Finding McAfee: Geolocation & Imagery Analysis [Case Study]

Finding McAfee: Geolocation & Imagery Analysis [Case Study]

Identifying past, current, and possible future locations through the geolocation and chronolocation of media provided by a specific user.

This case study is based on a challenge from well-known entrepreneur, John McAfee, to show how relative geolocation of two points on a chronological timeline can give a likely path and possible locations in between.

To do this, two geographical points will be used, categorised by day, to geolocate a photo that was taken between those two points.

This research post is split into the following four sections, in this order:

  • Point B (the photo to geolocate)
  • Point C (where the subject is traveling to)
  • Point A (where and when the subject started the journey)
  • Geolocation analysis of the Point B image

The tools in this case study are completely free, so please do use them to follow along. I used Google Maps, GIMP (image editing) and Twitter.

Point B — The image to geolocate

Below is the tweet in question. The challenge: self-explanatory.

Geolocation of John Mcafee

So where do you start in a case like this? Using a first approach to imagery intelligence (IMINT), look in the image and ask: “what do I see?”.

In the image, we have a number of clues that may indicate where this photo was taken. I’m going to number some of them in the image below.

Finding John Mcafee

What do we see here?

  1. First, we’ve got McAfee. Who through his accounts may help give more clues. I’ll get to him later.
  2. This roof colouring gives an indication that it might be a brand colour.
  3. Coloured fuel bowsers indicate that this is both a fuel station, and is a unique identifier for what the brand or name of the fuel station may be.
  4. Large trucks use this fuel station, so it is likely that it is in an open area, or along a highway.
  5. There are flowers in front of the building McAfee is next to, which means it might be a store for the fuel station
  6. There’s a light blue band along the horizon. This is usually synonymous with a large body of water.
  7. This post and building would be a unique identifier on satellite imagery
  8. The horizon is not cluttered with buildings or trees, indicating it might be a flat plain and out of built-up urban areas.

That’s a lot of reference points we have to go off. And now, since we have done an initial imagery analysis checklist, we can work our way down that list to investigate each of those leads.

First is John McAfee. He is likely to indicate relevant information in his social media.

Point C (where the subject is traveling to)

In the initial tweet above the subject indicated he was “on the way to London” and that the photo was taken in the past. This identifies our destination.

How is he traveling there? Considering the location of the photo as we analysed in the eight takeaways above, it’s clear he is at a service station with his large security crew. So it’s likely he is driving to his destination.

Point A — Where and when the subject started the journey

Where did the subject come from?

This is where we can start using the intelligence tool I’d like to refer to as ‘geoprofiling’ — essentially we’re going to map out a short chronological timeline of where McAfee was in order to find where he is.

Scrolling back through his Twitter timeline, we can find this tweet. It was posted two days before the other photo.

Image for post

What’s important about this tweet is it gives us a location as well as a destination. Take a look in the red box in the right of the image below.

Image for post

Here is a closeup below. It says “Hotel Schlicker”.

Image for post

It is in Munich, Germany.

Image for post

We know this is the place where the photo was taken as there are a number of features that match those seen in geotagged images on Google Maps and Facebook.

First is the identical match of the sign and wall lining to this one found on Google Maps.

Second, for further verification, we can identify both the sign and the white paint on the ground from this image on the Hotel Schlicker Facebook page.

For chronolocation, for the purposes of this post there is no necessity to conduct a shadow calculation. Merely being able to plot this geolocated image on our timeline gives us an original lead for the following two reference points:

  1. Hotel Schlicker in Munich, Germany on January 26, 2020
  2. ?

3. London (at a future point in time)

Why did I skip the second point? Because that’s the initial location we need to find. And we’re going to do that now.

Geolocation analysis of Point B image

We already know two things about the image above. It was taken on the road between between Hotel Schlicker and London.

Using Google Maps ‘direction’ feature we can make a simple indication of the route between those two points.

That’s a lot of empty space to cover. But we have a list of eight points we can use to filter that information down.

First, what is the place they stopped at in the image? The following features of the roof and fuel pumps will help with that.

Geolocate an object

Those features are something we can use in a Google Search term. For this, I used what we know and what I see in the following string search for Google Images:

  • It’s likely in Europe, so that’s aterm I used — ‘Europe’
  • ‘Fuel Station’
  • ‘Red and White’

This is what we get from that Google Image search.

We also have blue bowser pumps in the image, and some of the above images have that.

The features in the photo match those pictured in Google Images as an Esso Petrol Station.

Now we can search for “Esso” in Google Maps to find any Esso fuel stations on the way from Munich to London.

To further refine our search area, looking back at the eight points, the photo was likely taken:

  • Near a body of water
  • Possibly in an open area or out of a city
  • Along a highway

In looking at places where there is a main road near a large body of water I identified two possible locations on the route.

To layer both the location of Esso petrol stations and the routes to London, I used photo editor GIMP to layer the two images (changing the transparency of one of them). There are alternative ways using KMZ points, but this one is also quite simple and keeps Google Maps as our main operating tool.

One of these stations along the route is near a body of water.

Geospatial

It is near Baden-Baden.

It satisfies a number of the indicators we are after, such as water, main road, quiet area and an Esso station on our route.

We can start to match this location with the Point B image to see if it fits the fingerprint of what is visible on the Google Maps satellite image.

Geolocation of Mcafee

Using all of the information derived from geolocating objects in the image, we can say, for certainty, that the photo was taken here: https://goo.gl/maps/EwTD6HKfeQupNka98

Further verification can be made by matching the Google Maps embedded images. However, for the purpose of this case study, the indicators seen in the photo are uniquely matched to the satellite image therefore giving a stronger level of geolocated evidence.

A NOTE ON THIS CASE STUDY: The purpose of this case study is to stimulate conversation, research and development in the open source community and is in no way to the detriment of the subject or any business or person identified in this case study.

5 Comments Finding McAfee: Geolocation & Imagery Analysis [Case Study]

  1. Anonymous

    Hi Ben, we really appreciate you doing research and spelling out your steps like this. I’ve sent through an email to you, we’d like to talk about getting training like what you have done here.

    H.

    Reply
  2. 0pens0urce

    Well done Ben. Appreciate the step-by-step walk-through.

    A question: do you use Gimp to do the photo markup? Or another tool?

    Reply
    1. Ben

      Hi. Thank you for your question.

      I use Gimp to layer the images. But for general markup and ‘red boxing’ I use the standard preview on Mac.

      Reply
  3. Matt

    Great Work. it would be an honour to connect with you on Linkedin. I conduct a few of these methods as well, but this was masterful.

    Very good!

    Reply

Leave A Comment

Your email address will not be published. Required fields are marked *