Real World CTF: The Search for Missing Persons

Fri, Jul 31, 2020 5-minute read

Last month I stumbled upon Trace Labs, a nonprofit organization focused on using open source intelligence (OSINT) to find missing persons. The concept of Trace Labs was so obvious to me that I was surprised I hadn’t heard about it sooner. After all, it makes perfect sense that those in the security world can provide invaluable research for law enforcement agencies that often lack the bandwidth to spend multiple days on each missing persons case.Trace Labs CTFs provide hundreds of hours of free manpower from all over the world and all levels of expertise to research open source leads on missing persons. At the end of each CTF the compiled research is then packaged up and sent to local law enforcement.Outside of CTFs, Trace Labs also offers open source intelligence (OSINT) training to law enforcement agencies and search & rescue teams. They also have a Missing Persons Awareness initiative that “teaches communities the risk of not acting quickly on missing persons.”

The OSINT Capture the Flag (CTF) spanned six hours on a Saturday afternoon. All teams were provided with eight provided missing person cases, six of which were located in the United States and the other two in Austria and Australia. Each case contains brief details such as a link to the missing persons bulletin and basic information on where and when they were last sighted. Scoring is based on categories of information from least valuable (names of friends, 10 points) to most valuable (current subject location, 5000 points).

Examples of relevant information are:

  • Friends (10 points)
  • Employment (15 points)
  • Family (20 points)
  • Subject’s Home (25 points)
  • Basic Subject Information, such as Birth Date, Emails, Pictures, Social Media, Dating Profiles, etc. (50 points)
  • Advanced Subject Information, such as Vehicle, Medical Issues, Dangerous Habits, Cell Phone Carrier, IP Address (150 points)
  • Day Last Seen (500 points)
  • Darkweb (1000 points)
  • Current Location of Subject (5000 points)

Once you’ve obtained a piece of intelligence in one of the above categories, you submit it via their online platform where it then goes to a volunteer judge for review. If the judge deems it as accurate intelligence, your team is awarded points. By having this point system, Trace Labs maintains the traditional competitive atmosphere–appealing to people used to standard CTFs and hackathons–while upholding a sense of purpose for less competitive attendees who care more about making an impact than acquiring points. This latter bucket of attendees is where I fall, which is why I had such an appreciation for this CTF compared to others I’ve participated in. This was the first CTF I’ve found where participants could choose the source of motivation that best suits them, and for myself the only motivation I needed was the idea of potentially helping a family reunite with a loved one.

While the aforementioned sense of purpose was a fantastic motivator, it also brought with it an emotional weight that is unique to Trace Labs CTFs. During the CTF orientation, Trace Labs spent a significant amount of time talking about the emotionally taxing nature of this sort of research. Being a first time participant, I didn’t fully understand this until after the CTF was complete.

I started my research by finding basic information like their social media profile, the profiles of friends and family members, and where they worked before they went missing. Then, I dug deeper. I learned about their hobbies, what they wanted for Christmas, and which family members they were closest to. I learned about how many kids they had, how their family has been searching for them for months, and how they weren’t the kind of person to just up and leave. I dove deep into cases about girls who were in high school when they disappeared. I read their social media posts that felt eerily similar to what I or my friends would post when we were in high school. You can’t help but wonder if the person you’re trying to find is in danger at this moment or worse. At the end of the day once the CTF ends, those missing people are still missing and it’s difficult to find resolution after spending hours becoming intimate with their entire digital footprint. I feel it’s important to highlight this portion of my experience not to deter people from participating, but to bring awareness to the emotional toll this sort of CTF can cause so new participants aren’t taken unaware.

Security is often a field that feels distanced from real people. We research and build and test code that should protect people but how often do we interact with individual end users, especially when those end users are customers all over the world? I love that in the security field I am able to utilize my skills to help others, but I hope as security researchers we become known not only for our technical ability but our ability to also be empathetic humans. In the Trace Labs CTF, I was presented with 8 names of people who were missing and I was challenged to use my skills to find them. It was incredibly humbling and scary, and it was a stark reminder of the real-world applications of being a security researcher.

The Trace Labs CTF was one of the most unique experiences I’ve had the pleasure to participate in, and for those of you reading this I highly recommend trying it out for yourself. The cost of a ticket is only $20 USD and 100% of it goes directly towards helping law enforcement agencies track down missing persons. No matter how experienced or technical you are, I promise it will be a fulfilling experience.