BATTLEFIELD DIGITAL FORENSICS

More documents

Recommendations

Info

4 The SIDSS Triage Christian Braccini In [1] Perry has identified a set of ‘rational and well-conceived principles to guide operators when involved in the search and seizure of digital information and electronic devices’. The set, underpinning the scan, identify, document and secure phases of the process, is further expanded with the sustain phase in this monograph. Basic principles are as follows: 1. SCAN 2. IDENTIFY 3. DOCUMENT 4. SECURE 5. SUSTAIN a. Visually scan the environment for the presence of electronic media and devices. Be aware of hidden and obfuscated devices. b. Scan the area for the presence of a wireless/wired network. Use the information obtained to calculate the probable number of devices. However, be aware that fake networks may also exist. a. Identify electronic devices, all digital devices, media and connectors. b. Identify devices connected to any network (local or external). c. Examine the devices for any visible damage. d. Identify booby-traps, kill-switches and devices using other anti-forensics techniques. a. Log any visible physical damage. b. Video/photographically document room(s) in which the equipment is found, the front and back of the computer or sketch any physical evidence (including cords and connections) to be seized, before removing. c. Operators should generally avoid active interaction with the computer, unless planned (e.g., on-loading surveillance software may actually be the mission). d. Use labels (to include the collector’s initials, date, and time), putting evidence tape on the back of the machine. e. List the contents of each container that is being transported, when time permits, and seal with evidence tape. f. Record all activities conducted and maintain a chain of custody. a. Secure any printed material or hard-copy evidence. b. Determine if device is on or off; if on, the screen might have content of interest (take pictures). Otherwise, look for lights or sounds. c. Try to access volatile data content. Be aware that anti-forensics memory techniques might have been used to modify volatile content. d. Power down any devices only if forced to (i.e. physical extraction of HDDs) and log the time of the shutdown. e. Safely secure seized electronic devices and media for transport in a hard-shell case (if available), Faraday bag, packing foam, antistatic plastic wrap, or cotton cloth. a. Install surveillance software if conditions allow. 13
. Utilise the existing internet connection or create a temporary communication channel for data extraction from the relevant digital devices. c. Utilise wireless networks and other possible communication technologies according to the requirements of the Theatre. SCAN Network not visible/detected Network detection Network detected Wireless connection detected Identify connections Wired connection detected Identify standalone devices Wireless devices identification Wired devices identification DOCUMENT SECURE SUSTAIN Flowchart 1. Collecting digital evidence. A visual representation of the triage is shown in Flowchart 1. Certain activities might or might not be initiated simultaneously with others: for example, pending time availability and force protection, the document phase might happen off-site, once team security is granted. Nevertheless, behind any principle of necessity a certain 14
Page 1 and 2: Christian Braccini, Teemu Väisäne
Page 3 and 4: About the NATO CCD COE The NATO Coo
Page 5 and 6: Table of Contents About the NATO CC
Page 7 and 8: Figures Figure 1. The Targeting Cyc
Page 9 and 10: LED Linux LTE MANET materiel MEDEX
Page 11 and 12: properly discovered, preserved and
Page 13: From a targeting perspective, digit
Page 17 and 18: Figure 3. A faulty laptop explosive
Page 19 and 20: 5 Onto the Battlefield Christian Br
Page 21 and 22: 6 Computer Forensics Agostino Panic
Page 23 and 24: In a wireless ad-hoc network, all t
Page 25 and 26: However, this solution is impossibl
Page 27 and 28: Connection Backup: The vector shoul
Page 29 and 30: The goal of this statistical approa
Page 31 and 32: 7 Anti-Forensics Measures Teemu Vä
Page 33 and 34: Recommendation: When designing and
Page 35 and 36: As presented by Azadegan, Liu, Sist
Page 37 and 38: Recommendation: Be aware that harml
Page 39 and 40: security for smartphones are descri
Page 41 and 42: If any marks of explosives are dete
Page 43 and 44: 8 Exfiltration Solutions Michal Sad
Page 45 and 46: Portable device found Laptop Type o
Page 47 and 48: As with other portable devices (suc
Page 49 and 50: Devices might be found in different
Page 51 and 52: 4. Remove the drive from the drive
Page 53 and 54: items of the evidence, typically on
Page 55 and 56: 9.1 Surveillance Software Installat
Page 57 and 58: A communication channel to satellit
Page 59 and 60: Figure 21. ABSOLUTE System Architec
Page 61 and 62: 10 Chain of Custody Kris van der Me
Page 63 and 64: police or other official investigat
Page 65 and 66:
[15] E. Imsand and J. A. Hamilton,
Page 67 and 68:
[46] J. M. Kahn, R. H. Katz, and K.
Page 69:
13 Acknowledgements Authors of the
show all

BATTLEFIELD DIGITAL FORENSICS

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?