Abstract
The growing number of investigations involving digital traces from various data sources is driving the demand for a standard way to represent and exchange pertinent information. Automated combination and correlation of cyber-investigation information from multiple systems or organizations allows more efficient and comprehensive analysis, reducing the risk of mistakes and missed opportunities. These needs are being met by the evolving open-source, community-developed specification language called CASE, the Cyber-investigation Analysis Standard Expression. CASE leverages the Unified Cyber Ontology (UCO), which abstracts and expresses concepts that are common across multiple domains. This paper introduces CASE and UCO, explaining how they improve upon prior related work. The value of fully structured data, of representing provenance, and of action lifecycles is discussed. The guiding principles of CASE and UCO are presented, and illustrative examples of CASE are provided using the default JSON-LD serialization.
Notes
- 1. For more technical details, design decisions, and comprehensive examples, see Casey et al. (2017).
- 2.
- 3. Linkage blindness is a term coined by criminologist Steve Egger in the context of serial homicides to describe the failure to recognize a pattern that links one crime to another, such as crimes committed by the same offender in different jurisdictions (Egger, 1984).
- 4. Duck typing allows data to be defined by its inherent characteristics rather than by strict data typing. CASE objects can be assigned any rational combination of property bundles, such as a file that is both an image and a thumbnail. Under this approach, data types are evaluated with the duck test: if it walks like a duck, swims like a duck, quacks like a duck, and looks like a duck, then it probably is a duck.
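The following is an added example, not code from the chapter or from the CASE/UCO project, illustrating the duck-typing idea in note 4 over a small constructed JSON-LD graph. The key `propertyBundle`, the bundle type names `File`, `Image` and `Thumbnail`, the property names inside them, and the `@context` URL are illustrative assumptions chosen for this example, not the identifiers the CASE schema actually defines. Each trace is classified by the bundles it carries rather than by a fixed class, so one object can be a file, an image and a thumbnail at the same time.

```python
import json

# Constructed CASE-style JSON-LD graph (sample input for this example).
# "propertyBundle", the bundle types and their properties are assumed
# illustrative names, not the CASE/UCO schema's own identifiers.
SAMPLE_JSONLD = """
{
  "@context": {"case": "http://example.org/case#"},
  "@graph": [
    {
      "@id": "trace-1",
      "@type": "Trace",
      "propertyBundle": [
        {"@type": "File", "fileName": "IMG_0042.JPG", "sizeInBytes": 2048000},
        {"@type": "Image", "pixelWidth": 4032, "pixelHeight": 3024}
      ]
    },
    {
      "@id": "trace-2",
      "@type": "Trace",
      "propertyBundle": [
        {"@type": "File", "fileName": "IMG_0042_thumb.JPG", "sizeInBytes": 8192},
        {"@type": "Image", "pixelWidth": 160, "pixelHeight": 120},
        {"@type": "Thumbnail", "thumbnailOf": "trace-1"}
      ]
    },
    {
      "@id": "trace-3",
      "@type": "Trace",
      "propertyBundle": [
        {"@type": "File", "fileName": "notes.txt", "sizeInBytes": 120}
      ]
    },
    {
      "@id": "trace-4",
      "@type": "Trace",
      "propertyBundle": [
        {"@type": "Thumbnail", "thumbnailOf": "trace-99"}
      ]
    }
  ]
}
"""


def load_graph(text):
    """Parse the JSON-LD document and index the @graph objects by @id."""
    doc = json.loads(text)
    return {obj["@id"]: obj for obj in doc["@graph"]}


def bundle(obj, kind):
    """Return the first property bundle of the given type, or None."""
    for b in obj.get("propertyBundle", []):
        if b.get("@type") == kind:
            return b
    return None


def bundle_types(obj):
    """The set of property-bundle types attached to one object."""
    return {b.get("@type") for b in obj.get("propertyBundle", [])}


def walks_like_an_image(obj):
    """Duck test: an object carrying image dimensions is treated as an image,
    regardless of its declared @type."""
    img = bundle(obj, "Image")
    return img is not None and "pixelWidth" in img and "pixelHeight" in img


def classify(graph, obj_id):
    """Classify a trace by the bundles it carries, not by a single class."""
    obj = graph[obj_id]
    kinds = bundle_types(obj)
    if "Thumbnail" in kinds and walks_like_an_image(obj):
        return "thumbnail-image"
    if walks_like_an_image(obj):
        return "image-file" if "File" in kinds else "image"
    if "File" in kinds:
        return "file"
    return "unknown"


def thumbnails_of(graph, target_id):
    """Follow Thumbnail bundles back to the trace they depict."""
    return sorted(
        oid for oid, obj in graph.items()
        if (bundle(obj, "Thumbnail") or {}).get("thumbnailOf") == target_id
    )


def dangling_references(graph):
    """Thumbnail bundles whose target @id is absent from the graph: an
    exchange partner should reject or flag these rather than guess."""
    return sorted(
        oid for oid, obj in graph.items()
        if bundle(obj, "Thumbnail") is not None
        and bundle(obj, "Thumbnail").get("thumbnailOf") not in graph
    )


if __name__ == "__main__":
    g = load_graph(SAMPLE_JSONLD)
    for oid in g:
        print(oid, classify(g, oid))
    print("thumbnails of trace-1:", thumbnails_of(g, "trace-1"))
    print("dangling references:", dangling_references(g))
```

Note that `trace-4` declares itself a thumbnail but carries no image properties and points at an object that does not exist; the duck test classifies it as `unknown` and the reference check surfaces it, which is the kind of inconsistency a receiving tool should report when merging data from another organization.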
References
Barnum S (2014) Whitepaper: standardizing cyber threat intelligence information with the Structured Threat Information eXpression (STIX), February 20, 2014, Version 1.1, Revision 1. http://stixproject.github.io/getting-started/whitepaper
Brady O, Overill R, Keppens J (2015) DESO: addressing volume and variety in large-scale criminal cases. J Digit Investig 15:72–82
Casey E (2013) Reinforcing the scientific method in digital investigations using a case-based reasoning (CBR) system. PhD Dissertation, University College Dublin
Casey E, Back G, Barnum S (2015) Leveraging CybOX to standardize representation and exchange of digital forensic information. In: Proceedings of the 2nd annual DFRWS EU conference. Digital investigation, vol. 12(1)
Casey E, Barnum S, Griffith R, Snyder J, Beek H, Nelson A (2017) Advancing coordinated cyber-investigations and tool interoperability using a community developed specification language. J Digit Investig 22:14–45
Casey E, Biasiotti MA, Turchi F (2017) Using standardization and ontology to enhance data protection and intelligent analysis of electronic evidence. In: Proceedings of discovery of electronically stored information workshop (DESI VII), ICAIL 2017. Available at https://www.umiacs.umd.edu/~oard/desi7
Chabot Y, Bertaux A, Nicolle C, Kechadi T (2015) An ontology-based approach for the reconstruction and analysis of digital incidents timelines. J Digit Investig 15:83–100. https://doi.org/10.1016/j.diin.2015.07.005
Cosic J, Baca M (2015) Leveraging DEMF to ensure and represent 5Ws&1H in digital forensic domain. Int J Comput Sci 13(2):7–10
Egger SA (1984) A working definition of serial murder and the reduction of linkage blindness. J Police Sci Admin 12(3):348–357
Garfinkel SL (2009) Automating disk forensic processing with SleuthKit, XML and Python. In: Proceedings of systematic approaches to digital forensics engineering (IEEE/SADFE 2009), Oakland, CA
Garfinkel SL (2012) Digital forensics XML and the DFXML toolset. J Digit Investig 8:161–174
Lanthaler M, Gütl C (2012) On using JSON-LD to create evolvable RESTful services. In: Proceedings of the 3rd international workshop on RESTful design (WS-REST 2012) at WWW2012, Lyon. ACM, New York, pp 25–32
Margot P (2011) Forensic science on trial - what is the law of the land? Aust J Forensic Sci 43(2–3):89–103
Nelson AJ, Steggall EQ, Long DDE (2014) Cooperative mode: comparative storage metadata verification applied to the Xbox 360. In: Proceedings of the 14th annual DFRWS USA conference. J Digit Investig, vol 11(1)
Office of the Director of National Intelligence (2017) XML data encoding specification for intelligence document and media exploitation. https://www.dni.gov/index.php/about/organization/chief-information-officer/information-security-marking-access?id=1204. Accessed 15 Mar 2017
Turnbull B, Randhawa S (2015) Automated event and social network extraction from digital evidence sources with ontological mapping. J Digit Investig 13:94–106
van Baar RB, van Beek HMA, van Eijk EJ (2014) Digital forensics as a service: a game changer. In: Proceedings of the 1st annual DFRWS EU conference. J Digit Investig, vol 11(S1): S1–S120
van Beek HMA, van Eijk EJ, van Baar RB, Ugen M, Bodde JNC, Siemelink AJ (2015) Digital forensics as a service: game on. J Digit Investig (Special Issue on Big Data and Intelligent Data Analysis) 15:20–38
Acknowledgements
This work has been encouraged and supported by Steven Shirley and William Eber at DoD Cyber Crime Center, Barbara Guttman and Mary Laamanen at the National Institute of Standards and Technology, Erwin van Eijk and Ruud van Baar at Netherlands Forensic Institute, and Greg Back, Eric Katz and Justin Grover at MITRE.
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
About this chapter
Cite this chapter
Casey, E., Barnum, S., Griffith, R., Snyder, J., van Beek, H., Nelson, A. (2018). The Evolution of Expressing and Exchanging Cyber-Investigation Information in a Standardized Form. In: Biasiotti, M., Mifsud Bonnici, J., Cannataci, J., Turchi, F. (eds) Handling and Exchanging Electronic Evidence Across Europe. Law, Governance and Technology Series, vol 39. Springer, Cham. https://doi.org/10.1007/978-3-319-74872-6_4
DOI: https://doi.org/10.1007/978-3-319-74872-6_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-74871-9
Online ISBN: 978-3-319-74872-6