https://unifiedcyberontology.org/ontology/uco/observable#WindowsPESection
A Windows PE section is a grouping of characteristics unique to a specific default or custom-defined region of a Windows PE (Portable Executable) file, consisting of an individual portion of the actual executable content of the file delineated according to unique purpose and memory protection requirements.
Instances of observable:WindowsPESection can have the following properties:
| PROPERTY | TYPE | DESCRIPTION | RANGE |
|---|---|---|---|
| From class owl:Thing | |||
| investigation:authorizationIdentifier | owl:DatatypeProperty | The identifier for a particular authorization (e.g. warrant number) | xsd:string |
| investigation:authorizationType | owl:DatatypeProperty | A label categorizing a type of authorization (e.g. warrant) | xsd:string |
| investigation:exhibitNumber | owl:DatatypeProperty | Specifies a unique identifier assigned to a given object at any stage of an investigation to differentiate it from all other objects. | xsd:string |
| investigation:focus | owl:DatatypeProperty | Specifies the topical focus of an investigation. | xsd:string |
| investigation:investigationForm | owl:DatatypeProperty | A label categorizing a type of investigation (case, incident, suspicious-activity, etc.) | vocab:InvestigationFormVocab |
| investigation:investigationStatus | owl:DatatypeProperty | A label characterizing the status of an investigation (open, closed, etc.). | xsd:string |
| investigation:relevantAuthorization | owl:ObjectProperty | Specifies an authorization relevant to a particular investigation. | investigation:Authorization |
| investigation:rootExhibitNumber | owl:DatatypeProperty | Specifies a unique identifier assigned to a given object at the start of its treatment as part of an investigation. The first node in a provenance chain, which can be viewed as a heirarchical tree originating from a single root. | xsd:string |
By the associated SHACL property shapes, instances of observable:WindowsPESection can have the following properties:
PROPERTY |
PROPERTY TYPE |
DESCRIPTION |
MIN COUNT |
MAX COUNT |
LOCAL RANGE |
GLOBAL RANGE |
|
|---|---|---|---|---|---|---|---|
| observable:WindowsPESection | |||||||
| core:name | owl:DatatypeProperty |
The name of a particular concept characterization.
|
1 | 1 |
xsd:string
|
xsd:string
|
|
| observable:entropy | owl:DatatypeProperty |
Shannon entropy (a measure of randomness) of the data.
|
0 | 1 |
xsd:double
|
xsd:double
|
|
| observable:hashes | owl:ObjectProperty |
Specifies any hashes computed over the section.
|
0 | * |
types:Hash
|
types:Hash
|
|
| observable:size | owl:DatatypeProperty |
Specifies the size of the section, in bytes.
|
0 | 1 |
xsd:integer
|
xsd:integer
|
|
@prefix core: <https://unifiedcyberontology.org/ontology/uco/core#> .
@prefix observable: <https://unifiedcyberontology.org/ontology/uco/observable#> .
@prefix owl: <http://www.w3.org/2002/07/owl#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix sh: <http://www.w3.org/ns/shacl#> .
@prefix types: <https://unifiedcyberontology.org/ontology/uco/types#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
observable:WindowsPESection a owl:Class,
sh:NodeShape ;
rdfs:label "WindowsPESection"@en ;
rdfs:comment "A Windows PE section is a grouping of characteristics unique to a specific default or custom-defined region of a Windows PE (Portable Executable) file, consisting of an individual portion of the actual executable content of the file delineated according to unique purpose and memory protection requirements."@en ;
sh:property [ sh:class types:Hash ;
sh:nodeKind sh:BlankNodeOrIRI ;
sh:path observable:hashes ],
[ sh:datatype xsd:double ;
sh:maxCount 1 ;
sh:nodeKind sh:Literal ;
sh:path observable:entropy ],
[ sh:datatype xsd:integer ;
sh:maxCount 1 ;
sh:nodeKind sh:Literal ;
sh:path observable:size ],
[ sh:datatype xsd:string ;
sh:maxCount 1 ;
sh:minCount 1 ;
sh:nodeKind sh:Literal ;
sh:path core:name ] ;
sh:targetClass observable:WindowsPESection .