Terrorists Deploy New Techniques To Counter Digital Forensics

Terror groups are using new and better techniques to hide files and data in computers and phones to reduce the intel value of seized laptops and cellphones.

Special operators rely on data ripped from seized phones and laptops in their operations. ISIS, for example, rode its mastery of information technology to power and prominence, but found that digital records could also be an Achilles heel.

Coalition forces soon exploited seized electronics to find and hit ISIS targets, and shared the information with global law enforcement agencies tracking the group’s plots in other countries. So ISIS turned to steganography — hiding secret information inside ordinary-looking digital records — but that trick no longer works against coalition investigators, said Nicholas D. Anderson, who works as an engineer and technical support aide for U.S. Special Operations Command.

But the advancing field of counter-forensics could have a big impact on those U.S.-led operations, Anderson said. New tips and techniques are proliferating widely in online forums, academia, and elsewhere, and that is going to make it harder for U.S. and friendly forces to get useful information off devices seized in places like Syria.

SOCOM’s response: dial up the research. Digital forensics techniques will play a larger role in the 2019 and 2020 broad agency announcements, Anderson said.

Among the new techniques is writing information to parts of a hard drive that are supposed to be off-limits to users. These are regions that the drive’s own firmware hides from the operating system and from ordinary software, set aside through ATA features such as the Host Protected Area, or HPA, and the Device Configuration Overlay, or DCO (which Anderson refers to below as DCA). An imaging tool that reads only the capacity the drive reports will skip these areas entirely.

“Those are files that you aren’t supposed to be able to change because it’s how Windows operates. Guys are starting to hide stuff there,” Anderson said. “Whenever [investigators] go to rip it, they come up to the drive and they do a pass first. They’re like, ‘This is everything on the drive.’ But if it’s an HPA and DCA, they’ll ignore it. Or they will read it, but the way these guys are hiding it, the way it’s reading, it’s coming off as clean. But if you really go in there and start at the hashes, it’s not the same,” said Anderson.

Another emerging tactic that Anderson worries about is hash rewriting. Hashing maps data of any length to a short, fixed-length digest that does not reveal the original data but serves as its fingerprint; investigators rely on such digests to prove that an acquired disk image has not been altered and to match files against lists of known content. It differs from encryption in that an encrypted message is built to be decrypted, while a good hash cannot be reversed to recover its input.

“They’ve gotten to the point now where they can rewrite a hash and unless you actually physically go in and look at it, you can’t tell it’s rewritten. Now, physically, you can look at it and know that hash isn’t real. It’s masked,” he said.
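As an added illustration, not drawn from the Nextgov report or from SOCOM: the Python script below parses the summary line that the Linux hdparm tool prints for its -N option, works out how many sectors a Host Protected Area hides, and shows that an image hashed only over the sectors the drive reports will not match an image of the whole drive. The hdparm output and the drive contents are constructed samples, the sector size is assumed to be 512 bytes, and no real device is touched.

```python
"""Added example: detect a Host Protected Area from `hdparm -N` output and
show why an image hashed only over the OS-visible sectors differs from an
image of the whole drive.

Assumptions: hdparm -N prints a line of the form
    " max sectors   = <current>/<native>, HPA is enabled|disabled"
(this is the real hdparm format); the sample drive below is constructed
in memory, so nothing here reads real hardware.
"""
import hashlib
import re

SECTOR = 512  # assumption: 512-byte logical sectors

HPA_LINE = re.compile(
    r"max sectors\s*=\s*(\d+)/(\d+)(?:,\s*HPA is (enabled|disabled))?"
)


def parse_hdparm_hpa(output: str) -> dict:
    """Return current/native sector counts and the size of any hidden tail.

    The arithmetic (native - current) is treated as authoritative; hdparm's
    own enabled/disabled flag is returned only for reference.
    """
    m = HPA_LINE.search(output)
    if not m:
        raise ValueError("no 'max sectors' line found in hdparm output")
    visible, native = int(m.group(1)), int(m.group(2))
    hidden = native - visible
    if hidden < 0:
        # hdparm reports this case as "HPA setting seems invalid"
        raise ValueError("native max is smaller than current max")
    return {
        "visible_sectors": visible,
        "native_sectors": native,
        "hidden_sectors": hidden,
        "hidden_bytes": hidden * SECTOR,
        "hpa_enabled": hidden > 0,
        "hdparm_flag": m.group(3),
    }


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def image_hashes(drive: bytes, visible_sectors: int) -> dict:
    """Hash the OS-visible region and the full drive separately.

    A capacity-limited imager stops at visible_sectors * SECTOR; an imager
    that first reads the native max address also captures the tail.
    """
    cut = visible_sectors * SECTOR
    return {
        "visible_only": sha256(drive[:cut]),
        "full_drive": sha256(drive),
        # True means the hidden tail is all zeros, i.e. nothing stashed there
        "hidden_region_is_blank": not any(drive[cut:]),
    }


# --- constructed sample data -----------------------------------------------
SAMPLE_HDPARM = """/dev/sdb:
 max sectors   = 2048/2056, HPA is enabled
"""


def build_sample_drive(visible_sectors: int, native_sectors: int) -> bytes:
    """Constructed drive: zero-filled visible area, a payload in the HPA."""
    payload = b"hidden-in-hpa"  # constructed stand-in for concealed data
    hidden = (native_sectors - visible_sectors) * SECTOR
    return bytes(visible_sectors * SECTOR) + payload.ljust(hidden, b"\0")


def demo() -> dict:
    """Parse the sample hdparm output, build the sample drive, hash both views."""
    info = parse_hdparm_hpa(SAMPLE_HDPARM)
    drive = build_sample_drive(info["visible_sectors"], info["native_sectors"])
    return {**info, **image_hashes(drive, info["visible_sectors"])}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a live system the input to parse_hdparm_hpa would be the output of `hdparm -N /dev/sdX`; a non-zero hidden_sectors count is the cue to image the native capacity rather than the reported one before recording acquisition hashes.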

Anderson said SOCOM operators are running into these kinds of techniques more and more frequently. “Don’t write off the Middle East. They’re not as backward as everyone thinks they are,” he said. He added that counter-forensic techniques were also gaining popularity in Asia and in South and Central America.

He’s particularly worried about a feature that’s increasingly prevalent in consumer devices: code that wipes the hard drive when it detects an investigator’s scan.

“I’ve got one opportunity to search a hard drive. I might want to know about it before I go in and mess some stuff up,” he said.

Source: Nextgov
