BATTLEFIELD DIGITAL FORENSICS
BDF_Battlefield_Digital_Forensics_final
BDF_Battlefield_Digital_Forensics_final
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
6<br />
Computer Forensics<br />
Agostino Panico<br />
As mentioned by Lorge in [4], in the past, a unit would probably have cleared a building and moved on, or<br />
detonated an improvised explosive device, but today they might dust for fingerprints, take water bottles for<br />
DNA testing, and collect other evidence first. The same can happen for digital forensics.<br />
Perry describes computer forensics as follows: ‘Computer forensics involves the identification, extraction,<br />
documentation, preservation, and interpretation of computer data.’ [1] Computer forensics actually begins<br />
when SOF operators scan and identify the digital assets for transport, and then eventually turn them over to<br />
forensic specialists and intelligence analysts for technical exploitation. Digital information seized as a result of<br />
special operations might be used for intelligence-gathering, typical of technical exploitation operations. It<br />
might also serve as evidence in legal proceedings, typical of evidence-based operations (EvBO). For the latter, a<br />
well-documented chain of custody is therefore fundamental, as detailed in Chapter 10 – ‘Chain of Custody‘.<br />
This chapter first introduces computer forensics and then details the technical architecture supporting SOF<br />
digital forensics tasks. It also describes the information statistically gatherable during the analysis, providing<br />
guidance for prioritisation in any SOF team acquisition.<br />
6.1 Computer Forensics: Introduction<br />
Digital forensics has consistently been used by law enforcement, resulting in procedures, rules and best<br />
practice continually being developed. Nowadays, the minimum requirements for handling digital evidences are<br />
well established.<br />
Digital forensics has also featured in fiction, in the criminal investigation context. This might have led to a<br />
misleading idea of digital forensics as a point-and-click feature, with which any kind of information can be<br />
retrieved in a matter of seconds. Unfortunately this is not completely true.<br />
In this monograph, the more restricted scenario of battlefield digital forensics is considered rather than<br />
criminal scene digital forensics. SOF operates in the context of combat-compressed operations, where different<br />
dynamics apply in comparison to law enforcement.<br />
This potentially makes the acquisition of evidence an issue, if police investigation best practices are to be used<br />
in the battlefield. In addition, it is noteworthy that there is no publicly available and updated source that<br />
explains how to carry out data acquisition in a hostile environment.<br />
There are a number of general principles that underpin the collection and preservation of digital information<br />
seized during operations. The SIDSS acronym captures the essence of what should be performed by SOF.<br />
Force protection always comes first. Next, actions taken regarding electronic information should avoid creating<br />
or causing changes or damage to electronic evidence. Personnel should have basic knowledge of how to<br />
acquire digital information. Appropriate tools should be used when possible. All steps taken to preserve the<br />
digital evidence collected should be fully documented, including pictures and/or notes when possible.<br />
Documentation of the scene should possibly include the entire location – for example, the type and the<br />
position of computers, their components and peripheral equipment, and other electronic devices. These<br />
activities can be done later after combat action, once security is assured and probably off-site.<br />
Best practices for conducting forensics computer operations are as follows:<br />
<br />
train personnel in basic computer forensics and anti-forensics techniques;<br />
20