diff --git a/objects/forensic-evidence/definition.json b/objects/forensic-evidence/definition.json
new file mode 100644
index 0000000..068a15e
--- /dev/null
+++ b/objects/forensic-evidence/definition.json
@@ -0,0 +1,84 @@
+{
+ "required": [
+ "case-number",
+ "evidence-number"
+ ],
+ "attributes": {
+ "case-number": {
+ "description": "A unique number assigned to the case for unique identification.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "evidence-number": {
+ "description": "A unique number assigned to the evidence for unique identification.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "type": {
+ "description": "Evidence type.",
+ "multiple": true,
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Computer",
+ "Network",
+ "Mobile Device",
+ "Multimedia",
+ "Cloud",
+ "IoT",
+ "Other"
+ ]
+ },
+ "name": {
+ "description": "Name",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "acquisition-method": {
+ "description": "Method used for acquisition of the evidence.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Live acquisition",
+ "Dead/Offline acquisition",
+ "Physical collection",
+ "Logical collection",
+ "File system extraction",
+ "Chip-off",
+ "Other"
+ ]
+ },
+ "acquisition-tools": {
+ "description": "Tools used for acquisition of the evidence.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple" : true,
+ "sane_default": [
+ "DCFldd",
+ "EnCase",
+ "FTK Imager",
+ "FDAS",
+ "TrueBack",
+ "Guymager",
+ "IXimager",
+ "Other"
+ ]
+ },
+ "references": {
+ "description": "External references",
+ "multiple": true,
+ "ui-priority": 0,
+ "misp-attribute": "link"
+ },
+ "additional-comments": {
+ "description": "Comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ }
+ },
+ "version": 1,
+ "description": "An object template to describe a digital forensic evidence.",
+ "meta-category": "misc",
+ "uuid": "fe44c648-63ef-43fc-b3de-af71a2e023e4",
+ "name": "forensic-evidence"
+}
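Review bot: The enumerated `text` attributes (`type`, `acquisition-method`, `acquisition-tools`) carry no `"disable_correlation": true`, so shared values such as "Other" or "Computer" will most likely correlate every event that uses this template with every other one; adding that key to those three attributes, and probably to `additional-comments`, keeps correlations meaningful for analysts. The template also records how the evidence was acquired but has no attribute for an integrity hash of the acquired image or for the acquisition time, which are what let a later reader confirm the evidence is unchanged and place it in the chain of custody; consider adding them before version 1 is published. Minor: `"multiple" : true` in `acquisition-tools` has a stray space before the colon, and the `name` description ("Name") does not say what is being named.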