OSINT/GEOINT - Investigating and geolocating #1 - Commercial flight

A few days ago, a good friend sent me a picture taken from a plane for an OSINT/GEOINT challenge. The goal was to find the flight departure, arrival, but also, where the picture was taken. The topic being rather fun and considering the variety of information and skills needed to solve the challenge, I thought it would be interesting to write about it.

Prelude

If you are unfamiliar with the OSINT/GEOINT terms or if you landed here just driven by curiosity, then this paragraph is for you :

OSINT stands for Open Source Intelligence and corresponds to all the public or semi-public information you can gather on a given target.

GEOINT (Geospatial Intelligence) is intelligence about the human activity on earth derived from the exploitation and analysis of imagery and geospatial information that describes, assesses, and visually depicts physical features and geographically referenced activities on the Earth.

The idea behind this blogpost is to talk about different topics and information gathering methods, whether geographical or physical, in order to solve a small real case of open source investigation. For those less familiar with the subject, it also shows how you can research, investigate and identify this kind of thing.

Context and first elements

Sunday, 30th of August, 2020. We receive the following picture on the group channel we often use, quoted with the following message : “Where did I take this picture ? Where did I takeoff and to which destination ? :)”

Challenge picture
Fig. 1 : Original challenge picture

From that moment, even if I have a few days ahead of me, the remaining time to solve the challenge is counted. You will understand why later.

Since the person lives in France, I made the hypothesis of a departure from a French airport. Moreover, thanks to contextual information, I know that this person is probably located in the North/Western part of France right now.

First things first: even before starting on the picture, we can see that the original filename has been kept : IMG_20200830_180055091_HDR.jpg. The interesting point here is that when a mobile phone takes a picture, it uses a timestamp to name the file. This way, it is impossible to have a duplicate. In our case, this gives us crucial information, the date and the probable time when the picture was shot : The 08/30/2020 at 18:00.

You can also verify this information by viewing the file’s metadata.

$ exiftool IMG_20200830_180055091_HDR.jpg
[...]
Create Date                     : 2020:08:30 18:00:59.210329
Date/Time Original              : 2020:08:30 18:00:59.210329
Modify Date                     : 2020:08:30 18:00:59.210329
[...]

Let’s now move on to the picture analysis. At first glance, at least four elements are worth checking.

Challenge picture 2
Fig. 2 : Interesting elements to analyze
  • Red : The aircraft winglet, and especially its shape and colour, is interesting information. Indeed, it can help to identify the aircraft model and the airline company ;
  • Yellow : The low part of the wing flaps (If just like me, this word is new, here it is : link) can, just as the winglet, give information for aircraft identification ;
  • Green : The landscape and especially the relief indicate a mountainous region. Other equivalent elements are on the picture but for clarity’s sake, only 2 mountains have been framed ;
  • Blue : The shadows cast by the sun, including those on the reliefs below, are also important visual elements because, as long as we know when the picture was shot, we can use them to find the sun position and so calculate the plane trajectory.

Good ! Now that we have this information, it’s research time. But.. What are we looking for ?

1/ What is the featured aircraft model ?
2/ Which company, flying in France, is using this type of aircraft ?
3/ Which direction is it heading to ?
4/ What is the flight number ?
5/ Where was the picture shot ?

Aircraft Identification

For this task, I based my research on the elements identified above, but also on the fact that I know very little about the aviation world, which in this case allowed me to avoid long searches. Indeed, having only little information on the different types of aircraft in use, I naturally turned to the two biggest (or at least the best known in Europe) companies producing aircraft : Airbus and Boeing.

I’m skipping some details, but for Boeing, nothing seems to correspond to what we have here.

For Airbus (link and link), I started with the A380 model but quickly discarded this option because this model, propelled by four engines, has 5 flap sliding rails per wing, whereas our aircraft only has 4 of them.

Airbus A380
Fig. 3 : Airbus A380

The A320 family (and derivatives) is more promising! The following post (link) explains some of the differences between models, especially with the “NEO” range. All of the NEO aircraft have “sharklet” winglets (one-sided upward winglet). Our aircraft is, therefore, not a NEO.

Then, looking at the Airbus A318, we see that only 80 aircraft have been built, and 59 are now in service. In Europe, only Air France and TAROM (Romanian airline) operate them. Thus, even if the characteristics may correspond, this aircraft is unlikely to be an A318.

The A319 and A320 are very similar aircraft, especially regarding the wings. One of the big differences between the two is the 2 emergency doors located near the wings on the A320. Now if we take a look at the A321 model, the main difference with its two brothers is its size, larger than the two others.

Furthermore, the below picture shows a lateral door just behind the wing on the Airbus A321, located at approximately the same level as the passenger seat from which the photo was taken. So, it seems we can discard the A321.

A320 family schema
Fig. 4 : Airbus A32X Family

So, this first round of research allows us to build the following reduced list :

  • Airbus A319
  • Airbus A320
  • Other ?

Having no way to be 100% sure of the aircraft model, but having this small list, we can keep it in order to correlate it later with other elements.

Flying path analysis

In order to prepare the future research on the airline company, I preferred to start with the aircraft trajectory analysis, as it could allow us to discard some airlines.

It is possible to get a more or less precise idea of the plane’s trajectory by using the shadows cast by the sun, both on the plane’s cabin and on the mountains below. Moreover, knowing when the photo was shot makes the search easier.

The online tool Suncalc allows you to look up the precise sun position over time, even for past days. So if we take Paris as a reference for the 30th of August, we have the following result.

Suncalc Paris
Fig. 5 : Sun position on the 08/30/2020, 18:00

The shadow on the plane’s wing indicates that the sun was on its right. The non-parallel alignment of the shadow with the shape of the plane also indicates that the sun was located slightly behind.

Sun position on airplane
Fig. 6 : Plane's shadow on the wing

On the other hand, the shadows of the clouds and mountains give clues that refine the sun position, a little more behind.

Sun position on clouds
Fig. 7 : Shadows on clouds and mountains

Still assuming a hypothetical departure from France, and thanks to the previous elements, we can roughly plot a supposed flying path toward the South-East. The following red line corresponds to the sun projection, whereas the red arrow symbolizes the potential path.

Plane direction
Fig. 8 : Potential plane trajectory

Finally, possible destinations are restricted to places around the Mediterranean Sea, the North of Africa and the West of the Middle East.

Identifying the Airline Company

Assuming a departure from France toward the South-East, the research is naturally oriented toward European airlines. So, we are looking for companies :

  • Having A319 or A320 (or even A318) ;
  • Flying from France, toward South-East ;
  • Using red and white colours, especially for wings and winglets.

From now on, we can take 2 paths. The first idea is to search through all airlines flying in Europe, look at their colours and filter on this. That’s what I did when I first investigated this case. However, after thinking twice about it, another approach might be more efficient: starting by filtering on airlines flying in France seems a better idea. Several online resources provide the type of list we are looking for (link). Even if that is a good starting point, it doesn’t allow filtering on France, but Skyscanner has this feature (link). We now have a list of 32 airlines to search for. Keeping in mind a departure from the West or North, we could even filter by region or use the list of the busiest airports (link), but that increases the risk of missing something important.

Through Google Images, we can also quickly browse the 32 airlines and discard most of them. Finally, after a quick search, only 6 airlines correspond in terms of colours :

  • Volotea
  • Iberia
  • SWISS Airlines
  • Austrian Airlines
  • Air Algerie
  • Czech Airlines

The fleet analysis for each of them (public information, available on their websites) reveals that none of them own A318 aircraft. Furthermore, Air Algerie has neither A319 nor A320, so we can discard it.

  • Volotea
  • Iberia
  • SWISS Airlines
  • Austrian Airlines
  • Air Algerie (discarded)
  • Czech Airlines

After a slightly deeper analysis, 2 more false positives are spotted, because of white winglets :

  • Volotea
  • Iberia (discarded)
  • SWISS Airlines (discarded)
  • Austrian Airlines
  • Air Algerie (discarded)
  • Czech Airlines

The three remaining airlines all have corresponding colours. But, what about their routes ?

The excellent flight tracking tool FlightRadar24 gives the opportunity to visualize, for a given airline, the entire route network. Thus, by showing all routes for the three airlines, we can also discard Czech Airlines and Austrian Airlines because they don’t have any flight to the South-East from France.

Austrian Airlines routes
Fig. 9 : Austrian Airlines routes
Czech Airlines routes
Fig. 10 : Czech Airlines routes

The Volotea network seems to have many more routes, including some that could fit our criteria.

Volotea routes
Fig. 10 : Volotea Airlines routes

Considering the gathered elements, we are now almost sure that the airline used for this flight was Volotea. One more small piece of information: if we check their operational fleet (link), we can see that Volotea only uses two types of aircraft, Airbus A319 and Boeing 717. So, we can now also be sure about the aircraft, an Airbus A319 !

Researching the right flight

Do you remember when, at the beginning of this blogpost, I mentioned the fact that we must be quick to solve problems like this one ? This is where it matters: when researching precise information about the flight and later, when trying to geolocate the picture.

Indeed, several online resources index and log past flights, along with a lot of information about them (for example, the exact and real departure and arrival times). This information is usually free, but only for a short period of time, often 7 days. Even though most of these websites make it possible to go further back in time, that service is usually not free and can be expensive.

Once again, the online service FlightRadar24 can be useful to search flights, airport by airport. However, since I didn’t know the departure and arrival airports, I chose to use another service, Airportia, which offers a free flight history for a given airline.

So, thanks to the search function, filtered by date and time, we’re able to only see flights for the 30th of August. However, we have to be careful regarding the time. Indeed, the website data are based on the GMT (or UTC) format. Right now, we’re on a UTC+2 time zone, so we have to add 2 hours to get the real time.

Sunday Flights Volotea
Fig. 11 : Volotea flights history

According to the gathered data, only two flights correspond to our criteria (departure from France, probably from the North/West, toward South-East).

  • The V72606 flight, leaving Nantes (17:05) to Bastia, Corsica (18:55) ;
  • The V72581 flight, leaving Caen (17:15) to Marseille (18:50).

We can also check the history of each flight for the last 7 days, through FlightRadar24.

Nantes flights
Fig. 12 : V72606 flight history
Caen flights
Fig. 13 : V72581 flight history

As seen, both flights are coherent in terms of date, time and route, so it is difficult to know which one is the right one. That’s why the last analysis step will help us identify it.

Geolocating the picture

Great ! Considering that we don’t have a full answer but a short list, searching for the exact place where the person shot the picture could help us discard one flight and reveal the right one. Two methods can be employed here.

Firstly, if we plot the trajectory, even if it’s kinda rough, between departures and arrivals, for each flight, a little difference can be seen.

Nantes & Caen directions
Fig. 14 : Trajectory for both flights

And now, if we reuse the previously identified sun calculation for the 30th of August at 18:00 and apply it to the previous paths, we get the following map, which shows approximately where the sun was relative to the plane.

Sun position over flights
Fig. 15 : Sun position for each flight

Now let’s take a look, once again, at the shadows below, just like we did before. If we look at the angle they make on the elements they are cast on (for example, clouds and mountains), we can strongly suppose that the sun, while being on the right side of the plane, is not perpendicular to it and slightly aligns itself with the aircraft.

Sun position on clouds
Fig. 16 : Cloud's and mountain's shadows
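The comparison drawn on Fig. 14 and Fig. 15 can also be put into numbers. The Python sketch below is an added example, not part of the original investigation: it reads the local capture time from the file name, computes the sun azimuth with a standard low-precision solar formula, and compares it with the straight-line bearing of each candidate route. The airport coordinates are approximate values supplied for the example, the UTC+2 offset is the one stated in this post, and the aircraft position is taken as the rough mid-route point.

```python
import math, re
from datetime import datetime, timedelta, timezone

# Approximate airport coordinates (lat, lon in degrees), supplied for this example.
AIRPORTS = {"Nantes": (47.153, -1.611), "Bastia": (42.553, 9.484),
            "Caen": (49.173, -0.450), "Marseille": (43.436, 5.215)}
J2000 = datetime(2000, 1, 1, 12, tzinfo=timezone.utc)

def shot_time(filename, utc_offset_hours=2):
    """Read the local capture time from an IMG_YYYYMMDD_HHMMSS... file name."""
    d, t = re.search(r"IMG_(\d{8})_(\d{6})", filename).groups()
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.strptime(d + t, "%Y%m%d%H%M%S").replace(tzinfo=tz)

def sun_azimuth(when, lat, lon):
    """Low-precision solar azimuth, in degrees clockwise from north."""
    n = (when - J2000).total_seconds() / 86400.0          # days since J2000
    g = math.radians((357.528 + 0.9856003 * n) % 360)     # mean anomaly
    lam = math.radians((280.460 + 0.9856474 * n) % 360    # ecliptic longitude
                       + 1.915 * math.sin(g) + 0.020 * math.sin(2 * g))
    eps = math.radians(23.439 - 0.0000004 * n)            # obliquity
    ra = math.atan2(math.cos(eps) * math.sin(lam), math.cos(lam))
    dec = math.asin(math.sin(eps) * math.sin(lam))
    gmst = math.radians(((18.697374558 + 24.06570982441908 * n) % 24) * 15)
    ha = gmst + math.radians(lon) - ra                    # local hour angle
    phi = math.radians(lat)
    az = math.atan2(-math.sin(ha),
                    math.tan(dec) * math.cos(phi) - math.sin(phi) * math.cos(ha))
    return math.degrees(az) % 360

def bearing(a, b):
    """Initial great-circle bearing from point a to point b, in degrees."""
    p1, l1, p2, l2 = map(math.radians, (*a, *b))
    y = math.sin(l2 - l1) * math.cos(p2)
    x = math.cos(p1) * math.sin(p2) - math.sin(p1) * math.cos(p2) * math.cos(l2 - l1)
    return math.degrees(math.atan2(y, x)) % 360

def sun_relative_to_nose(dep, arr, when):
    """Sun angle clockwise from the nose: 90 = right wingtip, 180 = tail."""
    a, b = AIRPORTS[dep], AIRPORTS[arr]
    mid = ((a[0] + b[0]) / 2, (a[1] + b[1]) / 2)          # rough mid-route position
    return (sun_azimuth(when, *mid) - bearing(a, b)) % 360

if __name__ == "__main__":
    when = shot_time("IMG_20200830_180055091_HDR.jpg")
    for dep, arr in (("Nantes", "Bastia"), ("Caen", "Marseille")):
        print(f"{dep}-{arr}: sun {sun_relative_to_nose(dep, arr, when):.0f} deg from the nose")
```

A value close to 90 means the sun is abeam of the right wing, and larger values put it further behind. Under these assumptions the Nantes-Bastia route places the sun noticeably further behind the right wing than the Caen-Marseille route.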

So it seems that flight number V72606 between Nantes and Bastia fits our criteria better. However, another method can be used to confirm that information, or at least to correct it. Once again, it relies on information available only for a short period of time because it comes from the same dataset used previously. FlightRadar24 is also useful here because it lets you replay the exact path and behavior of a given flight, minute by minute.

Live replay Caen
Fig. 17 : V72581 flight replay
Live replay Nantes
Fig. 18 : V72606 flight replay

Alright, so if we look at the V72581 flight between Caen and Marseille around 18:00 (16:00 UTC), the aircraft was close to the city of Clermont-Ferrand, just above a town called Trézioux. If we now check the same thing for the V72606 between Nantes and Bastia, the aircraft was near the French Alps, above another town called Upaix.

From there, we use a quick landscape overview in order to find more elements. Thanks to the following tool (link) you can combine Google Maps (map and satellite) and Google Street View.

Paysage Trézioux
Fig. 19 : Landscape near Trézioux
Paysage Eyguians
Fig. 20 : Landscape near Upaix

On the other hand, the map used by FlightRadar24 is also interesting because its relief visualisation seems to be more precise.

Paysage Trézioux
Fig. 21 : Relief map near Trézioux
Paysage Eyguians
Fig. 22 : Relief map near Upaix

The landscape observation shows that the geographical area around Trézioux, where the Caen-Marseille flight went, is kinda flat, whereas the area near Upaix, where the Nantes-Bastia flight went, is much more mountainous, especially on the left side of the aircraft’s trajectory. Since several mountainous reliefs can be seen on the original photo, we can discard the V72581 (Caen-Marseille) flight !

Conclusion

Finally, we can affirm without much doubt that this person left Nantes (FRA) on the 30th of August 2020 on flight number V72606, heading to Bastia (FRA). Moreover, the featured picture was shot near Upaix, in the south of France.

Later on, this assertion was validated by the person involved, who gave me this screenshot, taken from the mobile application at the same moment he shot the picture. Victory !

Result
Fig. 23 : Screenshot taken from the mobile app

Although I am far from being an expert in this discipline, I tried through this post to explain both the methodology and the research done to get this result, but also to show that it is possible, with a few tools, to conduct this kind of investigation and that, on top of that, it’s a fascinating and fun exercise !

PS : It’s also interesting to note the difference between my first attempt at solving this and the moment I write these lines. Indeed, after some time to think about it, some elements of the methodology have evolved and could have been used to avoid some errors during my first research. But oh, that’s the way we learn things !

Resources & Tools

Before diving into a bunch of posts, tools and other things, I highly recommend this Bellingcat post about flight tracking (link).
