add action object

This commit is contained in:
Frank Xu
2021-02-05 20:22:03 -05:00
parent 37d89b9bd9
commit 90928d16d0


@@ -4,20 +4,25 @@
The goal of the project is to explore and build an extended STIX™ (xSTIX), to exchange Cyber Forensic Intelligence (CFI). While STIX focuses on understanding, responding to, and mitigating computer-based attacks, the xSTIX allows cyber forensics communities to better understand what and how digital evidence is left on hosts and networks during these attacks and to reconstruct digital forensic-based crime scenes after attacks.
The xSTIX includes a set of Cyber Forensic Objects (CFOs). These CFOs are categrized as follows:
The xSTIX includes a set of Cyber Forensic Objects (CFOs), customized properties, and exended open vocabulary. They are categrized as follows:
- **Cyber Forensic Domain Objects (CFDOs):** CFDOs are CFI domain objects that are corresponding to concepts used in hosts and networks but are more intensively used for CFI, e.g., the concepts of file and webpage visits. Each CFO represents an event generated and recorded by firmware, drivers, operating systems, and software applications. The recorded event is often used to meet functional or non-functional requirements of a feature/system. For example, the Windows security feature requires logging all security-related activities for auditing; Google drive records all files' status for a faster local and remote files synchronization. CFOs are different from STIX Cyber-Observable Data objects because CFOs are pre-processed data in the context of CFI instead of raw data that Cyber-observable Objects want to describe.
- **Cyber Forensic observable Objects (CFOOs).** CFOOs are the extensions to STX SCO. They are used to describe Cyber-observable Objects that typically used for computer forensics. For example, a disk image object represents a computer file containing the contents and structure of a disk volume or of an entire data storage device, such as a hard disk drive, tape drive, floppy disk, optical disc, or USB flash drive.
- **Cyber Forensic observable Objects (CFOOs):** CFOOs are the extensions to STX SCO. They are used to describe Cyber-observable Objects that typically used for computer forensics. For example, a disk image object represents a computer file containing the contents and structure of a disk volume or of an entire data storage device, such as a hard disk drive, tape drive, floppy disk, optical disc, or USB flash drive.
- **Custom Properties to STIX objects:**: Customize properties of exsiting STIX objects to support forensic investigations. For example, registry value as the data may contain rich information that needs to be organized and formalized as digital evidence. The organized information will be formaized in new customized properties.
- **Open Vocabulary extension:** Add vocabulary in the field of cyber forensic investigations.
## Extension Format
- CFOs: We follow the STIX specification for [customizing objects](https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_p2sz1mp7z524). The most important rule to create a new object type is that the value of the type property in a Custom Object SHOULD start with “x-” followed by a source unique identifier (like a domain name with dots replaced by hyphens), a hyphen and then the name. For example, x-example-com-customobject.
- Open Vocabulary extension: We follow [open vovaulary extension](https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_bnnxah80y7by). Values that are not from the suggested vocabulary SHOULD be all lowercase and SHOULD use hyphens instead of spaces or underscores as word separators.
- **CFOs:** We follow the STIX specification for [customizing objects](https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_p2sz1mp7z524). The most important rule to create a new object type is that the value of the type property in a Custom Object SHOULD start with “x-” followed by a source unique identifier (like a domain name with dots replaced by hyphens), a hyphen and then the name. For example, x-example-com-customobject.
- **Custom Properties:** We follow the [doc](https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_8072zpptza86).
- **Open Vocabulary extension:** We follow [open vovaulary extension](https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_bnnxah80y7by). Values that are not from the suggested vocabulary SHOULD be all lowercase and SHOULD use hyphens instead of spaces or underscores as word separators.
## Properites of CFOs
- [Required Properties for all CFOs](https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_xzbicbtscatx):
- [Required Properties for all CFOs (CFDOs and CFOOs)](https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_xzbicbtscatx)
- **type** (string) The value of this property MUST be one of CFOs.
- **spec_version** (string): The current version is 2.1, i.e., **"spec_version": "2.1"**.
- **id** (identifier): This id MUST meet the requirements of the identifier type [see STIX section 2.9](https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_64yvzeku5a5c).
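Review bot: the rewritten intro line ("customized properties, and exended open vocabulary. They are categrized as follows") carries two typos, "exended" and "categrized"; since this line is being replaced anyway, fix them here. The same hunk also has "**Custom Properties to STIX objects:**:" with a doubled colon, "exsiting" and "formaized" in that bullet, "vovaulary" in the Open Vocabulary bullet, and the `type` row is missing the colon the other property rows use ("**type** (string) The value" vs "**spec_version** (string): ...").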
@@ -26,8 +31,8 @@ The xSTIX includes a set of Cyber Forensic Objects (CFOs). These CFOs are categr
- **modified** (timestamp): The modified property is only used by CFOs that support versioning and represents the time that this particular version of the object was last modified.
- **created_by_ref**(identifier): The object creator is the entity (e.g., system, organization, instance of a tool) that generates the id property for a given object. It is optional in STIX SDO.
- [Common Properties used in all CFOs](https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_xzbicbtscatx)
- description (string): A description that provides more details and context about the object.
- external_references (list of type external-reference): The external_references property specifies a list of external references which refers to non-STIX information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
- **description** (string): A description that provides more details and context about the object.
- **external_references** (list of type external-reference): The external_references property specifies a list of external references which refers to non-STIX information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
---
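Review bot: `created_by_ref` is listed under "Required Properties for all CFOs" but its description ends with "It is optional in STIX SDO", which leaves it unclear whether CFOs require it; state the CFO rule explicitly (e.g. "Required for all CFOs" or move it to the common-properties list). Minor: `**created_by_ref**(identifier)` is missing the space the other rows have before the type.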
@@ -35,11 +40,11 @@ The xSTIX includes a set of Cyber Forensic Objects (CFOs). These CFOs are categr
- Cyber Forensic Domain Objects (CFDOs)
- [Tool State Object](#Tool-State-Object)
- [Windows Event Object](#Windows-Event-Object)
- [Webpage Visit Object](#Webpage-Visit-Object)
- [Plug and Play (PnP) Event Object](#Plug-and-Play-PnP-Event-Object)
- [File Visit Object](#File-Visit-Object)
- [Tool State Evidence Object](#Tool-State-Evidence-Object)
- [Windows Event Evidence Object](#Windows-Event-Evidence-Object)
- [Webpage Visit Evidence Object](#Webpage-Visit-Evidence-Object)
- [Plug and Play (PnP) Event Evidence Object](#Plug-and-Play-PnP-Event-Evidence-Object)
- [File Visit Evidence Object](#File-Visit-Evidence-Object)
- [RecentFileCache](#RecentFileCache)
- [Shimcache](#Shimcache)
- [UserAssist](#UserAssist)
@@ -51,8 +56,9 @@ The xSTIX includes a set of Cyber Forensic Objects (CFOs). These CFOs are categr
- [RMU]($RMU)
- [MFT]($MFT)
- [AppLog](#AppLog)
- [Disk Image Object](#Disk-Image-Object)
- [Investigation Tool](#Investigation-Tool)
- [Disk Image Evidence Object](#Disk-Image-Evidence-Object)
- [Investigation Tool Object](#Investigation-Tool-Object)
- [Action-Object](#Action-Object)
- Cyber Forensic observable Objects (CFOOs)
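Review bot: the two context entries `[RMU]($RMU)` and `[MFT]($MFT)` use `$` instead of `#`, so those table-of-contents links will not resolve to the headings; the new `[Action-Object](#Action-Object)` entry also differs in link text from its sibling entries ("Investigation Tool Object", "Disk Image Evidence Object"), which use spaces.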
@@ -64,42 +70,47 @@ The xSTIX includes a set of Cyber Forensic Objects (CFOs). These CFOs are categr
- [threat-actor-type-ov extension](#threat-actor-type-ov-extension])
- [ani-forenisc-tool-type-ov](#tool-type-ov-extension)
## Tool State Object
## Tool State Evidence Object
**Type Name:** x-tool-state
**Type Name:** x-tool-state-evidence
The Tool State object represents an attacking (anti-forensic) tool's state at a specific time, including including downloading, installing, running, uninstalling, cleaning. Each state is exclusive. It can be a SDO Tool.
The Tool State Evidence object represents an attacking (anti-forensic) tool's state at a specific time, including downloading, installing, running, uninstalling, cleaning. Each state is exclusive.
### Properties
| Property Name | Type | Description |
| ---------------- | ---------- | --------------------------------------------------------------------------------------------------------------------------------------- |
| type (required) | string | The value of this property MUST be x-tool-state. |
| type (required) | string | The value of this property MUST be x-tool-state-evidence. |
| state | enum | Specifies a state of tool. It MUST come from x-tool-state-enum enumeration. |
| enter_state_time | timestamp | Specifies the time a tool entering the state. |
| exit_state_time | timestamp | Specifies the time a tool exsiting the state. |
| tool_ref | identifier | An ID reference to a Tool object. If the tool is an anti-forensics tool, the type of the tool MUST come from ani-forenisc-tool-type-ov. |
### Relationships
| Source | Relationship Type | Target | Description |
| ------ | ----------------- | ------ | ----------- |
### Tool State Enumeration
**Enumeration Name**: x-tool-state-enum
| Vocabulary Value | Description |
| ---------------- | ----------- |
| downloading | |
| installing | |
| running | |
| uninstalling | |
| cleaning | |
| Vocabulary Value | Description |
| ---------------- | ------------------------------------------------------- |
| downloading | A tool was downloading |
| installing | A tool was installing |
| running | |
| uninstalling | |
| cleaning | All files that are related to the tool has been removed |
### Example: describes a system event generated by CD-Rom
```json
[
{
"type": "x-tool-state",
"type": "x-tool-state-evidence",
"spec_version": "2.1",
"id": "x-windows-evt--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"id": "x-tool-state-evidence--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"state": "installing",
"exit_state_time": "2005-02-06T20:03:00.000Z",
"created": "2021-01-06T20:03:00.000Z",
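Review bot: the replacement `x-tool-state-enum` table still leaves `running` and `uninstalling` without descriptions, and the `cleaning` row should read "have been removed"; if the table is being rewritten, all five values should be defined. Two more items visible in this hunk: `tool_ref` refers to "ani-forenisc-tool-type-ov" (presumably "anti-forensic"), which matches the misspelled table-of-contents entry, so the vocabulary name should be corrected in both places; and the example heading "describes a system event generated by CD-Rom" does not describe a tool-state example.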
@@ -127,17 +138,17 @@ The Tool State object represents an attacking (anti-forensic) tool's state at a
]
```
## Windows Event Object
## Windows Event Evidence Object
**Type Name:** x-windows-evt
**Type Name:** x-windows-evt-evidence
The Windows Event object represents an event recorded by Windows OS, including applicatioin, security, steup, system, and forwarded-events.
The Windows Event Evidence object represents an event recorded by Windows OS, including applicatioin, security, steup, system, and forwarded-events.
### Properties
| Property Name | Type | Description |
| -------------------------- | ---------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| type (required) | string | The value of this property MUST be x-windows-evt-record. |
| type (required) | string | The value of this property MUST be x-windows-evt-evidence. |
| record_number | string | Specifies the number of the record. |
| time_generated | timestamp | Specifies the time at which this entry was submitted. |
| time_written | timestamp | Specifies the time at which this entry was received by the service to be written to the log. |
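Review bot: the rewritten description line keeps "applicatioin" and "steup" (application, setup); since the line is changed in this commit, correct the spelling at the same time.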
@@ -147,7 +158,7 @@ The Windows Event object represents an event recorded by Windows OS, including a
| event_type | string | It MUST be one EventType defined in [Windows Doc](https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-eventlogrecord) |
| event_category | enum | Categories help to organize events |
| user_account_ref(required) | identifier | The user account that is associated with the event. |
| saved_to_ref(required) | identity | Specifies object type that event object belongs to. It MUST be a type of file or artifact |
| source_ref(required) | identity | Specifies object type that event object belongs to. It MUST be a type of file or artifact |
Notes:
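Review bot: `source_ref(required)` is typed `identity` here but `identifier` in the Webpage Visit, PnP and File Visit tables, and its description says it must reference a file or artifact, which is an identifier, not an identity; use `identifier` for consistency. The description "Specifies object type that event object belongs to" also still reads as the old saved_to semantics.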
@@ -164,9 +175,9 @@ Notes:
```json
[
{
"type": "x-windows-evt",
"type": "x-windows-evt-evidence",
"spec_version": "2.1",
"id": "x-windows-evt--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"id": "x-windows-evt-evidence--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"record_number": "12145",
"time_generated": "2015-01-06T20:03:00.000Z",
"time_written": "2015-01-06T20:03:00.100Z",
@@ -175,7 +186,7 @@ Notes:
"event_id_string": "An account was successfully logged on",
"event_type": "EVENTLOG_AUDIT_SUCCESS",
"user_account_ref ": "user-account--68f0b7d5-f7ab-47d2-8773-739ceb1c11bb",
"saved_to_ref": "file--79e0da61-48e2-4552-874f-83d74262f39d",
"source_ref": "file--79e0da61-48e2-4552-874f-83d74262f39d",
"created": "2021-01-06T20:03:00.000Z",
"modified": "2021-01-06T20:03:00.000Z",
"created_by_ref": "identity-704d9d08-060e-48f6-ace9-fde3eeb712ab",
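Review bot: two defects in the example JSON are visible in this hunk: the key `"user_account_ref "` has a trailing space, so it does not match the `user_account_ref` property in the table, and `"identity-704d9d08-..."` uses a single hyphen where STIX identifiers use `type--uuid` (`identity--704d9d08-...`).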
@@ -213,44 +224,44 @@ Notes:
```json
{
"type": "x-windows-evt-record",
"type": "x-windows-evt-evidence",
"spec_version": "2.1",
"id": "x-windows-evt--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"id": "x-windows-evt-evidence--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"record_number": "4512",
"time_generated": "2015-01-06T20:03:00.000Z",
"time_written": "2015-01-06T20:03:00.100Z",
"event_source": "cdrom",
"event_id": "16388",
"user_account_ref ": "user-account--68f0b7d5-f7ab-47d2-8773-739ceb1c11bb",
"saved_to_ref": "file--79e0da61-48e2-4552-874f-83d74262f39d",
"source_ref": "file--79e0da61-48e2-4552-874f-83d74262f39d",
"created": "2021-01-06T20:03:00.000Z",
"modified": "2021-01-06T20:03:00.000Z",
"user_account_ref ": "user-account--68f0b7d5-f7ab-47d2-8773-739ceb1c11bb",
"saved_to_ref": "file--e2dd9934-e6aa-440a-9d51-21ccf990c4f5",
"source_ref": "file--e2dd9934-e6aa-440a-9d51-21ccf990c4f5",
"created_by_ref": "identity-704d9d08-060e-48f6-ace9-fde3eeb712ab"
}
```
## Webpage Visit Object
## Webpage Visit Evidence Object
**Type Name:** x-webpage-visit
**Type Name:** x-webpage-visit-evidence
The Webpage Visit object represents a single visit to a webpage.
The Webpage Visit Evidence object represents a single visit to a webpage.
### Properties
| Property Name | Type | Description |
| ---------------------- | ---------- | ------------------------------------------------------------------------------------------ |
| type (required) | string | The value of this property MUST be x-webpage-visit-record. |
| record_number | string | Specifies the unique entry ID in a file (i.e., save_to_ref) that the event saved to. |
| url_ref | identifier | Specify a visit to a URL. |
| title | string | Specifies the title of a web page (if a URL is a webpage) that has been visited. |
| visit_time | timestamp | The last time visited. |
| visit_count | integer | The number of times visited |
| browser_ref | identifier | The value type for this property SHOULD software. |
| file_requested_ref | identifier | The ID of the file the HTTP requested. |
| user_account_ref | identifier | The user account that is associated with the record. |
| saved_to_ref(required) | identifier | Specifies object type that event object belongs to. It MUST be a type of file or artifact. |
| Property Name | Type | Description |
| -------------------- | ---------- | ------------------------------------------------------------------------------------------ |
| type (required) | string | The value of this property MUST be x-webpage-visit-evidence. |
| record_number | string | Specifies the unique entry ID in a file (i.e., save_to_ref) that the event saved to. |
| url_ref | identifier | Specify a visit to a URL. |
| title | string | Specifies the title of a web page (if a URL is a webpage) that has been visited. |
| visit_time | timestamp | The last time visited. |
| visit_count | integer | The number of times visited |
| browser_ref | identifier | The value type for this property SHOULD software. |
| file_requested_ref | identifier | The ID of the file the HTTP requested. |
| user_account_ref | identifier | The user account that is associated with the record. |
| source_ref(required) | identifier | Specifies object type that event object belongs to. It MUST be a type of file or artifact. |
### Relationships
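Review bot: the Windows Event example in this hunk contains `user_account_ref`, `source_ref`, `created` and `modified` twice in the same JSON object (once before and once after the first `created`/`modified` pair), with two different `source_ref` values; duplicate keys are not valid STIX and most parsers will silently keep only the last value, so drop one set. In the rewritten Webpage Visit table, the `record_number` description still refers to `save_to_ref`, which no longer exists after the rename to `source_ref`.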
@@ -262,9 +273,9 @@ The Webpage Visit object represents a single visit to a webpage.
```json
[
{
"type": "x-webpage-visit",
"type": "x-webpage-visit-evidence",
"spec_version": "2.1",
"id": "x-webpage-visit--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"id": "x-webpage-visit-evidence--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"url_ref": "url--9cc5a5dc-0acd-46f5-ae3f-724370087622",
"title": "B.S. in Cyber Forensics | University of Baltimore",
"visit-time": "2021-01-06T20:03:22.000Z",
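Review bot: the example uses `"visit-time"` while the property table defines `visit_time`; the hyphenated key will not be recognised as that property.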
@@ -272,7 +283,7 @@ The Webpage Visit object represents a single visit to a webpage.
"browser_ref": "software--b67a8d52-d438-4ace-8285-c6d485e34192",
"file_requested_ref ": "file--10624790-0e43-4498-89da-8979ab4215ae",
"user_account_ref ": "user-account--68f0b7d5-f7ab-47d2-8773-739ceb1c11bb",
"saved_to_ref": "file--843f6a43-0603-4e0d-84a4-198386eecf4f",
"source_ref": "file--843f6a43-0603-4e0d-84a4-198386eecf4f",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created": "2014-04-06T20:03:00.000Z",
"modified": "2014-04-06T20:03:00.000Z"
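Review bot: `"file_requested_ref "` and `"user_account_ref "` carry trailing spaces inside the key names, so they do not match the table's `file_requested_ref` and `user_account_ref`; trim them when touching this block.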
@@ -294,25 +305,25 @@ The Webpage Visit object represents a single visit to a webpage.
]
```
## Plug and Play (PnP) Event Object
## Plug and Play (PnP) Event Evidence Object
**Type Name:** x-pnp-evt
**Type Name:** x-pnp-evt-evidence
The Plug and Play (PnP) Event object represents an event recorded by Windows Kernel-Mode Plug (pnp) and Play Manager. PnP manager is a combination of hardware technology and software techniques that enables a PC to recognize when a device is added to the system. With PnP, the system configuration can change with little or no input from the user.
The Plug and Play (PnP) Event Evidence object represents an event recorded by Windows Kernel-Mode Plug (pnp) and Play Manager. PnP manager is a combination of hardware technology and software techniques that enables a PC to recognize when a device is added to the system. With PnP, the system configuration can change with little or no input from the user.
### Properties
The completed log properties can be accessed [Microsoft office docs- Format of a text log section body](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/format-of-a-text-log-section-body)
| Property Name | Type | Description |
| ---------------------- | ---------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| type (required) | string | The value of this property MUST be x-pnp-evt-record. |
| message_type | enum | The values of this property MUST come from the x-pnp-message-type-ov enumeration. |
| time_generated | timestamp | Specified the time at which this entry was submitted. |
| time_written | timestamp | Specified the time at which this entry was received by the service to be written to the log. |
| event_category | string | Indicates the category of SetupAPI operation that made the log entry. MUST be one of the predefined event_category operation strings, e.g.device installation. |
| formatted_message | string | Contains the specific information that applies to the log entry. |
| saved_to_ref(required) | identifier | Specifies object type that event object belongs to. It MUST be a type of file or artifact (e.g., cache, memory), e.g., steupAPI.log |
| Property Name | Type | Description |
| -------------------- | ---------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| type (required) | string | The value of this property MUST be x-pnp-evt-evidence. |
| message_type | enum | The values of this property MUST come from the x-pnp-message-type-ov enumeration. |
| time_generated | timestamp | Specified the time at which this entry was submitted. |
| time_written | timestamp | Specified the time at which this entry was received by the service to be written to the log. |
| event_category | string | Indicates the category of SetupAPI operation that made the log entry. MUST be one of the predefined event_category operation strings, e.g.device installation. |
| formatted_message | string | Contains the specific information that applies to the log entry. |
| source_ref(required) | identifier | Specifies object type that event object belongs to. It MUST be a type of file or artifact (e.g., cache, memory), e.g., steupAPI.log |
### Message Type Vocabulary
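Review bot: the rewritten PnP table keeps "steupAPI.log" (setupapi.log) in the `source_ref` row and "Specified the time" in the `time_generated` and `time_written` rows; while these rows are being replaced, correct both. The `message_type` row also calls `x-pnp-message-type-ov` an enumeration, but the `-ov` suffix and the "Message Type Vocabulary" heading below describe it as an open vocabulary; pick one.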
@@ -328,25 +339,25 @@ Vocabulary Name: x-pnp-message-type-ov
```json
{
"type": "x-pnp-evt",
"type": "x-pnp-evt-evidence",
"spec_version": "2.1",
"id": "x-pnp-evt--58959aae-d1e0-4e12-a879-270efe33c6e3",
"id": "x-pnp-evt-evidence--58959aae-d1e0-4e12-a879-270efe33c6e3",
"message_type": "other-info",
"time_written": "2021-01-06T20:03:22.000Z",
"event_category": "device installation",
"formatted_message ": "Device Install (Hardware initiated) - USB\\VID_0781&PID_5517\\4C5300124505311010593",
"saved_to_ref": "file--176353bd-b61d-4944-b0cd-0b98783c50b5",
"source_ref": "file--176353bd-b61d-4944-b0cd-0b98783c50b5",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created": "2014-04-06T20:03:00.000Z",
"modified": "2014-04-06T20:03:00.000Z"
}
```
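Review bot: `"formatted_message "` has a trailing space in the key name and therefore does not match the `formatted_message` property defined in the table.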
## File Visit Object
## File Visit Evidence Object
**Type Name:** x-file-visit
**Type Name:** x-file-visit-evidence
The File Visit object represents properties that are associasted with a file/directory visit (for various reasons) performed by operating systems or applications. The operation to the file during the visit can be read, create, etc. The visit may be saved in different forms, e.g., file, cache, Windows registry, etc.
The File Visit object represents properties that are associasted with a file/directory/network directory visit (for various reasons) performed by operating systems or applications. The operation to the file during the visit can be read, create, etc. The visit may be saved in different forms, e.g., file, cache, Windows registry, etc.
### Properties
@@ -359,10 +370,10 @@ The File Visit object represents properties that are associasted with a file/dir
| visit_count | integer | The total number of times the program has visited. |
| record_reason | enum | Specifies a main reasons why a software records the visit. It MUST come from the x-file-visit-record-reason-enum. |
| file_visited_ref (required) | identifier | Specifies a file or directory that was recently visited. |
| saved_to_ref(required) | identifier | Specifies the destination (e.g., file, registry, artifact, or directory) the record is saved to. |
| source_ref(required) | identifier | Specifies the destination (e.g., file, registry, artifact, or directory) the record is saved to. |
| common_name | open-vocab | Specifies a name that is commonly used to describe the visit. It MUST from x-file-visit-common-name-ov. |
### File Visit Type Enum
### File Visit Operation Enum
**Vocabulary Name**: x-file-visit-op-enum
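Review bot: the `source_ref(required)` row was renamed but its description still says "Specifies the destination ... the record is saved to", which is the saved_to wording; reword it to describe the source of the record so the name and description agree.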
@@ -424,15 +435,15 @@ RecentFileCache.bcf only contains references to programs that were recently exec
```json
[
{
"type": "x-file-visit",
"type": "x-file-visit-evidence",
"spec_version": "2.1",
"id": "x-file-visit--83aee86d-1523-4111-938e-8edc8a6c804f",
"id": "x-file-visit-evidence--83aee86d-1523-4111-938e-8edc8a6c804f",
"op": "execute",
"visit_time ": "2021-01-06T20:03:22.000Z",
"file_visited_ref ": "file--7bd8980c-91eb-461a-a357-ae75a35374e6",
"record_reason": "performance",
"visitor_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228",
"saved_to_ref": "file--176353bd-b61d-4944-b0cd-0b98783c50b5",
"source_ref": "file--176353bd-b61d-4944-b0cd-0b98783c50b5",
"common_name": "recentfilecache",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created": "2021-04-06T20:03:00.000Z",
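Review bot: `"visit_time "` and `"file_visited_ref "` have trailing spaces in their key names, so they do not match the `visit_time` and `file_visited_ref` properties; the same two keys appear in every File Visit example in this commit and should be trimmed throughout.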
@@ -475,15 +486,15 @@ Shimcache is created to identify application compatibility issues. Two actions/e
```json
[
{
"type": "x-file-visit",
"type": "x-file-visit-evidence",
"spec_version": "2.1",
"id": "x-file-visit--83aee86d-1523-4111-938e-8edc8a6c804f",
"id": "x-file-visit-evidence--83aee86d-1523-4111-938e-8edc8a6c804f",
"op": "execute",
"visit_time ": "2021-01-06T20:03:22.000Z",
"file_visited_ref ": "file--7bd8980c-91eb-461a-a357-ae75a35374e6",
"record_reason": "compatibility",
"visitor_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228",
"saved_to_ref": "windows-registry-key--2ba37ae7-2745-5082-9dfd-9486dad41016",
"source_ref": "windows-registry-key--2ba37ae7-2745-5082-9dfd-9486dad41016",
"common_name": "shimcache",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created": "2021-04-06T20:03:00.000Z",
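Review bot: the Shimcache example reuses the id `x-file-visit-evidence--83aee86d-1523-4111-938e-8edc8a6c804f` from the RecentFileCache example, so two distinct evidence objects share one identifier; give each example its own UUID.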
@@ -513,16 +524,16 @@ An Example of a Security ID (SID) is S-1-5-21-394942887-4226445097-2438273937-10
```json
[
{
"type": "x-file-visit",
"type": "x-file-visit-evidence",
"spec_version": "2.1",
"id": "x-file-visit--2bec785c-e1b0-4834-9a3a-9d04bd0749fe",
"id": "x-file-visit-evidence--2bec785c-e1b0-4834-9a3a-9d04bd0749fe",
"op": "execute",
"visit_time ": "2021-01-06T20:03:22.000Z",
"visit_count": 1,
"file_visited_ref ": "file--150c4200-02c6-475d-ac44-2d4e65de9f36",
"record_reason": "usability",
"visitor_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228",
"saved_to_ref": "windows-registry-key--2ba37ae7-2745-5082-9dfd-9486dad41016",
"source_ref": "windows-registry-key--2ba37ae7-2745-5082-9dfd-9486dad41016",
"common_name": "userassist",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created": "2021-04-06T20:03:00.000Z",
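Review bot: the UserAssist example's id `x-file-visit-evidence--2bec785c-e1b0-4834-9a3a-9d04bd0749fe` is also used by the USN Journal and Jumplist examples later in this commit; identifiers must be unique per object, so assign separate UUIDs.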
@@ -551,16 +562,16 @@ Prefetch preloads the most frequently used software into memory. The Typeshows t
```json
[
{
"type": "x-file-visit",
"type": "x-file-visit-evidence",
"spec_version": "2.1",
"id": "x-file-visit--116964e0-56c8-42ef-850c-9b84e4fc6b4f",
"id": "x-file-visit-evidence--116964e0-56c8-42ef-850c-9b84e4fc6b4f",
"op": "execute",
"visit_time ": "2021-01-06T20:03:22.000Z",
"visit_count": 71,
"file_visited_ref ": "file--150c4200-02c6-475d-ac44-2d4e65de9f36",
"record_reason": "performance",
"visitor_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228",
"saved_to_ref": "file--2ba37ae7-2745-5082-9dfd-9486dad41016",
"source_ref": "file--2ba37ae7-2745-5082-9dfd-9486dad41016",
"common_name": "prefetch",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created": "2021-04-06T20:03:00.000Z",
@@ -591,15 +602,15 @@ USN (Update Sequence Number) Journal records all files' changes (e.g.., rename)
```json
[
{
"type": "x-file-visit",
"type": "x-file-visit-evidence",
"spec_version": "2.1",
"id": "x-file-visit--2bec785c-e1b0-4834-9a3a-9d04bd0749fe",
"id": "x-file-visit-evidence--2bec785c-e1b0-4834-9a3a-9d04bd0749fe",
"op": "modify",
"visit_time ": "2021-01-06T20:03:22.000Z",
"file_visited_ref ": "file--150c4200-02c6-475d-ac44-2d4e65de9f36",
"record_reason": "reliability",
"visitor_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228",
"saved_to_ref": "file--2ba37ae7-2745-5082-9dfd-9486dad41016",
"source_ref": "file--2ba37ae7-2745-5082-9dfd-9486dad41016",
"common_name": "usnjournal",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created": "2021-04-06T20:03:00.000Z",
@@ -630,15 +641,15 @@ Windows uses the Shellbag keys to store user preferences for GUI folder display
```json
[
{
"type": "x-file-visit",
"type": "x-file-visit-evidence",
"spec_version": "2.1",
"id": "x-file-visit--36e6b5d9-f04e-45f0-90fd-ead11a3069a6",
"id": "x-file-visit-evidence--36e6b5d9-f04e-45f0-90fd-ead11a3069a6",
"op": "read",
"visit_time ": "2021-01-06T20:03:22.000Z",
"file_visited_ref ": "directory--28d2e12c-c56c-4aaf-aeed-d0b69ccc601c",
"record_reason": "performance",
"visitor_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228",
"saved_to_ref": "windows-registry-key--14a4a46c-0957-4b9d-900d-35cb8379055c",
"source_ref": "windows-registry-key--14a4a46c-0957-4b9d-900d-35cb8379055c",
"common_name": "shellbag",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created": "2021-04-06T20:03:00.000Z",
@@ -666,15 +677,15 @@ Jumplist represents a list of items and tasks displayed as a menu on a Windows 7
```json
[
{
"type": "x-file-visit",
"type": "x-file-visit-evidence",
"spec_version": "2.1",
"id": "x-file-visit--2bec785c-e1b0-4834-9a3a-9d04bd0749fe",
"id": "x-file-visit-evidence--2bec785c-e1b0-4834-9a3a-9d04bd0749fe",
"op": "read",
"visit_time ": "2021-01-06T20:03:22.000Z",
"file_visited_ref ": "file--28d2e12c-c56c-4aaf-aeed-d0b69ccc601c",
"record_reason": "performance",
"visitor_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228",
"saved_to_ref": "windows-registry-key--14a4a46c-0957-4b9d-900d-35cb8379055c",
"source_ref": "windows-registry-key--14a4a46c-0957-4b9d-900d-35cb8379055c",
"common_name": "jumplist",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created": "2021-04-06T20:03:00.000Z",
@@ -705,15 +716,15 @@ lnk is a shortcut or "link" used by Windows as a reference to an original file,
```json
[
{
"type": "x-file-visit",
"type": "x-file-visit-evidence",
"spec_version": "2.1",
"id": "x-file-visit--ac69c037-c578-4c5e-ad6a-23d53a0b1d6e",
"id": "x-file-visit-evidence--ac69c037-c578-4c5e-ad6a-23d53a0b1d6e",
"op": "read",
"visit_time ": "2021-01-06T20:03:22.000Z",
"file_visited_ref ": "file-8c33da4c-fb61-4658-b28c-a5c60f561d78",
"record_reason": "usability",
"visitor_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228",
"saved_to_ref": "file--676b743a-3a56-4084-aeb5-fa9cfadf5663",
"source_ref": "file--676b743a-3a56-4084-aeb5-fa9cfadf5663",
"common_name": "lnk",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created": "2021-04-06T20:03:00.000Z",
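Review bot: `"file_visited_ref ": "file-8c33da4c-..."` uses a single hyphen between type and UUID; STIX identifiers are `file--<uuid>`, so this reference will not resolve.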
@@ -744,15 +755,15 @@ Most Recently Used files.
```json
[
{
"type": "x-file-visit",
"type": "x-file-visit-evidence",
"spec_version": "2.1",
"id": "x-file-visit--8cdbf030-89d9-48be-b733-5f4900706f0e",
"id": "x-file-visit-evidence--8cdbf030-89d9-48be-b733-5f4900706f0e",
"op": "read",
"visit_time ": "2021-01-06T20:03:22.000Z",
"file_visited_ref ": "file-8c33da4c-fb61-4658-b28c-a5c60f561d78",
"record_reason": "usability",
"visitor_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228",
"saved_to_ref": "file--676b743a-3a56-4084-aeb5-fa9cfadf5663",
"source_ref": "file--676b743a-3a56-4084-aeb5-fa9cfadf5663",
"common_name": "rmu",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created": "2021-04-06T20:03:00.000Z",
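Review bot: as in the lnk example, `"file-8c33da4c-..."` in `file_visited_ref` needs the double hyphen (`file--8c33da4c-...`) to be a valid STIX identifier.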
@@ -783,15 +794,15 @@ A desktop.ini in MFT
```json
[
{
"type": "x-file-visit",
"type": "x-file-visit-evidence",
"spec_version": "2.1",
"id": "x-file-visit--9880e636-38b0-471a-8266-8a622a95b3a5",
"id": "x-file-visit-evidence--9880e636-38b0-471a-8266-8a622a95b3a5",
"op": "other",
"visit_time ": "2021-01-06T20:03:22.000Z",
"file_visited_ref": "file-f7d4aa7a-d02c-481e-8bdc-450cb0669b5d",
"record_reason": "functionality",
"visitor_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228",
"saved_to_ref": "file--19be1a16-4b87-4fc4-b056-dc9e0389d4bd",
"source_ref": "file--19be1a16-4b87-4fc4-b056-dc9e0389d4bd",
"common_name": "mft",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created": "2021-04-06T20:03:00.000Z",
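Review bot: `"file_visited_ref": "file-f7d4aa7a-..."` is malformed for the same reason; it should be `file--f7d4aa7a-...`.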
@@ -822,15 +833,15 @@ An event logged by Google drive. The event shows a file (happy_holiday.jpg) has
```json
[
{
"type": "x-file-visit",
"type": "x-file-visit-evidence",
"spec_version": "2.1",
"id": "x-file-visit--a2b48cc8-aaba-429f-9c1f-bcf1dbf3ada2",
"id": "x-file-visit-evidence--a2b48cc8-aaba-429f-9c1f-bcf1dbf3ada2",
"op": "delete",
"visit_time ": "2021-01-06T20:03:22.000Z",
"file_visited_ref ": "file-8cdbf030-89d9-48be-b733-5f4900706f0e",
"record_reason": "functionality",
"visitor_ref": "software--764c3bcd-e053-46dc-b77d-51de1a311b39",
"saved_to_ref": "file--d5faf70b-36b8-437c-9137-6c0fc83b1e69",
"source_ref": "file--d5faf70b-36b8-437c-9137-6c0fc83b1e69",
"common_name": "applog",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created": "2021-04-06T20:03:00.000Z",
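Review bot: `"visit_time "` and `"file_visited_ref "` again have trailing spaces in the key names, and the `file-8cdbf030-...` reference lacks the `--` separator. Note also that the UUID in that reference (`8cdbf030-89d9-48be-b733-5f4900706f0e`) is the same one used as the id of the first x-file-visit-evidence object in this commit, so the Google Drive example appears to point a file reference at a visit-evidence object rather than at a file; a distinct file UUID would make the example self-consistent.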
@@ -863,7 +874,7 @@ An event logged by Google drive. The event shows a file (happy_holiday.jpg) has
]
```
## Disk Image Object
## Disk Image Evidence Object
**Type Name:** x-disk-image
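Review bot: the heading is renamed to "Disk Image Evidence Object" but the `**Type Name:** x-disk-image` line directly under it is left unchanged, while the example further down in this same commit switches to `x-disk-image-evidence`. Update the type name here (and the `type (required)` row of the property table, if it states a MUST value) so the section agrees with its own example.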
@@ -889,9 +900,9 @@ An event logged by Google drive. The event shows a file (happy_holiday.jpg) has
```json
{
"type": "x-disk-image",
"type": "x-disk-image-evidence",
"spec_version": "2.1",
"id": "x-disk-image--87a3e4ee-102c-4cc9-9017-96089a0e0680",
"id": "x-disk-image-evidence--87a3e4ee-102c-4cc9-9017-96089a0e0680",
"partitions": [
"x-investigation-tool--c65a985d-dc31-441e-840b-54381cef4e31",
"x-investigation-tool--9bc65596-8fa7-441c-b5a1-71a43d46b221"
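Review bot: the `partitions` list in this x-disk-image-evidence example references two `x-investigation-tool--...` ids. By the property name these should reference disk partition objects (the page defines a partition object with type name `x-disk-parition` below), not investigation tools; replace them with partition ids, e.g. `x-disk-partition--<uuid>` using whichever spelling the partition section settles on. The `type`/`id` prefix rename itself looks fine.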
@@ -906,14 +917,12 @@ An event logged by Google drive. The event shows a file (happy_holiday.jpg) has
}
```
## Investigation Tool
## Investigation Tool Object
**Type Name:** x-investigation-tool
Investigation Tools are software that can be used by cyber investigators to perform digital forensic investigations. This CFO MUST NOT be used to characterize malware and SDO tools.
### Optional Common Properties: external_references
### Investigation Tool Specific Properties
| Property Name | Type | Description |
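Review bot: the hunk header reports 14 lines replaced by 12, so this hunk removes more than the one-line heading rename, but the commit message ("add action object") does not say what is dropped from the Investigation Tool section; please mention it. Separately, "MUST NOT be used to characterize malware and SDO tools" is ambiguous; suggest "MUST NOT be used to characterize malware or the STIX Tool SDO" so readers know which STIX object is meant.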
@@ -964,6 +973,80 @@ Use an open-source software to parse and decode $LogFile records
}
```
## Action Object
**Type Name:** x-action
An action is one cyber criminal activity performed by a suspect.
## Action Specific Properties
| Property Name | Type | Description |
| --------------- | ----------------------- | ------------------------------------------------------------------------ |
| type (required) | string | The value of this property MUST be x-action. |
| name | string | Specifies the name of an action. |
| description | string | A description that provides more details and context about the Action. |
| performed_time | timestamp | Specified the time that performed an action. |
| note | string | Additional note that describes an action. |
| evidence_ref | list of type identifier | Specifies a list of evidence objects that are associated with an action. |
### Relationships
| Source | Relationship Type | Target | Description |
| ------ | ----------------- | ------ | ----------- |
## Example: An action that search for anti-forensics tools
```json
[
{
"type": "x-action",
"spec_version": "2.1",
"id": "x-action--87a3e4ee-102c-4cc9-9017-96089a0e0680",
"name": "Search anti-forensic tool online",
"description": "Search application online using IE",
"performed_time ": "2015-25-25T14:46:44:44Z",
"evidence_ref ": "[x-webpage-visit-evidence--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f]",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created": "2021-04-06T20:03:00.000Z",
"modified": "2021-04-06T20:03:00.000Z"
},
{
"type": "x-webpage-visit-evidence",
"spec_version": "2.1",
"id": "x-webpage-visit-evidence--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"url_ref": "url--9cc5a5dc-0acd-46f5-ae3f-724370087622",
"visit-time": "2015-25-25T14:46:44:44Z",
"visit-count": 2,
"browser_ref": "software--b67a8d52-d438-4ace-8285-c6d485e34192",
"user_account_ref ": "user-account--68f0b7d5-f7ab-47d2-8773-739ceb1c11bb",
"source_ref": "file--843f6a43-0603-4e0d-84a4-198386eecf4f",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created": "2014-04-06T20:03:00.000Z",
"modified": "2014-04-06T20:03:00.000Z"
}
]
```
## Example: Install ccleaner tool
```json
{
"type": "x-action",
"spec_version": "2.1",
"id": "x-action--87a3e4ee-102c-4cc9-9017-96089a0e0680",
"name": "Install ccleaner tool",
"description": "Install ccleaner anti-forensic tool",
"performed_time ": "2015-25-25T14:46:44:44Z",
"evidence_ref ": "[x-tool-state-evidence--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f, x-file-visit-evidence--83aee86d-1523-4111-938e-8edc8a6c804f]",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created": "2021-04-06T20:03:00.000Z",
"modified": "2021-04-06T20:03:00.000Z"
}
```
---
## Disk Partition Object
**Type Name:** x-disk-parition
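Review bot: `evidence_ref` is declared as "list of type identifier" but both examples serialize it as a single string containing brackets, e.g. `"evidence_ref ": "[x-webpage-visit-evidence--8e2e2d2b-...]"`; this should be a JSON array, `"evidence_ref": ["x-webpage-visit-evidence--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f"]`, and the key must not carry a trailing space (same for `"performed_time "` and `"user_account_ref "`). Further points in this hunk: both x-action examples reuse the id `x-action--87a3e4ee-102c-4cc9-9017-96089a0e0680`, which is also the UUID of the disk image example, so give each object its own UUID; `2015-25-25T14:46:44:44Z` is not a valid timestamp (month 25, and an extra `:44` after the seconds); the webpage-visit object uses `visit-time`/`visit-count` with hyphens while every other property on the page is snake_case; the Relationships table has a header but no rows, so either fill it or state that no relationships are defined; "## Action Specific Properties" should be "###" to match "### Investigation Tool Specific Properties"; "Specified the time that performed an action" should read "Specifies the time at which the action was performed"; and "An action that search for" should be "An action that searches for". The trailing context line `**Type Name:** x-disk-parition` also has a typo (parition) that a follow-up could fix.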
@@ -987,6 +1070,7 @@ Use an open-source software to parse and decode $LogFile records
| volume_serial_number | string | Specifies the serical number of a partition. |
| partition_type | string | Specifies the type of a partition. It MUST come from a x-partition-type-ov open vocabulary. |
| file_sys_type | string | Specifies the type of a file system. It MUST come from the [list](https://en.wikipedia.org/wiki/Comparison_of_file_systems). |
| label | string | Specifies the label of the paritition, e.g., "C", "D", "E", etc. |
### Relationships
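Review bot: the added `label` row spells "paritition"; it should be "partition". The neighbouring context row also has "serical number" for "serial number", and since the property table is being edited anyway this is a cheap moment to fix both. The description could also say whether the label is the drive letter only ("C") or may be a free-form volume label, since the examples given are all single letters.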
@@ -1023,6 +1107,7 @@ Specify a partition with NTFS
"volume_serial_number": "c8ca0c8dca0c7a48",
"partition_type": "dos",
"file_sys_type ": "ntfs",
"label": "C",
"part-of": "x-disk-image-42eaa6d5-93ad-46f0-95f2-8343094abe52"
}
```
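Review bot: the new `"label": "C"` line is fine, but the example around it still has `"file_sys_type "` with a trailing space in the key, and `"part-of": "x-disk-image-42eaa6d5-..."` uses a hyphenated key and a reference that lacks the `--` separator and does not reflect the `x-disk-image-evidence` type name introduced earlier in this commit. Suggest `"file_sys_type": "ntfs"` and either a snake_case property `"part_of_ref": "x-disk-image-evidence--42eaa6d5-93ad-46f0-95f2-8343094abe52"` or expressing the link as a relationship in the (currently empty) Relationships table.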