The “20 Questions” Tactic in OSINT

5 December 2023 10 minutes Author: Cyber Witcher

The Art of OSINT Analytics: Geolocation in 20 Questions

In this article, we explore how ordinary photos can reveal a wealth of information through open intelligence techniques. The article describes in detail the process of geolocation and image analysis, demonstrating how twenty different pieces of information can be extracted from a photograph. Through this example, readers get an idea of the depth and potential of OSINT analytics. The methodology presented in the article includes the analysis of weather conditions, architectural features, the study of vehicles, as well as other important details that can be detected in the photo.

Not only is this article a valuable resource for OSINT professionals, journalists, and researchers, but it also provides interesting insights for any interested reader who wants to learn more about the power of open intelligence and analytics. It shows how information can be found and analyzed in the most unexpected places, opening up new opportunities for a deep understanding of the world around us. It also highlights how OSINT can be used to solve real-world problems in security, journalism and research. She demonstrates the role of analyzing social networks, studying the details of clothing and signage, as well as other nuances that are often overlooked but can provide important information. The article also provides tips and tricks to help you develop your own OSINT skills. For example, how to correctly interpret shadows in a picture to understand the time of day, or how to use information about natural features for geolocation.

OSINT Detective: Finding the location through 20 questions

How much information does a photo contain? I recently learned that during military intelligence officers’ training, they are given photographs that at first glance seem to contain little detail, but they have to extract 20 pieces of information from them. When was the photo taken? What is the mood of the subject? Who is with whom in the photo? Where are they located? What shoes is he wearing? Where does he buy the clothes he wears? Etc. By asking relevant questions in response to the information provided, you can get details that may not be obvious at first glance.

So time to put it into practice with a little Quiztime challenge. On November 25, Julia Bayer posted this photo and asked what time it was taken:

In other words, the question is when the photo was taken, but in the absence of EXIF data or a visible clock, the only way to calculate the time would be the sun’s shadow. Julia can tell us the date (Thursday, November 21), but in order to calculate the time by the length of the shadow, we need to know the location of the shooting. Before we can say when, we need to know where. So how can we begin to geolocate this image? There are a number of methods that can be used, but I thought this would be a good opportunity to do a military version of 20 Questions. What 20 pieces of information can we get from this image?

Let’s see:

  1. Bright sunny weather.

  2. Modern construction, glass and metal structures.

  3. What kind of building is this? Not residential or industrial, maybe commercial or retail. It also doesn’t look like a grand public building (courthouse, parliament, etc.).

  4. Some construction work is going on at the back of the building.

  5. On the right is a “Menu” sign – probably a cafe or restaurant.

  6. Big Pepsi sign outside.

  7. Located opposite an open green area (park? parks?) next to the road, judging by the reflection in the left window.

  8. Some kind of box for telephone or electricity service on the sidewalk.

  9. Yellow bus with YBS logo – what does YBS stand for?

  10. Bus #79.

  11. The inscriptions on the bus are written in a non-Western script.

  12. Advertising of soft drink “100 Plus Active” – where is it sold? The ad has a Facebook logo – does this company have a Facebook page that could tell us more about where they are in the world?

  13. Bus license plate format: white text on a red background, 3N-2457. Slightly smaller size above this.

  14. Red and white borders. Which cities/countries have such roads?

  15. A separate road or parking in front of the main building?

  16. The people in the photo look Asian, possibly from Southeast Asia.

  17. The clothes of the people in the painting and the green trees indicate a warm climate.

  18. Some sort of shrine/memorial to the right of the stairs.

  19. One person was sitting on the steps near the building. Few people on the street and little traffic – does this indicate an early time of the day? Is this building open yet?

  20. Mannequins in the window of the building. Part or all of this building is intended for retail.

It’s a good start – there’s enough information here to find out exactly where Julia was, just by developing some of those pieces of information a little further. 100 Plus Active Juice is only sold in a few mainly Southeast Asian countries (item 12) and a Google search for YBS + bus (item 9) will tell you that this bus belongs to the Yangon Bus Service in Myanmar.

World Number Plates will then also confirm that some tax-free vehicles in Myanmar do indeed have license plates in the same format as the bus in the image (13):

A further search for “Yangon bus route 79” (combination of points 9 + 10) even gives us a map of the bus route. Julia’s location will be somewhere along this route:

It’s best to stop for a moment before exiting Google Maps or Street View and follow the bus route until you find the right place. You can find a place this way, but it will take a long time and be quite boring. Also, street views and 3D renderings of buildings in Yangon are blurry compared to many other cities. In addition, some of the information extracted from the photographs has not yet been used.

Research the photographer as well

Before we look at how we can use the other information, it’s worth mentioning another method you could have used to find out that Julia was in Yangon. Julia doesn’t tweet her every move, so it’s not easy to guess where she might be – but what about the people she was with on November 21? People may have a small digital footprint, but what about their digital shadow? What are other people saying about Julia? We can use Twitter to get an idea of where Julia has been. Using Twitter’s advanced search, we can set time parameters and see not only what Julia has posted, but also everyone who has tagged her. First, we can choose to see all tweets that mention Julia:

Next, we can set a specific date range. Julia posted the quiz on November 25th, so we can set the parameters large enough to see everyone who tagged her ten days before then:

Now we see not only what she was in Myanmar, but also what she did and who she was with:

Julia says she was with Bertram Hill. So, can we learn anything relevant from Bertram’s story? Yes, we can:

So now we have a picture of Julia training, but Bertram also confirms that the city was Yangon.

Therefore, you can use two different methods to search for a photo. The first is to look for the photo itself, the second is to look for the photographer. Both ways will eventually lead you to Yangon as the right place, but you’ll learn a lot in the process. Quizzes are, of course, fun and practice, but in real research you’ll find that using different methods can lead to very different results. Of course, there’s nothing stopping you from using more than one approach to the problem (we didn’t mention reverse image search as a way to find a location because it’s a very simple and easy way to find a location). But how much would we learn if everything was just one click away from the answer?). .

Finding the right location in Yangon

We know that the city is Yangon and that the correct location is somewhere along bus route 79, but we can first refine our search with some other observations from the photographs. Yangon is a huge city with a population of over 7 million and bus route 79 seems to cut through most of the city so it will take a lot of work to check everything out. But let’s trust our first observation. We are looking for a modern building (point 2) possibly used for retail or commercial use (points 3 and 20) with still construction at the back (point 4) and a large green area, possibly a park, on the other side of the road (point 7).

By looking for a place that meets all of these criteria, we can decide where to focus for a more detailed search. Finding the entire 79 bus route manually would take too much time and be very tedious, so it’s best to avoid it if possible.

To see what I mean, take a look at this elevated view of an early part of the bus route in the northwest part of the city:

There are green areas, but how are they used? Will there be a modern shopping center on this site? Unlikely. Most of the land plots are occupied by small residential and industrial buildings. There are no buildings of the type shown in the original images, so this area can be ignored without further investigation.

Another section of the bus route also doesn’t meet the criteria, so we can move on and ignore it:

Continue along the bus road, still quite high up, and suddenly you’ll see a prominent new building. There are also some buildings behind (point 4). This is not a park, but a kind of well-kept green area (point 7). The surrounding land use is also more like retail than residential or industrial development.

Now we can finally exit Street View for a closer inspection:

Finally! The correct location is Central Boulevard in Yangon.

Time search

So now we know the date and location, we can use Suncalc to determine the time. I actually got it wrong by a couple of hours the first time (was in too much of a hurry and didn’t check first), but by checking the shadow length and moving the sun slider to match the position of the shadow in the photo, you can see that it was around 08:40 local time when Julia took the photo .

For a clearer explanation of the timing in this example, I recommend reading this Twitter thread by Verso.

Bonus round

If you happened to notice this little detail in your search, it helped a lot with Julia’s quiz the week after:

What does the building look like? It is hardly a church. It looks like some kind of parliament or assembly building that is no longer in use. A quick Google image search for “Yangon + former Parliament OR Assembly” returned this photo of the old Chamber of Deputies:

And a little help from Wikipedia found this image of the building when it was in use:

