Advancing Coordinated Cyber-investigations and Tool Interoperability using a Community Developed Specification Language.
Digital Investigation ( IF 2.860 ) Pub Date : 2017-08-26 , DOI: 10.1016/j.diin.2017.08.002
Eoghan Casey 1 , Sean Barnum 2 , Ryan Griffith 3 , Jonathan Snyder 3 , Harm van Beek 4 , Alex Nelson 5
Any investigation can have a digital dimension, often involving information from multiple data sources, organizations and jurisdictions. Existing approaches to representing and exchanging cyber-investigation information are inadequate, particularly when combining data sources from numerous organizations or dealing with large amounts of data from various tools. To conduct investigations effectively, there is a pressing need to harmonize how this information is represented and exchanged. This paper addresses this need for information exchange and tool interoperability with an open community-developed specification language called Cyber-investigation Analysis Standard Expression (CASE). To further promote a common structure, CASE aligns with and extends the Unified Cyber Ontology (UCO) construct, which provides a format for representing information in all cyber domains. This ontology abstracts objects and concepts that are not CASE-specific, so that they can be used across other cyber disciplines that may extend UCO. This work is a rational evolution of the Digital Forensic Analysis eXpression (DFAX) for representing digital forensic information and provenance. CASE is more flexible than DFAX and can be utilized in any context, including criminal, corporate and intelligence. CASE also builds on the Hansken data model developed and implemented by the Netherlands Forensic Institute (NFI). CASE enables the fusion of information from different organizations, data sources, and forensic tools to foster more comprehensive and cohesive analysis. This paper includes illustrative examples of how CASE can be implemented and used to capture information in a structured form to advance sharing, interoperability and analysis in cyber-investigations. In addition to capturing technical details and relationships between objects, CASE provides structure for representing and sharing details about how cyber-information was handled, transferred, processed, analyzed, and interpreted. 
CASE also supports data marking for sharing information at different levels of trust and classification, and for protecting sensitive and private information. Furthermore, CASE supports the sharing of knowledge related to cyber-investigations, including distinctive patterns of activity/behavior that are common across cases. This paper features a proof-of-concept Application Program Interface (API) to facilitate implementation of CASE in tools. Community members are encouraged to participate in the development and implementation of CASE and UCO.



Updated: 2017-08-26