Computer forensics investigators are often employed to analyse an attack on a system and to find out who carried out the attack, when it happened and how to prevent it in the future. That is no small task, and this level of analysis often requires digging into something called “metadata”. Almost every file carries some kind of metadata, and photos are a great example: when you take a photo on a smartphone, the photo can tell you where it was taken, when it was taken and all sorts of information about how it was taken. This kind of data is how forensic investigators track criminals and hackers alike to work out what to do next.

What the CIA wanted was a way of tricking and hindering forensic investigators so they could not use the metadata in CIA malware to trace everything back to the agency, precisely what any hacker would dream of being able to do. The Marble framework is a tool that changes investigations quite dramatically and is what is referred to as an “anti-forensic” framework. Marbles are “specific algorithms that scramble and unscramble data”, so really we are looking at something referred to as “obfuscation”, or, to put it very simply, hiding specific data. You can hide data in many ways, and one of the most common is with an algorithm, i.e. a set of rules. If I wanted to send “hello” to you but keep it private, the rule could be to replace each letter with the number of its place in the alphabet, so hello becomes “8 5 12 12 15”. Someone who doesn’t know the algorithm will think it’s just some random numbers, and that’s the point. That’s a very basic example that can be cracked easily, but it helps you understand the principle.

So how does the CIA code hide data? Let’s get started. In C++ (a programming language), you define variables, which are a way of storing data so that it can be manipulated, like this:

[Figure: a standard C++ variable definition]

That’s the standard way of doing it, and it allows you to do all sorts of fancy data storing, but the Marble framework allows you to define variables that can be “obfuscated”. Inside the framework (which is a C++ library for programmers), you can define either strings or characters to be hidden. So in defining a string such as “hello” you would add a “Warble” flag, which is defined for “wide character strings” (a fancy term for words), to hide the information from anyone opening the file without the key. You can also use the “Carble” flag for “multi-byte characters”; this flag lets you type in bytes of data in hexadecimal form. It is essentially encryption for programs: when the program runs, the scrambled variables are de-scrambled. In order to keep everything mixed up, the Marble framework has quite a few algorithms that are selected at random to make life harder for forensic investigators, and most are written in the programming languages C or C++. The data they could hide may be anything from IP addresses to the nearest Starbucks, but it’s an interesting lens into the world of encryption and how hackers might go about attempting to cover their tracks. It raises the question: if we don’t know who is attacking us, how do we know if we can stop them?
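As an added illustration of the scramble/unscramble idea described above (written for this page, not code from the Marble framework; the class name, the XOR rule and the seed are hypothetical), this C++ snippet stores a literal in scrambled form at compile time, restores it at run time, and shows that a strings-style scan finds the plaintext only in the live, de-scrambled buffer:

```cpp
// Hypothetical compile-time string scrambler in the spirit of the page's
// "Warble"/"Carble" description. The object's stored bytes hold only the
// scrambled form; the text is rebuilt in memory when reveal() runs.
#include <cstddef>
#include <cstring>
#include <string>

// Hypothetical scrambling rule: XOR each byte with a per-position key derived
// from a seed, so repeated letters (the two l's in "hello") do not line up.
// Applying the same rule twice restores the original byte.
constexpr unsigned char scramble_byte(unsigned char c, std::size_t i, unsigned char seed) {
    return static_cast<unsigned char>(c ^ static_cast<unsigned char>(seed + 7 * i));
}

template <std::size_t N>
class ObfString {
public:
    // constexpr constructor: the compiler evaluates this, so the emitted
    // object contains the scrambled bytes rather than the literal.
    constexpr ObfString(const char (&lit)[N], unsigned char seed) : seed_(seed), data_{} {
        for (std::size_t i = 0; i < N; ++i)
            data_[i] = scramble_byte(static_cast<unsigned char>(lit[i]), i, seed);
    }
    // Run-time unscramble into a fresh std::string (N includes the trailing NUL).
    std::string reveal() const {
        std::string out;
        for (std::size_t i = 0; i + 1 < N; ++i)
            out.push_back(static_cast<char>(scramble_byte(data_[i], i, seed_)));
        return out;
    }
    const unsigned char* stored() const { return data_; }
    std::size_t size() const { return N; }
private:
    unsigned char seed_;
    unsigned char data_[N];
};

// Forensic-style check: does a byte region contain the plaintext as a substring?
bool contains_plaintext(const unsigned char* bytes, std::size_t len, const char* needle) {
    std::size_t n = std::strlen(needle);
    for (std::size_t i = 0; n <= len && i + n <= len; ++i)
        if (std::memcmp(bytes + i, needle, n) == 0) return true;
    return false;
}

// Constructed sample: "hello" with a hypothetical seed of 0x5A.
constexpr ObfString<6> kHidden("hello", 0x5A);

bool plaintext_visible_at_rest() { return contains_plaintext(kHidden.stored(), kHidden.size(), "hello"); }
bool plaintext_visible_at_runtime() {
    std::string live = kHidden.reveal();  // the de-scrambled copy an investigator can catch in memory
    return contains_plaintext(reinterpret_cast<const unsigned char*>(live.data()), live.size(), "hello");
}
```

The at-rest check scanning the scrambled bytes returns false while the run-time check returns true, which is why investigators examine a running sample or a memory capture rather than relying only on the bytes on disk.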
