BATTLEFIELD DIGITAL FORENSICS

5
Onto the Battlefield
Christian Braccini
The asymmetric threat environment where SOF operate includes expected or unexpected exposure to
electronic devices and storage media being used by the enemy to process critical information. The opportunity
to target the enemy’s Battlefield Internet of Things, either for intelligence exploitation or legal actions against
illegal combatants/criminals, lies in the digital forensics capabilities of combat-compressed operations, typical
of SOF. These capabilities begin with SOF operators scanning and identifying the digital assets for transport,
then eventually turning them over to forensic specialists and intelligence analysts for technical exploitation [1].
Having established a proper chain of custody would be the key for any criminal prosecution.
SOF will have to deal with a complex set of procedures where different variables influence the overall success
of digital media collection. The triaged approach, as proposed in this monograph, aims at maximising the
effectiveness of decisions to be taken in combat-compressed operations that are likely to be also technical
exploitation operations. Far from turning SOF operators into IT experts, the maximum use of automation and
the latest technological findings, in terms of deployable architecture supporting data extraction, show the way
for SOF to achieve accuracy, agility and rapidity when it comes to digital data collection.
From this narrowed approach, focused on SOF operating in the battlefield, different scenarios might be derived
ranging from homeland counterterrorism to more conventional investigations. Different constraints, in terms
of survivability on the ground and technological support available, might therefore require specific tailoring of
digital forensics procedures as proposed in this study.
The chapters that follow are intended to describe in more detail the role of technology in leading digital
intelligence and evidence collection on the battlefield. Opportunities lie on both sides, the ally and the enemy,
where the effectiveness of digital forensics techniques and the sophistication of supporting architectures
confront the equivalent, advanced anti-forensics response of the opponents. The insights presented here aim
to support the different principles constituting the SIDSS triaging model: the IT architecture estimation of the
target infrastructure including anti-forensics measures potentially in place (scan); the most effective
procedures for physically extracting hard disk drives; expeditionary wireless ad-hoc networks supporting a
surveillance software-driven exfiltration of data (secure); and how to conduct the operation in line with the
legal framework and create a chain of custody.
In particular, the following chapters contain the present information:
Chapter 6 – ‘Computer Forensics’ covers in detail the technical architecture supporting SOF digital
forensics tasks. It also includes a description of the information statistically gatherable during analysis,
providing guidance for the SOF team’s prioritisation of acquisition.
Chapter 7 – ’Anti-Forensics Measures’ covers anti-forensics measures that the SOF should be aware of. It
concentrates on opposing techniques used to make the scanning and identification of evidence more
difficult; it also describes techniques that can be used by the enemy after the collection, for example to
wipe the evidence or to destroy forensics investigation tools.
Chapter 8 – ‘Exfiltration Solutions’ describes different data exfiltration scenarios for SOF digital intelligence
collection operations. Simple flowcharts with explanations clarify the SOF operator’s decision on how to
proceed if a specific type of device is identified. Basic mechanisms for how to secure an electronic device
that represents potential evidence are included in the chapter as well.
Chapter 9 – ‘Sustaining the Data’ gives an overview of requirements and possible technological alternatives
for the establishment of an information channel during the sustain phase of the SIDSS triaging model. This
18