⚠️ This guide is based on my own experience competing in Trace Labs OSINT CTF events, and does not replace or attempt to replace the official Trace Labs guide which you can find on the official Trace Labs website --> https://www.tracelabs.org
Trace Labs sources intelligence from the #OSINT and #Cyber community through Search Party CTFs and ongoing operations.
Analysts process the data and create actionable reports for law enforcement to act on, whether revisiting cold cases or locating missing persons.
More information --> https://www.tracelabs.org/
I have crafted this guide to streamline your participation in Trace Labs CTF events. It's designed to help competing teams understand precisely what they should and shouldn't submit, as well as shed light on the overall process.
By knowing what to submit, teams can work more efficiently, resulting in fewer flag rejections.
This not only ensures a smoother Trace Labs CTF experience but also lightens the load for the Trace Labs judges and the overall organization."
I've participated in five Trace Labs events, and I take each event very seriously. Among these, my teams achieved 2 silver badges coming in at 2nd Place 🥈, a gold badge (previously known as a Black Badge) for winning the event 🥇, and a sixth-place finish 6️⃣.
Unfortunately, 1 out of the 5 events I competed in led to our disqualification 🟥 due to a rookie teammate unknowingly breaking the rules with a passive recon technique which doesn't alert the target, but that is forbidden in Trace Labs rules.
It underscores the importance of:
-
Reading the Rules: Before participating, ensure you're familiar with the official rules.
The rules can be found here --> https://www.tracelabs.org/about/search-party-rules -
Joining the Trace Labs Discord Server: Engage and stay informed through the Trace Labs Discord server --> https://discord.com/invite/tracelabs
Remember, in team events, individual actions can impact everyone. Always be considerate of your teammates, take the time to read the rules.
Trace Labs judges are volunteers from the cyber community, always treat them with kindness and respect.
When you submit:
- Remember that your assigned judge knows just as much about the case as you do!
- The judge has not worked on the case and has no prior knowledge of it
- This means that when you submit, you need to explain the findings to your judge, how you found this information, how you can be sure of it, what proves it, how you came to this conclusion.
- Submitting poorly explained information, wrong information, or the same information many times will only lead to making the event less user-friendly for you and your team, it gives the judge a lot more work to do, it gives the Trace labs staff a lot more work to do, it will also make your team look bad, and the judge needs to trust you and your team and the information you are submitting.
- Do not ever speculate, it's not a time or place for a hunch.
- Dress your submissions! Simply submitting a link and naked information is pointless. Explain to your judge the findings and why your submission is useful to the investigation.
If you feel that a perfectly good and legitimate flag submitted by your team was rejected:
- Talk to your judge about it on the Trace Labs Discord server and open a ticket
- Send a mesage to the Trace Labs staff and they will look into it.
Information relating to friends of the Missing Person
What to do ✅ :
- Submit profiles of friends on social media who have interacted with the MP!
- Pertinent data linked to friends of the MP pertinent to the investigation.
- This can encompass notable interactions between "friends" and the MP, significant photos from friends' social media, remarks or posts from friends about the MP's disappearance, and more.
What not to do ❌:
- Do not submit information on all social media friends! the submissions need to include proven friends of the missing person, people the MP actually interacts with.
- Example: The missing person has 1200 facebook friends, it would be pointless to submit the 1200 facebook friends list.
- Remember that the event lasts for 4 hours, submitting good and correct information is vital, the event needs to run smoothly, don't waste the judge's time, the Trace Labs staff's time, and also your own time.
Information relating to the employer of the Missing Person or the previous employer
What to do ✅ :
- Name of current or previous employer and CEO
- Address of current or previous employer
- Website of the company, company number, contact details of the company.
- Known issues with the company (past problems of disappearances, a dangerous employment)
- Any important information about the job environment that can be found/seen online. (Example: Is there any proof of troubles at work? Arguments online with other members of staff or the Boss, posts that may mention difficult times at work, harrassment from members of staff or from people entering the business (the public). (Example: a Waitress that may say online that she feels afraid of a creepy customer that comes in every day and follows her in the street)
What not to do ❌:
- Do not submit the Linkedin profile of every single employee in the company
- No need to go too deep in the company unless you notice that the main issue is coming from the work environment
- If it's a big company with hundreds of employees nationwide, it would be pointless trying to submit emails of all company employees!
Basic Information about the Missing Person
What to do ✅ :
- Submit Aliases/Handles (Usernames)
- Photos which help the investigation, a photo may show habits or places the MP likes to go to (Photos with friends, family, at sport, work, any kind of photo that would help to know more about the missing person)
- Forum profiles and posts
- Social Network profiles and posts (only highly relevant posts)
- Dating sites
- Phone number
- email address
- Personal blogs or websites
- Home address
What not to do ❌:
- If the MP's username is
superman, you will find hundreds of profiles on various websites by using dedicated username enumeration tools, it would be pointless submitting them all, because there is a very high chance none or only a few profiles will really belong to the MP, so when you submit a profile with the same username, make sure you have proof it's indeed the profile of the MP, meaning there is a name on the profile, or some type of correlation, for example the same avatar is used. It's a case of using your brain and being logical here, obviously if it's a very unique username that no one else would use, you would know it's the MP. - Do not submit all the MP's posts, it has to be relevant and classed as Intelligence or important info.
- Do not submit poor information to "game the system", for example if the Missing Person has a very commom name such as Michael Smith and lives in the US, you will find thousands if not millions of people called Michael Smith, some people submit things just because they found the same name. Make sure to narrow down the search to --> State --> City --> and make sure that the age and dates of birth match so that your submission can be accurate.
Information & Intelligence regarding the Missing Person (MP) that goes deeper that just Basic Subject Information
What to do ✅ :
- Submit Unique physical identifiers (e.g. tattoos, scars, piercings)
⚠️ If any of these are mentioned in the press or a Police report, it's not a valid submission. - Medical issues/conditions. Can be physical or psychological. (Not mentioned in the press or Police reports), you may actually find family or friends talking about this on social media. Could even be a post such as "Well {The MP} changed a lot recently, he/she started really abusing drugs and was being and acting weird and having bad thoughts".
- Licence Plate, make and model of the MP's car (Not mentioned in the press or Police reports)
- Evidence of the Missing Person no longer missing (This could be a post by a family member saying the MP has been found or press or even the Police)
- Evidence of the Missing Person having passed away. (Press, family, Police records, Grave finder websites)
- Previous reports about the MP (Press and Police reports are accepted and this is the only instance in which Trace Labs judges and staff will accept a submission, the MP may have been mentioned years ago as having ran away and then found)
- Breached passwords: either Hash or clear text (If you can Dehash the PW, even better!)
- Information about the location the MP may have gone to,it can come from the MP, friends, family. (This could be for example a post in which the MP shows woods and says "I love to come here just to be alone and to think"), this kind of allows for speculation, because if you have proof on the exact location of the MP, go for the 5000 points flag!
What not to do ❌:
- Do not submit scars or tattoos or jewellery mentioned by the press of Police.
- Do not submit car information that has been mentioned by the press or Police.
- Don't submit anything already mentioned online.
⚠️ Don't try and get part of a password or part of an email or phone number by doing password resets, you will be immediately disqualified!
Information on the day the MP was last seen (Disappearance date)
What to do ✅ :
- Submit information about the subject's state of mind on the day last seen. (This could be a post by the MP stating he/she is tired of life, wants to disappear or leave the city, in a depressive state, angry, posts about having had an argument with someone, feels in danger or stressed to the max). The information could come from the MP or from family or friends.
- Submit information on the clothes the MP was wearing on the last day seen and general appearance. (Not mentioned in press or Police reports)
- Submit information on places the MP was seen at on the last day. (Not mentioned in press or Police reports)
- Submit any information on day last seen not mentioned in press or Police reports
What not to do ❌:
- Do not submit information seen in the press or in Police reports
- Do not submit unverified information
- Do not speculate
Information about the Missing Person's activity after the missing date
What to do ✅ :
- Submit photos of the MP taken after the missing date (confirmed with Exif or during a big event for example)
Remember that just because friends and family post many photos online after the missing date, it doesn't automatically classify them as photos taken after the missing date. - Activity from one of the MP's social media accounts or profiles after the missing date
- A new account or email creation after the missing date
- Submit new addresses found since the disappearance
- Video, CCTV, Webcam footage
- Any location the MP was at from the date missing up until present (CTF day). This information could be found on new photos by using Geoint techniques, by checking the Exif on a photo, or from posts by the MP.
What not to do ❌:
- Do not submit information seen in the press or in Police reports
- Do not submit unverified information
- Do not speculate
- Do not submit photos posted online that were taken before the missing date.
- If you find an email tied to a Google account, and you run a search with Ghunt, you will get date and time the Google account was updated, you can't submit this as advancing the timeline because:
1/ This method is not reliable, Google forces all accounts to accept Terms and Conditions even if the email is not active, so that would show as update date and time.
2/ Someone else could be accessing the email and making changes after the disappearance, many families share the same email and the same computer, many people also leave passwords in their browsers to save time during login.
The Google API method therefore can't be accepted by Trace Labs
Information about the Missing Person from the Dark Web
🚨
What to do ✅ :
- Submit Dark Web pages or sites created by the Missing Person.
- Submit photos of the Missing Person found on all types of sites, including human trafficking sites.
- Submit activity by the Missing Person (MP) such as purchased goods, reviews, or posts on Dark Web forums.
- Submit activity of the MP, like selling goods or services on the Dark Web.
- Submit leaked passwords or emails.
⚠️ However, note that even if this information is exclusive to the Dark Web and not on the clear web, the Trace Labs staff classify this underAdvanced Subject Information(100 points). So, you won't receive 1000 points for submitting pastebins or leaks from the Dark Web.
What not to do ❌:
- Avoid submitting .onion links from clear web mirrors, such as Facebook, the CIA, or New York Times.
- Do not provide inaccurate information.
- Refrain from speculating.
- Don't spend excessive time on the Dark Web. Remember, the Trace Labs events last only 4 hours. Since the Dark Web's primary purpose is to stay hidden, chances of locating the target there are slim. Often, the best strategy is to find clues or links on the clear web, such as the subject mentioning their site or services on the Dark Web. Be cautious with Dark Web search engines. They often miss information and can be unreliable.
Information about the current location of the Missing Person
What to do ✅ :
- Submit the current location. "Current" refers to the location the MP is or was at within the last 24 hours.
- "Current location" requires an exact address, not a vague or assumed location.
What not to do ❌:
- Do not submit police reports or press updates stating the person was found. This is considered Advanced Subject Information (100 points).
- Avoid speculating.Don't submit general locations; precision is key (e.g., house, apartment, hotel, motel).
- Simply providing a link or GPS coordinates is insufficient for 5000 points. Accompany your submission with a detailed report explaining how you sourced the intelligence and how you verified the subject was at that precise location in the last 24 hours.