The Vanishing of Rosie Parker - Beta

The first clue we are given is a video file about a red SUV that was driving around the area on the evening Rosie went missing.

We haven't been able to get a plate yet due to the poor quality of the CCTV. Can you figure out the plate number?

One thing that seemed useful here was OpenALPR, but it is a paid product and thus outside of the scope of the assignment. I signed up for a free trial of Plate Recognizer Stream to see if their product was good enough to detect the license plate in question. After spinning up the Docker container and loading in the video file in lieu of a camera stream, it failed to detect any license plates in the film. I then started looking for something in open source, and Geeks for Geeks had a code snippet that seemed like it might do the trick. Unfortunately, when I ran scan_video.py on the video file, it also failed to detect any license plates.

I did some more digging, and it turns out that there is an open source version of OpenALPR available on GitHub to use!
```
# Build docker image
docker build -t openalpr https://github.com/openalpr/openalpr.git
# Download test image
wget http://plates.openalpr.com/h786poj.jpg
# Run alpr on image
docker run -it --rm -v $(pwd):/data:ro openalpr -c eu h786poj.jpg
```
Eventually I decided to just play the video on super slow speed and try to guess combinations of what I thought it could be. These are what I came up with:

CTE3 XMP
CTW3 XMP
CTW3 CMP
CTW3 CXP
CVE3 C
CTF3 C

But no dice. Eventually I gave up and asked for a clue, and this is what I got:

I'm pretty sure that's a red SUV something... a Land Rover, maybe?

Isn't there something called a 'wildcard search'? I think that's the trick that Wilson, my police constable, uses.

I have no idea how to actually search up a plate like that, so I guess it's time to buckle down and do some research. First I decided to look up Cheltenham to see where the police department is supposed to be out of, and it's a town in England; so now I know where the license plate lookup has to support.

As I learned once I did some reserach into how the license plates are created, digits 3 and 4 have to be numbers in the UK, with the first 2 digits being an area code and the last 3 digits being random letters.

The site https://www.partialnumberplate.co.uk/ has a search feature that allows you to search for partial license plates, so I combined that with the "Other" search option, a "Red" color and the make of "Land Rover". I started with CVE3X??, but no dice. As much as it pains me to admit, I opted to use the second hint here to make sure I was on the right track at least, and I'm glad I did:

I had my lab techs work on the quality of the image and they are certain the first part of the plate is OV6. That should help a bit, I hope.

So my next search was for OV63 C??, which was also a miss. Next was OV63 O??, which came back with 9 matches! These are them:
OV63ODS
OV63OEO
OV63OGK
OV63OJP
OV63OJR
OV63OKC
OV63OKG
OV63OMS
OV63ONM

Unfortunately none of them were the right answer, so we had to keep digging. In case I had the wrong number, I switched it up and tried OV6? OX?, but no luck; next step was assuming the O was wrong, and trying to guess the last letter via OV6??XP. That worked, and we found the vehicle in question!

Answer: OV69EXP

Can you find the name of the business that owns this brand?

My first step was obviously to conduct a reverse image search with Google, but no matching image could be found. No luck with Google Lens either, lot of visually similar coins but nothing with the same logo as ours. A quick search on TinEye unfortunately didn't net anything either.

I tried a few other random tools (SmallSEOTools, Duplichecker, Search Engine Reports, ReverseImageSearch), but all of them proved to be pretty useless and were just frontends for other image search sites.

I decided to stop focusing on the image and to go back through the documents we had been given earlier in the scenario, to see if there were any other leads I could follow up on. One interesting thing that was noted at the very end of a secion of the Missing Persons Report as the fact that Rosie had been to rehab, so I decided to tug on the thread because I know that mental health facilities typically give out custom coins to former patients upon their discharge.

I searched up Cheltenham, UK + rehab and the first result turned out to be just what we were looking for: https://www.abbeycarefoundation.com/

Answer: Abbeycare Group
What is the contact number for this business in Cheltenham?

First I searched up abbeycare + cheltenham and found their page, then grabbed the 24/7 number from there.

Answer: 01603 513 091
Identify who wrote the threatening letter.

We initially have two clues to go on: the initial S and that the person doesn't live far away from 10 Charlton Park Gate. I found the exact location in question (10, Charlton Park Gate, Cheltenham, Gloucestershire GL53 7DJ) by searching for Cheltenham, UK + 10 Charlton Park Gate, so we can use Google Maps to check the distance from any other locations of interest that we may identify.

We don't know who or how, but we know that Rosie's father allegedly messed with the kidnapper's family. Since the kidnapper says that Rosie and Catherine wouldn't mind them stopping by, it isn't a big leap to assume that all three individuals know the kidnapper in real life.

Since SGT Clarke mentioned our pro technical abilities, it tracked that there may be some details about the person behind the letter associated with the PDF metadata. I started with exiftool, but the only information I was able to pull out was that the producer was Epson Scan 2. I looked online in case there was a way to get more information about the document from either the document or instance UUID, but there is not.

Looking back through all the case documentation, I noticed that the initial dialogue mentioned that the ransom payment request for cryptocurrency was similar to an MP case in Norway, which may be a thread worth tugging on.

Rental car belonged to Hertz in Cheltenham, was tracked down to Calais, France
A male tried to make a purchase with a female's stolen credit card at a Shell gas station
We have surveillence footage from the gas station of the man in question

Since the individual has a coin from the rehab center, it's reasonable to assume that they were there together. However, the only people with the initial "S" were Sophie Jones, Daniel Scott, and Emma Smith and those weren't the answer. The person in question may be an employee there, or the two may have a friend in common

I was out of ideas, so I decided to get a hint:

'Gormless moronic pillock', Hah! That sounds pretty original... I don't think I've heard anyone say that before.

Searching Google for "Gormless moronic pillock" did not yield any hits, but did teach me that "gormless" means someone lacking intelligence and vitality. I tried the variants "Gormless pillock" and "moronic pillock" as well, but still no relevant hits.

I paused this for a while, and when I came back to it, the hint had been updated:

'Gormless moronic pillock', Hah! That sounds pretty original... I wonder if sensitivity filters would catch that phrase?

$ exiftool motivation.pptx
ExifTool Version Number         : 12.63
File Name                       : motivation.pptx
Directory                       : .
File Size                       : 3.8 MB
File Modification Date/Time     : 2023:07:29 15:45:33-04:00
File Access Date/Time           : 2023:07:29 15:45:54-04:00
File Inode Change Date/Time     : 2023:07:29 15:45:43-04:00
File Permissions                : -rwxrwxrwx
File Type                       : PPTX
File Type Extension             : pptx
MIME Type                       : application/vnd.openxmlformats-officedocument.presentationml.presentation
Zip Required Version            : 20
Zip Bit Flag                    : 0
Zip Compression                 : Deflated
Zip Modify Date                 : 2023:04:01 22:34:52
Zip CRC                         : 0x34824576
Zip Compressed Size             : 255
Zip Uncompressed Size           : 743
Zip File Name                   : _rels/.rels
Company                         :
Presentation Format             : Widescreen
Paragraphs                      : 6
Slides                          : 6
Notes                           : 0
Total Edit Time                 : 1.8 hours
Hidden Slides                   : 0
MM Clips                        : 0
Scale Crop                      : Unknown (0)
Heading Pairs                   : Fonts used, 4, Theme, 1, Slide Titles, 6
Titles Of Parts                 : Arial, Calibri Light, Calibri, Bahnschrift Condensed, Office Theme, PowerPoint Presentation, PowerPoint Presentation, PowerPoint Presentation, PowerPoint Presentation, PowerPoint Presentation, PowerPoint Presentation
Links Up To Date                : Unknown (0)
Shared Doc                      : Unknown (0)
Hyperlinks Changed              : Unknown (0)
Application                     : Aspose.Slides for .NET
App Version                     : 22.1000
Title                           : PowerPoint Presentation
Revision Number                 : 2
Create Date                     : 2023:04:01 20:45:48Z
Modify Date                     : 2023:04:01 22:34:51Z
Preview Image                   : (Binary data 12214 bytes, use -b option to extract)

What is the name of the person behind the 2017 alias darkcoiner?

We are given the following two images as clues:

These things tell us that the postcard was sent from Spain, as Viva España translates to "Long Live Spain". We also know that the crypto address in question is 1DOHO93X24SBS4JYPW6WN87XJQSUFS8WRT, which the Crypto Abuse Database connected to the 2017 alias darkcoiner.

I started off by looking up "darkcoiner", which according to this blog was a cryptocurrency developed by one "Evan Duffield" (possibly GitHub user prettyhatemachine). Unfortunately that wasn't the answer, the the formerly-owned DarkCoin domain and DarkCoin forums domain were bought out by the wallet app Dash, so we have to keep digging.

I did find a Reddit user named DarkCoiner, but the trail of utility ended there. I was eventually able to get hits here. According to ChainAbuse, a scam report was filed against the account in 2017, which tracks with what we knew going in. Sophos Labs also has the address flagged as shady, which is also a good sign.

According to CheckBitcoinAddress, the abuser in the recorded incident is Poloniex, which gives us something else to go off of. But just our luck, looking up the name turns up that Poloniex is just a cryptocurrency exchange site, so we're back to square one. According to every site I've looked at, including Blockchain.com, the account has yet to complete any transactions.

I was able to locate the owner of darkcoiner@hotmail.com via nuwber.com, but unfortunately Joseph Larson wasn't the culprit we were looking for. I decided to take a hint here:

Did you find anything on the bitcoin address? A common OPSEC mistake is to re-use the same address for different things on the web. I'm sure they've made some sort of mistake that you can pivot from.

This didn't tell me anything I didn't already know, I had already looked into the address and didn't find anything, so it's time to reevaluate our approach.

Answer: Nathaniel Green
Where was the postcard sent from?

I was able to use Google Lens to focus on a specific part of the postcard image and reverse search to find a matching location.

Whenever I clicked the matching image on the right, it took me to this property listing that had a Google Earth shot of the location from the sky:

So I knew that once I searched for Secur de Calafell it would only be a matter of time until I located the marina. Turns out I was right, because the pictured marina is Port Segur-Calafell in Segur de Calafell, Tarragona, Spain.

Answer: Segur de Calafell
What is the name of the road that Nathan is driving down in the video?

Video of Nathan driving

To answer this question, we have to submit a report using the template document.