OSINT Search Party
Cyber Hunter Academy write-up | A rookie team approach
Last Saturday, June 26th, I participated in the OSINT Search Party, a CTF organized by Trace Labs. This OSINT-focused CTF has one distinctive feature: the goal is to find information that can help solve missing persons cases. These are real, open cases; the information obtained is reviewed and forwarded to the law enforcement agencies in charge of each case. In a collaborative and gamified format, teams have six hours to submit flags (clues), which the judges evaluate and reward with points.
Also, in this CTF there is not always a solution for every case. When you test your skills on Hack The Box, for example, you start from the premise that there is a way to get into the machine: there is a solution. Here that is not the case. You can find something, or you can find absolutely nothing.
Our team of 3 managed to validate 29 flags, which gave us 1270 points and placed us 63rd. For context, there were 250 teams participating, of which 171 managed to score.
As you will see, the teams at the top of the table left most participants far behind in points. I wish those teams would publish their own write-ups; I'm sure we have a lot to learn. I would love to read a write-up from the winners, M3SS and Palenath.
Our team was able to submit information on all 4 cases presented to us. In two of them, we obtained pieces of information worth 150 points. We were not able to get anything in two categories: Day Last Seen and Dark Web.
We got most of the flags from information sources that are available to everyone and not technically complicated: search engines, social networks and other web services.
From this first experience, I have taken away a lot of lessons learned, put new ideas into practice and have been able to apply OSINT for Good.
But let's go back a little further. Days before the CTF, Jezer contacted several members of Cyber Hunter Academy. He wanted to help this good cause and offered to sponsor our participation. He also decided to help in other ways, but I'll leave that to him to tell. So we signed up several people and formed two teams:
The three members of the CyberHunter_ES team are researchers and enthusiasts of OSINT, intelligence methodologies, ethical hacking and cybersecurity.
Our backgrounds and interests are varied, which is always interesting for this type of CTF. Of the three team members, only Jaime had participated in a CTF of this type before. Alvaro and I (Naiara) were new to this field.
If you already know how OSINT Search Party works, I invite you to jump directly to the section about our participation. If not, I recommend you to keep reading.
Search Party CTF
Rules and restrictions
The CTF has a number of rules, of which I would like to highlight three:
1. Passive Reconnaissance
This means that you can observe and collect evidence, but not engage, for two reasons: to avoid accidentally interfering with an active investigation, and to avoid causing further pain or trauma to family members. Zero contact. Tagging, sending friend requests, "liking" and any other interaction is prohibited. The penalty is expulsion from the CTF.
2. Login Attempts/Password Resets
As a corollary to the above, login attempts and password resets are absolutely prohibited. This includes attempting to log in with passwords obtained through OSINT, and also initiating any password recovery process. This matters: there was at least one case of a team being banned for violating this rule.
In my view, Trace Labs takes a conservative approach. Many researchers understand that password recovery flows differ between platforms: on some, a notification reaches the user as soon as you start the process; on others, you are first shown a notice with a censored version of the email address before any notification is sent. But there can always be a rookie, or someone who simply clicks where they shouldn't, so this rule is strictly enforced.
3. Information must be accessible and verifiable.
Both by the judges and by law enforcement. Every flag you submit must be checkable. Information behind a paywall is not worth any points because it cannot be verified. It would be interesting to know Trace Labs' stance on using paid services to identify valuable information and then using freely accessible services to back up and document the evidence.
At the exact start time of the CTF, the participants, organized in registered teams, gain access to a platform.
On it, we were presented with 4 cases. Each case comes with a link giving some information about the disappearance. In some instances, the starting information is very brief.
When the team finds something of interest, they submit it to the corresponding case. For each submission, you choose the category of information, provide a URL for the judge to verify, and properly contextualize the evidence. There are several categories:
This last part is key: you must explain why you consider the piece of information relevant and how it is linked to the case. An image can also be attached to support the submission.
One of the things we wanted to do was give the virtual machine created by Trace Labs a try. We customized it a bit: updates, keyboard layout, the OSINT Combine bookmarks, Data Miner, Scraper, Hunter, One Click Reverse / Search by Image, Full Page Screen Capture, VLC video downloader...
The reality is that although the machine was ready on time, not everyone on the team had it downloaded and running before the event started. Clearly a lesson learned for the future.
In the end, everyone used what they had ready. In my case, the Trace Labs machine. But as I had not had time to familiarize myself with it, I spent almost all of the time on advanced searches and dorks in Google and other search engines and web tools.
In addition, we decided to use Discord to communicate with each other and Telegram as plan B.
We were presented with four cases; for privacy reasons I will redact identifying information.
- James Doe. Adult male, Canada. Missing for six months.
- John Doe. Young man, USA. Four months missing.
- Jane Doe. Young woman, UK. Two years missing.
- Jade Doe. Teenage female. Less than a month missing.
We each chose one case to start with and put one on hold. We agreed to rotate cases as we got stuck and at any time if we felt overwhelmed.
Since in almost all cases the information was limited to the subject's name, age, and place and date of disappearance, the first thing we did was launch a quick search: "first name last name" + "location". This usually gave us more information about the case, mostly from news sites. Information from news sites does not earn points, but it contains valuable context for the investigation.
In addition, you can find information about family and friends, which is worth between 10 and 20 points if the relationship is meaningful.
In all cases the search engines gave us useful information. In some, such as James Doe, we had to use operators to exclude results, because the name matched another person with a large Internet presence. To reduce noise, we excluded results mentioning that person's profession.
Four different people, with different demographics. The social media usage profile of an adult male in Canada differs from that of a teenage girl in the USA. To make the best use of search time, take demographics into account when prioritizing searches. Articles on platform demographics, such as this one, can help.
With James Doe we were starting with a Facebook account with hardly any content and a possible unverified Instagram account. We weren’t able to find Facebook accounts of family members, but I know other teams did.
John Doe was relatively frustrating. Given his demographics, it was unusual not to find any social network accounts. We didn't find them, but other teams did:
- One team checked Steam and found an account where the name matched, the activity dated from before the disappearance and the location matched the one identified. From there they pivoted to other social networks using WhatsMyName. Most interestingly, they found a YouTube channel with several playlists, one of which was updated after the disappearance. The keys to validating these accounts were the reuse of the profile picture and username, plus matching interests.
- Another team located on Twitter a post in which the father of a college classmate shared the missing poster. From there they located the friend, then the friend's Steam account, and finally the missing person's Steam account. A great example of lateral movement/pivoting.
What we did find was the Facebook account of his mother and other relatives. With them we were able to identify his father and sister.
From a photo posted by his mother showing his father in work clothes, we formed a hypothesis about the father's profession, which we could not validate. And through his parents' data we were able to locate the family's exact address, which we documented with a screenshot from Google Maps.
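The two techniques used above, the name-plus-location search with exclusion operators and the username/profile-picture pivot to other platforms, can be made repeatable. The following is an added example, not code from the write-up or from Trace Labs: the engine URL templates, handle patterns and signal weights are assumptions, and the sample subject is constructed, not a real case.

```python
"""Query builder and candidate-account scorer for name/location searches and
username pivoting. Added example; engines, handle patterns and weights are
assumptions, and all sample data is constructed."""
from itertools import product
from urllib.parse import quote_plus

# Assumed search URL templates; any engine that understands quoted phrases
# and the -term exclusion operator works the same way.
ENGINE_URLS = {
    "google": "https://www.google.com/search?q={q}",
    "bing": "https://www.bing.com/search?q={q}",
    "duckduckgo": "https://duckduckgo.com/?q={q}",
}


def build_query(name, location=None, exclude=(), sites=()):
    """Quoted name and location, minus noise terms (for example a namesake's
    profession), optionally limited to given domains with site: operators."""
    parts = [f'"{name}"']
    if location:
        parts.append(f'"{location}"')
    for term in exclude:
        parts.append(f'-"{term}"' if " " in term else f"-{term}")
    if sites:
        parts.append("(" + " OR ".join(f"site:{s}" for s in sites) + ")")
    return " ".join(parts)


def search_urls(query):
    """One URL per engine, with the query percent-encoded."""
    return {name: tmpl.format(q=quote_plus(query)) for name, tmpl in ENGINE_URLS.items()}


def username_candidates(first, last, birth_year=None):
    """Handle patterns worth feeding to a WhatsMyName-style enumerator.
    The pattern set is an assumption, not an exhaustive list."""
    first, last = first.lower(), last.lower()
    stems = {first + last, f"{first}.{last}", f"{first}_{last}",
             first[0] + last, first + last[0], last + first}
    suffixes = [""]
    if birth_year:
        suffixes += [str(birth_year), str(birth_year)[-2:]]
    return sorted(stem + suffix for stem, suffix in product(stems, suffixes))


# Weights for the corroborating signals named in the text. The numbers are an
# assumption; the point is that no single signal confirms a match on its own.
WEIGHTS = {"username reuse": 2, "profile picture reuse": 3, "location match": 1,
           "activity predates disappearance": 1, "interests overlap": 1}


def score_candidate(profile, subject):
    """Return (score, reasons) for a candidate account against what is known
    about the subject. Dates may be date objects or ISO strings (both order
    correctly); avatar_hash is any hash computed the same way on both sides."""
    reasons = []
    if profile.get("username") in subject.get("known_usernames", ()):
        reasons.append("username reuse")
    if profile.get("avatar_hash") and profile["avatar_hash"] == subject.get("avatar_hash"):
        reasons.append("profile picture reuse")
    if profile.get("location") and profile["location"] == subject.get("location"):
        reasons.append("location match")
    last_active, missing_since = profile.get("last_active"), subject.get("missing_since")
    if last_active and missing_since and last_active < missing_since:
        reasons.append("activity predates disappearance")
    if set(profile.get("interests", ())) & set(subject.get("interests", ())):
        reasons.append("interests overlap")
    return sum(WEIGHTS[r] for r in reasons), reasons


if __name__ == "__main__":
    # Constructed sample input, not a real case.
    q = build_query("James Doe", "Toronto", exclude=["lawyer", "law firm"])
    print(q)
    for engine, url in search_urls(q).items():
        print(engine, url)
    print(username_candidates("John", "Doe", 2001))
    subject = {"known_usernames": {"johndoe01"}, "avatar_hash": "a1b2",
               "location": "Austin, TX", "missing_since": "2021-02-15",
               "interests": {"gaming", "guitar"}}
    profile = {"username": "johndoe01", "avatar_hash": "a1b2", "location": "Austin, TX",
               "last_active": "2021-01-30", "interests": {"gaming"}}
    print(score_candidate(profile, subject))
```

The scorer deliberately returns the list of reasons alongside the number: that list is what goes into the submission's justification field, and a candidate with only one weak signal (a location match, say) should be treated as a lead to pivot from, not as a flag.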
We were able to reconstruct almost the entire family tree of Jane Doe (mother, father, siblings, cousins and aunts and uncles) and link it to specific Facebook profiles. In addition, her family’s postings led us to identify other people of interest, hobbies and photos that we were able to use in image searches.
We also identified her father's business Facebook page and his Google Maps profile, which led us to what I consider the most disturbing flag of all: a review accusing one of the employees of improper conduct with minors. We couldn't identify the employee, so we documented everything as best we could and submitted it as a flag.
This flag is a good example of a premise any participant should keep in mind during a CTF of this nature: the line between what you as a CTF participant can do and what is the responsibility of the law enforcement handling the case.
Searches on Jade Doe turned up a large number of profiles, but they were difficult to confirm, mainly because they were either private or had little content. And in many instances that content was images or photos that were neither of her nor about her.
Where we got more information was a YouTube account with a couple of videos posted. None of them showed her face, since they were recorded from her point of view, but we found no evidence against the hypothesis that the account was hers.
The age of the person recording matched Jade's age at the time of the video, as did what appeared to be the location, a school. Analyzing the video frame by frame, we identified a mark on her left hand, which we submitted as a flag (Advanced Subject Info, possible unique identifier).
Another participant commented that, in his frame-by-frame analysis, he was able to identify the exact location of the school. Taking the place of residence into account, he found out which schools were in the area and identified the right one thanks to the school's mascot.
Other information sources
Our team identified and cross-checked most of the flags using search engines (Google, Yahoo, Bing, etc.) and social networks. We used other web services to help us validate the information obtained and to support it.
Through True People Search we obtained physical and email address information for both the missing persons and family members in the USA. We searched for those email addresses on Have I Been Pwned and similar services to learn which online services they use.
We would have liked to use some sources we know to be very valuable, such as Pipl, but it fell into the paywall category and was ruled out.
It is an experience I would like to repeat, and one that adds value on many levels.
First of all, I hope that some of the flags submitted by one of the teams can shed light on one of the missing persons cases we investigated.
Secondly, it's an awesome CTF to test your skills in a real environment under pressure (remember the six-hour time limit).
And thirdly, it’s a great opportunity to work in a team and test and learn new skills and tools.
From these intense 6 hours of participation, I come back with several ideas that I would like to put into practice in the next event:
- Document yourself. Read write-ups from other participants, both from the winners, who will leave you with your mouth open, and from teams closer to your own level. Learn what works and what doesn't.
- Maximize the team. This CTF had four missing persons cases. There were three of us. That means there was always at least one case that wasn’t getting attention.
- Diversify the team. You are investigating people. It is very helpful to have people with different skills and interests. One of our cases had occurred in a French-speaking area and none of our team members spoke French. Is that a serious handicap? Probably not. But when you only have 6 hours for 4 cases, it’s better to spend them on research than on translating text.
- Communicate. Establish a communication channel beforehand. Ideally, one that supports text, voice and screen sharing. Test it in advance.
- Have your work environment ready. We wanted to test the virtual machine created by Trace Labs, with some modifications (updates and extra tools). The machine was ready on time, but we didn’t have time to share it among all team members.
- Have working templates ready, like this one or this one, or structured ways of organizing information. Make sure you can work collaboratively in real time. You can spend an hour on a case and then pass it on to a colleague; the idea is that your partner can pick up where you left off, not start from scratch.
Things I would do again
We also got a lot of things right. I list them here and invite you to add them to the list of lessons learned; the combination of the two is key.
- Make it easy for the judge to review the flag. In other words, document each submission well. Use the text fields to explain your reasoning. Take advantage of the option to attach an image. Consider whether a mind map would support your evidence when it is hard to express in text.
- Be polite to the judge and understand his or her role, mission and method of evaluation. Read the judge’s guide.
- Familiarize yourself with the platform. If you have not participated before and your teammates have, ask them to explain their experience. Read the participant’s guide.
- Use a virtual machine and test it in advance. Follow the guidelines from Trace Labs or Michael Bazzell’s great book, Open Source Intelligence Techniques.
- You research people, and people often have social network accounts. Even if your target doesn't, the people around them probably do. Create sock puppet accounts. Be aware that they can be banned, and have a plan B if you can.
- Be aware of demographics. The Internet and social media usage profile of a teenage female in the US is not the same as that of an adult male in Canada. The differences in the social networks they use, lingo and how they interact can be huge.
- Stop when you need to stop, and play as a team. When researching real cases, you may encounter complicated issues. Take a few minutes off or switch cases if you need to.
- Be aware of your biases. And in an event like this, primarily illusory correlation bias and confirmation bias.
- Don’t lose sight of the goal. Which is none other than to assist law enforcement in their investigations. Understand where your work begins and ends.
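The two lessons about documentation (structured templates that let a teammate take over a case, and submissions a judge can verify without guesswork) can be enforced with a small evidence record. The following is an added example, not part of the write-up or of Trace Labs' platform: the category names and the list of paywalled domains are assumptions, and the sample flags are constructed.

```python
"""Evidence record for a Search Party flag: category, verifiable URL, the
reasoning the judge needs, and an integrity hash of the screenshot. Added
example; category names and the paywalled-domain list are assumptions."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional
from urllib.parse import urlparse

# Assumed category names; use the ones the platform lists.
CATEGORIES = {"Friends", "Family", "Employment", "Basic Subject Info",
              "Advanced Subject Info", "Day Last Seen", "Dark Web"}
# Constructed list of people-search sites behind a paywall: a judge cannot
# open them, so a flag pointing there scores nothing.
PAYWALLED = {"pipl.com"}


def sha256_hex(data: bytes) -> str:
    """Integrity hash of a screenshot, so a hand-off can prove it is unchanged."""
    return hashlib.sha256(data).hexdigest()


def now_utc() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


@dataclass
class Flag:
    case: str
    category: str
    url: str
    reasoning: str
    screenshot: Optional[bytes] = None
    captured_at: str = field(default_factory=now_utc)

    def problems(self) -> List[str]:
        """Checks to run before submitting: unknown category, a URL that is
        not http(s), a paywalled host, or reasoning too thin to verify."""
        found = []
        if self.category not in CATEGORIES:
            found.append(f"unknown category: {self.category}")
        parsed = urlparse(self.url)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            found.append("url is not an http(s) link the judge can open")
        host = parsed.netloc.lower().split(":")[0]
        if host in PAYWALLED or any(host.endswith("." + p) for p in PAYWALLED):
            found.append(f"paywalled source: {host}")
        if len(self.reasoning.split()) < 15:
            found.append("reasoning too short: explain how this links to the case")
        return found

    def to_markdown(self) -> str:
        """Hand-off note a teammate can pick up without starting over."""
        lines = [f"### {self.case} / {self.category}",
                 f"- URL: {self.url}",
                 f"- Captured: {self.captured_at}",
                 f"- Reasoning: {self.reasoning}"]
        if self.screenshot is not None:
            lines.append(f"- Screenshot SHA-256: {sha256_hex(self.screenshot)}")
        return "\n".join(lines)


def case_log(flags: List[Flag]) -> str:
    """Markdown log of every flag for a case, marking the ones not ready to submit."""
    out = []
    for flag in flags:
        out.append(flag.to_markdown())
        for p in flag.problems():
            out.append(f"- NOT READY: {p}")
    return "\n\n".join(out)


if __name__ == "__main__":
    # Constructed sample flags, not real submissions.
    good = Flag("Case A", "Family", "https://www.facebook.com/example.profile",
                "Profile of the subject's mother; surname, town and a photo of the subject "
                "at a family event posted before the disappearance confirm the relationship.",
                screenshot=b"constructed png bytes")
    bad = Flag("Case A", "Gossip", "https://pipl.com/search?q=x", "see link")
    print(case_log([good, bad]))
```

The word-count check is a crude floor, not a quality measure; its job is to stop a submission going out with "see link" as its justification, which is exactly what a judge cannot evaluate.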