Special OperationsForces Industry Conference (SOFIC) 2009

Intelligence and Evidence Collection Using

Battlefield Digital Triage Forensic Processes
Stephen Frank Pearson
High Tech Crime Institute Inc
Tampa, Florida
stephen@gohtci.com

ABSTRACT
With current doctrines, field commanders are potentially denied real-time, actionable intelligence that is available
from digital media being seized. This is in part due to the lengthy time it takes to identify and exploit the media that
is seized.

Small teams such as the Weapons Intelligence Teams (WIT) are being employed to conduct a very unique task on
today's battlefield crime scenes. Small teams are being tasked to gather and identify digital media which may or
may not contain any actionable intelligence for the field commander. This task which in itself can be complicated is
further complicated with a time limit for scene processing of 5 to 60 minutes. In today’s modern law enforcement
world there is typically no time limit for the processing of crime scenes as there are no tactical or typical time
challenges associated with a crime scene. At the traditional digital crime scene great care can be taken to preserve
the evidence in its most pristine form allowing for itemized evidence labeling and chain of custody documents being
created. Small teams such as WIT cannot operate using the policies and procedures of a stateside law enforcement
element. The combat crime scene does not allow for this diligence due to its safety and tactical element that
complicates the processing of evidence. Evidence is routinely lumped together and maintained in a single evidence
container. The evidence is not really identified until it is returned to the Forward Operating Base (FOB) for further
processing. This is the reality of the battle field crime scene and the OPTEMPO that our small teams such as WIT
exist under.

The good news is by employing the procedures of Digital Triage Forensics on the battlefield and using Digital
Triage Tools, the small team can conduct productive exploitations of Digital Media providing field commanders
with actionable intelligence.

ABOUT THE AUTHOR

Stephen Frank Pearson was born in Aylesbury, England in 1963 and has been involved with Digital Media
Exploitation since the early 1990's. Stephen served in the United States Army as a Military Policeman for over 21
years. During this time, Stephen wrote and compiled numerous texts that are still used today. Stephen's last military
assignment was Non Commissioned Officer in Charge of the Advanced Technology Criminal Investigations
Division at the Military Police School, Ft Leonard Wood, Missouri. After retiring, Stephen accepted a position as
chief of detectives at the Pulaski County Sheriffs Office in Missouri. Stephen opened the first Digital Forensic Lab
at the Sheriff's Department which was responsible for numerous convictions. Stephen, during this time, also started
and ran the High Tech Crime Institute. In 2006 Stephen was contracted by the National Ground Intelligence Center
to teach and design a course in Digital Triage Forensics for the new WIT teams deploying to Iraq and Afghanistan.
To date, Stephen continues to teach and design new procedures that enable small team units to gather and exploit
Digital Media from the Battle Space. Stephen currently lives in Palm Harbor, Florida and is the CEO of the High
Tech Crime Institute.

SOFIC 2009 Paper No. 3202 Page 1 of 8

 Special OperationsForces Industry Conference (SOFIC) 2009

Intelligence and Evidence Collection using

Battlefield Digital Triage Forensic Processes
Stephen Frank Pearson
High Tech Crime Institute Inc
Tampa, Florida
stephen@gohtci.com
INTRODUCTION gatherers need to be able to collect and exploit this real
time data, providing the command with actionable
intelligence as well as evidence that will later be used
Digital media has made its way into just about every to convict suspects of their crimes.
aspect of our lives. We carry IPOD's with training pod
casts, music, and movies with storage capacities that In June 2008 the cellular networks in Iraq were
rival our desktop or laptop systems. The cell phones we upgraded to the digital standard of 1900 MHz. This
use today provide access to our email and documents. new bandwidth allows the user to take advantage of the
Ten years ago investigators would find the gold full digital capability that a cell phone has to offer.
nuggets of evidence on systems owned by corporate New threats to the evidence or intelligence gathering
entities because that is where the bandwidth and process have been identified with the use of this new
storage was located. In today's environment with the topology. New safety concerns for the on-scene
advent of thumb drives, CF cards, and reliable online investigator have also now been raised as the
storage, the nuggets have moved to those closely held insurgents target the investigators in the battle space..
containers that are easily connected, used, and
destroyed. PROBLEM STATEMENT

This new world of personal storage provides unique

opportunities to anyone seeking intelligence or
evidence on a suspect. Most recently we have seen the
use of these personal digital media devices being used
to solve crimes spanning the spectrum of criminal
offenses; from students being bullied online to plots
being arranged to destroy schools or other national
assets. Terrorist use computers and portable storage
containers to pass strategic documents and plans.
These devices can pass by unnoticed by anyone.
During the Mumbai, India attacks in 2008 cell phones
were seen as tools to orchestrate and collaborate during
tactical actions. Insurgents in Iraq use cell phones to
record their criminal activities so that they can be paid
for there work. Cell phones make a convenient
medium to detonate IED's.
We know that the evidence and/or data is out there and
it is in real time. Investigators and Intelligence
With current practices and procedures, field
commanders are potentially denied real time actionable
intelligence that is available from the digital media
being seized due to the lengthy time it takes to identify
and exploit the media.
Under the current models, teams analyzing the data
have little time for a complete and/or thorough
examination of the media collected from the battlefield.
This time barrier has come to be because there is no
time to do it properly. This perception comes from
several factors.
• First, the imaging process can be lengthy,
• Second, investigators not having the available
media to image the data.
• Third, providing the investigator the
programs, knowledge, and training in the
collection of data allowing the media to be

SOFIC 2009 Paper No. 3202 Page 2 of 8


exploited for the field commanders.
To address the concerns above, specialized teams like
the Weapons Intelligence Teams (WIT) are being
employed to conduct a very unique task on today's
battlefield crime scene. The WIT team is being tasked
to gather and identify digital media and triage the
media to find if the media contains any actionable
intelligence. The task of processing the battlefield
Prosecution
LAB
Finishes exploiting data
Found to have value by
The First Responder
Detective or Analyst
In this model the Analyst sees the
Actionable intelligence/evidence
Immediately. Saving the lab from having
To process non yielding data
First Responder or Evidence Collector
Uses the tools and training to find actionable
Intelligence immediately. Getting the evidence to the
Analyst much quicker.
Digital Triage Forensics
Preventing Lab Backlog
lustration 1:
crime scene in itself is complicated but will be further
complicated with safety and tactical considerations as
well as a time limit for scene processing of 5 to 60
minutes on average.
Compare that to today’s modern law enforcement
world there is typically no time limit for the processing
of a crime scene. Compare that to stateside Law
Enforcement that have no tactical implications or time
challenges associated with their crime scene.
At the traditional digital crime scene great care can be
taken to preserve the evidence in its most pristine form,
allowing for itemized evidence collection, labeling, and
chain of custody documents to be created. The combat
crime scene does not allow for this diligence in
SOFIC 2009 Paper No. 3202 Page 3 of 8
Special OperationsForces Industry Conference (SOFIC) 2009
evidence collection due to its safety and tactical
element. When collected from the combat crime scene
evidence is routinely lumped together and maintained
in a single evidence container. The itemized evidence
is not identified until it is returned to the Forward
Operating Base (FOB) for its further processing. This
modified collection process is a reality of the battle
field crime scene and the OPTEMPO that our
specialized teams like WIT exist in.
Prosecution
Detective or Analyst
Has to wait for results
From the Lab which
W ill be back logged
LAB
This is model shows that when you make the lab responsible for a ll processing
It becomes back logged very quickly by the sheer volume of data that must be
This backlog can be completely erased by implementing the DTF pr ocedures
First Responder or Evidence Collector
Forwards all media onto the Lab without any
Exploitation attempts.
Current Digital Forensic Processing
Causing an increasing Backlog at the Lab Level
Il
The problem of providing actionable intelligence is
further challenged by the process of analysis after the
media has been gathered. Currently the exploitation or
analysis of the captured media is only done at a lab
level. The teams on the ground such as the WIT teams
are not allowed to exploit media. This makes little
sense as the teams like WIT have the equipment and
training to be able to conduct exploitation at the FOB.
In some cases the WIT team equipment is better than
the labs in theater.

SOLUTION
Over the past three years, the High Tech Crime
Institute (HTCI) has been training WIT Teams in
Digital Triage Forensics. During this time HTCI has
seen a definite change in attitude towards the role of
Digital Forensic Investigator. This attitude change can
be attributed to several arguments.
Argument #1 - An attitude exists that roughly says,
“There are other people who can do Digital Forensics
so why not let them take care of it (in country labs).”
This argument while partially true is the worst
argument to have. This attitude allows the small unit
investigator to say they can pass it off to someone else
and we don't have to worry about it. The problem
should be clear with this argument. If you let it
continue, you create a procedural model that is now
bloated in the middle because of all the work being
sent to them. It is an operational fact that there are
more WIT Teams than there are Digital Forensic Labs
in theater. The WIT Team is poised perfectly to do the
initial evaluation to determine if an item has actionable
intelligence or not. Unfortunately we have learned
from the mistakes made in civilian Law Enforcement
that trying to use a single entity to do all digital
forensics does not work.
Initially your results are good but soon a severe
backlog is created. This was seen very clearly when
the FBI began the use of the Regional Computer
Forensic Labs (RCFL). The RCFL was designed to
take over all digital forensics in regions spread out
across the country. The FBI then told Law
Enforcement to send all Digital Media to the RCFL
which they did. The RCFL's were overwhelmed with
requests and a huge backlog was created. The RCFL
had to begin placing pre-requirements on media being
sent to them to try and reduce the backlog. This helped
but did not cure the problem. Even today, the RCFL's
are still backlogged. Cases wait to be examined
sometimes for as long as a year. The graphic above
illustrates what happens when one agency decides to
try and handle all Digital Media Exploitation as is
currently being done in Iraq.
This attitude is the easiest of the issues to correct as
leadership can simply place the responsibility of
Digital Triage Forensics (DTF) back on the specialized
teams like WIT. WIT Teams should not be allowed to
pass off media but instead they should be required to
SOFIC 2009 Paper No. 3202 Page 4 of 8
Special OperationsForces Industry Conference (SOFIC) 2009
use the tools and training that they have, and exploit
the media that is either collected or brought to them.
We are by no means incurring new costs; we are simply
using the training and equipment already provided to
accomplish the recognized mission at hand. Not to use
the WIT Teams in the role that they are designed for
but to instead allow the passing off of work for no real
reason is a misuse of the funding provided for these
programs.
Argument #2 - Has been that WIT Teams do not have
the tools necessary to conduct these investigations.
That only these specialized labs with highly skilled and
trained personnel are qualified to conduct the Digital
Forensic missions. This is absolutely not true. In fact,
the civilian world has a word for this argument. It is
called “Job Security.” The staff of the Joint Weapons
Intelligence Center (JWIC) and HTCI conducts
training at Ft. Huachuca, AZ to provide the highest
level of professional training in the field of Battle Field
Crime Scene Investigations and Digital Triage
Forensics. Both staffs have dedicated their time to
making sure that the teams in the battle space have the
tools necessary to accomplish all of the WIT assigned
tasking which includes Digital Media Exploitation.
After speaking with other contractors and
organizations, I can without any reservation state that
the staff at JWIC Ft. Huachuca has compiled, with the
help of HTCI, the best mobile forensic lab available to
any team world wide. As compared to the static labs
found in Iraq and now popping up in Afghanistan, the
WIT Teams have identical if not better equipment in
most cases. Unfortunately in many circumstances the
tools sit idle and the training expertise is lost over time.
Argument #3 - It has been said that the WIT Team
member is not trained for the task. I have heard this
from WIT Team members both past, present, and from
the leadership of the WIT Team members. This is a
perpetuated lie that comes from teams currently
deployed. The ones that pass on this information are
the Teams that are not conducting investigations or
examinations. You will find that these are the teams
that pass off the DTF mission to in country labs. And
as already noted, after time, the teams skills wither and
die. What skill doesn't if it is not exercised? WIT
Team members are told by group leadership that they
will not have to conduct these examinations or
exploitations in the battle space as there are other
agencies that can do it for them. This leads to a

training attitude of complacency and not caring. When
the group leadership put an emphasis on the training
the results are amazingly different.
The bottom line is that the WIT Team member is more
than capable of retaining the lessons learned in a
Digital Forensics class. The amount of time that is
currently dedicated to the training should be increased
by one or two days to allow for more hands on
examinations, but the time allocated meets the minimal
requirement to train someone to a skill level where they
are capable of conducting Digital Triage Forensic
Examinations. To ensure the team members are
prepared we can use the procedural model of Digital
Triage Forensics (DTF). We have referenced it as a
model for collecting actionable intelligence for the
field commander. As the name implies, it is a
methodology for processing digital media from a given
scene expeditiously ensuring the container and data is
maintained in as pristine a form as possible. The DTF
is best done by trained and equipped persons whom
have direct knowledge and input from the immediate
battlefield crime scene. These trained and equipped
personnel already exist in the form of the WIT Teams.
The WIT team brings knowledge and expertise from
the battle field crime scene that an examiner who is
afar may not recognize. Such as keywords or regional
programs that are of importance to an intelligence
entity.
To affect this new methodology, new rules or doctrinal
policies must be used in the collection of this digital
media as the mainstream methods do not take into
account the tactical and time nature of the battle field
crime scene.
For the purposes of this paper we will isolate a specific
media type and draw a comparison between the
collection of it in a traditional crime scene and that of
the battlefield crime scene.
We chose the Cell Phones as the media to compare, as
this is the fastest growing media in the battle space.
Even though we are showing a specific media type for
comparison, the principals applied in this model can
apply to any digital media found at the combat crime
scene as well.
Comparison of Doctrinal Options for Cell Phone
Collection
SOFIC 2009 Paper No. 3202 Page 5 of 8
Special OperationsForces Industry Conference (SOFIC) 2009
No matter if you are at the traditional crime scene or at
the battlefield crime scene, it is known and accepted
that the cell phone must be isolated from it's carrier to
prevent contamination or the implementation of tactics
that could cause permanent damage to the evidence
containers that exist on the phone. The following
would be core concepts for the collection of Cell
Phones in either situation:
1. Isolation of the evidence from outside sources
2. Prevention of contamination by examiner
error
3. Expedient processing of the evidence to gather
actionable intelligence
4. Maintaining Isolation of the evidence during
the entire process.
Under the DTF methodology three new concepts are
added:
1. Technical and Tactical Safety for personnel
involved
2. Place of the capture and the pre-existing
contaminations of the device by on scene
personnel
3. The restriction of time to collect the evidence
from the crime scene. (5 to 60 minutes)
The mission of the WIT dictates a greater priority on
processing digital evidence to gather actionable
intelligence before the items become true evidence. As
was discussed earlier, a primary concept to collecting
the Cell Phone is to maintain absolute isolation of the
evidence from any external source. This will prevent
any actionable intelligence from being destroyed. Four
different methods for isolation at the battlefield crime
scene include:
1. Place the device into an isolation bubble using
some type of Radio Frequency Jammer.
2. Placing the device still turned on into a
Faraday container of some sort.
3. Powering off the evidence using the power
switch.
4. The DTF method of removing the battery at
the scene.
When discussing the four options, HTCI recommends
that the DTF method be followed every time regardless
if Faraday bags are available or not.
At the traditional crime scene removing the battery is
strongly looked down upon as there is a possibility of
gathering some data from the volatile memory cache.

So why does HTCI support the DTF method of
removing the battery from the cell phone at the crime
scene? The main reasons are the addition of safety,
time, and the ability of the cell phone to be wiped
remotely if connected. With these additional three
concepts, the reason should be clear as to the need to
remove the battery and isolate the phone immediately.
Let’s look at these three reasons in depth.
 Technical and Tactical Safety - It is suggested
to turn the phone off by pushing the power
button. Unfortunately, in the technology
world today the possibility of having the cell
phones keyboard remapped is quite possible.
For example, if an insurgent wanted they
could remap the power button to send a pre
formatted text message or auto dial (a quick
dial number) which could detonate a
secondary device on a scene very easily. By
removing the battery, the investigator also
provides a natural and immediate Faraday
cage around the cell phone. It then has no
ability to connect to the network; preventing
the phone from gathering any further
messages or data that could overwrite or
destroy evidence that is preexisting on the
phone. The phone can also not be tampered
with by any outside person or network. In the
world of the 1900 MHz cell phone, the service
provider has the ability to wipe the on-board
flash memory of the cell phone. This feature
has existed for only a few years but has
already been used by criminals in the United
States to hide or destroy evidence on the cell
phone. Another threat posed by the cell phone
comes from combination of cell phone and
GPS transceiver. With this capability the cell
phone could be used as a tracking device;
providing GPS coordinates that could be
recovered from a website or from a Trojan
application placed on the phone that
continuously forwards GPS locations to
another digital device. Ultimately this could
provide targeting, location and/or tracking
information to an insurgent cell.
An argument can be made though that the
WIT Team is provided a Faraday bag.
Problems that arise from this bag are that it is
a passive device not an active device.
Faraday bags are also susceptible to break
down over time. If the Faraday bag has a hole
SOFIC 2009 Paper No. 3202 Page 6 of 8
Special OperationsForces Industry Conference (SOFIC) 2009
or the fibers of the material are broken, this
will allow the Cell Phone to communicate
with the network rendering the isolation
ineffective It is also possible the WIT team
investigator may employ the bag incorrectly,
not closing the Faraday bag properly, allowing
for the Cell Phone to continue its
communication with the network. This does
not mean that the Faraday bags are useless in
the DTF model. They provide a secondary
method of isolation. In certain circumstances,
the use of the Faraday bag may be the primary
tool used by the investigator.
 Place of the capture and the pre-existing
contaminations of the device by on-scene
personnel -- It may not be possible to use an
RF Jammer in the location of collection. This
can be due to numerous factors including the
lack of the equipment on the scene or the
inability to deploy the device. The insurgents
are familiar with the traditional collection
processes used by WIT teams for collecting
Cell Phones and other devices on the scene.
The manuals and regulations are readily
available from National Institute of Science
and Technology or the Department of Justice
websites. The terrorist is also very aware that
Cell Phones attract attention by investigators
and others at the battlefield crime scene by
there very nature. This makes them an
excellent triggering device especially now that
the networks are 1900 MHz instead of just
800 MHz allowing for true digital
connectivity. By removing the battery we
provide instant isolation.
 The restriction of time to collect the evidence
from the crime scene. (5 to 60 minutes) –
Depending on the Cell Phone, it might be very
easy to identify the power button. Other Cell
Phones may take a significant amount of time
to find the power button and finally turn off
the phone; providing plenty of time for the
Cell Phone to be contaminated or evidence
containers destroyed.
There is only one situation where the battery should not
be pulled and that is when there is actionable
intelligence that cannot be gathered on the screen of the
device by any other means. In this situation the Cell
Phone should be gathered and placed into a functional
Faraday bag. At this point the phone needs to be
transported to the FOB as quickly as possible. The

Cell Phone battery will quickly begin to dissipate as it
tries to connect to the network.
With the arguments above, it is clear that the DTF
model of removing the battery makes the most sense in
all situations except for the last where actionable
intelligence will be lost. It is very important that the
investigator should not attempt to disassemble the Cell
Phone any further until returning to the FOB. When at
the FOB the investigator must be careful to not disturb
any other biometric evidence that is residual on the
phone surface such as fingerprints.
Once the Cell phone is returned to the FOB the
investigator can continue to process the cell phone
continuing the Digital Triage Forensic process. At this
point, analysis of the phone can be accomplished in a
timely and safe manner.
Using Digital Triage Tools (DTT), actionable
intelligence can quickly be found. If the Cell phone
does not reveal any immediately visible, actionable
intelligence then the phone can be put to the end for
deeper analysis..
If the cell phone yields visible, actionable intelligence
then the cell phone should be immediately forwarded
to the security cell to obtain the actionable intelligence
from the cell phone. This triage process will continue
for each cell phone until all Cell phones have been
processed. Using this process, the Cell phones
containing the most data will be identified and can be
sent directly for process front loading them. The other
Cell phones can be further processed as time permits.
This model allows for the quick identification of
actionable intelligence and the ability to undo the log
jam of media being sent to single point processing
centers.
Summary and Implementation
Digital Triage Forensics, in my opinion, will be the
way digital evidence from a crime scene is processed in
the future. The understanding that the tactical soldier
can be competently trained to obtain actionable
intelligence is a reality with schools like JWIC at Ft.
Huachuca. In this paper I have spoken of the
methodology of applying the Digital Triage Forensic
procedure to a specific media type. The reality is this
system or procedural model can be applied to all media
items taken from the battlefield crime scene.
SOFIC 2009 Paper No. 3202 Page 7 of 8
Special OperationsForces Industry Conference (SOFIC) 2009
The procedures set forth here for Digital Triage
Forensics can be applied and instituted at any
battlefield or tactical level. As was referenced in this
paper, WIT teams have both the equipment and training
to accomplish the task of Digital Triage Forensics.
This training and procedural set should be continued
and emulated in other environments. Currently many
other organizations are trying there own version of
WIT. These other team types are being deployed
around the world with the mission of providing the
field commander actionable intelligence, which may or
may not come, from the battlefield crime scene.
This paper covered the major components of the
Battlefield Triage Process.
• The reality of Triage Forensics on the Modern
Battlefield.
• The employment of the Triage Forensics.
• A comparison of the Cell Phone Procedural
Model using the Battlefield Triage Forensics.
• The incorporation and uses of Battle Field
Triage Forensics in today's modern battle
space.
REFERENCES
Bill Hess, Herald Review (2008) Air Force NCO
describes forensic investigation work in
battlefield. Retrieved January 19, 2009, from
http://www.svherald.com/articles/2008/02/26/
news/doc47c3bbd30f681772690068.txt
Marcus K. Rogers, James Goldman, Rick Mislan,
Timothy Wedge, Steve Debrota (2006)
Computer Forensics Field Triage Process
Model. Retrieved October 15, 2008, from
http://www.digitalforensics-
conference.org/CFFTPM/CDFSL-
proceedings2006-CFFTPM.pdf
 Special OperationsForces Industry Conference (SOFIC) 2009

SOFIC 2009 Paper No. 3202 Page 8 of 8