Migration guide

This page details how to migrate data from the CASE 0.1 prototype implementation, and examples built on that prototype, to CASE 0.2.0 and the version of UCO it imports. Examples are rendered on this page for human readability, and are also available as machine-readable files, linked in the table of contents and in each section.

The version of UCO this migration guide targets is 0.3.0.

Status

This guide was written to assist early CASE adopters, who had the prototype case.ttl file and early example JSON-LD to use as guides for their implementations. The guide was produced as part of migrating those early example JSON-LD files from the prototype CASE ontology to the CASE ontology that imports UCO. Further work could provide the complete mapping from the prototype file's terms to their UCO counterparts, but the effort needed to do so for the entire prototype exceeds the time currently available. We are happy to document further concept migrations on request.

Prefixes

This document uses namespace prefixes for on-page legibility. The following table provides their expansions.

Namespace prefixes and their expansions.
Prefix Expansion
case-core https://caseontology.org/ontology/case/core#
uco-action https://unifiedcyberontology.org/ontology/uco/action#
uco-core https://unifiedcyberontology.org/ontology/uco/core#
uco-identity https://unifiedcyberontology.org/ontology/uco/identity#
uco-investigation https://unifiedcyberontology.org/ontology/uco/investigation#
uco-location https://unifiedcyberontology.org/ontology/uco/location#
uco-observable https://unifiedcyberontology.org/ontology/uco/observable#
uco-role https://unifiedcyberontology.org/ontology/uco/role#
uco-types https://unifiedcyberontology.org/ontology/uco/types#
uco-tool https://unifiedcyberontology.org/ontology/uco/tool#

Classes

The first column is the spelling of the CASE 0.1 class name, without prefixes because the original example files omitted prefixes. The second column is the prefixed class name in the release targeted by this migration guide.

These migration steps are also available in machine-readable form at classes.csv or classes.tsv.

CASE prototype classes and what classes they became in CASE 0.2.0. An empty second column indicates the class name does not appear in CASE 0.2.0 or its imported ontologies.
Class IRI
Account uco-observable:Account
AccountAuthentication uco-observable:AccountAuthentication
Action uco-action:Action
ActionReferences uco-action:ActionReferences
Annotation uco-core:Annotation
ApplicationAccount uco-observable:ApplicationAccount
Authorization uco-investigation:Authorization
BirthInformation uco-identity:BirthInformation
BluetoothAddress uco-observable:BluetoothAddress
Bundle uco-core:Bundle
Compression uco-observable:CompressedStream
ComputerSpecification uco-observable:ComputerSpecification
ConfigurationSetting uco-tool:ConfigurationSettingType
ContentData uco-observable:ContentData
DataRange uco-observable:DataRange
Device uco-observable:Device
DigitalAccount uco-observable:DigitalAccount
DiskPartition uco-observable:DiskPartition
EXIF uco-observable:EXIF
EmailAccount uco-observable:EmailAccount
EmailAddress uco-observable:EmailAddress
Encoding uco-observable:EncodedStream
Encryption uco-observable:EncryptedStream
File uco-observable:File
Fragment uco-observable:Fragment
Hash uco-types:Hash
Identity uco-identity:Identity
Investigation uco-investigation:Investigation
InvestigativeAction uco-investigation:InvestigativeAction
LatLongCoordinates uco-location:LatLongCoordinates
Location uco-location:Location
Message uco-observable:Message
MobileDevice uco-observable:MobileDevice
NetworkConnection uco-observable:NetworkConnection
OperatingSystem uco-observable:OperatingSystem
PathRelation uco-observable:PathRelation
PhoneAccount uco-observable:PhoneAccount
PhoneCall uco-observable:PhoneCall
PropertyBundle case-core:PropertyBundle
ProvenanceRecord uco-investigation:ProvenanceRecord
RasterPicture uco-observable:RasterPicture
SQLiteBlob uco-observable:SQLiteBlob
SimpleAddress uco-location:SimpleAddress
SimpleName uco-identity:SimpleName
Tool uco-tool:Tool
ToolConfiguration uco-tool:ToolConfigurationType
Trace case-core:Trace
WiFiAddress uco-observable:WifiAddress
iPhoneDevice

Ambiguous Classes

Some prototype classes require other contextual information to determine the destination class name. For example, for the prototype class Relationship, the enumerant used in the kindOfRelationship property indicates whether the CASE 0.2.0 class is a uco-core:Relationship or a uco-observable:CyberRelationship.

These migration steps are also available in machine-readable form at classes_ambiguous.csv or classes_ambiguous.tsv.

CASE prototype classes and what classes they became in CASE 0.2.0.
Class IRI
Relationship uco-core:Relationship
Relationship uco-observable:CyberRelationship

Properties

This table shows how to migrate properties, much like the above tables on migrating classes. An empty second column indicates the property does not appear in CASE 0.2.0 or its imported ontologies.

For properties that refer to data literals (rather than to objects), the literal's type needs to be assigned as well. The third column in this table shows the required literal type. If the third column is empty, the default of xsd:string or xsd:integer should be used; because this is default RDF behavior, it typically requires no extra work on the programmer's part. (There is no similar literal-type column for properties of the prototype because sample data using the prototype did not type literals.)

These migration steps are also available in machine-readable form at properties.csv or properties.tsv.

CASE prototype properties and what properties they became in CASE 0.2.0. An empty second column indicates the property does not appear in CASE 0.2.0 or its imported ontologies.
Property IRI Type of literal
IEMI uco-observable:IEMI
MSISDN uco-observable:MSISDN
accessAction
accessedAction
accessedTime uco-observable:accessedTime xsd:dateTime
accountIdentifier uco-observable:accountIdentifier
accountIssuer uco-observable:accountIssuer
accountLogin uco-observable:accountLogin
application uco-observable:application
authorizationType uco-investigation:authorizationType
authorizationIdentifier uco-investigation:authorizationIdentifier
authorizationAuthority
authorizationIssuedDate
biosVersion uco-observable:biosVersion
birthdate uco-identity:birthdate xsd:dateTime
bitsPerPixel uco-observable:bitsPerPixel
byteOrder uco-observable:byteOrder
callType uco-observable:callType
clockSetting uco-observable:clockSetting
columnName uco-observable:columnName
compressionMethod uco-observable:compressionMethod
configurationSetting uco-tool:configurationSettings
connectionState
content uco-core:object
country uco-location:country
createAction
createdAction
createdBy uco-core:createdBy
creator uco-tool:creator
cpuFamily uco-observable:cpuFamily
createdTime uco-observable:createdTime xsd:dateTime
dataPayload uco-observable:dataPayload
description uco-core:description
destinationPort uco-observable:destinationPort
displayName uco-observable:displayName
dst uco-observable:dst
duration uco-observable:duration xsd:long
emailAddress uco-observable:value
encodingMethod uco-observable:encodingMethod
encryptionMethod uco-observable:encryptionMethod
encryptionMode uco-observable:encryptionMode
endTime uco-observable:endTime xsd:dateTime
environment uco-action:environment
exhibitNumber uco-investigation:exhibitNumber
exifData uco-observable:exifData
extension uco-observable:extension
familyName uco-identity:familyName
fileName uco-observable:fileName
filePath uco-observable:filePath
fileSystemType uco-observable:fileSystemType
firstLoginTime uco-observable:firstLoginTime xsd:dateTime
focus uco-investigation:focus
fragmentIndex uco-observable:fragmentIndex
from uco-observable:from
givenName uco-identity:givenName
gpuFamily uco-observable:gpuFamily
hash uco-observable:hash
hashMethod uco-types:hashMethod uco-core:HashNameEnum
hashValue uco-types:hashValue xsd:hexBinary
instrument uco-action:instrument
isActive uco-observable:isActive
isDirectory uco-observable:isDirectory
itemName uco-tool:itemName
itemValue uco-tool:itemValue
iv uco-observable:encryptionIV
isDirectional uco-core:isDirectional
kindOfRelationship uco-core:kindOfRelationship
lastLoginTime uco-observable:lastLoginTime xsd:dateTime
latitude uco-location:latitude xsd:decimal
localeLanguage
locality uco-location:locality
longitude uco-location:longitude xsd:decimal
magicNumber uco-observable:magicNumber
manufacturer uco-observable:manufacturer
messageText uco-observable:messageText
metadataChangedTime uco-observable:metadataChangedTime xsd:dateTime
mimeType uco-observable:mimeType
model uco-observable:model
modifiedTime uco-observable:modifiedTime xsd:dateTime
name uco-core:name
partIndex uco-observable:partitionID
password uco-observable:password
passwordLastChanged uco-observable:passwordLastChanged xsd:dateTime
path uco-observable:path
performer uco-action:performer
phoneActivationTime uco-observable:phoneActivationTime xsd:dateTime
phoneNumber uco-observable:phoneNumber
pictureType uco-observable:picturetype
pictureheight uco-observable:pictureHeight
picturewidth uco-observable:pictureWidth
postalCode uco-location:postalCode
processorArchitecture uco-observable:processorArchitecture
propertyBundle case-core:hasPropertyBundle
protocols uco-observable:protocols uco-types:ControlledDictionary
rangeOffset uco-observable:rangeOffset
rangeSize uco-observable:rangeSize xsd:long
region uco-location:region
result uco-action:result
rowCondition uco-observable:rowCondition
sentTime uco-observable:sentTime xsd:dateTime
serialNumber uco-observable:serialNumber
sizeInBytes uco-observable:sizeInBytes xsd:long
sourcePort uco-observable:sourcePort
src uco-observable:src
startTime uco-observable:startTime xsd:dateTime
source uco-core:source
storageCapacity uco-observable:storageCapacityInBytes xsd:long
street uco-location:street
tableName uco-observable:tableName
tag uco-core:tag
target uco-core:target
toolType uco-tool:toolType
totalRam uco-observable:totalRam xsd:long
to uco-observable:to
uniqueID
value uco-observable:value

Ambiguous Properties

This table assists with mapping properties as above, except that other contextual information must be examined to determine the destination property.

These migration steps are also available in machine-readable form at properties_ambiguous.csv or properties_ambiguous.tsv.

CASE prototype properties and what properties they became in CASE 0.2.0. An empty second column indicates the property does not appear in CASE 0.2.0 or its imported ontologies.
Property IRI Type of literal
createdTime uco-core:createdTime xsd:dateTime
createdTime uco-observable:createdTime xsd:dateTime
data uco-observable:WindowsRegistryValue
data uco-observable:dataPayload
endTime uco-action:endTime xsd:dateTime
endTime uco-core:endTime xsd:dateTime
key uco-observable:encryptionKey
key uco-observable:key
key uco-types:key
location uco-action:location
location uco-observable:location
object uco-action:object
object uco-core:object
startTime uco-action:startTime xsd:dateTime
startTime uco-core:startTime xsd:dateTime
version uco-observable:version
version uco-tool:version
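
The following is an added example, not code from the CASE project: a Python sketch of applying the Classes, Properties and Ambiguous Properties tables above to a prototype JSON-LD object. It types literals per the third column and keeps, but flags, any term that has an empty second column or is ambiguous, so evidence is not silently dropped. The function name `migrate`, the `review` list and the sample object are assumptions made for illustration; the mappings are a hand-copied subset of the tables.

```python
# Added example. Mappings are a hand-copied subset of this page's tables;
# an empty IRI means the page lists no CASE 0.2.0 counterpart.
CLASSES = {"Trace": "case-core:Trace", "File": "uco-observable:File",
           "Hash": "uco-types:Hash", "iPhoneDevice": ""}
PROPERTIES = {  # prototype name -> (CASE 0.2.0 IRI, literal type)
    "propertyBundle": ("case-core:hasPropertyBundle", ""),
    "fileName": ("uco-observable:fileName", ""),
    "sizeInBytes": ("uco-observable:sizeInBytes", "xsd:long"),
    "modifiedTime": ("uco-observable:modifiedTime", "xsd:dateTime"),
    "hash": ("uco-observable:hash", ""),
    "hashValue": ("uco-types:hashValue", "xsd:hexBinary"),
    "uniqueID": ("", ""),
}
# Names from the "Ambiguous Properties" table: context decides the target.
AMBIGUOUS = {"createdTime", "data", "endTime", "key", "location", "object",
             "startTime", "version"}


def migrate(node, review):
    """Return a migrated copy of node; append unresolved terms to review.

    Assumes each "@type" is a single string, as in the sample below.
    """
    if isinstance(node, list):
        return [migrate(item, review) for item in node]
    if not isinstance(node, dict):
        return node
    out = {}
    for key, value in node.items():
        if key == "@type":
            out[key] = CLASSES.get(value) or value
            if not CLASSES.get(value):
                review.append(("class", value))
        elif key.startswith("@"):
            out[key] = value  # "@id" and other JSON-LD keywords pass through
        elif key in AMBIGUOUS or not PROPERTIES.get(key, ("", ""))[0]:
            out[key] = value  # keep the data, flag the term for a human
            review.append(("property", key))
        else:
            iri, literal_type = PROPERTIES[key]
            if literal_type and not isinstance(value, (dict, list)):
                out[iri] = {"@type": literal_type, "@value": str(value)}
            else:
                out[iri] = migrate(value, review)
    return out


# Constructed sample in the style of a prototype JSON-LD object (not real data).
SAMPLE = {"@id": "file-1", "@type": "Trace", "uniqueID": "abc", "propertyBundle": [
    {"@type": "File", "fileName": "a.txt", "sizeInBytes": 35,
     "modifiedTime": "2010-01-15T17:59:43Z", "createdTime": "2010-01-15T17:59:43Z"}]}
```

Calling `migrate(SAMPLE, review)` with an empty list leaves `uniqueID` and `createdTime` under their prototype names and records both in `review` for manual resolution.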

kindOfRelationship Enumerants

The prototype used a single Relationship class to relate objects to one another. In CASE 0.2.0, the prototype's Relationship is replaced with either a uco-core:Relationship or a uco-observable:CyberRelationship. These two relationship classes use different sets of enumerants, identified by the enumerant's type. This table assists not only with migrating the enumerant, but also with determining which relationship class the prototype Relationship should become.

These migration steps are also available in machine-readable form at kindOfRelationship_enumerants.csv or kindOfRelationship_enumerants.tsv.

CASE prototype enumerants and what enumerants they became in CASE 0.2.0. An empty second column indicates the enumerant does not appear in CASE 0.2.0 or its imported ontologies.
Prototype enumerant CASE 0.2.0 enumerant Type of literal
associated-account
contained-within Contained_Within uco-observable:CyberItemRelationshipEnum
decoded-from
decompressed-from
decrypted-from
forensic_image_of
has-account
has-fragment
stored-on