Advancing coordinated cyber-investigations and tool interoperability using a community developed specification language
Détails
Télécharger: 1-s2.0-S1742287617301007-main.pdf (9307.17 [Ko])
Etat: Public
Version: Final published version
Etat: Public
Version: Final published version
ID Serval
serval:BIB_7344E101D9D5
Type
Article: article d'un périodique ou d'un magazine.
Collection
Publications
Institution
Titre
Advancing coordinated cyber-investigations and tool interoperability using a community developed specification language
Périodique
Digital Investigation
ISSN
1742-2876
Statut éditorial
Publié
Date de publication
09/2017
Peer-reviewed
Oui
Volume
22
Pages
14-45
Langue
anglais
Résumé
Any investigation can have a digital dimension, often involving information from multiple data sources, organizations and jurisdictions. Existing approaches to representing and exchanging cyber-investigation information are inadequate, particularly when combining data sources from numerous organizations or dealing with large amounts of data from various tools. To conduct investigations effectively, there is a pressing need to harmonize how this information is represented and exchanged. This paper addresses this need for information exchange and tool interoperability with an open community-developed specification language called Cyber-investigation Analysis Standard Expression (CASE). To further promote a common structure, CASE aligns with and extends the Unified Cyber Ontology (UCO) construct, which provides a format for representing information in all cyber domains. This ontology abstracts objects and concepts that are not CASE-specific, so that they can be used across other cyber disciplines that may extend UCO. This work is a rational evolution of the Digital Forensic Analysis eXpression (DFAX) for representing digital forensic information and provenance. CASE is more flexible than DFAX and can be utilized in any context, including criminal, corporate and intelligence. CASE also builds on the Hansken data model developed and implemented by the Netherlands Forensic Institute (NFI). CASE enables the fusion of information from different organizations, data sources, and forensic tools to foster more comprehensive and cohesive analysis. This paper includes illustrative examples of how CASE can be implemented and used to capture information in a structured form to advance sharing, interoperability and analysis in cyber-investigations. In addition to capturing technical details and relationships between objects, CASE provides structure for representing and sharing details about how cyber-information was handled, transferred, processed, analyzed, and interpreted. CASE also supports data marking for sharing information at different levels of trust and classification, and for protecting sensitive and private information. Furthermore, CASE supports the sharing of knowledge related to cyber-investigations, including distinctive patterns of activity/behavior that are common across cases. This paper features a proof-of-concept Application Program Interface (API) to facilitate implementation of CASE in tools. Community members are encouraged to participate in the development and implementation of CASE and UCO.
Mots-clé
Law, Medical Laboratory Technology, Computer Science Applications
Web of science
Site de l'éditeur
Création de la notice
15/01/2019 20:40
Dernière modification de la notice
21/08/2019 6:09