My First Global OSINT Search Party CTF

Charlie Sierra Yankee
8 min read · Feb 24, 2021
Trace Labs, OSINT, Capture the flag, CTF, Osint for good
https://www.tracelabs.org/

Last year I started on my OSINT training journey and it’s been one hell of a ride so far…! The internet is like a terrible spouse that betrays you at every turn. You think you know them and they seem reasonable and straightforward enough but they’re not. Our level of attribution (digital footprint) on the internet is astounding. Many things that we think are:
- private — are not
- deleted — nope, it’s still there
- not tracking our movements — are definitely tracking you

In fact it’s just safe to assume that nothing is private, nothing is deleted and everything is tracking you or leaking your information. This blew my mind. I felt like I wasn’t in the ‘completely ignorant’ category after having had to do basic online investigations to confirm information about surveillance operations, and after my marketing experience. But, no, I really had no idea.

Excited by this information I really wanted to gain some proper skills in this area. I had been listening to Michael Bazzell’s podcast for a while and thought maybe I could start there. I knew a fellow private investigator who had pivoted into this arena and done his course, so I asked her if I should do it. She said it was great but, of course, heavily weighted to the Americas (I am in Australia). A few months later she sent me a message saying she had just finished Chris Poulter’s OSINT Combine course and it was definitely worth it. I didn’t hesitate. I jumped straight in! I was in heaven. Learning about Google dorking and checking source code and VMs! I sent my friend a message and thanked her for putting me onto the course and I was excited to try out my new skills! It’s one thing to do a bit of practice and it’s certainly another to do it for real. My friend mentioned that Trace Labs were having an OSINT Search Party CTF soon and she knew some people who were looking for a team mate; did I want an introduction? I don’t really want to admit this but I had to google what a CTF is — capture the flag for noobs like me — and after a google it was a hard yes! I didn’t even know this was a thing.

I counted down the days to the competition while plugging away at my OSINT Combine course, devouring OSINT Curious podcasts, adding as many OSINT professionals as possible on LinkedIn, nurturing my sock puppets and practising using people from the AFP’s missing persons database. I also entered the meme competition that Trace Labs held and was one of the top five finalists! That is how hard I am geeking out about OSINT! Just seems I am missing a black hoodie for effect.

My winning submission into the Trace Labs OSINT Meme contest!

Competition day finally rolls around. The time is set to UTC, which is universal time, as there are people from around the world who compete. Lucky for us Australians it started at 7am on Sunday morning. There was an hour-long live webinar by the organisers to start with. This was basic housekeeping, a reminder of the rules and all of the important information regarding the day. Then at 8am our contestant portal was opened up and there was a list of missing people we could research. There was an Australian lady on the list and we just so happened to recognise her as she is a fairly recent MP (missing person). We chose her and got to work. We were given the MP’s name, area, missing since date, age, disappearance details, characteristics and some known digital footprint data (social media, phone number and email).

Our team was relaxed and decided that we would do our own investigations and just report back in our Discord channel now and then — on a side note, if you want to take this SUPER seriously and win one of the badges, then you will need to find a team that forges a plan, works together and probably has some of their own custom tools.

Two seconds into starting I made my very first OSINT investigator mistake: I abandoned the schema that I had put together and launched into whatever I felt like. One of the most important pieces of advice I received from my OSINT Combine training is that you have to have a plan in order to have repeatable success. In hindsight (my amazing superpower), if I had stuck to my plan I would have had so much more success and I wouldn’t have ended up going in circles and down the unnecessary rabbit holes that I did. There are certain key bits of information that are important to any case when it comes to OSINT and they should probably be your first port of call. That way, when you have the key information, you can then branch out into other avenues and will feel less confused when you come upon unexpected or emotionally charged information. Here is the schema that I created and then abandoned. Hopefully it might help other new OSINT’ers and can be critiqued by old hats.

OSINT Schema

These are some really basic things that I could have checked off. Unfortunately a lot of them I didn’t, and many of them would have provided better context for my investigations further down the line. I’m a private investigator and we are accustomed to finding evidence/data and then handing it over to be turned into intelligence by the people that hired us. I think I got so excited by actually being allowed to turn some data into intelligence (and maybe I have been watching too many Scandinavian noir series) that I completely jumped the gun. It was an important lesson to learn: data first, intelligence second. Even with the time constraints of the competition, data first, otherwise it’s not intelligence. Keeping in mind that the data points above are not an exhaustive list, I thought that would be a good list to start with, and when searching those points, other data would reveal itself, which it did.

Unfortunately my 6 hours of OSINT was too sporadic, which tired my mind even quicker because I was jumping from one thing to the next and reading comments by people in regards to her disappearance before it was time to start scouring comments. And comments by other people, let me tell you, are a rabbit hole unto themselves. Because this MP’s family are very active in trying to find her and created a social media campaign hoping to find more information, it has attracted some very strange people. I don’t know if this is exclusive to this particular case (I don’t imagine it is) but there seem to be people there because of schadenfreude (they get joy from watching this terrible situation play out) and a whole other cluster of strange characters. Of course there are amazing people who have volunteered with the search (just like us) and genuinely want to see the MP reunited with her family, but the strange characters make a lot of noise and ‘muddy the pool’ when it comes to looking through comments, and they had me mesmerised and gobsmacked at the same time.

Another OSINT meme, because, why not!

This was another important lesson to learn. A more experienced investigator would have gone about reading and processing the comments and discussions quite differently. Firstly, they would have started off with better information than I did because they probably would have gone through the schema above and found all the appropriate data first. Secondly, they probably wouldn’t have been as shocked as I was by the comments and behaviours of people online. So, I think it’s important to keep in mind that there are those people out there and that there will also be infighting between family members. With an MP, it is a terrible thing that has happened and highly emotional; then you add in the online dynamic, where you get strangers who say what they want and also long-standing family feuds that raise their head and are aired online. It makes for messy and emotive reading, which is where a lot of our own biases will raise their head, that is for sure. For newbies, Psychology of Intelligence Analysis by Richard J. Heuer, Jr. is a great read. It goes into some quite advanced intelligence analysis topics but it is still a fantastic read to help you get your head around our own biases, perceptions, keeping an open mind and so much more. I would love to hear/read about other investigators’ experiences online when it comes to social media/forum comments and discussions and how they process these. Or if anyone knows of a good book or essay that tackles this, let me know!

Regardless of going round in circles and getting lost in comment sections, I did find a couple of flags! I also found some information in the source code, on Pinterest of all places! I was quite chuffed with that. The tools I used were:

  • Trace Labs VM which you can download from their website and comes loaded with a whole bunch of OSINT tools.
  • SpiderFoot and Maltego, two fantastic tools that I love and will definitely put more time into becoming proficient at.
  • Google dorking.
  • Reverse image search.
  • I also did some manual cluster analysis on the people who were engaging with the Facebook page set up by the family.

It was such a fantastic experience. Trace Labs are unreal. The fact they have even put this together is amazing and such a good cause. The day ran seamlessly! The interface they have put together for contestants is nothing short of impressive. In your portal you can see the missing persons and their information, submit flags for verification, and see whether your flag was accepted or denied and the judges’ notes on their decision. I cannot recommend the competition enough! Whether you are new or highly experienced, you can do a lot of good with your OSINT skills.

I hope this has been remotely helpful for new OSINT’ers and would love any feedback! Happy OSINT’ing!

Last one… I made so many!

Charlie Sierra Yankee

Investigator, OSINT, philosophy, crypto, gamer, science, psychology, anything that takes my fancy and so many things do!