Terrorists Deploy New Techniques To Counter Digital Forensics

Terror groups are using new and better techniques to hide files and data in computers and phones to reduce the intel value of seized laptops and cellphones.

Special operators rely on data ripped from acquired phones and laptops their operations. ISIS, for example, rode its mastery of information technology to power and prominence, but found that digital records could also be an Achilles heel.

Coalition forces soon exploited seized electronics to find and hit ISIS targets, and shared the information with global law enforcement agencies tracking the group’s plots in other countries. So ISIS turned to steganography — hiding secret information inside ordinary-looking digital records — but that trick no longer works against coalition investigators, said Nicholas D. Anderson, who works as an engineer and technical support aide for U.S. Special Operations Command.

But the advancing field of countering digital forensics could have a big impact on those U.S. led operations, Anderson said. New tips and techniques are proliferating widely in online forums, academia, and elsewhere, and that is going to make it harder for U.S. and friendly forces to get useful information off devices seized in places like Syria.

SOCOM’s response: dial up the research. Digital forensics techniques will play a larger role in in the 2019 and 2020 broad agency announcements, Anderson said.

Among the new techniques is writing information in parts of the hard drive that are supposed to be off-limits to users. These include core parts of a device’s operating system, and go by names like Host Protected Area, or HPA, and Document Content Architecture, or DCA. Many tools that scan hard drives skip these areas..

“Those are files that you aren’t supposed to be able to change because it’s how Windows operates. Guys are starting to hide stuff there,” Anderson said. “Whenever [investigators] go to rip it, they come up to the drive and they do a pass first. They’re like,

‘This is everything on the drive.’ But if it’s an HPA and DCA, they’ll ignore it. Or they will read it, but the way these guys are hiding it, the way it’s reading, it’s coming off as clean. But if you really go in there and start at the hashes, it’s not the same,” said Anderson.

Another emerging tactic that Anderson worries about is hash rewriting. Hashing abbreviates a string of digital characters into a shorter string, concealing the original message yet allowing it to be uniquely identified. It differs from encryption in that an encrypted message is built to be decrypted, while information in a good hash cannot be teased out.

“They’ve gotten to the point now where they can rewrite a hash and unless you actually physically go in and look at it, you can’t tell it’s rewritten. Now, physically, you can look at it and know that hash isn’t real. It’s masked,” he said.

Anderson said SOCOM operators are running into these kinds of techniques more and more frequently. “Don’t write off the Middle East. They’re not as backward as everyone thinks they are,” he said. He added that counter digital forensics were also gaining popularity in Asia and South and Central America.

He’s particularly worried about a feature that’s increasingly prevalent in consumer devices: code that wipes the hard drive when it detects an investigator’s scan.

“I’ve got one opportunity to search a hard drive. I might want to know about it before I go in and mess some stuff up,” he said.

Nextgov:

You Might Also Read:

Terrorism, A Sea Change In Tactics:

Terrorist Activities On Social Media:

« Florida Universities Launch A Joint Cyber Training Platform
Police Are Mishandling Digital Forensic Evidence »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Interpol

Interpol

Interpol is the world’s largest international police organization. It is committed to the global fight against cybercrime, as well as tackling cyber-enabled crimes.

Continuum

Continuum

Continuum is the IT management platform company that allows Managed IT Services Providers to maintain and back up on-premise and cloud-based servers, desktops, mobile devices and other endpoints

PhishLine

PhishLine

PhishLine helps Information Security Professionals meet and overcome the increasing challenges associated with social engineering and phishing.

GreatHorn

GreatHorn

GreatHorn offers the only cloud-native security platform that stops targeted social engineering and phishing attacks on communication tools like O365, G Suite, and Slack.

Kapalya

Kapalya

Kapalya empowers businesses and their employees to securely store sensitive files at-rest and in-transit across multiple platforms through a user-friendly desktop and mobile application.

GlobalPlatform

GlobalPlatform

GlobalPlatform’s specifications are highly regarded as the international standard for enabling digital services and devices to be trusted and securely managed throughout their lifecycle.

AttackIQ

AttackIQ

AttackIQ delivers continuous validation of your enterprise security program so you can strengthen your security posture and your response capabilities.

InterGuard

InterGuard

As the pioneer for Unified Insider Threat Prevention and productivity monitoring tools, InterGuard offers on premise and SaaS-based services that are easily available and affordable.

Unlimited Technology

Unlimited Technology

Unlimited Technology offers a wide range of talent and experience, from assessing your requirements to implementing technologically advanced security solutions to best fit your needs.

Midwest Cyber Security Alliance (MCSA)

Midwest Cyber Security Alliance (MCSA)

Midwest Cyber Security Alliance is a nonprofit, nonpartisan collaboration of individuals, businesses, government entities, and professionals advocating for more effective cyber security solutions.

FortifyIQ

FortifyIQ

FortifyIQ's mission is to advance maximum security against side-channel attacks across the entire computing spectrum.

Resolvo Systems

Resolvo Systems

Resolvo is provides comprehensive security assessment and testing services in Asia.

Guardey

Guardey

Guardey protects thousands of SME's environments. Whether your team works at the office, at home, at the customer or remotely. We protect your business. We do this in an accessible and affordable way.

Technology Mindz

Technology Mindz

Technology Mindz is a leading provider of cybersecurity services. We offer a wide range of services to help businesses. Our services are Identity and access management, Governance risk and compliance.

LevelBlue

LevelBlue

LevelBlue simplify cybersecurity through award-winning managed security services, experienced strategic consulting, threat intelligence and renowned research.

SKADI Cyber Defense

SKADI Cyber Defense

At SKADI Cyber Defense, we specialize in enterprise-grade cybersecurity solutions tailored for small to medium businesses.