
The Evolution of Expressing and Exchanging Cyber-Investigation Information in a Standardized Form


Part of the book series: Law, Governance and Technology Series ((LGTS,volume 39))

Abstract

The growing number of investigations involving digital traces from various data sources is driving the demand for a standard way to represent and exchange pertinent information. Enabling automated combination and correlation of cyber-investigation information from multiple systems or organizations enables more efficient and comprehensive analysis, reducing the risk of mistakes and missed opportunities. These needs are being met by the evolving open-source, community-developed specification language called CASE, the Cyber-investigation Analysis Standard Expression. CASE leverages the Unified Cyber Ontology (UCO), which abstracts and expresses concepts that are common across multiple domains. This paper introduces CASE and UCO, explaining how they improve upon prior related work. The value of fully-structured data, representing provenance, and action lifecycles are discussed. The guiding principles of CASE and UCO are presented, and illustrative examples of CASE are provided using the default JSON-LD serialization.


Notes

  1. For more technical details, design decisions, and comprehensive examples, see Casey et al. (2017).

  2. https://sites.google.com/view/casework/

  3. Linkage blindness is a term coined by criminologist Steve Egger in the context of serial homicides to describe the failure to recognize a pattern that links one crime to another, such as crimes committed by the same offender in different jurisdictions (Egger, 1984).

  4. Duck typing allows data to be defined by its inherent characteristics rather than by strict data typing enforced up front. CASE objects can be assigned any rational combination of property bundles, such as a file that is both an image and a thumbnail. Under this approach, data types are evaluated with the duck test. Simply stated, if it walks like a duck, swims like a duck, quacks like a duck, and looks like a duck, then it probably is a duck.
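The duck test from note 4, as an added example that is not code from the chapter or the CASE project: a constructed CASE-style JSON-LD trace carries several property bundles, and a consumer decides what the trace "is" by which bundles are present rather than by a fixed class. The bundle type names, property names and the `case:` context URL are placeholders for this example, not normative CASE terms.

```python
import json

# Constructed CASE-style JSON-LD trace, modelled on the propertyBundle layout
# the chapter describes. Bundle type names ("File", "Image", "Thumbnail"),
# property names and the context URL are placeholders, not normative CASE terms.
SAMPLE = json.loads("""
{
  "@context": {"case": "http://example.org/case/"},
  "@id": "case:trace-1",
  "@type": "Trace",
  "propertyBundle": [
    {"@type": "File", "fileName": "IMG_0042.JPG", "sizeInBytes": 20480},
    {"@type": "Image", "pictureType": "jpeg", "pictureHeight": 1200, "pictureWidth": 1600},
    {"@type": "Thumbnail", "thumbnailOf": "case:trace-0"}
  ]
}
""")

# Duck-test profiles (assumed for this example): a trace plays a role when it
# carries every bundle that role needs. One trace may satisfy several roles.
ROLE_PROFILES = {
    "file": {"File"},
    "image": {"File", "Image"},
    "thumbnail": {"File", "Image", "Thumbnail"},
}

def bundle_types(trace):
    """Return the set of property-bundle types attached to a trace."""
    return {b["@type"] for b in trace.get("propertyBundle", [])}

def passes_duck_test(trace, role):
    """If the trace carries every bundle a role requires, it walks like that role."""
    return ROLE_PROFILES[role] <= bundle_types(trace)

def roles_of(trace):
    """All roles the trace satisfies, sorted so the result is stable."""
    return sorted(r for r in ROLE_PROFILES if passes_duck_test(trace, r))

def bundle(trace, bundle_type):
    """Fetch one bundle by type so a consumer reads facts without a fixed class hierarchy."""
    for b in trace.get("propertyBundle", []):
        if b["@type"] == bundle_type:
            return b
    return None
```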

References

  • Barnum S (2014) Whitepaper: standardizing cyber threat intelligence information with the Structured Threat Information eXpression (STIX), February 20, 2014, Version 1.1, Revision 1. http://stixproject.github.io/getting-started/whitepaper

  • Brady O, Overill R, Keppens J (2015) DESO: addressing volume and variety in large-scale criminal cases. J Digit Investig 15:72–82

  • Casey E (2013) Reinforcing the scientific method in digital investigations using a case-based reasoning (CBR) system. PhD Dissertation, University College Dublin

  • Casey E, Back G, Barnum S (2015) Leveraging CybOX to standardize representation and exchange of digital forensic information. In: Proceedings of the 2nd annual DFRWS EU conference. J Digit Investig, vol 12(1)

  • Casey E, Barnum S, Griffith R, Snyder J, van Beek H, Nelson A (2017) Advancing coordinated cyber-investigations and tool interoperability using a community developed specification language. J Digit Investig 22:14–45

  • Casey E, Biasiotti MA, Turchi F (2017) Using standardization and ontology to enhance data protection and intelligent analysis of electronic evidence. In: Proceedings of the discovery of electronically stored information workshop (DESI VII), ICAIL 2017. Available at https://www.umiacs.umd.edu/~oard/desi7

  • Chabot Y, Bertaux A, Nicolle C, Kechadi T (2015) An ontology-based approach for the reconstruction and analysis of digital incidents timelines. J Digit Investig 15:83–100. https://doi.org/10.1016/j.diin.2015.07.005

  • Cosic J, Baca M (2015) Leveraging DEMF to ensure and represent 5Ws&1H in the digital forensic domain. Int J Comput Sci 13(2):7–10

  • Egger SA (1984) A working definition of serial murder and the reduction of linkage blindness. J Police Sci Admin 12(3):348–357

  • Garfinkel SL (2009) Automating disk forensic processing with SleuthKit, XML and Python. In: Proceedings of systematic approaches to digital forensics engineering (IEEE/SADFE 2009), Oakland, CA

  • Garfinkel SL (2012) Digital forensics XML and the DFXML toolset. J Digit Investig 8:161–174

  • Lanthaler M, Gütl C (2012) On using JSON-LD to create evolvable RESTful services. In: Proceedings of the 3rd international workshop on RESTful design (WS-REST 2012) at WWW2012, Lyon. ACM, New York, pp 25–32

  • Margot P (2011) Forensic science on trial - what is the law of the land? Aust J Forensic Sci 43(2–3):89–103

  • Nelson AJ, Steggall EQ, Long DDE (2014) Cooperative mode: comparative storage metadata verification applied to the Xbox 360. In: Proceedings of the 14th annual DFRWS USA conference. J Digit Investig, vol 11(1)

  • Office of the Director of National Intelligence (2017) XML data encoding specification for intelligence document and media exploitation. https://www.dni.gov/index.php/about/organization/chief-information-officer/information-security-marking-access?id=1204. Accessed 15 Mar 2017

  • Turnbull B, Randhawa S (2015) Automated event and social network extraction from digital evidence sources with ontological mapping. J Digit Investig 13:94–106

  • van Baar RB, van Beek HMA, van Eijk EJ (2014) Digital forensics as a service: a game changer. In: Proceedings of the 1st annual DFRWS EU conference. J Digit Investig, vol 11(S1):S1–S120

  • van Beek HMA, van Eijk EJ, van Baar RB, Ugen M, Bodde JNC, Siemelink AJ (2015) Digital forensics as a service: game on. J Digit Investig (Special Issue on Big Data and Intelligent Data Analysis) 15:20–38


Acknowledgements

This work has been encouraged and supported by Steven Shirley and William Eber at DoD Cyber Crime Center, Barbara Guttman and Mary Laamanen at the National Institute of Standards and Technology, Erwin van Eijk and Ruud van Baar at Netherlands Forensic Institute, and Greg Back, Eric Katz and Justin Grover at MITRE.

Author information

Corresponding author: Eoghan Casey.


Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature


Cite this chapter

Casey, E., Barnum, S., Griffith, R., Snyder, J., van Beek, H., Nelson, A. (2018). The Evolution of Expressing and Exchanging Cyber-Investigation Information in a Standardized Form. In: Biasiotti, M., Mifsud Bonnici, J., Cannataci, J., Turchi, F. (eds) Handling and Exchanging Electronic Evidence Across Europe. Law, Governance and Technology Series, vol 39. Springer, Cham. https://doi.org/10.1007/978-3-319-74872-6_4


  • DOI: https://doi.org/10.1007/978-3-319-74872-6_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-74871-9

  • Online ISBN: 978-3-319-74872-6
