March 7, 2019
An all-in-one cyber toolkit for criminal investigations
New technology makes it easier to follow a criminal’s digital footprint
WEST LAFAYETTE, Ind. – Cybercriminals can run, but they cannot hide from their digital fingerprints.
Still, cybercrimes reached a six-year high in 2017, when more than 300,000 people in the United States fell victim to such crimes. Losses topped $1.2 billion.
Now, Purdue University cybersecurity experts have come up with an all-in-one toolkit to help detectives solve these crimes. Purdue has a reputation in this area – it is ranked among the top institutions for cybersecurity.
“The current network forensic investigative tools have limited capabilities – they cannot communicate with each other and their cost can be immense,” said Kathryn Seigfried-Spellar, an assistant professor of computer and information technology in the Purdue Polytechnic Institute, who helps lead the research team. “This toolkit has everything criminal investigators will need to complete their work without having to rely on different network forensic tools.”
The toolkit was presented in December 2018 during the IEEE International Conference on Big Data.
The Purdue team developed its Toolkit for Selective Analysis and Reconstruction of Files (FileTSAR) by collaborating with law enforcement agencies from around the country, including the High Tech Crime Unit of Tippecanoe County, Indiana. The HTCU is housed in Purdue’s Discovery Park.
FileTSAR is available free to law enforcement. The project was funded by the National Institute of Justice.
The Purdue toolkit brings together in one complete package the top open source investigative tools used by digital forensic law enforcement teams at the local, state, national and global levels.
“Our new toolkit allows investigators to retrieve network traffic, maintain its integrity throughout the investigation, and store the evidence for future use,” said Seunghee Lee, a graduate research assistant who has worked on the project from the beginning. “We have online videos available so law enforcement agents can learn the system remotely.”
FileTSAR captures data flows and provides a mechanism to selectively reconstruct multiple data types, including documents, images, email and VoIP sessions for large-scale computer networks. Seigfried-Spellar said the toolkit could be used to uncover any network traffic that may be relevant to a case, including employees who are sending out trade secrets or using their computers for workplace harassment.
“We aimed to create a tool that addressed the challenges faced by digital forensic examiners when investigating cases involving large-scale computer networks,” Seigfried-Spellar said.
The toolkit also uses hashing for each carved file to maintain the forensic integrity of the evidence, which helps it to hold up in court.
Their work aligns with Purdue's Giant Leaps celebration, celebrating the global advancements in artificial intelligence as part of Purdue’s 150th anniversary. This is one of the four themes of the yearlong celebration’s Ideas Festival, designed to showcase Purdue as an intellectual center solving real-world issues.
The team is working with the Purdue Research Foundation Office of Technology Commercialization to patent the innovation.
About Office of Technology Commercialization
The Office of Technology Commercialization operates one of the most comprehensive technology transfer programs among leading research universities in the U.S. Services provided by this office support the economic development initiatives of Purdue University and benefit the university's academic activities. The office is managed by the Purdue Research Foundation, which received the 2016 Innovation and Economic Prosperity Universities Award for Innovation from the Association of Public and Land-grant Universities. For more information about funding and investment opportunities in startups based on a Purdue innovation, contact the Purdue Foundry at email@example.com. For more information on licensing a Purdue innovation, contact the Office of Technology Commercialization at firstname.lastname@example.org. The Purdue Research Foundation is a private, nonprofit foundation created to advance the mission of Purdue University.
Seunghee Lee, email@example.com
File Toolkit for Selective Analysis and Reconstruction (FileTSAR) for Large-Scale Networks
Kathryn Seigfried-Spellar, Seunghee Lee, Siddarth Chowdhury, Niveah Abraham, John Springer, Baijian Yang, Marcus Roger and Raymond A. Hansen
There are many challenges in digital forensic investigations involving large-scale computer networks; these include large volume of data, the limited scope of tools, the ﬁnancial burdens of purchasing and licensing those tools, and identifying salient evidence from the vast amounts of network data. We have implemented a collection of open-source tools and code wrappers to provide a tool for network forensic investigators to capture, selectively analyze, and reconstruct ﬁles from network trafﬁc. The main functions of this tool (FileTSAR) are capturing data ﬂows and providing a mechanism to selectively reconstruct documents, images, email, and VoIP conversations. To validate the large-scale capabilities of the toolkit, we conducted a “stress test” of the system using approximately 123,500,000 packets from a collection of packet capture ﬁles totaling nearly 100GB. Additionally, sixteen (16) digital forensic examiners participated in a 3-day law enforcement training workshop for FileTSAR from across the United States; the examiners expressed substantial support for FileTSAR with large-scale investigations as well as an interest in a scaled-down version for smaller agencies with storage, budget, and back-end support limitations.