How to do a small OSINT investigation

(Click here to watch and listen to the video version of this blog entry)

Introduction

With an overall increase in people’s interest in OSINT either as a tool to fight disinformation, part of the reconnaissance phase of ethical hacking, or as an aid in the investigation of possible war crimes, we have come to witness a surge in videos, articles, podcasts, etc, on the topic. For most of it, the focus tends to be the tools needed to get the job done. But the job is not done with the tools, it’s done with your brain. The tools are just there to help you gather the (open source) data that you will still need to verify, analyse and, later on, turn into intelligence. This can be in the style of a report, an article, a book, or any other form of wider dissemination of your findings.

In this blog entry I will take you along a small OSINT investigation focused on the Russia – Ukraine conflict, starting from the data collection, going past the verification process, followed by the analysis of the findings, and finally the report writing of the intelligence gathered.


The Title

Ideally when you start an investigation you should have a very clear idea of what you want to find out. It’s much harder to find the answers when you don’t have the questions.
This could be something complex like “Are the mass graves in Bucha a result of the attacks on civilians or a byproduct of the limited access to healthcare and emergency services in a war zone?“, or something simple like “How many churches were shelled in Mariupol in the month of April 2022?“.
Sometimes you start with the question and will have to try to find the data needed to answer it, and sometimes you come across the data and a question immediately pops up. Either way, for you to start an investigation you need a clear and well defined question, whether that question comes before or after you have access to that data, that’s up to the circumstances.


The Data

The Centre for Information Resilience, alongside Bellingcat and GeoConfirmed, have been collecting, verifying and sharing geolocated data on Russian military activities in and around Ukraine on an online map entitled “Russia-Ukraine Monitor Map” since January 2022. As of December 2022, the map has been moved to EyesOnRussia.org. As one among dozens of people involved in this massive project, it is both thrilling and daunting to see how much the database has grown in the past months. This impressive product is available, for free, to anyone who wants to see, interact with, or use it for their own intelligence reports (please credit our work though). Below on the left you can see the first map, used from January to December 2022, and on the right the new map in use from December 2022 onwards.

I have selected this public database as the data source for our little OSINT investigation as it is widely accessible, easily verifiable, and I know how much sweat and tears was put into it. Definitely more tears than sweat in my case, I tend to work sitting down.

So if we go to the map, this is what we would see below. There’s a world map and at the centre is Ukraine where hundreds of markers point at the various geolocated data. All these markers are organised in several categories, such as “Civilian Casualty“, “Russian Firing Positions”, “Munitions”, among many others. A box on the map contains information about the Russia-Ukraine Monitor Map as well as some links.

In the left image below you can see how on the old map used to include an item count which is not present on the new map. At the time of writing (May 2022) there were almost 4000 logged entries, all geolocated and verified by the team. The number grew exponentially by the time the new map, seen on the right, was introduced.

On the old map, when you clicked on “Basemap” on the top right, you could change the style of the map. For this blog entry I had selected to put it in “Pirate” style because I like to amuse myself with the little things in life.
This option is no longer available on the new map which is, in my humble opinion, a huge tragedy! You can however select between “default”, “classic”, or “Earth” style, as seen highlighted in red on the right image below.

But now something interesting happened. Once I zoomed out enough I realised that there’s some peculiar markers across Russia, almost creating a line between Ukraine and the far East of Russia, all the way to the shores of the Sea of Japan or East Sea. What could this be?

And that is how I ended up with an idea for a small investigation for this blog.
We’ll be looking at these markers on the map and try to understand what was happening, when it happened, why it happened, and what intelligence can we get from it. It won’t be anything ground breaking or worth a Pulitzer, but it will be a nice overview of how an OSINT investigation progresses from data to intelligence.

On the left image you can see the markers on the “old map” versus the same markers, on the “new map” on the right.

When you click on one of the markers on the map you can read more information about the geolocated incident. I started with the furthest marker from Ukraine, in East Russia, not too far from China and North Korea. Once you click on it you can see a preview of the data, a link to the source, some brief description of the event and the coordinates (among many other details).

If you then keep checking the markers highlighted across Russia, you’ll quickly realise that they are all showing similar content (military vehicles transported in trains) from around the same time (January and February 2022).
We’re lucky that the amount of data for this specific investigation is fairly small and we can check every single entry quite quickly, but sometimes that is not the case.

The EyesOnRussia map has a few options that we can use to filter the data. We can easily tell by clicking on the markers across Russia, they were all from events recorded between January and February 2022. We can therefore remove anything else from the map to clear up our view a bit.
We can do this using two different filter options; first we narrow by location on the map, and then we narrow by date.
Below are the steps to narrow down by location. Start by clicking the “Draw on map” symbol just above the “1” circle. Then select “Rectangle”, next to the “2” circle, and click on the map to mark the first corner as seen next to the “3” circle. Afterwards simply drag the cursor until you are happy with the borders of your search and select the “Only Events in Map Frame” option on the left, next to the “4” circle. Even though the other markers are still visible on the map, they are no longer on the list of events on the left.

Afterwards we will narrow down our search to the desired date range: start of January to end of February 2022. We can do this by either manually selecting the range on the left column, highlighted in red below, or by dragging the bar seen where the blue arrow is pointing until you reach the correct time frame.

We are only interested in the Russian military movements as that is the category of all the markers across Russia so let’s select the “Russian Military Presence” on the left bar.

Once you’re done with all the filters, simply click inside the rectangle so it goes from a dashed line to a solid line. Afterwards you will be able to see that the list of events, on the left bar and at the bottom, now only contains those that fit the criteria. They are all between start of January and end of February 2022, and they are located within the selected area. If you click on any of the events on the left you can quickly see the data, coordinates of the geolocation, and more details of the event.

Now that we have access to all the relevant data it’s time to move to the next step in an OSINT investigation.


The Verification

Data is only good if we are able to verify it.
As we already have the footage and the coordinates we can quickly double check that they were correct before adding the data to our report. Last thing we want to do is build an entire investigation and draw conclusions around incorrect or misleading data.

I selected the video previously shown, from the very far East of Russia, uploaded to Twitter on January 12, 2022, and quickly checked the area around google maps to confirm we have the correct geolocation (44.604920, 132.824411).
On the left we can see a frame of the video at 0:41min and on the right a photo I found on google maps of the train station in Spassk-Dalny, a town in Primorsky Krai. The blue building is a clear match. The photo was clearly taken between the big pole and the building. In fact, at the very beginning of the footage we can see the pole and the fence, both also visible on the google maps photo on the right.

As we don’t have too much data to analyse we can easily do this to every single piece of footage we plan on using.
Once finished we can move on to the next stage of an OSINT investigation.


The Analysis

Now it’s time to answer the question “What intelligence can we get from all of this?“.
At this point we have answered the “when” (January & February 2022), the “what” (trains taking military Russian vehicles to the Ukrainian border), the “why” (preparing for an invasion), we are just missing the intelligence so let’s get some.

We know that all our entries involve trains so I searched for a map showing Russian train routes. I found a good one by simply searching “Russia train routes” on google images. It depicts the different lines in various colours so we could easily identify which route go where. Afterwards I placed the new image with 50% opacity on top of our data map to see if I could spot any interesting pattern. Unsurprisingly we can see how the markers on the map match the Trans Siberian Express route, starting all the way at Vladivostok, and going across the country, before stopping at the border with Ukraine. At some point this line also connects with the Trans Mongolian Express, although there’s still two markers on the far East that can only match the Trans Siberian route, nothing else.

Fig. Russian train routes map layer on top of the Russia-Ukraine Monitor map on the old maphub.

So now you must be thinking “So what? It’s obvious that the Russian government would be using the Trans Siberian Express route to move military vehicles from the far East to the Ukrainian border.” And you are right, it was an obvious choice; but that also means that it was predictable and predictability in war is deadly.
What could we possibly do with such information? We could do what I just did in 5 minutes; now that we have the names of the cities from where the trains are passing through we can search for live cameras pointing at the train tracks. Let me show you how fast it is.

A quick google search for railway cameras takes me to railwebcams.net, a website dedicated to “railroad, trams and station webcams worldwide“.
At the top of the website I chose “Rail Webcams By Country” and then selected Russia from the list.

Fig. Screenshot of the homepage of the railwebcams website.

I’m particularly interested in Vladivostok, the last (or first) station of the Trans Siberian route at the very far East of Russia, just a few kilometres from the Chinese and North Korean border. Luckily for us they have 3 webcams in that city, the first of which pointing at train tracks. Aren’t we lucky?

Fig. Screenshot of the page on railwebcams website showing the railway cameras located in Vladivostok, Russia.

If you click on the “Cam 1” you’ll be able to have a very clear view of the tracks, live and available 24h a day. Below is a screenshot I took when I visited the link.

Fig. Screenshot of the live webcam from railwebcams in Vladivostok on May 15 (already May 16 in East Russia).

As a precaution I checked that this webcam is pointing at the train tracks in Vladivostok and not a different location, incorrectly labelled (always verify everything!).
Below is a screenshot I took from a google streetview image at the following coordinates in Vladivostok: 43.112896, 131.903364.
We can see the same streetlamp, the same building on the “left” side of the tracks, the similar benches and the same patterned floor. It’s clearly the same location. If you use the coordinates and check google maps you can turn around and see the bridge as well.

Fig. Screenshot of the streetview from google maps in Vladivostok, at the same location as the live webcam.

As this is an example of an OSINT investigation, and I don’t want to end up with enough information to write a book, the “analysis” stage will have to be hypothetical. Let’s imagine that this was happening in February 2022 and you were doing everything I did so far. You could, for example, compile a decent list of similar webcams, all pointing at places where Russian military vehicles were seen being transported in trains en route to Ukraine, record them and then analyse the content. Perhaps gathering what sort of vehicles were being taken and where? This sort of data, before invasion, would have been very exciting (and useful) to have and analyse. The interesting thing is that, as we have seen, this (geolocated) footage was available at the time. Anyone, literally anyone with an internet connection, could have gathered, analysed and written a very useful report on it. Perhaps someone did.


You could end up with a very detailed list of exactly what tank models were being sent where, how many trucks were going to a specific town, how many refuel trucks accompany each battalion, what rocket launcher models the Russians have and where they are deployed.
Perhaps you could even check satellite imagery of certain areas around specific cities. Imagine that you were following a train route and suddenly there’s vehicles that you hadn’t seen before en route. They weren’t there in city A but suddenly they were when they went past city B. Now you have a good range of places to search to see if you could spot where they were kept. You could even keep track of the number of vehicles taken over time by periodically checking the satellite images of the area.

I can quickly show how easy it is. Let’s jump on the map again and see if we can spot any trains near Vladivostok (clearly my newest favourite city in East Russia). Below you can see how there’s indeed a video of military vehicles being loaded onto trains on March 2, 2022, in the Khabarovsk Krai province, where Vladivostok is located.

And because everything on this map is geolocated we can just grab the coordinates (46.808484, 134.254594), put them on a map and check the surroundings. We know the vehicles were being loaded so they were probably near the tracks. Within a few seconds we can spot the military base on google maps as seen below. The arrow shows the train tracks, the orange circle the coordinates and the dark blue rectangle the military base.

Fig. Google maps screenshot showing the area where the vehicles were being loaded on the trains, near Vladivostok.

Zooming a bit more allows us to check out some of the Russian military vehicles in more detail.

Fig. Close up of the military base near the train station.

You could now start tracking this section using free, or paid, satellite tools, depending on the level of detail you’re looking for.

The available OSINT investigations using data from EyesOnRussia map are endless and only limited by your own imagination. We are certainly not lacking in data.


The Report

Once you’re done with the analysis of your data, it’s time to write a nice report on your findings. What was your conclusion? How did you reach it? What data did you use? How did you verify it? Why should we trust it?
All of these are questions that need answering. An OSINT investigation should be transparent. You are there to look at the facts, verify, analyse and report your findings.
The report stage might be the most important of them all. You might have discovered something absolutely groundbreaking and, even better, you have undeniable proof of your claims; but if you are not able to explain your process and adapt your knowledge to your audience, all that work was for nothing.

What is your audience interested in and how much detail do they want? Will they be able to understand what you are trying to convey? Does it matter to them? Why should they listen to what you have to say?
When writing a report I would always advise to throw in some nice maps, graphics, screenshots, videos, whatever other visual aids you can get. It helps people understand what you’re trying to explain and makes it easier to digest if the content is too complex. The majority of the population will not be as well versed in open source intelligence as you are so it’s your job to make the knowledge attainable.


Conclusion

OSINT investigation is an exciting field of work. It takes work, a lot of attention to details and a fair amount of persistence to, not only get the intelligence behind the data, but to also be able to explain and share it with others.
I hope my little (it was definitely not little) tutorial gave you inspiration for an investigation, the tools to collect the data and the motivation to just go for it.
Thank you for reading.

~Sofia.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Website Powered by WordPress.com.

Up ↑

%d bloggers like this: