In OSINT we make use of the wealth of information that is now available to us, but so often it becomes the case that there is too much information for us to process effectively. It’s easy to drown in a sea of data and you can quickly find yourself with twenty browser tabs open having completely forgotten what it was that you originally set out to do. Going down some rabbit holes is inevitable because often you can only know that you were on the right track with the benefit of hindsight and you have to get things wrong before you get them right. Nevertheless it is still important that OSINT research is structured and methodical. Good OSINT reporting is clear and precise, and it should be possible for anyone who reviews your findings to understand how you came to your conclusions. This means structure and planning have to be built into your research at the outset. Not only will this ensure that you don’t go off on too many tangents, but it will also ensure that your final product is much more able to withstand scrutiny.
This might sound very serious for a post that is just a write-up for one of this week’s Quiztime challenges. Quiztime is for fun of course, but it is such a useful tool for practice because some of the harder challenges require the same methodical approach that more complex “real life” investigations require. It’s fun to solve a Quiztime puzzle with a first-time reverse image search, but good luck only takes you so far! This is why I always recommend people who want to learn more about OSINT try to solve Quiztime puzzles to improve their skills.
With that in mind I’m going to hopefully show how a more methodical approach made it possible to solve a recent Quiztime challenge from Tilman Wagner. Here’s the original tweet:
Something is out of place, so this is going to be a where question. It’s also a what question – what exactly do Swapfiets do, and why did this advert cause Tilman to think something was amiss? The advert is for a bike hire and repair service called Swapfiets, and it proudly announces the roll out of their service to Bonn, Germany – but how can we be certain that the photograph is actually in Bonn, and if it isn’t in Bonn, then where is it? Ultimately we will be able to show that not only is this photo not in Bonn, but we will be able to pinpoint the exact location where the photo was taken to prove our point. Let’s start at the beginning…
I’ve written about using gap analysis in many previous blog posts and I make no apology for writing about it again. It’s a very easy way of bringing structure and order to research by making you identify what it is you’re actually trying to achieve and how you will actually do it. It’s tempting to try and take shortcuts and try your luck by hopping from tool to tool in the hope of a quick fix but in the long run this won’t necessarily serve you well. Gap analysis takes stock of the initial information that you have and then applies four simple questions to identify what to do next. There are plenty of other ways to plan OSINT research, but I like this one for its simplicity and scalability. The four questions are:
1) What do I know?
2) What does this mean?
3) (So) What do I need to know?
4) How do I find out?
So we can apply this to the very limited information we start off with and soon we will be able to identify what to do next without falling down too many rabbit holes on the way. Let’s give it a try:
1) What do we know?
This is an advert for a bike company that purports to be in Bonn, but Tilman is a little sceptical about this.
2) What does this mean?
We need to know where this photo was taken so we can either confirm or eliminate whether or not Bonn is the right location.
3) So what do I need to know?
Where was this photograph taken?
4) How do I find out?
We need to gather enough information to accurately geolocate this photograph. We can start by trying to find the original source.
Finding the original source of the image is not too hard. We can visit the Swapfiets Facebook Page as a starting point. Look at what we find when we get there:
A very familiar looking image – but unlike the one that Tilman saw, this is much larger and has not been cropped. This means that it might contain important extra details that we would have missed otherwise. We also learn that Swapfiets have a .nl website, so they are likely a Dutch company:
We’ll come back to the website shortly. For now we can get the full size version of the image that we need to geolocate by clicking on the banner at the top of the page:
Much better! There’s a lot of detail here, and ultimately it will make it possible to identify the exact spot where this image was taken from. Now we can gather as much information from the photo as possible before applying another round of gap analysis to decide what we need to do after that. There’s no magic trick to extracting information from a photograph – just use your eyes! If you’re struggling then using a technique like 20 Questions can force you to pull out more detail than you might otherwise. We can start by adding just a few observations from the photo; these will then be added to the “What do I know?” part of the next round of gap analysis. Here are a few things from the photo to get started:
1) It’s a city with tall buildings.
2) There are tramlines in the street.
3) The car registration is partly visible, looks like PJ-620-something.
4) The lamppost has black and white stripes.
5) There are some unusual buildings on the left hand side of the road – one has two distinct metal columns, while the other has some kind of rectangular column sticking into the street.
That’s only five points, but in this case it will probably be enough when we combine it with the information from the Swapfiets Facebook page. Time to feed what we’ve learned into another round of gap analysis:
1) What Do I know?
The location is a city with tall, modern, buildings, the lampposts have black and white stripes, and there are tram tracks in the street. The registration plate of the car is partly visible. It is a location where Swapfiets offer their services. Swapfiets are a Dutch company (and Fiets is a Dutch word).
2) What Does This Mean?
The location will be a modern city with tall buildings that has trams running in the street. Swapfiets will have a service there. We might be able to use the street furniture and the car registration plate to home in a bit further.
3) So What Do I Need To Know?
Which cities do Swapfiets operate in, and which of these cities still run trams in the street?
4) How Do I Find Out?
The Swapfiets website would be a good place to start. Wikipedia might also be a good place to find out about trams.
I haven’t used every single piece of information to take this mini-investigation forward. I’ve focused on the information that will identify the country and city first. The information about street furniture will be used for fine tuning later on.
Country & City
The Swapfiets.nl website contains a list of all the locations where they run their services. They provide bikes for hire in the Netherlands, Belgium, Denmark, and Germany in dozens of different cities. This might seem a little daunting, but we can be confident in our investigation plan and move on without having to check all of these cities individually for matching features. Why? Because we have already identified some features that the correct location will have, and we can apply these same parameters to all the Swapfiets locations to confirm or eliminate them. One way to do this is to identify the country before moving on to a specific city.
We’ve already narrowed it down to four possible countries by using the Swapfiets site. Can we use any other information to find the correct one? The car registration plate is the most obvious place to start:
We can use WorldLicensePlates to compare this registration plate to those of the four possible countries. These are some sample Dutch number plates to begin with:
And some German ones:
And the Danish:
And finally the Belgian plates:
Of the four countries, which has the closest match to the one in the picture? Only the Dutch plates really come close, although white number plates seem to be quite rare in the Netherlands. If we’re wrong on this point it doesn’t matter too much. Because we have a structured method in place, we can always retrace our steps and start again if we go in the wrong direction. This is much better than firing random search terms into Google or loading endless images into Yandex in the hope we get lucky.
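The same plate comparison can be written down as a repeatable check. This is an added example, not part of the original write-up: the layouts below are simplified assumptions about common passenger-car series in each country, and the `BN-AB-1234` plate in the test data is constructed.

```python
import re

# Simplified plate layouts per candidate country (assumption: common
# passenger-car series only, not an authoritative registry).
# L = letter, D = digit, {n} or {m,n} = length of the group.
LAYOUTS = {
    "Netherlands": ["L{2}-D{2}-D{2}", "D{2}-D{2}-L{2}", "D{2}-L{2}-D{2}",
                    "L{2}-D{2}-L{2}", "L{2}-L{2}-D{2}", "D{2}-L{2}-L{2}",
                    "D{2}-L{3}-D{1}", "D{1}-L{3}-D{2}", "L{2}-D{3}-L{1}",
                    "L{1}-D{3}-L{2}"],
    "Germany": ["L{1,3}-L{1,2}-D{1,4}"],
    "Denmark": ["L{2}-D{2}-D{3}"],
    "Belgium": ["D{1}-L{3}-D{3}", "L{3}-D{3}", "D{3}-L{3}"],
}


def group_regex(spec):
    """Translate one group spec such as 'L{2}' into a compiled regex."""
    return re.compile(spec.replace("L", "[A-Z]").replace("D", r"\d"))


def matches(observed, layout):
    """observed: groups read off the photo; None marks an unreadable group."""
    specs = layout.split("-")
    if len(specs) != len(observed):
        return False
    # An unreadable group is compatible with anything; readable groups
    # must fit the layout exactly.
    return all(group is None or group_regex(spec).fullmatch(group)
               for group, spec in zip(observed, specs))


def candidate_countries(observed):
    """Return {country: [matching layouts]} for countries still in play."""
    result = {}
    for country, layouts in LAYOUTS.items():
        hits = [layout for layout in layouts if matches(observed, layout)]
        if hits:
            result[country] = hits
    return result


if __name__ == "__main__":
    # "PJ-620-something" from the photo: the last group is unreadable.
    print(candidate_countries(["PJ", "620", None]))
```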
So if we work on the basis that the photo was taken in the Netherlands, we can now add in the second part of our “What Do I Need To Know?” question: Which cities in the Netherlands have trams that run in the street, and how do we find out? Let’s start with Wikipedia.
There really is a Wikipedia page for everything, and the Dutch tram system is no exception. This page tells us all about the tram systems all across the Netherlands. From this we learn that only five towns in the Netherlands still have tram systems. They are: Delft, Utrecht, Den Haag, Amsterdam, and Rotterdam. It’s still too early to open up Google Maps and start looking at these cities for matching locations though. With the new information about cities we can conduct another quick round of gap analysis to decide what we need to do next before getting the maps out.
1) What Do I Know?
The photo was taken in either Delft, Utrecht, Den Haag, Amsterdam, or Rotterdam.
The location is on a street with some tall buildings. Two of them have some very distinctive columns:
2) What Does This Mean?
If we can find these distinctive buildings in one of the five cities, we will be able to find the location. We’ll be able to use the tramlines and striped lamppost to find the precise spot.
3) What Do I Need To Know?
Of the five possible cities, which one has buildings with these distinctive features?
4) How Do I Find Out?
We’re going to use Phorio and Skyscraper Page to get a quick overview of the most prominent buildings in each of the five cities.
Phorio & Skyscraper Page
Phorio and Skyscraper Page are brilliant tools for geolocation challenges. Phorio contains all kinds of data relating to large buildings in cities all across the world, including height, map, and photo information. It also usually features skyline photos and high quality pictures of the key buildings in a particular city. Skyscraper Page contains sketches of all the key buildings in a city and arranges them by height, so it’s great for identifying specific buildings and skyline features. To solve Tilman’s quiz we can go through the Phorio and Skyscraper Page sites for each of the five possible cities we have identified to see which one matches the buildings in the photo.
Let’s use Delft as an example. Here’s the Phorio page:
Complete with pictures of all the most prominent buildings in the city:
There are no immediately obvious matches here. This is what Delft looks like on Skyscraper Page:
I can’t see any matches for the buildings in the picture. Something else is not quite right here – Delft may have trams but it does not really seem to have the big commercial buildings like those in the picture. Its largest buildings are either the university or residential blocks. I suspect Delft is too small to be the city in question. Utrecht is a little bigger and has a few larger commercial buildings, but there are still no obvious matches. It must be either Amsterdam, Den Haag, or Rotterdam.
These cities are much larger and so it takes slightly longer to check their Phorio profiles, but I still find this much quicker than using Google Maps. For more refined searching, Phorio allows the selection of different filters such as building type or district. These are the available filters for Rotterdam:
Of all the different building types (or “channels”), it seems most likely that our location is dominated by office buildings, so we will just look at those for now. It gives a nice selection of buildings to focus on. This is a very efficient way to check a large number of buildings at one time. Looking through the list, there is one specific building that stands out.
The Unilever Building has the same distinctive metal columns as the building in the original photo. We need to check if it’s the right one.
The building has its own Phorio and Skyscraper Page entries, so we can find out its address too. It’s located at Weena 455, Rotterdam. This is what it looks like in Google Maps 3D:
A final look with Streetview just to check – it looks pretty good!
All the features we identified throughout are present here: the tramlines, the building with metal columns, all the same tall tower blocks, the striped lampposts and all the other street details all match. This means that the photo was taken looking down the Delftse Poort in Rotterdam. This explains why Tilman wasn’t entirely convinced by the original picture:
This was by no means the only way to have solved this quiz. There is usually more than one solution but if you get a little stuck or aren’t sure what to do next then gap analysis is an excellent way of making things a little more clear and structured. If you enjoyed reading this then check out some of my other Quiztime write-ups and don’t forget to follow @Quiztime to take part in the daily quiz.