Special Operations Command Takes Aim At Enemies Hiding Files Inside Seized Electronics


Terror groups are using new techniques to reduce the intel value of seized laptops and cellphones.

Terror groups are using new and better techniques to hide files and data in computers and phones, undermining the devices’ value as intelligence bonanzas.

Special operators rely on data ripped from acquired phones and laptops their operations. ISIS, for example, rode its mastery of information technology to power and prominence, but found that digital records could also be an Achilles heel. Coalition forces soon exploited seized electronics to find and hit ISIS targets, and shared the information with global law enforcement agencies tracking the group’s plots in other countries. So ISIS turned to steganography — hiding secret information inside ordinary-looking digital records — but that trick no longer works against coalition investigators, said Nicholas D. Anderson, who works as an engineer and technical support aide for U.S. Special Operations Command.

But the advancing field of countering digital forensics could have a big impact on those U.S. led operations, Anderson said. New tips and techniques are proliferating widely in online forums, academia, and elsewhere, and that is going to make it harder for U.S. and friendly forces to get useful information off devices seized in places like Syria.

SOCOM’s response: dial up the research. Digital forensics techniques will play a larger role in in the 2019 and 2020 broad agency announcements, Anderson said.

Among the new techniques is writing information in parts of the hard drive that are supposed to be off-limits to users. These include core parts of a device’s operating system, and go by names like Host Protected Area, or HPA, and Document Content Architecture, or DCA. Many tools that scan hard drives skip these areas..

“Those are files that you aren’t supposed to be able to change because it’s how Windows operates. Guys are starting to hide stuff there,” Anderson said. “Whenever [investigators] go to rip it, they come up to the drive and they do a pass first. They’re like, ‘This is everything on the drive.’ But if it’s an HPA and DCA[rewrite], they’ll ignore it. Or they will read it, but the way these guys are hiding it, the way it’s reading, it’s coming off as clean. But if you really go in there and start at the hashes, it’s not the same,” said Anderson.

Another emerging tactic that Anderson worries about is hash rewriting. Hashing abbreviates a string of digital characters into a shorter string, concealing the original message yet allowing it to be uniquely identified. It differs from encryption in that an encrypted message is built to be decrypted, while information in a good hash cannot be teased out. “They’ve gotten to the point now where they can rewrite a hash and unless you actually physically go in and look at it, you can’t tell it’s rewritten. Now, physically, you can look at it and know that hash isn’t real. It’s masked,” he said.

Anderson said SOCOM operators are running into these kinds of techniques more and more frequently. “Don’t write off the Middle East. They’re not as backward as everyone thinks they are,” he said. He added that counter digital forensics were also gaining popularity in Asia and South and Central America.

He’s particularly worried about a feature that’s increasingly prevalent in consumer devices: code that wipes the hard drive when it detects an investigator’s scan. “I’ve got one opportunity to search a hard drive. I might want to know about it before I go in and mess some stuff up,” he said.