In the short time that I have been blogging, many of the OSINT tools I’ve referred to have already become obsolete or no longer exist. Facebook removed Graph Search, Twitter removed geotagged Tweets, IntelTechniques lost its tools, and Pipl went behind a paywall. Although these setbacks can be frustrating, it’s important to remember that the foundation of good OSINT investigation is a sound method, not just the right tools. Tools are transient, but the methods of good investigation stay the same.
With that in mind, this article will look at how a sound investigative method can make even difficult OSINT challenges possible. As an example I’ll use Marc Krueger’s recent Quiztime challenge. How do you geolocate this image?
At first this might seem a little bit daunting. Marc has edited the image in such a way that obscures a lot of the detail. This makes reverse image searches ineffective but this also adds an element of realism – most real-life OSINT investigations are not straightforward. So where to start? By asking the right questions and using gap analysis we can determine what information we already, and what information is needed to solve the puzzle.
Gap Analysis
I wrote a previous blog post about how Gap Analysis can be applied to OSINT investigations but I’ll summarise it again here. It is a simple investigative method that asks four key questions about the information gathered up to that point and then determines what enquiries are needed to take the investigation forward. The questions are:
1) What do I know?
2) What does this mean?
3) What do I need to know?
4) How do I find out?
It’s a very effective way to bring a lot of clarity to a large collection of confusing data. Notice that questions about tools (“How do I find out?”) come last. Every time an OSINT enquiry gets muddled or comes to a dead end, reviewing the case with gap analysis can help identify new ways forward.
Ask The Right Questions
That’s all very well when you’ve already got some information in front of you. It’s easy to ask “What do I know?” when you’re already sat on collection of images, street signs, IP addresses, usernames, and e-mail addresses. But what if you’ve got nothing to start with? No one managed to solve Marc’s challenge in the first 24 hours and on the surface it appears very difficult, but by asking the right questions of the image it is possible to start gathering information that can be assessed with gap analysis and a solution can be found quite quickly.
Asking questions of an image might seem unusual, but we do it subconsciously all the time. In traditional investigations such as those carried out by journalists or detectives, asking the right questions of witnesses is a central part of any case. Asking good questions produces a lot of information, but bad questions do not. Good questions are open and elicit a wide range of information, but closed questions only allow for a narrow range of answers. Even worse are leading questions, which already contain the answer. Political journalists love to ask leading questions, but it makes for terrible interviews.
Good questions begin with “Tell me…“, “Explain to me….“, “Describe to me….“. They can be followed up with more open questions like What? Why? When? Where? or How? to draw out further detail. These kind of questions are the foundation of good investigative interviews because they elicit a lot of information. Closed questions on the other hand shut down the flow of information. Questions that begin with “Is this place x?” only offer the possibility of a “yes” or “no” answer. Even worse are the leading questions so beloved of TV interviewers: “Isn’t it the case that the government said they would spend x but in fact they only spent y?” The anticipated answer is already in the question. These kinds of questions have their place, but they are useless for eliciting any kind of information.
Let’s see how this could be applied to Marc’s challenge photo…
It may appear at first that we do not have an awful lot of detail, but by asking open questions of the image, we can actually assemble quite a lot of information to begin applying gap analysis to take the challenge forward and finally solve it. Here’s a good open question to start:
“Tell me…everything you can see in the image”
An old building
Graffiti
An old kiosk type building covered in graffiti
A tarmac road
Sunny weather
A tree
Shuttered windows and door
Two signs next to the door
Two flagpoles above the door
A sign next to the door that says “ESPASOS” or maybe “ESPANOL”
Shutters on the kiosk
So already we have eleven pieces of information to work with. It might not seem like much yet, but it is a start. Let’s ask more open questions to develop this a bit further…
“Describe everything in the photo. What does it look like?”
Looks old.
Abandoned.
Looks like southern Europe or Mediterranean.
The road looks quite new but the buildings look old.
A light above the door is broken.
The graffiti says “hier” and lots of other things that aren’t all clear.
So very quickly we have five additional pieces of information just by looking at the photo methodically. If we had just asked closed questions like “Is this in Italy or Spain?”, “Is it a house?” or “This is where Marc Krueger went on holiday, isn’t it?” we would not have a lot of information to work with. In normal daily conversation we ask closed and leading questions all the time, but with investigations it is necessary to make a conscious effort to ask open questions about the material you are working with.
Applying Gap Analysis
So now there is a little information to work with, it is possible to begin to apply gap analysis to determine what to do next. Let’s make a start:
1) What do I know?
This is an old abandoned building covered in graffiti.
It is opposite a kiosk that has been shuttered up and which is also covered in graffiti.
There are flagpoles but no flags.
The sign next to the door says either “ESPASO” or “ESPANO”.
There is a road between the kiosk and the building.
The sunny weather and the architecture suggest the building is in southern Europe or somewhere around the Mediterranean.
There is a tree with leaves on.
2) What does this mean?
The building is probably no longer in use.
It once flew flags from the flagpole.
The word “ESPASO” or “ESPANO” suggest a Latin language rather than a Germanic one. This also makes North Africa, the Balkans, or Greece unlikely locations despite the similar architecture.
The buildings are probably not in use, but the road looks as though it may be (it is not covered by weeds, unlike the building)
3) What do I need to know?
What kind of locations could be so close to a road?
What language does the word “ESPASO/ESPANO” belong to – this could at least give me the country, if not the exact location.
What kind of buildings fly flags?
4) How do I find out?
Use Google Translate to investigate the “ESPASO / ESPANO” word.
Make a list of all kinds of buildings that might fit the criteria of being next to a road, flying a flag, and being close to a kiosk.
So after experimenting with Google Translate, I couldn’t find any suitable words in Spanish, Portugese, or French that had the root “ESPASO”. “ESPANO” was a much better fit. A simple Google search showed that “ESPANO” is the root of words that mean Spain or Spanish. My Spanish is almost non-existent so I had to trust Google at this point, but it was a vital clue. I now knew that the sign next to the door of the building probably said “Spain” or ” Spanish”.
The second part of the “How Do I Find Out?” didn’t even really require the internet. What kind of building would be next to a road, opposite a kiosk, have flagpoles, and have “Spain” or “Spanish” next to the door? There are very few possibilities:
1) An embassy
2) A consulate
3) An immigration centre or border checkpoint
4) A Spanish restaurant. This is some kind of cruel joke by Marc.
So having established roughly what kind of building it is, and what country it is probably associated to, it was possible to use another round of gap analysis before firing up the tools.
1) What do I know?
This building is either in Spain or is associated to Spain in some way.
It is an abandoned building/kiosk covered in graffiti.
The kind of building that would have these features as well as flagpoles could be an embassy, border checkpoint, or other diplomatic location.
2) What does this mean?
If it was in use, it probably isn’t now. The target building is probably an abandoned Spanish diplomatic building of some kind. For some reason this building is no longer needed or has been replaced.
3) What do I need to know?
I need to find out about abandoned Spanish diplomatic buildings. Are there any? Where are they? Do they look like the image in the challenge?
4) How do I find out?
Google, Google Maps, and Google Images will probably be enough.
So I began researching Spanish Embassies. Fortunately Embassy Pages proved to be a helpful resource. It only took a few minutes to identify all Spanish embassies/consulates and other diplomatic missions in Europe and then check them against Google Maps / Images. There were no real matches and it struck me that the average embassy building is much bigger and more ornate than the one in the picture. I also couldn’t find anything that suggested Spain had any abandoned embassies. There was one exception in Morocco, but it didn’t match:
Having discounted embassies I then turned to border checkpoints. A little Geography knowledge (or Google Maps) is required. Which countries have a border with Spain? Spain has a border with Portugal, Andorra, France, and Gibraltar – but also not forgetting its outposts of Ceuta and Melilla in North Africa.
A Google Image search for “Spanish border” related photos brought up lots of pictures of the high fences at Melilla and Ceuta designed to keep out immigrants from Africa. The high security needed there means that these borders don’t fit with the old abandoned location in the challenge photo, so I discounted them. A little knowledge of European history means that because the Schengen Agreement, most internal EU borders were abolished in the 1990s. This was more fitting for the image I was trying to geolocate.
Finally I conducted an image search for “old Spanish border post”. On the fourth page I found this familiar looking kiosk:
A click on the link leads to an article about the history of cross-border escapes between France and Spain in WW2. From it I learned that the kiosk in the picture was at the French-Spanish border at Portrou:
A further image search for the border post at Portrou brought up this. It is now easy to see that the sign on the other side of the door was for the French Police.
And finally a glimpse of the location on Streetview.
Having established the location, it is now possible to research Marc’s question about the local road number changes, but that’s beyond the purpose of this post. This was not an easy challenge on the surface, but the solution did not involve any tools more complicated that Google Images. The key to solving this challenge was really about looking closely at the image and asking the right questions, and then developing them with gap analysis to find the solution. These methods are always reliable to start a difficult investigation and they’ll never be turned off by social media providers!