An official website of the United States government, Department of Justice.

FileTSAR+ An Elastic Network Forensic Toolkit for Law Enforcement

Award Information

Award #
Funding Category: Competitive Discretionary
Congressional District
Funding First Awarded
Total funding (to date)

Description of original award (Fiscal Year 2020, $400,973)

While there are several well-known and reputable commercial products for capturing and analyzing evidence that originates from computers, there are too few complete tools of the same caliber for network forensics. In addition, the rapid rise in technology has led to data overflow and the Big Data problem. In response to this problem, the National Institute of Justice requested proposals through the “Developing Improved Means to Collect Digital Evidence” program (NIJ-2016-8976) to develop innovative tools to “Process large-scale computer networks for digital evidence in a forensically sound manner that preserves the probative value of the evidence that the computer network may contain.” This research team was awarded a grant to develop the Toolkit for Selective Analysis and Reconstruction of Files (File TSAR) for the analysis and reconstruction of files from large-scale computer networks (more than 5,000 computers).

The success of File TSAR attracted law enforcement agencies of different sizes from around the world. Many are eager to deploy the toolkit in their own IT infrastructure. However, the original goal of File TSAR was to capture network traffic and restore digital evidence, in its original file format, in large enterprise network settings. As such, File TSAR requires high-performance storage units and assumes that high-performance servers or workstations are available on premises within the law enforcement agency in which it is deployed.

Therefore, in order to serve law enforcement agencies of all sizes, we propose the creation of File TSAR+ as a complement to File TSAR. This elastic version of File TSAR will benefit state and local law enforcement agencies that have storage, budget, and back-end support limitations. The validity of File TSAR+ will be assessed by certified digital forensic examiners from the National White Collar Crime Center (NW3C) and the Tippecanoe High Tech Crime Unit. In addition, the Science Gateway Community Institute (SGCI) funded by the National Science Foundation will provide free consultation for the user experience interface of File TSAR+.

File TSAR+ will operationally impact law enforcement by allowing smaller agencies to more effectively investigate cases that involve digital evidence from networks. We will create meaningful deliverables, including online training modules and scholarly products, to help disseminate File TSAR+ for free to any law enforcement agency worldwide.

Note: This project contains a research and/or development component, as defined in applicable law, and complies with Part 200 Uniform Requirements - 2 CFR 200.210(a)(14). CA/NCF

Date Created: October 22, 2020