A development in complex data interpretation is set to significantly speed up digital forensic investigations – by enhancing the presentation of evidence from a range of commonly used devices. Researchers at CCL-Forensics have developed an innovative application for presenting the data held in XML format – a common data storage format, found on a wide range of digital devices and platforms including PCs, phones and SatNavs…
Although XML is a text-based format, it’s not user-friendly in its raw format, meaning digital investigators often have to manually manipulate large amounts of data to locate evidence relevant to their enquiry. XML files can contain, for example, internet history, web searches, SatNav recent locations, social networking history – and more.
CCL-Forensics has developed “PIP” to eradicate this problem. PIP is a software tool which parses data from XML files using the XPath query language, and presents the investigator with results in a user-friendly, easy-to-interpret form. This saves a considerable amount of time, and means costs to investigators are kept to a minimum.
In addition, PIP natively supports Apple™’s property list (“plist”) file format, in both its XML and binary forms.
A regularly updated library of XPath queries is included within PIP, and CCL-Forensics is constantly researching opportunities for new additions to the library. For the advanced practitioner, however, PIP allows bespoke queries to be written for new data types which may be uncovered during the course of an investigation.
The team behind PIP also recognised the need for investigators to process a number of similar files simultaneously, and therefore developed a batch processing capability.
PIP was created in response to demand from Law Enforcement Agencies to streamline the presentation of evidence from the increasingly complex range of digital devices – for little additional cost to the taxpayer.
The final beta test is now underway, and practitioners wishing to be involved should register at www.ccl-forensics.com/pip.
Alex Caithness, the developer of PIP, says: “One of the biggest frustrations of any digital examiner is the fact that their tools extract data which they have to manually interpret to turn into a reportable format.
PIP is designed to eradicate this problem for XML and plist files.
These files are used in many different devices and applications – the iPhone to name just one. Investigators are seeing a great deal more of these devices, and without a tool like PIP, they may be spending time manually processing them.
This is doubly unfortunate, because they have already carried out the first step – by extracting the data. They just now need to interpret it. PIP does this effortlessly.”
PIP is a constantly evolving tool and the developers would welcome suggestions for future functionality. For more information, e-mail pip@ccl-forensics.com.