Examples

CASE Objects in the Real World

Starting a Cyber-investigation

When an investigation is initiated, the description and authorization are represented using a CASE Investigation object. Any information related to a cyber-investigation must be wrapped within a CASE bundle.

Examples of an Authorization & Investigation Objects
{
  "__CASE__":"ASGARD_2019_00162",
  "@context":{
    "@vocab":"http://caseontology.org/core#",
    "case":"http://caseontology.org/core#",
    "rdf":"http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "rdfs":"http://www.w3.org/2000/01/rdf-schema#",
    "xsd":"http://www.w3.org/2001/XMLSchema#"
  },
  "@id":"bundle-{5715FCF3-6BC8-4996-8F7F-FDF289F31649}",
  "@type":"Bundle",
  "description":"Initial evidence seizure in cross border investigation into disruption of public transportation service",
  "content":[
    {
      "@id":"investigation-79D6AB60-D679-49CE-9573-7176DFEEB7C3",
      "@type":"Authorization",
      "propertyBundle":[
        {
          "@authorizationType":"Odin_Decree",
          "authorizationIdentifier":"Decree_2019_00013",
          "authorizationAuthority":"530646A9-4290-4C02-B0B3-FD2EC363834A",
          "authorizationIssuedDate":"20190330"
        }
      ]
    },
    {
      "@id":"investigation-555E5FBB-BA09-449D-AF77-8A210D016FD7",
      "@type":"Investigation",
      "name":"ASGARD_2018_00162",
      "focus":"Denial of Service (Bifrost Bridge)",
      "description":"An unknown person caused public disturbance and physical damage to property in Asgard, resulting in denial of service of public transportation (Bifrost Bridge).",
      "object":[
        {
          "@id":"86F2E76A-434D-4D3F-9147-CD0CABCCA074"
        },
        {
          "@id":"E9AA4F26-D187-4F32-A602-86A6DF4B8528"
        },
        {
          "@id":"530646A9-4290-4C02-B0B3-FD2EC363834A"
        },
        {
          "@id":"B1C22D51-4A3F-4353-84FB-E210B5EFDA48"
        }
      ]
    }
  ]
}

An Investigation can contain any CASE object, including InvestigativeActions and Traces.

Evidence Seizure & Chain of Custody

When a device is first touched, this is represented using an InvestigativeAction with an empty input to indicate that this is the beginning of Chain of Custody. The output of this InvestigativeAction is the seized object and an associated provenance record.

Examples of an InvestigativeAction & ProvenanceRecord Objects
{
  "@id":"investigative-action1-uuid",
  "@type":"InvestigativeAction",
  "name":"preserved",
  "startTime":"2019-03-30T22:36:24.35Z",
  "propertyBundle":[
    {
      "@type":"ActionReferences",
      "instrument":"odin-decree13-uuid",
      "location":"asgard-bifrost-uuid",
      "performer":"investigator2-uuid",
      "object":[

      ],
      "result":[
        "provenance-record1-uuid",
        "suspect-device-uuid"
      ]
    }
  ]
},
{
  "@id":"provenance-record1-uuid",
  "@type":"ProvenanceRecord",
  "description":"Suspect device found near Bifrost Bridge after disruption",
  "exhibitNumber":"AsgardPD-20190330-001A",
  "object":[
    "suspect-device-uuid"
  ]
},
{
  "@id":"suspect-device-uuid",
  "@type":"Trace",
  "propertyBundle":[
    {
      "@type":"Device",
      "manufacturer":"iPhone",
      "model":"MG552",
      "serialNumber":"F18Q4LGRG5MD"
    },
    {
      "@type":"MobileDevice",
      "keypadUnlockCode":"123789",
      "IMEI":"359305065690067",
      "MSISDN":"[suspect-mobileaccount-uuid]",
      "clockSetting":"2019-03-30T22:36:24.35Z",
      "localeLanguage":"no_AS",
      "phoneActivationTime":"2018-05-09T07:36:24.35Z",
      "storageCapacity":"16 GB"
    },
    {
      "@type":"iPhoneDevice",
      "uniqueID":"B3858A69A29375E6C706226B3633A3A11EB2A774",
      "ownerName":"Loki iPhone"
    },
    {
      "@type":"OperatingSystem",
      "name":"iOS",
      "manufacturer":"Apple",
      "version":"10.3"
    },
    {
      "@type":"WiFiAddress",
      "value":"d0:33:11:13:e7:a1"
    },
    {
      "@type":"BluetoothAddress",
      "value":"d0:33:11:13:e7:a2"
    }
  ]
},

All CASE objects are inserted within the associated Investigation, wrapped in a CASE Bundle.

Evidence Acquisition

The tool used to acquire data, options used, and the resulting forensic copy are represented as an InvestigativeAction and associated Tool using CASE.

Example of an InvestigativeAction
{
  "@id":"219189B6-356C-4D53-A844-F0031E74F156",
  "@type":"InvestigativeAction",
  "name":"acquired",
  "description":"Suspect device physical acquisition",
  "startTime":"2019-03-30T22:17:31Z",
  "endTime":"2019-03-30T22:47:32Z",
  "propertyBundle":[
    {
      "@type":"ActionReferences",
      "instrument":"tool-embeddedextractor1-uid",
      "location":"{309BC178-1836-47B7-AA15-94EA3A2C7401}",
      "performer":"{E9AA4F26-D187-4F32-A602-86A6DF4B8528}",
      "object":[
        "suspect-device-uuid"
      ],
      "result":[
        "{90F73123-DB7E-41E5-B6CA-493B96E4B89F}",
        "{97C74753-FCEB-49C8-A611-7A70EF46AB5D}",
        "{EBAB06EE-7522-42D6-96EA-E3121D67E393}",
        "{48C0F0E8-9A63-45EE-99BF-23CC354C3252}",
        "{B2A7B20E-8307-40CF-ABAF-9733ABBF4335}"
      ]
    },
    {
      "@type":"ConfigurationSetting",
      "ExtractionType":"File System",
      "ExtractionMethod":"iOS Backup"
    }
  ]
},
{
  "@id":"tool-embeddedextractor1-uid",
  "@type":"Tool",
  "name":"Embedded Device Extrator",
  "toolType":"Extraction",
  "creator":"Harald",
  "version":"1.2.0",
  "propertyBundle":[
    {
      "@type":"ToolConfiguration",
      "configurationSetting":[
        {
          "@type":"ConfigurationSetting",
          "itemName":"ExtractionMethod",
          "itemValue":"iOS_Backup"
        },
        {
          "@type":"ConfigurationSetting",
          "itemName":"ExtractionType",
          "itemValue":"File System"
        }
      ]
    }
  ]
},
{
  "@type":"Trace",
  "@id":"suspect-mobiledevice-forensicduplicate-uuid",
  "propertyBundle":[
    {
      "@type":"File",
      "createdTime":"2019-03-30T22:12:19.32Z",
      "extension":"dd",
      "fileName":"AsgardPD-2019033001-01.dd",
      "fileSystemType":"NTFS",
      "filePath":"C:/evidence/AsgardPD-2019033001-01.dd",
      "isDirectory":false,
      "sizeInBytes":160080500
    },
    {
      "@type":"ContentData",
      "hash":[
        {
          "@type":"Hash",
          "hashMethod":"SHA256",
          "hashValue":"7ea081166336119da78ee4bbdbd06840b94efe28988a2bdb0bcf2387a481e283"
        }
      ],
      "sizeInBytes":9080500
    }
  ]
},

[placeholder for dc3dd wrapper]

Evidence Extraction

Information extracted from a forensic copy of digital evidence, along with the tool used, can be represented using CASE.

Example of a Filesystem Trace
{
  "@type":"Trace",
  "@id":"suspect-device-mmssms-uuid",
  "propertyBundle":[
    {
      "@type":"File",
      "createdTime":"2019-03-30T08:12:19.32Z",
      "fileSystemType":"HFSX",
      "extension":"db",
      "fileName":"/mobile/sms.db",
      "isDirectory":false,
      "sizeInBytes":142925
    },
    {
      "@type":"ContentData",
      "sizeInBytes":122925,
      "magicNumber":"U1FMaXRlIGZvcm1hdCAzAA==",
      "hash":[
        {
          "@type":"Hash",
          "hashMethod":"SHA256",
          "hashValue":"a13225720074371d56a4f4d5117fbb4953c5b1d316b31f21edcb7ed8fdf66c6e"
        }
      ]
    }
  ]
},
{
  "@id":"trace-relationship3-uuid",
  "@type":"Relationship",
  "source":"suspect-device-mmssms-uuid",
  "target":[
    "susecpt-image-filesystem-uuid"
  ],
  "kindOfRelationship":"contained-within",
  "isDirectional":true,
  "propertyBundle":[
    {
      "@type":"PathRelation",
      "path":"/mobile/sms.db"
    }
  ]
}
Example of a Mobile Device Trace
{
  "@id":"sms_message1",
  "@type":"Trace",
  "propertyBundle":[
    {
      "@type":"Message",
      "application":"sms_application1",
      "messageText":"Yo dude! This is my new number.",
      "from":"phone_account3",
      "to":[
        "phone_account1"
      ],
      "sentTime":"2010-01-15T17:59:43.25Z"
    }
  ]
},
{
  "@id":"phone_call1",
  "@type":"Trace",
  "propertyBundle":[
    {
      "@type":"PhoneCall",
      "callType":"mobile",
      "startTime":"2010-01-15T17:59:43.25Z",
      "endTime":"2010-01-15T18:30:41.25Z",
      "from":"phone_account1",
      "to":"phone_account2",
      "duration":"PT31M2S"
    }
  ]
}
Example of a Network Traffic Trace
{
  "@type":"Trace",
  "@id":"network-connection1-uuid",
  "createdBy":"investigator1-uuid",
  "createdTime":"2017-09-29T11:47:54.2889922Z",
  "propertyBundle":[
    {
      "@type":"NetworkConnection",
      "startTime":"2009-04-03T02:29:25.6256260Z",
      "endTime":"2009-04-03T02:29:25.6365510Z",
      "dst":"destination-host-uuid",
      "destinationPort":139,
      "src":"source-host-uuid",
      "sourcePort":52960,
      "protocols":"TCP, NETBIOSSESSIONSERVICE",
      "connectionState":"APSF"
    }
  ]
}