Technical Solutions Development (TSD)
As DC3’s technical solutions component, TSD supports DC3 Mission Areas, as well as the DoD Intelligence and Law Enforcement communities.
TSD Overview

Technical Solutions Development (TSD) tailors innovative software and system solutions engineered to the specific requirements of digital forensic examiners and cyber intrusion analysts. TSD validates digital forensic tools from the Commercial off-the-shelf, Government off-the-shelf, and open source domains to ensure relevancy and reproducibility as to expected use in coordination with our cooperative partnerships:

• Leads the way through proactively identifying, researching, and evaluating relevant new technologies, techniques and tools

• Actively participates in the development of industry standards including the Structured Threat Information eXpression (STIX) and Cyber-investigation Analysis Standard Expression (CASE)

• Shares in-house developed tools with federal, state and local law enforcement partners

• Maintains the Counterintelligence Tool Repository (CITR), a warehouse of classified and unclassified tools that support digital forensics and counterintelligence needs
 

  
Technical Objectives

  • Proactively identify, research and evaluate relevant new technologies, techniques and tools
  • Design and develop digital forensic, analytic and enterprise workflow tools
  • Test DC3-developed software to ensure required performance and reliability 
  • ​​Validate digital forensic tools to ensure relevancy and reproducibility as to expected use
Tools & Validations

 

DC3 offers a number of open source and CUI tools and validations. 
Open source tools are available on GitHub and SourceForge.

CUI tools and validations for U.S. DoD and Federal law enforcement and counterintelligence (LE/CI) can be obtained by authorized personnel with a CAC or PIV through the DC3 Customer Portal.
All others should contact: dc3.tsd@us.af.mil.

 

Contact Us
CITR

 

The Counterintelligence Tool Repository (CITR) is a warehouse of classified and unclassified tools that support digital forensics and counterintelligence needs. Whenever possible, the actual tool is provided through the repository portal in the form of a downloadable executable. When a downloadable executable cannot be provided, the repository advises how to obtain the tool from the hosting agency.

Authorized personnel with a CAC or PIV may access this tool list through the DC3 Customer Portal. All others should contact dc3.tsd@us.af.mil

TSD Technologies
Technical Solutions Development (TSD) maintains, develops, and supports a large variety of tools and enterprise solutions for DC3 mission areas, DC3 customers and other partnering agencies. Several notable efforts are highlighted below:

Analytic Customer Portal — Analytic Customer Portal is a system that hosts a number of datasets for analysts both internal and external to DC3. The system provides users the ability to search DNS monitored data, GeoIP data and a social media database. Additionally, users can submit Requests for Information (RFIs) to DC3’s Analytic Group (DC3/AG). https://analytics.dc3.smil.mil

Columbo — Columbo is a web-based application that provides a centrally managed repository to enable the collection and sharing of cyber threat data amongst analysts in DC3/AG, DC3’s Defense Industrial Base Collaborative Information Sharing Environment (DCISE) and partnering cybersecurity centers. Columbo’s backend repository is the DC3 Analytic Database (DAD). DAD merges existing analytic databases into a standardized database allowing for increased analytic capabilities, controlled access and increased sharing. DAD provides an API for current and future analytic applications allowing importing, exporting (through analytic tools) of threat data, and for execution of analytic scenario use cases.

Customer Portal — Customer Portal houses a number of services of interest to DC3’s external customers, including operational status updates, event coordination and product download links. The Portal provides information on DC3 Cyber Forensics Lab (CFL) case status, access to the DC3 legal document repository, and a management solution for the DCISE TechEx event, including session planning, logistical information, registration and post-conference survey. Additionally, the Customer Portal provides access to TSD developed tools and validation reports for forensics tools completed by DC3 and the U.S. Army. The tools below can be found in the Portal. https://customerportal.dc3.mil

DC3 Advanced Carver (DC3AC) — DC3AC is a state-of-the-art and patented file carving capability to extract complete or partial files from unknown data sets including unallocated space on device images, memory dumps, page files and corrupt files. Targeted file formats include images, videos, documents, databases and executables. DC3AC contains a number of unique algorithms for identifying, reconstructing and repairing file fragments that would be unreadable on their own.

DC3 SQLite Dissect — DC3 SQLite Dissect is a SQLite file parser with capabilities to recover and retrieve deleted
information. Data is recovered through analyzing the contents of the SQLite files and generating signatures for the data.
Those signatures are then used to dissect the unallocated space within the files. DC3 SQLite Dissect supports both
the SQLite databases and Journaling files. The tool uses the WAL file to produce a timeline of events which reveals
transactional history and reports on user activity (adding and deleting data over time). DC3 SQLite Dissect includes
an Application Programming Interface (API) and can export recovered results in multiple formats including CSV (Comma
Separated Values), XLSX (Excel), and SQLite.

Electronic Malware Submission (EMS) — EMS allows both DC3 analysts and external customers to safely
and securely submit malware for examination. Submitters have the option of requesting a human-based examination
by a reverse engineer from DC3’s Cyber Forensics Lab (CFL) or receiving an automated analysis report within minutes
based on dozens of exploitation tools created and curated by TSD and CFL subject matter experts. https://ems.dc3on.gov

Map My Case — Map My Case is an offline geospatial visualization and analysis tool based on a portable installation of OpenStreetMap. Functionality includes plotting of GeoIP information, cell tower locations, and WiFi hotspot locations based on open source and commercial data sets. The tool can also plot image and video locations based on file metadata, and can display points and paths of interest found within GeoJSON or KML files.

Missing Links — Missing Links is a forensic analysis tool suite comprised of two software components: the Missing Links Explorer and the Missing Links Extractor. The concept originated with a need to support forensic examiners, in both field and lab settings, in quickly identifying “missing” pieces of evidence associated with a case. Missing Links leverages the processing power of commercial tools to scale correlation capabilities across thousands of data sources and billions of forensic artifacts.