You saw a ship on the news, but how do YOU find it using OSINT?

I've had some requests to walk people through, with more detail, how to look up ship-related information, and I'm not hiding any methods, the whole idea is for YOU to be able to loo up your own information for free (or for cheap), and not need to launch your own spy satellite.
(but if you have the chance, you really should - I'm looking at you Elon)

There are many, many, ways to skin this cat. I'm just going to go over one way as an example - this is by no means an exhaustive how-to. There are marine ship registries, forums, accident reports, all sorts of other resources - but I'm going to show you MarineTraffic.com and focus on AIS.

Let's take an article which was in the news and walk you through the process. The first thing is to figure out what is the subset of vessels, out of the tens of thousands presently at sea, that you're interested in. You need to scope out the breadth of your investigation. Here is a good start;

St Helena's cherished lifeline ship to return as anti-piracy armory

Joe Brock - APRIL 17, 2018 / 10:38 PM (original here)

JOHANNESBURG (Reuters) - The RMS St. Helena, Britain’s last working postal ship, was for nearly three decades the main source of contact between one of humanity’s remotest islands and the outside world.

Now the ship, cherished by the 4,500 residents of British-ruled St. Helena, will start a new life as a floating armory, packed with automatic weapons, bullet-proof jackets and night vision goggles, all stored for maritime security operatives.

Renamed the MNG Tahiti, the 340-foot ship will undergo some tweaks before sailing to the Gulf of Oman where it will be used to ferry guns and guards to passing vessels navigating stretches of water lurking with pirates, its new operator said on Tuesday.

“The ship is good to go with a few adjustments,” said Mark Gray, a former British Royal Marine and founder of floating armory firm MNG Maritime. “By the middle of the year we hope to have her operating.”

Tahiti Shipping, a subsidiary of MNG Maritime, bought the ship for an undisclosed fee on Tuesday, the St. Helena government said in a statement.

The construction last year of a commercial airport on the isolated island in the middle of the South Atlantic rendered the 156-passenger ship obsolete, prompting St. Helena authorities to put it up for sale and begin planning a gala farewell.

Before weekly flights to South Africa began in October, a five-night voyage to Cape Town on the RMS St. Helena was the only major transport route off an island made famous as the windswept outpost where French emperor Napoleon Bonaparte died.

The yellow-funnelled ship was purpose-built by the British government in 1989 to service the island and is the last of a royal mail fleet that once connected the far-flung tentacles of the old British Empire.

Its final voyage was marked with a public holiday on St. Helena, with flag-waving crowds gathering on the rocky coastline to catch one last glimpse of the ship that had delivered them everything from car parts to Christmas turkeys.

A flotilla of fishing vessels and yachts flanked the ship with those on board popping champagne corks as plumes of balloons were released into the sky to cheers from St. Helena residents, known locally as “Saints”.

“I fully appreciate the role this vessel has played in all Saints’ lives,” MNG Maritime’s Gray said. “It is not a responsibility we take on lightly. We will continue to treat her in the manner to which she has become accustomed.”

Writing by Joe Brock; Editing by Mark Heinrich (Reuters)

After reading that, do you have more questions than you started with? I sure do. First, how many ships like this does MNG Maritime and their subsidiaries have? What about other floating armouries? ...and where are they? Someone must have already made a list, hopefully with IMO or MMSI numbers which definitively identify the ships that might have duplicate names.

Web search engines like Google and Duck Duck Go will help you greatly, since none of these operations are in any way secret or covert, they are publicly discussed and licensed. These are extremely heavily armed vessels moored in strategic locations around choke points where there is high pirate activity.

Here is a fantastic resource:

"Stockpiles at Sea, Floating Armouries in the Indian Ocean"

SMALL ARMS SURVEY 2015, Chapter 8, Pages 216-241

written by Ioannis Chapsos and Paul Holtom

http://www.smallarmssurvey.org/fileadmin/docs/A-Yearbook/2015/eng/Small-Arms-Survey-2015-Chapter-08-EN.pdf

Google some more more and you'll soon find this:
https://seenthis.net/messages/688184

From those, you should have a list of a few dozen Vessels of Interest (see what I did there?)

Put all the vessel information you can find in a spreadsheet; with a little luck copy & paste works.

I'm going to use the IMO numbers because they're tied to the ship, whereas the MMSI number change with the registration and ownership. Sometimes you have access to one, or the other - always record both, and the callsign if you have it. Keeping a spreadsheet of the ships you've put information together about is essential. I recommend using Google Docs.

Now we come to the MarineTraffic.com portion of our lesson; 

Create an account, and if you're really into this, pay your yearly pound of flesh and get access to more than the free account offers.  First of all, you need a "fleet" of 50. Their basic account would provide you that. The "fleet" concept groups vessels in whatever category you would like, and allows you to control them in bulk groups easily.

Here are all the IMOs from the aforementioned floating armouries:

8112823

6524230

7027502

8965593

5278432

8107713

8107036

7313432

5427784

8701105

8129084

7406215

9606194

8131386

7412018

7624635

8413174

7353432

7709253

8206105

7911777

7115567

9050101

4908729

8410691

8912572

8333283

8301216

7932006

8003175

7319242

7636339

7392854

8333506

First, search for one of those ships, any one

Click the result, it will open up a details page on that ship

You want to make a new fleet, so click the down arrow beside "Add to default fleet" and scroll to the bottom, select "Add to new fleet". Name it something obvious, like "Floating Armouries"

Now, click the little person icon at the top right, and pull down to "My Fleets"

Select the Floating Armouries fleet you created previously. Notice the "import" line? That's what you want! That's why having a spreadsheet with the list of ships you're tracking is very handy.

Now you're presented with a big empty box for IMO or MMSI numbers; paste the whole list in that box. Any duplicates will disappear, so don't be too careful.

Import, and voila - you have a MarineTraffic fleet with all the Floating Armouries in it.

Then, you can show only the vessels in your fleet at the map view, and exclude all the others so you're not distracted.

You're ready to follow these, or other ships that match your interests, around the globe.

Did I cheat by using a pre-made list that someone else already published in a PDF? Yes. Absolutely. OSINT is all about that sort of "cheating". Use what others have already blazed the trail with, and add to that. There is no reason to start from scratch, but remember to both protect your sources, and credit them - those two things may seem at odds, because they are. I've offended people both by crediting, and not crediting them. I try to error on the side of giving credit publicly, unless someone tells me not to.

Happy hunting!

Argentine Navy research vessel operates near Falklands; catches the Royal Navy's eye

https://surenio.com.ar/2016/05/buque-ara-puerto-deseado-finalizo-participacion-la-campana-oceanografica

Following ship movements is greatly more entertaining when you can spot an interaction between vessels that have otherwise not been identified as being related. I think this makes a great example of that. The interaction was nothing out of the ordinary, I'm sure this sort of thing happens every day, but it's neat to catch it all the same.

Weeks ago Argentinian sources reported that the ARA Puerto Deseado would be conducting operations near the Falklands from 2018-08-22 onward. On 2018-08-30 the Argentinian Navy oceanographic survey ship ARA Puerto Deseado had been performing operations for over a week in the same area, then seemed to depart, and head toward the Falkland Islands. After not reporting their position via Satellite-based AIS for an hour, the HMS Clyde departed from where she was, and headed toward the Argentine Ship at full speed. Shortly after that, ARA Puerto Deseado reappeared on AIS-S, it seems their transponder was beaconing again to the satellite above. They had already turned around, and were no longer heading toward the British territorial limit. Minutes after returning to AIS visibility, with their heading reversed, HMS Clyde turned around as well.

marinetraffic.com

marinetraffic.com

🇦🇷 Argentine Navy oceanographic survey ship ARA Puerto Deseado was operating rather near the British territorial waters around the Falkland Islands, and I do believe the @RoyalNavy noticed. Good reaction time too.#ARAPuertoDeseado #AGS #Q20 https://t.co/i0k7fgEe1E pic.twitter.com/OXPzWpNKOr

— Steffan Watkins 🇨🇦 (@steffanwatkins) 3 September 2018

This piqued author HI Sutton's curiosity, and he wrote up his assessment in his blog, here (with credit to me too, which was appreciated!)

The Telegraph UK contacted the Royal Navy for a quote, so they did some legwork, but failed to mention the OSINT origin of the story. Poor show.

Then The Sunday Express got a hold of this story (here - wow...)

Finally, the Argentine Navy had to put out a statement (here)

Conclusion:

The short version? It is absolutely remarkable that a ship, any ship, changed its behaviour and headed straight at the Falklands as they did.

...but was it nefarious? There is no reason to believe there was anything malicious afoot.

I still think it's odd that ARA Puerto Deseado's AIS transponder beacons feverishly (as Juanma Baiutti pointed out), then drops silent for two hours, but evidently that's the way they have it configured, or that's the way it's working The Argentinian Navy say they didn't disable their AIS. None the less, they were close enough to provoke the HMS Clyde to start to head in their direction briefly, until it became evident they'd turned around already. There was nothing nefarious about anyone's; activities, but its the Royal Navy's job to be prepared for anything.

Another misconception that was circulating was their speed; that they were headed toward the Falklands at "full speed"... I'm not sure what their maximum speed really is, but they were only doing 7-8kn, so I would hope not.

Lastly, I must thank the Telegraph for this gem from the Royal Navy:

"This was unusual activity (..) it was the course and speed [of the Argentinian ship] towards the islands which was unusual"

said the UK Ministry of Defence Spokesperson (per The Telegraph)

Much thanks to @feibianAjax who tipped me off to the presence of the ARA Puerto Deseado near the Falklands!

Keeping up with the Royal Canadian Navy (LIVE)

"Canadian Navy HMCS St John's FFH-340 passing Greenock outbound from Glasgow for Joint Warrior"
Photo and caption by Iain Cameron - 2018-04-22

The Royal Canadian Navy deploy their fleet of Halifax-class frigates globally, but only some of their deployments are noticed and picked up on on the press. This isn't from the military's lack of trying; there are multiple cases where a story has been floated by DND's official social media accounts, but gets no press coverage. Thanks to the magic of AIS transponders, installed on the whole fleet, but only activated with the consent of the ship's command, we can skip all the middle management at DND and get the ships' coordinates directly from the the ship itself, over marine VHF (~162MHz), and the Automatic Identification System (AIS).

To many people it seems concerning that we would be able to follow a military deployment with live location data, as it beacons every few minutes. Thankfully, Canada and NATO's adversaries don't rely on AIS to target or find Canadian ships worldwide. They know NATO procedures and understand in a time of conflict or operations the AIS transponder is set to receive only, turned off for our viewing, and will not transmit, so as to not give away their location either through ELINT, or reading the AIS data for free from MarineTraffic.com. Here are the twelve Halifax-class frigates of the Royal Canadian Navy, and the locations they last beaconed from using terrestrial based AIS (AIS-T) .

ship name	№	mmsi
HMCS Halifax	FFH330	316138000
HMCS Vancouver	FFH331	316160000
HMCS Ville de Quebec	FFH332	316127000
HMCS Toronto	FFH333	316135000
HMCS Regina	FFH334	316148000
HMCS Calgary	FFH335	316158000
HMCS Montreal	FFH336	316129000
HMCS Fredricton	FFH337	316143000
HMCS Winnipeg	FFH338	316147000
HMCS Charlottetown	FFH339	316130000
HMCS St Johns	FFH340	316196000
HMCS Ottawa	FFH341	316195000

(click on any of the hot MMSIs above for ship & location details)

Update 2018-06-27: I wasn't giving enough credit to the brave men and women and men who operate the Kingston-class coastal defence vessels of the Royal Canadian Navy, so I have included them on the dynamic map. BZ!

(Click the "minus" to zoom out if you don't see the whole map)



(Illustration of locations recently identified by AIS transponder; data collected and displayed by MarineTraffic.com)

Using AIS to track the United States Navy Nuclear-Powered Aircraft Carrier Fleet

First off, tracking US Navy aircraft carriers using AIS is a terrible idea, because of the seemingly-random and inconsistant US Navy AIS transponder policy. The policy made it's public debut recently as a result of two fatal collisions; that of the USS John McCain, and the USS Fitzgerald. The US Navy provided guidance to commanders to use AIS when travelling in proximity to civilian vessels. However, the safety of the Carrier Strike Group, and the carrier itself, is of paramount concern; so it seems the US Navy is a little reluctant to expose their location consistently across the fleet.

Some ships in the US Navy pop up on public unclassified AIS tracking sites like MarineTraffic.com routinely, while others haven't beaconed once for the past 5+ years. The aircraft carriers are a mixed bag; they aren't just using their AIS transponder to send a "message" to adversaries that they can operate anywhere they want in International waters, they're also broadcasting their location to foreign port facilities who send out pilot vessels and tugs to help their approach into harbour.

Another point about OPSEC; if a US Navy vessel activates their AIS transponder, the commanding officer made a judgement to do so, and expose their position to anyone with an internet connection who can pull up the MarineTraffic.com web page. These are not accidents, they are deliberate beacons for strategic messaging as well as local inter-operation with allied port facilities. Their position is neither secret, or dangerous.  But don't take my word for it; it was the commanding officer who indicated as much when they turned on their transponder. If the ship's commander is perfectly alright with broadcasting their position to the world, you are allowed to know as well, guilt-free, without being a "spy"!

This is not a "loose lips sink ships" situation.

USS Nimitz	#CVN68	MMSI:303981000	NMTZ	Naval Base Kitsap, Bremerton, Washington
USS Dwight D. Eisenhower	#CVN69	MMSI:368962000	NIKE	Naval Station Norfolk, Norfolk, Virginia
USS Carl Vinson	#CVN70	MMSI:369970409	NCVV	Naval Air Station North Island, San Diego, California
USS Theodore Roosevelt	#CVN71	MMSI:366984000	NNTR	Naval Air Station North Island, San Diego, California
USS Abraham Lincoln	#CVN72	?	NABE	Naval Station Norfolk, Norfolk, Virginia
USS George Washington	#CVN73	MMSI:368913000	NNGW	Naval Station Norfolk, Norfolk, Virginia
USS John C. Stennis	#CVN74	MMSI:368912000	NJCS	Naval Base Kitsap, Bremerton, Washington
USS Harry S. Truman	#CVN75	MMSI:368800000	NHST	Naval Station Norfolk, Norfolk, Virginia
USS Ronald Reagan	#CVN76	MMSI:369970410	NRGN	Yokosuka Naval Base, Yokosuka, Japan
USS George H.W. Bush	#CVN77	MMSI:369970663	NGHW	Naval Station Norfolk, Norfolk, Virginia
USS Gerald R. Ford	#CVN78	?	?	Naval Station Norfolk, Norfolk, Virginia

On April 27th 2017 the Russian Navy Moma-Class AGI Liman|Лиман had a really bad day.

Photo Credit: Alper Böler‏ @alperboler
October 21, 2016

FACTS:
On April 27th the Togo-flagged livestock vessel "Youzarsif H" (also referred to as "Youzar Sif.H"), IMO 7611547, and the Russian Navy Moma-Class AGI Liman|Лиман collided, between 08:30Z and 08:43Z, in thick fog, outside Turkish territorial waters, in the Black Sea. A breach below the water line caused the Liman to sink, reportedly after several hours. All crew were rescued in an orderly fashion from the pictures that were released by the Turkish coast guard. It was reported that the Youzarsif H headed back to port to check for damage and out of concern for the livestock; sheep.

Pretty much everything beyond that is speculation.

You should really read this excellent in-depth analysis by Tony Roper, a frequent contributor to IHS Jane's publications, before reading further, to get up to speed.
https://planesandstuff.wordpress.com/2017/05/29/full-analysis-of-the-sinking-of-liman/

Sharing speculation; refuting, proving, discussing, and arguing points, makes for very good banter on Twitter, Reddit, or any social media platform where you can get people with different views together and crowd-source information and experience. I'm not sure if that friendly banter and respectful exchange of ideas was lost on Mr Roper, but for professing to not be an "Expert", he sure does seem to condescend when he portrays those who would speculate about the ships' purpose, and circumstances of it's demise, as idiots, conspiracy theorists, stupid, ignorant, and stubborn. Well,

SPECULATION & UNANSWERED QUESTIONS: 

• Any ship could have an accident while at sea, in the fog, early in the morning. But, this wasn't "any" ship; just by being a Russian Navy AGI (a "Spy Ship") it makes me +1 suspicious. There is no good rational basis for that suspicion, except it's a Russian Navy AGI, it definitely has sensitive gear aboard, and having it sink leaves a gap in whatever task it was doing, on the deployment it was on.
  This is a seemingly inadvertent win for NATO, and a loss for the Russian Black Sea Fleet.
• There have been no reports regarding who ran into who; or if it was a mutual effort. The news media is making it sound like they were both moving and collided in the fog. I'm not sure that's correct.
  Was this a "T-Bone" collision while both were moving?
  Was this a T-Bone collision, while the Liman was stationary?
  Was this a glancing bow-on-bow strike?
  We know the Youzarsif H was moving at 11kn before the collision, and suffered superficial damage to its bow, but we don't know if the Liman was stationary or not, since it conducts its operations without using an AIS transponder.
• While the Liman does not transmit its location with an AIS transponder, can it receive AIS?
  Could it not "see" the other ship coming?
  AIS-T uses VHF marine frequencies
  87B (161.975 MHz)
  88B (162.025 MHz)
  Could these frequencies have been "jammed" intentionally, or accidentally?
  Likely not; any disruption to those frequencies should have affected all VHF maritime communications in the area. No such issues were reported, and most ships were beaconing fine on AIS.

• The Liman was not a "stealth" ship, and as far as I understand, should have shown up on the navigational radar of the Youzarsif H; isn't that why navigational radar exists?
  How didn't the captain or navigator of the Youzarsif H see it?
  ...or did they, and dismissed it as noise because it didn't transmit AIS?
  Shouldn't there be a collision alarm built into the system?
  They were in thick fog, only navigating by instruments, and didn't see a ship directly in front of them on radar?
  Isn't that weird?
  I don't think it reflects well on the Youzarsif H's crew, unless the operations of the Liman were causing issues for the radar of the Youzarsif H. Yes, that's wild speculation, because it makes no sense how a ship doesn't notice a giant hulk of floating steel in front of it on radar. Make up your own crazy theory! It's better than what we have now, which is nothing.
• The Youzarsif H's AIS signal was being received by terrestrial based AIS receivers, which Mr Roper described in his blog post with excruciating detail. The signal was very spotty before the collision, and crystal clear after the collision. This is the thing that really draws my eye and triggers my curiosity; it is the basis for much of my suspicion regarding this event. On the day Mr. Roper and I were discussing this he specifically dismissed my speculation that the issue could be related to the sender and insisted the gap in reception must be related to the receiver, or environmental conditions.
  "This totally depends on the receiver not the sender! The receiver may have been off."
  -Tony Roper, 6:29 PM EST, May 4 2017
  I tried to convey that my interest was less with the gap before the collision, and more with the immediate change to the signal quality (seemingly crystal clear reception) instantaneously after the collision, which Mr Roper had no explanation for at the time. It seems after reflection, he now theorizes the sender, may have had their antenna(s) facing away (blocked by the ship's superstructure?) from the shore-based receiver when travelling Southbound (toward the Liman) and immediately after the collision turned around and faced their AIS antenna(s) toward the shore-based AIS-T receiver. This is fantastic speculation, and would explain how the signal went from terrible, to perfect, immediately, while other ships in the area had AIS-T signal all along.
  Can we prove this theory with the available data? Well, it's certainly not as clear as I would like it to be. It is still crystal clear that immediately after the collision the AIS transmissions went from random times between successful transmissions to a steady stream at 3-4 minutes. (please refer to the spreadsheet snippet below)
  
  

  Date	Receiver	Speed	Longitude	Latitude	Course	Delta
  2017-04-27 06:55 (UTC)	Terr-AIS	11.4	41.82308	28.98331	177
  2017-04-27 07:02 (UTC)	Terr-AIS	11.4	41.79881	28.98457	177	0:07
  2017-04-27 07:05 (UTC)	Terr-AIS	11.3	41.78935	28.98486	178	0:03
  2017-04-27 07:26 (UTC)	Terr-AIS	11.2	41.72423	28.98452	182	0:21
  2017-04-27 08:20 (UTC)	Terr-AIS	11.1	41.55295	28.97452	185	0:54
  2017-04-27 08:22 (UTC)	Terr-AIS	11.1	41.55295	28.97452	185	0:02
  2017-04-27 08:30 (UTC)	Terr-AIS	11	41.52769	28.96805	194	0:08
  2017-04-27 08:41 (UTC)	Terr-AIS	9.5	41.49945	28.95921	194	0:11
  2017-04-27 08:44 (UTC)	Terr-AIS	0.7	41.49731	28.95823	199	0:03
  2017-04-27 08:48 (UTC)	Terr-AIS	0.2	41.49696	28.95755	253	0:04
  2017-04-27 08:51 (UTC)	Terr-AIS	0.5	41.49689	28.95732	241	0:03
  2017-04-27 08:55 (UTC)	Terr-AIS	0.7	41.49654	28.95673	228	0:04
  2017-04-27 08:59 (UTC)	Terr-AIS	0.7	41.49685	28.95632	19	0:04
  2017-04-27 09:02 (UTC)	Terr-AIS	0.9	41.49718	28.95667	45	0:03
• When did the collision occur?
  At 08:30Z, as you can see, the Youzarsif H was moving at 11kn on a course of 194 degrees.
  At 08:41Z, 11 minutes later, it was doing 9.5kn, still on the exact same course of 194 degrees. Could they have hit the ship, and shoved it aside, keeping the exact same course? I don't think so. They had significantly reduced speed by then; did they see the Liman coming and reduce speed, or were they in the middle of colliding with it at that moment?
  At 08:44Z, only 3 minutes later, they had dropped to 0.7kn and changed course to 199 degrees; the collision had already happened.
  I suspect the collision happened between 08:41 and 08:44, based on the course and speed.
  You'll notice the AIS-T problems cleared up at that exact moment too; they were at 3-4min intervals from then on.
  
  ¯\_(ツ)_/¯

The left hand line of dots (and gaps) are the locations where the AIS-T signal from the Youzarsif H was received by a shore-based receiver while headed South, the right hand line of dots represents the return trip where AIS was crystal clear. You might notice there was a spot where it turned around and didn't seem to have any problem transmitting it's position too. Proof of anything? Not really. (data courtesy of MarineTraffic.com)

Photo Credit: Yörük Işık‏ @YorukIsik
October 21, 2016

There is supposed to be an investigation underway by the Turkish authorities regarding this incident, and I look forward to hear what their conclusions are.