We entered a team called BoomBoomLemon and finished 7th of 187 teams.

For context, the TraceLab CTF (or SearchParty as it’s also called) is a competition to find missing people using OSINT. You can learn more about what TraceLabs are all about by [visiting their website here].

Here are some reasons that I am pleased with this result:

  • It was the very first time we played
  • Two of the team members were not experienced in OSINT
  • The competition ran from 00h00 to 04h00 in our time zone (GMT+2)

I wanted to play the CTF essentially because I believe in ‘eating your own dogfood‘. I wanted to see if using Vortimo and OSINT-tool.com was going to be useful in a real world scenario. You can talk about something for so long and then you need to put your money where you mouth is. All analysts in our team would use Vortimo and have access to a fully loaded OSINT-tool.com. Well, almost fully loaded since some of the providers these days are just too expensive for small teams.

Team members were as follows:

  • Roelof Temmingh – that’s me.
  • Andrew MacPherson (@AndrewMohawk). You know him from the Maltego videos!
  • Nina – lawyer, no OSINT experience.
  • Jaime (@pacrat90) – engineer at @PhishFort

In the photo you can see that we were dressed really stylish, this is important too 😉 Andrew was remote (he is not a tiny man that lives in a black and white frame) and me, Nina and Jaime were in the same location. This helped too.

We prepared as well as we could – we watched many “Things I wish I knew about competing in the CTF” videos and read all of the documentation. If you want to do well in the competition you should do this too. This post tries to build on top of those. Don’t skip on the documentation / videos. It helped us a lot.

Before the competition I gave team members a few slides that I’ve made for the competition. I think it helped to create the right thinking / mindset. You can download it [here] but keep in mind that it was an internal memo. The explore vs farm theme was important for us.

Things we did that worked out well for us:

  1. We had one team member that only worked on submitting flags. This is not just an administrative job – it’s understanding the scoring system perfectly and submitting flags in the right (maximum points) categories and also “farming” the raw data from the analysts to see if it can be submitted as multiple flags. Our team member that worked with the judge was a ninja lawyer (her day job is deed transfers), this worked out really well for us.
  2. We did resource management – making sure we spend time on all cases. Each analyst took two cases and spent roughly 1.5h on each case. It left us with an hour at the end. In this time we could swap cases where analysts were stuck, go for maximum point flags, or dig deeper in the cases where we have not exhausted the ‘farmland’. These flags are ‘moon-shot’ kind of flags; the chances of getting them is small but if you do – you are almost certain of a overall win.
  3. We used Vortimo (duh!) and OSINT-tool.com. Using Vortimo helped a lot. There was a situation where a judge asked for clarification on a specific case about 2hours into the competition. I was already on the second case. Without Vortimo it would be have impossible to recall the exact path I took to get to the data. With Vortimo I loaded the case database, recalled all tagged images – found the image and the site it was found on and looked at previous visits to see how I got there. It also helped in the last hour when I was going back to the first case – even though you’ve seen the data two hours ago – it’s hard to do context switching on the fly. Having all the data right there was great.
  4. For OSINT-tool.com we had API keys for many of the providers. Having access to dump/leak data is very useful and I would recommend having some way to access that data. Having the links right there is also helpful – when you’re in a competition mode and the adrenalin is pumping you tend to get tunnel vision and having all the resources right there is … calming… in a way 😉 This is work you do before the competition because during it you’re in a different mind space. Having the ability to ‘kitchen sink’ an email address, phone number etc – e.g. running it against all the service providers in one go was VERY useful. Nobody has the time to log in everywhere and cross check during a competiton.

Things that we will do differently next round (if we play again):

  1. Have a better protocol / workflow / procedures that you can stick to. When you’re in the competition time runs at a different speed. You might think that 4h is a lot but it’s over in a wink. Having a set protocol helps you not to faff about like a headless chicken. As an example – in my second case I spend a lot of time trying to find aliases, social profiles, email addresses of the subject. In the end the better information was located on social media profiles of the subject’s friends and family. It might seem obvious now, but if I had a set procedure that said “Hunt for 20 minutes for aliases, email addresses, social profiles. If not found, move to family” it would be helped. Again, this is thinking you can do before the competition that you don’t need to do during the competition.
  2. Farm more, submit more. We left many 500 pointers on the floor because we were exploring too far and farming too little. I cannot stress this enough – you’re playing a game that requires two skills – being good at finding people and being good at playing the game. Of the top 10 teams we had the highest points per flag ratio. We submitted 59 flags at ~84 points per flag and the winning team submitted 121 (> twice more!) at ~61 points per flag. Did they have more than twice the information we had? Maybe more – but certainly not twice as much more. But they farmed better. They submitted more. They played the game better than us.

Things that’s important to remember:

  1. If you’re going to have one team member submit flags it is VERY important that the workflow between the analysts and the submitter is 100% friction free. We ended up using Trello with a combination of cards, columns and tags but you can use whatever you want. Just make sure the workflow is… working. You want to make sure that the analysts are not bogged down with submissions details while at the same time that the submitter has enough info to get through the submissions fast enough and not get overwhelmed.
  2. If you’re located in a time zone like ours you need to get sleep beforehand. I didn’t. I am not 25 years old anymore – and essentially skipping a night’s sleep and performing at your best is not that easy.
  3. Read the case notes. It’s probably the worst time to carefully read something because you’re rushing / tunnel-visioning. Next time I am printing mine out and putting it next to the keyboard.

Personally it was kind of scary for me to put myself out there again. As Andrew said afterwards “Thank f### we did not suck”.

Till next time,

Roelof