“In this scenario we’re putting you in the shoes of Jack Stone, an OSINT analyst working with the British police. Through Jack you’ll get to experience what it’s like to work as an OSINT analyst on a high profiled missing persons case. This scenario will challenge you on many aspects of Open Source Intelligence, digital investigations and complimentary skills.”
So a couple days after I finished the last one, KASE did a Black Friday sale for one day where you could buy all three of the paid offerings for $65, and I went ahead and nabbed them all.
I’m going to start with their newest, intermediate-level scenario, The Vanishing of Rosie Parker, who by the way, is giving me major Fiona Apple vibes here:
Let’s get into it…
In this scenario you’re working as Jack Stone, OSINT analyst who partners with the British Police to help find Rosie.
Rosie is considered a high profile case because she is the daughter of a prominent politician. This means that she will be getting more attention than the usual missing riff-raff.
Seems like Rosie is being held for ransom somewhere, so we know she is at least alive.
Apparently there was a red SUV in the area where Rosie went missing that attracted attention. There is a video attached with the SUV stuck in traffic:
Though the video looks like it was shot on a baked potato, you can KINDA make out the license plate with an earlier frame:
And of course the plate number is the first question, so I will do what I can. I think the first 2 letters are GY maybe?
Here is more info on what UK plate numbers mean from Wikipedia:
Next I need the age identifier. I did a Google image search to see if I could find any info on the year of the make/model of this vehicle:
Seems like it is probably the Range Rover Velar.
I don’t know too much about Range Rovers, and I know Google tagged it as the “Sport” model, but the Velar has a more rounded butt compared to the Sport, which is more square.
It first released in summer of 2017, and all the models look quite similar, so it could have been any of these sets of numbers:
I don’t know guys, I’m doing my best here, but I’m not a CSI Detective or a wizard, so I can’t just scream ENHANCE at my computer.
I tried GY67EXP which was wrong, but are you telling me SARGE could have enhanced the image this whole time!?
I was definitely wrong. OV comes from the Birmingham area. So I spent the next half hour or so trying to input registration numbers into this UK website and getting no Range Rover hits.
Then I found a way to search partial plates using some random guy’s website from Reddit. You can only use two wildcards before you have to pay, so I picked
OV6? ?X?
I was very sure of the X, so then I just cycled in numbers after the 6 according to the chart above, because it could only be 66, 67, 68, or 69.
Then I looked through the list finding red Range Rovers and tried them in the answer spot until one worked.
OV69EXP
However, I feel like this was not the ideal way to go about it, because you can’t just try random numbers in a real investigation.
But there is NO WAY I would have ever gotten the O. Here it is after my sister did some enhancing on it to try and help me, and it definitely appears to be a G, right?
I’m sure there is a better way to do the wildcard searches for UK license plates, but this worked!
Next we meet up with Constable Wilson.
Sgt. Clark informs us that he did indeed talk to the rental company, and apparently the SUV was rented by Rosie, all alone.
Hmm, weird. What if she left on purpose? You’d think she would have tried to signal to the rental clerk that she was under duress?
And also, why pick such a memorable vehicle? A bright red Range Rover? That doesn’t scream “trying to lay low” to me.
After this we get the case files. I went ahead and Googled her address. I don’t know if I’d want to leave all this on purpose unless something crazy was going on:
Maybe something WAS going on though, because the maid mentioned that she had just got back from rehab:
Her mom seems to be freaking out, especially since she left her important items at home. But honestly, someone who lives in a house like that with a maid could probably easily replace all those things. So I’m not convinced she didn’t leave on purpose yet.
By this time the GPS data has been collected:
Looks like she would have to get on the Dover ferry to cross into France. I wonder if there is surveillance footage from it?
Here are some stills from the gas station footage:
Again, leaving Rosie alone in the car with the opportunity to run or alert someone.
The person runs away quickly after they leave the store:
According to the gas station employee, he panicked when asked why the name on the card was a female when he was obviously a male, implying that it was stolen.
He ran out and left a bunch of stuff from his pockets on the counter, including a weird coin.
I obviously put it through Google images, which came up empty, as well as Yandex.
This was the closest I could find with Google images. It’s close, but not quite there:
I know they asked for ransom in crypto, so I was thinking maybe it represented some obscure cryptocurrency? But I could not find any that were represented by a tree.
Only on Question #2 and I’m already having this much trouble. It’s not looking good for me guys.
I meticulously looked through all the online photos of the house in a couple realty sites to see if I could find any tree stuff, but that was unsuccessful.
I then started thinking it could possibly be one of those coins you get from places like AA or something for being sober, since the police report said she had just got out of rehab. I searched for “Rehab Cheltenham UK” and immediately found the Abbeycare Group:
So if HE had the coin, maybe they met in rehab?
After this, Sgt. Park and Rosie’s parents come to the exact same conclusion:
The police get a warrant and retrieve a list of about 30 individuals who received coins from the rehab center over the last few years.
The scenario then immediately moves on to a threatening letter Mr. Parker has received.
The most concerning line is, “You have messed with my family and maybe we’ll see how you like it when I mess with yours. 10 Charlton Park Gate isn’t very far away and I’m sure Rosie and Catherine wouldn’t mind me stopping by.”
The next task is to identify who wrote the letter. As you can see, they just signed it with, “S”.
There is only one person on the patient list that starts with S, Sophie Jones, but that was not the answer. I also tried Emma Smith and Daniel Scott, but none of those names worked. Why would it be that easy?
The only other thing I can see that really stands out in the letter is the creative insult, “gormless moronic pillock”, which seems very distinct. Maybe the person used it in other places online, like forums, comment sections, etc.?
I tried just Googling it, but got no initial results:
I decided to move on to social media sites, and luckily I tried Twitter first, because this popped up:
Going through the profile, there is just a bunch of ranting about politics. Classic Twitter stuff:
In between all that though, he has a file that he posts twice for, “motivation for runners”
This is a PowerPoint presentation with slides of random quotes they got from Reader’s Digest.
I immediately checked the metadata to see if the author was listed, but they were not.
I did manage to find the location of the background photo for every slide though. It’s Hollybrush Wood in Sussex, south of London. Perhaps this person likes to run there.
At this point I right-clicked the PowerPoint and unzipped it all onto my desktop and started going through all the files one by one. When I came to the media files, I noticed that all of the motivational quotes had been cropped from larger screenshots of a browser image:
This gave me more leads. As you can see here I now have a couple of bookmarked sites. Even what bank they use.
I see they have YouTube bookmarked and also “Chelts Walk’n’Talk”. The Walk’n’Talk thing looks like it is from Strava, which tracks activities like running and biking. The only issue with that is, due to an OPSEC controversy a few years ago, you can no longer easily search user made activities on Strava.
At this point I started collaborating with a friend from the official Discord, which was nice since I usually do all of these types of things alone.
I ended up having to make a user account in order to search “clubs” on Strava.
The club had one user, Simon James:
Well, it turned out that was all for nothing, because Mr. James ended up having an alibi:
At this point, Rosie’s mom is obviously still freaking out and wants us to talk to Rosie’s good friend, Olivia about the people on the list, to see if maybe Rosie mentioned any of them to her:
After this, Rosie’s dad receives a postcard with a crypto address on it so that a ransom can be delivered:
Wilson already looked up the address for us, so that saves some time.
Also, I did everyone a favor and typed it out, so feel free to copy/paste:
1Doho93x24sbs4jyPw6wn87xjQSuFS8wrt
When you search this on Google you find the abuse record from 2017:
The empty Bitcoin address:
A compiled list of compromised addresses on Github:
And then finally, a piece of shared code:
The code is for turning text into handwriting, for say, a ransom note.
It seems like the code was just named something random, and was posted by an anonymous user. So that was a dead end.
I went back and checked out GitHub. I didn’t get anywhere with the first one that popped up from Google, but when you search for that bitcoin address specifically within GitHub, the same code pops up from the user “darkcoiner”
If you look through the commit history you can see where they added in the ransom note text:
If you add .patch to the end of a GitHub commit URL, you can see more info about the user. This person had 3 commits in total. The email is obscured in the most recent commit, but the older two had their email as “darkcoiner@kasescenarios.com”
Kinda got stuck here for awhile, until I found THIS tool, which checks email reputation:
It showed this person has a Gravatar account:
From here I was able to use Gravatar to find his first name, thanks to this blog post HERE:
I hashed his email and then appended “.json” on the end of the URL to get more info about him:
Now I know he is going by “Nate 💸”.
If you search on that list of names from the rehab, there is actually a Nathaniel Green.
At this point, Rosie’s dad is arguing with police about how he wants to just pay off the ransom and get this over with. But the police are trying to explain that it won’t guarantee Rosie will be returned.
The cops start investigating Nate:
They then want us to find out more about the postcard, the location of it, etc.
When I did a reverse image search on it earlier, it looked like a port in Spain. The stamp is pretty cute:
The town looks like it’s called Segur de Calafell
After this, Rosie calls her dad from Spain!
Seems like it was all a plot between her and Nate to try and get some money from her dad. They were actually in a romantic relationship.
The dad is pretty forgiving about it though.
Since Rosie’s dad is picking her up, the investigation turns to locating Nate.
While Rosie is being transported home, Nate sends her a video message, and it’s up to us to geolocate him with it:
The thing that stands out is obviously the mountains in the back. And since we know Rosie was dumped near Girona, we can start from there.
You need to put all this info in a report and Kase scenarios will review it.
I found a website called Smappen, where I could input the address from the Girona train station and then see how far someone could drive from there:
I ended up with a wide area:
I noticed there was what looked like a grape farm in the video, but that wasn’t exactly helpful because there are like a billion grape farms in the area since it’s wine country.
Anyways, so at this point I wasted 4 hours wandering around Google Earth looking for the correct mountain. I had already taken a screenshot from the video and tried a reverse image search, but apparently not at the right spot because I got nothing the first time.
Then I reached out to my Discord friend who said he found it easily using a reverse image search. I tried once again in a different spot from the video and it came right up.
The picture I found was a stock image described as, “Vine in the Roses region, or Rosas, and the hinterland in the background. Roses is a commune on the Costa Brava at northeastern Catalonia in Spain”
So moral of the story, take multiple spots from videos if you are using stills to search. MULTIPLE!
I searched for “Rosas, Spain” and got a small area on Google maps. From here I just used street view to find the exact spot.
Luckily I dropped almost right on it:
Here’s this exact tree from the video:
This is Ctra. de les Arenes, Roses, Catalonia, 42.27776094440473, 3.176829050221029
I uploaded my report and called it a night.
According to the intel yesterday, Nate is headed towards France. The authorities are attempting to intercept him there.
Meanwhile, Rosie and her mom re-unite at the airport in the UK and Rosie ends up being arrested as soon as she lands. She is charged with fraud, counterfeiting, and forgery in both the UK and Spain. Her parents try to fight for her, but the cops won’t listen.
“Rosie, darling, don’t worry, Daddy is going to fix this!” — Rosie’s Mom
Rosie cries and gets taken away.
Meanwhile, Nate is still sending Rosie text messages and hasn’t been apprehended yet.
Nate sent the airport name in full view, but then blocked out all his personal info on the boarding pass. It seems like he is trying to trick everyone to the wrong airport.
Unfortunately for him, he didn’t block out the bar codes on his boarding pass.
I found a barcode scanning website and ran it through to receive info about his flight:
This shows how to decipher it:
Looks like he is going to be taking off from Nice Côte d’Azur Airport, and landing at Istanbul Airport on flight number 1814, which is serviced by Turkish Airlines. He claims his name is “Zak Smart”.
And that concludes the scenario! I had a lot of fun with this one. It was MUCH more difficult than the first one, and it also taught me some new OSINT skills.
I look forward to working through the remaining two scenarios. ❤
