Forensics for Commanders - Wikileaks

FOR OFFICIAL USE ONLYLatent prints collectedfrom the rear view mirrorof a pre-blast VBIED.Case StudyMajor Case Prints(Suspected VBIEDCell Leader)Figure 5Latent PrintsRecoveredABIS MatchMission Areas DefinedOperations Iraqi Freedom (OIF) and Enduring Freedom (OEF) havevalidated the importance of forensic science to the militarydecision-making process across all echelons of warfare, from nearreal-time actionable intelligence for tactical commanders toproducts relevant to combatant commanders, Services, DoD, andnational intelligence activities.Force protection: Preventive measures taken to mitigate hostileactions against DOD personnel (to include family members),resources, facilities, and critical information.Targeting: The process of selecting and prioritizing targets andmatching the appropriate response to them, consideringoperational requirements and capabilities.Sourcing: Linking the exploited forensic material in conjunctionwith other information obtained through law enforcement orintelligence channels, both deployed forward and in CONUS, toprovide an overarching picture of movement and origin ofcomponents, regional groups involved, and transnationalsponsorship.Support to prosecution: Matching individuals to particularlocations, events, or devices, through the collection, analysis, andexploitation of forensic material. Utilizing latent prints (LPs), toolmarks, trace evidence, DNA, and analysis from other forensicdisciplines. Forensics assists with “hold and release” decisions atthe site (see case study in Figure 5). Results can be compiled for acriminal prosecutorial package, which will be used in conjunctionwith testimony of experts in order to further detain or charge anindividual suspected or proven to have been involved in actsagainst coalition forces or Iraqi Security Forces.Medical: Identification of individuals and determination of thecause and manner of death.The Forensic LandscapeITO/ExpeditionaryLabs (OCONUS)JEFF 1JEFFJEFF 3JEFFCEXCC3 BxMND-BOperational UnitsMNC-IMNC-IPMOMND-CFEBMNF-WTactical UnitsFigure 6MNC-ISurgeonMNC-ICACEMND-NCSHsReach-backLabs(CONUS)NGICDIAUSACILAFDILBFCWithin MNC-I, a Forensic Exploitation Battalion (FEB) (seeFigure 6) is responsible for forensic operations. The FEBprovides C2 for four geographically dispersed JointExpeditionary Forensic Facilities (JEFF) (one per MND/F).The FEB provides MNC-I and subordinate commands withresponsive, time-sensitive forensic analysis andexploitation. The FEB helps to integrate and synchronizethe elements of the forensic functions and process shownin figures 3 and 4.JEFFs are relocatable laboratories (trailers, shelters, and/orbuildings) that provide the capability to performprocessing, analyses, and exploitation of non-IED forensicmaterial, disseminate and share information, and supportreach-back functions among laboratories, deployedelements, and/or at a site.The Combined Explosives Exploitation Cell (CEXC) wasinitially established in 2004 to provide in-theater analysis,TECHINT, advice to explosive ordnance disposal (EOD)personnel on IED construction and techniques in order toindentify trends, identify IED bomb makers and enableboth offensive and defensive counter-IED operations byCoalition Forces. All IED material is transferred to CEXC forinitial analysis.For additional capabilities, quality assurance, and surgecapacity, organizations in CONUS are utilized. Theseorganizations may include the National Ground IntelligenceCenter, Defense Intelligence Agency, U.S. Army CriminalInvestigation Laboratory, Armed Forces DNA Laboratory,and the Biometric Fusion Center.FOR OFFICIAL USE ONLY

FOR OFFICIAL USE ONLYGatherContextual DataArrive onSceneIs SceneSafe?YESAppropriatePersonnel forCollection?YESTriage forOn-SceneProcess?YESDeliberateCollectionRemoveForensic Materialfrom SceneNONONOFigure 7Notify AppropriatePersonnel toAddress Safety/CollectionSupportingUnit Transitto SceneYESTimelyResponse NOPossible?NOHasty andLimitedCollectionThe Collection ProcessSite collection (Figure 7) may cover a wide-ranging varietyof physical evidence—blood and other biological materials,computer materials, explosives, drugs, firearms, and more.At a minimum, the collector must photograph and/orsketch the evidence in its original position; properly collectand package the evidence and properly mark the evidenceto ensure that it is legally sufficient for potential laterprosecutions. Collection involves carefully packagingdetected items so that their physical integrity is maintained(in containers providing appropriate levels of protection),cross-contamination with other items is prevented, and achain of custody is initiated.The collection of forensic materials for eventual submissionto a laboratory should be completed systematically topreserve the intelligence and/or evidentiary value of theitems, and the process needs to capture all of the relevantcontextual data (the five Ws—who, what, where, when,and why) that time allows. Collecting and submitting anyamount of forensic material (physical evidence) withoutproviding the context in which it was obtained severelylimits its usefulness for any subsequent forensic analyses.While recognizing and dealing with the safety and securityof each location, collectors and their leaders must learn toidentify, search for, locate (detect), collect, and preserveitems. This may also entail the limited “processing” ofitems, such as developing latent prints from fixed items(large and/or immobile structures or objects such asdoorways and desktops) when the need is present andsecurity allows for it.The Transfer ProcessCollection TeamTransfers Materialto Higher HQsIdentifyAppropriateFacilityHigher HQsPreserveMaterialCEXCJEFFBSTJDECFigure 8PrioritizeMaterials forTransferIdentifyTransferMethodDeliverMaterialsto FacilityTransfer consists of physically transporting materials ortransmitting electronic information. Once forensic materialsare in the hands of those collecting them, the materials andinformation are usually transferred to an appropriatelocation that allows for a more complete analysis. Factorssuch as the type of forensic material (e.g., IED, non-IED),perishability, the purpose of the follow-on forensicexamination (identification, targeting, detention,prosecution, or sourcing), the distance to the lab, the modeof transportation available (ground, air, or mail), conditions(a secure or non-secure area), and weather all play a role indetermining when, how, and where the collected materialwill be transported (Figure 8).Material related to explosives or a weapon of concern,including explosive charges, suspected HME, electroniccomponents, containers, timers, anti-material rifles, andimprovised or modified weapon systems or deliverymethods—should be transported to CEXC for exploitation.Material not related to explosives—such as firearms,human remains, and latent prints—may be transported toone of the JEFFs for exploitation.Documentation or media-related material, including suchthings as hard drives and manuals, should be transportedto the BST at the BCT level for exploitation and translation.Chain of custody, contextual information, and preservationof forensic material are paramount throughout the transferprocess.FOR OFFICIAL USE ONLY

FOR OFFICIAL USE ONLYGlobalIntelligenceCommunityUnit on the Scene of the EventSpot ReportSIGACTCIDNECollation withAssociativeReportingContextual Dataand Other SceneDocumentationLimited DistributionEmailDistributionAmplifyingInformationfrom EventWeb-BasedDistributionOther/HigherUnitCollate All Informationfrom the SceneDead EndNoDistributionContextual Information Data FlowFigure 9 represents the unit’s flow of information resulting fromthe collection of forensic material and the supporting contextualdata.Spot report—produced by the unit responding to the scene. Whileon the scene of the event, the unit produces a SITREP, SALUTE, orspot report (in general) for higher headquarters and/or BDOC/JOC.It may request further support or indicate the level of activity andprovide feedback for completion of efforts at the scene of the event.SIGACT—the higher headquarters and or BDOC/JOC of the unitresponding to the scene of an event normally will normally producea SIGACT or significant activity report. The collection of forensicmaterial should always have a SIGACT associated with it topreserve the most contextual data possible and tie it to otherimportant information and distribute it to a global information pool.Amplifying data—upon returning from the site, the respondingunit should consolidate all contextual data associated with theevent. This should include all relevant reporting generated inrelation to the scene, detainee data, photographic records, andstoryboard-type information. Ideally, this amplifying informationshould be linked directly with the SIGACTs in order to distribute itwidely to the global intelligence community. The amplifying datashould be collated by the unit’s S-2 or S-3 and distributed to alarger audience through the direct association of the informationvia Combined Information Data Network Exchange (CIDNE), theCENTCOM-directed reporting tool for Iraq, Afghanistan, and thehorn of Africa for SIGACTS, IED, and HUMINT reporting.Figure 9IEDEventTRIAGERecognizepotentialforensicmaterialAnalyzeforensicmaterialscientificallyPreserveintegrity offorensicmaterialTransferStoreforensicmaterials,pendingdispositionACTIONCollectforensicmaterialShareinformation viastandardizedfiles, andreportsEXPLOITATIONIED Explosion: A Vignette Illustrating theSix Forensic Functions and OperationalProcessThe event of an Improvised Explosive Device (IED)explosion serves to illustrate the forensic functions. Amilitary convoy inadvertently explodes an IED. Personneltrained to recognize the potential items that can be furtherexamined for information must process the site. The searchfor IED parts begins at the crater created by the explosionand works outward, within the security limitations of thescene, until all possibilities are exhausted. The forensicitems are then preserved in such a way as to ensure theirintegrity, after which they are collected (recovered) andtransported to the appropriate forensic facility. Uponarrival, the items are subjected to scientific analyses. Thephysical materials are stored until their proper dispositionis determined. Reports are written and shared with thesubmitting unit, higher commands, and other decisionmakers. Commanders and supporting staff members canthen use the reports to make decisions and take action (seeFigure 10).ForceProtectionTargetingSourcingProsecutionMedicalFigure 10FOR OFFICIAL USE ONLY