With any kind of OSINT investigation it’s easy to gather huge amounts of data in a very short amount of time, but what do you do with it all? There are thousands of tools you can use to scrape information from all kinds of sources, but how do you decide to prioritise it? What information is relevant, and what is not? How do you keep your research on track and avoid wasting time on pointless searches that take you nowhere?
Consider the Mueller Investigation into President Trump – it executed over 500 search warrants, issued over 2,800 subpoenas, made 230 requests for telecoms data, and interviewed about 500 witnesses, all to produce a 448 page report. The Skripal Poisoning investigation took over 900 witness statements, seized 2300 pieces of evidence, and reviewed 4000 hours of CCTV footage. All of these investigations were very different in purpose but they all had to gather and evaluate vast quantities of information in order to achieve their aims, but how did they avoid becoming overwhelmed? Of course it helps that these enquiries are well resourced, but the important investigative decisions about where to go next are still made by just a tiny number of senior investigators. How do they keep things on track and avoid drowning in data? How do they decide what is important and what is irrelevant? What determines where they will go next?
If you’re just starting out with OSINT investigation, or even if you have lots of experience, you’ll notice how easy it is to build up a lot of data and go off on a lot of tangents very easily. Most OSINT investigations are not on the same scale as the Mueller Report or the Skripal Poisonings of course, but the same investigative decision-making method used by experienced investigators in major cases can also be applied to smaller scale investigations to help sort through the data, focus on what’s important, and then decide what to do next. The method is known as gap analysis.
Gap Analysis
Gap Analysis is a simple but very effective way to keep an investigation focused on what is important and avoid unnecessary and confusing tangents. The name comes from the fact that it is used to evaluate all the known information and then identify gaps where further enquiries are needed. It is not specific to OSINT, but it can be easily applied to online investigations. It uses four simple questions to look at the gathered information, evaluate it, and then decided what to focus on next. The four questions are:
1) What do I know?
2) What does this mean?
3) So what do I need to know?
4) How do I find out?
Instead of rushing ahead and leaping from one tool to the next in hope of a quick win, gap analysis ensures that the approach is more methodical and accurate. With OSINT it is possible to be fast or accurate, but it is not often possible to do both!
Even if you are completely stuck at the start of an OSINT task, or maybe just overwhelmed with information, applying these questions to the data in front of you will help determine where to start. Also notice that thinking about what tools or resources to use are only addressed at question four – “How Do I Find Out?” While a knowledge of the available OSINT tools is essential, they will never get you very far if they are not used in conjunction with a good investigative method. The method will determine what tools to use.
A Quiztime Case Study – Using Gap Analysis To Find Tilman Wagner
On 22nd May the Quiztime challenge was quite a hard one to begin with – but it was possible to solve by using gap analysis to identify what information was available, and what had to be done next in order to solve the challenge.
Tilman posted the image below and asked two questions: 1) Was there another flight between his and the Easyjet one? and 2) Where was the Easyjet plane flying to?
He also told us that the image was taken on 12th May 2019, and that this was his outbound flight. Tilman often posts from Tirana where he is based but he was clear this was an outbound flight and he was not heading to Tirana. The first thing to do was to identify Tilman’s location and work from there.
There was no way to solve this instantly, but being systematic and using gap analysis it was possible to identify some ways to find the location and start heading in the right direction. Here are the four key questions I used to get started:
1) What do I know?
i) This is on the 12 th May 2019.
ii) There is an Easyjet plane on the runway ahead of Tilman’s plane.
iii) There is a sign in the picture that says “BB 25”
2) What does this mean?
i) Tilman’s plane was also at an airport that Easyjet fly from.
ii) The sign may tell us something about the location.
3) So what do I need to know?
i) Which aiports do Easyjet fly from.
ii) What does the BB25 sign next to the runway mean, if anything?
4) How do I find out?
i) Get a list of locations that Easyjet fly from.
ii) Find a guide that explains airport runway signage.
So already gap analysis gave me something to work with. Finding out where Easyjet fly from is straightforward – their website and this Wiki page give all the destinations, but they fly from 136 different airports. I could have looked at every single aiport on Google Earth and compared it to the photo, but that would take a long time and I would quickly drown in information.
The runway sign was more promising. A quick Google tells us that “BB 25” means that this sign denotes taxiway BB for runway 25 – this is a vital piece of information that will help solve the puzzle much more quickly.
Runway Names and Numbers
Every single runway has a number, or two specific numbers to be exact. A runway takes its number from a the compass heading it is directed towards. For example a runway that points due west (bearing 270 degrees) would be called runway 27. However planes sometimes use different ends of the runway to take off from depending on wind direction, so the runway is given a second number for when aircraft use the opposite end. Because runways are straight lines, the opposite end of a runway will have a compass heading that is 180 degrees opposite to the other end. So if one end of a runway points towards 270 degrees, the other must point 90 degrees. This means the runway name will be 090/270, or 09/27 for short. If you’re confused there’s a really simple guide here.
So now I knew the runway in the photo is runway 25. This means the Easyjet plane is heading 250 degrees for takeoff. With a little bit of geometry it was possible to find out a little more that will quickly help to locate Tilman. If one end of the runway is facing 250 degrees, the other end must be facing 70 degrees (because 250- 180 = 70), so the runway name we are looking for will be 07/25.
So perhaps now would be a good time to hit Google Earth and just check out all the Easyjet aiport locations that have a runway named 07/25? It would have been an option to do this, but it was possible to narrow the parameters even further with just a little more geometry.
If the Easyjet plane is facing 250 degrees (roughly WSW), then Tilman must have been looking roughly northwest when he took the photo. No airport buildings of any kind are visible on the image, so the main airport infrastructure must be on the south side of the runway, not the north side. Now the parameters for finding the correct airport were really small:
i) It is used by Easyjet
ii) It has a runway 07/25
iii) The main terminal buildings are likely on the south side of the runway.
A very quick trawl through the list of 136 Easyjet destinations reveals that only a tiny number (I think it was less than 15 but can’t quite recall) had a runway 07/25. I checked these out on Google Maps, and even fewer had the main airport buildings on the south side of the runway. One of the very few that met all three search criteria was Rome Leonardo Da Vinci Airport. I then moved to Google Earth to try and verify if this could be correct:
By comparing the original photo to the Google Earth image it was clear the red and white towers in the background were the same on both photos. Tilman had been waiting to take off from runway 25 at Rome Leonardo Da Vinci Aiport.
This last Google Earth image showed two planes waiting to take off at the end of the runway. This suggested that it was at least possible there was another plane between Tilman’s aircraft and the Easyjet one we were trying to find.
So having established Tilman was in Rome, it was time to decide what to do next by applying some more gap analysis.
1) What do I know?
i) The image was taken on 12th May.
ii) The image was taken on runway 25 at Rome Leonardo da Vinci Aiport (FCO).
2) What does this mean?
i) Tilman’s plane and the Easyjet flight will have departed close together on 12th May. To identify Tilman’s flight we will also need to identify the Easyjet flight.
3) What do I need to know?
i) What time planes took off from FCO on 12th May.
ii) Where do Easyjet fly to from Rome?
4) How do I find out?
i) Get a list of departure times for FCO on 12th May 2019.
ii) Find out where Easyjet fly to from FCO.
Now you might assume that it would be possible just to head over to Flightradar and view historic departure information and solve the puzzle just like that, but it wasn’t. Tilman posted the challenge ten days after the flight, but Flightradar only holds records for the last seven days unless you have a premium account. There are other aircraft datasets available but most are intended for commercial use and cost a lot of money to access. So where to get the data I needed?
To get the data I used Airportia and found the page with departure records for FCO here. Now there seemed to be a problem again because Airportia only allows you to see the last seven days worth of information, but with a little URL manipulation it was possible to access the data I needed. The standard URL format Aiportia uses is:
https://www.airportia.com/italy/leonardo-da-vinci/departures/YYYYMMDD/0000/2359/
So by amending the URL to my target date as follows, it was possible to get the data for the date in question, even though there is no direct option to do this from the website:
https://www.airportia.com/italy/leonardo-da-vinci/departures/20190512/0000/2359/
There was a lot of data to go through, especially as there is a big difference between planned departure times and actual departure times. Airportia doesn’t allow sorting of flights by actual departure time, so a little patience was required. I got slightly disheartened at this point because I counted a total of 21 different Easyjet departures to thirteen different destinations: Geneva, Nice, Paris, Gatwick, Lyon, Berlin TXL, Paris Orly, Amsterdam, Nantes, Basel, Toulouse, Bristol and Luton.It would be hard to find the exact flight without guessing. I guessed that perhaps Tilman would have flown to Dusseldorf, based purely on the fact that he goes to Germany a lot, so I looked for Easyjet flights near to Dusseldorf flights but I’m happy to say I was wrong. Logic beats guessing every time.
So how to narrow down my the list of 21 possible flights to one? Time for more gap analysis:
1) What do I know?
i) There were 21 Easyjet flights from Rome on the 12th May.
ii) The flights go to 13 different locations.
iii) The flight in the picture is one of those.
iv) The flight pictured is in daylight.
2) What does this mean?
i) The flight must have been before sunset, as it is still light and there are no runway lights visible.
ii) Any flights that took place after sunset can be eliminated.
3) What do I need to know?
i) What time was sunset on 12th May?
4) How do I find out?
i) Use Suncalc!
Suncalc told me that sunset had been at 20:20 on the 12th May. This meant that any flight after this time could not have been in daylight and so could be eliminated. It was possible to eliminate 7 Easyjet flights this way, leaving me with just 14 possibilities.
More Information Needed
I was running out of ways to identify the specific Easyjet flight. It was not possible to accurately read the tail number of the aircraft (that would have been too easy) and I needed more information. Tilman helpfully provided some:
Tilman said this image was taken shortly after takeoff after his aircraft turned left approximately 90 degrees. The runway geometry meant that he had taken off on a heading of 250 degrees so a left turn of approximately 90 degrees meant he was heading roughly south. A quick Google Maps search helped confirm the location in the photo:
Even if you hadn’t figured it out from the runway angle, Tilman’s second picture shows the town of Fiumicino. This also means he is heading south. With some new information, it was time to apply some more gap analysis.
1) What do I know?
i) Tilman’s plane took off from Runway 25, turned left, and headed south.
ii) An Easyjet flight took off ahead of him, destination unknown.
2) What does this mean?
i) That the departure timetable will show a flight heading south near to the same time an Easyjet flight took off.
ii) That where a flight to the south and an Easyjet flight occur together, this is probably the right answer.
iii) That if there is a flight in between an Easyjet flight and a southbound flight, it will likely contain the answer to Tilman’s second question.
3) What do I need to know?
i) Which flights on 12th May were going to a destination south of FCO?
4) How do I find out?
i) Revisit the flight departure data.
ii) Check the destinations on a map – which are to the south?
So on reviewing the flight data, the only flights heading (roughly) due south out of FCO on 12th May were to Tunis, Palermo, and Catania:
The only time when a flight to one of these destinations took off shortly after an Easyjet flight was at 17:36 when a plane went to Palermo, just after Easyjet flew to Nice at 17:32.
This also means that there was another flight inbetween, to Pisa at 17:33. There is no other combination of Easyjet flight followed closely by a southern flight towards Palermo, so this had to be the correct answer. Fortunately Tilman confirmed that it was!
Without a sound logical method like gap analysis it would not have been possible to solve this challenge, but it allowed me to make sense of the data available and also identify the next pieces of information needed to find the answer. The average terrorism or murder investigation is a lot more complicated of course, but the only real difference is in the amount of data that has to be analysed and evaluated, not the decision making process itself.
Hi,
First of all, let me thank you for your blog posts which are such an amazing tool to learn OSINT.
I have a question about this one: Why did you discard the flights to Catania? There was one that departured at 13:28 and was preceded by an Easyjet flight to London Gatwick at 13:26. Another one departured at 15:12 and was preceded by an Easyjet flight to Paris-Orly at 15:10.
Do you think the time between the two flights was too short? According to this website, 2 minutes is a minimum to avoid a wake turbulence hazard https://www.skybrary.aero/index.php/Mitigation_of_Wake_Turbulence_Hazard
Hi Mira, thanks for taking the time to comment.
The main reason I discounted the Catania flights at those times is because in the original picture it looked like it was getting too dark. Although it was still daytime when the picture was taken, the sky on the left of the image looks like the sun is already quite low, so I assumed it was getting close to evening time. I think that the sun is too low in the sky for 13:28 or 15:10 at that time of year.
Re-reading the article I realise I was not explicit about this when I wrote so it is not very clear what my rationale was, but that was pretty much it!
Thank you for the explanation. I was also thinking at the beginning that the photo was probably taken in the evening (or early in the morning), but I forgot about it along the way.
Pingback: Dressed NOT for Success – We are OSINTCurio.us
Pingback: Cyber Intelligence – jagadee.online