Getting Started just the basics
Cyber-investigation Analysis Standard Expression (CASE) supports cyber-investigations in any context, including criminal,
corporate and intelligence. In cyber-investigations, the primary observable object being analyzed is characterized by associated Facets.
CASE uses Facets to represent various attributes of the associated Observable Object, including data sources (mobile devices,
storage media, memory) and well-known digital objects such as files and folders, messages (email, chat), documents (PDF, Word),
multimedia (pictures, video, audio) and logs (browser history, events).
CASE is an extension of the Unified Cyber Ontology (UCO), which defines classes of cyber objects (e.g., items, tools, people, places), the relations to other cyber objects, provenance of items and actions taken in an action life-cycle. The CASE domain of discourse is focused on "investigation" concentrated on Observable Objects and their associated Facets, whereas the UCO serves as an ontological foundation for modeling the broader cyber-domain, treating observable cyber-items and their associated facets more generally.
Use cases include:
- Providing structure to enhance intelligent analysis (e.g., pattern recognition, machine learning, visualization)
- Exchanging a large and diverse set of cyber-investigation information in standardized form while avoiding duplication
- Interoperability between systems and tools, allowing for automation, normalization, combination, and correlation
- Maintaining provenance at all phases of cyber-investigation lifecycles, including chain of custody
- Enhancing tool testing and validation of their results
- Controlling access to privileged, proprietary, and personal information (via data markings)
- Support for custom or non-standardized structures (enabling tools containing these to still use and share information)
The project roadmap, updated quarterly as progress is made, is viewable here.
Websites & Email
- Python API - use for adoption
- RDFDiff - use to compare glossary terms between CASE and custom data models (must be ingestible into Python rdflib)
Proof-of-Concept Tool Integrations
- Plaso (not currently ontology-compliant)
- Volatility (not currently ontology-compliant)
Ontological Exploration Tools
- Protégé - graph visualizations, Javadoc generation, etc.
- Ontospy - CLI interface for stepping through tree visualizations of ontologies
- CETIC (CASE Community Member) - POC that is using CASE as a template for testing an ontology repository service
It is unnecessary to know everything about the ontology if focused on domain-specific ontology refinement, or mapping/adoption
concerning a specific tool. Determine your scope below and then read the pertinent guide to further understand the details,
organization, and workflow of participating in the CASE community under that role.
If not familiar with ontologies, the Ontology Components Wikipedia page,
OWL2 primer, and
Ontology 101 document will help create a conceptual
foundation that will enable better communication with the community/teams and clarify the connected parts present between the
ontology's specification (structure/design), it's content (vocabulary, encoded in Turtle or other formats), and the Python API
(usage of the defined vocabulary to create validated objects for import/export into JSON-LD).
Request to join the CASE Community by visiting the Membership Application page.
At your request, you will be added to the respective Github Teams, Mailing Lists and additional resources.
- Have a deep understanding of the goals of CASE and how representing information differently best achieves them
- Collaborate with individuals/organizations who have domain-specific knowledge to draft proposals
- Create and review Github issues to propose ontology changes to the objects/properties in the Natural Language
Glossary based on gaps, ambiguities, and improvements noted by Mappers. To learn more about proposals and voting, please see
the Community Charter.
- Have an understanding of which CASE objects should be used to represent which types of information and when unsure consult Ontologists
- Collaborate with Adopters to note inadequacies for Ontologists to review
- Map internal/proprietary objects from Adopters' tools to the correct CASE objects (while guiding namespace usage)
- Create Github issues for inadequacies so that CASE community discussion can occur (and continue until possible options are identified for representing the data, then a proposal is put forth by the Ontologists team)
- Have an understanding of their use cases
- Collaborate with Mappers to map objects in their tools to CASE objects
- Integrate the CASE API into their tool
- Create Github issues for bugs in the CASE API and supporting tools, or that are tool-specific
- Participate in discussions on Github issues concerning data representation as CASE community members
- If a member of your organization is contributing to CASE ontology development because of domain-specific
knowledge they should do this via emailing email@example.com to join the Ontologists team,
or discuss one-on-one so that Ontologists and Mappers can shepherd the concept through (only Mappers or Ontologists
should make Github issues for something not tool-specific)
- Core/active members should have read the above for understanding roles and workflow organization.
However, to simply add your two-cents to ontology evolution please visit the Issues tab and
filter on the
Community-Vote labels (all labels can be found here)
see CASE in action
contribute, report issues, ask a question
learn more about community officials