A little before midnight on August 8, Subhajeet Singha sat in front of his computer, unusually alert, excited and slightly stressed. He was just about to judge an online competition wherein 12 volunteers would race against the clock to work on missing person cases.
The 19-year-old recalls how his heart pounded as the competition kicked off. “I was participating for the first time,” he explains over a phone call from Darjeeling, where he is based.
The competition—a unique version of a popular contest called Capture the Flag, or CTF, that’s often played by the hacker, cybersecurity and information security community—was organised by the open source intelligence platform, Trace Labs. The Canadian NGO works on missing person cases where “the police have requested the public’s help” through such events, where tech-savvy volunteers like Singha help with cases online. There are some rules: contacting the subject and his/her family and friends is forbidden, as is illegal hacking—players can only use open source intelligence or OSINT, which Trace Labs describes as “data collected from publicly available sources to be used in an intelligence context”. These sources could be social media accounts, relevant news articles and so on. The prizes include access to in-demand training courses and VIP subscriptions to popular platforms such as Hack the Box, which give contestants an opportunity to test and improve their penetration testing skills.
The competition was a bit of an emotional roller coaster for Singha, a malware analysis enthusiast. It was a far cry from the fun, ‘Identify this picture’ type photo and geolocation challenges he was used to participating in on social media, where nothing was at stake.
“We worked on a case where a US marine was last seen boarding a train,” he recalls. “In another case in the US, an 80-year-old man’s car crashed into a tree and he vanished. There were no blood stains in the car.”
The teams trawled the internet and the players sent about 20 submissions every hour about the cases, along with screenshots, pictures and URLs as proof. As a judge, Singha had to validate the information before awarding points to teams.
“But we didn’t discover anything apart from the subjects’ social media accounts. Such basic information is worth 50 points. Advanced subject information about, say, birthmarks, tattoos and scars is worth 150.”
It wasn’t an entirely futile exercise, though. In one case, he says, the subject was a 17-year-old drug addict with acute depression. “We verified that she was last seen in a supermarket with a 47-year-old, after reading a Twitter thread where the security guard shared this information.” Such clues about subjects’ location are much valued in the contest and Singha says it helped the team bag 5,000 points.
He is not alone in this pursuit. Shweta Chawla, head and chief investigator of Pune-based SC Cyber Solutions, says that there is growing interest in online detective work among young OSINT enthusiasts and techies. Their number, she says, has spiked over the past few months. This is partly because the competitions have moved entirely online now, making them more accessible.
“Since mid-2019, I’ve noticed an interest among students in the ‘detection’ aspect of cybersecurity, though there are no forums or communities for them in India that I know of. But the interest, especially in OSINT, has hit a new level over the past 3-6 months. Due to the Covid-19 lockdown, CTFs on real-life cases, which were previously restricted to professionals who sometimes gathered at a venue to work on cases online, have now opened up to all and made them more mainstream and popular in India,” says Chawla, who has worked with national investigating agencies and taught forensics for 15 years.
Entry barriers are also low for people who have the interest and the resources.
“There was a half-hour briefing session for judges and a guide with very detailed instructions on rules, how to judge the contest and so on. Besides, the Trace Labs team and experienced judges are available throughout the competition for help, so we end up learning new skills as well,” says Singha.
The CTFs are broadly divided into two, Singha explains. Trace Labs partners with an organisation for events where participation is limited. And then there is their global virtual OSINT search party CTF event which, according to its website, is held once a month and open to all who will work on cases from around the world. The organisation also has a space on Slack where sleuthing enthusiasts gather to exchange ideas, discuss tools and techniques and work on cases. Trace Labs did not reply to detailed queries emailed by HuffPost India.
By the time the contest ended, Singha was mesmerised by this world he had just travelled through. “It gave me an adrenaline rush. It taught me how to use social media API (application programming interfaces) testing tools to find people, how to create sock puppet accounts on various social media platforms for my anonymity, how to leverage Google Dorks in my search and how to use virtual private networks (VPNs) and set up virtual machines (VMs) to cover my digital footprint.”
It also whetted his appetite for more. For the next CTF, Singha prepared by “reading blogs and watching videos on online investigations.”
Can missing people really be tracked online?
The success rate of such CTFs is unclear. But according to a recent BBC Future article, during a Trace Labs event in Toronto last year, one participant unearthed a YouTube clip of a missing person entering a car and its license plate helped investigators track the person down.
Canberra-based Linda Cavanagh, national network lead of the NGO Australian Cyber Security Growth Network (AustCyber), founded a National Missing Persons Hackathon last year, in which 354 people participated. “Participants generated 3,912 pieces of information for cases,” Cavanagh told HuffPost India over a call. This included drone footage of an area from which one of the subjects had gone missing. “That was brand new information which the police didn’t have,” she adds.
“I read about Trace Labs in an article and that was when I learnt that CTFs could be organised to find missing people. So I reached out to them,” Cavanagh said.
The Hackathon’s second edition in October this year will go completely virtual for the first time due to current travel restrictions. Although contestants will still be limited to Australian residents and citizens, volunteers from all over the world, including India, can participate as judges, says Cavanagh. The upcoming edition is organised by AustCyber in collaboration with the Australian Federal Police, the National Missing Persons Coordination Centre and Trace Labs.
Elaborating on the hackathon and Trace Labs’s CTFs in general—although she stresses a few differences may exist, especially with their global CTFs—Cavanagh explains that strict rules are in place to protect privacy. Participants are required to agree to terms and conditions—which include not contacting the subject’s friends and family—and sign a waiver. Sensitive police information is not shared either. “They are not provided with details like birth dates because of possible identity theft crimes. But these missing cases are provided with the approval of the person’s family,” she points out.
At the end of the contest, Trace Labs conducts an analysis of the information that’s provided.
“They sort it out in terms of relevant cases, the jurisdiction the missing person belongs to and provide an intelligence report. Then it’s up to the police to continue investigating,” says Cavanagh.
A new world unlocked by the lockdown
Chirag Jariwala, a 23-year-old IoT security researcher, has participated in the CTFs both as a player and a judge (he paid $12.24 to join as a player). The Surat resident says that online sleuthing is a bit like having a superpower. “You are using your skills for a good cause, to help family members and law enforcement agencies collect and process information easily,” he says.
While Jariwala has earlier used OSINT to hack into systems, he has now also learnt to use tools such as Sherlock, Hunchly and Maltego to work on these cases.
“Unlike India, countries abroad have good public websites like law enforcement databases. You get everything, from records of court proceedings and someone’s car details to the crime rates of a certain city, which any person can use to gather information and connect the dots.”
In suspected cases of human trafficking, he adds, volunteers also search the dark web and its illegal marketplaces, although he hasn’t done so himself.
Recently, Jariwala worked on the case of a 17-year-old girl in the US using Sherlock and Recon-ng.
“She had multiple accounts on Instagram and linked one of them to the app VSCO, where I discovered it. There were pictures of her buying and smoking marijuana, and intimate ones with her boyfriend as well. I concluded that she was in a relationship with a marijuana seller.”
But he doesn’t know whether his hypothesis was accurate. “We don’t get updates about the cases,” he says.
Privacy and security concerns
Chawla is careful about using the word ‘investigators’ to describe this cohort of sleuths. “There is only detecting, no investigating and no forensics involved,” she points out. She also cautions that while they are learning useful skills, “these 18, 19, and 20-year old children may not have the maturity to use it ethically”.
The expert warns that OSINT gained “most of its learnings from techniques of stalking”. Her warning rings true—just last year in Japan, a stalker was arrested for sexually assaulting a young pop star. According to reports, he found her location by zooming in on her eyes in a selfie she had clicked, where a train station was reflected. He used Google Street View to identify the station, and even studied the “placement of her curtains and direction of natural light” to find out her flat’s floor number.
Closer home, the frenzy over actor Sushant Singh Rajput’s death illustrates the dangers of social media users appointing themselves as armchair detectives.
“One problem is that when an investigation is being conducted in a public domain, half-baked conclusions float about, which leads to a greater chance of mistrials,” says Chawla.
‘It’s an addiction’
Three days after the Air India Express plane crash in Kozhikode, an OSINT researcher, who prefers to be known by his online alias ‘Reconmadness’, logged into Twitter and saw something that infuriated him. “People tweeted that the crash didn’t matter as most of the passengers were Muslims,” says the Kerala resident.
So the Sherlock Holmes fan decided to retaliate in the way he knew best—by investigating the crash “to present a holistic picture”.
Over the next four hours, the 25-year-old pored over first responders’ videos and images of the crash and media reports. “I traced the airplane’s flight path and visited aviation-safety.net for details about the aircraft, Boeing 737. I got details of the engine’s serial number, number of accidents resulting in hull loss, the runway terrain profile and even a 30-second video of a news channel’s analysis of the black box from YouTube.” He published the collated information on Medium. “Probable reason for landing gear failure: improper rigging/repairs or maintenance, or parts worn beyond their allowable service limits,” he concluded in the post.
Reconmadness says he often develops what he calls “tomato eyes” due to a lack of sleep. “It’s a complete addiction,” he chuckles. “Once, I identified an obscure picture of a beach in Cyprus by analysing the patterns of the buildings, using Google Maps and reverse searching the image on Yandex. I didn’t sleep the whole night. I also sometimes visit (the subreddit) Reddit Bureau of Investigation and discuss the challenges with my friends.”
For other enthusiasts too, there is a price to pay. Jariwala participates in CTFs only on the weekends, while Singha survives on four hours of sleep.