NFI co-creates international digital forensics knowledge base

The Netherlands Forensic Institute (NFI), in partnership with the University of Oxford and the University of Lausanne, has developed a framework for an international digital forensics knowledge base. Harm van Beek, a Senior Digital Forensic Scientist at the NFI, helped design the knowledge base: “Right now, there is no central repository for assembling knowledge on digital forensic investigation procedures. This knowledge base will systematically record the various stages of the forensic digital process in a cohesive manner. It will equip digital forensic investigators with improved knowledge and awareness of developments in the rapidly evolving field of digital forensics.”

Hard drive in front of a computer screen displaying data

The knowledge base is named SOLVE-IT: Systematic Objective-based Listing of Various Established (Digital) Investigation Techniques. Besides outlining the steps in the process, it will also record the techniques that can be employed, their weaknesses and the potential methods to mitigate them, and provide links to more information. The knowledge base was officially launched earlier this month at in the Czech Republic and was published in the international journal ‘Forensic Science International: Digital Investigation’. The digital forensics investigation community responded enthusiastically to this initiative, Van Beek says: “There is a significant need for a central repository. The DFRWS community is supporting this development, just as they did with the universal cyber language CASE.”

Objectives

SOLVE-IT is not merely a database with a collection of tools; it also explains each step involved in the digital forensics process. At the forefront of the knowledge base are the objectives to be achieved. “Examples of objectives include accessing a device, device data acquisition, determining who sent and received an email (and potentially what is in the email), securing information and assistance in prioritising the steps to be taken,” Van Beek explains. “For example, the subsection ‘acquire’ describes how to extract data from storage media such as USB sticks. One technique you can use is to make a complete copy. A weakness is that the process of connecting the USB stick to a computer can change original data, which is exactly what you don’t want. This weakness can be mitigated by using a specially designed write blocker.”

Source of inspiration

It is intended that the global digital forensics community will continue building the SOLVE-IT framework. “Collectively, we can keep pace with advancements,” says Van Beek. The knowledge base was inspired by the MITRE ATT&CK cybersecurity resource, fuelled by its success and broad applications in an area which focuses on the security of organisational systems. MITRE ATT&CK details the types of attacks that can occur, such as DDoS attacks, phishing and malware insertion. It also explains what can be done to prevent attacks and how to recognise them, what the impact could be, which attack detection and response methods can be employed and how to obtain evidence against any perpetrators. Like MITRE ATT&CK, SOLVE-IT is an international open source knowledge base and it is intended to be used and maintained by the international community. “We have begun the process of adding content to the knowledge base,” says Van Beek. “We have brought together information already collected by others. But it needs to be expanded further. Against the background of DFRWS community support for this project, we will be actively engaging with additional parties, as funding is essential to further develop the knowledge base and make it more accessible.”

Overview of SOLVE-IT

Central knowledge sharing essential

Van Beek believed it was the right moment for a digital forensics knowledge database like MITRE ATT&CK in the cybersecurity area. “It is impossible for digital experts to be aware of all the possibilities, procedures and risks. Until now, there was no resource to consult. That is set to change with the introduction of SOLVE-IT, a knowledge base where information and insights are centrally collected and maintained.” In addition, digital forensic investigators are increasingly being asked to explain what they have done and how. “We need to explain clearly what we do, why we do it and the steps we take. Simply stating that results were obtained using tool X is often insufficient. It is important to explain how that tool was used and how reliable the results of the investigation are. This is crucial because the consequences can be severe for those involved in a criminal case.” 

Improving the quality of digital forensics

Besides helping digital forensic investigators in their work and raising awareness among them of potential risks, the knowledge base can also help organisations effectively structure digital forensic processes. “In the case of physical forensic processes such as forensic autopsies or DNA analysis, everyone is alert to potential weaknesses. Quality is a crucial aspect of our work. In the digital field, this is well understood, but the major difference is that the objects of our investigations are constantly changing. This knowledge base will help us stay on top of all the developments and information in the field of digital forensics,” says Van Beek. “The knowledge base describes all the stages of the forensic digital process, along with the potential risks where errors can occur. The knowledge base can be used to improve the quality of digital forensic processes in labs around the world.” Van Beek is happy to see lawyers using the framework in the future. “Even if we don’t document the weaknesses, they are embedded in a process. It is important to be transparent about what we do, why we do it and our efforts to minimise any weaknesses or knowingly accept risks. It makes investigators alert and helps prevent errors.”

Tool for AI

Finally, the knowledge base can also identify gaps in knowledge and highlight areas requiring additional research or investigation. “This is valuable for scientific researchers at forensic institutes, universities and in business.” Besides the knowledge base, there is already a tool that indicates whether AI is being utilised in a process. “It reveals potential future applications of AI, for example, in areas that are not yet well understood. Consequently, this tool also assists in highlighting where additional research or investigation might be needed.”

-------------------------------------------------

SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT&CK, Forensic Science International: Digital Investigation, Volume 52, Supplement, 2025, 301864, ISSN 2666-2817, https://doi.org/10.1016/j.fsidi.2025.301864.