
At a meeting hosted by Europol's European Cybercrime Centre (EC3) in The Hague this week, several of the EU's leading digital forensic experts joined together to call for adoption of the Cyber-investigation Analysis Standard Expression (CASE) as a standard digital forensic format.

Cyber-investigation Analysis Standard Expression (CASE) is intended to enable standardised aggregation of results from different digital forensic software tools used to extract, parse and analyse information on a hard drive or a mobile phone.  

In a press release, EC3's Forensic Lab explains that it was able to convince the vast majority of the market leaders to adopt this open-source data format for forensics, a move it describes as “a game changer in the specialised field of forensic analysis.”

CASE is a community-developed standard format, defined as a profile of the Unified Cyber Ontology (UCO). It is reported to leverage contextually relevant components of the UCO, extending, constraining or renaming them as appropriate. CASE is specified at a semantic level and supports various serialisations, its default serialisation being JSON-LD.

In its release, EC3 confirms that the following organisations are currently looking into implementing the standard:

  • AccessData
  • Cellebrite
  • Guidance Software
  • I2 – IBM
  • Magnet Forensics
  • Mercure
  • MOBILedit
  • NetworkMiner
  • Nuix
  • Oxygen
  • Palantir
  • Volatility
  • XRY
  • X-Ways Forensics