Many OSINT investigations require the analysis of images and videos, and if scrutinized, they can provide a wealth of information to assist you in achieving a successful outcome. In this blog, I will cover some tools and techniques to retrieve this information as well as providing questions that will help to unearth the actor’s intent.
Firstly, let’s revisit the source evaluation framework from our last blog.
R2C2
Images, just like written information, can be used to inform our judgments and advice to decision makers – so, let’s use the same R2C2 criteria for evaluating visual sources.
Relevance – when evaluating for relevance, check the image is closely connected to our problem-set and is appropriate to the current time, or circumstances of interest.
Reliability (source) – Is the source e.g., the social media user, trustworthy? Does the source have a history of reporting or motives for misleading us? This is where we can, for example, try to better understand the contextual information that surrounds the social media post – the caption, the user, the comments, the hashtags, the re-shares.
Credibility (information) – Is the image/video or the media credible? Is this media backed up by other quality sources? This is where we can try to find other sources online that either show this image, or others like it.
Corroboration (information) – Do other quality sources tell a similar story? If not, why not?
Now, what are some of the tools and techniques we can use to answer these questions?
EXIF Data
EXIF (Exchangeable Image File Format) data is the underlying metadata about an image - things like latitude and longitude, as well as the model and serial number of the device (there is much more EXIF data available). EXIF data might give us information about where and when a photo was taken, camera and device settings, the kind of software used to edit an image, and the person who created or edited an image.
Some platforms, like Telegram, will keep elements of image metadata, such as the time, which can be very important for some investigations. Most social media platforms, however, will compress the EXIF data making it unavailable to the user, so checking EXIF data often requires the original file. When EXIF data is available, we can use this information to check the credibility of an image and corroborate visual information.
There are several tools that allow us to do this outside of viewing the properties of the file, as shown above. One of our favourites is the online based https://jimpl.com/. These tools will often show us more specific metadata tags from an image, in comparison to the properties of the file. Another one of our favourites is https://exiftool.org for its offline capability, but there are a few steps to get going:
Download the file from the website
Extract the file from the .zip format
Once extracted, you should see the file name: exiftool(-k)
Place on desktop for easy access. We recommend changing the file name to exiftool(-k -a -u -g1 -w txt) as this will auto-create a text file with all the data you need.
Drag and drop image onto the icon.
If you’re lucky enough to find GPS coordinates in your image’s EXIF data, simply copy, and paste into Google and remove the “deg”. For example: S 33 deg 51' 17.145, E 151 deg 13' 32.839 should entered into Google as S 33 51' 17.145, E 151 13' 32.839. Try it - does this take you to Fort Denison?
Reverse Image Searching
The next set of tools to mention is based upon content-based image retrieval query technique that involves providing the search engine with an image. These tools have multiple uses, such as:
Confirming an image is current.
Discovering if the image is associated with a particular story, location or event.
Finding an article or website associated to an image or logo.
Assist in finding the originator or time of creation.
Use multiple search engines, as each of them have their strengths and to create efficiency we really like the Search By Image Browser Extension.
When used in this context of verification, we can answer elements of R2C2. For example, we can use this information to consider the reliability and to corroborate the information we can see in an image.
Drawing Out the Detail
Slowing down, and stepping away from tooling, we now step into a third technique. Here, we want to draw out meaningful information within images - it helps to make a note of every piece of information found.
Depending on the image, utilising the grid method may be a good option. This is dividing an image up into four, or nine sections to systematically search for clues in each section, as we might be blinded by lots of details and miss important clues.
The items that we can look for include signage, landscape, structures, vehicles, and clothing.
For example, a license plate number could tell you what country you are in, or a store’s phone number area code might help indicate a specific city or area. Another example might be product brandings and logos.
By looking at the individual components of an image, we can better identify indicators that an image has been tampered with, which helps us assess its credibility.
Contextual Information
If we are online, it is more likely than not that there will be information accompanying the image such as the social media account that posted an image, pattern of life (where they go regularly), image captions, comments and likes.
Note: Social media ‘Likes’ can be generate valuable insights and answer questions about social networks – for example, where do all the people who like the image live? Do they have common interests? This can provide an investigative pathway. See our Connecting the Dots blog for additional techniques.
Understanding an image’s context can sometimes be key to verification, and potentially finding the location, if that is required. For example, when we 'draw out the detail', can we identify map markers? What is evident in the image that would be observable from a satellite or street view? Remember, however, that maps are not always updated regularly, and things change – buildings, vegetation, people, artwork and signs.
Object Recognition
Once information, items and objects are identified within images, we can conduct OSINT enquiries to identify the origin of an image, based on:
country, region, or city that object belongs to.
product, release date, and distribution time frames; and,
possible consumer of that object.
The Australian Centre to Counter Child Exploitation (ACCCE) runs an object recognition site that is an excellent example of how these methodologies can be applied.
Image Manipulation
It is easy to edit and deceive through images via more available technology such as https://cleanup.pictures/ and from in-built technology in newer smart phones. However, there are online tools like http://fotoforensics.com (set on noise analysis) that can help identify some (but not all!) anomalies.
In cases of mis- and disinformation, or other forms of image manipulation, we can ask ourselves a few questions to guide our analysis. At a high level, what is the strategic effect the 'actor' is trying to achieve? What is the operational approach, and the tactics used to achieve that strategy?
When we conduct our analysis and evaluation of images that may be manipulated, contested, or part of a disinformation campaign, we should always ask questions about the provenance, purpose, and audience of an image. Alternatively, explore media manipulation under the headings of creation, messaging, and interpretation.
Creation - Who created and/or distributed the image? What was their motivation?
Message - Where was the image shared or distributed? E.g., news article, social media post, meme, private messaging group etc. Does the image tell a story or promote a particular point of view?
Interpretation - Who is the intended audience for the image? Does the image attempt to evoke an emotional response from its viewers? How might the image influence viewers’ opinions or behaviour?
Key Takeaways
There are a variety of analytical and technical tools and techniques that we can use to investigate images. Using the R2C2 (relevance, reliability, credibility, corroboration) framework can assist us in evaluating visual sources. To answer some of the questions we have about an image, we can:
Check for EXIF data – it's an easy step (it’s there, or it not).
Reverse Image Search - easy, but rarely a game changer in many investigations.
Draw out the key markers to better understand the context and situation - the gridline technique may help!
Try to identify the objects within the image - can this guide your next enquiry?
Consider whether an image has been manipulated.
Consider the intent of an image’s creator - what are they trying to achieve?
To support OSINT collection and analytical capability uplift and to delve deeper into some of the learnings above, please look at our in-person training courses, or our online, self-paced options here. Alternatively, contact us at training@osintcombine.com to learn about our bespoke training offerings.