Today’s Quiztime was run by Fiete Stegers once again. It posed a very different kind of OSINT challenge because it involved gathering information in live-time from very volatile sources. On one hand this meant it was possible to get a lot of data very quickly and find Fiete in a very short time, but on the other hand the reliance of this challenge on short-lived data means that attempting it in 48 hours, or a week’s time would require a very different method to be successful. This was also the first chance I’ve had to use OSINTCombine’s new SocialGeo Search Tool, but more on that later.
Deadboxing or Volatile Data?
In digital forensics there is a distinction between “deadbox” data that is static and volatile data that is just as vital but only exists for a few minutes or seconds before it is gone forever. The photos on your hard drive will probably be forensically recoverable for years to come, but the password, bitcoin wallet key, DNS queries, or TOR browser data in your computer’s RAM will last only a short while, and they will be gone forever when you turn the computer off.
The same concept exists in OSINT. Most of the time we do “deadbox” research using data sources that are stable and relatively long-lasting, but the concept of volatile data also exists in OSINT. Some data is live and if you don’t capture it quickly then recovering it afterwards is very difficult, or perhaps even impossible.
My solution for this challenge made use of this kind of live geolocation data from Twitter as well as the OSINT nemesis Snapchat to locate Fiete.
Today Fiete asked two questions. Firstly, where exactly is the group in the photo, and secondly how many people were there? Here’s the photo:
So before firing up the tools I mentally planned out a quick method. Firstly just pause and look at the photo. What is it showing? Anything that helps with the location? This is obviously a demonstration. The banner pictures and slogans also indicate that it’s about climate change. Most importantly the signs are in German, so we already know Fiete is at a climate demonstration in Germany. The photo also tells us that there are a lot of people there. Not only that but they are all mostly under the age of 30. A large group of under 30s taking part in a demonstration are going to leave a huge digital footprint all over the internet. With the right technique we would find their footprint and then by extension find Fiete.
My strategy was to find an ongoing climate protest in Germany, and then find out where exactly the picture was taken. There aren’t actually many details in the picture that would identify the location at the outset, but the brown and white building on the right, the line of trees, and the distant church spire would be useful for verification once we found the approximate place. Two weeks ago I made the error of assuming that Fiete’s challenge must be linked to Hamburg because he lives there, but I was not going to repeat that mistake. If he was in Hamburg, I was determined to show this objectively and not just assume.
Twitter is still the best platform for getting live information about unfolding events, and so it proved once again here. A quick glance at my sidebar already showed two trending hashtags of interest: #ClimateStrike and#Fridays4Future. They were linked to climate demonstrations that were taking place on Friday morning, but there was only one problem: there were thousands of demonstrations taking place all over the world at the same time. How to find the one were Fiete was? Time to use OneMillionTweetMap.
OneMillionTweetMap is absolutely essential for gathering any kind of information about an ongoing event. Once you load the page, OneMillionTweetMap will begin to display the geolocation of every single Tweet it detects until it reaches the total of one million displayed Tweets. It also allows filtering by hashtags or keyword for fine-tuning results.
It is really important to note that OneMillionTweetMap is an example of a volatile data source. You can’t go backwards and look at the past, and the results will look completely different if you look for the same information at a different time. If you go and make a cup of coffee before you start it up, you might miss something that you’ll never recover. It is a live OSINT tool and needs to be used to capture information as it is generated.
So having established we were in Germany, I loaded OneMillionTweetMap and narrowed the search parameters to the two hashtags #ClimateStrike and #Fridays4Future. This is what Germany looked like after about 30 seconds:
The Twitter logo shows a single tweet, but the purple circles show a cluster of multiple Tweets. The place with the most relevant Tweets was…Hamburg! We can zoom in for a closer look and find out even more:
There was definitely some kind of climate demonstration going on in Hamburg so I needed to capture as much information as I could to find Fiete. My method for this was simple but effective using just a few browser tabs that would be left running to hoover up the information was it was generated.
Tab 1: OneMillionTweetMap looking for Tweets relating to #ClimateStrike and #Fridays4Future
Tab 2: Twitter feed customised to search for #climatestrike + Hamburg, sorted by latest
Tab 3: Twitter feed customised to search for #fridays4future + Hamburg, sorted by latest.
I knew if I just left these tabs running for a few minutes the thousands of protestors and associated media coverage would generate lots of tweets, videos, and pictures that I will be able to use to find Fiete’s location more quickly.
But first time to pause and think again. There are thousands of people at an organised demonstration. How do they organise events like this? What platform do they use? It’s impossible to organise such large-scale events via WhatsApp, Snapchat, or other closed messaging platforms.The only obvious place to organise something on this scale is Facebook, so I had a quick search on Facebook for climate protests in Hamburg. This was what I found:
Result! The protest was happening as I was searching, so I knew it would be the same one that was all over my OneMillionTweetMap view of Hamburg. This also told me that the exact start location was the U-Bahn station in St Pauli – just where I had seen the Tweet cluster before. I was confident I was getting close to Fiete.
Just before opening Google Maps to hone in on St Pauli, I checked how my other Twitter searches were going. In the last few minutes, this Tweet had appeared in my #Fridays4Future + Hamburg search list:
It told me that the protestors were now at the Lombardsbrücke. I don’t know Hamburg, but that doesn’t matter. In just a few minutes it had been possible to establish the exact start point at St Pauli U-Bahn, and now there was confirmation of the exact location of the front of the demonstration in live time. I asked Google Maps how to travel between these two places on foot. This was the answer:
So now I had very narrow parameters in which to search for Fiete’s location. Of course he could have gone to one of the other protests elsewhere in Germany, but I would have to eliminate Hamburg before moving on to another city. I decided to switch to Street View and “walk” along the protest route to try and find where Fiete took his picture. It took less than a minute to find the location:
The location where Fiete was is on Glacischausee in Hamburg, just across from the protest start point. The brown and white building, the trees at the roadside, and the spire of St John of Kronstadt in the distance verify this is the correction location.
My Twitter feeds also found the answer to Fiete’s second question by accident. This tweet popped up in my #Fridays4Future + Hamburg timeline:
So according to the police, the answer to Fiete’s second question was that there were 17,000 people at the demonstration. Not bad going!
Going Further With Live OSINT – OSINTCombine
So finding Fiete was fun exercise and it shows how this kind of live data can be maximised to find out even more vital information. It would be possible to use the same technique to find out more about about a terror attack or a large-scale sporting event as it unfolds. You could also search through the Tweets and Facebook posts to begin to identify and map the networks of those involved in large scale public events, if you had an ethical reason to do so. I hope this post also shows the importance of capturing live, volatile OSINT data in fast-moving situations. It is about twelve hours since I attempted the challenge, but if I tried it again now the data picture would have changed a lot and the same method wouldn’t work.
This quiz was also the first chance I’d had to look at OSINTCombine’s SocialGeo search tool since I heard about it last week. I was really pleased with how it turned out and it should be part of your toolkit if you need to grab a lot of social media geolocation data in a hurry. The ongoing protest in Hamburg seemed like a good occasion to try it out. Could we get any other information that would be useful for OSINT purposes with Social Geo Lens?
I pointed the tool at Fiete’s location and began the search. The tool takes the exact map coordinates and then checks Instagram, Facebook, Snapchat, and Twitter for any content that geolocates to that area. It’s important to note that Instagram and Facebook do not use latitude/longitude to find data. Instead they calculate real-world name of the location and then present hits related to that place name to the user. In this case Facebook and Instagram correctly deduced I was looking at Neustadt in Hamburg, so they returned results that matched the term ‘Neustadt’. Unfortunately there are a lot of places called Neustadt, so I got a lot of content that I didn’t need and that wasn’t relevant. This is a limitation of Facebook and Instagram however, not the tool itself.
A lot of useful hits were returned for Twitter but as I’d already used Twitter a lot in the challenge I didn’t spend too long looking at the results. I did like the ability to set a radius for geolocated Twitter results, down to as little as one kilometre.
The best feature of the tool was how it linked the location to Snapchat Map. Snapchat is notoriously difficult to use as an OSINT source, but the Snapchat Map is an essential part of any live OSINT enquiry. Like OneMillionTweetMap, it is a source of volatile OSINT data. It presents a heatmap containing geolocated content uploaded by users – but each video has a maximum life of 24 hours. You can’t get historic data so if you don’t capture it at the time, you never will. SocialGeo brought up a nice Snapchat Map of Fiete’s location:
The heatmaps show video or image content. Simply clicking on the heatmap will show the content. Here’s some of what it found in Hamburg:
I didn’t watch for long enough to see if Fiete made a guest apperance – but you can see the usefulness of this tool for OSINT purposes. You can’t directly download the videos as far as I’m aware but you can use video capture tool if you want to keep the footage for later.