Using OSINT to find missing persons – A Trace Labs Search Party OSINT CTF writeup

Hello everyone. This writeup was meant to come out sooner, but sadly life sometimes postpones things… Anyway, last weekend Trace Labs held one of its monthly OSINT CTFs for finding missing persons, in which I participated. It’s not the first time I did so, since I have participated twice as a solo team in the past, but this is the first time I participated as part of a team and having prepared really well for it. My team Dwayne “The Sock” Johnson, which consisted of myself, @jakecreps, @BOsintBlanc and @beige_hat, came in 2nd place, and this was very exciting for us since it was the first time we had ever participated together. The following information is meant to help future contestants and of course any feedback is welcome (as always).


Trace Labs




Trace Labs is a nonprofit organization whose mission is to accelerate the family reunification of missing persons while training members in the tradecraft of open-source intelligence (OSINT).
Among its initiatives, and in order to fulfill this mission, Trace Labs hosts monthly (sometimes less frequent) OSINT CTFs. These CTFs allow contestants to hone their OSINT skills by using them in real-life cases of missing persons and getting hands-on practice in OSINT investigations that would otherwise be difficult to get. I highly recommend you participate in any of these CTFs as a contestant. If you can’t afford to buy the ticket required for participating ($20-25), or just don’t feel ready yet, consider judging for any of these events. Looking at the submissions of contestants and how they find different leads in missing persons cases will surely teach you tools and methodologies even if you already have a good grasp of OSINT investigation techniques.
So here we go…


Before the CTF


Create sockpuppet accounts

Create sockpuppet accounts for at least the four best-known social networks: Facebook, Instagram, Twitter and LinkedIn. Sockpuppet accounts are essentially fake accounts that will allow you to investigate missing persons cases without exposing your real identity. For more information, Trace Labs has created a nice quick video for you here and another pretty extensive guide here. Here are a few things to consider about your sockpuppet accounts:

1. Don’t wait until 1-2 days (or worse, hours) before the start of the event to make your sockpuppets. In OSINT life, things tend to break down often, and sockpuppet accounts are one of the things that can easily get burned. Consider building a sockpuppet at least a week before the event and use it every once in a while until the event, to make it feel more real, thus decreasing the chances of it getting burned on the day.
2. Play games with your investigative accounts. I can’t remember who suggested this first, but seriously people: if you don’t know what to do to make an account feel more realistic, play games. I have long-lasting sockpuppet accounts just because I have been playing games on Facebook every once in a while, although I have followed none of the other suggestions on maintaining a healthy investigative account. Another thing that seems to work, but is less powerful, is joining groups and liking/commenting around.
3. No matter what, check your sockpuppets at least an hour before the CTF starts. In case something is wrong, you will have enough time to make a new account without much of a problem.

Prepare yourself

The Trace Labs OSINT CTF is challenging both physically and mentally. During the CTF you will sometimes dive deep enough into some cases that it might affect you psychologically. Before people go missing, something goes wrong. This might range from psychological or mental health issues of the person to really bad things happening in their lives. These things might affect you, since you sometimes empathize with the missing persons or view images and information that are disturbing. So, prepare yourself mentally for the things you might see during the CTF.

Apart from that, sitting on a chair for 6 hours straight, constantly submitting leads and further investigating a case is exhausting by itself. Make sure to eat and sleep well before the CTF. Otherwise you will not enjoy it and you won’t be able to do as well as you thought. Prepare some snacks to take a bite if you get hungry, and have a glass of water nearby (alcohol is not recommended, lol!) to keep you hydrated during the event.

Prepare a strategy

You can’t expect to just create a strategy at the last minute. If you work in a team, arrange a meeting with all its members. Consider deciding on the following:

Communication – A team without communication is destined to fail. If you submit the same flags, you will lose points for the duplicate ones, because they will be rejected by the judges. If you communicate, you will not be working as an individual: your teammates will be able to help you with new approaches to a missing person case and point out things you’ve probably missed and/or never thought of. They might also help you explore new leads using techniques or tools you don’t know, thus helping you advance faster than usual. Find an appropriate way to communicate over voice rather than typing in a chat all the time. It will save you time and it will leave the chat box free for links that will help your teammates. My team used Discord, but there are many similar applications out there. Just choose the one that fits you best.

Approach – You need a general approach to missing persons cases. Meaning, when all the cases appear, you need to already know what to do. Talk beforehand and analyze scenarios with your teammates: Who would do well on younger individuals? Who is more of an expert on US citizens? Who speaks French or any other language that could prove useful for non-English-speaking missing persons? How will you divide the cases among the team? These and many other questions should be answered before the CTF. You don’t want to lose time figuring out these things when the event starts. Some general advice that my team and I used:
• Prioritize US citizens first,
• Prioritize people who are more likely to have a good digital footprint,
• Divide different cases among different members of the team,
• First go for the low-scoring flags, then proceed gradually to higher-scoring flags if possible.

Note: Even if you are participating as a solo team, you need to have a basic strategy in mind.

Create checklists and workflows

This is not mentioned often in writeups, but I cannot stress enough how important it is. Checklists allow you to stay focused, be sure that you don’t miss anything during your investigation and stay calm during the CTF. I know some people who just froze at the very moment they saw the cases appear on their screens, not sure where to start. Whenever you don’t know what to do, look at your checklists. Whenever you come across a social media profile, look at your checklists. Whenever you are overwhelmed by information… look at your checklists! Workflows and methodologies allow you to take a structured approach to nearly everything and leave your mind free to concentrate on the things that actually matter. Trust me and you won’t lose. You can find some workflows here by the awesome sinwindie. I will be making a blog post about checklists soon. Don’t miss it!

Print the flag categories

I found that printing the different categories that can grant you points is better than having them in an open window. Less alt-tabbing, and you can look at them fast in case you need to (and you are going to need to a lot).

Automate stuff

Automating OSINT stuff using tools or JS/Python scripts will save you time on boring things that you would otherwise need to do manually. There are thousands of different tools out there which can help you save some time. If you don’t know where to start with tools, take a look at the OSINT Framework to get an idea. Start learning JavaScript at your own pace and create your first bookmarklets, or learn some Python and start playing around.

Automation is the future of OSINT and honestly, it’s not that hard to do. When you start seeing the impact of automation on your OSINT investigations, you will wonder why you haven’t done this earlier! Anyway, regarding the CTF, I have seen the time available for what really matters double when using automation. Just make sure you check that everything works in advance, because as I said, OSINT things tend to break regularly! If you don’t know where to start, I would suggest w3schools. It is by far the best resource I know for taking your first steps in everything programming related.
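As an added example of the kind of small script this section has in mind (it is not code from the original post or from Trace Labs), here is a Python lead tracker that also addresses the duplicate-flag problem from the Communication section: it normalizes the URLs, handles and e-mail addresses teammates paste into chat, so the same profile reported twice (mobile vs. desktop Facebook URL, trailing slash, tracking parameters, upper/lower case handle) is caught before it is submitted a second time. The host alias table, the rule that Facebook `profile.php` links are identified by their `id` parameter, the case-insensitivity of usernames, and the sample leads are all assumptions constructed for the demo.

```python
"""Lead tracker for a team OSINT CTF (added example, not Trace Labs code).

Normalizes leads so that the same profile reported by two teammates is
detected before it is submitted twice and rejected as a duplicate.
"""
from urllib.parse import parse_qs, urlsplit

# Hosts that serve the same profiles under different names.
# Constructed table; extend it for the sites you actually work with.
HOST_ALIASES = {
    "www.facebook.com": "facebook.com",
    "m.facebook.com": "facebook.com",
    "mbasic.facebook.com": "facebook.com",
    "www.twitter.com": "twitter.com",
    "mobile.twitter.com": "twitter.com",
    "x.com": "twitter.com",
    "www.instagram.com": "instagram.com",
    "www.linkedin.com": "linkedin.com",
}

# Query parameters that identify a profile instead of tracking a click.
# Assumption: on facebook.com, /profile.php?id=<number> is the profile key.
KEEP_PARAMS = {("facebook.com", "/profile.php"): "id"}


def normalize_lead(lead: str) -> str:
    """Return a canonical key for a lead (URL, @handle, alias or e-mail)."""
    lead = lead.strip()
    # E-mail addresses are kept whole; only the case is folded.
    if "@" in lead and not lead.startswith("@") and "://" not in lead:
        return lead.lower()
    head = lead.split("/", 1)[0]
    if "://" not in lead and "." in head:
        lead = "https://" + lead          # scheme-less URL pasted from chat
    if "://" not in lead:
        return lead.lstrip("@").lower()   # bare handle or alias
    parts = urlsplit(lead)
    host = (parts.hostname or "").lower()
    host = HOST_ALIASES.get(host, host)
    # Assumption: usernames in the path are case-insensitive on these sites.
    path = parts.path.rstrip("/").lower()
    key = f"{host}{path}"
    param = KEEP_PARAMS.get((host, path))
    if param:
        value = parse_qs(parts.query).get(param, [""])[0]
        key += f"?{param}={value}"
    return key


class LeadTracker:
    """Shared register of leads; add() reports whether a lead is new."""

    def __init__(self) -> None:
        self._leads: dict[str, tuple[str, str, str]] = {}  # key -> (category, who, raw)

    def add(self, raw: str, category: str, found_by: str) -> bool:
        key = normalize_lead(raw)
        if key in self._leads:
            return False                  # duplicate: do not submit again
        self._leads[key] = (category, found_by, raw)
        return True

    def found_by(self, raw: str):
        """Teammate who first registered this lead, or None if unknown."""
        entry = self._leads.get(normalize_lead(raw))
        return entry[1] if entry else None

    def __len__(self) -> int:
        return len(self._leads)


# Constructed sample leads, as two teammates might paste them into chat.
SAMPLE_LEADS = [
    ("https://www.facebook.com/John.Doe.123?ref=br_rs", "Friends", "alice"),
    ("m.facebook.com/john.doe.123/", "Friends", "bob"),                  # duplicate
    ("https://www.facebook.com/profile.php?id=100012345&ref=bookmarks", "Family", "alice"),
    ("https://facebook.com/profile.php?id=100012345", "Family", "bob"),  # duplicate
    ("https://facebook.com/profile.php?id=100099999", "Family", "bob"),  # different id
    ("@JDoe_1990", "Basic Subject Info", "alice"),
    ("jdoe_1990", "Basic Subject Info", "bob"),                          # duplicate alias
    ("john.doe@example.com", "Advanced Subject Info", "alice"),
]


def run_sample():
    """Feed the sample leads through a tracker; return it and the rejects."""
    tracker = LeadTracker()
    rejected = [raw for raw, cat, who in SAMPLE_LEADS if not tracker.add(raw, cat, who)]
    return tracker, rejected


if __name__ == "__main__":
    tracker, rejected = run_sample()
    print(f"{len(tracker)} unique leads, {len(rejected)} duplicates caught:")
    for raw in rejected:
        print(f"  {raw} -> already found by {tracker.found_by(raw)}")
```

Run it before a teammate submits a flag: if `add()` returns False, the lead is already registered and `found_by()` tells you who has it. A bare handle and a profile URL for the same person deliberately stay separate keys, since they are different flag types in the CTF.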

During the CTF


Submit Leads non-stop

Start submitting leads for anything you find. It doesn’t matter what it is: an alias, a friend, a family member, a social media handle, an e-mail or anything else, as long as it is related to the case. This will help you better organize things in your mind and keep track of the case better. It will also help you maintain a “victorious” spirit throughout the whole event, and your mental state plays a crucial role in keeping you going. Even small flags can bring you a lot of points at the end, if accumulated. Do not look at the scoreboard. I repeat. DO NOT LOOK AT THE SCOREBOARD during the CTF. It won’t be of any use to you, it will distract you and it means nothing. The only score that matters is the final one. Until all submissions are examined after the end of the event, there is no point in looking at the scoreboard.

Choose flag categories wisely

You can just go around submitting leads about all of the missing person’s friends, but that won’t help you much: 10 points for each submission, plus you don’t really help law enforcement agencies on the case (let’s not forget what the event is really all about at the end of the day!). Prefer the flags with the best time-to-points ratio and go for them. My experience shows that Basic and Advanced Subject Info are the best ones, at least in the beginning.

Do not underestimate scrolling

Although automation and using tools can get you a long way, good old traditional OSINT techniques are eventually more valuable. Scrolling is one of them. You cannot imagine how many times I found things on the second page of Google search results (including reverse image search results) that I didn’t find on the first one, or how many times I found leads at the very beginning (bottom) of a Facebook profile. Scroll down until you are satisfied.

Help (and get help from) your teammates

You are not alone. You can ask your teammates for help, but make sure to help them as well when they ask you to. Keep the team spirit high during the event; it will help all of you.

Know when to switch to another case

There will be a point when 15 or 20 minutes have passed and you are not able to find anything else on your case. Switch to another case, after letting your teammates know you can’t find anything else on yours. A fresh mind/look from someone else might help progress this case further.

Take breaks if you need to

We are all human and it’s hard being 100% there during the whole 6-hour duration of the event. Drink some water, eat some snacks, go to the bathroom or just distance yourself from the laptop. Worst case scenario, you will take a refreshing break. But you might also return with new ideas and a fresh mind. A 15-minute break won’t hurt you, whatever happens. Your teammates have got you covered.


After the CTF


Celebrate

No matter what the outcome was, you gave it your best and it was worth it! You helped other people while having fun. What more could you ask? Chat a little bit with your team to analyze what went well or badly, reflect on your choices and provide feedback to each other. You have everything fresh and recent in your mind and you can make clearer decisions about future events. It will also help everyone become better for next time.

Delete everything related to the event

I would suggest deleting every file/image or anything else related to the case. Since you have submitted everything, you don’t need them anymore and it’s best to clean your machine of your OSINT investigation. If you had a VM running, you can just delete it and move on to create another one for the next time.

Also, make sure to “mentally” delete everything from your mind. Don’t let the cases bother you anymore or interfere with your life. You’ve probably seen some bad things during the event, but that’s just normal in these kinds of investigations. Play a game, listen to some music, chat about something unrelated with your girlfriend/boyfriend to get distracted. Then move on with whatever you do.

Provide self-feedback

Write down everything you would like to change next time or become better at. It will help you in the following days to advance in OSINT generally, and in future CTFs specifically.

Provide feedback to others

Make a writeup or just post something letting others know how they can become better. People in the OSINT community are awesome at helping each other. Be like them.

I always have a lot of fun in these CTFs and they have become a kind of healthy addiction for me. In addition, I have always believed that helping others while helping yourself is the best thing to do in all aspects of life, and these CTFs allow me to do exactly this.

Well, that’s all folks! I hope you enjoyed reading this writeup.

If this writeup was not enough for you or you just want to know more, check out this recent guide by @cybersecstu, who has won a black badge (first place) in Trace Labs three times, or this repository of all writeups written in the past for Trace Labs OSINT CTFs.
Until next time, stay healthy!


Meme by @OSINTconscious
(Original drawing by @SarahCAndersen)


Do you have a question/comment regarding this methodology? Please e-mail me at theinspector32@protonmail.com.
