Migration guide

This page details how to migrate data from the CASE 0.1 prototype implementation, and examples built on that prototype, to CASE 0.2.0 and the version of UCO it imports. Examples are rendered on this page for human reading convenience, and are also available as machine-readable files, linked in the table of contents and each section.

This migration guide supports the version of UCO current at the time of CASE 0.2.0's release. That version was 0.4.0.

Status

This guide was written to assist early CASE adopters, who had the prototype case.ttl file and early example JSON-LD to use as guides for their implementations. The guide was built as part of the output of migrating those early example JSON-LD files from the prototype CASE ontology to the CASE ontology that imports UCO. Further work could provide the complete mapping from the prototype file's terms to their UCO counterparts, but doing so for the entire prototype would take more time than is currently available. We are happy to document further concept migrations on request.

Prefixes

This document uses namespace prefixes for on-page legibility. The following table provides their expansions.

Namespace prefixes and their expansions.
Prefix Expansion
case-investigation https://caseontology.org/ontology/case/investigation#
uco-action https://unifiedcyberontology.org/ontology/uco/action#
uco-core https://unifiedcyberontology.org/ontology/uco/core#
uco-identity https://unifiedcyberontology.org/ontology/uco/identity#
uco-location https://unifiedcyberontology.org/ontology/uco/location#
uco-observable https://unifiedcyberontology.org/ontology/uco/observable#
uco-role https://unifiedcyberontology.org/ontology/uco/role#
uco-types https://unifiedcyberontology.org/ontology/uco/types#
uco-tool https://unifiedcyberontology.org/ontology/uco/tool#
uco-vocabulary https://unifiedcyberontology.org/ontology/uco/vocabulary#

Classes

The first column is the spelling of the CASE 0.1 class name, without prefixes because the original example files omitted prefixes. The second column is the prefixed class name in the release targeted by this migration guide.

These migration steps are also available in machine-readable form at classes.csv or classes.tsv.

CASE prototype classes and what classes they became in CASE 0.2.0. An empty second column indicates the class name does not appear in CASE 0.2.0 or its imported ontologies.
Class IRI
Account uco-observable:Account
AccountAuthentication uco-observable:AccountAuthentication
Action uco-action:Action
ActionReferences uco-action:ActionReferences
Annotation uco-core:Annotation
Application uco-observable:Application
ApplicationAccount uco-observable:ApplicationAccount
Attachment uco-observable:Attachment
Authorization uco-investigation:Authorization
BirthInformation uco-identity:BirthInformation
BluetoothAddress uco-observable:BluetoothAddress
Bundle uco-core:Bundle
Compression uco-observable:CompressedStream
ComputerSpecification uco-observable:ComputerSpecification
ConfigurationSetting uco-tool:ConfigurationSettingType
Contact uco-observable:Contact
ContentData uco-observable:ContentData
DataRange uco-observable:DataRange
Device uco-observable:Device
DigitalAccount uco-observable:DigitalAccount
DiskPartition uco-observable:DiskPartition
DomainName uco-observable:DomainName
EXIF uco-observable:EXIF
EmailAccount uco-observable:EmailAccount
EmailAddress uco-observable:EmailAddress
Encoding uco-observable:EncodedStream
Encryption uco-observable:EncryptedStream
File uco-observable:File
Fragment uco-observable:Fragment
Hash uco-types:Hash
IPv4Address uco-observable:IPv4Address
Identity uco-identity:Identity
Investigation uco-investigation:Investigation
InvestigativeAction uco-investigation:InvestigativeAction
LatLongCoordinates uco-location:LatLongCoordinates
Location uco-location:Location
Message uco-observable:Message
MessageThread uco-observable:MessageThread
MobileAccount uco-observable:MobileAccount
MobileDevice uco-observable:MobileDevice
NetworkConnection uco-observable:NetworkConnection
OperatingSystem uco-observable:OperatingSystem
PathRelation uco-observable:PathRelation
PhoneAccount uco-observable:PhoneAccount
PhoneCall uco-observable:PhoneCall
PropertyBundle uco-core:Facet
ProvenanceRecord uco-investigation:ProvenanceRecord
RasterPicture uco-observable:RasterPicture
SIMCard uco-observable:SIMCard
SQLiteBlob uco-observable:SQLiteBlob
SimpleAddress uco-location:SimpleAddress
SimpleName uco-identity:SimpleName
Tool uco-tool:Tool
ToolConfiguration uco-tool:ToolConfigurationType
Trace uco-observable:CyberItem
WiFiAddress uco-observable:WifiAddress
iPhoneDevice

Ambiguous Classes

Some prototype classes require other contextual information to determine what the destination class name should be. For example, with the prototype class Relationship, the enumerant used for the kindOfRelationship property indicates whether the CASE 0.2.0 class is a uco-core:Relationship or a uco-observable:CyberRelationship.

These migration steps are also available in machine-readable form at classes_ambiguous.csv or classes_ambiguous.tsv.

CASE prototype classes and what classes they became in CASE 0.2.0.
Class IRI
Relationship uco-core:Relationship
Relationship uco-observable:CyberRelationship

Properties

This table shows how to migrate properties, much like the above tables on migrating classes. An empty second column indicates the property does not appear in CASE 0.2.0 or its imported ontologies.

For properties that refer to data literals (versus referring to objects), the literal's type needs to be assigned as well. The third column in this table shows the required literal type. If the third column is empty, the default of xsd:string or xsd:integer should be used; because this is default RDF behavior, it typically requires no extra work on the programmer's behalf. (There is no similar literal-type designation column for properties of the prototype because sample data using the prototype did not type literals.)

These migration steps are also available in machine-readable form at properties.csv or properties.tsv.

CASE prototype properties and what properties they became in CASE 0.2.0. An empty second column indicates the property does not appear in CASE 0.2.0 or its imported ontologies.
Property IRI Type of literal
Carrier uco-observable:carrier
ICCID uco-observable:ICCID
IMEI uco-observable:IMEI
IMSI uco-observable:IMSI
MSISDN uco-observable:MSISDN
SIMForm uco-observable:SIMForm
SIMType uco-observable:SIMType
accessAction
accessedAction
accessedTime uco-observable:accessedTime xsd:dateTime
accountIdentifier uco-observable:accountIdentifier
accountIssuer uco-observable:accountIssuer
accountLogin uco-observable:accountLogin
accountType uco-observable:accountType uco-vocabulary:AccountTypeVocab
address uco-observable:addressValue
application uco-observable:application
applicationIdentifier uco-observable:applicationIdentifier
authorizationType uco-investigation:authorizationType
authorizationIdentifier uco-investigation:authorizationIdentifier
authorizationAuthority
authorizationIssuedDate
biosVersion uco-observable:biosVersion
birthdate uco-identity:birthdate xsd:dateTime
bitsPerPixel uco-observable:bitsPerPixel
byteOrder uco-observable:byteOrder
callType uco-observable:callType
clockSetting uco-observable:clockSetting
columnName uco-observable:columnName
compressionMethod uco-observable:compressionMethod
configurationSetting uco-tool:configurationSettings
connectionState
contactName uco-observable:contactName
content uco-core:object
country uco-location:country
createAction
createdAction
createdBy uco-core:createdBy
creator uco-tool:creator
cpuFamily uco-observable:cpuFamily
createdTime uco-observable:createdTime xsd:dateTime
dataPayload uco-observable:dataPayload
description uco-core:description
destinationPort uco-observable:destinationPort
displayName uco-observable:displayName
display_name uco-observable:displayName
dst uco-observable:dst
duration uco-observable:duration xsd:long
encodingMethod uco-observable:encodingMethod
encryptionMethod uco-observable:encryptionMethod
encryptionMode uco-observable:encryptionMode
endTime uco-observable:endTime xsd:dateTime
environment uco-action:environment
exhibitNumber uco-investigation:exhibitNumber
exifData uco-observable:exifData
extension uco-observable:extension
fileName uco-observable:fileName
filePath uco-observable:filePath
fileSystemType uco-observable:fileSystemType
firstLoginTime uco-observable:firstLoginTime xsd:dateTime
focus uco-investigation:focus
fragmentIndex uco-observable:fragmentIndex
from uco-observable:from
givenName uco-identity:givenName
gpuFamily uco-observable:gpuFamily
hash uco-observable:hash
hashMethod uco-types:hashMethod uco-vocabulary:HashNameVocab
hashValue uco-types:hashValue xsd:hexBinary
identifier
instrument uco-action:instrument
isActive uco-observable:isActive
isDirectional uco-core:isDirectional
isDirectory uco-observable:isDirectory
itemName uco-tool:itemName
itemValue uco-tool:itemValue
iv uco-observable:encryptionIV
keypadUnlockCode uco-observable:keypadUnlockCode
kindOfRelationship uco-core:kindOfRelationship
lastLoginTime uco-observable:lastLoginTime xsd:dateTime
latitude uco-location:latitude xsd:decimal
localeLanguage
locality uco-location:locality
longitude uco-location:longitude xsd:decimal
magicNumber uco-observable:magicNumber
manufacturer uco-observable:manufacturer
messageText uco-observable:messageText
messages
metadataChangedTime uco-observable:metadataChangedTime xsd:dateTime
mimeType uco-observable:mimeType
model uco-observable:model
modifiedTime uco-observable:modifiedTime xsd:dateTime
name uco-core:name
numberOfLaunches uco-observable:numberOfLaunches
operatingSystem uco-observable:operatingSystem
ownerName
partIndex uco-observable:partitionID
participant uco-observable:participant
password uco-observable:password
passwordLastChanged uco-observable:passwordLastChanged xsd:dateTime
path uco-observable:path
performer uco-action:performer
phoneActivationTime uco-observable:phoneActivationTime xsd:dateTime
phoneNumber uco-observable:phoneNumber
pictureType uco-observable:picturetype
pictureheight uco-observable:pictureHeight
picturewidth uco-observable:pictureWidth
postalCode uco-location:postalCode
processorArchitecture uco-observable:processorArchitecture
propertyBundle uco-core:facets
protocols uco-observable:protocols uco-types:ControlledDictionary
rangeOffset uco-observable:rangeOffset
rangeSize uco-observable:rangeSize xsd:long
region uco-location:region
result uco-action:result
rowCondition uco-observable:rowCondition
sentTime uco-observable:sentTime xsd:dateTime
serialNumber uco-observable:serialNumber
sizeInBytes uco-observable:sizeInBytes xsd:long
source uco-core:source
sourcePort uco-observable:sourcePort
src uco-observable:src
startTime uco-observable:startTime xsd:dateTime
storageCapacity uco-observable:storageCapacityInBytes xsd:long
street uco-location:street
tableName uco-observable:tableName
tag uco-core:tag
target uco-core:target
timezoneSetting
toolType uco-tool:toolType
totalRam uco-observable:totalRam xsd:long
to uco-observable:to
uniqueID
url uco-observable:url
value uco-observable:value
visibility uco-observable:visibility xsd:boolean

Ambiguous Properties

This table assists with mapping properties as above, except that other contextual information must be examined to determine what the destination property should be.

These migration steps are also available in machine-readable form at properties_ambiguous.csv or properties_ambiguous.tsv.

CASE prototype properties and what properties they became in CASE 0.2.0. An empty second column indicates the property does not appear in CASE 0.2.0 or its imported ontologies.
Property IRI Type of literal
createdTime uco-core:createdTime xsd:dateTime
createdTime uco-observable:createdTime xsd:dateTime
data uco-observable:WindowsRegistryValue
data uco-observable:dataPayload
emailAddress uco-observable:emailAddress
emailAddress uco-observable:value
endTime uco-action:endTime xsd:dateTime
endTime uco-core:endTime xsd:dateTime
firstName uco-identity:givenName
firstName uco-observable:firstName
familyName uco-identity:familyName
familyName uco-observable:lastName
key uco-observable:encryptionKey
key uco-observable:key
key uco-types:key
location uco-action:location
location uco-observable:location
object uco-action:object
object uco-core:object
startTime uco-action:startTime xsd:dateTime
startTime uco-core:startTime xsd:dateTime
version uco-observable:version
version uco-tool:version

kindOfRelationship Enumerants

The prototype used a single Relationship class to relate objects to one another. In CASE 0.2.0, the prototype's Relationship will be replaced with either a uco-core:Relationship or uco-observable:CyberRelationship. These two relationship classes use different sets of enumerants, identified by the enumerant's type. This table assists not only with migrating the enumerant, but also with determining which type of relationship class the prototype Relationship should become.

These migration steps are also available in machine-readable form at kindOfRelationship_enumerants.csv or kindOfRelationship_enumerants.tsv.

CASE prototype enumerants and what enumerants they became in CASE 0.2.0. An empty second column indicates the enumerant does not appear in CASE 0.2.0 or its imported ontologies.
Prototype enumerant CASE 0.2.0 enumerant Type of literal
Attachment_Of
Has_Account
Has_Device
Has_Role
Located_At
associated-account
attachment-of
contained-within Contained_Within uco-vocabulary:CyberItemRelationshipVocab
decoded-from
decompressed-from
decrypted-from
forensic_image_of
has-account
has-fragment
stored-on
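
The literal typing described under Properties and the Relationship resolution described in this section can be applied together in one pass over prototype JSON-LD. The sketch below is an added example, not code from the CASE project: the function names, the sample nodes and the kb: identifiers are constructed, the JSON-LD @type/@value form for typed literals is one possible serialization, and the pairing of uco-vocabulary:CyberItemRelationshipVocab with uco-observable:CyberRelationship is an assumption. Terms with no CASE 0.2.0 counterpart are kept under their prototype names and reported, so that no recorded data is silently dropped during migration.

```python
# Excerpts of this page's tables; terms with an empty second column are left out.
CLASSES = {"Trace": "uco-observable:CyberItem", "File": "uco-observable:File"}
PROPERTIES = {  # prototype name -> (CASE 0.2.0 IRI, literal type or None)
    "propertyBundle": ("uco-core:facets", None),
    "sizeInBytes": ("uco-observable:sizeInBytes", "xsd:long"),
    "modifiedTime": ("uco-observable:modifiedTime", "xsd:dateTime"),
    "source": ("uco-core:source", None), "target": ("uco-core:target", None),
}
CYBER_VOCAB = "uco-vocabulary:CyberItemRelationshipVocab"
ENUMERANTS = {"contained-within": ("Contained_Within", CYBER_VOCAB)}
REL_CLASS = {CYBER_VOCAB: "uco-observable:CyberRelationship"}  # assumed pairing

def typed(value, literal_type):
    """Wrap a literal as a JSON-LD typed value when the table names a type."""
    return {"@type": literal_type, "@value": str(value)} if literal_type else value

def migrate(node, unmapped):
    """Return a migrated copy; report unmapped terms instead of dropping them."""
    if not isinstance(node, dict):
        return [migrate(i, unmapped) for i in node] if isinstance(node, list) else node
    name, vocab = ENUMERANTS.get(node.get("kindOfRelationship"), (None, None))
    out = {}
    for key, value in node.items():
        if key == "@type" and value == "Relationship" and name:
            out[key] = REL_CLASS.get(vocab, "uco-core:Relationship")
        elif key == "@type":
            if value not in CLASSES:
                unmapped.append(f"class:{value}")
            out[key] = CLASSES.get(value, value)
        elif key.startswith("@"):
            out[key] = value
        elif key == "kindOfRelationship":
            if name is None:
                unmapped.append(f"enumerant:{value}")
            out["uco-core:kindOfRelationship"] = typed(name or value, vocab)
        else:
            iri, literal_type = PROPERTIES.get(key, (None, None))
            if iri is None:
                unmapped.append(f"property:{key}")
            out[iri or key] = typed(migrate(value, unmapped), literal_type)
    return out

SAMPLE = [  # constructed prototype-style nodes, not from the CASE example files
    {"@id": "kb:f1", "@type": "Trace", "uniqueID": "x1", "propertyBundle": [
        {"@type": "File", "sizeInBytes": 1024, "modifiedTime": "2010-01-15T17:59:43Z"}]},
    {"@id": "kb:r1", "@type": "Relationship", "kindOfRelationship": "contained-within",
     "source": {"@id": "kb:f1"}, "target": {"@id": "kb:img1"}},
    {"@id": "kb:r2", "@type": "Relationship", "kindOfRelationship": "stored-on"},
]
```

Calling migrate(SAMPLE, unmapped) with an empty list leaves the terms needing manual review in unmapped; a full migration would load the mapping dictionaries from the CSV files named in each section rather than from these excerpts.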