Following the death of Osama Bin Laden, media attention has turned to the digital devices that were found in the compound and the methods that will be used to analyse and extract data. Several articles refer to the use of a technique called “media exploitation” to obtain data from drives, but they are vague on its meaning and the type of activity it entails. So what is it?
The most common definition of Document & Media Exploitation (DOMEX), to give its full title, is provided in an Intelligence Community Directive. This describes DOMEX as:
“The processing, translation, analysis, and dissemination of collected hard copy documents and electronic media, which are under the U.S. government’s physical control and are not publicly available.” (Intelligence Community Directive Number 302, 2007, p7.)
The ICD definition offers a useful starting point but, as with many definitions, is broad to the point of meaningless, potentially encapsulating all intelligence gathering and processing activities performed by the U.S. government. Fortunately, greater clarity is provided by examining the type of information that it does not cover:
“This definition excludes: handling of documents and media during the collection, initial review, and inventory process; and, documents and media withheld from the IC document and media exploitation dissemination system in accordance with Director of National Intelligence-sanctioned agreements and policies to protect sources and methods.” (Intelligence Community Directive Number 302, 2007, p7.)
The list excludes information handled during the initial gathering and analysis phase, as well items that have been declared out of bounds by a suitable authority. By omission, we can determine that the definition does include information gathered during the subsequent investigation phase. Not much use, but it’s a start.
Similarities and differences between DOMEX and other types of forensic investigation
There is considerable overlap in the methods used for Document & Media Exploitation in the intelligence community and other forms of digital forensics, such as those applied by the law enforcement community. Both approaches adopt broadly similar processes and utilise the same tools. However, three key differences may be identified in the handling and usage of information:
- The role that the gathered information performs in the investigation process;
- Quality thresholds assigned to the information based upon its evidential value;
- Techniques used to analyse information
In an article for Power Management magazine, Simson Garfinkel (2007) indicates that the distinction between DOMEX and other forms of digital forensics lies in its use within the investigation process. In addition to providing forensic evidence that may be used in a court of law, information collected from physical and digital media may be used to shape the investigation, enabling the investigator to ask new questions that were not part of its original remit.
“The goal of information exploitation is to get and use the data—the ends justify the means. It’s OK if these results aren’t good enough for a conviction. Exploitation rarely seeks to prove or disprove the details of a case; instead, it seeks to make the fullest use of all the data that has been obtained. The standard of success is the usefulness of the result, not the reliability of the process.” (Garfinkel, 2007, p25 )
To enable information to be used as part of an ongoing investigation, there is greater emphasis upon the speed of identification and analysis, recognising data of value as quickly as possible. As a result, it is recognised that quality thresholds associated with establishing authenticity and integrity may be lower than that applied to data of evidential value.
A third distinction that may be established between the digital forensic approaches used in intelligence gathering in comparison to those used to prepare forensic evidence for a court case lies in the handling of data. While those performing legal investigation are concerned with protecting the evidential value of each item, establishing processes to handling each media item in isolation and avoid cross-contamination, the intelligence community have greater interest in search and analysis across many types of media as quickly as possible. By analysing multiple information sources, an investigator may be able to identify social networks that share common data files or trends that would not be possible by examining a single data source in isolation.
Some concluding thoughts
The approach advocated in DOMEX has considerable value to the archival and digital preservation community. Although the authenticity requirements of digital archives are potentially closer to those of the law enforcement community, the open-ended approach to a DOMEX investigation is better suited to the investigative work performed by archivists when researching notable academics, allowing the information gathered to set the direction of investigation. The use of cross-collection analysis techniques also has wider application in an academic environment, enabling researchers to address research questions using large-scale analysis, such as distribution patterns of information within a department or group.
Garfinkel, S.L (2007). Document & Media Exploitation. Power Management Magazine. Volume 5 Issue 7, November/December 2007. http://portal.acm.org/citation.cfm?id=1331294
McCullagh, D. (2011) Bin Laden’s computers will test U.S. forensics. May 6, 2011. http://news.cnet.com/8301-31921_3-20060321-281.html
National Intelligence. (2007). Intelligence Community Directive Number 302: Document and Media Exploitation, 6 Jul 2007. http://www.fas.org/irp/dni/icd/icd-302.pdf