Trace Labs Global Missing Persons CTF – July 2019

Security Researcher

Introduction

Welcome to my latest blog post (it’s been a while, I know, I’m sorry). Recently a group of us from TheManyHatsClub participated in and won the Trace Labs Global Missing Persons CTF. Due to popular demand for us to document our experiences with the CTF, here we are. If you’re not aware of what the CTF is, all of the teams are given the same 10 targets. All 10 are actual missing people, and the aim of each team is to use OSINT techniques to track them down and provide actionable intelligence through Trace Labs to the relevant authorities, as local law enforcement typically has neither the skills nor the time to conduct OSINT investigations into each case. The teams are given 8 hours to find as much information as they can about all the targets, with each piece of information being verified and worth points depending on what it is. So, for example, deep web information is worth 1000 points and the physical location of a target is worth 5000 points, but a photo of the subject is worth just 10 points unless it has key identifying information like scars, tattoos and the like. Each piece of information submitted must be verified in real time by a judge before any points are awarded. (Thanks to all the judges, you did a fantastic job even though we were bombarding you with messages.)

Points Breakdown

The Team

So, let’s get to the meaty part! Who are the team?! The TMHC team was made up of myself (Rag), CyberViking, AlanTheBlank and Styx. We are all moderators from TMHC and key players in an intelligence group called the \ gang. We spend a lot of our time hunting down and gathering intelligence on blackhat, APT and terrorist groups, and when we have enough to provide actionable intelligence we pass that information to the authorities. But it’s not all doom and gloom: we also have people stood by to use their OSINT and HUMINT talent to help track down people who are in dire situations and dark mental places. We do this to help whoever we can get through what they’re going through, by getting in touch with local authorities and requesting a welfare check, or by tipping off a physically close friend or family member so that the person in need doesn’t do something stupid. We also then reach out to groups like the Mental Health Hackers and tip them off that said person is struggling, so that they can reach out with the correct resources to get these people some help.

The CTF

Right, let’s get to what we’re all here for, and that’s the CTF. In this blog post I’m going to specifically talk about the tracking of one of the subjects. Let’s call him Steve (I have redacted their name for their and their family’s privacy in this tough time). In my opinion, Steve was the easiest target of the whole event, because straight from the get-go you had his mother’s and aunt’s full names directly available from the police appeal video that had been distributed via their social media. From there you had a few options: directly go digging for the aunt and mother, or cross-reference with the comments section, likes and shares of the post to see if the surname matched or if there were any people with mutual friends with the subject. So straight away we have started building that family tree.

From just a quick scroll down the news feeds on their Facebook accounts we can see that the family is massively superstitious and religious; this is important later for building a psychological profile of the subject. After doing a bit more digging down the aunt’s feed, we can see that there is a photo of the subject, the mother, the aunt and an unknown male with the caption “at our telco”. From this, we can see that the family own a refueling station as their source of income. So, who is this male in the picture? He shows up in a few of the pictures. Well, this is an easy find: his name is Rob and he is the subject’s brother. The brother’s account is interesting: it has more photos of the subject, including a link directly to the subject’s Facebook account, so we now have the aunt’s, mother’s, brother’s and the subject’s Facebook accounts! There are more accounts which can be found by going to the about page of the mother, which details the wider family, but we aren’t interested in that; we are interested in the direct relations and what information they can provide. Just like the aunt and mother, the brother is just as active on social media, if not more.

One of the first things we see on the brother’s news feed is a picture of the subject, which confirms his involvement in the disappearance. Looking at the caption of the post combined with the comments, we can see that the brother is the last person the subject spoke to. He describes the voice of the subject as scared before his phone dies on a hillside way. A reply from an ex-resident of the area backs up that there is an off-road walking track in the area and that they should be looking down there (more key information). There is a 2nd post from the brother which details the route that the subject was walking (more key information). If we cross-reference these 2 things we can see that the subject would have directly passed this walking track! We’ll come back to this later.

Time to dig into the subject’s personal Facebook account. A quick scroll down shows us that the subject likes to take selfies, likes to take blurry photos, and likes to take pictures of his 2 cats (I am the cat doxer – credit the TMHC team, as I submitted and got approved for photos of different subjects’ cats). If we go and look at his photo albums we can see a category called ghost hunts. This fits into the superstitious stereotype that the family seems to be involved in. So we are getting to a potential reason for his disappearance: if the subject believes he saw something just off the track, there’s a potential he went that way and got lost in the dark. Just some facts about the subject: we can tell he is a stoner, as he describes himself as one in the bio of his Facebook profile and there are numerous photos of him with, and of, weed paraphernalia. We also know he is a drinker due to the number of posts on his Facebook account about him wanting/needing a drink. We also know he is a keen gamer, favorite games being GTA V and Final Fantasy. Unfortunately, this account didn’t seem available anywhere else from my searching, but I know other teams did find it. A keen bit of information that got passed to us after the CTF was up was that the subject was using his PlayStation a matter of minutes before his disappearance.

Starting to wrap it up now. Going back over the brother’s post we spoke about earlier, if we scroll to the bottom of the comments we see a small thread of 3 comments which detail that the family had gone to the trail and had found his shoes, hat and the keys for his truck, which would point towards him being in the forest area.

So we are starting to understand who the subject is, what their day-to-day life looks like and who they regularly engage with. If we jump back to the brother’s Facebook we can see that he shared a Google Maps screenshot of the area where the subject was walking when his phone died. If we cross-reference that with the discovery of the keys, our own satellite imagery of the area and the tip from a previous resident of the area, we have our location profile complete. We have shrunk down the area that the subject could have got to. Now, as to why the subject moved into the area, I doubt we will ever know, but this pretty much concludes the search for one of the 8 subjects in the Trace Labs Missing Persons CTF. In total, we had 47 accepted submissions for this subject, 4 of which were information about the subject’s last known location.

Conclusion

Overall, the CTF was a fantastic experience for myself and everyone involved. We all did some fantastic work and contributed to a real-world scenario, and that’s what I think is the biggest difference from a typical CTF in InfoSec. Working on a real case, with a real person and real intel, the learning experience is so much better than a typical pwn or web CTF (not to say these aren’t valuable. They are!). My advice would be: if you’re interested in OSINT and want to learn more about it, jump on the Trace Labs Slack, get involved in the CTF and just have fun with it. Also, just as a note from the TMHC team, we are aiming for 20k points next year, so come keep us on our toes the whole time 😉 Hope to see you all participating next time.

For those of you interested in Trace Labs and the fantastic work that they do you can reach out to and join them here:
Website: https://www.tracelabs.org/
Twitter: https://twitter.com/TraceLabs

And if you’re interested in getting involved with TheManyHatsClub you can join us at https://discord.gg/infosec

Thank you for reading, and if you have any questions hit me up on Twitter or Discord!