TSD Completes Missing Links


(Photo courtesy of the Open University. http://www.open.ac.uk/)

By Stephen Murphy, DC3 Public Affairs

The DoD Cyber Crime Center (DC3) Technical Solutions Development (TSD) launched an upgraded version of its “Missing Links” software in January. Among other features, Missing Links helps field law enforcement agents and others who seize or discover digital devices, such as cellphones, during investigations to quickly identify other digital devices to which the seized or discovered devices had been connected.

The new version replaces the original Missing Links software released in November 2018 with an upgrade that includes integration support for the Cellebrite and Autopsy digital forensic platforms.

With today’s technology, people commonly use multiple types of digital devices and storage interchangeably, including thumb drives, tablets, smartphones, the cloud, etc., to transfer and store digital information.

“While this is a major convenience for the average person, it is something that poses a challenge for digital forensic examiners in the lab and investigators in the field,” said Ryan Griffith, TSD Chief Special Projects. “This is because traditional forensic tools display large quantities of data stored on a device, but do little to help forensic analysts find red flags that indicate evidence is missing, encrypted or otherwise concealed.”

Examiners operating in a field environment may not have the time for a deep-dive examination of the media, so the Missing Links Extractor becomes a valuable tool for scanning media to determine what drives, etc., were plugged into it.

“Missing refers to items of interest that an agent or examiner may be unaware of,” said Griffith. “For example, a portable hardware tucked away in a drawer that was frequently used with the computer being seized. Another example could be evidence of cloud storage, which tells the agent or examiner that the subject used offsite storage and a data preservation order may be required.”

Missing Links consists of two components: Missing Links Extractor and Missing Links Explorer. The Missing Links Extractor is a data processing tool for field or lab use that identifies other devices and remote storage that could contain additional data sources. It was engineered so that data sources that have already been extracted and parsed do not have to be re-ingested and re-parsed by Missing Links.

“We did not want to reinvent the wheel,” said Griffith. “Plenty of COTS (commercial off-the-shelf) and GOTS (government off-the-shelf) tools parse and interpret data sources. We leverage these existing technologies and layer in a correlation component that brings to light relationships between devices, both accounted for and otherwise missing.”

Missing Links Explorer is a user interface for analyzing ingested data from multiple data sources, with a focus on identifying links between them. It was designed so that users can point the Missing Links tool at their parsed data for further visual correlation.

“We call it ‘bridge code,’ and Missing Links Explorer ships with support for a number of popular tools such as Axiom, UFED and Autopsy,” said Griffith. “The beauty of this feature is that it allows developers to easily craft their own bridge code to analyze their favorite tool’s output in our interface.”

Technical Solutions Development has deployed the Missing Links Explorer at DC3 and several of its sister agencies. DC3 analysts are able to correlate across smaller datasets, while DC3’s sister agencies take advantage of Missing Links’ ability to correlate across large historical holdings.

“The power of Missing Links is most realized in its modular ability to adapt to interpret third-party tool output,” said Griffith. “This is powerful in that it eliminates the need to reparse years of data to correlate across historical holdings. It is also unique in that we focus on a top-down correlation approach, eliminating the need to have a starting point for pivoting across the data.”

Technical Solutions Development partners with the Office of the Under Secretary of Defense (OUSD) Research and Engineering (R&E) to develop and deliver prototype applications that would serve the broader defense community. TSD prepares and presents gaps in capabilities to OUSD (R&E), and if they are accepted, OUSD (R&E) in turn provides funding for these efforts.

For more information on TSD, go to https://www.dc3.mil/technical-solutions.