Purdue University researchers combined open source tools and code wrappers to create FileTSAR (Toolkit for Selective Analysis and Reconstruction of Files) that will allow forensics investigators to capture and reconstruct files from network traffic. FileTSAR has been made available to US law enforcement agencies for free.

Zeljka Zorz filed this report on FileTSAR for Help Net Security:

The toolkit collects data at the network packet level and allows investigators to reconstruct documents, images, email and VoIP sessions for large-scale computer networks. “The current network forensic investigative tools have limited capabilities,” said Kathryn Seigfried-Spellar, assistant professor of computer and information technology, and lead of the research team. “They cannot communicate with each other and their cost can be immense. This toolkit has everything criminal investigators will need to complete their work without having to rely on different network forensic tools.”

FileTSAR uses hashing for each carved file to maintain the forensic integrity of the data, and this makes the results of the investigation admissible as evidence in court proceedings. One of the team’s goals was to create a tool that will be able to present digital evidence the way it looked in real time at the moment it was created or transmitted, to make it easier for prosecutors to show it and explain it, and for judges and juries to understand it.

FileTSAR was developed in collaboration with law enforcement agencies from around the country, including the High Tech Crime Unit (HTCU) of Tippecanoe County, Indiana, and the project was funded by the US Department of Justice (i.e. the National Institute of Justice, its research and development agency).
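To make concrete what "reconstructing files from network traffic" and "hashing each carved file" involve, here is an added example; it is not FileTSAR's code (the page does not describe the toolkit's internals) and it assumes its own signature table, sample capture and function names. It reassembles a TCP payload stream from constructed, out-of-order segments (with one retransmission), carves files by header/trailer signature, records a SHA-256 hash and stream offset for each carved file, and flags any file whose bytes span a reassembly gap so that missing data is never silently presented as evidence.

```python
"""Reassemble a TCP payload stream from captured segments, carve files by
signature, and record a SHA-256 hash for each carved file (added example)."""
import hashlib
from dataclasses import dataclass

# Minimal (header, trailer) signature table; constructed for this example.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def reassemble_stream(segments):
    """Order segments by sequence number, drop retransmitted bytes, and
    return (stream, gaps). A gap is (offset_in_stream, missing_bytes); the
    missing bytes are recorded, never padded with fabricated data."""
    stream = bytearray()
    gaps = []
    expected = None
    for seg in sorted(segments, key=lambda s: s.seq):
        if expected is None:
            expected = seg.seq
        if seg.seq > expected:                   # hole in the capture
            gaps.append((len(stream), seg.seq - expected))
            expected = seg.seq
        skip = expected - seg.seq                # bytes already seen (overlap)
        if skip >= len(seg.payload):
            continue                             # pure retransmission
        stream += seg.payload[skip:]
        expected = seg.seq + len(seg.payload)
    return bytes(stream), gaps


def carve_files(stream, gaps):
    """Scan for known headers, cut each file at its trailer, hash it, and
    mark it incomplete if a reassembly gap falls inside its byte range."""
    carved = []
    for kind, (header, trailer) in SIGNATURES.items():
        start = stream.find(header)
        while start != -1:
            end = stream.find(trailer, start + len(header))
            if end == -1:
                break                            # truncated file: not carved
            end += len(trailer)
            data = stream[start:end]
            carved.append({
                "type": kind,
                "offset": start,
                "length": len(data),
                "sha256": sha256_hex(data),
                "complete": not any(start < off < end for off, _ in gaps),
                "data": data,
            })
            start = stream.find(header, end)
    return sorted(carved, key=lambda f: f["offset"])


def verify(carved_file):
    """Recompute the hash; a mismatch means the bytes changed after carving."""
    return sha256_hex(carved_file["data"]) == carved_file["sha256"]


# Constructed capture: a fake "PNG" and a fake "PDF" (valid signatures only)
# sent back to back in one TCP flow, split into 8-byte segments.
FAKE_PNG = SIGNATURES["png"][0] + b"\x00\x00\x00\x0dIHDRdemo-image-data" + SIGNATURES["png"][1]
FAKE_PDF = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer\n%%EOF"
FLOW = FAKE_PNG + b"\r\n" + FAKE_PDF
BASE_SEQ = 1000


def sample_segments():
    chunks = [FLOW[i:i + 8] for i in range(0, len(FLOW), 8)]
    segs = [Segment(BASE_SEQ + 8 * i, c) for i, c in enumerate(chunks)]
    # Deliver the first three out of order and retransmit the first one.
    return [segs[2], segs[0], segs[1], segs[0]] + segs[3:]


if __name__ == "__main__":
    stream, gaps = reassemble_stream(sample_segments())
    for f in carve_files(stream, gaps):
        print(f["type"], f["offset"], f["length"], f["sha256"], f["complete"])
```

The manifest fields (type, offset, length, hash, completeness) are what an investigator would record alongside the capture so that a carved file presented later can be re-hashed and matched to the original capture.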