OSINT Challenge

Introduction

You are a detective and you have been instructed to find a suspect who was employed in a major
hotel chain and was responsible for the theft of US$ 3.5 million from his employers. At the time
when you were given the instruction you were busy with another investigation and had to
immediately abandon that to start this new investigation. You were also meant to be home hours
ago to take your loved one to a nice restaurant for a well deserved dinner and relax time.

During your investigation your attempts to find the suspect were recorded in this video which you
analyse at the office for the report.

The video is available online here, it has not been saved locally due to the size (> 1GB).

Video Notes

  • The video is 37:03 long, and appears to consist of the detective driving around Las Vegas. The detective is driving extremely slowly, likely intentionally to take in all the details. The footage appears to be a dash cam, due to the stability of the picture.
  • The Google Drive is owned by Fred Blogs (andrewfnam@gmail.com), the video file is named "LV.mp4".
  • Surveillance starts out by the Mandalay Bay Convention Center.
  • A minute further down the road, the driver passes the large MGM Grand Hotel on the right and the Luxor Hotel on the left.
  • The driver shifts left into the middle lane by the Hakkasan.
  • A few minutes later he passes the Monte Carlo on the left.
  • Driver crosses Flamingo Road by Caesars Palace at the 13:50 mark.
  • By the Wynn Hotel at 20:26.
  • 22:35 - TIME is 4:53, date is 12/14/17 (visible on Walgreens sign).
  • Crosses Elvis Presley Blvd at 23:58.
  • Crosses Bob Stupak Ave at 27:46.
  • Passed Hotel Shalimar at 30:30.
  • Crosses Carson Ave at 34:55.
  • Driver shifts into the leftmost lane at 36:50, immediately before US 95 South.

Plotting all of the aforementioned observations on a custom Google Map gives us a general route of the driver's path, which will be useful for context. This map tells us that the driver was following South Las Vegas Blvd for the entirety of the video.

Question 1

This vehicle is being looked for and the owner is required for questioning as he may be able to
provide further information, report the time and place the vehicle was observed. (5)

OSINT question 1

So we have to review the video for a White Scion in front of the driver with the white Nevada license plate "266 LYK".

The car in question turns into view from Ogden Ave at the 35:31 timestamp, and the license plate is in clear view at the intersection of Stewart Ave. The car is seen in the left lane about to turn onto the highway at the end of the video.

Answer: The car turns left into view at 5:06, 12/14/17, at intersection of East Ogden Ave and Las Vegas Blvd. The video ends with the car in the left lane, about to turn onto Interstate 515.

Question 2

The number 795 2243 is possibly linked to a POI?  Provide all information obtained. (25)

Since the focus is in Las Vegas, we can assume that the area code is 702, giving us the 10-digit number 702-795-2243. Googling the number returns that it is a landline (source), and that it belongs to one "Randi Reed" (source). This information is corroborated by a returned LinkedIn profile for Randi Reed for the same phone number search. Spokeo tells us that the associated phone carrier is CenturyLink.

Randi Reed is a Corporate Surveillance Audit Specialist for Station Casinos. She was slowly promoted up the corporate ladder, going from a Surveillance Agent (AUG2004-SEP2009) to a Surveillance Supervisor (SEP2009-OCT2017) to her current position in OCT2017. She has an Associate's degree in Criminal Justice and Corrections from the College of Southern Nevada, earned between 2004 and 2007. Her LinkedIn also says that she lives in Henderson, NV, which is a suburb of Las Vegas (approx. 17 minute drive).

Question 3

This chapel has a live web cam, what is the name of the chapel?

What strip hotel does it have a view of?

Screen shot to be included.

What is the IP address of the network associated to the web cam? (25)

Chapel and Hotel

The chapel in question is the "Little Vegas Chapel", associated with the "Las Vegas Elvis Wedding Chapel" entry on Google Maps:

Matching Elvis Chapel

The website for the Chapel can be found here. Cross-referencing the location with Shodan cameras gives us a few likely IPs for the camera:

  • 107.84.45.188
  • 72.202.225.47

Question 4

What date did the Mandalay Bay shooting take place?

On 30/09/2017 at 14:57 Stephen Paddock was seen on CCTV footage, what was he doing?

What did he do immediately afterwards?

Provide a screen shot. (30)

Googling Mandalay Bay shooting returns the readily-available data, October 1, 2017. Searching "CCTV" AND "Stephen Paddock" yields the CCTV footage, which we need to watch to determine what footage occurred on Sunday, 30SEP2017.

Question 5

An email was received from our subject, in the headers the IP address of 173.247.242.190 was
discovered, trace the IP to a physical address and location name. (15)

IP Geolocation plots the IP address at the Cheney Reservoir in Kansas, coordinates 37.751000, -97.822000. This isn't a physical address and I'm not sure that this is what the question is looking for.

Question 6

This vehicle may be related to our investigation, what address did it go to? (10)

Yellow Vehicle

I decided to write a script that will search the video file frames for this still, and it is publicly available here for others to use for their own purposes. It is run with the following (adjust path names as necessary):

python3 find-frame.py -v LV.mp4 -i yellow_vehicle_address.webp

Unfortunately the script was not able to find a match, likely because the size of the image is not a 1-for-1 match with the video. My next idea was to create a file that breaks the video into individual frames for manual review, which can be run with the following:

python3 break-into-frames.py -v LV.mp4 -n 55

This worked like a charm, and I was able to locate the unidentified yellow vehicle at frame 53955 (timestamp 1800.2985, or just past the 30 minute mark) in just a few minutes by clicking through the frames. At frame 55660 (timestamp 30:57), the vehicle turns off the road.

Upon careful analysis of the frame, we can see that the vehicle turns right along a building labeled the "Monterey Motel", which is at 1123 South Las Vegas Blvd. Immediately before where they turn is labeled "1143", and the sign post right after is labeled "1133", so my best bet is that they were parking behind 1143 South Las Vegas Blvd, Las Vegas, NV, 89104.
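The 1-for-1 size mismatch that defeated find-frame.py above is usually handled by trying the still at several scales. The following is an added example, not the code of either script mentioned on this page: a pure-Python multi-scale normalised cross-correlation over a constructed frame and still (OpenCV's cv2.matchTemplate does the per-scale step on real video); all function names and sample data are assumptions of the example.

```python
# Added example: multi-scale template matching in pure Python.
# Images are grayscale lists of rows; all sample data below is constructed.
from math import sqrt

def resize_nn(img, new_w, new_h):
    """Nearest-neighbour resize of a grayscale image."""
    h, w = len(img), len(img[0])
    return [[img[y * h // new_h][x * w // new_w] for x in range(new_w)]
            for y in range(new_h)]

def ncc(frame, tmpl, x0, y0):
    """Zero-mean normalised cross-correlation of tmpl against frame at (x0, y0)."""
    th, tw = len(tmpl), len(tmpl[0])
    a = [frame[y0 + y][x0 + x] for y in range(th) for x in range(tw)]
    b = [v for row in tmpl for v in row]
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    num = sum((p - ma) * (q - mb) for p, q in zip(a, b))
    den = sqrt(sum((p - ma) ** 2 for p in a) * sum((q - mb) ** 2 for q in b))
    return num / den if den else 0.0  # flat patches carry no signal

def best_match(frame, still, scales):
    """Return (score, scale, x, y) for the best match over all scales."""
    fh, fw = len(frame), len(frame[0])
    best = (-1.0, None, None, None)
    for s in scales:
        tw, th = round(len(still[0]) * s), round(len(still) * s)
        if tw < 2 or th < 2 or tw > fw or th > fh:
            continue  # template would be degenerate or larger than the frame
        tmpl = resize_nn(still, tw, th)
        for y in range(fh - th + 1):
            for x in range(fw - tw + 1):
                score = ncc(frame, tmpl, x, y)
                if score > best[0]:
                    best = (score, s, x, y)
    return best

def make_sample():
    """Constructed data: a 24x16 textured frame and a still that is a
    6x4 crop of it saved at twice the size (like a rescaled screenshot)."""
    state, frame = 2017, []
    for _ in range(16):
        row = []
        for _ in range(24):
            state = (state * 1103515245 + 12345) % 2**31  # small LCG texture
            row.append((state >> 16) & 0xFF)
        frame.append(row)
    x0, y0 = 11, 5
    crop = [r[x0:x0 + 6] for r in frame[y0:y0 + 4]]
    return frame, resize_nn(crop, 12, 8), (x0, y0)

if __name__ == "__main__":
    frame, still, truth = make_sample()
    print("1:1 only  :", best_match(frame, still, [1.0]))
    print("multiscale:", best_match(frame, still, [1.0, 0.75, 0.5]), "truth", truth)
```

With only the 1:1 scale the best score stays well below a usable match threshold; once 0.5 is in the scale list the still locks onto its true position in the frame.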

Question 7

Provide the IP addresses and GPS coordinates of 4 IP CCTV camera systems within the Las Vegas
area, one of those cameras must be located on Bonanza Road. (40)

I decided to use Shodan to try to find this information. The first query I tried is camera city:"Las Vegas", which while generic, narrowed me down to 3,164 results. Using the Map View allowed me to home in on Bonanza Road. Here are 4 of the IPs of Las Vegas CCTV cameras:

  • 174.68.36.132
  • 184.186.104.47
  • 72.211.59.195
  • 72.202.228.73

It would be a fun project to try to write a Shodan plugin that allows users to search by street name as well.

Question 8

Who are the 3 main shareholders of MGM?

Find MGM financial report in the form of a PDF document (not website) which contains the words
“Consolidated net revenues increased 13% compared to the prior year quarter to $3.2 billion”
submit the URL as evidence. (20)

The three main shareholders of MGM are Corey Ian Sanders, William Joseph Hornbuckle, and John M. McManus (source). Through Googling mgm financial report type:pdf before:2020, I was able to locate the link to the requested PDF document: http://q4live.s22.clientfiles.s3-website-us-east-1.amazonaws.com/513010314/files/doc_financials/quarterly/2019/q2/Q2-2019-ER-FINAL-(006).pdf

Question 9

The General Manager of the Luxus Hotel is believed to be involved in this criminal incident, find out
what his name is. (10)

There is no "Luxus Hotel" in Las Vegas. That name was used in the 2017 film Sleepless, according to this article. In the movie, the GM is Stanley Rubino, played by Dermot Mulroney.

Question 10

What is the complete number?

Who is the owner and their email address? (15)

Obscured Phone Number

Using the same frame trick as question 6, we know to look for a red light by a street sign that ends in "E 500" and a yellow awning. The first thing I noticed is a street sign "E 100" at the 387 timestamp, right by Tropicana Ave (36.1010057,-115.1728015). This makes me think that "E 500" will be four streets further down the road.

Unfortunately that was not the case :) At the 1914 second mark (31:54), on the right side of the screen we can see a gray sign matching the "E 500" text depicted in the picture. At 33:32 we can see the number at the edge of the frame: 702-735-5***. Backing up to 33:12, we are able to find the final four numbers, 5700, making the complete number 702-735-5700.

Dropping the Google Street View guy, I was able to determine the address as 229 S Las Vegas Blvd, Las Vegas, NV 89101, and find a matching picture of the building for sale from the time period. The sign said "Leavitt Law Firm, Dennis M Leavitt". Using SpyTox, we are able to confirm that the user's full name is "Dennis Myron Leavitt Sr".

Their law firm's website has a contact page, but unfortunately it does not list an email address, just the phone number "702-996-6052". Looking for his LinkedIn is a bingo, we got his email address: Dennis@Leavittlawfirm.com.

Answer: 702-735-5700, Dennis Myron Leavitt Sr, Dennis@Leavittlawfirm.com

Question 11

What is the MAC address of Desert Star WIFI? (15)

Question 12

Find the personal Facebook page of the person linked to this email pirellirealestate@hotmail.com,
the URL to be submitted as evidence. (5)

Searching for the user associated with the email address on Facebook did not yield any results. Searching pirellirealestate@hotmail.com site:facebook.com returned a business Facebook page, but that wasn't what we were looking for.

Simply searching for "pirellirealestate@hotmail.com" returned a real estate site that mentions one "Cynthia Pirelli", which is corroborated by SpyTox. The site also gives a cell number of (720) 491-1722. SpyTox gave the name as Cynthia Marie Martinez, a 57-year-old female who has lived in Nevada.

Zillow gives us a picture of the woman for reference, so we can try to find visual matches on Facebook. Realtor.com offers us a different phone number for contact, which may be her office number at eXp Realty (10845 Griffith Peak Dr. Ste. 2, Las Vegas, NV, 89135).

Both http://www.vegashomestore.com/ and http://denvermetroareavalues.com/ redirect back to the Zillow site, so we know she likely owns the domain names. Her Linkedin is cpirelli, her Instagram username is cynthiapirelli, and her Facebook username is Thriveandprosper.

Possible matches:

Question 13

What is New York New York? (5)

New York-New York is a hotel and casino, located at 3790 Las Vegas Blvd S, Las Vegas, NV 89109. It is owned by MGM Resorts International.

Question 14

Where did you see a vehicle marked 110? (10)

First seen at timestamp 2:21, seen clearly at 3:12. Coordinates: 36.095174, -115.172735. TODO: Double-check coords

Question 15

Geolocate a Youtube video of the famous Bellagio Hotel Fountains filmed during July 2019 looking
towards Caesars Palace, if the video is longer than 4 minutes it is the wrong video, as evidence the
following is required:

Video title

User Name

Date & time stamp of video publish

GPS coordinates (30)

Searching for Bellagio Hotel Fountains july 2019 site: youtube.com returned this video:

  • Title: Las Vegas Strip Fountains of Bellagio June 2019
  • Username: @jdgrandadventures (Private) (J&D Grand Adventures)
  • Date & time stamp of video publish: Jul 17, 2019 (2019-07-18T00:37:50Z)
  • GPS coordinates: 36.1126264, -115.1767051.

You used to be able to determine the timestamp a video was published at by pasting the URL into https://citizenevidence.amnestyusa.org/, but it appears that either their API key has expired or the API endpoint has been retired, because the request returns a failure in the console whenever I attempt a search. I will need to locate an alternative method of requesting the timestamp data, probably by getting my own API key and either making my own requests or trying to intercept the site's requests with Burp Suite. For the time being I've sent an email to their team at aimember@aiusa.org informing them of the issue to see if they want to resolve it on their end.

UPDATE: They got back to me and said they would handle it, but they never did. I was able to get my own API key and replace the key in their broken URL to parse the raw data, which got me the timestamp that the video was published (2019-07-18T00:37:50Z) and the recording coordinates (above).
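The manual lookup described in the update, written out as an added example (not the author's or Amnesty's code): it builds a YouTube Data API v3 videos.list request and reads the publish time and recording coordinates from the reply. The video ID, API key, function names and the embedded response are constructed placeholders, and the example assumes the reply carries snippet.publishedAt and recordingDetails.location.

```python
# Added example: read publish time and recording location from a
# YouTube Data API v3 videos.list reply. Runs offline on a constructed reply.
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

API = "https://www.googleapis.com/youtube/v3/videos"

def video_id(url):
    """Extract the video ID from the common YouTube URL shapes."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    if host == "youtu.be":
        return u.path.strip("/").split("/")[0] or None
    if host in ("youtube.com", "www.youtube.com", "m.youtube.com"):
        if u.path == "/watch":
            return parse_qs(u.query).get("v", [None])[0]
        parts = u.path.strip("/").split("/")
        if len(parts) == 2 and parts[0] in ("embed", "shorts"):
            return parts[1]
    return None  # not a recognised YouTube URL

def request_url(vid, api_key):
    """URL to fetch; api_key is your own key (placeholder in this example)."""
    query = {"part": "snippet,recordingDetails", "id": vid, "key": api_key}
    return API + "?" + urlencode(query)

def summarize(response_json, local_offset_hours):
    """Return title, UTC and local publish time, and coordinates (or None)."""
    items = json.loads(response_json).get("items", [])
    if not items:
        return None  # wrong ID, or the video is private or removed
    item = items[0]
    stamp = item["snippet"]["publishedAt"].replace("Z", "+00:00")
    published = datetime.fromisoformat(stamp)
    local = published.astimezone(timezone(timedelta(hours=local_offset_hours)))
    loc = item.get("recordingDetails", {}).get("location") or {}
    coords = (loc["latitude"], loc["longitude"]) if "latitude" in loc else None
    return {"title": item["snippet"]["title"],
            "published_utc": published.isoformat(),
            "published_local": local.isoformat(),
            "coords": coords}

# Constructed reply using the values reported on this page; the ID is a placeholder.
SAMPLE_RESPONSE = json.dumps({"items": [{
    "id": "XXXXXXXXXXX",
    "snippet": {"title": "Las Vegas Strip Fountains of Bellagio June 2019",
                "publishedAt": "2019-07-18T00:37:50Z"},
    "recordingDetails": {"location": {"latitude": 36.1126264,
                                      "longitude": -115.1767051}}}]})

if __name__ == "__main__":
    vid = video_id("https://www.youtube.com/watch?v=XXXXXXXXXXX")
    print(request_url(vid, "YOUR_API_KEY"))
    print(summarize(SAMPLE_RESPONSE, -7))  # -7 = US Pacific daylight time
```

The same instant is 17:37:50 on Jul 17 at UTC-7, which is why the publish date and the raw UTC timestamp above differ by a day.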

Question 16

In 2018, a famous hacking conference was held in Las Vegas, who was the keynote speaker and she is
known as? (10)

This site lists the 2018 DEFCON keynote speaker as "Parisa Tabriz", also known as the "Security Princess" (link) and the "Browser Boss" (link). The actual link to her DEFCON 2018 user write-up is here, with the Keynote link being here.

Question 17

What does this belong to? The Devil is in the detail (10)

Mysterious Neon Sign

Thankfully I had just finished working on question 10 when I saw this picture again, and it is perfectly in the frame when the last four digits of the phone number are showing (33:12). Using the same coordinates in Google Maps (36.16692, -115.14197), I was able to navigate down the street and determine the name of the building: El Cortez Hotel and Casino.

Judging by the height and the distance from the top of the hotel in the video, I would guess that the neon lights are in the 13th story window. That is counting the base, however, and according to their website the building is only 15 stories tall. Using that information and counting down balconies, I would guess that the neon lights are in the 8th story window.

Question 18

What did you observe at this GPS coordinate 36.148417, -115.153915?

Is it working? Support your answer with a screen shot.

Obtain tweets between April 17 and 18, 2017 from the above geolocation within a 1 kilometer radius
only.

In the results returned, a user @xxxxxxxxxck (x=missing characters) provides a precise location in a
tweet on the same date, what was the location and what time was the tweet. (30)

On Twitter I was able to use the following search to locate the tweets in question: geocode:36.148417,-115.153915,1km since:2017-04-17 until:2017-04-18. The tweet in question is by @JessicaDBeck, it was at SLS Las Vegas (link) and was made at 3:32 PM.

Question 19

Did you see Deuce? Provide details if you did, time, place etc (20)

Likely referring to the American rapper "Deuce", who was probably on a billboard advert at some point in the footage.

Possibly referring to the double decker bus at time stamp 34:35, coordinates 36.169161, -115.140712, plate number 64190.

Question 20

What does this belong to? (15)

Slatted Image

Question 21

Provide the URL link to the live (i.e. real time) camera which has sight of the Hard Rock Café and
Shake Shack. (10)

According to this site, the "Las Vegas Strip Cam (American Eagle)" of "Worldcams.TV" captured at least the Shake Shack, but the live stream is no longer available, so I'm not sure if it was the Hard Rock Cafe as well.

Question 22

This picture was taken from inside a strip hotel, which hotel was it, and what is its ID number on
Instagram? (15)

Strip Hotel

This is what I've been able to find so far:

  • The building in the background with the red top might be the Mandalay Bay hotel with an advertisement for "Michael Jackson One".
  • The red building to the right might be Hilton's Resort World, but that doesn't have any tan strips, so it isn't a perfect match.

Hotels that it definitely isn't:

  • The Orleans
  • Resorts World
  • The Venetian
  • Caesars Palace
  • MGM Resorts International
  • Virgin Hotels Las Vegas
  • The Cosmopolitan of Las Vegas

After a lot of digging through the Google Images search "las vegas hotels with pools", I was able to find this picture of the Palazzo that matches the curved indentation of the pool in the picture:

Palazzo Hotel

They are palazzovegas on Instagram. Comment Picker was able to convert that username into the Instagram ID 288684843.

Answer: Palazzo Hotel, Instagram ID 288684843

Question 23

What was the room rate advertised at the Monterey Motel when you drove past?

Obtain at least 2 pictures of the inside of the hotel. (15)

The address of the Monterey Motel is 1123 S Las Vegas Blvd. We can clearly see the hotel at the 31:02 minute mark, but the sign says it is available for sale and a room rate isn't available.

Question 24

Who is this?

What is his work address and telephone number? (20)

Mystery Doctor

Question 25

Where did you start this investigation? (10)

The driver was pulling out of the driveway of Signature Flight Support, which is located at 4500 S. Las Vegas Blvd, Las Vegas, NV 89119.

Question 26

What is the geolocation of this sign in GPS coordinates? (10)

Blurry Sign to Locate

Question 27

Are there any FBI surveillance vans located in Las Vegas?

What brought you to your conclusion? (15)

Seeing as the FBI has a field office in Las Vegas, it is reasonable to assume that there are FBI surveillance vans in Las Vegas.

Question 28

When you saw this person, where were the police? (10)

Person by Police

Question 29

What is signature? (10)

Question 30

What is the GPS coordinates of this CCTV camera?

Provide 4 YouTube videos from this location. (25)

CCTV Camera

Question 31

This picture was taken at the Hard Rock Café in Las Vegas on November 10, 2017, identify the
facebook user and the URL of the photograph (15)

Reverse searching the image did not yield any clues. The Google dork site:facebook.com & (after:2017-11-09 before:2017-11-11) hard rock cafe las vegas did not yield any results either.

Facebook Photo

Question 32

The sign at 36.131749, -115.164647 is advertising what show and it was hosted at which hotel on the
strip? (15)

Right at the 21 minute mark, the driver passes by the sign in question. The sign is advertising "An Evening With Mel Brooks" at the Wynn Las Vegas.

Question 33

What time and at which location did you see these people? (20)

Person to Locate 1 Person to Locate 2

Question 34

Facebook ID 250240925003365 is linked to a criminal group, what are they called?

Provide a street picture of their base from which they operate. (20)

Going to the Facebook URL redirects to The Mob Museum. The Mob Museum is located at 300 Stewart Ave, Las Vegas, NV 89101. Here is a street view of the museum:

The Mob Museum

Question 35

Shahid Uddin Khan is a wanted fugitive by Interpol (positive answers will be submitted to Interpol)

Can you find him?

Interpol has issued Red Notice on the members of a fugitive Bangladeshi family, who now are residing in Britain. According to information obtained by this correspondent, Interpol issued Red Notice on Md. Shahid Uddin Khan, his wife Farjana Anjum, and daughters Shehtaz Munasi Khan and Parisa Pinaz Khan for committing serious types of crimes, including terror-financing, money laundering and other types of crimes. The members of this family are convicted in a few criminal cases in Bangladesh.

According to newspaper reports, Md. Shahid Uddin Khan and members of his family had smuggled-out millions of dollars from Bangladesh since 2009 and deposited into various bank accounts in the United Arab Emirates. This family also has purchased immigrant status in Britain under Visa Tier 1, VAF Number 511702, and invested over 12 million pounds, while the entire amount had been dirty money. They also established a company named Zumana Investment & Properties Limited, Incorporation certificate number 0741417, dated October 25, 2010. The registered office of this company is located at Unit 29 Eleanor Street, London, E3 4UR, United Kingdom.

Sitting in Britain, Md. Shahid Uddin Khan and his family are operating their businesses in Dubai [in United Arab Emirates]. According to newspaper reports, this family is having business relations with notorious Dawood Ibrahim’s D-Company and has been involved in trafficking in drugs and arms.

The Khans are also funding Islamic State as well as other militancy groups and madrasas.

On January 17, 2019, the Dhaka (Bangladesh) residence of this family was raided by the members of Counter Terrorism and Transnational Crime (CTTC) unit of Bangladesh Police. During this raid, a huge volume of arms, ammunition, detonators, explosives, counterfeit currency notes, Islamic State propaganda materials, and recruitment tools were seized. In the seized documents, CTTC also found evidence of the Khan family’s involvement in terror financing.

Three separate cases were lodged on the same day with the Cantonment Police Station in this regard against Md. Shahid Uddin Khan, Farjana Anjum Khan, Shehtaz Munasi Khan, and Parisa Pinaz Khan. These include, CR case number 4466/2009, dated December 30, 2009, under section 416, 467, 471 and 109 of the Bangladesh Penal Code, which is under trial with the Court of the Chief Metropolitan Magistrate; Case number 10, dated January 17, 2019, under section 6 (2), 7, 11 and 12 of the Anti-Terrorism Act of 2009; Case number 11, dated January 17, 2019, under section 25/A of the Special Powers Act of 1974; and Case number 12, dated January 17, 2019, under section 19/A of the Arms Act of 1878.

It was earlier reported in the newspaper that Md. Shahid Uddin Khan sent a few thousand dollars to one of his jihadist counterparts days before the Easter Sunday terrorist attacks in Sri Lanka.

Commenting on Interpol’s Red Notice issued on the Khans, a source close to the family said, “This family poses a threat to the British society. Authorities should immediately investigate the matter and deport them immediately”.

It may be mentioned here that on May 25, 2019, Politicalite had exposed the illegal activities of Md. Shahid Uddin Khan and his family while the matter had also been covered in The Sunday Times. It was further learnt that Khan had established business relations with Stephen Hammond MP and later had tried to blackmail the British lawmaker by publishing photographs of his secret meeting with Mr. Hammond.

There is a linked Red Notice as well, and the "VAF Number 511702" is bolded.