diff --git a/STIX_for_digital_forensics/readme.md b/STIX_for_digital_forensics/readme.md index ee49c7c..87c36af 100644 --- a/STIX_for_digital_forensics/readme.md +++ b/STIX_for_digital_forensics/readme.md @@ -40,7 +40,6 @@ The xSTIX includes a set of Cyber Forensic Objects (CFOs), customized properties - Cyber Forensic Domain Objects (CFDOs) - - [Tool State Evidence Object](#Tool-State-Evidence-Object) - [Windows Event Evidence Object](#Windows-Event-Evidence-Object) - [Webpage Visit Evidence Object](#Webpage-Visit-Evidence-Object) - [Plug and Play (PnP) Event Evidence Object](#Plug-and-Play-PnP-Event-Evidence-Object) @@ -56,10 +55,12 @@ The xSTIX includes a set of Cyber Forensic Objects (CFOs), customized properties - [RMU]($RMU) - [MFT]($MFT) - [AppLog](#AppLog) + - [Tool State Evidence Object](#Tool-State-Evidence-Object) - [Disk Image Evidence Object](#Disk-Image-Evidence-Object) - [Investigation Tool Object](#Investigation-Tool-Object) - [Action Object](#Action-Object) - - [Timeline Object](#timeline-Object) + - [Timeline Object](#Timeline-Object) + - [Scenario Object](#Scenario=Object) - Cyber Forensic observable Objects (CFOOs) 
@@ -71,74 +72,6 @@ The xSTIX includes a set of Cyber Forensic Objects (CFOs), customized properties - [threat-actor-type-ov extension](#threat-actor-type-ov-extension]) - [ani-forenisc-tool-type-ov](#tool-type-ov-extension) -## Tool State Evidence Object - -**Type Name:** x-tool-state-evidence - -The Tool State Evidence object represents an attacking (anti-forensic) tool's state at a specific time, including downloading, installing, running, uninstalling, cleaning. Each state is exclusive. - -### Properties - -| Property Name | Type | Description | -| ---------------- | ---------- | --------------------------------------------------------------------------------------------------------------------------------------- | -| type (required) | string | The value of this property MUST be x-tool-state-evidence. | -| state | enum | Specifies a state of tool. It MUST come from x-tool-state-enum enumeration. | -| enter_state_time | timestamp | Specifies the time a tool entering the state. | -| exit_state_time | timestamp | Specifies the time a tool exsiting the state. | -| tool_ref | identifier | An ID reference to a Tool object. If the tool is an anti-forensics tool, the type of the tool MUST come from ani-forenisc-tool-type-ov. 
| - -### Relationships - -| Source | Relationship Type | Target | Description | -| ------ | ----------------- | ------ | ----------- | - -### Tool State Enumeration - -**Enumeration Name**: x-tool-state-enum - -| Vocabulary Value | Description | -| ---------------- | ------------------------------------------------------- | -| downloading | A tool was downloading | -| installing | A tool was installing | -| running | | -| uninstalling | | -| cleaning | All files that are related to the tool has been removed | - -### Example: describes a system event generated by CD-Rom - -```json -[ - { - "type": "x-tool-state-evidence", - "spec_version": "2.1", - "id": "x-tool-state-evidence--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f", - "state": "installing", - "exit_state_time": "2005-02-06T20:03:00.000Z", - "created": "2021-01-06T20:03:00.000Z", - "modified": "2021-01-06T20:03:00.000Z", - "created_by_ref": "identity-704d9d08-060e-48f6-ace9-fde3eeb712ab" - }, - - { - "type": "tool", - "spec_version": "2.1", - "id": "tool--4d82bd3e-24a3-4f9d-b8f3-b57267fe06a9", - "created": "2015-05-15T09:12:16.432Z", - "modified": "2015-05-15T09:12:16.432Z", - "name": "steghide", - "tool_types": ["steganography"], - "tool_version": "0.5.1", - "description": "steganography", - "external_references": [ - { - "source_name": "steghide", - "url": "http://steghide.sourceforge.net/" - } - ] - } -] -``` - ## Windows Event Evidence Object **Type Name:** x-windows-evt-evidence 
@@ -875,6 +808,74 @@ An event logged by Google drive. The event shows a file (happy_holiday.jpg) has ] ``` +## Tool State Evidence Object + +**Type Name:** x-tool-state-evidence + +The Tool State Evidence object represents an attacking (anti-forensic) tool's state at a specific time, including downloading, installing, running, uninstalling, cleaning. Each state is exclusive. + +### Properties + +| Property Name | Type | Description | +| ---------------- | ---------- | --------------------------------------------------------------------------------------------------------------------------------------- | +| type (required) | string | The value of this property MUST be x-tool-state-evidence. | +| state | enum | Specifies a state of tool. It MUST come from x-tool-state-enum enumeration. | +| enter_state_time | timestamp | Specifies the time a tool entering the state. | +| exit_state_time | timestamp | Specifies the time a tool exsiting the state. | +| tool_ref | identifier | An ID reference to a Tool object. If the tool is an anti-forensics tool, the type of the tool MUST come from ani-forenisc-tool-type-ov. 
| + +### Relationships + +| Source | Relationship Type | Target | Description | +| ------ | ----------------- | ------ | ----------- | + +### Tool State Enumeration + +**Enumeration Name**: x-tool-state-enum + +| Vocabulary Value | Description | +| ---------------- | ------------------------------------------------------- | +| downloading | A tool was downloading | +| installing | A tool was installing | +| running | | +| uninstalling | | +| cleaning | All files that are related to the tool has been removed | + +### Example: describes a system event generated by CD-Rom + +```json +[ + { + "type": "x-tool-state-evidence", + "spec_version": "2.1", + "id": "x-tool-state-evidence--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f", + "state": "installing", + "exit_state_time": "2005-02-06T20:03:00.000Z", + "created": "2021-01-06T20:03:00.000Z", + "modified": "2021-01-06T20:03:00.000Z", + "created_by_ref": "identity-704d9d08-060e-48f6-ace9-fde3eeb712ab" + }, + + { + "type": "tool", + "spec_version": "2.1", + "id": "tool--4d82bd3e-24a3-4f9d-b8f3-b57267fe06a9", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "name": "steghide", + "tool_types": ["steganography"], + "tool_version": "0.5.1", + "description": "steganography", + "external_references": [ + { + "source_name": "steghide", + "url": "http://steghide.sourceforge.net/" + } + ] + } +] +``` + ## Disk Image Evidence Object **Type Name:** x-disk-image 
@@ -1053,7 +1054,10 @@ An action is one cyber criminal activity performed by a suspect. "name": "Install ccleaner tool", "description": "Install ccleaner anti-forensic tool", "performed_time ": "2015-25-25T14:46:44:44Z", - "evidence_ref ": "[x-tool-state-evidence--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f, x-file-visit-evidence--83aee86d-1523-4111-938e-8edc8a6c804f]", + "evidence_ref ": [ + "x-tool-state-evidence--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f", + "x-file-visit-evidence--83aee86d-1523-4111-938e-8edc8a6c804f" + ], "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", "created": "2021-04-06T20:03:00.000Z", "modified": "2021-04-06T20:03:00.000Z" @@ -1068,12 +1072,14 @@ A Timeline object describes a specific cybercrime scenario that is represented b ## Timeline Specific Properties -| Property Name | Type | Description | -| --------------- | --------------------- | ---------------------------------------------------------------------- | -| type (required) | string | The value of this property MUST be x-timeline. | -| actions | list of type x-action | Specifies a list of actions in chronological order. | -| name | string | Specifies the name of a timeline. | -| description | string | A description that provides more details and context about a timeline. | +| Property Name | Type | Description | +| ------------------ | --------------------- | ---------------------------------------------------------------------- | +| type (required) | string | The value of this property MUST be x-timeline. | +| actions | list of type x-action | Specifies a list of actions in chronological order. | +| name | string | Specifies the name of a timeline. | +| description | string | A description that provides more details and context about a timeline. | +| reconstructed_from | identifier | Specifies timeline is reconstructed from a crime case. | +| reconstructed_by | identifier | Specifies timeline is reconstructed by an identity. | ### Relationships 
@@ -1091,7 +1097,11 @@ A Timeline object describes a specific cybercrime scenario that is represented b "id": "x-timeline--5e54d8e8-1c4b-4a16-bb1b-7ab2acb06fff", "name": "data leakage using a UBS", "description": "An threat actor uses a USB to transfer files.", - "actions": "[x-action--6ba0fce7-1ff9-44a4-9fbb-28760afc7827, x-action--83aee86d-1523-4111-938e-8edc8a6c804f]", + "actions": [ + "x-action--6ba0fce7-1ff9-44a4-9fbb-28760afc7827", + "x-action--83aee86d-1523-4111-938e-8edc8a6c804f" + ], + "reconstructed_from": "x-crime-case--49aadd9f-8bb0-4728-bd56-7bc708714516", "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", "created": "2021-04-06T20:03:00.000Z", "modified": "2021-04-06T20:03:00.000Z" 
@@ -1109,6 +1119,62 @@ A Timeline object describes a specific cybercrime scenario that is represented b ] ``` +# Crime Case Object + +**Type Name:** x-crime-case + +A Crime Case object represents a background description of a potential cybercrime case given to a cyber forensics investigator. Note that a crime case may consist of multiple scanarios. + +## Crime Case Properties + +| Property Name | Type | Description | +| --------------- | ----------------------- | --------------------------------------------------------------------------- | +| type (required) | string | The value of this property MUST be x-crime-case. | +| case_id | string | Specifies a case identifier that is assgined to a case. | +| name | string | Specifies the name of a case. | +| description | string | A description that provides more details and context about a case. | +| disk_images | list of type disk_image | Specifies a list of dis_images that are associated with a crime case. | +| case_file_refs | list of type file | Specifies docs (other than disk images) that are associated with the cases. | + +### Relationships + +| Source | Relationship Type | Target | Description | +| ------------ | ----------------- | ------------ | --------------------------------------------------------------------------- | +| x-crime-case | assigned-to | identity | This Relationship describes that the investigator was assigned to the case. | +| x-crime-case | has | threat-actor | This Relationship describes that a x-crime-case has a threat-actor. 
| + +## Example: NIST data leakage case + +```json +[ + { + "type": "x-crime-case", + "spec_version": "2.1", + "id": "x-crime-case--5e54d8e8-1c4b-4a16-bb1b-7ab2acb06fff", + "name": "NIST data leakage", + "description": "The case study is provided by NIST.", + "disk_images": [ + "x-disk-image--64da9550-6f78-4f2f-99dc-4693cf719338", + "x-disk_image--2a9f86c9-602b-43e3-bd2a-542b7544ce3e" + ], + "case_file_refs": "[file--6ba0fce7-1ff9-44a4-9fbb-28760afc7827, file--83aee86d-1523-4111-938e-8edc8a6c804f]", + "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff", + "created": "2021-04-06T20:03:00.000Z", + "modified": "2021-04-06T20:03:00.000Z" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--6598bf44-1c10-4218-af9f-75b5b71c23a7", + "created": "2021-05-15T09:12:16.432Z", + "modified": "2021-05-15T09:12:16.432Z", + "relationship_type": "has", + "source_ref": "x-timeline--5e54d8e8-1c4b-4a16-bb1b-7ab2acb06fff", + "target_ref": "threat-actor-2485b844-4efe-4343-84c8-eb33312dd56f" + } +] +``` + --- ## Disk Partition Object
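Review bot: the new table-of-contents entry `- [Scenario Object](#Scenario=Object)` in the `@@ -56,10 +55,12 @@` hunk has an `=` where the anchor needs a `-` (`#Scenario-Object`), and no Scenario Object section is added anywhere in this patch, while the section the patch does add (`# Crime Case Object`) gets no TOC entry at all. Either add the Scenario section or change the entry to `- [Crime Case Object](#Crime-Case-Object)`. The neighbouring unchanged lines `[RMU]($RMU)` and `[MFT]($MFT)` carry the same kind of broken anchor (`$` instead of `#`) and could be fixed in the same pass.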
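Review bot: the Tool State Evidence section is moved verbatim (`@@ -71,74 +72,6 @@` removes it, `@@ -875,6 +808,74 @@` re-adds it), so its existing defects move with it and should be fixed while the block is being re-added. The example heading `### Example: describes a system event generated by CD-Rom` does not describe the example, which shows steghide entering the `installing` state; the evidence object's `"created_by_ref": "identity-704d9d08-060e-48f6-ace9-fde3eeb712ab"` uses a single hyphen where STIX identifiers require `--`; and the evidence object has no `tool_ref`, so nothing links it to the `tool--4d82bd3e-24a3-4f9d-b8f3-b57267fe06a9` object in the same bundle even though the Properties table says `tool_ref` is the reference to the Tool object. Suggest a heading such as `### Example: steghide entering the installing state`, `identity--704d9d08-060e-48f6-ace9-fde3eeb712ab`, and adding `"tool_ref": "tool--4d82bd3e-24a3-4f9d-b8f3-b57267fe06a9"` to the evidence object. The Properties table also reads `exsiting` for `exiting` and `ani-forenisc-tool-type-ov` for the vocabulary name, the `running` and `uninstalling` rows of the enumeration have empty descriptions, and the Relationships table is empty; either fill it (x-tool-state-evidence to tool) or drop it.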
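Review bot: the rewritten key in `@@ -1053,7 +1054,10 @@` keeps a trailing space inside the property name, `"evidence_ref ": [`, so a consumer looking up `evidence_ref` will still not find it; the unchanged line above, `"performed_time ": "2015-25-25T14:46:44:44Z"`, has the same trailing space and is also not a valid RFC 3339 timestamp (month 25, day 25, extra `:44`). STIX names a property holding a list of identifiers with a plural `_refs` suffix, so `evidence_refs` would match `case_file_refs` later in this patch.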
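Review bot: the two rows added in `@@ -1068,12 +1072,14 @@` give the type as `identifier` without saying which object type the identifier must point to; the example in the next hunk targets an `x-crime-case` with `reconstructed_from`, and the description says `reconstructed_by` refers to an identity, so state that in the Description column the way the other tables in this file do (`An ID reference to a Tool object`). STIX also suffixes identifier-valued properties with `_ref`, so `reconstructed_from_ref` and `reconstructed_by_ref` would be consistent with `created_by_ref` and `tool_ref`. The descriptions `Specifies timeline is reconstructed from a crime case.` and `Specifies timeline is reconstructed by an identity.` read better as `Specifies the crime case this timeline was reconstructed from.` and `Specifies the identity that reconstructed this timeline.`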
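Review bot: in `@@ -1091,7 +1097,11 @@` the new line `"reconstructed_from": "x-crime-case--49aadd9f-8bb0-4728-bd56-7bc708714516"` does not match the crime case defined later in this same patch, whose id is `x-crime-case--5e54d8e8-1c4b-4a16-bb1b-7ab2acb06fff`, so the two examples do not resolve against each other. That crime-case id also reuses the UUID of this timeline (`x-timeline--5e54d8e8-...`), which is legal but confusing; give the crime case its own UUID and reference it from here. The `actions` value is now a list of identifiers while the properties table types it as `list of type x-action`; either embed the action objects or rename the property `action_refs` with type `list of type identifier`. The unchanged context lines here also read `UBS` for `USB` and `An threat actor` for `A threat actor`.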
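Review bot: the new Crime Case section in `@@ -1109,6 +1119,62 @@` reintroduces the defect the rest of this patch is fixing: `"case_file_refs": "[file--6ba0fce7-1ff9-44a4-9fbb-28760afc7827, file--83aee86d-1523-4111-938e-8edc8a6c804f]"` is a string containing bracket text rather than a JSON array, unlike `disk_images` directly above it. Other points in this hunk: the heading `# Crime Case Object` is level 1 while every other object in the file uses `##`; the second disk image id `x-disk_image--2a9f86c9-602b-43e3-bd2a-542b7544ce3e` uses an underscore where the type is `x-disk-image`; the relationship example sets `source_ref` to the timeline (`x-timeline--5e54d8e8-...`) although the table defines `has` with source `x-crime-case`, and its `target_ref` `threat-actor-2485b844-4efe-4343-84c8-eb33312dd56f` is missing the `--` separator; `disk_images` is typed `list of type disk_image` but holds identifiers, so `disk_image_refs` with `list of type identifier` would match the `case_file_refs` naming; and the prose has `scanarios`, `assgined` and `dis_images`. The relationship type `has` is also vague; a type that carries meaning, such as STIX's own `attributed-to` for a threat actor, would be clearer.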