OSINT Investigation Techniques for Missing Person Cases (Trace Labs)
Hi I am Alexis Lingad:
- CRTO, OSWP, eCCPT, PenTest+, eWPT, eCDFP, CEH, CySA+
- Philippine Hacker Games Champion 2015 and 2017
- Former Founder of Cryptors Cyber Security
- Author of the book Cyber Defender: The Power of Hacking
- Creator of Hackuna-AntiHack (1 million+ installs)
- Currently #1 Hacker in HackTheBox Philippines (As of January 2023)
- Top 8 in Trace Labs Global CTF (Last October 2022)
The Struggle
Before my team landed in one of the teams in the top 10 in Trace Labs Global CTF last October 2022 and became slightly confident, we struggled a lot. We don’t know what to study and practice specifically to effectively investigate missing person cases. The feeling of, “we already finished different OSINT books and training courses but it feels like we’re still not ready yet”. I even apply OSINT in my day-to-day job as Security Analyst / Ethical Hacker but we realized that applying it for investigating missing person is a different beast to tame.
The Strategy
As a solution, we came up of a strategy of joining a lot of other OSINT CTFs and doing OSINT investigation regularly in real life missing persons in some news online, in subreddit r/MissingPersons and many more. We set the real life investigation like a real Trace Lab CTF and make sure that it is purely passive, no hacking involved. At first, we do it one person for 1 hour. Then, we do it two person for 2 hours. Then few weeks before the CTF, we do it four person for 4 hours. We did this, again and again, consistently.
From those never ending practice, we saw a lot of our weaknesses and strengths. We were able to formulate a methodology that can be helpful for beginners to get started with their investigation without being stuck for too long. We also realized the power of analysis and observing the details to create a more meaningful findings. We also apply the following strategy for every findings; Identify, Verify and Amplify:
- Identify: Observe the macro and micro details in a given data
- Verify: Think of several ways to validate the authenticity of the data
- Amplify: Analyze and expand the relevance of the data
We can say that the best teacher is experience since we’ve learned more a lot of things in real life investigation than when we are just watching or reading about it. After getting the top 8 in Trace Labs, this hard work and dedication to learn OSINT on a deeper level was noticed by some big players in the industry. Maltego and Social Links supported us on our journey and they sponsored us also a professional license for the upcoming competitions which makes us more motivated. Social Links Pro tool helped us a lot to save time in the competition and focus on much more advance investigation.
The Tools and Techniques
Before I give out some of the basic things we’re doing here, always remember that “automated tools” are just subordinates. There will still be a lot of things that you can discover in manual analysis that an automated tool can miss out. Another thing, what I will discuss here is not the standards but just what we usually do for the basics.
- You will be given a real name of the missing person, so first thing we can do is to Google the name, and then fine tune it with some Google Dorking techniques like this to get some social media results:
“alexis lingad” site:reddit.com OR site:facebook.com OR site:twitter.com OR site:linkedin.com OR site:instagram.com OR site:tiktok.com
You can tweak it a lot more than this. You can even tweak this to get some file results regarding the target:
allintext:”alexis lingad” filetype:pptx OR filetype:ppt OR filetype:doc OR filetype:docx OR filetype:pdf OR filetype:xls OR filetype:xlsx
So again, up to you. There are still a lot of things you can do about this and here are some of it: https://www.exploit-db.com/google-hacking-database .
If you found an alias or username along the way, it is worth to try this technique too for that by changing the real name to it. Believe me, you’ll find a lot of good stuffs! - Sometimes, the real name cannot be seen on the surface internet but on the deep web where it is not indexed in a search engine. There may be times that it is within the Google results but it is too crowded for you to see that info. The following sites can help you:
- InstantCheckmate : This is for US-based people and so far the most powerful people search I’ve ever seen even on its free version. However, some of the data given here still needs cross-checking since some of them might be false positive. For example, if you see a criminal record, you can double check it with sites that give public details of court records like judyrecords .
- Webmii : This is an alternative in case your target is not from US and still a pretty decent tool since the result is clickable and will redirect you to the main source that can help you for cross-checking faster than finding an alternative public record.
There’s a lot more people search engine out there so feel free to explore what works for you. - We can think of the worst case scenario that the missing person might be dead already. So the goal here is to find any records of unidentified dead body that match the physical characteristic of our missing person.
At first, I thought this would be very useless tactic. Until, we legitimately tracked a person in our practice session using this technique! We use this site that time and start inputting the details of our missing person: https://www.namus.gov/UnidentifiedPersons/Search
Of course, it is not that easy. We need to analyze and run some scenario like the missing person might be losing weight and if she lose weight, why? And then, we must validate it with other supporting data and then input an estimation on the tool. We also need to analyze the timeline and other unique scenario for our missing person. See? The tool will be useless if we just input and not analyze things here. - We can also use DeHashed to see some e-mails related to the real name that we’ve got. Of course, we need to verify first if the e-mail is really from the missing person that we have since most of the time, it will be just a different person with the same real name. In order to verify if the email is from this person, we can use Epieos to check if the profile picture used in the email and other online accounts related to that email matched the face of our missing person. However, in Trace Labs, submitting the Epieos screenshots is not valid. In this case, we need to do it manually, but at least, we now know when to do the manual and not do the manual in every results. The flow is Epieos just helped us to save our time and do the manual method on the real email of the missing person for submission in Trace Labs.
One way we can do the manual validation for Google E-mail is by opening a Google Sheet, then pasting the email there and hover it to see the profile picture of that e-mail:
Once we got usernames/alias, emails or phone numbers, there will be a lot of other manual methodologies that we can use but I will save it for the next post since this is getting longer haha.
Social Links Pro inside a Maltego Pro is a very powerful tool to automate the finding of related accounts for username, emails and phone numbers. After running the transforms for it, it is just a matter of time to manually validate each and submit it. Warning, we only use transform for username, email and phone number since if you do it in a real name, it will bombard your graphs with hundreds of false positives which is not good. This tool helped us save time and let our team focus on analyzing much bigger things to help solve the case:
The Failure
We joined the Trace Lab competition again last February 2023 but we just ended in the top 43 instead of the previous top 8 since the judge that we had rejected most of our findings and it took us several hours to defend and explain a simple finding and get a score since our judge is new to OSINT. We got “very unlucky” as a senior judge described it and they say that it is normal to encounter something like that in Trace Labs competition. However, we also saw some faults in our team’s side.
We are too fixated in getting points!
We forgot the essence of the competition, which is to help law enforcement to find these missing persons. As one of the organizers said, ranking has little impact on getting the biggest prize for the competition which is the MVO (Most Valuable OSINT) since they want to emphasize that the goal is to produce quality findings instead of quantity for points. I am not saying that our submission does not have quality, we have several advance info and some info regarding the online activity of the missing person after the missing date which indicates that the missing person is still alive. However, I am very sure that we can still push ourselves to create a much more valuable intel than that if we shift our mind on producing a high quality submission instead of wasting most of our time on submitting basic info findings that I am really sure that the other player will submit already.
The Continuation
I was fortunate to be surrounded by people that motivates and inspires me on this OSINT journey of mine starting from my teammates, the Trace Labs community, and the people from Social Links. I am currently planning to write my next blog after this for username, email and phone number OSINT since what I just tackled here is for Real Names. Then afterwards, I might dig deeper on the analysis part which I think is the best part of any investigation. I am not an expert though. The main goal of this blog is to help the other people who is struggling to start or they already started but don’t know how to apply it in real world.
I know this is not the best write up or tutorial you can find out there but I hope this motivated you to strive even more in your own OSINT journey! :)
Wanted to Learn More?
Train here: https://referral.hackthebox.com/mzw8Olf