mirror of
https://github.com/frankwxu/digital-forensics-lab.git
synced 2026-04-10 12:13:44 +00:00
add stix
@@ -1,8 +1,17 @@
# STIX for Digital Forensics
The goal of the project is to customize STIX™ for facilitating the sharing of Cyber Forensic Intelligence as well as building the foundations for automated digital forensic investigations. The extension includes:
The goal of the project is to extend STIX™ to (1) facilitate the sharing of Cyber Forensic Intelligence (CFI) (2) building the foundations for automated digital forensic investigations.
- create a list of customized STIX™ Cyber-observable Objects. We follow the STIX specification for [customizing objects](https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_p2sz1mp7z524). The most important rule to create a new object type is that the value of the type property in a Custom Object SHOULD start with “x-” followed by a source unique identifier (like a domain name with dots replaced by hyphens), a hyphen and then the name. For example, x-example-com-customobject.
The major extension of STIX for the goal is Digital Forensic Objects (DFO). DFO are events generated and recorded by firmware, drivers, operating systems, and software applications. These recorded events are often used to meet functional needs or non-functional requirements. For example, the Windows security feature requires logging all security-related activities for auditing. Google driver records all files status for a faster local and remote files synchronization.
Distinguish from STIX™ Objects
- Different from STIX™ Cyber-observable Objects: Digital Forensic Objects are pre-processed data instead of raw data that Cyber-observable Objects want to describe.
- Extension of STIX™ Domain Objects: Digital Forensic Objects correspond to concepts used in hosts and networks but are more intensively used for cyber investigations.
The extension details include:
- Create a list of DFOs. We follow the STIX specification for [customizing objects](https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_p2sz1mp7z524). The most important rule to create a new object type is that the value of the type property in a Custom Object SHOULD start with “x-” followed by a source unique identifier (like a domain name with dots replaced by hyphens), a hyphen and then the name. For example, x-example-com-customobject.
- property extension for Windows™ Registry Key Object. We focus on extending the data property of registry value as the data may contain rich information that needs to be organized and formalized as digital evidence. The pattern of the extension is shown below. Note that the string **"x_data"** is assigned to **"data"** (e.g., **"data": "x_data"**) as a place holder and **x_data:[]** is the extended property that contains formalized information of data.
```json
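Review bot: The hunk ends on an opening fence, `The pattern of the extension is shown below.` followed by ```json, with no JSON body and no closing fence visible in the hunk; if the file really ends there, Markdown renders everything after it as a code block, so the registry-key example and its closing ``` need to be added. Two smaller points in the same hunk: the rewritten goal sentence is not parallel, "(1) facilitate the sharing ... (2) building the foundations", so "(2) build the foundations" with an "and" between the two items reads better; and "Distinguish from STIX™ Objects" is a bare line under a `#` title, so it should be a `##` heading (e.g. `## Distinguishing from STIX™ Objects`) to match the document's own heading style. Minor wording: "Google driver records all files status" in the DFO paragraph presumably means "Google Drive records the status of all files", and "place holder" in the registry-key bullet should be "placeholder".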