The term "geolocation" refers to finding the real-world location of features in a photograph or video. This skillset can be critical for investigations as it often provides vital evidence to verify and develop findings.
As part of asset tracing and other online investigations, MDR Cyber analysts frequently need to identify the whereabouts of high value assets, such as yachts and properties. They may also need to identify where people are located based on minimal information from photographs.
In this blog, our team show how freely available mapping tools can be used to help with these kinds of cases.
Geolocation as a hobby has risen in popularity in recent years thanks to the viral geographical browser game, "Geoguessr". Geoguessr randomly drops its users in Google Street View anywhere in the world and they have to determine where an image was taken. Geoguessr's popularity has led to wider sharing of geolocation techniques, many of which are invaluable for assisting open-source investigations. Within our team, geolocating has important ‘real-life’ applications: we have previously geolocated an address based on an approximate location and a photo of a front door with a number. This helped ascertain a defendant's whereabouts for the serving of legal papers.
The use of OpenStreetMap (OSM) data is a popular geolocation technique. OSM is a collaborative project where individuals and organisations contribute to a free, editable map of the world. OSM allows users to search across millions of map features and plot them to effectively assist with geolocation. Below, we have showcased a fictional example to illustrate the value of OSM in geolocating images. We have used a similar technique in the past to identify high value assets and to identify the port where a yacht was moored based on social media images.
Geolocating a screenshot from drone footage using OSM
Figure 1 below displays a screenshot from drone footage observed on a popular social media platform. The video that contained this footage was stitched with various other pieces of drone footage and did not reference specific locations. However, initial social media analysis indicated that the location of this image was in England which narrowed down our search substantially.
Figure 1: Test image screenshotted from drone footage
We initially pulled out some notable features from the image that could be queried in OSM. The most obvious was the windmill, followed by its proximity to a river.
Our first mapping step was to therefore locate all windmills in England. OSM allows users to search "tags" for almost any type of map feature using a naming system provided on their wiki. In this instance, we searched the phrase "man_made=windmill" which is defined by OSM as "a traditional windmill, historically used to mill grain with wind power". If we were looking for a more modern, functional wind turbine we would instead search "generator:source=wind".
Our search returned hundreds of results and it would have taken many hours to find our target location from these results alone. We narrowed down our results through the use of a programming language to ask OSM to pinpoint windmills that were within 100 metres of a river. This cut our results down to 20 locations. Figure 2 below displays a zoomed-in view of our initial search on the left, compared to our refined search on the right.
Figure 2: Location of windmills (left) and windmills next to a river (right) from © OpenStreetMap contributors
Based on the low volume of results, we were able to check each point manually to find our target location. OSM provides coordinates of each point, which can be searched on services such as Google Maps. Switching to Street View allowed us to view features of each point to determine whether they matched our original image.
One of the points on our map led us to the Google Street View image of Berney Arms Windmill located in Great Yarmouth. This image contained an identical windmill to our test image, and other matching features such as the design of the fence, gate, and houses. We were therefore confident that we had geolocated our original image, all within a 20-minute timeframe.
This small investigation outlines the power of geolocation in online investigations, and how quick and easy it can be to identify the location an image has been taken in.
At MDR Cyber, we use geospatial intelligence capabilities as part of our investigative services. Please reach out to MDR Cyber to find out more.