9. Geolocation

The Geolocation view shows the (estimated) locations of all search results that have geolocation information on the world map.

Geolocation view

This chapter will help you understand how this visualization works.

9.1. Basics

Currently, geolocation data is extracted from the following sources:

  • Images – GPS coordinates in the EXIF metadata.
  • Cellphone reports – available information depending on the device model, extraction utility and extraction method.
  • Emails – through geolocation lookup of the sender IP.
  • Google Maps URLs – e.g. from browser histories and bookmarks.

Using this information, a set of search results can be mapped to a set of geographic coordinates, roughly representing the “where” of the found items.

Any items that do not have any geolocation information associated with them are omitted in this view.

Showing each item’s estimated location on the map would make the view very cluttered. Items laying in the same area are therefore grouped into clusters, shown as a blue circle in the screenshot above. The number in a cluster represents the number of items whose geolocation falls in that area.

When zooming in, the geographic size of what constitutes the “same area” will be reduced, resulting in clusters getting split up into smaller clusters. Zooming out of the map consolidates clusters into fewer and larger clusters again. This cluster management allows the user to inspect specific locations in detail.

Zoom in

Zoom In

Zoom out

Zoom Out

The clustering is determined by imposing an invisible grid on the map and bundling all items in a grid cell into a cluster.

9.2. Interaction

Zooming can be done using the control buttons in the bottom-left toolbar or by using the mouse wheel.

To pan (move sideways) in a zoomed map, move the mouse while holding down the left mouse button.

To inspect the content of clusters, the user can select a single cluster, by clicking on it.

The contents of the selected cluster will be displayed in the Details view below the Geolocation view.

9.3. Resources

Intella may need two resources to make the most out of the Geolocation visualization.

9.3.1. Tile server

By default, Intella uses tiles (images containing parts of the map) that are embedded in Intella Connect to construct the world map. This makes it possible to use the Geolocation view without any configuration and without requiring an Internet connection to download these tiles.

Due to the enormous size of a complete tile set covering all zoom levels of the entire world map, the embedded tile set is limited to the first 6 zoom levels. As a rule of thumb, this usually shows the major cities in most countries, but it will not let you zoom in to see where in the city an item is located.

To zoom in beyond that zoom level, a connection to a tile server is needed. This can be a public tile server or one located in your network. An administrator of Intella Connect can configure a tile server and the configuration steps are described in Administrator manual.

Note

Note that a tile server may not only let you zoom in and create more fine-grained maps, it can also let you apply a different map rendering, e.g. a map containing elevation data, infrastructural information, etc.

9.3.2. IP geolocation database

To determine the geolocation of emails, Intella uses the chronologically first IP address in the Received email headers (i.e. the one nearest to the bottom of the SMTP headers). Next, a geolocation lookup of that IP address is done using MaxMind’s GeoIP2 or GeoLite2 database. These databases are not distributed with Intella and therefore one needs to be installed manually.

An administrator of Intella Connect can acquire and install an IP Geolocation database. The configuration steps are described in Administrator manual.

9.4. Caveats

While the Geolocation view can quickly give a unique and insightful overview of a data set, there are some aspects of geolocation visualization to be aware of. Geolocation data is approximated by nature and manual verification of the findings will always be required. This is not an Intella limitation; it is inherent to the complexity and unreliability of the systems producing the geolocation information. Make sure that you are fully aware of these aspects and their consequences before relying on the findings.

9.4.1. GPS coordinates

GPS coordinates, such as obtained from the EXIF metadata of images or location-bound items extracted from cellphones, are usually quite accurate. However, they are subject to the limitations of GPS:

  • In the best-case scenario, the accuracy is typically in the range of several meters. The accuracy can be lower or coordinates can even be completely wrong when the GPS hardware cannot receive a good signal (e.g. in the direct vicinity of buildings), due to hardware limitations of the GPS device (the theoretical maximum precision possible varies between devices) or simply due to bugs and hardware faults in the device.
  • The same applies to comparable satellite-based navigation systems such as GLONASS.
  • Geolocation coordinates may also have been determined using other techniques, e.g. based on geolocation information about nearby Wi-Fi networks and cell towers.
  • Some devices combine several of these techniques to improve accuracy and coverage. Therefore, what is commonly referred to as “GPS coordinates” may not have been established through GPS at all.
  • Coordinates may have been edited after the fact by a custodian using an image metadata editor. A set of different images with the precise same coordinates may point in that direction. This may be harmless, e.g. to fill in the coordinates of images taken with a camera that does not have GPS functionality.

9.4.2. IP geolocation

The determination of an email’s geolocation by using its sender’s IP address is imprecise by nature, typically even more so than GPS coordinates. First, the determined Source IP address may be incorrect due to several reasons:

  • Some email servers mask such IP addresses. Instead, it may in fact be the second IP address of the transport path that is being used.
  • A web email client (e.g. Gmail used through a web browser) may have been used to send the email.
  • The IP address may have been spoofed.
  • The IP address may not reflect the sender’s location due to the use of a VPN, Tor, etc.

Second, IP geolocation databases are typically never 100% accurate and the accuracy varies by region. See MaxMind’s website for statistical information on their accuracy. Reasons for this imprecision are:

  • The geolocation of an IP address may change over time.

Note

Note: take this into account when indexing an older data set!

  • Some IP addresses may only be linked to a larger area like a city or even a complete country, yet the precise coordinates may give a false sense of GPS-style precision.
  • The techniques behind the collection process for creating this database introduces a certain amount of imprecision.

9.4.3. Tile servers

Using a public tile server may reveal the locations that are being investigated to the tile server provider and anyone monitoring the traffic to that server, based on the tile requests embedded in the retrieved URLs.

Note

Note that to use a public tile server, you need to ensure that you comply with the tile server’s usage policy. This is your responsibility, not Vound’s.

9.5. Attribution

We are grateful for obtaining the data we have used for the embedded tiles generation from the OpenStreetMap project, © OpenStreetMap contributors. See http://www.openstreetmap.org/copyright for more information on this project.

The tile set is made available under the Open Database License: http://opendatacommons.org/licenses/odbl/1.0/. Any rights in individual contents of the database are licensed under the Database Contents License: http://opendatacommons.org/licenses/dbcl/1.0/.