BATTLEFIELD DIGITAL FORENSICS
From a targeting perspective, digital media found in a site potentially produce evidence indicating C2 activities with nodes of the enemy's network (proxies). A thorough Tactical Questioning (TQ) of detainees might provide hints for the attribution of social media accounts operating C2 covert activities. A surveillance operation of proxies' location potentially produces further intelligence and a subsequent raid, which in turn provides other evidence and more intelligence.
Site exploitation is composed of five core activities [2]:

- Detect;
- Collect;
- Process;
- Analyse; and
- Disseminate.
These activities inform the methodology (triage) to adopt during the media and cell-phone collection performed while on site, which is of specific interest in this paper. A dedicated paragraph will address the (digital) triage in the context of site exploitation compressed operations.
3.2 The SOF Digital Challenge<br />
The likelihood that SOF will encounter enemy computers, portable electronic equipment and digital storage media has definitely grown since Perry [1] first stated it. One of the biggest challenges for SOF is collecting and handling the discovered data so that it can be subjected to forensic analysis. As Perry [1] explains, 'successfully discovering, preserving, and assuring digital intelligence for exploitation and legal purposes is essential to support mission assurance and national security objectives'. Digital data are inherently volatile due to the complexity of their structure and the fragility of the digital storage; the corruption of a few bits of data might render the information impossible to retrieve. In order not to contravene courts' rules of admissibility, digital-based evidence has to be presented in a suitable way that will lead to the successful conviction of terrorists.

How can SOF conduct tactical site exploitation (from tactical entry, discovery of digital assets and the establishment of a valid chain of custody) without endangering the lives of operators, while still assuring the integrity of digital information?
When dealing with digital evidence, general forensics procedures should be applied:

- The process of collecting, securing, and transporting digital evidence should not alter the evidence.
- Digital evidence should be processed only by those qualified specifically for that purpose.
- Everything done during the seizure, transportation and storage of digital evidence should be fully documented, preserved and available for review.
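The three procedural requirements above (unaltered evidence, documented handling, reviewable record) can be enforced mechanically. The following is an added example, not part of the paper: a minimal chain-of-custody manifest in which the acquired image is fingerprinted at seizure and every custody event is hash-chained to the previous one, so that later alteration of either the media image or the log is detectable at review. Item tags, names and timestamps are constructed.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Added example (not from the paper): hash-chained chain-of-custody log for
# media seized during site exploitation. Item ids, actors and times are
# constructed placeholders.


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyLog:
    item_id: str          # tag attached to the seized device (constructed)
    image_hash: str       # SHA-256 of the acquired image, taken at seizure
    events: list = field(default_factory=list)

    def append(self, actor: str, action: str, when: str) -> dict:
        # Each event commits to the previous entry (or to the image hash for
        # the first event), forming a tamper-evident chain.
        prev = self.events[-1]["entry_hash"] if self.events else self.image_hash
        body = {"actor": actor, "action": action, "when": when, "prev": prev}
        body["entry_hash"] = sha256_hex(json.dumps(body, sort_keys=True).encode())
        self.events.append(body)
        return body

    def verify_chain(self) -> bool:
        # Recompute every entry hash and check each link points at its predecessor.
        prev = self.image_hash
        for ev in self.events:
            body = {k: v for k, v in ev.items() if k != "entry_hash"}
            if body["prev"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != ev["entry_hash"]:
                return False
            prev = ev["entry_hash"]
        return True

    def verify_image(self, image: bytes) -> bool:
        # True only if the image presented for analysis is bit-for-bit the
        # one fingerprinted on site.
        return sha256_hex(image) == self.image_hash


def seize(item_id: str, image: bytes, collector: str, when: str) -> CustodyLog:
    log = CustodyLog(item_id=item_id, image_hash=sha256_hex(image))
    log.append(collector, "acquired image on site", when)
    return log
```

Any reviewer holding the manifest can rerun `verify_image` on the delivered image and `verify_chain` on the log without trusting the people who transported it.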
Chaos and unpredictability characterise the battlefield. Force protection (FP) and prioritisation should remain the primary consideration for responders. Assuring electronic evidence collection is therefore one of the biggest challenges for SOF. Every team operating on the site will have to rapidly identify sources of valuable digital information, document the findings, and secure computers and storage media. To accomplish this new mission, SOF will consider employing a Digital Forensics Asset (DFA), 'which basically is adding yet another skill to SOF's already full rucksacks' [1].