digital-forensics-labs/digital-forensics-lab
1
0
Fork 0
mirror of https://github.com/frankwxu/digital-forensics-lab.git synced 2026-04-10 12:13:44 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
f4d9d5957e0f57e31df9441cc6b3c7cac06a698f
digital-forensics-lab/STIX_for_digital_forensics
History
Frank Xu f4d9d5957e add stix
2021-01-29 14:42:09 -05:00
..
readme.md
add stix
2021-01-29 14:42:09 -05:00

readme.md

Cyber-observable Objects for Digital Forensics

The goal of the project is to customize STIX™ for facilitating the sharing of Cyber Forensic Intelligence as well as building the foundations for automated digital forensic investigations. The extension includes:

  • create a list of customized STIX™ Cyber-observable Objects. We follow the STIX specification for customizing objects. The most important rule to create a new object type is that the value of the type property in a Custom Object SHOULD start with “x-” followed by a source unique identifier (like a domain name with dots replaced by hyphens), a hyphen and then the name. For example, x-example-com-customobject.
  • property extension for Windows™ Registry Key Object. We focus on extending the data property of registry value as the data may contain rich information that needs to be organized and formalized as digital evidence. The pattern of the extension is shown below. Note that the string "x_data" is assigned to "data" (e.g., "data": "x_data") as a place holder and x_data:[] is the extended property that contains formalized information of data.
{
  "type": "windows-registry-key",
  "spec_version": "2.1",
  "id": "windows-registry-key--2ba37ae7-2745-5082-9dfd-9486dad41016",
  "key": "hkey_local_machine\\system\\bar\\foo",
  "values": [
    {
      "name": "Foo",
      "data": "x_data",
      "data_type": "REG_BINARY"
    }
  ],
  "x_data": [
    {
      "type": "x-extended-type",
      "id": "x-extended-type--83aee86d-1523-4111-938e-8edc8a6c804f"
    }
  ]
}

Table of Contents (updating)

Windows Event Object

Type Name: x-windows-evt

The WIndow Event object represents an event generated by Windows OS, including applicatioin, security, steup, system, and forwarded-events.

Properties

Property Name Type Description
type (required) string The value of this property MUST be windows-security-evt.
id (required) identifier The ID of a secuity type.
log_name (required) enum The value of this property MUST come from the log-nam-enum enumeration.
logged_time (required) timestamp
source string
event_id integer
task_category string
computer string The name of the computer.
user_account_ref identifier The user account that is associated with the evewnt.
belongs_to_ref (required) identity The relation describes that event is a part of file or artifact (e.g., cache, memory).

Relationships

Source Relationship Type Target Description

Windows Event Log Name Enumeration

Enumeration Name: windows-event-log-name-enum

Vocabulary Value Description
application
security
setup
system
forwarded-events

Examples

{
  "type": "x-windows-evt",
  "spec_version": "2.1",
  "id": "x-windows-evt--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
  "log_name": "security",
  "logged_time": "2021-01-06T20:03:00.000Z",
  "source": "Microsoft Windows security auditing.",
  "event_id": "4624",
  "task_category ": "Logon",
  "computer": "ryzen3790-xu",
  "user_account_ref ": "user-account--68f0b7d5-f7ab-47d2-8773-739ceb1c11bb",
  "belongs_to_ref": "file--9460a8a8-6351-40bb-b5ad-18f3265bbf7a"
}

Browser History Event Object

Type Name: x-browser-history-evt

The Browser History Event object represent a single visit to a URL.

Properties

Property Name Type Description
type (required) string The value of this property MUST be browser-history.
id (required) identifier The ID of a browser history event object.
url_ref identifier Specify a visit to a url.
title string Speify the title of a web page (if a URL is a webpage) that has been visited.
visit_time timestamp The last time visited.
visit_count integer The number of times visited
browser_name string The values for this property SHOULD come from the browser-name-ov open vocabulary.
browser_ref identifier The value type for this property SHOULD software.
file_requested_ref identifier The ID of the file the http requested.
user_account_ref identifier The user account that is associated with record.
belongs_to_ref (required) identifier The relation describes that event is a part of file or artifact (e.g., cache, memory).

Relationships

Source Relationship Type Target Description

Examples

[
  {
    "type": "x-browser-history-evt",
    "spec_version": "2.1",
    "id": "x-browser-history-evt--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
    "url_ref": "url--9cc5a5dc-0acd-46f5-ae3f-724370087622",
    "title": "B.S. in Cyber Forensics | University of Baltimore",
    "visit-time": "2021-01-06T20:03:22.000Z",
    "visit-count": 2,
    "browser_name": "chrome",
    "browser_ref": "software--db997c40-458d-4da6-a339-6eef90cf325e",
    "file_requested_ref ": "file--10624790-0e43-4498-89da-8979ab4215ae",
    "user_account_ref ": "user-account--68f0b7d5-f7ab-47d2-8773-739ceb1c11bb",
    "belongs_to_ref": "file--843f6a43-0603-4e0d-84a4-198386eecf4f"
  },
  {
    "type": "url",
    "spec_version": "2.1",
    "id": "url--9cc5a5dc-0acd-46f5-ae3f-724370087622",
    "value": "https://www.ubalt.edu/cpa/undergraduate-majors-and-minors/majors/cyber-forensics/"
  }
]

Browser Name Open Vocabulary

Vocabulary Name: browser-name-ov

ocabulary Value Description
chrome Google chrome browser
ie Internet explore
edge Microsoft Edge
firefox Mozilla Firefox
safari Apple Safari
chromium Open source Chrome alternative
opera
maxthon
brave
360-secure 360 Secure Browser
tor
other

Plug and Play (PnP) Event Object

Type Name: x-pnp-evt

The Plug and Play (PnP) Event object represents an event recorded by Windows Kernel-Mode Plug (pnp) and Play Manager. PnP manager is a combination of hardware technology and software techniques that enables a PC to recognize when a device is added to the system. With PnP, the system configuration can change with little or no input from the user.

Properties

The completed log properties can be access Microsoft office docs- Format of a text log section body

Property Name Type Description
type (required) string The value of this property MUST be x-pnp-evt.
id (required) identifier The ID of a Plug and Play (PnP) Event object.
entry_prefix enum The values of this property MUST come from the message-type-ov enumeration.
time_stamp timestamp Indicates the system time when the logged event occurred.
event_category string Indicates the category of SetupAPI operation that made the log entry. MUST be one of predefined Event_category operation strings, e.g.device installation.
formatted_message string Contains the specific information that applies to the log entry.
belongs_to_ref (required) identifier The relation describes that event is a part of file or artifact (e.g., cache, memory), e.g., steupAPI.log

Message Type Vocabulary

Vocabulary Name: message-type-ov

ocabulary Value Description
error An Error message
warning An warning message
other-info Information message other than an error message or a warning message

Examples

{
  "type": "x-pnp-evt",
  "spec_version": "2.1",
  "id": "x-pnp-evt--58959aae-d1e0-4e12-a879-270efe33c6e3",
  "entry_prefix": "other-info",
  "time_stamp": "2021-01-06T20:03:22.000Z",
  "event_category": "device installation",
  "formatted_message ": "Device Install (Hardware initiated) - USB\\VID_0781&PID_5517\\4C5300124505311010593",
  "belongs_to_ref": "file--176353bd-b61d-4944-b0cd-0b98783c50b5"
}

File Visit Event Object

Type Name: x-file-visit-evt

The File Visit Event object represents properties associasted with when a file/directory is visited by an operating system, including when a file is read, modified, executed, preloaded. etc. The event may be saved in different forms, e.g., file, cache, Windows registry, etc.

Properties

Property Name Type Description
type (required) string The value of this property MUST be x-file-visit-evt.
id (required) identifier The ID of a File Visit Event object.
visit_type enum Specifies the visit options defined for the visit. The values of this property MUST come from the file-visit-type-enum enumeration.
visit_time timestamp Specifies the time a file was visited.
visit_file_guid string The GUID of an application, e.g., {A3D53349-6E61-4557-8FC7-0028EDCEEBF6}} is Windows 8.
count integer The total number of times the program has visited.
visit_file_ref (required) identifier Specifies the file or directory that was recently visited.
event_type string Specifies the event type of source artifacts where the event is retrived from. It MUST come from the file-visit-event-common-name-ov open vocabulary.
belongs_to_ref (required) identifier The relation describes that event is a part of file (e.g., RecentFileCache.bcf or Amcache.hve), registry, artifact, or or directory.

File Visit Type Enum

Vocabulary Name: file-visit-type-enum

Vocabulary Value Description
creation A file was visited for creation.
reading A file was visited for reading.
modification A file was was visited for modification (content is to be modified).
updating The meta data of a file was visited for changing (e.g. permissions)
execution A file was visited for execution.
deletion A file was visited for deletion.
preloading A file was visited for preloading to memory.
prefetching A file was visited for prefetching to memory.
loading A file was visited for loading to memory.
unloadeding A file was visited for unloadig from memory.
other
unknown

File Visit Event Common Name Vocabulary

Vocabulary Name: file-visit-event-common-name-ov

Vocabulary Value Description
userassist Track every GUI-based programs launched from the desktop in the userassist registry key.
shimcache Shimcache is created to identify application compatibility issues.
recentfilecache RecentFileCache.bcf only containes references to programs that recently executed.
prefetch
muicache Support multiple language for software.
usnjournal Store Update Sequence Number Journal.
shellbags Store user preferences for GUI folder display within Windows Explorer.
jumplist Represents a list of items and tasks displayed as a menu on a Windows 7 taskbar button.

Type 1: RecentFileCache

RecentFileCache.bcf only containes references to programs that recently executed. setuputility.exe is recently executed.

[
  {
    "type": "x-file-visit-evt",
    "spec_version": "2.1",
    "id": "x-file-visit-evt--83aee86d-1523-4111-938e-8edc8a6c804f",
    "visit_type": "execution",
    "visit_time ": "2021-01-06T20:03:22.000Z",
    "visit_file_ref": "file--7bd8980c-91eb-461a-a357-ae75a35374e6",
    "event_type": "recentfilecache",
    "belongs_to_ref": "file--176353bd-b61d-4944-b0cd-0b98783c50b5"
  },
  {
    "type": "file",
    "spec_version": "2.1",
    "id": "file--7bd8980c-91eb-461a-a357-ae75a35374e6",
    "size": 25536,
    "name": "setuputility.exe "
  },
  {
    "type": "file",
    "spec_version": "2.1",
    "id": "file--176353bd-b61d-4944-b0cd-0b98783c50b5",
    "hashes": {
      "SHA-256": "fe90a7e910cb3a4739bed9180e807e93fa70c90f25a8915476f5e4bfbac681db"
    },
    "size": 51164,
    "name": "RecentFileCache.bcf"
  }
]

Type 2: Shimcache

Shimcache is created to identify application compatibility issues. Two actions/events that can cause the Shimcache to record an entry: (1) A file is executed and (2) A user interactively browses a directory.

[
  {
    "type": "x-file-visit-evt",
    "spec_version": "2.1",
    "id": "x-file-visit-evt--83aee86d-1523-4111-938e-8edc8a6c804f",
    "visit_type": "executed",
    "visit_time ": "2021-01-06T20:03:22.000Z",
    "visit_file_ref": "file--7bd8980c-91eb-461a-a357-ae75a35374e6",
    "event_type": "shimcache",
    "belongs_to_ref": "windows-registry-key--2ba37ae7-2745-5082-9dfd-9486dad41016"
  },
  {
    "type": "file",
    "spec_version": "2.1",
    "id": "file--150c4200-02c6-475d-ac44-2d4e65de9f36",
    "size": 5536,
    "name": "twext.dll "
  },
  {
    "type": "windows-registry-key",
    "spec_version": "2.1",
    "id": "windows-registry-key--2ba37ae7-2745-5082-9dfd-9486dad41016",
    "key": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\AppCompatCache\\"
  }
]

Type 3: UserAssist

Windows System, every GUI-based programs launched from the desktop are tracked in this registry key HKEY_USERS{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist. An Example of Security ID (SID) is S-1-5-21-394942887-4226445097-2438273937-1001.

[
  {
    "type": "x-file-visit-evt",
    "spec_version": "2.1",
    "id": "x-file-visit-evt--2bec785c-e1b0-4834-9a3a-9d04bd0749fe",
    "visit_type": "execution",
    "visit_time ": "2021-01-06T20:03:22.000Z",
    "visit_file_ref": "file--674f8200-b56a-473b-9b1d-32a911ac5387",
    "event_type": "userassist",
    "belongs_to_ref": "windows-registry-key--2ba37ae7-2745-5082-9dfd-9486dad41016"
  },
  {
    "type": "file",
    "spec_version": "2.1",
    "id": "file--150c4200-02c6-475d-ac44-2d4e65de9f36",
    "count": "1",
    "size": 55136,
    "name": "WINWORD.EXE "
  },
  {
    "type": "windows-registry-key",
    "spec_version": "2.1",
    "id": "windows-registry-key--2ba37ae7-2745-5082-9dfd-9486dad41016",
    "key": "HKEY_USERS\\S-1-5-21-394942887-4226445097-2438273937-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist"
  }
]

Type 4: Prefetch

Prefetch preloads most frequently used software into memory. The Typeshows the chrome.exe-999b1ba.pf contains chrome.exe-999b1ba.exe, the time when the exe file is executed, last time executed, and how many times it was exeucted.

[
  {
    "type": "x-file-visit-evt",
    "spec_version": "2.1",
    "id": "x-file-visit-evt--2bec785c-e1b0-4834-9a3a-9d04bd0749fe",
    "visit_type": "execution",
    "visit_time ": "2021-01-06T20:03:22.000Z",
    "count": 71,
    "visit_file_ref": "file--674f8200-b56a-473b-9b1d-32a911ac5387",
    "event_type": "prefetch",
    "belongs_to_ref": "file--2ba37ae7-2745-5082-9dfd-9486dad41016"
  },
  {
    "type": "file",
    "spec_version": "2.1",
    "id": "file--150c4200-02c6-475d-ac44-2d4e65de9f36",
    "name": "chrome.exe-999b1ba.exe "
  },
  {
    "type": "file",
    "spec_version": "2.1",
    "id": "file--2ba37ae7-2745-5082-9dfd-9486dad41016",
    "hashes": {
      "MD5": "af15a4b4b0c8378d1206336962d7b5b9"
    },
    "name": "chrome.exe-999b1ba.pf "
  }
]

Type 5: USNJournal

USN (Update Sequence Number) Journal records all files changes (e.g.., rename) that are made to volume.

[
  {
    "type": "x-file-visit-evt",
    "spec_version": "2.1",
    "id": "x-file-visit-evt--2bec785c-e1b0-4834-9a3a-9d04bd0749fe",
    "visit_type": "modification",
    "visit_time ": "2021-01-06T20:03:22.000Z",
    "visit_file_ref": "file--674f8200-b56a-473b-9b1d-32a911ac5387",
    "event_type": "usnjournal",
    "belongs_to_ref": "file--2ba37ae7-2745-5082-9dfd-9486dad41016"
  },
  {
    "type": "file",
    "spec_version": "2.1",
    "id": "file--150c4200-02c6-475d-ac44-2d4e65de9f36",
    "name": "Desert.jpg "
  },
  {
    "type": "file",
    "spec_version": "2.1",
    "id": "file--2ba37ae7-2745-5082-9dfd-9486dad41016",
    "hashes": {
      "MD5": "eaeb631cc86f85835dcad66766b8f3cc"
    },
    "name": "UsnJrnl_2020-11-28.csv"
  }
]

Type 6: Shellbags

Windows uses the Shellbag keys to store user preferences for GUI folder display within Windows Explorer to improve user experience and “remember” preferences. The following Type descrbes a USB drive is visited.

[
  {
    "type": "x-file-visit-evt",
    "spec_version": "2.1",
    "id": "x-file-visit-evt--2bec785c-e1b0-4834-9a3a-9d04bd0749fe",
    "visit_type": "read",
    "visit_time ": "2021-01-06T20:03:22.000Z",
    "visit_file_ref": "file--28d2e12c-c56c-4aaf-aeed-d0b69ccc601c",
    "event_type": "shellbags",
    "belongs_to_ref": "file--14a4a46c-0957-4b9d-900d-35cb8379055c"
  },
  {
    "type": "directory",
    "spec_version": "2.1",
    "id": "directory--28d2e12c-c56c-4aaf-aeed-d0b69ccc601c",
    "name": "My Computer\\E:\\"
  },
  {
    "type": "file",
    "spec_version": "2.1",
    "id": "file--14a4a46c-0957-4b9d-900d-35cb8379055c",
    "hashes": {
      "MD5": "1741ab33fd6a05a4963564f36a043afc"
    },
    "name": "UsrClass_informat.dat"
  }
]

Type 7: Jumplist

Jumplist represents a list of items and tasks displayed as a menu on a Windows 7 taskbar button. The following Type shows a Jumplist of Word 2010 Pinned and Recent accessed files.

[
  {
    "type": "x-file-visit-evt",
    "spec_version": "2.1",
    "id": "x-file-visit-evt--2bec785c-e1b0-4834-9a3a-9d04bd0749fe",
    "visit_type": "read",
    "visit_time ": "2021-01-06T20:03:22.000Z",
    "visit_file_ref": "file--28d2e12c-c56c-4aaf-aeed-d0b69ccc601c",
    "event_type": "jumplist",
    "belongs_to_ref": "file--14a4a46c-0957-4b9d-900d-35cb8379055c"
  },
  {
    "type": "file",
    "spec_version": "2.1",
    "id": "file--28d2e12c-c56c-4aaf-aeed-d0b69ccc601c",
    "name": "winter_whether_advisory.zip"
  },
  {
    "type": "file",
    "spec_version": "2.1",
    "id": "file--14a4a46c-0957-4b9d-900d-35cb8379055c",
    "hashes": {
      "MD5": "9857b91a6427496e72d779893e6d49fb"
    },
    "name": "a7bd71699cd38d1c.automaticDestinations-ms"
  }
]

Type 8: Lnk

lnk is a shortcut or "link" used by Windows as a reference to an original file, folder, or application. The example describes an event is generated when a file is accessed by a link.

[
  {
    "type": "x-file-visit-evt",
    "spec_version": "2.1",
    "id": "x-file-visit-evt--ac69c037-c578-4c5e-ad6a-23d53a0b1d6e",
    "visit_type": "read",
    "visit_time ": "2021-01-16T21:03:22.000Z",
    "visit_file_ref": "file-8c33da4c-fb61-4658-b28c-a5c60f561d78",
    "event_type": "lnk",
    "belongs_to_ref": "file--676b743a-3a56-4084-aeb5-fa9cfadf5663"
  },
  {
    "type": "file",
    "spec_version": "2.1",
    "id": "file--8c33da4c-fb61-4658-b28c-a5c60f561d78",
    "name": "(secret_project)_pricing_decision.xlsx"
  },
  {
    "type": "file",
    "spec_version": "2.1",
    "id": "file--676b743a-3a56-4084-aeb5-fa9cfadf5663",
    "hashes": {
      "MD5": "9857b91a6427496e72d779893e6d49fb"
    },
    "name": "(secret_project)_pricing_decision.xlsx.lnk"
  }
]

threat-actor-type-ov external reference

Vocabulary Value Description
criminal-intellectual-property-theft An individual that intentionally deprives someone of his or her intellectual property
criminal-ransomware
criminal-business-email-compromise
criminal-identity-theft
criminal-spoofing-and-phishing
criminal-memory-laundry
insider-disgruntled-sabotage
insider-disgruntled-violence
insider-disgruntled-theft
insider-disgruntled-fraud
insider-disgruntled-espionage
insider-disgruntled-embarrassing
insider-disgruntled-harassing
illegal-possessor An individual that owns, produces, distributes illegal information and device.
online- predators An individual that makes sexual advances to minors.

references:
Reference in New Issue View Git Blame Copy Permalink