The Linux Foundation has announced that the Cyber-investigation Analysis Standard Expression (CASE) is becoming a community project as part of the Cyber Domain Ontology (CDO) project under the Linux Foundation. CASE is an ontology-based specification that supports automated combination and intelligent analysis of cyber-investigation information. CASE concentrates on advancing interoperability and analytics across a broad range of cyber-investigation domains, including digital forensics and incident response (DFIR).
Organizations involved in joint operations or intrusion investigations can efficiently and consistently exchange information in standard format with CASE, breaking down data silos and increasing visibility across all information sources. Tools that support CASE facilitate correlation of differing data sources and exploration of investigative questions, giving analysts a more comprehensive and cohesive view of available information, opening new opportunities for searching, pivoting, contextual analysis, pattern recognition, machine learning and visualization.
CASE, built on the Hansken trace model developed and implemented by the NFI, aligns with and extends the Unified Cyber Ontology (UCO). This year has seen the release of UCO 0.7.0, and most recently CASE 0.5.0. CASE and UCO now both are built on SHACL constraints, providing an instance data validation capability. Currently, CASE is developing a representation for Inferences, both human formulated and computer generated, to bind investigative conclusions to supporting evidence and associated chain of custody.
The CASE community has multiple collaborative repositories and activities, including translators for common digital forensic tool outputs as well as mapping CASE to the W3C provenance ontology (PROV-O). CASE uses the Apache-2.0 license.