digital-forensics-labs/digital-forensics-lab
1
0
Fork 0
mirror of https://github.com/frankwxu/digital-forensics-lab.git synced 2026-04-10 12:13:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

add xSTIX

Browse Source
This commit is contained in:
Frank Xu
2021-02-01 22:37:13 -05:00
parent 838fcf4a2b
commit ccce347cdd
1 changed files with 58 additions and 58 deletions
Download Patch File Download Diff File Expand all files Collapse all files

116
STIX_for_digital_forensics/readme.md
View File

@@ -1,10 +1,23 @@
# STIX for Digital Forensics
## Objectives
The goal of the project is to explore and build an extended STIX™ (xSTIX), to exchange Cyber Forensic Intelligence (CFI). While STIX focuses on understanding, responding to, and mitigating computer-based attacks, the xSTIX allows cyber forensics communities to better understand what and how digital evidence is left on hosts and networks during these attacks and to reconstruct digital forensic-based crime scenes after attacks.
The xSTIX includes a set of Cyber Forensic Objects (CFOs). CFOs are CFI domain objects that are corresponding to concepts used in hosts and networks but are more intensively used for CFI, e.g., the concepts of file and webpage visits. Each CFO represents an event generated and recorded by firmware, drivers, operating systems, and software applications. The recorded event is often used to meet functional or non-functional requirements of a feature/system. For example, the Windows security feature requires logging all security-related activities for auditing; Google drive records all files' status for a faster local and remote files synchronization. CFOs are different from STIX Cyber-Observable Data objects because CFOs are pre-processed data in the context of CFI instead of raw data that Cyber-observable Objects want to describe.
We follow the STIX specification for [customizing objects](https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_p2sz1mp7z524). The most important rule to create a new object type is that the value of the type property in a Custom Object SHOULD start with “x-” followed by a source unique identifier (like a domain name with dots replaced by hyphens), a hyphen and then the name. For example, x-example-com-customobject.
## Extension Format
- Objects: We follow the STIX specification for [customizing objects](https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_p2sz1mp7z524). The most important rule to create a new object type is that the value of the type property in a Custom Object SHOULD start with “x-” followed by a source unique identifier (like a domain name with dots replaced by hyphens), a hyphen and then the name. For example, x-example-com-customobject.
- [Required Properties](https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_xzbicbtscatx):
- **type** (string) The value of this property MUST be one of CFOs.
- **spec_version** (string): The current version is 2.1, i.e., **"spec_version": "2.1"**.
- **id** (identifier): This id MUST meet the requirements of the identifier type [see STIX section 2.9](https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_64yvzeku5a5c).
- **created** (timestamp): The created property represents the time at which the object was originally created by an investigator (i.e., object creator).
- **modified** (timestamp): The modified property is only used by CFOs that support versioning and represents the time that this particular version of the object was last modified.
- **created_by_re**(identifier): The object creator is the entity (e.g., system, organization, instance of a tool) that generates the id property for a given object. It is optional in STIX SDO.
- [Common Properties used in CFOs](https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_xzbicbtscatx)
- external_references (list of type external-reference): The external_references property specifies a list of external references which refers to non-STIX information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems.
---
@@ -32,44 +45,38 @@ We follow the STIX specification for [customizing objects](https://docs.oasis-op
- Other extension
- [threat-actor-type-ov external reference](#threat-actor-type-ov-external-reference])
## Windows Event Object
## Windows Event Record Object
**Type Name:** x-windows-evt
**Type Name:** x-windows-evt-record
The Windows Event object represents an event generated by Windows OS, including applicatioin, security, steup, system, and forwarded-events.
The Windows Event Record object represents an event recorded by Windows OS, including applicatioin, security, steup, system, and forwarded-events.
### Properties
| Property Name | Type | Description |
| ---------------------- | ---------- | ----------------------------------------------------------------------------------------- |
| type (required) | string | The value of this property MUST be windows-security-evt. |
| id (required) | identifier | The ID of a secuity type. |
| event_category | enum | The value of this property MUST come from the windows-event-category-enum enumeration. |
| created_time | timestamp | Specified the time the event was created. |
| source | string | Specifies the source/provideer of a event. |
| event_id | integer | Specifies a type of event. |
| task_category | string | |
| computer | string | The name of the computer. |
| user_account_ref | identifier | The user account that is associated with the evewnt. |
| saved_to_ref(required) | identity | Specifies object type that event object belongs to. It MUST be a type of file or artifact |
| Property Name | Type | Description |
| -------------------------- | ---------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| type (required) | string | The value of this property MUST be x-windows-evt-record. |
| record_number | string | Specified the number of the record. |
| time_generated | timestamp | Specified the time at which this entry was submitted. |
| time_written | timestamp | Specified the time at which this entry was received by the service to be written to the log. |
| event_source | string | Specifies name of the name of the software or the name of a subcomponent of the application if the application is large that logs the event. |
| event_id | integer | The value is specific to the event source for the event, and is used with source name to locate a description string in the message file for the event source. |
| event_id_string | integer | Specified the description string of event_id. |
| event_type | string | It MUST be one EventType defined in [Windows Doc](https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-eventlogrecord) |
| event_category | enum | Categories help to organize events |
| user_account_ref(required) | identifier | The user account that is associated with the evewnt. |
| saved_to_ref(required) | identity | Specifies object type that event object belongs to. It MUST be a type of file or artifact |
Notes:
- event_source has a few types, such as application, secuirty, system, customlog, etc.
- user_account_ref can be retrived based on SID.
### Relationships
| Source | Relationship Type | Target | Description |
| ------ | ----------------- | ------ | ----------- |
### Windows Event Category Enumeration
**Enumeration Name:** windows-event-log-name-enum
| Vocabulary Value | Description |
| ---------------- | ----------- |
| application | |
| security | |
| setup | |
| system | |
| forwarded-events | |
### Example 1: describes a "logon" event recorded in the security event file.
```json
@@ -78,14 +85,23 @@ The Windows Event object represents an event generated by Windows OS, including
"type": "x-windows-evt",
"spec_version": "2.1",
"id": "x-windows-evt--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"event_category": "security",
"created_time": "2021-01-06T20:03:00.000Z",
"source": "Microsoft Windows security auditing.",
"record_number": "12145",
"time_generated": "2015-01-06T20:03:00.000Z",
"time_written": "2015-01-06T20:03:00.100Z",
"event_source": "Microsoft Windows security auditing.",
"event_id": "4624",
"task_category ": "Logon",
"computer": "ryzen3790-xu",
"event_id_string": "An account was successfully logged on",
"event_type": "EVENTLOG_AUDIT_SUCCESS",
"user_account_ref ": "user-account--68f0b7d5-f7ab-47d2-8773-739ceb1c11bb",
"saved_to_ref": "file--79e0da61-48e2-4552-874f-83d74262f39d"
"saved_to_ref": "file--79e0da61-48e2-4552-874f-83d74262f39d",
"created": "2021-01-06T20:03:00.000Z",
"modified": "2021-01-06T20:03:00.000Z",
"external_references": [
{
"source_name": "ns-winnt-eventlogrecord",
"url": "https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-eventlogrecord"
}
]
},
{
"type": "file",
@@ -107,11 +123,15 @@ The Windows Event object represents an event generated by Windows OS, including
"type": "x-windows-evt",
"spec_version": "2.1",
"id": "x-windows-evt--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"event_category": "system",
"created_time": "2021-01-06T20:03:00.000Z",
"source": "cdrom.",
"record_number": "4512",
"time_generated": "2015-01-06T20:03:00.000Z",
"time_written": "2015-01-06T20:03:00.100Z",
"event_source": "cdrom",
"event_id": "16388",
"computer": "informant-PC",
"user_account_ref ": "user-account--68f0b7d5-f7ab-47d2-8773-739ceb1c11bb",
"saved_to_ref": "file--79e0da61-48e2-4552-874f-83d74262f39d",
"created": "2021-01-06T20:03:00.000Z",
"modified": "2021-01-06T20:03:00.000Z",
"user_account_ref ": "user-account--68f0b7d5-f7ab-47d2-8773-739ceb1c11bb",
"saved_to_ref": "file--e2dd9934-e6aa-440a-9d51-21ccf990c4f5"
}
@@ -128,7 +148,6 @@ The Webpage Visit Event object represents a single visit to a webpage.
| Property Name | Type | Description |
| ---------------------- | ---------- | ------------------------------------------------------------------------------------------ |
| type (required) | string | The value of this property MUST be browser-history. |
| id (required) | identifier | The ID of a webpage visit event object. It is the ID we generated to identify each object. |
| entry_id | string | Specifies the unqie entry ID in a file (i.e., save_to_ref) that the event saved to. |
| url_ref | identifier | Specify a visit to a url. |
| title | string | Speify the title of a web page (if a URL is a webpage) that has been visited. |
@@ -191,7 +210,6 @@ The completed log properties can be access [Microsoft office docs- Format of a t
| Property Name | Type | Description |
| ---------------------- | ---------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- |
| type (required) | string | The value of this property MUST be x-pnp-evt. |
| id (required) | identifier | The ID of a Plug and Play (PnP) Event object. |
| entry_prefix | enum | The values of this property MUST come from the message-type-ov enumeration. |
| time_stamp | timestamp | Indicates the system time when the logged event occurred. |
| event_category | string | Indicates the category of SetupAPI operation that made the log entry. MUST be one of predefined Event_category operation strings, e.g.device installation. |
@@ -234,7 +252,6 @@ The File Visit Event object represents properties that are associasted with a fi
| Property Name | Type | Description |
| ------------------------- | ---------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| type (required) | string | The value of this property MUST be x-file-visit-evt. |
| id (required) | identifier | The ID of a File Visit Event object. |
| visit_type | enum | Specifies how file was visited. The values of this property MUST come from the file-visit-type-enum enumeration. |
| visit_time | timestamp | Specifies the time a file was visited. |
| visit_file_guid | string | The GUID of an application, e.g., {A3D53349-6E61-4557-8FC7-0028EDCEEBF6}} is Windows 8. |
@@ -699,7 +716,6 @@ Investigation Tools are software that can be used by cyber investigators to perf
| Property Name | Type | Description |
| --------------- | ----------------------- | --------------------------------------------------------------------------------------------- |
| type (required) | string | The value of this property MUST be x-file-visit-evt. |
| id (required) | identifier | The ID of a Investigation Tool object. |
| last_modified | timestamps | The last modified date of the investigation tool. |
| description | string | A description that provides more details and context about the investigation tool. |
| tool_types | list of type open-vocab | The values for this property SHOULD come from the investigation-tool-type-ov open vocabulary. |
@@ -805,19 +821,3 @@ We focus on extending the data property of registry value as the data may contai
```
```
```
```
```
```
```
```
```
```