Digital forensics for large-scale networks
To make it easier for criminal investigators to solve cases where evidence resides on large-scale computer networks, researchers at Purdue University have developed a toolkit that brings together the top open source investigative tools used by digital forensic law enforcement teams at the local, state, national and global levels.
Available to law enforcement for free, the Toolkit for Selective Analysis and Reconstruction of Files (FileTSAR) was funded by the National Institute of Justice to improve the way digital evidence is collected. With the open-source tools and code wrappers, network forensic investigators can capture, selectively analyze and reconstruct files from network traffic.
Law enforcement officials are often limited by tools that are expensive, limited in scope, quickly outdated and incompatible with each other – especially when it comes to investigations involving large networks – making it difficult to identify salient evidence from the vast amounts of network data.
“The current network forensic investigative tools have limited capabilities – they cannot communicate with each other and their cost can be immense,” said Kathryn Seigfried-Spellar, an assistant professor of computer and information technology in the Purdue Polytechnic Institute, who helped lead the research team.
FileTSAR captures data flows and allows investigators to selectively reconstruct multiple types of data, including documents, images, email, VoIP conversations and messaging for large-scale computer networks. It could be used to uncover any network traffic that may be relevant to a case, including insider trading or workplace harassment, Seigfried-Spellar said.
The toolkit also uses hashing for each file carved from a bulk data capture to maintain the integrity and provenance of the data throughout the analysis processes. This helps ensure the data and analysis can be admissible as evidence in court.
FileTSAR was stress-tested using approximately 123,500,000 packets from a collection of packet capture files totaling nearly 100GB, researchers said in an abstract of their work. Sixteen digital forensic examiners from across the U.S. who participated in a three-day law enforcement training workshop for FileTSAR “expressed substantial support for FileTSAR with large-scale investigations” and suggested a scaled-down version for agencies with storage, budget and back-end support limitations.
FileTSAR is available to any law enforcement office in the United States with online training conducted by the Purdue University Cyberforensics program.
Susan Miller is executive editor at GCN.
Over a career spent in tech media, Miller has worked in editorial, print production and online, starting on the copy desk at IDG’s ComputerWorld, moving to print production for Federal Computer Week and later helping launch websites and email newsletter delivery for FCW. After a turn at Virginia’s Center for Innovative Technology, where she worked to promote technology-based economic development, she rejoined what was to become 1105 Media in 2004, eventually managing content and production for all the company’s government-focused websites. Miller shifted back to editorial in 2012, when she began working with GCN.
Miller has a BA and MA from West Chester University and did Ph.D. work in English at the University of Delaware.