MH17 BUK Route Reconstruction: OSINT Methodology
How Bellingcat traced the MH17 BUK transporter using dashcam footage, social media imagery, and satellite corroboration — a step-by-step methodology breakdown.
Why This Case Is Worth Studying
The Bellingcat investigation into the BUK missile transporter connected to the MH17 shootdown is one of the few public OSINT cases where every analytic link is documented, the dead ends are acknowledged, and the confidence language is explicit enough to audit. Abstract OSINT pipelines — collect, geolocate, correlate, assess — are easy to describe. This case shows what that chain actually looks like when it’s under load, and where it can snap.
What follows is a methodology reconstruction: what the workflow looked like stage by stage, where the analysis could have broken down, and what confidence statements were defensible at each step.
Primary sources: Bellingcat’s November 2014 BUK origin investigation, the Bellingcat case studies archive, and the MH17 tag index. Geolocation technique references draw on Google Earth Pro documentation and Sentinel Hub EO Browser technical documentation.
Stage 1: Video Frame Extraction and Geolocation Primitives
Collection hygiene first
The first task was not geolocation — it was collection hygiene. Every video and image showing a candidate BUK transporter needed a log entry covering:
- Platform of origin (which account, which dashcam channel)
- Upload timestamp (not capture time — a distinction that matters)
- Preservation copy (original resolution, before platform compression)
- Metadata state (whether EXIF or equivalent was present or had been stripped)
Skipping this step produces downstream problems that are nearly impossible to recover from. If you can’t establish chain of custody for your raw material, every geolocation you build on top of it is floating on an unverifiable base.
For the BUK case, the most actionable material came from dashcam footage uploaded to Russian video-sharing platforms and still photographs posted by apparent residents of the relevant towns. Dashcam footage is analytically strong here because dashboard cameras record continuously, often embed a timestamp on the frame itself, and capture environmental context — road markings, signage, building facades, foliage state — that is highly geolocatable.
Frame extraction technique
Treat video as a sequence of individually geolocationable frames, not as a narrative unit. The practical workflow:
- Extract frames at a rate sufficient to capture any visible landmark or road feature — one frame per second is a reasonable starting cadence for vehicle-following footage.
- Flag frames containing three or more simultaneous geographic anchors: a named road sign, a recognizable building corner, a utility pole configuration, painted road markings.
- Build a per-frame anchor inventory before starting any map comparison.
In the BUK reconstruction, the key geolocation primitives were building facades in the background of passing footage, distinctive road intersection geometries, and in some frames, readable street signage. These were cross-referenced against satellite basemap imagery to establish ground-truth coordinates for each confirmed frame.
Confidence at Stage 1
At the end of Stage 1, the defensible confidence statement is narrow: “We can place this vehicle at [coordinate] at approximately [time], based on visual match to [n] independent environmental anchors, with uncertainty radius of approximately [x] meters.”
It says nothing about origin, ownership, or intent. Analysts who conflate geolocation confidence with attribution confidence at this stage introduce a structural flaw that contaminates everything downstream.
Dead end: Several circulating videos showed BUK-type vehicles that, on frame-by-frame analysis, couldn’t be geolocated to eastern Ukraine at all — background architecture, vegetation, and road surface markings were inconsistent with the claimed location. These were correctly discarded rather than forced into the route model. Knowing when to drop material is as important as knowing how to analyze it.
Stage 2: Route Reconstruction from Temporally-Stamped Frames
Building the waypoint sequence
Once individual frames are geolocated, the task shifts to ordering them into a coherent route. This is where temporal metadata becomes critical. Timestamps come from multiple sources with different reliability profiles:
- On-frame dashcam timestamps: High reliability if the camera clock was synchronized — but cameras are often misconfigured. Treat as a starting point, not ground truth.
- Platform upload time: Establishes a latest possible capture time. Not a capture time.
- Solar angle analysis: Footage with visible sky or shadows can be constrained to a capture window using solar position software. This is independent of any clock the original recorder was using.
- Witness corroboration: Accounts from people who observed the convoy and whose own timestamped activity — posts, phone records, purchases — can be cross-referenced.
For the BUK route, the team assembled a sequence of geolocated waypoints ordered by most probable capture time, then tested whether the implied travel speed and direction between consecutive waypoints was physically plausible for a heavy tracked vehicle on that road network.
This is internal consistency testing. If Waypoint A and Waypoint B are 40 kilometers apart and the timestamps imply 20 minutes of travel time, either a timestamp is wrong, a geolocation is wrong, or the vehicle didn’t take the most direct route. Each discrepancy needs resolution, not averaging.
Road network and infrastructure constraints
Heavy military transporters can’t use arbitrary roads. Bridge weight limits, road surface conditions, tunnel clearances, and the operational logic of military convoy planning all constrain the plausible route between two waypoints. These constraints let you eliminate route hypotheses even without direct visual coverage of every segment.
In the BUK reconstruction, the road topology of the region funneled heavy vehicles through a limited number of corridors, which meant gaps in visual coverage were less damaging than they’d be in a dense urban grid.
Dead end: An early route hypothesis connected waypoints via a road segment that, on checking satellite basemap data, had a bridge rated below the vehicle’s probable weight. That hypothesis was eliminated; the route was reconstructed through an alternate corridor. Always validate route hypotheses against infrastructure data, not just map geometry.
Confidence at Stage 2
“The vehicle observed at [waypoint sequence] most probably traveled route [X] between approximately [time window A] and [time window B]. This route is consistent with road network constraints and implied travel speed. Confidence is moderate-to-high for the overall corridor; moderate for specific sub-segments where visual evidence is absent, contingent on infrastructure constraint analysis.”
Stage 3: Cross-Source Corroboration Against Satellite Imagery
Corroboration is not confirmation
Satellite imagery gets treated as a gold-standard verification layer. It’s powerful, but it has specific failure modes analysts need to track.
For a moving convoy, satellite imagery is useful for two distinct purposes:
- Establishing baseline state: Pre-event imagery showing a BUK at a particular military installation establishes a plausible origin point.
- Detecting anomalies consistent with route reconstruction: Post-event imagery showing disturbed ground, changed vehicle parking configurations, or similar indicators.
What satellite imagery generally cannot do for a fast-moving event is provide frame-by-frame coverage. Open-source analysts working with commercial imagery archives are dependent on what happened to be imaged and what’s been made publicly accessible.
In the BUK investigation, satellite imagery played a corroborative rather than primary role. The dashcam and social media footage established the route; satellite data helped anchor the origin point and provided a second evidence line for the vehicle’s presence at specific locations.
The corroboration matrix
Build an explicit matrix. Track independence level — it’s the column most analysts skip:
| Claim | Primary Evidence | Corroborating Source | Independence Level | Assessment |
|---|---|---|---|---|
| Vehicle present at Location A at Time T | Dashcam frame + geolocation | Social media photo from different user | High (different source, different angle) | Confirmed |
| Vehicle origin at Installation B | Social media imagery | Satellite imagery showing matching vehicle | Medium (corroborates but doesn’t independently witness transit) | Corroborated |
If two pieces of evidence trace back to the same original source — two accounts that both reposted the same video — they constitute one piece of evidence distributed across two accounts, not independent corroboration. Analysts who count reposts as independent confirmations inflate their apparent evidence base.
Imagery access and the baseline problem
Open-source analysts in 2014 had a narrower range of satellite imagery than analysts today. Tools like Sentinel Hub’s EO Browser now provide time-series optical imagery at resolutions suitable for detecting large military vehicles and changes in installation configurations. Google Earth Pro’s historical imagery layer covers the baseline function.
The methodological point isn’t about any specific tool. It’s about using imagery archives to establish what was normal before an event, so departures from normal become analytically significant. A parking area that held four vehicles before a specified date and two vehicles after it is a data point — not independently conclusive, but a corroborating signal when combined with other evidence.
Dead end: Some satellite imagery appeared at first to show a BUK-type vehicle at a location consistent with the route reconstruction. On closer analysis, the resolution was insufficient to distinguish the target vehicle from other similarly-sized tracked vehicles legitimately present at that location. This material was downgraded from “corroboration” to “consistent with but not confirmatory” — a distinction that matters when you’re writing up confidence statements.
Stage 4: Attribution and Confidence Language
Attribution is structurally different from route reconstruction
Attributing the vehicle to a specific military unit is a qualitatively different analytic task from establishing where it went. Route reconstruction is a spatial and temporal problem: does the evidence support a coherent sequence of positions? Attribution is an organizational problem: who had custody of this vehicle, who ordered its movement, and who bears responsibility?
Open-source evidence speaks directly to the first problem. It speaks to the second only indirectly — through visible unit markings, comparison with documented equipment inventories, and analysis of the organizational structures that would have controlled a vehicle of this type.
In the Bellingcat investigation, the team compared visible markings and physical characteristics of the observed BUK against documented inventories of BUK systems operated by different military organizations in the region. That comparison supported attribution to a specific Russian military brigade.
Calibrated confidence language
When an analytic conclusion is presented without graduated confidence language, the reader can’t distinguish “we are certain” from “we think this is probably true but have significant gaps.” For public OSINT work that’s aimed at non-specialist audiences, this failure is especially costly.
For a case like this, the graduated language looks like:
- High confidence: The vehicle in the geolocated footage is a BUK-TELAR. The route places it in eastern Ukraine on or around the date of the MH17 shootdown. These conclusions rest on multiple independent geolocations.
- Moderate-to-high confidence: The vehicle’s physical markings and unit identifiers are consistent with documented inventories of a specific Russian military brigade. Subject to the caveat that markings can be altered.
- Moderate confidence: The vehicle was under the operational control of this unit at the time of the shootdown. This inference draws on physical evidence plus organizational analysis; it’s a reasonable conclusion but involves inference steps beyond what direct visual evidence establishes.
- Assessed, not confirmed: The chain of command above unit level. Requires evidence about decisions made by actors not visible in the open-source record.
Stating and eliminating alternative hypotheses
The principal alternative hypothesis in the BUK case was that the vehicle was Ukrainian military rather than Russian. The Bellingcat investigation addressed this by documenting specific physical characteristics that differentiated the observed vehicle from known Ukrainian inventory — a form of negative identification that strengthens the primary attribution by eliminating the most credible alternative.
Document this elimination process explicitly. “We considered hypothesis X and assessed it as less probable for the following specific reasons” is analytically stronger than silence on the alternative, and it accurately represents the nature of the evidence.
What Transfers to Other Investigations
Five principles emerge from this reconstruction that apply to any investigation tracking a physical object through a geography using heterogeneous open-source evidence:
Separate your confidence layers. Geolocation confidence, route confidence, and attribution confidence are different things. High confidence at one layer does not implicitly elevate confidence at another.
Document your dead ends. The videos discarded, the route hypotheses eliminated, the satellite imagery downgraded — these are part of the analytic record. They show that the surviving conclusions have been stress-tested.
Test for independence. Two pieces of evidence tracing back to the same source are one piece of evidence. Build a corroboration matrix and track provenance explicitly.
Use infrastructure constraints. Bridge ratings, road surface conditions, and military convoy logistics are free data that constrain route hypotheses without requiring additional visual evidence.
Write confidence statements that communicate uncertainty. A “high confidence” label on a conclusion with significant gaps is an analytic failure. Graduated language lets readers and downstream analysts calibrate appropriately.
The Bellingcat MH17 investigation pages and case studies archive remain the most fully documented public example of this kind of open-source route reconstruction. Study the dead ends as carefully as the conclusions. The methodology is reusable; the BUK route is just the case it was applied to.
If you want to pressure-test your own methodology against this template, pull the November 2014 investigation, map each evidentiary claim to a confidence tier, and check whether the tier assignments hold up. Most analysts find at least one place where the chain is thinner than the write-up implies — which is useful information.