Using OSINT to reunite families in the 2020 Missing Persons Hackathon

On Thursday, 29 October, a small team from NCC Group APAC joined over 100 other teams to take part in the 2020 National Missing Persons Hackathon. This was a 6 hour event where teams were tasked with discovering information about actual missing person’s cases where the authorities have run out of leads.

The Hackathon is run by Trace Labs, a non-profit organisation whose mission is to reunite missing persons with their families while training members in Open Source Intelligence (OSINT).

The NCC Group team was led by Richard Appleby, and this is his account of the day.

We were provided with 12 missing persons’ details, including name, physical description and sometimes email addresses or usernames. Points were awarded for the information we could discover, with increasing points for details about friends, family, PII, details from the last day they were seen, information on the dark web or their location.

The event started, and we all picked a missing person to see what we could discover about them. We quickly discovered two things. One, that the older missing persons were a lot more difficult to discover information about online, their internet footprint was significantly smaller, and two, that searching for a single person’s information was far too slow.

While there was an emphasis in the briefings about providing quality over quantity, the points system rewarded the opposite. After half an hour, our team was in 4th place, but quickly dropped down the order as our previously verified findings were found to be ineligible due to certain sources being excluded (news websites and missing persons aggregators).

Settling in to discover more we realised the process really needed to be automated. The information for all the missing persons needed to be fed into our various search and scraping engines, and the outputs parsed for further leads. We quickly realised that is what the top teams were doing as the number of submissions for them increased more rapidly than we could keep up with.

As a bunch of pentesters, we also discovered that searching for unique individuals is quite different to our normal OSINT process of searching for information about a company. Some of our better information came from WHOIS records. Sometimes it is surprisingly difficult to show that one person is related to another even though they both have a social media presence. In general, one advantage we have as pentesters is that API abuses on social media platforms are rampant and allow for much deeper disclosure of personal details than many would expect.

The entire experience was very educational, and we are keen to compete again next year, with plans in the works to build our techniques into a well-oiled machine. In the meantime additional effort is required to up-skill into OSINT on persons, rather than organisations. These are not mutually exclusive, a better understanding of OSINT on individuals will improve our ability to target the organisations to which those individuals belong.