Home

Introduction

Every so often people approach me to help them with something OSINT related, either finding data, analysing something, or geolocating images or footage of an event. These type of requests have previously led me to go down some amazing rabbit holes so I am always happy to help. Occasionally, if the information is not too sensitive, I can even turn them into a blog post like the one I wrote on the geolocation of an old ISIS execution video in Iraq.

At some point in 2022 someone asked me to geolocate a few photos, taken in 2016, showing internally displaced persons (IDPs) in South Sudan. I was given the name of a town (Kajo Keji) and a Facebook link to a post containing 15 images, all taken in the same location. After a (not so) quick look I realised that the photos had not been taken within the borders of Kajo Keji (according to Google Maps that is) so I had to use a different technique. Sometimes the best way to geolocate an image is to forget about it for a second and track down the movements of the person who took it. If you know where they went, you will be able to find out where they were at the time the photo was taken. This will narrow down your area of search a lot and, possibly, cut down the hours spent on the task.

Please note that the person I tracked down was a civilian and in no way involved in the situation. Although this blog entry will be focused on explaining how I tracked their movements, I will keep their identity private and censor anything that may lead to others finding them. The purpose of this blog entry is to explain how I used features available on Facebook in order to help me geolocate photos of civilians escaping a conflict.

Initial information

As I have mentioned above, I was initially given the name of a town alongside the photos. Nothing else. But that was already filled with information. Unfortunately some of that information was unhelpful; sometimes that happens.
The photos were all taken from the same exact spot. They depicted IDP’s either walking on the road or in vehicles, all headed in the same direction, towards the right of the person taking the photos.
Below is the screenshot of the Facebook post. You can see how the person included a lot of information, underlined in red below. Unfortunately, none of it helped me geolocate the photos, but it helped me verify the coordinates once I had already found them.

So what do we already know?

• The Facebook user tagged their post as being in “Equatoria, South Sudan”.
• The initial “kk” probably refers to Kajo Keji, the name of the town I was given.
• The people were moving towards Uganda, which is 20 minutes away.
• There’s a place called Kansuk “some kilometres from the town“.
• The user is near their place of work.

It all sounds great and you would think that with so much information it would be super easy to geolocate this. You would be wrong (don’t worry, I was too). Although the post is filled with information, it was all a bit unhelpful as I mentioned above.

• The Equatoria region covers an area of almost 200,000 km² and is almost a third of the entire area of South Sudan. It does not narrow it down at all.
• The photos were not taken within the borders of Kajo Keji (I checked).
• We don’t know if the “20 minutes away” is in driving or walking time.
• I have no idea where Kansuk is and at this point I would rather not attempt to track down yet another town.
• I don’t know where the person was working in 2016.

After spending an embarrassing amount of time moving the camera around Kajo Keji on Google Earth Pro whilst muttering to myself “it must be here somewhere!” I decided to step back and think of a different way to solve this problem.

Tracking down the user

I did not know where the photos were taken but I knew that the person was near their workplace. If I could track down where they were working in July 2016 I could very easily narrow down my search, and figure out the correct coordinates. I could see that the person was (in 2022, when I geolocated this) a doctor in a hospital. Unfortunately for me they worked in Uganda, not South Sudan. According to their Facebook “About” page they lived in Uganda, studied in Uganda and worked in Uganda. But I know that at some point they were in South Sudan so I just had to find evidence of it!

If you go to the “Check-ins” section on a Facebook user, some people will actually “geolocate” themselves whenever they go to places. It’s both amazing and creepy. Definitely a stalker’s dream.

This user has apparently been actively (and publicly) announcing their location since the end of November 2013. I am both horrified at their lack of privacy and envious of the fact that they clearly do not have to care about these things.
You can see a (very small) section of their check-in tab on Facebook. The similar colours represent the same location. At a quick glance we can tell that the user was in Uganda until March 17, 2016 (purple) and within the four days between then and March 21, 2016 (green) they left the country and arrived in South Sudan. They clearly liked the place marked in green as they kept going back to it.
The closest “check-in” entry to the events on the photos (July 2016) was the location highlighted in blue where they claimed to have been on May 3, 2016. So let’s see what we can find about Lijo, South Sudan!

Finding their workplace

Luckily for us all of the entries on the “check in” section are clickable so I followed the “Lijo, South Sudan” link. I ended up on a tiny page with zero followers. The size did not matter because it still had a map! I can even spot “Kajo Keji” near the marker so it was clearly not too far from it.

From there it was a matter of seconds until I found the place on Google Maps. The screenshot below shows the same marker (dark blue circle), in the same location, as seen above. And what do we see just a few hundred metres south of the marker? A medical facility! And who works in medical buildings? Many people, but also doctors!

If my suspicions were true, then the photos of the IDPs would have been taken nearby. Time for Google Earth Pro!

Verifying the location

The reason why I needed to use Google Earth Pro instead of just Google Maps is because I was looking for an old image. Landscapes change all the time for a variety of reasons: war, natural disasters, urban development, etc. On Google Earth Pro you have the option to view historical satellite images. In this case I could try to find data from around July 2016 to ensure I got a good match for the photos I was trying to geolocate.
You can see two satellite photos of the same area below. On the left, an image taken in March 2016, and on the right the same place in December 2020. Highlighted in red you can observe the clear difference in tree growth. It may not look like a big deal but trees are one of the best geographical features to go for when trying to geolocate with satellite imagery. They almost never move!

With the suspected location and the satellite image from March 2016, it did not take long to figure out where the photos had been taken. Below, at the top, you can see two of the photos, taken and shared on Facebook on July 12, 2016, showing IDPs walking south, to the Uganda border. The bottom picture shows the satellite image from Google Earth Pro from March 2016. I have highlighted the different buildings in various colours. In front of the building you can see the two sets of trees, with red and blue arrows pointing at them. The building highlighted in green in the distance is the medical facility. The trees definitely helped!

Distances between everything

I want to give you an idea of the distances between the town I was given as a possible location of the IDPs on July 12, 2016, and the actual coordinates of the photos. The map below illustrates the various areas. In blue (purple?) I marked the border of the town of Kajo Keji as claimed by Google Maps. A few kilometres south of it you can spot a marker with a star. That was where the Facebook user “checked-in” on May 3, 2016. Only 500 metres south of it, with the camera marker, I found the exact location of where the photos were taken on July 12, 2016.

According to Google Maps, the people would have taken a bit over 20 minutes by car to reach the border of Uganda from where they were seen on the photos on Facebook. As most people were on foot, they would have taken 3 hours to walk the same 15.7 kilometres.

The answers to all our questions

Now that we have figured out the coordinates and have seen where everything is in relation to one other we can attempt to answer the questions we had at the beginning.

• The Facebook user tagged their post as being in “Equatoria, South Sudan”. – Correct, this section is part of Equatoria, South Sudan. It did not help me at all.
• The initial “kk” probably refers to Kajo Keji, the name of the town I was given. – Probably does, it was not helpful.
• The people were moving towards Uganda, which is 20 minutes away. – Mostly correct. It would have taken a bit over 20 minutes by car but most people were walking which would have taken then 3 hours.
• There’s a place called Kansuk “some kilometres from the town“. – No idea, never found it. It did not help me at all.
• The user is near their place of work. – Yes, the person was likely working at the medical centre across the street, visible on the photo.

From checking out this user’s profile I found out that they were a doctor originally from Uganda that, between March and August 2016, worked on the medical centre a few kilometres south of Kajo Keji. Their photos were shared on Facebook at 6:20 am local time as they were waiting to start their work day. According to an article by the BBC, published on July 8, 2016, four days before the people were seen walking towards the Uganda border, a violent clash erupted in Juba, the capital of South Sudan. Heavy gunfire was reported between soldiers that were loyal to Riek Machar, South Sudan’s Vice-President, and soldiers loyal to Salva Kiir Mayardit, the country’s President. In the afternoon of July 12, 2016, on the same day that the photos were taken, the ceasefire between both parties was declared. As a result of the conflict 270 people died, and thousands fled, many by crossing the border to Uganda. The ones in the photos on Facebook were just a few of the many.

Conclusion

Sometimes the fastest way to geolocate a photo is to forget about it and instead focus on the person behind the camera. If we can track down their movements there’s a very good chance of being able to narrow down our search area. This will enable us to focus on a smaller area and get to the correct coordinates much faster.
Would I have been able to geolocate the photos without tracking down the user? Most likely.
Would it have taken me a lot longer? Absolutely.
Why do the hard way when we can do it the smart way?

I hope my explanation on how to use the check-in option on Facebook to track down people’s movements in order to geolocate their photos was useful.
Thank you for reading!
~Sofia.

P.S. Please don’t stalk people.

(Click here to watch and listen to the video version of this blog entry)

Introduction

Every so often people reach out to me online and ask for help with something OSINT/GEOINT related. I am always happy to help, especially because it often ends up with me learning something new along the way. Recently I was asked to assist in finding a pool in Mosul, Iraq. I was not given any more information at first so I gave some pointers on how to do it and got curious. Next thing I know I am being given a link to an old YouTube video with some clips where a pool is visible. It turns out it was not just an ordinary pool but one where an ISIS group put prisoners in a metal cage and lowered them into the water to drown them. If you are uncomfortable with this sort of content please skip this blog entry. I made sure to keep the details and photos as minimally impactful as possible but the reality of it might still be too much for some people, and that is ok.
This blog entry contains an explanation on how I went from that initial clip to finding the exact location of the featured pool in a few hours. I will not skip the parts where I got lost and went off track as this is not a tutorial on how to do it but an explanation on how I did it. Geolocating and investigating data is not always a straightforward path and it is important to embrace the mistakes we make along the way.

I have also not included any links or coordinates to anything due to the nature of the content.

The Video

As mentioned above, I was given a YouTube link with clips of the ISIS execution. The video itself was surrounded by adverts, and had several details covered by text and banners so I really needed to find something clearer and better quality. Below is a screenshot of the footage to give you some idea of what I am attempting to describe.

As you can imagine the first point of action was to try to find a much better quality of the ISIS execution footage to see if there are any details I could use to help me geolocate this pool in Mosul, Iraq. Long story short, I did find the full video and managed to save it to my computer. If I was not already on some list I am pretty sure I am now!

Unfortunately the footage itself had very little detail on the surroundings but that never stopped me. I gathered six screenshots that I felt contained relevant information of the pool and area around it in order to help me find its location. Below are the images I saved. I censored them but you can still get an idea of what I was working with.

Although at first glance there is not much to start with, if we look closely there are a few useful details that will definitely help me verify the location (once I find it!).
The top image on the left is, in my opinion, the best one so let’s really look into it.
Below you can see all the information I gathered from that one screenshot.

1 – Corner of a building with a roof that overhangs. It has vertical markings on it and seems to be grey in colour.
2 – Cream / orange coloured building. There seems to be some sort of “T” shape marking on it. Some tall vegetation or a small tree in the front.
3 – Narrow path surrounding the pool. A small wall behind, made of vertical bricks. Dark blue and slightly aged. Contains vegetation behind it, probably grass.
4 – Circular shape that goes into the pool. Could be a small structure in the pool such as a fountain or statue, or the border of the pool. The pool in the video will either not be straight edged or will contain something in it.
5 – Pool ladder on the same side as the building (1), a few metres from it.
6 – Tall wall, definitely over 2 metres high. Privacy or protection? There’s some patterns on it.
7 – Big tree. It wouldn’t be interesting if I was looking at the Amazonian Forest but as my target is, allegedly, located in Mosul, a huge city in a semi arid climate location, this is quite striking as trees can be seen on satellite imagery.

Gathering Information

As I have mentioned in many of my geolocations before, I do not particularly like going straight to Google Maps / Earth Pro and start scanning the area without having first an idea of “where”, “when” or “what” I am looking for. I already have the “what” but not the “when” or “where”. Mosul is the second biggest city in Iraq and would take quite some time to scan the entire place. Instead I would rather spend some time collecting more data about this incident. Things also change a lot over time so the “when” is vital as well.

The When

In order to find out when this incident happened I started trying to find out when it was first mentioned / shared online.
I compiled a few descriptive keywords of what I was watching in the footage and googled them. I mostly used a variety of combinations of the words “ISIS”, “Daesh”, “cage”, “prisoners”, “pool”, “Mosul”, “Iraq”, in several different languages (never stick to just English!). Afterwards I collected all the articles, videos, online mentions, and started noting down the dates. Although the most mentioned date of the event was June 23, 2015, I actually found an article with screenshots, allegedly published in May 2015.
A little trick I use when looking at dates of published articles online is to inspect the page code as the author could very easily claim the article was published on a date that does not match your evidence.
Below is one of the articles about the ISIS execution, in Arabic, published on June  23, 2015. You can verify the date by right clicking the page and selecting “inspect”. Afterwards either search for the word “published” or start typing “201” or “202” for the correct decade. According to the source code, the article screenshot below was published on June 23, 2015 at 17:30 in a country with a timezone +3 GMT.

At this point I am confident enough that it mostly likely happened in May/June 2015. I could not find any other mention of it earlier than that, and I could not fully verify the May 2015 date so I am going to work with the assumption that it happened within that month. It is good enough.

The Where

Now begins the fun part where I needed to find the actual location. The earlier the articles the more reliable they will be as the media has not engaged yet in a very long Chinese Whispers / Telephone game of telling and retelling a story until you end up with very little reliable facts. Almost all the articles that I found from June 2015 mentioned the incident happening in an area of Mosul called “Al-Faisaliyah”.
I jumped to Google Maps and tried to search for “منطقه الفیصلیه موصل” (Arabic) which literally translates to “Al-Faisaliyah district, Mosul”. I was expecting Google to provide me an area but instead I got a specific coordinate.

It was not exactly what I was looking for but I can work with it. I decided to verify that this area is at least the correct one. For that I went onto YouTube and searched once again for “منطقه الفیصلیه موصل”. The top video is about shop owners in the Al-Faisaliyah area in Mosul protesting against a decision to remove their stores to expand the road. I figured that if I could geolocate that video I could at least confirm that Google Maps is pointing to the correct place.

And that is how I ended up doing a geolocation within a geolocation. Fun times. 
I will spare you the details about that one but here is the verification of my (not shared) coordinates.
In the figure below you can see a screenshot of the video (top) and a Google Maps image from a car dash camera in the area (bottom). It is a very good match. It is also around 170 metres from where Google Maps told me Al-Faisaliyah area was located so well done Google.

This is where I realised I could have saved myself the trouble and just paid attention to the map the first time around. I noticed that the area was not called “Al-Faisaliyah” on Google Maps but just “Faisaliyah”. This might be obvious for Arabic speakers but I did not realise that the “Al” was removable. Live and learn.
Another useful thing in Google Maps is that (almost) everything is clickable. That means that if I click that “FAISILIYAH” word as seen on the image below, I will get additional information.

And here is, according to Google Maps, the Faisiliyah area in Mosul.
I had to remove the satellite view as it was too colourful to actually see the red border around the area.

Now that I can clearly see the delimitations of the area I just started scanning it around. The pool looks big enough that it would be visible from satellite view so how hard can this be?
A bit of a spoiler half way through; the pool is not even in the Al-Faisaliyah area of Mosul. Keep reading though.
I looked around for a while but got nothing. A few pools here and there but no clear match. This is that point in a geolocation where you start second guessing the entire thing. Was this even in Mosul? Iraq? Wrong date? Where did I go wrong?

Second guessing everything

First thing I did was then trying to assess whether ISIS was even in Mosul in May/June 2015. I then tried to find videos of them in the area and see if I could perhaps geolocate them. At that point I wondered if I really wanted to be added to more watch lists. The answer is no. One day I will travel abroad again and I do not want to be interrogated at the border so there’s that. I was also trying to minimise the exposure to graphic images during this investigation so perhaps I needed another strategy.

New theory

I stopped and thought about it for a bit. Mosul is a big city but there is not that many pools around. Where are pools located? Hotels? Rich people’s houses? 
I went with the hotel theory first since I can’t just ask Google Maps to point out rich people’s houses in Mosul. 
On Google Maps I wrote “فنادق الموصل” which literally translates, from Arabic, to “Hotels Mosul”. I was presented with the list, as seen below.

Starting from the top I checked every single one of them in search of the presence of an outdoor pool, especially in the Al-Faisaliyah area in case I had missed something (I didn’t). I got nothing but then realised something very important; the city of Mosul has changed a lot in the last years so it is possible that there were hotels at the time that are no longer in operation or vice versa. Google Maps will only give me the current results so time to think of an alternative on how to go about this theory. I also wanted to confirm that ISIS was in Mosul around May / June 2015 so I googled that.

I quickly found a very interesting article from the Wall Street Journal about how ISIS took over a luxury hotel in Mosul as their base in June 2015. Screenshot of the article with an embedded video below.

Before you get as excited as I was I just want to let you know our target pool was not even in a hotel so contain your expectations.
I scanned this specific hotel and surroundings so many times on Google Earth Pro, changed the dates over and over again to compare the satellite imagery from around June 2015 but found no traces of an outdoor pool that matched the one I saw in the ISIS video. Back to square one?

Next Theory

Ok, the hotel theory is likely wrong so I had to think about where else would a pool be? Perhaps in a University? Sometimes they have a Sports Complex with pools so I decided to go for it. My theory was not that strong so I just quickly searched “mosul university pool” and checked Google Images. I figured that it was not worth translating as I was not too sure on that anyway.
The result I got can be seen in the screenshot below. It is probably too small to notice but I immediately spotted an interesting image, highlighted in red.

And here is the (censored) image I found. I am sure you can already spot the similarities to the screenshot from the ISIS video but I have marked them all. Number 4 and 6 were out of frame and number 5 slightly hidden but I can confirm it was there.

What now?

That was it! I had the place! Kinda. I still did not know where it was located though…
My excitement did not dwindle though. I was definitely in the right direction at last!

I read through the page that had the photo(s) to see if I could get any information about the location. As luck had it the photo was of an American military base in Iraq and they were extremely vague about the location. In fact, apart from being in Iraq I got nothing else regarding the whereabouts. That is ok because now I had the name of the base and I can work with that.
I want to clarify that the only reason I am publishing this information is because the photo is over 15 years old, the Americans left Iraq 11 years ago and this base has long been abandoned.

Finding the Pool

So I set off trying to find information about the base using the codename I found on that page with the photo of the army personnel jumping into the pool. It did not take me long to track an article from 2015 with a vague description of its location.
The sentence I saw said something like “FOB (Forward Operation Base) FakeName sat on the “CardinalDirection” side of Mosul, Iraq, along the “CardinalDirection” of the Tigris River”.
Perfect, I can work with that too.
From there I jumped into Google Earth Pro, set the historical view to August 2015 and navigated around using the cardinal directions I just read. Shortly after I got it. 

Here is the pool at last.

Verification

After tracking down the location it is time to verify it so let’s really look at the satellite imagery and see if we can match it with what we are expecting to see.
Below you can see the same tree highlighted in green, the wall next to it in pink, the corner of the building in blue, and that circular shaped area of the pool that sticks in, highlighted in red. It is a very good match.

Conclusion

And this is how I went from a small clip from YouTube to the coordinates of the pool where in May / June 2015 ISIS drowned five prisoners, in the span of a few hours. I am not willing to share the coordinates of the actual pool but I can confirm it was indeed in Mosul, Iraq.
I hope you managed to learn something along the way. 
Thank you for reading!

~Sofia.