But nothing prepared Morgan Marquis-Boire for what he saw last October while analyzing the contents of a malicious ZIP file found in Syria: a video of a civilian male being brutally slaughtered with a knife, then rolled into a shallow grave.
"Unthinkingly, once I'd managed to extract everything I actually watched the video, which I shouldn't have done," says Marquis-Boire. "It was actually really horrible. … It was probably one of the most traumatic days of malware analysis sitting at a desk in San Francisco that I've ever had."
For the last two years cyberwarriors loyal to Bashar al-Assad have made cyberspace a second front in the Syrian conflict. For nearly as long, Marquis-Boire and his colleagues Eva Galperin and John Scott-Railton have been tracking and analyzing the arsenal of computer malware used against the Syrian opposition, journalists and NGOs. It's a very different kind of forensic analysis than researchers usually perform — urgent, chaotic, and with human lives on the line.
That's because the spyware circulating in Syria is used specifically to gather intelligence that winds up, according to the researchers, in the hands of the Assad regime, where it guides raids, attacks and arrests. In some cases, the military has rounded up suspected rebels and interrogated them about activities they conducted on their computers, without having seized the machine.