Recipe of Success for Tech Investigations (Journalism)
Eight open source stories that leave a lasting impression are examined for their recipe for success.
The Prinzregententorte is certainly one of the best-known and most popular cakes in southern Germany. Delicate and elegant, it leaves a lasting impression on many fans of the sweet poison (the author of this post included).
Among Munich cakes, it is a star. It was created by Heinrich Georg Erbshäuser, a 19th-century master confectioner and founder of a confectionery, in honor of Prince Regent Luitpold, and it didn’t take long for it to become a real evergreen hit. Nowadays, it is impossible to imagine many expensive cafés, cake shops or pâtisseries without it.
Erbshäuser, appointed supplier to the royal Bavarian court of Prince Ludwig in 1890, stacked seven thin layers of sponge bound together with chocolate cream. The architecture of the cake, the interplay between sponge and buttercream, is the central ingredient of the success tincture. This is what makes the cake a hit. To this day, cake and baking enthusiasts complain on the one hand about how difficult it is to get the Prinzregententorte right in terms of baking technique. On the other hand, many rave about how the delicate work is worth it for the pleasure.
Why all the talk about baking and cakes?
Just like the ingredient architecture of the Prinzregententorte (which makes it so uniquely delicious, and that is pure opinion journalism), investigative stories also have ingredients of a technical nature that lead to success, that make or break them.
Broadly defined, these can certainly be secret documents, data leaks, court records and so on, but also, and especially, interviews with sources that no one else can reach so easily. Sometimes, however, it is the sum of some or all of the technical tools used in an investigation.
For the technical part, this means analyzing in detail what brings the “breakthrough” in an investigation. More and more often these are combinations of data and information from the Internet, so-called Open Source Intelligence, OSINT.
The field of OSINT journalism has exploded in recent years. This is because it often delivers important results at critical points that help journalists move forward at key moments. Sometimes this happens when the editor-in-chief is deciding in that very moment whether the investigation should proceed or not.
There are information and data sources that work like a secret tincture in a baking recipe. They make a story work, or not. Certainly, new technical tools make entirely new approaches to research possible. Many wrongly think, however: whoever can do OSINT has already won. But as in baking, it’s often not enough to just have the ingredient. You also have to know how best to work it into the dough.
Following is my selection of eight stories that use open data and digital forensic tools. As you will see, some journalists are more successful, others less so (as in the Bamberger Hörnla example). The selection is based on the quality of the research approaches but also on the diversity and extravagance in the use of open source intelligence sources.
Also important: the insights gained through online forensic work are not a side show. These stories use OSINT as a major component of their storytelling and evidence chains. Without this work, there would be no stories.
In detail, therefore, it is fair to ask: why and how do these stories work at all? What is the key ingredient, the technical piece that moved the journalists forward?
In each case, there is a baking recipe, a suggestion of a dessert to match the location of the story.
Bon appetit and Happy Investigating!!!
1. QATLAMA/Afghanistan
The New York Times Visual Investigations team published a tragic story from troubled Afghanistan last September: how did an American drone strike come to kill an innocent civilian in Afghanistan? One key ingredient: the research benefited from previously unseen video footage from security cameras. It shows crucial moments of the relevant person (and his colleagues) just before the attack.
Of course, the footage alone would have been worthless had the journalists not had the case independently confirmed through countless interviews with the person’s colleagues and by other technical means. For example, the journalists use satellite images from the day of the attack in question. The reader is shown that the authenticity of the video footage matters to the journalists too: viewers see the same vehicles in the aerial photographs as in the video recordings. This advanced technical verification work, with its attention to detail, is not only important for validity. It also makes the story itself a success.
Many journalists would not even go that far. The New York Times “goes the extra mile” for its readers and viewers. They love it and reward it with high ratings on YouTube and a large international readership.
What the killed man does shortly before the attack is explained in detail. The narrative style is typical for this medium. The timeline is coherent, and dramatic tension is built up to the drone strike. This does make the story longer. But if you’re interested enough, you’ll stay tuned. Length is also a detail: not too long, not too short. The analytical viewer gladly watches the whole 11 minutes of the video to the end.
Conclusion: the conclusiveness of the evidence makes it fun to watch. Also, the research is done in depth rather than in breadth. The political circumstances in Afghanistan and America’s fight against terror are addressed only briefly. What counts is the story of a man who was unlawfully executed by the American state. This can be portrayed well visually. True, more civilians died as a result of the attack. But empathy focused on a single person can be conveyed better than the suffering of the masses.
Such tragic stories are often measured by impact (and any changes or concessions). The story not only made waves on the online video platform YouTube with nearly 5 million views. It also got the Pentagon to admit a serious mistake. Great work, with key ingredients that make this investigative story successful (broken down again in detail below):
Ingredients:
- Exclusive access to footage from the security cameras that filmed the man who was killed
- Answering the question “is the footage real,” using satellite data
- Interviewing colleagues of the man who was killed
- Frame-by-frame image analysis of the container the slain man was carrying to determine guilt
2. Ekmek Kataifi/Greece
Certainly one of the most impressive stories from the investigative outfit Bellingcat for Europe is this one, which looks at the culpability of the border force Frontex in illegal pushbacks (there are several here; we’ll go into two). To determine how Frontex, the European Border and Coast Guard Agency, is complicit in illegal pushbacks, two key data sources are mixed as ingredients.
Open sources are used that show Frontex personnel actively participating in a pushback incident at the Greek-Turkish maritime border in the Aegean Sea. In another case, Frontex vessels were present. In another four cases, they are in “close proximity.” The aim was to evaluate the AIS data of the ships that were on site during the pushbacks. Journalists were thus able to prove how the ships of the European Border and Coast Guard Agency behaved towards migrants at sea, to the migrants’ disadvantage.
Insert: Another ingredient (not in this pushback story, but another Bellingcat story on the topic): Important data can also come directly from social media, from Twitter or Facebook. Migrants post their experiences on social media, cell phone videos with updates of their perilous journey to Europe. Bellingcat/Lighthouse journalists verify them and can thus show in detail how pushbacks work.
Regarding data on ship locations, there are Twitter profiles that have access to expensive ship tracking databases (like the account YorukIsik, which you should follow). While these colleagues are not journalists, they are very friendly, active and transparent. For this story, such sources seem to have been helpful to some degree, especially in kicking things off. But that was not enough for the journalists. To keep a close eye on Frontex ships, they needed far more tracking data.
They turned to commercial partners and purchased AIS and transponder data in the course of their research. Publicly available information identifying the location of specific ships or aircraft could be accessed in part from websites such as Marine Traffic or Flight Radar 24. However, it soon became apparent that many of the ships they identified did not share publicly available information. One reason: many had their transponders turned off — certainly something that posed its own security risk.
It wasn’t easy to track the ships, the journalists said. Not even the ships that kept their AIS signal on. However, these represented by far the greatest glimmer of hope of convicting the agency. So the recipe for success was to find these ships. For the ships that showed up with AIS, they then purchased data from companies: “More detailed data from vessel and flight tracking companies on the dates that pushbacks had been reported to.”
This AIS data was then cross-referenced with already public reports of pushbacks. Non-governmental organizations that had an interest in building these data collections compiled them and shared the coordinates with Bellingcat.
Now the journalists only needed to combine the two sources. Once the pushback cases were identified with Frontex, journalists could get to work verifying the details, interviewing victims, confirming culprits.
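The core of the method described above is a spatio-temporal join: for each reported pushback (a time and a coordinate), find the vessels whose AIS positions put them within a few kilometres of that point within a short time window. The following is an added example written for this post, not Bellingcat’s code; the vessel identifiers (MMSIs), positions and report numbers are constructed, and the thresholds (5 km, 30 minutes, 120-minute gap) are assumptions a researcher would tune to the data at hand. It also flags long silences in a vessel’s track, which is where the “transponder turned off” question from the story begins.

```python
"""Spatio-temporal matching of AIS vessel positions against reported pushback
incidents. Added example; the data below is constructed, not Bellingcat's."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0088


@dataclass(frozen=True)
class AisFix:
    mmsi: str          # vessel identifier as broadcast by the transponder
    time: datetime     # UTC timestamp of the position report
    lat: float
    lon: float


@dataclass(frozen=True)
class IncidentReport:
    report_id: str     # e.g. an NGO's case number (constructed here)
    time: datetime
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def match_vessels(fixes, reports, max_km=5.0, max_minutes=30):
    """For every report, return the closest fix of each vessel that was within
    max_km and max_minutes of it: (report_id, mmsi, distance_km, minutes_offset).
    A negative offset means the fix was sent before the reported time."""
    best = {}
    for rep in reports:
        for fix in fixes:
            offset_min = (fix.time - rep.time).total_seconds() / 60
            if abs(offset_min) > max_minutes:
                continue
            dist = haversine_km(rep.lat, rep.lon, fix.lat, fix.lon)
            if dist > max_km:
                continue
            key = (rep.report_id, fix.mmsi)
            if key not in best or dist < best[key][2]:
                best[key] = (rep.report_id, fix.mmsi, round(dist, 2), round(offset_min, 1))
    return sorted(best.values())


def find_ais_gaps(fixes, max_gap_minutes=120):
    """Periods in which a vessel sent no AIS position for longer than
    max_gap_minutes: (mmsi, gap_start, gap_end, gap_minutes). A gap is not
    proof of a switched-off transponder (coverage holes exist), but it is
    where to look first."""
    by_vessel = {}
    for fix in fixes:
        by_vessel.setdefault(fix.mmsi, []).append(fix)
    gaps = []
    for mmsi, track in by_vessel.items():
        track.sort(key=lambda f: f.time)
        for prev, cur in zip(track, track[1:]):
            gap = (cur.time - prev.time).total_seconds() / 60
            if gap > max_gap_minutes:
                gaps.append((mmsi, prev.time, cur.time, gap))
    return gaps


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample: hypothetical MMSIs and positions in the Aegean, UTC times.
SAMPLE_FIXES = [
    AisFix("111111111", _t("2021-04-10T02:10:00"), 39.12, 26.35),
    AisFix("111111111", _t("2021-04-10T02:40:00"), 39.15, 26.42),
    AisFix("111111111", _t("2021-04-10T06:05:00"), 39.30, 26.60),  # silent 3h25m before this
    AisFix("222222222", _t("2021-04-10T02:30:00"), 38.40, 26.10),
    AisFix("222222222", _t("2021-04-10T03:00:00"), 38.42, 26.12),
]
SAMPLE_REPORTS = [
    IncidentReport("PB-01", _t("2021-04-10T02:50:00"), 39.16, 26.44),
    IncidentReport("PB-02", _t("2021-04-10T02:45:00"), 37.90, 25.50),
]

if __name__ == "__main__":
    for row in match_vessels(SAMPLE_FIXES, SAMPLE_REPORTS):
        print("match:", row)
    for row in find_ais_gaps(SAMPLE_FIXES):
        print("gap:", row)
```

On the constructed data, only vessel 111111111 is within range of report PB-01 (about 2 km, ten minutes before the reported time), and the same vessel shows a 205-minute silence afterwards. In real work a match is the start of verification, not the end of it: AIS positions are self-reported and can be absent, delayed or wrong, which is exactly why the story pairs them with interviews and imagery.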
Ingredients:
- AIS tracking data of some Frontex ships purchased
- Combined with data where pushbacks were reported by migrants and organizations (NGOs)
- Analysis of social media posts
- Temporal and spatial geoanalysis of a pushback situation
3. Esterházytorte/Austria
Named after the diplomat Paul III Anton Esterházy, the cake, after being created by Budapest confectioners, became a (Viennese) perennial favorite of the regional pastry cuisine. Austria and Hungary have more to offer than just Sissi and plenty of creative baking recipes. The countries — in this case Austria — also house a wide range of online agitators and right-wing voices on the Internet.
I recently wrote about the case of C. K. on my OSINT blog. I only did the verification of the analysis, not the original research. It was exciting nonetheless.
For years, the account HartesGeld was present on several social platforms. The man behind the accounts was a lawyer. That’s how he described himself. What has now been brought to light shows: the man behind the mask really does work as a lawyer and even sits on the supervisory boards of organizations.
But he is more. Much more. For years he has been a central propagator of vaccination and smear campaigns and, more recently, since the Russian war of aggression against Ukraine, of pro-Russian propaganda campaigns. As far as one can tell, he has now been put out of business.
Since the beginning of November, the Hartes Geld accounts have been silent. Hard but fair, many of those who were intimidated by the account find. With thousands of followers, he simply put down many of his hate victims. Often he doxxed people. Now his own name, status and address have been shared with the Internet public by self-proclaimed online investigators.
Insertion: a very important point in SOCINT stories like this one, which exposes a radical anonymous account, is: respect the general anti-doxxing rules. The person should not become the target of further hatred, harassment or violence.
Who is behind the profile, which describes itself as a libertarian lawyer from Austria? What’s particularly exciting about the research is that the full force of social media research comes into play here. The core idea behind the analysis of the man behind the account Hartes_Geld was to find the very first known social media account of Hartes Geld, on VK, and to browse through it, a source reports.
The user must have lost access to the account, because about a year after he stopped using it, a second VK account was opened under the same name and description. The first, old account is the more interesting one, because the person was more careless then than nowadays, when more people are watching him. At that time he was also not so radical. In the account we find personal clues that point to him, such as friends in the contact list. They point to the family network. In the friend lists, for example, we find the brother’s wife.
An online obituary helps to further unravel the family network of the target person and confirm names that appeared in the VK account. With a Google search, one quickly comes across a death notice for the person’s father, the source tells me. A certain C. is listed there as the husband. The father died in May 2018; strikingly, in that period Hartes_Geld wrote less than usual, another indication. Thus, the network of clues thickens more and more.
Furthermore, posts, especially photos, on the Twitter profile can provide even more details. These clues and statements in posts can then be matched with the person’s résumé. They confirm the identity. Hartes_Geld, for example, writes that he studied in Salzburg. In the vita of the man with a master’s degree we find the confirmation.
Image analysis of the account’s posts was certainly a key ingredient in the analysis. Hartes Geld claims he owned a private “swimming pond” in July 2016. Analysis of the aquatic plant pictured there, a Nelumbo nucifera, found it to be native to Austria. A pond is also found at the address of the person.
One place the person behind the account Hartes_Geld regularly visits is the Ristorante Pizzeria Bar La Canottieri, which again fits the picture. He sits on the board of directors for a foundation, the FABASOFT PRIVATSTIFTUNG, with ties to FABASOFT AG, a software manufacturer and cloud service provider based in Linz (which is half an hour away from the person’s office).
That’s how we work through each puzzle piece of evidence and verify it. Since it became known who is behind the account, all channels of the lawyer have remained silent. For many on the web, especially on Twitter, this means breathing a sigh of relief.
An activist who campaigns against hate on the net (also in the Kellermayer case) tells me how the account has literally transited her. There are many more of these hate accounts on Twitter — and with the new Twitter CEO, it certainly won’t get any easier. Still, there seems to be a small victory against online agitation, right-wing hatred and pro-Russian disinformation.
Ingredients:
- A previous/old VK account, in which the person reveals his family network
- Online obituary of the father
- Matching of the family network through social media analysis (SOCINT)
- Geolocation verification of a post leading to the target person
- Search for final papers of the target person (not target specific, but still exciting)
- Photo matching: a pond found at the person’s address as well
4. Kyiv Cake
Through their research, journalists from Bellingcat and Spiegel managed to identify military engineers “with training and their professional background in long-range missile programming.” These long-range missiles also kill civilians, as I explain in detail here. A war crime, in other words.
The identification of this secret group within the Department of Defense quickly became a massive open source intelligence spectacle. The breakthrough came from the analysis of open source data on thousands of graduates of the leading Russian military institutions dealing with missile technology and programming; in particular, the Military Academy for Strategic Missile Forces in Balashikha near Moscow and the Military Naval Technical Institute in the Pushkin suburb of St. Petersburg yielded important clues.
The initial hypothesis was: these leading military institutions serve as training grounds for at least some of the officers currently piloting Russia’s most advanced long-range missiles.
Leaked employment or phone metadata of these graduates was offered on Russian darknet data markets. In this way, journalists were able to confirm that some of these individuals were listed in phone contact lists as employees of the GVC, the Russian Armed Forces Main Computing Center.
It also proved useful to consult various Telegram bots such as Glaz Boga and HimeraSearch to bring personal data into the research.
Ingredients:
- Telegram lookup data to find the identity of people who have a specific address.
- Cell tower metadata and phone lists: Bellingcat acquired phone metadata of a senior person in the institution. Such data is purchased from brokers offering these services. The Russian black market has made it possible for data journalists and activists to conduct numerous important investigations into the country’s military and intelligence services in recent years.
- Interviews with the accused on the phone
5. Tamriyeh/Palestine
The death of Shireen Abu Akleh was a tragedy, but it resulted in great research. “The Extrajudicial Killing of a Journalist,” by the organization Forensic Architecture (FA), is certainly one of the groundbreaking pieces of research of recent years. FA shines in the way it creates a timeline and presents it visually. New video recordings of the journalists were a central part of the evidence. Without them, none of this would have been possible.
Unseen footage provides new evidence of the killing, showing how snipers from the Israeli occupation forces took aim and targeted the journalists. So not an unfortunate random shot? The investigators’ answer: a resounding no.
What stands out is that the investigation uses precise digital reconstruction methods for the incident. Using advanced spatial and audio analysis, colleagues have tracked the location and movements of various key players throughout the incident — from journalists and civilians to military vehicles.
The secret ingredient of the success is therefore the following: by geolocating individual images (frames) from the videos obtained by the newsroom, they were able to reconstruct in a digital model the exact position of Shireen and the other journalists during the incident, as well as the position of the military vehicles in relation to the journalist who was killed.
Photogrammetry, the work of first scanning objects and environments into a 3D model and then analyzing them, seems complicated at first and only something for experts. But this is a misconception. Everyone who has a modern Android or iOS smartphone in their pocket can capture their surroundings in 3D. This could help research and its presentation immensely. It is also affordable. If you are interested, you can download apps like PIX4Dcatch, KIRI Engine or WIDAR for free. Especially during the Ukraine war, locals equipped with smartphones did important archival work and scanned tanks and destroyed buildings. The 3D models can then be shared and commented on on the Sketchfab platform.
To build 3D models you don’t even need to be at the scene in person. Some platforms attempt to calculate the model on the basis of video or image input alone. However, the result is better when the environment is scanned at the scene.
Another small trick to archive videos:
To download videos in general, archive them and work with them, the tool of the Citizen Evidence Lab, called Citizen Evidence Online Video Wrangler, is recommended (good tutorial on Youtube-dl here). It is open source, so freely available, and can thus be used by journalists around the world.
To display time data, the tool Timemap is a suitable choice. Timemap is open source software for visualizing geographic events on an interactive platform. FA is constantly updating the code base to support new features and data types; the current version looks something like FA’s platform for documenting the Russian military presence in eastern Ukraine.
Ingredients:
- Acquisition of “new” video footage
- Tool to enter the exact locations of the perpetrators and the journalists on a timeline
6. Kıbrıs Tatlısı/Cyprus dessert cake
How do we get to Cyprus? Through the corporate research on XHamster, a porn site that admitted cases of revenge porn on the site.
The story was published by STRG-F’s investigative team. It started with a front man, Alex Hawkins, and the company allegedly operating in the background, Hammy Media. The latter, however, has reported a ridiculously low turnover of only 700,000 euros since 2009 (data taken from the Cyprus Trade Register). The journalists become suspicious and dig deeper.
The breakthrough comes when colleagues check the domain registration of the XHamster site. There they find an e-mail address and a name: that of the Russian “Oleg Popov” (in reality Netepenko) and the email tigus1@gmail.com.
The comparison between the domain registration data and Oleg Netepenko’s other companies, especially the company Wisebits, ultimately pays off. This forensic preparatory work is then used in the course of a visit to a meeting with employees and partners of the company. Suspicions about the people behind XHamster (and who earns all the money from the dirty business that goes on there) are confirmed with further interviews. This is how the story became a hit.
Ingredients:
- Checking the domain registration data
- Analysis of documents and data from the Cyprus Trade Register
- Xhamster Profile Analytics
- Conversation with concerned parties
- Talk with colleagues/employees involved with the Wisebits company
7. African treats from Malawi: Mbatata Cookies
Forensic digital analysis by the BBC, through the program BBC Africa Eye, reveals the network of Chinese producers of racist videos in Africa. The journalist is able to reveal the network of those behind the videos. GEOINT, a form of OSINT, is used in the process.
Secret ingredient: a company logo of an African company in one of the racist videos. The journalists subsequently consult Facebook and find an ex-employee who tells them the location of the company.
Ingredients:
- Social media video analysis
- Geolocating the location
- Finding the company seen in one of the videos
8. Bamberger pastry/Bamberg, Germany
A Bamberger — or Bamberger Hörnla — not to be confused with the old potato variety from Franconia, is a Danish pastry, a bit like the French croissant. Regionally known in Upper Franconia and also Middle Franconia, it has become known as Bamberger. In Bamberg itself, however, it is usually called Hörnla.
The link to digital forensics, please! Since 2015, the Central Office for Cybercrime Bavaria (ZCB) has existed at the General Public Prosecutor’s Office in Bamberg. Experts from this agency were consulted for a story in Germany, for the WISO magazine.
Bank drop research by WISO magazine uncovered rip-offs with such ghost accounts. Bank drop procurers get unsuspecting people to open accounts, who in this way become so-called “financial agents”. Their data is then used for criminal activities. Fake shop operators share the proceeds with bank drop procurers, moving money back and forth mostly via anonymous cryptocurrency accounts and Bitcoin mixers. Law enforcement is helpless. The people behind these schemes are rarely caught. Yet the journalists found an OSINT expert who attempted to dig up clues.
Ghost accounts are used by criminals to manage transactions from fake stores and scams. For the accounts, the rip-off artists often use stolen identities. These they get through fake job ads: they capture their victims’ personal data with the help of fabricated job sites.
WISO Crime therefore wanted to know: who are the cybercriminals who make millions with ghost accounts? And how do the fraudsters get hold of such accounts? The colleagues track down informants from the darknet and, with the help of an IT forensics expert, can see how the criminals try to keep their illegal earnings safe from law enforcement. But this can only be done with the victims’ data. The journalists convince them to hand over all the information.
One of the scammers’ email addresses is sent an email tagged with an email tracker. If the user opens the email, the journalists get the IP address. It works. With the IP address of the Internet connection, a geolocation lookup gives an approximate location. It is a German IP. But the organization is not involved and does not use the named server at all. A dead end? Not quite, but almost. The IP address appears on a blacklist for Internet fraud. So not the first case. A small victory.
Again and again, the journalists’ leads come to nothing. Then another user name, which appears in the metadata of a training document of the perpetrators, is checked on social media portals. Unfortunately, nothing again. Even the cryptocurrency transaction data yield little. What the journalists can’t be blamed for, however, is not trying every means to learn more about the perpetrators.
Special ingredient: the documents, emails and messages of the victims who became accomplices through the fake job portals are shared. Without them, the work of the experts cannot start at all. Only with them can anything at all be brought to light.
To read metadata from PDFs and other file types, metadata2go.com offers an online tool. An IP address that investigators find through an email tracker (tool: https://hunter.io/mailtracker or https://www.readnotify.com) appears on a blacklist on the Cleantalk site (IP Blacklist: https://cleantalk.org/blacklists).
In the metadata of a PDF document used to train financial agents, a guide for bank drop procurers, the name Croewley is found, allowing journalists to match usernames on social media platforms (using a lookup tool).
From the victim, they also get access to the cryptocurrency accounts the victim created for the perpetrators. With the transaction addresses, it’s off to forensics. From the account, the money goes into a so-called Bitcoin mixer to disguise transactions.
Who is behind the addresses, even Jakob Hasse, the expert, cannot say. However, a crypto account was also used on the site Crymenetwork. This is used for trading in bank drop accounts.
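The metadata the journalists used lives in the PDF’s Info dictionary (Author, Creator, Producer, creation date), which can be read without any online service. The following is an added example written for this post, not the tooling used by WISO or metadata2go.com; the PDF bytes, the author name and the title are constructed. It resolves the trailer’s /Info reference, decodes both literal and UTF-16 hex strings, and normalizes the PDF date format. Two caveats a practitioner would add: Info entries are plain text that any PDF editor can change, so a name found there is a lead to verify, not proof; and files edited in place may carry several trailers, so the last /Info reference is the current one.

```python
"""Reading the Info dictionary (Author, Creator, Title, dates) out of a PDF
with the standard library only. Added example; the PDF below is constructed."""
import re

# Constructed minimal PDF; the author name and title are placeholders.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj <<\n"
    b"/Author (example_user)\n"
    b"/Creator (Example Office \\(build 7\\))\n"          # escaped parentheses
    b"/Title <FEFF0054007200610069006E0069006E0067>\n"    # UTF-16BE hex string
    b"/CreationDate (D:20210315091500+01'00')\n"
    b">> endobj\n"
    b"trailer << /Root 1 0 R /Info 3 0 R >>\n"
    b"%%EOF\n"
)

_INFO_REF = re.compile(rb"/Info\s+(\d+)\s+(\d+)\s+R")
# /Key followed by a literal string (...) or a hex string <...>
_STRING_ENTRY = re.compile(rb"/(\w+)\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)", re.S)
_PDF_DATE = re.compile(
    r"D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?(?:([Zz+-])(\d{2})?'?(\d{2})?'?)?"
)
_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
            b"(": b"(", b")": b")", b"\\": b"\\"}


def _unescape(m):
    g = m.group(1)
    if g.isdigit():                       # octal escape \ddd
        return bytes([int(g, 8) & 0xFF])
    return _ESCAPES[g]


def _decode_string(raw: bytes) -> str:
    """Decode a PDF literal or hex string. Latin-1 stands in for PDFDocEncoding."""
    if raw.startswith(b"<"):
        data = bytes.fromhex(raw[1:-1].decode("ascii"))
    else:
        data = re.sub(rb"\\([nrtbf()\\]|[0-7]{1,3})", _unescape, raw[1:-1])
    if data.startswith(b"\xfe\xff"):      # UTF-16BE with byte-order mark
        return data[2:].decode("utf-16-be")
    return data.decode("latin-1")


def extract_info_dict(pdf: bytes) -> dict:
    """Return the string entries of the PDF's Info dictionary, or {} if none."""
    ref = None
    for ref in _INFO_REF.finditer(pdf):   # last trailer wins (incremental updates append)
        pass
    if ref is None:
        return {}
    num, gen = ref.group(1), ref.group(2)
    obj = re.search(rb"(?<!\d)" + num + rb"\s+" + gen + rb"\s+obj\s*(.*?)\s*endobj", pdf, re.S)
    if obj is None:
        return {}
    return {k.decode("ascii"): _decode_string(v) for k, v in _STRING_ENTRY.findall(obj.group(1))}


def parse_pdf_date(value: str) -> str:
    """Turn D:YYYYMMDDHHmmSSOHH'mm' into ISO 8601; unknown fields default sensibly."""
    m = _PDF_DATE.match(value)
    if not m:
        return value
    y, mo, d, h, mi, s, sign, oh, om = m.groups()
    iso = f"{y}-{mo or '01'}-{d or '01'}T{h or '00'}:{mi or '00'}:{s or '00'}"
    if sign is None:
        return iso                        # no offset given in the file
    if sign in ("Z", "z"):
        return iso + "Z"
    return iso + f"{sign}{oh or '00'}:{om or '00'}"


if __name__ == "__main__":
    info = extract_info_dict(SAMPLE_PDF)
    for key, val in info.items():
        if key.endswith("Date"):
            val = parse_pdf_date(val)
        print(f"{key}: {val}")
```

Objects inside compressed object streams (/ObjStm) and XMP metadata streams are not handled here; for those a full PDF parser is needed, but the Info dictionary is what the common online tools report first.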
Unfortunately, my conclusion to the story is similar to the bland taste of the Bamberger Hörnla, compared to the French croissant. All kinds of possible approaches are shown. But unfortunately only little comes out. Too bad!
Ingredients:
- Darknet research on Crimenetwork
- IP address of the perpetrators by email tracker
- IP address matching with blacklists (here Auktionshilfe.info, where a warning had been posted, so one hit)
- Profile analysis of the metadata of a PDF on the training of financial agents, sent by the perpetrator to the victim (with NameChecker)
- Domain registration of the fake job site recruiting people (missing due to an anonymization service)
- Phone number analysis of scammers mentioned in emails with victims (dead end)
- Crypto address analysis: money sent from victim accounts to perpetrators (no names, but you can find the amount of income and the Bitcoin mixing)
Bottom line: delicious baking recipes can indeed be combined with the dark reality of investigative journalism. If you like this post, follow me on Twitter (Techjournalisto) — or if you’re not a fan of Elon Musk, email me. You are an OSINT enthusiast. You should be able to find my email address yourself :-)
The Prinzregententorte is and remains my absolute favorite among the desserts. The trick with the buttercream, by the way, is to beat the butter with a mixer until smooth and then stir in the cooled pudding by the tablespoonful, making absolutely sure that the butter and pudding remain at room temperature, otherwise the buttercream will curdle.
PS: Using the right baking pans:
Only with the right baking pan will the delicate cake work. If it is too shallow, the baking time can be shortened. It’s similar with online forensic journalism stories. To make OSINT stories suitable for baking, I have developed some models for how to structure them: ‘The chain’, ‘The pivot’, ‘The verification’ and ‘The pattern’. Just have a look here.