A Beginners write up to Trace Labs 2020 OSINT CTF for missing persons
The Trace Labs CTF
If you’re not aware Trace labs is a company that assists law enforcement in crowdsourcing new leads on missing persons cases using open source intelligence (OSINT). One way on which they do this is through their OSINT Capture the Flag where volunteers submit intelligence (flags) on missing persons cases. The most recent event sold out and saw 650 participants and 190 teams! Participants had a 6 hour window to look for information and collect evidence, after which all of the intelligence gathered is compiled, put into a report by the Trace Labs team and handed over to law enforcement to assist in the investigations.
I am by no means an OSINT expert but have been using OSINT for a while and finally took part in my first OSINT CTF. I thought I would do a short write up from a first timer’s point of view. I’ve been following Trace Labs for a while and love the work they do, so as soon as I saw they were doing a CTF I had to get involved. This was a great chance to help law enforcement in finding missing persons and to also test my skills in a timed environment.
Preparation
So, naturally I started freaking out as soon as I had signed up as I wanted to make sure I gave it a good shot and was an asset to my team. Getting everything ready before hand helped massively in work flow. For this event I used the the Trace Labs OSINT Virtual Machine which came with all of the tools I needed as well with a custom Firefox with categorized bookmarks, tools and useful websites ready to go. I had also created sock puppet accounts on my computer and burner which made work flow much quicker whilst looking through social media and apps.
Having tools such as Sherlock for looking through usernames on social media, setting up tabs with the OSINT framework and everything book marked and ready to go meant submissions and finding info were a lot quicker and efficient. Joining the Trace Labs slack was vital! It was great in learning from other participant, keeping up with announcements and I also found my team on there who I would have been lost without!
Organizing a slack in advance for our team was a great help and helped in organizing whilst the event was live and before hand. Our team split up cases to start with which we switched every hour or when we each hit a wall in our cases. This helped massively as a fresh pair of eyes is always helpful in finding new information. From there we could all then help each other out and look for new avenues of intelligence. I can’t stress enough how having sock puppet accounts set up for Facebook, Instagram and Twitter as well as an email account helped. Setting these up can be time consuming so getting done in advance was ideal.You can’t afford to not have access to intelligence on social media as it contains vital information and helps put together a picture of what the missing person is like and what could have potentially happened.
The CTF
Finding and submitting approved info was really rewarding and the judges comments were great. Being able to read why submissions were rejected was helpful, and often was due to lacking more supporting evidence. This meant going back and looking for more intelligence and creating stronger reasons why it was relevant, backed up by supporting evidence such as screenshots and URLs. Being able to go back and create stronger submissions was really rewarding and helped building useful and clear intelligence submissions.
Xmind was great for mind mapping info and was useful to keep track of various missing persons and what we had found on them such as addresses, aliases, vehicle information and relationships. Next time I’m definitely investing in Hunchly to keep track of my findings as taking screenshots got tedious and a bit messy!
The interaction with the Trace Labs web application for submitting flags was really smooth, and the judges’ feedback helped understanding why they were accepted or not. As the judges were swamped with submissions there was sometimes a long gap of a few hours where you submitted a flag and were waiting for it to be accepted or rejected. The feeling when you had something accepted was fantastic, especially when you were at a point banging your head a against a wall stuck on another case
Over time I got used to gathering intelligence and fitting together various pieces of information to create a strong submission whilst using supporting evidence. One accepted piece of intelligence I was proud of was putting together submissions and intelligence using a Snapchat photo and caption plus Facebook posts and comments to piece together possible movements the day after they had gone missing which could potentially assist new lines of inquiry. Although this was rewarding there were a lot of time-consuming submissions that were rejected even though they seemed relevant, yet this was an important part of the CTF as it allowed you to learn whilst working.
Conclusion
Meeting people from Trace Labs community online and forming a team that worked well together is great not only for the CTF but for learning more about OSINT and investigations. Our team hit around the middle of the scoreboard and considering it was most of our first times it was a brilliant achievement. Next time I’m sure I will definitely be more competitive as learning the structure of the CTF and time management play a big role in performance.
The cases themselves were difficult to process, these are real missing people. You read through posts of the families who are desperately trying to find their loved ones. You also learn so much about the people in the cases and their lives and the time line before they disappeared. You become very involved and this is why I’ll continue to do these events, we as a society can become desensitized to cases such as these and they can become lost in the maelstrom that is life.
Overall remembering what you’re doing this for is important and Trace Labs are doing great work. I’d sometimes have to check in with my self whilst taking part in this, I kept getting caught up in the excitement of the investigations and somewhat loosing sight of what you're doing and the implications of such. There are huge ethical elements within this activity and that’s why it’s great that its only passive recon as the subject matter is incredibly sensitive and going in all guns blazing and taking over accounts can have knock on effects not just for the investigation but or the families involved.
Although the subject matter is sensitive, that shouldn't dissuade anyone from wanting to take part. I would be remiss if I didn't discuss the emotional and serious side of the CTF, but the overall experience was incredibly eye opening and educational. The Trace Labs team are really helpful and have created an amazing community and run it well, I can’t thank you enough for doing these events. I can’t wait for the next one not only to improve my skills but to help Trace Labs in the incredible work they do, if anything it’s given me a huge boost in wanting to take a bigger dive into the OSINT world.
