mirror of
https://github.com/frankwxu/digital-forensics-lab.git
synced 2026-04-10 12:13:44 +00:00
Cyber-observable Objects for Digital Forensics
The goal of the project is to customize STIX™ for facilitating the sharing of Cyber Forensic Intelligence as well as building the foundations for automated digital forensic investigations. The extension includes:
- create a list of customized STIX™ Cyber-observable Objects. We follow the STIX specification for customizing objects. The most important rule to create a new object type is that the value of the type property in a Custom Object SHOULD start with “x-” followed by a source unique identifier (like a domain name with dots replaced by hyphens), a hyphen and then the name. For example, x-example-com-customobject.
- property extension for Windows™ Registry Key Object. We focus on extending the data property of registry value as the data may contain rich information that needs to be organized and formalized as digital evidence. The pattern of the extension is shown below. Note that the string "x_data" is assigned to "data" (e.g., "data": "x_data") as a place holder and x_data:[] is the extended property that contains formalized information of data.
{
"type": "windows-registry-key",
"spec_version": "2.1",
"id": "windows-registry-key--2ba37ae7-2745-5082-9dfd-9486dad41016",
"key": "hkey_local_machine\\system\\bar\\foo",
"values": [
{
"name": "Foo",
"data": "x_data",
"data_type": "REG_BINARY"
}
],
"x_data": [
{
"type": "x-extended-type",
"id": "x-extended-type--83aee86d-1523-4111-938e-8edc8a6c804f"
}
]
}
Table of Contents (updating)
- SCOs for digital forensics
- Property Extension for Windows™ Registry Key Object
- Other extension
Windows Event Object
Type Name: x-windows-evt
Properties
| Property Name | Type | Description |
|---|---|---|
| type (required) | string | The value of this property MUST be windows-security-evt. |
| id (required) | identifier | The ID of a secuity type. |
| log_name (required) | enum | The value of this property MUST come from the log-nam-enum enumeration. |
| logged_time (required) | timestamp | |
| source | string | |
| event_id | integer | |
| task_category | string | |
| computer | string | The name of the computer. |
| user_account_ref | identifier | The user account that is associated with the evewnt. |
| belongs_to_ref (required) | identity | The relation describes that event is a part of file or artifact (e.g., cache, memory). |
Relationships
| Source | Relationship Type | Target | Description |
|---|
Log Name Enumeration
Enumeration Name: log-name-enum
| Vocabulary Value | Description |
|---|---|
| application | |
| security | |
| setup | |
| system | |
| forwarded-events |
Examples
{
"type": "x-windows-evt",
"spec_version": "2.1",
"id": "x-windows-evt--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"log_name": "security",
"logged_time": "2021-01-06T20:03:00.000Z",
"source": "Microsoft Windows security auditing.",
"event_id": "4624",
"task_category ": "Logon",
"computer": "ryzen3790-xu",
"user_account_ref ": "user-account--68f0b7d5-f7ab-47d2-8773-739ceb1c11bb",
"belongs_to_ref": "file--9460a8a8-6351-40bb-b5ad-18f3265bbf7a"
}
Browser History Event Object
Type Name: x-browser-history-evt
Properties
| Property Name | Type | Description |
|---|---|---|
| type (required) | string | The value of this property MUST be browser-history. |
| id (required) | identifier | The ID of a browser history event object. |
| url | string | |
| title | string | The title of a web page has been visited. |
| visit_time | timestamp | The last time visited. |
| visit_count | integer | The number of times visited |
| browser_name | string | The values for this property SHOULD come from the browser-name-ov open vocabulary. |
| browser_ref | identifier | The value type for this property SHOULD software. |
| file_requested_ref | identifier | The ID of the file the http requested. |
| user_account_ref | identifier | The user account that is associated with record. |
| belongs_to_ref (required) | identifier | The relation describes that event is a part of file or artifact (e.g., cache, memory). |
Relationships
| Source | Relationship Type | Target | Description |
|---|
Examples
{
"type": "x-browser-history-evt",
"spec_version": "2.1",
"id": "x-browser-history-evt--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"url": "https://www.ubalt.edu/cpa/undergraduate-majors-and-minors/majors/cyber-forensics/",
"title": "B.S. in Cyber Forensics | University of Baltimore",
"visit-time": "2021-01-06T20:03:22.000Z",
"visit-count": 2,
"browser_name": "chrome",
"browser_ref": "software--db997c40-458d-4da6-a339-6eef90cf325e",
"file_requested_ref ": "file--10624790-0e43-4498-89da-8979ab4215ae",
"user_account_ref ": "user-account--68f0b7d5-f7ab-47d2-8773-739ceb1c11bb",
"belongs_to_ref": "file--843f6a43-0603-4e0d-84a4-198386eecf4f"
}
Browser Name Open Vocabulary
Vocabulary Name: browser-name-ov
| ocabulary Value | Description |
|---|---|
| chrome | Google chrome browser |
| ie | Internet explore |
| edge | Microsoft Edge |
| firefox | Mozilla Firefox |
| safari | Apple Safari |
| chromium | Open source Chrome alternative |
| opera | |
| maxthon | |
| brave | |
| 360-secure | 360 Secure Browser |
| tor | |
| other |
Plug and Play (PnP) Event Object
Type Name: x-pnp-evt
The Windows Kernel-Mode Plug (pnp) and Play Manager SDO represents an event recorded by Plug and Play Manager. PnP is a combination of hardware technology and software techniques that enables a PC to recognize when a device is added to the system. With PnP, the system configuration can change with little or no input from the user.
Properties
The completed log properties can be access Microsoft office docs- Format of a text log section body
| Property Name | Type | Description |
|---|---|---|
| type (required) | string | The value of this property MUST be x-pnp-evt. |
| id (required) | identifier | The ID of a Plug and Play (PnP) Event object. |
| entry_prefix | enum | The values of this property MUST come from the message-type-ov enumeration. |
| time_stamp | timestamp | Indicates the system time when the logged event occurred. |
| event_category | string | Indicates the category of SetupAPI operation that made the log entry. MUST be one of predefined Event_category operation strings, e.g.device installation. |
| formatted_message | string | Contains the specific information that applies to the log entry. |
| belongs_to_ref (required) | identifier | The relation describes that event is a part of file or artifact (e.g., cache, memory), e.g., steupAPI.log |
Message Type Vocabulary
Vocabulary Name: message-type-ov
| ocabulary Value | Description |
|---|---|
| error | An Error message |
| warning | An warning message |
| other-info | Information message other than an error message or a warning message |
Examples
{
"type": "x-pnp-evt",
"spec_version": "2.1",
"id": "x-pnp-evt--58959aae-d1e0-4e12-a879-270efe33c6e3",
"entry_prefix": "other-info",
"time_stamp": "2021-01-06T20:03:22.000Z",
"event_category": "device installation",
"formatted_message ": "Device Install (Hardware initiated) - USB\\VID_0781&PID_5517\\4C5300124505311010593",
"belongs_to_ref": "file--176353bd-b61d-4944-b0cd-0b98783c50b5"
}
File Visit Event Object
Type Name: x-file-visit-evt
The File Visit Event object represents properties associasted with when a file is visited by an operating system, including when a file is read, modified, executed, preloaded. The event may be saved in different forms, e.g., file, cache, Windows registry, etc. If the event is saved in registry, it MUST saved in the data field of a registry values.
Properties
| Property Name | Type | Description |
|---|---|---|
| type (required) | string | The value of this property MUST be x-file-visit-evt. |
| id (required) | identifier | The ID of a File Visit Event object. |
| visit_type | enum | Specifies the visit options defined for the visit. The values of this property MUST come from the file-visit-type-enum enumeration. |
| visit_time | timestamp | Specifies the time a file was visited. |
| visit_file_guid | string | The GUID of an application, e.g., {A3D53349-6E61-4557-8FC7-0028EDCEEBF6}} is Windows 8. |
| count | integer | The total number of times the program has visited. |
| visit_file_ref (required) | identifier | The relation references the file that is recently visited. |
| common_name | string | Specifies the common name of source artifacts where the event is retrived from. It MUST come from the file-visit-event-common-name-ov open vocabulary. |
| belongs_to_ref (required) | identifier | The relation describes that event is a part of file (e.g., RecentFileCache.bcf or Amcache.hve), registry, or artifact. |
File Visit Type Enum
Vocabulary Name: file-visit-type-enum
| Vocabulary Value | Description |
|---|---|
| creation | A file was visited for creation. |
| reading | A file was visited for reading. |
| modification | A file was was visited for modification (content is to be modified). |
| updating | The meta data of a file was visited for changing (e.g. permissions) |
| execution | A file was visited for execution. |
| deletion | A file was visited for deletion. |
| preloadomg | A file was visited for preloading to memory. |
| prefetching | A file was visited for prefetching to memory. |
| loading | A file was visited for loading to memory. |
| unloadeding | A file was visited for unloadig from memory. |
| unknown |
File Visit Event Common Name Vocabulary
Vocabulary Name: file-visit-event-common-name-ov
| Vocabulary Value | Description |
|---|---|
| user-assist | On a Windows System, every GUI-based programs launched from the desktop are tracked in this registry key |
| shim-cache | Shimcache is created to identify application compatibility issues. |
| recent-file-cache | RecentFileCache.bcf only containes references to programs that recently executed. |
Example 1
RecentFileCache.bcf only containes references to programs that recently executed. setuputility.exe is recently executed.
[
{
"type": "x-file-visit-evt",
"spec_version": "2.1",
"id": "x-file-visit-evt--83aee86d-1523-4111-938e-8edc8a6c804f",
"visit_type": "execution",
"visit_time ": "2021-01-06T20:03:22.000Z",
"visit_file_ref": "file--7bd8980c-91eb-461a-a357-ae75a35374e6",
"common_name": "recent-file-cache",
"belongs_to_ref": "file--176353bd-b61d-4944-b0cd-0b98783c50b5"
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--7bd8980c-91eb-461a-a357-ae75a35374e6",
"size": 25536,
"name": "setuputility.exe "
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--176353bd-b61d-4944-b0cd-0b98783c50b5",
"hashes": {
"SHA-256": "fe90a7e910cb3a4739bed9180e807e93fa70c90f25a8915476f5e4bfbac681db"
},
"size": 51164,
"name": "RecentFileCache.bcf"
}
]
Example 2
Shimcache is created to identify application compatibility issues. Two actions/events that can cause the Shimcache to record an entry: (1) A file is executed and (2) A user interactively browses a directory.
[
{
"type": "x-file-visit-evt",
"spec_version": "2.1",
"id": "x-file-visit-evt--83aee86d-1523-4111-938e-8edc8a6c804f",
"visit_type": "executed",
"visit_time ": "2021-01-06T20:03:22.000Z",
"visit_file_ref": "file--7bd8980c-91eb-461a-a357-ae75a35374e6",
"common_name": "shim-cache",
"belongs_to_ref": "windows-registry-key--2ba37ae7-2745-5082-9dfd-9486dad41016"
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--150c4200-02c6-475d-ac44-2d4e65de9f36",
"size": 5536,
"name": "twext.dll "
},
{
"type": "windows-registry-key",
"spec_version": "2.1",
"id": "windows-registry-key--2ba37ae7-2745-5082-9dfd-9486dad41016",
"key": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\AppCompatCache\\"
}
]
Example 3
Windows System, every GUI-based programs launched from the desktop are tracked in this registry key HKEY_USERS{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist. An example of Security ID (SID) is S-1-5-21-394942887-4226445097-2438273937-1001.
[
{
"type": "x-file-visit-evt",
"spec_version": "2.1",
"id": "x-file-visit-evt--2bec785c-e1b0-4834-9a3a-9d04bd0749fe",
"visit_type": "executed",
"visit_time ": "2021-01-06T20:03:22.000Z",
"visit_file_ref": "file--674f8200-b56a-473b-9b1d-32a911ac5387",
"common_name": "user-assist",
"belongs_to_ref": "windows-registry-key--2ba37ae7-2745-5082-9dfd-9486dad41016"
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--150c4200-02c6-475d-ac44-2d4e65de9f36",
"count": "1",
"size": 55136,
"name": "WINWORD.EXE "
},
{
"type": "windows-registry-key",
"spec_version": "2.1",
"id": "windows-registry-key--2ba37ae7-2745-5082-9dfd-9486dad41016",
"key": "HKEY_USERS\\S-1-5-21-394942887-4226445097-2438273937-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist"
}
]
threat-actor-type-ov external reference
| Vocabulary Value | Description |
|---|---|
| criminal-intellectual-property-theft | An individual that intentionally deprives someone of his or her intellectual property |
| criminal-ransomware | |
| criminal-business-email-compromise | |
| criminal-identity-theft | |
| criminal-spoofing-and-phishing | |
| criminal-memory-laundry | |
| insider-disgruntled-sabotage | |
| insider-disgruntled-violence | |
| insider-disgruntled-theft | |
| insider-disgruntled-fraud | |
| insider-disgruntled-espionage | |
| insider-disgruntled-embarrassing | |
| insider-disgruntled-harassing | |
| illegal-possessor | An individual that owns, produces, distributes illegal information and device. |
| online- predators | An individual that makes sexual advances to minors. |
references:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4608
- Event Logging Structures
- https://github.com/libyal/libevt/blob/main/documentation/Windows%20Event%20Log%20(EVT)%20format.asciidoc
- https://github.com/williballenthin/python-evtx
- https://www.loggly.com/ultimate-guide/windows-logging-basics/#:~:text=The%20Windows%20event%20log%20contains,For%20example%2C%20IIS%20Access%20Logs.
- https://docs.microsoft.com/en-us/windows-hardware/drivers/install/format-of-a-text-log-section-body