Question: Application Case: Solving Crimes by Sharing Digital Forensic Knowledge Sources: Harrison et al., A Lessons Learned Repository for Computer Forensics, International Journal of Digital

Application Case: Solving Crimes by Sharing Digital Forensic Knowledge

Sources: Harrison et al., "A Lessons Learned Repository for Computer Forensics," International Journal of Digital Evidence, Vol. 1, No. 3, 2002; S. Jarvenpaa and A. Majchrzak, "Developing Individuals' Transactive Memories of their Ego-Centric Networks to Mitigate Risks of Knowledge Sharing: The Case of Professionals Protecting Cyber Security"

Digital forensics has become an indispensable tool for law enforcement. This science is not only applied to cases of crime committed with or against digital assets but is used in many physical crimes to gather evidence of intent or proof of prior relationships. The volume of digital devices that might be explored by a forensic analysis, however, is staggering, including anything from a home computer to a videogame console, to an engine module from a getaway vehicle. New hardware, software, and applications are being released into public use daily, and analysts must create new methods to deal with each of them.

Many law enforcement agencies have widely varying capabilities to do forensics, sometimes enlisting the aid of other agencies or outside consultants to perform analyses. As new techniques are developed, internally tested, and ultimately scrutinized by the legal system, new forensic hypotheses are born and proven. When the same techniques are applied to other cases, the new proceeding is strengthened by the precedent of a prior case. Acceptance of a methodology in multiple proceedings makes it more acceptable for future cases.

Unfortunately, new forensic discoveries are rarely formally shared, sometimes even among analysts within the same agency. Briefings may be given to other analysts within the same agency, although caseloads often dictate immediately moving on to the next case. Even less is shared between different agencies, or even between different offices of some federal law enforcement communities.
The result of this lack of sharing is duplication of significant effort to re-discover the same or similar approaches to prior cases and a failure to take consistent advantage of precedent rulings that may strengthen the admission of a certain process.

The Center for Telecommunications and Network Security (CTANS), a center of excellence that includes faculty from Oklahoma State University's Management Science and Information Systems Department, has developed, hosted, and is continuously evolving Web-based software to support law enforcement digital forensics investigators (LEDFI) via access to forensics resources and communication channels for the past 6 years. The cornerstone of this initiative has been the National Repository of Digital Forensics Information (NRDFI), a collaborative effort with the Defense Cyber Crime Center (DC3), which has evolved into the Digital Forensics Investigator Link (DFILink) over the past 2 years.

Solution

The development of the NRDFI was guided by the theory of the egocentric group and how these groups share knowledge and resources among one another in a community of practice (Jarvenpaa & Majchrzak, 2005). Within an egocentric community of practice, experts are identified through interaction, knowledge remains primarily tacit, and informal communication mechanisms are used to transfer this knowledge from one participant to the other. The informality of knowledge transfer in this ca expertise as well as redundancy of effort across the broader community as a whole. For example, a digital forensics (DF) investigator in Washington, DC, may spend 6 hours to develop a process to extract data hidden in slack space in the sectors of a hard drive. The process may be shared among his local colleagues, but other DF professionals in other cities and regions will have to develop the process on their own. In response to these weaknesses, the NRDFI was developed as a hub for knowledge transfer between local law enforcement communities.
The NRDFI site was locked down so that only members of law enforcement were able to access content, and members were provided the ability to upload knowledge documents and tools that may have been developed locally within their community, so that the broader law enforcement community of practice could utilize their contributions and reduce redundancy of efforts. The Defense Cyber Crime Center, a co-sponsor of the NRDFI initiative, provided a wealth of knowledge documents and tools in order to seed the system with content (see Figure 1).

Results

Response from the LEDFI community was positive, and membership to the NRDFI site quickly jumped to over 1,000 users. However, the usage pattern for these members was almost exclusively unidirectional. LEDFI members would periodically log on, download a batch of tools and knowledge documents, and then not log on again until the knowledge content on the site was extensively refreshed. The mechanisms in place for local LEDFI communities to share their own knowledge and tools sat largely unused. From here, CTANS began to explore the literature with regard to motivating knowledge sharing and began a redesign of NRDFI driven by the extant literature; they focused on promoting sharing within the LEDFI community through the NRDFI.

Some additional capabilities include new applications such as a "Hash Link," which can provide DFI Link members with a repository of hash values that they would otherwise need to develop on their own, and a directory to make it easier to contact colleagues in other departments and jurisdictions. A calendar of events and a newsfeed page were integrated into the DFI Link in response to requests from the users. Increasingly, commercial software is also being hosted. Some were licensed through grants and others were provided by vendors, but all are free to vetted users of the law enforcement community.
The DFI Link has been a positive first step toward getting LEDFI to better communicate and share knowledge with colleagues in other departments. Ongoing research is helping to shape the DFI Link to better meet the needs of its customers and promote even greater knowledge sharing. Many LEDFI are inhibited from sharing such knowledge, as policies and culture in the law enforcement domain often promote the protection of information at the cost of knowledge sharing. However, by working with DC3 and the law enforcement community, researchers are beginning to knock down these barriers and create a more productive knowledge sharing environment.

Answer the following:

a) Interpret why digital forensics information should be shared among law enforcement communities.
b) Summarize the suggestion of egocentric theory about knowledge sharing.
c) Explain the behavior that the developers of NRDFI observed in terms of use of the system.
