Standardised aggregation of digital forensic data agreed across Europe

News by SC Staff

The CASE unified format for aggregating digital data from different forensic tools has been agreed at an event hosted by Europol's EC3 this week.

At a meeting hosted by Europol's European Cybercrime Centre (EC3) in The Hague this week, several of the EU's leading digital forensic experts joined together to call for adoption of the Cyber-investigation Analysis Standard Expression (CASE) as a standard digital forensic format.

Cyber-investigation Analysis Standard Expression (CASE) is intended to enable standardised aggregation of results from different digital forensic software tools used to extract, parse and analyse information on a hard drive or a mobile phone.  

In a press release, EC3's Forensic Lab explains that it was able to convince the vast majority of the market leaders to adopt this open-source data format for forensics, a move it describes as “a game changer in the specialised field of forensic analysis.”

CASE is a community-developed standard format, defined as a profile of the Unified Cyber Ontology (UCO). It is reported to leverage contextually relevant components of the UCO, extending, constraining or renaming them as appropriate. CASE is specified at a semantic level and supports various serialisations, its default serialisation being JSON-LD.

In its release EC3 confirms that the following organisations are currently looking into implementing the standard:

  • Access data
  • Cellebrite
  • Guidance software
  • I2 – IBM
  • Magnet forensic
  • Mercure
  • Mobile edit
  • Network miner
  • Nuix
  • Oxygen
  • Palantir
  • Volatility
  • XRY
  • Xways-forensics 
