Authors: Vik Harichandran (MITRE), Cory Hall (MITRE), Andrew Sovern, Deborah Nichols, Navaneeth Subramanian, Trevor Bobka



As the cybersecurity domain has grown, the volume and variety of information that needs to be shared have increased. There is now a greater need to validate, normalize, combine, and correlate investigative data between different countries, domains, organizations, teams, individuals, classification levels, and tools; the status quo is insufficient.
CASE is an international, open-source, community-developed ontology/specification language that aims to close this gap in the most inclusive manner possible [1]. Members of the community come from academia, the private sector, and law enforcement/government. Work on what eventually became CASE began in 2015, and the project now involves over two dozen public organizations [2, 3]. CASE is designed to work alongside other preexisting (e.g. private) ontologies/schemas. CASE attempts to bring domains together, including incident response, counter-terrorism, criminal justice, forensics, intelligence, and situational awareness. This will enable better workflow efficiencies in laboratories, cross-correlation between investigations under different jurisdictions (potentially on the same malicious actors), and a more aware view of criminal patterns. Expanding awareness is essential to pushing forward a standard such as this. Thus, we propose to do at least a poster for DFRWS USA.
Workshops have been conducted at DFRWS EU and at MITRE, but not at this venue. During 2019 the community, now with a centralized GitHub, increasingly documented bylaws, and a governance committee, plans to finalize version 1.0. It would be extremely useful to have the greater western community's feedback on the supporting tools, the ontology structure, and the CASE team's plans in order to reach this goal effectively. Thus we would also like to propose a brief demo to spark a discussion, which can be included within the demonstration slot or the one-on-one, after attendees are given a brief tutorial on how to understand the ontology's mapping and integration. Both E.U. and U.S. governments have begun discussing a mandate for widespread adoption, which is another reason it is pertinent to get any major flaws ironed out this year.

1. Casey, E., Barnum, S., et al. "Advancing coordinated cyber-investigations and tool interoperability using a community developed specification language." Digital Investigation 22 (2017): 14-45.

2. Harichandran, V., Walnycky, D., et al. "CuFA: A more formal definition for digital forensic artifacts." Digital Investigation 18 (2016): S125-S137.

3. CASE official website.