diff --git a/STIX_for_digital_forensics/readme.md b/STIX_for_digital_forensics/readme.md index d6f3d74..7ec1fd9 100644 --- a/STIX_for_digital_forensics/readme.md +++ b/STIX_for_digital_forensics/readme.md @@ -33,7 +33,7 @@ The goal of the project is to customize STIX™ for facilitating the sharing of - SCOs for digital forensics - [Windows Event Object](#Windows-Event-Object) - - [Browser History Event Object](#Browser-History-Event-Object) + - [Webpage Visit Event Object](#Webpage-Visit-Event-Object) - [Plug and Play (PnP) Event Object](#Plug-and-Play-PnP-Event-Object) - [File Visit Event Object](#File-Visit-Event-Object) - [RecentFileCache](#RecentFileCache) @@ -45,7 +45,8 @@ The goal of the project is to customize STIX™ for facilitating the sharing of - [Jumplist](#Jumplist) - [Lnk]($Lnk) - [RMU]($RMU) - - [applog](#applog) + - [MFT]($MFT) + - [AppLog](#AppLog) - Property Extension for Windows™ Registry Key Object - Other extension - [threat-actor-type-ov external reference](#threat-actor-type-ov-external-reference]) @@ -54,7 +55,7 @@ The goal of the project is to customize STIX™ for facilitating the sharing of **Type Name:** x-windows-evt -The WIndow Event object represents an event generated by Windows OS, including applicatioin, security, steup, system, and forwarded-events. +The Windows Event object represents an event generated by Windows OS, including applicatioin, security, steup, system, and forwarded-events. ### Properties 
@@ -135,23 +136,23 @@ The WIndow Event object represents an event generated by Windows OS, including a } ``` -## Browser History Event Object +## Webpage Visit Event Object -**Type Name:** x-browser-history-evt +**Type Name:** x-webpage-visit-evt -The Browser History Event object represents a single visit to a URL. +The Webpage Visit Event object represents a single visit to a webpage. ### Properties | Property Name | Type | Description | | ---------------------- | ---------- | ------------------------------------------------------------------------------------------ | | type (required) | string | The value of this property MUST be browser-history. | -| id (required) | identifier | The ID of a browser history event object. | +| id (required) | identifier | The ID of a webpage visit event object. It is the ID we generated to identify each object. | +| entry_id | string | Specifies the unqie entry ID in a file (i.e., save_to_ref) that the event saved to. | | url_ref | identifier | Specify a visit to a url. | | title | string | Speify the title of a web page (if a URL is a webpage) that has been visited. | | visit_time | timestamp | The last time visited. | | visit_count | integer | The number of times visited | -| browser_name | string | The values for this property SHOULD come from the browser-name-ov open vocabulary. | | browser_ref | identifier | The value type for this property SHOULD software. | | file_requested_ref | identifier | The ID of the file the http requested. | | user_account_ref | identifier | The user account that is associated with record. | 
@@ -174,8 +175,7 @@ The Browser History Event object represents a single visit to a URL. "title": "B.S. in Cyber Forensics | University of Baltimore", "visit-time": "2021-01-06T20:03:22.000Z", "visit-count": 2, - "browser_name": "chrome", - "browser_ref": "software--db997c40-458d-4da6-a339-6eef90cf325e", + "browser_ref": "software--b67a8d52-d438-4ace-8285-c6d485e34192", "file_requested_ref ": "file--10624790-0e43-4498-89da-8979ab4215ae", "user_account_ref ": "user-account--68f0b7d5-f7ab-47d2-8773-739ceb1c11bb", "saved_to_ref": "file--843f6a43-0603-4e0d-84a4-198386eecf4f" @@ -184,30 +184,19 @@ The Browser History Event object represents a single visit to a URL. "type": "url", "spec_version": "2.1", "id": "url--9cc5a5dc-0acd-46f5-ae3f-724370087622", - "value": "https://www.ubalt.edu/cpa/undergraduate-majors-and-minors/majors/cyber-forensics/" + "v,alue": "https://www.ubalt.edu/cpa/undergraduate-majors-and-minors/majors/cyber-forensics/" + }, + { + "type": "software", + "spec_version": "2.1", + "id": "software--b67a8d52-d438-4ace-8285-c6d485e34192", + "name": "chrome", + "cpe": "cpe:2.3:a:google:chrome:88.0.4324.104:*:*:*:*:*:*:*", + "vendor": "Google" } ] ``` -### Browser Name Open Vocabulary - -Vocabulary Name: browser-name-ov - -| ocabulary Value | Description | -| --------------- | ------------------------------ | -| chrome | Google chrome browser | -| ie | Internet explore | -| edge | Microsoft Edge | -| firefox | Mozilla Firefox | -| safari | Apple Safari | -| chromium | Open source Chrome alternative | -| opera | | -| maxthon | | -| brave | | -| 360-secure | 360 Secure Browser | -| tor | | -| other | | - ## Plug and Play (PnP) Event Object **Type Name:** x-pnp-evt 
@@ -270,7 +259,7 @@ The File Visit Event object represents properties that are associasted with a fi | visit_file_guid | string | The GUID of an application, e.g., {A3D53349-6E61-4557-8FC7-0028EDCEEBF6}} is Windows 8. | | visit_count | integer | The total number of times the program has visited. | | visit_file_ref (required) | identifier | Specifies the file or directory that was recently visited. | -| reason | open-vocab | Specifies a resaon why an event is recorded. It MUST come from the file-visit-evt-reason-ov open vocabulary. | +| record_reason | open-vocab | Specifies a resaon why an event is recorded. It MUST come from the file-visit-evt-record-reason-ov open vocabulary. | | created_by_software_ref | identifier | The softwre that is used to capture and save the event. The value of this property MUST be the identifier for a SCO software object. | | saved_to_ref(required) | identifier | Specifies object type that event object belongs to. It MUST be a type of file (e.g., RecentFileCache.bcf or Amcache.hve), registry, artifact, or or directory. | @@ -293,9 +282,9 @@ Vocabulary Name: file-visit-type-enum | other | | | unknown | There is not enough information available to determine how file was accessed. | -### File Visit Event Reason Vocabulary +### File Visit Event Record Reason Vocabulary -**Vocabulary Name:** file-visit-evt-reason-ov +**Vocabulary Name:** file-visit-evt-record-reason-ov | Vocabulary Value | Description | | ---------------- | ---------------------------------------------------------------------------------------- | @@ -309,6 +298,7 @@ Vocabulary Name: file-visit-type-enum | jumplist | Represents a list of items and tasks displayed as a menu on a Windows 7 taskbar button. | | mru | Most recently used files. | | autorun | | +| mft | Master file table | | applog | Logs generated by applications. | ### RecentFileCache 
@@ -324,7 +314,7 @@ RecentFileCache.bcf only containes references to programs that recently executed "visit_type": "execution", "visit_time ": "2021-01-06T20:03:22.000Z", "visit_file_ref": "file--7bd8980c-91eb-461a-a357-ae75a35374e6", - "reason": "recentfilecache", + "record_reason": "recentfilecache", "created_by_software_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228", "saved_to_ref": "file--176353bd-b61d-4944-b0cd-0b98783c50b5" }, @@ -350,7 +340,7 @@ RecentFileCache.bcf only containes references to programs that recently executed "spec_version": "2.1", "id": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228", "name": "Windows", - "cpe": "cpe:2.3:o:microsoft:azure:-:*:*:*:*:*:*:*", + "cpe": "cpe:2.3:o:microsoft:Windows:-:*:*:*:*:*:*:*", "version": "7", "vendor": "Microsoft" } @@ -371,7 +361,7 @@ Shimcache is created to identify application compatibility issues. Two actions/e "visit_type": "executed", "visit_time ": "2021-01-06T20:03:22.000Z", "visit_file_ref": "file--7bd8980c-91eb-461a-a357-ae75a35374e6", - "reason": "shimcache", + "record_reason": "shimcache", "created_by_software_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228", "saved_to_ref": "windows-registry-key--2ba37ae7-2745-5082-9dfd-9486dad41016" }, @@ -406,7 +396,7 @@ An Example of Security ID (SID) is S-1-5-21-394942887-4226445097-2438273937-1001 "visit_time ": "2021-01-06T20:03:22.000Z", "visit_file_ref": "file--674f8200-b56a-473b-9b1d-32a911ac5387", "visit_count": 1, - "reason": "userassist", + "record_reason": "userassist", "created_by_software_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228", "saved_to_ref": "windows-registry-key--2ba37ae7-2745-5082-9dfd-9486dad41016" }, 
@@ -440,7 +430,7 @@ Prefetch preloads most frequently used software into memory. The Typeshows the c "visit_time ": "2021-01-06T20:03:22.000Z", "visit_count": 71, "visit_file_ref": "file--674f8200-b56a-473b-9b1d-32a911ac5387", - "reason": "prefetch", + "record_reason": "prefetch", "created_by_software_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228", "saved_to_ref": "file--2ba37ae7-2745-5082-9dfd-9486dad41016" }, @@ -475,7 +465,7 @@ USN (Update Sequence Number) Journal records all files changes (e.g.., rename) t "visit_type": "modification", "visit_time ": "2021-01-06T20:03:22.000Z", "visit_file_ref": "file--674f8200-b56a-473b-9b1d-32a911ac5387", - "reason": "usnjournal", + "record_reason": "usnjournal", "created_by_software_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228", "saved_to_ref": "file--2ba37ae7-2745-5082-9dfd-9486dad41016" }, @@ -499,7 +489,7 @@ USN (Update Sequence Number) Journal records all files changes (e.g.., rename) t ### Shellbags -Windows uses the Shellbag keys to store user preferences for GUI folder display within Windows Explorer to improve user experience and “remember” preferences. The following Type descrbes a USB drive is visited. +Windows uses the Shellbag keys to store user preferences for GUI folder display within Windows Explorer to improve user experience and “remember” preferences. The following Type descrbes a USB drive is attached/visited. ```json [ @@ -510,7 +500,7 @@ Windows uses the Shellbag keys to store user preferences for GUI folder display "visit_type": "read", "visit_time ": "2021-01-06T20:03:22.000Z", "visit_file_ref": "file--28d2e12c-c56c-4aaf-aeed-d0b69ccc601c", - "reason": "shellbag", + "record_reason": "shellbag", "created_by_software_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228", "saved_to_ref": "file--14a4a46c-0957-4b9d-900d-35cb8379055c" }, 
@@ -545,7 +535,7 @@ Jumplist represents a list of items and tasks displayed as a menu on a Windows 7 "visit_type": "read", "visit_time ": "2021-01-06T20:03:22.000Z", "visit_file_ref": "file--28d2e12c-c56c-4aaf-aeed-d0b69ccc601c", - "reason": "jumplist", + "record_reason": "jumplist", "created_by_software_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228", "saved_to_ref": "file--14a4a46c-0957-4b9d-900d-35cb8379055c" }, @@ -580,7 +570,7 @@ lnk is a shortcut or "link" used by Windows as a reference to an original file, "visit_type": "read", "visit_time ": "2021-01-16T21:03:22.000Z", "visit_file_ref": "file-8c33da4c-fb61-4658-b28c-a5c60f561d78", - "reason": "lnk", + "record_reason": "lnk", "created_by_software_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228", "saved_to_ref": "file--676b743a-3a56-4084-aeb5-fa9cfadf5663" }, @@ -615,7 +605,7 @@ Most Recently Used files. "visit_type": "read", "visit_time ": "2021-01-16T21:03:22.000Z", "visit_file_ref": "file-8c33da4c-fb61-4658-b28c-a5c60f561d78", - "reason": "rmu", + "record_reason": "rmu", "created_by_software_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228", "saved_to_ref": "file--676b743a-3a56-4084-aeb5-fa9cfadf5663" }, 
@@ -637,7 +627,41 @@ Most Recently Used files. ] ``` -### applog +### MFT + +A deletion was logged by MFT + +```json +[ + { + "type": "x-file-visit-evt", + "spec_version": "2.1", + "id": "x-file-visit-evt--9880e636-38b0-471a-8266-8a622a95b3a5", + "visit_type": "read", + "visit_time ": "2021-01-16T21:03:22.000Z", + "visit_file_ref": "file-f7d4aa7a-d02c-481e-8bdc-450cb0669b5d", + "record_reason": "mft", + "saved_to_ref": "file--19be1a16-4b87-4fc4-b056-dc9e0389d4bd" + }, + { + "type": "file", + "spec_version": "2.1", + "id": "file--f7d4aa7a-d02c-481e-8bdc-450cb0669b5d", + "name": "desktop.ini" + }, + { + "type": "file", + "spec_version": "2.1", + "id": "file--19be1a16-4b87-4fc4-b056-dc9e0389d4bd", + "hashes": { + "MD5": "64c6451132676e5a14e20d7d9283fa58" + }, + "name": "$MFT" + } +] +``` + +### AppLog An event logged by Google drive. The event shows a file (happy_holiday.jpg) has been deleted. @@ -650,7 +674,7 @@ An event logged by Google drive. The event shows a file (happy_holiday.jpg) has "visit_type": "read", "visit_time ": "2021-01-16T21:03:22.000Z", "visit_file_ref": "file-8cdbf030-89d9-48be-b733-5f4900706f0e", - "reason": "rmu", + "record_reason": "rmu", "created_by_software_ref": "software--764c3bcd-e053-46dc-b77d-51de1a311b39", "saved_to_ref": "file--d5faf70b-36b8-437c-9137-6c0fc83b1e69" },
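Review bot: in the `@@ -45,7 +45,8 @@` hunk, the new table-of-contents entry `- [MFT]($MFT)` uses `$` instead of `#` as the anchor prefix, so the link will not jump to the `### MFT` section; it should read `- [MFT](#MFT)`. The neighbouring `[Lnk]($Lnk)` and `[RMU]($RMU)` context lines have the same defect, and the `threat-actor-type-ov external reference` entry closes with `]` instead of `)`, so all four are worth fixing while this list is being touched.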
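Review bot: in the `@@ -54,7 +55,7 @@` hunk the rewritten sentence fixes `WIndow` but still carries `applicatioin` and `steup`; since the line is already changing it should read "... including application, security, setup, system, and forwarded-events."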
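Review bot: in the `@@ -135,23 +136,23 @@` hunk the `type (required)` row still says the value `MUST be browser-history`, which no longer matches the new `**Type Name:** x-webpage-visit-evt` declared two lines above; it should say the value MUST be `x-webpage-visit-evt`. In the same table the new `entry_id` row misspells "unique" as `unqie`, and the `browser_ref` row is missing its verb ("SHOULD be software"). With `browser_name` removed, the `browser_ref` description is the natural place to state that the browser and its version are now carried by the referenced `software` object.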
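Review bot: in the `@@ -174,8 +175,7 @@` hunk the example keys `"visit-time"` and `"visit-count"` use hyphens while the property table defines `visit_time` and `visit_count`, and the keys `"file_requested_ref "` and `"user_account_ref "` contain a trailing space, so a consumer matching on the documented property names would miss all four. Since the hunk already edits this object, the keys should be normalised to `"visit_time"`, `"visit_count"`, `"file_requested_ref"` and `"user_account_ref"`.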
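Review bot: in the `@@ -184,30 +184,19 @@` hunk the changed line `"v,alue": "https://www.ubalt.edu/..."` introduces a typo into the property name of the `url` object; STIX 2.1 `url` SCOs require a `value` property, so this line should be reverted to `"value": ...`. Removing the `browser-name-ov` vocabulary is consistent with dropping `browser_name`, and the added `software` object with a `cpe` string is a more precise way to pin the browser build than a free-text name.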
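Review bot: in the `@@ -270,7 +259,7 @@` hunk the renamed `record_reason` row still misspells "reason" as `resaon` in its description, and the unchanged `created_by_software_ref` row directly below it has `softwre`; both should be corrected while the table is open. The new vocabulary name `file-visit-evt-record-reason-ov` does match the heading renamed in the `@@ -293,9 +282,9 @@` hunk, which is good.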
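Review bot: in the `@@ -350,7 +340,7 @@` hunk the product component of the CPE is capitalised (`cpe:2.3:o:microsoft:Windows:-:*:*:*:*:*:*:*`); CPE 2.3 formatted-string components are conventionally lowercase, and tooling that compares CPE names case-sensitively will not match this form, so it should be `cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*`. The same object declares `"version": "7"` while the CPE version field is `-`, so putting the version into the CPE as well would keep the two consistent.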
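Review bot: in the `@@ -499,7 +489,7 @@` hunk the reworded sentence still contains `descrbes` and "describes a USB drive is attached/visited" is ungrammatical; suggest "The following example describes a USB drive being attached and browsed."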
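Review bot: in the `@@ -580,7 +570,7 @@` hunk the context line `"visit_file_ref": "file-8c33da4c-fb61-4658-b28c-a5c60f561d78"` uses a single hyphen; STIX identifiers have the form `<type>--<uuid>`, so this reference cannot resolve to any `file--...` object. Since the example is being edited for the `record_reason` rename anyway, the reference should be corrected to `file--8c33da4c-fb61-4658-b28c-a5c60f561d78`.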
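Review bot: in the `@@ -615,7 +605,7 @@` hunk the same malformed reference `"visit_file_ref": "file-8c33da4c-fb61-4658-b28c-a5c60f561d78"` (single hyphen) appears in the RMU example and should likewise become `file--8c33da4c-...`. Separately, this example's `record_reason` value is `rmu` while the vocabulary table in the `@@ -309,6 +298,7 @@` hunk lists `mru` ("Most recently used files"); one of the two spellings should be corrected so the example validates against the vocabulary.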
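Review bot: the new MFT example in the `@@ -637,7 +627,41 @@` hunk is internally inconsistent: the lead-in says "A deletion was logged by MFT", yet the event carries `"visit_type": "read"`, and `"visit_file_ref": "file-f7d4aa7a-d02c-481e-8bdc-450cb0669b5d"` (single hyphen) does not match the id `"file--f7d4aa7a-d02c-481e-8bdc-450cb0669b5d"` of the file object added just below it, so the reference is dangling. The reference should use the `file--` form, and `visit_type` should be whichever `file-visit-type-enum` value denotes deletion rather than `read`. Unlike every other example in this file, the event also omits `created_by_software_ref`, and the `"visit_time "` key with a trailing space has been copied over from the earlier examples; the lead-in sentence should also end with a full stop.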
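Review bot: in the `@@ -650,7 +674,7 @@` hunk the AppLog example keeps `"record_reason": "rmu"`, but this event is described as logged by Google Drive and the vocabulary table in this same patch defines `applog` ("Logs generated by applications.") for exactly that case, so the line should be `"record_reason": "applog"`. As in the MFT example, a deletion is recorded with `"visit_type": "read"`, and the context line `"visit_file_ref": "file-8cdbf030-89d9-48be-b733-5f4900706f0e"` uses a single hyphen instead of the `file--` identifier form.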