What is the Trace Labs CTF?
Trace Labs organise regular OSINT Capture the Flag events, crowdsourcing data about missing people where law enforcement has requested the public’s assistance. Submitted clues are awarded a different number of points according to their value and the difficulty involved in finding them. The advantage is that by creating a larger community, there is more varied experience among the people researching, so data points which may have been missed by the top teams are still handed back to law enforcement. I managed to participate in the February 2021 CTF and the team ranked in the top 50 (out of 290!) despite all members being complete rookies.
Preparing for the CTF
In order to isolate the research from my machine, I went with the Tracelabs VM. I imported the nameFinder tool to streamline looking up additional sources for accounts (I would later discover one of its dependencies was not working as expected, meaning all hits had to be tested manually). I cloned the VM for the CTF and called it quits on the technical side.
For the team I found someone from a local hacker group who was interested in participating, a mate on the other side of the world, and then we found the 4th member on the Trace Labs Slack. I got some good last-minute prep feedback from other participants there; Heather’s feedback was particularly extensive.
During the CTF
The CTF platform allows you to see the active cases, how many flags you’ve submitted and any flags that have been rejected by the judge. Rejections will include comments from the judge explaining why it was rejected, which makes it easier to keep track and resubmit if necessary.
We used a group DM for team communications, and then added an additional group DM with our judge as soon as one was assigned to us. Our judge was particularly proactive in their communications with us, which was very useful in guiding our research.
After the CTF
Once the CTF platform closed, the flags were counted and validated and the top team and MVO awards were given out. After some celebration with the participants on the good work done that night, I promptly hit the hay, as it had been an intense (but highly rewarding) all-nighter.
Hindsight == 20/20?
In terms of personal preparation I think there is little more that I could have done between signing up and the contest, simply due to lack of experience in the field. Following this CTF I definitely feel more confident in exploring different routes and having a larger toolkit to pivot from existing data points.
As a team, Mon hit it on the head that having appropriate workflows in place is the way to get higher up the leaderboard. We went at it as 4 individuals, simply divvying up the cases, without sharing the data points. I’m certain we could have obtained many more flags had we used appropriate data sharing tools. The issue then becomes, of course, trusting the sharing service not to leak sensitive data. A solution I’d like to try before the next CTF is using Obsidian MD with Syncthing to share the notes across team members.