Accessibility Settings

color options

monochrome muted color dark

reading tools

isolation ruler

Image: GIJN.



10 Lessons from Bellingcat’s Logan Williams on Digital Forensic Techniques

Read this article in

Image: GIJN.

Logan Williams is a data scientist on the Bellingcat investigative technology team. He spoke about digital forensic reporting labs at the 2022 International Journalism Festival in Perugia, Italy. GIJN attended the panel and caught up with Williams afterward to hear his top tips and advice for using digital forensic techniques in your reporting.

1. Preservation is Important

Logan Williams: For a journalist with no experience, working with digital data or digital forensics can sound really intimidating. But there are a few very specific and easy things that will make a big difference. One is the preservation of digital data. If a journalist encounters, for instance, a video on WhatsApp of something that could be important, it’s important to save that video and archive it because these sources on social media are transient and they’re not necessarily going to stick around forever. That can just be as simple as uploading [the video] to Google Drive. The other thing is, of course, being alert to signs of manipulation of content or coordinated spreading of disinformation.

2. Archive and Verify Metadata

LW: There are some great tools that are already out there for journalists to use. One of my favorites is called InVID and it lets you look into the metadata. You can check that metadata against other evidence to look for signs that it wasn’t taken at the time that it said it was, that sort of thing. You can also look for signs that the image was Photoshopped and that’s all available in this browser plug-in. That’s very easy to use even for people that don’t have a lot of experience in this area.

There’s a Twitter account called @quiztime that I personally really like. It tweets quizzes about analyzing social media information or photographs from an open source investigation perspective, so that’s a great way to… build up your skills in working with this sort of data.

I think the important thing [about metadata] is that it’s auditable with a record of when it was uploaded and that sort of information to prove to the readers that you are showing the data that you claim to be showing and most tools like Google Drive will provide this for you. In terms of collecting larger amounts of information, I also think Google Sheets is a really great tool for collaborating with multiple people, including perhaps members of the public that are contributing information to your data-gathering projects.

3. Validate Data by Cross-Referencing 

LW: Validating data is one of the most important parts of any data-driven data collection story, and it really depends on the particular incident or type of data that you’re looking at. For instance, many of our researchers at Bellingcat right now are very, very focused on analyzing social media data and the photographs that are coming out of Ukraine. When you’re looking at this data, you can try to cross-reference the photos with others from the same area. You can try to search through images that were previously posted perhaps from the war in 2014 and make sure that it’s not an old image being reposted. Then you can use completely different sources of data like satellite imagery to try to find the blast crater from a munition that’s actually visible from space and that helps you show that that image is what it claims.

4. Protect Your Sources

LW: Balancing privacy and the data that you make available is really important, especially if you’re trying to provide the data transparently to the audience. To go back to this example of the invasion of Ukraine, one of the projects we’re working on at Bellingcat is a map of all of the incidents we’ve found where civilians have been harmed by the ongoing war. When we made this map, we had more incidents than we could release to the public because, for instance, if it’s filmed through someone’s apartment window or in their home garden that’s potentially quite sensitive if their city then gets occupied by the Russians. They might seek out people that provided this information. So we, of course, need to be responsible in how we release information and make sure that no one’s life is being put at risk.

5. Establish Special Relationships with Satellite Imagery Providers

LW: It depends on the time it takes to get the satellite image available. It depends a bit on the provider in general; they can be available one to three days after the image was taken, sometimes faster but usually only if you have a special relationship with the provider of the satellite imagery.

6. Think Twice Before Collaborating with Law Enforcement

LW: I think that this is a question that’s very dependent on the local context and on the goals of the particular newsroom or media organization itself. My personal experience and feeling about this is very colored by being from the United States, where the police and media are often in conflict with each other, and reports from the police about allegations of a particular incident aren’t necessarily always credible. In that case, I think it can harm the reputation or credibility of a media organization to collaborate closely with the police.

In other circumstances, I think it can be a little bit more complicated. For instance, Bellingcat has collaborated with Europol several times on their “trace an object” challenges, where they have just a tiny photograph of a water bottle or something that was part of evidence collected in a child abuse investigation and by figuring out where that water bottle was sold or where it came from it can be a lead to track down a subject of interest. In that case, because it’s an international organization that is tracking down a very clear-cut kind of case of criminal activity, it can be a little bit easier for investigators to collaborate with that police organization. But in every case, I think it requires careful thought and consideration of the editorial challenges.

7. Fakes Can Be Easily Detectable

LW: In Ukraine, what we most frequently see is actually not deepfakes or really intricately modified imagery, but instead something like an image from 2014 [presented] as though it’s an image from 2022, and that can be discovered by reversed imagery.

We also frequently see images that are just mis-described, especially by the Russian state, as something that they’re not. Again, frequently you can prove this is not what it is claimed by finding other examples of the same type of, for instance, missile strike. You can just look at the image rather than reading the description of what it is. These very simple misinformation techniques are 90% of what we see and, with a relatively small amount of these validation techniques like geolocation, and chronolocation [the sun’s location or position in the sky] you can disprove it relatively easily.

8. Sourcing Is Not Important If the Verification Is Solid

LW: Frequently, we don’t trust the source of the images. An image could be posted by a radical far-right movement, or an image could be posted by a US police department or the [far-right Ukrainian] Azov Battalion, or these relatively untrustworthy groups that have their own motivations for publishing. But if you use the image itself as the source of truth, rather than the context around it, you can extract information from it that’s useful for an investigation without having to trust where the image came from. If you can prove that it was taken at the time that it claims it was — or it wasn’t — or if you can show that it was taken in the year that you’re trying to look at and in the place, that you can cross-reference it with satellite imagery, you don’t need to trust anything rather than the image itself.

Of course, images can be Photoshopped or manipulated, but those are frequently detectable as well using forensic image analysis techniques by looking at how the “noise” in the image is distributed. When you take a photograph with a digital camera, the camera has some inherent noise property grain in the image and if you Photoshop that or alter it, it changes the grain of the image. That may not be visible directly with your eye, but by using forensic image analysis software, you can discover these modifications and have more evidence that an image, maybe even with geolocation, is or isn’t trustworthy.

9. If Collecting Evidence for Possible Criminal Prosecution, Compartmentalize your Work

LW: Justice and accountability are one of our mandates, but sometimes that is in conflict with our role as a media organization that publishes investigations. For example, what we’ve set up in our work to identify civilian casualty incidents in Ukraine is two separate processes and two totally separate teams. So one of our teams is focused on finding these incidents after they’ve been identified and turning them into an investigative report that can be published either on our website or in collaboration with other newsrooms. And we have an entirely different team that takes that information, including maybe the location that was found by the media research team, and validates independently, works with it independently, stores it independently, and that team then can use that and work with justice and accountability organizations — like international criminal courts — in an independent way from our media organization. That way, we can keep our reporting independent from the justice process.

10. Fight for Truth

LW: The idea of truth is somewhat clichéd at this point, but it is a core value of what we do at Bellingcat. We believe that there is a truth in most incidents that can be discovered and by revealing that truth you don’t necessarily know that alone is going to hold someone accountable, but it is a necessary first step to establish accountability. That truth can be revealed through investigation, it can be revealed through data collection, or it can be revealed by teaching someone else methods that lets them discover a truth in their own local environment or their own reporting process. That is what we’re trying to do at Bellingcat — to seek accountability.

Additional Reading

Tips for Archiving Telegram Messages on Russia-Ukraine War

Bellingcat’s Grozev on Investigating Russia’s Invasion of Ukraine

Bellingcat’s Open Source Digital Forensics Tools

Marthe Rubio is GIJN’s French editor. After working for five years in Spain and Argentina, she is now based in her native France. She worked for two years on the data team of Argentina’s La Nacion, has published in Slate and Libération, and worked as a correspondent in Buenos Aires for Le Figaro and Mediapart. 

Republish this article

Material from GIJN’s website is generally available for republication under a Creative Commons Attribution-NonCommercial 4.0 International license. Images usually are published under a different license, so we advise you to use alternatives or contact us regarding permission. Here are our full terms for republication. You must credit the author, link to the original story, and name GIJN as the first publisher. For any queries or to send us a courtesy republication note, write to

Read Next