Digital forensics and more
by Holly Kennedy
Note: The subjects investigated in this event are real people, so there will be no screenshots and this writeup will be more about the principles than the details.
I’m a big believer in Capture the Flag as an educational experience. The time-limited, gamified nature of the event encourages you to really stretch yourself with new techniques, tools, and research. Afterward, your experience can be shared with the community through write-ups like the one you’re reading now. Trace Labs, however, takes things another step with Search Party. They collaborate with law enforcement to crowdsource open-source intelligence collection for missing persons cases. It’s a great way to make a difference in the real world while increasing your skills.
The February 11, 2023 Search Party was my third TL event as a contestant and my first as a member of a team (up to four-person teams are permitted). We met up on the TL Discord server the day of the competition and collaborated there during the event. We are all established professionals in our fields with at least some OSINT experience. Together we made a respectable showing and finished in the top five percent of all teams. During the four-hour event, each of us took responsibility for one missing person, ensuring each case would be investigated by our team. We crossed over a bit when a person asked for help, but each of us mostly stayed focused on “our” case. There are numerous ways to handle team play, but I felt this structure worked pretty well for us.
I used no commercial tools in this CTF. I have a number of sockpuppet accounts for social media research to keep that activity separate from my real identity. I came up with a persona based on a carefully selected AI-generated photo from This Person Does Not Exist. I have experimented a little with having ChatGPT create some personas, but I didn’t have a need for them this time around.
OSINT investigation on my missing person was extremely fruitful as they had a robust social media presence, but there were a couple of complications. The subject often had multiple accounts on the same network (the final report I submitted noted eight separate Facebook profiles) under different names, from different time periods, and with different profile photos. Additionally, many of these photos were so heavily edited with cosmetic filters that it was difficult to even identify them as the missing person.
Here’s where a little inside baseball for Search Party comes in. My judge kept rejecting a number of the Facebook profiles I submitted. Aside from the photo confusion, some details in one of the profiles appeared to indicate an event that was unlikely at the missing person’s age. I talked with my judge and resubmitted with more supporting evidence, including cross-referencing a few family members among the different profiles. These flags were then accepted, but I could have saved myself some time by doing all that for the first round of submissions.
Simple web searching turned up further context. The subject was missing in one country but had emigrated from another, and their native language was not very well supported in search engine indexing. After some digging, I was able to learn that they had actually been reported missing in their native country several months before. It did not appear from the reports provided that law enforcement in the new country were aware of this history.
As I moved forward from the date the subject first went missing, I saw a number of updates from the authorities and the subject’s family saying they were still missing. I identified a single blood relative who seemed to be in current contact with the subject. They are a potential source of further leads, whether through interviews or legal process on their social media accounts or devices.
One family member reposted the new country’s missing persons report along with criminal allegations about a person of interest who might have been in the company of the subject before their disappearance. A social media profile for an ex-partner of the subject shows they feel betrayed. The timeline of their relationship overlaps with the person of interest’s involvement with the missing person.
My biggest find was a selfie on a Facebook profile for the subject posted only eight days before the CTF. In it, they pose with the person of interest, who is referred to in the caption with a term of endearment. They appear to be at a birthday party, but other attendees are obscured and little is visible of the room. Knowing how much data Facebook collects on its users, I felt sure that legal process on this account would lead law enforcement to the missing person’s current location and could even provide information regarding other alleged crimes.
While Search Party is a CTF, it’s not all about the points. High scorers win prizes, but the real first prize (and the one that gets you a black badge) is the Most Valuable OSINT award. At TL’s DEF CON event, that black badge is the real deal. It reflects the priorities of the organization to reward contestants who make the biggest impact on the real-world cases and the real missing people that Trace Labs is trying to bring home. The way that TL staff described this event’s MVO winner (they speak in generalities to protect privacy), I suspected they had been able to go a lot farther with the photo I found.
This Search Party, I wasn’t only a contestant. I volunteered as a report writer to help distill the collected intel for our law enforcement partners. As luck would have it, I was assigned the same case I had worked on during the CTF. I received a spreadsheet containing all submitted flags, whether or not they were accepted for points. This offered me a surprising amount of insight! I saw that people were making much better use of the flag submission system than I was. For the one image the system accepts, I was using a single screenshot and explaining the connections I made in the text box. Many players were instead submitting collages of screenshots and were able to lay out their reasoning much more efficiently.
As for the Most Valuable OSINT award, my gut was right. The winning team also found that same selfie, and they ran with it. While I didn’t see many valuable details in the image, they were not so limited. They cross-referenced other social media and saw that a cousin of the person of interest posted a video from the same party on TikTok. They determined a likely city based on the locations listed by the person of interest and their family members. The TikTok video provided a wider view of the room the party was in.
The team’s flag submission says they then used Google Maps to search in the target city for the type of building they assumed hosted the event. Photos from the facility’s website showed the inside of the building was a clear match to the event venue. While I was writing my summary report, I double-checked the buildings that could be seen through the windows in the website photos on Google Street View to be certain the location was accurate. Every step checked out. Hats off to them!
In this case, much of the difficulty arose simply in navigating language and cultural barriers. While I don’t know whether the black badge winners used any advanced techniques, they could have made their findings entirely from information available on the clear web. The lesson they taught me is a valuable one; it is always worth digging a little deeper. I gave up too soon, but they pivoted like good OSINT investigators. Their diligence was richly rewarded. No lead is too small.
tags: CTF