BATTLEFIELD DIGITAL FORENSICS
9.1 Surveillance Software Installation and Forensics Data Extraction

There are commercially available surveillance software tools [46] that law enforcement bodies use to track criminal suspects. These tools place malware on the suspect's computer by various methods, such as exploiting vulnerabilities in popular software, abusing flaws in update mechanisms, or delivering malicious code through spear-phishing e-mails. Removable storage devices such as USB drives can easily be used for the same purpose. The malware enables the law enforcement body to control the suspect's computer remotely, obtain important files and credential information, and intercept the suspect's communications.

In the battlefield forensics scenario, surveillance software can be used to extract forensics data during and after the operation. Because SOF operators have physical access to the digital devices, they can install this software from USB drives or similar removable media. The main function of the installed software is to find and extract relevant data on the target device and send it automatically to the data collector server. It may seek internet connectivity and then send the forensics data to the data collector server over the internet. If there is no existing internet connection, the software can use a network connection established during the operation by the SOF operators.

The inherent nature of the target infrastructure places many technical and operational restrictions on the duration of the connection and the amount of data that can be obtained. Therefore, the data extraction strategy should rely on searching the data for specific content rather than obtaining a whole image of the target device. Equipping the surveillance software with the relevant search patterns can be a vital forensics preparation step for the operation. Search patterns may include user credential data, since such data may be useful for the analysis of other digital devices collected directly from the site, or it may enable further cyber operations against other enemy information systems.

Digital devices for surveillance software installation can be selected according to intelligence available before the operation or decisions made by SOF operators during the operation. Operators may prefer to install the software on computers that exceed the carriage weight limits and cannot be taken away, and on those assumed to hold critical information.
9.2 An Optimised E-Discovery Tool

In recent years, e-discovery forensics tools [47] have been developed that allow selected files, system data and other forensics-related data to be transferred from remote computers to a central server; they are used to support the IT and legal departments of businesses. These tools require software agents to be installed on the remote computers. Rather than analysing the data, the software agent's aim is to transmit the selected data to the central server over the existing network infrastructure. Under the extreme conditions of an SOF strike, forming a communication channel by installing surveillance software can be combined with the rapid installation of an e-discovery solution. Quick and automatic installation of the software agent on the target computer is essential. The agent should be able to carry out any necessary network configuration before sending the data; it should include the relevant search patterns, should be able to limit the size of the search results, and should even be able to erase itself after the mission is completed. Once the relevant network infrastructure is established in the site area, an optimised e-discovery tool can be the solution for sustaining the flow of forensics data.
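The selective-collection strategy described in 9.1 and 9.2 (search for specific content under a bandwidth budget rather than image the whole device, and record integrity hashes for each item collected) can be illustrated with a small triage routine. This is an added example, not code from the paper or from any of the products it cites; the search patterns, the sample files and the byte budget are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed search patterns (assumption: the real pattern set is prepared
# before the operation from available intelligence; these are illustrative).
PATTERNS = {
    "shipment_ref": re.compile(rb"SHIP-\d{4}"),
    "callsign": re.compile(rb"\bFALCON\b"),
}

def scan_file(path, patterns, max_bytes=4 * 1024 * 1024):
    """Return the names of the patterns that match in this file ([] if none).
    Files above max_bytes are skipped outright: the aim is targeted search,
    not reading every large binary on the device."""
    if path.stat().st_size > max_bytes:
        return []
    data = path.read_bytes()
    return [name for name, rx in patterns.items() if rx.search(data)]

def triage(root, patterns, byte_budget):
    """Walk root, keep only files that match a pattern, and refuse any file that
    would push the cumulative size past byte_budget (greedy: smaller files that
    still fit are kept).  Each manifest entry carries a SHA-256 so the copy sent
    to the collector can later be verified against the source."""
    manifest, skipped, used = [], [], 0
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        hits = scan_file(path, patterns)
        if not hits:
            continue
        size = path.stat().st_size
        if used + size > byte_budget:
            skipped.append(str(path.relative_to(root)))  # over budget: log, do not send
            continue
        used += size
        manifest.append({
            "path": str(path.relative_to(root)),
            "size": size,
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "patterns": hits,
        })
    return manifest, skipped

def demo():
    """Build a constructed sample tree and run the triage with a 200-byte budget."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "notes.txt").write_bytes(b"Contact FALCON about SHIP-2041 tomorrow")
        (root / "docs" / "manifest.csv").write_bytes(b"id,ref\n1,SHIP-0007\n")
        (root / "docs" / "photo.bin").write_bytes(bytes(range(256)))  # no match
        (root / "docs" / "big.log").write_bytes(b"FALCON " * 100)      # 700 bytes, over budget
        return triage(root, PATTERNS, byte_budget=200)
```

Running `demo()` returns two matching files (58 bytes in total) in the manifest and lists `docs/big.log` as skipped because it alone exceeds the budget.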
[46] One commercial tool is FinFisher: https://www.finfisher.com/FinFisher/products_and_services.html
[47] Examples of e-discovery tools are AccessData's AD eDiscovery, http://accessdata.com/solutions/e-discovery/ADeDiscovery, and Guidance Software's EnCase eDiscovery, https://www.guidancesoftware.com/encase-ediscovery.