cyber revision

Geolocation, imagery and physical intelligence

Photo geolocation from EXIF and visual clues, WiGLE, satellite imagery, aircraft and ship tracking, and cell tower databases.

Why physical intelligence matters

Geolocating a photograph, identifying a building, tracking an aircraft or mapping a target's physical infrastructure is a distinct OSINT discipline bridging the digital and physical worlds. Physical intelligence can establish:

  • Where a photo was taken, and therefore where a person was at a specific time
  • Whether a claimed location or address is genuine
  • The physical layout, approach routes and security posture of a facility
  • The movement patterns of a person, vehicle or vessel over time
  • When a satellite image was captured relative to when something happened

Photo geolocation

Every photograph is a dataset. The question is which parts are readable.

EXIF metadata

Photos taken on smartphones embed GPS coordinates directly into EXIF metadata unless the camera app is configured to strip them. Extract with ExifTool:

exiftool photo.jpg | grep -i "GPS"
# GPS Latitude   : 51 deg 30' 26.34" N
# GPS Longitude  : 0 deg 7' 39.12" W

Convert to decimal degrees and drop into Google Maps or Google Earth. The presence of GPS coordinates in EXIF is frequently the complete answer in CTF geolocation challenges.
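The conversion step as an added example (not part of the original notes): a small parser for ExifTool's default text output that returns signed decimal degrees, or None when no complete fix is embedded, which also makes it usable as a pre-publication check on your own images. The function names and the sample strings are constructed for illustration.

```python
import re

# ExifTool's default text form, e.g.  GPS Latitude : 51 deg 30' 26.34" N
DMS_LINE = re.compile(
    r"GPS\s+(Latitude|Longitude)\s*:\s*"
    r"(\d+)\s*deg\s*(\d+)'\s*(\d+(?:\.\d+)?)\"\s*([NSEW])"
)

def dms_to_decimal(degrees, minutes, seconds, ref):
    """Degrees/minutes/seconds plus hemisphere letter -> signed decimal degrees."""
    if not (0 <= minutes < 60 and 0 <= seconds < 60):
        raise ValueError("minutes and seconds must be in [0, 60)")
    value = degrees + minutes / 60 + seconds / 3600
    # South and West are negative in the decimal convention used by map tools.
    return -value if ref in ("S", "W") else value

def parse_exiftool_gps(text):
    """Return (lat, lon) from ExifTool text output, or None without a full fix."""
    fix = {}
    for axis, d, m, s, ref in DMS_LINE.findall(text):
        # Hemisphere must match the axis: N/S for latitude, E/W for longitude.
        if (axis == "Latitude") != (ref in "NS"):
            continue
        value = dms_to_decimal(int(d), int(m), float(s), ref)
        limit = 90 if axis == "Latitude" else 180
        if abs(value) <= limit:
            fix.setdefault(axis, value)  # keep the first valid value per axis
    if "Latitude" in fix and "Longitude" in fix:
        return round(fix["Latitude"], 6), round(fix["Longitude"], 6)
    return None

# Constructed samples: the two lines shown above, and a file with location stripped.
WITH_GPS = '''GPS Latitude   : 51 deg 30' 26.34" N
GPS Longitude  : 0 deg 7' 39.12" W'''
STRIPPED = "File Name : photo.jpg\nImage Size : 4032x3024"

if __name__ == "__main__":
    print(parse_exiftool_gps(WITH_GPS))
    print(parse_exiftool_gps(STRIPPED))
```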

Environmental clues

When metadata is absent, work from what the image shows. Systematic analysis can geolocate a photo to within metres:

Vegetation and terrain: tree species, grass type and landscape shape narrow a photo to a climate zone and hemisphere. Deciduous vs evergreen forests, tropical palms, alpine terrain and savannah each reduce the candidate area substantially. Bellingcat and Geoguessr communities have mapped many regional vegetation indicators.

Architecture and construction: building materials, roof styles, window patterns, utility pole types, road markings, guard rail designs, and traffic light styles all vary by country and region. These are often more reliable identifiers than they appear.

Signs and text: partial text in a foreign alphabet, a phone number format, a street name, vehicle number plates, or a visible business name are directly resolvable via Google or map search. Even a glimpse of a road sign or supermarket logo narrows the location dramatically.

Sun angle and shadows: the direction and length of shadows reveal time of day and (with a known date) compass direction. SunCalc (suncalc.org) plots sun position (azimuth and elevation) for any location and time. Drop a candidate location into SunCalc and match the predicted shadow direction against the image to confirm or eliminate the hypothesis.

Infrastructure fingerprinting: electricity pylons, road construction equipment brands, public transit signs, kerb and road paint styles, and fire hydrant designs all differ by country. Bellingcat's geolocation guides detail many of these identifiers for open-source conflict verification.

Reverse image search and maps: once you have a hypothesis (a distinctive building, coastline or landmark), enter it into Google Maps Street View or Yandex Maps Panorama to verify at ground level.
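The sun-angle check described above, as an added example (not part of the original notes): it computes approximate solar azimuth and elevation for a candidate location and UTC time using Spencer's Fourier-series approximation, then tests whether the predicted shadow bearing matches the one measured in the image. The function names, the 15-degree tolerance and the sample candidate are assumptions; atmospheric refraction is ignored.

```python
import math
from datetime import datetime, timezone

def sun_position(lat, lon, when_utc):
    """Approximate solar (azimuth, elevation) in degrees; azimuth is clockwise from north."""
    hours = when_utc.hour + when_utc.minute / 60 + when_utc.second / 3600
    g = 2 * math.pi / 365 * (when_utc.timetuple().tm_yday - 1 + (hours - 12) / 24)
    # Equation of time (minutes) and solar declination (radians).
    eqtime = 229.18 * (0.000075 + 0.001868 * math.cos(g) - 0.032077 * math.sin(g)
                       - 0.014615 * math.cos(2 * g) - 0.040849 * math.sin(2 * g))
    decl = (0.006918 - 0.399912 * math.cos(g) + 0.070257 * math.sin(g)
            - 0.006758 * math.cos(2 * g) + 0.000907 * math.sin(2 * g)
            - 0.002697 * math.cos(3 * g) + 0.00148 * math.sin(3 * g))
    # True solar time in minutes, then hour angle (0 at local solar noon).
    tst = hours * 60 + eqtime + 4 * lon
    ha = math.radians(tst / 4 - 180)
    phi = math.radians(lat)
    sin_el = (math.sin(phi) * math.sin(decl)
              + math.cos(phi) * math.cos(decl) * math.cos(ha))
    elevation = math.degrees(math.asin(sin_el))
    south_based = math.atan2(
        math.sin(ha), math.cos(ha) * math.sin(phi) - math.tan(decl) * math.cos(phi))
    return (math.degrees(south_based) + 180) % 360, elevation

def predicted_shadow(lat, lon, when_utc):
    """Return (bearing the shadow points to, shadow length / object height), or None at night."""
    azimuth, elevation = sun_position(lat, lon, when_utc)
    if elevation <= 0:
        return None
    return (azimuth + 180) % 360, 1 / math.tan(math.radians(elevation))

def shadow_consistent(lat, lon, when_utc, observed_bearing, tolerance=15.0):
    """True if the candidate's predicted shadow bearing is within tolerance of the image's."""
    predicted = predicted_shadow(lat, lon, when_utc)
    if predicted is None:
        return False
    diff = abs((predicted[0] - observed_bearing + 180) % 360 - 180)
    return diff <= tolerance

if __name__ == "__main__":
    # Constructed candidate: central London, 21 June 2024, 12:00 UTC.
    when = datetime(2024, 6, 21, 12, 0, tzinfo=timezone.utc)
    print(sun_position(51.5073, -0.1275, when))
    print(shadow_consistent(51.5073, -0.1275, when, observed_bearing=0))
```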

WiGLE

WiGLE (Wireless Geographic Logging Engine, wigle.net) is a crowdsourced database of wireless networks mapped to geographic coordinates. Volunteers wardriving with mobile apps contribute access point names (SSIDs), BSSIDs (MAC addresses), signal strength and GPS positions. The database contains over a billion networks.

For OSINT, WiGLE is useful in several scenarios:

  • Geolocating a home or office via network name: if you know someone's router SSID (from a network scan, a leaked configuration, or a screenshot showing available WiFi networks), searching WiGLE for that SSID may return the physical address to within metres
  • Verifying a claimed location: if a target claims to be somewhere and you have their home network name, WiGLE can confirm or contradict it
  • Infrastructure and physical access mapping: mapping WiFi density in an area provides a picture of where devices concentrate
  • Historical records: WiGLE retains historical contributions, so even if a network has been renamed or removed, a historical location record may remain

Query via the web interface or the WiGLE API by SSID, BSSID, or geographic area. Free accounts allow limited daily queries.

The same technique that finds a person's home network can be used to violate their privacy and safety. Like all OSINT, the ethics and legality depend entirely on the purpose and authorisation of the investigation.

Satellite imagery

Google Earth Pro (free desktop application): high-resolution imagery with a historical view selector showing archived snapshots dating back years. The measurement tools (ruler, area) let you measure distances and building footprints. First stop for identifying facilities, infrastructure and before/after comparisons.

Sentinel Hub EO Browser (apps.sentinel-hub.com/eo-browser): free access to Copernicus Sentinel-2 multispectral imagery at 10-metre resolution, refreshed globally every 5 days. False-colour composites highlight vegetation, heat signatures or moisture, useful for environmental, agricultural or industrial facility intelligence.

Planet Labs (planet.com): commercial daily satellite imagery at 3–5 metre resolution. Free access is limited; Planet imagery has been widely used by journalists to document recent conflicts and infrastructure changes. The Planet Explorer interface allows temporal search.

Maxar (maxar.com) and Airbus Defence & Space: providers of very-high-resolution (30–50 cm) imagery. Access is commercial; Maxar imagery is licensed to Google Earth and is often visible there as the base layer in high-activity areas.

NASA Worldview (worldview.earthdata.nasa.gov): free access to near-real-time and historical NASA Earth observation data, including MODIS (250 m resolution, daily global coverage). Useful for weather, fire, flood and large-scale environmental events.

Street-level imagery

  • Google Street View: click and drag the yellow pegman onto any road to enter a ground-level panoramic view. Imagery dates are shown; many areas were last captured years ago.
  • Mapillary (mapillary.com): crowdsourced street-level images from cyclists, pedestrians and vehicles. Covers paths, trails and indoor spaces that Street View cannot reach, and is often more recent in rapidly changing areas.
  • Yandex Maps Panorama (yandex.com/maps): the best street-level coverage for Russia, Eastern Europe and parts of Central Asia, often more recent than Google Street View in these regions.
  • Apple Look Around: available in major cities via Apple Maps; useful as a cross-check.

Aircraft tracking

Civil aircraft broadcast their position, altitude, speed and identity via ADS-B (Automatic Dependent Surveillance-Broadcast), an unencrypted open protocol. Several services aggregate and display this:

  • Flightradar24 (flightradar24.com): the most popular live tracking platform, with good global coverage and historical flight replay (historical data requires a subscription).
  • FlightAware (flightaware.com): broad coverage with detailed flight history and aircraft registration lookup; strong for US domestic flights.
  • ADS-B Exchange (adsbexchange.com): unlike the commercial platforms, it does not filter out military, government or sensitive aircraft at operators' request. Aircraft that have paid to be hidden on Flightradar24 (private jets, surveillance planes, government aircraft) appear here. The historical data archive is used extensively by journalists and investigators tracking aircraft of interest.
  • OpenSky Network (opensky-network.org): academic platform with a free historical data API, useful for programmatic analysis.

Aircraft registration databases: UK tail numbers are searchable via the CAA G-INFO registry (srs.caa.co.uk); US tail numbers via the FAA Registry (registry.faa.gov). These map registration codes to the registered owner.

Maritime tracking

Ships transmit their position via AIS (Automatic Identification System), analogous to ADS-B for aircraft:

  • MarineTraffic (marinetraffic.com): the standard live ship-tracking platform. Shows vessel name, flag, destination, position, speed and ship photos. Historical track replay is available on paid plans.
  • VesselFinder (vesselfinder.com): similar features; useful as an alternative when MarineTraffic data lags.
  • Global Fishing Watch (globalfishingwatch.org): free platform focused on fishing vessel tracking, useful for detecting suspected illegal fishing or AIS manipulation. Uses ML to classify vessel behaviour.

Vessels can and do manipulate or switch off their AIS transponders, a known tactic in sanctions evasion and dark fleet operations. Absence from AIS does not mean absence from an area.

Cell tower geolocation

Cell tower databases can map a device to an approximate geographic location given its connected cell tower's identifiers (MCC, MNC, LAC, CID), which may appear in captured radio metadata, device logs or malware telemetry:

  • OpenCelliD (opencellid.org): the largest open database of cell tower positions, crowdsourced from mobile devices. Free API for moderate use. Query by cell identifiers to get the tower's GPS location.
  • CellMapper (cellmapper.net): similar crowdsourced database with a map interface showing tower locations and estimated coverage patterns.

Cell tower geolocation gives only an approximate fix: hundreds of metres to kilometres, depending on cell density in the area. Multiple towers with signal-strength data improve accuracy but are rarely all available without specialised equipment.

Quick recall

  • Photo EXIF GPS: use ExifTool; coordinates are common in CTF geolocation challenges. When absent, analyse vegetation, architecture, signs, shadows.
  • SunCalc.org: validates candidate locations by predicting sun/shadow direction for a given place and time; match against the image.
  • WiGLE.net: over a billion WiFi networks mapped to GPS coordinates. SSID → physical address. Can confirm or refute a claimed location.
  • Satellite: Google Earth Pro (historical views), Sentinel Hub (free 10 m, 5-day refresh), Planet Labs (daily commercial). NASA Worldview for large-scale events.
  • ADS-B Exchange for unfiltered aircraft tracking; it shows aircraft hidden on Flightradar24. MarineTraffic/VesselFinder for AIS ship positions (note: AIS can be disabled).
  • Cell tower geolocation: OpenCelliD/CellMapper give approximate location (hundreds of metres); useful when tower identifiers are available from device data.