Open in app

Sign in

Write

Sign in

Finding McAfee: A Case Study on Geoprofiling and Imagery Analysis

Identifying past, current, and possible future locations through the geolocation and chronolocation of media provided by a specific user.

Benjamin Strick
7 min readMar 15, 2020

This case study is based on a challenge from well-known entrepreneur, John McAfee, to show how relative geolocation of two points on a chronological timeline can give a likely path and possible locations in between.

To do this, two geographical points will be used, categorised by day, to geolocate a photo that was taken between those two points.

This research post is split into the following four sections, in this order:

  • Point B (the photo to geolocate)
  • Point C (where the subject is traveling to)
  • Point A (where and when the subject started the journey)
  • Geolocation analysis of the Point B image

The tools in this case study are completely free, so please do use them to follow along. I used Google Maps, GIMP (image editing) and Twitter.

Point B — The image to geolocate

Below is the tweet in question. The challenge: self-explanatory.

So where do you start in a case like this? Using a first approach to imagery intelligence (IMINT), look in the image and ask: “what do I see?”.

In the image, we have a number of clues that may indicate where this photo was taken. I’m going to number some of them in the image below.

What do we see here?

  1. First, we’ve got McAfee. Who through his accounts may help give more clues. I’ll get to him later.
  2. This roof colouring gives an indication that it might be a brand colour.
  3. Coloured fuel bowsers indicate that this is both a fuel station, and is a unique identifier for what the brand or name of the fuel station may be.
  4. Large trucks use this fuel station, so it is likely that it is in an open area, or along a highway.
  5. There are flowers in front of the building McAfee is next to, which means it might be a store for the fuel station
  6. There’s a light blue band along the horizon. This is usually synonymous with a large body of water.
  7. This post and building would be a unique identifier on satellite imagery
  8. The horizon is not cluttered with buildings or trees, indicating it might be a flat plain and out of built-up urban areas.

That’s a lot of reference points we have to go off. And now, since we have done an initial imagery analysis checklist, we can work our way down that list to investigate each of those leads.

First is John McAfee. He is likely to indicate relevant information in his social media.

Point C (where the subject is traveling to)

In the initial tweet above the subject indicated he was “on the way to London” and that the photo was taken in the past. This identifies our destination.

How is he traveling there? Considering the location of the photo as we analysed in the eight takeaways above, it’s clear he is at a service station with his large security crew. So it’s likely he is driving to his destination.

Point A — Where and when the subject started the journey

Where did the subject come from?

This is where we can start using the intelligence tool I’d like to refer to as ‘geoprofiling’ — essentially we’re going to map out a short chronological timeline of where McAfee was in order to find where he is.

Scrolling back through his Twitter timeline, we can find this tweet. It was posted two days before the other photo.

What’s important about this tweet is it gives us a location as well as a destination. Take a look in the red box in the right of the image below.

Here is a closeup below. It says “Hotel Schlicker”.

It is in Munich, Germany.

We know this is the place where the photo was taken as there are a number of features that match those seen in geotagged images on Google Maps and Facebook.

First is the identical match of the sign and wall lining to this one found on Google Maps.

Second, for further verification, we can identify both the sign and the white paint on the ground from this image on the Hotel Schlicker Facebook page.

For chronolocation, for the purposes of this post there is no necessity to conduct a shadow calculation. Merely being able to plot this geolocated image on our timeline gives us an original lead for the following two reference points:

  1. Hotel Schlicker in Munich, Germany on January 26, 2020
  2. ?

3. London (at a future point in time)

Why did I skip the second point? Because that’s the initial location we need to find. And we’re going to do that now.

Geolocation analysis of Point B image

We already know two things about the image above. It was taken on the road between between Hotel Schlicker and London.

Using Google Maps ‘direction’ feature we can make a simple indication of the route between those two points.

That’s a lot of empty space to cover. But we have a list of eight points we can use to filter that information down.

First, what is the place they stopped at in the image? The following features of the roof and fuel pumps will help with that.

Those features are something we can use in a Google Search term. For this, I used what we know and what I see in the following string search for Google Images:

  • It’s likely in Europe, so that’s a term I used — ‘Europe’
  • ‘Fuel Station’
  • ‘Red and White’

This is what we get from that Google Image search.

We also have blue bowser pumps in the image, and some of the above images have that.

The features in the photo match those pictured in Google Images as an Esso Petrol Station.

Now we can search for “Esso” in Google Maps to find any Esso fuel stations on the way from Munich to London.

To further refine our search area, looking back at the eight points, the photo was likely taken:

  • Near a body of water
  • Possibly in an open area or out of a city
  • Along a highway

In looking at places where there is a main road near a large body of water I identified two possible locations on the route.

To layer both the location of Esso petrol stations and the routes to London, I used photo editor GIMP to layer the two images (changing the transparency of one of them). There are alternative ways using KMZ points, but this one is also quite simple and keeps Google Maps as our main operating tool.

One of these stations along the route is near a body of water.

It is near Baden-Baden.

It satisfies a number of the indicators we are after, such as water, main road, quiet area and an Esso station on our route.

We can start to match this location with the Point B image to see if it fits the fingerprint of what is visible on the Google Maps satellite image.

Using all of the information derived from geolocating objects in the image, we can say, for certainty, that the photo was taken here: https://goo.gl/maps/EwTD6HKfeQupNka98

Further verification can be made by matching the Google Maps embedded images. However, for the purpose of this case study, the indicators seen in the photo are uniquely matched to the satellite image therefore giving a stronger level of geolocated evidence.

A NOTE ON THIS CASE STUDY: The purpose of this case study is to stimulate conversation, research and development in the open source community and is in no way to the detriment of the subject or any business or person identified in this case study.

📝 Save this story in Journal.

👩‍💻 Wake up every Sunday morning to the week’s most noteworthy stories in Tech waiting in your inbox. Read the Noteworthy in Tech newsletter.

Osint
Journalism
Satellite
Cybersecurity
Bitcoin

--

--

Benjamin Strick

Written by Benjamin Strick

747 Followers

Digital investigator. Loves dogs. Lives in a binary box at benjaminstrick.com and makes tutorials on open source techniques at youtube.com/c/Bendobrown

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams