diff --git a/STIX_for_digital_forensics/readme.md b/STIX_for_digital_forensics/readme.md index 8b1f8db..cb39dd7 100644 --- a/STIX_for_digital_forensics/readme.md +++ b/STIX_for_digital_forensics/readme.md 
@@ -77,76 +77,6 @@ The xSTIX includes a set of Cyber Forensic Objects (CFOs), customized properties - [threat-actor-type-ov extension](#threat-actor-type-ov-extension]) - [ani-forensic-tool-type-ov](#tool-type-ov-extension) -## Tool State Evidence Object - -**Type Name:** x-tool-state-evidence - -The Tool State Evidence object represents an attacking (anti-forensic) tool's state at a specific time, including downloading, installing, running, uninstalling, cleaning. Each state is exclusive. - -### Properties - -| Property Name | Type | Description | -| ---------------- | ---------- | --------------------------------------------------------------------------------------------------------------------------------------- | -| type (required) | string | The value of this property MUST be x-tool-state-evidence. | -| state | enum | Specifies a state of tool. It MUST come from x-tool-state-enum enumeration. | -| enter_state_time | timestamp | Specifies the time a tool entering the state. | -| exit_state_time | timestamp | Specifies the time a tool existing the state. | -| tool_ref | identifier | An ID reference to a Tool object. If the tool is an anti-forensics tool, the type of the tool MUST come from ani-forenisc-tool-type-ov. | - -### Relationships - -| Source | Relationship Type | Target | Description | -| --------------------- | ----------------- | ---------------- | ------------------------------------------------------------------------------------------------------- | -| x-tool-state-evidence | traced-back-to | user-account | This Relationship describes that a tool state evidence can be traced back to a user-account. | -| x-tool-state-evidence | extracted-from | x-disk-partition | This Relationship describes that a piece of x-tool-state-evidence is extracted from a x-disk-partition. 
| - -### Tool State Enumeration - -**Enumeration Name**: x-tool-state-enum - -| Vocabulary Value | Description | -| ---------------- | ------------------------------------------------------- | -| downloading | A tool was downloading | -| installing | A tool was installing | -| running | | -| uninstalling | | -| cleaning | All files that are related to the tool has been removed | - -### Example: describes a system event generated by CD-Rom - -```json -[ - { - "type": "x-tool-state-evidence", - "spec_version": "2.1", - "id": "x-tool-state-evidence--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f", - "state": "installing", - "exit_state_time": "2005-02-06T20:03:00.000Z", - "created": "2021-01-06T20:03:00.000Z", - "modified": "2021-01-06T20:03:00.000Z", - "created_by_ref": "identity-704d9d08-060e-48f6-ace9-fde3eeb712ab" - }, - - { - "type": "tool", - "spec_version": "2.1", - "id": "tool--4d82bd3e-24a3-4f9d-b8f3-b57267fe06a9", - "created": "2015-05-15T09:12:16.432Z", - "modified": "2015-05-15T09:12:16.432Z", - "name": "steghide", - "tool_types": ["steganography"], - "tool_version": "0.5.1", - "description": "steganography", - "external_references": [ - { - "source_name": "steghide", - "url": "http://steghide.sourceforge.net/" - } - ] - } -] -``` - ## Disk Image Object **Type Name:** x-disk-image 
@@ -340,22 +270,93 @@ Use an open-source software to parse and decode $LogFile records } ``` +## Tool State Evidence Object + +**Type Name:** x-tool-state-evidence + +The Tool State Evidence object represents an attacking (anti-forensic) tool's state at a specific time manipulated by a threat actor, including downloading, installing, running, uninstalling, cleaning. Each state is exclusive. + +### Properties + +| Property Name | Type | Description | +| ---------------- | ---------- | --------------------------------------------------------------------------- | +| type (required) | string | The value of this property MUST be x-tool-state-evidence. | +| state | enum | Specifies a state of tool. It MUST come from x-tool-state-enum enumeration. | +| enter_state_time | timestamp | Specifies the time a tool entering the state. | +| exit_state_time | timestamp | Specifies the time a tool existing the state. | +| tool_ref | identifier | An ID reference to a Tool object. | + +### Relationships + +| Source | Relationship Type | Target | Description | +| --------------------- | ----------------- | ---------------- | ------------------------------------------------------------------------------------------------------- | +| x-tool-state-evidence | traced-back-to | user-account | This Relationship describes that a tool state evidence can be traced back to a user-account. | +| x-tool-state-evidence | extracted-from | x-disk-partition | This Relationship describes that a piece of x-tool-state-evidence is extracted from a x-disk-partition. 
| + +### Tool State Enumeration + +**vocabulary Name**: x-tool-state-enum + +| Vocabulary Value | Description | +| ---------------- | ------------------------------------------------------- | +| downloading | A tool was downloading | +| installing | A tool was installing | +| running | | +| uninstalling | | +| cleaning | All files that are related to the tool has been removed | + +### Example: describes a system event generated by CD-Rom + +```json +[ + { + "type": "x-tool-state-evidence", + "spec_version": "2.1", + "id": "x-tool-state-evidence--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f", + "state": "installing", + "exit_state_time": "2005-02-06T20:03:00.000Z", + "created": "2021-01-06T20:03:00.000Z", + "modified": "2021-01-06T20:03:00.000Z", + "created_by_ref": "identity-704d9d08-060e-48f6-ace9-fde3eeb712ab" + }, + { + "type": "tool", + "spec_version": "2.1", + "id": "tool--4d82bd3e-24a3-4f9d-b8f3-b57267fe06a9", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "name": "steghide", + "tool_types": ["steganography"], + "tool_version": "0.5.1", + "description": "steganography", + "external_references": [ + { + "source_name": "steghide", + "url": "http://steghide.sourceforge.net/" + } + ] + } +] +``` + ## Action Object **Type Name:** x-action -An action is one cyber criminal activity performed under a user account. +An action is one cyber criminal activity performed under a user account. It is a meaningful ACID (Atomicity, Consistency, Isolation, Durability) activity related to file systems or a hardware component. ## Action Specific Properties -| Property Name | Type | Description | -| --------------- | ----------------------- | ------------------------------------------------------------------------ | -| type (required) | string | The value of this property MUST be x-action. | -| name | string | Specifies the name of an action. | -| description | string | A description that provides more details and context about the Action. 
| -| performed_time | timestamp | Specified the time that performed an action. | -| note | string | Additional note that describes an action. | -| evidence_refs | list of type identifier | Specifies a list of evidence objects that are associated with an action. | +| Property Name | Type | Description | +| --------------- | ----------------------- | --------------------------------------------------------------------------- | +| type (required) | string | The value of this property MUST be x-action. | +| name | string | Specifies the name of an action. It MUST come from x-action-name-ov. | +| target | identifier | Specifies the target of an action. It is an observable object. | +| description | string | A description that provides more details and context about the Action. | +| category | open-vocab | Specifies a category of the action. It MUST come from x-action-category-ov. | +| start_time | timestamp | Specifies the the time that an action is started. | +| end_time | timestamp | Specifies the the time that an action is ended. | +| evidence_refs | list of type identifier | Specifies a list of evidence objects that are associated with an action. | ### Relationships 
@@ -363,6 +364,37 @@ An action is one cyber criminal activity performed under a user account. | -------- | ----------------- | ------------ | -------------------------------------------------------------------------- | | x-action | traced-back-to | user-account | This Relationship describes that an action is traced-back-to user-account. | +### Action Name Vocabulary + +**Vocabulary Name**: x-action-name-ov + +| Vocabulary Value | Description | +| ------------------ | ---------------------------------------------------------------- | +| power-on | | +| power-off | | +| login | | +| logout | | +| search | Search for strings, including key words, files, and directories. | +| download | Download files. | +| install | Install software. | +| execute | | +| uninstall | | +| delete | | +| read | | +| write | | +| update | | +| modify | | +| send | | +| receive | | +| encrypt | | +| decrypt | | +| steganography | Tools used to against steganography. | +| anti-steganography | | +| plug-hardware | | +| unplug-hardware | | +| other | | +| unknown | | + ## Example: An action that search for anti-forensics tools ```json
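Review bot: On the first hunk (`@@ -77,76 +77,6`), the retained context line `[threat-actor-type-ov extension](#threat-actor-type-ov-extension])` carries a stray `]` inside the anchor, so the table-of-contents link renders broken; since this hunk already edits that region, drop the extra bracket here. Removing the section also discards the constraint on `tool_ref` ("If the tool is an anti-forensics tool, the type of the tool MUST come from ani-forenisc-tool-type-ov"), yet the context line above still lists `ani-forensic-tool-type-ov` in the table of contents. Either carry the constraint over (with the spelling corrected to match the vocabulary name) when the section is re-added, or remove the now-unreferenced TOC entry; as it stands the vocabulary is advertised but nothing points at it.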
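Review bot: In the second hunk (`@@ -340,22 +270,93`), the re-added example is not a valid STIX 2.1 object: `"created_by_ref": "identity-704d9d08-060e-48f6-ace9-fde3eeb712ab"` uses a single hyphen where the identifier format requires the `--` separator (`identity--704d9d08-...`), and the `x-tool-state-evidence` object never sets `tool_ref`, so the `tool--4d82bd3e-...` object listed beside it is unconnected; add `"tool_ref": "tool--4d82bd3e-24a3-4f9d-b8f3-b57267fe06a9"` and give the object an `enter_state_time` alongside `exit_state_time`. The heading `### Example: describes a system event generated by CD-Rom` was carried over from another object and does not describe this example (steghide in the `installing` state). `**vocabulary Name**: x-tool-state-enum` is lower-cased and mislabeled: the property says the value MUST come from the enumeration, and the removed copy called it `**Enumeration Name**`; the `running` and `uninstalling` rows also have empty descriptions. In the Action properties, `name` is typed `string` but "MUST come from x-action-name-ov" while `category` is typed `open-vocab`; pick one type, and note that an `-ov` vocabulary in STIX is open, so SHOULD rather than MUST is the usual wording. `x-action-category-ov` is referenced but not defined anywhere in these hunks. `target` holds an identifier, so name it `target_ref` to match the `_ref` convention used by `tool_ref` and `evidence_refs` in the same document. The new sentence "It is a meaningful ACID (Atomicity, Consistency, Isolation, Durability) activity" borrows a database-transaction term; if the intent is that an action is atomic and indivisible, say that directly. `## Action Specific Properties` sits at H2 while the other objects use `### Properties`. Finally, since `performed_time` and `note` are removed in favour of `start_time`/`end_time`, confirm the example that follows this section is updated to the new property names.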
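Review bot: In the third hunk (`@@ -363,6 +364,37`), the description "Tools used to against steganography." is attached to `steganography` but describes `anti-steganography`, which itself has no description; also, this vocabulary lists actions, so the descriptions should be phrased as activities ("hide data in a carrier file", "detect or extract hidden data") rather than "Tools used to ...". Most of the remaining values (`power-on`, `login`, `execute`, `delete`, `read`, `write`, `update`, `modify`, `send`, `receive`, `encrypt`, `decrypt`, `plug-hardware`, `unplug-hardware`) have blank descriptions, and `write`, `update` and `modify` overlap without any text distinguishing them; add one line each so that consumers can map events consistently. The context line `## Example: An action that search for anti-forensics tools` should read "searches", and it sits at H2 while the Tool State Evidence example in the previous hunk uses `### Example`; align the heading levels while this file is being reorganised.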