Combat cybercrime with universal cyber language

To combat cybercrime, it is important to have international cooperation among investigative services. The NFI was one of the initiators for a ‘language’ to make this possible. TNO is one of the parties who is further developing this CASE language to facilitate the exchange of information among international investigative systems.

CASE and Hansken

The victim could be Dutch, the criminal could be Spanish, the software is made in the Czech Republic and runs on a Polish server. Cybercrime knows no boundaries. To combat this variant of crime, it is important to have international cooperation among investigative services, but that is difficult in practice. ‘Cybercrime barely existed five years ago’, says Freek Bomhof, Data Science business consultant for Safety & Security at TNO. ‘It is a new form of crime, changes continuously and complicates collaboration. If Dutch detectives investigate a case together with other countries, there is often a language barrier. You resort to English, but nobody speaks it perfectly. And the definition of a wallet or hidden server is slightly different in the context of one country than that of another country, which can cause confusion of what is being meant.’

Series of arrangements

It may take months before another country honours a request for mutu al legal assistance. To facilitate this international cooperation, the NFI, together with other partners, developed a universal cyber language: Cyberinvestigation Analysis Standard Expression (CASE). Bomhof: ‘It is a computer language containing a series of mutual agreements concerning specific words and definitions. Like: if we use this term, then that is the exact definition. That is pertinent, because if you bring a case to court, it must be clear to everyone how the evidence has been established.’

Hansken

NFI uses the Hansken data platform to capture and analyse trace evidence. The problem was that this system did not speak CASE yet. In 2021, TNO created a module that allows Hansken to exchange data with other international investigative systems using CASE language. ‘We have created a link within Hansken using CASE, so that Hansken can exchange data with other information systems.’

CASE community

TNO has also contributed to the expansion of CASE's words and terms. ‘In cooperation with INTERPOL, we have developed a glossary and definitions for cryptocurrency and underground market places’, says Bomhof. TNO remains active in the CASE community and calls on other organisations that work with cybercrime data to join the community. ‘At the annual event of our business unit it was nice to win the Impact Award with this Hansken project. We had achieved this in a short space of time and with very little budget, and that impressed everyone.