OSINT Capture The Flag

Charlie Sierra Yankee
Jul 5, 2021

I was sitting in a car on surveillance when I was 10 years old. Well, I wasn’t on surveillance, I was bribed with a pack of chewing gum and a Girlfriend magazine to come and sit in a car next to a playground to wait for the subject to appear. My father had been surveilling a man and had learnt that, like any good father, the subject took his kids to the park. My father can’t just show up wielding a camera at a children’s playground. But, a proud father with his 10 year old daughter swinging and sliding happily (thanks to said bribe) could take all the pictures he wanted.

It was not the first time or the last time I was on surveillance, but I remember that day. It was 25 years ago. A different time. A time without technology. How times have changed.

Now we live dual lives, side by side, winding and inter-meshing. The life we live with what and who is in front of us and the life we live through our personal screen which is rarely beyond our reach. A screen connected to a world where we curate a version of ourselves. Where we make plans, tell secrets, buy groceries, pay bills, post selfies, search for information, create dream boards, flesh out ideas, snoop at ex-partners, chat to people we have never met, read about Britney Spears and check our timetables. Anything we could wonder about is there on the internet. Anything we could ever want to buy is there on the internet. Anything we ever want to do… there are instructions on how to. Our lives become so intertwined with these tiny little devices that we feel naked or ill at ease if we accidentally leave them at home.

25 years ago, when a man made the decision to take his kids to the park, he picked up a newspaper, packed the kids in the car and left. Now, the man will pick up his phone to check the weather forecast, look at a couple of work emails, ensure there are no COVID-related restrictions, check Facebook, quickly respond to some group texts about some sport with some GIFs only he thinks are funny and then flick through Facebook one more quick time, THEN he will grab the kids and leave. Once at the park he takes pictures, posts them to his story and maybe even to his timeline to make sure his mother and aunt see. Maybe he will grab a coffee from across the road where he will have to do a COVID safe check-in on his phone and he will also check-in on Facebook for social purposes and promote his favourite café to his mates. He will check his phone several times. Even an average phone user checks their phone 58 times a day and spends 3.5 hours on the device. Why is this important? Because when our behaviours change, every industry has to change with it. And I mean EVERY industry. Including investigations.

This is exactly why OSINT is an important skill in any investigator’s toolbox. I’m just talking about basic OSINT skills. To be a highly skilled OSINT investigator takes a long time, a lot of experience and a lot of time spent learning. You don’t need to know everything but knowing some basic open source intelligence ways to gather information makes a difference. Therefore, I am investing my time and money into gaining some OSINT skills. It’s also something that I have become quite passionate about and really enjoy! So, when the date was announced by Trace Labs for their new CTF, I purchased a ticket instantly!

I’m happy I wrote a blog on my first CTF experience (which you can read here) because it made me reflect at the time and I read it again just before this event so it helped me remember and avoid making the same mistakes again. That being said… I made some brand-new mistakes! Hence blog number 2! But that is the thing about an investigation, whether it’s factual, surveillance, OSINT, etc. There will always be chances for you to learn. And if you want to hone your skills you better take mistakes as a chance to learn as opposed to a strike against your ego. That’s the difference between a good investigator and a great investigator.

Trace Labs Global OSINT CTF

This time the event was on Saturday the 26th of June, 3pm-11pm UTC which meant it was on Sunday the 27th with a 1am start here in Australia. I slept until 12am then got up, put my slippers on, grabbed a coffee and croissant and made my way to my office.

I had done some prep before I went to bed on Saturday. I had my VM ready, all of my sock puppets ready and made my first mistake.

Mistake number 1- Trying to register less than 24 hours before the event. Technology is fantastic and we love it when it works, but sometimes it doesn’t. Whether it’s the user or the interface, things happen. This time, it was the user. I think I might have purchased the wrong ticket. So, when I tried to log in and register- I couldn’t. Trying to register for an event less than 24 hours before the start is never a good idea.

The event is run by volunteers who have created Trace Labs and the CTFs that we know and love. In order to remove some of the burden on go day, register as soon as you can. That way if there are any issues the team can get to it for you and you feel less panicked! Emailing the team saying I couldn’t log in on the day was embarrassing, I should have known better. It didn’t appear a big deal at all to Adrian Korn who helped me between doing the live introduction and no doubt helping others and looking after judges, but I know I should have done the right thing and registered earlier to relieve some of the burden. Lesson learnt.

When I received my registration details and watched the intro, it was go time. There were four missing person profiles this time. None from Australia, and with even less information than the info we received last time. This was going to be tricky.

My team decided to take a person each as last time we concentrated on one person only and we didn’t get as many flags as we possibly could have so we decided to diversify. I chose a young girl, 16 years old, from Kansas in the US and she had only been missing a couple of days. I had a name, description, DOB, location and that’s it. Yikes.

A 16 year old no doubt has social media, so I started there. I put my google dorking skills to good use and found a school article with her photo, her Facebook, Insta, Pinterest, TikTok and YouTube accounts pretty quickly. Although there wasn’t much information on my missing person (MP), she had quite a unique name so that made it quite a bit easier to track her down quickly. For privacy and security reasons I suggest your future children’s names should be John and Mary Smith.

The MP’s accounts were quite shut down and didn’t reveal too much information and after checking her handles for any unique usernames, which there weren’t, I was pretty stumped. So, I submitted the accounts I had found and then pulled up the judging categories which we were given. The judging categories show you how many points you can receive for certain flags; they act as a schema for you to move through.

Part of the judging categories.

With such a unique name, I thought I would try and find some family. Going off the surname and the area. Bingo. Found a bunch of people with the same surname and pictures of the MP. Although none of them had shared the MP’s missing case profile publicly which was vastly different to the last missing persons case I worked on where friends and family were sharing the missing profile far and wide. This is where I made mistake number 2.

Mistake number 2- Submitting a flag without verification.
I came across an account with a lady who seemed to be around the appropriate age to be the missing girl’s mother. She had the correct last name; her cover photo included the MP and she noted how much she missed her. I dove into the woman’s profile. She had a unique username which helped me find a bunch of other accounts and information on her. It was clear that this woman struggled with her weight and mental health. She spoke about it often and created YouTube playlists around both subjects. Ah! I thought, maybe a relationship breakdown mixed in with mental health issues means that the MP lives with the father, hence the note on why she misses her. I submitted this flag and I submitted it as — mother of missing girl, with her Facebook profile link. But it was REJECTED by the judge.

What? But I’m so clever and I found some circumstantial evidence? When a judge rejects your submission, they let you know why. I checked the judge’s notes and it said that I didn’t provide enough information. I did not provide screenshots of the image of the missing girl’s photo from the profile, or the note saying she missed her, or images with the grandmother, or the YouTube channel and the playlists. I just put forward the flag in its most basic form. Big mistake.

I’m unsure as to what possessed me to submit such a basic flag with no supporting evidence. Report writing for any investigator is the most important thing about what you do! You have no investigation without your report and evidence to back it up. *Insert facepalm here.* I think because I assumed so many other people are working on the same case as me, the judge would have seen the flag and it would be accepted. Easy. But the thing is, even if someone did submit that flag, they may have found more or different evidence and come to a different conclusion to me. Maybe they concluded she was an aunty? Or a big sister. Maybe a family friend from church.

When you submit a flag, you must show the evidence, even if it is circumstantial, to show your thinking and how you came to your conclusion. Just assuming everyone is doing the same thing as you, or that the judge already knows, is a mistake. The next mistake happened in quick succession…

Mistake number 3— thinking the MP’s grandfather was her father!
This mistake was a mix of two things — not verifying my flag properly like in mistake number 2 and forgetting the curation process of the images we put of ourselves on social media. Again, thanks to the unique name I found a man in the area who also had pictures of our MP. He looked fairly young and had multiple accounts. He lived not too far from the MP’s school and had the most recent photo of the MP I could find coupled with an image of a woman that I thought might have been his girlfriend (turned out it was his daughter). The lesson here was that we don’t put crap pictures of ourselves online. We post nice photos where we look young, beautiful, sexy, the light is hitting us just right, we have filtered and may have tinkered with a little bit in Facetune. We don’t post the photos of us sitting around the house with bad light, no make-up, terrible hair days and which make us look old. This grandfather looked like a suave middle-aged man- until I found an image of him at a BBQ with the grandkids where he looked like your normal grandfather.

Reality Vs Instagram.

When we are scouring the internet for other accounts of the same people, we have to keep the profile image curation process in mind. Some people look completely different from photo to photo, some people look the same and others look half their actual age. This even applies when your investigation moves online to offline. People look different so don’t make assumptions on age, even gender can be hard to pick. Verify verify verify. This is where unique identifiers come in also. Tattoos, piercings, scars, etc. So always keep an eye out for them as they will really help with identification.

Key Takeaways:

  • Register as soon as you can, don’t leave it until the day!
  • Don’t submit flags without the appropriate screenshots and information. Verify. Verify. Verify. Document. Submit.
  • You can use the judging categories as a schema to keep you on track and give you ideas as to what you should be looking for.
  • Judges give you feedback so even if your flag is rejected, have a look at why, correct it and resubmit.
  • Don’t make assumptions on people’s age, gender, relationship or anything without verification.
  • Don’t forget to look out for unique identifiers!

All in all I am super happy with how I went. I was a lot less sporadic, I didn't fall down conspiracy or family drama rabbit holes and I believe I found some relevant information. We came 61st out of 171 teams with 41 flags submitted totaling 1285 points which is a fantastic effort by our team!

I can’t recommend these CTFs enough to people who are starting out in the OSINT world and even old hats. It’s such a great cause because these are real world scenarios with real missing people. I know my takeaways and mistakes are quite simple in nature but sometimes it’s the simplest things we overlook.

To learn more about Trace Labs head to https://www.tracelabs.org/

Thanks for taking the time to read! Make sure you say hi :)

CSY
