Geolocation is a key to great OSINT collection, but is your tradecraft keeping up with the times? Learn how creative resources can help you hone your craft.

Much of open-source intelligence (OSINT) collection relies on the free and open internet, and in online currency, images and videos are gold. For online researchers, that means image-based research is a key part of discovering the who? What? When? And — perhaps most importantly — the where?

OSINT research relies on the ability to interpret all types of data, including image-based information. From law enforcement and journalism to cybersecurity and human rights advocacy, the ability to analyze and interpret visual data can reveal critical insights that may otherwise go unnoticed. But to glean these insights, practitioners first need to understand the methods for conducting effective image-based OSINT research, from intent to tools and resources.

Verification is key

If an analyst comes across an image or video that may be relevant to their research, the very first step is to analyze whether that image has been manipulated or misapplied. Misleading or manipulated imagery online is common, and the misinformation it leads to can be high stakes, especially when it comes to operational security (OPSEC) and foreign conflicts. Images of conflict zones, downed aircraft or troop positions can be an invaluable source of information to decision-makers and humanitarian organizations alike, but it’s imperative that that information not be based on falsified images. To find out if an image is real and put it in its proper context, the first step of a researcher is to find where it originated.

The rule of first instance

One way to verify or debunk an image is to find when it first appeared on the internet. If someone on Twitter purports an image of a downed fighter jet is evidence of a mounting offensive in the Ukraine war, but the very same image has been around since 2014, you can safely call that claim debunked. Finding the original version of an image can also help analysts sus out manipulated content. 

Reverse image searching allows you to find information about an image by searching the internet for other instances of that image or similar ones. This can help you identify the source of an image, verify its authenticity and uncover additional context or related content. Here are two popular tools for reverse image searching:

  • Google Images: Google's reverse image search feature is a simple and widely-used option. To use it, visit the Google Images website, click on the camera icon in the search bar, and upload the image or provide a URL.
  • TinEye: TinEye is another powerful reverse image search engine. It offers a browser extension for easy access and provides additional features such as sorting results by oldest or most recent appearances of an image.

Finding the source image can sometimes be complicated by the growing popularity of closed-group social media networks. Private group channels on platforms like Telegram, Discord, Facebook and others can produce content — and sometimes misinformation — that is difficult for outside analysts to gain access to.

Geolocation and chronolocation 

Geolocation involves identifying the specific location where an image was taken, while chronolocation focuses on determining the time it was captured. Both techniques can provide valuable context and help verify the authenticity of images. Here are some methods to improve your geolocation and chronolocation skills:

  • Identifying landmarks and other geographical features: Examining an image for distinctive elements such as buildings, monuments or natural formations can help narrow down the location. Cross-referencing these features with maps, online databases or local knowledge can lead to accurate geolocation.
  • Analyzing shadows and light sources: Shadows and lighting in an image can offer clues about the approximate time the photo was taken. By understanding how the sun's position changes throughout the day and considering factors like daylight saving time, you can make educated guesses about the time of day when the image was captured. SunCalc is a great tool for understanding how light sources and location interact.
  • Cross-referencing with maps and satellite imagery: Tools like Google Maps, Bing Maps and Google Earth can be invaluable for verifying locations and finding additional visual data. Satellite imagery can also reveal changes over time, helping you pinpoint when an image was taken.

Discovering geolocation and the first instance of an image are key first steps in verifying an image or identifying if it has been manipulated or misused. As the prevalence and sophistication of deepfakes continue to grow, these simple methods can help researchers determine fact from fiction in the world of image-based OSINT. 

Sus-ing out bogus footage

Detecting image manipulation is crucial in OSINT research, as doctored images can spread disinformation or mislead investigators. To determine if an image has been altered, consider the following:

  • Common signs of image manipulation: Look for inconsistencies in lighting, shadows and reflections, as well as irregularities in image quality, pixelation or artifacts that may indicate editing.
  • Tools for detecting image manipulation: Software like Forensically and FotoForensics can help identify signs of tampering by analyzing an image's metadata, noise distribution and other technical aspects.
  • Check the image metadata for irregularities: Using a tool like Silo Image Metadata Viewer allows researchers to safely and instantaneously view comprehensive data about where and how an image was taken. 
  • Verify your findings: Always cross-reference and verify information from multiple sources before drawing conclusions. Never rely solely on a single piece of evidence, and be sure to acknowledge any uncertainties. Recognize the limitations of your analysis and be transparent about any question marks to avoid making definitive claims without sufficient evidence to back them up.

Understanding EXIF data

Exchangeable image file format (EXIF) data is the hidden information stored within an image file that can provide crucial details about when, where and how the image was created. Extracting metadata can help you verify the authenticity of a photo and uncover additional context.

Types of EXIF data that can be found:

  • Camera settings (including aperture, shutter speed, ISO)
  • Image metrics (like dimensions, resolution, colorspace and filesize)
  • Date and time the picture was taken
  • Location coordinates
  • Descriptions
  • Copyright information

Despite this wealth of data behind every image, EXIF data still needs to be analyzed and verified by other sources. It’s possible for bad actors to manipulate this information. It also can’t be relied upon. Many major social media companies strip the data in the images their users post for safety reasons, including Facebook, Instagram and Twitter.

Get creative with OSINT!

Investigating images isn’t just about having the right tools or methodology. Breaking free from the mold and getting creative can lead to great results. Curiosity is key. OSINT is a dynamic, ever-evolving field. Researchers should try to challenge themselves to keep up with training and tradecraft. There are many ways to keep up with industry standards to try.

Some tips for practicing geolocation:

  • Do online challenges: Follow accounts that post photos to geolocate or play geolocation-based games like GeoGussr
  • Consume tradecraft-related media: Follow geolocation TikToks, publications like Bellingcat or read Eliot Higgins’ book (which serves almost as a history in online photo/video geolocation)
  • Make it more challenging: Skip the reverse image search and challenge yourself not to use the easiest method for the location to see if you can locate the image based on other harder-to-see clues
  • Sign up for a training course: There’s no shortage of great training courses out there to keep up with your tradecraft — from the industry leaders at MyOSINT.training to the gamification of training modules at Kase Scenarios
  • Collaborate and share knowledge: Join online forums, social media groups, and other platforms where OSINT practitioners share insights, experiences and advice. Collaborating with others can not only help you learn from their expertise but also contribute to the collective knowledge of the community.
  • Attend a conference: There are many great conferences on OSINT, from OSMOSISCon 2023 onsite in New Orleans to the free and virtual SANS OSINT Summit
  • Stay ethical and responsible: Always consider the ethical implications of your research, especially when dealing with sensitive information or vulnerable individuals. Adhere to legal regulations and follow established guidelines for responsible OSINT practices.

The risk of attribution

Any investigation, including image-based research, runs the risk of attribution to the researcher and their employer. To avoid tipping off investigative targets and bad actors, researchers should shroud themselves in anonymity — and no, I don’t mean with just a VPN!

To fully manage attribution, researchers should look to using robust, purpose-built solutions. Not only will they help you protect your identity and the intent of your investigation, you’ll get built-in tools at your fingertips to help streamline and protect research. Researchers can discover great tradecraft tools and be secure at every step in their analysis.

To see how Silo for Research assists practitioners in protecting their craft to quickly get the information they need, request a demo.

Tags
Anonymous research OSINT research Social media Threat intelligence