October 10, 2019
This past weekend, my local meetup group and I attended BSides Toronto. The main event, for us at least, was the Trace Labs OSINT CTF for missing persons.
OSINT CTF? WTF?
For the uninitiated, Trace Labs is an open source intelligence (OSINT) collective that aims to use OSINT to solve real world problems. Most of their events so far revolve around solving missing persons cases. These come in the form of capture the flag (CTF) events, where teams are given 8 subjects and compete to find the most/best info on whoever they can.
Unlike traditional CTFs where teams solve prepared challenges to get a single deterministic flag, the "flags" for these OSINT CTFs are pieces of information about the subjects. You submit your findings to a board of judges, who then assign varying point values based on the usefulness of the information.
If you read my last blog entry, you'll know that the running plan was to take the victory at BSides. Fortunately, all went according to plan and we actually won the CTF!
This was my 3rd time attending an IRL Trace Labs event. The team was myself, v01dwalk, Theodore, and 647ninja. At the last event, we didn't have 647ninja and came in 4th place, so he definitely gave us that push we needed to get to the top.
The 8 targets for this CTF were absolute ghosts when it came to online presence. Normally, I'm accustomed to a bit of social media presence from at least 1 or 2 of the subjects. This time around, the cases were very difficult. All of them were local Toronto/GTA cases, with some being as many as 4 years old and still unsolved. This meant we had to rethink our approach.
For the first 2-3 hours, very little was found by any of the teams. We began to doubt whether we would find any information at all. The search was extended from the targets themselves to family members and any identifiable friends. We found a couple hits, but almost everything we found wouldn't lead to other findings. The same seemed to be the case for other teams, with many of the scores hitting plateaus for several hours.
At one point, we looked at a YouTube video provided in the case information of one subject. We initially glossed over the video since it didn't provide any useful information, but after revisiting the video, we noticed something about the channel: the uploader was actually a friend of the target. This obviously led to us fuzzing through the entire channel's contents, and oh was there ever some information in there.
We found out that the target was a scrap metal thief who worked for a local "company" that sold scrap metal. Much to his own detriment, his friend recorded almost everything they did and put it up on YouTube. This included them stealing copper pipes, loading them onto trucks, and random other videos of them visiting places like coffee shops.
We pulled a license plate off the target's truck in one of the videos, which the police then used to get the address of its registered owner (did I mention the Toronto Police were involved in the CTF?). Interestingly enough, they actually sent a cruiser to the location during the CTF to see if they could find the suspect. No dice, but they said they'd let us know if/when they found him.
I'm glad we were able to help the cops get closer to finding someone. As frustrating as it was that most of the targets were unfindable, at least we can say we did something good. It's also pretty cool that the Toronto Police Cyber Division now knows who Microwave Gang is. Who knows... maybe we'll all be private investigators in a few years.
Also, if you want more information on Microwave Gang, check out our team page here.