Digital Forensics Analysis Search String Support

This project is a continuation to award 2008-CE-CX-K001.
Most computer forensics analysis tools, such as EnCase, FTK, and X-Ways, allow the use of regular expressions (strings with special characters) to form powerful, effective search strings. Specifying regular expressions involves learning a language of meta characters that many law enforcement agents find difficult - particularly when trying to form effective strings that do not cause an overwhelming number of false positives or do not miss evidence. Furthermore, there are common search strings that are useful in general classes of investigations (e.g. common strings for drug, for money laundering, for child porn, etc. cases). Allowing the law enforcement community to share these strings so that they do not have to re-create them each time would increase the efficiency and effectiveness of their investigations. This project will continue to develop two main capabilities. First, it will continue to develop an automated regular expression generator for the primary computer forensics analysis tools that allows investigators to type in simple English keywords and choose options for common variations (e.g. surrounded by white space, plurals, non-case sensitive).

Second, it will continue to develop a common shared repository where investigators can lookup, search, and add regular expression search strings by
category. This continuation will allow completion of a robust, polished, tool for law enforcement.

ca/ncf