BATTLEFIELD DIGITAL FORENSICS

2
Introduction
Christian Braccini
2.1 The Battlefield Internet of Things
The enemy, whether an insurgent or a conventional, symmetrical one, needs to communicate. Command and
Control (C2) structures supporting the enemy’s operations reflect the technological evolution; and this
particularly applies to the miniaturisation of components providing the always-connected modality (Internet of
Things) in the battlefield. Digital data are therefore present in the form of devices associated with cyberpersonas,
being used in coordinating military or insurrectional activities. These activities may consist of
financing dormant troops or recruiting and training terrorists to operate in the coalition’s homelands. In this
regard, digital data collected from the battlefield, as evidence, might prove of strategical importance in
dismantling the enemy’s network. The ‘Battlefield Internet of Things’ (BIoT), including the systems that
insurgents use and the information they process over the internet via smartphones, computers, tablets, PDAs,
etc., must be successfully exploited: digital intelligence collection is an opportunity that coalition forces cannot
allow to pass by.
2.2 Exploitation of Digital Data
The battlefield is characterised by the extensive use of digital devices to process information. The capability to
exploit digital data, either in the form of media exploitation (MEDEX) or cell-phone exploitation (CELLEX), has
assumed a fundamental role in providing actionable intelligence, denying the enemy resources, or securing a
criminal conviction. In the intelligence cycle, digital elements of information collected from targeted sites, once
technically exploited, are disseminated in the form of intel-warnings on hostile activities. Friendly forces can
therefore maintain up-to-date situational awareness by feeding into their Common Operational Picture (COP).
From an intelligence exploitation perspective, digital data differ considerably from paper documents and
cannot be handled in the same way. The science of digital forensics, aimed at covering this gap, is still in its
infancy, with standards and best practices struggling to keep up with the lightning introduction of new
technologies. Digital forensics does not only relate to laptop and desktop computers: it includes mobile
devices, networks and cloud systems. It may also include the analysis of logs, passwords and internet access,
decoding data hidden with steganography, or retrieving deleted data from unallocated space, in order to build
a virtual user profile during an investigation.
The work of crime scene investigation, more mature compared to battlefield forensics, has also benefited
considerably from the introduction of digital forensics techniques. Digital data collected from the scene are
volatile in nature due to the complexity of their structure (file, database, information) and the fragility of digital
storage devices. Incorrect handling of devices may result in consistent data loss. Anti-forensics techniques are
significantly exploiting these vulnerabilities. Digital evidence collection needs to ensure that no alteration has
occurred, from the very beginning of the chain of custody, in order to maintain its probative value.
Crime scene investigation differs in many aspects from the battlefield environment, where other factors such
as force protection, agility and rapidity have predominant roles. This applies particularly to Special Operation
Forces (SOF), whose characteristic Technical Exploitation Operations (TEO) produce extra complexity but
considerable intel-payoff in terms of digital evidence collection.
The set of recommendations that this paper provides is intended to assist Special Forces or any other first
responders in recognising, collecting and safeguarding digital evidence in a hostile environment, most likely in a
TEO contest. It is not all-inclusive, but addresses situations encountered in combat-compressed operations
where exposure to enemy Information Technology (IT) systems occurs. When digital media devices can be
9