OSINT for Missing Persons (Part 1 – Intro)

Some time ago I participated in an event run by TraceLabs in conjunction with the Australian Federal Police to locate pieces of information on missing persons across Australia. The twist was that the event was gamified: competing teams tried to beat each other to amass the most points under a points award system.

I will now be competing in the Missing Persons CTF on the 11th of April 2020, and in the lead-up to this now-virtual CTF I will be building some more capable infrastructure and tooling to support the challenge.

So for new starters, what do you need as a bare minimum to start digging and submitting indicators?

What tools do you need?

  • A separate laptop or PC, or VM.
  • Your most comfortable browser
  • TOR software
  • Social Media accounts (preferably some fake ones)

My own complete setup will be a little more complex than the above, but for now, let’s walk through the basic requirements for a Windows 10 VM deployment.

For this exercise, I will be rolling a Windows 10 VM from scratch with no Live account associations, and from the outset it will be built with very few references back to myself.
I don’t want to taint the search results, for example with associations Google may make with my home IP address.

As a minimum I will be downloading and installing the following:

  • Chrome
  • TOR Proxy
  • I2P Proxy
  • Python3
  • OSForensics

I also highly recommend applying the latest system patches to mitigate the risk from anything you might download over the course of the CTF event.

Python is there to enable some other modules which you may find useful, including Sherlock and Recon-ng.

OSForensics is there for file analysis, including pulling metadata from files, and author information. This is useful if you come across files authored by your missing person.

Building Identities

Something we ran into on our last CTF was how some sites reacted to 4 people using the same social media accounts from 2 or more different connections.

What you will need to build a truly anonymised identity:

  • A name from a name generator
  • A profile picture (Thispersondoesnotexist.com is recommended)
  • A burner prepaid phone for validations
  • A working proxy, or even TOR
  • A password manager (KeePass is recommended)

Now that we have the basics, consider generating accounts for the following mainstream social media sites:

  • Google
  • Facebook
  • Twitter
  • Instagram
  • Flickr

Also consider creating another email account on Protonmail, because if you’re going to be delving into dark web resources, you might need another layer of insulation.

I’m not going to link to every marketplace and dark web social networking resource, but these can be very valuable when looking for identities who may have interacted on the dark web.

External APIs

There are many APIs which can be used to do some more programmatic searches for users and keywords.

Some which could be considered include:

  • Flickr
  • Twitter
  • Shodan
  • GreyNoise (conditions apply to free access)
  • Google (search and vision)
  • Have I Been Pwned

Now that we have some tools, API keys and access to some services, we need to establish how to use search engines effectively to find information without getting bogged down in missing persons data which is not applicable.

Google Dorking

You should already have an idea of how to Google, but let’s look at a few unique operators which might be useful, especially where potential aliases or middle names may obscure results.

AROUND(x)

Proximity search: finds pages containing two words or phrases within x words of each other.

For example: John AROUND(3) Smith

This will look for both John and Smith, but they must be within 3 words of each other. This is handy for improving search results and cutting out those where the two terms are too far apart to be useful.

Before:

This will restrict search results to content indexed before the nominated date.

For example: Before:2001-01-01 John Smith

This will look for all occurrences of John Smith where the content was created prior to 1st of January 2001.

After:

This will restrict search results to content created after the nominated date.

For example: After:2001-01-01 John Smith

This will look for all occurrences of the term where the content was created after 1st of January 2001.

The After operator is useful when pivoting from anecdotal reports and data in blog posts published after the last-seen date.
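The operators above combine naturally into a small query generator. This is an added example written for this post (not a tool from the original), assuming a subject with a first name, surname, optional middle names and aliases, and a last-seen date; it emits one AROUND(x) query per given-name variant, each bounded with after: (and optionally before:) so results stay close to the disappearance.

```python
from datetime import date, timedelta


def quote(term: str) -> str:
    """Quote multi-word terms so Google treats them as one phrase."""
    return f'"{term}"' if " " in term else term


def given_names(first, middles=(), aliases=()):
    """First name, each middle name and each alias, de-duplicated in order.
    Searching each separately avoids a middle name or alias hiding a match."""
    return list(dict.fromkeys(g for g in (first, *middles, *aliases) if g))


def around_queries(first, last, middles=(), aliases=(), distance=3):
    """One proximity query per given-name variant, e.g. John AROUND(3) Smith."""
    return [f"{quote(g)} AROUND({distance}) {quote(last)}"
            for g in given_names(first, middles, aliases)]


def date_bound(query, last_seen, window_days=None):
    """Restrict a query to content after the last-seen date; with window_days also
    add before: so the search is capped at last_seen + window_days."""
    parts = [f"after:{last_seen.isoformat()}"]
    if window_days is not None:
        end = last_seen + timedelta(days=window_days)
        parts.append(f"before:{end.isoformat()}")
    return " ".join(parts + [query])


def build_dorks(first, last, last_seen, middles=(), aliases=(),
                distance=3, window_days=None):
    """Full set of date-bounded proximity queries for one subject."""
    return [date_bound(q, last_seen, window_days)
            for q in around_queries(first, last, middles, aliases, distance)]


if __name__ == "__main__":
    # Constructed sample subject; the names and date are made up.
    for q in build_dorks("John", "Smith", date(2001, 1, 1),
                         middles=("Robert",), aliases=("Johnny",), window_days=30):
        print(q)
```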

The Investigative Process

I highly recommend going wide with finding indicator data for your subjects as early in the challenge as you can. The more data points you acquire which strengthen the identity as a whole, the better your pivots down the line when you really start digging.

Whilst not always useful, Facebook and Twitter are gold mines for finding family members and the missing person’s profile. Also be on the lookout for profile pictures, avatars and usernames; these may come in very handy for locating related data through search engines.

Any more?

Take breaks, stretch, and if you get stuck on one profile, change to another one. There is ample time, and more than enough candidates to go around and keep you busy.

I highly suggest submitting your entries as you find them too. I have often used submitted indicators as pivot points to further information.

Above all, have fun, and remember it is all for a good cause.

Adam.



Categories: OSINT
