Images uploaded online often bring with them geotags in their EXIF data. OSINT researchers should understand how to find — and verify — this information when geolocating images.
Using geotags in open-source investigations allows researchers to verify, catalog and corroborate valuable information on locations and where certain content was created or shared. But knowing where you will and won’t find images with geotags, how to view them and when to trust them is crucial.
Let’s break down this valuable detail in open-source intelligence (OSINT) investigations from the basics to advanced precautions researchers should take.
What are geotags?
Geotags are metadata containing location information. They can be found in various media, such as photos and videos, and can be instrumental in investigations or exploited for malicious purposes, so researchers need to understand the implications of using them.
What other info does image metadata contain?
Geotags are just one type of information found in an image's metadata, which is stored in EXIF (Exchangeable Image File Format) fields inside the image file. EXIF data can contain:
- GPS coordinates of where an image was taken
- Timestamp of when the photo was taken or downloaded
- Details on the digital camera and its settings such as exposure and aperture
Can geotags be changed or removed?
EXIF data and the geotags it contains may be stripped or altered before upload, and certain technology platforms like social media sites automatically remove EXIF data from images on their sites.
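To show how a geotag is actually stored, and what a stripped image looks like to a reader, here is an added example (not code from this article or any tool it names) that walks a raw EXIF/TIFF block to its GPS IFD and converts the degrees/minutes/seconds rationals to decimal degrees. In a JPEG this block is the APP1 segment payload after the `Exif\0\0` marker; the sample bytes and all function names are constructed for illustration.

```python
import struct

def _entry(tag, typ, count, value):
    return struct.pack("<HHI4s", tag, typ, count, value)   # one 12-byte IFD entry

def build_sample():
    """Constructed little-endian TIFF/EXIF block holding only a GPS IFD (sample data)."""
    u32 = lambda n: struct.pack("<I", n)
    ifd0 = struct.pack("<H", 1) + _entry(0x8825, 4, 1, u32(26)) + u32(0)
    gps = (struct.pack("<H", 4)
           + _entry(1, 2, 2, b"N\0\0\0") + _entry(2, 5, 3, u32(80))
           + _entry(3, 2, 2, b"W\0\0\0") + _entry(4, 5, 3, u32(104)) + u32(0))
    lat = struct.pack("<6I", 40, 1, 26, 1, 465, 10)       # 40 deg 26' 46.5"
    lon = struct.pack("<6I", 79, 1, 58, 1, 5625, 100)     # 79 deg 58' 56.25"
    return b"II*\0" + u32(8) + ifd0 + gps + lat + lon

def read_ifd(buf, off, bo):
    """Map tag -> (type, count, raw 4-byte value/offset field) for one IFD."""
    (n,) = struct.unpack_from(bo + "H", buf, off)
    entries = (struct.unpack_from(bo + "HHI4s", buf, off + 2 + 12 * i) for i in range(n))
    return {e[0]: e[1:] for e in entries}

def _degrees(buf, entry, ref, bo):
    typ, count, raw = entry
    if typ != 5 or count != 3:
        raise ValueError("coordinate is not three RATIONAL values")
    vals = struct.unpack_from(bo + "6I", buf, struct.unpack(bo + "I", raw)[0])
    if 0 in vals[1::2]:
        raise ValueError("zero denominator in coordinate")
    d, m, s = (vals[i] / vals[i + 1] for i in (0, 2, 4))
    deg = d + m / 60 + s / 3600
    return -deg if ref in (b"S", b"W") else deg            # south and west are negative

def gps_from_tiff(buf):
    """Return (lat, lon) in decimal degrees, or None when no geotag is present."""
    bo = {b"II": "<", b"MM": ">"}.get(bytes(buf[:2]))
    if bo is None or struct.unpack_from(bo + "H", buf, 2)[0] != 42:
        raise ValueError("not a TIFF/EXIF block")
    ifd0 = read_ifd(buf, struct.unpack_from(bo + "I", buf, 4)[0], bo)
    if 0x8825 not in ifd0:                                 # no GPSInfo pointer: stripped
        return None
    gps = read_ifd(buf, struct.unpack(bo + "I", ifd0[0x8825][2])[0], bo)
    if not {1, 2, 3, 4} <= set(gps):                       # refs and coordinates all needed
        return None
    return (_degrees(buf, gps[2], gps[1][2][:1], bo),
            _degrees(buf, gps[4], gps[3][2][:1], bo))

if __name__ == "__main__":
    print(gps_from_tiff(build_sample()))
```

A `None` result only says the GPS tags are absent from this copy of the file; it does not say whether the original ever carried them.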
Security risks, OSINT rewards
Geotags can be used to form a pattern-of-life analysis, which involves extensive examination of an individual’s behavior, routines and everyday activities to get a sense of where they are, at what times and who they are with.
For an individual, sharing this information online can be a bit risky. In fact, for service members and their families, the U.S. military provides instructions and frequent reminders of the PERSEC (personal security) and OPSEC (operational security) risks that sharing photos online can pose. Geotags could reveal troop or weapon locations or expose other clandestine activities.
In a NeedleStack episode, James A. Samuel, Jr., former Executive in the U.S. Defense Department, tells the story of how a Twitter user's livestream nearly blew the Bin Laden raid in Abbottabad, Afghanistan in 2011. While the tweets didn’t include geotags, they did contain geolocation information on one of the most highly classified military operations in recent history.
However, someone else’s risk can be your reward. PERSEC and OPSEC missteps are the things that OSINT researchers capitalize on to ensure their own missions succeed.
Examples of geotags used in OSINT investigations
OSINT researchers utilize geotags as valuable tools in a variety of investigations. In criminal investigations, geotags can help law enforcement solidify details such as crime scene location, track the movements of individuals concerning the case, and create a timeline of events.
Geotags have also been employed in OSINT regarding the Ukrainian-Russian war. OSINT research uncovered a post by a Russian soldier on Vkontakte, a popular Russian social media site, with pictures of his unit’s living accommodations in a country club. Unlike some social media sites, Vkontakte did not automatically remove geotags from uploaded images. Ukrainian military officials may have been able to use this open-source information to launch a strike on Russian positions. In another OPSEC blunder, yet more photos of the country club in ruins appeared, allowing Ukrainians to do a proper battle damage assessment.
For OSINT researchers, this readily available geotag information is a major benefit to investigations — so much so that some researchers wish social media platforms would leave them up in order to capitalize on OPSEC blunders of the worst of the worst.
Fivecast tradecraft lead Abbi Dobbertin talks about the upside of publicly available geotag information when performing counterterrorism investigations.
How to find geotags in online media
For images that carry EXIF data, Silo Meta Data Viewer is a great tool to easily view EXIF data and geotags while maintaining anonymity in your research. Its managed attribution capabilities ensure researchers can blend in with the crowd while visiting websites hosting images of interest. (For example, if visiting a website where images of drugs are posted for sale, researchers would not want to tip off the site owners that they are under investigation.)
Videos don’t carry the same metadata as an image would, so it’s not as easy to find geotags for online videos. But there’s a tool for that! YouTube Geofind lets you see the exact location of YouTube videos in a map view, or enter a physical address to search for videos near a specific address.
As with any information found in an OSINT investigation, always corroborate and verify the authenticity of data by using other sources. You can learn more on geolocating images — with or without EXIF data — and best practices for verifying information in this blog, Geolocation 101.
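Because geotags can be altered, a quick internal consistency pass is a useful first step before corroborating with other sources. The following is an added example, not part of the original article: it takes already-decoded EXIF tags (standard EXIF tag names; the dict shape, the 10-minute skew threshold and the sample values are assumptions constructed for illustration) and lists reasons to treat the geotag with suspicion.

```python
from datetime import datetime, timedelta, timezone

def to_decimal(dms, ref):
    d, m, s = dms
    value = d + m / 60 + s / 3600
    return -value if ref in ("S", "W") else value

def geotag_flags(tags, max_skew=timedelta(minutes=10)):
    """List reasons to distrust a geotag. An empty list means no red flag, not proof."""
    need = ("GPSLatitude", "GPSLatitudeRef", "GPSLongitude", "GPSLongitudeRef")
    if any(k not in tags for k in need):
        return ["no complete geotag (stripped or never recorded)"]
    flags = []
    lat = to_decimal(tags["GPSLatitude"], tags["GPSLatitudeRef"])
    lon = to_decimal(tags["GPSLongitude"], tags["GPSLongitudeRef"])
    if abs(lat) > 90 or abs(lon) > 180:
        flags.append("coordinates out of range")
    if lat == 0 and lon == 0:
        flags.append("0,0 placeholder coordinates")
    times = ("GPSDateStamp", "GPSTimeStamp", "DateTimeOriginal", "OffsetTimeOriginal")
    if all(k in tags for k in times):
        # GPS date/time are UTC; DateTimeOriginal is local time, so apply its offset tag.
        h, m, s = (int(x) for x in tags["GPSTimeStamp"])
        gps_utc = datetime.strptime(tags["GPSDateStamp"], "%Y:%m:%d").replace(
            hour=h, minute=m, second=s, tzinfo=timezone.utc)
        local = datetime.strptime(
            tags["DateTimeOriginal"] + tags["OffsetTimeOriginal"], "%Y:%m:%d %H:%M:%S%z")
        if abs(local - gps_utc) > max_skew:
            flags.append("GPS time and capture time disagree")
    else:
        flags.append("timestamps incomplete, cannot cross-check")
    return flags

SAMPLE_OK = {  # constructed sample values
    "GPSLatitude": (40, 26, 46.5), "GPSLatitudeRef": "N",
    "GPSLongitude": (79, 58, 56.25), "GPSLongitudeRef": "W",
    "GPSDateStamp": "2023:05:01", "GPSTimeStamp": (14, 3, 20),
    "DateTimeOriginal": "2023:05:01 10:03:25", "OffsetTimeOriginal": "-04:00",
}
# Constructed sample of an edited file: zeroed coordinates and a changed capture date.
SAMPLE_EDITED = dict(SAMPLE_OK, GPSLatitude=(0, 0, 0), GPSLongitude=(0, 0, 0),
                     DateTimeOriginal="2023:04:28 10:03:25")

if __name__ == "__main__":
    print(geotag_flags(SAMPLE_OK), geotag_flags(SAMPLE_EDITED))
```

A clean result here still needs external corroboration, since metadata that was edited consistently will pass every one of these checks.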
Understanding the importance of geotags and other forms of image metadata has become an essential skill set for OSINT researchers. Knowing what geotags are, how to view them (safely) and corroborate them can open a world of possibilities.