Continuous Work over the Electronic Evidence Exchange Platform: Main Features and Integration with Already Existing Systems

To promote the CybOX/DFAX standard formalism for representing the data and metadata involved in the Electronic Evidence Exchange process, the Plaso tool, which is very well known in the forensics community, was chosen, and two repositories were created on GitHub under the CNR-ITTIG organization account:

  • plaso;
  • plaso2dfax.

The first one is a fork of Plaso with a DFAX extension that lets psort directly produce a DFAX/CybOX XML document as output, starting from a proto buffer as input. This solution was not considered the best one because the output contains a lot of noise. On the basis of an academic case, an alternative solution was proposed: starting from the l2tcsv output produced by psort, the analyst needs to select a specific set of rows that are significant for the investigation, and it is not always possible to extract or isolate them with the filters that psort provides.

Work is therefore under way on a tool designed around the needs of the forensic analyst, to some extent an analyst-centred application, whose aim is to let the analyst produce his/her analysis in the DFAX/CybOX language with the minimum effort (for the sake of the success of the formalism itself). This takes the form of an external tool (plaso2dfax) that takes as input the l2tcsv produced by psort and turns it into DFAX/CybOX.
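The three steps described above (parse psort's l2tcsv output, let the analyst select the rows that matter, serialise the selection as XML) as an added sketch; this is not the CNR-ITTIG plaso2dfax code. The sample timeline is constructed, and the XML element names are a simplified placeholder layout standing in for the DFAX/CybOX schema, which this page does not spell out.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Column order of the l2tcsv format written by psort (log2timeline's legacy CSV layout).
L2TCSV_FIELDS = ("date", "time", "timezone", "MACB", "source", "sourcetype", "type",
                 "user", "host", "short", "desc", "version", "filename", "inode",
                 "notes", "format", "extra")

# Constructed sample timeline with three events; not output from a real case.
SAMPLE_L2TCSV = """\
date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
03/14/2016,09:12:44,UTC,M...,FILE,NTFS $MFT,Content Modification Time,-,ws01,plan.docx,Modified,2,C:/Users/alice/Documents/plan.docx,4123,-,filestat,-
03/14/2016,09:13:02,UTC,..C.,WEBHIST,Chrome History,Last Visited Time,alice,ws01,intranet portal,Visit,2,C:/Users/alice/AppData/Local/Google/Chrome/User Data/Default/History,5550,-,sqlite/chrome_history,-
03/14/2016,09:15:31,UTC,.A..,FILE,NTFS $MFT,Last Access Time,-,ws01,cmd.exe,Accessed,2,C:/Windows/System32/cmd.exe,99,-,filestat,-
"""

def parse_l2tcsv(text):
    """Return the rows of an l2tcsv document as dicts; the header is checked, not trusted."""
    reader = csv.DictReader(io.StringIO(text))
    if tuple(reader.fieldnames) != L2TCSV_FIELDS:
        raise ValueError("not an l2tcsv header: %r" % (reader.fieldnames,))
    return list(reader)

def select_events(rows, keep):
    """Keep only the rows that the analyst's predicate marks as relevant to the investigation.
    The predicate is arbitrary Python, so it can combine columns in ways psort's filters cannot."""
    return [row for row in rows if keep(row)]

def build_analysis_tree(events, case_id):
    """Serialise the selected events as an XML tree (placeholder element names, not DFAX/CybOX)."""
    root = ET.Element("AnalysisReport", {"case": case_id, "source_format": "l2tcsv"})
    for row in events:
        timestamp = "%s %s %s" % (row["date"], row["time"], row["timezone"])
        ev = ET.SubElement(root, "Event", {"timestamp": timestamp, "macb": row["MACB"],
                                            "source": row["source"], "type": row["type"]})
        ET.SubElement(ev, "Artifact", {"filename": row["filename"], "inode": row["inode"]})
        ET.SubElement(ev, "Description").text = row["desc"]
    return root

def to_xml_string(events, case_id):
    """Render the tree as a unicode XML string ready to be written to a file."""
    return ET.tostring(build_analysis_tree(events, case_id), encoding="unicode")

if __name__ == "__main__":
    rows = parse_l2tcsv(SAMPLE_L2TCSV)
    # Analyst's selection: everything tied to the user "alice", which spans two different columns.
    alice = select_events(rows, lambda r: r["user"] == "alice" or "/Users/alice/" in r["filename"])
    print(to_xml_string(alice, "CASE-EXAMPLE-001"))
```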

Of course this means that, in the future, each forensic tool (e.g. X-Ways, Autopsy, etc.) will need its own tool or plugin to export its output into DFAX/CybOX, but this is a very good starting point.

The tool was presented as a live demo during the workshop within the Digital Forensics Research Work held in Lausanne in March 2016.