Chris Hargreaves · HARGS Solutions Ltd. / University of Oxford

The ID scheme for SOLVE-IT has been changed. Introducing DFO, DFT, DFW, and DFMs. This has been on the agenda for a long time and with two SOLVE-IT workshops in March 2026, getting these breaking changes completed has been a priority.

New SOLVE-IT ID scheme

The ID scheme used in SOLVE-IT has been the same since it was launched at DFRWS EU 2025. Some issues with that early design decision have become apparent over the last year and were captured in SOLVE-IT Issue #215.

The new scheme moves away from:

  • Txxxx - Technique
  • Wxxxx - Weakness
  • Mxxxx - Mitigation

and now captures the digital forensic scope of the entities recorded. It appears to be a minor surface change, but it required changes across the data and codebase of multiple projects. The new scheme is:

  • DFT-xxxx - Digital forensic technique
  • DFW-xxxx - Digital forensic weakness (or potential weakness strictly speaking)
  • DFM-xxxx - Digital forensic mitigation

and objectives have also been brought under the same scheme:

  • DFO-xxxx - Digital forensic objective

This now allows sentences that span multiple knowledge bases to make sense. For example, using MITRE ATT&CK and SOLVE-IT it is now possible to say coherently:

“We suspected that T1456 Drive-by Compromise occurred on the system, so DFT-1069 (Browser analysis) was performed, specifically the sub-technique DFT-1137 (Browser history analysis), which indicated a redirect that resulted in an executable being downloaded. This was also confirmed using DFT-1142 (Browser downloads examination). It was suspected that T1204 (User execution) was required to launch this, and DFT-1096 (Run programs identification (OS)) provided artifacts suggesting that was the case.”

This new ID system should be stable indefinitely, which is increasingly important with the deeplinks offered by the SOLVE-IT Explorer.

You may find some stale references to the old naming scheme in places (older documentation most likely), but we’ll try and get those updated too where possible.
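For anyone checking their own notes or tooling for old-style references, the following is an added example (not SOLVE-IT project code) that extracts IDs from free text and separates new-scheme SOLVE-IT IDs from unprefixed ones. It assumes four-digit numbers as shown above; the function names, the `known_external` allowlist and the ID `W0001` are made up for illustration.

```python
import re

# Prefixes of the new scheme described above.
SOLVE_IT_KINDS = {"DFO": "objective", "DFT": "technique",
                  "DFW": "weakness", "DFM": "mitigation"}
BARE_KINDS = {"T": "technique", "W": "weakness", "M": "mitigation"}

# Assumption: four-digit numbers, as in the IDs shown on this page. Bare IDs
# may carry a ".NNN" suffix (ATT&CK sub-technique style).
ID_RE = re.compile(
    r"(?<![A-Za-z0-9-])"                      # not glued to a longer token
    r"(?:(DF[OTWM])-(\d{4})|([TWM])(\d{4})(?:\.\d{3})?)"
    r"(?![A-Za-z0-9])"
)

def classify_ids(text):
    """Return (id, source, kind) for every ID found, in order of appearance."""
    found = []
    for m in ID_RE.finditer(text):
        if m.group(1):
            found.append((m.group(0), "SOLVE-IT", SOLVE_IT_KINDS[m.group(1)]))
        else:
            # Old-style SOLVE-IT IDs and other knowledge bases look alike here.
            found.append((m.group(0), "unprefixed", BARE_KINDS[m.group(3)]))
    return found

def stale_candidates(text, known_external=frozenset()):
    """Unprefixed IDs not in the caller's allowlist of external IDs."""
    out = []
    for m in ID_RE.finditer(text):
        if m.group(3) and m.group(3) + m.group(4) not in known_external:
            out.append(m.group(0))
    return out

# Constructed input: excerpt of the sentence quoted above, plus one made-up
# old-style ID.
SAMPLE = ("We suspected that T1456 Drive-by Compromise occurred, so DFT-1069 "
          "(Browser analysis) was performed; see also W0001.")

if __name__ == "__main__":
    for row in classify_ids(SAMPLE):
        print(row)
    print(stale_candidates(SAMPLE, known_external={"T1456"}))
```

An unprefixed `Txxxx` or `Mxxxx` cannot be attributed by format alone, so the allowlist of IDs known to belong to another knowledge base has to come from the caller.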
