Topics

Investigative topic support in CASE

The CASE narrative examples gallery illustrates snippets of CASE data that would appear in cyber investigations, using narratives to provide a cohesive demonstration. The concepts used in those illustrations can be grouped into various topics of investigative relevance.

Other illustrations of concepts are available in the CASE Examples GitHub repository, and in the output of some of the CASE code bases. Specific illustrations are linked below.

CASE supports other investigative topics beyond those listed on this page. The community continues to build this page, cataloguing the competency questions CASE addresses. If you are interested in helping to document investigative needs, we welcome your participation.

Chain of Custody

The Chain of Custody is crucial in investigations because it helps establish and maintain the integrity of evidence throughout its various stages (seizure, transfer, analysis, etc.). Because everyday tasks increasingly rely on digital media, digital components are becoming more prominent in investigations. CASE seeks to represent the cyber aspect of a Chain of Custody. The aspects that can be represented in CASE are the properties of a device (manufacturer, model, serial number, storage size, etc.), the tools used to acquire and/or analyze the device, and the context of data pertaining to the device.

Concepts and illustrations

Supporting concepts for Chain of Custody

Investigative action
  IRIs:
  • case-investigation:InvestigativeAction
  • uco-action:location
  Illustrations:
  Among queries in the Urgent Evidence narrative:
  • Action timeline: The InvestigativeAction can provide a timeline of the actions taken in an investigation.
  • Investigative Locations: The InvestigativeAction ties an action to the location where evidence was acted upon.
  See other usage in CASE-Examples

Digital evidence content-integrity records
  IRIs:
  • uco-action:endTime
  • uco-observable:ImageFacet
  • uco-types:Hash
  • uco-types:hashMethod
  • uco-types:hashValue
  Illustrations:
  Among queries in the Owl Trafficking scenario:
  • Hash verification: The Hash serves as a record of an Image taken of a device. The InvestigativeAction provides the time at which the image file was characterized.

Evidentiary chains
  IRIs:
  • case-investigation:wasInformedBy
  Illustrations:
  Among queries in the Urgent Evidence narrative:
  • Actions to artifact: An InvestigativeAction can link to other actions through the communication of their results, recorded in ProvenanceRecords. The wasInformedBy action-relationship forms a queryable chain from any result back through its actions to the initial evidence submission.

Exhibit numbers
  IRIs:
  • case-investigation:rootExhibitNumber
  • case-investigation:exhibitNumber
  Illustrations:
  Among queries in the Urgent Evidence narrative:
  • Initial Evidence Submission: The rootExhibitNumber is an identifier assigned to initial submissions into a ProvenanceRecord chain. It can be carried forward by subsequent nodes in the chain to quickly identify from which submission(s) an object was derived.
  • Selection from Automated Exhibit Extraction: An object can go through multiple steps of processing, analysis, and/or review over the course of an investigation. ProvenanceRecords carry an exhibitNumber to label a stage of an object's processing, such as when a file of interest is selected from a larger batch of files: the batch will have a ProvenanceRecord that might or might not have an exhibitNumber, because it might or might not need to be referenced later. A selected file may later have another ProvenanceRecord so that an exhibitNumber can be associated with it.
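The four competency questions above (hash verification, action timeline, the wasInformedBy chain, and exhibit numbering) can be answered with plain graph traversal. The following is an added example, not code from the CASE project or one of its narratives: it builds a constructed, simplified JSON-LD graph with hypothetical kb: identifiers and queries it in Python. The IRIs listed in the table are used as named; uco-core:hasFacet, uco-core:object, uco-action:object, uco-action:result, uco-observable:ContentDataFacet and uco-observable:hash are assumed property and class names for the purpose of the illustration.

```python
"""Chain-of-custody competency questions over a small CASE/UCO JSON-LD graph."""
import hashlib

ACTION = "case-investigation:InvestigativeAction"
RECORD = "case-investigation:ProvenanceRecord"

# Constructed content of the acquired image, so the recorded hash can be re-derived offline.
IMAGE_BYTES = b"constructed sample disk image content"
IMAGE_SHA256 = hashlib.sha256(IMAGE_BYTES).hexdigest()

# Constructed, simplified graph with hypothetical kb: identifiers. Property names not in the
# table above (uco-core:hasFacet, uco-core:object, uco-action:object, uco-action:result,
# uco-observable:ContentDataFacet, uco-observable:hash) are assumed for this illustration.
CASE_DOC = {"@graph": [
    {"@id": "kb:record-root", "@type": RECORD,
     "case-investigation:rootExhibitNumber": "EX-0001",
     "case-investigation:exhibitNumber": "EX-0001",
     "uco-core:object": [{"@id": "kb:device"}]},
    {"@id": "kb:acquire", "@type": ACTION,
     "uco-action:endTime": "2024-01-10T09:30:00Z",
     "uco-action:location": {"@id": "kb:lab-a"},
     "uco-action:object": [{"@id": "kb:record-root"}],
     "uco-action:result": [{"@id": "kb:image"}, {"@id": "kb:record-image"}]},
    {"@id": "kb:image", "@type": "uco-observable:File",
     "uco-core:hasFacet": [
         {"@type": "uco-observable:ImageFacet"},
         {"@type": "uco-observable:ContentDataFacet",
          "uco-observable:hash": [{"@type": "uco-types:Hash",
                                   "uco-types:hashMethod": "SHA256",
                                   "uco-types:hashValue": IMAGE_SHA256}]}]},
    {"@id": "kb:record-image", "@type": RECORD,
     "case-investigation:rootExhibitNumber": "EX-0001",
     "uco-core:object": [{"@id": "kb:image"}]},
    {"@id": "kb:extract", "@type": ACTION,
     "case-investigation:wasInformedBy": [{"@id": "kb:acquire"}],
     "uco-action:endTime": "2024-01-10T11:00:00Z",
     "uco-action:object": [{"@id": "kb:record-image"}],
     "uco-action:result": [{"@id": "kb:record-batch"}]},
    # The extracted batch carries the root exhibit number but has no exhibitNumber of its own.
    {"@id": "kb:record-batch", "@type": RECORD,
     "case-investigation:rootExhibitNumber": "EX-0001"},
    {"@id": "kb:select", "@type": ACTION,
     "case-investigation:wasInformedBy": [{"@id": "kb:extract"}],
     "uco-action:endTime": "2024-01-10T12:00:00Z",
     "uco-action:object": [{"@id": "kb:record-batch"}],
     "uco-action:result": [{"@id": "kb:record-selected"}]},
    # The file selected from the batch gets a ProvenanceRecord with its own exhibitNumber.
    {"@id": "kb:record-selected", "@type": RECORD,
     "case-investigation:rootExhibitNumber": "EX-0001",
     "case-investigation:exhibitNumber": "EX-0001-A"},
]}


def _nodes(doc):
    """Index the @graph by @id."""
    return {n["@id"]: n for n in doc["@graph"]}


def _ids(node, prop):
    """Object ids referenced by a property, whether it holds one reference or a list."""
    vals = node.get(prop, [])
    return [v["@id"] for v in ([vals] if isinstance(vals, dict) else vals)]


def recorded_hashes(doc, file_id):
    """Hash records on a file, as {hashMethod: lower-case hex value}."""
    out = {}
    for facet in _nodes(doc)[file_id].get("uco-core:hasFacet", []):
        for h in facet.get("uco-observable:hash", []):
            out[h["uco-types:hashMethod"]] = h["uco-types:hashValue"].lower()
    return out


def verify_image_hash(doc, file_id, data):
    """Hash verification: recompute SHA256 over the bytes and compare with the record."""
    recorded = recorded_hashes(doc, file_id).get("SHA256")
    return recorded is not None and recorded == hashlib.sha256(data).hexdigest()


def action_timeline(doc):
    """Action timeline: (endTime, action id) for each InvestigativeAction, oldest first."""
    return sorted((n["uco-action:endTime"], i) for i, n in _nodes(doc).items() if n["@type"] == ACTION)


def evidentiary_chain(doc, action_id):
    """Follow wasInformedBy from an action back to the action on the initial submission."""
    nodes, chain, seen = _nodes(doc), [action_id], {action_id}
    while True:
        prior = [p for p in _ids(nodes[chain[-1]], "case-investigation:wasInformedBy") if p not in seen]
        if not prior:
            return chain
        chain.append(prior[0])
        seen.add(prior[0])


def exhibit_labels(doc, action_id):
    """(record id, rootExhibitNumber, exhibitNumber) of each ProvenanceRecord consumed along the chain."""
    nodes, labels = _nodes(doc), []
    for act in evidentiary_chain(doc, action_id):
        for rec_id in _ids(nodes[act], "uco-action:object"):
            rec = nodes[rec_id]
            labels.append((rec_id, rec.get("case-investigation:rootExhibitNumber"),
                           rec.get("case-investigation:exhibitNumber")))
    return labels
```

Calling `exhibit_labels(CASE_DOC, "kb:select")` walks the chain select, extract, acquire and returns the records each step consumed; every record carries rootExhibitNumber EX-0001, while only the root submission and the selected file have an exhibitNumber, which is the pattern the Exhibit numbers row describes. `verify_image_hash` returns False for any bytes other than the ones the recorded SHA256 was computed over.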

Pictures

Pictures in investigations have both their embedded technical metadata and their depicted contents analyzed.

Concepts and illustrations

Supporting concepts for Pictures

EXIF dictionary
  IRIs:
  • uco-observable:EXIFFacet
  • uco-observable:exifData
  • uco-types:ControlledDictionary
  Illustrations:
  See picture location extraction in the CASE ExifTool implementation
  See usage in CASE-Examples

Location

Locations in investigations include semantic places and geospatial points.

Concepts and illustrations

Supporting concepts for Location

Location as a semantic place
  IRIs:
  • uco-location:Location
  • uco-location:SimpleAddress
  Illustrations:
  Among queries in the Urgent Evidence narrative:
  • Investigative Locations: The InvestigativeAction ties an action to the location where evidence was acted upon.
  See other usage in CASE-Examples

Coordinates
  IRIs:
  • uco-location:Location
  • uco-location:LatLongCoordinates
  • uco-location:altitude
  • uco-location:latitude
  • uco-location:longitude
  Illustrations:
  See picture location extraction in the CASE ExifTool implementation
  See other usage in CASE-Examples
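Both the EXIF dictionary row under Pictures and the Coordinates row above point at picture location extraction. The following is an added example, not the CASE ExifTool implementation: it wraps constructed EXIF tags in an EXIFFacet whose exifData is a ControlledDictionary, then derives a uco-location:Location with a LatLongCoordinates facet from the GPS tags, converting the degrees/minutes/seconds form EXIF stores into signed decimal degrees and rejecting out-of-range values. The EXIF tag names follow the EXIF GPS IFD (GPSLatitude, GPSLatitudeRef, GPSLongitude, GPSLongitudeRef, GPSAltitude, GPSAltitudeRef); uco-types:entry, uco-types:ControlledDictionaryEntry, uco-types:key, uco-types:value and uco-core:hasFacet are assumed names for this illustration.

```python
"""Picture location extraction: EXIF GPS tags to a uco-location:Location (added example)."""

# Constructed EXIF tags in the rational form EXIF stores them: [degrees, minutes, seconds]
# plus a hemisphere reference. GPSAltitudeRef 0 means above sea level, 1 means below.
SAMPLE_EXIF = {
    "GPSLatitude": [38, 53, 23.0], "GPSLatitudeRef": "N",
    "GPSLongitude": [77, 0, 32.0], "GPSLongitudeRef": "W",
    "GPSAltitude": 10.5, "GPSAltitudeRef": 0,
    "Make": "ConstructedCam",
}


def exif_facet(tags):
    """Wrap EXIF tags in an EXIFFacet whose exifData is a ControlledDictionary.

    uco-types:entry / ControlledDictionaryEntry / key / value are assumed names here.
    """
    entries = [{"@type": "uco-types:ControlledDictionaryEntry",
                "uco-types:key": key, "uco-types:value": str(value)}
               for key, value in tags.items()]
    return {"@type": "uco-observable:EXIFFacet",
            "uco-observable:exifData": {"@type": "uco-types:ControlledDictionary",
                                        "uco-types:entry": entries}}


def dms_to_decimal(dms, ref):
    """Convert [deg, min, sec] plus an N/S/E/W reference to signed decimal degrees."""
    deg, minutes, seconds = (float(x) for x in dms)
    if not (0 <= minutes < 60 and 0 <= seconds < 60):
        raise ValueError(f"malformed DMS value: {dms}")
    if ref not in ("N", "S", "E", "W"):
        raise ValueError(f"unknown hemisphere reference: {ref!r}")
    value = deg + minutes / 60 + seconds / 3600
    return -value if ref in ("S", "W") else value


def latlong_from_exif(tags):
    """Return a uco-location:Location with a LatLongCoordinates facet, or None without GPS tags."""
    needed = ("GPSLatitude", "GPSLatitudeRef", "GPSLongitude", "GPSLongitudeRef")
    if any(key not in tags for key in needed):
        return None
    lat = dms_to_decimal(tags["GPSLatitude"], tags["GPSLatitudeRef"])
    lon = dms_to_decimal(tags["GPSLongitude"], tags["GPSLongitudeRef"])
    if not (-90 <= lat <= 90 and -180 <= lon <= 180):
        raise ValueError(f"coordinates out of range: {lat}, {lon}")
    facet = {"@type": "uco-location:LatLongCoordinates",
             "uco-location:latitude": lat,
             "uco-location:longitude": lon}
    if "GPSAltitude" in tags:
        altitude = float(tags["GPSAltitude"])
        # A GPSAltitudeRef of 1 marks an altitude below sea level.
        facet["uco-location:altitude"] = -altitude if tags.get("GPSAltitudeRef") == 1 else altitude
    # uco-core:hasFacet is an assumed property name for attaching the facet to the Location.
    return {"@type": "uco-location:Location", "uco-core:hasFacet": [facet]}
```

`latlong_from_exif` deliberately returns None rather than a Location when any of the four positional tags is absent, so a picture without GPS metadata does not get a coordinate object fabricated for it; a malformed minutes or seconds field raises rather than silently producing a plausible-looking point.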