Threat Inteliigence / OSINT / NETSEC / NATSEC

Take to the skies with OSINT - open source air traffic tracking

I have been observing airplanes for a long time, the natural direction of OSINT's interests was therefore sources of information allowing for live tracking of airplanes routes. Currently, such tracking is possible mainly due to the widespread use of the system Automatic Dependent Surveillance - Broadcast (ADS-B) in which aircrafts determine their position using satellite navigation and other available sensors and then periodically transmit this information. Naturally, ADS-B was not created with OSINT and aviation fans in mind - the system increases aviation safety by increasing the awareness of pilots' surroundings, enables receiving weather data, and thanks to more accurate information about the location of aircraft, air traffic control can more effectively direct traffic, reducing the time spent by planes. in air. However, since the system receivers are widely available, the benefits of the system can be used by aviation enthusiasts and OSINT researchers to observe traffic.

An example flight from Madrid to Toronto tracked by Flightradar24

So let's see what information we can get, on the example of Flightradar24:

Planned flight path including take-off and landing aerodromes, planned and actual take-off and landing times, as well as the length and duration of the flight.

Call sign - an identifier consisting of numbers and letters that the aircraft uses during the flight. Passenger flights typically use callsigns identifying the connection in question, private flights will often use aircraft registration.

Registration - Similar to cars, planes are also subject to registration and receive their own ID. As in the case of cars, the registration may change due to the change of the owner of the machine, registration in a new country, etc.

Serial number (MSN - Manufacturer Serial number) - The serial number of a specific machine given by the manufacturer when it left the production line - the equivalent of a car VIN. And as with cars, while registration may change, the serial number will remain the same throughout the life of the aircraft.

Flightradar24 then provides flight data - speed, altitude, ascent / descent speed and finally transponder data - unique 24-bit identifier, transponder code (squawk) and position.

There have been quite a few websites that enable flight tracking recently - a list of the more interesting ones can be found in the section Tools and on the table on start.me. Personally, I use three services the most - Flightradar24, ADSB Exchange and FlightAware. At this point, however, it should be noted that FR24 and FlightAware are commercial services offering different data ranges depending on the level of the account we have - I just have free access to the highest accounts (Business and Enterprise respectively) because I provide these services with data from my home ADS-B receiving station. If are planning to spend more time tracking flights, I definitely recommend this solution, a station based on Raspberry Pi is much cheaper than buying a subscription.

Moving on to the description of the capabilities of websites, let's start with Flightradar24.

The most popular flight tracking service, with many useful functions, regardless of the account level we have. The website has a very nice and fast-acting interface that graphically shows, for example, the height of the plane or allows you to enter a 3D view showing the plane model superimposed on a satellite map, which gives us an overview of the plane's route in relation to all characteristic points of the terrain. We also have access to information about the airport, including the history of arrivals and departures as well as the routes operated.

The availability of historical data depends directly on what type of account we have, with a Business account allowing access to the history of flights up to three years back.

The range of data available for Basic, Silver, Gold and Business accounts.

From my perspective, the biggest advantage of paid accounts is the ability to download a KML (Keyhole Markup Language) file that we can import, for example, to Google Earth. Why it's so interesting in a moment.

ADS-B Exchange

ADS-B Exchange is a project of aviation enthusiasts based on crowdsourced collection and sharing of data from private ADS-B stations. While FR24 and FlightAware also rely on data provided by private individuals to obtain better coverage, the very idea of ADS-B Exchange is to provide open access to this data without any costs or account requirements - all service capabilities are provided free of charge, maybe for except for the commercial use of data, which requires the consent of the website. The most important consequence of this approach to the topic is that the tracked planes are not filtered out in any way. So here we can track military, VIP, and any other planes that are not displayed on other sites for various reasons. This functionality is, of course, invaluable when observing military maneuvers, operations in conflict areas or analyzing media political events.

FlightAware.com

Finally, FlightAware is the opposite of ADS-B Exchange. It is a service focused on commercial aviation that provides functionalities useful to frequent flyers, such as notifications about the take-off and landing of the plane, delayed or canceled flights. Additionally, FlightAware maintains an aviation news feed - Squawks - operating on a reddit basis of users giving up or down arrows to posts posted by other users. As in the case of FR24, the amount of data available depends on the level of the account we have. So we have access to three, five or eight months of data for Free, Premium and Enterprise accounts, respectively.

An additional source that definitely needs to be mentioned is Twitter - entering the aircraft's call sign in the Twitter search engine will often allow us to find information about the flight status or photos provided by hobbyists dealing with aerial photography.

How can flight data be used in OSINT investigations in practice? The most obvious example is the analysis of activity in a situation where we have already determined the flights of interest to us - as in the case of The Rendition Project which tracked CIA planes used in the kidnapping and interrogation program of people who fell into the agency's circle of interest. Another example is the tracking of government aircraft routes to see if they conform to official information.

At this point, however, I would like to show a slightly different one, namely the use of aerial data as an auxiliary tool for locating objects or the place where the photo was taken. This is where the KML file that I mentioned earlier will come in handy. Let's look at an example photo of an airplane made by Bartosz Kaczmarek - whom I would like to thank very much for agreeing to use the photo:

The first thing that catches the eye are the markings of the plane - Alitalia airline and EI-RND registration. Using Flightradar24, we can get more detailed information about the machine by searching after the registration of the aircraft:

And to trace where the plane flew recently:

Of course, in the case of planes running, very often the problem may be determining which flight we were dealing with, so let's look at the photo properties:

The file was modified on October 10, which coincides with the day on which the plane had one flight from Rome to Bydgoszcz. Now the function of exporting flight route data as a KML file will come in handy, which will allow us to analyze flight path in Google Earth. If we are curious what is hidden in such a file, we can open it in notebook. Inside, we will find information about the next points on the route that Google Earth will be able to put on the map and visualize the route:

After opening the file in the application window, we will see the following view:

We can now begin to consider where the photo was taken. The first problem is whether we are actually dealing with a plane takeoff or landing. Without a visible runway and not knowing the height of the plane, it is difficult to judge whether the machine is about to land or has just taken off the ground. We can look for clues in the elements of the plane - we know the exact model, so we can compare, for example, the position of the flaps with photos or videos, here, for example, we can find the Embraer E190STD landing in quite high quality:

and observe the extension of the flaps:

Here, on the other hand, we have a starting machine:

Unfortunately, based on these photos, it is difficult for me to determine the difference in settings, so let's take a look at the aircraft's manual and training materials to see if we learn anything useful. In the reference manual for pilots we can find the settings of the flap switch and how it translates into the positions of the flaps and slats:

As we can see in both positions 4 and 5, the angle of the surface is the same, so this information will not be very helpful 🙁

Let's go further - the wheels are another element that can help us in the assessment. Since they are the only element of the plane in contact with the ground, they can provide some clues - just after landing, we can observe smoke when they come into contact with the ground, and after take-off, they can still rotate. Since our photo shows the plane already in the air, we can only try to see if the wheels are spinning:

The resolution does not allow us to take a very close look at the wheels, but we can see the individual bolts, which may indicate that the wheels were actually not spinning and the plane landed while the photo was taken. However, the final diagnosis will be made on the basis of observation of the elements of the terrain, also determining the place where it was made. Due to the flaps unfolded and the landing gear extended, as well as taking into account the angle from which the photo was taken, we know that the plane cannot be very far from the ground, so let's look at its take-off and landing sites. Let's start with Rome airport:

As you can see, the information from ADB-S even shows us how the plane was taxiing to the runway. Not bad! 🙂 In our photo we saw the forest and the buildings sticking out from behind it. In the vicinity of the airport, the only forest is located on the left side of the runway, towards the beach. Let's go back to Google Earth and check if there are any buildings sticking out from behind the trees:

There are no buildings on the horizon, let's look at the area behind the trees - the model may not be up to date, so let's look for squares, construction sites and other seeds of buildings:

Lake, dunes and trees - most likely we will not find any taller buildings here, now let's check the situation in Bydgoszcz:

There are many more forests here, and more importantly, the two stretches of trees separating the runway from the city and dense buildings immediately catch the eye. So let's look at the ground level:

This time it looks much more promising - the blocks sticking out from behind the trees resemble what we saw in the photo. When we look closely at our photo, we will see fragments of two buildings:

So we see a white building sticking out from the trees with a balcony on the left side, and further on the left a yellowish building nearby. When you zoom in on the panorama behind the trees, you will find two buildings with a balcony in such a way, including one standing near the yellow block next to it.

After zooming in, we can confirm the relative arrangement of the building, taking into account the perpendicular collapse of the building visible next to the balcony:

If now, following the arrangement of the buildings and zooming the view out so that they protrude from above the trees at a similar angle, we can approximately determine that the photo was taken from the airport area:

In this way, after visiting airports in two countries, looking for the Embraer E190 manual and getting to know the panorama of Bydgoszcz, we managed to get to the place where the photo was taken. I hope you found this trip interesting and showed how much information we can get from a simple photo of an airplane.

One thought on “Z OSINTem w przestworza – śledzenie ruchu lotniczego w otwartych źródłach

Leave a Reply

Your email address will not be published. Required fields are marked *

en_USEnglish