Bellingcat OSINT Challenges - Back in Time

Original header image by Henry Be on Unsplash.

Open Source Intelligence is, a lot of the time, about finding a needle in a haystack.

However, you can significantly improve your chances of locating the specific data points you’re after by layering as many relevant details as possible — whether about the subject or the timeline of events. This enables a controlled reduction of results, helping you focus your search more efficiently. This approach is search engine agnostic and can be applied in two distinct directions:

From Macro to Micro

Begin with broad, generalized searches using minimal keywords — particularly avoiding terms for which you have low confidence.

For example, if you’re attempting to track a specific type of Soviet weapons shipment, it’s often better to avoid including terms like “AK-47,” “AKMS,” or “AKS” at the outset, even if you’re somewhat familiar with those variants. If your initial search yields too many irrelevant results, you can always narrow down later. Starting broad allows you to avoid excluding relevant results prematurely.

From Micro to Macro

Alternatively, starting with a specific assumption or data point based on your existing knowledge is also valid — but don’t get stuck if it doesn’t immediately lead anywhere. This is often how analysts fall into research rabbit holes.

That said, if you have deep domain expertise — say, you can visually identify an AKMS from a blurry image taken 500 meters away — then by all means take the shot. Just make sure to validate your findings. Remain aware of your own cognitive bias and maintain a critical mindset, even when the result fits your expectations. Always try to find counterpoints to your conclusion and act as your own harshest skeptic.

The timeline — or the timing of when a data point was created — can be incredibly effective in narrowing down search results. Time is one of the 5 W’s of root cause analysis (Who, What, Where, When, Why), and for good reason: it sets the scene for both past and future events. Time often serves as a gateway to uncovering the rest of your needed data points.

Time is an immutable element of intelligence work, and it’s the cornerstone for event-related nonrepudiation. If you can establish a timeline, you strengthen the credibility of your findings and gain the ability to reverse-engineer a chain of events. That’s exactly the kind of insight that the talented Sofia Santos explores with the following challenge. Let’s walk through it.


1. Fresh Faced

Finding the founder.

Puzzles created by Sofia Santos.

The story of Bellingcat starts with its founder, Eliot Higgins.

In 2013, numerous media outlets reached out to him to learn more about his groundbreaking discoveries. Some featured him in print, others published articles online, and a few produced and aired video reports.

The image above shows a screenshot from a newspaper article. That interview was also recorded.

Your task is to find footage of this interview on YouTube, and provide the code at the end of the link (answer format: dQw4w9WgXcQ).

The key information given to us in the video snapshot is the text at the bottom of the image, describing the founder, Eliot Higgins, in Croatian.

Bloger Eliot Higgins svaki dan pregledava nove snimke

Which translates to:

Blogger Eliot Higgins reviews new footage every day

The challenge also notes that the interview is available on YouTube, and there’s a strong chance the video dates back to 2013.

The investigation steps taken in order of probability are as follows:

  1. Using reverse image search. (unsuccessful)

  2. Searching for the text in the video title. (successful)

  3. Reverse image search utilizing facial recognition platforms. (untested)

While performing a reverse image search of the interview screenshot quickly proves to be unhelpful, performing a Google search with the keywords Eliot Higgins and the specific search date range of 1/1/2013–12/31/2013 will yield multiple results, which include a section of “Video Results” as well. The fourth video features a setting and image of Higgins that exactly match the challenge screenshot. The title of the video is in Croatian, which also aligns with the original image.

If this result does not appear when you run the search yourself, add the keyword hrvatska, which means "Croatian". The video then shows up directly as a YouTube link, rather than under the "Video Results" section.

The video's title is Bloger koji je otkrio hrvatsko oružje u Siriji, and the video ID, which the challenge expects as an answer, is "k7qd4Y6QAfY". The exact timestamp at which the challenge image appears is 1:50.


As outlined in the introduction, even when most factors point to a correct finding, verification is essential.

At the 1:50 mark of the video:

  • Higgins is seated in the same posture

  • The same laptop and alien figurine are visible

  • The weapons shipment appears on screen

  • The background picture, chair placement, and lighting all match the screenshot

The following visual comparison provides confirmation that this is indeed the correct source video.

Answer: k7qd4Y6QAfY


2. Training Time

There's a lot to learn.

Image credit: ARIJ Network

Following the creation of Bellingcat in 2014, the first few years were focused on publishing investigations, and running training sessions.

In December 2017, Christiaan Triebert hosted a workshop as a representative of Bellingcat. The image above shows Christiaan at that event.

Your task is to identify the name of the room seen in the photo (answer format: The Name Of The Room).

We are starting off this challenge with a lot of useful information, already. Let's see if we can put it to good use.

December 2017 is an exact point in time where there couldn't have been many workshops going on in parallel. If this workshop was advertised anywhere online, it would be quite a unique result in our search.

To add to this data, we know that Christiaan Triebert was running the show, which gives us another avenue for determining the location. Not only would Bellingcat have posted about the training session, but Christiaan might have included photos or notes about how the event went as well, on their own social media profiles or within public professional circles, such as online OSINT communities.

The data points "December 2017" and "Christiaan Triebert" are considered very-high confidence, since they are provided to us by the challenge author. We can include them both in our initial macro-to-micro search.

If we were to use Google's indexing date tool, spoiler alert, we would have incidentally excluded the result that would bring us our answer. Instead, a suitable date range was automatically picked by Google through our use of the "workshop 2017" keywords. This arbitrary range is "12 Jan 2017 - 12 Jun 2019". It's important to keep this fact in mind when inputting dates in the search bar.

In scenarios such as this, where there are multiple results that require further investigation, I follow a colleague's advice, Cry0lite, and I "walk the tabs". This means that for each source result, I pop out the tabs related to it and I end up with multiple windows for the same browser, each with its own information source. The subsequent tabs are distributed "in depth", providing me with a visual lead of the investigation, from left to right. Menu-by-menu, search-by-search, I can easily reference each step I took and how I reached a conclusion, or a dead-end. This will allow me to easily backtrack in case I end up in a rabbit-hole, and find the next analysis branch in the particular data subject I'm looking at, be it a location, a website, or a person.

We can ignore the two X/Twitter links for now, as they usually contain a trove of other pieces of information we might be interested in. Remember, we're going from macro to micro. We don't want to delve too deep just yet. Twitter posts would contain commenters, quote-reposts, and replies with threads, just to name a few of the rabbit holes we could get stuck inside of.

The next interesting result is the schedule for the ARIJ 10th Annual Forum. Despite the date of the post being 06 Aug 2018, the page text describes a workshop taking place on Saturday, December 2, 9:00am EET, and Christiaan Triebert's name also appears in the page text body.

Accessing the link brings us to an event scheduling platform which hosted the 10th Annual Forum of ARIJ - Arab Reporters for Investigative Journalism. They are a non-profit media foundation based in Amman, Jordan, founded in 2005. ARIJ is the first and leading organization in the Arab world focused on strengthening investigative journalism and fact‑checking across the Middle East and North Africa.

Keep in mind, we are looking for a workshop that has taken place sometime in December 2017. Let's cross-check a few elements on this page.

  1. The schedule for the event is filtered by date (right) for the range Dec 1-3 2017.

  2. The filtered page contains one result (center) - Investigating War and Conflict with Digital Information, hosted by Christiaan Triebert of Bellingcat.

  3. If the ARIJ 10th Annual Forum took place in 2017, then the banner (top) would match the timeline for the ARIJ 12th Annual Forum, which would take place in 2019. This confirms that we are looking at the correct event.

  4. The venue for the event is already filtered (bottom right), and the location is set to "Movenpick Resort & Spa Dead Sea | Dead Sea Road, 11180", which leads us to our next part of the investigation.

When caching specific pages, search engines will save the URLs containing search and filtering parameters, much like in this case. The full URL for our result is the following:

https://arij10thannualforum2017.sched.com/type/workshop/d

The path /type/workshop already filters for "workshop" type events within the larger event. The meaning of the trailing "D" is not clear, but it could refer to the room designation or the participant capacity of the workshop.

If we were to clear the filter for "Workshop, D", seen in the screenshot above, we would see a list of all the workshops participants could join, the first one being our search target. Accessing it directly will provide us with a precise URL for the event we were initially looking for, which the search engine could have indexed, but it did not.

The workshop's page also provides more information about the room it takes place in. While we do not know the specific distribution of event spaces across the resort grounds, we at least know now that it took place in the Al Diwan 1 building, on Floor G. This can help narrow down results if we get access to a map of the resort.

The URL of the event itself does not hold any parameters, such as the date filter or room assignment. It uses the same format as the previous link: the subdomain is tied directly to the specific event, and the web resource is the full title of the workshop.

https://arij10thannualforum2017.sched.com/event/Cf6S/investigating-war-and-conflict-with-digital-information-hosted-by-bellingcat-br-hosted-by-bellingcat-tqswy-wqy-hrwb-wmntq-nz-blmlwmt-lrqmy

Sched.com utilizes separate subdomains for each event. The subdomains are associated with an event location, in our case the Movenpick Resort, and with a relative date range, in our case December 1-3, 2017. This makes it easy for us - having the indexed page autofill in the details based on the subdomain in the URL.
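The URL structure and the date mismatch described above (post date 06 Aug 2018 versus an event on Saturday, December 2), worked through as an added example that is not part of the original write-up. It assumes the year is the suffix of the subdomain and that dropping a trailing path segment clears that filter, both inferred only from the two URLs shown here.

```python
import re
from datetime import date
from urllib.parse import urlsplit

MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]

def parse_sched_url(url):
    """Split a sched.com URL into event site, year hint, page kind and path details."""
    host = urlsplit(url).hostname or ""
    if not host.endswith(".sched.com"):
        raise ValueError("not a sched.com event URL")
    site = host[:-len(".sched.com")]
    segs = [s for s in urlsplit(url).path.split("/") if s]
    year = re.search(r"(?:19|20)\d{2}$", site)  # assumption: year ends the subdomain
    info = {"site": site, "year": int(year.group()) if year else None,
            "kind": "other", "filters": [], "event_id": None}
    if segs[:1] == ["type"]:
        info.update(kind="filtered-listing", filters=segs[1:])
    elif segs[:1] == ["event"] and len(segs) > 1:
        info.update(kind="event", event_id=segs[1])
    return info

def broaden(url):
    """Same listing with trailing filter values dropped, narrowest first, then the root."""
    base = "{0.scheme}://{0.netloc}".format(urlsplit(url))
    f = parse_sched_url(url)["filters"]
    return [base + "/type/" + "/".join(f[:n]) for n in range(len(f) - 1, 0, -1)] + [base + "/"]

def snippet_date(snippet, year):
    """Build a date from 'Month D' in a snippet and check any weekday it names."""
    m = re.search(r"\b(%s) (\d{1,2})\b" % "|".join(MONTHS), snippet, re.I)
    if not m or year is None:
        return None, None
    d = date(year, MONTHS.index(m.group(1).lower()) + 1, int(m.group(2)))
    named = [w for w in re.findall(r"[a-z]+", snippet.lower()) if w in DAYS]
    return d, (DAYS[d.weekday()] == named[0] if named else None)

def assess(url, snippet, indexed, start, end):
    """Compare the index date and the inferred event date against the target window."""
    event, weekday_ok = snippet_date(snippet, parse_sched_url(url)["year"])
    return {"indexed_in_window": start <= indexed <= end,
            "event_in_window": event is not None and start <= event <= end,
            "event_date": event, "weekday_matches": weekday_ok}

# Values from the article: the indexed URL, the snippet text and the post date.
LISTING = "https://arij10thannualforum2017.sched.com/type/workshop/d"
RESULT = assess(LISTING, "Saturday, December 2, 9:00am EET", date(2018, 8, 6),
                date(2017, 12, 1), date(2017, 12, 31))
```

The weekday check is an independent confirmation of the inferred year: December 2 only falls on a Saturday in some years, and 2017 is one of them.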

Note:

Indeed, the previous X/Twitter search result also points to the same event, #ARIJ17, where the workshop took place. However, it has no mention of a location. For more complex investigations, this would instead offer more information about the type of training provided and the subject.

The next step was to search for the resort's website. It's quite common that hotels and resorts publish their available event venues online in order to attract potential businesses that might want to host symposiums and workshops there. This lead had a very high confidence, especially due to the uniqueness of the event space decorations seen in the original challenge image.

Scrolling down on their website brings us to the section advertising event spaces. This section contains the "Find out more" button, which takes us to the full selection of rooms available to event organizers.

Having accessed the meeting rooms' page, we only need to scroll down to the bottom to find our match.

The Grand Ball room is the only meeting room that sports the light green wall panels, and the specific carpet model seen in the challenge image. A visual comparison has been drawn between the full picture, as presented on The Grand Ball room's dedicated webpage, and the original challenge image, to showcase the similarities.

Answer: The Grand Ball Room


Conclusion

Chronolocation is more than simply filtering search results by date. A significant part of the discipline lies in determining when photographic material was actually captured. This area merits its own in-depth exploration and will be covered separately, as it plays a critical role in verifying sources and strengthening analytical confidence.

A warm thank you to Sofia Santos for the challenges.
