Anti-Forensic Methods Used by Jihadist Web Sites
IP-based Cloaking
Cloaking is a method that analyzes a visitor's IP address and redirects certain visitors to a bogus site, thus masking or cloaking the authentic one. Lance Cottrell, chief scientist at Anonymizer, described how IP-based cloaking worked during an educational seminar he delivered at FOSE 2006 last year. Here is the official description found in the Government Threat Center section of Anonymizer.com:
When the Web server receives a page request, a script checks the IP address of the user against a list of known government IP addresses. If a match is found, the server delivers a Web page with fake information. If no match is found, the requesting user is sent to a Web page with real information.
A similar technique, IP-based blocking, simply denies certain users access rather than redirecting them to a different site.
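A defender's check for the behaviour described above, as an added example that is not from the original article or from Anonymizer: fetch the same URL from an attributable network and from a non-attributable one, then compare what came back. The sample captures, the vantage labels and the 0.6 similarity threshold are constructed assumptions.

```python
import difflib
import re
from dataclasses import dataclass

@dataclass
class Capture:
    """One fetch of the same URL, recorded from a single network vantage point."""
    vantage: str   # label for the source network (hypothetical names below)
    status: int    # HTTP status code returned
    body: str      # raw HTML returned

def visible_text(html: str) -> list[str]:
    """Drop scripts, styles and tags; return the reader-visible words."""
    html = re.sub(r"(?is)<(script|style)\b.*?</\1>", " ", html)
    return re.sub(r"(?s)<[^>]+>", " ", html).lower().split()

def similarity(a: Capture, b: Capture) -> float:
    """Word-level similarity (0.0 to 1.0) of the visible text of two captures."""
    return difflib.SequenceMatcher(
        None, visible_text(a.body), visible_text(b.body), autojunk=False).ratio()

def classify(a: Capture, b: Capture, threshold: float = 0.6) -> str:
    """Compare two captures of one URL taken from different networks."""
    ok_a, ok_b = 200 <= a.status < 300, 200 <= b.status < 300
    if ok_a != ok_b:
        return "blocked"       # IP-based blocking: one vantage point is refused
    if not ok_a:
        return "unavailable"   # refused everywhere: nothing to compare
    # Counters and rotating scripts differ between any two fetches, so require
    # a large divergence in visible text before calling it cloaking.
    return "consistent" if similarity(a, b) >= threshold else "cloaked"

# Constructed sample captures (not real traffic).
PAGE = ("<html><head><title>Forum</title><script>var t={n};</script></head><body>"
        "<h1>Members forum</h1><p>Latest statements, video releases and download "
        "links for members.</p><p>Visitors today: {n}</p></body></html>")
DECOY = ("<html><body><h1>Family recipes</h1><p>Welcome to our cooking blog with "
         "seasonal dishes and kitchen tips.</p></body></html>")
PROXY = Capture("anon-proxy", 200, PAGE.format(n=1042))
PROXY_LATER = Capture("anon-proxy", 200, PAGE.format(n=1057))
AGENCY = Capture("agency-egress", 200, DECOY)
AGENCY_DENIED = Capture("agency-egress", 403, "<h1>Forbidden</h1>")

if __name__ == "__main__":
    for other in (PROXY_LATER, AGENCY, AGENCY_DENIED):
        print(other.vantage, other.status, classify(PROXY, other))
```

A "cloaked" or "blocked" result only says the two networks were treated differently; geolocation, language negotiation or A/B testing can cause the same divergence, so a flagged URL still needs manual review.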
Conclusion
Internet-based attacks are extremely popular with terrorist organizations because they are relatively cheap to perform, offer a high degree of anonymity, and can be tremendously effective. As the efforts of cyber-jihadis continue to multiply in both sophistication and numbers, researchers like Dr. Chen are noticing that their message of recruitment for the holy war against the West is being reproduced in a growing number of languages, rather than just Arabic. Most of the experts referred to in this article anticipate seeing both an increased adoption of operational security measures, including anti-forensics, and the continued creation and distribution of custom software solutions by technology-savvy online extremist organizations.
