Open sbarnum opened 10 years ago
The current set of file objects in CybOX tends to conflate file system details with file instance details.
These should be deconflated to more accurately convey the level of detail needed for low-level use cases like digital forensic analysis and malware reverse engineering.
To provide a more detailed example, fields like "File_Path", "Modified_Time", "Accessed_Time", etc. really pertain to file system details rather than those of a file (as a chunk of bits).
Context: this has been requested by several community members, and has long been acknowledged by the MITRE team as necessary for better supporting use cases pertaining to digital forensics, malware characterization (especially with regard to malware's interaction with a file system), and also the large number of instances where a file needs to be characterized outside of a file system (e.g., as an attachment to an email).
LOE: High