OSINT Teamwork: How We Won The Trace Labs DEFCON29 Black Badge
Forming a team might be one of the most important aspects of participating in the Trace Labs OSINT Search Party event. A team that works seamlessly in tandem while also communicating openly is key to winning the Black Badge and providing the best intel for Law Enforcement. In this blog, Chase Matheson and I will reveal some of our secrets for planning a winning team, executing a great game-day strategy, and successfully submitting flags to avoid rejection. Due to the sensitive nature of the cases, and out of respect for the family and friends of the subjects in the event, we will not go into case specifics.
Choosing Team Members
A good strategy for choosing your team begins with the skillset of the players. Our team for DEFCON29 is a good example of leveraging OSINT expertise to cover all flag submission types. The Federal Bureau of OH SHINT (TFBOOS) is comprised of OSINT analysts @Sinwindie, Joe Gray (C_3PJoe), @Chase Matheson, and wondersmith_rae. Most of us had worked together previously and are aware of each other’s strengths and weaknesses. Choosing a team that works well together, plays off of each other’s strengths, and fills in the skill gaps of others will bring you one step closer to the black badge.
- Start scouting your team well ahead of the event date
- Choose a team that has varying skillsets
- Don’t discount new players; they might look at things from a new angle
- Choose committed players so you aren’t down a member on game day
Communication and Planning
It is good practice to gather your team together prior to the event in order to discuss a strategy. TFBOOS met on Zoom where we planned to use Slack as our main communication method during the game. In addition, we set up a Google Document so that when the game began we could drop in the subject names and begin filling in their personal details. Every second counts so the more administrative tasks you can plan ahead of time, the better. Maintaining constant communication in Slack facilitated feedback and brainstorming amongst us which led to some of our larger submissions including the flag that won us the Most Valuable OSINT Award.
- Meet ahead of the event to formulate a plan
- Pick a communication method (Discord, Teams, Slack, Zoom)
- Pick a method for keeping track of submissions (Coggle, Google Sheets)
- Check-in often and share findings with the team
- Ask for help from your team and switch subjects as needed
Discussing roles and expectations for your Trace Labs team ahead of time is paramount. Decide who will be submitting flags, talking to the judge, and any preferences for selecting subjects. In TFBOOS, 90% of the team had played and won the 2nd Place Silver Medal in the previous event, so we knew that Joe Gray (C_3PJoe) is excellent at working with the judge and finding high-point flags while Chase Matheson prepared to take on the MVO Award. @sinwindie is exceptional at people hunting, while wondersmith_rae likes to dive deep into social media profiles for the tiny details. The beauty of this team was the fluidity that we had moving between tasks and subjects. I believe this was due in part to having open discussions.
- Plan for who will be the main communicator with the judge
- Set clear expectations for tasks
- When the game opens, divvy up the subjects according to player skillsets (some players are better at finding U.S.-based subjects, some are better with teenagers, etc.)
Working with your judge
Being a judge is hard. If you have not judged a Trace Labs event I highly recommend giving it a try. Being on the other side of the game will give you insight into how the scoring and verification work. Many of the judges are brand new and managing more than one team throughout the game. Be patient when communicating with your assigned judge. Introduce your team, be polite even if frustrated, and remember you can always escalate an issue up to a senior judge.
- Be sure to introduce yourself to your judge
- Be kind, some judges are new and trying to understand the rules
- Don’t hesitate to escalate an issue to a senior judge for review
- Remember most judges are judging more than one team at a time
It’s always the small pieces that make the picture.
Flag submissions should be three things: fast, thorough, and relevant. Teams need to submit flags often in order to get enough points to rank high at the end of the game. My personal rule (wondersmith_rae) is to submit a flag every 10 minutes or move on to something else. Getting sucked into a rabbit hole can sometimes pay off, but more often it just wastes time. It is a better practice to have one team member dig deep on a subject while another submits the easy-to-find flags such as tattoos, hair color changes, family members, school, etc. Be thorough in your submissions and make sure to provide enough context for a judge to open the flag and determine its legitimacy in under a minute. Obviously, larger point flags like Day Last Seen require much more context to tell the story and possibly even a senior judge for verification. Finally, keep your submissions relevant! Submitting the subject’s ENTIRE family is not a good idea. Instead, submit close relatives, close friends, and people who have interacted with the subject recently and might know their location.
- When submitting flags, provide enough context that the judge is able to make a determination without working too hard
- Submit the small things (tattoos, ear piercings, hair color, necklace that is always worn)
- Have the person who communicates with the judge check the rejected flags often for any that may need a second review
- Many high-value dark web submissions come from breach data; be sure to pivot appropriately from emails and usernames
While working on one of the MP cases, we came across one of the MP’s multiple Facebook profiles and began going through the photos. We were specifically analyzing the last uploaded photos, looking for any possible recent activity or important clues. In one of the photos, the MP was standing inside a bathroom taking a selfie. While looking closely at the photo, we noticed very tiny wording on a soap dispenser, as well as a first-aid choking sign that spelled out the name of a restaurant. Since we already knew the last known location of the MP from the missing person’s report and which school they were attending from their Facebook, we were able to narrow down a location radius and found the exact restaurant where the MP took the selfie. This spot ended up being only a few miles away from where the MP was said to have disappeared. We knew that most restaurants often have surveillance cameras and that law enforcement could check this location for possible clues or potential witnesses. Chase then took all of our intelligence and created a detailed overview graphic in Photoshop that contained the enhanced sharpened text of the restaurant, the MP selfie, and a Google Maps overview of the connected locations. Once we had it all pieced together, we submitted it as Day Last Seen. Ultimately the flag was rejected because the photos were uploaded prior to the individual’s disappearance; however, it may still be of importance for Law Enforcement.
- Be sure your team is on the lookout for an intriguing story before the game starts
- Can you tell a story through flags or imagery that would be compelling?
- Example: A person takes a photo in a store; your team geolocates the building based on the signage in the background and the proximity to the subject’s work. Put this in a report and submit it.
- Don’t be afraid to spend extra time on a detailed overview of your submission explanation, especially for the information you may believe to be crucial. In this case, Chase spent nearly 30 minutes piecing together an explanation that consisted of a detailed overview and relevant imagery.
This is a capture the flag game but please never lose focus of the true purpose of Trace Labs Search Party — the reunification of missing people with their families. At the end of the day, the excitement of winning is second to the possibility of providing closure to the friends and family of those we investigate.
We hope some of these tips help your team win the next Black Badge! If you are looking for gameplay anecdotes from Chase Matheson and wondersmith_rae, check out the companion post “OSINT Methodology and Tradecraft: Tips for Winning The Trace Labs Black Badge”.
Written by wondersmith_rae and Chase Matheson