Verification Report, Toolkit for Selective Analyses & Reconstruction of Files (FileTSAR)

This verification assessment report discusses the evaluation of the Toolkit for Selective Analysis and Reconstruction of Files (FileTSAR), which captures data flows and provides a mechanism to selectively reconstruct multiple data types, including documents, images, email, and Voice over Internet Protocol (VoIP) sessions, for large-scale computer networks. The verification effort assessed the system’s capabilities as described in the FileTSAR Final Summary Overview and the feasibility of the tool for law enforcement agency adoption and use, as well as any notable performance or conceptual gaps that may influence the implementation of this tool. The report describes the testing methodology, including server unit and laptop unit specifications; FileTSAR components, which require Linux Ubuntu 16.04 (64-bit) operating systems); test results; and authors’ conclusions. The authors note that due to the complicated design and configuration of FileTSAR and the lack of access to either the Purdue FileTSAR environment or copies of the FileTSAR virtual machines (VMs), testers were unable to complete installation and testing of FileTSAR operation or functionality and, as a result, could not confirm that the toolkit performs as reported; additionally, the data captured by FileTSAR are captured in motion, the collections could not be replicated to confirm the forensic soundness, and the process could not be conclusively determined to be consistent. The authors state that the collection of data in motion by government and/or law enforcement agencies is an intercept, and therefore is subject to court authorization before collection or capture. The authors conclude that FileTSAR does not meet the requirements of the National Institute of Justice solicitation, and that in its current state, FileTSAR is not a deliverable that should be released for use by the criminal justice community.