BATTLEFIELD DIGITAL FORENSICS

6
Computer Forensics
Agostino Panico
As mentioned by Lorge in [4], in the past, a unit would probably have cleared a building and moved on, or
detonated an improvised explosive device, but today they might dust for fingerprints, take water bottles for
DNA testing, and collect other evidence first. The same can happen for digital forensics.
Perry describes computer forensics as follows: ‘Computer forensics involves the identification, extraction,
documentation, preservation, and interpretation of computer data.’ [1] Computer forensics actually begins
when SOF operators scan and identify the digital assets for transport, and then eventually turn them over to
forensic specialists and intelligence analysts for technical exploitation. Digital information seized as a result of
special operations might be used for intelligence-gathering, typical of technical exploitation operations. It
might also serve as evidence in legal proceedings, typical of evidence-based operations (EvBO). For the latter, a
well-documented chain of custody is therefore fundamental, as detailed in Chapter 10 – ‘Chain of Custody‘.
This chapter first introduces computer forensics and then details the technical architecture supporting SOF
digital forensics tasks. It also describes the information statistically gatherable during the analysis, providing
guidance for prioritisation in any SOF team acquisition.
6.1 Computer Forensics: Introduction
Digital forensics has consistently been used by law enforcement, resulting in procedures, rules and best
practice continually being developed. Nowadays, the minimum requirements for handling digital evidences are
well established.
Digital forensics has also featured in fiction, in the criminal investigation context. This might have led to a
misleading idea of digital forensics as a point-and-click feature, with which any kind of information can be
retrieved in a matter of seconds. Unfortunately this is not completely true.
In this monograph, the more restricted scenario of battlefield digital forensics is considered rather than
criminal scene digital forensics. SOF operates in the context of combat-compressed operations, where different
dynamics apply in comparison to law enforcement.
This potentially makes the acquisition of evidence an issue, if police investigation best practices are to be used
in the battlefield. In addition, it is noteworthy that there is no publicly available and updated source that
explains how to carry out data acquisition in a hostile environment.
There are a number of general principles that underpin the collection and preservation of digital information
seized during operations. The SIDSS acronym captures the essence of what should be performed by SOF.
Force protection always comes first. Next, actions taken regarding electronic information should avoid creating
or causing changes or damage to electronic evidence. Personnel should have basic knowledge of how to
acquire digital information. Appropriate tools should be used when possible. All steps taken to preserve the
digital evidence collected should be fully documented, including pictures and/or notes when possible.
Documentation of the scene should possibly include the entire location – for example, the type and the
position of computers, their components and peripheral equipment, and other electronic devices. These
activities can be done later after combat action, once security is assured and probably off-site.
Best practices for conducting forensics computer operations are as follows:
train personnel in basic computer forensics and anti-forensics techniques;
20