Crossover CASE - Heist
This document uses CASE to represent digital evidence extracted from storage media, specifically a USB storage device and a Windows system. The physical images and scenario introduction can be downloaded from the following location: https://drive.switch.ch/index.php/s/0c7BiyQZRKOtMMq .
The JSON-LD data on this page are available combined in the file crossover_heist.json .
The index of scenario portions is here .
Investigation 1 Background
On 19 November 2018, at 14:18 (CET), three armed suspects entered a bank (Place de St-François 16, 1003 Lausanne). They blew up the safe and took the money inside. Several people were slightly injured. Witnesses say that the suspects fled northwest toward Place Chaudron in a car. The car was found 40 minutes later near the Lausanne-Blécherette airport. No physical traces were found in the vehicle, except for a USB key. A copy of the USB key was done on site by the investigators. No images were available from the surveillance cameras. Analysis of the bank’s system indicates that they were hacked a few minutes before the heist (19 November 2018 at 14:03 CET).
An IP address was found during the analysis. It was attributed to an apartment on the campus of the University of Lausanne. On 20 November 2018 at 10:00 CET, a search of the apartment led to the arrest of Mr. Joker and the seizure of a computer sitting in the living room. Mr. Joker was questioned and said he knew nothing about the heist. He also said that he lives with Mrs. Quinn. She was not present during the search and was not arrested. He said that she left the house early in the morning.
Disclaimers
Participation by contributors in the creation of the documentation of mentioned software is not intended to imply a recommendation or endorsement by the United States Government nor any of the contributors' employers, nor is it intended to imply that any specific software is necessarily the best available for the purpose.
Events, locations, tools, and people represented in this and other CASE narratives are presented, and at many times created, for illustration purposes only and do not necessarily represent real events, locations, tools, or people.
USB DEVICE PROVENANCE AND INTEGRITY
The initial step of the digital forensic analysis is to assess the provenance and integrity of the digital evidence and to examine device characteristics and identifiers. The overall CASE bundle provides context for the digital evidence.
CASE Representation of Investigation
{
"@context" : {
"@vocab" : "http://example.org/ontology/local#" ,
"case-investigation" : "https://ontology.caseontology.org/case/investigation/" ,
"drafting" : "http://example.org/ontology/drafting/" ,
"rdf" : "http://www.w3.org/1999/02/22-rdf-syntax-ns#" ,
"rdfs" : "http://www.w3.org/2000/01/rdf-schema#" ,
"kb" : "http://example.org/kb/" ,
"uco-action" : "https://ontology.unifiedcyberontology.org/uco/action/" ,
"uco-configuration" : "https://ontology.unifiedcyberontology.org/uco/configuration/" ,
"uco-core" : "https://ontology.unifiedcyberontology.org/uco/core/" ,
"uco-identity" : "https://ontology.unifiedcyberontology.org/uco/identity/" ,
"uco-location" : "https://ontology.unifiedcyberontology.org/uco/location/" ,
"uco-observable" : "https://ontology.unifiedcyberontology.org/uco/observable/" ,
"uco-role" : "https://ontology.unifiedcyberontology.org/uco/role/" ,
"uco-tool" : "https://ontology.unifiedcyberontology.org/uco/tool/" ,
"uco-types" : "https://ontology.unifiedcyberontology.org/uco/types/" ,
"uco-vocabulary" : "https://ontology.unifiedcyberontology.org/uco/vocabulary/" ,
"xsd" : "http://www.w3.org/2001/XMLSchema#"
},
"@graph" : [
{
"@id" : "kb:Bundle-feb83c4b-9d88-41ac-b8d8-82d317b40a53" ,
"@type" : "uco-core:Bundle" ,
"uco-core:description" : "Evidence in bank robbery" ,
"uco-core:object" : [
{
"@id" : "kb:Investigation1-85c7b8d1-54e0-4023-847a-20e0f55dd48e" ,
"@type" : "case-investigation:Investigation" ,
"uco-core:name" : "CROSSOVER_2018_11191001" ,
"case-investigation:focus" : "Bank Robbery (UBS Lausanne)" ,
"uco-core:description" : "Forensic treatment of storage media recovered from getaway car and suspects apartment during investigation of bank robbery." ,
"rdfs:comment" : "TODO - uco-core:object is to have a more complete list of IRIs." ,
"uco-core:object" : [
{
"@id" : "kb:Disk-6dbe5066-dfb8-4551-9bda-39aab2ae3db1"
}
]
}
]
},
{
"@id" : "kb:Identity-cbfbd171-e56c-4f59-a01b-4404a1e5eb28" ,
"@type" : "uco-identity:Organization" ,
"uco-core:name" : "ESC"
},
{
"@id" : "kb:Role-870e2626-5ffd-4a80-83c2-8ee429709c81" ,
"@type" : "uco-role:Role" ,
"uco-core:name" : "Forensic Expert"
},
{
"@id" : "kb:Relationship-ec126575-d6a4-4590-9690-f2571a48b8ac" ,
"@type" : "uco-core:Relationship" ,
"uco-core:source" : {
"@id" : "kb:Identity-cbfbd171-e56c-4f59-a01b-4404a1e5eb28"
},
"uco-core:target" : {
"@id" : "kb:Role-870e2626-5ffd-4a80-83c2-8ee429709c81"
},
"uco-core:kindOfRelationship" : "Has_Role" ,
"uco-core:isDirectional" : true
}
]
}
INVESTIGATIVE ACTIONS
Representation of USB forensic acquisition using Tableau.
[
{
"@id" : "kb:ConfiguredTool-f09436ba-3a57-4386-91c1-d586cebd1919" ,
"@type" : "uco-tool:ConfiguredTool" ,
"uco-core:name" : "Tableau TD2u" ,
"uco-tool:toolType" : "acquisition/duplication" ,
"uco-tool:creator" : {
"@id" : "kb:organization-cf3010bb-7716-473d-98ee-25e4917e7b80"
},
"uco-tool:version" : "1.2.1 (build 5241-814712f)" ,
"drafting:toolIdentifier" : "000eccd2007540a6" ,
"uco-configuration:usesConfiguration" : {
"@id" : "kb:Configuration-d9f82a71-1074-409f-a481-28f1fbc7ee28" ,
"@type" : "uco-configuration:Configuration" ,
"uco-configuration:configurationEntry" : [
{
"@id" : "kb:configuration-entry-3345eee3-7d8d-4378-95f2-30b8ca631e30" ,
"@type" : "uco-configuration:ConfigurationEntry" ,
"uco-configuration:itemName" : "Mode" ,
"uco-configuration:itemValue" : "DriveToFile"
},
{
"@id" : "kb:configuration-entry-43c509fc-8755-410a-97e7-a6001d3a3f61" ,
"@type" : "uco-configuration:ConfigurationEntry" ,
"uco-configuration:itemName" : "Method" ,
"uco-configuration:itemValue" : "E01Capture"
},
{
"@id" : "kb:configuration-entry-7bcf9625-cdf4-4cd9-8fc5-b70987abb20c" ,
"@type" : "uco-configuration:ConfigurationEntry" ,
"uco-configuration:itemName" : "Hash" ,
"uco-configuration:itemValue" : "SHA-1+MD5"
}
]
}
},
{
"@id" : "kb:organization-cf3010bb-7716-473d-98ee-25e4917e7b80" ,
"@type" : "uco-identity:Identity" ,
"uco-core:name" : "Opentext"
},
{
"@id" : "kb:InvestigativeAction-e019ed92-af10-4a9f-a914-7a9ba539807c" ,
"@type" : "case-investigation:InvestigativeAction" ,
"uco-core:name" : "disk image" ,
"uco-core:description" : "Acquisition of Kingston DataTraveler 2.0" ,
"uco-action:startTime" : {
"@type" : "xsd:dateTime" ,
"@value" : "2018-11-19T15:51:10.00Z"
},
"uco-action:endTime" : {
"@type" : "xsd:dateTime" ,
"@value" : "2018-11-19T15:58:38.00Z"
},
"uco-action:instrument" : {
"@id" : "kb:ConfiguredTool-f09436ba-3a57-4386-91c1-d586cebd1919"
},
"drafting:notProvidedByReport" : {
"@id" : "uco-action:location"
},
"uco-action:performer" : {
"@id" : "kb:Role-870e2626-5ffd-4a80-83c2-8ee429709c81"
},
"uco-action:object" : [
{
"@id" : "kb:Disk-6dbe5066-dfb8-4551-9bda-39aab2ae3db1"
},
{
"@id" : "kb:ProvenanceRecord-53d614ea-d7cd-4491-a100-2f0b88299e89"
}
],
"uco-action:result" : [
{
"@id" : "kb:usb-b2dbb227-06ec-432d-9f63-058e8ab73944"
},
{
"@id" : "kb:ProvenanceRecord-0ff68932-2abc-433c-91b0-5af1ca34b470"
}
]
},
{
"@id" : "kb:Disk-6dbe5066-dfb8-4551-9bda-39aab2ae3db1" ,
"@type" : [
"uco-observable:Disk" ,
"uco-observable:StorageMedium"
],
"uco-core:hasFacet" : [
{
"@id" : "kb:disk-facet-c9fa6408-85f8-4e0b-bf8f-f653f5bc97c3" ,
"@type" : "uco-observable:DiskFacet" ,
"uco-observable:model" : "Kingston DataTraveler 2.0" ,
"drafting:USBSerialNumber" : "001D7D06CF09ED91D97F1B1B" ,
"uco-observable:serialNumber" : "0E0D19D17DD9" ,
"uco-observable:storageCapacityInBytes" : 7803174912
},
{
"@id" : "kb:content-data-facet-25069e03-040a-421b-9bfa-25d532ec23b8" ,
"@type" : "uco-observable:ContentDataFacet" ,
"uco-observable:hash" : [
{
"@id" : "kb:hash-12a9f855-c237-51d8-8239-0bb130374fde" ,
"@type" : "uco-types:Hash" ,
"uco-types:hashMethod" : {
"@type" : "uco-vocabulary:HashNameVocab" ,
"@value" : "MD5"
},
"uco-types:hashValue" : {
"@type" : "xsd:hexBinary" ,
"@value" : "058f03317c1612eadd624342b7fde511"
}
},
{
"@id" : "kb:hash-128996fc-3823-54a5-9ca4-cf6e21fca62f"
}
]
}
]
},
{
"@id" : "kb:ProvenanceRecord-53d614ea-d7cd-4491-a100-2f0b88299e89" ,
"@type" : "case-investigation:ProvenanceRecord" ,
"uco-observable:observableCreatedTime" : {
"@type" : "xsd:dateTime" ,
"@value" : "2018-10-26T13:12:48.00Z"
},
"uco-core:description" : "Kingston DataTraveler 2.0" ,
"case-investigation:exhibitNumber" : "20181119-001-001" ,
"uco-core:object" : {
"@id" : "kb:Disk-6dbe5066-dfb8-4551-9bda-39aab2ae3db1"
}
},
{
"@id" : "kb:usb-b2dbb227-06ec-432d-9f63-058e8ab73944" ,
"@type" : [
"uco-observable:File" ,
"uco-observable:Image"
],
"uco-core:hasFacet" : [
{
"@id" : "kb:file-facet-71922639-1d8f-4494-a399-a8b3282bf55b" ,
"@type" : "uco-observable:FileFacet" ,
"uco-observable:fileName" : "image.E01" ,
"uco-observable:filePath" : "2018-11-19_15-50-58/image.E01" ,
"uco-observable:extension" : "E01" ,
"uco-observable:fileSystemType" : "ntfs" ,
"uco-observable:isDirectory" : false ,
"uco-observable:sizeInBytes" : 2147483648 ,
"uco-observable:observableCreatedTime" : {
"@type" : "xsd:dateTime" ,
"@value" : "2018-11-19T15:50:58.00Z"
}
},
{
"@id" : "kb:content-data-facet-17661dfc-7b8a-46c0-8b0e-0f7b1eac3096" ,
"@type" : "uco-observable:ContentDataFacet" ,
"uco-observable:hash" : {
"@id" : "kb:hash-128996fc-3823-54a5-9ca4-cf6e21fca62f"
}
}
]
},
{
"@id" : "kb:ProvenanceRecord-0ff68932-2abc-433c-91b0-5af1ca34b470" ,
"@type" : "case-investigation:ProvenanceRecord" ,
"uco-core:description" : "Forensic image with E01Capture" ,
"uco-observable:observableCreatedTime" : {
"@type" : "xsd:dateTime" ,
"@value" : "2018-11-19T15:50:58.00Z"
},
"case-investigation:exhibitNumber" : "20181119-001-001-01" ,
"uco-core:object" : {
"@id" : "kb:usb-b2dbb227-06ec-432d-9f63-058e8ab73944"
}
}
]
The forensic acquisition of the hard drive can be represented in a similar manner and its partition structure can be represented and represented using CASE. In this investigation, the hard drive was acquired using Tableau and split into multiple parts. An example of CASE representation for a different tool is available in this [Hardware Duplicator Example](https://caseontology.org/examples/hardware_duplicator/).
RECOVERED FILE SYSTEM AND CONTENT
When a tool is used to recover file system metadata and content from storage media, the execution of that process can be represented as an Investigative Action in CASE similar to the above example.
The recovered file system metadata and content can be represented as Observable Objects in CASE.
Links Between USB Device and Hard Drive
Various links between the USB device and hard drive can be represented using CASE, including LNK shortcuts and Registry key entries.
All of these links are in the user account context "Harley Quinn" connecting the USB device to the user of that account.
Recent LNK files on Windows contain metadata for a target file that was recently opened by the user, providing a shortcut link for ease of reopening.
Thebatplan.lnk file on the hard drive represented using CASE:
[
{
"@id" : "kb:lnkfile-487b236d-e75d-467e-9c6d-dad2d12cf94e" ,
"@type" : "uco-observable:File" ,
"uco-core:hasFacet" : [
{
"uco-observable:accessedTime" : {
"@type" : "xsd:dateTime" ,
"@value" : "2018-11-19T00:29:15Z"
},
"uco-observable:extension" : "lnk" ,
"uco-observable:fileName" : "Thebatplan.lnk" ,
"uco-observable:filePath" : "/img_image.E01/vol_vol3/Users/Harley Quinn/AppData/Roaming/Microsoft/Windows/Recent/Thebatplan.lnk" ,
"uco-observable:isDirectory" : false ,
"uco-observable:sizeInBytes" : 508 ,
"@id" : "kb:file-facet-b221fe82-47e7-4a49-81a3-7ba6d3b438a8" ,
"@type" : "uco-observable:FileFacet" ,
"uco-observable:observableCreatedTime" : {
"@type" : "xsd:dateTime" ,
"@value" : "2018-11-19T00:29:15Z"
},
"uco-observable:modifiedTime" : {
"@type" : "xsd:dateTime" ,
"@value" : "2018-11-19T00:29:15Z"
}
}
]
},
{
"@id" : "kb:Relationship-f0505f2a-5de0-4651-9486-16746758f6c8" ,
"@type" : "uco-observable:ObservableRelationship" ,
"uco-core:source" : {
"@id" : "kb:lnkfile-487b236d-e75d-467e-9c6d-dad2d12cf94e"
},
"uco-core:target" : {
"@id" : "kb:harddrive-partition2-e3f25b0b-37bf-4111-bae3-d355aff3c8a2"
},
"uco-core:kindOfRelationship" : "Contained-Within" ,
"uco-core:isDirectional" : true
}
]
The LNK file "Users/Harley Quinn/AppData/Roaming/Microsoft/Windows/Recent/Thebatplan.lnk" on the hard drive references a file on USB device "D:\Thebatplan" that contains a floor plan. The metadata captured in the LNK file are all 2018-11-18T22:53:09Z. The LNK file creation and modification timestamps are 2018-11-19T00:29:15Z indicating that the file was opened once at this time.
[
{
"@id" : "kb:lnk1-relationship-a1dbff0e-974b-4295-b035-e1bc3271945d" ,
"@type" : "uco-observable:ObservableRelationship" ,
"uco-core:source" : {
"@id" : "kb:file-d87ecfcb-006c-46e6-a973-e756ee4d4f70"
},
"uco-core:target" : {
"@id" : "kb:lnkfile-487b236d-e75d-467e-9c6d-dad2d12cf94e"
},
"uco-core:kindOfRelationship" : "Referenced_Within" ,
"uco-core:isDirectional" : true
}
]
Thebatplan file on the USB device referenced in the Thebatplan.lnk file:
[
{
"@id" : "kb:file-d87ecfcb-006c-46e6-a973-e756ee4d4f70" ,
"@type" : "uco-observable:File" ,
"uco-core:hasFacet" : [
{
"uco-observable:sizeInBytes" : 1389601 ,
"uco-observable:mimeType" : "image/jpeg" ,
"uco-observable:hash" : [
{
"@id" : "kb:hash-c5761f3a-a741-5d06-a668-91e308ef19ef" ,
"@type" : "uco-types:Hash" ,
"uco-types:hashMethod" : {
"@type" : "uco-vocabulary:HashNameVocab" ,
"@value" : "MD5"
},
"uco-types:hashValue" : {
"@type" : "xsd:hexBinary" ,
"@value" : "2282dddf9378cd1dd0497a3484adf768"
}
}
],
"@id" : "kb:content-data-facet-33dee628-9332-4b77-8853-1dc5481c5460" ,
"@type" : "uco-observable:ContentDataFacet"
},
{
"uco-observable:accessedTime" : {
"@type" : "xsd:dateTime" ,
"@value" : "2018-11-18T22:53:09Z"
},
"uco-observable:extension" : "" ,
"uco-observable:fileName" : "Thebatplan" ,
"uco-observable:filePath" : "/img_image.E01/Thebatplan" ,
"uco-observable:isDirectory" : false ,
"uco-observable:sizeInBytes" : 1389601 ,
"@id" : "kb:file-facet-4fc6467e-dbc1-403b-876a-05a97efa7c81" ,
"@type" : "uco-observable:FileFacet" ,
"uco-observable:observableCreatedTime" : {
"@type" : "xsd:dateTime" ,
"@value" : "2018-11-18T22:53:09Z"
},
"uco-observable:modifiedTime" : {
"@type" : "xsd:dateTime" ,
"@value" : "2018-11-18T20:10:48Z"
}
}
]
},
{
"@id" : "kb:Relationship-e6d52185-c570-409c-ae35-ceaf3e01080b" ,
"@type" : "uco-observable:ObservableRelationship" ,
"uco-core:source" : {
"@id" : "kb:file-d87ecfcb-006c-46e6-a973-e756ee4d4f70"
},
"uco-core:target" : {
"@id" : "kb:usb-b2dbb227-06ec-432d-9f63-058e8ab73944"
},
"uco-core:kindOfRelationship" : "contained-within" ,
"uco-core:isDirectional" : true
}
]
Another LNK file on the hard drive:
[
{
"uco-core:hasFacet" : [
{
"uco-observable:accessedTime" : {
"@type" : "xsd:dateTime" ,
"@value" : "2018-11-19T00:23:50Z"
},
"uco-observable:extension" : "lnk" ,
"uco-observable:fileName" : "thebatletter.lnk" ,
"uco-observable:filePath" : "/img_image.E01/vol_vol3/Users/Harley Quinn/AppData/Roaming/Microsoft/Windows/Recent/thebatletter.lnk" ,
"uco-observable:isDirectory" : false ,
"uco-observable:sizeInBytes" : 535 ,
"@id" : "kb:file-facet-16b6a9f9-0b3d-4b7a-9c61-6859e7ca7e45" ,
"@type" : "uco-observable:FileFacet" ,
"uco-observable:observableCreatedTime" : {
"@type" : "xsd:dateTime" ,
"@value" : "2018-11-19T00:23:50Z"
},
"uco-observable:modifiedTime" : {
"@type" : "xsd:dateTime" ,
"@value" : "2018-11-19T00:23:50Z"
}
}
],
"@id" : "kb:lnkfile-f3c23080-0236-4ee7-83e7-cccc5fa06ee0" ,
"@type" : "uco-observable:File"
},
{
"@id" : "kb:Relationship-e29bbd14-396d-48d4-abbf-acdfd346ca64" ,
"@type" : "uco-observable:ObservableRelationship" ,
"uco-core:source" : {
"@id" : "kb:lnkfile-f3c23080-0236-4ee7-83e7-cccc5fa06ee0"
},
"uco-core:target" : {
"@id" : "kb:harddrive-partition2-e3f25b0b-37bf-4111-bae3-d355aff3c8a2"
},
"uco-core:kindOfRelationship" : "contained-within" ,
"uco-core:isDirectional" : true
}
]
The thebatletter.docx file referenced in the LNK file is no longer in allocated state on the USB device. However, the content of the document can be recovered using file carving methods. The metadata from the LNK file can be related to the carved document. In this instance, the ground truth is known and the relationship is certain.
[
{
"uco-core:hasFacet" : [
{
"@id" : "kb:file-facet-929bcdfd-ca54-4df7-989a-6b7206b8661e" ,
"uco-observable:accessedTime" : {
"@type" : "xsd:dateTime" ,
"@value" : "2018-11-18T22:53:09Z"
},
"uco-observable:extension" : "docx" ,
"uco-observable:fileName" : "thebatletter.docx" ,
"uco-observable:filePath" : "/thebatletter.docx" ,
"uco-observable:isDirectory" : false ,
"uco-observable:sizeInBytes" : 11633 ,
"@type" : "uco-observable:FileFacet" ,
"uco-observable:observableCreatedTime" : {
"@type" : "xsd:dateTime" ,
"@value" : "2018-11-18T22:53:09Z"
},
"uco-observable:modifiedTime" : {
"@type" : "xsd:dateTime" ,
"@value" : "2018-11-18T21:30:48Z"
}
}
],
"@id" : "kb:File-ed7c30a2-e233-4732-adee-8514955b6dfb" ,
"@type" : "uco-observable:File"
},
{
"@id" : "kb:b3a202b4-ee2b-4f26-9a31-6d10801524e7" ,
"@type" : "uco-observable:ObservableRelationship" ,
"uco-core:source" : {
"@id" : "kb:File-ed7c30a2-e233-4732-adee-8514955b6dfb"
},
"uco-core:target" : {
"@id" : "kb:usb-b2dbb227-06ec-432d-9f63-058e8ab73944"
},
"uco-core:kindOfRelationship" : "contained-within" ,
"uco-core:isDirectional" : true
},
{
"@id" : "kb:content-2ea73bc6-801a-47ff-a8fa-837c226bfa14" ,
"@type" : [
"uco-observable:ContentData" ,
"uco-observable:RecoveredObject"
],
"uco-core:hasFacet" : [
{
"@id" : "kb:recovered-object-facet-0a916246-a9a0-43ad-a158-ae76cc2c1bb7" ,
"@type" : "uco-observable:RecoveredObjectFacet" ,
"uco-observable:contentRecoveredStatus" : {
"@type" : "uco-vocabulary:RecoveredObjectStatusVocab" ,
"@value" : "recovered"
},
"uco-observable:metadataRecoveredStatus" : {
"@type" : "uco-vocabulary:RecoveredObjectStatusVocab" ,
"@value" : "recovered"
},
"uco-observable:nameRecoveredStatus" : {
"@type" : "uco-vocabulary:RecoveredObjectStatusVocab" ,
"@value" : "recovered"
}
},
{
"@id" : "kb:content-data-facet-17d9f5ea-d00b-4130-866f-e7399332ae5e" ,
"@type" : "uco-observable:ContentDataFacet" ,
"uco-observable:byteOrder" : {
"@type" : "uco-vocabulary:EndiannessTypeVocab" ,
"@value" : "Big-endian"
},
"uco-observable:sizeInBytes" : 11633 ,
"uco-observable:mimeType" : "application/application/vnd.openxmlformats-officedocument.wordprocessingml.document" ,
"uco-observable:hash" : [
{
"@id" : "kb:hash-adece2a7-0017-5e25-be76-f6b78386186b" ,
"@type" : "uco-types:Hash" ,
"rdfs:comment" : "TODO: From the hash length, the algorithm appears to be MD5, not SHA2-256." ,
"uco-types:hashMethod" : {
"@type" : "uco-vocabulary:HashNameVocab" ,
"@value" : "SHA256"
},
"uco-types:hashValue" : {
"@type" : "xsd:hexBinary" ,
"@value" : "701ad15009b0e79af524336f7d069ed1"
}
}
]
}
]
},
{
"@id" : "kb:Relationship-e4b416ed-4e02-4ecd-bd4d-d57ec485a37e" ,
"@type" : "uco-observable:ObservableRelationship" ,
"uco-core:source" : {
"@id" : "kb:content-2ea73bc6-801a-47ff-a8fa-837c226bfa14"
},
"uco-core:target" : {
"@id" : "kb:usb-b2dbb227-06ec-432d-9f63-058e8ab73944"
},
"uco-core:kindOfRelationship" : "Contained_Within" ,
"uco-core:isDirectional" : true ,
"uco-core:hasFacet" : [
{
"@id" : "kb:data-range-facet-9bd1e773-0e69-4c21-b168-c05c834dd756" ,
"@type" : "uco-observable:DataRangeFacet" ,
"uco-observable:rangeOffset" : 9994240 ,
"uco-observable:rangeSize" : 11633
}
]
},
{
"@id" : "kb:Relationship-59a90c3f-12a9-4ed4-b175-2e56b75abd74" ,
"@type" : "uco-observable:ObservableRelationship" ,
"uco-core:source" : {
"@id" : "kb:content-2ea73bc6-801a-47ff-a8fa-837c226bfa14"
},
"uco-core:target" : {
"@id" : "kb:File-ed7c30a2-e233-4732-adee-8514955b6dfb"
},
"uco-core:kindOfRelationship" : "Contained-Within" ,
"uco-core:isDirectional" : true
}
]
Another LNK file on the hard drive:
[
{
"uco-core:hasFacet" : [
{
"uco-observable:accessedTime" : {
"@type" : "xsd:dateTime" ,
"@value" : "2018-11-19T00:27:14Z"
},
"uco-observable:extension" : "lnk" ,
"uco-observable:fileName" : "wow.lnk" ,
"uco-observable:filePath" : "/img_image.E01/vol_vol3/Users/Harley Quinn/AppData/Roaming/Microsoft/Windows/Recent/wow.lnk" ,
"uco-observable:isDirectory" : false ,
"uco-observable:sizeInBytes" : 495 ,
"@id" : "kb:file-facet-763c6961-c335-40b6-a8b3-36b6f5f15ecb" ,
"@type" : "uco-observable:FileFacet" ,
"uco-observable:observableCreatedTime" : {
"@type" : "xsd:dateTime" ,
"@value" : "2018-11-19T00:27:14Z"
},
"uco-observable:modifiedTime" : {
"@type" : "xsd:dateTime" ,
"@value" : "2018-11-19T00:27:14Z"
}
}
],
"@id" : "kb:File-31c06b79-ad9f-446a-859a-62b848e2e1f8" ,
"@type" : "uco-observable:File"
},
{
"@id" : "kb:df9f6a42-fbb6-4e7e-bf60-6518680241dd" ,
"@type" : "uco-observable:ObservableRelationship" ,
"uco-core:source" : {
"@id" : "kb:File-31c06b79-ad9f-446a-859a-62b848e2e1f8"
},
"uco-core:target" : {
"@id" : "kb:harddrive-partition2-e3f25b0b-37bf-4111-bae3-d355aff3c8a2"
},
"uco-core:kindOfRelationship" : "Contained-Within" ,
"uco-core:isDirectional" : true
},
{
"uco-core:hasFacet" : [
{
"uco-observable:accessedTime" : {
"@type" : "xsd:dateTime" ,
"@value" : "2018-11-19T00:28:41Z"
},
"uco-observable:extension" : "lnk" ,
"uco-observable:fileName" : "wow (2).lnk" ,
"uco-observable:filePath" : "/img_image.E01/vol_vol3/Users/Harley Quinn/AppData/Roaming/Microsoft/Windows/Recent/wow (2).lnk" ,
"uco-observable:isDirectory" : false ,
"uco-observable:sizeInBytes" : 457 ,
"@id" : "kb:file-facet-fa661a0f-1b8d-4552-870e-daf7b93404be" ,
"@type" : "uco-observable:FileFacet" ,
"uco-observable:observableCreatedTime" : {
"@type" : "xsd:dateTime" ,
"@value" : "2018-11-19T00:28:28Z"
},
"uco-observable:modifiedTime" : {
"@type" : "xsd:dateTime" ,
"@value" : "2018-11-19T00:28:41Z"
}
}
],
"@id" : "kb:File-26adfe08-e545-4d24-872b-84f95bd01284" ,
"@type" : "uco-observable:File"
},
{
"uco-core:source" : {
"@id" : "kb:File-26adfe08-e545-4d24-872b-84f95bd01284"
},
"uco-core:target" : {
"@id" : "kb:harddrive-partition2-e3f25b0b-37bf-4111-bae3-d355aff3c8a2"
},
"uco-core:kindOfRelationship" : "contained-within" ,
"uco-core:isDirectional" : true ,
"@id" : "kb:Relationship-d70472d2-42a7-4ea1-9f3f-4fd7637bd4ff" ,
"@type" : "uco-observable:ObservableRelationship"
}
]
Web Browser History
On the hard drive, a URL history entry in WebCacheV01.dat referencing wow.jpg file on USB device:
[
{
"@id" : "kb:url-def4ae18-9181-4cce-8f5f-a9aba022b98b" ,
"@type" : "uco-observable:URL" ,
"uco-core:hasFacet" : [
{
"@id" : "kb:url-facet-37438f61-d440-429a-ab30-9fc9b2464274" ,
"@type" : "uco-observable:URLFacet" ,
"uco-observable:fullValue" : "file:///D:/wow.jpg"
},
{
"uco-observable:value" : "" ,
"@id" : "kb:domain-name-facet-b05e0e6b-deb0-4989-8214-d6d2b99ef1ea" ,
"@type" : "uco-observable:DomainNameFacet"
}
]
},
{
"uco-core:source" : {
"@id" : "kb:url-def4ae18-9181-4cce-8f5f-a9aba022b98b"
},
"uco-core:target" : {
"@id" : "kb:file-webcache-12c51c62-e5e2-4018-ac45-e0e69e36573f"
},
"uco-core:kindOfRelationship" : "contained-within" ,
"uco-core:isDirectional" : true ,
"@id" : "kb:Relationship-47601a3c-d962-4e3a-b90d-fa2bad7a0be3" ,
"@type" : "uco-observable:ObservableRelationship"
},
{
"@id" : "kb:file-webcache-12c51c62-e5e2-4018-ac45-e0e69e36573f" ,
"@type" : "uco-observable:ObservableObject"
},
{
"@id" : "kb:ApplicationAccount-580d7253-5086-41a5-b788-69e3ceaa4bae" ,
"@type" : "uco-observable:ApplicationAccount" ,
"uco-core:hasFacet" : [
{
"@id" : "kb:application-account-facet-b26e6f07-0436-48ca-8d39-2e7dafd055ec" ,
"@type" : "uco-observable:ApplicationAccountFacet" ,
"uco-observable:displayName" : "Harley Quinn"
}
]
},
{
"@type" : [
"uco-observable:Application" ,
"uco-observable:Software"
],
"@id" : "kb:software-5d96df90-d9e1-423c-b8db-c2327812ab38" ,
"uco-core:hasFacet" : [
{
"uco-observable:applicationIdentifier" : "Microsoft Edge" ,
"@id" : "kb:application-facet-ed282901-6700-419b-9a03-aa56d7252c8a" ,
"@type" : "uco-observable:ApplicationFacet"
}
]
},
{
"@id" : "kb:url-history-51cf5cf9-806a-4944-ae6b-ba61229cb3a5" ,
"@type" : "uco-observable:URLHistory" ,
"uco-core:hasFacet" : [
{
"@id" : "kb:url-history-facet-728d325b-d3df-4e4b-97b2-dbf9c7c64da8" ,
"@type" : "uco-observable:URLHistoryFacet" ,
"uco-observable:browserInformation" : {
"@id" : "kb:software-5d96df90-d9e1-423c-b8db-c2327812ab38"
},
"uco-observable:urlHistoryEntry" : [
{
"@id" : "kb:url-history-entry-b2e78940-dc49-44f5-ac7e-ef9b8a9bc976" ,
"@type" : "uco-observable:URLHistoryEntry" ,
"uco-observable:firstVisit" : {
"@type" : "xsd:dateTime" ,
"@value" : "2018-11-19T00:27:14.00Z"
},
"uco-observable:lastVisit" : {
"@type" : "xsd:dateTime" ,
"@value" : "2018-11-19T00:27:14.00Z"
},
"uco-observable:expirationTime" : null ,
"rdfs:comment" : "TODO - Was uco-observable:browserUserProfile intended to be an object property?" ,
"drafting:browserUserProfileAccount" : {
"@id" : "kb:ApplicationAccount-580d7253-5086-41a5-b788-69e3ceaa4bae"
},
"uco-observable:url" : {
"@id" : "kb:url-def4ae18-9181-4cce-8f5f-a9aba022b98b"
},
"uco-observable:referrerUrl" : null ,
"uco-observable:pageTitle" : null ,
"uco-observable:visitCount" : 1 ,
"uco-observable:manuallyEnteredCount" : {
"@type" : "xsd:nonNegativeInteger" ,
"@value" : "0"
},
"uco-observable:keywordSearchTerm" : null
}
]
}
]
}
]
The referenced file on the USB drive:
[
{
"uco-core:hasFacet" : [
{
"@id" : "kb:content-data-facet-40ab2874-6f85-4623-8a17-5f105ed2042b" ,
"@type" : "uco-observable:ContentDataFacet" ,
"uco-observable:sizeInBytes" : 756969 ,
"uco-observable:mimeType" : "image/jpeg"
},
{
"@id" : "kb:file-facet-4afdcc08-f93f-472e-89db-ade60d84ca6f" ,
"@type" : "uco-observable:FileFacet" ,
"uco-observable:accessedTime" : {
"@type" : "xsd:dateTime" ,
"@value" : "2018-11-18T22:53:09Z"
},
"uco-observable:extension" : "jpg" ,
"uco-observable:fileName" : "wow.jpg" ,
"uco-observable:filePath" : "/img_image.E01/wow.jpg" ,
"uco-observable:isDirectory" : false ,
"uco-observable:sizeInBytes" : 756969 ,
"uco-observable:observableCreatedTime" : {
"@type" : "xsd:dateTime" ,
"@value" : "2018-11-18T22:53:09Z"
},
"uco-observable:modifiedTime" : {
"@type" : "xsd:dateTime" ,
"@value" : "2018-11-18T20:28:58Z"
}
}
],
"@id" : "kb:File-bbb4f0c4-ea2c-42fa-9ec0-11bc4678b7b8" ,
"@type" : "uco-observable:File"
},
{
"uco-core:source" : {
"@id" : "kb:File-bbb4f0c4-ea2c-42fa-9ec0-11bc4678b7b8"
},
"uco-core:target" : {
"@id" : "kb:usb-b2dbb227-06ec-432d-9f63-058e8ab73944"
},
"uco-core:kindOfRelationship" : "contained-within" ,
"uco-core:isDirectional" : true ,
"@id" : "kb:Relationship-ce92625b-c5f0-4856-940b-692d82de602c" ,
"@type" : "uco-observable:ObservableRelationship"
}
]
Windows Registry
Registry keys associated with removable USB devices contain manufacturer and model information (VID and PID) as well as the serial number that must be parsed and represented. In the Crossover scenario, the 001D7D06CF09ED91D97F1B1B key under the SYSTEM Registry hive "SYSTEM/ControlSet001/Enum/USB/" has a last modification timestamp and refers to a "Kingston DataTraveler 102/2.0 / HEMA Flash Drive 2 GB / PNY Attache 4GB Stick" manufactured by Toshiba with serial number 001D7D06CF09ED91D97F1B1B.
A Registry hive can be treated as a volume contained within a file as represented here using the remnants of USB device usage in the SYSTEM Registry as an example:
[
{
"@id" : "kb:File-61082f03-46ed-4bc7-a7c9-571754ffcb60" ,
"@type" : "uco-observable:File" ,
"uco-core:hasFacet" : [
{
"@id" : "kb:file-facet-5734cd54-aa04-4c70-a0b4-909032e408c1" ,
"@type" : "uco-observable:FileFacet" ,
"uco-observable:fileName" : "SYSTEM" ,
"uco-observable:filePath" : "/Windows/system32/config/SYSTEM" ,
"uco-observable:isDirectory" : false
},
{
"@id" : "kb:windows-registry-hive-facet-34c54d87-0ddc-43d5-a185-062da9693e3e" ,
"@type" : "uco-observable:WindowsRegistryHiveFacet" ,
"uco-observable:hiveType" : "SYSTEM"
}
]
}
]
Note that this use of a Contained_Within
relationship is analogous to how a file system is contained within an image of a disk partition.
In the same way that some file systems treat both directories and regular files as files, a Registry key and value can both be treated as files (a.k.a. cells) within a hive.
[
{
"@id" : "kb:Relationship-d974c54f-60de-46af-b0fd-a19704543785" ,
"@type" : "uco-observable:ObservableRelationship" ,
"uco-core:source" : {
"@id" : "kb:WindowsRegistryKey-684af874-4c95-4be9-9c58-3eda29b94443"
},
"uco-core:target" : {
"@id" : "kb:File-61082f03-46ed-4bc7-a7c9-571754ffcb60"
},
"uco-core:kindOfRelationship" : "Contained_Within" ,
"uco-core:isDirectional" : true
},
{
"@id" : "kb:WindowsRegistryKey-684af874-4c95-4be9-9c58-3eda29b94443" ,
"@type" : "uco-observable:WindowsRegistryKey" ,
"uco-core:hasFacet" : [
{
"@id" : "kb:windows-registry-key-facet-840333f7-e6b8-415e-b08e-8b33cc7dcc90" ,
"@type" : "uco-observable:WindowsRegistryKeyFacet" ,
"uco-observable:key" : "SYSTEM/ControlSet001/Enum/USB/VID_0781&PID_5575/001D7D06CF09ED91D97F1B1B" ,
"uco-observable:modifiedTime" : {
"@type" : "xsd:dateTime" ,
"@value" : "2017-02-02T22:38:09.00Z"
},
"uco-observable:numberOfSubkeys" : 2
}
]
}
]
REPRESENTING EMAIL
[
{
"@id" : "kb:EmailAddress-d2bc0936-e1c5-4b55-8a1b-af2b3a2b145c" ,
"@type" : "uco-observable:EmailAddress" ,
"uco-core:hasFacet" : {
"@id" : "kb:email-address-facet-20454f34-043e-48fc-bb66-dcf91aa11a5c" ,
"@type" : "uco-observable:EmailAddressFacet" ,
"uco-observable:addressValue" : "aresthewerewolf@gmail.com <aresthewerewolf>"
}
},
{
"@id" : "kb:EmailAccount-ca4bc5e3-33a7-4457-b106-d0213e248979" ,
"@type" : "uco-observable:EmailAccount" ,
"uco-core:hasFacet" : {
"@id" : "kb:email-address-facet-9e20866a-4533-4d02-9aa5-cc563299315f" ,
"@type" : "uco-observable:EmailAddressFacet" ,
"uco-observable:emailAddress" : {
"@id" : "kb:EmailAddress-5f63c12b-115a-474f-b1b2-15ebdb2fce31"
}
}
},
{
"@id" : "kb:EmailAddress-5f63c12b-115a-474f-b1b2-15ebdb2fce31" ,
"@type" : "uco-observable:EmailAddress" ,
"uco-core:hasFacet" : {
"@id" : "kb:email-address-facet-f0081a6a-3c18-47d5-87bf-6367d30d2c8c" ,
"@type" : "uco-observable:EmailAddressFacet" ,
"uco-observable:addressValue" : "badquinn3@gmail.com"
}
},
{
"@id" : "kb:EmailMessage-c5efd42c-d771-43aa-afe5-6b30740348e3" ,
"@type" : "uco-observable:EmailMessage" ,
"uco-core:hasFacet" : [
{
"@id" : "kb:email-message-facet-f57e953c-95af-437d-b115-94585eb0ac13" ,
"@type" : "uco-observable:EmailMessageFacet" ,
"uco-observable:body" : "" ,
"uco-observable:from" : {
"@id" : "kb:EmailAddress-d2bc0936-e1c5-4b55-8a1b-af2b3a2b145c"
},
"uco-observable:isRead" : true ,
"uco-observable:messageID" : "2320dc68-65a3-4f05-8884-945992231a1e" ,
"uco-observable:sender" : {
"@id" : "kb:EmailAddress-d2bc0936-e1c5-4b55-8a1b-af2b3a2b145c"
},
"uco-observable:sentTime" : {
"@type" : "xsd:dateTime" ,
"@value" : "2018-11-20T00:00:30+00:00"
},
"uco-observable:subject" : "Bank transfer ?" ,
"uco-observable:to" : {
"@id" : "kb:EmailAccount-ca4bc5e3-33a7-4457-b106-d0213e248979"
}
}
]
}
]