Terrorists Deploy New Techniques To Counter Digital Forensics

Terror groups are using new and better techniques to hide files and data in computers and phones to reduce the intel value of seized laptops and cellphones.

Special operators rely on data ripped from acquired phones and laptops their operations. ISIS, for example, rode its mastery of information technology to power and prominence, but found that digital records could also be an Achilles heel.

Coalition forces soon exploited seized electronics to find and hit ISIS targets, and shared the information with global law enforcement agencies tracking the group’s plots in other countries. So ISIS turned to steganography — hiding secret information inside ordinary-looking digital records — but that trick no longer works against coalition investigators, said Nicholas D. Anderson, who works as an engineer and technical support aide for U.S. Special Operations Command.

But the advancing field of countering digital forensics could have a big impact on those U.S. led operations, Anderson said. New tips and techniques are proliferating widely in online forums, academia, and elsewhere, and that is going to make it harder for U.S. and friendly forces to get useful information off devices seized in places like Syria.

SOCOM’s response: dial up the research. Digital forensics techniques will play a larger role in in the 2019 and 2020 broad agency announcements, Anderson said.

Among the new techniques is writing information in parts of the hard drive that are supposed to be off-limits to users. These include core parts of a device’s operating system, and go by names like Host Protected Area, or HPA, and Document Content Architecture, or DCA. Many tools that scan hard drives skip these areas..

“Those are files that you aren’t supposed to be able to change because it’s how Windows operates. Guys are starting to hide stuff there,” Anderson said. “Whenever [investigators] go to rip it, they come up to the drive and they do a pass first. They’re like,

‘This is everything on the drive.’ But if it’s an HPA and DCA, they’ll ignore it. Or they will read it, but the way these guys are hiding it, the way it’s reading, it’s coming off as clean. But if you really go in there and start at the hashes, it’s not the same,” said Anderson.

Another emerging tactic that Anderson worries about is hash rewriting. Hashing abbreviates a string of digital characters into a shorter string, concealing the original message yet allowing it to be uniquely identified. It differs from encryption in that an encrypted message is built to be decrypted, while information in a good hash cannot be teased out.

“They’ve gotten to the point now where they can rewrite a hash and unless you actually physically go in and look at it, you can’t tell it’s rewritten. Now, physically, you can look at it and know that hash isn’t real. It’s masked,” he said.

Anderson said SOCOM operators are running into these kinds of techniques more and more frequently. “Don’t write off the Middle East. They’re not as backward as everyone thinks they are,” he said. He added that counter digital forensics were also gaining popularity in Asia and South and Central America.

He’s particularly worried about a feature that’s increasingly prevalent in consumer devices: code that wipes the hard drive when it detects an investigator’s scan.

“I’ve got one opportunity to search a hard drive. I might want to know about it before I go in and mess some stuff up,” he said.

Nextgov:

You Might Also Read:

Terrorism, A Sea Change In Tactics:

Terrorist Activities On Social Media:

« Florida Universities Launch A Joint Cyber Training Platform
Police Are Mishandling Digital Forensic Evidence »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Lima Networks

Lima Networks

LIMA design and deliver IT Infrastructure solutions and services including managed Security Monitoring services.

CERT Polska

CERT Polska

CERT Polska is the first Polish computer emergency response team and operates within the structures of NASK (Research and Academic Computer Network) research institute.

KOVRR

KOVRR

Kovrr financially quantifies cyber risk on demand. Our technology enables decision makers to seamlessly drive actionable cyber risk management decisions.

ISMS Accreditation Center (ISMS-AC)

ISMS Accreditation Center (ISMS-AC)

ISMS-AC is the national accreditation body for Japan. The directory of members provides details of organisations offering certification services for ISO 27001.

Slovenska Akreditacija (SA)

Slovenska Akreditacija (SA)

Slovenska Akreditacija is the national accreditation body for Slovenia. The directory of members provides details of organisations offering certification services for ISO 27001.

TechStak

TechStak

TechStak is the easiest way for businesses to find and connect with IT Pros and other technology solution providers in their area.

Gytpol

Gytpol

Gytpol is a leader in Endpoint Configuration Security (ECS) solutions, providing validation, remediation & securing of IT Policies and IT Infrastructure on-premise and in the cloud.

24By7Security

24By7Security

24By7Security are Cybersecurity & Compliance Specialists with extensive hands on experience helping businesses build a defensive IT Infrastructure against all cyber security threats.

Siege Technologies

Siege Technologies

Siege Technologies is a pioneer of multi-purpose cybersecurity products and services that enable customers to leverage both offensive and defensive technologies.

Trapp Technology

Trapp Technology

Trapp Technology combines the very best cloud, Internet, IT managed services, and IT consulting to provide a true all-in-one IT solution for small to mid-sized businesses.

Open Quantum Safe (OQS)

Open Quantum Safe (OQS)

The Open Quantum Safe (OQS) project is an open-source project that aims to support the development and prototyping of quantum-resistant cryptography.

ViewQwest

ViewQwest

ViewQwest is a regional telecommunications & information technology services company. We specialize in providing Connectivity, Managed Network, Managed SD-WAN, and Managed Security solutions.

Open Web Application Security Project (OWASP)

Open Web Application Security Project (OWASP)

The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software.

CloudWave

CloudWave

CloudWave, the expert in healthcare data security, provides cloud, cybersecurity, and managed services to healthcare organizations.

Oxylabs

Oxylabs

Oxylabs is the largest datacenter proxy pool in the market, with over 2 million proxies. Designed for high-traffic, fast web data gathering while ensuring superior performance.

BreakPoint Labs

BreakPoint Labs

BreakPoint Labs is dedicated to providing the methods and means for sustainable, measurable, and effective cybersecurity operations.