Logos for conINT, The Many Hats Club, Trace Labs, and NCPTF
The inaugural conINT Intelligence Conference was held on October 17th and 18th, 2020.

Trace Labs OSINT Search Party CTF — My conINT 2020 Writeup

conINT is a two-day INTelligence conference and fundraising event hosted by The Many Hats Club, Trace Labs, and the National Child Protection Task Force (NCPTF). This year it was held live on Twitch. On the first full day of presentations and hands-on technical workshops, attendees had the opportunity to develop intelligence acquisition and analysis skills, learn about digital investigation, and more. The second day allowed attendees to apply these skills by assisting international law enforcement agencies in locating missing persons from real cases using OSINT techniques during the six-hour Trace Labs OSINT Search Party CTF.

Trace Labs

Trace Labs is a nonprofit organization founded in 2017 by Rob Sell, a search and rescue tracker and computer security professional, and dedicated to organizing global Capture-the-Flag (CTF) “Search Parties” for missing persons and children across the world. To date, Trace Labs has assisted in over 300 investigations across 35 search parties, both online and in-person at notable security conferences including DEF CON.

Trace Labs is a nonprofit organization that collects OSINT to help law enforcement find missing persons.

If you’d like to request an op for a missing person, Trace Labs has a form you can submit.

Search Party CTF — Missing Persons Gamified

During the Search Party, participants use open-source intelligence (aka OSINT) techniques to find online leads and other digital evidence — these would be the “flags” in the capture-the-flag — that will help law enforcement advance the investigation of or locate missing persons and children.

This is a strategy known as crowdsourcing — training a large, coordinated group of digital researchers of varying experience levels to search for a small number of targeted cases in the hopes of maximizing the potential return, and it seems to be very effective!

Flag Tiers

An experienced judge panel reviews all submitted flags before points are awarded to ensure the quality of the submissions passed to law enforcement. The judge for my team had very high standards, as about a quarter of my submissions were rejected, but this is reasonable and most likely to be expected of my first time. I’m certain that none of the Trace Labs staff nor any other participants desire to waste law enforcement’s time with low-quality submissions.

Flags are scored based on their potential value to the investigation, ranging from basic information such as the names and contact information of friends, at 10 points each, to recent information that could reasonably be assumed to be the subject's present location, at 5000 points per submission. The categories between these two extremes vary widely in both content and points, from the contact information of relatives, social media habits, and nearby sex offenders to the subject’s social media profiles, identifying tattoos or piercings, and even hacked accounts (with important stipulations — more on that later). Another important category covers any data about the subject found on the dark web via Tor, worth 1000 points per submission.

Each flag requires the public link (no paywall or other inaccessible links as law enforcement likely won’t have a subscription to the service) to the data, the category the flag is in, justification about why the flag is important to the case, and any supporting links or previously accepted flags that would strengthen the case for the discovered intelligence to be valid. The judges manually review submissions in real-time during the competition and in an hour between the competition end time and the winner announcement.

List of scorable categories in the Trace Labs Search Party CTF. An accessible breakdown can be found on Trace Labs’ site.
The Search Party scoring rubric

Teams

Search Party teams are capped at four members, although the number of teams allowed to participate only seems limited by infrastructure and judging capacity. There ended up being 125 teams total as teams were still forming even five minutes before the start of the event.

I joined the team Prime Detective with three team members who had more OSINT experience than I did. If at all possible, find a more experienced team willing to mentor you; I cannot recommend this enough. It should almost certainly be possible, as many teams were still looking for a fourth member a few minutes before the competition started. Don’t let inexperience stop you from asking — an inexperienced fourth team member is still better than no fourth team member at all!

The CTF is meant to be a community effort, and it’s little fun to go at it alone when you are new, especially when the subject matter can be somber at times. Your team can assist you in supposed dead ends, provide suggestions on new tools and investigation techniques, and swap subjects among team members to get a new take on the case as well. If any team members know other languages, that’s a bonus!

The Platform

Trace Labs’ OSINT Search Party CTF

Trace Labs has produced an excellent video that gives an overview of how the CTF platform functions. New participants will probably find it just as helpful as I did.

The conINT YouTube channel and logo
The conINT YouTube Channel, where talk archives are posted

conINT Talks

Day 1 of conINT hosted talks from over 25 speakers on a wide range of intelligence and investigation techniques. All of the talks from across the three tracks are now available on the conINT YouTube channel.

Here are some of the talks that I thought would best help a beginner investigator like myself immediately before starting a Search Party:

Of course, definitely watch all of the videos if you have time! They are all very well done and contain exceptional opportunities to learn.

Investigation Methods and Tools

I came into my first Search Party CTF with a bit of OSINT and investigation experience from other conferences (namely Layer 8 Con), internships, and personal projects. This prior knowledge and some excellent tools definitely helped me make a good start and score several flags in categories ranging from friends through advanced subject info.

Trace Labs OSINT Virtual Machine

It is good practice to use a virtual machine such as the Trace Labs OSINT VM, or, preferably, a completely separate physical machine (if possible) when conducting all investigations. This will avoid the possibility of inadvertently contaminating your investigation with personal accounts and other information you might not want to be connected to the missing persons cases you are researching.

Even though such an event is unlikely, making a simple mistake, such as forgetting which browser tab has your personal Facebook account and which has your Facebook account for OSINT investigations, could be costly. There’s nothing like notifying the subject or any adversaries that an OSINT professional would like to be friends with them.

A Virtual Private Network (VPN)

If you are not using one already, it is a good idea to purchase a VPN for use during this CTF, preferably one that automatically changes your IP address every few minutes, so that you remain somewhat anonymous and avoid sending and receiving a lot of data related to missing persons from a single location in a short span of time. This is simply to avoid tipping off the subject or any perpetrators that they are being researched: it is much harder to correlate a few searches or profile views each for “John Doe Washington DC” from IP addresses in Canada, Sweden, and Brazil than a hundred searches in quick succession from Rochester, NY.

Chat Platforms

A place to communicate with your team and share evidence is crucial, especially for a remote CTF. Since conINT was using Discord for conference communications already, my team chose to create another Discord server for this purpose. We created one channel per subject to gather and share important information about each of the cases.

Search Engines

While this may be obvious, most CTF participants begin researching their cases with a simple web search for “<subject> <location>” and read about any developments that Trace Labs or their sponsors may not yet have. As long as such developments are not from news media or law enforcement agencies (in which case the data will almost certainly already be known by Trace Labs), these flags can be submitted for easy points. Often they can be as simple as the relatives of the missing person making an advertisement or video with additional (frequently unverified) information about messages or sightings of the individual and/or others accompanying them.

Other popular search methods include Google’s Advanced Search, which uses search operators to filter keywords, perform logical operations, search for specific sites or file types, search Google’s cache, and many others. There is an excellent list of search operators for OSINT applications here.

Image Searching

The traditional image search is simple and powerful. Type in a name and get photos of an individual…in addition to everyone and everything else that does (and in many cases doesn’t) have a similar name. Results can usually be narrowed when coupled with a location, but I wish you luck with any subjects that have common last names for their region or nationality.

A more refined technique (and a favorite in the OSINT and infosec communities) is the reverse image search. Provided any image, a search engine can find other occurrences of that image (and in many cases, similar-looking images) online. Taking it one step further, many specialized face searching sites like PimEyes incorporate artificial intelligence to build a model of an individual’s face and then match that model against faces in images found elsewhere online. This is especially helpful if the person being investigated has changed their name or uses a pseudonym.

The sites that these images are displayed on can often reveal previously unknown social media accounts for the subject and their close relations. In other cases, they may help identify places the subject frequently visited, reveal new day-last-seen imagery, or even uncover sightings on CCTV or other footage.

Some individuals may go to greater lengths to conceal identifying facial features, tattoos, and the like through digital image manipulation. Sites like FotoForensics and Forensically can help root out these changes and deduce what parts of the image may be altered.

DeHashed

DeHashed provides deep-web scans for credential leaks and other hacked data similar to HaveIBeenPwned, the free data breach search site. The difference between HIBP and DeHashed, though (besides the cost), is that DeHashed displays the leaked or cracked passwords and other PII if it is available. Although other sites offer similar services, from what I gathered, DeHashed is often considered the most complete of the services. If you can spare the $4.50 for API access like one of my team members did, it is often well worth the investment.

While it can’t directly be used as a source for submitted flags (Trace Labs rules require that sources be publicly accessible — this means no subscription or paywall sites since law enforcement isn’t likely to have access to them), DeHashed is an excellent tool to get a glimpse into a subject’s online life, however much or little there may be. In our case, it returned results on four of the five subjects that we could then locate on publicly available sources and submit for scoring.

Be careful, though — it is AGAINST THE CTF RULES to log in or otherwise access any accounts owned by the subject or related individuals that may be returned in DeHashed’s results as it may interfere with active investigations and/or tip-off the subject or adversaries. Limit the use of this source to correlating publicly available information only.

Hunchly

Hunchly is a web capture tool and Chrome extension for OSINT investigations. As you browse the web researching a subject and collect more and more data, it often becomes difficult to correlate information and draw relevant conclusions. There were many times during the competition that I had more open tabs than I could reasonably go through, and I ended up closing them in frustration.

I started using the free 30-day trial of Hunchly on the suggestion of one of my teammates. When the extension is activated, Hunchly saves every website visited in Chrome to a case file, where pages can be viewed and categorized (“tagged”) directly in Hunchly. Its most important feature, however, is selectors. Creating a text selector causes Hunchly to scan all collected web pages for that string of text. Multiple selectors can be created and saved, and Hunchly keeps scanning newly collected pages against them as well. Hunchly also extracts images and files from websites and lets the user view each type of data aggregated in its own tab. As the number of collected pages grows into the hundreds (or thousands), Hunchly’s search slows down, but I didn’t notice any major performance issues when I had collected 500 pages at one point.
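To make the selector idea concrete, here is an added example of my own (not Hunchly’s code) that scans an in-memory set of captured pages for watched strings. It mirrors the two behaviours described above: a selector added later is applied to pages already collected, and a newly collected page is checked against every saved selector. The captures, hostnames, and handles are constructed placeholders, not real case data.

```python
"""Selector scan over locally collected web pages.

Added example (not Hunchly's code): reproduces the text-selector idea on an
in-memory capture.  New selectors are applied to pages already collected, and
new pages are checked against every saved selector.  The captures below are
constructed samples with placeholder handles, not real investigation data.
"""
import re
from html.parser import HTMLParser


class _TextExtractor(HTMLParser):
    """Collect visible text, skipping <script> and <style> contents."""

    def __init__(self):
        super().__init__()
        self._skip = 0
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def visible_text(html):
    """Return the page's visible text with whitespace normalised."""
    parser = _TextExtractor()
    parser.feed(html)
    parser.close()
    return " ".join(" ".join(parser.parts).split())


class SelectorIndex:
    """Hunchly-style text selectors over a growing set of captured pages."""

    def __init__(self, selectors=()):
        self.selectors = []
        self.pages = []   # (page_id, url, visible text)
        self.hits = {}    # selector -> [(page_id, url, snippet)]
        for s in selectors:
            self.add_selector(s)

    def add_selector(self, selector):
        if selector in self.hits:
            return
        self.selectors.append(selector)
        self.hits[selector] = []
        for page in self.pages:            # retro-scan what is already collected
            self._match(page, [selector])

    def add_page(self, page_id, url, html):
        page = (page_id, url, visible_text(html))
        self.pages.append(page)
        self._match(page, self.selectors)  # new page vs. every saved selector

    def _match(self, page, selectors):
        page_id, url, text = page
        haystack = f"{url} {text}"         # handles often appear only in the URL
        for s in selectors:
            for m in re.finditer(re.escape(s), haystack, re.IGNORECASE):
                snippet = haystack[max(0, m.start() - 30): m.end() + 30]
                self.hits[s].append((page_id, url, snippet))


# Constructed sample captures (page_id, url, html); placeholder names only.
CAPTURES = [
    ("p1", "https://social.example/profile/jdoe_example",
     "<html><body><h1>J. Doe</h1><p>Contact: jdoe@example.invalid</p>"
     "<script>var mail = 'jdoe@example.invalid';</script></body></html>"),
    ("p2", "https://news.example/story/123",
     "<html><body><p>Police received tips that the subject was seen near "
     "Example City.</p></body></html>"),
    ("p3", "https://forum.example/t/9",
     "<html><body><p>user &quot;jdoe_example&quot; posted a photo taken at "
     "Example Diner</p></body></html>"),
]


def build_index():
    """Collect the sample pages, then add selectors after the fact."""
    idx = SelectorIndex(["jdoe_example"])
    for page_id, url, html in CAPTURES:
        idx.add_page(page_id, url, html)
    idx.add_selector("example diner")        # added after collection: retro-scan
    idx.add_selector("jdoe@example.invalid")
    return idx


if __name__ == "__main__":
    for selector, hits in build_index().hits.items():
        print(selector, "->", [(pid, url) for pid, url, _ in hits])
```

Matching runs over the URL as well as the visible text because a username frequently shows up only in a profile path; script and style contents are skipped so a value embedded in page JavaScript is not counted as a second sighting.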

If you do many digital investigations, I suspect that Hunchly would be well worth the price at $130 per year. Even if you don’t, I still highly recommend obtaining a trial for the Search Party.

Tool Aggregators

These spreadsheets are not mine, but they are a fantastic resource for “I have (a type of OSINT data), how do I pivot?” questions.

Modifying my CTF Approach

As always, I also learned many new or more effective techniques from my teammates and other competitors during the Search Party CTF.

Burner Phone Number

Almost any popular social network or communications service used today will require a phone number as a way to verify identities and deter spam. This, of course, resulted in the introduction of burner phone apps and numbers (such as Burner and Hushed). Unfortunately, most services will recognize and decline these numbers for verification purposes now that they are proliferating.

Social media accounts play a huge role in investigations and the Search Party. They are a category that I have not yet been able to effectively participate in due to my lack of any sockpuppet accounts (more on that later). However, I was fortunate to have a team with good sockpuppet accounts that provided us flags and other useful information in the available cases. For the next CTF, I plan to purchase a cell phone number and an inexpensive and pay-as-you-go plan from Tracfone to set up burner accounts.

Sockpuppets

Since I don’t have any presently, I plan on setting up “sockpuppets,” or fake accounts with reasonable pretexts, before the next CTF. In social engineering, a pretext is a fabricated scenario (in this case, a person) that could pass as realistic to the target audience.

There are a few important precautions that I learned to take when setting up sockpuppets:

  1. NEVER link your real identity to that of your sockpuppet. Since Trace Labs CTFs search for real missing persons, there’s always the possibility that a real kidnapper or another malicious individual involved with the case may notice your account(s). As previously mentioned, it is best to use a virtual machine such as the Trace Labs OSINT VM or preferably a completely separate physical machine (if possible) when conducting all investigations to avoid any overlap of personal data and that of your sockpuppets.
  2. An older account will be less likely to draw scrutiny than an account created a few days ago. Accounts with a significant amount of activity during certain timeframes (say, a few days before a CTF) that are mostly inactive for the rest of the year will also raise eyebrows.
  3. Having multiple accounts will help avoid suspicion and can circumvent blocks by accounts relevant to the CTF cases. Still, it may also increase your risk of being flagged or suspended by social networks if you use the same email or phone number multiple times. Starting over with new accounts and different pretexts erases all previous credibility your accounts may claim to have, and creating new accounts and pretexts will take time.
  4. Adding or following a significant number of missing persons on a social network will make you look suspicious to the subjects or the individuals mentioned above. They will be less likely to interact with the account and more wary of other players’ attempts to research them.

There is an excellent, reasonably up-to-date list of the most popular social media apps used by teens frequently posted in articles discussing Trace Labs CTFs (although it was last updated in March 2020 as of this writing, so I would probably add TikTok to the list). Creating sockpuppets on these platforms and other popular platforms like Facebook and other apps with social media-esque features such as Venmo will allow you to maximize the amount of OSINT that you can collect during the competition.

A note — some of these services are mobile-only, which can be inefficient for investigators (especially when time is of the essence), but this can be easily circumvented using platforms such as Android in a Box. Just be sure not to be signed in on both OSes at the same time.

Visualizing Data

Templates

At the start of the Search Party, I had no difficulty discovering information about the subjects. The challenge came when I was expected to determine which information was relevant to the case and what could be submitted as a flag. The amount of data a CTF like this can return is incredible, even for more experienced competitors than myself.

For the next Search Party, I plan to have OSINT templates prepared with fields for common flags (based on the scoring rubric and similar data I found myself collecting throughout the process) so that when I find a particular flag, I can immediately know its relevance and how to score it.
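Here is an added example of what such a template could look like in code; it is my own illustration, not Trace Labs’ platform. It encodes the submission requirements listed earlier (a public link, a category, a justification, and optional supporting links) as a pre-flight check so that a draft flag is sorted into “ready” or “needs work” before it goes to a judge. Category names and point values are limited to what is stated above (the rest are left as `None` to be looked up in the official rubric); the subscription-host list and the sample drafts are constructed placeholders.

```python
"""Flag-submission template and pre-flight checker.

Added example, not Trace Labs' code.  Encodes the submission requirements the
post lists: a publicly accessible link, a known category, a justification, and
any supporting links.  Points are only filled in where the post states them.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Categories named in the post; None means "look it up in the official rubric".
CATEGORY_POINTS = {
    "friends": 10,
    "relatives contact": None,
    "social media profile": None,
    "tattoos/piercings": None,
    "hacked accounts": None,
    "dark web": 1000,
    "present location": 5000,
}

# Constructed deny-list of hosts that need a subscription; dehashed.com is the
# one the post itself says cannot be used as a flag source.
SUBSCRIPTION_HOSTS = {"dehashed.com", "paywalled-people-search.example"}


@dataclass
class FlagDraft:
    subject: str
    category: str
    link: str
    justification: str
    supporting: list = field(default_factory=list)


def _public_url_problem(url):
    """Return a problem string if `url` is not something a judge can open."""
    u = urlparse(url)
    if u.scheme not in ("http", "https") or not u.hostname:
        return f"{url!r} is not an http(s) URL"
    host = u.hostname.lower()
    if host in SUBSCRIPTION_HOSTS or any(host.endswith("." + h) for h in SUBSCRIPTION_HOSTS):
        return f"{host} requires a subscription, so law enforcement may not be able to open it"
    return None


def check(draft):
    """Return a list of problems; an empty list means the draft is ready."""
    problems = []
    if draft.category not in CATEGORY_POINTS:
        problems.append(f"unknown category {draft.category!r}")
    p = _public_url_problem(draft.link)
    if p:
        problems.append("link: " + p)
    if len(draft.justification.split()) < 8:
        problems.append("justification is too thin to show why this matters to the case")
    for s in draft.supporting:
        p = _public_url_problem(s)
        if p:
            problems.append("supporting: " + p)
    return problems


def triage(drafts):
    """Split drafts into (ready, needs_work); ready is sorted by known points."""
    ready, needs_work = [], []
    for d in drafts:
        (needs_work if check(d) else ready).append(d)
    ready.sort(key=lambda d: CATEGORY_POINTS[d.category] or 0, reverse=True)
    return ready, needs_work


# Constructed sample drafts for one subject (placeholder hosts and content).
SAMPLE = [
    FlagDraft("subject-1", "friends", "https://social.example/u/friend_a",
              "Friend tagged with the subject in photos from the month before "
              "the disappearance; the profile lists a phone number."),
    FlagDraft("subject-1", "relatives contact", "https://dehashed.com/search?query=x",
              "Breach record ties the subject's name and city to this email "
              "and a relative's phone."),
    FlagDraft("subject-1", "present location", "https://video.example/watch?v=tip",
              "Posted last week by a relative: a sighting with a street name "
              "and a photo of the subject at a bus stop.",
              supporting=["ftp://archive.example/old"]),
]

if __name__ == "__main__":
    ready, needs_work = triage(SAMPLE)
    print("ready:", [d.category for d in ready])
    for d in needs_work:
        print("needs work:", d.category, check(d))
```

The second sample draft is rejected purely for its link: the finding itself may be real, but a judge needs a public page that shows the same information, which is exactly the “locate it on a publicly available source, then submit” step described in the DeHashed section.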

Mind Maps

I saw several teams mention using mind mapping software throughout the competition. I hadn’t considered this, but a shareable mind map from LucidChart or another free online service for each subject could be an excellent medium for an OSINT template. Not only this, but keywords from a template would make great Hunchly selectors, and the free-flowing form of a map (as opposed to a static document or note-taking software) may indicate connections between concepts more effectively and provide an easy way to populate the supporting information field of the submission requirements.
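As an added example (mine, not from any tool mentioned here), the following sketches the mind-map idea as a small link graph: each entity is a node, each pivot is an edge labelled with the page it was seen on and whether that page is publicly accessible, and the shortest chain from the subject back to a finding becomes the supporting-links list for a submission. The entities mirror the redacted pivot chain described later for Subject #1; all names and URLs are constructed placeholders. Because the non-public DeHashed hop is recorded but flagged, it stays in the investigator’s notes and is left out of the supporting links, and anything that does not connect to the subject at all shows up as a separate component.

```python
"""Entity link graph for one subject: pivots, their sources, and provenance.

Added example, not from the post or any tool it names.  Nodes and URLs are
constructed placeholders standing in for the redacted Subject #1 chain.
"""
from collections import defaultdict, deque


class LinkGraph:
    def __init__(self):
        # node -> {neighbour: (source_url, public)}
        self.edges = defaultdict(dict)

    def link(self, a, b, source, public=True):
        """Record that `a` led to `b` via a page at `source`."""
        self.edges[a][b] = (source, public)
        self.edges[b][a] = (source, public)

    def chain(self, start, goal):
        """Shortest list of nodes from start to goal, or [] if unconnected."""
        prev = {start: None}
        queue = deque([start])
        while queue and goal not in prev:
            n = queue.popleft()
            for m in self.edges.get(n, {}):
                if m not in prev:
                    prev[m] = n
                    queue.append(m)
        if goal not in prev:
            return []
        path, n = [], goal
        while n is not None:
            path.append(n)
            n = prev[n]
        return path[::-1]

    def hops(self, start, goal):
        """(from, to, source_url, public) for every edge on the chain."""
        nodes = self.chain(start, goal)
        return [(a, b, *self.edges[a][b]) for a, b in zip(nodes, nodes[1:])]

    def supporting_links(self, start, goal):
        """Public sources along the chain, in order, without duplicates."""
        links = []
        for _, _, src, public in self.hops(start, goal):
            if public and src not in links:
                links.append(src)
        return links

    def component(self, start):
        """Everything reachable from start; unrelated finds fall outside it."""
        seen, queue = {start}, deque([start])
        while queue:
            n = queue.popleft()
            for m in self.edges.get(n, {}):
                if m not in seen:
                    seen.add(m)
                    queue.append(m)
        return seen

    def to_dot(self):
        """Graphviz DOT text; non-public hops are drawn dashed."""
        lines, done = ["graph subject {"], set()
        for a, nbrs in self.edges.items():
            for b, (src, public) in nbrs.items():
                if frozenset((a, b)) in done:
                    continue
                done.add(frozenset((a, b)))
                style = "" if public else ", style=dashed"
                lines.append(f'  "{a}" -- "{b}" [label="{src}"{style}];')
        lines.append("}")
        return "\n".join(lines)


def subject1_graph():
    """Constructed stand-in for the Subject #1 pivot chain described above."""
    g = LinkGraph()
    g.link("subject name + city", "email (redacted)",
           "https://dehashed.example/search", public=False)  # investigator notes only
    g.link("email (redacted)", "Throwbin dump", "https://throwbin.example/paste/XYZ")
    g.link("email (redacted)", "TruthFinder listing", "https://truthfinder.example/listing")
    g.link("TruthFinder listing", "guardian phone number", "https://truthfinder.example/listing")
    g.link("TruthFinder listing", "guardians' names", "https://truthfinder.example/listing")
    g.link("guardians' names", "guardians' Facebook", "https://facebook.example/guardian")
    g.link("TruthFinder listing", "YouTube interview", "https://youtube.example/watch?v=interview")
    g.link("YouTube interview", "Instagram username", "https://youtube.example/watch?v=interview")
    g.link("guardian phone number", "Whitepages addresses", "https://whitepages.example/lookup")
    g.link("unrelated email (redacted)", "old forum account", "https://forum.example/u/old")
    return g


if __name__ == "__main__":
    g = subject1_graph()
    print(" -> ".join(g.chain("subject name + city", "Instagram username")))
    print(g.supporting_links("subject name + city", "Instagram username"))
    print(g.to_dot())
```

Paste the DOT output into any Graphviz viewer to get the map; the `chain`/`supporting_links` pair is what fills the “supporting links or previously accepted flags” field without having to dig back through a chat log.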

Reports

In addition to the first, second, and third places in the CTF, Trace Labs also offers a Most Valuable OSINT (MVO) Award. This award goes to a team that has the highest value and/or most complete flag submission. Per the judges, the winner of this award during the conINT Search Party, team Hansolo, apparently submitted a full report on one of the subjects that was “good enough we could probably just hand it to law enforcement.”

In my opinion, this is an excellent idea. I feel that reports are totally within reach of most teams who collected and shared information among their members but then simply left the collected data to get buried in a group chat as soon as it was submitted for a flag. It might be in the best interest of teams that plan to go after this award to spend some time throughout the competition compiling a report as they find relevant data, both for their benefit and for that of Trace Labs, which will have to spend less time compiling the raw OSINT collected during the Search Party into a deliverable that can be used by law enforcement.

The Search Party CTF scoreboard at the end of the competition

Investigative Steps

Subject names and sensitive data have been redacted for privacy.

Subject #1

Subject #1 was a missing child, last seen leaving their home earlier this year. It was the most recent case we researched. After noting important physical characteristics from missing persons sites and social media accounts (not submitted for a flag because these were already known), we began searching for the subject's name.

Our first search brought up a local news article that stated police in a nearby city were receiving tips that the subject was in the area a few months after they had gone missing.

Next, we used DeHashed to match the subject’s name and location to an email address. This couldn’t be submitted for a flag because it isn’t publicly accessible by itself, but really helped later in the investigation.

Searching DeHashed

Searching for that email address led to a Throwbin dump containing cracked usernames and passwords. The dump contained the subject’s username and password to a paid service.

===================
Username: (redacted)
Password: (redacted)

As Combo: (redacted):(redacted)
Proxy: (redacted)
Current Plan: Premium
...
Country: (redacted)
(Cracker name) | by (author)
===================

Continuing, the email address also resulted in a directory listing on TruthFinder, which contained a phone number and possible guardians or relatives.

These results led us to their guardians’ Facebook accounts. They both had banners and profile pictures announcing a reward for finding the missing subject. The mother’s account was tagged with multiple last names.

Next, we found a YouTube interview with the mother and a relative from the TruthFinder result. This interview was beneficial because it mentioned several things that were not listed in the missing persons reports:

  • Ancestral details
  • Family matters
  • Times the subject had been missing previously, where they were found, and the individuals that were found with them
  • An Instagram account username

This Instagram account hadn’t turned up in our search results. They also stated their personal cell phone numbers.

There was another Instagram account we found under a different name but with the subject’s photo. Unfortunately, it was set to private.

Using Whitepages and the phone numbers we found, we obtained the subject’s parents’ current and previous addresses. We also performed sex offender and criminal checks on the neighborhood through a government website and obtained two local results.

Unfortunately, we were not able to get any further with this subject. Our remaining efforts mostly resulted in duplicates.

Subject #2

Subject #2 was also a missing child, although the case was about a year old. Unfortunately, they had very little information on them beyond what was already provided by missing persons services and news articles.

We were able to find Facebook and Instagram accounts for the subject by searching. We also found a Pinterest pin that stated the subject had gone missing a few months before this disappearance but was found quickly.

Subject #3

Subject #3 was reported missing several years ago. There were no new developments in the case, as reported by law enforcement or the media.

We found the subject’s Facebook and LinkedIn accounts via a search. We also used DeHashed and found an email address, an address, and a phone number. On Facebook, we identified close relatives and the subject’s children. We identified a vehicle by guessing the make and model and comparing results to the image but could not look up the license plate.

Then we noticed that the subject frequently liked pages relating to emigration to a specific country. Fortunately, one of our team members spoke the language! Switching to search results specific to that country gave us new results.

Unfortunately, we soon identified a memorial post on a Facebook page containing a gravestone inscription. Further research on the page determined that the subject had passed away due to complications from the pandemic.

(significant chapter of a religious book)
Grave number: (redacted)
(subject name)
The date is (redacted)
(religious phrase for a deceased loved one)
Goodbye
Have mercy on (them)

This was very sad to find, but at least their loved ones know what happened.

Subject #4

Subject #4 had been missing for a little over a year. There were no new developments in the case, as reported by law enforcement or the media.

The subject had many results on DeHashed. It took us quite a while to sift through these:

  • Three potential email addresses
  • Seven usernames
  • Two addresses
  • Two IP addresses
  • Two phone numbers
  • Four compromised services
  • One cracked password
  • Three hashed passwords

We eventually determined that only one of the email addresses was relevant based on additional DeHashed searches. By searching for this email, we were able to find additional accounts on several streaming services, Facebook, LinkedIn, and YouTube.

We also found a close relative tagged on Facebook.

Unfortunately, we were unable to find any other relevant information on the subject after this.

Subject #5

Subject #5 had gone missing two years ago. Unlike the previous cases, they had many developments in their case (later identified to be mostly due to the family’s repeated attempts to locate the subject). Many of these articles appeared in search results.

CCTV footage of the subject in a store before their disappearance was available on a missing persons website, but additional outdoor CCTV footage supposedly of the suspect and another individual appeared on a police video site a year later.

During an interview with a popular YouTube missing persons channel, the family claimed that the subject had been sighted at various locations near their hometown, making a timeline incredibly difficult to construct. They also detailed a significant amount of information, including:

  • A partial timeline of the subject’s actions on the day last seen
  • Interviews of people claiming to see the subject on the day last seen
  • The subject’s close relatives and children
  • Multiple social media accounts dedicated to finding the subject
My attempt to organize some of the information around this subject in a mind map

Unfortunately, due to the complicated timeline and concerns over the reliability of most of the information available online, we spent more time with the previous cases.

Conclusion

The scoreboard at the end of the event

My team, Prime Detective, took 24th place of 125 teams that submitted flags during the Search Party. I was able to submit several high-value flags, which I was delighted to be able to do for my first time playing. I am also grateful to my teammates for answering my many questions, and cannot wait to participate in future Trace Labs events.

Trace Labs Contestant 2020 Badge
The Trace Labs Contestant badge — maybe a winning badge will be in my future, hopefully?
4575 submissions processed, 1351 submissions rejected, 3225 submissions accepted.
A breakdown of the Search Party Results published by Trace Labs

Written by

DFIR, CTFs, disinformation, STEM education, and pretty much anything else that comes to mind. RIT Computing Security ’22. wyatttauber.com
