Detective for a Day: Winning the MVO at a TraceLabs Event

Motoko Ayanami
5 min read · Jun 10, 2024

A while has passed since my team won the MVO at a TraceLabs event, and I’ve been contemplating writing down some of my experiences so they aren’t forgotten. Information on how a team wins an MVO often seems shrouded in secrecy, but I want to show that it’s not always overly complicated. In my case, it involved a fair amount of luck and making strategic choices within the limited time of the event. Please note, I won’t be sharing any real names or information in this write-up to respect the privacy of the missing person involved. Additionally, it’s against the rules of TraceLabs to discuss the specific details of our findings.

Before diving into the story, I want to explain what TraceLabs is for those who may not be familiar. TraceLabs is a non-profit organization dedicated to crowdsourcing open-source intelligence (OSINT) to assist in finding missing persons. They organize Capture the Flag (CTF) events where participants use their skills to gather valuable information and provide leads to law enforcement agencies, making a tangible impact in real-world cases. You can read more about it here: https://www.tracelabs.org/

The first part of the puzzle was finding the missing person’s email address. This is usually the most valuable piece of information in my process as it opens up many doors. For this write-up, I will create a stereotypical fictional name for this missing person: let’s call them “John Doe”. What I did was manually create a short list of possible email addresses. It sort of looked like this:

john.doe@gmail.com
john.doe@hotmail.com
john.doe@icloud.com
john.doe@outlook.com
john.doe@yahoo.com

If I were to do this again, I would definitely use some form of automation. The website NAMINT is particularly useful for generating email permutations based on a first and last name.

Figure: Generated Email Permutations Using NAMINT: Streamlining the Search for Key Information in OSINT Investigations

The next step is to determine if any of these generated email addresses actually belong to the missing person. Fortunately, there are a few ways to do this. At that time, I used Epieos, which allows you to enter an email address and, if the account has an uploaded profile picture, it will display a thumbnail of the picture. If I were to do this now and had some money to spare, I would use OSINT Industries, which simplifies the process of pulling information about an email address.

I got really lucky when one of my permutated email addresses landed me a profile picture that matched the missing person. To confirm the match, I always use AWS Rekognition. With an AWS account, you can upload a real picture of the missing person and the suspected matching picture. The Rekognition platform uses AI to compare the images and determine if they are a match.

Figure: Using AWS Rekognition to Compare Images and Confirm Matches: An Essential Step in OSINT Investigations for Finding Missing Persons

My next step was to input this newly confirmed email address into Have I Been Pwned and other free data breach search engines. These tools notify you if your email address has been compromised in any data breaches. Some of these services provide partial details of the breach upon account registration, while others offer comprehensive details through a subscription fee.

TraceLabs explicitly states that they do not accept submissions that cannot be verified for free by the judges. Consequently, if breach information is behind a paywall, it cannot be submitted. This presents a challenge but not an insurmountable one. Various resources on the internet and dark web allow free searching and downloading of data breaches. I will not disclose these places for ethical reasons and because they are frequently shut down and relocated, rendering links potentially obsolete by the time of reading.

Despite these challenges, I successfully identified a match for the email address on a popular dating site that had been breached twice. Three of the table column names from this breach were particularly significant for the search. Can you spot them?

{
"id": "",
"first_name": "",
"last_name": "",
"user_nicename": "",
"user_email": "",
"email_status": "",
"user_status": "",
"widget_guid": "",
"sex": "",
"interested_in": "",
"relationship": "",
"birthday": "",
"location_id": "",
"latitude": "",
"longitude": "",
"zipcode": "",
"country": "",
"discoverable": "",
"user_activation_key": "",
"media_request_id": "",
"user_registered": "",
"last_login": "",
"last_flirted": "",
"last_available": "",
"lastupdated": "",
"migrated": "",
"height": "",
"ethnicity": "",
"education": "",
"religion": "",
"politics": "",
"children": "",
"smoking": "",
"drinking": "",
"bodytype": "",
"income": "",
"pets": "",
"settings": "",
"currency_id": "",
"balance": "",
"provider_map": "",
"photo_source": "",
"photo_count": "",
"locale_id": "",
"timezone_id": "",
"source": "",
"is_remarketed_to": "",
"dscore": "",
"rscore": "",
"sscore": ""
}

The three crucial columns were “latitude”, “longitude”, and “last_login”. These key pieces of information indicated that the missing person had been active on the site after their disappearance and provided the GPS coordinates of their location. While it is unclear whether these coordinates were from the account registration date or the last login date, this information is nonetheless invaluable in the effort to locate the missing individual.
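As an added example (not the author's code or part of the original write-up), this Python snippet checks one record in the schema above for the two signals just described: a `last_login` later than the date the person was last seen, and a usable coordinate pair. The timestamp format, the sample record and the `LAST_SEEN` date are constructed assumptions, since the page shows column names only.

```python
from datetime import datetime, timezone

# Assumed timestamp layout; the page shows column names only, not value formats.
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_ts(value):
    """Return an aware UTC datetime, or None for empty/unparseable values."""
    try:
        return datetime.strptime(value, TS_FORMAT).replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return None


def parse_coords(record):
    """Return (lat, lon) only if both fields are present, numeric and in range."""
    try:
        lat, lon = float(record["latitude"]), float(record["longitude"])
    except (KeyError, TypeError, ValueError):
        return None
    if not (-90 <= lat <= 90 and -180 <= lon <= 180):
        return None
    if lat == 0 and lon == 0:  # common "unset" default, not a real fix
        return None
    return (lat, lon)


def triage_record(record, last_seen):
    """Summarise what one record can and cannot support as a lead."""
    last_login = parse_ts(record.get("last_login"))
    registered = parse_ts(record.get("user_registered"))
    coords = parse_coords(record)
    return {
        "active_after_last_seen": bool(last_login and last_login > last_seen),
        "registered_after_last_seen": bool(registered and registered > last_seen),
        "coords": coords,
        # The record carries no timestamp for the coordinates themselves.
        "coords_time_known": False if coords else None,
    }


# Constructed sample record and date; not data from any real breach.
SAMPLE = {
    "user_registered": "2019-03-02 18:40:11",
    "last_login": "2021-07-15 09:12:44",
    "latitude": "45.4215",
    "longitude": "-75.6972",
}
LAST_SEEN = datetime(2021, 6, 1, tzinfo=timezone.utc)
```

`coords_time_known` is always `False` when coordinates are present, which encodes the caveat above: the record does not say whether the position dates from registration or from the last login.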

At the beginning of this write-up, I mentioned that I was lucky and made strategic choices. Let me explain what I meant by that. When the event started, this missing person had an email address that was known to everyone. I can’t remember if it was part of the information provided by TraceLabs or if it was easily found with a quick Google search. This meant that all the teams would be using this particular email address in their investigations. When provided with an email address, it’s easy to overlook the possibility that the missing person might have additional email addresses.

During these events, we often find that some missing people have up to 5–10 different Instagram and Facebook accounts. So, why should we automatically assume they only have one email address? I made the decision to search for another email address, and this gamble proved successful. When I submitted this information to the judges, I didn’t expect it to land us the MVO, so it was a pleasant surprise when they announced the winners at the end of the event.

I am very grateful for the opportunity TraceLabs provides to us hackers, allowing us to use our skills for good. Winning the MVO was an honor, but the real satisfaction comes from knowing our efforts are helping. My team was instrumental in providing support along the way, and I’m excited to keep contributing and making a positive impact in the future.