NFI designs international knowledge base on digital forensics

The Netherlands Forensic Institute (NFI), together with the universities of Oxford and Lausanne, has developed a framework for an international knowledge base for digital forensics.

Netherlands Forensic Institute 2 May 2025

News/press release

Harm van Beek of the NFI contributed to the design of the knowledge base: "Currently there is no central place to gather knowledge on how to conduct digital forensic investigations. In the knowledge base, the various steps in the forensic digital process are recorded in an unambiguous and structured manner. The knowledge base will soon give digital forensic investigators a better grip on knowledge and developments in the constantly renewing world of digital forensic techniques."

The knowledge base is called SOLVE-IT, which stands for Systematic Objective-based Listing of Various Established (Digital) Investigation Techniques. In addition to the steps in the process, it records what techniques you can use, what the vulnerabilities are, what you can do to mitigate them, and links to resources that offer more information.

The knowledge base was presented this month at the Digital Forensics Research Conference Europe (DFRWS EU 2025) in the Czech Republic and published in the international journal 'Forensic Science International: Digital Investigation'. The digital forensics community responded enthusiastically, says Van Beek: "The need for a central place is great. The development is supported by the DFRWS community. They did the same earlier with the universal cyber language CASE."

Goals

SOLVE-IT is not merely a database of tools; it describes all the steps to be taken in the digital forensics process. At the top of the knowledge base are the goals (objectives) you want to achieve. "Examples of objectives are getting access to a device, getting data out of a device, making emails insightful, making sure information doesn't disappear, and helping prioritize the steps to take," Van Beek explains.

"For example, under block 'acquire,' it describes how to extract data from data carriers such as a USB flash drive. One technique you can use is to make a one-to-one copy. One vulnerability is, that by connecting the USB stick to a computer, the data on the USB stick is modified, which is exactly what you do not want. To prevent that vulnerability, you can use a device specifically designed for that purpose, called a write-blocker."

Improve quality digital forensics

Besides helping digital forensic examiners get started and making them aware of potential risks, the knowledge base can also help organizations set up digital forensic processes properly. "In physical forensic processes such as a forensic autopsy or in DNA testing, everyone is alert to potential vulnerabilities. Quality is an important part of the work. In the digital field, everyone knows that too, but the big difference is that the things we investigate are constantly changing. This knowledge base helps us get a grip on all the developments and knowledge there is about digital forensics," says Van Beek.

"The knowledge base describes all the steps in the digital forensic process, as well as the risks where things can go wrong. You can use the knowledge base to improve the quality of digital forensic processes in all labs worldwide."

That lawyers will soon be able to use the framework is fine, according to Van Beek: "Even if we don't write down the vulnerabilities, they are in a process. It is important to be transparent about what we do, why we do it and what we do to minimize any vulnerabilities or consciously accept the risks. It makes researchers alert and actually prevents mistakes."

Read the full article on the website of the NFI.
