Battlefield Triage Forensics


Special Operations Forces Industry Conference (SOFIC) 2009

Intelligence and Evidence Collection Using Battlefield Digital Triage Forensic Processes

Stephen Frank Pearson
High Tech Crime Institute Inc
Tampa, Florida
[email protected]

ABSTRACT

With current doctrines, field commanders are potentially denied real-time, actionable intelligence that is available from digital media being seized. This is in part due to the lengthy time it takes to identify and exploit the media that is seized.

Small teams such as the Weapons Intelligence Teams (WIT) are being employed to conduct a very unique task on today's battlefield crime scenes. Small teams are being tasked to gather and identify digital media which may or may not contain any actionable intelligence for the field commander. This task, which in itself can be complicated, is further complicated by a time limit for scene processing of 5 to 60 minutes. In today's modern law enforcement world there is typically no time limit for the processing of crime scenes, as there are no tactical or typical time challenges associated with a crime scene. At the traditional digital crime scene great care can be taken to preserve the evidence in its most pristine form, allowing for itemized evidence labeling and chain of custody documents to be created. Small teams such as WIT cannot operate using the policies and procedures of a stateside law enforcement element. The combat crime scene does not allow for this diligence due to the safety and tactical elements that complicate the processing of evidence. Evidence is routinely lumped together and maintained in a single evidence container. The evidence is not really identified until it is returned to the Forward Operating Base (FOB) for further processing. This is the reality of the battlefield crime scene and the OPTEMPO that our small teams such as WIT exist under.

The good news is that by employing the procedures of Digital Triage Forensics on the battlefield and using Digital Triage Tools, the small team can conduct productive exploitations of digital media, providing field commanders with actionable intelligence.

ABOUT THE AUTHOR

Stephen Frank Pearson was born in Aylesbury, England in 1963 and has been involved with Digital Media Exploitation since the early 1990s. Stephen served in the United States Army as a Military Policeman for over 21 years. During this time, Stephen wrote and compiled numerous texts that are still used today. Stephen's last military assignment was Non-Commissioned Officer in Charge of the Advanced Technology Criminal Investigations Division at the Military Police School, Ft Leonard Wood, Missouri. After retiring, Stephen accepted a position as chief of detectives at the Pulaski County Sheriff's Office in Missouri. Stephen opened the first Digital Forensic Lab at the Sheriff's Department, which was responsible for numerous convictions. During this time, Stephen also started and ran the High Tech Crime Institute. In 2006 Stephen was contracted by the National Ground Intelligence Center to teach and design a course in Digital Triage Forensics for the new WIT teams deploying to Iraq and Afghanistan. To date, Stephen continues to teach and design new procedures that enable small team units to gather and exploit digital media from the battle space. Stephen currently lives in Palm Harbor, Florida and is the CEO of the High Tech Crime Institute.

    SOFIC 2009 Paper No. 3202 Page 1 of 8


INTRODUCTION

Digital media has made its way into just about every aspect of our lives. We carry iPods with training podcasts, music, and movies, with storage capacities that rival our desktop or laptop systems. The cell phones we use today provide access to our email and documents.

Ten years ago investigators would find the gold nuggets of evidence on systems owned by corporate entities, because that is where the bandwidth and storage was located. In today's environment, with the advent of thumb drives, CF cards, and reliable online storage, the nuggets have moved to those closely held containers that are easily connected, used, and destroyed.

This new world of personal storage provides unique opportunities to anyone seeking intelligence or evidence on a suspect. Most recently we have seen these personal digital media devices being used to solve crimes spanning the spectrum of criminal offenses, from students being bullied online to plots being arranged to destroy schools or other national assets. Terrorists use computers and portable storage containers to pass strategic documents and plans. These devices can pass by unnoticed by anyone. During the Mumbai, India attacks in 2008, cell phones were seen as tools to orchestrate and collaborate during tactical actions. Insurgents in Iraq use cell phones to record their criminal activities so that they can be paid for their work. Cell phones make a convenient medium to detonate IEDs.

We know that the evidence and/or data is out there and it is in real time. Investigators and intelligence gatherers need to be able to collect and exploit this real-time data, providing the command with actionable intelligence as well as evidence that will later be used to convict suspects of their crimes.

In June 2008 the cellular networks in Iraq were upgraded to the digital standard of 1900 MHz. This new bandwidth allows the user to take advantage of the full digital capability that a cell phone has to offer. New threats to the evidence or intelligence gathering process have been identified with the use of this new topology. New safety concerns for the on-scene investigator have also now been raised, as the insurgents target the investigators in the battle space.

PROBLEM STATEMENT

With current practices and procedures, field commanders are potentially denied real-time actionable intelligence that is available from the digital media being seized, due to the lengthy time it takes to identify and exploit the media.

Under the current models, teams analyzing the data have little time for a complete and/or thorough examination of the media collected from the battlefield. This time barrier has come to be because there is no time to do it properly. This perception comes from several factors:

First, the imaging process can be lengthy.

Second, investigators do not have the available media to image the data.

Third, the investigator must be provided the programs, knowledge, and training in the collection of data that allow the media to be exploited for the field commanders.

To address the concerns above, specialized teams like the Weapons Intelligence Teams (WIT) are being employed to conduct a very unique task on today's battlefield crime scene. The WIT team is being tasked to gather and identify digital media and triage the media to find whether it contains any actionable intelligence. The task of processing the battlefield crime scene is complicated in itself, but will be further complicated by safety and tactical considerations as well as a time limit for scene processing of 5 to 60 minutes on average.

Compare that to today's modern law enforcement world, where there is typically no time limit for the processing of a crime scene, and to stateside law enforcement, which has no tactical implications or time challenges associated with its crime scenes.

At the traditional digital crime scene great care can be taken to preserve the evidence in its most pristine form, allowing for itemized evidence collection, labeling, and chain of custody documents to be created. The combat crime scene does not allow for this diligence in evidence collection due to its safety and tactical element. When collected from the combat crime scene, evidence is routinely lumped together and maintained in a single evidence container. The itemized evidence is not identified until it is returned to the Forward Operating Base (FOB) for further processing. This modified collection process is a reality of the battlefield crime scene and the OPTEMPO that our specialized teams like WIT exist in.

The problem of providing actionable intelligence is further challenged by the process of analysis after the media has been gathered. Currently the exploitation or analysis of the captured media is only done at a lab level. The teams on the ground such as the WIT teams are not allowed to exploit media. This makes little sense, as teams like WIT have the equipment and training to be able to conduct exploitation at the FOB. In some cases the WIT team equipment is better than the labs in theater.


Illustration 1: Current Digital Forensic Processing, causing an increasing backlog at the lab level, compared with Digital Triage Forensics, preventing lab backlog.

Current model: First Responder or Evidence Collector forwards all media on to the Lab without any exploitation attempts. Detective or Analyst has to wait for results from the Lab, which will be backlogged. Lab. Prosecution.

DTF model: First Responder or Evidence Collector uses the tools and training to find actionable intelligence immediately, getting the evidence to the Analyst much quicker. Detective or Analyst sees the actionable intelligence/evidence immediately, saving the lab from having to process non-yielding data. Lab finishes exploiting data found to have value by the First Responder. Prosecution.

This model shows that when you make the lab responsible for all processing, it becomes backlogged very quickly by the sheer volume of data that must be
This backlog can be completely erased by implementing the DTF procedures.


SOLUTION

Over the past three years, the High Tech Crime Institute (HTCI) has been training WIT Teams in Digital Triage Forensics. During this time HTCI has seen a definite change in attitude towards the role of Digital Forensic Investigator. This attitude change can be attributed to several arguments.

Argument #1 - An attitude exists that roughly says, "There are other people who can do Digital Forensics, so why not let them take care of it (in-country labs)." This argument, while partially true, is the worst argument to have. This attitude allows the small unit investigator to say they can pass it off to someone else and not have to worry about it. The problem with this argument should be clear. If you let it continue, you create a procedural model that is bloated in the middle because of all the work being sent to the labs. It is an operational fact that there are more WIT Teams than there are Digital Forensic Labs in theater. The WIT Team is poised perfectly to do the initial evaluation to determine whether an item has actionable intelligence or not. Unfortunately, we have learned from the mistakes made in civilian law enforcement that trying to use a single entity to do all digital forensics does not work.

Initially your results are good, but soon a severe backlog is created. This was seen very clearly when the FBI began the use of the Regional Computer Forensic Labs (RCFL). The RCFL was designed to take over all digital forensics in regions spread out across the country. The FBI then told law enforcement to send all digital media to the RCFL, which they did. The RCFLs were overwhelmed with requests and a huge backlog was created. The RCFL had to begin placing pre-requirements on media being sent to them to try and reduce the backlog. This helped but did not cure the problem. Even today, the RCFLs are still backlogged. Cases sometimes wait to be examined for as long as a year. The graphic above illustrates what happens when one agency decides to try and handle all Digital Media Exploitation, as is currently being done in Iraq.

This attitude is the easiest of the issues to correct, as leadership can simply place the responsibility for Digital Triage Forensics (DTF) back on the specialized teams like WIT. WIT Teams should not be allowed to pass off media; instead they should be required to use the tools and training that they have and exploit the media that is either collected or brought to them. We are by no means incurring new costs; we are simply using the training and equipment already provided to accomplish the recognized mission at hand. Not to use the WIT Teams in the role that they are designed for, but instead to allow the passing off of work for no real reason, is a misuse of the funding provided for these programs.

Argument #2 - It has been argued that WIT Teams do not have the tools necessary to conduct these investigations; that only the specialized labs, with highly skilled and trained personnel, are qualified to conduct the Digital Forensic missions. This is absolutely not true. In fact, the civilian world has a word for this argument. It is called Job Security. The staff of the Joint Weapons Intelligence Center (JWIC) and HTCI conduct training at Ft. Huachuca, AZ to provide the highest level of professional training in the field of Battlefield Crime Scene Investigations and Digital Triage Forensics. Both staffs have dedicated their time to making sure that the teams in the battle space have the tools necessary to accomplish all of the WIT assigned tasking, which includes Digital Media Exploitation. After speaking with other contractors and organizations, I can without any reservation state that the staff at JWIC Ft. Huachuca has compiled, with the help of HTCI, the best mobile forensic lab available to any team worldwide. As compared to the static labs found in Iraq and now popping up in Afghanistan, the WIT Teams have identical if not better equipment in most cases. Unfortunately, in many circumstances the tools sit idle and the training expertise is lost over time.

Argument #3 - It has been said that the WIT Team member is not trained for the task. I have heard this from WIT Team members both past and present, and from the leadership of the WIT Team members. This is a perpetuated lie that comes from teams currently deployed. The ones that pass on this information are the teams that are not conducting investigations or examinations. You will find that these are the teams that pass off the DTF mission to in-country labs. And, as already noted, after time the team's skills wither and die. What skill doesn't if it is not exercised? WIT Team members are told by group leadership that they will not have to conduct these examinations or exploitations in the battle space, as there are other agencies that can do it for them. This leads to a training attitude of complacency and not caring. When the group leadership puts an emphasis on the training, the results are amazingly different.

The bottom line is that the WIT Team member is more than capable of retaining the lessons learned in a Digital Forensics class. The amount of time that is currently dedicated to the training should be increased by one or two days to allow for more hands-on examinations, but the time allocated meets the minimal requirement to train someone to a skill level where they are capable of conducting Digital Triage Forensic Examinations. To ensure the team members are prepared we can use the procedural model of Digital Triage Forensics (DTF). We have referenced it as a model for collecting actionable intelligence for the field commander. As the name implies, it is a methodology for processing digital media from a given scene expeditiously, ensuring the container and data are maintained in as pristine a form as possible. DTF is best done by trained and equipped persons who have direct knowledge and input from the immediate battlefield crime scene. These trained and equipped personnel already exist in the form of the WIT Teams. The WIT team brings knowledge and expertise from the battlefield crime scene that an examiner who is afar may not recognize, such as keywords or regional programs that are of importance to an intelligence entity.

To effect this new methodology, new rules or doctrinal policies must be used in the collection of this digital media, as the mainstream methods do not take into account the tactical and time nature of the battlefield crime scene.

For the purposes of this paper we will isolate a specific media type and draw a comparison between the collection of it in a traditional crime scene and that of the battlefield crime scene.

We chose cell phones as the media to compare, as this is the fastest growing media in the battle space. Even though we are showing a specific media type for comparison, the principles applied in this model can apply to any digital media found at the combat crime scene as well.

Comparison of Doctrinal Options for Cell Phone Collection

No matter if you are at the traditional crime scene or at the battlefield crime scene, it is known and accepted that the cell phone must be isolated from its carrier to prevent contamination or the implementation of tactics that could cause permanent damage to the evidence containers that exist on the phone. The following would be core concepts for the collection of cell phones in either situation:

1. Isolation of the evidence from outside sources
2. Prevention of contamination by examiner error
3. Expedient processing of the evidence to gather actionable intelligence
4. Maintaining isolation of the evidence during the entire process

Under the DTF methodology three new concepts are added:

1. Technical and tactical safety for personnel involved
2. Place of the capture and the pre-existing contamination of the device by on-scene personnel
3. The restriction of time to collect the evidence from the crime scene (5 to 60 minutes)

The mission of the WIT dictates a greater priority on processing digital evidence to gather actionable intelligence before the items become true evidence. As was discussed earlier, a primary concept in collecting the cell phone is to maintain absolute isolation of the evidence from any external source. This will prevent any actionable intelligence from being destroyed. Four different methods for isolation at the battlefield crime scene include:

1. Placing the device into an isolation bubble using some type of Radio Frequency jammer.
2. Placing the device, still turned on, into a Faraday container of some sort.
3. Powering off the evidence using the power switch.
4. The DTF method of removing the battery at the scene.

When discussing the four options, HTCI recommends that the DTF method be followed every time, regardless of whether Faraday bags are available or not. At the traditional crime scene removing the battery is strongly looked down upon, as there is a possibility of gathering some data from the volatile memory cache.


So why does HTCI support the DTF method of removing the battery from the cell phone at the crime scene? The main reasons are the addition of safety, time, and the ability of the cell phone to be wiped remotely if connected. With these three additional concepts, the reason should be clear as to the need to remove the battery and isolate the phone immediately. Let's look at these three reasons in depth.

Technical and Tactical Safety - It is suggested to turn the phone off by pushing the power button. Unfortunately, in the technology world today the possibility of having the cell phone's keyboard remapped is quite real. For example, if an insurgent wanted, they could remap the power button to send a pre-formatted text message or auto dial (a quick dial number), which could detonate a secondary device on a scene very easily. By removing the battery, the investigator also provides a natural and immediate Faraday cage around the cell phone. It then has no ability to connect to the network, preventing the phone from gathering any further messages or data that could overwrite or destroy evidence that is pre-existing on the phone. The phone can also not be tampered with by any outside person or network. In the world of the 1900 MHz cell phone, the service provider has the ability to wipe the on-board flash memory of the cell phone. This feature has existed for only a few years but has already been used by criminals in the United States to hide or destroy evidence on the cell phone. Another threat posed by the cell phone comes from the combination of cell phone and GPS transceiver. With this capability the cell phone could be used as a tracking device, providing GPS coordinates that could be recovered from a website or from a Trojan application placed on the phone that continuously forwards GPS locations to another digital device. Ultimately this could provide targeting, location and/or tracking information to an insurgent cell.

An argument can be made, though, that the WIT Team is provided a Faraday bag. The problems that arise from this bag are that it is a passive device, not an active device. Faraday bags are also susceptible to breaking down over time. If the Faraday bag has a hole or the fibers of the material are broken, this will allow the cell phone to communicate with the network, rendering the isolation ineffective. It is also possible the WIT team investigator may employ the bag incorrectly, not closing the Faraday bag properly and allowing the cell phone to continue its communication with the network. This does not mean that the Faraday bags are useless in the DTF model. They provide a secondary method of isolation. In certain circumstances, the use of the Faraday bag may be the primary tool used by the investigator.

Place of the capture and the pre-existing contamination of the device by on-scene personnel - It may not be possible to use an RF jammer in the location of collection. This can be due to numerous factors, including the lack of the equipment on the scene or the inability to deploy the device. The insurgents are familiar with the traditional collection processes used by WIT teams for collecting cell phones and other devices on the scene. The manuals and regulations are readily available from National Institute of Science and Technology or Department of Justice websites. The terrorist is also very aware that cell phones attract attention from investigators and others at the battlefield crime scene by their very nature. This makes them an excellent triggering device, especially now that the networks are 1900 MHz instead of just 800 MHz, allowing for true digital connectivity. By removing the battery we provide instant isolation.

The restriction of time to collect the evidence from the crime scene (5 to 60 minutes) - Depending on the cell phone, it might be very easy to identify the power button. Other cell phones may take a significant amount of time to find the power button and finally turn off the phone, providing plenty of time for the cell phone to be contaminated or evidence containers destroyed.

There is only one situation where the battery should not be pulled, and that is when there is actionable intelligence on the screen of the device that cannot be gathered by any other means. In this situation the cell phone should be gathered and placed into a functional Faraday bag. At this point the phone needs to be transported to the FOB as quickly as possible. The cell phone battery will quickly begin to dissipate as it tries to connect to the network.

With the arguments above, it is clear that the DTF model of removing the battery makes the most sense in all situations except for the last, where actionable intelligence would be lost. It is very important that the investigator not attempt to disassemble the cell phone any further until returning to the FOB. When at the FOB the investigator must be careful not to disturb any other biometric evidence that is residual on the phone surface, such as fingerprints. Once the cell phone is returned to the FOB the investigator can continue to process the cell phone, continuing the Digital Triage Forensic process. At this point, analysis of the phone can be accomplished in a timely and safe manner.

Using Digital Triage Tools (DTT), actionable intelligence can quickly be found. If the cell phone does not reveal any immediately visible, actionable intelligence, then the phone can be put at the end of the line for deeper analysis. If the cell phone yields visible, actionable intelligence, then the cell phone should be immediately forwarded to the security cell to obtain the actionable intelligence from the cell phone. This triage process will continue for each cell phone until all cell phones have been processed. Using this process, the cell phones containing the most data will be identified and can be sent directly for processing, front-loading them. The other cell phones can be further processed as time permits. This model allows for the quick identification of actionable intelligence and the ability to undo the log jam of media being sent to single-point processing centers.
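The backlog argument of Illustration 1 and the FOB triage loop just described, as an added example that is not from the paper: a deterministic day-by-day model comparing the forward-everything flow with the DTF flow, in which WIT triage at the FOB identifies actionable media on the day of seizure and only media found to have value goes on to the lab. All parameters (ten devices seized per day, every fifth device holding actionable intelligence, a lab that can fully exploit two devices per day) are constructed for illustration.

```python
"""Day-by-day model of the two processing flows in Illustration 1 (added example)."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Device:
    device_id: int
    collected_day: int
    actionable: bool    # constructed ground truth: on-scene triage would find intelligence
    lab_hours: float    # effort for full lab exploitation


@dataclass
class Result:
    lab_backlog: int          # devices still waiting at the lab when the run ends
    lab_completed: int        # devices the lab fully exploited
    intel_pending: int        # actionable devices whose intelligence never reached the command
    intel_delays: List[int] = field(default_factory=list)  # days from seizure to command

    @property
    def mean_intel_delay(self) -> float:
        return sum(self.intel_delays) / len(self.intel_delays) if self.intel_delays else 0.0


def simulate(days: int, devices_per_day: int, lab_hours_per_day: float,
             triage_at_fob: bool, yield_every: int = 5, lab_hours: float = 4.0) -> Result:
    """Return lab backlog and intelligence delay for one of the two flows.

    triage_at_fob=False: the first responder forwards everything to the lab unexamined,
    and the command only learns of actionable intelligence when the lab finishes a device.
    triage_at_fob=True:  the WIT team triages at the FOB on the day of seizure, forwards
    actionable media to the security cell at once, and sends only media found to have
    value to the lab; non-yielding media stays at the FOB for processing as time permits.
    """
    queue: List[Device] = []       # FIFO lab queue, the source of the backlog
    delays: List[int] = []
    completed = 0
    next_id = 1
    for day in range(1, days + 1):
        # Media seized today (constructed: every yield_every-th device is actionable).
        for _ in range(devices_per_day):
            dev = Device(next_id, day, next_id % yield_every == 0, lab_hours)
            next_id += 1
            if not triage_at_fob:
                queue.append(dev)
            elif dev.actionable:
                delays.append(0)       # found at the FOB the day it was collected
                queue.append(dev)      # lab only finishes data already found to have value
        # The lab works its queue within today's budget of examiner hours.
        budget = lab_hours_per_day
        while queue and queue[0].lab_hours <= budget:
            dev = queue.pop(0)
            budget -= dev.lab_hours
            completed += 1
            if dev.actionable and not triage_at_fob:
                delays.append(day - dev.collected_day)
    # Under DTF every actionable device was already reported on its seizure day.
    pending = sum(1 for d in queue if d.actionable) if not triage_at_fob else 0
    return Result(len(queue), completed, pending, delays)


if __name__ == "__main__":
    for label, triage in (("forward everything to lab", False), ("DTF triage at FOB", True)):
        r = simulate(days=30, devices_per_day=10, lab_hours_per_day=8.0, triage_at_fob=triage)
        print(f"{label}: backlog={r.lab_backlog} completed={r.lab_completed} "
              f"intel pending={r.intel_pending} mean delay={r.mean_intel_delay:.1f} days")
```

With these constructed numbers the lab-only flow ends the month with 240 devices queued and 48 actionable devices still unreported, while the DTF flow leaves the lab with no backlog and reports every actionable device on the day it is seized.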

Summary and Implementation

Digital Triage Forensics, in my opinion, will be the way digital evidence from a crime scene is processed in the future. The understanding that the tactical soldier can be competently trained to obtain actionable intelligence is a reality with schools like JWIC at Ft. Huachuca. In this paper I have spoken of the methodology of applying the Digital Triage Forensic procedure to a specific media type. The reality is that this system or procedural model can be applied to all media items taken from the battlefield crime scene.

The procedures set forth here for Digital Triage Forensics can be applied and instituted at any battlefield or tactical level. As was referenced in this paper, WIT teams have both the equipment and training to accomplish the task of Digital Triage Forensics. This training and procedural set should be continued and emulated in other environments. Currently many other organizations are trying their own version of WIT. These other team types are being deployed around the world with the mission of providing the field commander actionable intelligence, which may or may not come from the battlefield crime scene.

This paper covered the major components of the Battlefield Triage Process:

1. The reality of Triage Forensics on the modern battlefield.
2. The employment of Triage Forensics.
3. A comparison of the cell phone procedural model using Battlefield Triage Forensics.
4. The incorporation and uses of Battlefield Triage Forensics in today's modern battle space.
