Trace Labs is a nonprofit organization established in 2015 with the mission to be “a catalyst for improving the state of missing persons location and family reunification.” The organization created the Search Party platform to crowdsource OSINT and empower the global community to use their cyber skills for good.
In this blog post, I’ll share my experience participating in the Search Party CTF, focusing on the event’s format, recommended tools, and effective tactics and strategies. Read on to see how I approached the challenge.
Introduction to the Trace Labs Search Party CTF
The Trace Labs Search Party is a four-hour Capture the Flag (CTF) event where participants compete to gather open-source intelligence (OSINT) on real missing persons cases. This initiative was created to support law enforcement around the world by bringing hundreds of fresh sets of eyes to each case. The collected intelligence is reviewed and then passed on to law enforcement, who can take appropriate action based on the findings. To get started, visit the Trace Labs website and join their Discord community.
How the Challenge is Structured
Search Party stands out from other CTFs because participants are not expected to find a specific set of predetermined answers. Instead, organizers define categories of information that contribute varying point values based on their relevance and usefulness to the investigation. For example, a submission like “Social media profiles of friends shown to interact with the missing person (MP)” may earn 10 points, while “Relevant information pertaining to the current location of the subject” can earn up to 5,000 points.
At the start of the event, participants are provided with an advisory page issued by local law enforcement. This typically includes details such as the MP’s name, general location, photo, physical description, the clothing they were last seen wearing, and the circumstances surrounding their disappearance. Participants then have four hours to submit as much relevant and verifiable information as possible.
Essential Tools for OSINT Investigations
Below are some tools that can be used during this CTF. While the paid versions offer advanced capabilities, all of them also provide a free version or community edition suitable for OSINT investigations. Please note that this is not an endorsement of any specific tool; this list is provided for informational purposes only.
Corporate Data
To better understand an MP’s whereabouts, it’s important to consider their corporate footprint: did they register a company, and if so, where? While this approach is not as frequently applicable as strategies like searching for social media accounts tied to the MP, it can provide valuable information. For example, it may reveal connections to other entrepreneurs or lead to business addresses that could aid in the investigation. Here are two tools you can use:
- North Data: It allows you to look up company ownership structures or search for a person’s name in the corporate registries of European countries. You can access the data through their website or query it directly on Maltego Graph, which presents the results in an easily understandable graph.
- OpenCorporates: This tool operates similarly to North Data but covers a broader range of jurisdictions. It includes over 160 million companies across 130 jurisdictions, such as the US, UK, Switzerland, Panama, and more, all brought together into a standardized global schema. You can also query the data directly on Maltego Graph.
Facial Recognition
Missing person advisory pages almost always include a picture of the missing person, for obvious reasons. A natural way to take advantage of this is to perform a reverse image search. However, this is likely to return results related to the person’s disappearance rather than personal profiles. To go beyond simply identifying where the picture was posted before the person went missing, we can use facial recognition technology. Below are two tools you can incorporate into the investigation:
- PimEyes: This website allows you to upload multiple pictures of the MP to search for other instances of their images online. However, please note that the free version will only provide links to the websites where the pictures were posted, not the exact URLs.
- FaceCheck.ID: This tool is straightforward and user-friendly. You can upload a photo of the MP, and it will suggest other images of the same face found online. Like PimEyes, the free version has limitations. It only provides links to the websites where the images appear, but not the specific URLs.
Social Media Profile Discovery
Social media profiles are often a treasure trove of insights into the life, relationships, and habits of the MP. But how do we find them? The tools below can help you discover social media accounts using a phone number, email address, or username.
- Epieos: The free version allows you to check if an email address or phone number is associated with an account on a platform, but it won’t reveal the specific account details. If you’re a Maltego Professional or Organization user, you get the full platform experience and access to all Maltego Data Pass modules, including Person of Interest, which features Epieos and other trusted and secure data sources.
- Sherlock and Holehe: Both are command-line tools that require installation, but they are highly efficient. Sherlock is designed to find accounts linked to a given username, while Holehe focuses on discovering accounts tied to an email address.
Maltego Graph
Maltego Graph is our flagship product, an all-in-one OSINT and investigation platform that the brand is best known for. It brings all intelligence into one place with advanced link analysis capabilities.
While I wear the hat of a SME at Maltego, I can confidently say that Maltego Graph is instrumental in uncovering the full story and the surrounding context of a person of interest. But it doesn’t stop there. You start with a single piece of information, such as an email address, name, alias, or social media account, and seamlessly pivot and scale your investigation to gain a comprehensive understanding of one’s online presence.
This is made possible through the flexible use of data credits, which provide access to high-quality, reliable data sources included in your plan (as mentioned above in the social media profile discovery section).
Note: We have a very exciting product release coming soon: a powerful browser-based tool designed specifically for optimized workflows and intuitive navigation in person-of-interest investigations. Stay tuned!
Breaking Down the Challenge
Let’s walk through a real challenge to demonstrate how I approached it. The starting point was an MP case reported shortly before the CTF. We were provided with a physical description, a photo, and a list of the clothes and personal items the MP had at the time of their disappearance.
Disclaimer: To respect data privacy, I will not disclose any specific details or personally identifiable information (PII) related to the MP. The purpose of this section is to illustrate the tactics and investigative methods I used, not to reveal private data of the MP.
Three other participants and I (a group of four) began the investigation by Googling the MP’s name. This initial search led to two notable findings: a private Instagram account and a Facebook profile. The Facebook account contained recent photos of the MP, as well as the names of their spouse and child. It also revealed the MP’s surname at birth, which could be helpful for further investigation.
Continuing the search, we looked into the spouse’s name and found documents related to a 2015 court case from a neighboring country involving a sexual assault charge. However, after verifying the details, we confirmed that the photo of the person convicted did not match that of the spouse, ruling out a connection.
Returning to the Facebook account, we used Maltego Graph to gather additional data. Starting with a Person Entity, we ran the [POI] Search Profiles (Facebook) Transform to locate the MP’s profile. We then applied [POI] Get Posts (Facebook) to collect their posts and [POI] Get Friends (Facebook) to obtain a list of their connections. Searching for the MP’s last name within this friend list helped quickly identify potential relatives.
After collecting nearly 1,500 posts, we performed a keyword search to identify content that might offer clues about the MP’s disappearance or provide insight into their personal situation. This analysis surfaced several posts from the early 2010s in which the MP discussed mental health struggles, offering important context to the investigation.
To supplement our investigation, we searched for the MP’s name in breached data. Starting from a person Entity in Maltego, we ran the Transform [POI] Leaked Records Search (person). Luckily, the MP’s name was distinctive enough that all the search results matched known details about the MP. Both contained the same Gmail address.
To confirm that this Gmail address belonged to the MP, we ran the [POI] Search Profiles Transform to look for associated accounts. This expanded our graph with accounts from various platforms, including Bible.com, Tumblr, and EA Games, giving us a broader view of the MP’s digital presence. Some of these profiles included valuable details such as date of birth and additional photos of the MP and their spouse. The results also revealed partial phone numbers and secondary email addresses tied to these accounts. A particularly notable finding was a Google account that had its last recorded activity just four days before the MP went missing.
Repeating the same process using the MP’s surname at birth yielded 18 breached records containing that name. The next step was to distinguish the records that truly belonged to the MP from others with identical names. To do this, we used the date of birth retrieved earlier from accounts tied to the MP’s email address to filter out unrelated Entities. This left us with 8 breached records, though they didn’t contain enough information to definitively confirm or dismiss a connection to the MP.
The most efficient way to assess their relevance was to link the data from these records to known social media accounts and compare the results with what we already knew about the MP. From the remaining breached record entities, we ran the Transform [POI] Extract ALL Personally Identifiable Information. This yielded 6 email addresses. We then used [POI] Search Profiles to investigate those addresses. One of them returned a Myspace account listing a city that matched the MP’s known location.
Assuming this email address belonged to the MP, we pivoted on it and searched for it in breach data using [POI] Leaked Records Search (email). This uncovered additional records, including a Myspace account with the MP’s spouse listed as a friend, strengthening the likelihood that the email address was accurate. We also found a LiveJournal account containing several public diary entries from the mid-2000s. These records revealed four new aliases and three unhashed passwords, which could be used to continue the investigation.
Key Takeaways from the Trace Labs Search Party CTF
While this was by no means an exhaustive investigation into the MP’s whereabouts, the time-limited nature of the CTF eventually forced us to move to another case. Nevertheless, the process demonstrated just how powerful OSINT can be in uncovering relevant information rapidly and ethically. And with the right tools and intelligence, such as Maltego at hand, investigators have the depth, breadth, and speed needed to confidently navigate the digital investigation.
Participating in the Trace Labs Search Party was both rewarding and eye-opening. It sharpened my investigative skills, reminded me of the investigative analytical mind, and highlighted how even small digital clues can lead to meaningful insights. The experience also emphasized the importance of collaboration, with teammates sharing findings and working in parallel to piece together complex puzzles.
I hope this blog post has sparked some ideas, introduced you to new tools and strategies, and maybe even inspired you to participate in a future Search Party CTF event. Whether you’re just getting started with OSINT or looking to enhance your skills, a CTF like the one from Trace Labs provides a unique opportunity to apply your knowledge in a way that truly makes an impact. #OSINTForGood
About the Author
Mathieu Gaucheler
Mathieu is a Senior Subject Matter Expert at Maltego, where he helps customers realize the platform’s full capabilities in support of their investigative missions. He specializes in designing investigative workflows and delivering hands-on training focused on OSINT and effective use of the Maltego platform. Since joining Maltego in 2021, following his work at a Cyber Threat Intelligence startup in Barcelona, Mathieu has been dedicated to enabling organizations to operationalize open-source intelligence. His core expertise spans SOCMINT, GEOINT, and internet infrastructure investigations.