An OSINT Guide to Bear Watching

Over 150,000 Russian forces have encircled Ukraine in the past months. Thanks to Open-Source Intelligence (OSINT), the world is watching. 

Everything we know about the units and hardware positioned along Russia’s and Belarus’ frontier with Ukraine is due to satellite imagery, social media, flight and vessel trackers, railcar registries, and other open-source resources. If, and when, Russia further invades Ukraine, OSINTers will learn almost immediately.

You can also stay on top of the situation with this brief pocket guide on using OSINT for monitoring the accumulation of Russian troops at Ukraine’s doorstep. We aim to spotlight some brief ideas you can implement right now to #knowmore about Russia’s war preparations. 

If you are interested in an analysis of the Russian military build-up, see our article on T-Intelligence (our sister platform).  


TikTok has been the go-to social media platform for eyewitness footage of Russian hardware rushing to the Ukrainian border. We first observed this (at a large scale) in March-April 2021 (see our analysis on the topic here, here, and here), when the current build-up began.

It was surprising to see TikTok so fervently embraced by Russian users who are typically loyal to Vkontakte and Telegram. Coping with this realization, we developed a module on TikTok for OSINT for the Knowmad OSINT course, drawing from the lesson learned in spring 2021. 

You might say that you saw most videos on Twitter, but nearly all of those came from TikTok. Look for tell-tell signs like the uploader’s username and TikTok logo watermarked on the footage. If you want to check the source of a video (which you should), add the username, watermarked on the video, after “,” in your URL bar. You’ll land on his/her profile. You can try this process using one of the many videos that @GirkinGirkin aggregates on Twitter. 

From there, feel free to further investigate by downloading videos of interest. To archive the footage, you can use any online TikTok video downloader, the in-app “save the video” option (don’t recommend using the app), or from the source code (desktop): 

  • right-click on video -> select “inspect element” -> ctrl+f/command+f for search console -> type .mp4 -> click on the hyperlinked line of code (usually second result) which will open the video in new tab -> right-click and select “save video as”

Once downloaded, you may run a frame-by-frame analysis or attempt a number of other methods to derive information from the video – see next section. 


The influx of social media footage allowed analysts to take stock of the myriad of equipment deployed towards Ukraine. As part of this process, you need to:

  • identify hardware (entity recognition) – this can be quick if you’re already familiar with Russian military systems. If you identify the hardware, you can narrow down where it’s from. 
  • geolocate the footage – the critical process to determine where a video or photo was taken. Most TikTok uploaders either state the approximate area where they shot, input a location, or namedrop a place as a hashtag. Exploit these breadcrumbs to kickstart your geolocation. 
  • determine origin & assess destination – as most equipment came via train, all you had to do was find an identifier (usually painted on the railcar) number, and use Russian railcar databases to see its origin. However, Russia started removing railway data from public records in December 2021 – a clear operations security (OPSEC) measure. However, you can still try to determine the cardinal directions and assess where it came from and where it is heading (follow the railways on mapping services). The Conflict Intelligence Team (CITEAM) is the master of the “railcar game” (and not only) so check out their work for more on this topic. 
  • Keep a database – it can be as simple as an excel or something more SQLish, but if you’re in this for the long run, it’s always good to keep track of what the videos showed, when, and where. It would be even better to have a geospatial representation of that data, much like the Center of Information Resilience did.



Those familiar with our work at T-Intelligence know that openly available satellite imagery is one of our tenet instruments. We mainly work with high-resolution (HR) imagery (3m/px resolution), which is enough to notice infrastructure change, the concentration of equipment, and other significant changes like ground scaring. 

We also use Synthetic Aperture Radar (SAR) to see through cloud cover and bad weather. The image return is more similar to radiography than the crisp, true-color picture people expect when they hear satellite imagery. SAR was handy as Belarus and western Russia was under constant cloud cover and snowstorms, blocking the view for optical lenses. However, thanks to the European Space Agency’s Sentinel-1, we could monitor the identified staging points for hardware supplementation or drawdown/re-deployments elsewhere, and see infrastructure like pontoon bridges pop-up overnight.  

HR imagery and SAR are great, but very-high-resolution (VHR) imagery (submetric) is even better. But it comes at a premium. However, as a beginner, you can take advantage of the plethora of VHR images released by Maxar Technologies, Airbus, Planet, and others. The quality is breathtaking – you can practically touch the Iskander launchers and field hospitals exhibited in Belarus’ “winter wonderland” or the tank clusters at the now infamous Pogonovo training ground. 

Practice identifying the hardware exhibited and take note of anything that seems mentionable. VHR imagery doesn’t grow on trees. 

Bonus: what happens if you combined SAR with VHR? 


Those who have taken our OSINT course are familiar with the importance of metadata. However, the leaders of the Russian-backed separatist republics are not. 

On February 18, the “Luhansk People’s Republic” (LPR) and “Donetsk People’s Republic” (DPR) released videos showing the presidents of the two organizations ordering an “emergency evacuation” following a car bomb explosion in Donetsk, blamed on Ukraine, and due to a claimed-imminent Ukrainian offensive. However, a look at the video’s metadata clearly shows that the file was created on February 16 – two days before the bomb exploded. 

The least they could have done was to delete or alter the metadata before uploading the file on Telegram – the only major social media platform that doesn’t remove metadata. Sometime there’s a lot to be learned just by opening the “properties” tab on a file. When in the possession of an original file, preferably image, use any online EXIF data readers to obtain information such as creation date and hour, author, and more. 

People were expecting that Russia would engineer a casus belii through a false flag operation for weeks. A perfect justification for unleashing its forces over the Ukrainian frontier. Was this Moscow’s best try? 


We’ll have to wait and see how the situation develops. The likelihood of a further Russian invasion targeting Kiyv and Kharkiv is alarmingly high, potentially imminent.

Russian troops and hardware are re-deploying from major staging grounds to smaller pockets shadowing the Ukrainian border. The pontoon over Pripyat river is back as of February 19th. In war-torn Donbas, the DNP/LPR have called for an all-out mobilization and continue to violate the ceasefire using nearly all heavy artillery at their disposal. 

So do what FORTE10, “invalid transponder code,” and others have been doing for years, and keep a watchful eye on the situation using flight trackers. 


Hi there!

Interested in our OSINT Training? Contact us for a live demo!

Post by I. Vlad Sutea

Comments are closed.