casework / case-mapping-python
License: Apache License 2.0
This repository would benefit from Continuous Integration to review the state of its generated results, e.g. using case_validate against an automatically or manually generated results file. This would help catch some issues, e.g. #2, after #23 is merged.

How to generate results is possibly worth a separate discussion. But so long as case.json is tracked in the top source directory, there is at least one piece of example data that could be run through case_validate.
The below example contains only the main properties. Other additional properties are:
```json
{
  "@id": "kb:fe688202-4b21-48d2-b07d-170e14971935",
  "@type": "uco-observable:ObservableObject",
  "uco-core:hasFacet": [
    {
      "@id": "kb:a45c81a7-9afc-482d-9d37-a2b55ddb570d",
      "@type": "uco-observable:EventRecordFacet",
      "uco-observable:eventType": "PowerEvent",
      "uco-observable:eventRecordText": "Power on",
      "uco-observable:observableCreatedTime": {
        "@type": "xsd:dateTime",
        "@value": "2021-05-18T11:31:46+00:00"
      }
    }
  ]
}
```
```json
{
  "@id": "kb:cbd39ad4-ab25-452d-b03e-10364c7fd40e",
  "@type": "uco-observable:ObservableObject",
  "rdfs:comment": [
    "name: D.F. Expert",
    "version: CASE 1.0.0",
    "description: Device example complied with UCO/CASE 1.0.0"
  ]
}
```
The Artifact related to the Installed Application should be included in the library by using the observable:ApplicationVersion class. Moreover, the ApplicationFacet class must be extended to comprise the property observable:installedVersionHistory, a reference to an observable:ApplicationVersion Observable.
```json
{
  "@id": "kb:0d549b0e-4484-4858-9e48-fb21e3f317f7",
  "@type": "case-investigation:InvestigativeAction",
  "rdfs:comment": "also the @type= uco-action:Action is admissible",
  "uco-core:name": "Forensic mobile device acquisition",
  "uco-action:startTime": {
    "@type": "xsd:dateTime",
    "@value": "2021-07-29T12:28:49+00:00"
  },
  "uco-action:endTime": {
    "@type": "xsd:dateTime",
    "@value": "2021-07-29T12:43:44+00:00"
  },
  "uco-action:performer": {
    "@id": "kb:8e4f771d-4fa0-4f70-b593-20d8f00e0461"
  },
  "uco-action:instrument": {
    "@id": "kb:4252f4ee-d2bd-4d83-bbb4-2669a7be8286"
  },
  "uco-action:result": [
    {
      "@id": "kb:9ebe7b98-5323-4bf5-b44a-d499c928b93d"
    }
  ],
  "uco-action:object": {
    "@id": "kb:e4912cd1-abc3-4ad4-9d73-f54379752e02"
  }
}
```
Each Facet does get its own different @id, with its own distinct UUIDv4 (ucoProject/UCO#430).
Example:
```json
{
  "@id": "kb:5340d5ad-0fe1-463c-a461-f211e64edfd4",
  "@type": "uco-observable:ObservableObject",
  "uco-core:hasFacet": [
    {
      "@id": "kb:1723ed9c-2d8e-415c-8cf6-31599c49df79",
      "@type": "uco-observable:ApplicationFacet",
      "uco-observable:applicationIdentifier": "com.whatsapp",
      "uco-observable:version": "1.23.45"
    }
  ]
}
```
```json
{
  "uco-core:object": [
    {
      "@id": "kb:0d191a90-7f5f-4df7-9cc3-3b5024e66983",
      "@type": "uco-observable:ObservableObject",
      "uco-core:hasFacet": [
        {
          "@id": "kb:f35ce51a-cb45-49ca-83d1-546cedd73b21",
          "@type": "uco-observable:ApplicationFacet",
          "uco-observable:applicationIdentifier": "Native"
        }
      ]
    },
    {
      "@id": "kb:d4d81ef9-9598-4e29-aaf6-297c47315269",
      "@type": "uco-observable:ObservableObject",
      "uco-core:hasFacet": [
        {
          "@id": "4cb32da0-4d54-49c6-9de7-961135c86578",
          "@type": "uco-observable:AccountFacet",
          "uco-observable:accountIdentifier": "Rose Noomur",
          "uco-observable:isActive": {
            "@type": "xsd:boolean",
            "@value": true
          }
        },
        {
          "@id": "d25ecc35-74ea-4c82-b7e3-4e082a7c6e54",
          "@type": "uco-observable:PhoneAccountFacet",
          "uco-observable:phoneNumber": "+19734468551",
          "uco-observable:displayName": "Rose dear"
        }
      ]
    },
    {
      "@id": "kb:e91445f8-406b-4ade-bd12-ec9ecdce5810",
      "@type": "uco-observable:ObservableObject",
      "uco-core:hasFacet": [
        {
          "@id": "fdf3e4cf-8d9b-4959-97f1-3506e5132ac9",
          "@type": "uco-observable:AccountFacet",
          "uco-observable:accountIdentifier": "Jane Malone",
          "uco-observable:isActive": {
            "@type": "xsd:boolean",
            "@value": true
          }
        },
        {
          "@id": "b9f40fda-b69f-48c6-9efd-d1c3858bbb26",
          "@type": "uco-observable:PhoneAccountFacet",
          "uco-observable:phoneNumber": "+19732941683/19732941683",
          "uco-observable:displayName": "Jane M."
        }
      ]
    },
    {
      "@id": "kb:238070ba-b740-4aa9-89af-4f52d0efc1a0",
      "@type": "uco-observable:ObservableObject",
      "uco-core:hasFacet": [
        {
          "@id": "kb:a8bdd70b-3d5d-4196-8f27-45ff429fbc6f",
          "@type": "uco-observable:CallFacet",
          "uco-observable:callType": "incoming",
          "uco-observable:allocationStatus": "Intact",
          "uco-observable:duration": {
            "@type": "xsd:integer",
            "@value": "0"
          },
          "uco-observable:startTime": {
            "@type": "xsd:dateTime",
            "@value": "2022-01-19T21:38:19.023000+00:00"
          },
          "uco-observable:application": {
            "@id": "kb:0d191a90-7f5f-4df7-9cc3-3b5024e66983"
          },
          "uco-observable:from": {
            "@id": "kb:d4d81ef9-9598-4e29-aaf6-297c47315269"
          },
          "uco-observable:to": {
            "@id": "kb:e91445f8-406b-4ade-bd12-ec9ecdce5810"
          }
        }
      ]
    }
  ]
}
```
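The rule stated above (every facet gets its own distinct UUIDv4 @id) is easy to violate by hand and easy to check by machine. The following is an added example, not code from case-mapping-python or from the issue author: it walks a JSON-LD tree, collects every object listed under uco-core:hasFacet at any depth, and reports facets whose @id is missing, lacks the assumed "kb:" prefix, is not a version-4 UUID, or is shared with another facet. The sample graph is constructed and deliberately contains one unprefixed id and one reused id; the script filename in the usage comment is hypothetical.

```python
"""Check that each facet in a CASE/UCO JSON-LD graph carries its own distinct,
kb:-prefixed UUIDv4 @id. Added illustration; not code from case-mapping-python."""
import json
import re
import sys
import uuid
from typing import Dict, Iterator, List

# Assumption: facet @ids use the "kb:" prefix, as the examples in the issues do.
KB_UUID_RE = re.compile(
    r"^kb:([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$"
)


def new_facet_id() -> str:
    """Mint a fresh kb:-prefixed UUIDv4; one per facet, never reused."""
    return f"kb:{uuid.uuid4()}"


def iter_facets(node: object) -> Iterator[Dict]:
    """Yield every dict listed under a uco-core:hasFacet key, at any depth
    (facets may sit inside @graph, uco-core:object, and so on)."""
    if isinstance(node, dict):
        facets = node.get("uco-core:hasFacet", [])
        for facet in facets if isinstance(facets, list) else [facets]:
            if isinstance(facet, dict):
                yield facet
        for value in node.values():
            yield from iter_facets(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_facets(item)


def check_facet_ids(graph: object) -> List[str]:
    """Return a list of problems; empty means every facet @id is present,
    kb:-prefixed, a version-4 UUID, and used by exactly one facet."""
    problems: List[str] = []
    uses: Dict[str, int] = {}
    for facet in iter_facets(graph):
        ftype = facet.get("@type", "<untyped facet>")
        fid = facet.get("@id")
        if not isinstance(fid, str):
            problems.append(f"{ftype}: facet has no @id")
            continue
        match = KB_UUID_RE.match(fid)
        if match is None:
            problems.append(f"{ftype}: @id {fid!r} is not a kb:-prefixed UUID")
        elif uuid.UUID(match.group(1)).version != 4:
            problems.append(f"{ftype}: @id {fid!r} is not a version-4 UUID")
        uses[fid] = uses.get(fid, 0) + 1
    for fid, count in uses.items():
        if count > 1:
            problems.append(f"@id {fid!r} is shared by {count} facets")
    return problems


# Constructed sample shaped like the issue examples: one clean facet, one
# facet whose @id lacks the kb: prefix, one that reuses another facet's @id.
SAMPLE_GRAPH = {
    "@graph": [
        {
            "@id": "kb:5340d5ad-0fe1-463c-a461-f211e64edfd4",
            "@type": "uco-observable:ObservableObject",
            "uco-core:hasFacet": [
                {
                    "@id": "kb:1723ed9c-2d8e-415c-8cf6-31599c49df79",
                    "@type": "uco-observable:ApplicationFacet",
                    "uco-observable:applicationIdentifier": "com.whatsapp",
                }
            ],
        },
        {
            "@id": "kb:d4d81ef9-9598-4e29-aaf6-297c47315269",
            "@type": "uco-observable:ObservableObject",
            "uco-core:hasFacet": [
                {
                    "@id": "4cb32da0-4d54-49c6-9de7-961135c86578",
                    "@type": "uco-observable:AccountFacet",
                },
                {
                    "@id": "kb:1723ed9c-2d8e-415c-8cf6-31599c49df79",
                    "@type": "uco-observable:PhoneAccountFacet",
                },
            ],
        },
    ]
}


if __name__ == "__main__":
    # Usage (hypothetical filename): python check_facet_ids.py [graph.json]
    graph = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_GRAPH
    for line in check_facet_ids(graph) or ["no facet @id problems found"]:
        print(line)
```

The prefix check is a string-level check only; it does not expand "kb:" through the document's @context, so a graph that maps the knowledge-base prefix to a different term would need the regex adjusted.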
example.py currently yields some graph nodes typed as uco-observable:ObservableObject without further subtyping. More specific classes should be used when available. However, this might require a less manual maintenance method for aligning the Python class structure with the ontology.
```json
{
  "@id": "kb:0d191a90-7f5f-4df7-9cc3-3b5024e66983",
  "@type": "uco-observable:ObservableObject",
  "uco-core:name": "Native application",
  "uco-core:hasFacet": [
    {
      "@id": "kb:f35ce51a-cb45-49ca-83d1-546cedd73b21",
      "@type": "uco-observable:ApplicationFacet",
      "uco-observable:applicationIdentifier": "Native"
    }
  ]
}
```
The following properties must be corrected:
The Web Bookmark artifact should be included in the CASE representation. Example:

```json
[
  {
    "@id": "kb:98d0fe58-91ee-49ad-a53a-ae5218d4bf5e",
    "@type": "uco-observable:ObservableObject",
    "uco-core:hasFacet": [
      {
        "@id": "kb:dac8b0f0-4370-4caa-8f74-cd28f0f51b2c",
        "@type": "observable:BrowserBookmarkFacet",
        "observable:accessedTime": {
          "@type": "xsd:dateTime",
          "@value": "2023-09-11:23:44+00:00"
        },
        "uco-observable:observableCreatedTime": {
          "@type": "xsd:dateTime",
          "@value": "2023-05-20T18:04:37+00:00"
        },
        "observable:modifiedTime": {
          "@type": "xsd:dateTime",
          "@value": "2023-08-20T18:04:37+00:00"
        },
        "observable:bookmarkPath": "/Mobile Bookmarks",
        "uco-observable:application": {
          "@id": "kb:7096b5ea-dedb-45ff-97fe-2652e508acd1"
        },
        "observable:urlTargeted": {
          "@id": "kb:658ad522-263f-44ae-b6da-afbd30658e50"
        }
      }
    ]
  },
  {
    "@id": "kb:7096b5ea-dedb-45ff-97fe-2652e508acd1",
    "@type": "uco-observable:ObservableObject",
    "uco-core:hasFacet": [
      {
        "@id": "kb:d58b3fb6-1caa-4e64-99f5-7f788aaa63e2",
        "@type": "uco-observable:ApplicationFacet",
        "uco-core:name": "Safari"
      }
    ]
  },
  {
    "@id": "kb:658ad522-263f-44ae-b6da-afbd30658e50",
    "@type": "uco-observable:ObservableObject",
    "uco-core:hasFacet": [
      {
        "@id": "kb:460031a0-a39d-4968-91a7-bfd248b7ad2a",
        "@type": "uco-observable:URLFacet",
        "uco-observable:fullValue": "www.macrumors.com"
      }
    ]
  }
]
```
Users of UCO 0.7.0 and earlier should be aware that their UCO IRI prefixes should be adjusted. For instance, the prefix of the Action namespace is

```json
"uco-action": "https://ontology.unifiedcyberontology.org/uco/action/"
```

The old one was:

```json
"uco-action": "https://unifiedcyberontology.org/ontology/uco/action#"
```

Similar to CASE CP-34, to utilise an “ontology” subdomain, end with a slash and remove @base (CP 107).
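A migration of an existing JSON-LD @context from the old IRI form to the new one is mechanical: swap the host for the "ontology" subdomain, move the namespace under "/uco/", replace the trailing "#" with "/", and drop @base. The following is an added example, not code from case-mapping-python; it applies the rewrite shown above for uco-action to every UCO namespace term that matches the old pattern (the same host and path convention holds for core, observable and the other UCO namespaces in 1.0), leaves non-UCO terms alone, and reports what it changed. The sample context is constructed; its kb and xsd entries are illustrative.

```python
"""Rewrite a JSON-LD @context written against UCO 0.7.0-or-earlier IRIs to the
current scheme: "ontology" subdomain, "/uco/<namespace>/" path ending in a
slash, and no @base. Added illustration; not code from case-mapping-python."""
import re
from typing import Dict, List, Tuple

# Old form: https://unifiedcyberontology.org/ontology/uco/<ns>#
OLD_UCO_RE = re.compile(r"^https://unifiedcyberontology\.org/ontology/uco/([A-Za-z]+)#$")
# New form, as given for uco-action in the issue; the other namespaces follow it.
NEW_UCO = "https://ontology.unifiedcyberontology.org/uco/{ns}/"


def migrate_context(context: Dict[str, object]) -> Tuple[Dict[str, object], List[str]]:
    """Return (new_context, change_log). Non-UCO terms pass through unchanged."""
    migrated: Dict[str, object] = {}
    log: List[str] = []
    for term, value in context.items():
        if term == "@base":
            # CP 107: the new scheme does not use @base at all.
            log.append("removed @base")
            continue
        if isinstance(value, str):
            match = OLD_UCO_RE.match(value)
            if match is not None:
                new_value = NEW_UCO.format(ns=match.group(1))
                log.append(f"{term}: {value} -> {new_value}")
                migrated[term] = new_value
                continue
        migrated[term] = value
    return migrated, log


def stale_prefixes(context: Dict[str, object]) -> List[str]:
    """Terms still using the pre-1.0 IRI form, plus @base if it is present."""
    stale = ["@base"] if "@base" in context else []
    return stale + [
        term for term, value in context.items()
        if isinstance(value, str) and OLD_UCO_RE.match(value)
    ]


# Constructed sample context in the old style.
OLD_CONTEXT = {
    "@base": "http://example.org/kb/",
    "kb": "http://example.org/kb/",
    "uco-action": "https://unifiedcyberontology.org/ontology/uco/action#",
    "uco-core": "https://unifiedcyberontology.org/ontology/uco/core#",
    "uco-observable": "https://unifiedcyberontology.org/ontology/uco/observable#",
    "xsd": "http://www.w3.org/2001/XMLSchema#",
}

if __name__ == "__main__":
    new_context, changes = migrate_context(OLD_CONTEXT)
    print("\n".join(changes))
    print("stale after migration:", stale_prefixes(new_context))
```

Only the @context is rewritten. Compact IRIs in the body ("uco-action:startTime") follow the context automatically, but any absolute UCO IRIs written out in full in the body would need the same substitution.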
The class allows the representation of the Password Artifact, even though it contains a few properties only and the following data are not covered (to be discussed in an AC meeting):

```xml
<Hit sequenceNumber="1">
  <Fragment name="Service">IGSG-CNR</Fragment>
  <Fragment name="Artifact">Android Wi-Fi Profiles</Fragment>
</Hit>
```
The class uses the co:element instead of uco-observable:message + "olo:slot".
Example:
```json
{
  "@id": "kb:4237ff8b-e049-4a56-bcf7-e89ed2797d83",
  "@type": "uco-observable:MessageThread",
  "uco-core:hasFacet": [
    {
      "@id": "kb:0cd2f9f8-9040-4af7-82f8-8287fb3f861d",
      "@type": "uco-observable:MessageThreadFacet",
      "identifier": "[email protected]",
      "uco-observable:displayName": "Best Friend Chat!!",
      "uco-observable:messageThread": {
        "@id": "kb:1a921f84-eadd-4591-be0d-57b936933622",
        "@type": "uco-types:Thread",
        "co:size": {
          "@type": "xsd:nonNegativeInteger",
          "@value": 2
        },
        "co:element": [
          {
            "@id": "kb:d8330d5a-b8de-4425-9cd8-a37b038afe81"
          },
          {
            "@id": "kb:3328fbc7-1f63-4e66-b8fc-e27143a64331"
          }
        ]
      },
      "uco-observable:participant": [
        {
          "@id": "kb:a5931c7e-fc1e-4def-a618-fc31d9ae4cc7"
        },
        {
          "@id": "kb:f135dee3-ba06-4ded-ad63-5484ce240ec8"
        }
      ]
    }
  ]
}
```
```json
[
  {
    "@id": "kb:6bd89154-b501-4fd8-a750-58d39e4a51e7",
    "@type": "uco-observable:OperatingSystemFacet",
    "uco-observable:displayName": "iOS",
    "uco-observable:manufacturer": {
      "@id": "kb:73952c43-8df5-4fa3-888c-f0f00d2eab8f"
    },
    "uco-observable:version": "14.6"
  },
  {
    "@id": "kb:73952c43-8df5-4fa3-888c-f0f00d2eab8f",
    "@type": "uco-identity:Identity",
    "uco-core:description": "Huawei UK"
  }
]
```
There are several properties across the core, action, and observable namespaces that use xsd:nonNegativeInteger. One happens to be referenced in example.py. The other properties will need a general library function to support their usage.
```json
[
  {
    "@id": "kb:5d96df90-d9e1-423c-b8db-c2327812ab38",
    "@type": "uco-observable:ObservableObject",
    "uco-core:hasFacet": [
      {
        "@id": "kb:1723ed9c-2d8e-415c-8cf6-31599c49df79",
        "@type": "uco-observable:ApplicationFacet",
        "uco-observable:applicationIdentifier": "Safari Apple",
        "uco-observable:version": "15.23.45"
      }
    ]
  },
  {
    "@id": "kb:39ff4987-8ae5-47e3-8369-dbd0d5f79398",
    "@type": "uco-observable:ObservableObject",
    "rdfs:comment": "@type=uco-observable:URLHistory",
    "uco-core:hasFacet": [
      {
        "@id": "kb:a455b867-957e-4fce-a0ad-1af9c6fa4edb",
        "@type": "uco-observable:URLHistoryFacet",
        "uco-observable:browserInformation": {
          "@id": "kb:5d96df90-d9e1-423c-b8db-c2327812ab38"
        },
        "uco-observable:urlHistoryEntry": [
          {
            "@id": "kb:193a7fc6-5f15-4b3c-8763-f1dc3c9bfd14",
            "@type": "uco-observable:URLHistoryEntry",
            "uco-observable:firstVisit": {
              "@type": "xsd:dateTime",
              "@value": "2017-01-25T02:20:22.00Z"
            },
            "uco-observable:lastVisit": {
              "@type": "xsd:dateTime",
              "@value": "2017-01-25T02:20:22.00Z"
            },
            "uco-observable:url": {
              "@id": "kb:b7906534-0483-4cf4-979c-5351916602ed"
            },
            "uco-observable:referrerUrl": null,
            "uco-observable:pageTitle": "Where can you find baby owls for sale? Are owls legal to keep as pets? - Quora",
            "uco-observable:visitCount": 2,
            "uco-observable:manuallyEnteredCount": {
              "@type": "xsd:nonNegativeInteger",
              "@value": 0
            },
            "uco-observable:keywordSearchTerm": "Baby owl shops"
          }
        ]
      }
    ]
  },
  {
    "@id": "kb:b7906534-0483-4cf4-979c-5351916602ed",
    "@type": "uco-observable:URL",
    "uco-core:hasFacet": [
      {
        "@id": "kb:f2618636-aec3-459e-bda7-eeedfbeac3c0",
        "@type": "uco-observable:URLFacet",
        "uco-observable:fullValue": "https://www.quora.com/Where-can-you-find-baby-owls-for-sale-Are-owls-legal-to-keep-as-pets"
      }
    ]
  }
]
```
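The "general library function" asked for above amounts to two things: a constructor that emits the typed-literal shape used for manuallyEnteredCount and co:size in the examples, and a check that rejects values the datatype does not admit. The following is an added example, not code from case-mapping-python: nonneg_literal builds the literal and refuses negatives, floats and booleans (a Python bool is an int subclass, so it needs an explicit check), and audit_nonneg_literals walks a JSON-LD tree and reports every xsd:nonNegativeInteger literal whose @value is neither a non-negative JSON integer nor its lexical string form such as "0". The sample graph is constructed; the ex:negativeCount and ex:fractionalCount properties are invented names carrying the deliberate defects.

```python
"""General helper for UCO properties typed xsd:nonNegativeInteger: build the
typed-literal form the JSON-LD examples use, and audit a graph for values that
violate the datatype. Added illustration; not code from case-mapping-python."""
import re
from typing import Dict, List, Tuple

XSD_NNI = "xsd:nonNegativeInteger"
# Lexical form accepted for the string variant of @value ("0", "+12", ...).
NNI_LEXICAL_RE = re.compile(r"^\+?[0-9]+$")


def nonneg_literal(value: int) -> Dict[str, object]:
    """Return {"@type": "xsd:nonNegativeInteger", "@value": value} or raise."""
    # bool is a subclass of int in Python; True/False are not integers here.
    if isinstance(value, bool) or not isinstance(value, int):
        raise TypeError(f"{XSD_NNI} needs an int, got {type(value).__name__}")
    if value < 0:
        raise ValueError(f"{XSD_NNI} cannot be negative: {value}")
    return {"@type": XSD_NNI, "@value": value}


def _valid_nni_value(value: object) -> bool:
    """True for a non-negative JSON integer or its lexical string form."""
    if isinstance(value, bool):
        return False
    if isinstance(value, int):
        return value >= 0
    return isinstance(value, str) and NNI_LEXICAL_RE.match(value) is not None


def audit_nonneg_literals(node: object, path: str = "$") -> List[Tuple[str, str]]:
    """Walk a JSON-LD tree; report (path, reason) for every literal typed
    xsd:nonNegativeInteger whose @value is not a non-negative integer."""
    findings: List[Tuple[str, str]] = []
    if isinstance(node, dict):
        if node.get("@type") == XSD_NNI and not _valid_nni_value(node.get("@value")):
            findings.append(
                (path, f"@value {node.get('@value')!r} is not a non-negative integer")
            )
        for key, value in node.items():
            findings.extend(audit_nonneg_literals(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            findings.extend(audit_nonneg_literals(item, f"{path}[{index}]"))
    return findings


# Constructed sample: two valid literals (JSON number and lexical string) and
# two invalid ones under invented property names (a negative count, a float).
SAMPLE_GRAPH = {
    "@graph": [
        {
            "@id": "kb:00000000-0000-4000-8000-000000000001",
            "@type": "uco-observable:URLHistoryEntry",
            "uco-observable:manuallyEnteredCount": nonneg_literal(0),
            "ex:negativeCount": {"@type": XSD_NNI, "@value": -1},
        },
        {
            "@id": "kb:00000000-0000-4000-8000-000000000002",
            "@type": "uco-types:Thread",
            "co:size": {"@type": XSD_NNI, "@value": "2"},
            "ex:fractionalCount": {"@type": XSD_NNI, "@value": 1.5},
        },
    ]
}

if __name__ == "__main__":
    for path, reason in audit_nonneg_literals(SAMPLE_GRAPH):
        print(f"{path}: {reason}")
```

The audit keys on the compact "xsd:nonNegativeInteger" string, so it assumes the document's @context binds xsd to the XML Schema namespace as the examples do; an expanded document would need the full datatype IRI in XSD_NNI.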
The old repo contained some classes in the not-in-ontology space, and even though the current one doesn't include that namespace from the INSPECTr project, it has to be taken into account that the following classes are processed by the parsers and must be included in the drafting namespace (to be discussed in the next CASE AC meetings):
The last one is not processed by the parsers yet, but the new iOS 15 reports will give the opportunity to include further Artifacts in the CASE representation.
To represent the LogEntries Artifact a new class should be added both to the ontology and to the library, in order to cover data such as:
```xml
<model type="LogEntry" deleted_state="Intact">
  <field name="Source" type="String">
    <value type="String"><![CDATA[InteractionC]]></value>
  </field>
  <field name="TimeStamp" type="TimeStamp">
    <value type="TimeStamp">2023-05-08T17:59:25.342+00:00</value>
  </field>
  <field name="EndTime" type="TimeStamp">
    <value type="TimeStamp">2023-05-08T17:59:41.593+00:00</value>
  </field>
  <field name="Application" type="String">
    <value type="String"><![CDATA[com.apple.InCallService]]></value>
  </field>
  <field name="Body" type="String">
    <value type="String"><![CDATA[incoming call from +1 (828) 520-5789]]></value>
  </field>
</model>
```
The uco-tool:creator property is not a string but a reference to a uco-identity:Identity class.
Example:
```json
[
  {
    "@id": "kb:7ae6b781-4704-428f-85df-3367515dc608",
    "@type": "uco-identity:Identity",
    "uco-core:description": "Cellebrite, Petah Tikva, Israel"
  },
  {
    "@id": "kb:4252f4ee-d2bd-4d83-bbb4-2669a7be8286",
    "@type": "uco-tool:Tool",
    "uco-core:name": "UFED PA",
    "uco-tool:version": "7.57.1.9",
    "uco-tool:toolType": "Acquisition",
    "uco-tool:creator": {
      "@id": "kb:7ae6b781-4704-428f-85df-3367515dc608"
    }
  }
]
```
The uco-observable:accountIssuer property must contain an @id reference to an Identity, not a string value. Example:

```json
[
  {
    "@id": "kb:6601090d-e021-4fc7-8c99-3e80e965f7b3",
    "@type": "uco-observable:ObservableObject",
    "uco-core:hasFacet": [
      {
        "@id": "kb:dc0c105c-ac96-451f-bfdb-3ca01f9c8a79",
        "@type": "uco-observable:AccountFacet",
        "uco-observable:accountIdentifier": "",
        "uco-observable:accountIssuer": {
          "@id": "kb:3358fc60-4b1b-4ad4-ba7e-231d00d40973"
        },
        "uco-observable:isActive": {
          "@type": "xsd:boolean",
          "@value": true
        }
      },
      {
        "@id": "kb:0e7f3d99-c204-4ab3-bdba-3f9c28970603",
        "@type": "uco-observable:PhoneAccountFacet",
        "uco-observable:phoneNumber": "+499734468551",
        "uco-observable:displayName": "Hans Meyer"
      }
    ]
  },
  {
    "@id": "kb:3358fc60-4b1b-4ad4-ba7e-231d00d40973",
    "@type": "uco-identity:Organization",
    "uco-core:hasFacet": [
      {
        "@id": "kb:6551977d-8b9f-4bbf-aa22-03f2060fcfe2",
        "@type": "uco-identity:SimpleNameFacet",
        "uco-identity:givenName": "DE Telecom"
      }
    ]
  }
]
```