BATTLEFIELD DIGITAL FORENSICS

More documents

Recommendations

Info

Scan networks. Calculate amount of networks. Scan how much traffic networks have (custom tools needed). Detect suspicious networks. NO Networks visible? YES NO SCAN Fake or suspicious networks present? NO YES Jam wireless networks Detect fake wired networks Identify standalone device. See and proceed with flowcharts of Section 6.3. In addition: Identify hidden and obfuscated devices, booby-traps and kill-switches (and their type) from standalone devices. Identify connections. See and proceed with flowcharts of Section 6.3. In addition: Identify wireless networks and devices used for booby-traps and kill-switches, and wired booby-traps and kill-switches. Booby-traps or killswitches identified? NO NO Booby-traps or killswitches identified? IDENTIFY YES. Wireless booby-traps or kill-switches identified YES. Wired booby-traps or kill-switches identified Identify the device type. See and proceed with ‘Exfiltration process’ flowchart of Section 6.3. In addition: Identify suspicious, obfuscated and hidden devices. YES. Wired booby-traps or kill-switches identified YES. Wireless booby-traps or kill-switches identified. Document all discovered anti-forensics techniques, and suspicous connections and devices. See Sections 6.3 and 6.5. DOCUMENT Do not remove wired kill-switches or devices. Capture the setup as is, if possible. See and proceed with ‘Device collection process’ flowcharts of Appendix C. SECURE Secure wireless devices into faraday bags. Use same bags for devices connected to each other wirelessly. See and proceed with ‘Device collection process’ flowcharts of Section 6.3. Use techniques described in Section 6.4, especially for servers. SUSTAIN Be aware of AF-techniques able to destroy forensics analysis equipment or make forensics otherwise more difficult AFTER THE STRIKE Flowchart 2. Anti-forensics mapped to SIDSS. 41
8 Exfiltration Solutions Michal Sadlon Exfiltration is one of the most difficult parts of the forensics process and covers activities over the entire triaging model. Exfiltration does not only consist of acquisition: there are also other important operations that should be done throughout. As mentioned in Chapter 6 – ‘Computer Forensics‘, there are several aspects leading to different scenarios. 8.1 Exfiltration Process Flowchart 3 depicts the exfiltration process by including all steps of the SIDSS triaging model. Scenarios mainly depend on the type of electronic device being identified. Therefore, the identification phase is important. SCAN IDENTIFY electronic device Small electronic devices and media (very portable) Type of device Laptops, tablets, cell phones (portable) Desktops, servers, disk arrays (not portable) DOCUMENT Proceed with flowchart 5 Proceed with flowchart 4 SECURE SUSTAIN Flowchart 3. Exfiltration process. Device type/size: (see Flowchart 3) the following types have been recognised: ·VERY PORTABLE: small electronic devices and removable media (USB media, CD/DVD, external hard disk, camera, audio recorder, SIM cards ...). 42
Page 1 and 2: Christian Braccini, Teemu Väisäne
Page 3 and 4: About the NATO CCD COE The NATO Coo
Page 5 and 6: Table of Contents About the NATO CC
Page 7 and 8: Figures Figure 1. The Targeting Cyc
Page 9 and 10: LED Linux LTE MANET materiel MEDEX
Page 11 and 12: properly discovered, preserved and
Page 13 and 14: From a targeting perspective, digit
Page 15 and 16: . Utilise the existing internet con
Page 17 and 18: Figure 3. A faulty laptop explosive
Page 19 and 20: 5 Onto the Battlefield Christian Br
Page 21 and 22: 6 Computer Forensics Agostino Panic
Page 23 and 24: In a wireless ad-hoc network, all t
Page 25 and 26: However, this solution is impossibl
Page 27 and 28: Connection Backup: The vector shoul
Page 29 and 30: The goal of this statistical approa
Page 31 and 32: 7 Anti-Forensics Measures Teemu Vä
Page 33 and 34: Recommendation: When designing and
Page 35 and 36: As presented by Azadegan, Liu, Sist
Page 37 and 38: Recommendation: Be aware that harml
Page 39 and 40: security for smartphones are descri
Page 41: If any marks of explosives are dete
Page 45 and 46: Portable device found Laptop Type o
Page 47 and 48: As with other portable devices (suc
Page 49 and 50: Devices might be found in different
Page 51 and 52: 4. Remove the drive from the drive
Page 53 and 54: items of the evidence, typically on
Page 55 and 56: 9.1 Surveillance Software Installat
Page 57 and 58: A communication channel to satellit
Page 59 and 60: Figure 21. ABSOLUTE System Architec
Page 61 and 62: 10 Chain of Custody Kris van der Me
Page 63 and 64: police or other official investigat
Page 65 and 66: [15] E. Imsand and J. A. Hamilton,
Page 67 and 68: [46] J. M. Kahn, R. H. Katz, and K.
Page 69: 13 Acknowledgements Authors of the

BATTLEFIELD DIGITAL FORENSICS

Create successful ePaper yourself

Delete template?

Save as template?