casework / CASE

Cyber-investigation Analysis Standard Expression (CASE) Ontology
https://caseontology.org
Apache License 2.0

For importing provide a property/attribute on Trace objects to describe their contents #21

Open vikhari opened 6 years ago

vikhari commented 6 years ago

Issue ported from old casework github repo (issue 37). Original author: mike-parkhill

When importing a diverse set of trace objects you need to inspect the members of the PropertyBundle array to determine what the Trace relates to. This can be cumbersome since the logic on the ingesting side is going to be different based on the child types.

For example:

{
  "@type": "Trace",
  "@id": "https://www.netresec.com/20a91459-8fbb-4b90-a3fb-b4aa7f776a66",
  "createdBy": "https://www.netresec.com/1c7484fe-63f1-5af8-b4fb-e2386ab3c4b0",
  "createdTime": "2018-02-15T19:01:12.6271184Z",
  "propertyBundle": [
    {
      "@type": "File",
      "accessedTime": "2007-12-17T03:32:30.3990520Z",
      "extension": "html",
      "fileName": "index.html",
      "isDirectory": false,
      "sizeInBytes": 98500
    },
    {
      "@type": "ContentData",
      "dataPayloadReferenceURL": "D:\\NetworkMinerProfessional_2-2\\AssembledFiles\\151.193.224.81\\TCP-80\\index.html",
      "hash": [
        {
          "@type": "Hash",
          "hashMethod": "MD5",
          "hashValue": "abdb151dfd5775c05b47c0f4ea1cd3d7"
        }
      ],
      "sizeInBytes": 98500
    }
  ]
}

The above JSON is obviously a File object with metadata and content data. It would be nice to know this without having to iterate the bundle looking to see if it contains a File child. The more types of Trace bundles we support the messier this is going to get. Adding a @bundletype attribute or something would simplify ingestion greatly.

cyberinvestigationexpress commented 5 years ago

The duck model was selected to be flexible enough to represent a file in any context, including ones we are not currently aware of (e.g., concealment of a file in some new way). With the duck model, it is necessary to inspect all of its facets to get the full picture. Restricting with @bundletype goes against the use of the duck model.
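The two positions in this thread, an ingest-side need to know what a Trace "is" and a model-side insistence that the answer comes only from inspecting every facet, can both be met on the consumer side. The example below is added for this discussion and is not code from the CASE project or from either commenter: it indexes a Trace's propertyBundle by facet @type, dispatches each facet to a handler, computes a label equivalent to the proposed @bundletype from the set of facets actually present (so nothing is added to the data model), and cross-checks facts that several facets assert (here, sizeInBytes). The handler names, the label strings, the warning text, and the sample Trace (modelled on the one quoted in the issue, with a second constructed Trace for the failure paths) are all assumptions of the example.

```python
"""Ingest CASE Trace objects by inspecting their propertyBundle facets.

Added illustration for the issue thread; not code from the CASE project.
Handler names, derived labels and the sample data are assumptions.
"""
import json
from typing import Any, Callable

Facet = dict[str, Any]
Trace = dict[str, Any]

# Constructed sample input modelled on the Trace quoted in the issue (not real case data).
SAMPLE_TRACE_JSON = r'''
{
  "@type": "Trace",
  "@id": "https://www.netresec.com/20a91459-8fbb-4b90-a3fb-b4aa7f776a66",
  "propertyBundle": [
    {"@type": "File", "fileName": "index.html", "extension": "html",
     "isDirectory": false, "sizeInBytes": 98500},
    {"@type": "ContentData",
     "dataPayloadReferenceURL": "D:\\NetworkMinerProfessional_2-2\\AssembledFiles\\151.193.224.81\\TCP-80\\index.html",
     "hash": [{"@type": "Hash", "hashMethod": "MD5",
               "hashValue": "abdb151dfd5775c05b47c0f4ea1cd3d7"}],
     "sizeInBytes": 98500}
  ]
}
'''
SAMPLE_TRACE: Trace = json.loads(SAMPLE_TRACE_JSON)


def facets_by_type(trace: Trace) -> dict[str, list[Facet]]:
    """Index the propertyBundle by facet @type; a Trace may carry several facets of one type."""
    index: dict[str, list[Facet]] = {}
    for facet in trace.get("propertyBundle", []):
        index.setdefault(facet.get("@type", "<untyped>"), []).append(facet)
    return index


def derive_bundle_label(trace: Trace) -> str:
    """Ingest-side stand-in for the proposed @bundletype (assumed label names).

    The label is computed from the facet types present, so the duck model is
    kept: the data does not have to declare what it is, the consumer works it out.
    """
    present = set(facets_by_type(trace))
    if {"File", "ContentData"} <= present:
        return "file-with-content"
    if "File" in present:
        return "file-metadata-only"
    if "ContentData" in present:
        return "content-only"
    return "unknown"


def _ingest_file(facet: Facet, record: dict[str, Any]) -> None:
    """Handler for File facets: pull the metadata the ingest record cares about."""
    record["file_name"] = facet.get("fileName")
    record["is_directory"] = bool(facet.get("isDirectory", False))
    record.setdefault("sizes", []).append(("File", facet.get("sizeInBytes")))


def _ingest_content(facet: Facet, record: dict[str, Any]) -> None:
    """Handler for ContentData facets: payload reference plus hashes keyed by method."""
    record["payload_ref"] = facet.get("dataPayloadReferenceURL")
    record["hashes"] = {
        h.get("hashMethod"): str(h.get("hashValue", "")).lower()
        for h in facet.get("hash", []) if h.get("@type") == "Hash"
    }
    record.setdefault("sizes", []).append(("ContentData", facet.get("sizeInBytes")))


# One handler per facet type we know how to consume (assumed set for the example).
HANDLERS: dict[str, Callable[[Facet, dict[str, Any]], None]] = {
    "File": _ingest_file,
    "ContentData": _ingest_content,
}


def ingest_trace(trace: Trace) -> dict[str, Any]:
    """Walk every facet, dispatch by @type, and flag anything unhandled or inconsistent."""
    record: dict[str, Any] = {
        "id": trace.get("@id"),
        "label": derive_bundle_label(trace),
        "warnings": [],
    }
    for facet_type, facets in facets_by_type(trace).items():
        handler = HANDLERS.get(facet_type)
        if handler is None:
            # Unknown facets are reported, not silently dropped: in the duck model
            # a facet we have never seen may still change what the Trace means.
            record["warnings"].append(f"unhandled facet type {facet_type!r}")
            continue
        for facet in facets:
            handler(facet, record)
    # Several facets may assert the same fact; disagreement is worth surfacing.
    sizes = {s for _, s in record.pop("sizes", []) if s is not None}
    if len(sizes) > 1:
        record["warnings"].append(f"sizeInBytes disagrees across facets: {sorted(sizes)}")
    return record


if __name__ == "__main__":
    print(json.dumps(ingest_trace(SAMPLE_TRACE), indent=2))
```

The dispatch table is what keeps the "messier as more bundle types appear" concern in check: a new facet type costs one handler entry, and a Trace carrying a facet nobody has written a handler for still ingests, with a warning, rather than being misclassified or dropped.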