I have posted before on participating in other TraceLabs events (such as the Australian Federal Police Missing Persons Hackathon), so here goes a brief recounting of my experiences with a US missing persons event.
I had described earlier the bare minimum requirements to work through such a challenge. So I was prepared with software, seed accounts (email and federated identity providers), password management, and an identity to use for a sock puppet.
Today’s challenge unveiled 15 missing persons identities, the very large majority of which were minors, ranging in age from young teens to very early twenties.
Let me state this up front: these cases are not easy. As you dig through the elements of each identity you discover either that there is no digital footprint (which is annoying and sometimes concerning) or that there is an abundance of information (which needs to be analysed in context).
Establishing an online identity
Aside from the ideal goal of actually finding someone who is missing, the next best goal is to establish a primary identity for the missing person. That could be the discovery of an email address, a phone number or even a physical address.
Given that Facebook has a subscriber base covering a substantial percentage of the world population, my first port of call is usually to try to find the person’s profile.
There are issues with this approach, but the aim is to establish an identity quickly. Reasons why this might not work include:
- Person operates under an alias
- There are too many hits on the name, and not enough uniqueness to differentiate which account is theirs.
- Profiles are made private
- Profiles are deleted
The last two of these (made private or deleted), where applicable, change how you approach the investigation.
There are usually two reasons why an account would be made private, or deleted:
- Desire for privacy
- Desire to disappear
If there is a fair chance the missing person did have a Facebook account but it can’t be found, we can look at friends’ accounts and their posts from the period prior to the disappearance.
When a user deletes their account, or removes their associations from posts and images, the references still remain, though they become unlinked (an untagged name in a caption, a comment thread with a participant who no longer resolves to a profile). So in essence we are looking for the previous presence of an account through the absence of what was once there.
Of the 12 or so I could determine might have a Facebook account, I only successfully found 2 user accounts which belonged to the missing persons. And they were very definitely dormant and untouched since their dates of last sighting.
Unfortunately none of these accounts gave me an email address or phone number directly.
However, some accounts have aliases or usernames established for them. In one such case I established that the Facebook profile URL slug consisted of the missing person’s name concatenated and suffixed with a string of digits, “1234567890”.
The name in this case was unique enough that I could try to find secondary profiles on other sites using the same profile name.
If that username recurs on services unconnected to Facebook, then we have identified a handle the person reuses, and every further hit on it becomes a pivot point.
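The pivot described above (take the name plus digit suffix from one profile slug, generate the handle variants people typically reuse, and check search hits on other platforms against them) is shown below as an added example. It is not code from the original post. The name "Jane Doe", the slug, and the list of profile URLs are all constructed placeholders so the block runs offline; in practice the URL list would come from a search engine or a username-enumeration tool.

```python
import re
from urllib.parse import urlparse

# Constructed example slug, as in the post: name concatenated with a digit string.
# The name and digits are placeholders, not a real account.
FACEBOOK_SLUG = "janedoe1234567890"

# Constructed stand-in for username search results. None of these are real accounts.
SEARCH_RESULTS = [
    "https://ask.fm/janedoe1234567890",
    "https://www.instagram.com/jane.doe1234567890/",
    "https://twitter.com/janedoe",
    "https://www.pinterest.com/JaneDoe_1234567890/",
    "https://github.com/someoneelse",
]


def split_slug(slug):
    """Split a slug such as 'janedoe1234567890' into ('janedoe', '1234567890')."""
    m = re.fullmatch(r"([a-zA-Z][a-zA-Z._-]*?)[._-]?(\d*)", slug)
    if not m:
        raise ValueError(f"unexpected slug format: {slug}")
    return m.group(1).lower(), m.group(2)


def handle_variants(first, last, digits):
    """Handle spellings people commonly reuse across platforms, with and without the suffix."""
    first, last = first.lower(), last.lower()
    bases = {
        first + last, first + "." + last, first + "_" + last,
        first[0] + last, last + first,
    }
    variants = set(bases)
    if digits:
        for b in bases:
            variants.update({b + digits, b + "_" + digits, b + "." + digits})
    return variants


def handle_from_url(url):
    """First path component of a profile URL, lower-cased (platform-agnostic assumption)."""
    path = urlparse(url).path.strip("/")
    return path.split("/")[0].lower() if path else ""


def match_results(first, last, digits, urls):
    """Return (strong, weak) hits: strong carry the digit suffix, weak match the name only.

    A bare name match is only a lead (many people share a name); a name plus the same
    digit string on an unrelated service is a much stronger indicator of the same person.
    """
    variants = handle_variants(first, last, digits)
    strong, weak = [], []
    for url in urls:
        h = handle_from_url(url)
        if h not in variants:
            continue
        hit = (urlparse(url).netloc, h)
        if digits and h.endswith(digits):
            strong.append(hit)
        else:
            weak.append(hit)
    return strong, weak


def run_example():
    """Drive the pivot end to end on the constructed data."""
    base, digits = split_slug(FACEBOOK_SLUG)
    # The case file gives the real name; the slug confirms the digit suffix.
    strong, weak = match_results("Jane", "Doe", digits, SEARCH_RESULTS)
    return base, digits, strong, weak


if __name__ == "__main__":
    base, digits, strong, weak = run_example()
    print(f"base handle: {base}  suffix: {digits}")
    for netloc, h in strong:
        print(f"STRONG  {netloc:24s} {h}")
    for netloc, h in weak:
        print(f"weak    {netloc:24s} {h}")
```

The split between strong and weak hits is the point: a name-only handle on Twitter is a lead to verify, whereas the same name plus the same ten-digit suffix on ask.fm or Instagram is the kind of recurrence the post describes, and is what justifies spending the next twenty minutes on that platform.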
I describe secondary accounts as those which don’t really establish an identity, but are niche specialised to the platform they’ve signed up for.
In one case I came across an ask.fm account through a username search on Google. Unfortunately, this missing person used the platform quite a lot, and there were questions and answers in the hundreds to sift through.
After a good 20 minutes of chasing the comment threads, there were questions relating to phone numbers and Snapchat. So now I could record the Snapchat username and do some recon from an Android emulator to get some more data.
The phone number was added to my burner phone as a contact to see if WhatsApp, Kik or Viber would do its magic; unfortunately nothing came from this.
A quick lookup of the number on a reverse number search gave me a name (not the missing person), but did confirm the area code was the same as the missing person’s (the phone may have been registered by a family member or acquaintance).
These are potential indicators which could be submitted as Basic or, in some cases, Advanced submissions.
I intentionally did not dig too much into the Dark web, except for doing cursory searches on a handful of search engines for the usernames and aliases which were identified earlier.
Unfortunately this did not give me any results worthy of sharing, but some search results do require me to say this:
The Dark Web is a cesspool. Don’t start digging indiscriminately. I really, really recommend looking at what you’re searching for, and making a conscious decision about whether you should click on a link. Some search engines do a good job of filtering out illegal content, and others have more work to do in this department.
As with previous OSINT CTFs I enjoyed the challenge, but the demographic in this case made things very difficult in some cases to find data.
One surprising aspect however was the open availability of voter registration data which was open to search, and very transparent on personal information.
I was able to find the address of one missing person through the voter registration database – whereas in Australia, this type of information is not normally made available for public consumption.
Comparing this event to another where we participated in a team of 4, there is a very clear deficiency in attempting to run this challenge solo. When you are approaching 12-15 cases individually, you can spend an average of 30 minutes on each case. But what you are really trying to do is find a case where you can pivot really well to pull indicators from many sources.
30 minutes per missing person is really not a long time, and this is assuming you even find anything meaningful on that identity.
Working within a team however, as evidenced by the amazing efforts of the top two teams, the rate of submissions is far higher, and the large-point indicators are submitted more frequently than a single entrant could expect to manage.