Things You’ll Wish You’d Known Before Your First Search Party CTF

‍

(But you’re reading this, so you WILL have known them)

Know With What You Start <--> Start With What You Know

Every investigation has to start somewhere. Take your time and familiarize yourself with the information that you already have. You may have more in front of you then you realize at first. The information you start with will be the foundation that your entire investigation is built on. This information can be used to verify additional pieces of intelligence as you gather them. 

For example: If you have a picture of a person then you can use that to verify social media accounts. Or if you know their age then that could be used as well. If you know someone is 17 but the account you’re looking at on Instagram is posting recent pictures from their 21st birthday then that might not be the right account.

In an investigation, the validity of progress is much more important than the pace of progress.

I’m Somewhere Else. Now What?

Congratulations. You found your first piece of social media intel. Once you are somewhere, refer to the section above: What do you see? What do you know? What does that mean? Once you’ve verified your current intel is correct, take some time to understand what you see in front of you. Finally, ask yourself where you can go from here and what you can use to get there. 

Do you see links to other social media platforms?

Do you see a unique handle that could lead to accounts on other platforms? 

Are there pictures that might be reused on other accounts?  

Pivot. That’s it. That’s the expression. Pivot.

Think about how many things you reuse every day in the physical space: Same belt. Same coffee cup. Same jokes. Cyberspace is no different. Most people are going to reuse things across accounts/platforms. If you follow the first two steps above you should have some pieces of intel to pivot with. 

• Try searching their handle/username to see what pops up elsewhere.
•  Pictures? Search those as well!
•  Keep in mind the intel you’ve gathered along the way. 
•  The more intel you verify now, the more you’ll be able to verify later.

‍

Always read the comments. Seriously, the best OPSEC in the world is no match for the people interacting with an account. 

Remember, the account you’re looking at isn’t the only one sharing information on a given page. What are other people saying? Is it valuable?

‍

‍

‍

‍

‍

‍

‍

‍

‍

‍

‍

                                                                                                                           2-16-21 -> Challenge Unlocked

                                                                                                     2-17-21 -> Challenge  Closed. Thank you all for participating

Would you like to play a game?

‍

Tom and Alex are the authors of this blog post. Do some digging and see if you can find the flags below.

‍

After reading the above article you have all the tools you need to track down the following flags: 

• Tom’s Slack handle in the Trace Labs slack channel
• Alex’s Slack handle in the Trace Labs slack channel
• Toms’s Twitter URL
• Alex’s Twitter URL
• Tom’s personal YouTube URL
• Tom’s phone number

‍

First 5 to collect all five flags get a free GA ticket for this weekend's Search Party CTF

Email the flags to: content@tracelabs.org to claim your prize.