Walkthrough: Kase Scenarios – The Vanishing of Rosie Parker

I recently completed the Betrayal, Sinister Obsession, Dark Waters, and Vanishing of Rosie Parker Kase Scenarios. They are immersive, realistic OSINT training scenarios. I LOVE the format and had a great time doing them. You can see my review HERE. I’m not going to lie, I learned a lot on the fly while going through them. I decided to do a walkthrough for The Vanishing of Rosie Parker. I like walkthroughs that don’t immediately show the answer so I can be pointed in the right direction. That’s what I’m going to attempt to do here.

If you’re reading this and haven’t done a Kase Scenario yet, just know that this walkthrough is completely boring compared to the experience of going through a scenario with the storyline, video, audio and images.

The goal of this scenario is to find Rosie Parker. You play OSINT Analyst Jack Stone and work with the British police on the case.

First, you are given a blurry video of a suspicious red SUV and need to find the plate number. I tried a few video enhancers to see if I could see the plate number. No luck there. Then I tried cleaning up a still image from the video to no avail. Running the image through Plate Recognizer also couldn’t get the license plate number, but it did get the make and model of the SUV which does help me find the plate number later.

Image Not Found

I decided to go for the hints offered and was given the first 3 numbers of the license plate. Off to Google I went to find out about license plates in the UK. I came across a Reddit post about a partial UK number plate search which appeared to be exactly what I needed. After numerous attempts using the 2 question marks for the free version, I finally got the correct plate.

Image Not Found

OV69EXP

It was discovered that the plates belonged to Hertz in Cheltenham and the vehicle was tracked to Calais, France. You are given a video of the suspected driver at a Shell station who tried to pay with a stolen credit card. Before running out of the store, he left a coin on the counter when he emptied his pockets. You are given a photo of the coin and need to figure out where it came from.

I failed at numerous attempts of doing a reverse image search. The missing persons report I was previously given mentioned that Rosie spent time in rehab, so I looked up rehab centers in Cheltingham and finally found it after visiting a few websites.

The next question asks for the phone number. This is listed on the website from the link to the answer above.

Next, you are given a PDF list of patients who were at rehab the same time as Rosie. You are also given a PDF of a threatening letter received by Rosie’s father. The letter was signed “Forever Yours, S” which didn’t seem like much to go on. After a few wrong attempts, I took a hint that mentioned some choice words in the letter (“Gormless moronic pillock”) as well as something about sensitivity filters. The first thing I thought of was Twitter so I started looking there and found what looked like the right account.

Image Not Found

Scrolling through the Twitter account, there were some more ramblings as well as a MEGA file with motivational quotes.

Image Not Found

I downloaded the file and it was a PowerPoint of motivational quotes. I was hoping to find the author of the PowerPoint file, but no such luck.

Image Not Found

I decided to run it through Autopsy. When I looked at the images, I could see a screenshot which included a few bookmarks and a YouTube video.

Image Not Found

Unfortunately, I did not know what the orange bookmark icon was so I tried to investigate the YouTube video. That was a dead end. I ended up doing a reverse image search on the icon and found out it was for Strava. It didn’t look like much could be done without an account, so I created one. I found the group referenced in the bookmark searching under Clubs. There was one member, the person who wrote the letter.

Image Not Found

Simon James

It turned out, he had an alibi and was ruled out. Then, Rosie’s father receives a postcard demanding money be sent to a cryptowallet if he wants to see his daughter again.

Image Not Found

It was also determined that the BTC address was connected to the alias “darkcoiner” in 2017. Now I have to find a name to attach to that user. Using WhatsMyName.app, I searched for the username and got a few results.

Image Not Found

After looking through them, the GitHub page seemed the most promising.

I recently learned that you could get an email address by adding “.patch” to the end of a commit url, so I tried that and got an email addresses.

Image Not Found

I took advantage of OSINT Industries Black Friday sale so I entered the email address there and got two results. One for the Github account I got the email address from, and one for a Gravatar account. For a free option, try Holehe.

Image Not Found

I didn’t really know what to do with Gravatar at this point, so back to Google I went. I found an article by cyb_detective (who has a wealth of OSINT information) called 4 easy tricks for using Gravatar in OSINT. I followed the article, created an MD5 hash of the email address, and found a first name.

Image Not Found

Nate

I then looked at the list of people in rehab to see if there was anyone with that first name and was able to answer the next question.

Image Not Found

The next question has to do with the postcard above. I need to figure out where it came from. After spending some time doing reverse image searches and going through Google Earth, I found it.

Image Not Found

Segur de Calafell

Then Rosie calls. The person mentioned above is on the run and sent Rosie a video of himself driving down a road. I need to figure out where he’s driving and write a report. Note: I left out all of the exciting parts of the story.

Image Not Found

Since there are three parts to this report, I’ll enter each one separately below:

Image Not Found

I used the free version of Smappen to create a visual representation of how far Nathanial Green could have driven.

I took a screenshot of part of the video and ran it through Google Image Search. A couple of the results mentioned Roses, Spain so I started my search for mountains there using Google Earth.

Image Not Found

This took a lot of ‘driving’ down different roads using Street View, but I was eventually able to find the exact location using a combination of Google Earth 3D and Street View.

Image Not Found

After that, he sends Rosie a couple more messages containing images of him at an airport. I went down a long rabbithole of trying to geolocate the images until I found out that boarding passes could be scanned online. I found an articled by shamooo called Have a safe flight (hacking the boarding pass) and was able to figure out where he was.

Image Not Found

Per the article, NCE would be the departing airport they’re flying from. NCE = Nice Côte d’Azur Airport

He was caught, and I earned my badge 🙂 I can’t wait to see what Kase Scenarios comes out with next!

Image Not Found