We set ourselves a challenge; could we explain geolocation using OSINT in 1,000 words? [Spoiler Alert: done in 975 words]
Geolocating images - establishing the exact location in which an image was taken – is just one example of an image’s potential when conducting an OSINT investigation. It involves the use of multiple, creative techniques to find the real value in an image.
There are well-established methods that work in some cases, such as extracting EXIF data. But EXIF data (the metadata that includes GPS coordinates attached to an image) is gradually disappearing from open sources. In fact, the data behind an image is now wiped as a matter of course when an image is uploaded to most social media sites or sent through messaging apps. So, whilst this method can be an excellent means of establishing the technical genesis of an image, it can no longer be regularly relied upon as a method for understanding the origins of an image.
In any given image (as in the one below) there are normally several overt clues that allow us to start the geolocation process. There is information which is easy to extract, such as: advertisements - well-known brands; transport infrastructure - tram signs; shop front - Manchester’s Arndale shopping centre sign is visible; identifiable architecture - the tower on the left and the skyscraper on the right. The list goes on…
However, the scope of this technique is limited. For instance, city layouts and shop fronts may change rapidly, making it harder to rely on this information for analysis. Images also won't necessarily contain the abundance of signs seen in the above image. Or perhaps the signs won’t be immediately familiar to the analyst. In such cases, further techniques are needed - either to help us extract more information, or to verify what we analyse.
Our next step in confirming the location of an image is to measure the shadows and the position of the sun. There are several sun positioning and daylight measurement tools, which can help verify the location, with the input of general pieces of information like the city, the time, and the date. Even without this information, this method is still reliable using analytical deductions derived from the simple analysis of the image.
These tools allow the user to visualise this path of the sun over a location at a certain time on a given date. From here, we return to our original analysis of the image to geolocate. Using the image above as an example, we can compare each tram stop in the vicinity, matching the tower on the left-hand side of the road. To develop this further, we can also cross-check the path of the sun rising. In the case of the above image, which was taken in a densely developed area, using such tools avoids checking multiple similar streets, and adds verification to the eventual geolocation. Vitally, this method is reliable even when multiple variables may affect the appearance of the location in an image. Conversely, in more remote locations where analysis relies on terrain and natural features, this method is also reliable.
Having considered how tracking the sun can improve our search, we can also make use of search engines as a tool for geolocating images. This may lead us to the original image, the context of which can provide more information. Or it may lead to similar images that may also provide additional information. As the sophistication of image search services improves it is possible that parts of the image may be identified individually, or keywords relating to the image may be generated. For example, the target language of linked content in search results can provide clues to the country as a start point and narrow down our search.
Some search engines are particularly effective in identifying components of the image, they may navigate the image and break down the picture in more detail (for example identifying the tram stop). Other search engines will find similar images to help us understand the surroundings of the image better (for example a monument photographed from multiple angles, or further information about a building in the background). Likewise, some searches will offer the chance to ‘zoom out’ to a larger scale and see identifying marks we didn’t know were there.
An alternative type of ‘search engine’ is also at our fingertips when it comes to geolocating images. Social media platforms link user content to locations - this can be useful for cross-checking an image. Posts can be filtered by location tag, media type (photos/videos), and date.
It is also worth noting the information the proportions of an image can give us. Images conform to different proportions depending on the site. If the image proportions indicate the image is from a certain site, searching that site (filtered by location or hashtag) may be quicker. The same can be said for other identifiable editing marks like timestamps, filters, locations, music tags, etc which may trace an image back to a certain platform.
As is the case with different search engines, it is important to highlight the differences between platforms. Platforms vary with the age of content they show ranging from a few hours old, to several years. The verification of location is also different platform to platform - some is user verified, and some is GPS only.
The tools available for geolocation are developing constantly: from viewing live cameras to virtual tours, there is a vast array of material in the publicly available domain which may hold the key to pinning down the location.
As with any form of intelligence collection, the real value added from such techniques is only maximised when overlaid with the vast array of tools and techniques that expert OSINT analysts bring to bear every day. Nevertheless, from something as simple as a sole image, we can start to generate significant investigative insight and images can help us unlock an entire investigation.