Autopsy Support for CASE (the Cyber-investigation Analysis Standard Expression)
As the cybersecurity domain has grown, the amount of increasingly varied information needing to be shared has increased. There is now a greater need to validate, normalize, combine, and correlate investigative data between different countries, domains, organizations, teams, individuals, classification levels, and tools – the status quo is insufficient.
CASE is an international open-source and community-developed ontology/specification language that aims at covering this gap in the most inclusive manner possible. Work on what eventually became CASE began in 2015 and the project now involves over two dozen public organizations. Unlike prior domain-specific specifications like Structured Threat Information Expression (STIX) and Digital Forensics Analysis eXpression (DFAX), CASE attempts to bring domains together, including incident response, counter-terrorism, criminal justice, forensics, intelligence, and situational awareness. This will enable better workflow efficiencies in laboratories, cross-correlation between investigations under different jurisdictions, potentially on the same malicious actors, and a more aware view of criminal patterns.
The latest release of Autopsy by Basis Technology includes a CASE export for filesystem data. This is the first official implementation of CASE by a commercial company. A developer from Basis and a representative from MITRE will briefly talk to the future utility of CASE and demonstrate how to export to CASE’s JSON-LD format.About Vik Harichandran
Vik Harichandran is a Senior Cybersecurity Engineer at the MITRE Corporation. He has helped lead the CASE effort over the past 1.5 years and currently serves as the Adoption Committee Chair. CASE aims to formalize terminology within the cyber domain, facilitate sharing and automation, and allow for higher-level analysis and inference.About Eugene Livis
Eugene Livis is a Software Engineer at Basis Technology making contributions to Autopsy framework development, its internal modules, as well as customer interactions.