Description of original award (Fiscal Year 2016, $487,440)
Almost every criminal investigation involves some form of digital evidence, and thanks to the growth of technology, these cases often involve multiple digital devices. As a result, law enforcement relies on specialized digital forensic investigative tools to fully acquire, evaluate, process, and present the probative data in a forensically sound manner in order to meet the admissibility standards of the criminal justice system. However, the digital forensic tools that are currently available to law enforcement present significant challenges: limited scope, the need for multiple tools to complete an examination, incompatibility with other tools, obsolescence in the face of newer, ever-evolving technologies (e.g., mobile phones), large amounts of data (the big-data problem), and the financial burden of purchasing, certifying, and maintaining licenses for many of these digital forensic tools. These issues are especially prevalent in digital forensic investigations involving large-scale computer networks.
Our objective is to resolve these issues for law enforcement agencies through the creation of a unifying toolkit that will provide a platform for officers to retrieve the necessary data; maintain provenance of that data throughout the analysis processes; and preserve admissibility of the evidence. The main functions of this tool will be to capture data flows and provide a mechanism to selectively reconstruct multiple types of data, including documents, images, email, VoIP conversations, and messaging. Validity of this toolkit will be assessed by certified digital forensic examiners from the National White Collar Crime Center (NW3C) and the High Tech Crime Unit (Tippecanoe County, Indiana). This toolkit will address the current challenges, as detailed by Rand (2014), that digital forensic examiners face when investigating cases involving large-scale computer networks. Our toolkit, File TSAR, will be accessible to any law enforcement agency in the United States through the use of online training modules, as well as onsite trainings conducted through the Purdue University Cyberforensics program. We will also disseminate the scientific findings of this project to highly selective journals and conferences that target a broader audience.