One of the main purposes of OSINTEditor is to get more people into the world of OSINT (Open Source Intelligence) and more importantly get them being constructive. Geolocation is among the most popular OSINT techniques and in this article I will try to guide you through some basic but fundamental concepts, tools and techniques.

The case

Always more often in the era of social media and hyper sharing you might stumble on one or multiple pictures or videos that could be useful if not crucial in some OSINT investigation. In this example the context is the tragic shot down of Ukraine International Airlines Flight 752 just minutes after it took off from Tehran international airport on January 8 2020.

In the night of January 9 a video was published on social media possibly portraying the firing of a Surface to Air Missile (SAM) as captured by a security camera of sorts somewhere in Tehran. The video could have been old or in general been portraying another event, geolocating it would have been crucial to corroborate it’s authenticity and accept it as valid evidence in the worldwide OSINT investigation that had been going on since the plane “crash”.

One of the tweets containing the video we will analyse.

Download the media

Among the very first steps there should be that of downloading the media you are analysing. Especially in the case of a video, having it on your computer where you will be able to play it with a dedicated video players (VLC, QuickTime just to make some free and basic examples), will prove very useful and allow you more control over the playback.

According to the social media platform the source material was posted on, different tools and techniques exist to download the video to your computer. A simple google search “how to download a video from X” (where “X” is the social media platform) will bring up many valid results. In this case the video was posted on Twitter and Google’s first result brought me to https://www.savetweetvid.com/, simply pasting in the main field the tweet link and pressing download got me the source material in the highest quality available.

Setting up Google Earth Pro

In this example we are going to use Google Earth Pro (GE) on a PC/Mac desktop environment. A lot can nowadays be done even from mobile platforms, but for the moment almost nothing, especially among free applications, beats Google Earth Pro for geolocation work (at least for most phases of the investigation).

Once in GE, a good practice is that of setting up a research environment adding all the pertinent data that is available about the investigation.

Given where the crash happened, we will navigate to Tehran as a first step.

In this specific case we had the plane position since its took off up till the presumed moment of the “crash” thanks to ADS-B services such as FlightRadar24. For this examples sake, we will use a simple screenshot taken from the FligthRadar24 website showing the short path of the plane. We will use the screenshot to bring into Google Earth the plane last contact position and its trajectory.

Screenshot taken from FlightRadar24 website with Ukraine International Flight 752 path until it stopped transmitting its position via ADS-B.

A very basilar but efficient way of getting maps or aerial pictures of any kind into GE (Google Earth Pro) is that of using its “Add Image Overlay” feature.

Google Earth Pro interface showing how to the reach the “Add Image Overlay” feature.

Once you have selected the file you want to overlay (“browse” button in the newly opened window) you can use the green handles to drag, resize and rotate the image until it matches the underlying features. In this case we have the roads on the FlightRadar24 screenshot which will help us obtain a precise overlay. To help me in this I toggled the “Roads” layer in Google Earth (bottom left of screen, among the “Layers”), this will be rendered over the image overlay we added previously.

The central green handle allows you to move the image, the diamond shaped handle on the left is to rotate the image while all other handles allow you to resize it. The opacity slider can help you when you have to match geographical features which would other ways be covered by the image you are adding.

Once satisfied with the image overlay, we can use it to map the relevant positions. In this case we are interested in the last contact location so I simply add a pin where the plane icon is displayed. Done this I can then disable the image overlay and go back to see GE satellite images to proceed with the geolocation attempt.

I added a pin in the last location reported by the plane.

According to what you are investigating you will have different starting data you might want to bring into Google Earth Pro, in some cases you will have none, but in general setting up a comprehensive “workspace” in GE before starting your actual geolocating attempts will often prove to be very useful.

Google Earth Pro allows you also import geoTIFF files (which contain geolocation informations), dedicated KML or KMZ files and even spreadsheets which can contain coordinates.

Picking the right frames

Now that we have the video on our computer and Google Earth set up for our investigation, the next step will be that of opening the video file in whichever video player you prefer and start looking for relevant frames. In this case the main advantage of having the video stored locally is that of being able to precisely move through its frames, thing which is difficult in most online media players.

According to the video source and wanted results, you might have to grab numerous frames, you might also have to stitch them together to create some sort of a crude panoramic picture so to provide a final wider field of view and generally a better spatial idea of the depicted area.

In our video, the camera has a fixed angle (sort of actually, its a video of a video….) so practically every frame will depict the same location and field of view. BUT….. Stuff happens during the video and especially in this case, illumination changes which will prove fundamental.

First selected frame (Frame 1)

The first frame I chose is one in which the supposed missile is visible in its ascending course. This will be useful to eventually locate the direction from where the missile came. The frame also provides a decently lit image of the area immediately next to the camera with multiple details we might use.

Second selected frame (Frame 2)

The second selected frame is probably from the moment the missile exploded. The light coming from the explosion illuminates the whole field of view exposing many fundamental details that where not visible in the dark scene.

Isolate the relevant features

Now that we have two frames, we need to isolate the visible features that can help us identifying the location where the video was shot and possibly when.

Frame 1 and its preliminary analysis

The first of the frames isolated (which will refer to as Frame 1) reveals some important features close to the camera such a large parking, a sidewalk and some kind of ramp perpendicular to the sidewalk. It also gives us the position where the missile is coming from in relation to the field of view of the camera. Top right there is something that looks like a timestamp, but in this specific case it proves useless and misleading (many reasons why, if that actually is a timestamp, it could be wrong)

Frame 2 and its preliminary analysis. Of notice that slight brightness and contrast adjustment where made to better expose some of the details)

The second selected frame, thanks to the illumination provided by the probable explosion, reveals many details that will be fundamental for our geolocation effort.

We have a large, possibly residential, building (Building 1) which shows a peculiar silhouette. The image also tells us that is probably has at least ten floors (seven discernible from the image and probably three more below them, we have no info on how many more floors there might be above those seen in the video).

Rough reconstruction of Building 1 based on its silhouette and the visible windows

We also see some sort of tubular structures, a second building (Building 2) in the background with a peculiar silhouette too and the contour of a mountain or a hill.

The illumination brought by the suspected explosion tells us, via the shadows it casts, that the light source (explosion) is placed roughly straight above the scene we are analysing.

The frame also tells us a lot thanks to what it is not showing. It is not showing tall buildings between Building 1 and Building 2 revealing a free area between them and the background mountain/hill. It is also not showing structures on the right side of Building 1 with a clear view until the mountain/hill.

Thanks to all this details we now have a much better idea of how the scene is laid out, its features and the rough spacing and spatial relationships between them.

We should have enough to move back into Google Earth Pro to finally attempt to locate where the scene was captured from.

Defining an initial research area

In GE we had set up the last reported position of the plane and we also have an “image overlay” showing its path. We can use this data to extrapolate a possible path had the plane continued to fly along the same vector. This assumption will serve us to narrow down our research area, and even if the plane could have changed course radically after the last reported position, it is still worth a try.

Red line is the path drawn in Google Earth via the “Path” tool

We can now start to zoom in and look for an area with tall residential buildings, wide open areas, tubular structures and possibly a hill or mountain nearby.

The first attempts should move along the plane path as we know that explosion happened just above the location we are seeking so if the plane continued along its vector we should encounter the features we have isolated. Among the assumptions we can make, at least for first tries, there is also that the plane probably ceased transmitting its position not long after or before being hit.

Investigating a candidate area

Along the plane path, in the first few kilometres before and after the loss of contact not many areas have the features we are looking for but one stands out.

Following the plane path one area stands out.
Candidate area

In this area we can immediately spot some of the features we are looking for:

  • “Tubular” structures
  • Wide empty areas
  • A hill
  • Tall residential buildings

By toggling the “Terrain” layer, GE will display the elevation of where you are hovering the mouse, thanks to this we can see that the northern “empty area” is higher than where the tall buildings are (a hill).

We have some elements but we need more. The characteristic silhouette of Building 1 isn’t visible in the satellite images Google Earth is showing us by default (which are the most recent and most clear it has available). Time to use another great GE feature: “Historical Imaging”

Historical imaging shows us an older image taken from a satellite at a different angle revealing another side of the buildings.

Historical imaging allows us to go back through time visualising all past images Google has of a specific location. Different images will have been taken by either different satellites, or more generally from different orbits and perspectives. In this case an image from March 2019 shows us another side of the buildings we are examining. Very interestingly the newly revealed side has characteristics very similar to those that we are looking for our “Building 1”.

This, coupled with the hill and the tubular buildings is enough to have us dig further. Observing the image we can formulate a hypothesis about where the camera of the video we are analysing could have been positioned and how it was oriented.

Many elements matching

Once we start piecing the all the elements together we start to see that our hypothesis could actually be correct. For further confirmation altho there are still a couple of the details we had isolated in the video frames that are missing. Specifically the sidewalk and “ramp” seen in Frame 1.

Again using the “Historical imaging” feature we find an image that shows both the sidewalk the the “ramp” as seen in Frame 1, finally revealing 2 candidate buildings for where the camera was placed.

And… there they are. We now have a rather small area, and two possible positions for the camera (at the base, on the left of the entrance, of the two buildings pictured above).

For final confirmation we will use another GE feature, street view. (remember to have the “terrain” layer toggled)

Toggle street view by dragging the “human” icon which is placed above he zoom slider on the right side of the screen, over the position desired, then release the mouse to have a ground view from the chosen location.

While GE terrain data resolution is rather low (so we can’t see the precise contour we are looking for), and it is rather old (so the areas near the parking and buildings aren’t flattened for the relatively new residential area), what it shows is a hill exactly where it should be with a slope which resembles a lot that of the video. Fiddling with the camera orientation we can obtain a decent match with the view of our video. This further corroborates our hypothesis.

Conclusion

Well…. Everything matches, we can, with a very good degree of certainty, say that the security camera which shot the video of the missile ascending and then exploding just above the camera was placed in the approximately in the location we have isolated (Lat: 35.510084° Lon: 50.927135°).

We aren’t actually yet completely sure about which of the two buildings the video was shot from, current thesis is that it was from the southern most of the two candidate buildings. But it gets a little tricky and this “tutorial” is already way longer than I had originally envisioned… (but if you care for more details, reach out via our Discord server)

Having proved that the video was actually shot in Tehran and in an area consistent with the plane crash grants a lot of credibility to it, allowing the OSINT community and actual state sponsored investigators to accept it as actual evidence. Given all we have it would also be easy to extrapolate the direction from which the missile came from (spoiler, a IRGC site…)

In this particular case, this video, another one released just the night before, pictures of a SAM missile seeker landed close to where the plane lost contact and what the OSINT community did with all this, have probably been a strong catalyst for the Iranian government to finally come forward and admit the tragic error.

Dozens if not hundreds of amateur and professional OSINT investigators using twitter and other social medias where able in a matter of a couple of days, to expose, with solid evidence what had actually happened. This shows how powerful well employed OSINT can be and that the more the community grows in both numbers and quality the more we can help exposing truth, especially in such tragic and complex situations.

Hope to have managed to either teach or at least slightly motivate you (brave person who reached so far into bad English and confused pictures) with this sample research. And if you care to learn more, share your knowledge or participate in future investigations in a hopefully more coordinated manner, take a look at our Discord server.