This website uses cookies

Read our Privacy policy and Terms of use for more information.

AI-assisted content

BLOCK01 · GEO & CHRONO
TOPICWI-FI POSITIONING · GEO-IP
TOOLSWIGLE.NET · IPINFO.IO · MAXMIND GEOLITE2 · SHODAN
DIFFICULTYINTERMEDIATE

01

Network identifiers locate subjects when visual evidence fails

When footage contains no recognisable landmarks and metadata has been stripped, the network infrastructure visible in a device's environment can still place it in a neighbourhood, a building type, or a specific address range. Wi-Fi BSSID records, geo-IP mappings and passive network scans form a parallel geolocation layer that operates independently of camera angle, sun position or terrain.

Wireless access points broadcast a hardware identifier, the BSSID, that is fixed to the device and logged in crowdsourced wardrive databases. When a screenshot, a leaked config file or a background detail in video reveals a network name or partial BSSID, that string can resolve to a latitude and longitude without any active engagement with the subject. The technique is passive, legal in most jurisdictions when restricted to public databases, and repeatable.

IP geolocation works at a coarser grain: it maps an internet-routable address to an autonomous system, a city-level location and sometimes a postal district. Used alone it is rarely conclusive. Used alongside BSSID evidence, leaked device logs or corroborating imagery, it narrows a geographic hypothesis to a testable claim. Together, these two network-layer signals give investigators a location chain that is structurally independent of the visual content they are trying to verify.

In the field

In 2018–2019, Bellingcat's GRU officer identification series used IP address and ASN analysis to confirm that communications originated from Russian military infrastructure. Cross-referencing the IP data with routing records and ISP ownership established the institutional affiliation of multiple individuals, corroborated by The Insider and Der Spiegel.

  • ASN attribution. IP addresses in leaked documents resolved to autonomous systems registered to Russian Ministry of Defence entities, placing communications within military infrastructure.
  • Cross-reference with open records. ASN ownership was corroborated against RIPE NCC registry records, providing a second independent data point that met the VERIFIED threshold.
  • Confidence hedging. Investigators stated explicitly that IP geolocation confirmed institutional affiliation rather than physical location, demonstrating correct application of the evidence tier.

Bellingcat · GRU officer identification series · 2018–2019

Learning outcomes

By the end of this tutorial you will be able to:

  • Query crowdsourced BSSID databases to resolve a network name or partial hardware identifier to a geographic coordinate

  • Interpret IP geolocation outputs at the correct grain, distinguishing ASN-level from city-level from postal-district resolution

  • Cross-reference BSSID and geo-IP evidence against imagery and open records to build a corroborated location claim

  • Document the network-layer evidence chain to evidentiary standard, noting the confidence tier of each data point

logo

This tutorial is for Signal subscribers.

Methods goes deep on a single technique each fortnight. The decision framework, the tools, the failure modes, and the evidentiary standard required to use the finding defensibly.

Join Signal

A Signal subscription gives you:

  • Full OSINT Reference Card library
  • Methods, all tradecraft tutorials in full
  • Shadow Analysis, all evidence-based reporting
  • Forensic Dossiers, full access
  • Discord access included

Keep Reading