The Evolution of Expressing and Exchanging Cyber-Investigation Information in a Standardized Form
The growing number of investigations involving digital traces from various data sources is driving the demand for a standard way to represent and exchange pertinent information. Automated combination and correlation of cyber-investigation information from multiple systems or organizations enables more efficient and comprehensive analysis, reducing the risk of mistakes and missed opportunities. These needs are being met by the evolving open-source, community-developed specification language CASE, the Cyber-investigation Analysis Standard Expression. CASE leverages the Unified Cyber Ontology (UCO), which abstracts and expresses concepts that are common across multiple domains. This paper introduces CASE and UCO and explains how they improve upon prior related work. The value of fully structured data, of representing provenance, and of action lifecycles is discussed. The guiding principles of CASE and UCO are presented, and illustrative examples of CASE are provided using the default JSON-LD serialization.
This work has been encouraged and supported by Steven Shirley and William Eber at DoD Cyber Crime Center, Barbara Guttman and Mary Laamanen at the National Institute of Standards and Technology, Erwin van Eijk and Ruud van Baar at Netherlands Forensic Institute, and Greg Back, Eric Katz and Justin Grover at MITRE.