OSINT - Image Analysis or More Where, When, and Metadata [Guest Diary], (Wed, Sep 25th)

SANS Internet Storm Center, InfoCON: green 2024-09-26

[This is a Guest Diary by Thomas Spangler, an ISC intern as part of the SANS.edu BACS program]

A picture is worth a thousand words, as the saying goes. Using open-source information and basic image analysis can be a valuable tool for investigators. The purpose of this blog is to demonstrate the power of image analysis and the associated tools for open-source intelligence (OSINT). Having recently completed SANS SEC497, I was inspired to share the power of image analysis in providing valuable information for investigations. This post will provide a step-by-step approach using a random image [1] pulled from the internet.

SAFETY FIRST

Always scan a file or URL prior to retrieving a target image. This action is particularly useful when retrieving information from suspicious or unknown websites. A tool like VirusTotal [2] makes this step very easy.

First, select your scan type: File, URL, or Search. In the case of a file, it can be dragged and dropped onto the screen.

In this case, I used a known PDF file to generate the sample result shown below.

Now we are clear to proceed with the image analysis…

TARGET IMAGE

Our target image was randomly selected from the NY Times website.

Credit: Filip Singer, EPA

WHERE WAS THIS IMAGE TAKEN

A natural first question might be: where was this image taken? OSINT analysts use many tools, including image analysis, to answer questions like this one. As you will see, image analysis alone cannot answer it. Other tools like Google searches, translation tools, and metadata can be combined with image analysis to provide discrete clues that integrate into an answer.

Potentially identifiable or unique markings…

In looking for image clues, focus on context (e.g. bridge collapse and flooding), unique markers (e.g. signs, buildings, bridges), and geography.

With these clues in hand, we can now use tools like Google Lens [3] and Yandex [4] (if your organization or agency permits its use because of the Russian origin) for reverse image lookups and text-based searches.  While most people think of Google searches in terms of text, Google Lens is the image search equivalent, which can be used to find additional clues.  In this case, I used Google Lens with the original image and the image clues mentioned above to find relevant matches.  Below are the Google Lens matches obtained from a search on the original image:

From the Google Lens results, the images from www.lusa.pt  and TAG24 seem to be similar matches.  Note the TAG24 description indicated Dresden and is written in German.  Upon visiting the TAG24 website [5], we find a different image of the same location and an article in German.  

Using another important OSINT tool, Google Translate, we can translate some of the text to English in order to find the exact bridge and location in question.

Voila…Carola Bridge.  A simple Google text search on Carola Bridge turns up an article from Euronews [6] that confirms the image location at the Carola Bridge in Dresden, Germany.  We can also use a Google Dork…maps:carola bridge…to find a map of the location:

WHEN

From the Euronews article, we also know that the bridge collapsed sometime between 11-12 September 2024 in the middle of the night.

An AP article [7] that also turned up in the previous Google search indicated that “crews were alerted around 3am”. And an Engineering News Record article [8] confirms the collapse occurred on 11 September 2024. A Deutsche Welle article [9] confirms that demolition of the fallen structure began on 13 September 2024.

We can conclude that this picture was taken sometime between 3am local time on 11 Sept 2024 and daylight hours on 13 Sept 2024.  With further investigation, using Google Street View and similar tools, we could have probably narrowed the timeline down even further.

METADATA

I wanted to touch on one other important topic…metadata. Metadata (as shown in the details below from the reference image) presents interesting information such as location, size, imaging device, date, and time for the image in question. Original images, videos, and files usually contain a treasure chest of information in the form of metadata. Using ExifTool [10], the following data is returned on the target file in this blog:

It includes some basic information about the image size, encoding process, etc., but with original images, location, camera type, date, and time will all likely be included.  These pieces of metadata could drastically speed up any OSINT investigation.
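The metadata step above, as an added example that is not part of the original diary: a small Python helper that parses ExifTool's default "Tag : value" text output (the sample below is constructed, not the blog's own ExifTool output) and pulls out the device, timestamp and decimal GPS position an analyst would pivot on. The camera and coordinate values are illustrative assumptions.

```python
import re
from datetime import datetime

# Constructed sample of ExifTool's default text output; values are illustrative only.
SAMPLE_EXIFTOOL_OUTPUT = """\
File Name                       : IMG_0421.jpg
Make                            : Canon
Camera Model Name               : Canon EOS R6
Date/Time Original              : 2024:09:11 05:12:33
GPS Latitude                    : 51 deg 3' 13.80" N
GPS Longitude                   : 13 deg 44' 51.00" E
Image Size                      : 4032x3024
"""

# ExifTool prints coordinates as degrees/minutes/seconds plus a hemisphere letter
DMS_RE = re.compile(r"""(\d+)\s*deg\s*(\d+)'\s*([\d.]+)"\s*([NSEW])""")


def parse_exiftool_output(text: str) -> dict:
    """Turn ExifTool's 'Tag : value' lines into a dict keyed by tag name."""
    meta = {}
    for line in text.splitlines():
        tag, sep, value = line.partition(":")
        if sep:
            meta[tag.strip()] = value.strip()
    return meta


def dms_to_decimal(dms: str) -> float:
    """Convert a DMS string such as 51 deg 3' 13.80" N to signed decimal degrees."""
    m = DMS_RE.search(dms)
    if not m:
        raise ValueError(f"unrecognised DMS value: {dms!r}")
    deg, minutes, seconds, hemisphere = m.groups()
    value = int(deg) + int(minutes) / 60 + float(seconds) / 3600
    # Southern and western hemispheres are negative in decimal notation
    return round(-value if hemisphere in "SW" else value, 6)


def summarize(meta: dict) -> dict:
    """Extract the device, when and where clues an analyst wants from the metadata."""
    summary = {"device": f"{meta.get('Make', '')} {meta.get('Camera Model Name', '')}".strip(),
               "taken_at": None, "lat": None, "lon": None, "map_url": None}
    if "Date/Time Original" in meta:
        # EXIF timestamps are YYYY:MM:DD HH:MM:SS with no time zone; treat as camera-local
        summary["taken_at"] = datetime.strptime(meta["Date/Time Original"], "%Y:%m:%d %H:%M:%S")
    if "GPS Latitude" in meta and "GPS Longitude" in meta:
        summary["lat"] = dms_to_decimal(meta["GPS Latitude"])
        summary["lon"] = dms_to_decimal(meta["GPS Longitude"])
        summary["map_url"] = f"https://www.google.com/maps?q={summary['lat']},{summary['lon']}"
    return summary


if __name__ == "__main__":
    print(summarize(parse_exiftool_output(SAMPLE_EXIFTOOL_OUTPUT)))
```

Run `exiftool image.jpg > meta.txt` and feed the file's contents to `parse_exiftool_output` to apply it to a real image; images republished by news sites are usually stripped, so expect the GPS fields to be absent there.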

CONCLUSION

In conclusion, imagery can be an important starting point for OSINT investigations.  However, more cyber tools than just image analysis must be employed to answer some basic questions like who, where, and when.  In certain cases, an analyst needs to pay close attention to their own attribution (“being found”) when conducting an investigation.  Instead of using live web searches from a local machine, an analyst may need to use sock puppet accounts, VPN protection, and/or cloud-based hosts and even tools like Google Cache and the Wayback Machine for archived web sites to protect their identities and the fact that a target is being investigated.

Thank you to SEC497 instructor Matt Edmondson for piquing my interest in OSINT and the skills developed during the course.

[1] nytimes.com
[2] virustotal.com
[3] https://chromewebstore.google.com/detail/download-google-lens-for/miijkofiplfeonkfmdlolnojlobmpman?hl=en
[4] Yandex.com/images
[5] https://www.tag24.de/thema/naturkatastrophen/hochwasser/hochwasser-dresden/hochwasser-in-dresden-pegel-prognosen-werden-sich-bestaetigen-3317729#google_vignette
[6] https://www.euronews.com/my-europe/2024/09/12/major-bridge-partially-collapses-into-river-in-dresden
[7] https://apnews.com/article/dresden-germany-bridge-collapse-carola-bridge-ad1ebf71f396d8984d2e79f9e6ba3f06
[8] https://www.enr.com/articles/59283-dramatic-bridge-failure-surprises-dresden-germany-officials
[9] https://www.dw.com/en/dresden-rushes-to-remove-collapsed-bridge-amid-flood-warning/a-70215802
[10] https://exiftool.org/
[11] https://www.sans.edu/cyber-security-programs/bachelors-degree/

Guy Bruneau, IPSS Inc. Twitter: GuyBruneau, gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.