diff --git a/STIX_for_digital_forensics/Illegal_Possession_Images/illegal_possession_image.json b/STIX_for_digital_forensics/Illegal_Possession_Images/illegal_possession_image.json
index 8de76b0..035f811 100644
--- a/STIX_for_digital_forensics/Illegal_Possession_Images/illegal_possession_image.json
+++ b/STIX_for_digital_forensics/Illegal_Possession_Images/illegal_possession_image.json
@@ -56,7 +56,6 @@
 "created": "2021-02-15T07:06:00Z",
 "modified": "2021-02-15T07:06:00Z"
 },
- {
 "type": "x-crime-case",
 "spec_version": "2.1",
@@ -255,7 +254,7 @@
 "id": "indicator--e7a4aa2b-dfbe-4cf4-be2e-b5811699264d",
 "name": "delete indicator",
 "description": "Indication of delete",
- "pattern": "[file:extensions:status='recovered' and file:extensions:content_tags[0]='rhino']",
+ "pattern": "[file:extensions.auxiliary-ext.status='recovered' and file:extensions.auxiliary-ext.content_tags[0]='rhino']",
 "pattern_type": "stix",
 "created_by_ref": "identity--4f922f49-b4ac-41d6-b701-b374d7dc9b22",
 "created": "2021-02-15T12:15:00Z",
@@ -270,10 +269,12 @@
 "MD5": "ca03f2eed3db06a82a8a31b3a3defa24"
 },
 "extensions": {
- "description": "recovered from deletion",
- "status": "recovered",
- "content_tags": ["rhino"],
- "file_name": "f0106393.jpg"
+ "auxiliary-ext": {
+ "description": "recovered from deletion",
+ "status": "recovered",
+ "content_tags": ["rhino"],
+ "file_name": "f0106393.jpg"
+ }
 }
 },
 {
@@ -285,10 +286,12 @@
 "MD5": "ed870202082ea4fd8f5488533a561b35"
 },
 "extensions": {
- "description": "recovered from deletion",
- "status": "recovered",
- "content_tags": ["rhino"],
- "file_name": "f0106409.jpg"
+ "auxiliary-ext": {
+ "description": "recovered from deletion",
+ "status": "recovered",
+ "content_tags": ["rhino"],
+ "file_name": "f0106409.jpg"
+ }
 }
 },
 {
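Review bot: The rewritten `pattern` value in the @@ -255 hunk (and likewise at @@ -426 and @@ -513) addresses the extension as `file:extensions.auxiliary-ext.status`, but STIX 2.1 patterning requires an object-path component that is not a plain identifier — a hyphenated dictionary key like this one — to be single-quoted, as in the spec's own `file:extensions.'windows-pebinary-ext'.sections[*].entropy`, so a conforming pattern validator will reject the new value just as it rejected the colon form it replaces. The line should read `"pattern": "[file:extensions.'auxiliary-ext'.status='recovered' and file:extensions.'auxiliary-ext'.content_tags[0]='rhino']",`, with the same quoting applied in the other two hunks. The new `auxiliary-ext` key also departs from the `x-` prefix this dataset uses for its custom types (`x-crime-case` is visible in the first hunk), and as far as I recall STIX 2.1's custom object extension guidance asks for a source-specific `x-` prefix on extension names as well, so that is worth confirming before the key spreads to more objects. The indicator objects these patterns belong to begin and end outside the hunks.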
@@ -300,10 +303,12 @@
 "MD5": "76610b7bdb85e5f65e96df3f7e417a74"
 },
 "extensions": {
- "description": "recovered from deletion",
- "status": "recovered",
- "content_tags": ["rhino"],
- "file_name": "f0106865.gif"
+ "auxiliary-ext": {
+ "description": "recovered from deletion",
+ "status": "recovered",
+ "content_tags": ["rhino"],
+ "file_name": "f0106865.gif"
+ }
 }
 },
 {
@@ -315,10 +320,12 @@
 "MD5": "d03dc23d4ec39e4d16da3c46d2932d62"
 },
 "extensions": {
- "description": "recovered from deletion",
- "status": "recovered",
- "content_tags": ["rhino"],
- "file_name": "f0106889.gif"
+ "auxiliary-ext": {
+ "description": "recovered from deletion",
+ "status": "recovered",
+ "content_tags": ["rhino"],
+ "file_name": "f0106889.gif"
+ }
 }
 },
 {
@@ -404,9 +411,11 @@
 },
 "content_ref": "artifact--899e1d63-20ae-5487-b684-df8019d4177c",
 "extensions": {
- "description": "recovered from deletion",
- "status": "recovered",
- "file_name": "f0335017_She_died_in_February_at_the_age_of_74.doc"
+ "auxiliary-ext": {
+ "description": "recovered from deletion",
+ "status": "recovered",
+ "file_name": "f0335017_She_died_in_February_at_the_age_of_74.doc"
+ }
 }
 },
 {
@@ -426,7 +435,7 @@
 "id": "indicator--afb0a853-e4c7-45a8-afea-d9f7c2dac3c1",
 "name": "delete doc indicator",
 "description": "Indication of delete a doc file that is recovered from the USB",
- "pattern": "[file:extensions:status='recovered']",
+ "pattern": "[file:extensions.auxiliary-ext.status='recovered']",
 "pattern_type": "stix",
 "created_by_ref": "identity--4f922f49-b4ac-41d6-b701-b374d7dc9b22",
 "created": "2021-02-15T12:15:00Z",
@@ -495,9 +504,11 @@
 "MD5": "6bd0e9bd4fb4a738f9ca4c351a853281"
 },
 "extensions": {
- "description": "recovered from deletion",
- "status": "recovered",
- "file_name": "f0105065.jpg"
+ "auxiliary-ext": {
+ "description": "recovered from deletion",
+ "status": "recovered",
+ "file_name": "f0105065.jpg"
+ }
 }
 },
 {
@@ -513,7 +524,7 @@
 "id": "indicator--e9d899b9-0c56-4108-839f-9cef41e37b34",
 "name": "use a steganography tool indicator",
 "description": "Indication of using steganography tool",
- "pattern": "[artifact:payload_bin MATCHES 'anBoaWRl' and file:extensions:status='decoded' and exists artifact--01b778f5-e334-52a5-a49d-f9b2de330be9 and exists artifact--5bb67aa9-d849-465d-a433-114063836965]",
+ "pattern": "[artifact:payload_bin MATCHES 'anBoaWRl' and file:extensions.auxiliary-ext.status='decoded' and exists artifact--01b778f5-e334-52a5-a49d-f9b2de330be9 and exists artifact--5bb67aa9-d849-465d-a433-114063836965]",
 "pattern_type": "stix",
 "created_by_ref": "identity--4f922f49-b4ac-41d6-b701-b374d7dc9b22",
 "created": "2021-02-17T15:41:00Z",
@@ -591,10 +602,12 @@
 "MD5": "63a39823f80b321c2dcd112158b55011"
 },
 "extensions": {
- "description": "decoded by stegdetect",
- "status": "decoded",
- "content_tags": ["rhino"],
- "file_name": "r065.jpg"
+ "auxiliary-ext": {
+ "description": "decoded by stegdetect",
+ "status": "decoded",
+ "content_tags": ["rhino"],
+ "file_name": "r065.jpg"
+ }
 }
 },
 {
@@ -627,9 +640,11 @@
 "MD5": "4d37a1033450b8cc96ffd1564829d321"
 },
 "extensions": {
- "description": "recovered from deletion",
- "status": "recovered",
- "file_name": "f0104249.jpg"
+ "auxiliary-ext": {
+ "description": "recovered from deletion",
+ "status": "recovered",
+ "file_name": "f0104249.jpg"
+ }
 }
 },
 {
@@ -676,10 +691,12 @@
 "MD5": "87018ef0cfdb91e818d92efeb9c19338"
 },
 "extensions": {
- "description": "decoded by stegdetect",
- "status": "decoded",
- "content_tags": ["rhino"],
- "file_name": "r249.jpg"
+ "auxiliary-ext": {
+ "description": "decoded by stegdetect",
+ "status": "decoded",
+ "content_tags": ["rhino"],
+ "file_name": "r249.jpg"
+ }
 }
 },
 {
diff --git a/STIX_for_digital_forensics/readme.md b/STIX_for_digital_forensics/readme.md
index 1953a14..0994b1e 100644
--- a/STIX_for_digital_forensics/readme.md
+++ b/STIX_for_digital_forensics/readme.md
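Review bot: Separate from the unquoted `auxiliary-ext` path it shares with the earlier pattern hunks, the rewritten `pattern` line in the @@ -513 hunk carries forward `exists artifact--01b778f5-…` and `exists artifact--5bb67aa9-…` as comparison terms, and `exists` is not an operator in the STIX 2.1 patterning grammar, nor is a bare object id a valid object path, so the pattern still fails to parse once the extension path is corrected. Since the line is being rewritten anyway, this is the moment to express that dependency in a form the grammar supports — for example an object-path comparison such as `artifact:id = '<artifact id>'`, or a relationship object outside the pattern — rather than keep the invalid clauses. The indicator object this pattern belongs to starts and ends outside the hunk.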
@@ -77,7 +77,8 @@ The xSTIX includes a set of Cyber Forensic Objects (CFOs), customized properties
 - [AppLog](#AppLog)
 - Property Extension
- - [Extension for Windows Registry Key Object](#Extension-for-Windows-Registry-Key-Object)
+ - [Extension to File Object](#Extension-to-File-Object)
+ - [Extension to Windows Registry Key Object](#Extension-to-Windows-Registry-Key-Object)
 - Open Vocabulary extension
 - [threat-actor-type-ov extension](#threat-actor-type-ov-extension])
 - [ani-forensic-tool-type-ov](#tool-type-ov-extension)
@@ -176,6 +177,7 @@ Investigation Tools are software that can be used by cyber investigators to perf
 | --------------- | ----------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | type (required) | string | The value of this property MUST be x-investigation-tool. |
 | last_modified | timestamps | The last modified date of the investigation tool. |
+| name | string | A short name of the investigation tool. |
 | description | string | A description that provides more details and context about the investigation tool. |
 | functions | list of type open-vocab | Specifies a list of functions of an Investigation Tool. Each function is summarized in one activity, which SHOULD come from the x-activity-name-ov open vocabulary. |
 | inputs_refs | list of type identifer | Specifies a list of function inputs. It Should come from any STIX objects or CFOs. |
@@ -462,13 +464,13 @@ A Crime Case object represents a background description of a potential cybercrim
 ## Crime Case Properties
-| Property Name | Type | Description |
-| --------------- | ----------------- | ------------------------------------------------------------------------------------------------ |
-| type (required) | string | The value of this property MUST be x-crime-case. |
-| case_id | string | Specifies a case identifier that is assigned to a case. |
-| name | string | Specifies the name of a case. |
-| description | string | A description that provides more details and context about a case. |
-| case_file_refs | list of type file | Specifies docs, logs, and any files (other than disk images) that are associated with the cases. |
+| Property Name | Type | Description |
+| --------------- | ----------------------- | ------------------------------------------------------------------------------------------------ |
+| type (required) | string | The value of this property MUST be x-crime-case. |
+| case_id | string | Specifies a case identifier that is assigned to a case. |
+| name | string | Specifies the name of a case. |
+| description | string | A description that provides more details and context about a case. |
+| case_file_refs | list of file references | Specifies docs, logs, and any files (other than disk images) that are associated with the cases. |
 ### Relationships
@@ -1755,7 +1757,41 @@ An event logged by Google drive. The event shows a file (happy_holiday.jpg) has
 ---
-## Extension for Windows Registry Key Object
+## Extension to File Object
+
+**Type Name:** auxiliary-ext
+
+The auxiliary file extension specifies a default extension for capturing addition properties to files. The key for this extension when used in the extensions dictionary MUST be auxiliary-ext.
+
+### Properties
+
+| Property Name | Type | Description |
+| ----------------- | --------------- | ---------------------------------------------------------------------- |
+| status (required) | string | Specifies the status of the file, e.g., recovered, decoded, decrypted. |
+| description | string | description of the of the auxiliary extension. |
+| content_tags | list of strings | A list of words to describe the content of file. |
+| file_name | string | Specifies the file name. |
+
+```json
+{
+ "type": "file",
+ "spec_version": "2.1",
+ "id": "file--5767fcee-664c-5af0-8b13-1420a285ab02",
+ "hashes": {
+ "MD5": "ca03f2eed3db06a82a8a31b3a3defa24"
+ },
+ "extensions": {
+ "auxiliary-ext": {
+ "description": "recovered from deletion",
+ "status": "recovered",
+ "content_tags": ["rhino"],
+ "file_name": "f0106393.jpg"
+ }
+ }
+}
+```
+
+## Extension to Windows Registry Key Object
 We focus on extending the data property of registry value as the data may contain rich information that needs to be organized and formalized as digital evidence. The pattern of the extension is shown below. Note that the string **"x_data"** is assigned to **"data"** (e.g., **"data": "x_data"**) as a place holder and **x_data:[]** is the extended property that contains formalized information of data.