add action object

Frank Xu
2021-02-06 16:02:14 -05:00
parent 0e61f49dee
commit b441420e41


@@ -40,7 +40,6 @@ The xSTIX includes a set of Cyber Forensic Objects (CFOs), customized properties
- Cyber Forensic Domain Objects (CFDOs)
- [Tool State Evidence Object](#Tool-State-Evidence-Object)
- [Windows Event Evidence Object](#Windows-Event-Evidence-Object)
- [Webpage Visit Evidence Object](#Webpage-Visit-Evidence-Object)
- [Plug and Play (PnP) Event Evidence Object](#Plug-and-Play-PnP-Event-Evidence-Object)
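Review bot: removing the Tool State Evidence entry from the CFDO list reclassifies the object, but nothing in this hunk or in the commit message ("add action object") says why it is no longer a domain object or where it now belongs; add a line to the commit message, or a short note under the CFDO heading, so readers of the README's table of contents are not left looking for a section that has moved.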
@@ -56,10 +55,12 @@ The xSTIX includes a set of Cyber Forensic Objects (CFOs), customized properties
- [RMU]($RMU)
- [MFT]($MFT)
- [AppLog](#AppLog)
- [Tool State Evidence Object](#Tool-State-Evidence-Object)
- [Disk Image Evidence Object](#Disk-Image-Evidence-Object)
- [Investigation Tool Object](#Investigation-Tool-Object)
- [Action Object](#Action-Object)
- [Timeline Object](#timeline-Object)
- [Timeline Object](#Timeline-Object)
- [Scenario Object](#Scenario=Object)
- Cyber Forensic observable Objects (CFOOs)
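Review bot: the Timeline link is corrected to `#Timeline-Object`, but three neighbouring links in the same list stay broken and should be fixed in the same pass: `[RMU]($RMU)` and `[MFT]($MFT)` use `$` where the anchor needs `#`, and `[Scenario Object](#Scenario=Object)` has `=` in place of `-`, so none of them resolves when the README is rendered. Also check that the newly added `[Action Object](#Action-Object)` entry points at a heading whose generated anchor actually matches (the same header-case problem that the Timeline fix addresses).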
@@ -71,74 +72,6 @@ The xSTIX includes a set of Cyber Forensic Objects (CFOs), customized properties
- [threat-actor-type-ov extension](#threat-actor-type-ov-extension])
- [ani-forenisc-tool-type-ov](#tool-type-ov-extension)
## Tool State Evidence Object
**Type Name:** x-tool-state-evidence
The Tool State Evidence object represents an attacking (anti-forensic) tool's state at a specific time, including downloading, installing, running, uninstalling, cleaning. Each state is exclusive.
### Properties
| Property Name | Type | Description |
| ---------------- | ---------- | --------------------------------------------------------------------------------------------------------------------------------------- |
| type (required) | string | The value of this property MUST be x-tool-state-evidence. |
| state | enum | Specifies a state of tool. It MUST come from x-tool-state-enum enumeration. |
| enter_state_time | timestamp | Specifies the time a tool entering the state. |
| exit_state_time | timestamp | Specifies the time a tool exsiting the state. |
| tool_ref | identifier | An ID reference to a Tool object. If the tool is an anti-forensics tool, the type of the tool MUST come from ani-forenisc-tool-type-ov. |
### Relationships
| Source | Relationship Type | Target | Description |
| ------ | ----------------- | ------ | ----------- |
### Tool State Enumeration
**Enumeration Name**: x-tool-state-enum
| Vocabulary Value | Description |
| ---------------- | ------------------------------------------------------- |
| downloading | A tool was downloading |
| installing | A tool was installing |
| running | |
| uninstalling | |
| cleaning | All files that are related to the tool has been removed |
### Example: describes a system event generated by CD-Rom
```json
[
{
"type": "x-tool-state-evidence",
"spec_version": "2.1",
"id": "x-tool-state-evidence--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"state": "installing",
"exit_state_time": "2005-02-06T20:03:00.000Z",
"created": "2021-01-06T20:03:00.000Z",
"modified": "2021-01-06T20:03:00.000Z",
"created_by_ref": "identity-704d9d08-060e-48f6-ace9-fde3eeb712ab"
},
{
"type": "tool",
"spec_version": "2.1",
"id": "tool--4d82bd3e-24a3-4f9d-b8f3-b57267fe06a9",
"created": "2015-05-15T09:12:16.432Z",
"modified": "2015-05-15T09:12:16.432Z",
"name": "steghide",
"tool_types": ["steganography"],
"tool_version": "0.5.1",
"description": "steganography",
"external_references": [
{
"source_name": "steghide",
"url": "http://steghide.sourceforge.net/"
}
]
}
]
```
## Windows Event Evidence Object
**Type Name:** x-windows-evt-evidence
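Review bot: the block removed here is reinserted unchanged further down in this commit, so this is a move rather than a deletion and the defects in it travel with it (see the note on the reinserted copy). The two unchanged context lines at the top of this hunk still carry a stray `]` in `(#threat-actor-type-ov-extension])` and the misspelling `ani-forenisc` in `[ani-forenisc-tool-type-ov](#tool-type-ov-extension)`, whose link text also does not match its anchor; both are cheap to fix while this region is being edited.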
@@ -875,6 +808,74 @@ An event logged by Google drive. The event shows a file (happy_holiday.jpg) has
]
```
## Tool State Evidence Object
**Type Name:** x-tool-state-evidence
The Tool State Evidence object represents an attacking (anti-forensic) tool's state at a specific time, including downloading, installing, running, uninstalling, cleaning. Each state is exclusive.
### Properties
| Property Name | Type | Description |
| ---------------- | ---------- | --------------------------------------------------------------------------------------------------------------------------------------- |
| type (required) | string | The value of this property MUST be x-tool-state-evidence. |
| state | enum | Specifies a state of tool. It MUST come from x-tool-state-enum enumeration. |
| enter_state_time | timestamp | Specifies the time a tool entering the state. |
| exit_state_time | timestamp | Specifies the time a tool exsiting the state. |
| tool_ref | identifier | An ID reference to a Tool object. If the tool is an anti-forensics tool, the type of the tool MUST come from ani-forenisc-tool-type-ov. |
### Relationships
| Source | Relationship Type | Target | Description |
| ------ | ----------------- | ------ | ----------- |
### Tool State Enumeration
**Enumeration Name**: x-tool-state-enum
| Vocabulary Value | Description |
| ---------------- | ------------------------------------------------------- |
| downloading | A tool was downloading |
| installing | A tool was installing |
| running | |
| uninstalling | |
| cleaning | All files that are related to the tool has been removed |
### Example: describes a system event generated by CD-Rom
```json
[
{
"type": "x-tool-state-evidence",
"spec_version": "2.1",
"id": "x-tool-state-evidence--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"state": "installing",
"exit_state_time": "2005-02-06T20:03:00.000Z",
"created": "2021-01-06T20:03:00.000Z",
"modified": "2021-01-06T20:03:00.000Z",
"created_by_ref": "identity-704d9d08-060e-48f6-ace9-fde3eeb712ab"
},
{
"type": "tool",
"spec_version": "2.1",
"id": "tool--4d82bd3e-24a3-4f9d-b8f3-b57267fe06a9",
"created": "2015-05-15T09:12:16.432Z",
"modified": "2015-05-15T09:12:16.432Z",
"name": "steghide",
"tool_types": ["steganography"],
"tool_version": "0.5.1",
"description": "steganography",
"external_references": [
{
"source_name": "steghide",
"url": "http://steghide.sourceforge.net/"
}
]
}
]
```
## Disk Image Evidence Object
**Type Name:** x-disk-image
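Review bot: the moved example will not validate as STIX 2.1 because `"created_by_ref": "identity-704d9d08-060e-48f6-ace9-fde3eeb712ab"` uses a single hyphen; identifiers are `type--uuid`, so this should read `identity--704d9d08-...`. The evidence object also never sets `tool_ref`, so the `tool--4d82bd3e-24a3-4f9d-b8f3-b57267fe06a9` object that follows is not linked to it, and it records `exit_state_time` without `enter_state_time`, which makes the "installing" interval unbounded on one side; add `"tool_ref": "tool--4d82bd3e-24a3-4f9d-b8f3-b57267fe06a9"` and an `enter_state_time`. The heading `### Example: describes a system event generated by CD-Rom` is left over from another object and does not describe a steghide install. Smaller items in the same block: `exsiting` should be `exiting`, the `running` and `uninstalling` enum rows have empty descriptions, the `tool_ref` description again spells the vocabulary `ani-forenisc-tool-type-ov`, and the Relationships table has a header but no rows; either list the relationships this object participates in or drop the empty table.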
@@ -1053,7 +1054,10 @@ An action is one cyber criminal activity performed by a suspect.
"name": "Install ccleaner tool",
"description": "Install ccleaner anti-forensic tool",
"performed_time ": "2015-25-25T14:46:44:44Z",
"evidence_ref ": "[x-tool-state-evidence--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f, x-file-visit-evidence--83aee86d-1523-4111-938e-8edc8a6c804f]",
"evidence_ref ": [
"x-tool-state-evidence--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"x-file-visit-evidence--83aee86d-1523-4111-938e-8edc8a6c804f"
],
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created": "2021-04-06T20:03:00.000Z",
"modified": "2021-04-06T20:03:00.000Z"
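Review bot: turning `evidence_ref` from a bracketed string into a JSON array is the right fix, but both property keys in this hunk still contain a trailing space (`"performed_time ": ...` and `"evidence_ref ": [`), so a consumer looking up `performed_time` or `evidence_ref` will not find them; strip the whitespace, and since the property now holds a list, follow the STIX 2.1 convention and name it `evidence_refs`. The unchanged context line `"performed_time ": "2015-25-25T14:46:44:44Z"` is not a valid timestamp (month 25, day 25, and a fourth colon-separated field); replace it with a real RFC 3339 value of the form `YYYY-MM-DDTHH:MM:SS.sssZ` as used in the `created` and `modified` fields below it.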
@@ -1068,12 +1072,14 @@ A Timeline object describes a specific cybercrime scenario that is represented b
## Timeline Specific Properties
| Property Name | Type | Description |
| --------------- | --------------------- | ---------------------------------------------------------------------- |
| type (required) | string | The value of this property MUST be x-timeline. |
| actions | list of type x-action | Specifies a list of actions in chronological order. |
| name | string | Specifies the name of a timeline. |
| description | string | A description that provides more details and context about a timeline. |
| Property Name | Type | Description |
| ------------------ | --------------------- | ---------------------------------------------------------------------- |
| type (required) | string | The value of this property MUST be x-timeline. |
| actions | list of type x-action | Specifies a list of actions in chronological order. |
| name | string | Specifies the name of a timeline. |
| description | string | A description that provides more details and context about a timeline. |
| reconstructed_from | identifier | Specifies timeline is reconstructed from a crime case. |
| reconstructed_by | identifier | Specifies timeline is reconstructed by an identity. |
### Relationships
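Review bot: the new `reconstructed_from` and `reconstructed_by` rows do not say what the identifier may reference; the example later in this commit uses an `x-crime-case--` id, so the descriptions should state that `reconstructed_from` MUST reference an `x-crime-case` object and `reconstructed_by` MUST reference an `identity`, in the MUST style the other tables use. The `actions` row still declares `list of type x-action`, but the example stores identifiers rather than embedded objects; `list of type identifier` (references to `x-action` objects) is what the data actually is, and per the STIX naming convention the property would be `action_refs`. Minor: the heading `## Timeline Specific Properties` is one level higher than the `### Properties` heading used by the other objects in this document.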
@@ -1091,7 +1097,11 @@ A Timeline object describes a specific cybercrime scenario that is represented b
"id": "x-timeline--5e54d8e8-1c4b-4a16-bb1b-7ab2acb06fff",
"name": "data leakage using a UBS",
"description": "An threat actor uses a USB to transfer files.",
"actions": "[x-action--6ba0fce7-1ff9-44a4-9fbb-28760afc7827, x-action--83aee86d-1523-4111-938e-8edc8a6c804f]",
"actions": [
"x-action--6ba0fce7-1ff9-44a4-9fbb-28760afc7827",
"x-action--83aee86d-1523-4111-938e-8edc8a6c804f"
],
"reconstructed_from": "x-crime-case--49aadd9f-8bb0-4728-bd56-7bc708714516",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created": "2021-04-06T20:03:00.000Z",
"modified": "2021-04-06T20:03:00.000Z"
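Review bot: the `actions` value now parses as a JSON array, which is the right fix, but the unchanged lines around it still read `"name": "data leakage using a UBS"` and `"description": "An threat actor uses a USB to transfer files."` (USB; "A threat actor"). The new `"reconstructed_from": "x-crime-case--5e54d8e8-1c4b-4a16-bb1b-7ab2acb06fff"` reuses the UUID of this timeline's own `id` (`x-timeline--5e54d8e8-1c4b-4a16-bb1b-7ab2acb06fff`); generate a distinct UUID for the crime case so the two objects cannot be confused by tooling that keys on the UUID portion.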
@@ -1109,6 +1119,62 @@ A Timeline object describes a specific cybercrime scenario that is represented b
]
```
# Crime Case Object
**Type Name:** x-crime-case
A Crime Case object represents a background description of a potential cybercrime case given to a cyber forensics investigator. Note that a crime case may consist of multiple scanarios.
## Crime Case Properties
| Property Name | Type | Description |
| --------------- | ----------------------- | --------------------------------------------------------------------------- |
| type (required) | string | The value of this property MUST be x-crime-case. |
| case_id | string | Specifies a case identifier that is assgined to a case. |
| name | string | Specifies the name of a case. |
| description | string | A description that provides more details and context about a case. |
| disk_images | list of type disk_image | Specifies a list of dis_images that are associated with a crime case. |
| case_file_refs | list of type file | Specifies docs (other than disk images) that are associated with the cases. |
### Relationships
| Source | Relationship Type | Target | Description |
| ------------ | ----------------- | ------------ | --------------------------------------------------------------------------- |
| x-crime-case | assigned-to | identity | This Relationship describes that the investigator was assigned to the case. |
| x-crime-case | has | threat-actor | This Relationship describes that a x-crime-case has a threat-actor. |
## Example: NIST data leakage case
```json
[
{
"type": "x-crime-case",
"spec_version": "2.1",
"id": "x-crime-case--5e54d8e8-1c4b-4a16-bb1b-7ab2acb06fff",
"name": "NIST data leakage",
"description": "The case study is provided by NIST.",
"disk_images": [
"x-disk-image--64da9550-6f78-4f2f-99dc-4693cf719338",
"x-disk_image--2a9f86c9-602b-43e3-bd2a-542b7544ce3e"
],
"case_file_refs": "[file--6ba0fce7-1ff9-44a4-9fbb-28760afc7827, file--83aee86d-1523-4111-938e-8edc8a6c804f]",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created": "2021-04-06T20:03:00.000Z",
"modified": "2021-04-06T20:03:00.000Z"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--6598bf44-1c10-4218-af9f-75b5b71c23a7",
"created": "2021-05-15T09:12:16.432Z",
"modified": "2021-05-15T09:12:16.432Z",
"relationship_type": "has",
"source_ref": "x-timeline--5e54d8e8-1c4b-4a16-bb1b-7ab2acb06fff",
"target_ref": "threat-actor-2485b844-4efe-4343-84c8-eb33312dd56f"
}
]
```
---
## Disk Partition Object
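Review bot: the new Crime Case example repeats the bug this same commit fixes for `evidence_ref` and `actions`: `"case_file_refs": "[file--6ba0fce7-..., file--83aee86d-...]"` is a string containing a bracketed list, not a JSON array, so it should become a proper list of identifiers. The `disk_images` row declares `list of type disk_image` while the example stores identifiers, so the type should be `list of type identifier` (and, following STIX naming, `disk_image_refs`); the second entry `x-disk_image--2a9f86c9-602b-43e3-bd2a-542b7544ce3e` also uses an underscore where the declared type name is `x-disk-image`, so it does not match any object type defined here. The relationship example does not illustrate this object: `source_ref` is `x-timeline--5e54d8e8-...` rather than the `x-crime-case--` id defined two lines above, and `"target_ref": "threat-actor-2485b844-4efe-4343-84c8-eb33312dd56f"` is missing the second hyphen of the `type--uuid` form. In the Relationships table, `x-crime-case assigned-to identity` is described as "the investigator was assigned to the case", which is the opposite direction; make `identity` the source, or reword the description. Smaller items: `scanarios`, `assgined`, `dis_images` in the prose, and `# Crime Case Object` / `## Crime Case Properties` are one heading level higher than the `##` / `###` pattern used by the other objects.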