Counter Forensics Techniques

On the use of Counter Forensics Techniques during Terrorist Activities By Daniel de Jager


1. Introduction

The terms anti-forensics and counter-forensics are used interchangeably by security researchers. For the purpose of this paper we treat anti-forensics and counter-forensics as the same set of processes: those aimed at enabling anonymity, at destroying or altering incriminating digital evidence so that it becomes inadmissible, at thwarting forensic investigations and at avoiding detection.

This paper examines the counter-forensic techniques and tools utilised by terrorist organisations, and the techniques specific to mobile devices. Section 3.1 discusses counter-forensics in the realm of terrorism, section 3.2 describes the individual techniques and tools, and section 3.3 investigates counter-forensics in the realm of mobile devices.

Section 4 critically evaluates the literature presented in section 3 and draws deductions from it. Section 5 provides conclusions and recommendations, and section 6 identifies areas for further research.



2. Problem Statement

Criminal and state security investigators require accurate and timely access to data stored on computing platforms to aid counter-terrorism activities. Access to terrorist plans can save lives.

Terrorist organisations use counter-forensic techniques to keep their secrets secret and their identities anonymous. This presents digital forensic investigators with the challenge of producing intelligence and evidence in a timely manner.

The extent to which the National Security Agency or other state security agencies perform surveillance on the Internet is not well known, although whistleblowers such as Snowden have given some insight, and some reports indicate that these agencies are making it more difficult for terrorist organisations to operate in secrecy.

This paper attempts to answer the following questions. What counter-forensic techniques are being used by terrorist groups? Are they well known and documented? Which counter-forensic techniques and tools affect mobile or smart phones, which are most probably also used in terrorist operations? Lastly, what ramifications do these findings have for a digital forensic investigation?



3. Literature Study and Review of Current Knowledge on the Subject

3.1 Applied counter forensics in the realm of terrorism

From as early as 2002, digital evidence gathered from resources seized from al-Qaeda has provided information about the critical infrastructure of the United States Government and its vulnerabilities. Although it did not reveal detailed plans for terrorist attacks, it revealed the level of skill and knowledge applied, and the investment made, to train jihadists for cyber warfare (CNN, 2002).

The Internet is a low-cost tool that is an efficient mechanism to support terrorist activities. These activities include recruitment, training, communication, operations, propaganda, fund raising and psychological warfare. Counter-forensics plays a crucial role during the training process, communications and terrorist operations (Grobler, Veerasamy, 2011).

The intent of using counter-forensic tools is to remain anonymous and covert during terrorist operations and, if digital resources are seized, to ensure that little or no digital evidence can be produced revealing the inner workings or plans of the terrorist organisation, or the links between its cells.

The term virtual training camps, coined by Mi5 (Security Service Mi5, 2015), describes the use of the Internet to train terrorists. Virtual training occurs online through terrorist websites via video, audio and text, where future or current terrorists can learn how to build bombs, fire anti-aircraft missiles, shoot United States military personnel and sneak into countries such as Iraq (Council on Foreign Relations, 2011).

Terrorists are trained in the techniques and tools of counter-forensics, and counter-forensic tools can be downloaded from terrorist sites. Bumgarner and Mylrea (2010) describe how extremist groups distribute sophisticated encryption programs and other advanced counter-forensic tools through their websites, most of them cracked copies of commercially available software, in order to avoid detection. Bumgarner and Mylrea (2010) further state that secure erasure techniques have been observed for file and Internet history deletion, as well as the wide use of encryption; both are used to hide or destroy evidence of attack planning and execution.

A report by the New York Times (2008) described the attacks in Mumbai, where VoIP technology was used to prevent the tracing of calls between the terrorists and their handlers. Although the terrorists could still be traced, the report indicates that doing so is more difficult and time consuming than a traditional phone trace.

It is evident that terrorist organisations are attempting to stay ahead of the curve by using advanced counter-forensics capabilities. The following section describes the counter-forensic techniques in some detail.

3.2 Counter-forensic techniques and tools

3.2.1 Steganography

According to a news report by Infosecurity Magazine (2012), a 22-year-old Austrian man was on trial in Germany after travelling from Pakistan to Berlin. He was found to have a memory stick hidden in his underwear containing two pornographic videos. The videos were hiding around 100 documents believed to include al-Qaeda training manuals and operational details. Although the content has not been made public, it is believed to originate from the innermost circles of al-Qaeda, to indicate future attacks within Europe, and to explain the organisation's difficulties with international security agencies.

It is not just al-Qaeda that uses steganography tools. The United Nations Office on Drugs and Crime (2012) describes the extensive use of steganography tools for secret message communication by many terrorist organisations.



In a case brought by the Colombian Government against a financier of terrorism, called “Leonardo”, who allegedly funded the Revolutionary Armed Forces of Colombia (FARC) from within Spain, evidence was presented which supported the existence of an international commission within FARC that operated a security programme for communications over the Internet. The programme enabled secure communications between the leadership and its network, and steganographic techniques formed the basis of those secure communications.

From the findings of the United Nations Office on Drugs and Crime one can deduce the professionalism applied by this specific group, which maintains formal structures for information security.
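To make the technique concrete, the following Python example (added here; it is not code from the paper or from any of the tools it cites) hides a message in the least-significant bits of a constructed greyscale image and recovers it, then applies a simple statistical check of the kind a forensic tool might run. The cover image is a synthetic smooth gradient and the check relies on that smoothness; real photographs carry sensor noise, so detecting embedding in them needs chi-square or RS analysis rather than this check, and sparse or encrypted embedding can defeat simple checks altogether, which is consistent with the detection failures the literature reports.

```python
# LSB image steganography with a simple statistical check.
# Added example for this section; not code from the paper or from any tool it cites.

WIDTH, HEIGHT = 64, 64


def make_cover() -> bytearray:
    """Constructed 8-bit greyscale cover: a smooth diagonal gradient, one byte per pixel.
    A real cover would be a photograph loaded with an image library; this stand-in keeps the
    example offline. Every value is even, so the least-significant-bit (LSB) plane is all zeros."""
    return bytearray(min(254, (x + y) * 2) for y in range(HEIGHT) for x in range(WIDTH))


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover: bytes, payload: bytes) -> bytearray:
    """Return a copy of cover whose first pixels carry a 4-byte length header and the payload,
    one bit per pixel in the LSB. Pixel values change by at most 1, invisible to the eye."""
    data = len(payload).to_bytes(4, "big") + payload
    if len(data) * 8 > len(cover):
        raise ValueError("payload does not fit in cover")
    stego = bytearray(cover)
    for idx, bit in enumerate(_bits(data)):
        stego[idx] = (stego[idx] & 0xFE) | bit
    return stego


def _read_bytes(stego: bytes, first_pixel: int, count: int) -> bytes:
    out = bytearray()
    for b in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (stego[first_pixel + b * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Recover the payload written by embed()."""
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("length header inconsistent with image size; not our format")
    return _read_bytes(stego, 32, length)


def lsb_ones_ratio(pixels: bytes, count: int = 256) -> float:
    """Fraction of set LSBs among the first `count` pixels. For this smooth cover the value is 0.0;
    an embedded bitstream pushes it towards 0.5."""
    sample = pixels[:count]
    return sum(p & 1 for p in sample) / len(sample)


def looks_embedded(pixels: bytes, count: int = 256, threshold: float = 0.2) -> bool:
    """Crude detector: flag an LSB plane that departs from the all-zero pattern of the cover.
    Only meaningful for covers with a structured LSB plane; real photographs need chi-square
    or RS analysis, and a sparse or encrypted payload can still slip past."""
    return lsb_ones_ratio(pixels, count) > threshold


if __name__ == "__main__":
    cover = make_cover()
    stego = embed(cover, b"meet at the usual place")
    print(extract(stego))                                # b'meet at the usual place'
    print(looks_embedded(cover), looks_embedded(stego))  # False True
```

The 4-byte length header is what lets the extractor stop at the right place; a tool that does not know the format cannot even tell where the payload ends, which is the examiner's position when the tool is custom-built.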

3.2.2 Draft Message Folders

In a technique also known as virtual dead dropping, an email account is created and the login details are shared between the writer of an email and its recipient. The email is never transmitted but is saved as a draft message, which the recipient reads by logging into the same account. This technique circumvents governmental filtering of transmitted mail (Council of Europe, 2007).

However, Google, Yahoo and Microsoft retain login records that reveal the IP addresses from which a user has logged in. Soghoian (2012), writing about the Petraeus scandal, shows that such metadata is the key to a successful forensic investigation. He further explains that cloud providers can be compelled to preserve copies of everything in all folders, and that a mere subpoena can be used to gain access to these email messages.

Protecting the IP address while using the dead-drop technique is advantageous for the terrorist, as it makes piecing the metadata together more time consuming, if not impossible. Since dead dropping is a known method, it is vital to use a privacy protection mechanism such as TOR to hide the location from which the email service is accessed, because cloud providers normally store the IP address, and the geolocation derived from it, with every login.
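The metadata point above can be shown with a short Python example, added here and not taken from the paper or from Soghoian's post. It runs over constructed provider audit records (the record format, the event names and the accounts are assumptions made for the example; the addresses come from the RFC 5737 documentation ranges) and picks out accounts that are logged into from several different addresses, accumulate drafts and never send anything, which is the signature a shared draft folder leaves in login metadata.

```python
# Finding draft-folder dead drops in provider login metadata.
# Added example; the log format, event names and records are constructed for illustration.
import csv
import io
from collections import defaultdict

# Constructed audit records: timestamp, account, event, source IP.
SAMPLE_LOG = """\
2015-03-01T09:12:03Z,drop01@example.com,login,198.51.100.23
2015-03-01T09:13:40Z,drop01@example.com,draft_saved,198.51.100.23
2015-03-01T21:02:11Z,drop01@example.com,login,203.0.113.77
2015-03-01T21:03:05Z,drop01@example.com,draft_saved,203.0.113.77
2015-03-02T08:00:00Z,alice@example.com,login,192.0.2.10
2015-03-02T08:01:00Z,alice@example.com,draft_saved,192.0.2.10
2015-03-02T08:05:00Z,alice@example.com,message_sent,192.0.2.10
2015-03-02T12:00:00Z,bob@example.com,login,192.0.2.44
2015-03-02T12:30:00Z,bob@example.com,message_sent,192.0.2.44
2015-03-02T19:00:00Z,bob@example.com,login,198.51.100.9
2015-03-02T19:02:00Z,bob@example.com,draft_saved,198.51.100.9
2015-03-02T19:04:00Z,bob@example.com,message_sent,198.51.100.9
"""


def parse_log(text: str):
    """Yield (timestamp, account, event, ip) tuples from CSV audit records."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4:
            raise ValueError(f"malformed record: {row!r}")
        yield tuple(row)


def dead_drop_candidates(text: str, min_ips: int = 2) -> dict:
    """Return {account: sorted list of login IPs} for accounts that look like shared draft folders:
    logins from at least `min_ips` distinct addresses, at least one saved draft, no message ever sent.
    Several addresses alone prove nothing (a user with home and office connections, like bob, is
    normal); the absence of sent mail is what separates a dead drop from ordinary use."""
    login_ips = defaultdict(set)
    drafts = defaultdict(int)
    sent = defaultdict(int)
    for _ts, account, event, ip in parse_log(text):
        if event == "login":
            login_ips[account].add(ip)
        elif event == "draft_saved":
            drafts[account] += 1
        elif event == "message_sent":
            sent[account] += 1
    return {
        account: sorted(ips)
        for account, ips in login_ips.items()
        if len(ips) >= min_ips and drafts[account] > 0 and sent[account] == 0
    }


if __name__ == "__main__":
    for account, ips in dead_drop_candidates(SAMPLE_LOG).items():
        print(account, "accessed from", ", ".join(ips))
```

Each address in the result is a separate subpoena target for the investigator. If those addresses turn out to belong to TOR exits or open proxies, the correlation stops there, which is exactly the gap the preceding paragraph describes.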


3.2.3 Encryption

It has been reported that al-Qaeda has been using encryption software referred to as Mujahideen Secrets since 2007. Danchev (2008) lists the following key features of the tool:

Encryption using one of the five AES finalist algorithms

256-bit symmetric keys (“ultra strong symmetric encryption”)

2048-bit RSA asymmetric keys

Data compression

Changing of keys and encryption algorithms (“stealthy cipher”)

Automatic identification of the encryption algorithm during decryption (cipher auto-detection)

A single-file program that needs no installation and can run from portable memory

File shredding intended to make the cleared files impossible to retrieve

Secure messaging through multi-cast encryption of text messages

Encoding of files of all kinds as text, so that they can be shared on text forums

Digital signatures of messages and files, to ensure their authenticity

Some reports indicate that since the Snowden leaks alternative encryption software has been released by terrorist organisations. Figure 2 in Appendix A lists software released by different terrorist factions. Mujahideen Secrets has since reached version 2.
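An examiner who cannot break such a tool can still find its output. The following Python example, added here and not part of the paper or of any tool it discusses, implements the usual first-pass check: identify known container formats by their header bytes, and flag headerless data whose Shannon entropy is close to 8 bits per byte as encrypted or compressed. It also shows the limit that matters for the “files as text” feature listed above: encoding ciphertext as base64 caps its entropy at about 6 bits per byte, so a naive entropy threshold labels it plain until the encoding layer is stripped. The sample inputs are constructed; the keystream is derived from SHA-256 purely to produce deterministic random-looking bytes and is not a real cipher.

```python
# Entropy-based triage for encrypted or compressed data, and the base64 blind spot.
# Added example; the sample data is constructed and the keystream is not a real cipher.
import base64
import binascii
import gzip
import hashlib
import math
from collections import Counter

KNOWN_HEADERS = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
}
HIGH_ENTROPY = 7.5  # bits per byte; uniformly random data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes) -> str:
    """Label data by header first, then by entropy: a container name, 'encrypted-or-compressed' or 'plain'."""
    for magic, name in KNOWN_HEADERS.items():
        if data.startswith(magic):
            return name
    return "encrypted-or-compressed" if shannon_entropy(data) > HIGH_ENTROPY else "plain"


def strip_base64(data: bytes) -> bytes:
    """If data is valid base64 text, return the decoded bytes; otherwise return it unchanged.
    Ciphertext shared as forum text usually arrives in this form."""
    try:
        decoded = base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return data
    return decoded if decoded else data


def classify_with_decoding(data: bytes) -> str:
    """classify() after peeling one base64 layer, so encoded ciphertext is not mislabelled as plain."""
    return classify(strip_base64(data))


def fake_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic random-looking bytes for the demo (SHA-256 in counter mode). Not a cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


# Constructed samples.
PLAIN_TEXT = b"The quick brown fox jumps over the lazy dog. " * 40
CIPHERTEXT = fake_ciphertext(b"demo-seed", 4096)
ENCODED_CIPHERTEXT = base64.b64encode(CIPHERTEXT)
GZIPPED_TEXT = gzip.compress(PLAIN_TEXT, mtime=0)

if __name__ == "__main__":
    for label, sample in [("text", PLAIN_TEXT), ("ciphertext", CIPHERTEXT),
                          ("base64 ciphertext", ENCODED_CIPHERTEXT), ("gzip", GZIPPED_TEXT)]:
        print(f"{label:18} entropy={shannon_entropy(sample):.2f} "
              f"naive={classify(sample)} decoded={classify_with_decoding(sample)}")
```

The result is what Sporea et al. (2012) report for mobile tools further on: the examiner learns that encrypted material exists, and roughly how much, but nothing about its contents. Compressed data scores just as high, so a high-entropy hit is a lead to examine, not proof of encryption.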

3.2.4 IP Based Cloaking

Wang, Savage and Voelker (2011) define cloaking as a common “bait and switch” technique used to hide the true nature of a website by delivering blatantly different semantic content to different user groups.

In the context of terrorism, these organisations use IP-based cloaking to detect whether web requests are coming from a known government IP address. Based on the source address, either the real content or decoy content is returned to the requester, much like the blacklisting that legitimate organisations use to block known malicious actors.
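Both sides of IP-based cloaking fit in a short Python example, added here and not taken from the paper or from Wang et al. The server half returns a decoy page when the client address falls within a watched prefix (the prefixes, page bodies and client addresses are constructed from the RFC 5737 and RFC 3849 documentation ranges). The investigator half implements the differential check Wang et al. describe: fetch the same URL from several vantage points and compare what each one received. A site that answers a government address differently from a residential or TOR address is cloaking, and the grouping shows which vantage points were served which variant.

```python
# IP-based cloaking: a minimal cloaking decision and the differential check that exposes it.
# Added example; prefixes, page bodies and client addresses are constructed.
import hashlib
import ipaddress
import re

# Hypothetical "known government" prefixes a cloaking site might watch (documentation ranges).
WATCHED_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]
REAL_PAGE = "<html><body><h1>Members area</h1><p>Training material index</p></body></html>"
DECOY_PAGE = "<html><body><h1>Welcome</h1><p>Charity appeal and news</p></body></html>"


def serve(client_ip: str, watched=WATCHED_PREFIXES) -> str:
    """The cloaking server's decision: decoy for watched addresses, real content for everyone else.
    An unparsable address raises ValueError rather than being silently treated as unwatched."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in watched):
        return DECOY_PAGE
    return REAL_PAGE


def normalise(body: str) -> str:
    """Collapse whitespace so harmless per-request formatting differences do not look like cloaking."""
    return re.sub(r"\s+", " ", body).strip()


def fetch_from_vantage_points(fetch, vantage_ips):
    """Fetch the same resource as seen from each vantage point. `fetch` takes a source IP and returns
    a body; here it is serve() itself, in practice it would issue the request via that vantage point."""
    return {ip: fetch(ip) for ip in vantage_ips}


def group_by_content(responses: dict) -> dict:
    """Map content digest -> sorted list of vantage IPs that received that variant."""
    groups = {}
    for ip, body in responses.items():
        digest = hashlib.sha256(normalise(body).encode()).hexdigest()
        groups.setdefault(digest, []).append(ip)
    return {digest: sorted(ips) for digest, ips in groups.items()}


def cloaking_suspected(responses: dict) -> bool:
    """True when vantage points disagree about the content of the same URL."""
    return len(group_by_content(responses)) > 1


if __name__ == "__main__":
    seen = fetch_from_vantage_points(serve, ["192.0.2.5", "198.51.100.9", "2001:db8::1"])
    print(cloaking_suspected(seen))  # True
    for digest, ips in group_by_content(seen).items():
        print(digest[:12], ips)
```

Real cloakers also key on the User-Agent, the referrer and reverse DNS of the client, so a thorough check varies those as well as the source address; the comparison logic stays the same.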

3.2.5 Proxies and Anonymising

Using proxies to mask one's IP address is paramount in not disclosing one's physical location. Grobler and Veerasamy (2011) indicate that this is done through a proxy and a secure channel in order to mask Internet Protocol addresses.

As per TOR (2015), the TOR Project is free software and an open network that helps one defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security. One can imagine that TOR is also utilised by terrorist organisations, which conflicts with the project's own description of its purpose: TOR can also be destructive for state security. This is ironic, since onion routing originated in research funded by the United States government.

However, TOR does not provide complete anonymity. When a user browses to a website, only the network location and some information about the computer's configuration are withheld. If the user enters a user name into a web form, TOR cannot protect that identity; protocol-specific support software is needed in addition to achieve complete privacy.

3.3 Counter Forensics in the realm of Mobile Devices

With the consumerisation of mobile devices a new paradigm of digital forensics has evolved. According to statista.com (2015), in 2013 73.4 percent of the global online population accessed the Internet from their mobile phones, a figure expected to grow to 90.1 percent by 2017 (Figure 3 in Appendix A).



Two mainstream mobile phone operating systems dominate the market: Android and iOS. Sporea, Aziz and McIntyre (2012) conducted a survey on the availability of counter-forensic tools for smartphones and indicated that the same principles as for computer forensics apply to mobile phone technology, although with some challenges and constraints.

These challenges and constraints exist because of the nature of mobile device operation: data is always changing and being overwritten, and the devices carry lock codes and encryption.

In the experiments of Sporea et al. (2012), counter-forensic applications of the following kinds were tested:

File shredding

Encryption

Steganography

Location information

Sporea et al. (2012) obtained the following results:

File shredding is extremely effective: forensic tools could not detect any traces of the deleted files.

Encryption could be detected by forensic tools, but the contents remain unknown.

The forensic tools used could not detect messages hidden using steganography.

Forensic tools cannot detect counterfeited location information.

The results of Sporea et al. (2012) are clearly disturbing, given that most crimes and acts of terror involve some form of mobile device. Such techniques can easily thwart an investigation, and evidence recovered in their presence may be unreliable and therefore inadmissible.
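The file-shredding result deserves a caveat that matters both to a tool author and to an examiner. The Python example below, added here and not taken from the paper or from Sporea et al., shows what a shredder does: overwrite the file contents in place and flush them to the device before unlinking, and rename the directory entry so the original file name does not survive either. It also records why the result can be weaker than it looks: on flash storage and on journaling or copy-on-write file systems the overwrite may land on a different physical block, leaving the old contents for an examiner who reads below the file system, and on modern mobile devices destroying the file's encryption key is the reliable erase, not overwriting. The demo() helper that creates a temporary file is part of the example only.

```python
# Secure deletion by overwrite, with the caveats that limit it.
# Added example; not code from the paper or from any tool it cites.
import os
import secrets
import tempfile


def shred(path: str, passes: int = 2, chunk_size: int = 64 * 1024) -> int:
    """Overwrite the file at `path` in place (random data for every pass but the last, then zeros),
    flushing each pass to the device; then truncate, rename to a random name and unlink it.
    Returns the number of bytes overwritten per pass.

    Caveat: this only defeats recovery when the file system rewrites the same physical blocks.
    Flash wear levelling, SSD remapping and journaling or copy-on-write file systems may leave
    the old blocks intact, so an examiner reading unallocated space or raw flash can still find
    them. Where file-based encryption is available, destroying the key is the dependable erase."""
    size = os.path.getsize(path)
    with open(path, "r+b") as handle:
        for pass_number in range(passes):
            handle.seek(0)
            remaining = size
            while remaining:
                n = min(chunk_size, remaining)
                # The final pass zeros the file so the leftover blocks do not stand out
                # to a high-entropy scan as a spot where something was shredded.
                handle.write(secrets.token_bytes(n) if pass_number < passes - 1 else b"\x00" * n)
                remaining -= n
            handle.flush()
            os.fsync(handle.fileno())
        handle.truncate(0)
        os.fsync(handle.fileno())
    # Replace the directory entry with a random name before unlinking, so the original
    # file name is not left behind in directory slack.
    scrambled = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.replace(path, scrambled)
    os.unlink(scrambled)
    return size


def demo(content: bytes = b"operational notes, constructed for the example\n" * 100) -> dict:
    """Create a temporary file holding `content`, shred it and report what happened."""
    directory = tempfile.mkdtemp()
    path = os.path.join(directory, "notes.txt")
    with open(path, "wb") as handle:
        handle.write(content)
    overwritten = shred(path)
    leftover = os.listdir(directory)
    os.rmdir(directory)
    return {
        "bytes_overwritten": overwritten,
        "exists_after": os.path.exists(path),
        "leftover_entries": leftover,
    }


if __name__ == "__main__":
    print(demo())  # {'bytes_overwritten': 4700, 'exists_after': False, 'leftover_entries': []}
```

For the examiner the practical consequence is the converse of the caveat: when a shredder has been used on a device, the places to look are unallocated blocks, file system journals and snapshots, and any backups or cloud copies, since the logical file is gone for good.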



Distefano, Me and Pace (2010) also agree that mobile forensics is still experiencing a number of difficulties and problems to be overcome, owing to the heterogeneity of devices and the limits on acquiring the data they store. However, through custom tools and experimentation it was possible to reconstruct data to its original form after destruction or modification.

By making changes to community distributions of the Android platform, Karlsson and Glisson (2014) achieved the following counter-forensic results:

Prevented data extractions

Blocked the installation of forensic tools

Created extraction delays

Presented false data to industry-accepted forensic analysis tools

Some researchers argue that there is too much of a dependency on forensic tools, and that digital forensic investigators must be extremely familiar with the standards provided by standardisation organisations, and understand simple and effective anti-forensic techniques to measure the resilience of the tools.

NIST (2014) provides guidelines on mobile device forensics covering forensic tools, preservation of evidence, acquisition of evidence, examination and analysis, and reporting.

It seems that the Android platform is the preferred platform for terrorist groups. Al-Qaeda developed encryption for Short Message Service (SMS) and text encryption for this platform (see Figure 2 in Appendix A).

4. Critical Evaluation and Deductions

The Internet is a strategic asset for terrorist organisations and their factions for the following reasons:

1. Executive communication

2. Effective operations

3. Generation of capital

4. Global reach

Given the counter-forensic techniques applied to support their cause, the recruiting strategy of terrorist organisations might shift, or has already shifted, to lure, convince and train educated information technology professionals who have the ability to write custom applications or modify existing commercial applications in order to circumvent forensic detection. Highly skilled individuals are required to perform this type of work.

From the literature, steganography is a key tool for communication; it is referenced by almost all sources. The literature indicates that there is no effective real-time detective control able to filter and screen every image or video transferred over the Internet; it is simply not feasible. Much research into thwarting the detection capabilities of forensic tools is being performed, which means that the effectiveness of forensic tools is only as good as what is known at the time.

There is also the matter of the awareness and capability of security agencies to identify potential sources of incriminating evidence, as not all states have the same level of expertise. Consider the case presented in this paper of the Austrian suspect who entered Germany with a memory stick hidden in his clothing. Germany is highly capable of performing forensic investigations. Why would one hide a memory stick in one's underwear unless one had something to hide? That is sufficient basis for search and seizure at borders, but it is also a clear giveaway that something is being concealed. It is uncertain whether the same detective controls exist in developing countries. Steganography is very effective, as it hides information in plain sight.

A key technology for a terrorist group is encryption. What is astounding is that they are writing their own software to support their cause, based on the strongest publicly available algorithms. As this is a closed system, it makes interception and decryption of messages very difficult. Access to their technology is also controlled via protection mechanisms.

The immaturity of mobile forensics poses a risk for all nations. As presented in this paper, customised software and off the shelf free software can defeat forensics.

There is also the risk of disinformation purposefully generated on a mobile phone to provide false information about plans and tactics. Training and education in mobile device forensics are therefore an absolute necessity, and proper certification, including standard procedures for the analysis and examination of the different mobile operating systems and of counter-forensic software, is a key requirement.

As stated in the section to follow, digital evidence needs to be verified in the real world. It is counterproductive to base predictions of future events on unverified evidence.

5. Conclusion and Recommendations

Physical Intelligence and insider information in conjunction with the knowledge of counter forensic capabilities including effective digital forensics can prove successful in preventing terrorist attacks. It is my opinion that to base intelligence only in the digital realm might give some indications of possible future attacks; however it needs to be vetted in the physical world as a true indication.

It is therefore imperative that investigators become familiar with the techniques and tools utilised by terrorists in order to recognise and defeat counter-forensics, which speaks to the training and education of intelligence services.



Much more focus should be placed on mobile forensic research as well as hardware protection mechanisms in order to prevent custom operating systems from being installed on these devices.

Most of the research surveyed in the literature has been performed on the Android platform as opposed to iOS. This is possibly a result of the cost and popularity of the Android operating system.

The level of skill shown by these organisations is significant, and there is a perception that if devices are not locked down, the vendors selling them are in effect supporting acts of terror. It is therefore good corporate governance to incorporate counter-forensics in the design, implementation and testing phases of the software development lifecycle, and to take counter-forensics into consideration as part of an existing security programme, in order to keep innocent people safe.



6. Identified Areas of Further Research regarding Counter Forensics

As indicated in the previous section, mobile forensics and mobile counter forensics require further research, including hardware based protection on mobile devices.

Another area of research is the effectiveness of forensic tools against the latest research in data hiding from a steganography perspective, which is intended to defeat forensics.

Lastly, from a terrorist perspective, the next generation of counter-forensic tools and techniques to be utilised in the next wave of acts of terror, and the countermeasures to be adopted against them. The Internet of Things poses a significant risk for ordinary citizens, as security is not necessarily implemented in these devices.



Appendix A

Figure 1 Danchev (2008) Mujahideen Secrets


Figure 2 RecordedFuture.com (2015) Alternative Encryption Software

Figure 3 Statista.com (2015) Mobile Phone Internet Penetration



References

[1] Bumgarner, J., Mylrea, M. (2010). Jihad in Cyberspace. [Online]. Available from: http://www.homeland1.com/Critical-Infrastructure-cyber-security/articles/770270-Jihad-in-cyberspace. [Accessed 13 March 2015].

[2] CNN (2002). U.S. Infrastructure information found on al Qaeda computers. [Online]. Available from: http://edition.cnn.com/2002/US/06/27/alqaeda.cyber.threat/index.html. [Accessed 2 March 2015].

[3] Council of Europe (2007). Analytical Report. In: Counter-Terrorism Task Force (ed.), Cyberterrorism – The use of the Internet for terrorist purposes. Strasbourg: Council of Europe Publishing, p. 40.

[4] Council on Foreign Relations (2011). Terrorists and the Internet. [Online]. Available from: http://www.cfr.org/terrorism-and-technology/terrorists-internet/p10005. [Accessed 15 March 2015].

[5] Danchev, D. (2008). Mujahideen Secrets 2 Encryption Tool Released. [Online]. Available from: http://ddanchev.blogspot.com/2008/01/mujahideen-secrets-2-encryption-tool.html. [Accessed 16 March 2015].

[6] Dilitas (2015). Cyber Terrorism and the Dark Arts of Anti-Forensics. [Online]. Available from: http://www.dilitas.com/cyber-terrorism-dark-arts-anti%C2%AD-forensics. [Accessed 10 April 2015].

[7] Distefano, A., Me, G., Pace, F. (2010). Android Anti-Forensics through a local paradigm. Digital Forensics Workshop. Elsevier Ltd., pp. 83-94.

[8] Grobler, M., Veerasamy, N. (2011). Terrorist use of the Internet: Exploitation and Support through ICT Infrastructure. Proceedings of the 6th International Conference on Information Warfare and Security, Academic Publishing International Limited, pp. 260-267.

[9] Infosecurity Magazine (2012). [Online]. Available from: http://www.infosecurity-magazine.com/news/al-qaeda-uses-steganography-documents-hidden-in. [Accessed 15 March 2015].

[10] Karlsson, K., Glisson, W. (2014). [Online]. Available from: http://arxiv.org/pdf/1401.6444. [Accessed 5 April 2015].

[11] New York Times (2008). Mumbai Terrorists Relied on New Technology for Attacks. [Online]. Available from: http://www.nytimes.com/2008/12/09/world/asia/09Mumbai.html?_r=0. [Accessed 30 March 2015].

[12] NIST SP 800-101 (2014). Guidelines on Mobile Device Forensics. [Online]. Available from: http://csrc.nist.gov/publications/PubsSPs.html#800-101. [Accessed 10 April 2015].

[13] United Nations Office on Drugs and Crime (2012). The Use of the Internet for Terrorist Purposes. [Online]. Available from: http://www.unodc.org/documents/frontpage/Use_of_internet_for_terrorist_purposes.pdf. [Accessed 15 March 2015].

[14] Wang, D., Savage, S., Voelker, G. (2011). Cloak and Dagger: Dynamics of Web Search Cloaking. CCS '11, 17-21 October. ACM, p. 447.

[15] RecordedFuture.com (2015). [Online]. Available from: http://www.recordedfuture.com/al-queda-encryption-technology-part-2. [Accessed 15 April 2015].

[16] Security Service Mi5 (2015). Terrorist Training and Indoctrination. [Online]. Available from: https://www.mi5.gov.uk/home/about-us/what-we-do/the-threats/terrorism/international-terrorism/international-terrorism-and-the-uk/terrorist-training.html. [Accessed 1 April 2015].

[17] Sikorski, M., Honig, A. (2012). Anti-Debugging. In: Law, A. (ed.), Practical Malware Analysis. San Francisco: No Starch Press, pp. 351-368.

[18] Soghoian, C. (2012). Surveillance and Security Lessons from the Petraeus Scandal. [Online]. Available from: https://www.aclu.org/blog/surveillance-and-security-lessons-petraeus-scandal?redirect=blog/free-future/surveillance-and-security-lessons-petraeus-scandal. [Accessed 16 March 2015].

[19] Sporea, I., Aziz, B., McIntyre, Z. (2012). On the availability of anti-forensics tools for smartphones. International Journal of Security (IJS), 6(4).

[20] Statista.com (2015). Mobile phone internet user penetration worldwide from 2012-2017. [Online]. Available from: http://statistics/284202/mobile-phone-internet-user-penetration-worldwide/. [Accessed 30 March 2015].

[21] Tor (2015). [Online]. Available from: https://www.tor.org. [Accessed 21 March 2015].
