Cyber Investigator OSINT CTF “Crime Scene Investigation” Writeup
The Cyber Society at Cardiff University runs the Cyber Investigator CTF, a free CTF with OSINT, forensics, and investigation challenges.
Here’s my writeup of the “Crime Scene Investigation” challenges, including solutions (spoiler alert!).
If you know of any other CTFs or challenges that provide good OSINT or CTI practice, please let me know!
oink
Q: The other day, we forced entry to someone’s house and found something really odd smeared on the living room walls in black paint. I’ve got no clue what it could mean but we found a stuffed pig and a pen neatly placed on the kitchen table…
A: I tried using a few font identifiers, but none worked. A Google Image search didn’t help. I unlocked a hint in the CTF, which was “Pig… pen… cipher :).” I searched “pig pen cipher” and found https://crypto.interactive-maths.com/pigpen-cipher.html, which I used to decipher the message: the truth is out there somewhere.
spintowin
Q: We have just attended an address linked with multiple cases of arson and upon checking the garden shed, officers found two burning candles, 4 and 5, wedged into a shelf. They also found the message ‘Yheehp max fhgxr’ etched into the wooden structure of the shed with what can only be presumed to be a razor blade or a knife. Put two and two together for us; what does the message mean?
A: I searched “45 cipher” which showed results for the Swiss NEMA cipher machine, but I couldn’t find a way to decipher it. I unlocked a hint in the CTF, which was “There are these ciphers called rotation ciphers — or ROT ciphers — the 45 could align with how many steps are in the rotation :).” I searched “rotation cipher” and found https://www.dcode.fr/rot-cipher, which I used to decipher the message: follow the money.
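The rotation from the hint can also be reproduced offline. The following Python sketch is an added example, not part of the original writeup: it shows that a rotation of 45 on a 26-letter alphabet is the same as a rotation of 19, and it recovers the key without the hint by trying all 26 rotations. The function names and the small word list are assumptions made for illustration.

```python
import string

ALPHABET_SIZE = 26

def rot(text, shift):
    """Rotate ASCII letters by `shift` places, keeping case; other characters pass through."""
    shift %= ALPHABET_SIZE  # 45 and 19 are the same rotation on 26 letters
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + shift) % ALPHABET_SIZE + ord("a")))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - ord("A") + shift) % ALPHABET_SIZE + ord("A")))
        else:
            out.append(ch)
    return "".join(out)

def decode(ciphertext, key):
    """Undo a rotation of `key` places."""
    return rot(ciphertext, -key)

# Constructed word list, used only to rank candidate plaintexts.
COMMON_WORDS = {"the", "and", "of", "to", "is", "in", "that", "it", "for", "you"}

def brute_force(ciphertext):
    """Try every rotation; return (score, key, plaintext) tuples, best first."""
    candidates = []
    for key in range(ALPHABET_SIZE):
        plain = decode(ciphertext, key)
        score = sum(word in COMMON_WORDS for word in plain.lower().split())
        candidates.append((score, key, plain))
    return sorted(candidates, key=lambda c: -c[0])

CIPHERTEXT = "Yheehp max fhgxr"  # message quoted in the challenge

if __name__ == "__main__":
    print(decode(CIPHERTEXT, 45))      # key taken from the two candles
    print(brute_force(CIPHERTEXT)[0])  # key recovered without the hint
```

Because only 26 rotations exist, the brute-force pass makes the candle clue optional: the one candidate containing a common English word is the plaintext.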
gonemissing
Q: I’ve been handed a cold case about a body found in a bush in Hackney, London in December 2015. I’ve not worked a missing persons’ case before but I’m told that it has a case reference number of 15–007500. Could you find out the brand of the jacket that they were wearing at the time of their disappearance? This will help me spot them when I’m checking the CCTV clips recorded by cameras around where they were discovered; hopefully we’ll find out how they ended up dead in the bushes!
A: I searched “missing persons case london” and found https://missingpersons.police.uk/en-gb/home. I did a Case Search and entered the Unit Reference as 15–007500. The case details said, “Jacket — Anorak — Black — Plain — ‘Northface’.”
restinpeace
Q: This afternoon, some property developers made a rather morbid discovery of bones when they began digging up a plot of land to build houses on in Glasgow. Alongside the remains, a Surrey County Council library card with the name ‘Ms Doris Ellen Smith’ was found together with a business card from a sewing club. This is potentially a bit odd as Surrey is over 400 miles away from Glasgow. This, combined with the location of the bones, has prompted us to launch a murder investigation. Now, assuming that Ms Smith had links with family, friends or her sewing club, then it is likely that she was reported missing and subsequently a death certificate would have been issued owing to her not being seen again. Could you find out the year that she was presumed dead?
A: I searched “england record presumed dead” and found https://www.nationalarchives.gov.uk/help-with-your-research/research-guides/birth-marriage-death-england-and-wales/, which led me to https://www.freebmd.org.uk/, but there were too many matching results. I unlocked a hint in the CTF, which was “Ancestry might help you out here; their free data will let you know the year a particular person passed away.” I used https://www.ancestry.com/search/ to find a record from Surrey, England with a death date of 1996.
urbanplanners
Q: Last Thursday night, someone threw a petrol bomb at the site of an ongoing construction project at 40 Heol-Y-Deri, Rhiwbina, Cardiff, CF14 6HH. It is necessary to apply for planning permission for these sorts of things I think, and I reckon the public are able to voice their views on proposed buildings before the decision is made by the council as to whether to approve the project and allow construction to proceed. Perhaps there’s someone who complained? Could you find the full name of the person who objected to the new properties being built?
A: I searched the address and found https://planning.org.uk/app/163/_CARDIFF_DCAPR_132839/, which linked to the local council’s website, https://planningonline.cardiff.gov.uk/online-applications/applicationDetails.do?activeTab=summary&keyVal=_CARDIFF_DCAPR_132839. The Comments tab had 1 public comment, which was an objection from Mrs Mary Landon Goodman.
discharged
Q: Basically, the witness attended the accident and emergency department at a local hospital and was sat in the only seat positioned directly opposite the front desk, in clear view of a computer with direct access to the hospital’s server. We found some literature folded where they were sat, and the doctors have given us a copy of the X-ray — looks like a broken thumb. The radiologist told us that he was somewhat famous and spoke with a bit of a Scottish twang, but could not remember any more detail than that. Due to the data loss, we cannot tell who attended the hospital for treatment that day (catch 22), so the two items of evidence below are all we have to go on. So, can you find the name of the person who was sat in that chair opposite the front desk?
A: I searched some of the text from the literature, and found it’s from Shakespeare’s Macbeth. I didn’t know what to do next, so I unlocked a hint in the CTF, which was “Somebody who has something to do with Shakespeare, and also broke their thumb. The specific play could be important too. Get Googling!” I searched “shakespeare macbeth broken thumb” and saw results for James McAvoy.
burningrubber
Q: We recently attended the scene of a road traffic accident where the car involved was suspected to be carrying too much weight (at top speed) and subsequently, one of the tyres blew out leading to the driver veering off the M6 motorway into a ditch — flipping over several times. The car is a complete write-off; we’ve just barely identified the make and model of it and have found that it weighs 2200KG from checking the DVLA database. The driver was carrying three engine blocks from a nearby scrapyard, one in the boot and two on the back seats. Each weighs 160KG. We’re interested to know how many kilograms the car was overweight by, assuming that the driver weighs 85KG. I’ve attached a photo of one of the tyres; all four of them are identical (including the one that blew out).
A: The tires say “205/55 R 16” and “91 V.” The total weight of the car (2200 kg), driver (85 kg), and engines (480 kg = 160 kg * 3) is 2,765 kg. I searched “tire load index” and found that tires have a “load index” which specifies how much weight they can carry. I found https://calculla.com/tyres_load_index_table, which helped me figure out that 91 is the load index for the tire in question, which indicates a max weight of 615 kg. The 4 tires together can therefore carry 2,460 kg, which means the car was 305 kg overweight.
jigsaw
Q: A recently-foiled terror plot has led us to raiding an address in Newcastle upon Tyne, subsequently recovering numerous weapons and a copious amount of digital evidence. One outlying seizure that strikes me as particularly odd is a cardboard box which contained an image of someone cut out into 100 rectangles; given the history of who we are dealing with, it would be interesting to find out who it depicts. I’ve scanned each part in no particular order but to me it is not obvious who it is. Can you find out the full name of person seen in the recovered photo fragments?
A: I stitched the photos together to make a face, and put it in Google Images, which failed. I searched “online face recognition” and tried a few results, and https://tineye.com/ found matching photos across the web. I put one in Google Images, and it identified the person as Jacinda Ardern.