Workshop: Forensic Procedures Under the Microscope — Improving Forensic Rigor with SOLVE-IT
Authors: Eoghan Casey, Christopher Daywalt, Chris Hargreaves
DFRWS USA 2025 — “History in the Making” — Jubilee 25th Anniversary
Abstract
In this workshop you will contribute to the development of SOLVE-IT, an open source knowledge base for and by the digital forensic community. SOLVE-IT describes and indexes the techniques available to digital forensic investigators during an examination. Uniquely, it also describes potential weaknesses at each stage of a digital forensic investigation, including weaknesses in digital forensic tools, together with mitigations for them. It also provides Python tooling to compile the contents of the knowledge base into different formats, making it useful for a number of different applications. One of the most interesting and immediate applications of SOLVE-IT is to avoid missed or unmitigated errors in digital forensic processes.
There are a number of ways that you can contribute to SOLVE-IT:
Adding or updating the content of techniques within the knowledge base
Adding or updating weaknesses of techniques within the knowledge base
Adding mitigations that can be put in place to address the impact of weaknesses
Developing systematic techniques to identify weaknesses in techniques
Linking relevant research in the references for a specific technique, weakness, or mitigation
Developing mechanisms to browse and extend the knowledge base
Learning Objectives
By the end of this workshop you will be able to:
Define and describe the SOLVE-IT Knowledge Base, and its potential use cases.
Understand the structure and data elements of SOLVE-IT.
Use the SOLVE-IT report generation scripts to produce spreadsheets and graphs of techniques and their associated weaknesses and mitigations.
Enable SOLVE-IT usage by AI applications via a Model Context Protocol (MCP) server.
Describe how SOLVE-IT can be programmatically integrated with your own custom applications.
Use SOLVE-IT to assess and improve examination procedures and protocols, both manually and automatically using AI-assisted evaluations.
Contribute to the SOLVE-IT project.
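The report generation, programmatic integration and procedure assessment objectives above can be illustrated with a small worked example. The following is an added example, not code from the SOLVE-IT project, and it does not use the project's real schema: the technique/weakness/mitigation data model, the identifier format (TX-, WX-, MX-), the sample entries and the function names are all assumptions made for illustration. It shows the three things a practitioner would want from such tooling: flattening the knowledge base into a spreadsheet-style table, rendering it as a graph, and checking an examination procedure for weaknesses that none of its applied mitigations address.

```python
"""Hypothetical, minimal technique/weakness/mitigation knowledge base, in the
spirit of SOLVE-IT. Added example: the schema, identifiers and sample data are
assumptions, not the project's real format or content."""
import csv
import io
from dataclasses import dataclass, field


@dataclass
class Mitigation:
    id: str
    name: str


@dataclass
class Weakness:
    id: str
    name: str
    mitigations: list = field(default_factory=list)


@dataclass
class Technique:
    id: str
    name: str
    weaknesses: list = field(default_factory=list)


# Constructed sample knowledge base (hypothetical entries, not from SOLVE-IT).
KB = [
    Technique("TX-01", "Disk imaging", [
        Weakness("WX-01", "Source media modified during acquisition",
                 [Mitigation("MX-01", "Use a hardware write blocker")]),
        Weakness("WX-02", "Image file corrupted after acquisition",
                 [Mitigation("MX-02", "Hash source and image and compare")]),
    ]),
    Technique("TX-02", "Keyword search", [
        # A weakness with no recorded mitigation: the gap the workshop wants found.
        Weakness("WX-03", "Encoded or compressed content not matched", []),
    ]),
]


def unmitigated_weaknesses(kb):
    """Return (technique_id, weakness_id) pairs with no mitigation recorded at all."""
    return [(t.id, w.id) for t in kb for w in t.weaknesses if not w.mitigations]


def to_csv(kb):
    """Flatten the KB to one row per technique/weakness/mitigation triple.
    Rows with an empty mitigation column mark unmitigated weaknesses."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["technique", "weakness", "mitigation"])
    for t in kb:
        if not t.weaknesses:
            writer.writerow([t.id, "", ""])
        for w in t.weaknesses:
            if not w.mitigations:
                writer.writerow([t.id, w.id, ""])
            for m in w.mitigations:
                writer.writerow([t.id, w.id, m.id])
    return buf.getvalue()


def to_dot(kb):
    """Emit a Graphviz DOT graph; weaknesses without mitigations are drawn red."""
    lines = ["digraph kb {"]
    for t in kb:
        lines.append(f'  "{t.id}" [shape=box label="{t.id}\\n{t.name}"];')
        for w in t.weaknesses:
            color = "black" if w.mitigations else "red"
            lines.append(f'  "{w.id}" [color={color} label="{w.id}\\n{w.name}"];')
            lines.append(f'  "{t.id}" -> "{w.id}";')
            for m in w.mitigations:
                lines.append(f'  "{m.id}" [shape=ellipse label="{m.id}\\n{m.name}"];')
                lines.append(f'  "{w.id}" -> "{m.id}";')
    lines.append("}")
    return "\n".join(lines)


def assess_procedure(kb, technique_ids, applied_mitigations):
    """Given an examination procedure (the techniques it uses and the mitigations
    it actually applies), return the weaknesses it remains exposed to: every
    weakness of a used technique for which none of the applied mitigations is
    a recorded mitigation."""
    exposed = []
    for t in kb:
        if t.id not in technique_ids:
            continue
        for w in t.weaknesses:
            if not any(m.id in applied_mitigations for m in w.mitigations):
                exposed.append((t.id, w.id))
    return exposed


if __name__ == "__main__":
    print(to_csv(KB))
    print(to_dot(KB))
    # A procedure that images the disk with a write blocker but never verifies
    # hashes, then runs a keyword search: two weaknesses remain unaddressed.
    print(assess_procedure(KB, {"TX-01", "TX-02"}, {"MX-01"}))
```

The DOT output can be rendered with `dot -Tsvg`, and the CSV opens directly in a spreadsheet. The distinction between `unmitigated_weaknesses` and `assess_procedure` is the important one: the first reports gaps in the knowledge base itself (a weakness nobody has proposed a mitigation for), the second reports gaps in a specific protocol (a known mitigation exists but the procedure does not apply it).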
Biographies
Eoghan Casey
Eoghan Casey is Field CTO at Salesforce, advancing technology solutions and business strategies to protect SaaS data. As Chief Scientist (ST) of the DoD Cyber Crime Center (DC3), he was responsible for innovation, enhancing capabilities, strategic collaborations, and advancing standards and practices related to DFIR and malware/CTI analysis. As a Professor of Digital Forensic Science and Investigation at the University of Lausanne, he has taught, conducted research, and provided expert services. He has extensive experience working on a wide range of digital investigations, and he has helped organizations investigate and recover from severe security breaches, including network intrusions with international scope. He has delivered expert testimony in civil and criminal matters in the United States, Canada, and international tribunals. He has contributed to the development of advanced capabilities for extracting and analyzing digital evidence, including SQLite Dissect and DC3 Advanced Carver (Patent no. 16/014067). He is on the Board of DFRWS.org and is cofounder of the Cyber-investigation Analysis Standard Expression (CASE).
Christopher Daywalt
Christopher Daywalt is not an AI. If he were, he’d probably be part of a Generative Adversarial Network trained through repeated, semi-supervised interaction with advanced threat actors. In actuality, he’s a freelance cybersecurity consultant with a career spanning over two decades, including an extended stint with the U.S. Department of Defense as well as work with a variety of other public and private sector organizations. His experience is roughly one third DFIR, one third teaching DFIR and one third other security operations functions.
He’s pushed the incident response rock up the hill enough times to know how Sisyphus feels, so these days he tries to focus on working with others to improve their own operational capabilities. His current projects include developing training, building automation, and generally helping SecOps teams to become more effective.
Chris Hargreaves
Chris Hargreaves is a lecturer in the Department of Computer Science at the University of Oxford, UK. He also runs a part-time digital forensics R&D consultancy, which he previously worked at full time before joining Oxford. Prior to this, he spent seven years as a lecturer at Cranfield University (Cranfield Forensic Institute), where he also acted as Course Director for the MSc in Digital Forensics. He holds a BSc in Computer Science from the University of Bristol, an MSc in Information Security and Computer Crime from the University of South Wales, and a PhD in Digital Forensics from Cranfield University. His doctoral research, completed in 2009, focused on “Assessing the Reliability of Digital Evidence from Live Investigations Involving Encryption.”