The Cyber-Investigation Analysis Standard Expression Transitions to Linux Foundation
The Linux Foundation | 07 December 2021
SAN FRANCISCO, Calif., December 7, 2021— The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced the Cyber-investigation Analysis Standard Expression (CASE) is becoming a community project as part of the Cyber Domain Ontology (CDO) project under the Linux Foundation. CASE is an ontology-based specification that supports automated combination and intelligent analysis of cyber-investigation information. CASE concentrates on advancing interoperability and analytics across a broad range of cyber-investigation domains, including digital forensics and incident response (DFIR).
“Becoming part of the Linux Foundation is a major milestone for CASE that will significantly benefit the broader open source and cyber-investigation communities,” said Eoghan Casey, Presiding Director of CASE. “As an evolving standard supporting structured expression and exchange of cyber-investigation information, CASE will substantially enhance efforts to address growing challenges in the modern world, including cyberattacks, ransomware, online fraud, sexual exploitation, and terrorism. Our objective is to create a culture of common comprehension and collaborative problem solving across cyber-investigation domains.”
Organizations involved in joint operations or intrusion investigations can efficiently and consistently exchange information in standard format with CASE, breaking down data silos and increasing visibility across all information sources. Tools that support CASE facilitate correlation of differing data sources and exploration of investigative questions, giving analysts a more comprehensive and cohesive view of available information, opening new opportunities for searching, pivoting, contextual analysis, pattern recognition, machine learning and visualization.
Development of CASE began in 2014 as a collaboration between the DoD Cyber Crime Center (DC3) and MITRE, led by Dr. Eoghan Casey and Sean Barnum, involving the National Institute of Standards and Technology (NIST). In response to international interest, this initiative became an open source evolving standard, with hundreds of participants in industry, government and academia around the globe.
Early contributors include the Netherlands Forensic Institute (NFI), the Italian Institute of Legal Informatics and Judicial Systems (IGSG-CNR), FireEye, and University of Lausanne. CASE governance and community coordination were formalized with support of Harm van Beek, Rich Brown, Ryan Griffith, Cory Hall, Christopher Hargreaves, Jessica Hyde, Deborah Nichols, and Martin Westman. Growing international involvement is tracked on the CASE website: https://caseontology.org/community/members.html
The Technical Director is Alex Nelson, and the Ontology Committee is led by Paul Brandt. The Adoption Committee brings together developers from diverse backgrounds to share experiences and battle test ontologies. The success of these efforts depends on members of the community actively contributing to CASE development and implementation. The project welcomes anyone interested in elevating cyber-investigation capabilities to strengthen evidence-based decision making in any context, including court, boardroom, and battlefield.
CASE, built on the Hansken trace model developed and implemented by the NFI, aligns with and extends the Unified Cyber Ontology (UCO). This year has seen the release of UCO 0.7.0, and most recently CASE 0.5.0. CASE and UCO now both are built on SHACL constraints, providing an instance data validation capability. Currently, CASE is developing a representation for Inferences, both human formulated and computer generated, to bind investigative conclusions to supporting evidence and associated chain of custody.
The CASE community has multiple collaborative repositories and activities, including translators for common digital forensic tool outputs as well as mapping CASE to the W3C provenance ontology (PROV-O). CASE uses the Apache-2.0 license.
Organizations and individuals interested in contributing to CASE can go to https://caseontology.org/
“The news that CASE will be transitioning to The Linux Foundation is an exciting move for the Digital Forensics, Incident Response, and Cyber Security communities,” said Jessica Hyde, founder of Hexordia. “One of the special things about CASE is that it has been developed to specifically support cyber investigations by those who understand the domain from a variety of sectors including academia, law enforcement, government, non-profits, and commercial entities. This uniquely positions CASE to describe the provenance, metadata, and data recovered in a multitude of environments and allow different organizations and a variety of tools to look at data with the same definitions of what the data is describing. What an exciting day for uncovering truth in data and ensuring common definitions of data as it moves through the nexus of tools, organizations, and jurisdictions that need to work together in today’s cyber investigations.”
“The CASE transition to the Linux Foundation is remarkable news and encourages widespread use of this standard in a broad range of cyber-investigation domains to foster
interoperability, establish authenticity, and advance analysis,” said Fabrizio Turchi, senior
technologist at the IGSG-CNR, Italian National Research Council. “The European EXEC-II project includes a bespoke application for packaging evidence with metadata in CASE format for automated exchange, while maintaining provenance information to streamline cross-border cooperation among judicial authorities in the EU member states. In addition to searching for specific keywords or characteristics within a single case or across multiple cases, having a structured representation of cyber-investigation information allows more sophisticated processing such as data mining, machine learning and natural language processing techniques as in the European INSPECTr project and a shared intelligent platform for gathering, analysing and presenting key data to help predict, detect and manage crime in support of multiple law enforcement agencies.”
“The MITRE Corporation is proud to see the continued growth and acceptance of the Cyber-investigation Analysis Standard Expression (CASE) open source project. MITRE is one of several organizations that helped create CASE and bring together the initial community of contributors,” said Cory Hall, principal cybersecurity engineer at MITRE. “With the transition of CASE to the Linux Foundation we see a bright future for the effort as the community advances this project to benefit digital investigators everywhere. The MITRE Corporation expects to continue contributing to this effort for years to come.”
“As a long-term member of the CASE open source project, MSAB looks forward to the new possibilities that Linux Foundation will provide for CASE as the de facto standard for adoption by digital forensic tools. MSAB is preparing to implement CASE on our XRY and XAMN solutions to enable our products to seamlessly interact with tools from other vendors, academia, nonprofit organizations, and enthusiasts alike. With the common data exchange platform that CASE provides, our industry can process greater volumes of data faster, more accurately and with greater interoperability than ever before. We are committed to continuing to develop CASE under the Linux Foundation and are excited for the future of the project,” said Martin Westman, exploit research manager, MSAB.
Netherlands Forensic Institute
“CASE is the solid foundation for interconnecting digital forensic tools and combining their results to come to new insights. This is paramount not only for the NFI, but for the entire community to quickly apply science to day-to-day operations to fight crime,” said Harm van Beek, senior digital forensic scientist at the Netherlands Forensic Institute (NFI). “We support CASE and the digital forensic community by implementing and extending the standard in Hansken, our open digital forensic platform.”
About the Linux Foundation
Founded in 2000, the Linux Foundation and its projects are supported by more than 1,800 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, Hyperledger, RISC-V, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.
The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.
About The Linux Foundation
Founded in 2000, the Linux Foundation is supported by more than 1,000 members and is the world’s leading home for collaboration on open source software, open standards, open data, and open hardware. Linux Foundation’s projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, and more. The Linux Foundation’s methodology focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org. The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.