Full Report
Google Maps is a treasure trove of information for open source researchers. Bellingcat frequently uses the platform’s satellite imagery and street view in investigations, and user-written reviews and user-uploaded images have also been useful in identifying people and places. One detail that we often don’t think about when viewing an image on Google Maps is […] The post What’s in a Name? Discovering Clues Hidden in Google Maps Image Filenames appeared first on bellingcat.
Analysis Summary
# Tool/Technique: Bellingcat Filename Finder
## Overview
The Bellingcat Filename Finder is a browser extension for Google Chrome designed to assist open-source intelligence (OSINT) researchers by automatically extracting and displaying the filenames of images viewed on the Google Maps platform. This information can provide contextual clues about an image's origin, creation time, or the device used to capture it.
## Technical Details
- Type: Tool (Browser Extension)
- Platform: Google Chrome (Browser extension)
- Capabilities: Automatically retrieves and displays the filename of Google Maps images in an unobtrusive manner. Can reveal embedded date/time information or device hints present in Android image filenames.
- First Seen: Exact first-seen date not provided. The tool was inspired by research by Kolina Koltai.
## MITRE ATT&CK Mapping
This tool is primarily used for information gathering and does not inherently map to offensive TTPs. However, the information it extracts can support the following reconnaissance tactic:
- **TA0043 - Reconnaissance**
  - T1589 - Gather Victim Identity Information
    - T1589.003 - Email Addresses (Less direct, but extracting image metadata supports information gathering)
  - T1592 - Gather Victim Resources (Focusing on operational data/metadata)
## Functionality
### Core Capabilities
- **Filename Exposure:** Displays the image filename over the image in a black box on Google Maps.
- **Contextual Clue Extraction:** Allows researchers to analyze filenames that might contain timestamps (e.g., `PXL_20240830_150806479.jpg`, `IMG20240830150806.jpg`), device indicators (e.g., "PXL" indicating Google Pixel), or custom identifiers (e.g., "CMTeam.jpg").
- **Chronolocation Aid:** Helps in establishing timelines by revealing creation dates embedded in filenames from Android devices.
### Advanced Features
- **Distinguishing Upload vs. Creation Date:** Helps identify when filenames are prefixed with dates (e.g., "2024-08-30.jpg"), which may indicate the image's upload date to Google Maps rather than the original creation date.
- **OSINT Enhancement:** Facilitates deeper investigation by providing metadata potentially stripped or hidden by the platform by default.
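
The filename patterns listed above can be triaged programmatically once a filename has been read off the overlay. The following is an added example, not code from the Bellingcat extension; the function name `classify_filename`, the `kind` labels and the regular expressions are assumptions built only from the example filenames on this page.

```python
import re
from datetime import datetime

# Patterns cover only the filename shapes quoted on this page; other vendors
# and suffixed variants are out of scope for this sketch.
PATTERNS = [
    ("pixel", "ms", "capture time; PXL prefix suggests a Google Pixel",
     re.compile(r"^PXL_(?P<d>\d{8})_(?P<t>\d{6})(?P<ms>\d{3})$")),
    ("img", "second", "capture time in an Android-style name",
     re.compile(r"^IMG(?P<d>\d{8})(?P<t>\d{6})$")),
    ("date_only", "day", "may be the upload date, not the capture date",
     re.compile(r"^(?P<d>\d{4}-\d{2}-\d{2})$")),
]

def classify_filename(name):
    """Describe what timestamp, if any, an image filename encodes."""
    stem = name.rsplit(".", 1)[0]          # drop the extension if present
    for kind, precision, meaning, rx in PATTERNS:
        m = rx.match(stem)
        if not m:
            continue
        g = m.groupdict()
        d, t = g["d"].replace("-", ""), g.get("t") or "000000"
        try:
            # No timezone is encoded in the name, so the result is naive.
            ts = datetime(int(d[:4]), int(d[4:6]), int(d[6:8]),
                          int(t[:2]), int(t[2:4]), int(t[4:6]),
                          int(g.get("ms") or 0) * 1000)
        except ValueError:
            break                          # digits present but not a real date
        return {"kind": kind, "precision": precision,
                "timestamp": ts, "meaning": meaning}
    return {"kind": "custom", "precision": None, "timestamp": None,
            "meaning": "no parseable date; treat as a free-text identifier"}

if __name__ == "__main__":
    # Constructed sample input: the example filenames from this page plus
    # one deliberately invalid date (month 13).
    for f in ["PXL_20240830_150806479.jpg", "IMG20240830150806.jpg",
              "2024-08-30.jpg", "CMTeam.jpg", "IMG20241330150806.jpg"]:
        r = classify_filename(f)
        print(f"{f:32} {r['kind']:10} {r['timestamp']}  ({r['meaning']})")
```

A `date_only` result should be cross-checked against other sources before it is used in a timeline, since it may reflect the upload rather than the capture.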
## Indicators of Compromise
- File Hashes: N/A (This is a legitimate browser extension/tool)
- File Names: N/A (It displays existing filenames, but doesn't create persistent malicious files)
- Registry Keys: N/A
- Network Indicators: N/A (Connects to Google Maps infrastructure and Chrome Web Store)
- Behavioral Indicators: Background process scraping and overlaying data onto Google Maps web content.
## Associated Threat Actors
- Bellingcat investigative researchers and other OSINT practitioners. (No malicious threat actors are associated with this tool in the source.)
## Detection Methods
- Signature-based detection: N/A (It's a clean Chrome extension)
- Behavioral detection: Monitoring for browser extensions that alter Google Maps DOM structure to inject overlay text.
- YARA rules if available: N/A
## Mitigation Strategies
- **Browser Security:** Users must trust the source (Chrome Web Store) and the developer (Bellingcat) before installing any extension.
- **Principle of Least Privilege:** Limit the installation of browser extensions to only those explicitly required and vetted.
- **Source Verification:** Researchers should cross-reference filename data with other geolocation and metadata sources, as the filenames displayed may sometimes reflect upload dates, not capture dates.
## Related Tools/Techniques
- Google Maps Satellite Imagery and Street View: Platforms leveraged by this tool.
- Reverse Image Search: Used in conjunction with filename analysis to confirm geographical context (as shown in the CasinoMentor example).
- OSINT research methodologies focusing on metadata extraction.