BATTLEFIELD DIGITAL FORENSICS
Recommendation: When designing and configuring tools, be aware of the possibility of various data hiding techniques.

Recommendation: If possible, try to do live imaging of storage media and RAM instead of only seizing them (secure). Note that this might take too much time to be accomplished during the special operation; however, it could be possible to use additional devices and techniques as presented in Chapter 9 ‘Sustaining the Data’ to transfer the live images after the special operation.

Recommendation: If data is collected wirelessly during and after the operation via specific extractors, it should be possible to physically destroy them remotely when wanted, or automatically after the data collection.

Recommendation: Be aware that hard drives or SSD disks might be encrypted, so if possible, try to capture computers ‘as is’, without shutting them down or removing any storage media (secure).
7.2 Artefact Wiping

Artefact wiping means techniques for automatically or manually eliminating particular data, files or entire file systems, usually permanently.¹⁴ It includes data erasure (also referred to as data clearing or data wiping), and disk degaussing and destruction¹⁵ techniques. As mentioned in [18], artefact wiping tools make analysis more difficult for forensics examiners, but they are not perfect. This chapter describes artefact wiping techniques that the (SOF)DFA should be aware of.
If the (SOF)DFA is able to log in to the OS or access an unlocked screen, and assesses that destructive processes are running, the device should be turned off immediately by removing the power cord or battery, including those of connected devices. The following example terms can indicate destruction: ‘wipe’, ‘delete’, ‘format’, ‘remove’; however, the system’s language may not be English, and destructive processes can also run stealthily. Still, it is important to check screens during the seizure, because a destructive technique such as data wiping may be started only after the forensics tools are connected to the device.
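As an added triage aid (example code, not part of the original document), the following screens a process listing for the indicator terms named above; the process listing, the German term passed as an operator-supplied extension, and the extra ‘shred’/‘dd to block device’ patterns are constructed for this example and are not from the page.

```python
"""Screen a process listing for indicators of artefact wiping (constructed example).

Indicator terms 'wipe', 'delete', 'format', 'remove' are those named in the
text; 'shred' and dd writing to a raw block device are added here as further
well-known Linux wiping patterns. The process listing is made up.
"""
import re

# Terms from the text; extend per system language (the text warns it may not be English).
DEFAULT_TERMS = ("wipe", "delete", "format", "remove", "shred")
# dd writing straight to a block device, e.g. of=/dev/sda (assumed pattern)
DD_BLOCK_DEVICE = re.compile(r"\bdd\b.*\bof=/dev/(sd|nvme|mmcblk|hd)", re.IGNORECASE)


def parse_ps(listing):
    """Parse 'PID USER COMMAND' lines (as printed by `ps -eo pid,user,args`)."""
    procs = []
    for line in listing.strip().splitlines()[1:]:  # skip the header line
        parts = line.split(None, 2)
        if len(parts) == 3:
            procs.append((int(parts[0]), parts[1], parts[2]))
    return procs


def flag_destructive(listing, extra_terms=()):
    """Return [(pid, indicator, command)] for processes whose command line matches.

    Substring, case-insensitive matching favours recall: the operator decides.
    An empty result is NOT proof of safety; wiping may run under an innocuous name.
    """
    terms = tuple(t.lower() for t in DEFAULT_TERMS + tuple(extra_terms))
    flagged = []
    for pid, _user, cmd in parse_ps(listing):
        hit = next((t for t in terms if t in cmd.lower()), None)
        if hit:
            flagged.append((pid, hit, cmd))
        elif DD_BLOCK_DEVICE.search(cmd):
            flagged.append((pid, "dd->block device", cmd))
    return flagged


SAMPLE_PS = """\
  PID USER     COMMAND
    1 root     /sbin/init
  842 user     /usr/bin/python3 /home/user/sync.py
 1203 root     shred -n 3 -z /dev/sdb
 1210 user     dd if=/dev/zero of=/dev/sda bs=4M
 1307 user     /usr/lib/firefox/firefox
 1415 user     /opt/tools/Datenvernichtung --alles
"""

if __name__ == "__main__":
    # 'vernichtung' (German: destruction) is passed as a localised extra term
    for pid, why, cmd in flag_destructive(SAMPLE_PS, extra_terms=("vernichtung",)):
        print(f"PID {pid}: {why}: {cmd}")
```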
7.2.1 Wiping Data Remotely and Self-Destruction

In a normal situation, artefact wiping is done by specific cleaning tools.¹⁶ In such situations there is no need to do it fast, but during (or after) the operation, the enemy may use faster, more automated, and remotely working techniques. This chapter describes self-destruction techniques and techniques usable for remotely wiping the data.

As described by Jane Wakefield in [19], criminals have used remote wiping functions to wipe mobile devices that were seized by police officers and secured in police stations. Because of this, it is important to store devices properly immediately after capturing them. For this, anything providing the functionality of a Faraday cage is suitable.¹⁷ However, it is good to remember that kill-switch software exists, which wipes the device if it cannot connect to, or be contacted from, a certain location within a certain amount of time. Self-destruction can be implemented in smartphones, for example, by using specific clients that connect to a management server; if there is no connectivity, the smartphone will be wiped. Use of self-destruction functionality is not
¹⁴ Even if the purpose is to eliminate data permanently, in some cases and with specific tools it might be possible to get information about it. See, for example, cases where formatting a disk once has not been enough.
¹⁵ It is possible to send remote commands to disks to destroy them physically, or to use booby-traps.
¹⁶ One cleaning tool is CCleaner, which is downloadable from https://www.piriform.com/ccleaner.
¹⁷ Military and intelligence agencies use Faraday bags to prevent unwanted applications being invoked remotely or data altered after devices are seized. More details about Faraday bags can be found in Chapter 4 ‘The SIDSS Triage’.