add tool state object

Frank Xu
2021-02-04 11:05:18 -05:00
parent a1432eb134
commit 37d89b9bd9


@@ -13,6 +13,10 @@ The xSTIX includes a set of Cyber Forensic Objects (CFOs). These CFOs are categr
## Extension Format
- CFOs: We follow the STIX specification for [customizing objects](https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_p2sz1mp7z524). The most important rule to create a new object type is that the value of the type property in a Custom Object SHOULD start with “x-” followed by a source unique identifier (like a domain name with dots replaced by hyphens), a hyphen and then the name. For example, x-example-com-customobject.
- Open Vocabulary extension: We follow [open vovaulary extension](https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_bnnxah80y7by). Values that are not from the suggested vocabulary SHOULD be all lowercase and SHOULD use hyphens instead of spaces or underscores as word separators.
## Properites of CFOs
- [Required Properties for all CFOs](https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_xzbicbtscatx):
- **type** (string) The value of this property MUST be one of CFOs.
- **spec_version** (string): The current version is 2.1, i.e., **"spec_version": "2.1"**.
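Review bot: typos in the new heading and bullet text of this hunk: "Properites of CFOs" should be "Properties of CFOs" and "open vovaulary extension" should be "open vocabulary extension". The `type` bullet ("The value of this property MUST be one of CFOs") is also imprecise; state that the value MUST be the type name of one of the CFOs defined in this document (for example `x-tool-state`), since that is the rule the examples rely on.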
@@ -22,6 +26,7 @@ The xSTIX includes a set of Cyber Forensic Objects (CFOs). These CFOs are categr
- **modified** (timestamp): The modified property is only used by CFOs that support versioning and represents the time that this particular version of the object was last modified.
- **created_by_ref**(identifier): The object creator is the entity (e.g., system, organization, instance of a tool) that generates the id property for a given object. It is optional in STIX SDO.
- [Common Properties used in all CFOs](https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_xzbicbtscatx)
- description (string): A description that provides more details and context about the object.
- external_references (list of type external-reference): The external_references property specifies a list of external references which refers to non-STIX information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
---
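Review bot: missing space in the added bullet `- **created_by_ref**(identifier):`; write `- **created_by_ref** (identifier):` to match the neighbouring bullets. Because the Tool State example later in this commit sets this property, it would also help to say here that the value is an identifier of an `identity` object in the standard STIX `type--uuid` form.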
@@ -30,7 +35,7 @@ The xSTIX includes a set of Cyber Forensic Objects (CFOs). These CFOs are categr
- Cyber Forensic Domain Objects (CFDOs)
- [Software Lifecycle](#Software-Lifecycle)
- [Tool State Object](#Tool-State-Object)
- [Windows Event Object](#Windows-Event-Object)
- [Webpage Visit Object](#Webpage-Visit-Object)
- [Plug and Play (PnP) Event Object](#Plug-and-Play-PnP-Event-Object)
@@ -55,8 +60,72 @@ The xSTIX includes a set of Cyber Forensic Objects (CFOs). These CFOs are categr
- Property Extension
- [Extension for Windows Registry Key Object](#Extension-for-Windows-Registry-Key-Object)
- Other extension
- [threat-actor-type-ov external reference](#threat-actor-type-ov-external-reference])
- Open Vocabulary extension
- [threat-actor-type-ov extension](#threat-actor-type-ov-extension])
- [ani-forenisc-tool-type-ov](#tool-type-ov-extension)
## Tool State Object
**Type Name:** x-tool-state
The Tool State object represents an attacking (anti-forensic) tool's state at a specific time, including including downloading, installing, running, uninstalling, cleaning. Each state is exclusive. It can be a SDO Tool.
### Properties
| Property Name | Type | Description |
| ---------------- | ---------- | --------------------------------------------------------------------------------------------------------------------------------------- |
| type (required) | string | The value of this property MUST be x-tool-state. |
| state | enum | Specifies a state of tool. It MUST come from x-tool-state-enum enumeration. |
| enter_state_time | timestamp | Specifies the time a tool entering the state. |
| exit_state_time | timestamp | Specifies the time a tool exsiting the state. |
| tool_ref | identifier | An ID reference to a Tool object. If the tool is an anti-forensics tool, the type of the tool MUST come from ani-forenisc-tool-type-ov. |
### Tool State Enumeration
**Enumeration Name**: x-tool-state-enum
| Vocabulary Value | Description |
| ---------------- | ----------- |
| downloading | |
| installing | |
| running | |
| uninstalling | |
| cleaning | |
### Example: describes a system event generated by CD-Rom
```json
[
{
"type": "x-tool-state",
"spec_version": "2.1",
"id": "x-windows-evt--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"state": "installing",
"exit_state_time": "2005-02-06T20:03:00.000Z",
"created": "2021-01-06T20:03:00.000Z",
"modified": "2021-01-06T20:03:00.000Z",
"created_by_ref": "identity-704d9d08-060e-48f6-ace9-fde3eeb712ab"
},
{
"type": "tool",
"spec_version": "2.1",
"id": "tool--4d82bd3e-24a3-4f9d-b8f3-b57267fe06a9",
"created": "2015-05-15T09:12:16.432Z",
"modified": "2015-05-15T09:12:16.432Z",
"name": "steghide",
"tool_types": ["steganography"],
"tool_version": "0.5.1",
"description": "steganography",
"external_references": [
{
"source_name": "steghide",
"url": "http://steghide.sourceforge.net/"
}
]
}
]
```
## Windows Event Object
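Review bot: the example at the end of this hunk does not illustrate the object it sits under. The heading "Example: describes a system event generated by CD-Rom" was copied from the Windows Event section; the `id` uses the wrong type prefix (`"id": "x-windows-evt--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f"` should start with `x-tool-state--`); `created_by_ref` is missing the double hyphen (`identity--...`); and no `tool_ref` links the state to the `tool--4d82bd3e-...` object that follows it, so the two objects are unrelated. In the prose, "including including" is duplicated and "exsiting" should be "exiting"; in the table, `state` and `tool_ref` should be marked required (a state object without either is meaningless), and the rows of the state enumeration have empty descriptions. The TOC entry `[ani-forenisc-tool-type-ov](#tool-type-ov-extension)` points at an anchor that does not exist (the heading added later in this commit is `### ani-forenisc-type-ov extension`), and both `threat-actor-type-ov` entries carry a stray `]` inside the anchor.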
@@ -64,20 +133,14 @@ The xSTIX includes a set of Cyber Forensic Objects (CFOs). These CFOs are categr
The Windows Event object represents an event recorded by Windows OS, including applicatioin, security, steup, system, and forwarded-events.
### ID Contributing Properties
- event_source
- event_id
- event_id_string
### Properties
| Property Name | Type | Description |
| -------------------------- | ---------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| type (required) | string | The value of this property MUST be x-windows-evt-record. |
| record_number | string | Specified the number of the record. |
| time_generated | timestamp | Specified the time at which this entry was submitted. |
| time_written | timestamp | Specified the time at which this entry was received by the service to be written to the log. |
| record_number | string | Specifies the number of the record. |
| time_generated | timestamp | Specifies the time at which this entry was submitted. |
| time_written | timestamp | Specifies the time at which this entry was received by the service to be written to the log. |
| event_source | string | Specifies the name of the software or the name of a subcomponent of the application if the application is large that logs the event. |
| event_id | integer | The value is specific to the event source for the event, and is used with the source name to locate a description string in the message file for the event source. |
| event_id_string | integer | Specified the description string of event_id. |
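Review bot: the `event_id_string` row was left out of the "Specified" to "Specifies" cleanup done on the three rows above it, and it is typed `integer` although it is described as the description string of `event_id`; change the type to `string` and the text to "Specifies the description string of event_id". The unchanged intro line of this hunk also has "applicatioin" and "steup" for "application" and "setup".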
@@ -174,10 +237,6 @@ Notes:
The Webpage Visit object represents a single visit to a webpage.
### ID Contributing Properties
- url_ref
### Properties
| Property Name | Type | Description |
@@ -248,7 +307,7 @@ The completed log properties can be accessed [Microsoft office docs- Format of a
| Property Name | Type | Description |
| ---------------------- | ---------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| type (required) | string | The value of this property MUST be x-pnp-evt-record. |
| message_type | enum | The values of this property MUST come from the pnp-message-type-ov enumeration. |
| message_type | enum | The values of this property MUST come from the x-pnp-message-type-ov enumeration. |
| time_generated | timestamp | Specified the time at which this entry was submitted. |
| time_written | timestamp | Specified the time at which this entry was received by the service to be written to the log. |
| event_category | string | Indicates the category of SetupAPI operation that made the log entry. MUST be one of the predefined event_category operation strings, e.g.device installation. |
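Review bot: `time_generated` and `time_written` in this table still read "Specified the time ...", even though the identical wording was corrected to "Specifies" in the Windows Event table in this same commit; fix both rows here for consistency.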
@@ -257,7 +316,7 @@ The completed log properties can be accessed [Microsoft office docs- Format of a
### Message Type Vocabulary
Vocabulary Name: pnp-message-type-ov
Vocabulary Name: x-pnp-message-type-ov
| Vocabulary Value | Description |
| ---------------- | -------------------------------------------------------------------- |
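Review bot: naming and normativity mismatch for the renamed vocabulary. The `message_type` property above is typed `enum` and says values "MUST come from the x-pnp-message-type-ov enumeration", but the `-ov` suffix and the heading "Message Type Vocabulary" denote an open vocabulary, for which the extension format section at the top of the file says values SHOULD come from the list. Either rename it `x-pnp-message-type-enum` and keep the MUST, or change the property type to `open-vocab` and the requirement to SHOULD.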
@@ -287,25 +346,25 @@ Vocabulary Name: pnp-message-type-ov
**Type Name:** x-file-visit
The File Visit object represents properties that are associasted with a file/directory visit (for various reasons) performed by operating systems or applications. The operation to the file durint the visit can be read, create, etc. The visit may be saved in different forms, e.g., file, cache, Windows registry, etc.
The File Visit object represents properties that are associasted with a file/directory visit (for various reasons) performed by operating systems or applications. The operation to the file during the visit can be read, create, etc. The visit may be saved in different forms, e.g., file, cache, Windows registry, etc.
### Properties
| Property Name | Type | Description |
| --------------------------- | ---------- | ----------------------------------------------------------------------------------------------------------------------- |
| type (required) | string | The value of this property MUST be x-file-visit. |
| op | enum | Specifies how the file was visited. The values of this property MUST come from the file-visit-op-type-enum enumeration. |
| visit_time | timestamp | Specifies the time a file was visited. |
| visitor_ref | identifier | Specifier the a visitor, e.g., software or software components, who visited a file. |
| visit_count | integer | The total number of times the program has visited. |
| record_reason | enum | Specifies a main reasons why a software records the visit. It MUST come from the file-visit-record-reason-enum. |
| file_visited_ref (required) | identifier | Specifies a file or directory that was recently visited. |
| saved_to_ref(required) | identifier | Specifies the destination (e.g., file, registry, artifact, or directory) the record is saved to. |
| common_name | open-vocab | Specifies a name that is commonly used to describe the visit. It MUST from visit-common-name-ov. |
| Property Name | Type | Description |
| --------------------------- | ---------- | -------------------------------------------------------------------------------------------------------------------- |
| type (required) | string | The value of this property MUST be x-file-visit. |
| op | enum | Specifies how the file was visited. The values of this property MUST come from the x-file-visit-op-enum enumeration. |
| visit_time | timestamp | Specifies the time a file was visited. |
| visitor_ref | identifier | Specifier the a visitor, e.g., software or software components, who visited a file. |
| visit_count | integer | The total number of times the program has visited. |
| record_reason | enum | Specifies a main reasons why a software records the visit. It MUST come from the x-file-visit-record-reason-enum. |
| file_visited_ref (required) | identifier | Specifies a file or directory that was recently visited. |
| saved_to_ref(required) | identifier | Specifies the destination (e.g., file, registry, artifact, or directory) the record is saved to. |
| common_name | open-vocab | Specifies a name that is commonly used to describe the visit. It MUST from x-file-visit-common-name-ov. |
### File Visit Type Enum
**Vocabulary Name**: file-visit-op-type-enum
**Vocabulary Name**: x-file-visit-op-enum
| Vocabulary Value | Description |
| ---------------- | ---------------------------------------------------------------------------------------- |
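Review bot: the rename to `x-file-visit-op-enum` and `x-file-visit-record-reason-enum` is consistent, but the rewritten table still carries "Specifier the a visitor" (should be "Specifies the visitor") and "Specifies a main reasons" (should be "Specifies the main reason"), and the `common_name` row says an `open-vocab` value "MUST from x-file-visit-common-name-ov"; the sentence is missing "come", and an open vocabulary is SHOULD, not MUST. "associasted" in the description line was also left as is while "durint" was fixed in the same line.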
@@ -324,7 +383,7 @@ The File Visit object represents properties that are associasted with a file/dir
### File Visit Event Record Reason Enum
**Vocabulary Name:** file-visit-record-reason-enum
**Vocabulary Name:** x-file-visit-record-reason-enum
| Vocabulary Value | Description |
| ---------------- | --------------------------------------------------------------------------------------------------------------------------- |
@@ -340,7 +399,7 @@ The File Visit object represents properties that are associasted with a file/dir
| compatibility | To identify and fix application compatibility or portability issues, e.g., shimcache. |
| history | Not for specific reasons, just logging key activties of a software. |
**Vocabulary Name:** visit-common-name-ov
**Vocabulary Name:** x-file-visit-common-name-ov
| Term | Description |
| --------------- | ----------------------------------------------------------------------------------------------------- |
@@ -857,19 +916,19 @@ Investigation Tools are software that can be used by cyber investigators to perf
### Investigation Tool Specific Properties
| Property Name | Type | Description |
| --------------- | ----------------------- | --------------------------------------------------------------------------------------------- |
| type (required) | string | The value of this property MUST be x-investigation-tool. |
| last_modified | timestamps | The last modified date of the investigation tool. |
| description | string | A description that provides more details and context about the investigation tool. |
| tool_types | list of type open-vocab | The values for this property SHOULD come from the investigation-tool-type-ov open vocabulary. |
| aliases | list of type string | Alternative names used to identify this investigation tool. |
| tool_version | string | The version identifier associated with the investigation tool. |
| software_ref | identifier | Specifier the software product (if CPE or SWID is known) used as the investigation tool. |
| Property Name | Type | Description |
| --------------- | ----------------------- | ----------------------------------------------------------------------------------------------- |
| type (required) | string | The value of this property MUST be x-investigation-tool. |
| last_modified | timestamps | The last modified date of the investigation tool. |
| description | string | A description that provides more details and context about the investigation tool. |
| tool_types | list of type open-vocab | The values for this property SHOULD come from the x-investigation-tool-type-ov open vocabulary. |
| aliases | list of type string | Alternative names used to identify this investigation tool. |
| tool_version | string | The version identifier associated with the investigation tool. |
| software_ref | identifier | Specifier the software product (if CPE or SWID is known) used as the investigation tool. |
## Investigation Tool Type Vocabulary
**Vocabulary Name:** investigation-tool-type-ov
**Vocabulary Name:** x-investigation-tool-type-ov
Investigation Tool Type is an open vocabulary that describes the type of tools used for cyber investigations. It doesn't include common software, such as MS Office, database, etc.
| Vocabulary Value | Description |
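Review bot: two rows rewritten in this hunk keep old defects: `last_modified` is typed `timestamps` (should be `timestamp`, the type used everywhere else), and `software_ref` reads "Specifier the software product" (should be "Specifies"). Fix them here rather than in a follow-up, since the whole table is being re-emitted.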
@@ -926,7 +985,7 @@ Use an open-source software to parse and decode $LogFile records
| bytes_per_sector | integer | Specifies the number of bytes per sector. |
| is_bootable | boolean | Specifies if a partition is bootable. |
| volume_serial_number | string | Specifies the serical number of a partition. |
| partition_type | string | Specifies the type of a partition. It MUST come from a partition-type-ov open vocabulary. |
| partition_type | string | Specifies the type of a partition. It MUST come from a x-partition-type-ov open vocabulary. |
| file_sys_type | string | Specifies the type of a file system. It MUST come from the [list](https://en.wikipedia.org/wiki/Comparison_of_file_systems). |
### Relationships
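Review bot: the changed `partition_type` row is typed `string` yet says the value "MUST come from a x-partition-type-ov open vocabulary"; for an open vocabulary the type should be `open-vocab` and the requirement SHOULD, and "a x-partition-type-ov" should read "an x-partition-type-ov". The unchanged `volume_serial_number` row above has "serical" for "serial".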
@@ -937,7 +996,7 @@ Use an open-source software to parse and decode $LogFile records
### Partition Type Vocabulary
Vocabulary Name: partition-type-ov
Vocabulary Name: x-partition-type-ov
| Vocabulary Value | Description |
| ---------------- | -------------------------------------- |
@@ -998,7 +1057,7 @@ We focus on extending the data property of registry value as the data may contai
---
## threat-actor-type-ov external reference
## threat-actor-type-ov extension
| Vocabulary Value | Description |
| ------------------------------------ | ------------------------------------------------------------------------------------- |
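Review bot: the heading is renamed from "threat-actor-type-ov external reference" to "threat-actor-type-ov extension", but the table of contents added earlier in this commit still lists the old title under "Other extension" (`[threat-actor-type-ov external reference](#threat-actor-type-ov-external-reference])`) in addition to the new entry; remove the stale entry so the TOC has one working link for this section.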
@@ -1016,7 +1075,21 @@ We focus on extending the data property of registry value as the data may contai
| insider-disgruntled-embarrassing | |
| insider-disgruntled-harassing | |
| illegal-possessor | An individual that owns, produces, distributes illegal information and device. |
| online- predators | An individual that makes sexual advances to minors. |
| online-predators | An individual that makes sexual advances to minors. |
### ani-forenisc-type-ov extension
| Vocabulary Value | Description |
| ---------------- | ---------------------------------------------------------------------------------------------------------------------------- |
| deletion | |
| overwriting | |
| encryption | |
| steganography | |
| tunneling | Allow private communications to be exchanged over a public network. |
| onion-routing | The process of sending messages which are encrypted in layers, denoting layers of an onion, is referred to as onion routing. |
| spoofing | |
| obfuscation | Hide the intended meaning of the contents of a file, making it ambiguous, confusing to read, and hard to interpret. |
| anonymization | |
# references:
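Review bot: the new vocabulary heading `### ani-forenisc-type-ov extension` does not match the name used elsewhere in this commit: the Tool State table says tool types "MUST come from ani-forenisc-tool-type-ov" and the TOC links to `#tool-type-ov-extension`. Pick one name, spell it correctly ("anti-forensic"), and, per the extension format rules at the top of the file, give it the `x-` prefix (e.g. `x-anti-forensic-tool-type-ov`); as an open vocabulary the property referencing it should say SHOULD rather than MUST. Six of the nine rows (deletion, overwriting, encryption, steganography, spoofing, anonymization) have empty descriptions, and the heading level (`###`) has no enclosing `##` section, unlike the other extension sections.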
@@ -1026,6 +1099,7 @@ We focus on extending the data property of registry value as the data may contai
- https://github.com/williballenthin/python-evtx
- https://www.loggly.com/ultimate-guide/windows-logging-basics/#:~:text=The%20Windows%20event%20log%20contains,For%20example%2C%20IIS%20Access%20Logs.
- https://docs.microsoft.com/en-us/windows-hardware/drivers/install/format-of-a-text-log-section-body
- https://blog.eccouncil.org/6-anti-forensic-techniques-that-every-cyber-investigator-dreads/