Frank Xu
2021-01-30 17:34:15 -05:00
parent e9bbff1c34
commit ee04c7844d


@@ -33,7 +33,7 @@ The goal of the project is to customize STIX™ for facilitating the sharing of
- SCOs for digital forensics
- [Windows Event Object](#Windows-Event-Object)
- [Browser History Event Object](#Browser-History-Event-Object)
- [Webpage Visit Event Object](#Webpage-Visit-Event-Object)
- [Plug and Play (PnP) Event Object](#Plug-and-Play-PnP-Event-Object)
- [File Visit Event Object](#File-Visit-Event-Object)
- [RecentFileCache](#RecentFileCache)
@@ -45,7 +45,8 @@ The goal of the project is to customize STIX™ for facilitating the sharing of
- [Jumplist](#Jumplist)
- [Lnk]($Lnk)
- [RMU]($RMU)
- [applog](#applog)
- [MFT]($MFT)
- [AppLog](#AppLog)
- Property Extension for Windows™ Registry Key Object
- Other extension
- [threat-actor-type-ov external reference](#threat-actor-type-ov-external-reference])
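Review bot: the new `[MFT]($MFT)` entry uses `$` instead of `#` as the anchor prefix, so the table-of-contents link will not resolve; it should read `[MFT](#MFT)`. The neighbouring `[Lnk]($Lnk)` and `[RMU]($RMU)` context lines have the same defect, and the `threat-actor-type-ov external reference` entry carries a stray `]` inside its anchor; all three could be fixed in the same pass.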
@@ -54,7 +55,7 @@ The goal of the project is to customize STIX™ for facilitating the sharing of
**Type Name:** x-windows-evt
The WIndow Event object represents an event generated by Windows OS, including applicatioin, security, steup, system, and forwarded-events.
The Windows Event object represents an event generated by Windows OS, including applicatioin, security, steup, system, and forwarded-events.
### Properties
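Review bot: the corrected sentence still contains the typos `applicatioin` and `steup` (application, setup); since the line is being rewritten anyway, fix them here rather than in a later commit.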
@@ -135,23 +136,23 @@ The WIndow Event object represents an event generated by Windows OS, including a
}
```
## Browser History Event Object
## Webpage Visit Event Object
**Type Name:** x-browser-history-evt
**Type Name:** x-webpage-visit-evt
The Browser History Event object represents a single visit to a URL.
The Webpage Visit Event object represents a single visit to a webpage.
### Properties
| Property Name | Type | Description |
| ---------------------- | ---------- | ------------------------------------------------------------------------------------------ |
| type (required) | string | The value of this property MUST be browser-history. |
| id (required) | identifier | The ID of a browser history event object. |
| id (required) | identifier | The ID of a webpage visit event object. It is the ID we generated to identify each object. |
| entry_id | string | Specifies the unqie entry ID in a file (i.e., save_to_ref) that the event saved to. |
| url_ref | identifier | Specify a visit to a url. |
| title | string | Speify the title of a web page (if a URL is a webpage) that has been visited. |
| visit_time | timestamp | The last time visited. |
| visit_count | integer | The number of times visited |
| browser_name | string | The values for this property SHOULD come from the browser-name-ov open vocabulary. |
| browser_ref | identifier | The value type for this property SHOULD software. |
| file_requested_ref | identifier | The ID of the file the http requested. |
| user_account_ref | identifier | The user account that is associated with record. |
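Review bot: the `type (required)` row still says the value MUST be `browser-history`, which contradicts the new `**Type Name:** x-webpage-visit-evt` declared just above (it did not match the old `x-browser-history-evt` either); update the row to `x-webpage-visit-evt`. While these rows are being touched: `unqie` should be `unique`, `Speify` should be `Specify`, and the `browser_ref` row is missing its verb (`SHOULD be software`).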
@@ -174,8 +175,7 @@ The Browser History Event object represents a single visit to a URL.
"title": "B.S. in Cyber Forensics | University of Baltimore",
"visit-time": "2021-01-06T20:03:22.000Z",
"visit-count": 2,
"browser_name": "chrome",
"browser_ref": "software--db997c40-458d-4da6-a339-6eef90cf325e",
"browser_ref": "software--b67a8d52-d438-4ace-8285-c6d485e34192",
"file_requested_ref ": "file--10624790-0e43-4498-89da-8979ab4215ae",
"user_account_ref ": "user-account--68f0b7d5-f7ab-47d2-8773-739ceb1c11bb",
"saved_to_ref": "file--843f6a43-0603-4e0d-84a4-198386eecf4f"
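Review bot: dropping `"browser_name": "chrome"` from the example leaves the property table in the previous hunk still listing `browser_name` with the `browser-name-ov` vocabulary; either keep the property in the example or remove the row and the vocabulary together so the spec and the example agree. Separately, the keys `visit-time` and `visit-count` use hyphens where the table defines `visit_time` and `visit_count`, and `"file_requested_ref "` and `"user_account_ref "` carry a trailing space inside the key name, so none of these would be recognised as the documented properties.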
@@ -184,30 +184,19 @@ The Browser History Event object represents a single visit to a URL.
"type": "url",
"spec_version": "2.1",
"id": "url--9cc5a5dc-0acd-46f5-ae3f-724370087622",
"value": "https://www.ubalt.edu/cpa/undergraduate-majors-and-minors/majors/cyber-forensics/"
"v,alue": "https://www.ubalt.edu/cpa/undergraduate-majors-and-minors/majors/cyber-forensics/"
},
{
"type": "software",
"spec_version": "2.1",
"id": "software--b67a8d52-d438-4ace-8285-c6d485e34192",
"name": "chrome",
"cpe": "cpe:2.3:a:google:chrome:88.0.4324.104:*:*:*:*:*:*:*",
"vendor": "Google"
}
]
```
### Browser Name Open Vocabulary
Vocabulary Name: browser-name-ov
| ocabulary Value | Description |
| --------------- | ------------------------------ |
| chrome | Google chrome browser |
| ie | Internet explore |
| edge | Microsoft Edge |
| firefox | Mozilla Firefox |
| safari | Apple Safari |
| chromium | Open source Chrome alternative |
| opera | |
| maxthon | |
| brave | |
| 360-secure | 360 Secure Browser |
| tor | |
| other | |
## Plug and Play (PnP) Event Object
**Type Name:** x-pnp-evt
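Review bot: the replacement key `"v,alue"` in the url object is a typo for `"value"`; as written the url SCO loses its value property and the example no longer represents a valid STIX url object. If the `browser-name-ov` table is being retired in this hunk along with `browser_name`, its header typo is moot; if it stays, `| ocabulary Value |` should read `| Vocabulary Value |` and the empty descriptions for `opera`, `maxthon`, `brave`, `tor` and `other` should be filled in.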
@@ -270,7 +259,7 @@ The File Visit Event object represents properties that are associasted with a fi
| visit_file_guid | string | The GUID of an application, e.g., {A3D53349-6E61-4557-8FC7-0028EDCEEBF6}} is Windows 8. |
| visit_count | integer | The total number of times the program has visited. |
| visit_file_ref (required) | identifier | Specifies the file or directory that was recently visited. |
| reason | open-vocab | Specifies a resaon why an event is recorded. It MUST come from the file-visit-evt-reason-ov open vocabulary. |
| record_reason | open-vocab | Specifies a resaon why an event is recorded. It MUST come from the file-visit-evt-record-reason-ov open vocabulary. |
| created_by_software_ref | identifier | The softwre that is used to capture and save the event. The value of this property MUST be the identifier for a SCO software object. |
| saved_to_ref(required) | identifier | Specifies object type that event object belongs to. It MUST be a type of file (e.g., RecentFileCache.bcf or Amcache.hve), registry, artifact, or or directory. |
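Review bot: the renamed `record_reason` row still reads `resaon` (reason); while these rows are being edited, also fix `softwre` (software), `or or directory` (or directory), the doubled closing brace in `{A3D53349-6E61-4557-8FC7-0028EDCEEBF6}}`, and the missing space in `saved_to_ref(required)`.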
@@ -293,9 +282,9 @@ Vocabulary Name: file-visit-type-enum
| other | |
| unknown | There is not enough information available to determine how file was accessed. |
### File Visit Event Reason Vocabulary
### File Visit Event Record Reason Vocabulary
**Vocabulary Name:** file-visit-evt-reason-ov
**Vocabulary Name:** file-visit-evt-record-reason-ov
| Vocabulary Value | Description |
| ---------------- | ---------------------------------------------------------------------------------------- |
@@ -309,6 +298,7 @@ Vocabulary Name: file-visit-type-enum
| jumplist | Represents a list of items and tasks displayed as a menu on a Windows 7 taskbar button. |
| mru | Most recently used files. |
| autorun | |
| mft | Master file table |
| applog | Logs generated by applications. |
### RecentFileCache
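Review bot: the new `mft` row's description `Master file table` only names the artifact, whereas the other rows say what is recorded; suggest `Master File Table ($MFT): file system metadata, e.g. the record of a deleted file as in the MFT example added below`. The `autorun` row just above it still has an empty description.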
@@ -324,7 +314,7 @@ RecentFileCache.bcf only containes references to programs that recently executed
"visit_type": "execution",
"visit_time ": "2021-01-06T20:03:22.000Z",
"visit_file_ref": "file--7bd8980c-91eb-461a-a357-ae75a35374e6",
"reason": "recentfilecache",
"record_reason": "recentfilecache",
"created_by_software_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228",
"saved_to_ref": "file--176353bd-b61d-4944-b0cd-0b98783c50b5"
},
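Review bot: the key `"visit_time "` has a trailing space inside the quotes, so it will not match the `visit_time` property defined in the table; the same key appears in every example in this file, and since each example is already being touched for the `record_reason` rename this is the moment to strip the space throughout.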
@@ -350,7 +340,7 @@ RecentFileCache.bcf only containes references to programs that recently executed
"spec_version": "2.1",
"id": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228",
"name": "Windows",
"cpe": "cpe:2.3:o:microsoft:azure:-:*:*:*:*:*:*:*",
"cpe": "cpe:2.3:o:microsoft:Windows:-:*:*:*:*:*:*:*",
"version": "7",
"vendor": "Microsoft"
}
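Review bot: the corrected CPE `cpe:2.3:o:microsoft:Windows:-:*:*:*:*:*:*:*` capitalises the product name, whereas official CPE dictionary entries are lowercase, and it leaves the version as `-` although the object states `"version": "7"`; `cpe:2.3:o:microsoft:windows_7:-:*:*:*:*:*:*:*` would match both the product and the stated version.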
@@ -371,7 +361,7 @@ Shimcache is created to identify application compatibility issues. Two actions/e
"visit_type": "executed",
"visit_time ": "2021-01-06T20:03:22.000Z",
"visit_file_ref": "file--7bd8980c-91eb-461a-a357-ae75a35374e6",
"reason": "shimcache",
"record_reason": "shimcache",
"created_by_software_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228",
"saved_to_ref": "windows-registry-key--2ba37ae7-2745-5082-9dfd-9486dad41016"
},
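Review bot: `"visit_type": "executed"` here differs from `"execution"` in the RecentFileCache example above; `visit_type` is drawn from `file-visit-type-enum`, so both examples should use the same enum value.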
@@ -406,7 +396,7 @@ An Example of Security ID (SID) is S-1-5-21-394942887-4226445097-2438273937-1001
"visit_time ": "2021-01-06T20:03:22.000Z",
"visit_file_ref": "file--674f8200-b56a-473b-9b1d-32a911ac5387",
"visit_count": 1,
"reason": "userassist",
"record_reason": "userassist",
"created_by_software_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228",
"saved_to_ref": "windows-registry-key--2ba37ae7-2745-5082-9dfd-9486dad41016"
},
@@ -440,7 +430,7 @@ Prefetch preloads most frequently used software into memory. The Typeshows the c
"visit_time ": "2021-01-06T20:03:22.000Z",
"visit_count": 71,
"visit_file_ref": "file--674f8200-b56a-473b-9b1d-32a911ac5387",
"reason": "prefetch",
"record_reason": "prefetch",
"created_by_software_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228",
"saved_to_ref": "file--2ba37ae7-2745-5082-9dfd-9486dad41016"
},
@@ -475,7 +465,7 @@ USN (Update Sequence Number) Journal records all files changes (e.g.., rename) t
"visit_type": "modification",
"visit_time ": "2021-01-06T20:03:22.000Z",
"visit_file_ref": "file--674f8200-b56a-473b-9b1d-32a911ac5387",
"reason": "usnjournal",
"record_reason": "usnjournal",
"created_by_software_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228",
"saved_to_ref": "file--2ba37ae7-2745-5082-9dfd-9486dad41016"
},
@@ -499,7 +489,7 @@ USN (Update Sequence Number) Journal records all files changes (e.g.., rename) t
### Shellbags
Windows uses the Shellbag keys to store user preferences for GUI folder display within Windows Explorer to improve user experience and “remember” preferences. The following Type descrbes a USB drive is visited.
Windows uses the Shellbag keys to store user preferences for GUI folder display within Windows Explorer to improve user experience and “remember” preferences. The following Type descrbes a USB drive is attached/visited.
```json
[
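Review bot: the rewritten sentence `The following Type descrbes a USB drive is attached/visited` is ungrammatical and `descrbes` is misspelled; suggest `The following example describes a USB drive being attached and visited.`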
@@ -510,7 +500,7 @@ Windows uses the Shellbag keys to store user preferences for GUI folder display
"visit_type": "read",
"visit_time ": "2021-01-06T20:03:22.000Z",
"visit_file_ref": "file--28d2e12c-c56c-4aaf-aeed-d0b69ccc601c",
"reason": "shellbag",
"record_reason": "shellbag",
"created_by_software_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228",
"saved_to_ref": "file--14a4a46c-0957-4b9d-900d-35cb8379055c"
},
@@ -545,7 +535,7 @@ Jumplist represents a list of items and tasks displayed as a menu on a Windows 7
"visit_type": "read",
"visit_time ": "2021-01-06T20:03:22.000Z",
"visit_file_ref": "file--28d2e12c-c56c-4aaf-aeed-d0b69ccc601c",
"reason": "jumplist",
"record_reason": "jumplist",
"created_by_software_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228",
"saved_to_ref": "file--14a4a46c-0957-4b9d-900d-35cb8379055c"
},
@@ -580,7 +570,7 @@ lnk is a shortcut or "link" used by Windows as a reference to an original file,
"visit_type": "read",
"visit_time ": "2021-01-16T21:03:22.000Z",
"visit_file_ref": "file-8c33da4c-fb61-4658-b28c-a5c60f561d78",
"reason": "lnk",
"record_reason": "lnk",
"created_by_software_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228",
"saved_to_ref": "file--676b743a-3a56-4084-aeb5-fa9cfadf5663"
},
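Review bot: `"visit_file_ref": "file-8c33da4c-fb61-4658-b28c-a5c60f561d78"` uses a single dash, but STIX identifiers take the form `type--uuid`, so this reference is malformed and cannot resolve to a `file--` object; the same single-dash form appears in the RMU, MFT and AppLog examples below.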
@@ -615,7 +605,7 @@ Most Recently Used files.
"visit_type": "read",
"visit_time ": "2021-01-16T21:03:22.000Z",
"visit_file_ref": "file-8c33da4c-fb61-4658-b28c-a5c60f561d78",
"reason": "rmu",
"record_reason": "rmu",
"created_by_software_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228",
"saved_to_ref": "file--676b743a-3a56-4084-aeb5-fa9cfadf5663"
},
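Review bot: `"record_reason": "rmu"` does not match the vocabulary, which defines `mru` (Most recently used files); the section heading `RMU` and its TOC entry carry the same transposition. Use `mru` consistently in the heading, the TOC and the example.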
@@ -637,7 +627,41 @@ Most Recently Used files.
]
```
### applog
### MFT
A deletion was logged by MFT
```json
[
{
"type": "x-file-visit-evt",
"spec_version": "2.1",
"id": "x-file-visit-evt--9880e636-38b0-471a-8266-8a622a95b3a5",
"visit_type": "read",
"visit_time ": "2021-01-16T21:03:22.000Z",
"visit_file_ref": "file-f7d4aa7a-d02c-481e-8bdc-450cb0669b5d",
"record_reason": "mft",
"saved_to_ref": "file--19be1a16-4b87-4fc4-b056-dc9e0389d4bd"
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--f7d4aa7a-d02c-481e-8bdc-450cb0669b5d",
"name": "desktop.ini"
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--19be1a16-4b87-4fc4-b056-dc9e0389d4bd",
"hashes": {
"MD5": "64c6451132676e5a14e20d7d9283fa58"
},
"name": "$MFT"
}
]
```
### AppLog
An event logged by Google drive. The event shows a file (happy_holiday.jpg) has been deleted.
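Review bot: in the new MFT example, `"visit_file_ref": "file-f7d4aa7a-d02c-481e-8bdc-450cb0669b5d"` (single dash) does not match the id `file--f7d4aa7a-d02c-481e-8bdc-450cb0669b5d` of the `desktop.ini` object two entries below, so the reference is dangling; change the prefix to `file--`. The intro says `A deletion was logged by MFT`, yet `visit_type` is `read`; use the `file-visit-type-enum` value that denotes deletion if one exists, otherwise reword the intro. `created_by_software_ref` is present in every other example but omitted here, and `An event logged by Google drive` should read `Google Drive`.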
@@ -650,7 +674,7 @@ An event logged by Google drive. The event shows a file (happy_holiday.jpg) has
"visit_type": "read",
"visit_time ": "2021-01-16T21:03:22.000Z",
"visit_file_ref": "file-8cdbf030-89d9-48be-b733-5f4900706f0e",
"reason": "rmu",
"record_reason": "rmu",
"created_by_software_ref": "software--764c3bcd-e053-46dc-b77d-51de1a311b39",
"saved_to_ref": "file--d5faf70b-36b8-437c-9137-6c0fc83b1e69"
},
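Review bot: this is the AppLog example, but `"record_reason"` is set to `rmu`; the vocabulary has a dedicated `applog` value (`Logs generated by applications`), which is the one this example should use. `"visit_file_ref": "file-8cdbf030-89d9-48be-b733-5f4900706f0e"` again uses a single dash and needs the `file--` prefix to be a valid STIX identifier.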