Cyber forensic awareness: The value of forensic triage in military operations

Captain Nathan Mark recently argued (pdf, p. 57) that the Army needs much higher cyber and digital forensic awareness to match rapid global technological advancement. The rise in use of mobile technologies and computer systems by both state and non-state actors means that an increasing amount of potential intelligence exists that we can and should exploit.

In contemporary operations, soldiers are often required to balance military objectives with law enforcement outcomes, weighing the security benefit of gathering information from a device immediately against the legal consequences if the traditionally lengthy process of obtaining that information in a forensically sound manner is not followed. This raises an important issue: how can we rapidly exploit devices which may contain information of immediate value to a military operation, while still supporting the larger governance issues surrounding law enforcement, the judicial system and the other institutions that are essential to the functioning of a civil society?

Digital forensic triage is an effective way of achieving this. By definition, triage refers to 'a fast, initial screen of potential investigative targets in order to estimate their evidentiary value'. Using both administrative and technical triage, it provides a way to assess a large number of digital devices so that those with the greater potential to provide information of value are analysed first. Administrative triage involves an experienced investigator or subject matter expert prioritising on a case-by-case basis, determining when and how a device should be analysed by considering factors including the type of crime committed and the potential for further harm. Technical triage uses software to rapidly screen a device for information. The operator specifies a quick scan for particular file types or keywords, and a significant number of hits indicates that the device warrants further, fuller analysis.
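
The file-type and keyword screen described above can be shown in working code. What follows is an added example written for this page; it is not a tool from the article, nor one used by Army or law enforcement. The magic-byte signatures are standard, but the scoring weights, the keyword list and the sample 'devices' (in-memory path-to-bytes maps) are assumptions constructed purely for illustration. The example also takes a SHA-256 fingerprint of every file before and after the screen, which is the minimum check a practitioner wants to show the triage itself did not alter the material.

```python
import hashlib
import re
from collections import Counter

# Magic-byte signatures used to classify files by content rather than by
# extension (a renamed chat database is still a chat database).
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"SQLite format 3\x00": "sqlite",
    b"PK\x03\x04": "zip",
}

# Illustrative weights (assumptions for this example, not a doctrine value):
# message stores are SQLite on most phones, so they rank highest.
TYPE_WEIGHT = {"sqlite": 3, "text": 1, "jpeg": 1, "png": 1, "pdf": 1, "zip": 1, "binary": 0}
KEYWORD_WEIGHT = 2


def classify(data: bytes) -> str:
    """Return a coarse file type from the leading bytes."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    if b"\x00" in data:
        return "binary"
    try:
        data.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "binary"


def keyword_hits(data: bytes, keywords) -> dict:
    """Case-insensitive keyword counts; undecodable bytes are skipped."""
    text = data.decode("utf-8", errors="ignore").lower()
    hits = {k: len(re.findall(re.escape(k.lower()), text)) for k in keywords}
    return {k: n for k, n in hits.items() if n}


def fingerprint(files: dict) -> dict:
    """SHA-256 of every file, taken before and after the screen so that any
    change to the evidence caused by the screening itself is detectable."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def verify_integrity(before: dict, after: dict) -> bool:
    return before == after


def triage_device(name: str, files: dict, keywords) -> dict:
    """Score one device: weighted file types plus weighted keyword hits."""
    types, hits = Counter(), Counter()
    for data in files.values():
        types[classify(data)] += 1
        hits.update(keyword_hits(data, keywords))
    score = sum(TYPE_WEIGHT.get(t, 0) * n for t, n in types.items())
    score += KEYWORD_WEIGHT * sum(hits.values())
    return {"device": name, "score": score, "types": dict(types), "hits": dict(hits)}


def triage_devices(devices: dict, keywords) -> list:
    """Rank devices so the most promising one is examined first."""
    ranked = []
    for name, files in devices.items():
        before = fingerprint(files)
        result = triage_device(name, files, keywords)
        result["intact"] = verify_integrity(before, fingerprint(files))
        ranked.append(result)
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


# Constructed sample devices (path -> bytes), invented for this example.
DEVICES = {
    "phone-A": {
        "DCIM/IMG_0001.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "chat/messages.db": b"SQLite format 3\x00" + b"\x00" * 16,
        "notes.txt": b"Fall back to the ridge at 0400. Bring the radio.",
    },
    "laptop-B": {
        "report.pdf": b"%PDF-1.4 ...",
        "todo.txt": b"buy milk",
    },
    "usb-C": {
        "archive.zip": b"PK\x03\x04" + b"\x00" * 8,
    },
}
KEYWORDS = ["ridge", "radio", "0400"]  # assumed terms of interest

if __name__ == "__main__":
    for r in triage_devices(DEVICES, KEYWORDS):
        print(f"{r['device']:>9} score={r['score']:<3} types={r['types']} "
              f"hits={r['hits']} intact={r['intact']}")
```

On the constructed sample the phone ranks first (a message database plus three keyword hits), the laptop second and the USB stick last, which is the ordering an analyst would then work through. Against a real device the same screen should be run over a write-blocked image rather than the live filesystem: reading bytes in memory, as here, changes nothing, but scanning a mounted device can update access timestamps, and the before-and-after hashes exist precisely to surface that.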

In support of Captain Mark's call for increased cyber forensic awareness in Army, an understanding of digital forensic triage also needs to be fostered. As soldiers, we are required to operate in dangerous environments where failure to meet certain timings or deadlines can have serious consequences. We also operate in environments characterised by a lack of information, where an enemy will conduct their own planning process to shape the battlespace. Any information we can gather on an enemy sooner rather than later is beneficial. Digital triage allows us to gain an advantage in planning, decision-making and execution.

Consider this scenario: An infantry platoon has engaged an enemy and forced them to withdraw from their position. This position may hold significance to the enemy, and they may intend to regroup to counter-attack or move to establish themselves elsewhere. A number of digital devices are encountered at the scene. By performing digital triage on these devices, with forensically sound tools that have been proven effective through their use in law enforcement and private industry, the platoon commander may be able to gather information on an enemy's locations or activities, or evidence of chat messages that were sent hastily upon withdrawal from the position. This type of information can then be incorporated into the platoon commander's immediate planning process and rapidly passed on to higher command, providing actionable military intelligence with an immediate battlefield advantage. It also promotes initiative by providing information that allows for better prediction of an enemy commander's actions. An effective initial forensic triage at the scene will not only provide information in time-critical situations, but also maintain the integrity of the data (by working from a read-only copy that is hashed before any examination) so that law enforcement assets can later provide legally admissible evidence that could be essential in judicial proceedings. While Captain Mark does briefly mention 'live analysis' as a way to provide a quick assessment of a situation, the true value that can be gained from triage also needs to be explored further.

Overall, Captain Mark's article highlights the importance of, and need for, cyber forensic awareness and specialisation in Army, with which I wholeheartedly agree. This knowledge needs to be extended to the troops on the ground most likely to encounter devices in hostile situations. Let's train them to conduct rapid triage for information with forensically tried and tested tools, or embed a soldier with specialised forensic training into each platoon conducting a task. Unfortunately we don't always have the luxury of time, so if a triage process can give a commander a greater chance of achieving mission success, it is an invaluable capability to develop for our personnel.

Lieutenant Benjamin Rice is an officer in the Australian Army.

The views expressed in this article and subsequent comments are those of the author(s) and do not necessarily reflect the official policy or position of the Australian Army, the Department of Defence or the Australian Government.


  • response from Major Ellis-Smith, 21 September 2015

    Lieutenant Rice has correctly observed that the Army needs much higher cyber and digital forensic awareness in the contemporary battlefield, and that there is a requirement for a tactical level means to exploit media and devices, embedded down to the platoon level. He may be happy to know that this is an existing capability with Army. A range of specialist collection teams are trained and equipped to exploit a wide range of digital devices. These teams train to follow in direct support of combat troops, or be embedded in patrols, with the task of moving forward to exploit digital devices during the reorganisation phase of the battle. Training on specialist exploitation equipment and techniques is also provided to combat elements as required.

    I would argue, however, that the argument for digital triage on the basis of limited time at an incident site is flawed. In that circumstance, items are simply removed from the site for more detailed exploitation in a secure area. Specialist exploitation teams are trained to capture and handle material to evidentiary standard, if required.

    Lieutenant Rice has identified that there is an increasing amount of potential intelligence due to the rise in use of mobile technologies and computer systems. I would suggest that capturing this material isn't the more significant problem; the greater burden lies in analysing the information that is now available so that it can be made available to commanders as actionable intelligence. Consider the amount of data available on a smart phone; processing and analysing all of that information in detail takes significant time and effort. A human being must invariably conduct that analysis. If there is scope for capability development, it is likely to be of more use in the back end, assisting a limited number of analysts to prioritise vast amounts of data from the exploitation of digital devices, among a range of other sources.


    Major Ellis-Smith is a sub-unit commander with experience in exploitation operations.