Trace Labs Missing Persons CTF IV — Review & Summary
Late-night OSINT for the phenomenal cause of finding missing persons
Suggested Beer: Wold Top Scarborough Fair IPA (6%)
Metal Artist of the Week: Judicator
Welcome to the first real post on my new blog. Before we settle down into the thoughts and opinions on the recent Trace Labs event I took part in, let’s have a little sip of our beer of the week. This week I’ve opted for the exquisite Scarborough Fair by Wold Top. This gluten-free 6% IPA packs a delightful punch and is perfect for the warmer evenings we were experiencing in the UK prior to this week. If you can get hold of it, I wholeheartedly recommend giving this beer a try next time you’re thinking about firing up the barbeque.
Gloria
This week’s metal artist I recommend is a new band to me, Judicator. Their latest track, ‘Gloria’, has this absolutely stonking riff I’ve not been able to get out of my head since I first heard it. I’ll be digging into a lot more of Judicator over the next couple of weeks, and I urge each one of you to do the same. Now on to the important stuff and the mission behind this post.
Trace Labs Missing Persons CTF – What is it?
Trace Labs is a non-profit organisation, dedicated to using the power of OSINT and the skills within the community to help find missing people and to provide an extra capability for law enforcement investigations.
Over the recent Easter long weekend, Trace Labs ran a missing persons Capture The Flag (CTF) exercise for over 500 contestants (forming over 170 different teams) to find information on missing persons online. It was held over six hours and covered fifteen different individuals, ranging from young teenagers to senior citizens, and from people missing a couple of months to several years.
The Power of #OSINTForGood
The CTF proved to be hugely fruitful for Trace Labs, with over 8000 separate intelligence submissions made, of which 6326 were accepted. This means that all of the accepted intelligence will be packaged and sent to local law enforcement agencies to aid in the cases for each missing person.
The data identified included information on the individuals, their friends and family (within reason, set out by TL at the outset), information on the dark web, when and where the individuals were last seen and anything that could help identify their current whereabouts. A phenomenal amount of data that potentially could help to unlock the mystery in some of these cases.
My team had a bit of a disaster from the outset. Originally we were going to be a four-person outfit, which ended up being drastically reduced to two men by the time the CTF started. That didn’t help us in any bid to win, but of course the real reason to take part was trying to help in any way we could, and we gave it our best shot, ending the CTF in 74th place. Not a bad showing. The teams at the top of the leaderboard must have had a lot of coffee, as I was struggling in the end with the event running 2300–0500 UK time.
Trace Labs Missing Persons CTF – The Event Itself
Moving on to the event itself: as it went live, we logged in to the portal for taking part in the CTF. We saw several individuals’ names on the boards; each individual then had information about them, their disappearance and a link to a web page describing them. From there, it was our job to find any useful information, submit it to judges for approval and try to score as many points as possible.
The point scale ranged from 10 points for basic information, through to 5000 points if you were able to locate the actual subject. At the time of writing, I don’t believe anyone was successful in doing that, but time will tell.
We started our attempts looking at a teenage girl who’d been missing for a couple of months. We felt that this would be an excellent chance to find a lot of information as the case was still fresh.
We combed through social media profiles, identifying friends and families, where they fit into the individual’s life and any tidbits that may help us find what happened or where she went. We made several submissions, and after feeling like we’d exhausted all avenues, we moved on. This process was more or less how we approached each individual we investigated.
One of the missing person websites was proving very difficult to load for both myself and Karl (my solitary teammate), as well as others according to the Trace Labs Slack. This hindered us a little as it meant we had to switch focus to other individuals, but I’m sure other teams were able to do some excellent research on those we missed.
I saw a Tiger
One of the individuals on the board for the CTF, whom I’d be remiss not to mention, was Don Lewis, famed for being at the centre of some rather fiery accusations on the recent Netflix docuseries Tiger King. We decided not to investigate Don’s case for a couple of reasons:
- Don has been missing for over twenty years. We felt we’d struggle to find useful information about him online.
- Mr. Lewis was quite old when he went missing; we thought it unlikely he’d be active online then, and even less so now if he is still alive.
- He’s definitely either under the septic tank or made into tiger food. Definitely. I’m not having any other possibilities.
Further Missing Persons OSINT Opportunities with Trace Labs
Along with the CTF, the group maintains an active Trello board that contains ongoing missing person cases that they ask the community to assist in researching; after two weeks, any new leads are packaged and sent to the relevant authorities. The CTF is essentially the same thing, but on steroids, with more people and at a much larger scale for a shorter period.
It is critical to note that the techniques used for these investigations are all passive and are based on information that can only be found using OSINT. It is strictly forbidden to try any ‘active’ techniques, such as contacting family or friends, trying out hacked passwords for social networks etc. The group have banned members who fall foul of this and with good reason.
The work done by the Trace Labs community is there to support law enforcement investigations, not to replace them. The relevant authorities have legal authority to contact individuals or to gain access to accounts as appropriate; for us to do so would go against the essence of OSINT, and we as a community must embrace these rules and abide by them.
OSINT Techniques
The techniques used for conducting research range from your traditional searches across Google and other search engines, social media (SOCMINT), business records, tax records and any other potential leads anyone could find. Some of the interesting results highlighted by Trace Labs following the event have included the use of coloured contact lenses by the individuals, insurance and death certificates. Of course, the latter is a terrible find, but as a community, we hope that all these discoveries help to bring the family some much-needed new information, or in the worst case, some closure.
Dark Web
One area that was available for research that we didn’t embark on was the dark web. There’s the potential to find some highly valuable information on Tor or other non-indexed services. However, with that comes a lot of inherent risks, and as first-timers for this particular CTF, they weren’t risks we were willing to take at this time.
When it comes to cases involving missing people, you may, of course, stumble upon the darkest areas of not just the internet, but society as a whole. Doing this from your personal laptop in the early hours of a Sunday morning might not be the best approach, especially when the risk of seeing highly-illegal material is increased. In future events, we may provision for some dark web access, but this would be with strict caveats and appropriate protections put in place for our team members.
Discounting the use of the dark web though, the CTF is a great event to allow you the flexibility to be creative in your research while doing it all for a great cause. Combing through social media posts by friends and family to understand links, and spotting content that may be relevant to why the individual went missing is highly rewarding. In one instance, we found a social media post that claimed specific individuals might have played a pivotal role in the circumstances around the disappearance. Whether or not this leads to new developments remains to be seen, but if this one tweet helps unlock the mystery, then we’ve done our job. Fingers crossed.
OSINT Tools
Something I hope we get more of on the back of this and future events is an insight into how the winning teams rack up so many points in the time allotted. I assume that they’re using a wide range of OSINT tools, such as Twint and Spiderfoot, to aid their research and speed up the process. However, I’d love to see more blogs/videos/podcasts etc. from the highest-scoring teams to understand their approach and see what I could use and adapt for my own research going forward.
For this event, we were very manual in our methods, something which I am a big advocate of, particularly when it comes to the largest social networking sites. Subtle changes and differences can and do happen constantly, so relying on tools which don’t always get updated can cause you issues. If you’re aware of how the underlying code is presented on specific pages and how to get the critical data you need, then you may take more time, but you can be assured you have the information you need.
A sweet spot is required to maximise the returns you get and the tools you use. I think this is something you never really get to grips with, and will always be a constant battle. Either way, if any of those leading point scorers are reading, please let us know your secrets!
Trace Labs Missing Persons CTF – Final Thoughts?
Overall, the Trace Labs Missing Persons CTF was a wholly worthwhile and rewarding experience. The opportunity to flex some under-used OSINT skills and help find missing people was incredibly inspiring. Seeing so many people come together and provide genuine, tangible leads that may reunite families genuinely does help to point out why we do what we do. I wholeheartedly recommend anyone reading to consider joining the Trace Labs cause on their Slack or the Trello board.
I think I’ll end this post here. I reiterate: if you have even a passing interest in OSINT, please consider joining a future Trace Labs CTF, or get involved with the community. My next post will likely include some thoughts on the Kaspersky Security Analyst Summit, taking place April 28–30th 2020. The conference is focused on APT and nation-state cyber actors, so should have plenty of interesting thoughts and opinions for CTI analysts and practitioners. If you can’t wait until then, you can follow me on Twitter and sometimes I’ll post witty tweets. They’re great, trust me.
Until then, stay safe and stay indoors.
Aaron.