Add various hierarchical classes to support DeviceType

[b0bkaT]

Background

Devices can include a broad range of different device types (i.e. Android phone, iPhone, tablet, computer, etc.), and UCO lacks the ability to represent them.

Requirements

Requirement 1

UCO must be able to represent the basic device types instead of just "observable:Device" and "observable:MobileDevice".

Risk / Benefit analysis

Benefits

UCO would improve it's ability to represent devices (which would extend into CASE).

Risks

The submitter is unaware of risks associated with this change.

Competencies demonstrated

Competency 1

A knowledge base includes some records of iPhones.

Competency Question 1.1

Ask for all iPhones in our knowledge base.

PREFIX uco-core: <https://ontology.unifiedcyberontology.org/uco/core/>
PREFIX uco-observable: <https://ontology.unifiedcyberontology.org/uco/observable/>

SELECT ?niPhone
WHERE {
  ?niPhone
    a/rdfs:subClassOf* uco-observable:iPhone ;
    .
}

Result 1.1

Should return all iPhone devices in the knowledge base.

Competency Question 1.2

Ask for all cell phones in our knowledge base.

PREFIX uco-core: <https://ontology.unifiedcyberontology.org/uco/core/>
PREFIX uco-observable: <https://ontology.unifiedcyberontology.org/uco/observable/>

SELECT ?niPhone
WHERE {
  ?niPhone
    a/rdfs:subClassOf* uco-observable:CellPhone ;
    .
}

Result 1.1

Should return all cell phone devices in the knowledge base, including the iPhones from question 1.1.

Solution suggestion

Adding the following concepts within observable.ttl:

• Adaptor
• AndroidPhone
• AppleDevice
• BlackberryPhone
• Computer
• DigitalCamera
• Drone
• EmbeddedDevice
• GamingConsole
• iPhone
• Laptop
• MobilePhone
• ProtocolConverter
• Server
• SmartDevice
• SmartPhone
• StorageMedium
• Tablet
• VideoCamera
• WearableDevice
• WriteBlocker

Solution is implemented in PR 446

**List was generated from OC-140 and https://www.iacpcybercenter.org/officers/cyber-crime-investigations/common-electronic-devices-that-generate-digital-evidence/

Coordination

• Tracking in Jira ticket OC-252
• [x] Administrative review completed
• [x] Requirements to be discussed in OC meeting, 2022-08-16
• [x] Requirements Review vote occurred, passing, on 2022-08-16
• [x] Requirements development phase completed.
• [x] Solution announced to OCs on 2022-08-18
• [x] Solutions Approval to be discussed in OC meeting, 2022-08-25
• [x] Solutions Approval vote occurred, passing, on 2022-08-25
• [x] Solutions development phase completed.
• [x] Implementation merged into develop
• [x] Milestone linked
• [x] Documentation logged in pending release page

[ajnelson-nist]

@b0bkaT , is there a development branch for this?

[ajnelson-nist]

I modified the competency questions to add subclasses query demonstration.

[ajnelson-nist]

PR 446 is open as an implementation of this Issue.

[sbarnum]

This proposal should only create the ObservableObject subclasses of observable:Device and not create empty matching facet subclasses. There may or may not end up being matching facet subclasses and having empty ones defined now is only likely to confuse people. The issue identified in this CP only calls for creating the ObservableObject subclasses. Needing matching facet subclasses would only occur if there are characteristic properties unique to that subclass of Device other wise you could easily just have the DeviceFacet on a subclass of Device where you know more about what kind of device it is but no special properties are needed.