Last weekend (6th November) I took part in my first ever OSINT capture-the-flag competition – the Trace Labs Global OSINT Search Party. For those unfamiliar with it – it’s a gamified, competitive and global event, aimed towards locating missing persons.
Mind you – this means REAL missing persons, in real life. The idea is to dig through their digital footprints in order to find any new information on them and ultimately to help locate them.
Even as a somewhat tenured ex-law enforcement OSINT practitioner, I felt outside of my comfort zone when signing up for the Trace Labs CTF.
I have never before used any open source intelligence gathering techniques to find missing people (witnesses, fugitives and subjects of European Arrest Warrants – yes, but this isn’t the same thing as looking for missing persons).
Moreover, my OSINT style has always been a slow-burning, analysis oriented, methodical process that followed a certain workflow, culminated in a written report.
The CTF approach is very different: it’s a fast paced, gamified egg hunt, a rapid fire style of information gathering under significant time pressure – I could compare it to doing OSINT with a gun to your head, in a building that’s on fire, with a dynamite bundle clock mercilessly ticking in the background.
The Trace Labs CTF was a team effort, as I joined forces with a former law enforcement colleague and friend, Barry Keegan – who is also the author of the Discovering Data blog.
The result, at least in terms of our two-man team’s placement on the scoreboard after the dust settled, was a little underwhelming – around halfway down the table of participants (out of approximately 220 teams in total).
We submitted a total of 30+ valid flags, but failed to score any “heavy hitter” types of submissions.
However, as an experience and overall learning event, the CTF was enjoyable (albeit frustrating at times, too) and illuminating – even if it felt like we got our asses handed to us by many much better and more experienced CTF players.
So, with the benefit of hindsight, I decided to write this guide to Trace Labs Search Party CTF – for anybody who is contemplating competitive participation and who wants to avoid the mistakes our team made due to being novices at this game.
By failing to prepare, you are preparing to fail.
* * *
When it comes to competitive participation in this CTF, there is a world of difference between “kind of preparing” and “preparing for real”. I guess if I had known this simple truth prior to participating, I would not be writing these words right now. But at least now I understand how “kind of (un)prepared” our team was, even if we ticked the boxes on many of the things I mention below.
- Find a team of 4 people – yes, you can participate solo, in a duo or in a trio – but if you are looking to win, maximise the benefit of the allowed team member headcount – which is four people.
- Read the Contestant Guide.
- Read the Judge Guide.
- Watch the Trace Labs YouTube channel – with the focus on the most recent videos and the CTF training playlist, but no harm watching them all to see what changed and how things evolved.
- Set up the CTF environment – both physically (2 or even 3 monitors, I’m not joking!) and virtually (dedicated VM or dedicated OSINT machine, with all software updates done, etc.). This stage includes creation of dedicated accounts on as many platforms as possible – you don’t want to hit a roadblock during the CTF as a result of having to create user accounts on some platform in a hurry to be able to access content there. Also, stock up on food and water – since the moment the platform goes live, you will be on the clock and under pressure.
- Assemble the team – meet appropriately early to discuss operational details: communication methods, roles, tactics, responsibilities. Ideally you want to have conducted some dry runs well before the CTF date to see how the team operates together and what the best approach to information gathering is for your entire team.
- Go over the plan – there is nothing worse than wasting precious time on internal debates about how to best submit flags and in what format, who is in charge of talking to your judge, and so on. Division of labour is crucial – going into the CTF you should have already decided who is focusing on what flags and who is managing submissions. If you have 4 people working on the same missing person at the same time, somebody needs to ensure that individual efforts aren’t being duplicated and team members don’t end up submitting the same flags.
- Map out the paths ahead – this CTF focuses on the digital footprint of the missing persons – but what if the missing person doesn’t have any? What if one of the missing people is a child under the age of 6? Be prepared for these pivots – everybody has some kind of an extended family, so if one of your targets is too young to have social media accounts, you should try to anticipate who to focus on next and how. A template spreadsheet or something like an empty (unpopulated) Maltego graph can be helpful in knowing who and what to look for.
- Create information sharing channels – whatever works best for the team: be it a Google Doc that the team members are working on simultaneously, a spreadsheet with drop-down fields listing flag categories and point values, a Slack or Discord chat – plus a live voice chat (Zoom, Google Meet, Discord) for overall coordination. Optionally, you can have a communal or individual note taking space.
- Define specialities – know who is good at what and play to that advantage. Some people are better at people searching, others can excel at data breach research, while others are strongest when it comes to website recon. If a certain difficulty arises, you need to know who the best person is to tackle it.
- Pick a team leader / manager – one person should be nominated to assume the responsibility for coordinating flag collection, assessing flags and submitting them in their correct categories. This means that this person will most likely spend no time on hands-on research and finding their own flags. However, in the grand scheme of things, the responsibility for shipping the findings correctly is far more important than the perceived glory of being the person who makes them. If possible, the team leader role should not be rotated amongst team members, in order to ensure consistent submission standards and parameters.
I’m in competition with myself – and I’m losing.
* * *
The correct mindset is important and it means circling back to the reasons why you decided to participate in this CTF. Yes, there are prizes and badges to be won, there is the online glory and fame – but ultimately it’s about doing some OSINT for good, while having fun at it.
- There’s no I in Team – this CTF is all about teamwork. There are no individual scores for participants within any team. It does not matter who found a flag – it matters that it gets submitted correctly, approved and scored adequately for the benefit of the whole team. Every role should be treated with equal importance and you should credit your every flag success not to yourself, but to your team.
- Flexibility in dividing the workload – the only constant in life is change and the same can be said about the CTF game. Previous Trace Labs CTFs were 6h long – this one was 4h. Previous teams had to focus on 8 missing persons – this time there were 4. While the competition focuses largely on the English speaking parts of the Internet, there may be a need to delve into some unexpected online territories, like Chinese, Russian or Indian social media sites. It’s crucial to be able to adapt to these changes quickly and dish out tasks in a way that enables the whole team to progress.
- Game the game – in a positive meaning of the phrase only, of course. This means tweaking your efforts in accordance with the values assigned to various types of flags. For instance: while researching a social media profile you found some information that was not included in the missing person report (like additional tattoos, not accounted for in the person’s physical description section). You should try to submit such details within the flag category that scores the highest. Will it help locate that person? Probably not. But it’s something new, so you should not submit this as “basic info” type of a flag, but as something that could score the maximum amount of points available.
- Stuck? Get unstuck & move on – you might be doing very well in terms of flags submission for one missing person and then struggle to find anything meaningful for another individual. Well, it happens. If possible, you can ask your team mate to switch roles – or you can just move on to other categories of flags and sources. The key part here is to avoid dwelling on your difficulties and prospects of failure. Valuable flags can be waiting around the next corner, so go get to that corner.
- Even one flag can make a difference – while usually this will be the MVO flag (Most Valuable OSINT), remember that your participation alone counts and that giving up your time for a noble cause like this can potentially make a big difference. You never know what tiny snippet of information can help locate a missing person or give hope to their relatives.
- Know the boundaries – speaking of hope and missing persons’ relatives, it’s very important to know what is allowed and what isn’t allowed during and after the CTF. This is a real missing person search event, and the missing people have families who desperately want them back. You should not communicate with anybody (a person’s family, friends, etc.) or try to actively solicit information from any sources. The Trace Labs CTF is a passive reconnaissance type of event and your participation in it should not generate any digital footprint of your own making. NB: A huge NO is attempting to do password resets on any of the accounts you identified as belonging to the missing people. It’s unethical, it’s wrong and it might create false hopes for the families, who could be in possession of the account in question and who might think that the person themselves initiated a password reset. Trace Labs keeps hammering this point home and it simply cannot be emphasised enough.
- Have fun & stay cool – while the objective of the Trace Labs CTF is to help find missing persons, you should not treat it with deadly seriousness. This includes avoiding any personal clashes with either your team mates, the judges or other members of the CTF community. It also means not getting salty because a flag was rejected or because somebody said something in the channel. This is a relatively small community and offensive remarks, trolling or other manifestations of unacceptable conduct will not be received kindly by anybody.
Do. Or do not. There is no try.
* * *
You have prepared, you have adopted the correct mindset – now go get ’em, tiger.
- Narrow down the timeline – beginning with broad and general searches for the missing person’s digital trails is a good starting point – but that’s all that it is. You need to quickly establish the timeline of when the person was reported missing and what can be considered potentially fresh information. You need to be able to separate and limit your exposure to old data (information noise) – any flags submitted in relation to events or people from a long time ago will likely score only very basic flags (if any at all). A good idea is to create appropriate search strings for a number of scenarios – then all you need to do is fill the blanks with relevant variables.
- Narrow down the sources – this means localising your sources (for example Google); if you are based in the US but searching for a missing person who lived all his / her life in Australia, you should switch to search engines local to Australia. This might also mean switching your VPN servers and making similar efforts aimed at positioning yourself (virtually) in the geographical location of interest.
- Weigh up various types of digital footprint – a person’s online presence can manifest in various forms and you need to establish what the best angle for research is: are they using the same nickname / handle / avatar / photo / logo across multiple platforms? Are they more into posting images or videos? What are their favourite social media platforms? Do they create content? If so, what kind? What are their hobbies and interests – and respectively, what online sources do you know that cater to those interests, so you can focus your searches there?
- Fire and forget – you should not spend too much time debating whether a flag is valid, whether it will be accepted or rejected, whether it is relevant or not. All this will be up to the judges to decide. You should literally pepper the submissions page with flags and not overthink the validity of evidence. Obviously, you don’t want your submissions to be spam – there has to be some standard of quality, but this standard can be decided and agreed on amongst team members prior to the CTF. Once the event starts, the flag submissions should be done within the agreed parameters and without debates.
- Don’t worry about the scoreboard – do not even bother looking at it and trying to compare your flag count to the submissions made by others while the competition is in progress. Initially there will be a backlog of flags that the judges will have to process and an hour into the event you might see your score still displaying zero. This is fine, don’t worry, just do your thing.
- Mine your findings for full details – it’s all well and good to find an additional, seemingly unidentified Facebook profile for the missing person. But this is only the beginning of the effort. Every page, photo, forum thread, every newly found interaction between the missing person and others needs to be literally mined for details in accordance with the flag score and value guidelines. It is impossible to get this done effectively by just one person, but that’s where division of labour comes into play: one person searches for new content like social media profiles and then hands that content over to another team member for thorough examination.
- Master the screen grabbing – for the sake of efficiency, use browser extensions or rely on pre-configured mouse / keyboard shortcuts for taking screenshots. Not getting this right can slow down the search efforts significantly.
- Big game hunting – it might make sense to devote time and resources to going after the really valuable flags. You can spend an hour submitting 100+ low end and low score flags like information on friends and family of the missing person – or you can spend that time trying to score one rare flag that is worth 1000 points. You can’t do both effectively – unless you have a team of 4 with distinct responsibilities and diverse roles. Note that the most valuable flags are also those that have the biggest chance of yielding information that can lead to locating the missing person.