Cyber forensic awareness: The value of forensic triage in military operations
Captain Nathan Mark recently argued (pdf, p. 57) that the Army needs much higher cyber and digital forensic awareness to match rapid global technological advancement. The rise in use of mobile technologies and computer systems by both state and non-state actors means that an increasing amount of potential intelligence exists that we can and should exploit.
In contemporary operations, soldiers are often required to balance military objectives with law enforcement outcomes, weighing the security benefit of gathering information from a device immediately against the legal consequences if the traditionally lengthy process of obtaining information in a forensically sound manner is not followed. This raises an important issue: how can we rapidly exploit devices which may contain information of immediate value to a military operation, while still supporting the larger governance issues surrounding law enforcement, the judicial system and other institutions that are essential to the functioning of a civil society?
Digital forensic triage is an effective way of achieving this. By definition, triage refers to 'a fast, initial screen of potential investigative targets in order to estimate their evidentiary value'. Using both administrative and technical triage, it provides a way to assess a large number of digital devices so that those with a greater potential to provide information of value are analysed first. Administrative triage involves having an experienced investigator or subject matter expert prioritising on a case-by-case basis, determining when and how a device should be analysed by considering factors including the type of crime committed and the potential for further harm. Technical triage uses software to rapidly screen a device for information. The operator could specify a quick scan for different file types or keywords and a significant number of hits could indicate the potential value of further analysis.
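To illustrate the technical triage described above, here is an added example (not code from the article or from any forensic tool it mentions) of a read-only quick scan that counts files of operator-chosen types and keyword hits, scores the result for prioritisation, and records a SHA-256 per file so a later full examination can verify that triage did not alter the data. The file types, keywords and the sample file system are all constructed for illustration.

```python
import hashlib
import os
import re
import tempfile
from collections import Counter

# Operator-chosen scan parameters (assumed here for illustration, not from the article).
TYPES_OF_INTEREST = {".jpg", ".png", ".db", ".txt", ".log"}
KEYWORDS = ["regroup", "withdraw", "rendezvous", "grid"]

def triage_directory(root, types=TYPES_OF_INTEREST, keywords=KEYWORDS):
    """Read-only technical triage of a directory tree standing in for a device image.
    Counts files of interesting types and keyword hits, and records a SHA-256 per file
    so the state of each file at triage time can be verified by a later full examination."""
    type_hits, keyword_hits, hashes = Counter(), Counter(), {}
    pattern = re.compile("|".join(re.escape(k) for k in keywords), re.IGNORECASE)
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:          # opened for reading only; nothing is written
                data = f.read()
            hashes[os.path.relpath(path, root)] = hashlib.sha256(data).hexdigest()
            ext = os.path.splitext(name)[1].lower()
            if ext in types:
                type_hits[ext] += 1
            for m in pattern.findall(data.decode("utf-8", errors="ignore")):
                keyword_hits[m.lower()] += 1
    # Simple priority score: keyword hits weigh more than mere file-type presence.
    score = sum(type_hits.values()) + 2 * sum(keyword_hits.values())
    return {"type_hits": dict(type_hits), "keyword_hits": dict(keyword_hits),
            "hashes": hashes, "score": score}

def build_sample_device():
    """Constructed sample file system (not real data) standing in for a recovered device."""
    root = tempfile.mkdtemp()
    samples = {
        "chat/messages.txt": "Withdraw now. Regroup at grid 123456 by 0400.",
        "photos/img1.jpg": "placeholder image bytes",
        "notes/readme.md": "nothing of note",
    }
    for rel, text in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as f:
            f.write(text)
    return root

if __name__ == "__main__":
    result = triage_directory(build_sample_device())
    print("score:", result["score"], "keyword hits:", result["keyword_hits"])
```

Running the scan twice over the same tree and comparing the recorded hashes is the integrity check a later examiner would repeat against the original device.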
In support of Captain Mark's article that addresses the need for increased cyber forensic awareness in Army, an understanding of digital forensic triage also needs to be fostered. As soldiers, we are required to operate in dangerous environments where failure to meet certain timings or deadlines can have serious consequences. We also operate in environments characterised by a lack of information where an enemy will conduct their own planning process to shape the battlespace. Any information we can gather on an enemy sooner rather than later is beneficial. Digital triage allows us to gain an advantage in planning, decision-making and execution.
Consider this scenario: An infantry platoon has engaged an enemy and forced them to withdraw from their position. This position may hold significance to the enemy and they may intend to regroup to counter-attack or move to establish themselves elsewhere. A number of digital devices are encountered at the scene. By performing digital triage on these devices, with forensically sound tools that have been proven effective through their use in law enforcement and private industry, the platoon commander may be able to gather information on an enemy's locations, activities or evidence of chat messages that were sent hastily upon withdrawal from the position. This type of information can then be incorporated into the platoon commander's immediate planning process and rapidly passed on to higher command, providing actionable military intelligence with an immediate battlefield advantage. It also promotes initiative by providing information that allows for better prediction of an enemy commander's actions. An effective initial forensic triage at the scene will not only provide information in time-critical situations, but also maintain the integrity of data to allow law enforcement assets to provide legally admissible evidence that could be essential in judicial proceedings. While Captain Mark does briefly mention 'live analysis' to provide quick assessment of a situation, the true value that can be gained from triage also needs to be explored further.
Overall, Captain Mark's article highlights the importance and need for cyber forensic awareness and specialisation in Army, with which I wholeheartedly agree. This knowledge needs to be extended to the troops on the ground most likely to encounter devices in hostile situations. Let's train them to conduct rapid triage for information with forensically tried and tested tools, or embed a soldier with specialised forensic training into each platoon conducting a task. Unfortunately, we don't always have the luxury of time, so if a triage process can provide a commander with a greater chance to achieve mission success, it is an invaluable capability to develop for our personnel.
The views expressed in this article and subsequent comments are those of the author(s) and do not necessarily reflect the official policy or position of the Australian Army, the Department of Defence or the Australian Government.