TraceLabs Global Search Party 2021-02: Mentoring LHS
So this weekend I was lucky enough to compete in the TraceLabs Global Search Party CTF, and I was even more lucky to mentor the LHS Alpha team. I’ve been wanting to mentor a team for a while, pass on some of my tradecraft from some of the previous competitions and wins, impart the mindset required to compete and help find intel on missing people.
Firstly, I’m incredibly proud of the team. We did exceptionally well and placed 12th out of 200-odd teams, and for one of the team members, Reg, it was her first ever TL CTF!
Team Members:
- Tanya
- Helen
- Reg
- Me
They were all delighted with their place, and I’m sure they are all set to achieve great things in the future! This is but the beginning of their journey!
Methodology
I wanted to share some of my methodology for competing in TraceLabs Global Search Parties, as this may also be useful for you whether you’ve taken part before or not.
Mental Prep
This is the most important thing to consider before you take part in a TraceLabs CTF: are you mentally prepared for what you might uncover? We never know the cases before we start the CTF, or the circumstances that led to the target going missing, so you might discover something that you find uncomfortable.
Mentally preparing yourself for this before you go into a CTF is vital. If you know you are potentially at risk of being impacted by say seeing something disturbing on the darknet, or finding out the target has been abused, then ensure your team knows this, and you take the steps necessary to take a break the second you feel uncomfortable or overwhelmed by what you have discovered.
Theluckymon wrote something on this in her post, and I recommend you check it out here. Nicole Beckwith also did an amazing talk at conINT on this very subject.
Stock up
Now this seems like an obvious point but you defo need to stock up on Coffee, Water, Snacks, and anything else required to get you through the next 6 hours. I also recommend plenty of fruit, feed the body, feed the mind.
Pre Flight Checklist
Things always seem to go wrong when you least need them to, so always (and I mean always) be mindful of this. Have you checked your VM? Are all the tools and the image up to date? Do you have all the bookmarks you need, and do they all still work? Are your sock puppets still active, and when did you last log in to check? Have you checked out the latest techniques and tools from groups such as OSINT Curious, or my Weekly Newsletter (shameless plug, I know!)?
Are you truly ready?
If you haven’t set up your sock accounts yet, you can always use my handy workflow below. Thanks to WebBreacher and Jake Creps for the ideas on swapping EXIF ❤
Team Prep
Whilst you don’t have to take part in a TraceLabs CTF as a team, it is highly recommended. The learning experience is magnified by combining ideas and different approaches to finding intel on targets. In the past when I competed with The Many Hats Club team we constantly bounced ideas off each other, and constantly would cross verify our intelligence to ensure we hadn’t missed anything.
It is highly recommended that you set up a Discord, Slack, Teams or whatever you feel comfortable with, to share ideas and keep each other motivated. Having a voice channel open for the entire competition is crucial not only for motivation, but can be pivotal for refocusing efforts on a particular target.
If you have a team, make sure you meet before the CTF, ideally a week (or more) before the event, to decide on your strategy. If you don’t have a team, make sure you head to the TraceLabs Slack, where there are always people on the day still looking for team members! You never know, it could be the start of an amazing OSINT journey.
Ready, Set, GOSINT
I wish I could tell you that there is some super secret method for how The Many Hats Club team originally won 3 back to back TraceLabs CTFs… but there isn’t one, no special techniques (maybe darknet), we didn’t even use any automated tools.
But the key was following and pivoting off the data.
Every post, image, every data point is a potential lead. For example what can you see in the background of an image, is there evidence of the target smoking, using drugs, what landmarks can you pick out. Who else is there with them?
What about the target, can you identify any tattoos, birth marks, scars, unique moles, piercings, etc.?
If the target has taken a selfie, can you see the make of the phone in any reflection, can you identify anything else from any reflection such as their car?
Now this is a competition, and everyone wants to win, however the objective is to find intelligence that can help Law Enforcement successfully locate the missing person. Every submission should have a reason for being included. Let me explain.
So you find the profile picture of one of the targets and you submit that to the judge. It gets accepted.
You look through the profile of the target and you find another image. Now ask yourself, what does this tell Law Enforcement, and why is this image useful? What have you identified over and above the fact it’s another image of the target?
Some examples could be EXIF, identifying marks, or the fact the post was edited after the person was reported missing. Maybe a reflection that shows the phone model. Maybe the image shows clues to where the subject was heading, or the state of their surroundings?
There are so many ways to pivot off data: reverse image searching, checking username reuse, and also checking whether the missing person has more than one account on the same platform (which is very common). The key is following the data and contacts, harvesting the potential leads from each post, image, email, and phone number, and then pivoting and repeating. I’ve created a rough process to show some of the steps you can take. It’s by no means complete, but it’s a start and hopefully helpful.
Summary
Taking part in a TraceLabs CTF is both exhilarating and rewarding, as you are using your OSINT skills for good. Whether you are starting out or have competed before, every submission you make is potentially one step closer to Law Enforcement successfully finding the missing person.
I thoroughly enjoyed mentoring LHS Alpha, and it’s great to see how everyone pulled together through the CTF.
If you’ve never taken part I cannot recommend it highly enough, the trouble is when you start, you won’t want to stop. In the words of Angus “OSINT is the drug your mother never told you about”…