conINT 2020 OSINT Search Party CTF, My High Level Approach

SAV OSINT
Nov 29, 2020

My setup

I had Parallels set up on my Mac, where I had a Kali Linux VM and a Mac OSX Catalina VM running. The Mac OSX VM was great because I used it to do my searching on social media. I have social media accounts under an alias that I use when searching for these missing people. I do want to get better at creating sock puppets by the next CTF. Kali Linux was great to have for running tools such as Sherlock, and for image reversing and potential dark web access. Another skill I want to improve is dark web hunting, and I hope by the next CTF I can leverage the dark web more to get flags.

During the time of this CTF, I was in the final month of my ExpressVPN subscription, so I was leveraging that when needed. However, I recently switched over to Proton VPN, and I look forward to using it for the next CTF.

Team Approach

Our team approach was to divide the missing people between the team. During this CTF, I investigated three of the five missing persons.

Subject 1

Subject 1 was missing for over 2000 days. My first approach was to check all social media. I started with Facebook and found a Facebook account for the subject, an updated location of where the subject was currently living and, more importantly, that this Facebook account was active. I was able to find family information, for example how many kids the subject has, their spouse, close relatives and so on. After collecting all the respective flags from Facebook, I checked LinkedIn for the subject, and I was able to find the subject’s current occupation, in the same city listed on their Facebook. At this point I knew that the subject wasn’t in the same city they went missing from and had moved to another country. These findings were good for several flags and points for our team.

I then proceeded to find the subject’s Instagram. The subject’s Instagram was public, so it was easy to analyze what the subject posted. I found out that the subject had a mark on their arm, a smoking habit and much more. These were more flags that got our team solid points.

I now wanted to find a potential email and address for the subject. To do this, I first tried searching the yellow pages for the subject’s country. However, I could not find anything. A tool like DeHashed could have helped in this case, and perhaps in future CTFs we can leverage DeHashed. DeHashed costs USD 4.50 for API access, and can be useful to get insight and information about a subject, such as potential emails and addresses. Please note that it is against TraceLabs rules to submit a flag that is behind a paid firewall, but DeHashed can be leveraged to find specific details to help with further investigation. I was unsuccessful in finding an address or email for the subject.

Later in the investigation, I came across a Facebook page for the subject, and it was some sort of memorial for the subject. It was evident looking at this page that the subject had passed away. This was another flag for our team.

This missing person was able to give our team great flags, but most importantly I hope that the subject’s family stays strong upon hearing the news of the subject passing away.

Subject 2

Subject 2 was challenging to find information on. I was able to find the subject’s TikTok and Facebook. I was also able to find a common alias/username that the subject went by. When I ran this through Sherlock, I was able to find more social media accounts for the subject (such as Pinterest, Tumblr and more). One of the subject’s social media accounts showed the location of the subject, which was different from the location they went missing from.

Subject 3

Subject 3 had a wide cyber footprint, as they had accounts on social media such as Facebook, Instagram and Twitter. The subject’s social media was able to give us solid flags, as I was able to find the subject’s guardian and mother. Using DuckDuckGo, I put the subject’s name into the search engine, and I came across a YouTube podcast where the hosts were interviewing the mother and guardian of the missing person. This podcast helped me get many flags, such as specific information about the subject and their behaviour.

This was a high level overview of my approach in this CTF and helping team SAVOSINT come in fifth place. A big shoutout to Adrian from TraceLabs, and the rest of the TraceLabs team for hosting these CTFs.

I am looking forward to February 2021 for the next CTF, as the team and I want to build upon our fifth place finish and continue to use our skills in OSINT to help make a positive difference.

Syed Ali Turab

Referenced the following writeups:
