NFI among the founders of universal cyber-language to simplify international crime-fighting efforts
To effectively combat criminal behaviour, it is essential for investigative services and digital-forensic examiners to cooperate internationally with one another. One example of this is exchanging forensic instruments for the purpose of cracking encrypted phones. Their cooperation becomes easier when the various instruments use the same ‘cyber language’ to record all the traces. To that end, an international language has now been developed: Cyber-investigation Analysis Standard Expression (CASE). The Netherlands Forensic Institute (NFI) is one of the founders of this worldwide language. As of this month, the continued development of the language is a project of the Linux Foundation in the United States (USA). Virtually all innovative digital companies are members of this foundation, which provides assistance for innovative open source projects.
If a person wants to talk to someone in another country, they do so using a common language such as English. This is useful for understanding one another and for avoiding Babelesque miscommunication. ‘Forensic tools for the analysis of digital material must also speak a common language in order to be able to exchange data with one another’, explains Harm van Beek. He is a senior digital-forensic examiner at the NFI and has been involved in the development of the language from the outset. ‘To give an example: imagine that various seized devices contain emails in multiple apps, such as Gmail, Outlook or Apple Mail. These emails all look just a little different and can be cracked using different forensic tools.’ Each tool also uses slightly different terms to describe the emails – ‘mail’, ‘email’, ‘e-mail’ or ‘email message’. The same applies to the details of the emails; one tool might refer to the ‘sender and recipient’, while another refers to ‘from and to’. If you want to conduct a quick and organised search of these emails, you have to extract them from the tools and combine them first. ‘To do this, you must first make sure they all have the same terms, such as by making each one an “email” with a “sender and recipient”. CASE is the language that establishes how we refer to digital traces.’
Easier international cooperation
‘The development of this shared language is an important step toward the standardisation of digital forensic science worldwide’, Van Beek continues. The universal language for forensic tools will simplify international cooperation with regard to cybercrime, online fraud, sexual exploitation, terrorism and so on. As it stands now, forensic institutes, investigative services, universities and other parties are all developing their own, more or less similar, forensic instruments for unlocking data from various apps and devices. Each of them does this in their own way and using their own language. ‘Thanks to CASE, it is now possible for us to utilise each other's tools. The instruments record the digital traces they retrieve from an app or device in the same way using CASE. This eliminates the need to translate the results when sharing. So when we develop an instrument to decode a new app, forensic examiners in other countries will be able to use that tool as well’, Van Beek says.
NFI one of the initiators behind universal language
CASE began in 2014 as an initiative from a group of individuals working at government organisations, investigative services, scientific and commercial organisations. That included the NFI, but also the American Department of Defense Cyber Crime Center (DC3), the American National Institute of Standards and Technology (NIST) and the University of Lausanne in Switzerland. Besides being one of the initiators of the universal language, Van Beek is also among the ‘founding fathers’ of the digital search engine Hansken. This works according to the same principle: ‘Hansken also brings together digital traces from various tools and enables the user to search that data. This makes it possible to combine the information retrieved from a phone with information gathered from an internet tap.’ In cooperation with TNO, the NFI is now teaching the CASE language to the Hansken search engine so that Hansken can be linked to all the other tools that ‘speak’ CASE. ‘The CASE standard is gaining increasing traction. For example, TNO worked with Interpol and other parties to develop what is known as a Dark Web & Virtual Assets taxonomy. The CASE community, in turn, plans to integrate that taxonomy into CASE. The NFI initiative to equip Hansken with a CASE interface is an extremely welcome next step towards achieving broader application of this crucial standard’, according to Freek Bomhof of TNO.
Fighting cyber crime
CASE is involved with a variety of European initiatives aimed at taking a joint approach to fighting cybercrime, such as FORMOBILE, EXEC-II and INSPECTr. ‘The fact that there is now a shared language will streamline the exchange of forensic tools between different countries.’ CASE is vital to the ability to quickly apply scientific advancements in the day-to-day operations of fighting crime. The language also facilitates data mining and machine learning by providing a structured representation and processing digital traces.
Today, over 50 organisations from some 20 countries are taking part in CASE's development. Europol, Interpol, universities and businesses have all embraced the idea. The Linux Foundation intends to further develop the language within a project. ‘This step will make CASE self-sufficient and enable us to manage various aspects independently. Previously, we were always dependent on one of the partners, like the NFI, to organise something’, Van Beek says. He hopes that, in the year ahead, the number of CASE users will continue to grow and that – like Hansken – more and more forensic tools will begin supporting CASE. The project welcomes anyone who is interested in improving the possibilities for cyber-investigations.
Tech podcast NOS with Harm van Beek
Harm was also interviewed by the tech journalists of the NOS, the Dutch news organization. In their tech podcast, he indicates the relevance of CASE and enlightens the audience about the developments.