BATTLEFIELD DIGITAL FORENSICS

More documents

Recommendations

Info

3 Statement of the Problem Christian Braccini 3.1 Digital Intelligence and Evidence Collection Today’s military is adapting to asymmetrical warfare and evolving real-time threat matrices that require new approaches to military operations. Digital intelligence and evidence collection (as part of site exploitation) represent the new approach in targeting mobile, social, virtual and collaborative threat models to process information. Site exploitation is composed of tactical exploitation and technical exploitation as described in ATP 3-90.15 [2]. Tactical site exploitation consists of activities performed at or near a specific spot. These activities enable materiel at the site to be effectively detected, collected, and processed. The materiel exploitation that follows will likely answer information requirements and facilitate future operations. Conversely, technical exploitation is conducted off-site, in most cases. The security environment of forward operating bases (FOB) or national-level laboratories for technical exploitation allows for the later use of advanced processing techniques. ATP 3-90.15 [2] further describes the use of forensic-based procedures to ensure that identification and collection tasks support the analysis and dissemination in the targeting cycle presented in Figure 1. The targeting cycle can quickly take apart the network of an insurgency or at least damage it to such an extent as to make it a low-level threat. Figure 1. The Targeting Cycle [3]. As tactical site exploitation capabilities evolve, Special Operations Forces (SOF) are challenged with more technically advanced core activities on-site, including: Search techniques; Biometrics; Forensics; and Document and media exploitation. 11
From a targeting perspective, digital media found in a site potentially produce evidence indicating C2 activities with nodes of the enemy’s network (proxies). A thorough Tactical Questioning (TQ) of detainees might provide hints for the attribution of social media accounts operating C2 covert activities. A surveillance operation of proxies’ location potentially produces further intelligence and a subsequent raid, which in turn provides other evidence and more intelligence. Site exploitation is composed of five core activities [2]: Detect; Collect; Process; Analyse; and Disseminate. These activities inform the methodology (triage) to adopt during the media and cell-phone collection performed while on site, which is of specific interest in this paper. A dedicated paragraph will address the (digital) triage in the context of site exploitation compressed operations. 3.2 The SOF Digital Challenge The likelihood that SOF will encounter enemy computers, portable electronic equipment and digital storage media has definitely grown since Perry [1] first stated it. One of the biggest challenges for SOF is collecting and handling the discovered data so that it can be subjected to forensic analysis. As Perry [1] explains, ‘successfully discovering, preserving, and assuring digital intelligence for exploitation and legal purposes is essential to support mission assurance and national security objectives’. Digital data are inherently volatile due to the complexity of their structure and the fragility of the digital storage; the corruption of a few bits of data might render the information impossible to retrieve. In order not to contravene courts’ rules of admissibility, digitalbased evidence has to be presented in a suitable way that will lead to the successful conviction of terrorists. How can SOF conduct tactical site exploitation (from tactical entry, discovery of digital assets and the establishment of a valid chain of custody) without endangering the lives of operators, while still assuring the integrity of digital information? When dealing with digital evidence, general forensics procedures should be applied: The process of collecting, securing, and transporting digital evidence should not alter the evidence. Digital evidence should be processed only by those qualified specifically for that purpose. Everything done during the seizure, transportation and storage of digital evidence should be fully documented, preserved and available for review. Chaos and unpredictability characterise the battlefield. Force protection (FP) and prioritisation should remain the primary consideration for responders. Assuring electronic evidence collection is therefore one of the biggest challenges for SOF. Every team operating on the site will have to rapidly identify sources of valuable digital information, document the findings, and secure computers and storage media. To accomplish this new mission, SOF will consider employing a Digital Forensics Asset (DFA), ‘which basically is adding yet another skill to SOF’s already full rucksacks’ [1]. 12
Page 1 and 2: Christian Braccini, Teemu Väisäne
Page 3 and 4: About the NATO CCD COE The NATO Coo
Page 5 and 6: Table of Contents About the NATO CC
Page 7 and 8: Figures Figure 1. The Targeting Cyc
Page 9 and 10: LED Linux LTE MANET materiel MEDEX
Page 11: properly discovered, preserved and
Page 15 and 16: . Utilise the existing internet con
Page 17 and 18: Figure 3. A faulty laptop explosive
Page 19 and 20: 5 Onto the Battlefield Christian Br
Page 21 and 22: 6 Computer Forensics Agostino Panic
Page 23 and 24: In a wireless ad-hoc network, all t
Page 25 and 26: However, this solution is impossibl
Page 27 and 28: Connection Backup: The vector shoul
Page 29 and 30: The goal of this statistical approa
Page 31 and 32: 7 Anti-Forensics Measures Teemu Vä
Page 33 and 34: Recommendation: When designing and
Page 35 and 36: As presented by Azadegan, Liu, Sist
Page 37 and 38: Recommendation: Be aware that harml
Page 39 and 40: security for smartphones are descri
Page 41 and 42: If any marks of explosives are dete
Page 43 and 44: 8 Exfiltration Solutions Michal Sad
Page 45 and 46: Portable device found Laptop Type o
Page 47 and 48: As with other portable devices (suc
Page 49 and 50: Devices might be found in different
Page 51 and 52: 4. Remove the drive from the drive
Page 53 and 54: items of the evidence, typically on
Page 55 and 56: 9.1 Surveillance Software Installat
Page 57 and 58: A communication channel to satellit
Page 59 and 60: Figure 21. ABSOLUTE System Architec
Page 61 and 62: 10 Chain of Custody Kris van der Me
Page 63 and 64:
police or other official investigat
Page 65 and 66:
[15] E. Imsand and J. A. Hamilton,
Page 67 and 68:
[46] J. M. Kahn, R. H. Katz, and K.
Page 69:
13 Acknowledgements Authors of the
show all

BATTLEFIELD DIGITAL FORENSICS

Create successful ePaper yourself

Delete template?

Save as template?