https://unifiedcyberontology.org/ontology/uco/observable#AlternateDataStream
An alternate data stream is data content stored within an NTFS file that is independent of the standard content stream of the file and is hidden from access by default NTFS file viewing mechanisms.
Instances of observable:AlternateDataStream can have the following properties:
PROPERTY | TYPE | DESCRIPTION | RANGE |
---|---|---|---|
From class owl:Thing | |||
investigation:authorizationIdentifier | owl:DatatypeProperty | The identifier for a particular authorization (e.g. warrant number) | xsd:string |
investigation:authorizationType | owl:DatatypeProperty | A label categorizing a type of authorization (e.g. warrant) | xsd:string |
investigation:exhibitNumber | owl:DatatypeProperty | Specifies a unique identifier assigned to a given object at any stage of an investigation to differentiate it from all other objects. | xsd:string |
investigation:focus | owl:DatatypeProperty | Specifies the topical focus of an investigation. | xsd:string |
investigation:investigationForm | owl:DatatypeProperty | A label categorizing a type of investigation (case, incident, suspicious-activity, etc.) | vocab:InvestigationFormVocab |
investigation:investigationStatus | owl:DatatypeProperty | A label characterizing the status of an investigation (open, closed, etc.). | xsd:string |
investigation:relevantAuthorization | owl:ObjectProperty | Specifies an authorization relevant to a particular investigation. | investigation:Authorization |
investigation:rootExhibitNumber | owl:DatatypeProperty | Specifies a unique identifier assigned to a given object at the start of its treatment as part of an investigation. The first node in a provenance chain, which can be viewed as a hierarchical tree originating from a single root. | xsd:string |
By the associated SHACL property shapes, instances of observable:AlternateDataStream can have the following properties:
PROPERTY | PROPERTY TYPE | DESCRIPTION | MIN COUNT | MAX COUNT | LOCAL RANGE | GLOBAL RANGE |
---|---|---|---|---|---|---|
observable:AlternateDataStream | ||||||
core:name | owl:DatatypeProperty | The name of a particular concept characterization. | 1 | 1 | xsd:string | xsd:string |
observable:hashes | owl:ObjectProperty | Specifies any hashes computed over the section. | 0 | 1 | types:Hash | types:Hash |
observable:size | owl:DatatypeProperty | Specifies the size of the section, in bytes. | 0 | 1 | xsd:integer | xsd:integer |
@prefix core: <https://unifiedcyberontology.org/ontology/uco/core#> .
@prefix observable: <https://unifiedcyberontology.org/ontology/uco/observable#> .
@prefix owl: <http://www.w3.org/2002/07/owl#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix sh: <http://www.w3.org/ns/shacl#> .
@prefix types: <https://unifiedcyberontology.org/ontology/uco/types#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
observable:AlternateDataStream a owl:Class,
        sh:NodeShape ;
    rdfs:label "AlternateDataStream"@en ;
    rdfs:comment "An alternate data stream is data content stored within an NTFS file that is independent of the standard content stream of the file and is hidden from access by default NTFS file viewing mechanisms."@en ;
    sh:property [ sh:class types:Hash ;
            sh:maxCount 1 ;
            sh:nodeKind sh:BlankNodeOrIRI ;
            sh:path observable:hashes ],
        [ sh:datatype xsd:integer ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:size ],
        [ sh:datatype xsd:string ;
            sh:maxCount 1 ;
            sh:minCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path core:name ] ;
    sh:targetClass observable:AlternateDataStream .