# Geolocation and Media Analysis ## Table of Contents - [Image Analysis](#image-analysis) - [Reverse Image Search](#reverse-image-search) - [Geolocation Techniques](#geolocation-techniques) - [MGRS (Military Grid Reference System)](#mgrs-military-grid-reference-system) - [Metadata Extraction](#metadata-extraction) - [Hardware/Product Identification](#hardwareproduct-identification) - [Newspaper Archives and Historical Research](#newspaper-archives-and-historical-research) - [Google Street View Panorama Matching (EHAX 2026)](#google-street-view-panorama-matching-ehax-2026) - [Road Sign Language and Driving Side Analysis (EHAX 2026)](#road-sign-language-and-driving-side-analysis-ehax-2026) - [Post-Soviet Architecture and Brand Identification (EHAX 2026)](#post-soviet-architecture-and-brand-identification-ehax-2026) - [IP Geolocation and Attribution](#ip-geolocation-and-attribution) - [Google Lens Cropped Region Search (UTCTF 2026)](#google-lens-cropped-region-search-utctf-2026) - [Reflected and Mirrored Text Reading (UTCTF 2026)](#reflected-and-mirrored-text-reading-utctf-2026) - [What3Words (W3W) Geolocation (UTCTF 2026)](#what3words-w3w-geolocation-utctf-2026) - [Monumental Letters / Letreiro Identification (UTCTF 2026)](#monumental-letters--letreiro-identification-utctf-2026) --- ## Image Analysis - Discord avatars: Screenshot and reverse image search - Identify objects in images (weapons, equipment) -> find character/faction - No EXIF? Use visual features (buildings, signs, landmarks) - **Visual steganography**: Flags hidden as tiny/low-contrast text in images (not binary stego) - Always view images at full resolution and check ALL corners/edges - Black-on-dark or white-on-light text, progressively smaller fonts - Profile pictures/avatars are common hiding spots - **Twitter strips EXIF** on upload - don't waste time on stego for Twitter-served images - **Tumblr preserves more metadata** in avatars than in post images ## Reverse Image Search - Google Lens (crop to specific region, best for identifying landmarks/shops/signs) - Google Images (most comprehensive) - TinEye (exact match) - Yandex (good for faces, Eastern Europe) - Bing Visual Search ## Geolocation Techniques - Railroad crossing signs: white X with red border = Canada - Use infrastructure maps: - [Open Infrastructure Map](https://openinframap.org) - power lines - [OpenRailwayMap](https://www.openrailwaymap.org/) - rail tracks - High-voltage transmission line maps - Process of elimination: narrow by country first, then region - Cross-reference multiple features (rail + power lines + mountains) - MGRS coordinates: grid-based military system (e.g., "4V FH 246 677") -> convert online ## MGRS (Military Grid Reference System) **Pattern (On The Grid):** Encoded coordinates like "4V FH 246 677". **Identification:** Challenge title mentions "grid", code format matches MGRS pattern. **Conversion:** Use online MGRS converter -> lat/long -> Google Maps for location name. ## Metadata Extraction ```bash exiftool image.jpg # EXIF data pdfinfo document.pdf # PDF metadata mediainfo video.mp4 # Video metadata ``` ## Hardware/Product Identification **Pattern (Computneter, VuwCTF 2025):** Battery specifications -> manufacturer identification. Cross-reference specs (voltage, capacity, form factor) with manufacturer databases. ## Newspaper Archives and Historical Research - Scout Life magazine archive: https://scoutlife.org/wayback/ - Library of Congress: https://www.loc.gov/ (newspaper search) - Use advanced search with date ranges **Pattern (It's News, VuwCTF 2025):** Combine newspaper archive date search with EXIF GPS coordinates for location-specific identification. **Tools:** Library of Congress newspaper archive, Google Maps for GPS coordinate lookup. ## Google Street View Panorama Matching (EHAX 2026) **Pattern (amnothappyanymore):** Challenge image is a cropped section of a Google Street View panorama. Must identify the exact panorama ID and coordinates. **Approach:** 1. **Extract visual features:** Identify distinctive landmarks (road type, vehicles, containers, mountain shapes, building styles, vegetation) 2. **Narrow the region:** Use visual clues to identify country/region (e.g., Greenland landscape, specific road infrastructure) 3. **Compile candidate panoramas:** Use Google Street View coverage maps to find panoramas in the identified region 4. **Feature matching:** Compare challenge image features against candidate panoramas: ```python import cv2 import numpy as np # Load challenge image and candidate panorama challenge = cv2.imread('challenge.jpg') candidate = cv2.imread('panorama.jpg') # ORB feature detection and matching orb = cv2.ORB_create(nfeatures=5000) kp1, des1 = orb.detectAndCompute(challenge, None) kp2, des2 = orb.detectAndCompute(candidate, None) bf = cv2.BFMatcher(cv2.NORM_HAMMING, crossCheck=True) matches = bf.match(des1, des2) score = sum(1 for m in matches if m.distance < 50) ``` 5. **Ranking systems:** Use multiple scoring methods (global feature match, local patch comparison, color histogram analysis) and combine rankings 6. **API submission:** Submit panorama ID with coordinates in required format (e.g., `lat/lng/sessionId/nonce`) **Google Street View API patterns:** ```python # Street View metadata API (check if coverage exists) # GET https://maps.googleapis.com/maps/api/streetview/metadata?location=LAT,LNG&key=KEY # Street View image API # GET https://maps.googleapis.com/maps/api/streetview?size=640x480&location=LAT,LNG&heading=90&key=KEY # Panorama ID from page source (parsed from JavaScript): # Look for panoId in page data structures ``` **Key insights:** - Challenge images are often crops of panoramas — the crop region may not include horizon or sky, making geolocation harder - Distinctive elements: road surface type, vehicle makes, signage language, utility poles, container colors - Greenland, Iceland, Faroe Islands have limited Street View coverage — enumerate all panoramas in the region - Image similarity ranking with multiple metrics (feature matching + color analysis + patch comparison) is more robust than any single method --- ## Road Sign Language and Driving Side Analysis (EHAX 2026) **Pattern (date_spot):** Street view image of a coastal location. Identify exact coordinates from road infrastructure. **Systematic approach:** 1. **Driving side:** Left-hand traffic → right-hand drive countries (Japan, UK, Australia, etc.) 2. **Sign language/script:** Kanji → Japan; Cyrillic → Russia/CIS; Arabic → Middle East/North Africa 3. **Road sign style:** Blue directional signs with white text and route numbers → Japanese expressways 4. **Sign OCR:** Extract text from directional signs to identify town/city names and route designations 5. **Route tracing:** Search identified route number + town names to find the road corridor 6. **Terrain matching:** Match coastline, harbors, lighthouses, bridges against satellite view **Japanese infrastructure clues:** - Blue highway signs with white Kanji + route numbers (e.g., E59) - Distinctive guardrail style (galvanized steel, wavy profile) - Concrete seawalls on coastal roads - Small fishing harbors with white lighthouse structures **General country identification shortcuts:** | Feature | Country/Region | |---------|---------------| | Kanji + blue highway signs | Japan | | Cyrillic + wide boulevards | Russia/CIS | | White X-shape crossing signs | Canada | | Yellow diamond warning signs | USA/Canada | | Green autobahn signs | Germany | | Brown tourist signs | France | | Bollards with red reflectors | Netherlands | --- ## Post-Soviet Architecture and Brand Identification (EHAX 2026) **Pattern (idinahui):** Coastal parking lot image. Identify location from architectural style, vehicle types, signage, and local brands. **Recognition chain:** 1. **Architecture:** Brutalist concrete buildings → post-Soviet region 2. **Vehicles:** Reverse image search vehicle models to narrow to Russian/CIS market cars 3. **Script:** Cyrillic signage confirms Russian-language region 4. **Flags:** Regional government flags alongside national tricolor → identify specific federal subject 5. **Brands:** Named restaurants/chains (e.g., "Mimino" — Georgian-themed chain popular across Russia) → search for geographic distribution 6. **Coastal features:** Caspian Sea coastline + North Caucasus architecture → Dagestan/Makhachkala **Key technique — restaurant/brand geolocation:** - Identify any readable business name or brand logo - Search for that business + "locations" or "branches" - Cross-reference with other visual clues (coastline, terrain) to pinpoint exact branch - Google Maps business search is highly effective for named establishments **Post-Soviet visual markers:** - Panel apartment blocks (khrushchyovka/brezhnevka) - Wide boulevards with central medians - Concrete bus stops - Distinctive utility pole designs - Soviet-era monuments and mosaics --- ## IP Geolocation and Attribution **Free geolocation services:** ```bash # IP-API (no key required) curl "http://ip-api.com/json/103.150.68.150" # ipinfo.io curl "https://ipinfo.io/103.150.68.150/json" ``` **Bangladesh IP ranges (common in KCTF):** - `103.150.x.x` - Bangladesh ISPs - Mobile prefixes: +880 13/14/15/16/17/18/19 **Correlating location with evidence:** - Windows telemetry (imprbeacons.dat) contains `CIP` field - Login history APIs may show IP + OS correlation - VPN/proxy detection via ASN lookup --- ## Google Lens Cropped Region Search (UTCTF 2026) **Pattern (W3W1/W3W2):** Challenge image contains multiple elements but only one is useful for identification. Crop to just the relevant portion before searching. **Technique:** 1. Identify the most distinctive element in the image (shop sign, building facade, landmark) 2. Crop the image to isolate that element — remove surrounding context that adds noise 3. Search the cropped region using Google Lens (`lens.google.com` or right-click → "Search image with Google Lens" in Chrome) 4. Review visually similar results to identify the specific location or business **When to crop:** - Shop fronts: crop to just the storefront and signage - Landmarks: crop to the distinctive architectural feature - Signs: crop to just the sign text - Churches/buildings: crop to the unique facade **Key insight:** Google Lens performs significantly better on cropped regions than full scene images. A full scene may return generic landscape results, while a cropped shop sign returns the exact business with its address. **Example workflow (W3W2):** 1. Challenge image shows a street scene with a shop 2. Crop to just the shop portion 3. Google Lens identifies the shop and its location 4. Verify on Google Maps Street View 5. Convert coordinates to What3Words --- ## Reflected and Mirrored Text Reading (UTCTF 2026) **Pattern (W3W3):** Text visible in the image is reflected/mirrored (e.g., sign reflected in water or glass). Must read the text in reverse to identify the location. **Technique:** 1. Identify reflected text in the image (common in water reflections, glass surfaces, mirrors) 2. Flip the image horizontally to read the text normally 3. If text is partially obscured, search for the readable portion as a prefix/suffix: - "Aguas de Lind..." → search `"Aguas de Lind"` → find "Aguas de Lindoia" 4. Use the identified text to locate the place on Google Maps **Partial text search strategies:** ```text # Search with wildcards/partial terms "Aguas de Lind" # Quoted partial match "Aguas de Lind" city # Add context keyword "Aguas de Lind*" brazil # Add country if identifiable from image ``` **Image flipping for reflected text:** ```bash # Flip image horizontally with ImageMagick convert input.jpg -flop flipped.jpg # Or with Python/PIL python3 -c " from PIL import Image img = Image.open('input.jpg') img.transpose(Image.FLIP_LEFT_RIGHT).save('flipped.jpg') " ``` **Key insight:** When a letter in reflected text is ambiguous (e.g., "T" vs "I"), try both variants as separate searches. Partial text searches with quoted strings are effective for identifying place names even with only 60-70% of the text readable. --- ## What3Words (W3W) Geolocation (UTCTF 2026) **Pattern (W3W1/W3W2/W3W3):** Photo of a location. Find the exact What3Words address (3-meter precision grid). Flag format: `utflag{word1.word2.word3}`. **What3Words basics:** - Divides entire world into 3m x 3m squares, each with a unique 3-word address - Words are in a SPECIFIC language (English by default) - Adjacent squares have COMPLETELY different addresses (no spatial correlation) - Website: https://what3words.com/ **Workflow:** 1. **Identify the location** using standard geolocation techniques (reverse image search, landmarks, signs, architecture) 2. **Get precise GPS coordinates** from Google Maps satellite view 3. **Convert coordinates to W3W** using the website (enter coordinates in search bar) 4. **Fine-tune:** The exact 3m square matters — shift coordinates by small amounts to check adjacent squares **Coordinate-to-W3W conversion:** ```text # Navigate to what3words.com and enter coordinates: # Format: latitude, longitude (e.g., 30.2870, -97.7415) # Or click on the map at the exact location # The W3W API requires an API key (not always available in CTF): # GET https://api.what3words.com/v3/convert-to-3wa?coordinates=30.2870,-97.7415&key=API_KEY ``` **Common pitfalls:** - **3m precision matters:** A building entrance vs. its parking lot may have different W3W addresses. Match the EXACT viewpoint of the photo. - **Camera position vs. subject:** The W3W address may refer to where the camera IS, not what it's pointed at. - **Satellite vs. street-level:** Google Maps pin may not perfectly align with the actual W3W grid. - **Multiple buildings nearby:** Churches, shops, and landmarks may have several candidate squares. **Tips for accurate pinpointing:** - Use Google Street View to match the exact camera angle - Cross-reference with OpenStreetMap (OSM) for precise building footprints - Try 5-10 adjacent W3W addresses around your best guess - The challenge image often shows a specific feature (entrance, sign, landmark) — find THAT exact spot - **Micro-landmark matching:** Identify small distinctive features in the challenge image (utility poles, pathway rocks, bollards, planters) and locate the same features in Street View to pinpoint the exact 3m square - **Background building triangulation:** Match buildings visible in the background from the challenge image angle. Find those same buildings in Street View, then determine where the camera must be positioned to produce the same perspective - **Geographic feature narrowing:** When you know the city but not the exact spot, use distinctive geographic features (lakes, rivers, coastline) visible in the image to narrow the search area before switching to Street View --- ## Monumental Letters / Letreiro Identification (UTCTF 2026) **Pattern (W3W3):** Photo of large 3D letters spelling a city/location name, often reflected in a pool of water. Common in Latin American cities as tourist landmarks. **Identification clues:** - Large colorful 3D block letters - Often located in main plaza (praça) or tourist area - May include city name in local language - Reflection in decorative water pool is a common design **Search strategy:** - Google: `"letras monumentales" [city name]` or `"letreiro turístico" [city]` - OpenStreetMap: search for nodes tagged as `tourism=attraction` near the city center - Google Maps: search `[city name] sign` or `[city name] letters` and check photos **Key insight:** These monumental letter installations ("letras monumentales" in Spanish, "letreiro turístico" in Portuguese) are extremely common in Latin American cities. The exact GPS coordinates of the installation can be found on OpenStreetMap or Google Maps photo pins.