Using Advanced Digital Forensic Techniques & Open Source Research
On 11 October 2014, a Facebook profile to a person named “Ruslan Boshirov” — the cover identity of Skripal poisoner Anatoliy Chepiga — posted a lone photograph of Prague, showing the heavily trafficked Old Town Square and the Astronomical Clock. The upload date of this photograph coincides with a report from the Czech publication Radiožurnal that “Boshirov” (Chepiga) visited Prague on 11 October 2014. The Daily Mail reported — which, obviously, requires more than a grain of salt when taking it under consideration — that Boshirov/Chepiga created this Facebook profile to add a Ukrainian woman as a friend after meeting her at a Prague cafe. The woman spoke with the Daily Mail, stating that she remembers meeting him “in 2013 or 2014” and that he created a Facebook page specifically to make contact with her. She was his only Facebook friend before she unfriended him on Facebook.
It is unclear if this profile actually belongs to Chepiga/Boshirov, and reports from the Daily Mail and one Czech publication may not hold enough sway on their own, but determining the time that the photograph was taken is an interesting case study.
Finding a Temporary Detail
Geolocating this photograph to central Prague takes no effort to anyone even remotely familiar with the city, but determining when it could have been taken is a more interesting challenge. Was the photograph actually taken on or around 11 October 2014, matching photograph’s upload date and the unconfirmed reports of Chepiga’s visit to Prague?
Determining the time of a photograph or video can be done with varying precision based on the observable temporary details. The weather and seasonal details provide a broad idea of the photograph — we can assume that this picture was snapped on a chilly, rainy day based off of the outerwear and umbrellas visible in the scene — but are imprecise.
Due to the fact that this scene is one of the most photographed and filmed in all of Europe, there is a huge array of reference material to compare the image against. However, all of these reference materials are useless without a particular temporary detail to focus on.
The Astronomical Clock is frequently under renovation, but during the time of the photograph, there was no such work on the landmark (the clock was under serious renovation in 2005, 2017, and 2018, but not 2014).
When comparing the scene from a June 2014 Google Street View image with the Facebook photograph, it is difficult to discern any differences.
However, when viewing a photograph of the area from November 2014, found on Google, there is one key detail that allows us to drill down the time of the photograph to within a few months.
On the Facebook photograph, in the distance, a yellow building is visible below the church where there are three words, with black squares flanking them.
The November 2014 photograph on Google shows that this same building — which is apparently an art gallery next to the restaurant “Cafe u Tyna” — does not have the same black squares near these three words, which are now legible as MUCHA WARHOL DALI (in that order). While the actual date of this photograph may not be November 2014, this gives us a window of opportunity to date the photograph.
Collecting Reference Materials
This tiny detail provides us a gateway to determining the potential dates in which the Facebook photograph was snapped. By using a combination of targeted searches on Google, Foursquare, TripAdvisor, YouTube, and other platforms, we can gather as many photographs and videos of the area as possible to establish a timeline of when the black squares and artist names appeared on this art gallery in Prague’s Old Town Square. However, a photograph’s upload time is not always correct, including with the November 2014 photograph we spotted of the building, thus it is important to find multiple images from around the same time frame showing the same detail to confidently assess when a change took place.
Below, we will list services and platforms that provide this chronological look at this building. Also consider targeted Google searches on other platforms, such as YouTube, by specifying the date of results with the site: search operator — for example, search Prague Old Town site:youtube.com with the date specifications of the autumn of 2014 to find only videos with these keywords on YouTube uploaded on the relevant dates.
(Tip: use a spreadsheet to keep track of all the dated and geolocated visual evidence that you have found with the methods described below.)
- Google: Navigate to Google Maps, then hold the yellow person (used for Street View) over the area where you are interested. For Old Town Square, dozens of small circles and other icons appear — these are both user-generated photographs of the area, according to the geotag from their image file, and Google’s own images. Each of these images, many of which are 360-degree panoramas, provides a month and year of upload.
- Yandex: Along with Google, the Russian service Yandex provides user-generated photographs from a particular area. From Yandex Maps, turn on the “Photos” option under panoramas (on the top-right of the screen) to turn on a layer of photographs geotagged for that location.
- VK: By conducting a geo-based search in the Russian social network VKontakte (VK), we can find all user-generated photographs with a geotag for a place we are searching for. After logging into a VK account, you can run this search by using the query “near:[coordinates]”. You can select only “Photo” attachments from the search parameters to further filter the results.
- Foursquare, TripAdvisor, Yelp…: Don’t underestimate the number and quality of photographs from tourist and review sites, though it is often difficult to search through the results. Tripadvisor allows for chronological viewing of uploaded photographs for a site, but Foursquare forces you to scroll through all results manually to find snaps from the correct time frame.
- Echosec: The only paid service on this list, but very powerful. Echosec aggregates results from many of the aforementioned services, including Foursquare and VK, onto one map, and also allows filtering based off of date. Below, a search for the area for the time we are interested in for the Facebook photograph is visualized on Echosec.
By searching through all of the services and platforms described below, we were able to determine the approximate time frame during which the design on the front of the building was established, reflecting exhibitions happening at the time.
17 and 19 June 2014, photographs on VK show the building with black squares and Mucha, Warhol, Dali — the same as in the Facebook photograph. This same design is also visible on the ‘June 2014’ (no date specified) Google Street View image of the building.
The Facebook photograph shows the three names with black squares, giving us a possible end point for the design on the building. Going further, we can establish that this building design was still evident when and after the Facebook photograph was published, though the names occasionally changed to match the current exhibits. This museum (the Gallery of Art Prague, or GOAP) keeps a regularly steady stream of exhibitions featuring the popular artists of Dali, Mucha, and Warhol (as the museum is centrally located in a heavily-trafficked tourist location), but occasionally includes other artists, such as Jan and Kaja Saudek in 2016 (seen here). However, the changing of the names (from Alphonse Mucha – Salvador Dali to a series of last names) and the addition of the black squares with “GOAP” flanking the artist exhibitions appear to be mostly permanent additions since June 2014, meaning that the “November” photograph we found may have been taken either at an unknown time or during a small period of November – December 2014 when the black squares were apparently temporarily taken down before being put back up. We found no photographs showing the black squares not present on the building since 2015; however, the last name format of the roster of exhibitions (without the Alphonse and Salvador) has persisted since June 2014, with occasional changes to those last names.
With all of this in mind, we can confidently say that the photograph uploaded by Ruslan Boshirov (who may or may not be the Skripal poisoner suspect Chepiga/Boshirov) was indeed taken in the latter half of 2014. Determining the exact day of the photograph is difficult without a more specific temporary detail, but considering the outerwear of the tourists in the photographs, it is more likely to be within a month or so of the upload date of 11 October 2014. Additionally, the weather in Prague on the day of the upload had a light drizzle in the late morning and was about 15 degrees Celsius. It is not possible to conclusively state when exactly the photograph was taken, but the historical weather data for the day of the upload does not preclude it as the date of capture.
Update – 28th October 2018
Bellingcat User “Simon Jones” commented on the following: