casework / case-mapping-python Goto Github PK
View Code? Open in Web Editor NEWLicense: Apache License 2.0
case-mapping-python's People
Contributors
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
Watchers
case-mapping-python's Issues
Continuous Integration
This repository would benefit from Continuous Integration to review the state of its generated results, e.g. using case_validate against an automatically or manually generated results file. This would help catch some issues, e.g. #2 , after #23 is merged.
How to generate results is possibly worth a separate discussion. But so long as case.json is tracked in the top source directory, there is at least one piece of example data that could be run through case_validate.
EventFacet class must be replaced by EventRecordFacet class
The below example contains only the main properties. Other additional properties are:
- observable:eventRecordServiceName. The service that generated the event record. A single application can have multiple services generating event records.
- observable:eventRecordDevice The device on which the log entry was generated. It's an @id reference to an observable_Device
- observable:application. The app generating the event, it's an @id reference to an observableApplicationFacet
- observable:startTime and observable:endTime
- Example:
{
"@id": "kb:fe688202-4b21-48d2-b07d-170e14971935",
"@type": "uco-observable:ObservableObject",
"uco-core:hasFacet": [
{
"@id": "kb:a45c81a7-9afc-482d-9d37-a2b55ddb570d",
"@type": "uco-observable:EventRecordFacet",
"uco-observable:eventType": "PowerEvent",
"uco-observable:eventRecordText": "Power on",
"uco-observable:observableCreatedTime": {
"@type": "xsd:dateTime",
"@value": "2021-05-18T11:31:46+00:00"
}
}
]
}uco-core:Bundle should not to be used
- It is better not to use the uco-core:Bundle class to indicate the UCO/CASE version and the general description of the JSON-LD file. New properties will be introduced in next releases. Alternatively a generic ObservableObject with rdf:comments can be used inside the uco-core:object property array:
- Example:
{
"@id": "kb:cbd39ad4-ab25-452d-b03e-10364c7fd40e",
"@type": "uco-observable:ObservableObject",
"rdfs:comment": "name: D.F. Expert",
"rdfs:comment": "version: CASE 1.0.0",
"rdfs:comment": "description: Device example complied with UCO/CASE 1.0.0"
}
observable:ApplicationVersion to be implemented
The Artifact related to the Installed Application should be included in the library by using the observable:ApplicationVersion class. Moreover the ApplicationFacet class must be extended comprising the property observable:installedVersionHistory, a reference to an observable:ApplicationVersion Observable.
case-investigation:ProvenanceRecord class
- The case-investigation:exhibitNumber property is a string, not an integer.
FileFacet class
- The following properties must be changed:
- from uco-observable:fileLocalPath into drafting:fileLocalPath
- from uco-core:objectCreatedTime into uco-observable:observableCreatedTime
- from uco-core:objectModifiedTime into uco-observable:modifiedTime
- from uco-core:objectAccessedTime into uco-observable:accessedTime
- the uco-core:tag property must contain a string value and be put outside the core:hasFacet, because FileFacet is not a subclass of core:UcoObject. Alternatively it could be used the uco-observable:mimeType property.
ActionReferencesFacet class
- The class has been deleted. The case-investigation:InvestigativeAction class has a slight different structure, shown in thee above example. The class can be also replaced by the more general uco-action:Action class.
{
"@id": "kb:0d549b0e-4484-4858-9e48-fb21e3f317f7",
"@type": "case-investigation:InvestigativeAction",
"rdfs:comment": "also the @type= uco-action:Action is admsissible",
"uco-core:name": "Forensic mobile device acquisition",
"uco-action:startTime": {
"@type": "xsd:dateTime",
"@value": "2021-07-29T12:28:49+00:00"
},
"uco-action:endTime": {
"@type": "xsd:dateTime",
"@value": "2021-07-29T12:43:44+00:00"
},
"uco-action:performer": {
"@id": "kb:8e4f771d-4fa0-4f70-b593-20d8f00e0461"
},
"uco-action:instrument": {
"@id": "kb:4252f4ee-d2bd-4d83-bbb4-2669a7be8286"
},
"uco-action:result": [
{
"@id": "kb:9ebe7b98-5323-4bf5-b44a-d499c928b93d"
}
],
"uco-action:object": {
"@id": "kb:e4912cd1-abc3-4ad4-9d73-f54379752e02"
}
}
Each Facet/@type require to have IRIs (`@id`s)
Each Facet does get its own different @id, with its own distinct UUIDv4 (ucoProject/UCO#430).
Example:
{
"@id": "kb:5340d5ad-0fe1-463c-a461-f211e64edfd4",
"@type": "uco-observable:ObservableObject",
"uco-core:hasFacet": [
{
"@id": "kb:1723ed9c-2d8e-415c-8cf6-31599c49df79",
"@type": "uco-observable:ApplicationFacet",
"uco-observable:applicationIdentifier": "com.whatsapp",
"uco-observable:version": "1.23.45"
}
]
}PhoneCallFacet has been replaced by CallFacet
- the old class PhoneCallFacet does not exist anymore, the new one Call must be used instead. The CallFacet is more consistent with the current technology, where more participants may be involved in a call, even though case_builder was already able to process the uco-observable:to as a tuple.
- the new class contains the participant property. I do not know what its meaning is. When I generate the JSON-LD files from my parsers the property is ignored.
- Example:
"uco-core:object": [
{
"@id": "kb:0d191a90-7f5f-4df7-9cc3-3b5024e66983",
"@type": "uco-observable:ObservableObject",
"uco-core:hasFacet": [
{
"@id": "kb:f35ce51a-cb45-49ca-83d1-546cedd73b21",
"@type": "uco-observable:ApplicationFacet",
"uco-observable:applicationIdentifier": "Native"
}
]
},
{
"@id": "kb:d4d81ef9-9598-4e29-aaf6-297c47315269",
"@type": "uco-observable:ObservableObject",
"uco-core:hasFacet": [
{
"@id": "4cb32da0-4d54-49c6-9de7-961135c86578",
"@type": "uco-observable:AccountFacet",
"uco-observable:accountIdentifier": "Rose Noomur",
"uco-observable:isActive": {
"@type": "xsd:boolean",
"@value": true
}
},
{
"@id": "d25ecc35-74ea-4c82-b7e3-4e082a7c6e54",
"@type": "uco-observable:PhoneAccountFacet",
"uco-observable:phoneNumber": "+19734468551",
"uco-observable:displayName": "Rose dear"
}
]
},
{
"@id": "kb:e91445f8-406b-4ade-bd12-ec9ecdce5810",
"@type": "uco-observable:ObservableObject",
"uco-core:hasFacet": [
{
"@id": "fdf3e4cf-8d9b-4959-97f1-3506e5132ac9",
"@type": "uco-observable:AccountFacet",
"uco-observable:accountIdentifier": "Jane Malone",
"uco-observable:isActive": {
"@type": "xsd:boolean",
"@value": true
}
},
{
"@id": "b9f40fda-b69f-48c6-9efd-d1c3858bbb26",
"@type": "uco-observable:PhoneAccountFacet",
"uco-observable:phoneNumber": "+19732941683/19732941683",
"uco-observable:displayName": "Jane M."
}
]
},
{
"@id": "kb:238070ba-b740-4aa9-89af-4f52d0efc1a0",
"@type": "uco-observable:ObservableObject",
"uco-core:hasFacet": [
{
"@id": "kb:a8bdd70b-3d5d-4196-8f27-45ff429fbc6f",
"@type": "uco-observable:CallFacet",
"uco-observable:callType": "incoming",
"uco-observable:allocationStatus": "Intact",
"uco-observable:duration": {
"@type": "xsd:integer",
"@value": "0"
},
"uco-observable:startTime": {
"@type": "xsd:dateTime",
"@value": "2022-01-19T21:38:19.023000+00:00"
},
"uco-observable:application": {
"@id": "kb:0d191a90-7f5f-4df7-9cc3-3b5024e66983"
},
"uco-observable:from": {
"@id": "kb:d4d81ef9-9598-4e29-aaf6-297c47315269"
},
"uco-observable:to": {
"@id": "kb:e91445f8-406b-4ade-bd12-ec9ecdce5810"
}
}
]
}
] Generic ObservableObjects should be avoided when other classes exist
example.py currently yields some graph nodes typed as uco-observable:ObservableObject without further subtyping.
More specific classes should be used when available. However, this might require a less manual maintenance method for aligning the Python class structure with the ontology.
ApplicationFacet class
- It is possible to use observable:applicationIdentifier instead of uco-core:name, even though the new property does not have an explicit semantic. Alternatively also the core:name can be used but outside the uco-core:hasFacet array.
- Example:
{
"@id": "kb:0d191a90-7f5f-4df7-9cc3-3b5024e66983",
"@type": "uco-observable:ObservableObject",
"uco-core:name": "Native application",
"uco-core:hasFacet": [
{
"@id": "kb:f35ce51a-cb45-49ca-83d1-546cedd73b21",
"@type": "uco-observable:ApplicationFacet",
"uco-observable:applicationIdentifier": "Native"
}
]
}CalendarEntryFacet calss
The following properties must be corrected:
- observable:subject --> uco:observable:subject
- observable:isPrivate --> uco:observable:isPrivate
observable:BrowserBookmarkFacet to be implemented
The Web Bookmark artifact should be included in the CASE representation. Example
{
"@id": "kb:98d0fe58-91ee-49ad-a53a-ae5218d4bf5e",
"@type": "uco-observable:ObservableObject",
"uco-core:hasFacet": [
{
"@id": "kb:dac8b0f0-4370-4caa-8f74-cd28f0f51b2c",
"@type": "observable:BrowserBookmarkFacet",
"observable:accessedTime": {
"@type": "xsd:dateTime",
"@value": "2023-09-11:23:44+00:00"
},
"uco-observable:observableCreatedTime": {
"@type": "xsd:dateTime",
"@value": "2023-05-20T18:04:37+00:00"
},
"observable:modifiedTime": {
"@type": "xsd:dateTime",
"@value": "2023-08-20T18:04:37+00:00"
},
"observable:bookmarkPath": "/Mobile Bookmarks",
"uco-observable:application": {
"@id": "kb:7096b5ea-dedb-45ff-97fe-2652e508acd1"
},
"observable:urlTargeted": {
"@id": "kb:658ad522-263f-44ae-b6da-afbd30658e50"
}
}
]
},
{
"@id": "kb:7096b5ea-dedb-45ff-97fe-2652e508acd1",
"@type": "uco-observable:ObservableObject",
"uco-core:hasFacet": [
{
"@id": "kb:d58b3fb6-1caa-4e64-99f5-7f788aaa63e2",
"@type": "uco-observable:ApplicationFacet",
"uco-core:name": "Safari"
}
]
},
{
"@id": "kb:658ad522-263f-44ae-b6da-afbd30658e50",
"@type": "uco-observable:ObservableObject",
"uco-core:hasFacet": [
{
"@id": "kb:460031a0-a39d-4968-91a7-bfd248b7ad2a",
"@type": "uco-observable:URLFacet",
"uco-observable:fullValue": "www.macrumors.com"
}
]
},Revise UCO IRI structure
Users of UCO 0.7.0 and earlier should be aware that their UCO IRI prefixes should be adjusted. For instance, the prefix of the Action namespace is
"uco-action": "https://ontology.unifiedcyberontology.org/uco/action/"
The old one was:
"uco-action": "https://unifiedcyberontology.org/ontology/uco/action#"
Similar to CASE CP-34, to utilise an “ontology” subdomain, end with a slash and remove @base (CP 107).
The AccountAuthenticationFacet class must be added
The class allows the representation of the Password Artifact, even though it contains a few properties only and the following data are not covered (to be discussed in a AC meeting):
<Hit sequenceNumber="1">
<Fragment name="Service">IGSG-CNR</Fragment>
<Fragment name="Artifact">Android Wi-Fi Profiles</Fragment>
</Hit>MessageThread structure has changed
The class uses the co:element instead of uco-observable:message + "olo:slot".
Example:
{
"@id": "kb:4237ff8b-e049-4a56-bcf7-e89ed2797d83",
"@type": "uco-observable:MessageThread",
"uco-core:hasFacet": [
{
"@id": "kb:0cd2f9f8-9040-4af7-82f8-8287fb3f861d",
"@type": "uco-observable:MessageThreadFacet",
"identifier": "[email protected]",
"uco-observable:displayName": "Best Friend Chat!!",
"uco-observable:messageThread": {
"@id": "kb:1a921f84-eadd-4591-be0d-57b936933622",
"@type": "uco-types:Thread",
"co:size": {
"@type": "xsd:nonNegativeInteger",
"@value": 2
},
"co:element": [
{
"@id": "kb:d8330d5a-b8de-4425-9cd8-a37b038afe81"
},
{
"@id": "kb:3328fbc7-1f63-4e66-b8fc-e27143a64331"
}
]
},
"uco-observable:participant": [
{
"@id": "kb:a5931c7e-fc1e-4def-a618-fc31d9ae4cc7"
},
{
"@id": "kb:f135dee3-ba06-4ded-ad63-5484ce240ec8"
}
]
}
]
}- co:element refers to a list of Message objects (not ObservableObject!)
- the example uses the class "@type": "uco-observable:MessageThreadFacet", instead of "@type": "uco-observable:ObjectObservable", because it’s a subclass of the latter. Both classes can be used.
- the "co:element" array property is equal to the old uco-observable:message + "olo:slot"
- the "co:item" array property is not compulsory and it serves to indicate the sequential order of the messages (aim not completely clear), the parsers do not use that property
- the "uco-observable:participant" property remains the same
- the items of the co:item link to a message observable but it’s not a uco-observable:ObservableObject but it’s a uco-observable:Message
- the use of "@type": "uco-observable:MessageThread" is because it is a subclass of ObservableObject, so it is also possible uso the super class.
class observable:OperatingSystemFacet
- The uco-core:name property is not correct, because the class is a subclass of core:Facet and that property is not included. The ontology should include a new property for that aim, in the meantime it is possible to use the uco-observable:displayName property instead
- the uco-observable:manufacturer property is not a string but it is a reference to an uco-identity.Identity class.
- Example:
"@id": "kb:6bd89154-b501-4fd8-a750-58d39e4a51e7",
"@type": "uco-observable:OperatingSystemFacet",
"uco-observable:displayName": "iOS",
"uco-observable:manufacturer":
{
"@id": "kb:73952c43-8df5-4fa3-888c-f0f00d2eab8f"
},
"uco-observable:version": "14.6"
},
{
"@id": "kb:73952c43-8df5-4fa3-888c-f0f00d2eab8f",
"@type": "uco-identity:Identity",
"uco-core:description": "Huawei UK"
}MobileDeviceFacet
- Removed MSISDN property from MobileDeviceFacet.
- It must be represented using the class MobileAccountFacet and the Relationship between the MobileDevice (source) and the MobileAccountFacet (target) of kind Has_Account.
- Using the property in MobileDevice does not raise an error: there is the Open World Assumption
xsd:nonNegativeInteger to be supported
There are several properties across the core, action, and observable namespaces that use xsd:nonNegativeInteger. One happens to be referenced in example.py. The other properties will need a general library function to support their usage.
URLHistoryFacet class
- The URLHistoryFacet has a different structure, in particular the uco-observable:URLHistoryEntry is an array property of the uco-observable:URLHistoryFacet class. It is important to highlight that the uco-observable:URLHistoryEntry may contain as many items as the number of visited pages by using a specific web browser, indicated in the uco-observable:browserInformation reference property. The example shows a uco-observable:URLHistoryEntry array with only one single item. Moreover the second
line of the example can be replaced by uco-observable:URLHistory, because it is a subclass of the ObservableObject.
{
"@id": "kb:5d96df90-d9e1-423c-b8db-c2327812ab38",
"@type": "uco-observable:ObservableObject",
"uco-core:hasFacet": [
{
"@id": "kb:1723ed9c-2d8e-415c-8cf6-31599c49df79",
"@type": "uco-observable:ApplicationFacet",
"uco-observable:applicationIdentifier": "Safari Apple",
"uco-observable:version": "15.23.45"
}
]
},
{
"@id": "kb:39ff4987-8ae5-47e3-8369-dbd0d5f79398",
"@type": "uco-observable:ObservableObject",
"rdfs:comment": "@type=uco-observable:URLHistory",
"uco-core:hasFacet": [
{
"@id": "kb:a455b867-957e-4fce-a0ad-1af9c6fa4edb",
"@type": "uco-observable:URLHistoryFacet",
"uco-observable:browserInformation": {
"@id": "kb:5d96df90-d9e1-423c-b8db-c2327812ab38"
},
"uco-observable:urlHistoryEntry": [
{
"@id": "kb:193a7fc6-5f15-4b3c-8763-f1dc3c9bfd14",
"@type": "uco-observable:URLHistoryEntry",
"uco-observable:firstVisit": {
"@type": "xsd:dateTime",
"@value": "2017-01-25T02:20:22.00Z"
},
"uco-observable:lastVisit": {
"@type": "xsd:dateTime",
"@value": "2017-01-25T02:20:22.00Z"
},
"uco-observable:url": {
"@id": "kb:b7906534-0483-4cf4-979c-5351916602ed"
},
"uco-observable:referrerUrl": null,
"uco-observable:pageTitle": "Where can you find baby owls for sale? Are owls legal to keep as pets? - Quora",
"uco-observable:visitCount": 2,
"uco-observable:manuallyEnteredCount": {
"@type": "xsd:nonNegativeInteger",
"@value": 0
},
"uco-observable:keywordSearchTerm": "Baby owl shops"
}
]
}
]
},
{
"@id": "kb:b7906534-0483-4cf4-979c-5351916602ed",
"@type": "uco-observable:URL",
"uco-core:hasFacet": [
{
"@id": "kb:f2618636-aec3-459e-bda7-eeedfbeac3c0",
"@type": "uco-observable:URLFacet",
"uco-observable:fullValue": "https://www.quora.com/Where-can-you-find-baby-owls-for-sale-Are-owls-legal-to-keep-as-pets"
}
]
}
LatLongCoordinatesFacet class
- The not-in-ontology:locationType property must be deleted. It should be introduced a specific vocabulary to set the appropriate values.
replace not-in-ontology namespace with drafting namespace
The old repo contained some classed in the not-in-ontology space and even though the current one doesn't include that namespace from INSPECTr project, it has to be taken into account that the following classes are processed by the parsers and must be included in the drafting name space (to be discussed in the next CASE AC meetings):
- FacetSocialMediaActivity
- FacetSearchedItem
- FacetLogEntries
The last one is not processed by the parsers yet, but the new iOS 15 reports will give the opportunity to include further Artifacts in the CASE representation.
LogEntries Arrtifact
To represent the LogEntries Artifact a new class should be added both to the ontology and to the library, in order to cover data such as:
<model type="LogEntry" deleted_state="Intact">
<field name="Source" type="String">
<value type="String"><![CDATA[InteractionC]]></value>
</field>
<field name="TimeStamp" type="TimeStamp">
<value type="TimeStamp">2023-05-08T17:59:25.342+00:00</value>
</field>
<field name="EndTime" type="TimeStamp">
<value type="TimeStamp">2023-05-08T17:59:41.593+00:00</value>
</field>
<field name="Application" type="String">
<value type="String"><![CDATA[com.apple.InCallService]]></value>
</field>
<field name="Body" type="String">
<value type="String"><![CDATA[incoming call from +1 (828) 520-5789]]></value>
</field>
</model>tool:Tool class
The uco-tool:creator property is not a string but it is a reference to an uco-identity.Identity class.
Example:
{
"@id": "kb:7ae6b781-4704-428f-85df-3367515dc608",
"@type": "uco-identity:Identity",
"uco-core:description": "Cellebrite, Petah Tikva, Israel"
},
{
"@id": "kb:4252f4ee-d2bd-4d83-bbb4-2669a7be8286",
"@type": "uco-tool:Tool",
"uco-core:name": "UFED PA",
"uco-tool:version": "7.57.1.9",
"uco-tool:toolType": "Acquisition",
"uco-tool:creator": {
"@id": "kb:7ae6b781-4704-428f-85df-3367515dc608"
}
}AccountFacet - property uco-observable:accountIssuer
The uco-observable:accountIssuer property must contain a @id reference to an Identity not a string value. Example:
{
"@id": "kb:6601090d-e021-4fc7-8c99-3e80e965f7b3",
"@type": "uco-observable:ObservableObject",
"uco-core:hasFacet": [
{
"@id": "kb:dc0c105c-ac96-451f-bfdb-3ca01f9c8a79",
"@type": "uco-observable:AccountFacet",
"uco-observable:accountIdentifier": "",
"uco-observable:accountIssuer": {
"@id": "kb:3358fc60-4b1b-4ad4-ba7e-231d00d40973"
},
"uco-observable:isActive": {
"@type": "xsd:boolean",
"@value": true
}
},
{
"@id": "kb:0e7f3d99-c204-4ab3-bdba-3f9c28970603",
"@type": "uco-observable:PhoneAccountFacet",
"uco-observable:phoneNumber": "+499734468551",
"uco-observable:displayName": "Hans Meyer"
}
]
},
{
"@id": "kb:3358fc60-4b1b-4ad4-ba7e-231d00d40973",
"@type": "uco-identity:Organization",
"uco-core:hasFacet": [
{
"@id": "kb:6551977d-8b9f-4bbf-aa22-03f2060fcfe2",
"@type": "uco-identity:SimpleNameFacet",
"uco-identity:givenName": "DE Telecom"
}
]
}Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.