For those of you who are not familiar, open source intelligence (OSINT), is defined by the Department of Defense as “produced from publicly available information that is collected, exploited, and disseminated in a timely manner to an appropriate audience for the purpose of addressing a specific intelligence requirement.” Essentially, using a subject’s social media, public records, and their overall digital footprint to create a broad picture of that individual.
OSINT can be used by security professionals in checking for potential network/ software weaknesses. It is also widely used in aiding legal disputes, investigations, and threat assessments. However, this blog will examine the dark side of OSINT in order to stress the importance of personal privacy and smart online behavior.
Modern-Day Stalkers Use Tools We’re All Familiar With
In October 2019, news began to break about the arrest of Hibiki Sato, a 26-year-old from Saitama, Japan, on the suspicion of stalking and the subsequent assault of a J-Pop star. The victim of the assault was 21-year-old Ena Matsuoka, a member of the J-Pop group Tenshi Tsukinukeni Yomi and the assault occurred as she was on her way back to her Tokyo apartment following a concert. Sato told investigators he was able to locate Ms. Matsuoka by thoroughly examining all the videos and images she posted on social media.
Mr. Sato would study the videos and images Ms. Matsuoka would post of her daily comings and goings. He would try to identify landmarks she passed during her daily routine. He would then use the landmarks he was able to identify and look them up in Google Street View. Using this, he was able to identify which trains she took during her commute. Mr. Sato even claimed to have gone as far as too use the reflection off of her pupil in one image to identify the specific street she was on.
Mr. Sato also studied some of the posted photos that were taken from within Ms. Matsuoka’s apartment and used these to identify location of the apartment (floor number & which side of building) within the building by studying curtain placement and the direction of incoming natural light.
Case Scenario – How Might a Stalker Gather Your Information?
In order to further illustrate this, we decided to take a look at the Instagram account for American country music singer Thomas Rhett. To be fair, the first post we looked at [Figure 1] does indicate in the comments that the image is from Telluride, a ski resort in Telluride, Colorado. However, for this one we tried to identify the location using only context clues from the image.
So, what do we see? Well, unsurprisingly, the scenery resembles a ski resort/ mountain. We can also see some trail signs and note their proximity to a ski lift. Now, going to Google we can search those trail names and immediately be directed to a trail map [Figure 2]. Going one step further, given the angle of the ski lift, it appears to continue up the mountain a little further. Looking at the trail map and Google Maps, you can see that the two trails intersect twice at the top. It would be a good assumption that the image was taken just below the lift at the lower intersection. In the second post by Thomas Rhett [Figure 3] you can see him and his family standing in a boat on a river with skyscrapers all around. Now in this example we did look at the comments and noted that image was somewhere in Chicago, IL. We went right to Google Maps selected satellite view. With this one could easily identify all the surrounding rivers. Here we found it extremely easy to locate the exact spot of the photo and identified the building in the background as Trump International Hotel and Tower [Figures 4 & 5].
This blog is certainly not intended to deter you from ever posting another image to social media again. It simply serves as another reminder of how connected the world has become and how, in some cases, an innocent post can put your privacy at risk. Just because you are avoiding the use of geo-tagging your location on social media doesn’t mean that potential threat actors can’t figure out your location.
Much like not posting your vacation photos until you are back home in order to avoid advertising an empty house, be sure to use care in posting images or videos of your daily routine in order to avoid advertising your day-to-day movements. Your physical safety could depend on it.
 Thomas Rhett [@thomasrhettakins]. (2019, January 3). [Photograph of Thomas Rhett with his wife at Telluride Ski Resort, Telluride, Colorado]. Retrieved from https://www.instagram.com/p/BsL4syXgMgn/
 Telluride Ski Resort Trail Map. (n.d.). Retrieved from https://www.tellurideskiresort.com/uploaded/maps/Trail-Map-Legend-Logo_TELSKI_1819_2000.jpg
 Thomas Rhett [@thomasrhettakins]. (2018, July 27). [“The perfect Chicago day“]. Retrieved from https://www.instagram.com/p/BlvkXCXjn4N/
 Google (n.d.). [Google Maps view of Chicago River/ Trump International Hotel & Tower]. Retrieved November 4, 2019, from shorturl.at/lsvzD
 Google (n.d.). [Google Maps view of Chicago River/ Trump International Hotel & Tower]. Retrieved November 4, 2019, from shorturl.at/opPRW