On July 28, 2018 in Toronto, Ontario, Canada the world’s first open source intelligence (OSINT) capture the flag (CTF) contest for missing persons occurred.
While CTFs are standard at most information security conferences to allow contestants to practice their skills win prizes, the concept of using a hackers online skills to locate real people is not. This event broke new ground and introduced the hacker community and showcased the value they bring to society.
Hackers are typically highly skilled individuals with high intelligence. As such they tend to question things rather than take it for granted. They like to understand how things work. If you have ever visited a “hacker space” you will immediately understand what I mean.
We often associate hackers with TV news clips of hacktivism and groups like Anonymous. While TV would like to dramatize and sensationalize the hacker with images of a teenager in a hoodie that hacks the government in seconds from a coffee shop, the fact is there are a wide variety of highly trained hackers out there and many just want to help people.
Trace Labs partnered with Defcon Toronto to create this inaugural event. Defcon Toronto provided physical space for over 150 hackers in a large room at the University of Toronto. Dozens of other hackers and information security enthusiasts joined virtually. The event started 8am Central and ran all day to close at 7pm Central.
Virtual teams that attended were from all over the world. The Trace Labs model is we have members from anywhere who operate any time. We never close and frankly don’t care who you are as long as your intel can be verified. In fact, we promote anonymity. One of teams were DevLeagueCyberLegends who were based out of Honalulu, Hawaii. Aloha!
Defcon Toronto did a great job of supporting those who were not able to be on premise with a live stream of the event. It can now be watched later by anyone: https://www.youtube.com/channel/UChP9O99C_yw7TqxOkes76-Q
There were some great sponsors for the event. This included:
The team Cyber Legends competing remotely wearing their new Hacker One gear.
At lunch the pizza was delivered and very quickly disappeared. OSINT is hard work so everyone had big appetites.
Robert Sell, the creator of Trace Labs gave a virtual talk via Google Hangouts which introduced Trace Labs. Trace Labs is a catalyst for the community to come together through crowdsourcing to find missing persons. It was the result of his profession in information security and volunteer passion in Search & Rescue (SAR). Robert spoke about his role as a tracker in SAR and the similarities of tracking someone in the woods to tracking someone on the digital landscape. He also advised contestants to conduct zero touch recon for two reasons: 1) we are only doing OSINT and do not want to interfere with any ongoing investigations, and 2) we need to be aware that any organized crime organization may have counter measures and if detected, OSINT operators are at risk.
After Robert’s talk, Lusia Dion from missingadults.ca came up to talk about the missing persons work her organization does. This really helped the attendees to understand that their targets were real people with real families. Their targets are someone daughter, son, husband, wife and loved one. She also helped to ensure everyone was aware of the dark world we were about to investigate which often involves drugs, prostitution and human trafficking.
In the afternoon Radar from DC416 gave a very good presentation on OSINT techniques and tools. Radar got into the details on tool selection and usage. Great opportunity for the attendees to learn which tools to try out.
The competition really took off as over 50 teams began contributing data. Soon there was over 2000 separate evidence submissions for the judges to sort through and verify. Teams quickly found intel and began chasing down locations of subjects. Two teams quickly dominated with high points which were: BlueTeamNinjas, CyborgBandits and DeskPawCheeto. Out of the gate they scored very well. The BlueTeam had a great strategy of diving resources and looking at different intel sources. This is similar to the technique used a by traditional trackers called “sign cutting” where you divide your resources and cut ahead. This worked out very well for them and prevented them from getting stuck.
Other teams that did very well included LowPrivs and GuidedKnights who had well thought out submissions. All teams were very active and achieved at least a foundation of intel. It is expected that if they had time, most teams would have ultimately done very well. There was some great expertise in the room and online.
Ultimately, the TeamCyberBandits were the winners. Great team work and dedication. While they were the winners and get a prize, all teams were part of history today and made a huge contribution that hopefully can be used by authorities to find these people. This event has proven what is possible and has forever changed how we search for people.
It was amazing to watch teams progress. The following are some screen shots taken during the event which shows how teams collaborated:
Team silent-hawks went straight to Facebook to begin their search.
Team black-widow actually found the IP address for one of the missing persons. This was done by looking at breach information on one of the services that the subject used.
Team the-seekers were a Spanish speaking team who collaborated in Spanish. It was awesome to see this variety. Great job team! This is the international inclusion that we were hoping to achieve. Notice how they found details on favorite restaurant. This sort of information all adds up and helps.
Team meme-cabin quickly found a lot of information on Facebook then used that to pivot to other sources. Pipl gave up more data on their subject. Good use of limited data to expand their search.
Team the-meme-cabin found lots of info on this missing person which included an email address, a wireclub account and more.
Team the-meme-cabin found some good pictures on Facebook and also profiles on LinkedIn.
Team desk-paw-cheeto came across the unfortunate reality that some missing persons end up deceased. Sad stories.
Team duo-q actually found the location of the missing person. This was huge and may no longer be the current location but was a great bit of intel. Nice work!
Team duo-q found a last know picture of the subject. Also found a badoo profile with good intel. This scored them a lot of points and was likely newly discovered intel. Good work!
Team desk-paw-cheeto found the body of the missing person deceased. This was not updated on the police website yet so the public was not aware that this case is actually closed. The person who committed the was caught.
Team Blue-Team-Ninja quickly found updates on Facebook:
Overall the event was fun and interesting for contestants. Defcon Toronto did an amazing job at hosting the event. Trace Labs was very pleased to test the model and overall we contributed to the intel on these missing persons.
Huge thanks to Defcon Toronto and the generous sponsors who allowed this event to happen.
All information will be submitted to the respective authorities. Defcon Toronto will be making this submission and is working directly with their local authorities.
The Trace Labs OSINT CTF model is to work with the local information security or hacker group to support them with this and introduce them to OSINT professionals and the missing persons industry. Each CTF may function slightly differently based off that local groups preferences.
If you are interested in learning more about Trace Labs or want to partner with them for an event the website is: www.tracelabs.org and they can be found on Twitter at @tracelabs.org