add memory object

This commit is contained in:
Frank Xu
2021-02-11 19:46:27 -05:00
parent bf11a251cf
commit 080a97949d


@@ -77,76 +77,6 @@ The xSTIX includes a set of Cyber Forensic Objects (CFOs), customized properties
- [threat-actor-type-ov extension](#threat-actor-type-ov-extension])
- [ani-forensic-tool-type-ov](#tool-type-ov-extension)
## Tool State Evidence Object
**Type Name:** x-tool-state-evidence
The Tool State Evidence object represents an attacking (anti-forensic) tool's state at a specific time, including downloading, installing, running, uninstalling, cleaning. Each state is exclusive.
### Properties
| Property Name | Type | Description |
| ---------------- | ---------- | --------------------------------------------------------------------------------------------------------------------------------------- |
| type (required) | string | The value of this property MUST be x-tool-state-evidence. |
| state | enum | Specifies a state of tool. It MUST come from x-tool-state-enum enumeration. |
| enter_state_time | timestamp | Specifies the time a tool entering the state. |
| exit_state_time | timestamp | Specifies the time a tool existing the state. |
| tool_ref | identifier | An ID reference to a Tool object. If the tool is an anti-forensics tool, the type of the tool MUST come from ani-forenisc-tool-type-ov. |
### Relationships
| Source | Relationship Type | Target | Description |
| --------------------- | ----------------- | ---------------- | ------------------------------------------------------------------------------------------------------- |
| x-tool-state-evidence | traced-back-to | user-account | This Relationship describes that a tool state evidence can be traced back to a user-account. |
| x-tool-state-evidence | extracted-from | x-disk-partition | This Relationship describes that a piece of x-tool-state-evidence is extracted from a x-disk-partition. |
### Tool State Enumeration
**Enumeration Name**: x-tool-state-enum
| Vocabulary Value | Description |
| ---------------- | ------------------------------------------------------- |
| downloading | A tool was downloading |
| installing | A tool was installing |
| running | |
| uninstalling | |
| cleaning | All files that are related to the tool has been removed |
### Example: describes a system event generated by CD-Rom
```json
[
{
"type": "x-tool-state-evidence",
"spec_version": "2.1",
"id": "x-tool-state-evidence--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"state": "installing",
"exit_state_time": "2005-02-06T20:03:00.000Z",
"created": "2021-01-06T20:03:00.000Z",
"modified": "2021-01-06T20:03:00.000Z",
"created_by_ref": "identity-704d9d08-060e-48f6-ace9-fde3eeb712ab"
},
{
"type": "tool",
"spec_version": "2.1",
"id": "tool--4d82bd3e-24a3-4f9d-b8f3-b57267fe06a9",
"created": "2015-05-15T09:12:16.432Z",
"modified": "2015-05-15T09:12:16.432Z",
"name": "steghide",
"tool_types": ["steganography"],
"tool_version": "0.5.1",
"description": "steganography",
"external_references": [
{
"source_name": "steghide",
"url": "http://steghide.sourceforge.net/"
}
]
}
]
```
## Disk Image Object
**Type Name:** x-disk-image
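Review bot: the two list entries kept as context at the top of this hunk have broken links: `[threat-actor-type-ov extension](#threat-actor-type-ov-extension])` carries a stray `]` inside the link target, and `[ani-forensic-tool-type-ov](#tool-type-ov-extension)` points at an anchor whose name does not match its label. Since this hunk only removes the Tool State Evidence section from its old position (the header shows 76 lines dropped and the same section is re-added lower in the file), it is the natural place to fix those two links as well. Note also that the version removed here constrained the reference ("If the tool is an anti-forensics tool, the type of the tool MUST come from ani-forenisc-tool-type-ov"); that constraint should be kept, with the spelling corrected to anti-forensic, rather than silently dropped when the section is moved.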
@@ -340,22 +270,93 @@ Use an open-source software to parse and decode $LogFile records
}
```
## Tool State Evidence Object
**Type Name:** x-tool-state-evidence
The Tool State Evidence object represents an attacking (anti-forensic) tool's state at a specific time manipulated by a threat actor, including downloading, installing, running, uninstalling, cleaning. Each state is exclusive.
### Properties
| Property Name | Type | Description |
| ---------------- | ---------- | --------------------------------------------------------------------------- |
| type (required) | string | The value of this property MUST be x-tool-state-evidence. |
| state | enum | Specifies a state of tool. It MUST come from x-tool-state-enum enumeration. |
| enter_state_time | timestamp | Specifies the time a tool entering the state. |
| exit_state_time | timestamp | Specifies the time a tool existing the state. |
| tool_ref | identifier | An ID reference to a Tool object. |
### Relationships
| Source | Relationship Type | Target | Description |
| --------------------- | ----------------- | ---------------- | ------------------------------------------------------------------------------------------------------- |
| x-tool-state-evidence | traced-back-to | user-account | This Relationship describes that a tool state evidence can be traced back to a user-account. |
| x-tool-state-evidence | extracted-from | x-disk-partition | This Relationship describes that a piece of x-tool-state-evidence is extracted from a x-disk-partition. |
### Tool State Enumeration
**vocabulary Name**: x-tool-state-enum
| Vocabulary Value | Description |
| ---------------- | ------------------------------------------------------- |
| downloading | A tool was downloading |
| installing | A tool was installing |
| running | |
| uninstalling | |
| cleaning | All files that are related to the tool has been removed |
### Example: describes a system event generated by CD-Rom
```json
[
{
"type": "x-tool-state-evidence",
"spec_version": "2.1",
"id": "x-tool-state-evidence--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"state": "installing",
"exit_state_time": "2005-02-06T20:03:00.000Z",
"created": "2021-01-06T20:03:00.000Z",
"modified": "2021-01-06T20:03:00.000Z",
"created_by_ref": "identity-704d9d08-060e-48f6-ace9-fde3eeb712ab"
},
{
"type": "tool",
"spec_version": "2.1",
"id": "tool--4d82bd3e-24a3-4f9d-b8f3-b57267fe06a9",
"created": "2015-05-15T09:12:16.432Z",
"modified": "2015-05-15T09:12:16.432Z",
"name": "steghide",
"tool_types": ["steganography"],
"tool_version": "0.5.1",
"description": "steganography",
"external_references": [
{
"source_name": "steghide",
"url": "http://steghide.sourceforge.net/"
}
]
}
]
```
## Action Object
**Type Name:** x-action
An action is one cyber criminal activity performed under a user account.
An action is one cyber criminal activity performed under a user account. It is a meaningful ACID (Atomicity, Consistency, Isolation, Durability) activity related to file systems or a hardware component.
## Action Specific Properties
| Property Name | Type | Description |
| --------------- | ----------------------- | ------------------------------------------------------------------------ |
| type (required) | string | The value of this property MUST be x-action. |
| name | string | Specifies the name of an action. |
| description | string | A description that provides more details and context about the Action. |
| performed_time | timestamp | Specified the time that performed an action. |
| note | string | Additional note that describes an action. |
| evidence_refs | list of type identifier | Specifies a list of evidence objects that are associated with an action. |
| Property Name | Type | Description |
| --------------- | ----------------------- | --------------------------------------------------------------------------- |
| type (required) | string | The value of this property MUST be x-action. |
| name | string | Specifies the name of an action. It MUST come from x-action-name-ov. |
| target | identifier | Specifies the target of an action. It is an observable object. |
| description | string | A description that provides more details and context about the Action. |
| category | open-vocab | Specifies a category of the action. It MUST come from x-action-category-ov. |
| start_time | timestamp | Specifies the the time that an action is started. |
| end_time | timestamp | Specifies the the time that an action is ended. |
| evidence_refs | list of type identifier | Specifies a list of evidence objects that are associated with an action. |
### Relationships
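Review bot: the example JSON in the re-added Tool State Evidence section is not valid STIX 2.1: `"created_by_ref": "identity-704d9d08-060e-48f6-ace9-fde3eeb712ab"` is missing the `--` separator that STIX identifiers require (`identity--<uuid>`), and the evidence object has no `tool_ref`, so the `tool--4d82bd3e-...` object placed next to it in the same array is not connected to it at all; add `"tool_ref": "tool--4d82bd3e-24a3-4f9d-b8f3-b57267fe06a9"` and, since the state is `installing`, an `enter_state_time`. The heading "Example: describes a system event generated by CD-Rom" does not describe what the JSON shows (a steghide install state) and looks copied from another section. Smaller points in the same hunk: "the time a tool existing the state" should read "exiting"; `**vocabulary Name**: x-tool-state-enum` should be "Enumeration Name", as the removed copy had it and as the `state` property (type `enum`) implies; and the `running` and `uninstalling` rows have empty descriptions. In the new Action properties table, `name` is typed `string` but "MUST come from x-action-name-ov": a value drawn from an open vocabulary cannot be a MUST, and the type should be `open-vocab` as it is for `category`; `x-action-category-ov` is referenced but not defined anywhere in this change; `target` is typed `identifier` but described as "an observable object", so say it is the identifier of an SCO; and `## Action Specific Properties` is a level-2 heading where every other object uses `### Properties`.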
@@ -363,6 +364,37 @@ An action is one cyber criminal activity performed under a user account.
| -------- | ----------------- | ------------ | -------------------------------------------------------------------------- |
| x-action | traced-back-to | user-account | This Relationship describes that an action is traced-back-to user-account. |
### Action Name Vocabulary
**Vocabulary Name**: x-action-name-ov
| Vocabulary Value | Description |
| ------------------ | ---------------------------------------------------------------- |
| power-on | |
| power-off | |
| login | |
| logout | |
| search | Search for strings, including key words, files, and directories. |
| download | Download files. |
| install | Install software. |
| execute | |
| uninstall | |
| delete | |
| read | |
| write | |
| update | |
| modify | |
| send | |
| receive | |
| encrypt | |
| decrypt | |
| steganography | Tools used to against steganography. |
| anti-steganography | |
| plug-hardware | |
| unplug-hardware | |
| other | |
| unknown | |
## Example: An action that search for anti-forensics tools
```json
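Review bot: in the new `x-action-name-ov` table the `steganography` row reads "Tools used to against steganography.", which is ungrammatical, describes tools rather than an action, and is actually the meaning of the `anti-steganography` row directly below it (which is left blank); the two descriptions should be swapped and reworded as actions, e.g. hiding data in a carrier file versus detecting or extracting hidden data. Most other values (`power-on`, `execute`, `read`, `write`, `send`, `receive`, `plug-hardware`) have no description, and `update` and `modify` cannot be told apart without one; either define the distinction or keep only one of them. The heading `## Example: An action that search for anti-forensics tools` should be `### Example: An action that searches for anti-forensics tools` to match the heading level and grammar used by the other object sections.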