Putting this out there as I am preparing for an OSINT CTF. I have not participated in something like this before, so I want to document my steps as I prepare so I can learn from the mistakes that I definitely will make.
The first thing that I need to do is scope the op. I understand that the CTF is put on by TraceLabs. I have been following these guys for a while and have wanted to get into OSINT, but I really do not have anyone to teach me how to do it, but once I saw the subject for this CTF, I couldn’t resist. Based on the hit TV show, Tiger King, TraceLabs has received a ton of op requests to help the law enforcement officials find out the truth about the cold case of Carole Baskin’s husband, Jack “Don” Lewis.
My first step was to set up a Slack workspace for our team to work in. This would allow us to communicate about the op. I also added a MIRO board with all the Slack integrations for collaboration. That handles communications; now we need to think about actual OSINT tools.
The first thing that comes up when you do a search for OSINT tools is the OSINT Framework. This is a really cool application that can point you in the right direction regarding different places where you can gain more knowledge.
What… no social media?
If the target was more recent, I would have relied a bit more on social media scraping tools, but Don went missing in 2002, and at that time, he was a bit too old to be on social media. In this case, I assume we will be relying on legal documents and possibly photo comparisons to find any evidence. Another resource I can rely on is Google Dorking, which is just manipulation of the Google search query to really drill down on the results that I want to see.
Lastly, I found a cool article on the OSINT steps, written by Petro Cherkasets, which will definitely come in handy Saturday when this all kicks off:
- Start with what you know (email, username, etc.)
- Define requirements (what you want to get)
- Gather the data
- Analyze collected data
- Pivot as needed using new gathered data
- Validate assumptions
- Generate report
Based on these steps, I think that we will at least be able to put some facts together. As scummy as some of these sites are, they will probably pay off when it comes to OSINT for this case: