So I’ve seen all these challenges on Twitter before, and every time I see one, I’m in awe of all the people who manage to complete them - they look stupidly hard at first glance, and I’ve always been excited for the day I’d get to try one… and due to the encouragement of the people running our Wednesday offshoot of DMU Hackers, ‘CTF club’, that day came one Wednesday afternoon in a local pub!
It’s @Quiztime 🥳
🔎 What am I doing here?
✍️ Reply to me with your answer
🤝 Reply to all for collaboration
🌈 Good luck with the #MondayQuiz pic.twitter.com/14IXXRdCzP
— Julia Bayer (@bayer_julia) October 18, 2021
So as you may know, Twitter removes EXIF data from posts - which means tools like exiftool are automatically rendered useless. I know that from past OSINT-y bits I’ve done, exiftool is a great start to investigations as it can include some of the most helpful data, such as GPS coordinates, creation/modification date and other funky bits.
Alas, leveraging the metadata in this image was not an option, and I had to look in other places. Another first port of call is a reverse image search, more specifically using the Russian search engine ‘Yandex’. I won’t go into it here, but there’s a lot on the web concerning why Yandex is better than other search engines (e.g. Google) for reverse imaging.
The Yandex reverse search yielded (seemingly) good results; all of the images seemed to fit the rough spec. of the image, although nothing much could be found. Also, the tweet author @bayer_julia (go give her a follow) appears to be German from her tweet history and bio, which is another pointer.
After a bit of deliberation and zooming in, it then occurred to me that I should try flipping the image - now I know this image is pretty likely to be in Europe, it makes sense since they drive on the right-hand side, and at the moment cars are on the left. I’d zoomed in to the image earlier to see if I could gather anything but not much (at least text-wise) could be found. Flipping the image using the trusty ‘imagemagick’ gave me a much clearer idea of what I could do:
convert -flop quiz_image.jpeg quiz_image_flipped.jpg
And no - (mainly for J) - it’s not a typo! -flip is vertical flipping and -flop is horizontal :-)
I feel a lot better about the image being flipped now. I could see one object of interest immediately - the graffiti on the left side was now readable as text… maybe it’s a tag?
Now I know other hackers in the group approached the next stage a different way - but my immediate instinct was to do a quick Google search for this IKARUS/IKARVS graffiti. ‘IKARUS’ was the first thing I searched, but even going back and searching for ‘IKARVS’ yielded nothing. To my delight, I found a match - and even better, the group seemed to be based in Berlin which confirmed my suspicions of Germany!
Now I started scrolling through their Instagram, and I managed to find a photo of the graffiti - going onto the post confirmed a bit more context about the location, showed the graffiti was above a branch of Berliner Volksbank, and also (using some of my minimal German skills), I inferred that ‘Neukölln’ was either a town or district where this image is located - Google confirms it is indeed a district of Berlin.
Originally my thoughts were to search for branches of Berliner Volksbank in Neukölln, but I couldn’t find a great deal at first glance. Rather than focusing on this, I thought I’d exhaust my other options - which included the church (I did originally think it was a clock tower, but I couldn’t really find anything clock tower related).
Keeping the image of that spire in mind, I searched for churches in the Neukölln area (the exact query was ‘kirche neukolln’ - a little bit of German coming in handy!).
And boom. The first result on Google images was a match - I now knew the church was ‘Martin-Luther-Kirche’.
So going onto Google Maps, I was able to find where this church was, in the district of Neukölln. And interestingly, in front of a shopping centre.
So we have the location the image was taken from - the shopping centre - but the tweet is asking for what the person was doing. Google Earth is great for more specific location as it lets you elevate to a certain level, a feature that standard streetview doesn’t have.
Going into Google Earth, I heighten myself to the level I believe the image was taken, and line it up like so:
Now we’re pretty much there - but just to get a precise location, I look up a floor plan of the shopping centre - I know it’s called Neukölln Arcaden. A search for ‘Neukölln Arcaden floor plan’ brought up the following diagram (when scrolling up to the top floor):
Given the windows in the library, and the fact that the car park comes quite far down to the corner - I think it can be deduced that this person was in the car park. However, it could also be debated that the library is where the photo was taken, but given that the photo looks too clear to be taken from inside a window, I think the car park is the most likely explanation.
So, there you have it! My first proper OSINT challenge write-up. I hope you found the read interesting, and stay tuned for more of these - I’m definitely interested in doing more, and I hope that they’re engaging enough for people to follow :)