OSINT Exercise 001

OSINT Exercise #001

Recently, I saw a RAINBOLT’s video “a fan told me i couldn’t find her book” on Youtube. It was an interesting OSINT exercise where person has to find some flags from a provided photo. This lead me to discord OSINT Exercises by Sofia Santos. At first, I did a couple of them and it was really fun. Then I remembered that I still have this blog and decided to start my series of write-ups on these exercises. As a disclaimer, I must mention that I am intermediate in OSINT at best but I will (hopefully) get better with each exercise.

Anyway, let’s stop yapping and get into the first exercise.

Task description

Task briefing: Below you can see a screenshot from a tweet containing a photo. It contains all the relevant information necessary to help you find the exact location. Please identify the coordinates of where the photo was taken.

Click here for the photo without the Twitter border.

Exercise level: For beginners: Hard For experts: Medium

Task Tweet (or is it ‘X’ nowadays?)

Process

By reading the photo caption, I immediately notice the city name ‘Kiffa’. In Google Maps, there is a single match for this city name which is really fortunate (imagine checking N cities with the same name).

Kiffa in Google Maps

Alright, so we have a city name. It is time to find where the photo was taken. Just zoom in and find the spot, right? Well, not really, Kiffa has a population of 60,005 (2013 census, thanks Wikipedia), with this many inhabitants it would be 6th largest city by population in Lithuania.

To find the location where the photo was taken, we’ll need to consider few things from the tweet:

1. When was the photo taken?
2. What are the surroundings of the photo?

The photo was taken in Feb 20, 2013. As for the surroundings, let’s take a look at the photo once again:

Marked photo

I’ve marked a few things here:

1. It looks like the road goes a bit downhill and uphill. It could be a feature of terrain or there might be a creek/river down there.
2. There are electricity poles going by the road and there are a few buildings behind.
3. There is a structure with a tree behind. The structure might be a building or a wall.
4. There is a paved road with a wide gap to a building. In such areas paved roads could be reserved to main roads only.

In addition, it is worth noting that there is nothing besides trees in the horizon. Kiffa looks like a densly populated city which means that the photo was likely taken on the edge of the city.

Typically, I would use street view to get a feel of the suroundings, however, there is not Google Street View coverage in Kiffa:

No street view coverage

In this case, I’ll have to use satellite imagery only. It is time to move from Google Maps to Google Earth. Why? Google Earth allows to view historical satellite images whereas Maps do not (I think it used to but I might be imagining stuff at this point).

In Google Earth, I’ve selected Historical Imagery and selecter nearest 2013 imagery to the tweet date (Feb 20, 2013) - Jul 18th, 2013. From the imagery and road markings it is easy to see which roads are main and paved. Let’s mark some city edges and then zoom in:

Kiffa City edges marked on the main roads

Great, instead of scanning the whole city, I’ll need to check just 4 areas which is a way better option. In these areas, there were two places that, at first glance, looked like potential finds:

Potential finds marked

After a closer look, the first potential find was a false flag since the road curves, there are trees that are not visible in the photo and, most important, there is no paved road. However, the second potential find looks more promising:

Potential find #2

This area lines up pretty well (there is even a river!). However, to verify whether this is a match, I need to compare satellite imagery with the photo.

Satellite and photo comparison

Alright, so there are some marked spots with numbers. Let’s review each one of them:

1. There is a tree behind a wall in satellite image and behind some structure in the photo. This might be the same tree as they don’t really move (unless cut).
2. There are trees in the horizon. In addition, there is a river which would explain a change in elevation we can observe in the photo.
3. There are some buildings on the left side of the road. In the satellite image we can we a road, however, in the photo it is hard to tell whether it exists (it might be slightly visible).
4. The gap between the building and the road!
5. The building itself
6. A building and a couple of walls.

Given these factors, the photo was taken at these coordinates:

answer

16°36'34.25"N 11°23'52.10"W

This was a fun exercise and interesting exercise. At the time of this write-up, there is a total of 30 exercises which will keep me occupied for a while.