U.S. flag

An official website of the United States government, Department of Justice.

FileTSAR Final Report

NCJ Number
254635
Date Published
Agencies
NIJ-Sponsored
Grant Number(s)
2016-MU-MU-K091
Annotation
This is the final Summary Overview of the methodology and outcomes of a project with the goal of creating for law enforcement agencies a unifying toolkit known as FileTSAR (Toolkit for Selective Acquisition and Reconstruction of Files).
Abstract
In the implementation, the acquisition and analysis of data from the network were divided into the following processes: 1) packet capture (recording the packet traffic on a network); 2) protocol parsing (parsing out the various network protocols and fields; 3) search and analysis; and 4) visualization. The architecture was divided according to function, with a storage repository included. The collector module captures network traffic and saves the traffic to the Storage implementation The only interconnections to the large-scale network required for FileTSAR are via the Collector. The engine is built by using open source tools and custom code wrappers. This makes it compatible with existing incident response system and provides a standardized interface into other modules in FileTSAR. Although the tools focus on conducting live captures during active investigations, an additional set of functions designed into the toolkit can ingest previously captured data (PCAPs) from other systems already present in the enterprise network. This enables the ingestion of a previously captured image from the intrusion detection/prevention system, firewall, incident response system, and logs. Based on the feedback and suggestions provided, the examiners were satisfied with the core functions of FileTSAR, such as analyzing network data via the Visualizer and the reconstruction of files, email, and voice over IP sessions. The survey results showed support for how the volume of data was handled, as well as the level of granularity that could be attained in the data provided. 3 figures and a dissemination journal article entitled, File Toolkit for Selective Analysis & Reconstruction (FileTSAR) for Large-Scale Networks
Date Created: April 20, 2020