The Multinationalism of Malware Forensics

Gone are the days when hackers used only American-made tools written only in English. Recently, native-language tools and exploits have gained momentum in the ever-growing sphere of multinational cybercrime. Criminals are now developing their own tools in their own languages – not just the comments, but actual code written in those languages has been observed. This means the forensics practitioner must be skilled at recognizing these languages and proficient with Google Translate. Finding one language also makes discovery easier, but it can obscure others: for example, if a Mongolian-language exploit comment is discovered, common Mongolian words can be searched for, but the digital forensic examiner may then overlook another language, such as Pashto.

Both attackers and forensic examiners can leverage language to their advantage. If a known adversary is from Portugal, automatically filtering for Portuguese will help. However, if the hacker knows this, they can shy away from Portuguese and English tools in favor of something else, like Swedish, and go undetected that way. Writing tools in their own language also lets attackers work without needing to know English, giving more people the opportunity to use them. An examiner can likewise use language prevalence to gain insight into the nature of a group, or the attackers can use it to fool them.
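As an added example (not from the original post), the following Python script shows the examiner-side version of the two paragraphs above: it pulls printable strings out of a constructed byte sample, labels each by the Unicode script of its letters, and then lists everything that falls outside the script the examiner was filtering for, so a Pashto comment is not lost because the filter was set up for Mongolian or Portuguese. The sample strings, the Unicode block ranges and the list of Pashto-only letters are all assumptions of this example, not anything taken from a real sample.

```python
import re
from collections import Counter

# Byte-level patterns for printable runs, in the style of `strings`:
# UTF-8 (ASCII plus well-formed multibyte sequences) and UTF-16LE ASCII-range.
UTF8_RUN = re.compile(
    rb"(?:[\x20-\x7e]"
    rb"|[\xc2-\xdf][\x80-\xbf]"
    rb"|\xe0[\xa0-\xbf][\x80-\xbf]"
    rb"|[\xe1-\xec\xee\xef][\x80-\xbf]{2}"
    rb"|\xed[\x80-\x9f][\x80-\xbf]"
    rb"|\xf0[\x90-\xbf][\x80-\xbf]{2}"
    rb"|[\xf1-\xf3][\x80-\xbf]{3}"
    rb"|\xf4[\x80-\x8f][\x80-\xbf]{2}){4,}"
)
UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

# Coarse Unicode block ranges used to label a string's script (assumed set;
# digits and punctuation are ignored when deciding the dominant script).
SCRIPT_RANGES = {
    "Latin": [(0x41, 0x5A), (0x61, 0x7A), (0xC0, 0x24F)],
    "Cyrillic": [(0x400, 0x52F)],
    "Arabic": [(0x600, 0x6FF), (0x750, 0x77F)],
    "Mongolian": [(0x1800, 0x18AF)],  # traditional script; modern Mongolian is Cyrillic
    "Greek": [(0x370, 0x3FF)],
    "Hebrew": [(0x590, 0x5FF)],
    "CJK": [(0x3040, 0x30FF), (0x4E00, 0x9FFF), (0xAC00, 0xD7AF)],
}

# Letters of the Pashto alphabet that Arabic and Persian do not use, so their
# presence separates Pashto from other Arabic-script text.
PASHTO_LETTERS = set("ټډړږښڼځڅۍ")

# Constructed sample resembling a slice of an extracted artifact: comments in
# English, Mongolian (Cyrillic), Pashto, Swedish, some binary filler, and a
# UTF-16LE Portuguese string. Not taken from any real malware.
SAMPLE = (
    b"# connect to c2\n"
    + "# Сервертэй холбогдох\n".encode("utf-8")
    + "# سرور سره وصل کړه\n".encode("utf-8")
    + "# Anslut till servern\n".encode("utf-8")
    + b"\x00\x01\x02\xff"
    + "conectar ao servidor".encode("utf-16-le")
)


def script_of(ch):
    """Return the script name for a letter, or None for digits/punctuation."""
    cp = ord(ch)
    for name, ranges in SCRIPT_RANGES.items():
        if any(lo <= cp <= hi for lo, hi in ranges):
            return name
    return None


def dominant_script(text):
    """Most frequent script among the letters of text, or 'Unknown'."""
    counts = Counter(s for s in map(script_of, text) if s)
    return counts.most_common(1)[0][0] if counts else "Unknown"


def language_hint(text, script):
    """Refine a script label where a distinctive alphabet gives a language clue."""
    if script == "Arabic" and any(ch in PASHTO_LETTERS for ch in text):
        return "Pashto-specific letters present"
    return ""


def extract_strings(blob):
    """Extract UTF-8 and UTF-16LE runs from blob, tagged with offset and script."""
    found = []
    for m in UTF8_RUN.finditer(blob):
        found.append((m.start(), "utf-8", m.group().decode("utf-8")))
    for m in UTF16LE_RUN.finditer(blob):
        found.append((m.start(), "utf-16-le", m.group().decode("utf-16-le")))
    results = []
    for offset, enc, text in sorted(found):
        script = dominant_script(text)
        results.append({"offset": offset, "encoding": enc, "text": text,
                        "script": script, "hint": language_hint(text, script)})
    return results


def outside_expected(results, expected):
    """Strings whose dominant script is not one the examiner filtered for."""
    return [r for r in results if r["script"] not in expected]


if __name__ == "__main__":
    for r in extract_strings(SAMPLE):
        print(f"{r['offset']:5d} {r['encoding']:9s} {r['script']:9s} "
              f"{r['hint']:32s} {r['text']}")
    print("outside Latin filter:",
          [r["text"] for r in outside_expected(extract_strings(SAMPLE), {"Latin"})])
```

Two caveats follow directly from the post's point. Script is not language: Mongolian written in Cyrillic looks the same as Russian at this level, and Pashto shares the Arabic block with Persian and Urdu, which is why the extra-letter hint exists. And the UTF-16LE pattern here only catches ASCII-range text; in practice the classifier is run over the output of a proper strings extractor so that non-Latin wide strings are not missed.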

This also applies to online forums that target specific languages. By using slang and internet/SMS-style language, the hacking community can communicate under the radar of automatic translators, requiring a native speaker to understand. This makes the job harder for examiners, who usually comb through these forums to get tips on the latest exploits and movements, or to understand a group or tool in action. Through this natural obfuscation, the forensic examiner's job becomes much harder and requires a fair amount of digging to get the information.

Forensic examiners are now also getting local-language support beyond English, which gives significant power to local law enforcement. Teams can focus on the forensics of investigating or developing tools rather than on English. It also means more sources of knowledge are available, giving an examiner a larger set of more powerful tools.