Bellingcat’s Online Investigation Toolkit
THE BELLINGCAT TOOLKIT HAS MOVED TO bit.ly/bcattools
Welcome to Bellingcat’s freely available online open source investigation toolkit. You can follow our work on via our website, Twitter and Facebook. (We also provide three to five day open source investigation workshops.) This is version 5.3 (August 19, 2020). The list includes satellite and mapping services, tools for verifying photos and videos, websites to archive web pages, and much more. The list is long, and may seem daunting. There are guides at the end of the document, highlighting the methods and use of these tools in further detail. We also provide tailored digital forensics workshops. Feel free to suggest tools via email (christiaantriebert@bellingcat.com) or Twitter (@trbrtc). To view an outline of the document, click “View” and then “Show document outline”. There’s also one below. The “OSINT Landscape” — a condensed version of the online investigation toolkit below — can be downloaded in high resolution here. Content
|
1 — Maps, Satellites & Streetview | ||||
Name | Description | Pros | Cons | Link |
Check out this handy flow chart for finding and acquiring satellite imagery. | ||||
Airbus Geostore | Platform to get a preview of their imagery and order images. | |||
Baidu Maps | Baidu’s mapping service offering satellite imagery, street maps, and streetview (“Panorama” - zh:百度全景). | |||
Bing Maps | Bing’s mapping service offering satellite imagery and street maps. | More recent and higher resolution imagery than Google, e.g. in Afghanistan and Iraq. | Difficult to check the date of the imagery. | |
converting coordinates | Convert geographic coordinates between different notation styles. | synnatschke.de/geo-tools/coordinate-converter.php UTM grid zones dmap.co.uk/utmworld.htm | ||
Copernicus | The site for the European Space Agency and for images from Copernicus’ six Sentinel satellites. | Better resolution than Landsat. See explanation from the website GISGeography on how to download free images. | ||
Descartes Labs | A commercial service that collects data daily from public and commercial imagery providers. | Will help journalists. “We do not charge for these requests, only ask that they are credited.” (via GIJN) | ||
DigitalGlobe | Satellite imagery vendor. | Preview available via the catalogue, search tool very easy to use. | $ | |
DualMaps | Combines Google’s road maps, aerial view, and street view in one embeddable tool. | |||
EarthExplorer | From the US Geological Service. Provides mainly US images. Gives access to Landsat satellite data as well as NASA’s Land Data Products and Services. The USGS Global Visualization Viewer (GloVis) provides remote sensing data. The USGS archive contains a complete and well-maintained collection of NASA Landsat data. | |||
EOS Landviewer | EOS Landviewer provides free services for up to 10 images. More images and analysis are available to journalists at a discount. Contact: Artem Seredyuk artem.seredyuk@eosda.com. EOS is in the process of developing a service provisionally called EOS Media that will be providing free images and analysis of major natural disasters. | |||
ESA Earth Online | Consolidates European Space Agency’s earth observation data on topics such as temperature, agriculture, and ice sheets. | |||
ESA SNAP | ESA SNAP is a free remote sensing program created by the European Space Agency, it lets you perform various enhancements and manipulations to remotely sensed data. | |||
find2places | Allows querying Google Maps API for two specific places in precise distance from each other within given radius. Useful for geolocating photos and videos. | It’s a script, no user-friendly interface. | ||
Geograph | Georeferenced images. | |||
GeoNames | Database of location names. | A wide variety of different spellings in various languages. Draws upon many sources, including NGA’s Geonames. | ||
GeoVisual Search | Search engine that lets users visually query images for similar geographic features. The platform from Descartes Labs is built on satellite imagery from Landsat, the National Agriculture Imagery Program (NAIP), and PlanetScope. Description of how to use it. | |||
Google Earth Pro | Add a Bing Maps satellite imagery layer. Historical imagery. | |||
Google Earth Engine | Open-access satellite imagery and analytical framework | Virtually any satellite imagery collected from NASA, NOAA, USGS, etc. is available. | Moderate and coarse resolution imagery rather than high-resolution commercial imagery; Learning curve with Javascript | |
Google Maps | Google’s mapping service offering satellite imagery, street maps, and streetview. | Many 3D modelled places in Americas, Australia, Europe, N Africa, and SE Asia. Probably the easiest-to-navigate mapping service of all. | No historical satellite imagery, but historic Streetview images available in many places. | |
Google Photos (formerly Panoramio) | Geotagged photos. | R.I.P. Panoramio. | ||
HERE WeGo | More recent satellite imagery than Google in e.g. Iraq. | |||
IndustryAbout | Maps per country showing industrial plants, e.g. power, hydroelectric, nuclear, coal, oil refineries, etc. | Specifically to industrial plants. | Only mapped per country. | |
Map checking | Calculate the amount of people that are standing in the selected Google Maps area. | |||
Mapillary | Crowdsourced street-level photos. | A useful addition to Google StreetView. | Little to no coverage in countries like Syria, Iraq, etc. | |
Mapotic | Map making app useful for communities, easy to make categories and attributes. | |||
NASA EarthData | WorldView allows visualization of near real-time imagery from NASA. | A wide array of satellite and aerial images; broad search criteria; and other mapping and visualization tools such as FIRMS for fires. Access to more than a dozen NASA data centres and associated satellite data products. NASA Earth Observations: More than 50 datasets on atmosphere, land, ocean, energy, environment and more. | ||
Old Maps Online | Find old maps through numerous databases all around the world. | Easy-to-use, similar browsing as the DigitalGlobe catalogue. | ||
OpenStreetCam | ||||
OpenStreetMap | ||||
overpass-turbo | ||||
QGIS | Open source GIS programme. Here’s a guide how to use it. | Has many user add-ons. A recent update(QGIS 3.0) allows for users to create 3D landscapes using LiDAR data. | ||
Radiant Earth | A non-profit group that helps the global development community discover, explore and analyze satellite, drone and aerial imagery archives. | Radiant Earth is working with Code of Africa, among others. Apply to gain assistance via their website. Or contact Radiant Earth. | ||
Resource Watch | A nonprofit platform, still in beta, that provides hundreds of data sets on the state of the planet’s resources and citizens. It is sponsored by the World Resources Institute and other organizations. | Resource Watch data are free and users can download data. | ||
Satellites.pro | Combines different satellite services | Includes web based Apple Maps satellite view, great for seeing countries like Afghanistan. | ||
Sentinel Hub Playground | A user-friendly place for Sentinel 2/Landsat images. | Updated every 5-10 days with new imagery, dependent on cloud cover. | Generally low resolution of 10m/px. | |
Tencent Maps | Tencent Maps (formerly SOSO Maps) is a desktop and web mapping service application and technology provided by Chinese company Tencent, offering satellite imagery, street maps, street view (coverage) and historical view perspectives, as well as functions such as a route planner for traveling by foot, car, or with public transportation. Android and iOS versions are available. | |||
Topotijdreis.nl | Over 200 years of maps and topography from the Netherlands. | |||
what3words | Entire world divided into 3m by 3m squares, and each square is given a 3 word address. For example, the what3words address for Nelson's column in trafalgar square is: cube.soccer.these. | This website is especially useful when referring to remote locations and when you are unable to write down a lengthy sentence of exact coordinates. | ||
Wikimapia | Crowdsourced information related to geographic locations. | Possibility to switch between Google/Bing/OSM. Massive amount of UCG information. | Can be laggy, and need to refresh page after a view searches. Lost Google API. | |
Yandex Maps | ||||
2 — Location Based Searches | ||||
Name | Description | Pros | Cons | Link |
Echosec | Geo-based searches. | Twitter, VKontakte, Foursquare | $ (doesn’t list Facebook, genuine Instagram) | |
GeoNames | The GeoNames geographical database covers all countries and contains over eleven million place names that are available for download free of charge | Extremely useful in Geo Tagging, documentation, and data collection. | ||
Liveuamap | Interactive live map of conflict news. | Variety of countries available: Afghanistan, Iraq, Syria, U.S., Ukraine, Venezuela, etc. | ||
Photo-Map.RU | Geotagged VKontakte posts. | VKontakte | ||
SnRadar | Geotagged VKontakte posts. | VKontakte | ||
Insert in search box: geocode:[coordinates],[radius-km], for example: geocode:36.222285,43.998233,2km (only works with km, so 500m = 0.5km) | Easy to fake. | |||
WarWire | Geo-based searches. | Twitter, VKontakte, Instagram | $ (but does list Instagram) | |
YouTube | Geo-based searches | Unclear whether it shows where it was uploaded, from which server, or only filters on keywords (e.g. “Paris” in title shows up in Paris). | ||
3 — Image & Video Verification | |||||
Name | Description | Pros | Cons | Link | Guides |
ExifTool | Read, write, remove, and manipulate metadata for a vast number of file types. Note: no GUI | Floss, Cross-platform and very easy to integrate into scripts. | Yet to encounter any (Have only used on GNU/Linux). | See forum and FAQ on linked page | |
ExifPurge | EXIF Purge is a small portable application to remove EXIF metadata from multiple images at once. With the click of a button you can remove the camera, location and other technical information from a batch of photos which is embedded by the camera or the photo editing software. | ||||
Foca | Extracts metadata. | Windows-based, open sourced 2017. | No native Linux support. (needs wine installed within Linux) | ||
FotoForensics | Image forensics tool. | Simple, web-based. | Public access, information not private. | ||
GooFile | Extract metadata. | Simple to use. | Doesn't work well outside Kali | ||
Image Forensics | Web-based image forensics tool. | Can easily identify fake or doctored images | Public access, information not private. | ||
InVID | Verification plugin to help journalists verify images and videos. Contextual data, Metadata, reverse search (Google, Yandex, Baidu), image forensic, Magnifier) | invid-project.eu (plugins for Chrome, Firefox (Windows, Mac OS X, Linux) | https://www.youtube.com/watch?v=nmgbFODPiBY | ||
Irfanview | Extract metadata. | Windows-based | No native Linux support | ||
Jeffrey's Image Metadata Viewer | Extract metadata, online. | Only requires a web browser. | Public access, information not private. | ||
Reveal Image Verification Assistant | Forensic providing eight filters to detect still images alterations. | Web-based image tool. Also available within InVID verification plugin. | http://reveal-mklab.iti.gr/reveal/index.html
| Documented with examples and explanations of the different filters. Developed in Reveal project. | |
reverse image search | Locates similar images on the internet | Easy, simple and works! | Recommended plugin: RevEye, which searches Google, Yandex, Baidu and Bing. | ||
SpiderPig | Extract metadata. | Command line interface and scriptable. | Requires dependencies and knowledge of web technologies. | ||
Splunk | Extract metadata. | Report grade analysis and presentation. | Not simple to setup and deploy. | ||
VGG Image Classification (VIC) Engine | The VGG Image Classification (VIC) Engine is an open source project developed at the Visual Geometry Group and released under the BSD-2 clause. VIC is a web application that serves as a web engine to perform image classification queries over an user-defined image dataset. It is based on the original application created by VGG to perform visual searchers over a large dataset of images from BBC News. | ||||
VGG Face Finder (VFF) Engine | Visual Geometry Group and released under the BSD-2 clause. VFF is a web application that serves as a web engine to perform searches for faces over an user-defined image dataset. It is based on the original application created by VGG to perform visual searchers over a large dataset of images from BBC News. | ||||
VGG Image Search Engine (VISE) | This standalone application can be used to do a reverse image search on a large collection of images. | ||||
4 — Social Media | ||||
Name | Description | Pros | Cons | Link |
Getfbstuff | Online tool to download Facebook videos, including private ones, which is great. | Includes “private” videos you can download. | ||
Graph.tips/beta | Automatically advanced searches for Facebook profiles. | |||
Who posted what? | Find posts on Facebook | |||
IntelTechniques | Various tools for analyzing Facebook profiles and pages. | |||
Facebook Intersect Search Tool | This tool is designed to provide a simple method to conduct Facebook intersect searches across multiple variables. Missing intersect options are due to Facebook limitations. | |||
Facebook Live Map | Live broadcasts around the world. | |||
FBDOWN.net | Handy website to download public Facebook videos. Copy paste the URL of the video and download it in the available definition formats. | |||
peoplefindThor | Graph searches. | |||
Search Is Back! | Graph searches. | |||
Search Tool | Find accounts by name, email, screen name, and phone. | |||
StalkScan | Automatic advanced searches for your | |||
Video Downloader Online | Download Facebook videos. | |||
Skopenow | Social Media Investigations - name, phone, email, username searches. | |||
Name | Description | Pros | Cons | Link |
Gramfly | View interactions and activity of Instagram users. | See likes/comments of public users. | ||
StoriesIG | Tool for downloading Instagram stories. | |||
Save Instagram Stories | Allows you to do a username search for stories already saved. | |||
Name | Description | Pros | Cons | Link |
Socilab | Visualise and analyse your own LinkedIn network. | |||
LinkedIn Overlay Remover | Removes the overlay that displays over a linkedin profile. | http://addons.mozilla.org/nl/firefox/addon/linkedin-overlay-remover/ | ||
Name | Description | Pros | Cons | Link |
F5Bot | Sends you an email when a keyword is mentioned on Reddit. | |||
Skype | ||||
Name | Description | Pros | Cons | Link |
Snapchat | ||||
Name | Description | Pros | Cons | Link |
Snap Map | Searchable map of geotagged snaps. | Here’s how you can download them. | ||
Telegram | ||||
Name | Description | Pros | Cons | Link |
Telegago | Google-based search engine for Telegram. | |||
TelegramDB | ||||
TGstat | ||||
TikTok | ||||
Name | Description | Pros | Cons | Link |
TikTok Kapi | Search for by hashtag. | |||
Name | Description | Pros | Cons | Link |
botcheck | ||||
Botometer | ||||
InVID verification plugin | InVID plugin provides a Twitter advanced search by time interval up to the minute. | Allows documenting use cases from the past without APIs and time limit. Allows searching for content within a user-defined time range after a breaking news. | ||
Onemilliontweetmap | Tweets map per locations up to 6 hours old, keyword search option. | |||
Treeverse | Chrome extension to visualise Twitter conversations. | |||
Tweetreach | Find reach of tweets. | Advanced search operators available, same as Google advanced search. | ||
TwitterAudit | Check bots. | |||
Twittervideodownloader | ||||
Twitter advanced search | Search by date, keywords, etc. | |||
Twitter geobased search | geocode:[coordinates],[radius-km], for example: geocode:36.222285,43.998233,2km | There’s a tool for it too. | ||
twint | Advanced Twitter scraping tool written in Python that doesn't use Twitter's API, allowing you to scrape a user's followers, following, Tweets and more while evading most API limitations. | Need to know Python. | ||
Twlets | Download anyone’s tweets, followers and likes in an Excel sheet. | Easy and quick to use, there’s a Chrome extension too. | Goes up to 3,200 tweets, followers and likes. | |
quarter tweets | Geobased Twitter search. | |||
t | command-line power tool for Twitter (it is an open source command line script written in Ruby) | Highly flexible, can be put in Bash scripts to automate Twitter activity and searches Deeper search through REST API Output spreadsheets/CSV Fast performance for bulk operations | Set-up might be technical for some (ask if you want help) | |
YouTube | ||||
Name | Description | Pros | Cons | Link |
Amnesty YouTube Dataviewer | Reverse image (video still) search and exact uploading time. Here’s an Advanced | Searches for a number of stills, not each frame is included (thus results may be left out). InVID plugin is probably better at this stage. | ||
Geo Search Tool | Search for YouTube videos based on location. | |||
YouTube Geofind | YouTube Geofind; three different search functions, location, topic, and channel. | |||
youtube-dl | Python tool to download from a variety of sources. | Select video / audio formats, quality etc Updated frequently to support parsing the relevant sources | Intellect needed (read: cli usage only) | http://rg3.github.io/youtube-dl/ |
5 — Transportation | ||||
Air | ||||
Name | Description | Pros | Cons | Link |
ADS-B Exchange Global Radar | Tracking flights. | Includes a number of military aircraft. | ||
ADS-B Historical Flight Viewer | Look up flight history of a specific aircraft as far back as two years. Search by ICAO (a.k.a. registration number). | Like FlightRadar24, but free | ||
Airfleets | ||||
AirNav RadarBox | Tracking flights, including private and military jets. | |||
Federal Aviation Administration | Nationwide Plane Registry. Search by N-Number (a.k.a. callsign). | Comprehensive list of privately owned planes in the US | ||
FlightAware | ||||
FlightRadar24 | Tracking (civilian) flights. | $ to go back in 12-month archive. | ||
Live ATC | Audio from air traffic control towers in the United States. | Aircraft have to identify themselves to ATC towers, so in cases where aircraft are trying to obscure their information from other sites, it might be another way to grab tail numbers or just generally track flights. | More complicated to use than e.g. FlightRadar24. | |
OpenSky-Network | ||||
PlaneFinder | ||||
Water | ||||
Equasis | Vessel ownership and identification records. | Lists historical information | You’ll need an account to access information. | |
FleetMon | Vessel position tracking, including a global vessel and port database. Tools for the shipping industry, Maritime News and a lively community of shipspotters. | You’ll need an account to access information. | ||
Global Fishing Watch | No account needed. Identification of “dark vessels”, and includes Indonesian VMS layer. | |||
MarineTraffic | An open, community-based project, providing (near) real-time information on the movements of ships and their locations in harbours and ports. | No account needed. | ||
VesselFinder | No account needed. | |||
Winward | Platform which combines maritime-related data. | $$$ | ||
Land | ||||
Licence Plate Mania | ||||
Trains | Full interactive maps of various railway networks in European countries. | |||
Misc | ||||
WikiRoutes | Public transport database. | |||
6 — Date & Time | ||||
Name | Description | Pros | Cons | Link |
SunCalc | Make an approximation of the time of the day using shadow direction. | |||
Wolfram|Alpha | Does a load of things, including weather forecasts per day and location. | |||
7 — WhoIs, IPs & Website Analysis | ||||
Name | Description | Pros | Cons | Link |
Passive DNS | Collects, stores and analyses data from thousands of passive DNS collection sensors. | Complete unadulterated historical and current DNS information. | 15 API calls day, 15 searches a day. | |
Censys.io | Censys continually monitors every reachable server and device on the Internet. | A complete wealth of knowledge of internet connected devices. | None | |
DNS History | Collection of historical DNS information. | Free, simple and easy to use. | Sometimes limited in availability. | |
DNS Cyrillic check | Check if malicious or Cyrillic domains are registered | Free, simple and easy to use. | ||
DNS Trails | The World's Largest Repository of historical DNS data | Free, simple and easy to use. | ||
Geo IP Tool | Check your own IP, handy to check if your VPN is working, | |||
Moz link explorer | Anlayse the links of any website. | Only 10 free queries per month. | ||
OpenLinkProfiler | Analyse the links of any website. | |||
Shodan | Internet of things search engine. | Can find heaps of misconfigured network-connected devices. | Lives in the gray zone. | |
SpyOnWeb | Find out related websites via their tracking code. | |||
WebCookies.org | A website security and privacy scanner that, among many other features (mostly focused on GDPR compliance) aggregates large amount of information about advertiser and analytics identifiers of scanned websites, as well as the /ads.txt files. | This data has been used to identify some of the websites posing as independent but really managed by RT/Sputnik. | ||
WhoIs | For domain name search and information. | |||
8 — People & Phone Numbers | ||||
Name | Description | Pros | Cons | Link |
Peoplefastsearch | Mostly U.S. | Not so much outside U.S. | ||
Pipl | $ for upgrade | |||
Namechk | Username and domain check website. | Easy to see on which platforms a single username has been used. | Many mis-matches. | |
Numberway | Numberway is an international directory of white pages and yellow pages phone books, and online directory enquiries. It's a free, independent and up-to-date guide to telephone directories on the web. | |||
Spokeo | Pop in a username, and it will try to find you all of their social media accounts. | |||
URLscan | This is a sandbox that allows you to scan a URL to check it's safe before properly visiting it. | |||
9 — Archiving & Downloading | ||||
Name | Description | Pros | Cons | Link |
Archive.today | Archive any webpage. | Does archive Facebook and Instagram pages. | Privately owned, so what if the owner suddenly decides to take the archive offline? | |
Arweave | Decentralized (blockchain) archiving. | Decentralized. Search the public archive via site:arweave.net (not .org) | $ to archive, though 5 tokens for free. | |
DMCA | Search takedown notices | |||
Gruber | Slideshare downloader | |||
Hunch.ly | Research sidekick. | Automates the collection of all sites visited | $ | |
Wayback Machine | Archives websites. Download an entire website from the Wayback Machine. | Does not always include images from web pages or multimedia content | ||
Wayback Machine for Github | Finds and searches when and who did what! | Easy terminal interface. | ||
Gitrob | Reconnaissance tool for GitHub organizations | Easy, free and open source. | ||
Dumpster Diver | Tool to search for secrets in various file types. | Easy, free and open source. | ||
TruffleHog | Searches through git repositories for high entropy strings and secrets, digging deep into commit history | Easy, free and open source. | ||
Stone | A “research transparency” app that captures desktop research using screen capture and webcam commentaries.. | Free, “twitch for journalists” Audio and video files can also be directly uploaded from | Beta | |
WITNESS | An activists guide to archiving videos. | |||
Perma.cc | Archiving site meant for serious, academic research to preserve citations | Institutional backing (Harvard Library Innovation Lab | Relatively new, unclear what their content moderation policy is | |
10 — Company Registries | ||||
Name | Description | Pros | Cons | Link |
CYPRUS — cadastral map | ||||
CYPRUS — offshore companies | efiling.drcor.mcit.gov.cy/DrcorPublic/SearchForm.aspx?sc=0&lang=EN | |||
ESTONIA | Search companies and individuals in Estonia. | |||
EUROPEAN UNION | In Europe, business registers offer a range of services, which vary from on Member State to another. This is a curated list per country. | /e-justice.europa.eu/content_business_registers_in_member_states-106-en.do | ||
FRANCE — Societe | Search companies and individuals in France. | |||
ICIJ Offshore Leaks Database | Find out who’s behind more than 785,000 offshore companies, foundations and trusts from the Panama Papers, the Offshore Leaks, the Bahamas Leaks and the Paradise Papers investigations. | |||
OCCRP Investigative Dashboard | Search 178 million public records and leaks from 236 sources on company and individual names. | |||
OpenCorporates | Database of companies in the world. | |||
PORTUGAL — Portal da Justiça | Search companies and individuals in Portugal. | |||
RUSSIA — | Search companies and individuals in Russia. | |||
SWITZERLAND — Zefix | Search companies and individuals in Switzerland. | |||
SWITZERLAND — offshore companies | ||||
UNITED KINGDOM — Companies House | Search companies and individuals in the United Kingdom and Gibraltar. | |||
11 — Data Visualisation | ||||
Name | Description | Pros | Cons | Link |
DataBasic.io | Web tools for beginners that introduce concepts of working with data | |||
DataWrapper | Easy to use chart and mapping tool | |||
Google Fusion Tables | ||||
Maptia | ||||
Visual investigative scenarios | ||||
RAWGraphs | Free web tool to quickly visualize your data | |||
Open Desktop Semantic Search | Searches unstructured data well | |||
TrustServista | Online story verification and visualisation tool | |||
Neo4j | Graph Platform | neo4j.com | ||
12 — Online Security & Privacy | ||||
Name | ||||