CTF Flag and Category Changes

Summary

If you’ve competed in a Trace Labs CTF over the last several years then you haven’t seen many changes in the structure of our Categories or in the Flags that we award points for.

We now have a lot of experience behind us and believe there are some opportunities for improvement in the way the CTF is scored and intelligence is collected.

Before we have the rest of this conversation, it’s important to reflect on the core purpose of these CTFs:

The points don’t matter. The prizes don’t matter. Winning doesn’t matter. What matters is empowering good people without a formal tech or investigative background to contribute intelligence to a missing persons case in a fun and safe way.

That being said, we believe the changes reflected below keep the contest fun for both contestants and volunteer judges while still generating quality intel for law enforcement.

Methodology

You’ll find that the lower point value categories now have less “explicit” flags. This means there are now less pieces of intelligence that will earn you points simply because they exist.

This does not mean that those old flags are not valuable to an investigation. It simply means that those old flags are not always useful to an investigation.

The lower point categories now have a “wildcard” flag where you can submit any piece of intelligence from that category you think is relevant. The key word here is “relevant” and it’s something you will have to explain your judge in the submission.

This change does introduce additional subjectivity in to the scoring of the competition. We encourage you to work with your judges on this process. Communication during the CTF will be critical to this process.

As always, our DMs will be open during the event to help resolve disputes. Additionally, we’re tailoring our Judge training to address these Flag and Category changes.

It’s DEF CON. Why are you messing around with the CTF?

It’s DEF CON. Why wouldn’t we mess around with the CTF?  Seriously, we think this is a step forward for the event and our community. What better place to try it out than with the greatest OSINT investigators in the world?

This is a big change. If you feel strongly about these changes (either positive or negative) you can always reach out to humanDecoded: tom.hocker@tracelabs.org and belouve: alex.minster@tracelabs.org. We’re a community and your feedback matters to us. The changes outlined below were made in collaboration with the TL leadership team along with veteran community members but we obviously weren’t able to collaborate with everyone. Let us know what you think.

For reference, the old categories and point values are still live in the Judge and Contestant guides found here:

https://www.tracelabs.org/initiatives/search-party

‍

_________________________________________________________________________________________________________________________________________________________________

The categories and flags listed below represent our best effort to stay true to the intention of the CTF listed above.

Just a reminder: We cannot accept any intel from speculative sources (opinions about the MP's case being discussed on Reddit for example) or from news outlets. Generally speaking, information regarding the MP reported by news outlets would likely be known to law enforcement either before or after the news publication.

Friends - 10 points

Relevant information involving friends of the MP

“Relevance” will be determined at the discretion of the volunteer judge

• Social media profiles of friends shown to interact with MP
• Information involving friends of the MP relevant to the investigation. This may include meaningful interactions from Friends with the MP, meaningful photographs on Friend’s social media accounts, insightful comments from Friend’s concerning the disappearance of MP and so on….

Employment - 15 points

Relevant information involving the MP’s Employer(s)

“Relevance” will be determined at the discretion of the volunteer judge

• Name of current or previous employer(s)
• Address of current or former employer(s)
• Information involving MP’s employment relevant to the investigation. This may include information about MP’s behavior at work, MP’s feelings toward employer and so on…

Family - 20 points

Relevant information involving the MP’s Family

“Relevance” will be determined at the discretion of the volunteer judge

• Social media profiles of family members relevant to the investigation
• Social media comments from family relevant to the investigation
• Information about MP’s family members relevant to the investigation

Home

This Category has been removed and any relevant flags captured under Basic Subject Info

Basic Subject Info - 50 points

Basic information concerning the MP relevant to the investigation.

“Relevance” will be determined at the discretion of the volunteer judge

• Aliases/Handles
• Relevant photos that would contribute to the investigation. Examples of this may include photos showcasing different hairstyles, manners of dress or other physical characteristics not mentioned in the MP report for example
• Forum profile(s) and/or relevant posts
• Dating site profile(s)/posts
• Social Media profile(s). Examples of this may include Facebook, Twitter, TikTok, Reddit, Instagram, LinkedIn and so on…
• Any other online persona or profile. Examples of this may include. Github, Adult Entertainment websites (either customer or content creator), Gaming profiles, Etsy, Pinterest and so on….
• Personal websites
• Email address(es)
• Any other basic information about the MP relevant to the investigation as explained in your submission

Advanced Subject Info - 100 Points

Information about the MP that goes above and beyond Basic Subject Info relevant to the investigation

“Relevance” will be determined at the discretion of the volunteer judge

• Unique physical identifiers (e.g. tattoos, scars, piercings)
• Major medical issues/conditions. Can be physical or psychological
• Any information about where the MP might have gone. May include social media posts, social media interactions or recollections from friends/family for example
• license plate of vehicle(s)
• make and model of vehicle MP may be traveling in
• Breached Passwords: Must show hashed or cleartext password and associated account(s)
• Previous missing persons history - this is the only instance that reports from a news outlet will count for points
• Evidence of MP being deceased
• Evidence of MP being no longer missing
• Any other information about the MP that transcends Basic Subject Info relevant to the investigation

Day Last Seen - 300 Points

New Information about the last day the MP went missing

• Details about subject's physical appearance on day last seen (clothing, hair, etc) not stated in MP report
• Details of subject's state of mind on day last seen (mood, altercations, conversations, etc)
• This information could come from Friends/Family or from the MP themselves
• Any other new information about the MP on their last day seen relevant to the investigation

Advancing the Timeline - 700 Points

Information showing activity from the MP after their missing date

• Activity from a social media account (including aliases) exclusively controlled by the MP after they went missing
• Location information since subject went missing, up to the current date. An example of this would be information pointing to a city they were likely living in today (while not narrowing down their actual physical location)
• Account creation after day last seen
• CCTV picture/video of MP
• Any other information that showcases MP’s activities after they were reported missing

Darkweb - 1000 points

Your submission must originate from a .onion URL to be considered Dark Web - Eg.• http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion and must only exist on the Tor network – Eg. http://facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion would not count as Dark Web

• Pictures or details of subject on human trafficking related dark web sites
• The sale of goods by the subject on the dark web
• Any activity or post by the subject on the dark web

Location - 5000

• Relevant information pertaining to the current location of the subject. Current location being defined as: Exact location/address the subject has been in past 24 hours, or will imminently be present at. Broad geographical descriptions will not count for this category
• As this is the highest point flag, it will require the highest level of accuracy and thoroughness in reporting and context. Speculation has no place in this intel
• This does not include a police update saying the person was found or an obituary - this will get you 100 points and can be submitted under the category Advanced Subject Info

‍