Cyber Terrorism and the Dark Arts of Anti-Forensics

Andrew Staniforth examines the devious processes by which online criminals hide evidential data.

New Strategic Policing Requirements (SPR) published by the Home Secretary earlier this month reinforce the priority of police forces to ensure they have the capacity and capability to contribute to a national response to a cyber security incident. SPR is a central government tool to counter the growing concern among security professionals that a sophisticated cyber attack could cause grave damage to the safety and security of the UK and its citizens.

Cyber terror

A national cyber incident may arise from numerous sources, but given the severe terrorist threat level assessment from international terrorism, an attack via an act of cyber terrorism by a terrorist organisation appears most likely.

Terrorists have a strong presence in cyberspace and are utilising its capabilities to progress their chosen political, religious or ideological extremist cause.

There are two principal motivations for the terrorist's use of cyberspace: supporting their activity (the acquisition and laundering of money and the recruitment of individuals to their cause) and the use of tools in cyberspace to instigate an actual attack.

It is the terrorist's use of cyberspace to attack UK interests that is the focus of the Home Secretary's SPR, and all police forces have a responsibility to contribute to a national response when required.

Attack categories

As a rule, a distinction should be drawn among three basic cyber terrorist attack categories: an attack on the gateway of an organisation, an attack on an organisation's information systems and, the most sophisticated, an attack on an organisation's core operational systems.

An attack on the gateway of an organisation, that is, its internet site, is the most basic level of attack. The simplest tactic is a denial-of-service attack designed to disrupt daily life and operations, but such attacks do not cause substantial, irreversible or lasting damage.

An attack on an organisation's information systems is the intermediate level on the scale of damage in cyberspace; it covers attacks against the organisation's information and computer systems, such as servers and communications networks. Such attacks cause substantial disruption, major embarrassment for organisations and the loss of community and customer confidence.

Critical infrastructures

The highest level of cyber attack risk is an attack on an organisation's core operational and operating systems. Examples include attacks against critical infrastructures, such as water, electricity and gas supplies and public transportation systems.

Such attacks may deny the provision of essential services for a given time or, in more severe cases, even cause physical damage by attacking command and control systems. The key difference with this level of cyber attack is that a virtual attack is likely to create physical damage and its effects are liable to be destructive, which is the very reason why the capacity and capability of police forces across the UK need to be ready to respond to such a cyber crisis.

Anti-forensics

Responding to a national cyber incident will be complex, but the post-incident investigation of cyber attacks presents its own unique challenges as cyber criminals and terrorists become increasingly aware of forensic analysis methods. As a direct result, they often implement countermeasures to prevent an investigator harvesting useful information. This practice is called anti-forensics, the purpose of which is to destroy or hide evidential data. There are a number of techniques used to apply anti-forensics, and it is important for all cyber investigators to develop awareness of the practices cyber criminals put in place in an attempt to conceal their activities.

Methods such as "slack space anti-forensics", which hides malicious software in reserved, empty or spare capacity areas that are not being used by operating systems, and "smart anti-forensics technology", used by a cyber criminal to identify whether a hard drive has been removed for a forensic duplication process, are all part of the dark arts of cyber crime to avoid capture.
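To make the slack-space technique concrete from the examiner's side, the following added example (not the author's code and not taken from any forensic product) builds a small in-memory disk image with fixed-size clusters and sweeps the slack of every file, that is, the unused tail of its last allocated cluster, for content that is not zero-filled. It reports the Shannon entropy of whatever it finds so that high-entropy material, the signature of encrypted or packed data, stands out from ordinary residue of earlier files. The cluster size, file table, entropy threshold and hidden blob are all constructed assumptions for the demonstration.

```python
"""Added example (not from the article): a forensic sweep of file slack, the unused
tail of a file's last allocated cluster. The disk image, cluster size, file table,
entropy threshold and hidden blob are all constructed for illustration."""
import math
import random

CLUSTER_SIZE = 4096          # constructed cluster size
HIGH_ENTROPY = 7.0           # bits/byte; constructed threshold for packed/encrypted data


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0 for empty input, up to 8 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def slack_region(image: bytes, cluster_size: int, start_cluster: int, file_len: int):
    """Locate the slack of a contiguously allocated file: the bytes between its
    logical end and the end of its last cluster. Returns (offset, slack_bytes)."""
    if file_len <= 0:
        raise ValueError("file must occupy at least one byte")
    n_clusters = -(-file_len // cluster_size)              # ceiling division
    last_cluster_start = (start_cluster + n_clusters - 1) * cluster_size
    used_in_last = file_len - (n_clusters - 1) * cluster_size
    offset = last_cluster_start + used_in_last
    return offset, image[offset:last_cluster_start + cluster_size]


def scan_slack(image: bytes, cluster_size: int, file_table):
    """Report every file whose slack is not zero-filled, with the entropy of the
    non-null content so an examiner can prioritise likely encrypted/packed blobs."""
    findings = []
    for name, start_cluster, file_len in file_table:
        offset, slack = slack_region(image, cluster_size, start_cluster, file_len)
        content = slack.rstrip(b"\x00")
        if not content:
            continue                                        # clean, zero-filled slack
        entropy = shannon_entropy(content)
        findings.append({
            "file": name,
            "slack_offset": offset,
            "hidden_bytes": len(content),
            "entropy": round(entropy, 2),
            "high_entropy": entropy >= HIGH_ENTROPY,
        })
    return findings


def build_sample_image():
    """Constructed 5-cluster image and file table (name, first cluster, length)."""
    rng = random.Random(7)
    image = bytearray(5 * CLUSTER_SIZE)
    table = [
        ("report.txt", 0, 1000),              # slack left zero-filled
        ("notes.txt", 1, 2500),               # slack carries a 1500-byte high-entropy blob
        ("old.log", 2, 3000),                 # slack holds low-entropy residue of older content
        ("big.bin", 3, CLUSTER_SIZE + 100),   # spans two clusters; slack in cluster 4, zeroed
    ]
    for name, start, length in table:
        image[start * CLUSTER_SIZE:start * CLUSTER_SIZE + length] = b"A" * length
    blob = bytes(rng.getrandbits(8) for _ in range(1500))   # stands in for an encrypted payload
    image[1 * CLUSTER_SIZE + 2500:1 * CLUSTER_SIZE + 2500 + 1500] = blob
    residue = b"previous revision of this file, not yet overwritten " * 20
    image[2 * CLUSTER_SIZE + 3000:2 * CLUSTER_SIZE + 3000 + len(residue)] = residue
    return bytes(image), table


if __name__ == "__main__":
    sample_image, sample_table = build_sample_image()
    for finding in scan_slack(sample_image, CLUSTER_SIZE, sample_table):
        print(finding)
```

On a real image the file table would come from the file system metadata (for example the allocation chain of each directory entry) rather than a hard-coded list, and fragmented files need the last cluster of the chain rather than the arithmetic used here; the sweep itself, non-null content past end-of-file plus an entropy score, is the same.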

Steganography

One of the most common cyber tactics used to avoid detection is steganography: the art and science of hiding information by embedding messages within other, seemingly harmless messages.

Steganography works by replacing bits of useless or unused data in regular computer files (such as graphics, sound or text) with bits of different, invisible information. This hidden information can be plain text or even images. Steganography is sometimes used when encryption is not permitted or, more commonly, to supplement encryption.
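The bit replacement described above, together with the statistical check an examiner would run over a suspect file, as an added example that is not part of the original article. The carrier is a constructed buffer of 8-bit greyscale pixel values, the payload is modelled as encrypted data (uniformly random bytes), and the detection threshold is an assumption; the detector is the standard "pairs of values" chi-square test, which notices that overwriting least-significant bits with random data equalises the counts of each value pair (2k, 2k+1) that an untouched carrier leaves uneven.

```python
"""Added example (not from the article): least-significant-bit (LSB) steganography
in a constructed 8-bit greyscale carrier, with the 'pairs of values' chi-square
check a forensic examiner can run to spot that the unused bits were replaced.
The carrier, payload and threshold are constructed for illustration."""
import random


def make_carrier(n_pixels: int, seed: int) -> bytes:
    """Construct a carrier whose histogram is uneven within each pair of
    values (2k, 2k+1), as real sensor data tends to be: 80% of pixels even."""
    rng = random.Random(seed)
    pixels = bytearray()
    for _ in range(n_pixels):
        base = 2 * rng.randint(0, 127)
        pixels.append(base if rng.random() < 0.8 else base + 1)
    return bytes(pixels)


def make_payload(n_bytes: int, seed: int) -> bytes:
    """Model an encrypted payload as uniformly random bytes (the article notes
    that steganography is commonly layered on top of encryption)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n_bytes))


def embed_lsb(carrier: bytes, payload: bytes) -> bytes:
    """Overwrite the LSB of successive carrier bytes with the payload bits,
    preceded by a 4-byte big-endian length so the reader knows where to stop."""
    message = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> i) & 1 for byte in message for i in range(7, -1, -1)]
    if len(bits) > len(carrier):
        raise ValueError("payload does not fit in carrier")
    stego = bytearray(carrier)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit
    return bytes(stego)


def extract_lsb(stego: bytes) -> bytes:
    """Read the LSB plane back: first the length header, then that many bytes."""
    def read_bytes(bit_offset: int, count: int) -> bytes:
        out = bytearray()
        for k in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[bit_offset + k * 8 + i] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)


def pairs_chi_square(data: bytes) -> float:
    """Chi-square statistic per degree of freedom over value pairs (2k, 2k+1).
    LSB replacement with random bits pulls both counts of a pair towards their
    mean, so the statistic collapses to about 1; untouched data stays far higher."""
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    stat, dof = 0.0, 0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        expected = (even + odd) / 2
        if expected == 0:
            continue
        stat += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
        dof += 1
    return stat / dof if dof else 0.0


def looks_embedded(data: bytes, threshold: float = 2.0) -> bool:
    """Flag data whose pair histogram is suspiciously equalised (constructed threshold)."""
    return pairs_chi_square(data) < threshold


CARRIER = make_carrier(20000, seed=1)
PAYLOAD = make_payload(20000 // 8 - 4, seed=2)    # fills the whole LSB plane
STEGO = embed_lsb(CARRIER, PAYLOAD)

if __name__ == "__main__":
    print("carrier chi-square/dof:", round(pairs_chi_square(CARRIER), 2))
    print("stego   chi-square/dof:", round(pairs_chi_square(STEGO), 2))
    print("payload recovered intact:", extract_lsb(STEGO) == PAYLOAD)
    print("flagged:", looks_embedded(CARRIER), looks_embedded(STEGO))
```

The test only works where the embedding is sequential and covers the region being measured, which is why practical tools slide the statistic across the file in windows rather than scoring it once; the extraction routine is included so the reader can confirm that the recovered bytes really are the bits the carrier was not using.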

An encrypted file may still hide information using steganography, so even if the encrypted file is deciphered, the hidden message is not seen.

Operational challenge

Anti-forensics is a reality. Terrorists and criminals conducting their activities online are just as devious as counterparts operating offline, making every attempt to conceal their crimes. Every cyber investigation will include some element of anti-forensic tools or approach. Of course, cyber criminals may adopt operational security protocols that are not necessarily designed with anti-forensics in mind.

For instance, passwords, code words and file shielders may be in place simply to provide an appropriate level of safety, security and privacy, but they can be used as an anti-forensic tool since they protect and conceal data.

The technical complexity of contemporary cyber investigations has brought the skill of the cyber forensic investigator to the fore. Their increasingly important role in community safety and national security is not to be underestimated. The cyber forensic investigator today is a "safe hacker" who must use the full range of legitimate and lawful investigative tools and technologies to retrieve vital intelligence and evidence to bring cyber terrorists and criminals to justice.

Increased connectivity

Cyber criminals continue to develop new and increasingly sophisticated anti-forensic tools and technologies to thwart law enforcement efforts. The identification of anti-forensics and the sharing of knowledge of new and emerging anti-forensic tools and approaches between cyber investigators is essential to maintain an effective cyber investigative capability. The increased connectivity between cyber professionals working in different agencies is also vital if the UK is to be able to tackle cyber threats and respond effectively to a national cyber incident.