The OSINT Newsletter - Finding Missing Persons - Trace Labs CTF Review (DEFCON 31)
An overview of the tools, tactics, and techniques I used in the most recent Trace Labs CTF
👋 Hey, everyone. This is a special edition of The OSINT Newsletter. In this issue, I’ll be going through a few methods my team and I used to help find missing persons at the DEFCON 31 Trace Labs CTF. Our team won the bronze badge in this CTF. In previous CTFs, my teams have won silver and black badges. I’m now on the hunt for MVO!
🗒️ This issue is also a great guide for investigations in general but has special applications for missing persons. Don’t skip if this use case appears irrelevant to you!
🙏 This issue is free to all subscribers. My hope is to raise awareness of how OSINT can be used for good to find missing persons. If you’re already a Trace Labs contestant and want to improve, this issue is for you. If you’ve never heard of Trace Labs before, consider checking them out and supporting their cause. Thank you for reading.
🚨 I want to give a special shoutout to Epieos. Epieos made the OSINTER tier of their reverse email and phone number tool free to use without login required specifically for the Trace Labs CTF. 👏👏
😿 The referral program is currently suspended. I’ve had too many people referring disposable emails to earn rewards. This is unethical and has ruined it for everyone.
🪃 In case you missed recent newsletters, here are a few links to help you catch up.
Let’s get started. ⬇️
If you’re new to the Trace Labs CTF or need to improve your basic OSINT capabilities to get into the top 50, check out these videos. They provide a good primer for newcomers or investigators with limited experience. If you’re already placing in the top 50, consider moving on to the next section.
It never hurts to review though. 🤷
📺 How Cyber Pros Use OSINT To Help Find Missing Persons (Tracelabs CTF)
A team of cyber professionals was interviewed about their experience competing in the CTF. They discuss the skills needed and how you can get involved in the next event. This will help you go from 0 to 1.
📺 Finding Missing People using OSINT (Tracelabs Recap)
My teammate Cody Bernardy created a video after the DEFCON 31 Trace Labs event. He spent a lot of time analyzing videos that had one of the missing persons in them. By watching older videos, he was able to find many 50 and 100-point flags that wouldn’t be found by just looking at text.
📖 Trace Labs Flag Categories Guide
OSINT Tactical wrote a guide based on his own experience with Trace Labs CTFs. It includes tips for each category. This is similar to what I’ll be doing in this issue. If you find yourself struggling with a certain category, give this a read!
If you’re stuck…
💭 Before considering any of the steps in this guide, I wanted to bring up one point. Most missing person cases start with only a name and an image. Sometimes you get a social media profile but it’s not common. If you’re struggling to find your first lead, consider the following.
🏴 Reverse image search the images from the missing person report in Pimeyes. This might be the first lead you need to begin your search. If you don’t want to pay the $30 for Pimeyes, run the search through Pimeyes, take the found images, and run them through Facecheck.
💭 In my experience, the same images are indexed in both (for the most part) but the facial recognition mechanism for Facecheck is weaker. You can sometimes find exact matches with URLs revealed (Pimeyes paywalls). Next, find new links that aren’t to the missing person reports and submit any useful information in the respective categories.
🗒️ This method led to an escort website where one of the missing persons’ images was matched. I’m stupid and thought it was a false positive so I didn’t submit it (the hair was different and I didn’t recognize the tattoos). Another team took home MVO with this submission. 🤦‍♂️
Friends - 10 points
🏴 Search for the missing person’s name on Facebook, YouTube, Reddit, TikTok, and other social media platforms. Look for people posting about the missing person. Capture their usernames or display names and resolve them into an identity. Determine whether they’re family; if not, submit them as a friend.
🏴 Pivot on those usernames to find other social media profiles of the friend where more information about the missing person may be posted.
🏴 Sometimes friends will post images with the missing person. Those images typically aren’t found in missing person reports or the missing’s social media profile. Details from that image can be used for other flag types.
🏴 Look for any comments or tagged posts in the friend’s profile mentioning the missing person before the person went missing and the friend posted about them.
💭 In the DEFCON 31 CTF, I found a Facebook photo a friend posted about one of the missing persons. He was wearing glasses in the photo and that detail wasn’t present in the missing person report. The image also had the missing person’s son in it which also wasn’t mentioned in the report. These details turned into 110 points: friend, glasses, son.
Employment - 15 points
🏴 Search for the missing person by name first, then add any found locations as add-ons if the name is too common. If you find a profile, submit it and get 15 points. Only submit it if there’s an image and verifiable information. Don’t submit a blank profile.
🏴 If you find an employer on LinkedIn, submit each of the employers as individual submissions. You might get knocked for farming but it’s worth a shot. Don’t submit self-employment or any MLMs.
🏴 Find the addresses of known employers and submit these as well. 15 more points each. If it’s a larger company, find the address closest to the missing person’s known or previous addresses. Don’t submit a New York office address if your missing person is from Nebraska.
🏴 Look through recommendations to find former colleagues or supervisors. These people can be classified as friends and the recommendation might reveal more details about the missing person.
💡 Sign up for Signalhire or a similar service for the CTF and get the browser extension. When you find a confirmed LinkedIn profile, run the browser extension to try to find contact information. You can often find phone numbers and email addresses using this method. More flags, more pivots.
💡 If you’re looking for additional points at the end of the CTF, try Indeed Resume Search. Indeed Resume doesn’t allow you to search by name but it does allow you to search by keyword and location. Enter the employer and location you found on LinkedIn and look for it on Indeed. You might find additional employers, education, or other details.
🗒️ Don’t spend too much time on the employment section. Find the easy flags and move on. It will take 10 employment submissions to get the same number of points as 3 basic subject information submissions. In my opinion, basic subject information is sometimes easier to find than employment.
💭 If you find a LinkedIn profile that has information in it, this should create 15-45 points, a Signalhire pivot, and an Indeed pivot. Follow those pivots, collect some more points, and stop with employment. You will lose.
Family - 20 points
🏴 Sometimes local newspapers will publish a story about the missing person. These stories often include family members, especially family members they live with. Take those family names and search for them on social media.
🏴 Like the friends category, search for the missing person’s name on Facebook, Reddit, YouTube, or any other social media platform that allows for comments. Look for posts by people who have the same last name as the person or look visually similar. Confirm they’re family by searching within images or looking for other context clues.
🏴 Use a combination of Google Dorks and people search engines. This will give you several leads to check on social media platforms like Facebook to verify. This is time-consuming, though. Unless you’re short on leads I’d advise using this method last.
Unless the missing person has an incredibly common last name, consider the following method:
site:thatsthem.com OR site:truepeoplesearch.com intext:"missing person's last name" intext:"city + state"
🗒️ Finding family members’ social media profiles is an easy 20 points. Once you find their profile, finding comments from family relevant to the investigation is also a 20-point flag. This effort might also lead to the address of the missing person, which can be helpful in other flags or help identify sexual predators in the neighborhood.
In the last Trace Labs CTF, I was able to find several profiles of family members in a missing person case that had few leads because the missing was a young minor. This led to several submissions that ended up being the 40-point lead we needed to grab third place.
Basic subject information - 50 points
🏴 Try to find an email address. This will lead to several 50-point submissions. You can often find email addresses on ThatsThem, TruePeopleSearch, and other people search engines; you can also find them on social media profiles. Verify the email and submit for 50 points each.
🏴 Extract usernames from the first half of the email address. Run that username through Whatsmyname, Sherlock, or another username tool. Verify that the username matches the missing person. Submit for another 50 points per relevant profile plus a general submission for a valid username.
🗒️ Don’t submit empty profiles or profiles without profile images. Judges often classify this as irrelevant.
🏴 Try to find phone numbers. Like emails, this will lead to several 50-point submissions. It’ll also lead you to social media profiles with the right tools. You can find these using the same person search engines and by analyzing social media profiles.
💡 You can also get tips from area codes. This can give you the current or previous regions where the missing person has lived.
🏴 Once you have email addresses and phone numbers, you can use tools like Dehashed to find more pivots. While you can’t submit Dehashed links to Trace Labs, you can use the data found to reverse back into people search engines or run newly found emails and phone numbers into popular tools for more information.
🗒️ Before paying for Dehashed, you can check an email address in their free search engine and see if there are results. You can also run it into haveibeenpwned to see if it’s part of known breaches (where Dehashed gets its data from).
🧰 Tools: Epieos, OSINT Industries, Castrick Clues, Dehashed, Email Rep, That’s Them, TruePeopleSearch, Seon, Defastra, Whoxy, Poastal, True Caller, Nuwber (just to name a few)
Advanced subject information - 100 points
🏴 Search images on social media for any tattoos, glasses, hairstyles, piercings, etc. These details can score you 100 points each, depending on relevance.
🗒️ Before submitting, make sure these details aren’t already listed on the missing person report. Some images can contain multiple details you can submit separately with the same evidence.
🏴 Search within social media profiles for the word “doctor”, “hospital”, or “sick” to see if there’s any information that will reveal a medical condition. This is valuable information for law enforcement.
🏴 If you find an image on their social media profile of a vehicle, submit the make and model if you can. If you’re not a car person, try using CarNet.
🏴 If the license plate is visible, submit that separately. This can also give you the current or former locations the person has lived in.
💡 You can also run a Facebook search for the plate number; Facebook has OCR built into its search capability. I’ve found new images using this method in past CTFs.
🏴 Geolocate any photos where the missing person is often found. This can give you more details about a pattern of life or possible unusual travel. (MVO potential).
💭 I once geolocated a Domino’s pizza found in an image in a past CTF that gave evidence of the missing person being in a different state than what was shown on their record. This image was taken a few days before the person went missing. I didn’t get MVO, sadly. 😿
🏴 Any behavioral information such as suicidality, drug addiction, evidence of being an escort, etc. is very useful information for this category.
💡 Look for semicolon tattoos, any images of drug use or partying, etc.
Day last seen - 300 points
🏴 Use date filters for ~3 days before and after the day last seen. Apply this filter to any social media platforms you’re analyzing and to any Google Dorks you’ve applied to your search strategy.
🗒️ Clues from the 3 days before the day last seen will give you possible leads; clues from 1-3 days after the day last seen may simply have been delayed getting online.
💡 Keep the dates the missing persons were last seen on a separate monitor or physically write them down. If not, they’ll get lost in tabs and you’ll lose time trying to find the report again.
💭 This category is what I call a “golden snitch” category. If you don’t know the Harry Potter reference, I’m not sorry. 🥸
Don’t spend too much time here unless you’re out of leads at the end. If you do find something, though, this will be incredibly valuable for law enforcement.
Advancing the timeline - 700 points
💭 This category is also a “golden snitch” category. Looking for flags in this category by doing manual analysis will likely take more time than it’s worth; however, there are methods that provide update metrics you can use to score big points if you’re lucky.
🏴 Using a tool like GHunt, Epieos, OSINT Industries, or Castrick Clues (take your pick), you can find the “last update” field when entering an email address that is associated with a Google account. If this last update date is far beyond the day last seen and the account doesn’t show signs of being a family account, this could potentially advance the timeline.
🏴 If you’re a paid user of any of the tools mentioned above for Google, you can also leverage the Chess module, which includes a “last_login_date” field that tells you when the account last logged in to the app. If this date is after the last seen date, you’ve advanced the timeline.
🥸 Shameless plug: I’ve also added this method to the paid version of The OSINT Newsletter in Issue #19 if you’re more interested in learning the method than just using it.
🏴 Similar to Chess and Google, Strava also provides an “updated at” data point that can be used to advance the timeline. Furthermore, an updated date might indicate a new Strava record which could lead you to approximate location. This method is available on Epieos, OSINT Industries, etc.
💭 I’ll be writing about this method in a future issue of The OSINT Newsletter where, similar to Chess, I show you step by step how you can recreate the method yourself without needing paid tools.
🏴 OSINT Industries recently launched a VSCO method that includes a “last update” field. This app is popular among younger generations and could prove useful when trying to advance the timeline. The method comes with other data points such as images and usernames for verification.
🗒️ Teams that place in the top 3 typically have 4000+ points. Grabbing a few 700 point flags can take you from top 100 to top 10 in a few minutes; however, big flags like these are subject to review and may be rejected later.
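The date checks from the “Day last seen” and “Advancing the timeline” sections, as an added example that is not from the newsletter or from any of the tools named. It converts each timestamp to the missing person’s local calendar day before comparing, so a UTC offset is not mistaken for activity on a later day. The record layout, the kind labels, the fixed UTC offset, and treating content more than 3 days after the day last seen as a candidate are assumptions; the sample records are constructed.

```python
from datetime import date, datetime, timedelta, timezone

WINDOW_DAYS = 3  # the ~3 day window the issue suggests around the day last seen


def local_day(ts_utc: str, utc_offset_hours: float) -> date:
    """Convert an ISO 8601 timestamp to the calendar day in the subject's zone."""
    ts = datetime.fromisoformat(ts_utc.replace("Z", "+00:00"))
    if ts.tzinfo is None:  # assumption: naive timestamps from tools are UTC
        ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone(timedelta(hours=utc_offset_hours))).date()


def classify(last_seen: date, ts_utc: str, utc_offset_hours: float, kind: str) -> str:
    """kind is 'account' (login/update fields) or 'content' (posts, photos)."""
    delta = (local_day(ts_utc, utc_offset_hours) - last_seen).days
    if delta < -WINDOW_DAYS:
        return "background"
    if delta <= 0:
        return "lead-up"            # within 3 days before, or the day itself
    if kind == "content" and delta <= WINDOW_DAYS:
        return "possibly-delayed"   # may only have reached the web late
    return "advance-candidate"      # still verify it is not a family-run account


# Constructed sample records; sources and timestamps are invented for illustration.
SAMPLE = [
    {"source": "google", "kind": "account", "ts": "2023-08-02T02:10:00Z"},
    {"source": "chess", "kind": "account", "ts": "2023-08-20T15:00:00Z"},
    {"source": "photo", "kind": "content", "ts": "2023-08-03T18:30:00Z"},
    {"source": "strava", "kind": "account", "ts": "2023-07-20T12:00:00"},
]


def triage(last_seen: date, records: list, utc_offset_hours: float) -> dict:
    """Map each record's source to its bucket relative to the day last seen."""
    return {r["source"]: classify(last_seen, r["ts"], utc_offset_hours, r["kind"])
            for r in records}


if __name__ == "__main__":
    for source, verdict in triage(date(2023, 8, 1), SAMPLE, -5).items():
        print(f"{source:8} {verdict}")
```

With a UTC-5 subject, the constructed Google timestamp falls on the evening of the day last seen; read as UTC it would look like a next-day update and a false timeline advance.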
Dark web - 1000 points
💭 Unless you have access to a premium tool that scans scraped Dark Web data, this is probably a long shot. Even if you have one of those, the likelihood that the URL that was scraped and stored is still valid is probably 0.
I don’t think a ‘real’ dark web flag has ever been accepted. In the early days, people often found breach data search engines that were on .onion URLs and submitted that as a Dark web flag. That’s no longer valid.
🗒️ Do a few searches in dark web search engines using first and last names, email addresses, phone numbers, etc. and if you don’t find any matches move on.
Location - 5000 points
💭 If you have a verified location of a missing person, there’s a good chance with the modern rule set that you will win the black badge. This is a very difficult task and most people will stumble into this knowledge; there isn’t really a set method for finding it.
💡 Reverse image search methods → escort websites is one possible option for this flag. Many escort sites have fake phone numbers and locations, though, so the flag may still be rejected.
💡 If you’re investigating a minor and can locate a divorced/separated parent and find convincing evidence that the minor is now with that parent, you might have a shot as well.
🗒️ In a CTF I did in 2021, my team and I were very close to confirming that a female minor was with her father and that father was in Alabama. Most of the evidence we had was circumstantial. That case was later solved and we were right, she was with her father in Alabama. While we didn’t get the flag, I hope any information we provided was helpful in solving this case.
✅ That’s all for this issue of The OSINT Newsletter. Thanks for reading and supporting this publication.
🏁 Remember OSINT != tools. Tools help you plan and collect data but the end result of that tool is not OSINT. You have to analyze, verify, receive feedback, refine, and produce a final, actionable product of value before it can be called intelligence.