This page details how to migrate data from the CASE 0.1 prototype implementation, and examples built on that prototype, to CASE 0.2.0 and the version of UCO it imports. Examples are rendered on this page for human reading convenience, but are also available as machine-readable files, linked in the table of contents and each section.
This migration guide supports the version of UCO current at the time of CASE 0.2.0's release. That version was 0.4.0.
This guide was written to assist early CASE adopters, who had the prototype case.ttl file and early example JSON-LD to use as guides for their implementations. The guide was built as part of the output of migrating those early example JSON-LD files from the prototype CASE ontology to the CASE ontology that imports UCO. Further work can be done to provide the complete mapping from the prototype file's terms to their UCO counterparts, but the effort needed to do so for the entire prototype exceeds the time currently available. We are happy to document further concept migrations on request.
This document uses namespace prefixes for on-page legibility. The following table provides their expansions.
Prefix | Expansion |
---|---|
case-investigation | https://caseontology.org/ontology/case/investigation# |
uco-action | https://unifiedcyberontology.org/ontology/uco/action# |
uco-core | https://unifiedcyberontology.org/ontology/uco/core# |
uco-identity | https://unifiedcyberontology.org/ontology/uco/identity# |
uco-location | https://unifiedcyberontology.org/ontology/uco/location# |
uco-observable | https://unifiedcyberontology.org/ontology/uco/observable# |
uco-role | https://unifiedcyberontology.org/ontology/uco/role# |
uco-types | https://unifiedcyberontology.org/ontology/uco/types# |
uco-tool | https://unifiedcyberontology.org/ontology/uco/tool# |
uco-vocabulary | https://unifiedcyberontology.org/ontology/uco/vocabulary# |
The first column is the spelling of the CASE 0.1 class name, without prefixes because the original example files omitted prefixes. The second column is the prefixed class name in the release targeted by this migration guide.
These migration steps are also available in machine-readable form at classes.csv or classes.tsv.
Class | IRI |
---|---|
Account | uco-observable:Account |
AccountAuthentication | uco-observable:AccountAuthentication |
Action | uco-action:Action |
ActionReferences | uco-action:ActionReferences |
Annotation | uco-core:Annotation |
Application | uco-observable:Application |
ApplicationAccount | uco-observable:ApplicationAccount |
Attachment | uco-observable:Attachment |
Authorization | uco-investigation:Authorization |
BirthInformation | uco-identity:BirthInformation |
BluetoothAddress | uco-observable:BluetoothAddress |
Bundle | uco-core:Bundle |
Compression | uco-observable:CompressedStream |
ComputerSpecification | uco-observable:ComputerSpecification |
ConfigurationSetting | uco-tool:ConfigurationSettingType |
Contact | uco-observable:Contact |
ContentData | uco-observable:ContentData |
DataRange | uco-observable:DataRange |
Device | uco-observable:Device |
DigitalAccount | uco-observable:DigitalAccount |
DiskPartition | uco-observable:DiskPartition |
DomainName | uco-observable:DomainName |
EXIF | uco-observable:EXIF |
EmailAccount | uco-observable:EmailAccount |
EmailAddress | uco-observable:EmailAddress |
Encoding | uco-observable:EncodedStream |
Encryption | uco-observable:EncryptedStream |
File | uco-observable:File |
Fragment | uco-observable:Fragment |
Hash | uco-types:Hash |
IPv4Address | uco-observable:IPv4Address |
Identity | uco-identity:Identity |
Investigation | uco-investigation:Investigation |
InvestigativeAction | uco-investigation:InvestigativeAction |
LatLongCoordinates | uco-location:LatLongCoordinates |
Location | uco-location:Location |
Message | uco-observable:Message |
MessageThread | uco-observable:MessageThread |
MobileAccount | uco-observable:MobileAccount |
MobileDevice | uco-observable:MobileDevice |
NetworkConnection | uco-observable:NetworkConnection |
OperatingSystem | uco-observable:OperatingSystem |
PathRelation | uco-observable:PathRelation |
PhoneAccount | uco-observable:PhoneAccount |
PhoneCall | uco-observable:PhoneCall |
PropertyBundle | uco-core:Facet |
ProvenanceRecord | uco-investigation:ProvenanceRecord |
RasterPicture | uco-observable:RasterPicture |
SIMCard | uco-observable:SIMCard |
SQLiteBlob | uco-observable:SQLiteBlob |
SimpleAddress | uco-location:SimpleAddress |
SimpleName | uco-identity:SimpleName |
Tool | uco-tool:Tool |
ToolConfiguration | uco-tool:ToolConfigurationType |
Trace | uco-observable:CyberItem |
WiFiAddress | uco-observable:WifiAddress |
iPhoneDevice | |
Some prototype classes require other contextual information to determine what the destination class name should be. For example, with the prototype class Relationship, the enumerant used in the kindOfRelationship property indicates whether the CASE 0.2.0 class is a uco-core:Relationship or a uco-observable:CyberRelationship.
These migration steps are also available in machine-readable form at classes_ambiguous.csv or classes_ambiguous.tsv.
Class | IRI |
---|---|
Relationship | uco-core:Relationship |
Relationship | uco-observable:CyberRelationship |
This table shows how to migrate properties, much like the above tables on migrating classes. An empty second column indicates the property does not appear in CASE 0.2.0 or its imported ontologies.
For properties that refer to data literals (versus referring to objects), the literal's type needs to be assigned as well. The third column in this table shows the required literal type. If the third column is empty, the default of xsd:string or xsd:integer should be used, which as a default RDF behavior typically requires no extra work on the programmer's behalf. (There is no similar literal-type designation column for properties of the prototype because sample data using the prototype did not type literals.)
These migration steps are also available in machine-readable form at properties.csv or properties.tsv.
Property | IRI | Type of literal |
---|---|---|
Carrier | uco-observable:carrier | |
ICCID | uco-observable:ICCID | |
IMEI | uco-observable:IMEI | |
IMSI | uco-observable:IMSI | |
MSISDN | uco-observable:MSISDN | |
SIMForm | uco-observable:SIMForm | |
SIMType | uco-observable:SIMType | |
accessAction | | |
accessedAction | | |
accessedTime | uco-observable:accessedTime | xsd:dateTime |
accountIdentifier | uco-observable:accountIdentifier | |
accountIssuer | uco-observable:accountIssuer | |
accountLogin | uco-observable:accountLogin | |
accountType | uco-observable:accountType | uco-vocabulary:AccountTypeVocab |
address | uco-observable:addressValue | |
application | uco-observable:application | |
applicationIdentifier | uco-observable:applicationIdentifier | |
authorizationType | uco-investigation:authorizationType | |
authorizationIdentifier | uco-investigation:authorizationIdentifier | |
authorizationAuthority | | |
authorizationIssuedDate | | |
biosVersion | uco-observable:biosVersion | |
birthdate | uco-identity:birthdate | xsd:dateTime |
bitsPerPixel | uco-observable:bitsPerPixel | |
byteOrder | uco-observable:byteOrder | |
callType | uco-observable:callType | |
clockSetting | uco-observable:clockSetting | |
columnName | uco-observable:columnName | |
compressionMethod | uco-observable:compressionMethod | |
configurationSetting | uco-tool:configurationSettings | |
connectionState | | |
contactName | uco-observable:contactName | |
content | uco-core:object | |
country | uco-location:country | |
createAction | | |
createdAction | | |
createdBy | uco-core:createdBy | |
creator | uco-tool:creator | |
cpuFamily | uco-observable:cpuFamily | |
createdTime | uco-observable:createdTime | xsd:dateTime |
dataPayload | uco-observable:dataPayload | |
description | uco-core:description | |
destinationPort | uco-observable:destinationPort | |
displayName | uco-observable:displayName | |
display_name | uco-observable:displayName | |
dst | uco-observable:dst | |
duration | uco-observable:duration | xsd:long |
encodingMethod | uco-observable:encodingMethod | |
encryptionMethod | uco-observable:encryptionMethod | |
encryptionMode | uco-observable:encryptionMode | |
endTime | uco-observable:endTime | xsd:dateTime |
environment | uco-action:environment | |
exhibitNumber | uco-investigation:exhibitNumber | |
exifData | uco-observable:exifData | |
extension | uco-observable:extension | |
fileName | uco-observable:fileName | |
filePath | uco-observable:filePath | |
fileSystemType | uco-observable:fileSystemType | |
firstLoginTime | uco-observable:firstLoginTime | xsd:dateTime |
focus | uco-investigation:focus | |
fragmentIndex | uco-observable:fragmentIndex | |
from | uco-observable:from | |
givenName | uco-identity:givenName | |
gpuFamily | uco-observable:gpuFamily | |
hash | uco-observable:hash | |
hashMethod | uco-types:hashMethod | uco-vocabulary:HashNameVocab |
hashValue | uco-types:hashValue | xsd:hexBinary |
identifier | | |
instrument | uco-action:instrument | |
isActive | uco-observable:isActive | |
isDirectional | uco-core:isDirectional | |
isDirectory | uco-observable:isDirectory | |
itemName | uco-tool:itemName | |
itemValue | uco-tool:itemValue | |
iv | uco-observable:encryptionIV | |
keypadUnlockCode | uco-observable:keypadUnlockCode | |
kindOfRelationship | uco-core:kindOfRelationship | |
lastLoginTime | uco-observable:lastLoginTime | xsd:dateTime |
latitude | uco-location:latitude | xsd:decimal |
localeLanguage | | |
locality | uco-location:locality | |
longitude | uco-location:longitude | xsd:decimal |
magicNumber | uco-observable:magicNumber | |
manufacturer | uco-observable:manufacturer | |
messageText | uco-observable:messageText | |
messages | | |
metadataChangedTime | uco-observable:metadataChangedTime | xsd:dateTime |
mimeType | uco-observable:mimeType | |
model | uco-observable:model | |
modifiedTime | uco-observable:modifiedTime | xsd:dateTime |
name | uco-core:name | |
numberOfLaunches | uco-observable:numberOfLaunches | |
operatingSystem | uco-observable:operatingSystem | |
ownerName | | |
partIndex | uco-observable:partitionID | |
participant | uco-observable:participant | |
password | uco-observable:password | |
passwordLastChanged | uco-observable:passwordLastChanged | xsd:dateTime |
path | uco-observable:path | |
performer | uco-action:performer | |
phoneActivationTime | uco-observable:phoneActivationTime | xsd:dateTime |
phoneNumber | uco-observable:phoneNumber | |
pictureType | uco-observable:picturetype | |
pictureheight | uco-observable:pictureHeight | |
picturewidth | uco-observable:pictureWidth | |
postalCode | uco-location:postalCode | |
processorArchitecture | uco-observable:processorArchitecture | |
propertyBundle | uco-core:facets | |
protocols | uco-observable:protocols | uco-types:ControlledDictionary |
rangeOffset | uco-observable:rangeOffset | |
rangeSize | uco-observable:rangeSize | xsd:long |
region | uco-location:region | |
result | uco-action:result | |
rowCondition | uco-observable:rowCondition | |
sentTime | uco-observable:sentTime | xsd:dateTime |
serialNumber | uco-observable:serialNumber | |
sizeInBytes | uco-observable:sizeInBytes | xsd:long |
source | uco-core:source | |
sourcePort | uco-observable:sourcePort | |
src | uco-observable:src | |
startTime | uco-observable:startTime | xsd:dateTime |
startTime | uco-observable:startTime | xsd:dateTime |
storageCapacity | uco-observable:storageCapacityInBytes | xsd:long |
street | uco-location:street | |
tableName | uco-observable:tableName | |
tag | uco-core:tag | |
target | uco-core:target | |
timezoneSetting | | |
toolType | uco-tool:toolType | |
totalRam | uco-observable:totalRam | xsd:long |
to | uco-observable:to | |
uniqueID | | |
url | uco-observable:url | |
value | uco-observable:value | |
visibility | uco-observable:visibility | xsd:boolean |
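
The following Python example is added here and is not taken from the CASE project. It applies a subset of the class and property tables above to a constructed prototype-style JSON-LD object, wrapping each literal in its required type and reporting properties that have no CASE 0.2.0 counterpart or that need contextual review. The object layout (an @type key and a propertyBundle list), the migrate function and the sample values are assumptions for illustration.

```python
import json

# Subsets of the class and property tables above (prototype name -> CASE 0.2.0).
CLASSES = {"Trace": "uco-observable:CyberItem", "File": "uco-observable:File",
           "ContentData": "uco-observable:ContentData", "Hash": "uco-types:Hash"}
# name -> (IRI, literal type); IRI None = absent in 0.2.0, type None = default typing.
PROPERTIES = {
    "propertyBundle": ("uco-core:facets", None),
    "fileName": ("uco-observable:fileName", None),
    "sizeInBytes": ("uco-observable:sizeInBytes", "xsd:long"),
    "hash": ("uco-observable:hash", None),
    "hashMethod": ("uco-types:hashMethod", "uco-vocabulary:HashNameVocab"),
    "hashValue": ("uco-types:hashValue", "xsd:hexBinary"),
    "ownerName": (None, None),
}
# Names from the ambiguous-property table: the target depends on context.
AMBIGUOUS = {"createdTime", "data", "key", "location", "object", "version"}

def migrate(node, report):
    """Return a migrated copy of a prototype node; append review items to report."""
    if isinstance(node, list):
        return [migrate(item, report) for item in node]
    if not isinstance(node, dict):
        return node
    out = {}
    for key, value in node.items():
        if key == "@type":
            out[key] = CLASSES[value]  # KeyError: class not in the subset above
        elif key == "@id" or key in AMBIGUOUS:
            out[key] = value  # ambiguous names stay as-is for manual review
            if key in AMBIGUOUS:
                report.append(f"ambiguous: {key}")
        else:
            iri, literal_type = PROPERTIES[key]
            if iri is None:
                report.append(f"dropped: {key}")
            elif literal_type and not isinstance(value, (dict, list)):
                lexical = value if isinstance(value, str) else json.dumps(value)
                out[iri] = {"@type": literal_type, "@value": lexical}
            else:
                out[iri] = migrate(value, report)
    return out

# Constructed prototype-style object; layout and values are assumptions.
SAMPLE = {"@id": "file-1", "@type": "Trace", "propertyBundle": [
    {"@type": "File", "fileName": "report.docx", "sizeInBytes": 35002,
     "ownerName": "alice", "createdTime": "2010-01-15T17:59:43Z"},
    {"@type": "ContentData", "hash": [
        {"@type": "Hash", "hashMethod": "SHA256", "hashValue": "ab" * 32}]}]}
```

Calling migrate(SAMPLE, notes) with an empty list returns the migrated object and fills notes with the names that still need a decision; a class or property missing from the subset raises KeyError so that nothing is migrated silently.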
This table assists with mapping properties as above, except other contextual information needs to be observed to determine what the destination property should be.
These migration steps are also available in machine-readable form at properties_ambiguous.csv or properties_ambiguous.tsv.
Property | IRI | Type of literal |
---|---|---|
createdTime | uco-core:createdTime | xsd:dateTime |
createdTime | uco-observable:createdTime | xsd:dateTime |
data | uco-observable:WindowsRegistryValue | |
data | uco-observable:dataPayload | |
emailAddress | uco-observable:emailAddress | |
emailAddress | uco-observable:value | |
endTime | uco-action:endTime | xsd:dateTime |
endTime | uco-core:endTime | xsd:dateTime |
firstName | uco-identity:givenName | |
firstName | uco-observable:firstName | |
familyName | uco-identity:familyName | |
familyName | uco-observable:lastName | |
key | uco-observable:encryptionKey | |
key | uco-observable:key | |
key | uco-types:key | |
location | uco-action:location | |
location | uco-observable:location | |
object | uco-action:object | |
object | uco-core:object | |
startTime | uco-action:startTime | xsd:dateTime |
startTime | uco-core:startTime | xsd:dateTime |
version | uco-observable:version | |
version | uco-tool:version | |
The prototype used a single Relationship class to relate objects to one another. In CASE 0.2.0, the prototype's Relationship will be replaced with either a uco-core:Relationship or uco-observable:CyberRelationship. These two relationship classes use different sets of enumerants, identified by the enumerant's type. This table assists with not only migrating the enumerant, but determining which type of relationship class the prototype Relationship should become.
These migration steps are also available in machine-readable form at kindOfRelationship_enumerants.csv or kindOfRelationship_enumerants.tsv.
Prototype enumerant | CASE 0.2.0 enumerant | Type of literal |
---|---|---|
Attachment_Of | | |
Has_Account | | |
Has_Device | | |
Has_Role | | |
Located_At | | |
associated-account | | |
attachment-of | | |
contained-within | Contained_Within | uco-vocabulary:CyberItemRelationshipVocab |
decoded-from | | |
decompressed-from | | |
decrypted-from | | |
forensic_image_of | | |
has-account | | |
has-fragment | | |
stored-on |