Action on cyber investigation standards
Tuesday, 27 June, 2017
Under the umbrella of Europol's European Cybercrime Centre (EC3), a number of the EU's leading digital forensic experts have called for the adoption of the Cyber-investigation Analysis Standard Expression (CASE) as a standard digital forensic format at a meeting hosted at the Agency's headquarters in The Hague on 11 and 12 May 2017.
A digital forensic specialist routinely uses software tools to extract, parse and analyse information on a hard drive or a mobile phone. Until now, it has not been possible to aggregate this digital information in a standardised way, meaning that for each and every tool the investigators had to match the data extracted with the tool specification. This made the process time-consuming and costly.
Cyber-investigation Analysis Standard Expression (CASE) bridges this gap. On the occasion of the expert meeting, EC3's Forensic Lab was able to convince the vast majority of the market leaders to adopt this open-source data format for forensics. This event is a game changer in the specialised field of forensic analysis, as key laboratories and services have repeatedly called for the implementation of such a standard in the past.
CASE is a community-developed standard format, defined as a profile of the Unified Cyber Ontology (UCO). As such, CASE leverages contextually relevant components of the UCO, extending, constraining or renaming them as appropriate. CASE is specified at a semantic level and supports various serialisations, its default serialisation being JSON-LD.
After discussions with the market leaders, EC3 is happy to announce that the following industry companies are currently looking into implementing the standard:
* AccessData
* Cellebrite
* Guidance Software
* I2 - IBM
* Magnet Forensics
* Mercure
* MOBILedit
* NetworkMiner
* Nuix
* Oxygen
* Volatility
* XRY