Digital forensics for large-scale networks
With a new collection of open-source tools and code wrappers, network forensic investigators can capture, selectively analyze and reconstruct files from network traffic. The all-in-one toolkit is free for law enforcement teams in the U.S.
To make it easier for criminal investigators to solve cases where evidence resides on large-scale computer networks, researchers at Purdue University have developed a toolkit that brings together the top open source investigative tools used by digital forensic law enforcement teams at the local, state, national and global levels.
Available to law enforcement for free, the Toolkit for Selective Analysis and Reconstruction of Files (FileTSAR) was funded by the National Institute of Justice to improve the way digital evidence is collected. With the open-source tools and code wrappers, network forensic investigators can capture, selectively analyze and reconstruct files from network traffic.
Law enforcement officials are often limited by tools that are expensive, limited in scope, quickly outdated and incompatible with each other – especially when it comes to investigations involving large networks – making it difficult to identify salient evidence from the vast amounts of network data.
“The current network forensic investigative tools have limited capabilities – they cannot communicate with each other and their cost can be immense,” said Kathryn Seigfried-Spellar, an assistant professor of computer and information technology in the Purdue Polytechnic Institute, who helped lead the research team.
FileTSAR captures data flows and allows investigators to selectively reconstruct multiple types of data, including documents, images, email, VoIP conversations and messaging for large-scale computer networks. It could be used to uncover any network traffic that may be relevant to a case, including insider trading or workplace harassment, Seigfried-Spellar said.
The toolkit also uses hashing for each file carved from a bulk data capture to maintain the integrity and provenance of the data throughout the analysis processes. This helps ensure the data and analysis can be admissible as evidence in court.
FileTSAR was stress-tested using approximately 123,500,000 packets from a collection of packet capture files totaling nearly 100GB, researchers said in an abstract of their work. Sixteen digital forensic examiners from across the U.S. who participated in a three-day law enforcement training workshop for FileTSAR "expressed substantial support for FileTSAR with large-scale investigations" and suggested a scaled-down version for agencies with storage, budget and back-end support limitations.
FileTSAR is available to any law enforcement office in the United States with online training conducted by the Purdue University Cyberforensics program.