Cyber Detective OSINT CTF “Evidence Investigation” Writeup

Chad Warner
9 min read · Jan 20, 2022


The Cyber Society at Cardiff University runs the Cyber Detective CTF, a free OSINT CTF. After completing the “Life Online” challenges, I worked on the “Evidence Investigation” challenges, which involve OSINT, converting and translating data, finding geographic locations, and working with file metadata.

Here’s my writeup, including solutions (spoiler alert!).

If you know of any other CTFs or challenges that provide good OSINT or CTI practice, please let me know!

dvla

Q: We’ve managed to snag a picture of the front of a new Person of Interest’s car. We need you to find out the make of the car and the month it was made in! We’ve attached the photo from a local CCTV camera, take a look?

A: I first tried a Google Images search, but the only exact matches were from writeups of this CTF, and I avoided those. Next I searched for “uk license plate lookup” and found https://vehicleenquiry.service.gov.uk/. When I entered CY10 HHB, it told me it’s a Ford registered in June 2010.

connectionrefused

Q: We’re trying to access this web address: http://time-traveler.icec.tf/. The server is not responding! It is essential that we find the information contained on this site as we suspect it to be part of a criminal enterprise. Sources suggest that the site was accessible about 4 years ago, not sure how that is relevant but it might mean something to you?

A: I put the URL into the Wayback Machine and saw snapshots from 2016. The June 1, 2016 snapshot showed the text IceCTF{Th3y’11_n3v4r_f1|\|d_m4h_fl3g_1n_th3_p45t}.

chemtrails

Q: We’ve found this boarding pass; although it looks like whoever had it was a bit paranoid that someone like us would find it. We really need to find the SEAT NUMBER of this person, in order to connect it with other evidence the team has gathered.

A: The seat number had been marked out, and I didn’t see any other text that would reveal it. But, the pass had a barcode, so I uploaded it to this barcode reader and it gave the text from the barcode, including “SEAT NUMBER: 22B.”

bigbrother

Q: We’ve intercepted a live camera feed overlooking a public space. It is essential to our investigation that we find out the COUNTRY where this camera is operating from so we know which law enforcement agency to follow up with. LIVE CAMERA FEED: http://81.82.201.132

A: http://81.82.201.132 didn’t load. I put the IP address in https://geoip.com, which showed the location as Belgium.

balancethebooks

Q: We have reason to believe that a particular company, TECHNOLOGY SERVICES LIMITED is complicit in a case we are investigating. To gain a better understanding of the size and scale of this company, we need you to find out the AMOUNT OF CASH currently held by them. We’ve attached a document we acquired from hacking one of their laptops; hopefully this will help you find this information?

A: The document’s header says “Companies House” and since the Cyber Detective CTF is based in the UK, I searched online for “uk companies house” and found https://www.gov.uk/government/organisations/companies-house. I clicked Find company information and entered the company number shown on the document (01867162) to find the company’s record. On the Filing history tab were many filed documents. The document from the CTF was dated at the beginning of 2020, and the nearest document was “Total exemption full accounts made up to 31 March 2020,” which included a balance sheet showing a “cash at bank” amount of £102,347.

readyfortakeoff

Q: The special operations team has learned that a target of theirs always takes the first flight out of their local airport every morning. Please find the TIME OF ARRIVAL AT DESTINATION of that first flight, so that we can place officers to arrest them. Once again we have very little to go on, aside from what I think is a camera feed. LIVE CAMERA FEED: http://87.54.59.228

A: The camera feed has a “Bornholm Airport” label. I searched online and found https://bornholms-lufthavn.dk, which is in Danish. The site had no translation option, so I used Google Translate. That let me see the arrival times, but the CTF didn’t accept any of the times I tried.

inplainsight

Q: We suspect they are using steganography to obfuscate (hide) meaningful information within the otherwise insignificant image attachments. Surveilling the target’s laptop use in Starbucks via shoulder surfing has revealed that they use Stegosaurus, a bespoke online steganography tool. We’ve attached an image file from an e-mail that we believe has had something encoded into it by the target. Please tell us what the HIDDEN MESSAGE within the specimen image provided is. Stegosaurus: https://mystegosaurus.co.uk/

A: https://mystegosaurus.co.uk/ is offline. I couldn’t find it in the Wayback Machine. I tried several other online steganography tools, but none of them succeeded in extracting the message. I saw steganography tools named Stegosaurus which could be downloaded and run locally, but I didn’t go this far.

gunpowder

Q: Our surveillance team has discovered another camera that has been left open to the world! Could you please find the NAME OF THE ROAD that runs outside the building this camera is in.

A: The provided photo shows a window with the name “The Birchmount Lofts.” I searched online and found https://vcacanada.com/birchmount/pet-resort/accommodations-feline with the address 1563 Birchmount Road, Scarborough, ON, M1P 2H4. A map shows this is on Birchmount Road.

sos

Q: One of our SIGINT (Signals Intelligence) analysts recently found a strange broadcast sent over the airwaves. We are not certain on the source. Can you please draw a conclusion on the attached transmission?

A: The provided text file has a series of dots and dashes, which looks like Morse code. I searched online for “Morse code converter” and found https://morsecode.world/international/translator.html. It translated the provided code to GOLDENEAGLE.

rollingeyes

Q: We’ve been deploying drones to photograph the South Wales region for some time. Fortunately, one of those Google cars with cameras mounted to the roof appears to have been sailing by at the time. So we can be confident we’ve actually spotted them, can you confirm the COLOUR of their HOODIE and the COLOUR of their T-SHIRT. All they’ve given me is an overlay from the drone… We think they were getting out of a car at the time.

A: The provided image showed a Google Maps satellite image with 7 roads. I opened the area on Google Maps and went into Street View, starting on Amherst Cres. There was a person standing outside a car with a red hoodie and blue shirt.

proofinthesignal

Q: We’ve become aware that one of our targets, James Markson, has retained his links with the city of Bristol, UK. We’ve also learned that this individual always has his personal hotspot enabled on his smartphone, as he does not wish to subscribe to a regular home broadband service. This means the target’s WiFi signal from their phone may have registered on a public WiFi mapping service. One intelligence analyst noted that ‘jammy’ may be the SSID (the name of the wireless network). What is the STREET NAME where the target has likely been in the city of Bristol?

A: I went to WiGLE and looked up Bristol, England, GBR with SSID jammy and saw dots on St Marks Road.

undercover

Q: The intelligence analysis team has recovered a mysterious file from one of our target’s computers following a sting operation in the early hours of this morning. It seems like there’s nothing there, but why would a target have a blank file on their computer? Are they hiding something? We really need to find the lock combination for the self-storage unit where the target has stashed counterfeit bank notes.

A: I opened the provided PDF in a text editor and looked at the text, but it wasn’t helpful. I opened the PDF and highlighted the entire page, which showed some white text on the white page. I copied it and pasted to reveal the text as Lock Code: 956445.

defrauded

Q: Their email, marked as urgent, stated that the invoice must be paid immediately or else the business relationship with Hutchings will be terminated. It contained a PDF of an invoice dated 03/02/2020, however upon looking up the Invoice Number, Hutchings realised that it referred to a genuine transaction, but was paid many years ago. They also deduced that the company named (TP and Co.) no longer exists!

To help us narrow down our investigation into how the fraudster even got the original invoices to manipulate in the first place, we need your help… Can you have a look at the attached fraudulent invoice and find out the ORIGINAL DATE OF CREATION by the legitimate TP and Co?

A: I checked the metadata of the provided PDF, which showed a creation date of May 13, 2012.
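The “defrauded” and “photophile” challenges both come down to reading metadata that a document carries around with it. Here is an added example (my own code, not part of the original writeup or the CTF) that pulls the Info dictionary fields out of raw PDF bytes and parses the PDF date format (D:YYYYMMDDHHmmSSOHH'mm') into a proper timezone-aware datetime. The PDF bytes below are constructed for the example and simply reuse the May 13, 2012 date from the challenge; the field names, the hypothetical producer string and the “TP and Co.” author value are assumptions. One caveat worth knowing: PDFs are often saved with incremental updates, so the same key can appear several times in the file, and the last occurrence is the current one.

```python
import re
from datetime import datetime, timedelta, timezone

# Info-dictionary keys worth checking when you triage a document.
INFO_KEYS = (b"Title", b"Author", b"Creator", b"Producer", b"CreationDate", b"ModDate")

# PDF date: D:YYYY[MM[DD[HH[mm[SS[O[HH'[mm']]]]]]]]  where O is +, - or Z
PDF_DATE_RE = re.compile(
    r"D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?"
    r"(?:([Zz+\-])(\d{2})?'?(\d{2})?'?)?"
)

# Constructed sample file (not a real invoice); contains an Info dict with
# a creation date matching the one in the challenge and a later ModDate.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /Producer (Example Writer 1.0) /Author (TP and Co.)\n"
    b"   /CreationDate (D:20120513101500+01'00')\n"
    b"   /ModDate (D:20200203090000Z) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
)


def _decode_pdf_string(token: bytes) -> str:
    """Decode a PDF string object: (literal) or <hex>."""
    if token.startswith(b"<"):
        hexdigits = token[1:-1].decode("ascii")
        return bytes.fromhex("".join(hexdigits.split())).decode("latin-1")
    body = token[1:-1]
    # Undo the common backslash escapes used inside literal strings.
    body = re.sub(rb"\\([()\\])", rb"\1", body)
    return body.decode("latin-1")


def extract_info(pdf_bytes: bytes) -> dict:
    """Return the Info-dictionary fields found in the file.

    The file is scanned as bytes rather than parsed as objects, so it still
    works on damaged files; the LAST occurrence of each key wins because
    incremental updates append newer values to the end of the file.
    """
    info = {}
    for key in INFO_KEYS:
        pattern = re.compile(
            rb"/" + key + rb"\s*(\((?:[^()\\]|\\.)*\)|<[0-9A-Fa-f\s]*>)"
        )
        matches = pattern.findall(pdf_bytes)
        if matches:
            info[key.decode("ascii")] = _decode_pdf_string(matches[-1])
    return info


def parse_pdf_date(raw: str):
    """Convert a PDF date string into a timezone-aware datetime (None if unparseable)."""
    m = PDF_DATE_RE.match(raw)
    if not m:
        return None
    year = int(m.group(1))
    month = int(m.group(2) or 1)
    day = int(m.group(3) or 1)
    hour = int(m.group(4) or 0)
    minute = int(m.group(5) or 0)
    second = int(m.group(6) or 0)
    sign = m.group(7)
    if sign in ("+", "-"):
        offset = timedelta(hours=int(m.group(8) or 0), minutes=int(m.group(9) or 0))
        tz = timezone(-offset if sign == "-" else offset)
    else:
        tz = timezone.utc  # 'Z' or no zone: treated as UTC (assumption)
    return datetime(year, month, day, hour, minute, second, tzinfo=tz)


def creation_date_iso(pdf_bytes: bytes) -> str:
    """Convenience wrapper: ISO-8601 creation date, or '' if none is present."""
    raw = extract_info(pdf_bytes).get("CreationDate")
    parsed = parse_pdf_date(raw) if raw else None
    return parsed.isoformat() if parsed else ""


if __name__ == "__main__":
    for field, value in extract_info(SAMPLE_PDF).items():
        print(f"{field:13s} {value}")
    print("Created:", creation_date_iso(SAMPLE_PDF))
```

Run it against a real file by replacing SAMPLE_PDF with `open(path, "rb").read()`. Keep in mind that the Info dictionary is plain text anyone can edit, and that newer files may carry the same data in an XMP packet instead, so a missing or implausible date is itself a signal, not a dead end.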

photophile

Q: I’ve recovered an image I think was taken by this individual from an unnamed online file storage folder. What is the CAMERA MODEL / DEVICE MODEL of the device used to photograph the poppies?

A: I checked the metadata of the provided photo, which showed device make Motorola and device model Moto G3.

xorelse

Q: A colleague in the cryptography team said something about a particular target using XOR encryption? Anyway… we’re planning on parking up outside their house and having a look at what’s going on inside their home network. We think that this XOR business will lead us to their WiFi password. All we’ve got to go on is this: QeOhnsr{KuZu)(

A: I couldn’t figure this out. Brett commented on this post to tell me how he solved it, and I was then able to solve it. I went to https://www.cryptool.org/en/cto/xor, entered QeOhnsr{KuZu)( as the Plaintext, then increased the value of key one at a time, checking the value of the Encrypted text until I saw something human-readable: MyStrongWiFi54.
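Stepping the key up by hand works, but with a single-byte XOR there are only 256 possible keys, so a script can try them all and rank the outputs by how readable they are. The following is an added example of my own (not code from the original writeup, the CTF, or CrypTool) that does exactly that on the challenge string QeOhnsr{KuZu)(. The scoring rule is an assumption: a candidate is rejected if any byte is non-printable, and otherwise scored by its count of ASCII letters and digits, which is a reasonable proxy for a WiFi password or flag.

```python
import string

ALNUM = set(string.ascii_letters + string.digits)
# Printable ASCII plus the usual whitespace; vertical tab and form feed excluded.
PRINTABLE = set(string.printable) - set("\x0b\x0c")

# The ciphertext exactly as given in the challenge.
CIPHERTEXT = b"QeOhnsr{KuZu)("


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte of data with the same one-byte key (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def score_plaintext(candidate: bytes) -> int:
    """-1 if any byte is unprintable, otherwise the number of ASCII letters/digits."""
    text = candidate.decode("latin-1")
    if any(ch not in PRINTABLE for ch in text):
        return -1
    return sum(ch in ALNUM for ch in text)


def brute_force_xor(ciphertext: bytes, top_n: int = 5) -> list:
    """Try all 256 single-byte keys; return (score, key, plaintext) best first."""
    ranked = []
    for key in range(256):
        plaintext = xor_single_byte(ciphertext, key)
        s = score_plaintext(plaintext)
        if s >= 0:
            ranked.append((s, key, plaintext.decode("latin-1")))
    # Highest score first; ties broken by the smaller key so output is stable.
    ranked.sort(key=lambda t: (-t[0], t[1]))
    return ranked[:top_n]


def recover_key(ciphertext: bytes, known_plaintext: bytes) -> int:
    """Given one known plaintext byte pair, the key is simply their XOR."""
    return ciphertext[0] ^ known_plaintext[0]


if __name__ == "__main__":
    for score, key, text in brute_force_xor(CIPHERTEXT):
        print(f"key={key:3d} (0x{key:02x}) score={score:2d}  {text!r}")
```

The top candidate is key 28 (0x1c), which is also why the manual approach in CrypTool eventually gets there: every key below 28 produces at least one unprintable or non-alphanumeric character. Single-byte XOR gives no real protection for exactly this reason, and the same idea extends to short repeating keys by brute-forcing each key position separately.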

mothertongue

Q: One of our linguists has found a strange email between two targets, it seems to be some kind of foreign script.

A: I pasted the provided text into Google Translate and it detected the language as Pashto, with the translation Speaking multiple languages is an interesting thing. repeated over and over. In the middle of the text was an untranslated string, so I copied it and pasted it into Google Translate. It detected it as Russian, with the translation The flag is around here. I looked at the original text and noticed other strings of different languages, and translated those. They all translated as something like The flag is around here, until one translated to clouds.

hostiletakeover

Q: I’ve attached a bank statement we secured after infiltrating the target’s personal holdings company network. It shows the sum paid for the property and the date of the purchase. We know there is publicly searchable data made available by the Land Registry which could help us with what we’re after. We must start gauging the risk to each business that this individual has acquired property from. Can you find out the BUSINESS NAME of the previous owner of the property that can be inferred from the seized bank statement?

A: I searched “uk Land Registry sale records” and found https://landregistry.data.gov.uk/app/ppd. I entered the amount and date from the bank statement, and found the address as Tesco Stores Ltd, Pontymister Industrial Estate, Newport, NP11 6NP.

bitcoinbuster

Q: The analysis team found that the ransomware demands a peculiarly specific sum of 3.581074451254057 bitcoins exactly. We know that the writer of the virus is highly likely to have selected this figure on 1st February 2020. We have reason to believe that this particular malware writer always uses the Market Open price as their point of reference (i.e. the price of one bitcoin at the very first moment of every day). It is not uncommon for cyber criminals to arrive at a specific amount of cryptocurrency from an arbitrary figure from their home currency. E.g. 10,000 British Pounds might get 1.34745439576493 bitcoins. Based on the 3.581074451254057 BTC figure being obtained on 1st Feb 2020 from the Market Open price alone, which COUNTRY is the ransomware creator most likely to be from? We’ve attached a HTML document containing links to all of the relevant bitcoin price pair history data-sets on Yahoo Finance.

A: I used the provided links to Bitcoin prices on Yahoo Finance to see what the open prices were on Feb 1, 2020. I then multiplied 1.34745439576493 by the open price for each country, and found that BTC-AUD was exactly 50,000, pointing to Australia.
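The reasoning in this challenge is that a ransom amount set in BTC usually started life as a round figure in the author’s own currency, so dividing the amount back through each currency’s open price and looking for the “roundest” result points at the currency. Below is an added example of mine (not part of the original writeup or the CTF) that automates that search. The open prices in OPEN_PRICES are constructed for the example and are not the real Yahoo Finance figures for 1 Feb 2020; the roundness rule (distance to the nearest multiple of 100 in fiat) is my assumption.

```python
# BTC amount demanded by the ransomware, as stated in the challenge.
BTC_AMOUNT = 3.581074451254057

# Constructed market-open prices (fiat per 1 BTC). Placeholder values for the
# example only; substitute the real Yahoo Finance "Open" column when solving.
OPEN_PRICES = {
    "BTC-USD": 9350.00,
    "BTC-GBP": 7130.00,
    "BTC-EUR": 8450.00,
    "BTC-CAD": 12400.00,
    "BTC-AUD": 13962.29,
}

# Which country a price pair's quote currency belongs to (assumption for the example).
PAIR_COUNTRY = {
    "BTC-USD": "United States",
    "BTC-GBP": "United Kingdom",
    "BTC-EUR": "Eurozone",
    "BTC-CAD": "Canada",
    "BTC-AUD": "Australia",
}


def distance_to_round(value: float, granularity: float = 100.0) -> float:
    """How far value is from the nearest multiple of granularity (0 means exactly round)."""
    nearest = round(value / granularity) * granularity
    return abs(value - nearest)


def fiat_candidates(btc_amount: float, open_prices: dict, granularity: float = 100.0) -> list:
    """Convert the BTC amount into each fiat currency and rank by roundness.

    Returns a list of (pair, fiat_value, distance) tuples, roundest first.
    """
    rows = []
    for pair, price in open_prices.items():
        fiat = btc_amount * price
        rows.append((pair, fiat, distance_to_round(fiat, granularity)))
    rows.sort(key=lambda r: r[2])
    return rows


def likely_country(btc_amount: float, open_prices: dict, tolerance: float = 1.0) -> str:
    """Name the country for the roundest conversion, or 'unknown' if nothing is close to round."""
    pair, fiat, dist = fiat_candidates(btc_amount, open_prices)[0]
    if dist > tolerance:
        return "unknown"
    return PAIR_COUNTRY.get(pair, pair)


if __name__ == "__main__":
    for pair, fiat, dist in fiat_candidates(BTC_AMOUNT, OPEN_PRICES):
        print(f"{pair}: {fiat:12.2f}  (off round by {dist:.2f})")
    print("Most likely country:", likely_country(BTC_AMOUNT, OPEN_PRICES))
```

The tolerance matters: exchange-rate data is quoted to a few decimal places, so a match will rarely be exact to the cent, but one currency standing out at well under a unit from a round number while the rest are tens or hundreds away is the kind of signal this challenge relies on.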
