U.S. flag

An official website of the United States government, Department of Justice.

NCJRS Virtual Library

The Virtual Library houses over 235,000 criminal justice resources, including all known OJP works.
Click here to search the NCJRS Virtual Library

Verification Report, Toolkit for Selective Analyses & Reconstruction of Files (FileTSAR)

NCJ Number
306446
Author(s)
R. O’Leary; M.N. Parsons; M. Planty; J. Ropero-Miller
Date Published
July 2022
Length
6 pages
Annotation

This report provides a verification assessment of Purdue University’s Toolkit for Selective Analysis and Reconstruction of Files (FileTSAR), for the acquisition and analysis of data from enterprise-scale networks for forensic investigations.

Abstract

This verification assessment report discusses the evaluation of the Toolkit for Selective Analysis and Reconstruction of Files (FileTSAR), which captures data flows and provides a mechanism to selectively reconstruct multiple data types, including documents, images, email, and Voice over Internet Protocol (VoIP) sessions, for large-scale computer networks. The verification effort assessed the system’s capabilities as described in the FileTSAR Final Summary Overview and the feasibility of the tool for law enforcement agency adoption and use, as well as any notable performance or conceptual gaps that may influence the implementation of this tool. The report describes the testing methodology, including server unit and laptop unit specifications; FileTSAR components, which require Linux Ubuntu 16.04 (64-bit) operating systems); test results; and authors’ conclusions. The authors note that due to the complicated design and configuration of FileTSAR and the lack of access to either the Purdue FileTSAR environment or copies of the FileTSAR virtual machines (VMs), testers were unable to complete installation and testing of FileTSAR operation or functionality and, as a result, could not confirm that the toolkit performs as reported; additionally, the data captured by FileTSAR are captured in motion, the collections could not be replicated to confirm the forensic soundness, and the process could not be conclusively determined to be consistent. The authors state that the collection of data in motion by government and/or law enforcement agencies is an intercept, and therefore is subject to court authorization before collection or capture. The authors conclude that FileTSAR does not meet the requirements of the National Institute of Justice solicitation, and that in its current state, FileTSAR is not a deliverable that should be released for use by the criminal justice community.