Where the hell is Coleen?

An OSINT write-up. We’re talking digital privacy, and how easy it can sometimes be to track down someone.

Disclaimer: this write-up is for educational purposes only. Use your skills for good.

I love OSINT challenges. I’m not very good at them, but it doesn’t matter.
With technology deeply making its way into everything we do in our lives, it has become easier to track down pretty much anything on the internet.

Are you looking for that website that went down in 2005 and never came back up? There’s a Wayback Machine for that. Or perhaps you’re curious to see where your friends are spending their summer — there’s Instagram, Facebook, Twitter, Snapchat, TikTok, and many more, for that.

Okay, we have social platforms for staying connected with our friends. So what?
Do we know it’s strictly friends that we include in our lists? If your profile is public, you’re practically living in a house of glass.
Okay. Should I panic, then? Maybe not.

Let’s assume for the sake of this write-up that this wasn’t an OSINT challenge, but rather a case on how a single picture that you posted online, correlated with other pieces of information, can reveal a lot about you.

Tools
Twitter
Periscope Downloader (optional)
Google Maps
— A keen eye

Let’s begin. Coleen posted this OSINT challenge.

Let’s figure out some interesting features in this picture.

—There’s coffee; this could be a coffee shop, or a restaurant.

Notice how it’s a plain white cup with no visible markings on it? Don’t let that fool you; you might need it later.

— Wooden interior: the restaurant/cafe has wooden decoration. It’s not entirely wooden interiors, but it does have wooden accents.

Note the tri-tone colors of the wooden decoration. This is helpful.

— Solid white, kinda low ceiling, with vents that are not too extruded: this is extremely helpful and important.

Also note the presence of green plant decorations on the left side, as well as the CCTV camera on the right side.

— Hanging wooden decoration with a dark gray accent

Note the chrome pipes. This could be important in some cases.
The folders shown at the bottom will most likely be of no value to our research since we’ll probably need a picture from around the same time frame, which is relatively difficult, or in some cases impossible, to obtain.

— The cherry on top: leather-back benches. This is unique, and important to our research.

Note the dark brown color.

Let’s begin our research.
We know Coleen was somewhere in San Diego, CA. But where in San Diego? We can’t just go browsing every single restaurant in the entire city!
Luckily, Coleen left some really great hints.

“She’s waitin on tyres, with her wet hair n shit”
Waiting on tires means what it means; she’s most likely getting a tire change for her car. Wet hair? This could mean she was at a hair salon, or it could imply the presence of a pool or a beach nearby. Luckily, San Diego does have beaches alright!

HOLY CRAP, THAT’S A HUGE MAP!

We can at least take comfort in the fact that it’s close to the beach. This kinda narrows down our search. It’s still too big, however, and would need a team to scrub the area in blocks—each team member getting specific blocks to search. Not very efficient, and will take a lot of effort.

Remember when I said Coleen left some juicy hints? Well, let’s take a look at this very live broadcast she streamed a few hours later.

We can hear around 11 seconds into the stream “Ah, Hillcrest is so awesome!”
This is great! We now know she was in Hillcrest, San Diego. That narrows our search down even further. We could download the video using the Periscope Downloader website, or simply watch it on Twitter. You can download online videos if you wanna export them to still-frames, but that’s a bit of an overkill in this case, so we’ll just watch it on Twitter, and pause when we think there’s good intel.

Around 52 seconds in, there’s a street crossing, and a building with a sign that’s not yet intelligible because of video compression.

Following along as we get closer, it’s much more clearer now. “HILLCREST DENTAL CENTRE”.

A quick Google Maps search points us to this very location.

Now we know we’ve narrowed down our search to this area. It’s still big, but at least it cuts down our search time and effort considerably. Let’s now look for tire shops in this current map view (this is why we searched for Hillcrest Dental Centre in the first place).

With the knowledge that we have, let’s find the tire shops closest to Hillcrest, as well as to the beach. I’ve spotted 2 Evans Tire & Service centers, and they’re relatively equidistant from Hillcrest.

There was another tweet in which we can see the car after the tire replacement.

There are many interesting points in these pictures. There are trees in the back, yellow parking guides (perpendicular to the wall), and white posters on the wall (which also happens to be beige/yellowish).

We know we need to eliminate one of the two Evans tire shops from our research. That’s where switching to Satellite view on Google Maps comes into play. Here’s the first Evans tire shop, which is located South to Hillcrest.

It’s a gray/white building, with white parking guides mostly at an angle. Probably not it. Let’s check out the other Evans West to Hillcrest.

Evans itself may not be in a beige/yellowish building, but I’m seeing a color close to that on the left side of that image! You know what else I see? Trees! Let’s confirm by going on a Google Street View tour. We’ll drive as if we’re pulling up to Evans’, so we’ll start right in front of it on Sports Arena Blvd. We’ll quickly find out that the Google Street View car didn’t drive through next to Evans; it drove on Sports Arena Blvd. That’s fine, we’ll turn right.

Bingo. Beige/yellowish building? Check. Trees? Check. We can zoom in to confirm the rest.

Yellow parking guides that are perpendicular to the wall? Check. White posters on the wall? Also check.

With this specific Evans tire shop marked on the map, we’ll start scanning the active map view for keywords like “restaurant”, “breakfast”, or “cafe”. We switch back to the 2D map for less distractions. You know what’s (great) about Google Maps? You can review places. You know what’s even better? You can post pictures in your reviews!

Let’s try searching for “cafe”. We can spot several cafes. Bear in mind that Coleen was having a tire change for her car, remember that? So, the cafe is likely within walking distance. Also, it’s summer in San Diego, and the picture was posted around 11:39 AM (San Diego time, UTC-07:00). So, this narrows down our search to the following places, ordered by proximity: Doctor’s Orders Cafe, Buffalo Wild Wings, and The Broken Yolk Cafe.

Let’s check out Doc’s. It’s temporarily closed, so that’s off the table.
What about Buffalo Wild Wings? It doesn’t really look like it has a white ceiling, plus the seats look different. So, not it either.

Which brings us to the last leg in our research: The Broken Yolk Cafe. At first glance, it looks like it’s not the same place, but we haven’t checked other photos yet.

Bingo!

Two-tone hanging wooden decoration? Check. Wooden interior? Check. Same CCTV camera? Check. Same solid (not tiled) white ceiling with the same spotlights? Check. Vents that are not too extruded? Check. Leather seats? Also check. Remember the plain white cup I said you might need later? Surprise, surprise!

We can now safely tell, with a high degree of confidence, that Coleen was indeed at The Broken Yolk Cafe.

So, why did I go through all this hassle? Well, it’s fun. It’s also informative and educational.
We now know that even the subtlest of details can give away information that could be leveraged against us if someone wanted to track us down.

When I first started this research, I was all over the place; checking Foursquare and going down the rabbit hole of different restaurants around Hillcrest. I would have spent more time searching the wrong area had it not been for Coleen’s second hint.

I was searching around the other Evans (South of Hillcrest) before I asked for this hint. Remember, it’s Open-Source Intelligence; in a real scenario where you’re trying to track down someone, this could be a tip from a local who knows the place, or can at least point you towards a warmer search perimeter.

Should I panic now, then? Depends on your threat model. If you worry you might be getting tracked down by, say, a stalker, definitely do not post your location or excessive details. Not everyone on the public internet needs to know the full details of what you’re doing. If your social media presence is well protected, and you know all your friends and followers, I can’t tell you what to do; that’s up to you. It’s still a good exercise to keep your private life, well, private.

I have been granted permission to post this write-up by Coleen prior to writing it. This was an OSINT challenge, mostly for fun, but I also thought it would be a good opportunity to give you an insight into the mindset I go researching with, as well as some of the techniques/methodologies.

Did you like this write-up? Do you think you have good OSINT skills?
You can make the world a better place, help reunite family members, and aid in stopping and/or solving potential crimes. Consider getting involved with Trace Labs; they host a Global Search Party CTF to help locate missing persons.

Do you want to help the cause, but lack the technical skills? Consider donating to Trace Labs or similar organizations.

Bonus: knowing Coleen was around Hillcrest, she also posted 2 pictures, one of which containing valuable information.

Notice something yet?

Google this: “ACE Hillcrest San Diego”. Yes, a price tag or a receipt can also contain really valuable intel.

Thanks for stopping by,
@X0RW3LL

Here to secure your sh*%, hopefully. Wire: @x0rw3ll

Here to secure your sh*%, hopefully. Wire: @x0rw3ll