BSides Portland | OSINT CTF

I had the opportunity to attend the BSides Portland event this year and I had a great time. There were some great talks this year and I feel like I’m walking away with more knowledge than I walked in with which is a success in itself. I also had the opportunity to participate in a missing persons OSINT CTF. Now this concept has only taken place a few times at most since it’s inception.

Trace Labs has planned out and launched the first of its kind “missing persons CTF”. It operates like a traditional “capture the flag” competition only instead of flags, you’re trying to collect information on actual missing persons that can be used to assist law enforcement and their families in finding them. I was surprised to be able to walk away grabbing second place working by myself but I was dedicated to doing everything I could during that time to tack people down. Before I talk about my experience, I am pleased to announce that 3 of the 8 people were actually able to be found (in the sense that we were able to establish their general location and that they were safe). Of those three, one was actually successfully reunited with their family already but the missing persons systems didn’t reflect that.


FINDING THE PEOPLE

Due to the nature of the competition, I won’t be disclosing personal details since they involve real people with real circumstances. What I will be doing is telling their stories and how in just a few hours I (and others in their own ways) pieced together puzzle pieces from publicly available information to locate these people registered as missing. This is only my part of the story and there are plenty of others who were doing investigating of their own to help make this a reality. While I don’t have specific names (their teams are on the scoreboard) they all deserve immense credit for giving up their time to this cause and forfeiting some pretty great talks to spend their time “competing”. Of the 3 found, I was awarded points, along with others, for the find. Since one was already reunited, I’ll tell the stories of the other two in as much detail as I can without identifying them.

RUNAWAY STAYCATION

The first target I ended up finding was a male minor. He had been listed as missing since March with no clear sign of having been found as of this date. Upon some initial searching, he had some social media profiles that appeared in Google but they had since been deactivated and were not cached. Eventually after crafting some pretty specific strings, I was able to dig up a second Instagram account that only had 3 pictures / videos on it, all from August, months after he had been missing. Two of the videos were from one event, multiple vehicles at night doing donuts amidst a pretty sizeable crowd. After a few failed searches, I was able to uncover this article which not only showed pictures of a strikingly similar event, it was posted a day prior to his social media posts. He was at the event from this article. In Portland.

This was a bit of relief as it verifies a couple of things: 1) He’s alive and 2) he’s okay. It also adds speculation that he’s potentially a runaway considering he’s not marked as found and he’s now identified himself among a crowd of illegal street racing and shows.

The last post on the Instagram account was… a SnapChat account. Now I have a SnapChat account but I don’t really know much about it. Someone next to me however, who was participating in a different CTF, leaned over to me and mentioned an interesting feature of SnapChat called “Snap Map”. Now if you’re wondering what it is, it’s exactly what it sounds like. The real question is if someone has enabled that feature or not. Much to my surprise, you’ll never guess who had it enabled…

I probably wouldn’t have found this one without Franklin’s help.

THE ELOPING FOSTER CHILD

The next person that I ended up tracking down was 17 year old girl who was in the foster system at the time she went missing. This was a story that actually turned out pretty interestingly. Thankfully, she had a pretty unique first name which made searching for her a little bit easier.

The first piece of intelligence I discovered on her was actually pretty suspicious. The day she went missing, there’s a record of a civil court case having been opened. Was it related? We’ll probably never know, but it definitely seems more than coincidental.

Next, I did some targeted searching on social media and found a Facebook post mentioning her name but not actually tagging a profile. I went digging through the comments and likes and what would you know, an account with the same first name but different last name showed up in the list. One click on that and we have a verified Facebook profile with public posts over 6 months after her reported missing date. Things have changed quite a bit for this woman in this time. I was able to establish the profile as having similar pictures to the one used on the missing persons ad as well as one from the same time frame that matched her description exactly. Her profile also touted some newborn twins and a husband. The profile listed her as down in a city in California and with that, I was awarded a “location” flag which is the highest available flag at 5,000 points with the next highest flag below it being only 1,000 points. As I continued digging for minor points to continue to build her information profile, I stumbled across yet another Facebook profile. Still hers, still a different name, and with public posts as recent as last week. This profile still showed off the newborn twins but it listed her back in Washington in the area she was missing from, as well as leaving out any mention of a certain male figure in her life. I wasn’t awarded extra points for this as I already had a “location” flag for her but I did update it for law enforcement’s purposes. It’s important to note that at this point, she’s now an adult. She hasn’t committed a crime so the only real resolution here is that her family can be assured she is alright which is all we hope for when taking these things on.

LESSONS LEARNED

OSINT is a powerful tool. People go missing for different reasons. The two I found happened to be runaways. One case that stumped me was a woman who had gone missing from a bar at 2am with a male suspected of malicious intent and neither have been found in over a year. Even the FBI has looked into it and not been able to turn up much. Other cases are simply runaways.

At the end of the day though, what gave these two runaways away was their social media. We volunteer so much information about ourselves to the general public and in the age of technology we live in, that information can be quite powerful. I don’t know these people and likely never will. Thanks to the power of the internet though and their freely submitted information, I was able to puzzle pieces together and track them down (again others did too, this wasn’t a solo effort but we weren’t necessarily cooperating during the course of this competition). It was a pretty fulfilling experience and also a pretty eye opening one as well. What can a stranger find out about you?


BONUS CONTENT

This competition totally felt like this: