Open Source Investigation Handbook

Uploaded by

Eduardo Moreno

Index

Introduction
By Phil Rees, Director of Investigative Journalism, Al Jazeera

Chapter 1
What are Open Source Investigations?

Chapter 2
Planning and Carrying Out an Investigation

Chapter 3
Ethics and Safety

Chapter 4
Tracking Ships and Planes

Chapter 5
How to Identify Weapons

Chapter 6
Finding Out Who Owns a Corporation

Chapter 7
Analysing Satellite Imagery

Chapter 8
Tools and Networks
Open Source Investigation
6

Introduction
Phil Rees, Director of Investigative Journalism, Al Jazeera

Many of us know the scene in All the President’s Men, Hollywood’s interpretation of the Watergate scandal, when “Deep Throat” is standing in a car park basement in Washington DC. The man we now know to be the former Associate Director of the FBI, Mark Felt, was the secret informant who gave clues such as “follow the money” to the Washington Post journalist, Bob Woodward.

Finding the evidence that brought down US President Richard Nixon was a watershed event in investigative journalism and has rightly entered its folklore. To break investigative stories in the 1970s, you needed to develop sources. The skill sets needed for success were once described by the late Nick Tomalin as “ratlike cunning, a plausible manner, and a little literary ability”. Tomalin was killed while reporting the Arab-Israeli war in 1973, a year after Woodward broke the Watergate story.

Investigative journalists were usually required to obtain confidential documents from people who did not hand them over without a great deal of persuasion. The investigator had to nurture sources over time. They’d met in restaurants, coffee shops or late at night in bars. They persuaded whistle blowers to do the right thing; they gained their trust so that the identity of a source would not be revealed. Managing a source was a critical skill for an investigator. HUMINT - or human intelligence - was the cornerstone of investigative journalism and obtaining information that no one else had was essential for an exclusive.

A journalist usually carried only a notebook and a tape recorder. When I started in journalism, there were no mobile phones. There was little methodology to investigative journalism. Success depended on who you knew and how effectively you exploited them.

Then along came the computer and everything changed. Technology altered journalism, both its practice and its consumption.

The roots of OSINT lie in Computer Assisted Research. CAR began by exploring and analysing databases. In doing this we can discover patterns, trends and anomalies that may be useful in producing new information. The practical use of this methodology emerged with the Freedom of Information Act in the United States, which was introduced in the 1960s to open the workings of government to public scrutiny.

Philip Meyer, a pioneer of CAR, called it “precision journalism”. It was inspired by the methodology of social sciences where a journalist used evidence to prove his assertion.

A methodology was born that inspired a distinct storytelling style that distinguishes investigative from conventional journalism.

Conventional journalism is reactive and observational. It describes the world as it is seen, usually after something has happened. Investigative journalism, by contrast, seeks to prove that some aspect of what the public thinks it knows about the world is wrong. Like a policeman or prosecutor, an investigator will discover a lead or obtain prima facie evidence that supports a hypothesis that “X is lying” or “X is corrupt”. The investigation will aim to prove this supposition. If it can’t, the investigation is dropped.

This investigative methodology, known as hypothesis-based narrative, replaced conventional character-based or travelogue storytelling. Evidence gathering became the glue that holds the narrative together.

Decades ago, Philip Meyer made the prophetic statement: “When information was scarce, most of our efforts were devoted to hunting and gathering. Now that information is abundant, processing is more important.”

In the last decade, open-source intelligence (OSINT) has emerged as a journalistic science, as the vast resource of data collected from social networks and internet-connected devices is mined for information beyond just databases.
The volume of data created, captured and consumed globally is projected to be around 200 billion gigabytes a year in 2025 (up from 70 billion in 2020). Every minute on Facebook, around half a million comments are posted, and 150,000 photos are uploaded. More than four million hours of content is uploaded to YouTube every day. Add to that, 700 million tweets per day. Investigative journalism will increasingly rely on tapping these sources. We are not discovering truths that are strictly hidden from us - they are not confidential - but we are assembling information in a fashion that reveals new truths. We are unpicking the resources available online to tell the story behind the picture, the story that the metadata provides, or the story that shipping or flight data tells us about an event.

For filmmakers dealing with investigative content, there are new challenges. There will be more use of computer-generated imagery to tell the story and less use of video. There will be a need to harmonise different sources, such as vertical aspect ratio imagery, publicly generated and low-definition content with professional standards. Graphic designers, data scientists and filmmakers will need to work together in ways that presently rarely exist. The model of television production needs to adapt to a new method of storytelling.

With the amount of information in the public domain, investigative journalists of the future may be less concerned with obtaining secret data than finding ways to make sense of public data, and tell stories based on that. More complex computer-based tools, such as data mining programmes, geographic information systems, demographic databases and so forth can be used to identify patterns, anomalies and discrepancies in data. Much of the new technology surrounding open source intelligence will involve machine learning, that is when a computer model is trained to analyse data much faster than a human being. In effect, you train a computer to do the hunting for you.

It means that investigative journalists no longer need to only learn how to write and turn on a tape recorder or camera. They will need to learn the tools of the internet. While computer scientists will write the programmes, journalists will need to understand the science of OSINT.

OSINT is not a substitute but a complement for HUMINT. For most investigations, journalists need to use human sources as well as data. Investigative journalists still need “ratlike cunning, a plausible manner, and a little literary ability”. But they also need to understand how to get value from the abundance of information on the Internet.

This handbook provides an invaluable guide to achieve this.

Chapter 1
WHAT ARE OPEN SOURCE INVESTIGATIONS?

An open source investigation (OSINT) uses intelligence gathering techniques and technologies including satellite imagery, social media posts and user-generated content to uncover the invisible. In recent years, open source investigations have become one of journalism’s most valuable tools, largely due to their ability to tap into vast amounts of publicly available online information to reveal otherwise untold stories.

Collecting and analysing publicly available data and information from across the internet can include anything from analysing an IP address all the way through to interrogating public governmental records.

What is OSINT? Open source intelligence is the application of intelligence gathering techniques and technology to investigations that make use of open source data.

Security adjunct professor at Columbia University Mark M Lowenthal defines OSINT as “any and all information that can be obtained from the overt collection: all media types, government reports, and other files, scientific research and reports, business information providers, the Internet, etc”.

The learning process of how to use open source tools is constantly evolving. This handbook provides core elements and tools for journalists who are interested in conducting open-source investigations. It introduces a framework and outlines ethical approaches, while examining case studies, to analyse the fundamentals of online search and research techniques for investigations.

Whether it involves using search engines to gather documentation, examining videos and satellite imagery to collect critical evidence, or evaluating data gathered from an online database, this handbook offers journalists the necessary skills to acquire and verify documentation.

From early conflict and environmental monitoring to high-profile investigations such as Anatomy of a Killing,[1] using advanced open source techniques has quickly developed to become a crucial practice for journalists in both long-form investigations and breaking news. Open source techniques involve researching, selecting, archiving and analysing information from publicly available sources.

An effective open source investigation begins by addressing these three questions: What do we need to know? Why do we need to know it? Who might have the information we need?

While various open source guidebooks available to investigative journalists differ on the exact process that should be followed in an open source investigation, they all agree on certain fundamentals.

First, you must have a clear strategy and framework in place for acquiring and using open source information. This involves identifying which investigation to pursue and how to transform your findings into an engaging story.

Second, you must identify a set of tools and techniques for collecting and processing open source information without compromising the safety of your subject matter or those involved in investigating the story.

Third, you should develop the right strategies to validate your findings. Collaboration is an important consideration here.

Finally, as in many parts of the world information is heavily controlled, knowing how to preserve and archive data remains an important element that can affect accountability mechanisms.

[1] https://www.youtube.com/watch?v=XbnLkc6r3yc

Benefits
● Wide array of information to collect
● No or low barriers to access
● Easy-to-locate publicly available data

Risks
● Identity exposure
● Counterattacks from online adversaries
● Collection of misinformation

Debunking Myths about OSINT
● Open Source investigation is just Googling
● Open Source investigation is only for cybersecurity professionals
● Open Source investigation is only for tech-savvy individuals or experts
● Open Source investigation is surveillance and violates privacy

Tips for an open source investigator
1. YOUR SECURITY IS PARAMOUNT – Don’t forget to keep your identity hidden while searching.
2. BE CAREFUL – You really need a good eye for small details. A successful open source investigator has sharp observational skills to detect even the slightest bit of information that might contribute to the bigger picture.
3. PERSEVERANCE – To be a successful open source investigator, you need to stick out the seemingly never-ending process of compiling data and research.

BOX #1
Challenges for Open Source intelligence

CASE STUDY
Forced out - Measuring the scale of the conflict in South Sudan

In 2019, Al Jazeera’s AJLabs data journalism team, in partnership with the Pulitzer Center, published an open source investigation to better understand the complexities and scale of displacement and land rights in South Sudan.

For this story, Carolyn Thompson and Kristen van Schie worked with land rights experts and statisticians to survey more than 35,000 random phone numbers across South Sudan in order to paint an accurate picture of displacement across the world’s youngest nation which had descended into civil war.

As of 2019, nearly 2.5 million refugees had fled to neighbouring countries.

As many journalists are denied access to or even barred from reporting within the country, Al Jazeera used a mobile phone survey to gather information from those in places traditional journalism cannot reach. That data, which included questions on demographics, displacement, destruction, and plans to return home was then verified against other reporting tools, including satellite imagery, on-the-ground interviews, UN reports, public records, photos of the destruction and testimonies from internally displaced people and refugees.

The result was an interactive longform which included maps, videos, infographics and before-and-after sliders.

In 2020, the Investigative Reporters and Editors (IRE) awarded the story third place in the Philip Meyer Award for “an outstanding example of a determined group of reporters using social science methods to get to the root causes of a refugee crisis, even with severely limited press freedom, possible government interference, and a scared population.”

Chapter 2
PLANNING AND CARRYING OUT AN INVESTIGATION

Journalists can follow these four steps to start their open source investigations:

Step one: Planning

Before diving into a story you should first determine if an investigation is possible or needed. To keep an investigative mindset it is important to always start with a series of questions. With your questions in mind, you can then formulate a clear strategy and choose the right tools to search for key information. When it comes to information gathering, journalists can decide either to make contact with the target during the investigation or to remain distant from the target and thus have a lower risk of being detected.

Get started by answering the following questions:

1: What has prompted the need for the investigation?
2: What are the key questions that need to be answered?
3: Which tools and platforms can help gather the required information?

SEARCH TECHNIQUES

● Incorporate social media data to cross-reference your findings. Pay particular attention to who was the original source of this information, when this information was posted and where this information was posted from.
● Do a reverse image search using TinEye or Google Images. A reverse image search allows you to upload an image and immediately see when and where this image was first used across the web.
● Use other platforms, like WeVerify, to fact-check videos and images online.

Step two: Structure and secure information

Once you have a plan in place, you can now begin identifying the sources you will be using to collect and archive your data so that it remains secure. It is important not to lose sight of ethical, safety and legal considerations especially when dealing with personal data. Various data privacy laws including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and many others, exist to govern the collection, use and storage of personal data.

Always evaluate any potential data storage risks and keep evidence and documentation safe by using encrypted storage. Also, don’t forget to take precautions to ensure your identity remains secure.

ARCHIVING

Various groups including the investigative journalism group, Bellingcat; the Global Legal Action Network; and the Syrian Archive among others have created a standard process for archiving and investigating open-source evidence.

Collecting, preserving and building a body of evidence can serve as proof of power abuses and human rights violations.

Image source: Syrian Archive



Step three: Verifying your information

Raw information gathered must be analysed and processed before any useful
or actionable conclusions can be drawn. This includes contacting people and
verifying findings across multiple sources. Verification is an iterative process
that involves three main phases:

Verifying the source - Where did you get the information from?
Verifying the content - Is the information actually what it claims to be?
Verifying its relevance - Does this information fit into your investigation?

GEOLOCATION

Geolocation is the process of determining the geographic position of a particular event. This can be done by using tools such as Google Maps or Google Earth to match geographical features seen in the footage you are investigating. You can cross-reference stills from the footage to satellite imagery to confirm whether or not a video was indeed taken from a particular location. In some cases, it is possible to identify the approximate time the footage was captured by analysing the sunlight and shadows. Using SunCalc for example, it is possible to analyse the position of shadows and the sun at any given time and date, at any given location.

Step four: Publishing your findings

Finally, journalists should publish their findings as well as show the process behind their investigations with the aim of ensuring transparency as well as building trust with the audience. Ensure that your findings are presented across various digital platforms to ensure your story can have the widest available reach.

BOX #2
Prepare, Don’t Panic: Deepfakes and Synthetic Media

Jacobo Castellanos, WITNESS

Malicious deepfakes and synthetic media are - as yet - not widespread outside of non-consensual sexual imagery. However, with the rapid development of new technologies, it is expected that in the coming years these will be ever more photorealistic and pervasive, further blurring the lines between what is real and what is not.

For digital investigators and fact-checkers, the challenge of identifying synthetic media is growing. Already we are at a point where depending on our own eyes for detection is unreliable. There are some tips that can help spot them - for example, looking for visible glitches - but these are just current slips in the forgery process that will disappear over time (you can try to detect deepfakes yourself with this MIT Media Lab test).

The use of detection tools also provides no guarantees. If the technique used to generate the synthetic media is unknown, the results will tend to be unreliable as they would with low-resolution or compressed media generally found online. A recent experience of a suspected deepfake in Myanmar shows that relying on publicly available detectors without further knowledge about how to interpret the results may lead to inaccurate assessments. What’s more, recent attempts at developing deepfakes detection tools have not come up with models that were effective enough on known techniques or sufficiently applicable to new techniques.

Even if robust tools are developed, they may not be made available widely, particularly outside specific mainstream platforms and media companies. It is likely that media and civil society organisations in the Global South will be left out, and it is important to advocate for mechanisms that enable them to have greater access to detection facilities. WITNESS is arguing for increased equity in access to detection tools, investment in the skills and capacity of global civil society and local newsrooms, and for the development of ‘escalation mechanisms’ that can provide timely analysis on critical suspected deepfakes.

As a way to tackle misinformation from AI-generated or manipulated media, there is a growing movement pointing towards the need for disclosure when synthetic media has been created or shared (see for example the EU Code of Practice on Disinformation or Partnership on AI’s upcoming Synthetic Media Code of Conduct). ‘Disclosure’ can take the form of labelling, or of other less visible techniques such as inserting forensic traces that are machine-readable, or metadata that contains information about its provenance.

Any one of these techniques could facilitate the process of identifying synthetic media, but without proper consideration they could lead to further harm - for instance, labelling could lead to suppressing certain forms of free expression, particularly in art, parody or satire (see WITNESS’s Just Joking! report for an analysis of these grey areas). Even well-intentioned efforts to provide tamper-evident provenance metadata for authentication, such as the work led by the Content Authenticity Initiative or the Coalition for Content Provenance and Authenticity (C2PA), could create risks of surveillance and exclusion for people who do not want to add extra data to their photos and videos, or cannot attribute the photos to themselves for fear of what governments and companies may do with this information (see the WITNESS led Harms, Misuse and Abuse Assessment of the C2PA).

Whether it be through detection tools, media literacy or disclosure mechanisms such as labelling, forensic traces or provenance-rich metadata, WITNESS is generally concerned that this work on ‘solutions’ does not adequately include the voices and needs of people harmed by existing problems of media manipulation, state violence, gender-based violence and misinformation/disinformation in the Global South and in marginalised communities in the Global North.

As these technologies evolve, the challenge for digital investigators and fact-checkers, as for journalists, human rights defenders and technology companies and synthetic media creators, will be to develop a better understanding of how to detect synthetic media and deepfakes in a way that is effective and accessible to those that need it most, while mindful of the unintended consequences, as well as potential misuses of these frameworks and tools.

Chapter 3
ETHICS AND SAFETY

Open Source Investigation carries important ethical concerns, as well as legal compliance. Information might be publicly available but personal data may be subject to data privacy regulations to varying degrees. Do not forget to consider the issues below when using open source investigative techniques:

The origin and the intent of your sources: Make sure that all your searches are targeted and that you are collecting only the information that is relevant to your investigation.

Data is sensitive: Make sure that you are collecting only public data and data that is freely available online. Make sure the data you collect is safely and securely stored so as to not breach data privacy rules.

Use a VPN: Do not forget to protect your identity. Using a Virtual Private Network or VPN can help mask your location and make your internet browsing more secure.

Investigators can come into contact with a large amount of graphic footage. How to reduce the risk of secondary trauma?

Secondary trauma refers to a range of trauma-related stress reactions and symptoms that may result from exposure to graphic details of another individual’s traumatic experience.

As content from open source investigations is often very graphic, knowing yourself, and knowing what images affect you the most, is important to consider. Another factor in preventing secondary trauma is understanding your personal connection to the work you are investigating.

In 2020, a study[2] conducted at Berkeley, School of Law, USA identified six general practices as helping mitigate secondary trauma: processing graphic content, limiting exposure to graphic content, drawing boundaries between personal life and investigations, bringing positivity into investigations, learning from more experienced investigators and employing a combination of techniques.

[2] “Safer Viewing: A Study of Secondary Trauma Mitigation Techniques in Open Source Investigations“ https://www.hhrjournal.org/2020/05/safer-viewing-a-study-of-secondary-trauma-mitigation-techniques-in-open-source-investigations/

BOX #3
Archiving for Accountability

Carolyn Thompson

THE SUDANESE ARCHIVE

Since December 2018, the Sudanese Archive - a joint partnership run through Gisa and Mnemonic - has been gathering digital documentation, archiving it, and verifying it, with the goal of using it to contribute to investigations, court cases and other accountability mechanisms.

The project includes several components. First, a monitoring team collects material by scouring the Internet daily for evidence of human rights violations. This can include photos and videos filmed by documenters on the ground in Sudan and posted on Twitter, Facebook, TikTok, and other open platforms. Also, materials are gathered from partners and contacts directly and shared with the Sudanese Archive team. These photos and videos can include many pieces of the story; they document a human rights violation in action, or the scene before or after, and sometimes they include testimony from a victim of a crime. They can also include public statements or medical records, or other pieces of information that can help us understand what really happened.

At first, we gathered links in a spreadsheet to track the protest violence, but we quickly realised many of those links would break when content was removed by the person who posted it for their safety, or by the platforms because of its graphic nature. All those important photos and videos proving what happened were getting lost. We tried downloading on our own computers, but there needed to be a centralised space to hold the content and keep it safe. That’s why we began partnering with Mnemonic, which runs the Syrian and Yemeni Archives. Through Mnemonic’s archiving process, all those pieces of digital documentation are permanently saved, and in a way that includes chain of custody components, such as timestamping and hashing, to ensure the documentation can one day be used in a court process.

Once the material is archived, our investigative team sorts the content and identifies crucial pieces to be verified. The verification process involves determining the source of the video, the location where it was filmed, the time of day and date on which the incident happened, and any other relevant context.

Once many videos have been verified from the same event, our team can begin piecing together the truth of what occurred on that day. We use a standardised data tagging process to ensure every researcher is using the same tools and drawing the same conclusions, and we share those methods with our readers - an important piece of accountability is transparency in this process.

Our most recent investigation is a large dataset called the Coup Files, which aims to verify documentation of violent incidents at any protests that have occurred in opposition to the 2021 coup. In this dataset, our teams tag each investigated piece of documentation with identifiers that help us conclude who was the perpetrator of the violence. This includes tags focused on identifiable weapons, uniforms, vehicles and other indicators of those perpetrator groups. As well, we identify any protest characteristics that could help us prove there were indicators of excessive force or unlawful use of crowd control techniques. That can be examples such as videos of tear gas canisters thrown directly into a dense crowd of people, or photos of live bullets at a protest involving the presence of students and children.

We publish incident reports focused on the protest days, grouping together violent incidents or the presence of security forces that we can confirm using this open source documentation. We also publish the data, set on a map, to help human rights advocates find the information they need - including by sorting for verified documentation of specific types of incidents or possible perpetrators.

Already, our work has contributed to court cases within Sudan, and to international lawyers and sanctions teams. As well, numerous journalists have cited our investigations or worked with us to publish their own. While legal accountability processes are a significant part of our focus, we also prioritise the importance of ensuring we remain visible and consistent so that the perpetrators of these crimes know they are being watched, and those standing up for their rights know they are seen.
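The box above names timestamping and hashing as chain of custody components. The sketch below is an added example, not part of the handbook and not Mnemonic's actual process: it records a SHA-256 hash and a UTC collection time for each archived item and links the records into a hash chain so later changes to a file or to the log are detectable. The function names, log fields, URLs and sample bytes are all constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # stands in for "previous entry" on the first record


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry: dict) -> str:
    """Hash every field of a log entry except its own digest, in canonical JSON."""
    body = {k: v for k, v in entry.items() if k != "entry_sha256"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return sha256_hex(canonical.encode("utf-8"))


def add_item(log: list, content: bytes, source_url: str, collected_at=None) -> dict:
    """Append a custody record for one downloaded file and return it."""
    collected_at = collected_at or datetime.now(timezone.utc)
    entry = {
        "seq": len(log),
        "source_url": source_url,
        "collected_at_utc": collected_at.astimezone(timezone.utc).isoformat(),
        "size_bytes": len(content),
        "content_sha256": sha256_hex(content),
        # Linking to the previous record means an edited record cannot be
        # re-hashed quietly: every later record would stop matching.
        "prev_entry_sha256": log[-1]["entry_sha256"] if log else GENESIS,
    }
    entry["entry_sha256"] = entry_digest(entry)
    log.append(entry)
    return entry


def verify(log: list, contents: dict) -> list:
    """Return a list of problems; an empty list means log and files check out.

    `contents` maps a record's seq number to the bytes currently in storage.
    """
    problems = []
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i:
            problems.append(f"entry {i}: sequence number mismatch")
        if entry["prev_entry_sha256"] != prev:
            problems.append(f"entry {i}: chain broken")
        if entry_digest(entry) != entry["entry_sha256"]:
            problems.append(f"entry {i}: log record altered")
        data = contents.get(i)
        if data is None:
            problems.append(f"entry {i}: file missing")
        elif sha256_hex(data) != entry["content_sha256"]:
            problems.append(f"entry {i}: file content changed")
        prev = entry["entry_sha256"]
    return problems


def demo():
    # Constructed sample bytes standing in for downloaded media.
    video = b"constructed sample bytes standing in for a video"
    photo = b"constructed sample bytes standing in for a photo"
    when = datetime(2022, 1, 1, 12, 0, tzinfo=timezone.utc)
    log = []
    add_item(log, video, "https://example.org/post/1", when)
    add_item(log, photo, "https://example.org/post/2", when)
    files = {0: video, 1: photo}

    clean = verify(log, files)
    files[1] = photo + b"\x00"            # stored file modified by one byte
    changed_file = verify(log, files)
    files[1] = photo
    log[0]["source_url"] = "https://example.org/other"   # record edited
    edited_log = verify(log, files)
    log[0]["entry_sha256"] = entry_digest(log[0])         # and re-hashed
    rehashed_log = verify(log, files)
    return clean, changed_file, edited_log, rehashed_log


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Rewriting the whole chain from the first record onward would still pass `verify`, so the latest `entry_sha256` should also be kept somewhere the archive operator cannot alter, such as with a partner organisation.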

Chapter 4
Tracking Ships and Planes

Tracking the movements of ships and planes is an increasingly valuable technique in open source investigations. In this chapter we present how these techniques can be used to investigate the movement of sanctioned goods, follow the travel paths of government officials and track illegal fishing or forced labour.

Tracking Ships

Most ships have an Automatic Identification System, or AIS, which transmits a vessel’s position over time. By collecting historical AIS data, an investigative reporter can gain a better understanding of where a particular ship has been, measure how long that ship has been in a particular location and detect unusual travel behaviour.

How to get started:

1. Choose a ship-locating website.

Some go-to platforms for journalists looking for real-time shipping data include:
- MarineTraffic
- VesselFinder
- FleetMon

2. Search for the name of the ship.

You can search for a vessel using its name. To ensure that the ship you’re tracking is the correct one, compare the ship’s unique IMO (International Maritime Organization) number and its MMSI (Maritime Mobile Service Identity) number.

The IMO number consists of the three letters ‘IMO’ followed by a seven-digit number and is never reassigned to another ship.

The MMSI number is a unique nine-digit number for identifying a ship.

3. Use the map to search for a ship in a specific location.

If you don’t have the name of the particular ship you would like to track you can explore the map by zooming in or out of a particular location and then click on the ships around a particular port or shipping route.

4. Check with people on the ground or on the ship.

It is very helpful to reach out to crew members or other people working on the ground. You can try to find them using LinkedIn or other social media platforms.
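Once historical AIS positions for a vessel have been exported from one of these platforms, the two measurements described under Tracking Ships (how long a ship stayed in one place, and unusual behaviour such as long silences) can be computed directly. The following is an added example, not part of the handbook; the track, the bounding box and the six-hour silence threshold are constructed assumptions, and the track format `(timestamp, latitude, longitude)` is hypothetical rather than any platform's export format.

```python
import math
from datetime import datetime, timedelta, timezone

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles


def distance_nm(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two positions."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))


def find_gaps(track, max_silence=timedelta(hours=6)):
    """List the periods in which no position was received for longer than
    max_silence, with how far the vessel moved while it was not visible."""
    track = sorted(track)
    gaps = []
    for (t1, la1, lo1), (t2, la2, lo2) in zip(track, track[1:]):
        silent = t2 - t1
        if silent > max_silence:
            hours = silent.total_seconds() / 3600
            moved = distance_nm(la1, lo1, la2, lo2)
            gaps.append({
                "last_seen": t1,
                "seen_again": t2,
                "hours": hours,
                "distance_nm": moved,
                # Lower bound only: the real route may have been longer.
                "min_avg_speed_kn": moved / hours,
            })
    return gaps


def dwell_hours(track, box, max_silence=timedelta(hours=6)):
    """Hours spent inside box = (lat_min, lat_max, lon_min, lon_max).

    Only intervals with both end points inside the box and no long silence
    in between are counted, so unobserved time is never credited as dwell.
    """
    lat_min, lat_max, lon_min, lon_max = box

    def inside(lat, lon):
        return lat_min <= lat <= lat_max and lon_min <= lon <= lon_max

    track = sorted(track)
    total = timedelta()
    for (t1, la1, lo1), (t2, la2, lo2) in zip(track, track[1:]):
        if t2 - t1 <= max_silence and inside(la1, lo1) and inside(la2, lo2):
            total += t2 - t1
    return total.total_seconds() / 3600


def sample_track():
    """Constructed positions: three hours at anchor, departure, a 30-hour
    silence, then reappearance one degree of latitude further north."""
    t0 = datetime(2023, 3, 1, tzinfo=timezone.utc)
    points = [
        (0, 25.00, 55.00), (1, 25.00, 55.00), (2, 25.00, 55.00), (3, 25.00, 55.00),
        (4, 25.10, 55.10), (5, 25.20, 55.20),
        (35, 26.20, 55.20), (36, 26.30, 55.20),
    ]
    return [(t0 + timedelta(hours=h), lat, lon) for h, lat, lon in points]


if __name__ == "__main__":
    track = sample_track()
    print("hours at anchorage:", dwell_hours(track, (24.95, 25.05, 54.95, 55.05)))
    for gap in find_gaps(track):
        print(gap)
```

A silence in the data is a lead rather than a finding: positions can also go missing because no receiver was in range, so each gap needs checking against a second source.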

Other ship tracking tools

Inmarsat Ships Directory - Find the contact information of a vessel by searching for its name, number or call sign.

Maritime Database - Lists and details of shipping-related businesses and ports around the world.

Global Fishing Watch interactive map - Open-access online platform for visualisation and analysis of vessel-based human activity at sea.

Don’t forget

An alternative way to track ships is by using the Vessel Monitoring System (VMS), a satellite-based system that provides data to fisheries authorities on location. VMS is used to monitor the position, time, course and speed of fishing vessels. It is a key part of monitoring, control and surveillance programs at national and international levels.

Both AIS and VMS have limitations. If ships deliberately turn off their identification system, international, regional and national authorities, traffic management systems and surrounding ships are unable to identify or track vessels.

Tracking Planes

Analysing an aircraft’s flight pattern can help investigators track the movement of illicit commodities, scrutinise the movement of high-profile individuals and uncover the presence of surveillance aircraft.

To get started with analysing a plane’s movements, it is helpful to understand the following key terms:

Key terms

Automatic Dependent Surveillance-Broadcast (ADS-B) - A technology that broadcasts the position of an aircraft using satellite navigation or other sensors thus enabling open source investigators to track a plane’s movements.

The Call Sign - The letters and numbers which identify an aircraft.

Hex code - A unique ICAO (International Civil Aviation Organization) 24-bit address, part of an aircraft’s Certificate of Registration, used to identify an aircraft and broadcast by its Mode-S transponder. It allows for real-time and historical tracking.

Registration number - The number that appears on the tail of every plane. Looking at photos of an aircraft can help you determine the history of a plane. Two popular aviation image sites to search for visuals are planespotters.net and jetphotos.com.

Serial number - Each aircraft is assigned a serial number by the manufacturer. This makes it useful for tracking a plane over time between owners, registrations and nations.

ICAO airport code - A four-character alpha-numeric code used to identify airports around the world.

Aircraft Ownership: Identifying the owner of an aircraft is theoretically possible, but practically difficult because most countries do not make their registries public. AeroTransport and CH Aviation are good places to start looking; also see Airframes, RZJets and spotters.

The Isle of Man is one popular aircraft registration jurisdiction, providing a way to escape EU taxes, according to a report by the International Consortium of Investigative Journalists.3 The ICAO code for the Isle of Man Airport is: EGNS

2 https://www.icij.org/investigations/paradise-papers/offshore-gurus-help-rich-avoid-taxes-jets-yachts/

Aircraft Tracking Websites

As long as the transponder of an aircraft is on, you should be able to use the following flight tracking services to track its movement:

ADS-B Exchange
The world’s largest source of unfiltered flight data. Does not filter out information about US aircraft that have requested anonymity.

FlightAware
Allows guest users free tracking options, including alerts on planes of interest.

Flightradar24
A commercial flight tracking service that permits free tracking of flights.

RadarBox24
A flight tracker with live maps and search function.

Freedar
A flight tracker that includes military aircraft. It also has monitoring of air traffic control audio.

OpenSky Network
A non-profit association based in Switzerland that provides open access to flight tracking control data.

Anyone can deploy an ADS-B ground receiver that will triangulate satellite and aircraft transponder transmissions. If you are interested in helping increase ADS-B coverage, you can request a receiver from flightradar24.

The Swedish aircraft tracking service will send you the ADS-B receiver sets (including receiver, antenna, and cables) free of charge that require a 10 to 20-minute setup, and once turned on will widen the coverage of ADS-B in your area.

>> Check the latest GIJN guide to track aircraft around the world

Icarus Flights

Washington-based non-profit C4ADS has released Icarus Flights, a robust new system designed to help journalists trying to monitor illicit activity over a geographic area or during a certain period of time.

The Icarus tool kit includes transponder data, aircraft ownership records, and analytical tools. It provides location-based searches for investigators who want to study or document which aircraft have flown in a given area.

https://icarus.flights/

Chapter 5
How to Identify Weapons

Since the conflict in Yemen began in 2015, it has become harder for international rights organisations, UN bodies and journalists to document violations committed by all parties to the conflict.

Investigators have to work very hard to identify and verify the details of possible unlawful attacks, mainly using intelligence gathering techniques and technologies. One of these techniques involves analysing photos and videos to verify the types of weapons being used.

Investigators can study the shape of a crater left behind after a missile strike, watch footage of air raids to classify the types of missiles used, or analyse weapons trade data to understand ownerships of these munitions.

This documentation can provide essential evidence which can later be used to hold perpetrators of violations accountable. Documenting and archiving these findings paves the road to justice through using them in legal procedures.

Here are a few steps to help you identify weapons

1. Determine the weapon’s class.

Broadly speaking, there are three main classes of weapons: small arms, light weapons, and heavy weapons.

● Small arms include pistols, rifles, light machine guns and other weapons that can be carried and operated by one person.

● Light weapons include larger machine guns, rocket-propelled grenades (RPGs), man-portable air-defence systems (MANPADS), mortars and other weapons that require a small crew to operate.

● Heavy weapons systems include tanks, helicopters, fighter planes, submarines and warships.

2. Determine a weapon’s make, manufacturer and country markings.

Weapons usually have markings that denote the make and/or manufacturer, country of origin, and, less frequently, the production facility and/or storage arsenal. This information can usually be found on the weapon itself as is highlighted in the image below.

3. Model and calibre designations.

The model refers to the make and design, while calibre refers to the diameter of the bullet - usually measured in millimetres or inches. One of the most common sizes is the 9mm calibre which is used in various handguns.

4. Find the serial number.

Serial numbers are useful for tracing weapons when they are recorded in documentation pertaining to manufacture, import, export, licensing, or in-country transfer.

To track a weapon’s origins, several databases are available for you to use:

Weapons Identification Database
The Weapons Identification Database includes several small arms and light weapons. The database about these weapons includes information about the producer, type, calibre as well as photos to help you visually match a weapon.

Arms Embargoes Database
The Arms Embargoes Database aggregates data about all multilateral arms embargoes that have been adopted by the EU or the UN, or a group of nations.

Arms Transfers Database
The Arms Transfers Database traces suppliers and recipients of arms. It enables individual comparisons between countries with an option to select the range of years to cover and the weapon systems to include.

Military Expenditure Database
The Military Expenditure Database contains data about the military spending of 171 countries since 1988 as well as of NATO member states from 1949 or from their time of accession.

BOX #4
Detailed Investigation Into Russian Air Strikes on the Mariupol Theatre, Ukraine

Tom James, Sophie Dyer, Stella Cooper, Crisis Evidence Lab, Amnesty International

In the Crisis Evidence Lab at Amnesty International, we use digital 3D models to both generate new findings (evidentiary) and to communicate existing findings (demonstrative).

It is worth comparing them to their analogue counterparts, that is, physical architectural models. Architectural models can be quick sketches, conceived to check the viability of an idea or richly detailed presentations that take months to produce. They can be made to different scales: from a tiny detail study to a city-scale model that fills an exhibition room.

Digital models can be all these things too, either separately or all at once. They can contain many different layers of data that can be turned on and off or overlaid. They can be zoomed almost infinitely, enabling 3D and 2D elements to be viewed together at different scales.

In the work of the Crisis Evidence Lab, digital models become operational in multiple ways at different stages of an investigation.
They can be containers for organising evidence - including photos, videos, satellite imagery, drawings, witness testimony - in time and space. Through this process we gain new insights into the research materials, revealing details not readily apparent when analysing the media independently. Lastly, we use models as presentation devices: to publish often complex findings in print, video and interactive visualisations.

Our most recent model was built to accompany an in-depth report on the March 16, 2022 attack on the Donetsk Academic Regional Drama Theatre in Mariupol, Ukraine. Amnesty International interviewed more than 50 survivors and witnesses, and collected extensive digital evidence. The investigation concluded that Russian military forces likely deliberately targeted the theatre with air strikes, despite knowing hundreds of civilians were sheltering there on 16 March, making the attack a clear war crime.

A key secondary finding is that the damage to the theatre, although devastating, was relatively localised, and the death toll was probably lower than previous counts published by local authorities and international media. Witnesses described how the blasts caused severe damage and multiple fatalities in certain areas and left other areas protected from the explosion.

To better understand the impact of this attack, we built a 3D model which we overlaid with witness locations and testimonies about areas of greatest damage, photos and videos, as well as a mathematical model of the blast wave. By doing this as a volumetric 3D model rather than 2D floor plans, we can visualise the layers in place, and explore the damage from multiple angles with more clarity.

We started by reconstructing in 3D the overall dimensions of the theatre using photos from before the attack. By teaching the 3D software which are the main features defining the perspective of the photo, it is possible to ‘solve’ the camera, and establish a good estimate for camera position and focal length. In doing so, we can reference the image to model exterior details in the correct proportions. The overall scale can then be corrected using satellite images, or referencing objects of known sizes in the photos, such as cars or street furniture.

Initially we only had access to hand-drawn plans of the interior of the theatre, produced by a witness who made measured drawings of the layout. Subsequently we were given access to full CAD (Computer Aided Design) plans, produced when the building was refurbished in 2018, which made all interior details clear. At this point it was straightforward to trace the plans and extrude the walls of each floor. We stacked them in 3D using clues from interior and exterior photos, as well as stair details, to estimate floor heights.

We used 3D software to geolocate the building accurately on satellite imagery, and then imported map data to generate the surrounding buildings, roads, and open spaces in that area of Mariupol.

This city district-level context was important for establishing the relative geographic isolation of the theatre to other buildings, when considering the intentionality of its targeting. It is often common to treat 3D models of buildings as ‘objects’, floating in space, and viewed from afar. By anchoring the building in its urban context, we establish its scale and relationship to a living city, as well as the significant portion of it that was underground.

We took the decision not to model any of the damage to the building. This can work for certain investigative or diagrammatic purposes, but here it was far better to use the model as the backdrop to overlay photos of the damage, which are far more revealing. In this way, the model becomes a representation of the building prior to the attack, and a container for the media recorded afterwards.

To locate images in the model, we used a similar method to the one described earlier, using perspective lines to calculate the camera position and focal length - or reading the focal length from the metadata if available - and then estimating the position manually. Moving between photos and videos in the model is a powerful way to map the spatial or geographic dimension of an investigation. Moving from image to image while using the model as a backdrop helps the viewer to visualise a sequence of events in time and space.

When it came time to present the model, rather than building an interactive platform we opted for a scripted explainer-style video, with a voiceover from a Ukrainian human rights activist that guides the viewer through events in lay terms, targeted at a general audience. This allowed us to incorporate not only the 3D model and overlaid media showing structural damage to the theatre, but also other elements including open- and closed-source footage, satellite imagery and an animated visual timeline of events. Additional outputs were a series of short clips and stills that were included in the report, shared across the Amnesty movement, and published on social media.

Building a 3D digital model gives us great flexibility in producing drawings and animated segments that evolve alongside the script as it is refined. Segments can be exported in low resolution to check timing and script beats, iterated upon and then rendered at full quality. By cutting into or ‘exploding’ parts of this model we were able to show how the ordnance penetrated the main theatre space with minimal resistance except for the roof, before exploding at stage level.

In this investigation, the 3D model served to synthesise the testimonies and other evidence into an overall view that convincingly corroborated the areas of damage against those with known casualties, and served as a narrative and illustrative device in support of the detailed report. Incorporating it into a six-minute video greatly enhanced the user experience and made the findings of the investigation more accessible to a far wider audience.

Chapter 6
Find Out Who Owns a Corporation

If you would like to investigate the world’s largest companies and reveal who owns offshore companies and trusts, free databases are your starting point. There are other ways to research companies; you can find official and court records, and search on subscription databases or corporate websites.

Whether you are investigating global money-laundering cases or bribery, you can use OpenCorporates to try to identify who is who and who is transacting with whom. The database can provide the company’s incorporation date, its registered addresses, and the names of directors and officers. You can search connections between companies, or work out which companies are run by the same CEO and even do more specific searches focusing on particular countries. Similarly, journalists trying to ‘follow the money’ across borders can use the Investigative Dashboard, created by the Organised Crime and Corruption Reporting Project (OCCRP), to allow access to hundreds of databases that detail company records and online and offline court records from nearly every country in the world.

If you are trying to expose organised crime and corruption around the world, the Offshore Leaks Database, developed by the International Consortium of Investigative Journalists (ICIJ), can help you to find information and documents on persons of interest and their business connections. The database contains leaked documents about nearly 785,000 offshore companies and trusts.

If you are interested in covering oil, gas and mining and you would like to discover the connection between the companies that own and operate oil rigs, and how they are incorporated as companies in, or working through, maritime tax havens, check the portal Double Offshore developed by Code for Africa. The same organisation developed the project the Miners of Mozambique, to discover the individuals behind the mining industry in Mozambique and their connections.

MORE:
● ResourceContracts: A portal that houses over a thousand mining and oil contracts.
● Resourceprojects.org: A repository of extractives projects
BOX #5
How did a complex network of shell companies trade Syrian phosphates despite sanctions?

Bashar Deeb
investigator at Lighthouse Reports

Whether it’s a warzone in the Middle East, Ukraine or Africa, or borders between Greece and Turkey, it’s often very difficult to send journalists to inquire about things in such places. During a joint investigation between Lighthouse Reports, the Organised Crime and Corruption Reporting Project (OCCRP), and Syrian Investigative Reporting for Accountability Journalism (SIRAJ), we were looking at the exports of Syrian phosphates to see where they were ending up. The exports started off from the Mediterranean port of Tartous, which is controlled by Russia. This port is not a place where journalists can visit and speak to people, so OSINT was critical to this work.

In theory, finding the ships that are loading the phosphates in the port was the main challenge to figure out where the phosphate was going because then we could track these ships on commercial AIS services to see their final destinations. During the investigation, my colleagues noticed that the port’s FB page was regularly publishing a list of the working ships on a daily basis. The list also contained the type of cargo for each ship and the piers where each of them was docked.

But this didn’t last long: the page deleted most of its recent lists and stopped publishing new ones after June 2020. But using Google dorking techniques - a search string that uses advanced search queries to find information that is not easily available - we managed to find other pages which had copy-pasted these lists and reconstructed the timeline of the working ships in Tartous port. This allowed us to track the ones carrying phosphates to their European destinations. Of course, we did extra traditional verification work in some cases by asking for landing bills for these ships to make sure our analysis was correct; in some other cases we obtained custom records that verified to us that these ships were indeed moving phosphates.

But we still needed to find out where the new shipments were going. Here, the challenge was to figure out a way to identify which ships were moving phosphates after June 2020. Based on our observations of these lists but also on reading old online articles about the structure of the port, we noticed that all the phosphate-carrying vessels would dock in berths 18-19. This pier was built specifically to handle phosphates, with a crane operating between it and a dedicated phosphate storage area. We used satellite imagery to verify. Having this information allowed us to look through photos taken by port workers or photos from official visits to the port and identify a few ships that were docked in this pier.

Two examples of that are 1/ a series of photos posted from the port after the visit by the Syrian energy minister to the port in May 2021, where we identified two ships in the Phosphates pier; 2/ a selfie taken by a port worker which showed a ship in the background docked on the same pier. We tracked these ships and figured out that they ended up in Romania and Ukraine.

Also by looking at visual material posted by workers at the port, we found a live Facebook video taken from inside the phosphate section which showed a truck driver emptying phosphate from a bigger truck. The truck had the logo of a security company which was born out of a militia. This company was reported as being the one providing security to the phosphates convoy coming from the mines to the port, but nevertheless we added visual evidence that confirmed this reporting.

Chapter 7
Analysing Satellite Imagery

When you have a story, but still need to tie up loose ends to answer where or when a particular event occurred, analysing satellite imagery can point you in the right direction.

So how do you get started?

Analysing satellite imagery can be useful in providing geographical context, reconstructing events, or even verifying if a particular event even happened at all.

The use of satellite imagery has become an indispensable tool for investigative journalists to report on conflicts, environmental destruction, developments in military infrastructure and natural disasters. Satellite imagery has also become a compelling centrepiece for visual storytelling, and a window into remote or restricted locations. Investigative journalists can use satellite imagery to make visible what governments or institutions want hidden out of sight.

SATELLITE IMAGERY PROVIDERS

Over the past few years, several free and subscription-based earth imaging companies have emerged allowing anyone to access high-resolution satellite imagery from all over the world. Some of these services include:

Free services
● Google Earth
● NASA’s Worldview
● The European Space Agency
● World Imagery Wayback Tool
● Zoom Earth

Subscription services
● Maxar Technologies
● Planet Labs
● Sentinel Hub
● SI Imaging Services
● Spaceknow

However, just having access to these services is not always enough. For satellite image analysis to be effective in your investigation you will need to ensure that the recency of the images as well as the satellite image resolution are adequate to match your needs.

Companies like Maxar Technologies and Planet Labs will often publish very high resolution, up-to-date satellite images on image wire services such as AP, AFP and Reuters. These companies also often provide image archives of big stories to the media.

Once you have identified your image provider, the next step is to make sense of the satellite imagery. Examining images can complement other research and provide corroborating evidence.

To unlock the rich information in a satellite image, you should:

1. Determine the image scale to help you determine the size of the area you are analysing
2. Look for patterns, shapes and geographical textures including natural and man-made landmarks.
3. Find where north is facing to help you determine the direction of movement of subjects of interest and/or shadows.
4. Analyse the direction of the shadows and colour of the terrain to help you determine the date and time a particular image was captured.
5. Consider your prior knowledge of a location to see if anything stands out in the environment

Be careful

With more people using satellite images you will also get more people trying to misuse satellite images to better align with their agenda.

Here are some things you should do when you have doubts about the validity of a satellite image:

● Verify that the image matches the original source of the satellite imaging provider
● Compare the satellite image with other sources
● Try to verify when an image was captured by using tools like suncalc.org to analyse the position of the sun and shadows
● Consult a remote sensing expert
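
The shadow check in step 4 and the suncalc.org advice above rest on a calculation that can be run offline: predict where the sun was for a claimed place and date, then find the time of day that matches the shadow direction measured on a north-up image. The following is an added example, not part of the handbook; it uses standard low-precision solar position formulae, ignores atmospheric refraction, and the coordinates (approximate, Port of Beirut) and the capture time are constructed.

```python
import math
from datetime import datetime, timedelta, timezone

J2000 = datetime(2000, 1, 1, 12, tzinfo=timezone.utc)


def sun_position(when, lat, lon):
    """Sun (azimuth, elevation) in degrees for a timezone-aware datetime.

    Azimuth is clockwise from true north, lon is degrees east. Low-precision
    formulae; atmospheric refraction is ignored.
    """
    d = (when - J2000).total_seconds() / 86400.0  # days since J2000.0
    mean_lon = math.radians((280.460 + 0.9856474 * d) % 360)
    mean_anom = math.radians((357.528 + 0.9856003 * d) % 360)
    ecl_lon = mean_lon + math.radians(
        1.915 * math.sin(mean_anom) + 0.020 * math.sin(2 * mean_anom))
    obliquity = math.radians(23.439 - 0.0000004 * d)
    right_asc = math.atan2(math.cos(obliquity) * math.sin(ecl_lon),
                           math.cos(ecl_lon))
    decl = math.asin(math.sin(obliquity) * math.sin(ecl_lon))
    # Greenwich mean sidereal time (hours -> degrees), then local hour angle.
    gmst_deg = ((18.697374558 + 24.06570982441908 * d) % 24) * 15
    hour_angle = math.radians(gmst_deg + lon) - right_asc
    phi = math.radians(lat)
    elevation = math.asin(math.sin(phi) * math.sin(decl)
                          + math.cos(phi) * math.cos(decl) * math.cos(hour_angle))
    azimuth = math.atan2(
        -math.sin(hour_angle),
        math.tan(decl) * math.cos(phi) - math.sin(phi) * math.cos(hour_angle))
    return math.degrees(azimuth) % 360, math.degrees(elevation)


def shadow_azimuth(when, lat, lon):
    """Direction a vertical object's shadow points, or None when the sun is down."""
    azimuth, elevation = sun_position(when, lat, lon)
    return (azimuth + 180) % 360 if elevation > 0 else None


def shadow_length(height_m, elevation_deg):
    """Ground length of the shadow cast by an object of known height."""
    return height_m / math.tan(math.radians(elevation_deg))


def estimate_capture_time(day, lat, lon, observed_shadow_az, tolerance=1.0):
    """Best-matching UTC time on local day `day` for a measured shadow azimuth.

    Scans the local solar day minute by minute and returns None when no
    daylight minute is within `tolerance` degrees, which means the claimed date
    or location is inconsistent with the shadow. In the tropics two times of
    day can share an azimuth; only the closest match is returned.
    """
    start = (datetime(day.year, day.month, day.day, tzinfo=timezone.utc)
             - timedelta(minutes=round(lon * 4)))  # approximate local midnight
    best_time, best_err = None, None
    for minute in range(24 * 60):
        when = start + timedelta(minutes=minute)
        predicted = shadow_azimuth(when, lat, lon)
        if predicted is None:
            continue
        err = abs((predicted - observed_shadow_az + 180) % 360 - 180)
        if best_err is None or err < best_err:
            best_time, best_err = when, err
    if best_err is None or best_err > tolerance:
        return None
    return best_time


# Constructed sample: approximate coordinates for the Port of Beirut and an
# arbitrary capture time on August 5, 2020 (not taken from any real image).
SAMPLE_LAT, SAMPLE_LON = 33.90, 35.52
SAMPLE_TIME = datetime(2020, 8, 5, 8, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    measured = shadow_azimuth(SAMPLE_TIME, SAMPLE_LAT, SAMPLE_LON)
    print("shadow azimuth:", round(measured, 1))
    print("estimated capture time:",
          estimate_capture_time(SAMPLE_TIME.date(), SAMPLE_LAT, SAMPLE_LON, measured))
```

Measure the shadow of a vertical object such as a pole or a building corner, and compare the result with the provider's stated acquisition time rather than treating it as exact.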

CASE STUDIES USING SATELLITE IMAGERY

One of the most common uses of satellite imagery is to compare before and after images in a specific location.

BEFORE AND AFTER

On August 4, 2020, a massive explosion in the Port of Beirut ripped through Lebanon’s capital, killing 218 people, injuring 7,000 and leaving 300,000 displaced.

The blast, which is considered one of the biggest non-nuclear explosions to have been recorded, damaged 77,000 apartments and caused an estimated $3.8-4.6bn in material damage.

Satellite images captured on August 5 highlighted the extent of the damage to the surrounding area.

MAPPING ENVIRONMENTAL IMPACT

Journalists are increasingly using satellite imagery to conduct disaster damage assessment or carry out environmental monitoring. Free Satellite Data on Africa, a new tool by Digital Earth Africa, offers free satellite data on water resources and flood risks, agriculture and food security, urbanisation and more. The Smoke Screen project used analysis of satellite data to prove deforestation by large private landowners in the Amazon.

CASE STUDIES

● Xinjiang detention camps

In 2018, Shawn Zhang, a Chinese law student in Canada, began scouring Google Earth for evidence of detentions in Xinjiang, an official autonomous region in China.

Since then, several organisations including the Australian Strategic Policy Institute (ASPI) have used satellite imagery, witness accounts, media reports and official construction tender documents to classify the detention facilities into four tiers depending on the existence of security features such as high perimeter walls, watchtowers and internal fencing.

ASPI says they have identified more than 380 “suspected detention facilities” in the region, where the United Nations says more than one million Uighurs and other mostly Muslim Turkic-speaking residents have been held in recent years.

● Weapons sales to Libya

Using tracking tools and open source data, investigative journalist Mahmoud Al-Waqi and team revealed how weapons and armoured vehicles manufactured in the United Arab Emirates and Turkey were sold to warring factions in Libya, in violation of the UN arms embargo on Libya.

This case study helped the team to claim that the United Arab Emirates and Turkey have been violating the UN arms embargo. As it was impossible to visit sites in Libya, satellite imagery helped verify claims.

● Attacks on Hospitals and Medical Staff in Sudan

An investigation by Benjamin Strick used open source investigative techniques to geolocate, chronolocate and analyse footage of two attacks by security forces on an emergency department in Sudan in December 2021 and January 2022 where staff and patients were tear-gassed while inside the hospital. As noted by the author of the investigation, the purpose of this work is to stimulate conversation, research and development in the open source investigations community, the human rights field and the events happening in Sudan, as well as to document wrongdoing and identify those responsible.

● Massacre in Tigray

An investigation by BBC Africa Eye uncovered evidence that a massacre in northern Ethiopia was carried out by members of the Ethiopian military. It also revealed the precise location of the atrocity, in which at least 15 men were killed. This investigation reconstructs the exact place of the massacre, the period in which it took place and even the identity of the perpetrators, without leaving London, only with the help of open source tools and techniques.

Chapter 8
Tools and Networks

● Bellingcat’s Online Investigative Toolkit
● First Steps to Getting Started in Open Source Research
● OSINTcurio.us features weekly podcasts, webcasts and “10 minute tips” on video covering many aspects of doing open source investigations. It’s a community project begun in late 2018 by about 10 contributing experts
● The Open Source Intelligence Framework has a very detailed and ever-growing list of digital investigative tools
● Exposing the Invisible Kit by Tactical Tech
● Open Source Intelligence Techniques by Michael Bazzell
● Online research tools by Global Investigative Journalism Network
● The OSINT Framework

NETWORKS

● Global Investigative Journalism Network (GIJN)
● Organised Crime and Corruption Reporting Project (OCCRP)
● Arab Reporters for Investigative Journalism (ARIJ)
● International Consortium of Investigative Journalists (ICIJ)
● C4ADS is a non-profit organisation dedicated to data-driven analysis and evidence-based reporting of conflict and security issues worldwide.
Open Source
Investigation
Handbook

By
Sara Creta

Edited by:
Muhammad Al khamaiseh
Nina Montagu-Smith

Designed by:
Ahmad Fattah

With special thanks to:


Mohammed El-Haddad
Phil Rees
