If you follow the National Child Protection Taskforce (@NCPTF8) on twitter, you may have noticed they recently held their annual conference in June. As an attendee I was able to watch enlightening presentations by numerous OSINT experts; all detailing specific investigative techniques that can be deployed in the effort to assist child exploitation investigations. More information on the organization can be found at https://www.ncptf.org/.
During the virtual conference a series of OSINT capture the flag (CTF) questions could be attempted, as a way to help attendees actively practice and develop their OSINT skills. As you likely have guessed by now, below are some write-ups on how I came to some of the solutions. *Spoiler!* though none of them are a deep dive into any ground-breaking techniques (as the title suggests), my hope is there may be one or two useful tips for someone who has recently found their way into the brave new world of OSINT. The CTF questions below are separated into two sections, Web Technology and Geolocation. Let’s get started.
SECTION I — WEB TECHNOLOGY
Question 1:
“Which retailer uses the IP address 54.239.28.85?”
There are several websites that can handle basic IP address resolution, and depending who you ask you will find a variety of preferences. Some favorites that come to mind are https://www.shodan.io/, https://centralops.net/co/, and https://myip.ms/.
There are no discrepancies between any of these results, all pointing to the correct retailer.
Solution 1: Amazon Inc.
Question 2:
Don’t overthink this one. Sometimes successful research comes down to competent Googling. A simple google search for “eepsite” will reveal several sources mentioning I2P. I2P or the “Invisible Internet Project” is a network, and sites on that network are referred to as “eepsites”. If you are curious and want to learn more, here is a medium article by Masayuki Hatta specifically about I2P eepsites.
Solution 2: I2P
Question 3:
For this question we need to look at the relationship between two websites. A great tool to attack this is Builtwith. In fact if you find yourself repeatedly returning to Builtwith, you can check out an article here on integrating transforms in Maltego.
When we enter “manutd.com” in the domain search we are presented with details such as a Technology Profile. Navigate to the Relationship Profile and notice the “Connected Websites” section. As we hover over the MANUTD.COM Tag History, we can see that the “GTM-AW-1009678457” tag fits the given time range. When we hover over it, buccaneers.com becomes highlighted. This GTM tag was common to both sites between July 2019 and April 2020.
Solution 3: GTM-AW-1009678457
Question 4:
As the question suggests, Shodan is the preferred site to answer this question. Shodan is an extremely useful resource when it comes to domain investigations. In this case we need to start by simply searching the IP address given ‘212.47.232.167’ in the Shodan search bar. Shodan details information you can find on each of the domain’s accessible ports. Under the information found on port 443 we can see data associated with the ‘.onion’ URL.
A clue within the question suggests we don’t need to visit the ‘.onion’ URL, so it is likely that the solution can be found within the Shodan results. Within the port 22 “OpenSSH” data we can see the line “Fingerprint: e3:94:a4:c8:0c:dd:31:b2:14:0a:04:76:e5:f5:b1:3b”
By searching the fingerprint string within Shodan, we land on a page with two IP results, one given in the answer, and one which is our solution.
Solution 4: 136.144.188.173
SECTION II — GEOLOCATION
Question 5:
“Our target used this shipping container between 2004–2018. We need to track down most recent CSC number of this container as this will help us log it’s use and key people involved. Can you find the CSC (Convention for Safe Containers) number for this container?”
If you don’t track shipping containers daily, you can Google “container tracker” to reveal container tracking websites within the first few hits. I found the site track-trace.com to be helpful in both tracking the container in question and also providing useful resource links. A quick zoom-in to the top right corner of the container reveals the tracking number that needs to be searched: “LGEU4416973”.
Upon searching we discover this container belongs to the CARU fleet and bears a manufacturing date of July 2004. We are also presented with a “Lloyd Inspection Release Note” in the form of an attachment. The inspection release note reveals the solution.
Solution 5: NL-LR 70003–03/07
From an OSINT perspective alone, the amount of useful details associated with tracking this container is staggering. Not only can we see the last depot location of “CARU Rotterdam, NLRTMCARA” but if this container was actively traveling we should be able to locate its position on Google Maps; a good OSINT resource to keep in your back pocket.
Question 6:
“What is the name of the city or town this image is taken?”
The first detail I was drawn to in this image were the hanging flags from the street lamps. The blue flag can be pretty quickly identified as the flag of the European Union, blue with a ring of gold stars. Studying the country flags of the European Union members we can easily isolate the Slovakian flag as the white, red, and blue flag draped next to The European Flag.
Knowing the country alone will not be enough to answer the question, we need to determine the city. Directing our attention to the opposite side of the image there is a sign fixed to another street lamp. The black and yellow sign is difficult to read. If you’ve just discovered OSINT, this may be a good opportunity to dip your toes into enhancing images. @JakeCreps tweeted about two de-blurring tools in December 2020, to give you an idea of what is possible.
Though its difficult, even without fancy image enhancing tools it is possible to make out the word “CASINO” on the black and yellow portion of the sign. I was also able to make out the letters “ANCO” above the word “CASINO”. A search in google maps in the region of Slovakia did return a result for “BANCO CASINO” in the Slovakian city of Bratislava.
Solution 6: Bratislava
Question 7:
Which country is the image most likely to be taken in?
This was a quick fun question if you remember to think outside of the box, or in this case, outside of the keyboard. The google translate mobile app has a helpful feature that can translate text using the mobile camera. Simply open the app, use the camera function and focus on the text to be translated. It’s a pretty neat trick that quickly identifies some of the text language as Bengali. With Bengali being the official and popular language of Bangladesh, we’ve come to our solution easily.
Solution 7: Bangladesh
Question 8:
“In the image a vehicle with a license plate can be seen in the background. Which country is the vehicle from?”
This question took me longer to solve than I would like to admit. The best idea I could come up with for identifying the license plate was to visually compare it with the hundreds of license plates found at a site aptly titled ‘License Plates Of The World’ . The main distinctive feature I kept looking for was the combination of a rather blank white plate with a set vertical dividers, or black bars. After two incorrect initial attempts including Russia, I eventually stumbled across Morocco’s plates.
Several of the Morocco plates clearly share the vertical divider which was the unique identifier. Luckily the solution was Morocco, but I would love to hear from you if you know of a better or more efficient way of tackling license plates.
Solution 8: Morocco
Question 9:
“The case file you are investigating includes a picture of a plug socket that seems unusual. Which country was this image taken?”
This challenge can be solved largely by using the Yandex reverse image search. Navigate to Yandex Images and conduct a visual search by uploading the image of the socket. A result in the visually similar section leads to an informative article about different types of sockets: Know about electrical socket types popular today .This informative resource mentions that this socket, the Type H socket, is very much used in Israel.
Solution 9: Israel
Question 10:
“Where did this plane land?”
In examining the image we can clearly make out the Airline and tail number, “US Airways N106US”. Out of habit I usually begin an OSINT question by testing out my “Google-Fu”. I instinctively Googled “US Airways” “N106US”.
The first result is all we needed to answer this question.
Indeed you could also utilize several easy-to-find flight tracking websites and come to find the information regarding this rather remarkable landing.
Solution 10: Hudson River
Hopefully you were able to pickup a trick or tip you have not used before; regardless thanks for reading through!
Thanks again to @NCPTF for an awesome virtual conference, and all of the presenters who shared really insightful OSINT knowledge. If you like OSINT and agree helping children is a worthy endeavor, check them out and consider donating or even volunteering.
