diff --git a/STIX_for_digital_forensics/CFO_intro.svg b/STIX_for_digital_forensics/CFO_intro.svg index 2d99f81..b565c0d 100644 --- a/STIX_for_digital_forensics/CFO_intro.svg +++ b/STIX_for_digital_forensics/CFO_intro.svg @@ -3,7 +3,7 @@ + xml:space="preserve" color-interpolation-filters="sRGB" class="st15"> @@ -12,27 +12,40 @@ + + + + + + + + + + + - @@ -44,7 +57,166 @@ Page-1 - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Plain.1125 + + + + + + + + + + + + + + + + + + + + + + + + + Sheet.1126 + + Sheet.1127 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Sheet.1128 + Object Types + + Sheet.1129 + + + + + + + + + + + + + + + + + + + + + + + + Object Types + + + Rectangle x-disk-partition--1 @@ -52,9 +224,9 @@ - - x-disk-partition--1 - + + x-disk-partition--1 + Rectangle.4 x-secondary-storage--1 @@ -62,9 +234,9 @@ - - x-secondary-storage--1 - + + x-secondary-storage--1 + Rectangle.5 x-image--1 @@ -72,9 +244,9 @@ - - x-image--1 - + + x-image--1 + Rectangle.1000 x-action--1 @@ -82,9 +254,9 @@ - - x-action--1 - + + x-action--1 + Rectangle.1001 indicator--1 @@ -92,9 +264,9 @@ - - indicator--1 - + + indicator--1 + Rectangle.1002 observed-data--1 @@ -102,9 +274,9 @@ - - observed-data--1 - + + observed-data--1 + Rectangle.1003 x-webpage-visit--1 @@ -112,9 +284,9 @@ - - x-webpage-visit--1 - + + x-webpage-visit--1 + Rectangle.1004 x-computer--1 @@ -122,9 +294,9 @@ - - x-computer--1 - + + x-computer--1 + Rectangle.1005 x-crime-case--1 @@ -132,9 +304,9 @@ - - x-crime-case--1 - + + x-crime-case--1 + Rectangle.1006 x-timeline--1 @@ -142,9 +314,9 @@ - - x-timeline--1 - + + x-timeline--1 + Rectangle.1008 x-action--2 @@ -152,9 +324,9 @@ - - x-action--2 - + + x-action--2 + Rectangle.1009 x-image—2 @@ -162,18 +334,18 @@ - - x-image2 - + + x-image2 + Dynamic connector.1011 evidence-of - - - evidence-of - + + + evidence-of + Rectangle.1012 user-account --1 
@@ -181,92 +353,92 @@ - - user-account --1 - + + user-account --1 + Dynamic connector.1013 exploits - - - exploits - + + + exploits + Dynamic connector.1014 action_refs - - - action_refs - + + + action_refs + Dynamic connector.1017 Indicated-by - - - Indicated-by - + + + Indicated-by + Dynamic connector.1018 based-on - - - based-on - + + + based-on + Dynamic connector.1019 object_refs - - - object_refs - + + + object_refs + Dynamic connector.1021 image-of - - - image-of - + + + image-of + Dynamic connector.1024 evidence-of - - - evidence-of - + + + evidence-of + Dynamic connector.1025 action_refs - - - action_refs - + + + action_refs + Dynamic connector.1026 has - - - - has - + + + + has + Dynamic connector.1027 reconstructed_from - - - reconstructed_from - + + + reconstructed_from + Rectangle.1028 file--2 @@ -274,18 +446,18 @@ - - file--2 - + + file--2 + Dynamic connector.1029 source_ref - - - source_ref - + + + source_ref + Rectangle.1030 software--2 @@ -293,72 +465,72 @@ - - software--2 - + + software--2 + Dynamic connector.1031 browser_ref - - - browser_ref - + + + browser_ref + Sheet.1032 directory-1 - - directory-1 - + + directory-1 + Dynamic connector.1033 parent_directory_ref - - - parent_directory_ref - + + + parent_directory_ref + Dynamic connector.1034 contains-refs - - - - contains- + + + contains-refs - + Sheet.1035 threat-actor--1 - - threat-actor--1 - + + threat-actor--1 + Sheet.1036 Identity--1 - - Identity--1 - + + Identity--1 + Dynamic connector.1037 attributed-to - - - attributed-to - + + + attributed-to + Dynamic connector.1038 related-to - - - related-to - + + + related-to + Rectangle.1039 identity--2 @@ -366,28 +538,28 @@ - - identity-- + identity--2 - + Dynamic connector.1040 reconstructed_by - - - r + + reconstructed_by - + Dynamic connector.1041 secondary_storage_refs - - - secondary_storage_refs - + + + secondary_storage_refs + Rectangle.1042 indicator--3 
@@ -395,9 +567,9 @@ - - indicator--3 - + + indicator--3 + Rectangle.1043 observed-data--3 @@ -405,9 +577,9 @@ - - observed-data--3 - + + observed-data--3 + Rectangle.1044 x-pnp-evt--1 @@ -415,26 +587,26 @@ - - x-pnp-evt--1 - + + x-pnp-evt--1 + Dynamic connector.1045 based-on - - - based-on - + + + based-on + Dynamic connector.1046 object_refs - - - object_refs - + + + object_refs + Rectangle.1047 file--4 @@ -442,41 +614,41 @@ - - file--4 - + + file--4 + Dynamic connector.1048 source_ref - - - source_ref - + + + source_ref + Sheet.1049 directory-3 - - directory-3 - + + directory-3 + Dynamic connector.1050 parent_directory_ref - - - parent_directory_ref - + + + parent_directory_ref + Dynamic connector.1051 indicated-by - - - indicated-by - + + + indicated-by + Rectangle.1052 indicator—2 @@ -484,9 +656,9 @@ - - indicator—2 - + + indicator—2 + Rectangle.1053 observed-data—2 @@ -494,9 +666,9 @@ - - observed-data—2 - + + observed-data—2 + Rectangle.1054 x-windows-evt-2 @@ -504,26 +676,26 @@ - - x-windows-evt-2 - + + x-windows-evt-2 + Dynamic connector.1055 based-on - - - based-on - + + + based-on + Dynamic connector.1056 object_refs - - - object_refs - + + + object_refs + Rectangle.1057 file--3 @@ -531,78 +703,78 @@ - - file--3 - + + file--3 + Dynamic connector.1058 source_ref - - - source_ref - + + + source_ref + Sheet.1059 directory-2 - - directory-2 - + + directory-2 + Dynamic connector.1060 parent_directory_ref - - - parent_directory_ref - + + + parent_directory_ref + Dynamic connector.1061 indicated-by - - - indicated-by - + + + indicated-by + Dynamic connector.1062 contains-refs - - - - contains- + + + contains-refs - + Dynamic connector.1063 contains-refs - - - - contains- + + + contains-refs - + Dynamic connector.1065 part-of - - - - part-of - + + + + part-of + Dynamic connector.1066 used-in - - - used-in - + + + used-in + Rectangle.1067 Identify--3 @@ -610,10 +782,10 @@ - - Identify--3 - + + Identify--3 + Rectangle.1069 x-investigation-tool--1 
@@ -621,17 +793,17 @@ - - x-investigation-tool--1 - + + x-investigation-tool--1 + Dynamic connector.1070 acquired_using_tool_ref - - - acquired_using_tool_ref - + + + acquired_using_tool_ref + Rectangle.1071 software--1 @@ -639,17 +811,17 @@ - - software--1 - + + software--1 + Dynamic connector.1072 software_ref - - - software_ref - + + + software_ref + Rectangle.1073 x-file-visit--1 @@ -657,18 +829,18 @@ - - x-file-visit--1 - + + x-file-visit--1 + Dynamic connector.1074 object_refs - - - object_refs - + + + object_refs + Rectangle.1075 file--1 @@ -676,35 +848,35 @@ - - file--1 - + + file--1 + Dynamic connector.1076 source-ref - - - source-ref - + + + source-ref + Dynamic connector.1077 contains-refs - - - - contains- + + + contains-refs - + Dynamic connector.1078 object-refs - - - object-refs - + + + object-refs + Rectangle.1079 Cyber Forensic Domain Object @@ -712,10 +884,10 @@ - - Cyber Forensic Domain Object - + + Cyber Forensic Domain Object + Rectangle.1080 Cyber Forensic Domain Object @@ -723,10 +895,10 @@ - - Cyber Forensic Domain Object - + + Cyber Forensic Domain Object + Rectangle.1081 STIX Object @@ -734,49 +906,49 @@ - - STIX Object - + + STIX Object + Dynamic connector.1082 assigned-to - - - assigned-to - + + + assigned-to + Dynamic connector.1083 invovles - - - invovles - + + + invovles + Dynamic connector.1084 acquired_by_ref - - - acquired_by_ref - + + + acquired_by_ref + Dynamic connector.1085 exploits - - - exploits - + + + exploits + Dynamic connector.1086 exploits - - - exploits - + + + exploits + Rectangle.1087 url @@ -784,26 +956,26 @@ - - url - + + url + Dynamic connector.1088 url_ref - - - url_ref - + + + url_ref + Dynamic connector.1089 object_refs - - - object_refs - + + + object_refs + Rectangle.1090 x-ram 
@@ -811,56 +983,48 @@ - - x-ram - + + x-ram + Dynamic connector.1091 ram_refs - - - ram_refs - + + + ram_refs + Dynamic connector.1092 image-of - - - image-of - + + + image-of + Sheet.1093 mac-addr--1 - - mac-addr--1 - + + mac-addr--1 + Sheet.1094 ipv4-addr--1 - - ipv4-addr--1 - + + ipv4-addr--1 + Dynamic connector.1096 communicates-use - - - - communicates-use - - Dynamic connector.1097 - has - - - - - has - + + + + communicates-use + Rectangle.1098 x-investigation-tool--2 @@ -868,17 +1032,17 @@ - - x-investigation-tool--2 - + + x-investigation-tool--2 + Dynamic connector.1099 processed-by - - - processed-by - + + + processed-by + Rectangle.1100 x-investigation-tool--3 @@ -886,9 +1050,9 @@ - - x-investigation-tool--3 - + + x-investigation-tool--3 + Rectangle.1101 x-investigation-tool--4 @@ -896,23 +1060,68 @@ - - x-investigation-tool--4 - + + x-investigation-tool--4 + Dynamic connector.1102 processed-by - - - processed-by - + + + processed-by + Dynamic connector.1103 processed-by - - - processed-by + + + processed-by + + Dynamic connector.1104 + has + + + + + has + + Rectangle.1105 + x-cloud-storage--1 + + + + + + + x-cloud-storage--1 + + Sheet.1106 + directory-4 + + + + directory-4 + + Dynamic connector.1107 + local_directory_ref + + + + + local_directory_ref + + Dynamic connector.1108 + contains-refs + + + + + contains-refs diff --git a/STIX_for_digital_forensics/CFO_intro.vsdx b/STIX_for_digital_forensics/CFO_intro.vsdx new file mode 100644 index 0000000..a7e05d8 Binary files /dev/null and b/STIX_for_digital_forensics/CFO_intro.vsdx differ diff --git a/STIX_for_digital_forensics/readme.md b/STIX_for_digital_forensics/readme.md index 220971a..4106d77 100644 --- a/STIX_for_digital_forensics/readme.md +++ b/STIX_for_digital_forensics/readme.md 
@@ -778,14 +778,38 @@ Specify a partition with NTFS
 Cloud Storage object represent a cloud space to store data.
-| Property Name | Type | Description |
-| --------------- | ----------------- | -------------------------------------------------------------------------------------- |
-| type (required) | string | The value of this property MUST be x-cloud-storage. |
-| app_ref | identifier | Specifier the software. The value MUST be an ID reference to Software. |
-| url_ref | identifier | Specifier the url to the storage. The value MUST be an ID reference to URL. |
-| local_directory | identifier | Specifier the local storage directory. The value MUST be an ID reference to Directory. |
-| contains_refs | list of type file | Specifier a list of Files. |
-| size | integer | Specifier the size of storage in MB. |
+| Property Name | Type | Description |
+| ------------------- | ----------------- | -------------------------------------------------------------------------------------- |
+| type (required) | string | The value of this property MUST be x-cloud-storage. |
+| software_ref | identifier | Specifier the software. The value MUST be an ID reference to Software. |
+| cloud_url_ref | identifier | Specifier the url to the storage. The value MUST be an ID reference to URL. |
+| cloud_file_refs | list of type file | Specifier a list of Files on the cloud. |
+| local_directory_ref | identifier | Specifier the local storage directory. The value MUST be an ID reference to Directory. |
+| size | integer | Specifier the size of cloud storage in MB. |
+
+### Relationships
+
+| Source | Relationship Type | Target | Description |
+| --------------- | ----------------- | ------------ | ------------------------------------------------------------------------- |
+| x-cloud-storage | requires | user-account | This Relationship describes that a Cloud Storage requires a User Account. |
+
+### Example 1: describes a "logon" event recorded in the security event file.
+
+```json
+{
+ "type": "x-cloud-storage",
+ "spec_version": "2.1",
+ "id": " x-cloud-storage--771c2a9a-db0c-4328-bfa0-5d1b5359da45",
+ "software_ref": "software--fe5b3c0d-810c-4e08-bdff-de9084aff90d",
+ "cloud_url_ref": "url--26164fad-f2c1-4aee-b517-bbedb84094ec",
+ "cloud_file_refs": [
+ "file--39f88548-ff7f-4377-a79e-bd95aa92bf0b",
+ "file--dc2771e8-5b45-4e39-a162-a1465e80850f"
+ ],
+ "local_directory_ref": "directory--2c1f4e62-c6c7-48cc-b682-cbc04dc7c27b",
+ "size": 150000
+}
+```
 ## Windows Event Object
diff --git a/STIX_for_digital_forensics/~$$CFO_intro.~vsdx b/STIX_for_digital_forensics/~$$CFO_intro.~vsdx
new file mode 100644
index 0000000..2f2f056
Binary files /dev/null and b/STIX_for_digital_forensics/~$$CFO_intro.~vsdx differ
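Review bot: The `id` in the JSON example carries a leading space (`" x-cloud-storage--771c…"`), which is not a valid STIX identifier of the form `type--uuid` and will break ID-reference resolution for anyone who copies the example; it should read `"id": "x-cloud-storage--771c2a9a-db0c-4328-bfa0-5d1b5359da45",`. The heading above it, `### Example 1: describes a "logon" event recorded in the security event file.`, looks copied from the Windows Event section and does not describe this object; something like `### Example 1: describes a cloud storage space synced to a local directory.` would match the example. The properties table renames `contains_refs` to `cloud_file_refs`, yet the new connector added next to `x-cloud-storage--1` in the CFO_intro.svg hunk is still labelled `contains-refs`, so the diagram and the spec appear to have drifted — worth aligning before this lands.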
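Review bot: `~$$CFO_intro.~vsdx` is a Visio owner/lock file that exists only while CFO_intro.vsdx is open in the editor, not part of the diagram source, and it should be dropped from this commit rather than tracked. Lock files of this kind typically embed the name of the user who had the document open, so it may also expose author metadata that does not belong in the repository. Adding `~$*` to .gitignore would keep it from being staged again.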