Quiztime 16th July – Start Big, Get Small – How To Be An OSINT Sherlock
17th July 2019
“Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth.”
I’m not usually a big fan of Sherlock Holmes. Like many other fictional detectives, I don’t think he’s a particularly effective investigator. Holmes, Columbo, Morse, and countless others usually rely on evidence that is highly circumstantial and even then they usually need the villain to incriminate himself by making a full confession anyway.
That aside, Sherlock makes a good point about eliminating the impossible that can easily be applied to OSINT investigations. Even small-scale OSINT enquiries can generate a lot of information that has to be carefully sifted and eliminated to arrive at the correct answer. By choosing the right parameters and applying them to the data, it is possible to use logic to eliminate the incorrect answers and arrive at the truth.
A really good recent example is this notorious Quiztime challenge (pictured above) that Sector035 managed to solve yesterday. The task was to identify which school the two girls in the picture attended. The car registrations showed that the location was in Brazil, but trying to find a single school in Brazil is nearly impossible since there are thousands. However, by using just two parameters to filter the data, Sector035 was able to reduce the number of possible locations to a much smaller number and eventually he found the right answer.
By assuming that the location was probably in Recife (based on @y_vdw’s posting history) and that it was on a four-lane highway, it was possible to find the right location by searching all the four-lane highways in Recife for a visual match. This was still a relatively time-consuming exercise, but by starting from the whole of Brazil and eliminating all locations that were not Recife, and all roads that were not four-lane highways, it was possible to find the exact spot. Start big, get small, and find the right location.
Where Was Lars Wienand?
1) Can you name the four cruise ships I saw on the day I took the photos?
2) One cruise ship can be seen there for several months. Why?
Most of the quiz could actually be solved with just the first photo. A cruise ship is visible in the background, but the train provides the most useful information to begin working with:
1) The DB (Deutsches Bundesbahn) logo shows this is in Germany.
2) The train is at a station next to a location where cruise ships dock.
Germany only has a small coastline relative to its size, but there are still a lot of possible locations where large ships dock, and almost all of them have railway stations. Looking at a map the possible locations were: Emden, Norden, Wilhelmshaven, Bremerhaven, Bremen, Cuxhaven, Flensburg, Hamburg, Kiel, Luebeck, Wismar, Rostock, and Stralsund. There were also a few other ports that I might have missed. In theory it would have been possible to just look at Google Earth to see if any of the port locations resemble the one in the photograph, but this would be quite a slow and ineffective method, not to mention quite a boring way to spend an evening. The pool of potential locations was quite big, so how could I do some Sherlock Holmes-style elimination to find the correct location?
The answer was to revisit the photograph and extract a little more information to set some new parameters. I couldn’t read the destination on the front of the train (as if Lars would make it that easy…) so instead I searched for the train’s serial number 442338 to find out more about it. Searching with Google for “zug + 442338” (zug = train) brought up this snippet of information:
This tells us that train number 443 338 was introduced to run services between Rostock and Gustow. Now I knew if this was correct, it would mean that I could eliminate all the other locations immediately. To check I looked at Rostock with Google Earth:
This is a match for the location in the photograph. The train platforms are at the correct angle in relation to the water so that the ships would appear as they do in Lars’ photos, and a check with Google Maps showed that the large building next to the water is a cruise ship terminal. So just applying a single parameter (the train number) to the data meant that all the incorrect locations could be eliminated, and the big pool of possible answers was narrowed down to just one. The correct location is Rostock-Warnemunde station.
Which Ships Were At Rostock?
So now to answer the rest of Lars’ questions. There were a few ways this could have been solved. One method could have been to try and identify the ships in the photographs and then follow their movements. For example the ship in the second photo clearly belongs to the Aida cruise company. In theory I could have looked at their fleet of ships and then worked out the identity of the vessel in the picture by looking at funnel positions and counting windows, and then looking at when the boat was last in Rostock. In some cases this would be an appropriate technique but it would also be time-consuming and there was a quicker way to do this in the circumstances.
There’s also the small matter of when the photo was taken. Lars does not specify the date, but it is necessary to solve the quiz. After all, how can we know which ships Lars saw if we do not even know when he was there? Sherlock Holmes can help again here. In theory there were an unlimited number of days on which Lars could have gone to Rostock, but by applying a few parameters it was possible to eliminate all the incorrect dates and find the correct one. Start big, get small.
The Port of Rostock publishes a list of all the past and future arrival dates of cruise ships here. Lars told us that he saw four cruise ships on the day he visited. This meant all the incorrect dates could be eliminated by discounting all dates when fewer than four cruise ships were present. Working through the list, it was clear that Friday 12th July is the only date so far this year when four or more cruise ships came to Rostock, so it must be the correct date (assuming that Lars visited this year). Here are the ships that were present on that date:
This also means it was possible to be certain about the ships that were present. So the answer to question 1 was that the ships Lars could have seen were AidAmar, Costa Favolosa, Marina, Regal Princess, and Viking Sea. Logically it is not possible that Lars could have visited on any other day and seen the same number of cruise ships.
A search of all the ship names in Google News also brought up this article from the local press, which confirmed the visit of five ships, the names of the ships, and the fact that this is an unusual occurrence for Rostock. There’s even a YouTube video here.
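The date elimination described above, as an added example that is not part of the original post: the schedule is a constructed sample (only the five 12 July ship names come from the article), and `ships_by_day`, `candidate_dates` and the cut-off of 16 July 2019 (the quiz date in the title) are assumptions made for illustration. It counts every day a ship is in port rather than only arrival days, so overnight stays are not missed.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample of a port-call list: (ship, arrival day, departure day).
# Only the 12 July ship names come from the article; every other row,
# and all lengths of stay, are made-up placeholders.
PORT_CALLS = [
    ("Placeholder A", date(2019, 5, 20), date(2019, 5, 20)),
    ("Placeholder B", date(2019, 6, 8), date(2019, 6, 9)),  # overnight stay
    ("Placeholder C", date(2019, 6, 9), date(2019, 6, 9)),
    ("Placeholder D", date(2019, 6, 9), date(2019, 6, 9)),
    ("AidAmar", date(2019, 7, 12), date(2019, 7, 12)),
    ("Costa Favolosa", date(2019, 7, 12), date(2019, 7, 12)),
    ("Marina", date(2019, 7, 12), date(2019, 7, 12)),
    ("Regal Princess", date(2019, 7, 12), date(2019, 7, 12)),
    ("Viking Sea", date(2019, 7, 12), date(2019, 7, 12)),
    # Future calls: a published list also covers dates after the quiz.
    ("Placeholder A", date(2019, 8, 2), date(2019, 8, 2)),
    ("Placeholder B", date(2019, 8, 2), date(2019, 8, 2)),
    ("Placeholder C", date(2019, 8, 2), date(2019, 8, 2)),
    ("Placeholder D", date(2019, 8, 2), date(2019, 8, 2)),
]

def ships_by_day(calls):
    """Map each calendar day to the set of ships in port on that day."""
    present = defaultdict(set)
    for ship, arrive, depart in calls:
        if depart < arrive:
            raise ValueError(f"{ship}: departure before arrival")
        day = arrive
        while day <= depart:  # arrival and departure days both count
            present[day].add(ship)
            day += timedelta(days=1)
    return present

def candidate_dates(calls, min_ships, not_after=None):
    """Days with at least min_ships in port, optionally up to a cut-off."""
    return sorted(
        day for day, ships in ships_by_day(calls).items()
        if len(ships) >= min_ships and (not_after is None or day <= not_after)
    )

if __name__ == "__main__":
    for day in candidate_dates(PORT_CALLS, 4, not_after=date(2019, 7, 16)):
        print(day, sorted(ships_by_day(PORT_CALLS)[day]))
```
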
Which Ship Hasn’t Moved For Months?
The second part of the quiz was a little more tricky, but was solvable with a bit of effort. Firstly I decided to make use of VesselFinder to see if there were still any cruise ships there:
There weren’t any, which meant that any cruise ships that had been there for months had either left since Lars was there on Friday, or they were not transmitting their location. If the ship had left, then surely it would have shown up on the Port of Rostock website? The more important question to ask was – why would a cruise ship be in a port for months and not go anywhere? Cruise ships are expensive assets and need to be working to make money. The only reasons I could think of that a cruise ship wouldn’t move for months would be because a) it is in need of repair, b) it is being scrapped, or c) it hasn’t been completed yet.
Googling for ship repair at Rostock brought up the company website of MV Werften, who have a large shipbuilding facility in the port. Their website shows that they are currently building a new cruise ship called “Global One”. Work started there in 2018 and the ship will not leave until 2020 – which explains how a cruise ship can be at Rostock for so long without moving!