Purdue University cybersecurity experts have created FileTSAR, an all-in-one digital forensic investigations toolkit for law enforcement.
FileTSAR, which stands for Toolkit for Selective Analysis & Reconstruction of Files, combines open source tools and code wrappers to provide a tool for network forensic investigators to capture, selectively analyze, and reconstruct files from network traffic.
The toolkit collects data at the network packet level and allows investigators to reconstruct documents, images, email and VoIP sessions for large-scale computer networks.
“The current network forensic investigative tools have limited capabilities,” said Kathryn Seigfried-Spellar, assistant professor of computer and information technology, and lead of the research team.
“They cannot communicate with each other and their cost can be immense. This toolkit has everything criminal investigators will need to complete their work without having to rely on different network forensic tools.”
FileTSAR hashes each carved file so that investigators can later demonstrate that the reconstructed data has not been altered since it was extracted; that verifiable integrity is what supports the admissibility of the results as evidence in court proceedings.
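The two mechanisms described above, reassembling a file from captured packets and hashing the result so it can later be shown to be unaltered, as an added illustration that is not FileTSAR's own code. The segment format (relative TCP sequence number plus payload), the sample "PDF" bytes, the file name and the manifest layout are assumptions made for this example; retransmitted segments are dropped and a gap in the stream is reported rather than silently producing a damaged file.

```python
import hashlib
import json

# Constructed sample file (not a real capture): a minimal PDF-like byte string.
ORIGINAL = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog >> endobj\n"
    b"trailer << /Root 1 0 R >>\n"
    b"%%EOF\n"
)


def constructed_capture(data: bytes, chunk: int = 16) -> list[tuple[int, bytes]]:
    """Constructed sample input: split DATA into TCP-style segments
    (relative sequence number, payload), deliver them in reverse order and
    retransmit the second one, which is what a noisy capture looks like to
    a reassembler."""
    segs = [(off, data[off:off + chunk]) for off in range(0, len(data), chunk)]
    return segs[::-1] + [segs[1]]


def reassemble(segments: list[tuple[int, bytes]]) -> bytes:
    """Order segments by sequence number, drop retransmitted bytes and
    refuse to return a file with a hole in it (a forensic copy must not
    silently contain missing bytes)."""
    data = bytearray()
    expected = 0  # next byte offset we still need
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if seq + len(payload) <= expected:
            continue  # pure retransmission, nothing new
        if seq > expected:
            raise ValueError(f"gap in stream at offset {expected}, next segment at {seq}")
        data += payload[expected - seq:]  # trim any partial overlap
        expected = seq + len(payload)
    return bytes(data)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: dict) -> bytes:
    # Deterministic encoding so the manifest hash is reproducible elsewhere.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(carved: dict[str, bytes]) -> dict:
    """Record size and SHA-256 of every carved file at extraction time, plus a
    hash over the record itself so edits to the manifest are also detectable."""
    entries = {
        name: {"size": len(blob), "sha256": sha256_hex(blob)}
        for name, blob in sorted(carved.items())
    }
    return {"files": entries, "manifest_sha256": sha256_hex(_canonical(entries))}


def verify(carved: dict[str, bytes], manifest: dict) -> list[str]:
    """Recompute every hash; return a list of problems (empty means intact)."""
    problems = []
    for name, rec in manifest["files"].items():
        blob = carved.get(name)
        if blob is None:
            problems.append(f"{name}: missing")
        elif sha256_hex(blob) != rec["sha256"]:
            problems.append(f"{name}: hash mismatch")
    if sha256_hex(_canonical(manifest["files"])) != manifest["manifest_sha256"]:
        problems.append("manifest: record itself was altered")
    return problems


if __name__ == "__main__":
    carved = {"doc1.pdf": reassemble(constructed_capture(ORIGINAL))}
    manifest = build_manifest(carved)
    print(json.dumps(manifest, indent=2))
    print("intact:", verify(carved, manifest))
    tampered = {"doc1.pdf": carved["doc1.pdf"] + b" "}
    print("after tampering:", verify(tampered, manifest))
```

In a real workflow the manifest would be written alongside the carved files and the examiner would rerun the verification step before presenting the evidence; a non-empty result from `verify` means the copy can no longer be vouched for.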
One of the team’s goals was to create a tool that will be able to present digital evidence the way it looked in real time at the moment it was created or transmitted, to make it easier for prosecutors to show it and explain it, and for judges and juries to understand it.
Efficiency and availability
FileTSAR was developed in collaboration with law enforcement agencies from around the country, including the High Tech Crime Unit (HTCU) of Tippecanoe County, Indiana, and the project was funded by the US Department of Justice (i.e. the National Institute of Justice, its research and development agency).
“To validate the large-scale capabilities of the toolkit, we conducted a ‘stress test’ of the system using approximately 123,500,000 packets from a collection of packet capture files totaling nearly 100GB,” the researchers explained.
“Additionally, sixteen digital forensic examiners participated in a 3-day law enforcement training workshop for FileTSAR from across the United States; the examiners expressed substantial support for FileTSAR with large-scale investigations as well as an interest in a scaled-down version for smaller agencies with storage, budget, and back-end support limitations.”
The toolkit is available to US law enforcement agencies for free; training is available remotely (through online videos) or onsite at Purdue University.