Trace Labs CTF August 2020 – Approach & Methodology
Looking at how I do OSINT on missing people with my Trace Labs CTF team.
CyBeer of The Week: Estrella Galicia
Metal Artist of The Week: Corey Taylor
Welcome, friends. It’s a hot Sunday afternoon in London as I type this, and that means it’s perfect for a crisp, refreshing lager. For this job, I recommend Estrella Galicia. At a solid 5.6%, it’s just the ticket for enjoying the summer sun and having a merry old time. My wife is also from Galicia, so it has a special place in my beer rankings. This week, I suggest you enjoy the new tunes from Slipknot frontman Corey Taylor: with a new album on the horizon, his newly released tracks will surely whet the appetite for the full release in October this year.
To the Matter at Hand
Anyway, this blog is about the most recent Trace Labs OSINT Search Party. As I write, it took place last night from 7 pm until 1 am. By the time the results were finalised, it was 2:30 am, and I was knackered. I previously wrote about my thoughts on the CTF format run by Trace Labs here. This time, I thought it would be beneficial, and hopefully enjoyable, to go through how my approach has changed and the actual methodology we approached the August CTF with. We’ll also see how it’s evolving each time we take part.
The August event had 199 different teams competing, a slight increase on the previous events I’ve taken part in. Teams range from individuals to groups of up to four. This CTF had eight different missing people and the usual six-hour time limit to find as much OSINT on them as possible. This time around, we had a team of four (shout-out to Rob, Karl and Paul!), so TCP79PetesMum (don’t ask) had a full complement. That was the first learning point I took home from my first CTF and write-up, so that’s one box ticked. But let’s look at the actual methodology in the event itself.
Trace Labs CTF – How do we start doing OSINT on eight random missing people?!
Before we jump in, I think it’s imperative (and maybe obvious) that you have a way of communicating with your team. We chose a Discord server: it gives us voice chat as well as an easy way to share links, images and so on. This is the foundation for your whole event; if you can’t communicate clearly or ask for a second opinion on things, you will probably struggle. Find whatever platform you like best and use it. Our voice chat was open the whole time with all of us in it, and we constantly shared links, images or text to help us make decisions.
On your marks
When the Trace Labs CTF begins and the names appear within the Search Party platform, the first thing I do is identify who within the list is likely to have a social media presence. This is important, in my opinion, as you can get off to a good start and pick up some flags early, which helps with your momentum across the whole event. How do we identify who’s going to be active on social? It’s not very scientific, but we start with age: people younger than 40 are more likely to be on social media to some extent than those over. After last night’s event, that rule of thumb definitely rang true.
With that in mind, we have a quick discussion and split up to investigate different individuals. So far this has been in pairs, somewhat organically, but that could easily change. Once we start, it’s a case of looking at the usual candidates:
- LinkedIn (if age-appropriate)
This can be a reasonably straightforward process, or indeed very difficult. The August event had several people who were much harder to find information on than July’s, for example. But usually, a combination of name and location can help you home in on a likely candidate.
I typically start on Facebook: as the largest social network, anything I find there can be used to inform searches on other sites. This information could be:
From there, I might also look at friends and family. Is there a particular person who is a constant on posts, either through reactions or comments? Could that be a partner, or a potential suspect? Within the categories for scoring points, all of this information is valid: it counts toward your overall score and goes into the final report for law enforcement, which, of course, is the real reward for taking part.
In previous Trace Labs events, we would then take things like usernames and manually search for them across different platforms. I alluded to this in my initial review, but subsequently, as a team, we have adopted and started using Spiderfoot.
It’s available as an open-source tool or as a subscription-based cloud offering. It’s an excellent OSINT tool that has 50 different API integrations and runs very quickly. I had initially got it set up on my computer when Karl in my team had the idea of hosting one in the cloud for everyone to use. This was a stroke of genius: it gave all of us access not only to search using the tool but also to see the results of everyone’s queries. It only cost $1.68 for the whole event using a DigitalOcean Droplet. One caveat if you do this: Spiderfoot’s web interface has no authentication out of the box, and the instance holds your API keys and everyone’s scan results, so firewall it to your team’s IP addresses or put it behind an authenticating reverse proxy rather than leaving it open to the internet.
This would be a definite recommendation to anyone in my book. The primary benefit of Spiderfoot is that it can also run against domains, IP addresses, names, usernames, email addresses, sub-domains, ASNs, subnets or phone numbers. If you take the time to set up the integrations, you won’t regret it.
A couple of other automated tools were set up by me beforehand: Twint and Maltego. Twint is a Twitter scraping tool that doesn’t need an API key. This is a crucial point, as the standard Twitter API only returns the most recent 3,200 tweets from a given user’s timeline. Twint scrapes the web interface instead, bypassing that limit and letting you download every tweet from a specified user, hashtag or keyword and output them to something like a CSV file. This can be a very quick way to check whether an account looks like your subject or not. The flip side of not using the API is that Twint breaks whenever Twitter changes its front end, so check it still works before the event starts.
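As an added example of that "does this account look like our subject?" check (my own illustration for this write-up, not Twint’s code or my team’s tooling), the script below reads a Twint-style CSV export and pulls out the things that matter in a missing-person case: when the account was last active, whether it posted after the date the person went missing, which handles it talks to most (useful for the friends-and-family angle above), and whether the tweets mention the places in the case. The sample rows, names, handles and the column layout are constructed for the example; a real export carries many more columns, so adjust the column names to whatever your Twint version writes.

```python
"""Triage a Twint-style CSV export: does this account look like our subject?
Added example for this write-up, not Twint's own code or my team's tooling.
The sample rows, names and handles below are constructed."""
import csv
import io
import re
from collections import Counter
from datetime import date
from difflib import SequenceMatcher

# Constructed sample. Column names mirror a subset of what Twint's CSV
# output carries (assumption: adjust to what your version actually writes).
SAMPLE_CSV = """date,time,username,name,place,tweet
2020-07-30,22:14:03,jdoe_example,Jane Doe,,"late shift again, @friend_b save me"
2020-08-02,09:05:41,jdoe_example,Jane Doe,,coffee in Shoreditch with @friend_b and @cousin_c
2020-08-07,18:30:12,jdoe_example,Jane Doe,London,new job starts monday #excited
2020-08-12,23:55:00,jdoe_example,Jane Doe,,@friend_b call me when you see this
2020-08-15,07:12:44,jdoe_example,Jane Doe,,heading to Brighton for the weekend #brighton
"""

HANDLE_RE = re.compile(r"@(\w+)")
HASHTAG_RE = re.compile(r"#(\w+)")


def load_tweets(csv_text):
    """Parse the export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def name_similarity(a, b):
    """0..1 similarity between the subject's name and a display name."""
    return SequenceMatcher(None, a.casefold(), b.casefold()).ratio()


def triage(rows, subject_name, missing_since, locations, top_n=3):
    """Summarise an account against the case: activity window, posts after
    the missing date (ISO string), most-contacted handles, place-name hits."""
    cutoff = date.fromisoformat(missing_since)
    dates = sorted(date.fromisoformat(r["date"]) for r in rows)
    mentions = Counter(h.lower() for r in rows for h in HANDLE_RE.findall(r["tweet"]))
    hashtags = Counter(h.lower() for r in rows for h in HASHTAG_RE.findall(r["tweet"]))
    location_hits = Counter()
    for r in rows:
        text = f'{r["tweet"]} {r["place"]}'.casefold()
        for loc in locations:
            if loc.casefold() in text:
                location_hits[loc] += 1   # one hit per tweet, not per occurrence
    name_score = max(name_similarity(subject_name, r["name"]) for r in rows)
    return {
        "username": rows[0]["username"],
        "tweets": len(rows),
        "first_seen": dates[0].isoformat(),
        "last_active": dates[-1].isoformat(),
        "posts_after_missing": sum(1 for d in dates if d >= cutoff),
        "name_score": round(name_score, 2),
        "top_mentions": mentions.most_common(top_n),
        "top_hashtags": hashtags.most_common(top_n),
        "location_hits": dict(location_hits),
    }


if __name__ == "__main__":
    report = triage(load_tweets(SAMPLE_CSV), "Jane Doe", "2020-08-14",
                    ["London", "Brighton", "Shoreditch"])
    for key, value in report.items():
        print(f"{key:20} {value}")
```

Nothing in that output proves the account is the subject; the point is to get a quick "worth digging into or not" answer in seconds rather than scrolling a timeline by hand. A last-active date after the missing date, or a handle that appears in most of the conversations, is exactly the kind of thing that then goes back to the team channel for a second opinion before anyone submits it.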
Maltego is a well-known link-analysis tool, and with all of its transforms it can be a potent tool for analysis. For one reason or another, I didn’t use it in anger in this event, but it’s set up and ready for the next one. If you’re not familiar with Maltego, you can download the Community Edition for free, or it’s installed by default in Kali Linux and the Trace Labs OSINT VM.
Not necessarily a ‘tool’, but something we have also started to make use of is facial recognition. Using Microsoft Azure’s facial recognition, we’re able to very quickly compare images taken from social media or other sites against those released by law enforcement. It detects a face in each picture and returns a confidence score along with a verdict on whether the two images are likely to show the same person. It’s incredibly powerful for finding out very quickly whether you’re on the right profile or down the right path. Treat the verdict as a lead rather than proof, though: low-resolution or old photos can push the score either way, and a match still needs corroborating evidence before you submit it.
There are lots of other tools and workflows out there too. This is just where my team and I sit at the moment, and the list will most likely grow as we do more events and come across other tools.
Back to the Investigating
The above forms the crux of what we (and presumably other teams) were doing throughout the event, but there are other things to be aware of that can score significant points too. Attention to detail is key here, because even relatively inconsequential things can help:
The make and model of a phone, the operating system used on a computer, details in the background of an image, comments on social media posts about a potential location or sightings, or even further information such as whether they are on a certain kind of website.
I’ve also started trying to identify where the people went missing from and who locally is registered as a sex offender. Grim work, of course, but for the CTF it’s valuable information (even though local law enforcement will already have it).
The rest of the event for our team was mostly around creative Google dorks and trying to find more information. We did identify a potential location for one subject, who had a somewhat unique name and the area matched, but our judge ruled the finding was too vague to be awarded.
I also had several Tor search engines up and running throughout the event. I wasn’t able to find any useful information this time, but given only one submission in total was approved for the dark web, that’s maybe not that surprising. However, some of my search results did bring back some rather disgusting-looking results. Hence, as always: please approach anything like this with appropriate caution and safety mechanisms in place. Best practice for Tor is to browse from inside a dedicated VM, and to be VERY careful with any links you follow. If you do find any illegal material, don’t download or keep it; report it via the appropriate channels.
I should note that on at least three out of the eight missing people, we struggled to find much information. We weren’t alone in that either, but I guess that can happen sometimes. It’s frustrating from the point of view that we want to help the families find their loved ones, and you never know if the lead you need is right under your nose. However, I hope that across the board, there will be useful submissions across all the missing people.
Trace Labs CTF – The Results
By the end of the night, we had 60 submissions accepted in total and 4905 points awarded. This was good enough for us to finish 26th out of 199 teams overall. We’re all very pleased with that result (previously we finished 75th and 22nd). The one thing that has utterly astounded me is the sheer number of submissions the teams at the top made, with the top two making 178 submissions each! Mind-blowing numbers, I’m sure you’ll agree. Like most other contestants, I’d love to know what they’re submitting and their process for doing it, so please, do blog/vlog/tweet/something about it!!
Overall the event had 6500 accepted submissions, with 102 starred submissions. My understanding of this is that the starred submissions are highlighted in the final report to law enforcement for the relevant individual as potentially significant intelligence. One of my submissions got starred this time, which makes the whole thing worthwhile.
Trace Labs – The Next Steps from a competitor
For me, I think I will volunteer as a judge for the next event, as I’d love to see the other side as well as seeing the breadth of information the community pulls in. I feel like being a judge would also make me a better contestant. For example, understanding what the highest submitting teams are scoring points on, and realising all those missed opportunities from before.
For taking part, I think I would look to fine-tune what tools we use and where. A lot of the time, it boils down to remembering what you can do with a specific piece of information. This time I remembered that there are tools like What’s My Name that can enumerate usernames very quickly and easily, including on websites you probably wouldn’t even think to check. It’s not perfect, but it lets you quickly identify which avenues to explore further. We also need to understand where we’re losing out on submissions and why. We’re very exhaustive in our searches, so there must be something straightforward we can change. We’ll see next time!
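To show what a username-enumeration tool like What’s My Name is doing under the hood, here is an added example (mine, not the project’s code) modelled on its approach: each site entry carries a URL template plus the status code and page text that indicate an account exists or is missing, and every response is classified against those. The site entries, domains and canned responses below are constructed; the field names follow the WhatsMyName JSON format as I understand it, so check them against the project’s current data file before relying on them.

```python
"""Username enumeration in the style of WhatsMyName.
Added example for this write-up, not the project's own code.
The site entries and canned responses are constructed."""
import json
import urllib.error
import urllib.request

# Constructed site definitions. The field names mirror the WhatsMyName
# JSON format as I understand it (assumption: check against the live file):
#   uri_check: URL template with an {account} placeholder
#   e_code / e_string: status code and page text seen when the account exists
#   m_code / m_string: status code and page text seen when it is missing
SITES = json.loads("""[
  {"name": "ExampleForum",
   "uri_check": "https://forum.example/users/{account}",
   "e_code": 200, "e_string": "Member since",
   "m_code": 404, "m_string": "User not found"},
  {"name": "ExampleGallery",
   "uri_check": "https://gallery.example/{account}",
   "e_code": 200, "e_string": "<title>{account}",
   "m_code": 200, "m_string": "This page is not available"}
]""")


def build_url(site, account):
    return site["uri_check"].replace("{account}", account)


def classify(site, account, status, body):
    """Return 'found', 'missing' or 'unknown' for one HTTP response.

    'unknown' means the response matched neither pattern, which usually
    means the site changed its page template and the entry is stale."""
    e_string = site["e_string"].replace("{account}", account)
    m_string = site["m_string"].replace("{account}", account)
    if status == site["e_code"] and e_string in body and m_string not in body:
        return "found"
    if status == site["m_code"] and (not m_string or m_string in body):
        return "missing"
    return "unknown"


def fetch(url, timeout=10):
    """Live fetch; returns (status, body), or (None, '') on a network error."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:      # 404 etc. still carry a body
        return err.code, err.read().decode("utf-8", "replace")
    except OSError:                            # DNS failure, timeout, refused
        return None, ""


def enumerate_username(account, sites=SITES, fetcher=fetch):
    """Check one username against every site. The fetcher is injectable so
    the matching logic can be exercised offline with canned responses."""
    results = {}
    for site in sites:
        status, body = fetcher(build_url(site, account))
        if status is None:
            results[site["name"]] = "error"
        else:
            results[site["name"]] = classify(site, account, status, body)
    return results


def demo(account="jdoe_example"):
    """Run the enumeration against constructed, canned responses."""
    canned = {
        "https://forum.example/users/jdoe_example":
            (200, "<h1>jdoe_example</h1><p>Member since 2018</p>"),
        "https://gallery.example/jdoe_example":
            (200, "<title>This page is not available</title>"),
    }
    return enumerate_username(account,
                              fetcher=lambda u: canned.get(u, (404, "User not found")))


if __name__ == "__main__":
    for site_name, verdict in demo().items():
        print(f"{site_name:15} {verdict}")
```

The "unknown" verdict is the one to watch: when a site changes its page template, stale entries stop matching, and a checker that only knows "found" and "missing" will silently report every username the same way. A "found" hit also only tells you that the username exists on that site, not that it belongs to your subject, so each one still needs confirming by hand. And hammering dozens of sites from one IP in a burst will get you rate-limited or blocked, so pace the requests.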
I also intend to complete the OSINT Combine training that comes bundled with the first 300 tickets for the monthly events. I attended a webinar of theirs a little while back about social network analysis, and I think using this to look at the subjects’ social networks to try and identify their close friends could be a really useful contribution to both the CTF and the overall case. Bear in mind that a lot of this work could be done by law enforcement, but in most cases they just don’t have the resources or manpower to conduct in-depth investigations like this.
Since, as mentioned above, so much comes down to remembering what tools and services are available at any one time, it gives me great pleasure to also make publicly available my own list of CTI & OSINT resources, currently available as a Google Sheet. This is a comprehensive list of search resources and checks, as well as tools, downloadable bookmarks and other aggregated search tools.
I started working on this after the July Trace Labs event, initially for myself, but I feel like this would be a handy resource to the community. A lot of the basis originates from Michael Bazzell’s (@IntelTechniques) OSINT books, but I’ve added to it with more CTI-specific resources and tools. If you haven’t already, I would highly recommend purchasing the seventh edition of Open Source Intelligence Techniques as it includes an extensive section on building and maintaining your own tools for OSINT research. This self-reliance will probably be the way forward as time moves on and automated tools come and go.
The resource list is still in its very early stages, so if you have any suggestions, comments or find a broken link, please let me know via the contact page of this site, and I will look into it.
I hope you have found this small insight into my approach to the Trace Labs CTF enjoyable, and helpful! If you have any questions or suggestions on things I can do differently, please comment or hit me up on Twitter or LinkedIn. I will see you next week with a new blog post, and at the next Trace Labs event. Until then, enjoy that beer and crank up the metal.