Digital Forensics Analysis Search String Support

Most computer forensics analysis tools, such as EnCase, FTK, and ILook, allow the use of
regular expressions (strings with special characters) to form powerful, effective search strings. Specifying regular expressions involves learning a language of meta characters that many law enforcement agents find difficult - particularly when trying to form effective strings that do not
cause an overwhelming number of false positives, or do not miss evidence. Furthermore, there are common search strings that are useful in general classes of investigations (e.g. common strings for drug, for money laundering, for child porn, etc. investigations). Allowing the law
enforcement community to share these strings so that they do not have to re-invent them each time would increase the efficiency and effectiveness of their investigations.

This project will develop two main capabilities. First, it will develop an automated regular expression generator for the primary computer forensics analysis tools (EnCase, FTK, ILook) that allows investigators to type in simple English keywords and choose options for common
variations (e.g. surrounded by white space, plurals, non-case sensitive). This project's software will generate the search strings for the investigator, allow them to test correctness and effectiveness of the string, and allow them to export the string for use in their analysis tool. Second, it will develop a common, shared repository where investigators can lookup, search, and
add regular expression search strings by category. Both the search string generation and repository capabilities will be embodied in a web site hosted at the University of Rhode Island's Digital Forensics Center, but constructed in a way so that it can be moved to a Department of Justice site when/if appropriate.

ca/ncf