person? For this post I thought it would be an interesting exercise to see what information it would be possible to gather from Sector035’s recent Quiztime challenge. On the surface it was quite a straightforward photo geolocation question, but there is always more to learn from challenges like this. Finding the location was easy enough – but real life open source investigations are usually a lot broader in scope. There are always more questions to be asked: who took the photo? When did they take it? Why did they take it? What was the reason they were at the location? Who were they with? How did they get there? How many other people were present? And so on. In this post I will show a few examples as to how it is possible to start with just a single piece of open source information and then develop it in order to end up with a much wider understanding of your subject.
(Sector035 read this post before I published it and he’s happy for me to post it!)
Here’s the photo that Sector035 asked us to geolocate:
Geolocating this was quite straightforward. A simple reverse image search with Yandex was sufficient to find a match:
Working with these results it was possible to work out quite quickly that the location was Gitschiner Strasse in Berlin. Finding Sector035 was quite easy on this occasion but I thought it would be good practice to see what other information we could learn about his visit to Berlin.
In OSINT there is the concept of a digital footprint, which is all the information that a subject has made available about themselves on the internet. It is relatively easy for a privacy-conscious person to control their footprint, and sometimes it is really hard to find out information about someone from their footprint alone. Alongside the idea of the digital footprint is the idea of a digital shadow – this information that other people have uploaded about the subject. It is much harder to control and can yield a lot of additional useful information. In the rest of this post I’ll show how Sector035’s digital shadow made a good starting point to find out more about his trip to Berlin and how it would have been possible to geolocate the photo even without a nice helpful reverse image match.
When and Where?
Is it possible to find out when Sector035 took the photo? We know he posted the Quiztime challenge on 26th September, so it must be before then. Perhaps Sector035’s own Twitter feed will give us a clue:
On Monday 23rd September Sector035 told us that he’d been away having fun at the weekend:
Going back to his tweet prior to this there is a very big clue as to where he might have been:
Sector035 was in Berlin on Sunday 22nd September. Not only do we know the city, but the tweet above from @disruptberlin also tells us exactly where – Tempelhof Airfield. Although this tweet was in Sector035’s own timeline, it is an example of his digital shadow – this is information that a third party uploaded about Sector035. They’ve also given us a hashtag – #DNL17. Can we pivot from here and use these sources to learn more about Sector035’s weekend?
It turns out we can. Now I moved away from Sector035’s timeline and decide to have a look at the timeline of the account that tagged him, @disruptberlin. On 23rd September they retweeted this piece of information from @GVA_Watcher:
This confirms the date – the tweet was posted on 23rd September and refers to “yesterday” i.e. the 22nd of September. So now it is possible to be certain about the date Sector035 was in Berlin, and also exactly where he was, and I mean exactly where he was:
The photo above is taken on one of the two runways at the now-disused Tempelhof Airport. They both run roughly West-East, so the fact all the participants’ shadows are (almost) at a right angle to the centre line means that the sun is in the south (it is the northern hemisphere after all…) and that the photographer is facing east. Because we know the date (22nd Sept) we can use the sun’s shadow to calculate the time with Suncalc:
So the photo must have been taken at approximately 12:42 UTC+2 on 22nd September 2019. There are several X-marks on the runway, but the white building and small red and white bollards to the left of the picture put the location here:
So from Sector035’s digital shadow it is possible to work out in just a few minutes exactly where and when he was in Berlin. This helps with the next question – why was he there?
We already knew where Sector035 was, as well as when. This information also tells us why – he was there to give a talk on how to use ADSB to track aeroplanes in the skies over Berlin together with @emmanuelfreuden! Awesome! The meeting point link confirms that I was right about the workshop location on Tempelhof runway – but this new piece of information helps shed some light on the original photo that Sector035 posted at the start. The workshop may have started at Tempelhof, but it finished at Supermarkt Berlin, Mehringplatz 9:
Now supposing that it had not been possible to do a reverse image search to find the location of the original photo that Sector035 posted – simply digging through a few tweets as I have done above would have put you pretty close to the location. Mehringplatz is only 500m away from the photo location, and following the elevated U-Bahn tracks along Gitschiner Strasse would have quickly led you to where the photo was taken from – no reverse image search required:
So by working from the original photo we can know not only exactly where Sector035 was, but also exactly when, as well as why. Can this help us find out anything more about the the photo that started all this? Yes it can. The Disruption Labs site tells us that the workshop ended at Mehringplatz 9 at 1800, so Sector035 must have been in the area at that time. A little bit more shadow work can help identify an even more exact time when it was taken:
The shadows are faint but you can just about make them out on the lamposts. Like the Tempelhof runway, Gitschiner Strasse runs roughly West-East. We can see in the picture that the sun is beginning to set in the west, but Suncalc can help us be a little more precise:
The shadows in the original photo suggest that Sector035 took the original image at about 18:50 UTC +2. So he probably took it just after he finished the workshop at 18:00.
I am speculating slightly here though – who is to say that he didn’t arrive early and that this photo was taken the evening before at the same time? It is always important to stay open-minded and not draw more conclusions than the evidence supports.
I was slightly hesitant to write this section – this blog is only a bit of fun and I’m sure that all the people that went to Sector035’s workshop don’t want me prying through their digital details, so I didn’t. I decided that to finish the article I would only look at people who had already openly identified themselves as having been at the event on their own public social media and I wouldn’t dig any deeper than that.
The point of this post is to show how it is possible to pivot from a single piece of open source information to learn a whole lot more about the context in which it originated. Sector035 is not a dangerous criminal or a money laundering dictator (as far as I know…), but the same methods I’ve outlined here can be expanded and used to develop leads for real open source cases.
I’ve already shown how working from Sector035’s original tweeted photo can yield more information about the context in which it was taken – the where, when, and why – but this last part will look at who was there with him. Since we already know the date and the place, we can look at the hashtag #DNL17 and also see Tweets that Sector035 was tagged in during the relevant time period by using Twitter’s advanced search function.
Here’s the first confirmed association:
I also wanted to point out that Sector035’s opsec is so good he even concealed his face in the reflection on Laurie’s sunglasses:
Of course @emmanuelfreuden was there too, because he was teaching the workshop together with Sector035:
@LiekePloeger was there too:
It looks like everyone had a good time! The website tells us that only 20 people could attend, and we can identify a quarter of them quickly just through looking at tweets that refer to Sector035’s workshop directly.
So from a single image it is possible to learn an awful lot about the context in which it was taken. If you aren’t successful with a reverse image search, look at who took it. Start to ask why, when, and who, as well as where. If your subject has a small digital footprint, look at their digital shadow. Sometimes the clues to locate an image are not visible in the image itself!
For more of my Quiztime related blog posts, click here.