Angie McKeown

              I'm only me, but I'm very good at it


OSINT: Threat Hunting vs Missing Persons

[TW: suicide]

I’m still new to this OSINT game, and this week I learned just how new. I was very excited to join in on my first ever OSINT CTF (Capture the Flag competition), to try and improve my skill set. Even more than that, the aim was to find eight international missing persons (legitimately posted by various local law enforcement agencies), so it was a really good cause. The amassed information is then forwarded to law enforcement after the event so that it can be properly verified and followed up by professionals.

I’ve done a bit of OSINT before; played around with a few tools, hunted a few unwitting people from news articles who were up to no good, or who had tried to send me malware. I hadn’t always got very far, necessarily, but I have a vague idea of techniques and tools I can try, places I can look.

The thing is, when it’s people who are sending out malware or are causing trouble online, one thing about them seems to be true, which didn’t occur to me before: they live online. They are trying to hide their trail, sure, but if you can find them they do tend to have accounts on GitHub or StackOverflow, Reddit or Twitter or Tumblr, or various dark web forums and marketplaces and bitcoin wallets and the like. You can, if you can manage it, follow some kind of trail.

Missing Persons, though. Well, it depends on why they are missing. I was not prepared.

They might be online, but it isn’t necessarily the same. Maybe they live on Instagram and WinkyBingo and MoneySavingExpert, but don’t really post much. Maybe they are on forums you’ve never heard of. You aren’t often tracking them through their technical connections, you’re tracking them through their friends. And sometimes their friends are crying out for them being missing, and it’s heartbreaking, fair enough. But then there are the odd ones where you know the person is missing, but you can see that the friends and maybe even the family don’t really seem to have posted about it, and you wonder what’s happened there, and is your subject actually disowned and all alone? Do they have 500+ friends they are close to, or have they just added everyone that ever requested it? How many friend connections do you add to your investigation? (I mean, the answer is all of them if you’re using an investigation management tool like Maltego, but narrowing your focus is always the issue.)

And then there are the ones where you can see that their social media is less and less active, and you are left wondering if they just became very privacy conscious or if they became very withdrawn. Have their friends noticed? And you realise that the search for them may not end well.

Which leads me back to the CTF. My very first ‘flag’ for my very first Missing Person turned out to be the ‘last known location’ of my subject, who had been declared a suicide. I always knew this was a possibility. I guess I wasn’t prepared for it being so early in the proceedings. (As an aside, I am sure this was not the case when the team selected the Missing Person; it was just an unfortunate development before the CTF started.) I struggled for the next few hours, as subsequent points for ‘flags’ for info on their friends and family and other basic info just felt ghoulish, but I still tried to get more info on what might have happened in the lead-up to the event. I eventually moved on to other missing persons in the list, realising I could maybe still be useful there. It would be fair to say I finished the event feeling like I hadn’t accomplished anything useful for those people. But I think objectively I have to acknowledge that the thoughts in this post prove it at least taught me something.

I don’t regret doing the CTF, and I am actively doing more Missing Persons work.

But it is useful to understand the difference in what you are likely to encounter. Missing Persons work is a different style of searching than what I was used to, and (while I’m no psychologist and not even that experienced at OSINT yet) I can see how you can get a feeling from the social media about what kind of a case it could turn out to be. Understanding whether your Missing Person might be a potential suicide or a potential kidnap victim seems important (recording, connecting and verifying everything should still be the aim). Important for your investigation, but also for the way you prepare your own mind.

