Can you tell me a bit about your background – naturally only as much as you are comfortable to reveal. What can you tell me about you education, type of work you’re doing, your experience with technology?
My background in OSINT really arose just out of a natural curiosity to find out about things. In the 1990s when I got dial up internet for the first time I remember how fascinating it felt to suddenly have this huge range of information at my fingertips, it felt like you could find out anything you wanted to know.
The internet still seems like that in some ways, but now every aspect of life is digitised and there is so much more to find out. I learned about computers and networks through playing computer games so eventually I have come to a point where being curious and knowing about computers have combined to lead me to the world of OSINT. I’ve never really been taught OSINT in any formal way, I’ve always been motivated by just wanting to find things out.
After I left university I had a really dull job in commerce and I wanted to do something a little more interesting so I joined the police. I became a detective quite early on in my career and now I have the chance to do a lot of OSINT in my daily work, for example finding missing people, fugitives, or identifying and tracing victims of child abuse. It has not always been like this though – even just a few years ago I was criticised by my boss for trying to use Twitter to source some leads for a crime! Fortunately things have improved a little.
Lately I have taken more of an interest in photo geolocation. It is quite a new area of OSINT for me but it’s quite enjoyable. About a year ago I saw Eliot Higgins from Bellingcat give a talk about some of the geolocation work his team had done. At the end most people who were at the talk wanted to ask “what program did you buy to do all this?” He explained that he only used Google Earth, Street View, and Google Maps. They didn’t really get how you could do all that just with open data. The point of course is that buying a shiny tool does not make you a good OSINT investigator, it is all about how you think and solve problems. Since then I’ve taken more of an interest in geolocation and I think that is why most people read my blog although I am still very new to this aspect of OSINT investigation, relatively speaking.
Recently I have started trying to demystify and explain the world of internet investigation and OSINT, especially for those who are new to it. The most basic principles of rational enquiry and investigation apply in the digital world too, so if you can learn to apply these traditional techniques to the digitised world that we now find ourselves in then you can be a successful OSINT investigator, regardless of whether you are a journalist, law enforcement officer, fraud investigator, or just a curious hobbyist.
Why and how did you decide to get into OSINT investigations?
I got into OSINT investigations entirely by accident. I always had an interest in OSINT and I tried to use it whenever possible in my work and now the world has changed so much that it is inconceivable that you could investigate anything without OSINT. Ultimately I have gravitated to this area because I enjoy it, and (usually) OSINT work does not feel like a chore. You have to be slightly obsessive and very curious to become skilled at OSINT and I am fortunate that as the world has changed so that my niche interest in noseying around the internet has become much more important, so I now I get to do OSINT work most of the time.
How do you prepare before you dive into an OSINT investigation? What do you find the most important?
Plan! What are you actually trying to find out? What is important? What do you know already? What do you need to know to go forward? How are you going to find it out? How will you determine what is true? Can you corroborate what you find? How much weight will you give each piece of information? It is easy to be overwhelmed with data and go down endless rabbit holes if you lose sight of what you are trying to achieve so having a structured approach is important.
Having a good plan at the outset saves an awful lot of time and confusion later on. For example with some of the Quiztime challenges I have written about I have probably spent about 75% of the time figuring how a problem can be solved before actually getting the tools out to solve it.
For this reason it is really, really important to start by extracting as much information as you can from your research subject by asking the right questions: Tell, Explain, Describe, Who? What? When? How? Where? Why? There is always more information to work with than there seems at first. For example if just have a photo that you wish to geolocate, spend time looking at the image and write down 20, 30, or 40 pieces of information that are contained in the picture before hitting the internet.
It doesn’t matter how small or irrelevant they seem, because at the outset you cannot know whether the details might be relevant or not. Then once you have identified things that are true about the photo you can start to apply logic to set parameters for further investigation. You have to think almost like a computer program – if X is true, then do Y. If a car is driving on the left, then eliminate all the countries that drive on the right. If the plug socket in the picture has two pins, then it cannot be in the UK or Ireland, and so on.
It is also really important to have an open mind and accept the possibility that you can be wrong. This might seem obvious but in practice it can be hard to stay objective. One of the worst (and most dangerous) investigative habits is to decide on the conclusion at the outset and then only find evidence that confirms the original hypothesis. In criminal investigations this kind of unconscious bias leads to miscarriages of justice and in journalism it turns a good investigative idea into a propaganda piece.
What I really want to hear about is your methodology of using flight tracking for geolocation. What can you tell me about it?
In a really broad sense, all geolocation methods are very similar. They involve finding pieces of information that are true, and then working from those to establish other things that must therefore also be true. For example someone posts a picture of the sunrise, so it must be true that they are not facing north or west. Or maybe picture of a train; you research the train’s number and find it only runs on one particular line in one area of Germany, so therefore it must be true that your subject was at a station on that line somewhere. Or someone shows a picture of a ship in a harbour and you find that ship was scrapped in 2017, so therefore it must be true that the photo was taken before then, or there is a motorway sign that is green, so you narrow the possible countries to ones that have green motorway signs, and so on. Extracting and evaluating data in this way helps to constantly refine your parameters until eventually you can find what you are looking for.
So really flight data is just another data type that can be used to refine the parameters of your search. Flight data contains a lot of vital information for geolocation: altitude, heading, speed, GPS position, and so on. You have to see the aeroplane as a big flying collection of information and then try to see how you can combine this with data from other sources to really tighten up your search.
So for the photo challenge I did where I was trying to find Tilman Wagner’s hotel, I knew that once the flight was identified it would always be possible to know what its position was at any given time on that day because I would have GPS data, altitude, heading, and so on. Combining that with the daylight, weather and sun position gave a small range of possible times and eventually only one possible location. I am not the kind of person who loves doing complex mathematics and trigonometry to calculate where someone is so it was then a question of realising that if the flight data is accurate, I should be able to recreate the flight and see exactly what Tilman saw from his hotel room. So the actual searching only took a few minutes but to set the parameters to decide where exactly I needed to search took me about 4-5 hours over a couple of evenings.
What learning resources do you recommend for OSINT?
There are a lot of good tools and resources, but first you have to remember that OSINT is a mindset rather than a list of resources to check through. It is really an approach to problem-solving and it takes time and many mistakes to become skilled, so go and make lots and lots of mistakes if you really want to learn! It may sound cliched but you just need to find something you are curious about and explore it.
For example, how does TikTok create URLs for user profiles? Could I find out and then be able to predict the profile URL of any given user? Let’s press F12, load the page, and find out how it is put together. Where does my local council keep digital records of meetings and planning discussions? These might contain useful e-mail addresses, associations, and phone numbers. How do I find them? Can I target a search for PDF files at their website and see what comes out? People are posting pictures of their conference badges all over Twitter – can I crop the badge and scan the barcode to find out more about them? And so on. I’ve never done any formal OSINT training as such, this is how I learned.
Learning from others is essential. It is good to find someone whose approach to OSINT you like and try to learn from them. OSINT is a very broad discipline and no one knows everything (and the more you know, the more you realise you don’t know) so reach out to OSINTers on Twitter, it’s a very friendly community and someone will always be able to help. The “O” in OSINT is important – the data we use is open and ultimately anyone can find it so it is not possible to be a gatekeeper of the community’s resources. I think this is why the OSINT community is quite a friendly one without any nasty egos or tantrums.
In terms of actual web resources for learning OSINT: Sourcing.Games, GeoGuessr, IntelTechniques, OSINTCurious, Bellingcat, @OpenSourceLeads and of course @Quiztime. There is also a lot to learn from the infosec community. There is a huge overlap between the world of OSINT and the reconnaissance and social engineering aspects of penetration testing. There is a lot of useful stuff on sites like Null Byte or Hackers Arise.
Is digital privacy important to you?
It is important to me for no other reason than what I do with the internet or my phone is no one else’s business but mine. I’m not worried about the NSA or MI5 but I deeply resent the presumption held by data companies that they have a right to know absolutely everything about me. This is one reason why I prefer to use Linux to Windows and Firefox to Chrome. I’m also a big believer in open source software – if we can all see how it works, we know it isn’t being used for sinister purposes. F-Droid and Blokada are two of my favourite software projects.
There is also a big link between privacy and security, so cultivating good privacy practices also promotes good digital security. Compartmentalisation, encryption and obfuscation are all important for digital privacy. That said I am quite critical of the way that many online privacy enthusiasts get their threat model out of all proportion. It’s fun to pretend you’re on the run from the CIA, but this is probably not your threat model so don’t waste time wrapping your air-gapped laptop in tinfoil. It is more important to understand what the threat to your privacy is and then mitigate it in a way that is proportionate and achievable.
What do you see as the main challenge for the OSINT community in 2020 and onward?
The loss of more APIs like we’ve seen with Facebook and Instagram in the last year. Data held by social media companies will become more difficult to access and human intelligence will become more important. The requirement to submit a facial scan when creating social media accounts to prove you’re not a bot is also likely to get closer to being a reality. Start creating your sock puppet army today!
It will also become more important to become better at using automation to conduct OSINT, at least during at the gathering stage. The days of conducting OSINT entirely manually are slowly disappearing. The best OSINT practitioners in the future will do work that is heavily augmented by automation. The most important analytic work will still be done by curious people though.