digital-forensics-labs/digital-forensics-lab
1
0
Fork 0
mirror of https://github.com/frankwxu/digital-forensics-lab.git synced 2026-02-21 11:17:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

Browser History Record Object

Browse Source
This commit is contained in:
Frank Xu
2021-01-25 21:16:31 -05:00
parent cd9e4bcf56
commit eec14d9870
1 changed files with 83 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

102
STIX_external_reference/readme.md
View File

@@ -20,29 +20,71 @@
## Windows Security Event Object
**Type Name:** windows-security-evt
**Type Name:** x-windows-security-evt
## Properties
| Property Name | Type | Description |
| --------------- | ---------- | -------------------------------------------------------- |
| type (required) | string | The value of this property MUST be windows-security-evt. |
| id | identifier | The ID of a secuity type |
| level | integer | |
| task | integer | |
| opcode | integer | |
| created | timestamp | |
| record | integer | |
| process | integer | |
| thread | integer | |
| computer | string | The ID of the computer |
| user | string | The security user ID |
| Property Name | Type | Description |
| ------------------ | ---------- | -------------------------------------------------------- |
| type (required) | string | The value of this property MUST be windows-security-evt. |
| id (required) | identifier | The ID of a secuity type |
| level | integer | |
| task | integer | |
| opcode | integer | |
| created (required) | timestamp | |
| record | integer | |
| process | integer | |
| thread | integer | |
| computer | string | The name of the computer |
| user | string | The security user ID |
| belongs_to_ref | identity | The relation describes that the source is a part of file |
## Relationships
| Embedded Relationships | |
| ---------------------- | ---------- |
| created_by_ref | identifier |
| Source | Relationship Type | Target | Description |
| ------ | ----------------- | ------ | ----------- |
```json
{
"type": "x-windows-security-evt",
"spec_version": "2.1",
"id": "campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created": "2016-04-06T20:03:00.000Z",
"level": 0,
"opcode": 0,
"record": 1101704,
"proces": 58,
"thread": 511,
"Computer": "DC01.contoso.local",
"belongs_to_ref": "file--9460a8a8-6351-40bb-b5ad-18f3265bbf7a"
}
```
## Browser History Record Object
**Type Name:** x-browser-history-record
## Properties
| Property Name | Type | Description |
| ------------------ | ----------------------- | ----------------------------------------------------------------------------------------------------------------- |
| type (required) | string | The value of this property MUST be browser-history |
| id (required) | identifier | The ID of a browser history record |
| url | string | |
| title | string | The title of a web page has been visited |
| visit-time | timestamp | |
| visit-count | integer | The number of times visited |
| browser-type | identifier | The values for this property SHOULD come from the browser-type-ov open vocabulary. |
| file-requested_ref | identifier | The ID of the file the requst requested |
| computer | string | The name of the computer |
| user-account | identifier | The user-account that is associated with record |
| belongs_to_ref | list of type identifier | The source of object. The objects referenced in this list MUST be of type file or artifact (e.g., cache, memory). |
## Relationships
| Source | Relationship Type | Target | Description |
| ------ | ----------------- | ------ | ----------- |
```json
{
@@ -56,11 +98,33 @@
"record": 1101704,
"proces": 58,
"thread": 511,
"Computer": "DC01.contoso.local"
"Computer": "DC01.contoso.local",
"belongs_to_ref": "file--9460a8a8-6351-40bb-b5ad-18f3265bbf7a"
}
```
references:
## Browser Type Open Vocabulary
Vocabulary Name: browser-type-ov
| ocabulary Value | Description |
| --------------- | ------------------------------ |
| chrome | Google chrome browser |
| ie | Internet explore |
| edge | Microsoft Edge |
| firefox | Mozilla Firefox |
| safari | Apple Safari |
| chromium | Open source Chrome alternative |
| opera | |
| maxthon | |
| brave | |
| 360-secure | 360 Secure Browser |
| tor | |
| other | |
# references:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4608
- [Event Logging Structures](https://docs.microsoft.com/en-us/windows/win32/eventlog/event-logging-structures?redirectedfrom=MSDN)
- https://github.com/libyal/libevt/blob/main/documentation/Windows%20Event%20Log%20(EVT)%20format.asciidoc
- https://github.com/williballenthin/python-evtx