Introduction

The SOLVE-IT knowledge base (Systematic Objective-based Listing of Various Established digital Investigation Techniques) is conceptually inspired by MITRE ATT&CK and captures digital forensic techniques that can be used in investigations. It includes details about each technique, examples, potential ways the technique can go wrong (weaknesses), and potential mitigations to either avoid, detect, or minimize the consequences of a weakness if it does occur.

SOLVE-IT was introduced at DFRWS EU 2025. The associated academic paper in FSI: Digital Investigation can be cited as:

Hargreaves, C., van Beek, H., Casey, E., SOLVE-IT: A proposed digital forensic knowledge base inspired by MITRE ATT&CK, Forensic Science International: Digital Investigation, Volume 52, Supplement, 2025, 301864, ISSN 2666-2817, https://doi.org/10.1016/j.fsidi.2025.301864

This is a community project, so please see the contribute page for information on how to contribute to the knowledge base.

Concepts and structure

The high-level concepts are:

  • Objectives: based on ATT&CK tactics, objectives are “the goal that one might wish to achieve in a digital forensic investigation”, e.g. acquire data, or extract information from a file system.

  • Techniques: “how one might achieve an objective in digital forensics by performing an action”, e.g. for the objective of ‘acquire data’, the technique ‘create disk image’ could be used.

  • Weaknesses: these represent potential problems resulting from using a technique. They are classified according to the error categories in ASTM E3016-18, the Standard Guide for Establishing Confidence in Digital and Multimedia Evidence Forensic Results by Error Mitigation Analysis.

  • Mitigations: something that can be done to attempt to prevent a weakness from occurring, or to attempt to minimize its impact.

Each of these concepts is contained in a subfolder within the data subfolder of the GitHub repository. Each technique, weakness, and mitigation is represented as a JSON file that can be directly viewed.

Organisation of the techniques

The file solve-it.json is the default categorization of the techniques, but other categorizations are possible with custom JSON files. The examples repository discusses how this can be done and provides examples for carrier.json and dfrws.json. See here for more information.

Supporters

The contributors page acknowledges all those individuals who have made contributions to the knowledge base so far.

In addition, the following organizations provide support to the SOLVE-IT project.