Blog

Updates and News

Introducing the New Plessas Digital Knowledge Base: Expanding Access to OSINT Tools and Methodologies

We’re thrilled to announce the launch of the Plessas Digital Knowledge Base, an evolution of our former paid subscription service, OSINT News. This transformation reflects our commitment to democratizing access to essential Open Source Intelligence (OSINT) resources while fostering a vibrant, supportive community for those who value the platform and its mission.

A New Era of Accessibility

The Plessas Digital Knowledge Base is now open to the public. By opening this resource to everyone, we aim to enhance the global OSINT community's capacity for learning and collaboration.

But this isn’t just about opening the doors. It’s about building something better. Each entry in the knowledge base has been carefully reviewed, evaluated, and updated. AI plays a role in crafting the content, but we take it further by providing deep insights, highlighting controversies, and identifying each tool’s country of origin. Special emphasis is given to marking tools or resources we find potentially dangerous—whether due to malware risks or deceptive practices—and celebrating those we find exceptionally useful.

Join the Supporter Community

All previously paying subscribers will find their familiar content integrated into their academy libraries, ensuring uninterrupted access. While the core knowledge base is free, we invite you to join our supporter community, designed for those who wish to help us grow and sustain this platform. Supporters gain exclusive benefits, including:

  • Access to a private forum for discussions and networking.

  • Interactive video chat sessions for deeper engagement.

  • Regular challenges to test and hone your OSINT skills.

  • Our highly regarded premium newsletter, packed with expert insights.

This community provides a unique space for passionate OSINT practitioners to connect, share, and collaborate.

A Work in Progress

Building a knowledge base of this caliber takes time, and we ask for your patience as we continue to refine and expand the entries. While we’ve provided a How to Use the Knowledge Base page and a feedback form for errors, bugs, or suggestions, please understand there may be some early-stage imperfections.

Every entry has been individually reviewed, but as with any ambitious project, we welcome constructive feedback to help us improve.

Guidelines for Content and Contributions

We aim for transparency and accuracy. If you’re the creator or owner of a tool listed in the knowledge base, we will not remove verified information, including controversies, though we are open to adding context. Additionally, while we don’t upload custom images or logos (except for partners), we ensure every entry is as informative as possible.

Opportunities for Partnership

We are actively seeking sponsors and partners to help sustain and grow the knowledge base. Partner benefits include:

  • A dedicated section in the database.

  • Logo and icon integration for brand visibility.

  • Recognition as a supporter of this vital resource.

If you’re interested in partnering with us, please reach out via email.

Powered by Notion

The Plessas Digital Knowledge Base is hosted on Notion, a multipurpose tool that is as user-friendly as it is versatile. We encourage users to explore Notion’s potential—after all, the core platform is free!

A Collaborative Future

This launch marks a new chapter for OSINT resources, and we’re excited to embark on this journey with you. Together, we can ensure that the Plessas Digital Knowledge Base becomes an indispensable tool for the global OSINT community. Your support, feedback, and participation will be key to its success.

Welcome to the new era of open OSINT exploration—start exploring today!

Kirby Plessas
All About OSINT: Interviewing the Experts

All About OSINT: Interviewing the Experts

By: Olivia Elliott

Introduction

As an emerging member of the OSINT community, I am very passionate about learning more about the field. To deepen my understanding of OSINT, I interviewed six experts in the field. During our conversations, I learned more about the tools and techniques customarily used in OSINT, the triumphs and trials to be expected, and how to integrate myself seamlessly into the OSINT community.

Falling in Love With OSINT

Of course, I had to know what interested them in such a unique field. Interestingly, many of my interviewees discovered OSINT by happenstance. For some, their interest blossomed while working for the government. Sarah Womer, Senior Analyst at Plessas Experts Network, Inc. (PEN), got into OSINT shortly after 9/11 while researching terrorist websites back when she was working as a regional Middle East analyst. She says that she mainly did “...open source intelligence or research on…hostile entit[ies] or negative themes….” Getting to follow the trail from propaganda to other intelligence excited Sarah, so she has been working in the OSINT field ever since.

Following evidence trails had also been an exciting prospect for Rae Baker, a prominent OSINT specialist best known for her book Deep Dive: Exploring the Real-World Value of Open Source Intelligence, and is currently an Advisory Specialist Master at Deloitte. She had wanted to join the crime-solving community for many years and struggled to find a good fit until she attended a conference hosting a Trace Labs competition. Rae described this activity as “...an online missing person finding kind of event…,” where you research actual cases in a sort of competition, but then it has the bonus of all the information being provided to the authorities later. This experience resonated deeply with Rae, so much so that she immediately dove into learning all she could about OSINT, leading her to where she is today.

Karie Nordland, Crime Analyst at Lakewood Police Department, discovered OSINT while “...working for the Toledo Police Department…and very slowly started doing trainings and kind of getting into the realm of crime analysis….” Among those courses were ones focused on OSINT. She quickly realized many applications could be made to her investigations, and as she used OSINT more and more, she found that her desire to learn even more tools and techniques grew, as did her desire to teach them. Now, it is a day-to-day part of her career.

However, Eliot Jardines (current President of Gnosis Solutions, Inc. and Director of Operations and Treasurer for the OSINT Foundation) discovered OSINT in one of his college courses where one of his professors required him to research information, as Eliot says, “...us[ing]...the Internet…And so I literally had to go get an email address, and he would send the assignments out only over the Internet….” Eliot had to use critical thinking and problem-solving skills to collect random snippets of knowledge hidden on the Internet, which is a vital part of the OSINT process, one that Eliot discovered he excelled in. While all that was happening, the United States Army also discovered OSINT, which led Jardines and his unit to begin “...writing a handbook on open source…;” the rest is history.

What’s the Best Part?

Another interesting thing I learned from some of my interviewees was the part of digital investigations that most fascinates them. For many, this is the ability to take one piece of information and get many other details after researching that first bit of information. For instance, Niles Gooding, the current owner of Varda Investigations LLC., enjoys interviewing scam victims because, as he says, “...there’s little digital things that they’ll give me which I can do leads on….” He says he enjoys this because one piece of information will inevitably lead to another and then another. I think this stems from a quality almost everyone in the OSINT community I have talked to has deemed essential: curiosity. It’s clear from my talk with Niles that he deeply appreciates his curiosity’s ability to highlight critical pieces of whatever puzzle he’s trying to put together.

Rae expressed a similar excitement over the fruits of her curiosity, confiding that “...uncovering those little details really makes [her] happy….” She also enjoys organizing the information she finds in link analysis charts, allowing her to follow the trails produced by her research efforts. This is a critical part of the OSINT process because, as we will later see, where information comes from matters. If you don’t have the process or the sources to back it up, you may as well be making the evidence up.

However, Eliot was mind-blown by a different wonder of OSINT: the knowledge that everything leaves a trace and that it’s up to his problem-solving skills to find that trace. He says, “...with open sources, the information 99% of the time is there….” He also mentions that it’s important to consider possible sources and locations of information, as well as the possible motives for the source obtaining that information when scouring the Internet for juicy tidbits of knowledge. This seems an excellent way to start investigations or pick them back up when stuck.

Cynthia Navarro, president of the OSMOSIS Institute, OSINT Cocktail podcast Co-Founder, and OSINT Analyst for Digital Mountain, Inc., shares Eliot’s excitement about information availability. When asked about what fascinates her, she mentions that all the personal details readily available on the Internet interest her, especially because a lot of that information can be found through someone’s connections on social media, no matter how weak. Additionally, she enjoys “...the challenge…[of] collecting or analyzing [information] for verification…” and getting to prove her skills to others. As crucial as verification is in investigations, it can be tedious, leading to people wanting to disregard it entirely, which can have highly damaging effects. It takes noteworthy analysts like Cynthia to find joy in this part of the cycle.

Karie has an affinity for a different element of OSINT work, saying, “One of my favorite things for digital investigation is cell phone analysis….” She especially likes getting the geolocation information from this data, enabling her to track the approximate locations of missing persons and suspects. She is fascinated by the evolution of this technology over time, particularly with how refined they have become. It allows her to construct a narrative depicting the events of the crime, piecing together each event meticulously so that the evidence will be convincing once presented in court.

Across all of my interviewees, the common theme for their fascination was not actually with what they were investigating but with the investigation process. Sarah sums it up the best when she notes, “It’s not necessarily the topic of what you’re investigating, it’s the methodologies and the tradecraft that you’re using for the investigations.” The predictable cycle of intelligence, the use of analysis, and the knowledge that there is an answer to every problem truly fuel the passion for OSINT for these experts.

Application to Careers

As someone aspiring to work with OSINT in the future, it was crucial for me to also discover how OSINT played a role in various careers. One of the many ways my interviewees utilize OSINT is in educating and collaborating with others in the field to ensure efficacy and bring awareness to the field. In Sarah’s work for PEN, she “...work[s] on the news portal…” to educate others about resources available from the OSINT field. To further this goal, she also helps with investigations and occasionally instructs in PEN’s many training webinars.

Other interviewees use OSINT broadly in the investigative world. One example of how Niles uses OSINT in digital investigations is taking a phone number and using that “...to figure out who that telephone number belongs to, whether it’s an active call or active number, [or] whether it’s an IP number….” Using this information, he can later find other relevant information to his investigations, providing a good application for his passion for curiosity.

Karie, for her part, mentions that she “...use[s OSINT] almost every single day…” and assists with multiple investigations due to being her department’s default OSINT expert, a role she is incredibly proud of. However, to anyone who thinks such leadership can be easily attained, Karie warns that there is more than just knowing OSINT involved. She says that while OSINT is a field that can be suited to anyone interested in joining it, to rise to the top, it is essential to know how to find information in the right places in the least amount of time. In addition, Karie notes that it is vital to be adaptable in the ever-changing landscape of the Internet, where resources can vanish like water in the desert. Like in the desert, it is crucial to have the resilience to search for a new oasis when the first is gone. Karie knows how to do this, which is why she is considered an expert in the field. 

Rae, like Niles and Karie, also uses various forms of OSINT but says that she “...get[s] pulled into…a lot of maritime stuff…,” a realm of investigation that brings her particular joy. However, she mainly focuses on “...a lot of the networks, uncovering people, places, things that are facilitating illicit activities.” Work like this shows how important her love of organization is. It’s critical to keep track of where the threads between various individuals in a group connect and why, a subject that came up with another one of my interviewees later.

Still others interact with open source intelligence primarily through the legal side. Eliot mentions that he “...[doesn’t] do a lot of OSINT other than sort of day to day related tasks [and] mostly look[s] at OSINT policy [and] manage[s] OSINT contracts….” As a lesser-known and regulated field, OSINT policy and legal definitions need development, so this work is key. Regarding everyday OSINT, Eliot mentions that he is conscious about what apps he downloads and what he buys because our data can be used in ways we aren’t always cognisant of and from sources we wouldn’t even think possible. One example he gave was about a man who bought a vacuum cleaner only to realize that it was sharing information to a server based in China. This story made me realize that in today’s digital world, everyone must interact with OSINT to maintain data security.

Tools of the Trade

While trying not to think too hard about what kitchen appliances might be sharing my information with foreign powers, I also (as a budding collector of OSINT tools) had to know my interviewees' favorite tools. Their answers to this question surprised me.

Rae answered immediately, confiding, “Google is my number one tool…,” which surprised me as I expected a more obscure and technical tool to be named. However, Google is a formidable part of any digital investigation arsenal. Knowing how to use search operators and parameters can help narrow down the search for information, making Google one of the best starting points for research into a case.

Another common yet powerfully revealing tool was mentioned by Karie: social media. She says, “...I am fascinated by the fact that people continue to put their entire lives online and…it’s great for us because we can use it to our advantage….” Every aspect of these media services, from the pictures, reels, and other posted media to the comments and user profiles, can potentially contain valuable information, allowing investigators to collect evidence that solidifies the case and hopefully convinces the jury when brought to court.

Cynthia brought up one of my favorite tools: Epieos, a tool designed to gather more information about a person just by being provided an email address. This information consists of other accounts that email is associated with, such as social media. Another tool she claims to have merit is “...Framework, which is great because it will list everything that you may be doing within your investigation, and, say you have a username or you have a phone number, whatever it is you’re looking for, you click on that, and then it’s gonna bring out different tools that can be used, and you can look at these tools.” This seems like a good tool for beginners unfamiliar with the vast majority of OSINT tools, but also, as Cynthia noted, for people inexperienced in particular investigative areas. This could also be a resource suitable for finding additional tools when others have failed or for developing new avenues of investigating a case.

However, there was another exciting tool I had never heard of and was eager to learn more about: TLOxp, which Niles praised. He describes it as “...a database that…gathers all sorts of information from mainly across the US, but it’ll…do a little bit overseas.” Some of its merits include the ability to search a name and come back with “...a little bit of criminal history…date of [birth], previous addresses, any corporations or businesses that they’ve been associated with, either they’ve worked with or not.” Any database has the potential to hold a treasure trove of information on subjects, so I can see the benefit of using this tool. Niles also recommends Pipl, which I was more familiar with, and can give similar information after simply being provided an email address.

Other tools mentioned were more organizational, providing my interviewees a way to keep track of links between pieces of information as well as a visual way for others to see the flow of logic. Eliot mentions Maltego and Analyst's Notebook (also known as i2) as good resources, but he cautions users against simply dumping the information in and going on their merry way. He says that “...the standard link analysis chart is a chart that measures centrality…or popularity” and to keep in mind that “...popularity is not the same thing as influence.” Simply put, just because someone comes up frequently in your investigative research doesn’t mean they are more important or a leader in an organization you’re trying to investigate. It’s essential to think about why they have that presence, why others don’t, and to understand the patterns occurring in the data. As Eliot says, “...what’s not there is equally important, if not more important than what is there,” proving the importance of organization. 

Rae also shares Eliot’s love of organization, naming i2 as her go-to tool. “...I think being able to see things visually for some people makes [investigating] so much easier. Because half of it is…where are the gaps, what am I missing, what did I forget, and I feel like it just…lines it up [for you],” she says, listing the merits of using similar resources. 

Sarah, however, had a very different answer, confiding that she is less enthused about the tools themselves but rather the creativity and ingenuity needed to exploit those tools for uses they weren’t technically designed for but can be used for nonetheless. She also cautions that “...whenever somebody is using a tool, they should never be 100% reliant on it….” It is crucial to understand where a tool gets its information from and what errors or incapabilities may come up when using the tool. According to Sarah, the brain is our best tool, a theme that came up later in many of the interviews.

Educational Connections

When researching my interviewees, I found that many of them had previously or currently produce(d) educational material for members of the OSINT community. To learn more about this common thread, I asked each member what led them to want to do so.

For Sarah, it was to fill a need that the military had for OSINT because she “...thought it would be important for people that were going down range to be able to do OSINT in a wartime environment…,” which was somewhat of a struggle because some divisions were skeptical about how effective it could be or how it could be better than their own tools. As you’ll see later, OSINT has, and will continue to have, a very positive impact on our military.

Karie also decided to teach others about OSINT to fill a void, saying that she would compile her knowledge into presentations and later notice that her knowledge wasn’t incorporated in other experts’ talks, indicating that what she had to share was unique. This later led Karie to give talks of her own, incorporating interactive scenarios into her presentations. However, her education aspirations don’t stop there. She says, “...my main goal and something I would love to do in the future is I want to go out into smaller departments that don’t have the money or the budget for analysts and be able to teach their police force how to do a lot of these OSINT and social media investigations….” This is a noble goal, as programs like this could greatly assist communities with low infrastructure, notably less populated, rural communities.

Facing similar challenges, Eliot educates on OSINT to bring “...advocacy for the discipline…,” particularly as others outside the discipline tend to spread misinformation, a problem that will be elaborated on later. OSINT is actually a very intricate discipline that seems deceptively simple, and that is what Eliot wishes to impart. To draw people into this discipline, he says it is important “...for people to see some of the products, what…OSINT can do,” and to impart why OSINT matters. They primarily try to do this through their Product of the Year award, in which participants submit written products that can be used by the general public so that OSINT’s importance is understood. He also mentions that college students will soon be able to engage in an OSINT competition, a plan presently being engineered by the OSINT Foundation.

Rae also got into teaching OSINT to promote the field to others, particularly in a way that wouldn’t intimidate them with technical knowledge from the outset. She does this well, especially in her book, which is a great introduction to the entire field without being too overwhelming for newcomers. “...I try to keep it very…conversational and very light and stupid…,” she explains about her tone, making her book a go-to resource for the OSINT community.

Cynthia’s work with the OSMOSIS Institute focuses primarily on OSINT instruction, which she enjoys “...because it’s all about bringing this wonderful community together and help[ing] one another…” to make it a safe space for fresh OSINT enthusiasts to ask questions and learn about the field. They provide resources, create events, and, above all, “...emphasize…ethics…” and teach people to avoid engaging in confirmation bias. This answer also helped give me insight into what it was like to work at OSMOSIS.

Niles, however, had a different motive, one that started in one of his previous careers. He says, “...when I became a DEA agent in particular, and started dealing with not only the bad guys, but the victims, that really led me down the road of wanting to kind of educate the public…[about] the effects…drugs have on people,” pointing out that drug use often leads to “...other types of crime” like theft, physical violence, or even murder. He particularly cites the documentary Dopesick as an excellent example of this phenomenon.

The Triumphs

But what, you may ask, are some of our interviewees' successes that resulted from their OSINT skills? In an act of extreme kindness and heroism, Sarah once helped out a family whose daughter had overdosed (thankfully still alive), using the drug dealer’s Snapchat account name to find a bunch of data on the subject, which she delivered to the family to turn over to the authorities. This story moved me because it shows the ability of OSINT to keep future victims of subjects safe and to give closure to existing victims’ families.

Karie’s story went even darker. “...we had a homicide a couple years ago,” she recalls, “and we had potential cell phone number of [our victim].... Our victim’s cell phone was taken away from the scene, we got his records, and we found it was weird that he was making phone calls after we believed he was dead. So we took those phone numbers, ran [them] through…all of our intel and everything, and it was coming back to this one guy.” However, while Karie did note that their man had gang connections, his appearance didn’t match the witness testimony. So, Karie took that phone number over to CashApp, which is often used for criminal transactions and found that number connected to a different individual. Karie says, “...I remember he had a…gangster cashtag or something and [we] found him on Facebook; he matched our description and I was actually able to figure out who he was based on the plethora of information that he put on his Facebook page….” After providing that information to the detective, they ended up discovering that the person Karie had found on CashApp was indeed their perpetrator and were able to connect him to two other murders.

Another high-stakes case found Cynthia investigating an unofficial event during which a participant was hurt. She analyzed multiple videos people had taken at the event, searching for the victim, as their job at the time was to check to see if the victim was still alive. However, while Cynthia didn’t find that evidence, she did find evidence of who perpetrated the attack on the victim, gaining intel for her team that would contribute to achieving their goal.

Another exciting OSINT success occurred due to Eliot’s efforts in the army during the Persian Gulf War in Iraq. At the time, they were trying to plan a maneuver that would hopefully result in a successful sneak attack. However, this maneuver “...required massive amounts of troops and equipment to move through unstretched, [uncharted], uninhabited stretches of just desert. And so [the person in charge of the maneuver] required soil composition and trafficability analysis, so that we don’t get the trucks and tanks stuck….” Unfortunately, multiple entities within the government, when requested to provide that information, said that they were unable to locate it. They were about to send a team to obtain soil samples (which could have jeopardized the future maneuver) when Eliot and his team discovered something within the Library of Congress. As Eliot recounts, “...on the shelf at the Library of Congress was a report written almost 100 years earlier by a group of American archeologists who had received funding from the government. They had done textual analysis of the Bible, and were pretty certain [of] the final resting place of Noah’s Ark….” In the planning for this expedition, this team of archeologists knew that in case they did come across the Ark, they would have to ensure that they would be able to return with the religious icon without getting stuck themselves. So, they traveled that route and did the same tests of the soil that the United States Army would need about 100 years later. Using that information, the maneuver was a success.

Rae couldn’t mention details on one of her many successes, but what she admitted showed how much of an effect OSINT has on the world. She says, “...one of the things I found led to a Presidential Action, so that was pretty cool….” Additionally, Rae counts the completion of her book as one of her other biggest successes, a noteworthy addition to her list of successes as it provides an accessible look at OSINT and people can utilize it. She also pushed herself out of her comfort zone by becoming an occasional public speaker, an act that challenged her but ultimately helped build her brand.

The Trials

Of course, not all stories are success stories, but all stories have wisdom. In their limitations, in situations that didn’t end happily, my interviewees found things to remember in their investigations.

In the most relatable of the struggles, Rae mentions, “I think the biggest challenge is working with other people. I think that that’s always a challenge….” She takes pride in following all the leads and ensuring that effort is put into her work, and it’s frustrating to her when others don’t reciprocate. And, as she notes, even if they do, group members may work at a different pace than you, so there’s also that to keep in mind. To combat this frustration, Rae says that she has to “...step back, like, okay, they’re gonna finish it, they don’t want [her] to fail, they don’t want to fail, they’ll get through it. I just gotta let them do their thing, and just personally, that’s a struggle for [her].” At the same time, she admits there is such a thing as overachieving and putting in too much effort, so she works hard to self-regulate that for herself and others.

The struggles only got more high-stakes from there. As Sarah admits about struggles occurring during investigations, “...you can’t expect everybody else to be able to react real time. I think that’s a frustrating thing for all OSINT analysts.” She gave an example of a Snap on Snapchat’s Snap Map that showed a woman “...being sold in front of a hotel….” Unfortunately, while Sarah narrowed down where the Snap had been recorded in a timely manner, the people on the other end couldn’t react as efficiently, and they lost her. Sometimes, even if someone has used OSINT to do all they can, it may not be enough, and that hit home for me in this example.

Niles’s struggles seemed to connect with Sarah’s in that time can be critical in determining the outcome of a case. He mentions that it is easier to interview a victim and get more information when they’ve been scammed recently instead of a year ago, mainly because their memory is fresher and sharper, allowing him to have more data to track down the subject.

However, sometimes more data might not always mean good data. When asked what her biggest struggle in digital investigations was, Karie admitted, “The large amount of misinformation that’s out there…” and the arduous process of determining what information is timely and outdated. It’s critical, she says, to determine the veracity of what OSINT resources tell you because some detail on a subject might be accurate up to the date or be stuck on relevant information five years ago. To confirm her findings, Karie looks at multiple resources capable of providing the same type of information and checks to see if the information matches. To do this, she uses both OSINT resources similar to the one she found the original information on and her organization’s database. Although the use of her organization’s database is not OSINT, it serves as a reliable way to assess the information gleaned from OSINT.

Operational security (OPSEC) can be another considerable issue. Ideally, as Eliot says (and Cynthia agrees), “...we should be gathering more information than the information we’re leaving behind….” He notes that the foot traffic left on adversarial sites can be an indication of data collection and that that collection can give away that that site has desirable information. Suppose the people who operate that site know that the information is of interest. In that case, they will ensure that nobody can access that information, leading to an inability to monitor adversaries effectively in the future.

Lastly, another big struggle in working in the OSINT field is dealing with what is known as vicarious trauma, which is the effect of taking in disturbing and traumatizing content of something terrible happening to another person and then feeling that trauma yourself. This is especially prevalent in people who work on pedophile or other sexual assault cases. In Sarah’s case, this came from her extensive research on terrorist websites, which can be disturbing, but she offers some guidance in this space. She says, “...I think some OSINT analysts can get burnout…For a while, I had it, and…you have to find that healthy balance, so that you’re not just surrounding yourself with all these dark things.”

Advice for the Newbies

I asked all my interviewees what advice they would give to young professionals aspiring to enter the OSINT field, both for myself and for the good of others who share my passions. They did not disappoint.

Rae started answering this question by describing how open OSINT is to accepting new followers, especially as it’s gained renown in the media and popular culture. The problem is that new OSINT followers tend to miss one critical thing when attempting to join the community. Rae says that “...the one thing that people…don’t want to do is market themselves, and…[she’s]...always telling people to do that and they fight it because…it’s weird for people to…put themselves out there and some people don’t like to blog [or] talk about themselves….” However, Rae swears by this method’s success, having built her brand as an OSINT subject matter expert (SME). With the general public's lack of understanding about what OSINT is and what it can do, any certificate you receive is nice but less effective without the extra branding and explanation of your skills. As an example, after Rae participated in the Trace Labs competition that she had mentioned earlier (she won second place), she was contacted by Deloitte, both because they were impressed with her performance in the competition, but also because they had then looked her up, read and watched her content, and knew that she possessed skills that would make her a desirable employee.

For Sarah’s part, she again touted the importance of investigative thinking, saying, “I think the one thing that is…the bread and butter for…an aspiring young person looking to join the OSINT field is…you should start off with…one kind of area that you specialize in…but the biggest part of it is having that foundation of analytical thinking and getting a basis of things like…competing hypotheses, association matrixes, how you do inductive, deductive logic, all that kind of stuff. Because, again, the tools are just the tools, and they’ll be there for a while, and then out comes a new tool. And you can always learn a new tool.” The Internet is in a constant state of change, but what will never change is the importance of being able to problem-solve. Later in my interview with Sarah, she also mentioned the importance of operational security (OPSEC), and that it is crucial to “...not [put] somebody else’s life in danger,” and, more generally, that it is crucial to be ethical when doing OSINT.

Niles’s piece of advice was one that I, funnily enough, had been following during my interviews. “...the biggest thing,” says Niles, “is getting ahold of those subject matter experts and picking their brain. And if you go to some of their trainings, their…trainings are absolutely fantastic. The other thing…is…as you start to go to these trainings, or [pick]...their brains and [say] ‘Hey, what do you use?...How do you do these types of investigations, they will typically tell you….” To advance in the OSINT community, collaborating and learning as much as possible is important, evident from Niles’s testimony.

Cynthia agrees with learning as much as possible, particularly from field experts. She says, “...go out and take different…courses that…[are] going to help you to understand how to do the work. [You want to] know the ethics, you wanna know the different tools that are available out there…and I recommend going to LinkedIn…” in order to see “...who appears to be having a lot of followers and folks watching what they’re doing…,” particularly if they have reliable intel. She also advises, “...start following them, but you wanna see where that passion is for you because you might find something you don’t even know you like…and passion is what really pushes you forward more than anything,” again showing that esteem for discovery is a common trait among OSINT community members.

In that same vein, Eliot mentions that it is crucial to “...be curious about the world around you,” whether it’s studying linguistics, traveling, or reading up on a culture you were previously uneducated on. This is especially handy, Eliot says, if you’re trying to get into an intelligence agency. 

Another recommendation Eliot had on how to get into the intelligence community revolved around internships. He says, in particular, to “...apply [to] all the intelligence agencies…because…getting the clearance for the background check is the biggest hurdle…” and tends to take a long time.

Karie agreed with Eliot’s and Niles’s opinions, saying that getting your feet wet in OSINT is critical to learning about and advancing in the field, whether done through internships or talking with experts. She says, “...what can set you apart is having done research, having taken those trainings, and be able to speak to the experience that you’ve already gathered just being a young student in college.”

Recommended Resources

Of course, my knowledge-hungry brain wanted more, so I asked my interviewees what resources they would recommend for someone interested in OSINT and digital investigations. I would be remiss to withhold them from fellow amateurs, so I have provided them here.

One resource provided by Eliot was the group known as Bellingcat. He mentions that they have good training and that their book, We Are Bellingcat: Global Crime, Online Sleuths, and the Bold Future of News, is also a good resource, but that “The one caveat with that book is some of the things that they do is not open source,” so it’s essential to research what is and is not OSINT if you are unfamiliar with it. Eliot also recommends (and I concur) that the docuseries Don’t F*** With Cats: Hunting an Internet Killer is another good resource showing the investigative process, although it does have its problems with the lack of OPSEC that occurred. It should also be noted that this docuseries contains somewhat graphic images and content and should be watched with caution. Another resource provided by Eliot was the frequently updated book, Open Source Intelligence Techniques: Resources for Searching and Analyzing Online Information.

Another Bellingcat enthusiast, Cynthia, recommended visiting Bellingcat’s Discord and home site. Cynthia also mentioned ProPublica, an organization that often collaborates with Bellingcat. Of course, she also mentioned the resources provided by the OSMOSIS Institute, noting that many members are OSINT experts.

Karie, for her part, highlighted the material created by PEN, which ranges from training to articles to blog posts, and referred me to OSINT Techniques content, some of which is developed by another prominent OSINT expert, Ritu Gill. Along with those two resources, she recommends following experts (naming Chuck Cohen as an example) and going to speaking events.

Rae also recommended other interesting literature. In our talk, she praised the online content created by OSINT Curious and recommended searching for topics of interest on YouTube. She also mentioned the importance of following prominent OSINT community members on social media and paying attention to what they post. She says, “...I like to follow experts who are doing things that I…want to be doing so that I can model what I’m doing off of what they’re doing….” And, of course, never missing a branding moment, she offered up her blog.

Sarah also quite rightly pointed out that resources benefitting newcomers to the OSINT community will differ based on specific interests. Still, she pointed out one that has a common thread with every interest. She says, “I think one of the big things…is to do an internship,” mainly because it can help beginners gain experience in the particular line of work they are keen on. She also mentions shadowing, getting a PI license, and obtaining legitimate OSINT certifications as valuable learning opportunities.

Regarding certifications, Niles cited the ACFE certification as particularly good because it takes a lot of effort to complete and will likely make a good impression on a resume. He says that getting multiple certifications and having many experiences to draw from can make an individual more marketable and, consequently, more likely to be given a job offer.

Internship/Job Openings

In that line of questioning, I also asked my interviewees whether their companies had any internship and/or job opportunities that would benefit analyst aspirants like myself.

I was already aware that Plessas Experts Network, Inc. offers internship opportunities, having participated in one this summer. However, Sarah also mentioned that potential job opportunities may be available, particularly if paired with obtaining a PI certification.

The OSMOSIS Institute is both hiring and offering internships according to their website, although you must first become a member to have access to said positions.

The OSINT Foundation offers jobs, but not internships, due to the nature of their employees working face-to-face with government clients or via a home office, neither of which would be appropriate spaces for an intern. Entry-level positions with their company exist, particularly for recent graduates, but you need a clearance to apply and obtain a job with them due to the nature of their work.

Conversely, Deloitte is highly supportive of interns and offers numerous internship opportunities, particularly targeting recent college graduates, with competitive compensation.

Karie notes that her department occasionally has internships, though they are uncommon. While the position is not exclusively focused on OSINT, it remains a valuable opportunity. Karie often works closely with the interns, providing instruction in the techniques and tools relevant to the field.

OSINT’s Problems

While OSINT is an excellent field, it does have problems. One of those problems, as described by Eliot, is “That there are many people who think that because they use the Internet that that gives them the right to speak about open source intelligence. So, many senior leaders who think that because they can Google, they understand the complexities of open source, and that’s not the case….” This false idea of OSINT being pushed by people who aren’t informed can be damaging to the field by making it seem like something it isn’t (which can mess with future legislation regulating its use or recruit or dissuade people who shouldn’t be recruited or dissuaded from the field). In fact, the OSINT Foundation was created because “...the biggest challenge we have is that the people who are speaking the loudest on OSINT are rarely knowledgeable,” and they want to set the record straight on what OSINT is and is not.

Karie’s worries also stem from people who don’t see OSINT how it is actually used. She says, “I think [the biggest problem] is the fear of Big Brother. I say this with social media, I say this with a lot of sites, I think people are very fearful that government, law enforcement, all these entities are trying to track their every movement, all of their information, and because of that, sites keep getting shut down…the majority of the public is afraid that we’re tracking everyone when they don’t understand that most of the people we’re looking into we’re looking into for a specific reason.” This fear most of the civilian population has is mostly unfounded because even if the authorities did care what everyone was up to all the time, I doubt they would have the manpower and bandwidth to monitor them all. However, due to this irrational fear and subsequent OSINT witch-hunting, the authorities are suffering resource losses that could otherwise help them track down dangerous criminals.

Rae has a similar worry to Eliot about the world’s lack of understanding of the nature of OSINT. When asked about the field's problems, she says that “...the lack of unified certification” is the biggest. She adds, “...anybody can say they’re an OSINT analyst…There’s no good one-stop-shop to get a certification. You can get it from Sands, you can get it from McAffee (which I wouldn’t recommend). I know OSMOSIS has theirs now and they’re trying to make their…certificate into that…but as it stands right now, there’s not one fully recognized certification that you can take to a job and everybody knows you know what you’re doing.” This makes it hard for employers to adequately determine which candidates have the skills and which are pretenders.

Yet another problem facing the OSINT community centers around morality. Cynthia says, “I think that ethics would be a big [problem] because you can go out and get information. The question is how you went out and got that information and that can be a real challenge. If you’re very eager to get some information, you have to have that discipline that you will keep your ethics and you’re not gonna get it illegally because that happens so much. You have to be very, very careful within that field,” especially if the courts are in play. If evidence is not obtained carefully and properly, that evidence is inadmissible in court, and your opportunity to apprehend someone dangerous is potentially squandered.

Conclusion

These interviews show that OSINT is a diverse discipline. However, as I learned in these interviews, some essential qualities will help you stand out in the OSINT field. First, we need people who are curious, who will question the information they are provided with thoroughly, and who will look for creative ways to solve problems. These people are necessary to aid the efficiency and effectiveness of verifying information and tracking down criminals. 

We also need people who can adapt easily to the changing technology and criminal landscape. As advancements bring new tools into play and force others into obsolescence, we need people willing and eager to learn quickly to keep up with the similarly widening field of crime.

What can people just joining us expect from OSINT in the near future? We can expect that AI will continue to develop and evolve in its capabilities, including those that can be used for OSINT, as well as the ethical and legal ramifications of its use. We can also expect that OSINT as a whole will be discussed from an ethical and legal standpoint, as its definition is not widely known, and the line between gathering too much information and just enough information can be gray at times. We’ll need invested and engaged people willing to engage in these conversations so that our tools and techniques fit the needs of our members and the people we’re trying to protect.

If you’re even a little bit interested, don’t be shy! Reach out to other members in the OSINT community or go to local events! Our community members are always happy to talk about what they do. I also encourage you to pursue internships with companies, groups, and agencies that work with OSINT to dip your toes in and get some hands-on experience. Finally, I cannot undersell the importance of reading. Use the resources I mentioned in this article, and seek out more so that you can learn more in-depth about what possibilities exist in our field.

I hope this article provides some of this knowledge to others who, like me, want to be involved in this community of diverse passions. Below, I have linked the resources mentioned by my interviewees. If you have any questions or comments or want to chat about OSINT, please do not hesitate to reach out via LinkedIn! I am always happy to answer questions and discuss OSINT! And, as always, happy investigating!

Sources (for interviewee research):

Sources (for interview conduction):

Resources mentioned in paper:

Editing Tools/Resources:

  • Kirby Plessas, CEO of Plessas Experts Network, Inc.

  • Kyle Elliott, COO of Plessas Experts Network, Inc.

  • My lovely interviewees:

    • Rae Baker

    • Niles Gooding

    • Eliot Jardines

    • Cynthia Navarro

    • Karie Nordland

    • Sarah Womer

  • Grammarly (extension)

  • ChatGPT

Kyle Elliott
Investigating Geolocation, Metadata, and Implicit Location Data: Tips, Tricks, and Tools

Increasingly, online tools offer geolocation technology that allows you to determine a location shown in photos, videos, and other forms of media. This can be an essential capability for OSINT analysts looking to locate a place or person of interest. However, it’s imperative to know which tool will suit your needs the best for the type of investigation you’re following. During my research for Plessas Experts Network, Inc. (PEN), I analyzed various geolocation tools and methods and will be sharing my findings here. I hope that this will prove to be a readable and informative resource for people just dipping their toes into geolocation methods as well as an up-to-date guide for seasoned analysts.

Please note that while I primarily use Google Maps and Google My Maps as my mapping tools of choice, you can use plenty of other sites and applications. If you are interested in different tools, here is a site that details many prevalent mapping tools.

The types of tools and methods I will cover will fall into three distinct sections (and, unless otherwise stated, all tools are free to use). They are as follows:

AI-Based Geolocation:

  • Contains:

    • How to use AI-based geolocation tools to identify a location in an image

    • Accuracy and limitations of each tool

    • Personal successes and failures while testing tools

  • Tools Include: Geospy, Gemini, ChatGPT, etc.

Social Media Geolocation:

  • Contains:

    • How to use social media platforms in conjunction with other geolocation tools to locate a subject

  • Tools Include: Twitter/X, Grindr, MapDevelopers, etc.

Metadata Geolocation:

  • Contains:

    • How to extract metadata from an image or YouTube video to determine subject whereabouts

    • Tools Include: MW.io, Forensically, Pic2Map, etc.

The tools and methods mentioned in this article are not exhaustive, so please feel free to comment on this post, especially if you have any additional input or experience that will help me and others to be better educated on the subject.

Before we start unpacking the intricacies of geolocation, it’s essential to address the ethics of using these tools. While geolocation technology can provide a wealth of information, we need to understand how to balance our need for data with privacy and legal concerns, a complicated subject that I will talk about first.

Ethics

It's important to consider a few things when we collect data, particularly sensitive data (like the data we get from geolocation). Yes, people leave their location data everywhere. Yes, that means it’s free for anyone to exploit. But that doesn’t mean you have to do so, especially if you share that information with other individuals or organizations. 

As stated in Deep Dive: Exploring the Real-World Value of Open Source Intelligence, Rae Baker's popular OSINT resource book, it’s crucial only to give your clients what they specifically request. I can think of two particular reasons for this. Firstly, if you’re looking for information that your clients don’t need, you’re wasting time on the task at hand. Additionally, if the information is unneeded and sensitive, you’re intruding on the person’s privacy without legal backing, which could get you and your organization in serious trouble.

It’s essential to take a step back and ask yourself, Is this task required of me? Would there be any legal consequences for doing this? How will using this tool and/or collecting this information affect others and/or myself? Is this a reasonable and ethical line of investigation?

If you’re a civilian investigator, I recommend turning any data you collect over to your local authorities. They are trained and can determine whether that data needs to be acted upon. Suppose you decide to act upon the data yourself and publicly inform the Internet of your findings (especially findings so sensitive as where people are, where they work, where they live, etc.). In that case, it can go very poorly, both for yourself and whoever you accuse. It can lead to legal repercussions and possibly even fatal consequences. I reference these in my previous article: A Budding Criminologist’s Perspectives on OSINT under the subheading: Deviant Amateurs: Asset or Liability? I would encourage everyone to read this article, particularly that subheading for more explanation.

Essentially, just do precisely what your elementary school teachers told you to do: follow the rules, don’t bully others (including spreading rumors about them), and if you see someone doing something unsafe, you tell the teacher (read: local authorities). Easy! Okay, now that we’ve got the playground rules out of the way, let’s test some tools!

AI Geolocation

This geolocation method is a growing field, so there aren’t many tools out yet that can do this. The way it is supposed to work is that you give the AI a photo, and they can tell you where it was taken. Ideally, you also want the AI to provide you with some sort of coordinates or map link so that you can verify on a map application that the results are accurate. However, some tools have not been developed that far. I tested various AI geolocation tools for their accuracy and efficacy during my analysis. A chart with my summarized assessments of each is provided immediately below, with my more detailed findings below that.

Tool Comparison Chart 1

Geospy

Geospy is a tool that uses AI technology to analyze pictures and tell you the location featured in the image. It also has a Pro version, which I assume includes more features. However, the beta version of Geospy is pretty easy to use and does an accurate enough job that I would say it isn’t necessary to purchase/sign up for the Pro version. This is especially true if you’re trying to stay disconnected from your findings, although there are some minor wrinkles to work around when using the tool.

To test drive Geospy, I used the Sherlock Holmes Museum in London as my mock place of interest. I sourced my pictures from Google Images, starting with one from the exterior of the building. While Geospy has a drag-and-drop feature for the image you want to analyze, dragging and dropping Google Images was unsuccessful, and I had to download the pictures to upload them. This might not be a big deal depending on what site the location is on or who owns the picture (because they may be notified when someone downloads their photo), but it is certainly something to note for OPSEC purposes and for knowing how to use the site. 

After unsuccessfully trying to drag and drop the Google Image again with another photo, I wised up and downloaded the pictures, clicked the square in the middle, and uploaded the first photo again. Once the photo was processed, I got a readout that told me the country, city, and partial address and gave me the coordinates and description for the location. Geospy also provides a map image as well as a link that takes you to Google Maps. However, the coordinates that it identifies aren’t entirely accurate. 

The first picture’s coordinates were keyed to a point about 316 ft. away from the actual museum, which isn’t too bad, but it does mean that for locations that aren’t popular attractions or aren’t even labeled on the map, it may be more challenging to track them down. My other two attempts at accurately locating the museum with an exterior photo had similar results: not too far from the museum, and honestly, probably an acceptable distance for an analyst, but still not exact. However, since Geospy has proven to locate only a small distance from the pictures’ subject, I would suggest that it would be reasonable to assume its success in other trials. Thus, we would presume that with a bit of browsing in Street View in Google Maps, we would be able to quickly find the location after establishing a 350 ft. radius to search within, just in case the subject happens to be outside the 316-328 ft. error margin I got when testing.

Another point of note is that Geospy can positively identify and describe the museum from an interior picture I uploaded (the fourth picture). However, it still did not exactly pinpoint the location, though it was still close. Here is a map of all the guesses (represented by the numbered blue flags towards the top of the map) in relation to the museum (near the bottom of the map):

Geospy guesses are depicted with blue flags.

Another thing for investigators to remember is that getting a full screengrab of the entire readout page provided by Geospy is challenging. While Fireshot (a tool I used for most, if not all, of the screenshots in this article) is usually very good at capturing whole pages, it struggles with Geospy. Additionally, saving the page as a webpage does not yield readable results, making it hard to keep data records. It might work if you screengrabbed each viewable portion of the readout using Fireshot, but it would take slightly longer, and you would have more files to organize. Despite its difficulties, though, using this tool is still worth it due to the relative accuracy and descriptive information that it shares. However, as I have mentioned, investigators should consider the minor hindrances of using this tool.

Geospy Competitors

Let’s say you don’t want to use Geospy but still need a geolocation tool. What do you do? Thankfully, you can use plenty of other tools, some of which are included in the subheader link.

However, I would first recommend a source not on that list: Gemini. In some ways, I found it to be even better than Geospy but less satisfactory in others.

Gemini

Gemini did incredibly well in identifying both the first exterior picture of the Sherlock Holmes Museum as well as that of its interior. Like most of the other chat-based AI tools, it described the location. However, unlike Geospy, it did not provide me with a workable link, not even a plaintext URL, which was somewhat frustrating. Despite this obstacle, I did like that it explained why it couldn’t (safety reasons), as it helped me to understand its limitations. Here’s the result of the initial search I did through Gemini:

Gemini correctly identified the image as the exterior of the Sherlock Holmes Museum.

While my idea of using a link to Google Maps to assess the accuracy of Gemini’s geolocating capabilities had failed, I came up with a slightly less efficient but still effective plan. I tried asking Gemini for the coordinates of the locations in each picture. When I copied and pasted those coordinates, it took me directly to the Sherlock Holmes Museum, making it one of the most accurate geolocation tools I have yet seen, which you can see from the map below.

Because of these findings, I recommend using Gemini over Geospy because of the sheer accuracy (despite the slight inefficiencies of copying and pasting coordinates instead of clicking a link). However, if Gemini doesn’t get the job done for whatever reason, Geospy has proven to be a close second. Or, as we will see from the success of ChatGPT, a close third.

ChatGPT

I found working with ChatGPT a very teachable experience for my OSINT skills. As it was the first tool after Geospy that I tested for geolocation accuracy, it formed the basis for what problems I might expect when working with chat-based AI tools and what workarounds to employ when I don’t see the solution I am looking for. My later interactions with AI tools like Claude, Gemini, Copilot, and others got me thinking about other ways I could trick the system into working for me, but had I simply given up on ChatGPT, I would have missed the incredible accuracy it provides.

What’s also interesting about ChatGPT is that it has many different tools that geolocate, but as it is the same AI, I don’t think it makes much of a difference which you use, as you will see in my findings.

The first tool I analyzed was called QGISGPT. My tests started promisingly when the tool positively identified the first photo as the Sherlock Holmes Museum and described the place. However, like Gemini, it did not automatically provide me with a map image or link to a mapping site, so I had to ask for one. Unfortunately, links cannot be clicked in ChatGPT, which was frustrating. So, I tried something different. I asked it for a plaintext URL so I could select, copy, and paste it into the search bar. I was pretty proud of this idea until it gave me a link that didn’t work. I asked for a different link, and this time, it worked. Through my trials, I found that the initial link you get (the one beginning with goo.gl) will not work, but when you ask for another one, a link containing www.google.com/maps will pop up and will work. However, when it took me to Google Maps, it only showed me a general area and didn’t give me a pinpoint location of where it thought the museum was. Thankfully, the area did feature the pin showing the museum, but if we were investigating a less public place or one not labeled on the map, this might present more of an issue. I also tried the interior photo and got similar results. Here is an image of my conversation with QGISGPT:

My conversation with Cartographer, another tool through ChatGPT, presented roughly the same outcome with the first exterior photo as QGISGPT. However, I also decided to try asking it to show me a picture of the map so I could finally assess its mapping accuracy, but when it gave me a file, I was unable to open it. I think the issue might be that I do not have the paid version of ChatGPT. At this point, I realized that all the ChatGPT geolocation tools might have the same capabilities and limitations. This realization was furthered when I found I had to pause my exploration of ChatGPT tools because the platform only allows you to upload a certain number of pictures to analyze within a set period of time; otherwise, you have to sign up for the Pro Version. Once my restriction had been lifted, I tested the interior photo and obtained similar results even though I tried multiple phrases to get a map image (none worked).

Another issue of note came up when I was using a third ChatGPT geolocation tool: ChatGIS. When I put in my query, the AI’s responses came back in Spanish. This may not be a problem where Spanish is a native language, but in the United States, investigators who aren’t fluent in Spanish need to take the extra step to translate the output (I used Google Lens). Other than the difference in language, the results were roughly the same. There is at least one other tool (GPT StreetGuy) that ChatGPT offers for geolocation needs, but as I figured the results would be the same, I didn’t test it.

However, after testing other AI-based tools, I came up with two solutions for my chief issue with ChatGPT geolocation: the inability to pinpoint an exact location when using Google Maps links provided by the site. Your first option is to ask ChatGPT for coordinates to the location, and if you plug them into Google Maps, you should get an exact result, much like Gemini.

Another workaround is copying and pasting the coordinates from a Google Maps link provided by ChatGPT and pasting those into Google Maps. You’ll get slightly different coordinates, but they will still land you in roughly the same spot as the other workaround. This, at least, works with QGISGPT, but since the other programs performed so similarly in my other tests, I don’t expect they would behave differently in this regard. 

Finally, like Gemini, this should be one of the first go-to geolocation tools any OSINT analyst uses.

Claude

At first, Claude struggled with this task. Identifying the first exterior image was challenging, but the AI succeeded when I asked about the interior and second exterior pictures. My guess is that the trouble had to do with the resolution of the images, but I can’t be sure. Claude gives workable Google Maps links, but, unfortunately, it does not form these links such that they pinpoint a location, just like Chat-GPT. However, if you copy and paste the coordinates from the link’s search bar and then search those coordinates in Google Maps, you will get a more exact location. Once I finally had the guessed location plotted, I discovered that Claude was also pretty close in its guess, even closer than Geospy's (Claude’s guess was roughly 255 ft. from the museum). However, due to the issues with correctly identifying images, I would be cautious when taking advice from this chatbot, especially if your photo is blurry or has low resolution.

Picarta

Initially, I liked this site. It allowed me to upload my first exterior photo of the museum without issue, and came up with a results page shortly after. What threw me off was that the site said that it didn’t know where the photo was despite fairly obvious indications as to where it was (AKA the large sign hanging outside). However, they did offer suggestions as to where the picture could have originated, and under different circumstances, I would have found that to be a nice touch. The problem was that the confidence ratings for the guesses were extremely low, even though two of the guesses were in London. The other was in Camden Town, so I didn’t bother plotting it on the map. After consulting with Google Maps, it turned out that the guesses Picarta gave me weren’t even close to the museum. Picarta’s first guess (at approximately 51.50699920279341, -0.12767849046925764) was 1.72 mi. away on foot, which means that if you had to take that radius into account when using the tool during investigations, you might end up having to crawl for hours on Google Maps to reach your target (I say this because when I checked the walking time from Picarta’s guessed location to the museum, it was not a short time, leading me to believe it would also take a long time to crawl through Street View). This is particularly problematic when looking for a less well-known location in a big city with many buildings and streets to check for your target.

Copilot

Of all the tools I’ve tried, I recommend Copilot the least. On many attempts, I have not gotten the AI to identify the correct location. Here’s the funniest part. The location it picked was in a completely different country and continent, as Google My Maps told me (The location, shown below, is in Canada). This site also struggles with giving URLs, so even if you did get the proper location, you would have to add the extra inefficiencies of having to copy and paste the URL into a Google Map. I will say that the site did provide a map showing the incorrect location, and I assumed that if I clicked the link on the map, it would take me to a mapping site. However, it only took me to the location's website, which may be helpful in some investigations, but for my purposes, it was utterly useless. It also seems to be an AI that is unwilling to learn. On correcting it on the location that was actually in the photo, the AI repeatedly misconstrued my differently worded queries on the topic as being me having an issue with the coordinates rather than the actual location guess. Overall, it was a very frustrating experience, and I would highly discourage its use until it undergoes more development.

Perplexity

Perplexity is also supposed to be able to do geolocation. However, I was dismayed to learn that uploading photos requires money, either for a subscription or the Pro version. Since we’ve already established the success of Gemini and ChatGPT, I doubt there would be anything more that Perplexity could offer.

Social Media Geolocation

There used to be many more social media apps that provided effective geolocation, but as technology evolves and privacy concerns ebb and flow, there have been many changes in the tools available to investigators. Here’s a chart I have made that discusses the current status of the geolocation potential of many prevalent social media platforms:

Facebook

Facebook has never had a geolocation feature, but it does have geotags. However, there’s no restriction on how far away you have to be from a place to geotag yourself in it, meaning that it’s incredibly possible for a person to have taken pictures in a completely different place from where they tagged themselves. If you are unsure of the location and aren’t having any luck with AI-based geolocation tools, look at the picture/video and compare it to the geotagged location. Ask yourself if it seems possible for the media to have been taken at the geotagged location. If there’s lots of evidence that supports the geotag, you may find luck plugging the location into Google Maps to see if the media matches the map display. If there’s an apparent disconnect between the geotag and the media or no evidence to support a match, try a different tack. Tools and tags may be helpful, but remember, your most valuable assets as an investigator are your brain and your common sense.

Instagram

Instagram is owned by Facebook, so the geotags here will be similarly unreliable. To geolocate subjects' Instagram post locations, you’ll need to employ similar tactics as you would with its parent platform.

Snapchat

Snapchat does have geolocation capability, but only on the mobile app. If you go into the Snap Map, you can see little hotspots showing where people post snaps. If the area is bluer, only a few people are posting there. If the area is a dark red, many people are posting. 

Tap on the area you’re interested in, and you should be able to scroll through the snaps in that area. You may be tempted to screenshot the display once you’ve found your desired post. Under no circumstances must you do this. Snapchat lets its users know when another user has screenshotted one of their snaps. If you do, you’re potentially tipping off your suspect that you’re onto them, which will cause them to go underground and become more challenging to find. The best action is to take another mobile device or camera and take a picture of your screen. Then, you’ll have both the evidence you need and the post's location, and your suspect will be none the wiser.

Twitter/X

I learned most of my tricks here from a triangulation course given by Plessas Experts Network (PEN). While some of the capabilities taught in the class have changed, you can still geolocate with Twitter/X.

Let’s say you’re looking for posts from within a particular location range that may give you clues as to a subject's whereabouts, but you don’t know any Twitter/X handles that can be reliably tied to your subject. To find a post within a location range, the first step is to go to a site called MapDevelopers. Here, you will be utilizing the draw circle tool to determine a range that holds relevant posts, and once you’ve found the appropriate posts, narrow down the search field to a more manageable size.

Once you’re in MapDevelopers, zoom in within the map display to the location relevant to your investigation. Then, click on that location. A circle will pop up, with the clicked location becoming where the circle's central point rests. It will come with a preset radius, but you can edit this and the units with which you desire to work in one of the boxes above the map display. Simply click on the distance amount and unit of measure, change them to your specifications, and, most importantly, click the Edit Circle button.

Now that you’ve made a circle that meets your specifications, you should see coordinates above the map display. Those coordinates will correspond to the center point of your circle. Copy those coordinates, then go to Twitter/X.

You’re now going to employ the use of a geocode string. In the search bar of Twitter/X (please note that this technique works best under the Latest tab on your Twitter/X feed), you will type in this formula: geocode:pastecentercoordinateshere, insertradiusandunitofmeasurehere. This formula will not work if you include any spaces other than the one after the comma immediately before the radius and unit of measure. If you desire other strings to narrow your search, some will narrow the search results to a specific time frame, but for the purposes of this example, we’ll keep it simple. Hit enter.

Scroll through your results and edit both your search terms and circle as needed. Once you find the post you’re looking for, you will want to go back to MapDevelopers (first, however, duplicate the tab holding your original post so that you have the original coordinates and distance information to refer to should anything go wrong later on). Here’s the post I will be using for this example:

Click the map feed, creating another circle. Then, drag your new circle so that it overlaps part of the original circle, but place it such that the central point of the new circle rests on the edge of the old circle. The coordinates above the map display should now reflect the center of your new circle. Your circles should look something like those in the figure below. Copy and paste these coordinates in place of the old coordinates in the search bar of your feed.

Before hitting enter (which will let you see if the space where the new circle and the old circle overlap contains the location where the post was created), here’s a tip that will help you avoid scrolling through numerous results until you find the post you’re looking for. Copy the post's caption, put a space after the latest string in your search bar, then paste the caption. There is no need to remove spaces here. This new string will allow you to only see that post in whatever string you use, provided it is within that location range. Now, back to our example.

If your post doesn’t appear in the area, you should get an error message like this:

If you get this message, don’t worry! Just check your string to ensure you haven’t made any mistakes or included unnecessary spaces. If your string is clean, you’ll have to try looking elsewhere. Try moving Circle #2 to the opposite side of the circle and see if your elusive location is there. My circles now look like this:

If needed, try the top and bottom edges of the circle as well if your post still doesn’t appear because there are small areas where the left and right sides will not cover. In this example, however, my post showed up, so I’m ready to move on to the next step, which involves creating a third circle. Place Circle #3 such that the circle's center point rests on one of the points of the football that marks the space you have identified as containing the post. Your circles should look something like this:

Search this area to see if it contains your post. If not, move Circle #3 to the opposite point of the football. Once you’ve found the football half that includes your post, make a new circle, and, this time, drag it so that the center point is roughly in the middle of the identified area. Adjust the radius so that the circle can cover the entire region. It’s okay if it goes a little outside the boundaries of the region; just don’t go inside the boundaries and risk missing the little bit of the area that has your location. Your map should look like this:

Search this circle area to make sure it contains the post (it should, but it’s good to double-check), remembering to edit the radius as well as the coordinates because both will have changed. Once you get your confirmation, delete all the circles except the most recent one so you won’t have a mess of circles to sort through in future steps. Your map should now look like this:

But what if you want to narrow your area down even further? We’ll have to repeat the process. However, before you create more circles to overlap your new starting circle, you’ll need to click on the new starting circle. This will ensure that any new circles you make have the same radius as the starting circle. When you removed the other circles earlier, the original radius reappeared in the radius box, which would have made the new circles have the old radius. This would not be ideal since you would then be widening your scope instead of narrowing it, hence why you need to select the new starting circle to make the new overlap circles. Your circles should look like this again with the restarting of the triangulation process: 

Then, once we’ve found the half of the circle that contains our post, we’ll overlap half of the football again.

We’ll cover the area with a new circle and adjust the radius to cover it.

While I would like to check further that this circle is accurate, Twitter/X has recently made a very frustrating change. Any geocode string that asks for a distance of roughly less than 2.80 mi. will not work even if your string is clean. It’s not ideal, but we are closer than when we started, which is a plus. However, we still have a chance to locate the post. We just need to get a little creative. First, you’ll delete all the circles except the most recent one and zoom in around the circle's center. Your screen will look like this:

Pick a point on the map that you can easily search in Google Maps. For this example, I picked the Burke Nursery & Garden Centre. Then, go to Google Maps and search for that location, opening Satellite View as you do.

Since our post focuses on opening a parking garage, we’ll go to the search bar and search for parking garages.

Search all the parking garages in Street View until you find the one that matches the architecture of the one in the post. We already know from the post comment that it’s the Monument Center Commuter Garage. Still, had that information not been readily available, we would have had to go through the triangulation process and search all the parking lots in the area. To speed the example along, however, I searched it up to be sure the location matched. Here is the Street View of the location:

This was the side that most matched the photo, although I couldn’t find the Slug Lane sign featured in the photo. Near the bottom right of this readout, it explains why this might be. This Street View image is dated May 2023, and the post we were using as an example says that the parking garage had just opened. Given that we see the construction in the Google Maps image, we can deduce that Google Maps probably hasn’t come up with an updated view of the parking garage and hasn’t had reason to, as it would have just shown more construction until right around the opening. Additionally, Google Maps did not offer Street View of all sides of the building, so I could not search for the sign there either. However, the distinctive architecture of the building and the glass-enclosed stairwells that are featured in both images of the post also appear in this Street View, leading me to say that even if I hadn’t known where this building was from the beginning, I would have found this location to be the likely target.

There is one problem that would have occurred if I had tried to locate it without any information about its location. If we look at the distance between the parking garage and the garden center that marked roughly the center of the circle meant to contain our post, we will see that the geocode string wasn’t very accurate.

The 6.87 mi. distance would indicate that this triangulation process isn’t very accurate, but sometimes it is, so it’s worth using this tool. Besides, there may be a plausible explanation for why the geocode string led us to the Burke area. It could be that the post was not uploaded at the parking garage itself, but at the office where the person who posted it works. If we look at the user, we see that Supervisor James Walkinshaw uploaded the post. Let’s see if we can find him on LinkedIn to see where he works.

If we look at the results, the second one from the top has a profile picture that matches the one on Twitter, meaning that this is likely also an account belonging to the James Walkinshaw we are looking for. His home location is Burke, Virginia, indicating we’re on the right track. His job title is a little cut off, so let’s go into his profile to see it more clearly. If we do, we will see that he is the Braddock District Supervisor at the Fairfax County Board of Supervisors. Let’s see where the Fairfax County Board of Supervisors meets on Google Maps.

If we look at the search results, we do see the Fairfax County Board of Supervisors, but it has multiple results. However, we also see that the Braddock District Supervisor’s Office comes up in the results! It looks like we’ve found James Walkinshaw’s office! Now, let’s see if it is within the range of the circle that we made.

Our smallest circle’s radius was 1.96 mi., and it looks like the office is 1.37 mi. from the garden center around the center of our circle. We can see that it is incredibly likely that James Walkinshaw made the post about the parking garage here. However, if we look at one of the places labeled as where the Board of Supervisors meets, we will also see that it rests within the area we identified as containing the post’s geocode.

This meeting place is also within 1.73 mi. of the garden center, meaning that it is also possible for the post James Walkinshaw uploaded to Twitter/X to have originated from that location. Of course, he could have also used a spoofing tool. Still, since there are two other very plausible locations and James Walkinshaw is a public figure, I doubt he would spoof the location where he posted an announcement of a parking garage opening.

TikTok

Please see the Facebook section of this article.

Tinder

Tinder is tricky because you can never be completely confident that the location capabilities are accurate, as you probably saw in the linked article by All About Cookies. The article explains that Tinder users can change their locations through VPNs, spoofers, paid subscriptions, Facebook location changing, and more. Thus, we have to rely on the same techniques as we would with Facebook and other social media platforms with unreliable geotags. 

Grindr

Grindr does have geolocation capabilities, but to effectively utilize these capabilities, you’ll need to implement a more boots-on-the-ground approach.

First, you’ll need to look up the user you are searching for. Take a screenshot of the readout that displays the distance away you are from them. Then, drive a little way in one direction. Open your Google Maps app and take a screenshot of your location like this:

After that, you’ll want to return to Grindr and see how the distance has changed. Take a screenshot of the new readout. A readout from Grindr should look like this:

To triangulate your subject’s location, repeat these steps, considering whether the distance between you and the subject increases or decreases. Do this approximately three times. 

Once you’ve gotten your three points (assuming you haven’t already located your subject), get your laptop out and go to Google Maps. Find your starting location on this map. Right-click and then click the coordinates that pop up. This will allow you to copy the location coordinates to your clipboard. 

Take these coordinates to MapDevelopers and paste them into the coordinates box. You will now do something similar to what we did in the Twitter/X example. Adjust the radius to the distance your subject was away from you. You may need to adjust the units of measure to do this. Click the New Circle button. Do the same thing for each of the other points you stopped at. Once you’re done, look at the space where all the circles overlap. Assuming your subject hasn’t moved, they should be in that space. Here’s a finished map showing all the overlapping circles. Can you tell me where our subject is?

Due to the reduced search space, locating your subject should be much easier. If you need to repeat the triangulation process, that’s okay, especially if, after the first triangulation, you are still left with a large amount of space to search.

Hinge

Hinge is interesting in that, as Security.org says, it is meant to take into account both spontaneous and scheduled outings, which is great if you have a trip to an area outside your usual sphere and want to meet up with people in the town you’re passing through. However, it also means that people can change their location with no indication as to where they might be at the time. Because of this, we need to take the distances Hinge gives us with a grain of salt and verify using the same methods we used with Facebook.

YikYak

YikYak used to have geolocation capabilities, but they don’t anymore. My guess is that this app's ability was removed due to safety concerns over the app's target audience: college students. It makes sense. While YikYak is intended to be a way for college students to connect and make friends, it could just as easily be used for malevolent purposes (e.g. stalking).

Still, while investigators can’t directly geolocate through YikYak, they can run any media of interest through an AI-based geolocation tool. 

Swarm

Swarm (initially known as Foursquare) is a way to share places you visit with people you friend on the app. You likely won’t find your suspect on here due to the immense popularity of other apps (everyone’s talking about TikTok and Snapchat nowadays, but I’ve hardly ever heard Swarm mentioned), but it’s still worthwhile to check. If you find your subject on Swarm, you may be disappointed to find that explicit location information is blocked for people the user has not friended. However, you can still glean a lot of information on your subject if they have a Swarm account.

Firstly, you can see the number of Check-Ins a person has submitted through Swarm. This is the amount of times they have tagged themselves at any location. Depending on how high the number is, you can get a sense of how often the subject uses the app. If they use it frequently, you should monitor their account to see if any new Check-Ins pop up with accompanying photos. Swarm allows the user to attach images of their location when they check in; if you’re lucky, your subject will use this capability to share their surroundings with their friends. What difference does that make to us? One of the few pieces of information Swarm gives us is the list of photos the user has uploaded. If the subject tends to use pictures when they complete a check-in, we can then use our AI-based geolocation tools to keep tabs on their location.

In addition to seeing the number of check-ins a user has and their photos, we can also see how many different types of places they’ve been to (under categories). This may not seem helpful, but if we scroll down past their photos, we can see the stickers that the user has collected. These come from completing achievements within the app, sometimes from going to specific places. If we know what each sticker means, we can establish what types of places the person may check into, even if we don’t explicitly know the category.

The other statistics would not offer us much beyond conjectures and vague estimates that might not be accurate. Despite this, as an OSINT professional, it is not our job to go undercover and attempt to friend the subject. This breach of OPSEC and OSINT etiquette could tip off the subject that someone is onto them. 

Flickr

While the app doesn’t share geolocating capabilities, we can use Flickr's website version for this purpose. Just click on the picture you’re interested in, then scroll down. You’ll see a bunch of data that will be extremely helpful for your investigations.

Firstly, you’ll see the date the photo was taken as well as when it was uploaded, which will help you establish a timeline of events. You can also see who has viewed and favorited the photo and any comments that may be attached. These may contain helpful information that could reveal accomplices or connections not already known. You can also see what camera the photo was taken with and, most importantly, where the picture was taken.

Flickr will show you this location on OpenStreetMap, but, as we know from previous examples, it does not show Satellite View, so we will need to grab the coordinates from the OpenStreetMap link and paste them into Google Maps. As with the Twitter example, testing Flickr showed that you cannot always guarantee a complete match with Google Maps. When I searched for pictures to test, I gave the search term ‘beach’ and filtered it within the span of a couple of days occurring earlier this month. Unfortunately, while the infrastructure in the distance in the photo did look similar to those of the Google Maps Street Views I could find of the location, there was enough of a difference to be somewhat uneasy about confirming it as an absolute match. When I looked at the various Street Views, the most recent one appeared to have been taken in 2020.

Since four years have passed, I will admit it is plausible for the infrastructure to have changed, so I will only offer that I am mostly confident in the platform’s success. I have attached pictures so you can judge for yourself. The first is the photo I got from Flickr, and the second is the most recent image I could find on Google Maps.

Now that I’ve covered a few geolocation tools, I’ll move to my next topic: tools that use metadata stored within pictures and videos to geolocate suspects.

Metadata in Pictures

A Quick Note On OPSEC: When you take pictures, there’s always a chance you could be giving away your location. Some of this might stem from visible clues that you could reverse image search. However, even if you do your best to remove that variable, you may still be playing into the hands of malicious OSINT analysts due to the metadata stored in your pictures. To avoid this, ensure that when you post or share images from sensitive locations (your home, your workplace, a close contact’s home or workplace, etc.) with others, your location is not tracked with your camera app. This is relatively easy to do. Go into your mobile phone settings, and after some searching, you will find a setting that disallows location sharing through your camera app.

Fortunately, this vulnerability can be a possible liability for our subjects, allowing us to track them down. I’ll start showing you how on images first.

Image Metadata Tools

Several tools can help us find this metadata and then geolocate it. To test the accuracy of these tools, I will use pictures taken from my own phone, like playing both subject and analyst at once. Can I find myself? We’ll see!

Forensically

To start my investigation on myself, let’s imagine that I posted the following photos a few days ago:

I probably also would have put some sort of caption related to the fact that I was at a church, a conclusion an investigator would likely have already come to from the spire-like architecture of the building behind me in the selfie, as well as the statue of someone in a nun’s habit with a rosary and book. Let’s say I, the investigator (we’ll refer to this persona as Olivia 1), am trying to figure out where subject me (Olivia 2) was because she’s suspected of a crime. They want to bring her in for questioning. To start, Olivia 1 opens up forensically and inputs the first picture. She gets something looking like this:

The Magnifier won’t help Olivia 1 much here, so she’ll scroll down the page until she sees the tab on the sidebar that says ‘Metadata’ and click it.

Wow, that’s a lot of information. However, as an investigator, Olivia 1 knows what information is most important. The type of camera Olivia 2 used to take her photos is of interest. You can see here that she used an Apple iPhone 12 Pro. Also, if Olivia 1 already knew what time zone Olivia 2 was in when she took the photo, she could determine the exact time by converting the time shown in the readout to that time zone. I say this because the readout will always show GMT regardless of your or the subject's time zone. There are also the GPS coordinates there, which, theoretically, Olivia 1 could plug into Google Maps or some other mapping application to pin down Olivia 2’s location. However, there’s a much simpler way to do this. Olivia 1 scrolls down the sidebar to Geo Tags and clicks on it, getting this readout:

Here, Olivia 1 sees a lot of the same information, but if she scrolls down, there are links to an OpenStreetMap site, a GoogleMaps site, and a Flickr site. If Olivia 1 were to open the OpenStreetMap site, it would look like this:

Now, Olivia 1 could take this suggestion that Olivia 2 was at Saint Theresa Catholic Church at face value. Still, she has to be absolutely sure that the potentially devious Olivia 2 didn’t somehow edit the metadata or make it look like her phone was broadcasting from somewhere else. Olivia 1 can’t do this very easily without having a Satellite View to ensure the landmarks from the photo match up, so she’ll go to the Google Maps link in Forensically. She does some scrolling around in Street View for a little bit, but then she finally comes across this:

A match! The bronzy spire and the three windows to the left of it match what appeared in the photo of Olivia 2. Olivia 1 can also see that some of the shrubbery and foliage look pretty close to what was behind Olivia 2. Olivia 1 could also go completely nuts and confirm exactly where the statue was. Between the above Google Maps photo, the below Google Maps photo, and corroborating pictures online, she could know precisely where Olivia 2 was standing when she took a picture of the statue. She would eventually conclude that the statue featured in the above photo was incredibly likely to be the one that Olivia 2 took a picture of.

Let’s say that Olivia 2 posts again before Olivia 1 can locate her. Like Carmen Sandiego, she’s popped up in a completely new location. She posts the following picture with the comment: “A great day for baseball! Such lovely weather!”

Olivia 1 is off like a shot, uploading the photo to Forensically. She looks through the metadata readout before finally clicking on the Geo Tag readout. She gets something like this:

Let’s say she skips straight to Google Maps, scrolls around for a bit, then comes to this image:

If we look at where that sneaky Olivia 2 is, we see a picnic table behind her. Olivia 1 notices the same thing and compares it to the Google Maps readout. Look! There’s also a picnic table! There’s also a trash can of a similar shape and colors in the same spot as the one behind Olivia 2! Additionally, we can also see similarities between the wooden planks and hedges featured in both the Google Maps image and the one posted by our subject! And, of course, there’s the very prominent baseball field. Olivia 1 knows she has enough evidence to find her subject. But, oh no! Olivia 2 has posted again! She’s posted the following pictures and the caption: “Through these doors lies boundless knowledge! Can’t wait to go inside!”

Olivia 1 knows she needs to be speedy. She opens the file in Forensically, clicks open the Geo Tag Tab, and sees the following information:

She goes into Google Maps, scrolls around for a bit, and finds this:

The structure definitely looks similar to the one Olivia 2 posed by. Still, with the bushes blocking the location she thinks Olivia 2 took the picture, it’s challenging to look for landmarks in the pictures to verify that this is the correct location. With a little more digging, Olivia 1 finds a more usable snapshot: 

If Olivia 1 looks closer, she can see that Olivia 2 made a critical mistake. She forgot to crop out the address above the picture of the sliding glass doors! If we compare what we know from Google Maps is the entrance to the Gum Spring Public Library to the picture Olivia 2 posted, Olivia 1 can see the building number in the same spot above some very similar-looking sliding glass doors. Olivia 1 can also compare the angle of the sidewalk's edge in the background to Olivia 2’s picture. If Olivia 1 considers what she knows of the Google Maps image, she can determine that Olivia 2 was standing on the other side of the archway and off the sidewalk when she took a picture of the location. Gotcha! Olivia 2 is at the Gum Spring Public Library! Olivia 2 is tracked down and taken in for questioning. She turns out to be innocent but has valuable insight into the events she was framed for, and the real criminal is brought to justice.

On a more serious note, I mentioned earlier that Forensically provides Flickr links. Still, I couldn’t find corroborating images from any of my locations featured in this example. Maybe with more famous locations, an investigator might find pictures to compare, but in my experience, it has not worked.

It’s clear from this silly example that Forensically otherwise works really well, but if you find it doesn’t suit your needs for whatever reason, Pic2Map is a close second.

Pic2Map:

When you upload a picture to Pic2Map, you should get a readout like the one below, followed by images of nearby places.

This gives you some different information from Forensically, some of which could tell you more accurately the position of the photo (see the GPS Information section). However, just like Forensically, it tells you where the photo was taken and does so (from my experience) accurately. Unlike Forensically, however, it does not directly link to satellite maps, meaning that visual confirmation must be obtained by copying the address or coordinates and pasting the information into Google Maps or some other mapping application that has a Satellite View. This would take more time than simply clicking on the link provided by Forensically, but not by much. I would still prefer to use Forensically due to its higher efficiency. However, due to the slight differences in each tool's data types, a situation may call for using Pic2Map instead.

YouTube

Another Quick Note On OPSEC: Yes, geolocating metadata can be found in YouTube videos. But, this time, you need to actively decide to break OPSEC procedures to mess this up. YouTube will only geolocate your videos if you opt into it. If you don’t, congratulations! You’ve got an extra layer of security between you and anyone trying to stalk you or steal your data. If you do, well… all I can say is that, depending on the location, that’s a choice.

Now that you know how to protect yourself from what we’re about to do, we can get into how we, as OSINT analysts, can use this slightly creepy power for good, highlighting the website MattW.io as a key resource for doing so.

MattW.io

This website is awesome. It features many different tools, but I will focus on the tools under the YouTube subheading today. To test the accuracy of these tools, I went into the tool labeled MW Geofind Location, which allowed me to look for videos that were confirmed to be geotagged. I decided to filter my results down to within a 25km radius of a point the site placed somewhere within Washington D.C. to keep things simple.

The first video I picked was posted by the user Music by Fimora and had a title that translated to (thank you, Google Lens): “Vlog - NT Biakkima’s fight with Taylor Swift at Target,” followed by a target emoji. Now, I’m not even going to pretend to know what that means, but I do know where the video took place, not just because that’s where MW Geofind Location told me it was. It did offer the coordinates and the location of the video, but let’s say that I was an investigator, and all I had was the video link. Thankfully, MattW.io has another tool called MW Metadata that allows you to paste in a YouTube link and see if it can be geolocated.

So, I played pretend and pasted the link into the search bar. The following is part of the readout I got:

Just like in the description of the video and the Geofind Location site, we see that the location comes up as the Gaithersburg Presbyterian Church. Now, we don’t entirely know that this location matches what’s in the video. It may be that the video was only posted from the church or that Music by Fimora is using another tool to make it look like it was from there. Either way, we need to verify that this is at least one of the locations featured in the video to determine the location accuracy of MW.io. Thankfully, the Metadata site features a Google Maps link, and provides this view:

I realize that this image features two Gaithersburg Presbyterian Churches, so to avoid confusion, I will clarify that the point MW.io says we are analyzing is the one above and to the left of the point labeled “MVA - Walnut Hill.” Either way, this view doesn’t really help us because we can’t visually confirm anything. We need to go into Satellite View.

This is a Street View of the church. Now, if we go and search the video for matching frames, we come across this clip:

The architecture looks the same, but we can also confirm this as the correct location based on the placement of the bench, signage, light fixtures, windows, doors, and some of the foliage. Whoever Music By Fimora is was indeed present at Gaithersburg Presbyterian Church.

Let’s look at a trickier example.

The next video I tried was “Sophie Ellis-Bextor - Murder on the Dancefloor - Live at 9:30 Club DC USA - 6/3/24,” which was uploaded by Stephen Grall. This one is tricky because all the frames were interior. MW Geofind Location, where I had discovered the video, claimed that it was, indeed, at the 9:30 Club, as did MW Metadata. I knew the explicit Google Maps Satellite View wouldn’t help us here. However, when you go to Google Maps, pictures are often associated with public places that can give you a sense of the place. I decided to see if, by some miracle, I could find some aspect of the shadowy stage in the video that matched up to something on Google Maps. For context, here’s a frame from the video:

Very little is distinguishable in that picture. I was beginning to doubt I would find anything when I came across this picture:

Aha! I may not be able to tell the location from any structures inside, but the costume the performer is wearing is distinctive. Since my investigation started in the first couple of days of June 2024, I knew there was a minimal span of time that I could place the performer in. Therefore, it’s incredibly likely that Stephen Grall, who posted the YouTube video, was at the 9:30 Club on the day he claimed to be.

But what about the discrepancy between the date Stephen uses in the title and the date the video was uploaded? Depending on how late the set ran, plus whatever time Stephen took to get home, I can think of three possibilities that might have occurred. First, maybe Stephen got home late and was so excited to post that he stayed up into the wee hours of the morning of the next day getting the video ready. The second option is that Stephen had plans with friends following the concert and could not prep the footage for YouTube until the following day. Finally, it’s possible that after a long night of partying and excitement, Stephen was too tired to even think of doing anything other than going to bed and so couldn’t post until the next day. Lots of hypotheses, but how can we narrow them down? Let’s go back to MW Metadata. If we look through the data provided by the site, we come across this:

Okay, we can see when the video was published, but it’s not in the right time zone (note: it will always show GMT, so you will need to convert if you are not investigating that time zone). Thankfully, MW.io has a time zone converter. I clicked the link, put in the location I was looking for (Washington, D.C.) and got:

Based on the time I got from the converter, I doubt Stephen would have stayed up late after an evening event getting a video ready. This explains why the dates aren’t the same, but it doesn’t exactly prove that both he and the performer were there on June 3rd. To figure this out, we must do a bit of old-fashioned research.

According to Stephen’s description, we can guess that the performer’s name is Sophie Ellis-Bextor. I decided to look up previous concerts at the 9:30 Club to see if I could find her name and when she had performed. I came across a site called Concert Archives and found this:

If we look at the June 3rd entry, we see a match! We can be relatively sure that Stephen Grall was at the 9:30 Club on June 3rd and that he did not stay up late after the show posting a video.

The sheer amount of information you can get from a single YouTube video proves how invaluable both YouTube and MW.io tools can be in an investigation. However, since you must ensure the video has geolocation, I wouldn’t necessarily depend on it being a perfect solution for all scenarios. Suppose the video you’re looking at doesn’t have geolocation. In that case, I’d probably suggest trying to take a screenshot of the desired location in the video and plug that into one of the earlier-mentioned AI-based geolocation tools.

Conclusion

As you’ve seen, there are plenty of ways to geolocate a subject, whether through AI-based geolocation tools, social media geolocation and triangulation, or metadata targeting tools. Regarding AI-based geolocation tools, the best options I’ve found based on accuracy have been Gemini and the various geolocation tools under ChatGPT’s purview. Social media geolocation capabilities have been waning as of late, but screenshots uploaded to AI-based geolocation tools can provide a solution. However, for platforms that do have geolocation capabilities, triangulation with MapDevelopers is an excellent method. Forensically is best for finding metadata within images, while MattW.io proves instrumental for doing the same with YouTube videos.

As previously stated, I fully recognize that this article does not include every geolocation tool. If there is one that I haven’t mentioned that you’ve found to be particularly effective, please comment on my LinkedIn page so I can learn more about the tools available to the OSINT community.

In addition, the capabilities these tools offer us will change, perhaps even doing so during the time of this writing. If any of the information I have presented has since changed, please let me know in the comments so that others and I may continue to have a strong understanding of our field.

Lastly, if you have any feedback, positive or constructive criticism, don’t hesitate to share it. Happy geolocating!

Sources (listed by first appearance):

AI-Based Geolocation Tools:

Social Media:

Metadata:

Content and Editing Contributors:

  • Kirby Plessas, CEO of Plessas Experts Network, Inc. (Content and editing)

  • Kyle Elliott, COO of Plessas Experts Network, Inc. (Editing)

  • Grammarly web extension (Editing)

  • ChatGPT (Editing)

Kyle Elliott
A Budding Criminologist’s Perspectives On OSINT

Author’s Introduction: Olivia Elliott is a second-year student at Virginia Tech, pursuing a bachelor’s degree with a major in criminology and double minoring in leadership studies and sociology. She is also pursuing an Honors Laureate Diploma through the Virginia Tech Honors College and is a proud member of the Virginia Tech Corps of Cadets. Additionally, Olivia is currently an intern at Plessas Experts Network, Inc., hoping to gain experience that will prove valuable to a future career in the federal government. In her spare time, Olivia enjoys hanging out with her friends and family, cuddling with her dogs, and crocheting while listening to audiobooks and podcasts.

A Budding Criminologist’s Perspectives On OSINT

TW: Readers are advised that the following content may be disturbing. Please read with caution.

My natural desire to discover the truth led me to apply as a criminology major at Virginia Tech and start learning more about open-source intelligence (OSINT). I recognize that only some in the OSINT community have a criminological background, so OSINT may relate to different ideas or concepts to them than it does to me. Due to my lack of experience in other fields, I cannot describe their perspectives, but I can offer a look at OSINT from a criminological lens.

Important Terminology

OSINT

First, I’ll need to define a couple of terms so that everyone understands what I’m talking about here. For those new to OSINT, we’ll first need to explain the concept of open-source intelligence. The book Deep Dive by Rae Baker contains a wonderful definition, which is as follows: “Open-source intelligence (OSINT) is the production of intelligence through the collection and enrichment of publicly available information.” Baker adds that "[...] OSINT is a purely passive method of intelligence collection, meaning that we view information such as a person’s credentials in a database, but we do not use those credentials to access anything or to log in.” In plain terms, OSINT means collecting, analyzing, and applying data obtained without hacking, using passwords, etc., to solve a problem or answer a question. 

However, just because OSINT is publicly available, it doesn’t mean there aren’t restrictions. Baker notes that OSINT investigations have rules just the same as any regular type of investigation, so if you are just starting to get into OSINT, it’s critical to review the legislation in your area (Baker cautions that both national and state guidelines are necessary to look into) so that you know that whatever evidence you pull will be useful and so that you don’t end up in legal trouble or lose your job. If, for some reason, one type of OSINT isn’t available to you, never fear! Deep Dive notes that there are many different types of OSINT, each corresponding to various kinds of data, ranging from numerical data to EXIF data to geolocation data.

Criminology and Sociology

It’s also essential to define criminology, but before that, it is crucial to understand the meaning of sociology. The University of North Carolina at Chapel Hill (UNC) says that “Sociology is the study of human social relationships and institutions,” but also that it “[...]  is an exciting and illuminating field of study that analyzes and explains important matters in our personal lives, our communities, and the world." To summarize, it is the study of humans interacting with each other, our surroundings, and the ideas present in the world. 

Criminology is actually an offshoot of sociology, which is both why I explained sociology first and why so many criminology and sociology majors share classes, at least in their first years of college. It’s also common to double major or minor in the one you aren’t majoring in. But, you might ask, where is the difference? North Central College defines criminology as follows: “Criminology refers to the study of crime and criminals within a societal sphere.” Essentially, this means that instead of focusing on human behavior in general, we are specifically looking at criminal behavior and the factors that contribute to that behavior. In this article, I will use the experiences gained from utilizing this lens to describe my perception of OSINT.

Further terms will need to be defined to better understand this perception, but these are predominantly in the criminology/sociology (CRIM/SOC) field and may be less common to readers, so their explanation is even more critical.

Deviance

The first is pretty simple: deviance, which, funnily enough, I first learned about in a course called Deviant Behavior. Deviance is going against (deviating, if you will) from societal norms. Deviant behavior doesn’t always come in the form of committing a crime. Say you and your family attend a wedding in the United States (I clarify the setting because traditions vary in different locales). The bride wears a gorgeous white gown as is the traditional custom. But what’s this?! Your Aunt Sheila has also decided to wear white. Everyone starts muttering when she walks in, and throughout the reception, nobody talks to her. Or if they do, it’s in curt or passive-aggressive tones. Why? Because while Sheila hasn’t committed a crime written in the legal code, she has, in a way, committed a crime of etiquette. 

The same can be said of talking loudly in a movie theater, picking your nose, or wearing an ‘eccentric’ outfit. As you can probably tell, there are varying degrees of deviance. The difference between each is that the more outside the norm the behavior is, the more people will take offense to it, laugh at it, or otherwise punish the person doing it. Regardless of whether the behavior does any harm or not, if it is not considered socially acceptable, the person is being deviant.

Strain

Another thing we need to cover is the concept of strain, which I have studied in many classes. Multiple theories by varying scientists talk about the phenomenon in which different societal factors come together and put pressure, or strain, on a person, which may ultimately lead to them committing a crime, sometimes because they can’t imagine another possible option. This is referenced on Britannica’s website and expounds on the different theories associated with the topic. Specifically, there is a theory mentioned called Merton’s Strain theory. In that theory, it is suggested that all people are trying to reach goals that are commonly agreed upon in their shared locale (known as the common goals). For example, many people in the United States are trying to be well-off financially and attain things that give them opportunities, such as a college education. 

However, most people also try to accomplish these goals through the accepted means. This means that people generally attempt to achieve their goals in ways considered normative to others and aren’t against the law. But, if certain societal factors or prejudices present an obstacle, people may abandon the common goals, accepted means, or both altogether. Below is a chart showing the different demographics of people who undergo strain. You’ll note that the conformists accept both the common goals and accepted means. They actually don’t undergo strain. This is what everyone, at least initially, strives for. Strain theory can also apply to non-criminal actions or behaviors that showcase minor deviance. That’s my belief, anyhow, and this idea of mine will heavily come into play later on in this article.

Sourced from: Twitter/X (@allsociology)

Stigma

Lastly, it’s vital to understand the concept of stigma (another term I learned in Deviant Behavior. The National Library of Medicine offers a wonderful definition, saying that “[...] stigma [is] a social attribute that is discrediting for an individual or group." If you want more information on stigma, another great resource is Erving Goffman’s book, Stigma, in which he first introduced the concept. To summarize, stigma is a trait of one or many people that is deviant or that most of society finds unlikeable.

Now that you know the relevant terms, we can connect them to OSINT. I learned most of my OSINT skills from an OSINT 101 course taught by Plessas Experts Network, so most concepts and ideas relating directly to OSINT come from there. It’s a great course, and I highly recommend it for anyone wanting to learn more about any of the following topics and many more that I regrettably do not have time to list here. But, I will say that one of the topics we covered was social media use in OSINT investigations, as well as its general history and the demographics associated with different platforms, and that is a prime topic to highlight the connection between OSINT and criminology.

Social Media

Connection to Strain

Firstly, social media is connected to my criminological experience through the prevalence of strain on each platform. I would go so far as to say that strain is the foundation of social media. Everyone looking to be a part of the conformist group that follows the common goals and uses the accepted means knows that Americans (I can’t speak for other countries, but I imagine it’s the same in many countries that have high numbers of social media users) want to know and emulate what is trendy at all times, which will allow them to attain the common goal of being famous and well-liked. Because social media is becoming increasingly image-heavy, it makes it much easier to take in larger amounts of information on what’s in than there was initially with text-heavy social media. So people are frantically posting anything and everything about their lives, trying to please the rest of the world (or at least pander to a specific group) by copying whatever new style or dance is popular. This has made social media an effective, accepted means of achieving the common goal of popularity, which we can see with the sheer number of influencers and people making money solely from their social media content. There could be no possible downsides to posting so much, right?

OPSEC Concerns

However, as many people in the OSINT community will tell you, the more you post, the more potential there is for danger. I’m not saying you should be afraid to use social media; it is an incredible invention that has a lot of positive impacts, both in and out of the investigative community. But, it’s also important to be cautious about what you post. You might get so caught up in copying the latest trend that you accidentally include information online predators can exploit and use to take advantage of you. If you take a picture of yourself in front of your house and post it online, it’s incredibly easy for people to take that image and put it into Google Image Search, and, boom, now the entire Internet has the potential to know where you live. Due to the incredibly easy nature of information sharing on social media, people (especially those unfamiliar with social media or operational security (OPSEC)) are more likely to post information that gives away sensitive information accidentally. However, this isn’t the only potential concern associated with excessive social media use.

Parasocial Relationships

One should also be cautious of parasocial relationships, a concept I didn’t learn about until very recently and which I found a fascinating sociological phenomenon. Verywell Mind defines parasocial relationships as “[...] a one-sided relationship that a media user engages in with a media persona” of any type, real or fictional. Particularly important is a nested concept known as parasocial interactions, which, as VeryWell Mind also states, “[...] take place exclusively while interacting with a persona via media and psychologically resemble real-life face-to-face interactions." 

The article goes on to state that we’ve become so hardwired as a species to register face-to-face contact as social bonding, and that video technology is so new a technology that we haven’t evolved subconsciously enough to think of seeing people on social media (or any other media, for that matter) as anything other than being around them in real life. This is great because it can help us feel less alone and more connected, but just as connection and camaraderie manifest themselves in media-based and real-world interactions, so do heartbreak and animosity. This leads to parasocial attachments and parasocial breakups, respectively. And while ‘attachment’ may sound like a positive term (and, in the case of instances like celebrity crushes, it can), it can approach extremes.

For example, there was a documentary I watched once for Deviant Behavior that was called Beware the Slenderman. It discusses an attempted murder that took place when two girls became obsessed with the Slenderman, a horror figure described “[...] as an abnormally tall, thin man, with a featureless face” in an article by CBS. Between this fanaticism that stemmed from horror content on the Internet and some mental health problems, the girls became convinced that the Slenderman needed them to kill another one of their friends, and so they took her into the woods one day and stabbed her multiple times, which, thankfully, she survived. The presence of social media makes this phenomenon concerning because platforms like TikTok and Instagram allow users to consume a lot of content in a short span of time, potentially allowing them to forge parasocial relationships more readily, and so more incidents like what happened in Beware the Slenderman may occur with others who want, as the synopsis for the documentary on IMDb says, “[...] to appease [...]” the characters or people they are in parasocial relationships with.

The Allure of Quantitative Data

Speaking of appeasement, we discuss, in many of my data analytics and statistics classes, that numbers make humans happy. They make things simple, neat, and measurable. Social media provides this need for information, which is particularly important because people want to ensure they meet the goal of being cool and popular. Users can satisfy their curiosity on this front by simply checking how many people have liked their posts, how many followers they have, and how many people have commented. There is constant competition in today’s world for users (particularly in the young adult range) to have the highest (or, at the very least, respectable) amount of likes, followers, snaps, etc. This can present a problem, especially if someone has fewer followers or likes or has comments on their posts that are negative or attacking. Consequently, a person will develop low self-esteem and may even go so far as becoming depressed or suicidal, which has led to cyberbullying being highlighted more and more as social media makes more and more of an impact on today’s youth.

Connection to Deviance

The concept of deviance can also play a role in social media, at least in the etiquette sense, because, as we all know, different social media platforms have specific ways that you’re ‘meant’ to use them. For instance, Facebook is used to connect with others, particularly family and friends, and to share pictures or videos with stories or memories posted with them, which are meant to be treasured forever. Snapchat, on the other hand, is a more casual platform that is mainly used for sharing quick videos or pictures that people don’t attach much emotional meaning to or want to be discreet and temporary since the posts only stay up for a limited amount of time (which, by the way, is why drug dealers commonly use Snapchat to communicate. You wouldn’t want to post it on Facebook and have a higher risk of people becoming aware of your activities; that would be considered deviant within the criminal community). 

There’s also a generational aspect of deviance within social media. You’ll notice that most people who post on Instagram, Snapchat, or TikTok are relatively young. In contrast, people really only start to seriously use Facebook or Twitter (now called X) when they are in their adult or elder years. If you were to see a video on Instagram of your friend’s grandma doing a dance trend to a popular rap song and posting it on a personal account, that would be considered deviant, both because elderly people don’t usually dance to rap music (or do dances in the contemporary style, for that matter) or post on Instagram. Knowing these demographics can be helpful in OSINT investigations, which, coincidentally, is the next topic.

OSINT Investigations

Are Investigators Deviant?

Deviance can, in addition to relating to social media, be tied to OSINT investigation. Since the latest technology (social media, for example) is new and still somewhat out of the norm due to its exponentially evolving nature, it is deviant, making the data stored within inherently deviant. In addition, due to the developments in new technology, there have also been updates in the tools that investigators use to solve crimes. Thus, investigations have also become deviant because people still perceive the investigative norm as mainly focusing on tangible evidence. While physical investigation techniques will never be fully redundant, digital investigation, including the majority of commonly used OSINT, is becoming increasingly common. However, the public perception of investigation has yet to catch up to this reality, so OSINT is deviant, at least for now, in more ways than one.

Deviant Amateurs: Asset or Liability?

There’s another reason OSINT investigations are deviant: amateurs and people not in official investigative positions can join in on investigations. A couple of noteworthy examples come to mind. The first I learned of when researching this article was the story of the group Bellingcat. 

An article from France24 gives a pretty good overview of what the group does. Essentially, they act as investigators into the doings of various governments because nobody within international agreements, or individual countries, for that matter, is, in specific issues, willing to do it themselves, especially when it will create a scandal. Granted, investigations aren’t entirely outside the sphere of their everyday jobs (some of them are journalists), but I feel like most journalists don’t go to the lengths that Belligcat has. France24 notes that among their accomplishments has been the uncovering of various recent misdeeds and sabotages in the Russian government, although the Russian government is by no means Bellingcat’s particular target. The article says that one of the group members, when interviewing him, “[...] cite[d] investigations into the Syrian war, EU police agency Europol and others focused on Greece, Turkey, Hungary and the far right in the United States and Europe."

I suppose many journalists are used to this sort of danger (although these ones are treading a very fine line), but the average Joe certainly isn’t, and that’s where the second example comes into play. In my Deviant Behavior class, we had to watch a three-episode documentary called Don’t F**k With Cats. It is about a group of people on the internet who became enraged at a video that was posted on Facebook that, I am sorry to say, contained the brutal killing of a kitten in a context that indicated that it was for the personal enjoyment of the killer. Some people, horrified by what they saw, banded together and tried to figure out who the person who had done such a terrible deed was. As they searched, finding more and more information as they went along, the perpetrator posted more videos of kitten murder, escalating in their brutality until, finally, he went a step further and committed homicide. Eventually (spoiler alert), they caught the killer, with critical evidence from the group of amateurs used to ultimately confirm his guilt and find his whereabouts. 

However, in doing so, the group (as it appears in the docuseries; I know the series doesn’t tell the whole story, and likely, I may be biased) seemed to dive right in without taking appropriate precautions. The way they describe it, they got so enraged that they decided to investigate immediately. While one of the group members had a fake account they were investigating Facebook under, the perpetrator still discovered her identity and found out where she worked. OPSEC is critical for investigators, and while amateurs can be incredibly useful, they don’t know everything, especially not how to keep themselves safe while investigating (I include myself in this assessment, recognizing that I am an amateur myself). 

Additionally, in the process of their investigations, the group trying to identify the kitten killer (prior to the homicide) at first thought they had found the culprit due to a self-declared boast of guilt, but it turned out to be an internet troll. However, before anyone found this out, they had already threatened the person trolling the group, calling him names and bullying him. Eventually, he committed suicide. None of the group meant for it to happen, but investigations sometimes go very, very wrong. Since none of the amateurs (at least, none mentioned outright in the docuseries) were official investigators, they didn’t have the experience or training to know that one always needs to fully confirm everything and not jump to conclusions. 

Again, amateurs do still have great things to offer to OSINT investigations. They think of ways to glean information in plain sight, while official investigators have kind of been trained to rely on specific databases and exclusive tools. However, when doing OSINT, or any investigation, really, you need to have a firm understanding of the responsibility you hold to find the absolute truth and to do so without endangering yourself or anyone else in the process, and this is, unfortunately, where many amateurs struggle. Another area of struggle can be distinguishing truth from fact and avoiding bias in investigations, which I will discuss next.

Informational Echo Chambers, Source Reliability, and Deepfaking

In at least one of my CRIM/SOC courses, we talked about informational echo chambers. This common phenomenon consists of a person only seeking out and trusting information sources that say things that they agree with. If you’ve ever wondered why some people prefer one news channel over another, this idea explains why.

Besides the risk of biases affecting the judgment of media users, there’s also the risk that the content may be entirely fake. I’m not just talking about lies in the media, although that is, unfortunately, an ever-growing concern in today’s world. I’m talking about the development of technology that allows for the presentation of false information. During the Plessas Experts Network (PEN) OSINT 101 course, I was shocked to discover that anyone can open the inspect panel on their web browser to change pictures and words in a website to produce a fake display that can be screenshotted and shared to others. In OSINT 101, Kirby Plessas used the example of editing a news headline, demonstrating how easily someone can produce a very realistic screenshot despite the news media content being changed to something very different from the original article. If the user were to screenshot their work and send it to someone else, it would appear to be an official article and might be taken as believable.

And this isn’t even the technology with the most potential for sowing disinformation. The development of AI and deepfaking technology has become problematic for elections worldwide. One particularly troubling example described by multiple news articles (the best summary of the event can be found on NPR, but other good articles can be found through The Washington Post and The Hill) was the recent series of deepfake phone calls that, by all accounts, sounded like President Biden was delivering them. The calls consisted of faux-Biden attempting to persuade left-wing New Hampshire residents not to vote in the primary elections, saying, "‘Your vote makes a difference in November, not this Tuesday’ [...]." While this isn’t the most convincing example of a deepfake, people may still fall for it, and that is why the incident is being treated as a voter suppression case, notes NPR. OSINT knowledge can be an incredible superpower in cases like these. In PEN’s OSINT 101 class, we learned how to distinguish AI-generated images from real ones, a skill that will become useful when assessing source reliability during the election season.

Flawed Data

Data Biases

As scientists of all types, not just criminologists and sociologists, know, data and data collection are fickle things. When a concept is being studied or a hypothesis tested, no matter how objective the scientist attempts to be, there will always be some fraction of bias or personal opinion inserted into the study. Let’s say you’re studying poverty and its relationship to other variables. Poverty is brutal to measure because its definition is subjective. As I learned in my Community Analytics course, people who study poverty have many ways of quantifying it, so findings will vary from study to study. This limits OSINT investigations because investigators rely on public data, meaning they may pick up unreliable information.

Flaws in AI and Geolocation

This is particularly problematic with AI because the sources that it is primed to pull information from are not always accurate or may be biased. While it sometimes produces correct output, we cannot check its work because chatbots do not list its sources. AI can read all the biases and false information on the Internet, so OSINT investigators must be careful when using it as a research tool.

Geolocation is also somewhat problematic. In high school, I took a couple of Geospatial Information Sciences (GIS) courses and learned how to do a lot of research that way. The tool we used most often was called ArcGIS, although we also used ArcGISPro a lot as well. Both resources had vast databases of data collected by many organizations, which we would use to investigate relationships. One project we did was analyzing Chicago’s crime data for a set time. However, I later learned that crime data has a huge problem: it’s wholly inaccurate. Don’t get me wrong, crime data is essential, but the problem is that it depends on equitable policing. As I’ve learned in many criminology courses, there are inherent biases that people have against other groups of people, making them racist, sexist, homophobic, classist, etc., without them being consciously aware of it. I’m not excusing this behavior by saying everyone is affected by it; quite the opposite. I’m saying that because we have these biases, we need to be aware of them when collecting data. Unfortunately, because people who collect crime data (law enforcement, investigators, scientists, etc.) are human, they are biased on where they look. That’s why there is a disproportionate number of arrests in poor neighborhoods, especially in those mostly populated with people of color. But what does this have to do with GIS? One incredibly cool feature of ArcGIS is that it can create cluster or hot spot maps, showing high concentrations and low concentrations of data points, making them a go-to tool for people who want to predict future data. 

However, because crime data is inherently biased, we can already predict, based on our stereotypes of crime, that there will be a higher concentration in poor, urban neighborhoods. The reality is that rich people, poor people, races of all types, and people of all genders commit crimes roughly about the same amount. But, because there is simply not enough data being collected in rural or suburban White neighborhoods, we get a disproportionate, misrepresentative view of the data, which is detrimental to other researchers and investigators. And, because people will mistake the output for the truth, policing will continue to revolve around poor, urban neighborhoods where there will be even more data collection, ‘confirming’ the findings of police and investigators.

Conclusion

I am grateful to have been given the idea to write this article, as I hope it will positively impact the OSINT community. This network of truth-seekers will only thrive if we are willing to share our unique stories and perspectives based on our diverse backgrounds. Our differences are assets, allowing us to see the world differently. When we combine these ways of seeing OSINT, we can better understand the intricacies of social media culture and its differences from other technology. We can more readily accept different viewpoints highlighting the implications of our work if we discuss them. Lastly, when we converse about OSINT tools and data, we will be privy to various opinions on their merits and dangers, particularly as they pertain to using tools in the media and how data may or may not be reliable. I hope sharing my perspectives will foster connections between OSINT community members from diverse backgrounds. Everyone has a particular set of unique skills, and I hope this article will spark discussions that will bring those to light. To help start the ball rolling, feel free to reach out to me on LinkedIn and share your insights!

Resource List

Editing Assisted by

  • ChatGPT

  • Grammarly

  • Kyle Elliott, COO, Plessas Experts Network, Inc.

  • Kirby Plessas, CEO, Plessas Experts Network, Inc.

Kirby Plessas
Crafting Effective OSINT Prompts for Law Enforcement and Online Investigations

Coming soon we will host a webinar updating our use cases for AI and OSINT. In thinking about this, it may be useful to give some example prompts. In the digital age, having a repository of refined prompts for AI tools like ChatGPT 4 (paid), Bing Copilot, Google Gemini, and You.com (free) can streamline your efforts and enhance your investigations. Collecting a few examples that have produced great results can get you started even on unrelated cases. Here are some expertly crafted prompts and tips to boost your OSINT activities.

1. Corporate or People Research

When researching companies, AI excels. It can be a little trickier to research people, but it can be done. The following prompts worked well.

PROMPT: Act as an Open-Source Intelligence (OSINT) Specialist. I want you to gather information from publicly available sources for me. Your answers should be concise and specific to the information requested. Do not include personal opinions or speculation. Find information about the current CEO of Plessas Experts Network, including locations of events, colleagues, and any future events.

I got the idea for the above from an interesting Reddit thread on the topic, and it worked best in ChatGPT and Copilot

PROMPT: Who are the primary customers for Plessas Experts Network?

This query analyzed the company descriptions and provided the types of customers that were likely. Each AI gave a slightly different output, but all generalizties. This might be given further details to try to identify specific customers or entities.

PROMPT: Please find connections between Kirby Plessas and Kyle Elliott based on their online presence and interactions, and list them.

I got the idea for this query from DorkSearch. ChatGPT 4 and You.com (ChatGPT 3.5) did best.

PROMPT: Who owns Pastebin.com

This prompt could be used for companies, mobile apps, etc. Addresses can be queried, and although specific owners were not identified, other pertinent information was, and in most cases, included suggestions on where the owner information can be found.

PROMPT: Create a smart research strategy for investigating a company in Ukraine

While this query was useful in all AIs, Gemini excelled at this task and gave direct links to suggested resources.

PROMPT: Identify 5 experts in the field of cellphone analysis that have worked with law enforcement in the past

Interestingly, each of the AI tools did well with this but gave different experts, so try them all with queries like this one.

2. Craft Advanced Queries for Search Engines

If you're looking to find specific online mentions, consider being very specific about what you want and ask AI to create a Google or Bing “dork” or advanced query. These queries use search language that limit the searches to specific parameters, such as keywords included in titles or results from a specific domain.

PROMPT: Create a Google dork that will help me find posts mentioning Bill Smith but only in conjunction with Las Vegas, NV, Miami, FL, or Phoenix, AZ. They must also have to do with cryptocurrency or the dark web, have the name in the title, and come from government websites.

The above query works wonderfully, but be aware that not every search engine can handle multiple advanced operators like Google can. If the return is too complicated, use it in Google, but then simplify for other search engines.

3. Demographics and Trends

Consider looking for insights into particular demographics and trends.

PROMPT: Generate a detailed profile of the average meth user in Salt Lake City, Utah, including demographic, psychographic, and behavioral traits

The above query was inspired by an article on SocialPilot.

PROMPT: Generate a list of trending topics on Reddit for likely drug users

While queries involving drugs may be a very important topic for some investigators, the AI tools were somewhat cagey with the answers, and ChatGPT 4 refused to provide any answers. The AI tools are building in protections against misuse and are likely trying not to help a user obtain illegal drugs, but you may have to ask follow on questions or reword in some cases.

PROMPT: What are 20 slang words that homeless people in Arizona use?

All of the AI tools returned slang results, but Copilot was the only one that really understood the regional aspect of the question.

PROMPT: Examine the rates of homelessness and the crime rates in Lexington, Kentucky. Are there any patterns over time? Are any regions of the city more susceptible to either homelessness or crime? Provide deep analysis and citations.
PROMPT: Generate a thorough set of addresses and locations within Tucson, AZ where homeless people gather. Include descriptions of activity, such as tents or panhandling locations. Give intersections of street addresses when possible. Explain why each location is included. Estimate the number of homeless people in each location at any given time.

These two examples show more detailed instructions. If your instructions are long and very specific, you will get more specific answers, so don’t be afraid to outline your parameters. Another suggestion would be to ask follow-up questions to get down to the answers you need - but be sure to include the follow-ons when saving to your examples list so you have some guidance next time you run across a similar need. By the way, Gemini absolutely excelled at the second question.

4. Investigative Research

PROMPT: What are some gang names used in Tucson, AZ. Exclude large national gangs.
PROMPT: What street gangs are operating in Tucson, AZ. Exclude large national gangs.

These questions returned some great answers, specifically in Copilot, but be aware of AI hallucinations (incorrect data made up by the AI). Also, be aware that the data may not be complete. Consider this a jumping-off point for further queries or search engine keywords.

5. Technical Tutorials

Prompt: Write a simple step-by-step tutorial on how to install and use ExifTool

Replace ExifTool with whatever tool or website you want to learn. Gemini was very helpful in identifying prerequisite software in this case.

PROMPT: Write a chrome extension that will highlight all email addresses in a webpage

Have the AI create custom software, browser extensions, or Python scripts for your own use. Depending on how technical you want to get, you can create tools for yourself, your team, or the OSINT community.

6. Uploaded Images

Images can be uploaded into the AI tools. Copilot and Gemini allow this for free while Chat GPT 4 and You.com offer this as a premium service. Here are some sample prompts for images.

PROMPT: Analyze this image, identify all text available, translate into English, and provide the locations that are possible according to the street signs
PROMPT: Analyze this image for possible location indicators
PROMPT: Analyze this image and tell me if it is AI generated or not

In the case of the last result, I was able to feed the tool an AI generated image that it could not identify. As before, be wary of the results and double check anything that could be seen as factual.

7. Data Manipulation and Analysis

Excel and other files can be uploaded into ChatGPT4 or pasted into the other AI tools for manipulation and analysis. This can be a huge time saver.

PROMPT: Extract all email addresses from this data. Exclude duplicates.
PROMPT: Extract all phone numbers from this data. Put into a common format.
PROMPT: Clean up this data and return only names and web addresses. No bullets or numbered lists.

Great for getting data ready to input into other tools (Like Custom Search Engines! See my blog post.)

PROMPT: Analyze this data and tell me what this is about and any locations if possible
PROMPT: Analyze and explain this data

Great for mysterious messages, lists of seemingly unrelated content, or computer code.

PROMPT: Identify and analyze patterns in this data
PROMPT: Identify the names that show up on this list more than once

Useful for comparing friends lists, and specifically to find hidden friends lists or the infamous Finstas.

For more insights and prompt ideas, explore these resources:

- OSINT Combine

- ChatGPT for OSINT Investigations on Medium

- DorkSearch's Blog on OSINT

- 103 OSINT ChatGPT Prompt Ideas

- AI Prompt Examples by Formidable Forms

These prompts and resources are just a starting point. As you progress in your OSINT endeavors, adapt and refine these prompts to fit your specific needs and circumstances. Stay informed, stay agile, and leverage AI to enhance your investigative capabilities.

Kirby Plessas
Quick CSEs - a guide to making CSEs efficient for temporary usages (with AI)

Google Custom Search Engines (CSEs) are an under-utilized resource. They can be made quickly and robustly and shared with the whole team. And they don’t have to be permanent (or semi-permanent) tools. They are easy enough to make, with the help of AI, to create for one time uses.

Let’s first tallk about making CSEs quickly but without AI. My go to for this is to use Instant Data Scraper for Chrome. Any page that has a list of links I would like in my CSE is easily converted into a spreadsheet that I can use to copy and paste content into my CSE. Let me show you an example:

Similarweb lists websites and ranks them by popularity

Using Instant Data Scraper, I grabbed the top 45 online marketplaces worldwide.

Once I had the lists, I removed the extra columns because I only needed the basic web addresses. From here I chose “Copy all”

Next, I took it to the Google page to create a CSE. I named it and put a dummy website as a place holder.

I created the search engine, but next I chose to customize.

First, I removed the dummy place holder.

Then, clicking Add, I was able to paste in the contents from Instant Data Scraper. I remembered to remove the top line (column name), and I added a few online marketplaces I knew were good but were not in the list.

The online link for the search engine is in the top panel of that page. I clicked through to do a couple sample searches.

Now that this search engine works, I added it to our Resource page.

Instant Data Scraper puts things in a nice spreadsheet, making copy-paste into a CSE dead simple. But some lists aren’t scrapable in this way, or, if they are, they need some cleaning up to paste into the CSE. Removing bullets, extra characters, descriptions, etc., is required for Google CSE, and the input field is very specific.

This is where AI comes in. Of the popular AI tools available, I find ChatGPT the best at understanding what I want. I can copy a long list of websites with descriptions and bullet points, easily remove duplicates, clean up the text, and make it easily ready to insert into a CSE. For example, I was able to copy the results page from a Google search into ChatGPT and ask it to list URLs for the results only, without bullets, and it was ready to copy and paste into my CSE. I can even ask ChatGPT for a specific list of resources and add them directly into a CSE. Additionally, I could upload a spreadsheet or a graphic into ChatGPT, have it resolve, and then list the URLs for yet another CSE.

Google allows for 5000 sources across your collection of CSEs. In most cases, my CSEs have between 50 and 100 sources, which means I can have a lot of CSEs, but I still might want to make and delete some for short-term projects quickly. Check out our growing list of public CSEs.

Kirby Plessas
New Facebook ID numbers for pages?

For anyone who has been doing deep searches on Facebook, the ID number of a page is critical information. Recently, I’ve noticed that the employer and education pages IDs were not working in either the advanced search tools like SowSearch or the manual Base64 translation method. I have worked out the change and restored my search capabilities, but I would like to outline how this might be done for anyone should this happen in the future.

First, perform the search as you normally would do. My example will be looking for students named Brian who are attending or have attended Georgetown University. Note that I am choosing an easy-to-access example because restoring the capability requires this to be easily searchable in Facebook - meaning that it will definitely show up as a suggestion in the Facebook filters.

First, using the source code method of getting the ID number for the chosen Facebook page, I will search within the code for container_id and paste that after facebook.com/ in my browser to test that it is indeed the ID number I require. In this case, the ID number for the Georgetown University page on Facebook is 100064869785068. Using SowSearch, I select people in the dropdown menu and add this ID number into the “school” filter, remembering to click “add filter” and scrolling up if needed to double-check the filter has been added. Then I use the search term “Brian” and choose the center choice to open the URL in a new window.

SowSearch.info

This is where things go wrong. No results. Surely, there is someone named Brian on Facebook who has attended Georgetown University.

Zero results

Notice on the sidebar of Facebook that there are no filters added. This is the issue. So I manually added Georgetown University in the education search filter, and there are numerous Brians! So, are we stuck using only Facebook's suggestions for that field?

The Brians have been anonymized.

No. Let’s examine the differences in the web URLs for each result.

Our search with no results is https://www.facebook.com/search/people/?q=Brian&epa=FILTERS&filters=eyJzY2hvb2wiOiJ7XCJuYW1lXCI6XCJ1c2Vyc19zY2hvb2xcIixcImFyZ3NcIjpcIjEwMDA2NDg2OTc4NTA2OFwifSJ9

And the search with results is https://www.facebook.com/search/people?q=Brian&filters=eyJzY2hvb2w6MCI6IntcIm5hbWVcIjpcInVzZXJzX3NjaG9vbFwiLFwiYXJnc1wiOlwiODgyNTMzMTI0NVwifSJ9

Comparing just the filters:

eyJzY2hvb2wiOiJ7XCJuYW1lXCI6XCJ1c2Vyc19zY2hvb2xcIixcImFyZ3NcIjpcIjEwMDA2NDg2OTc4NTA2OFwifSJ9

eyJzY2hvb2w6MCI6IntcIm5hbWVcIjpcInVzZXJzX3NjaG9vbFwiLFwiYXJnc1wiOlwiODgyNTMzMTI0NVwifSJ9

They are clearly not the same. But we know both are Base64, so let’s decode using Base64Decode.org.

Our decoded original filter looks like this:

{"school":"{\"name\":\"users_school\",\"args\":\"100064869785068\"}"}

And the decoded working filter looks like this:

{"school:0":"{\"name\":\"users_school\",\"args\":\"8825331245\"}"}

The only difference appears to be the ID number. But what ID number is that? Testing it by using it after facebook.com brings us to… Georgetown University. Try is: https://www.facebook.com/8825331245

Both ID numbers go to the university's Facebook page. Why?

Going back to the source code for the page, searching for 8825331245 should help us identify how to get these secondary IDs.

Searching within the code, I determined that there were 14 times that the new ID showed up in the source code. Looking at the code before the ID number, there are a selection of possible search terms to use in the future, but they must be tested first to make sure they are in use across a number of pages. After testing a variety of business and fan pages across Facebook, I discovered that associated_page_id worked well (and is descriptive). Once I started using that ID number in both SowSearch and via the manual search method, I regained full search capability for those pages.

This has been updated on my Facebook Matrix page. Additionally, if you are having problems with a shifted source code search (in both Facebook and Instagram), watch this video for the solution.

Kirby Plessas
AI is coming for your vote!

Hey - Kirby here. I love AI, but I am just dreading this election cycle. Please watch and share this video that I have created to increase AI-literacy. It’s going to be bad!

Kirby Plessas
Tracking the Ad Trackers for OSINT OPSEC and Investigations

by Sarah Womer

Collecting entities tracking domain visitations can be helpful for OPSEC and OSINT investigations. 

On January 14, 2023, I authored a LinkedIn blog post on “Domain Ads and Ad Analytics as an Information Resource for OSINT Investigations FouAnalytics PageXray for Domain Profiling a Propaganda Outlet.”

At the time, I noted-

“Typically, people will often look at Ad Analytics when visiting a domain for marketing, OPSEC risks, and privacy concerns. However, ad tracking, fingerprint canvassing, and other collection activities that can be viewed are also a resource of information for investigative collection. Just as metadata may be crucial to an OSINT investigation, so may Ad Analytics. Ad Analytics may be used for fraud investigations, Bot Detection, identifying authentication vulnerabilities between login and domain, foreign connections, domain relationships to other domains, domain profiling, and has other uses.” 

Ad Trackers on a domain can be used beyond marketing for user visitation surveillance. Visitors can be tracked after they leave the domain and targeted as a part of an attack. Checking who is tracking visitors on a domain is counter-surveillance and OPSEC. 

It is important to stress that the website owner or maintainer may not even be aware of the extent of the tracking, as many trackers are placed from a package of ads that are purchased through a third-party broker. Likewise, the service, such as a webpage builder or host, may have a built-in network of trackers. Easy website builders, for example, like GoDaddy, Wix, and Squarespace, may come with trackers. Site owners are able to check which third-party services are tracking on their domain but oftentimes don't. The reason for this flaw is simple: the identification and importance of that type of threat has been understated for years.

On May 11, 2023 Jonathan Pidgen at Media Analytics Global noted-

“Ad fraud is everyone’s problem, and there are very few exceptions. The majority of global brands have the same issues, so don't feel alone. You can't be blamed for something you never knew about. Let's learn together and grow together! The root of the problem is the "black box" legacy verification vendors. Their ineptitude has allowed "ad fraud" to flourish and become the "norm." The trade associations (ANA, IAB, TAG, etc.) have rubber-stamped the global epidemic of ad fraud by parroting the 1% IVT reported by legacy verification vendors.”

It is everyone's problem, as this type of fraud does not just impact marketing and branding; it impacts the consumers, customers, and visitors to a domain. In addition, tracking is sometimes a part of something larger or different than advertising. For example, what happens when a government uses browser fingerprinting and tracking as a third-party tracker on a domain? A government oftentimes has a larger budget and can buy ad-tracking technology just like a company, a charity, or anyone else.  In addition, some government sites have ad tracking from third parties, which also may present security concerns. 

For OSINT communities, most practitioners know that tracking is a threat to privacy and that it can compromise collection requirements. Many OSINT practitioners suggest ad blockers, malware removers, VPNs, privacy-enhanced search engines, and other options. However, unless a domain is visited with no-touch research techniques (including air gapping as an option)  or a Virtual Machine with a VPN, there is still much wiggle room for error, especially when some third-party trackers that download to a computer are designed to evade blockers or may be hidden in creative ways. 

Following are some compromise examples and suggestions on how to gauge tracking on a domain for OPSEC and Investigations

Scenario: Not Common But Occurs, Organizational Tracking

Much of the tracking present on the following domain is not ad tracking and is organizational tracking. Tools used in the following example include- Fou Analytics Page XRay, Domain Tools Who Is, and Webbkoll Dataskydd.

National Bugle Neo NAZI Tracking

FouAnalytics PageXRay is used first, as I have found it to be the most comprehensive out of any of the tools for showing ad tracking and malvertising on a domain. It also provides an excellent first stop for OPSEC before visiting a URL and oftentimes provides pivotal information for an investigation.

Below is a description of the tool from Dr. Augustine Fou-

“The PageXray tool is a headless Chrome browser which loads a webpage and allows the javascript to run. A headless browser is a normal browser but one that does not have a screen. These are developer tools used to automate tasks like testing a webpage to make sure it loads correctly. With a headless browser, we go beyond the static code that is visible on the page when a user clicks "views source." We record all the network calls made by the javascript and preserve the "chains" of "what called what." Then we plot these in a tree graph that shows the cascade of what calls what to reveal the shocking number of ads and trackers and other things loaded into a webpage, often without the users' knowledge.”

As of August 7, 2023 FouAnalytics Page Xray showed that visitors to the National Bugle had tracking as depicted on the following graph.

A cursory look from FouAnalytics PageXRay shows this domain had tracking from the United States and Russia. It did not show any browser fingerprinting or supercookies. Of interest is that there are two instances of ad server requests from a Daily Stormer domain out of Russia. The Daily Stormer is not an ad company or ad tracker, it is another extremist Neo NAZI domain that has been banned from multiple other locations. In this instance, confirming the location of the tracker is fairly clear as there is no intermediary tracker between the National Bugle and the Daily Stormer. 

For double-checking the Daily Stormer’s Russia location, there are options. In this instance, a basic WHO IS was conducted with Domain Tools. The WhoIs reconfirmed a possible Russia connection to the tracking domain of Daily Stormer that can be further investigated. A simple Search Engine query of the domain name “dailystormer.in” and Russia provided a VOX 2017 article,”Neo-Nazi site Daily Stormer resurfaces with Russian domain following Google and GoDaddy bans”, by Aja Romano stated that the domain resurfaced in Russia during the 2017 timeframe.

For OPSEC, If tracking is of concern from Russia by a Neo NAZI extremist organization, then enhanced security should be incorporated into visiting the site and in any collection plans. Possible risk mitigation measures include- no-touch research with the Internet Archive Way Back Machine or other measures. If all that is needed is a preview of what is on a particular URL for OPSEC and a screenshot, then Fou Analytics Page XRay provides that with a URL query of the domain. 

In addition, FouAnalytics PageXRay provides a preview of all of the external links hot-linked on a page with their position on a page. This provides further security as the information is provided without touching the domain. The domain is touching Fou Analytics PageXRay. Below are examples of hotlinks that were available for preview with a hover versus a domain click on the FouAnalytics query that provided enhanced OPSEC and possible pivot points for an investigation.

Hovering over “Contact Us” showed that the listed Point of Contact for the National Bugle is Zio Watch. This is a possible pivot point for a domain or organization investigation.

Hovering Over “Join the Conversation” provided a lead for a social media venue for the organization on ChantNGo.

Hovering Over “Donate” requested fundraising donations through cryptocurrency.

In addition to showing where external links are on a page, FouAnalytics PageXray also provides a compiled list of external hotlinks to a URL that can be useful for OPSEC and investigations. Below is an excerpt from the compiled external links of the National Bugle Domain URL as of August 6, 2023, via Fou Analytics Page XRay, including several social media locations from Vokante, a Russian social media platform.  If the domain or organization were under investigation, this information may be useful.

FouAnalytics PageXray also provides a list of the internal links on a page and a list of ad-serving domains.

For the domain of The Daily Bugle, Internal Links provided further insights for fundraising through cryptocurrency. The Adserving Domains showed ads were served through WordPress. 

There are also several other options available on Fou Analytics PageXRay that may be of use. A user can cross-compare the graph with the HTTPs HAR JSON and the Detailed JSON, which are offered for download. Additional insights on the tracking are also offered in the JSON. A download of the domain graph is also offered as SVG.

This is not a complete overview of Fou Analytics Page XRay as that would be an entire user manual, and Dr. Augustine Fou has authored multiple articles about this resource that are available on his LinkedIn page.  This example simply introduced how to use Fou Analytics PageXray for checking a domain OPSEC, privacy, and investigative leads. 

In order to further check OPSEC as it relates to the domain and for further investigative leads, I am now going to pivot to Webbkoll DataSkyDD (Webbkoll).

Webbkoll provides a description of “monitors privacy-enhancing features on websites, and helps you find out who is letting you exercise control over your privacy.”  This resource is useful to domain maintainers and visitors for OSPEC and investigations. 

The following Webbkoll query results of the National Bugle provide additional OPSEC and investigative insights that are broken into sections of- front end summary, Content Security Policy, Reporting, HTTP Headers, Cookies, Third Party Requests, IP Address, and Raw Headers.

The front-end summary on this resource shows that the domain may have some vulnerabilities as it relates to privacy. It also shows that there were 18 requests to unique hosts, which further confirms findings on Fou Analytics PageXray that also depicted 18 “other requests.” It also has conveniently provided the IP for pivoting to IP investigations.

Next, this resource provided insights into a possible vulnerability with the Content Security Policy. A full explanation is provided by Webbkoll highlighting why this may be a vulnerability, including- “Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware.”

In other words, from an OPSEC perspective, this site may not be safe to click on.

The next part of the Webbkoll query showed the CSP, Certificate Transparency, and Network Logging, explaining why they are important.

After that, Webbkoll provides OPSEC insights on the HTTP Headers of the National Bugle and why that may be a problem. Webkoll notes “The referrer header is a privacy nightmare as it allows websites and services to track you across the web and learn about your browsing habits (and thus possibly private, sensitive information), particularly when combined with cookies.”

This resource then showed that no cookies are present, which is a good thing, but the HTTP headers issue is still of concern, and there were 18 other tracking-related requests.

Webbkoll’s  Third-Party Requests data confirmed data that FouAnalytics PageXRay provided and provided the IP addresses of those 18 requests and whether they were secure or insecure. 

In addition, a user can attain additional information from each URL. 

This may be overkill for an OPSEC check, but it can definitely be of use for a domain and organizational investigation and offers additional pivot points.

Webbkoll also offers further IP information and Raw Header data, including software of the server that may be of investigative use.

The FouAnalytics PageXRay Query, Domain Tools Who Is, and Webbkolmay may be enough for an OPSEC assessment prior to visiting the domain. In most instances, a visit to Fou Analytics PageXRay is enough in and of itself if the concern is a tracking check. 

For pivoting in OSINT investigations, multiple leads were provided in this example that could be pivoted to additional resources such as URLScanIO, Joe’s Sandbox (to check for Malware), BuiltWith, a backlinks checker like AHREFs, View DNS INFO, Shodan, and many others. 

Contact Sarah Womer on LinkedIn.

To learn more techniques and how to apply these to your investigations, take Sarah’s full day class “Tracking the Trackers" on February 20 or On Demand.

Kirby Plessas