The Evolution of Expressing and Exchanging Cyber-Investigation Information in a Standardized Form

Part of the Law, Governance and Technology Series book series (LGTS, volume 39)


The growing number of investigations involving digital traces from various data sources is driving the demand for a standard way to represent and exchange pertinent information. Enabling automated combination and correlation of cyber-investigation information from multiple systems or organizations enables more efficient and comprehensive analysis, reducing the risk of mistakes and missed opportunities. These needs are being met by the evolving open-source, community-developed specification language called CASE, the Cyber-investigation Analysis Standard Expression. CASE leverages the Unified Cyber Ontology (UCO), which abstracts and expresses concepts that are common across multiple domains. This paper introduces CASE and UCO, explaining how they improve upon prior related work. The value of fully-structured data, representing provenance, and action lifecycles are discussed. The guiding principles of CASE and UCO are presented, and illustrative examples of CASE are provided using the default JSON-LD serialization.


Cyber Investigators Full Data Structure Digital Forensics Digital Evidence National Software Reference Library (NSRL) 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



This work has been encouraged and supported by Steven Shirley and William Eber at DoD Cyber Crime Center, Barbara Guttman and Mary Laamanen at the National Institute of Standards and Technology, Erwin van Eijk and Ruud van Baar at Netherlands Forensic Institute, and Greg Back, Eric Katz and Justin Grover at MITRE.


  1. Barnum S (2014) Whitepaper: standardizing cyber threat intelligence information with the Structured Threat Information eXpression (STIX), February 20, 2014, Version 1.1, Revision 1.
  2. Brady O, Overill R, Keppens J (2015) DESO: addressing volume and variety in large-scale criminal cases. J Digit Investig 15:72–82CrossRefGoogle Scholar
  3. Casey E (2013) Reinforcing the scientific method in digital investigations using a case-based reasoning (CBR) system. PhD Dissertation, University College DublinGoogle Scholar
  4. Casey E, Back G, Barnum S (2015) Leveraging CybOX to standardize representation and exchange of digital forensic information. In: Proceedings of the 2nd annual DFRWS EU conference. Digital investigation, vol. 12(1)CrossRefGoogle Scholar
  5. Casey E, Barnum S, Griffith R, Snyder J, Beek H, Nelson A (2017) Advancing coordinated cyber-investigations and tool interoperability using a community developed specification language. J Digit Investig 22:14–45CrossRefGoogle Scholar
  6. Casey E, Biasiotti MA, Turchi F (2017) Using standardization and ontology to enhance data protection and intelligent analysis of electronic evidence. In: Proceedings of discovery of electronically stored information workshop (DESI VII), ICAIL 2017. Available at
  7. Chabot Y, Bertaux A, Nicolle C, Kechadi T (2015) An ontology-based approach for the reconstruction and analysis of digital incidents timelines. J Digit Investig 15:83–100. CrossRefGoogle Scholar
  8. Cosic J, Baca M (2015) Leveraging DEMF to ensure and represent 5ws&1h in digital forensic domain. Int J Comput Sci 13(2):7–10Google Scholar
  9. Egger SA (1984) A working definition of serial murder and the reduction of linkage blindness. J Police Sci Admin 12(3):348–357Google Scholar
  10. Garfinkel SL (2009) Automating disk forensic processing with SleuthKit, XML and Python. In: Proceeding of systematic approaches to digital forensics engineering (IEEE/SADFE 2009), Oakland, CAGoogle Scholar
  11. Garfinkel SL (2012) Digital forensics XML and the DFXML toolset. J Digit Investig 8:161–174CrossRefGoogle Scholar
  12. Lanthaler M, Gütl C (2012) On using JSON-LD to create evolvable RESTful services. In: Proceedings of the 3rd international workshop on RESTful design (WS-REST 2012) at WWW2012, Lyon. ACM, New York, pp 25–32CrossRefGoogle Scholar
  13. Margot P (2011) Forensic science on trial - what is the law of the land? Aust J Forensic Sci 43(2–3):89–103CrossRefGoogle Scholar
  14. Nelson AJ, Steggall EQ, Long DDE (2014) Cooperative mode: comparative storage metadata verification applied to the Xbox 360. In: Proceedings of the 14th annual DFRWS USA conference. J Digit Investig, vol 11(1)Google Scholar
  15. Office of the Director of National Intelligence (2017) XML data encoding specification for intelligence document and media exploitation. Accessed 15 Mar 2017
  16. Turnbull B, Randhawab S (2015) Automated event and social network extraction from digital evidence sources with ontological mapping. J Digit Investig 13:94–106CrossRefGoogle Scholar
  17. van Baar RB, van Beek HMA, van Eijk EJ (2014) Digital forensics as a service: a game changer. In: Proceedings of the 1st annual DFRWS EU conference. J Digit Investig, vol 11(S1): S1–S120Google Scholar
  18. van Beek HMA, van Eijk EJ, van Baar RB, Ugen M, Bodde JNC, Siemelink AJ (2015) Digital forensics as a service: game on. J Digit Investig (Special Issue on Big Data and Intelligent Data Analysis) 15:20–38Google Scholar

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. 1.School of Criminal SciencesUniversity of LausanneLausanneSwitzerland
  2. 2.Mitre CorporationMcLeanUSA
  3. 3.Department of Defense Cyber Crime CenterLinthicumUSA
  4. 4.Netherlands Forensic InstituteThe HagueThe Netherlands
  5. 5.National Institute of Standards and TechnologyGaithersburgUSA

Personalised recommendations