This blog will focus on solving an OSINT (Open-Source Intelligence) challenge put out by Sofia Santos (“Gralhix”), a very skilled OSINT practitioner and contributor at the Center for Information Resilience (CIR). CIR is a non-profit organization focused on combating human rights abuses. Gralhix posts OSINT challenges of varying difficulty on her website and then provides walkthroughs on her YouTube channel.
Also, I wrote a previous blog post on OSINT/GEOINT challenges – if you find this interesting, see if you can crack that one with me too!
Gralhix Challenge 005
For this blog post, I did not watch the walkthrough beforehand, but attempted the challenge without any preconceptions. The following writeup is the process I used to solve it.
The task in question is Challenge 005, which is rated Medium-Hard for beginners, Easy-Medium for Experts. The task is an IMINT/GEOINT style challenge involving examining a reference image and discovering specific information about it.
The photo in question is of two polar bears in an enclosure:
The task consists of three parts:
- Identify the zoo where the bears are located.
- What was the temperature at the time of the photo?
- What are the exact coordinates of where the bears are lying?
We’re also given some additional information, such as when the photo was taken: “January 15, 2023 at around 2pm local time” and that the image is a still from a zoo live cam.
Breaking down the information we have, we know:
- The image was taken from a zoo live camera
- The zoo has polar bears (which is likely a much rarer instance than a regular bear, limiting candidate institutions)
- The climate is warm, given the greenery in the image and the fact that the image was taken from a live camera in January with a lack of snow or ice
- There are distinctive structures in the image which can help us identify the location if we are able to collect candidates
Challenge 005 Location
A Google image search for “polar bear zoo cam” results in a number of images, one of which has similar structural materials to our candidate bear enclosure:
The zoo mentioned in the Google Image preview is the San Diego Zoo. Further image searches for this zoo result in a very similar-looking enclosure:
Given that San Diego is in a warm state in the US (California), this aligns with our established information about the image.
If we take a look at the website for the San Diego Zoo “Polar Cam” we notice that the camera rotates through a set of locations and is not currently on the bears themselves. However, we do notice the exact same icon as in our reference image, which is an excellent sign we’re on the right track:
After viewing the cam for a while, we can see the same structures as shown in our reference image, confirming that this is indeed the same zoo and polar bear enclosure:
At this point we have answered the first part of the task and determined that the zoo is the San Diego Zoo.
Challenge 005 Temperature
Our next step is to identify the temperature at the time of the photo. To do this, we can use the Weather Underground website.
This will allow us to search for historical temperature records for a specific location, in this case via zip code. First, we’ll find the zip code of the San Diego Zoo itself:
Next, we’ll search in Weather Underground for historical temperature data for the specific date we have for our reference image:
This provides us with an hourly breakdown of temperatures for the location, indicating that the temperature at the time of the photo was 63F:
At this point, we’ve solved the first two parts of our task. Now we need to find the exact location of where the bears are lying in the photo.
Challenge 005 Coordinates
To do this, we’ll use the Google Earth Pro software application. But first, we’ll want to discover where exactly within the zoo the polar bear exhibit is located. Most zoos have public maps of their facilities; the San Diego Zoo is no exception. On their website, they have a link to a PDF of the map brochure used at the zoo:
Zooming in on the map, we can see the location of the polar bear exhibit (at the top of the image) as well as two unique-looking aviary buildings which will be useful to identify the location on satellite imagery:
Searching in the Google Earth Pro application for “San Diego Zoo”, we can see the overview of the zoo itself. However, we need to orient our view to match that of the zoo map we recovered earlier. To do so, we’ll identify the aviary buildings we saw on the map and rotate the view to match that of the map:
We can then zoom in on the polar bear exhibit and examine the overall configuration of the enclosure. To further confirm our findings and take a look at the scene from a ground-level perspective we can utilize Street View:
By navigating the footpaths within the enclosure area using Street View, we can see what the enclosure area looks like and confirm that it is indeed the same location as in the reference image. We can see what appears to be similar major structures shown in the reference; the large pillar to the left, the central lean-to, and the stone slab in the far rear of the image:
However, it’s difficult to tell which of these align with the structures in the reference. Additionally, in the Google Earth view, there are canopies which occlude the enclosure and the resolution of the 3D model is not sufficient to differentiate such small structures. Let’s try Google Maps to see if it will improve the result:
Not really. The resolution is pretty poor in this area and the structures are not immediately obvious. However, by going back and looking at the live cam, we discover another clue:
There is a pedestrian walking behind the bears in the back of the camera scene, fairly close by. This rules out the possibility of the structures in our reference photo being on the left side of the enclosure (as viewed from the glass visitor area). It would need to be on the rightmost side of the enclosure, near the outer wall. Looking back at Google Maps, we can identify several features from the image now that we know the general area to look:
In the above image, we can see the standing dead tree on the left, the fallen tree stump on the top-right and the lean-to structure at the bottom.
Comparing these to our reference image, we can determine that the polar bears are between the standing dead tree and the corner where the platform changes direction closest to the camera. If we compare that to the Google Maps imagery, we can see the exact location:
Right-clicking and copying the coordinates results in the answer to the third part of our task: 32.734447845419396, -117.1545958670987
Challenge 005 Conclusion
After completing my investigation, I reviewed Gralhix’s solution video to confirm my results. The investigation steps were similar for both the first stage and the second. She came up with 62°F as her final answer for the second part; I had 63F. This seems to be the result of her using the graph view at Weather Underground, whereas I used the time listing view which had a close (but not entirely accurate) time of 1:51 pm for sampling. This constitutes a lack of precision on my part.
Additionally, her final location for the bears was slightly different than mine. She identified a location slightly north of the one I selected. I’m unsure in this case which is more accurate, although, according to the distance scale from Google Maps, the difference would be less than 10 feet, which I feel is an acceptable margin of error.
I hope this exercise was interesting and gave a useful process for OSINT investigation. I highly recommend watching Gralhix’s YouTube videos on OSINT investigations to learn more or stay tuned for more pentesting challenge walkthroughs.