From b83e98bbd4cf891f1a486aba71ee6b81a2bc9f81 Mon Sep 17 00:00:00 2001
From: aksha
Date: Mon, 3 Sep 2018 11:28:40 +0100
Subject: [PATCH 1/4] Add: Misp object for Digital Forensic - Case metadata
---
.../definition.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 objects/digital-forensics-case-metadata/definition.json
diff --git a/objects/digital-forensics-case-metadata/definition.json b/objects/digital-forensics-case-metadata/definition.json
new file mode 100644
index 0000000..c1ab823
--- /dev/null
+++ b/objects/digital-forensics-case-metadata/definition.json
@@ -0,0 +1,68 @@
+{
+ "requiredOneOf": [
+ "case-number",
+ "name-of-the-analyst",
+ "crime-date",
+ "analysis-start-date"
+ ],
+ "attributes": {
+ "case-number": {
+ "description": "Any unique number assigned to the case for unique identification.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "case-name": {
+ "description": "Name to address the case.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "name-of-the-analyst": {
+ "description": "Name(s) of the analyst assigned to the case.",
+ "multiple": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "location-of-the-crime": {
+ "description": "Location where the crime took place.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "crime-date": {
+ "description": "Date and time when the crime occurred.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "describe-the-crime-scene": {
+ "description": "Description of the crime scene",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "objects-acquired": {
+ "description": "Digital evidence acquired from the crime scene.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "references": {
+ "description": "External references",
+ "multiple": true,
+ "ui-priority": 0,
+ "misp-attribute": "link"
+ },
+ "analysis-start-date": {
+ "description": "Date when the analysis began.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "additional-comments": {
+ "description": "Comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ }
+ },
+ "version": 1,
+ "description": "Describes details of the case under analysis.",
+ "meta-category": "misc",
+ "uuid": "3ea36022-ae93-455e-88b1-d43aca789cac",
+ "name": "Digital forensic - Case info"
+ }
+
\ No newline at end of file
From 7ee2ff1901ddea4b1464a4e39b4dc93dc5c943e6 Mon Sep 17 00:00:00 2001
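Review bot: `case-number`, `case-name` and `name-of-the-analyst` are plain `text` attributes with no `"disable_correlation": true`, so on a MISP instance their values would presumably be correlated across events; a short case number or an analyst's name would then link unrelated events and carry personal data into the correlation graph. I would add `"disable_correlation": true` to at least those three attributes. Separately, `"name": "Digital forensic - Case info"` does not match the directory `digital-forensics-case-metadata`; a lowercase, hyphenated name equal to the directory name is easier to look up. The file also ends with a whitespace-only line and no final newline.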
From: aksha
Date: Tue, 4 Sep 2018 12:31:13 +0100
Subject: [PATCH 2/4] Add: Object template for digital evidence
---
.../definition.json | 68 ----------------
objects/forensic-evidence/definition.json | 78 +++++++++++++++++++
2 files changed, 78 insertions(+), 68 deletions(-)
delete mode 100644 objects/digital-forensics-case-metadata/definition.json
create mode 100644 objects/forensic-evidence/definition.json
diff --git a/objects/digital-forensics-case-metadata/definition.json b/objects/digital-forensics-case-metadata/definition.json
deleted file mode 100644
index c1ab823..0000000
--- a/objects/digital-forensics-case-metadata/definition.json
+++ /dev/null
@@ -1,68 +0,0 @@
-{
- "requiredOneOf": [
- "case-number",
- "name-of-the-analyst",
- "crime-date",
- "analysis-start-date"
- ],
- "attributes": {
- "case-number": {
- "description": "Any unique number assigned to the case for unique identification.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "case-name": {
- "description": "Name to address the case.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "name-of-the-analyst": {
- "description": "Name(s) of the analyst assigned to the case.",
- "multiple": true,
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "location-of-the-crime": {
- "description": "Location where the crime took place.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "crime-date": {
- "description": "Date and time when the crime occurred.",
- "ui-priority": 0,
- "misp-attribute": "datetime"
- },
- "describe-the-crime-scene": {
- "description": "Description of the crime scene",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "objects-acquired": {
- "description": "Digital evidence acquired from the crime scene.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "references": {
- "description": "External references",
- "multiple": true,
- "ui-priority": 0,
- "misp-attribute": "link"
- },
- "analysis-start-date": {
- "description": "Date when the analysis began.",
- "ui-priority": 0,
- "misp-attribute": "datetime"
- },
- "additional-comments": {
- "description": "Comments.",
- "ui-priority": 0,
- "misp-attribute": "text"
- }
- },
- "version": 1,
- "description": "Describes details of the case under analysis.",
- "meta-category": "misc",
- "uuid": "3ea36022-ae93-455e-88b1-d43aca789cac",
- "name": "Digital forensic - Case info"
- }
-
\ No newline at end of file
diff --git a/objects/forensic-evidence/definition.json b/objects/forensic-evidence/definition.json
new file mode 100644
index 0000000..eddb50e
--- /dev/null
+++ b/objects/forensic-evidence/definition.json
@@ -0,0 +1,78 @@
+{
+ "required": [
+ "case-number",
+ "evidence-number"
+ ],
+ "attributes": {
+ "case-number": {
+ "description": "A unique number assigned to the case for unique identification.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "evidence-number": {
+ "description": "A unique number assigned to the evidence for unique identification.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "type": {
+ "description": "Evidence type.",
+ "multiple": true,
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Computer",
+ "Network",
+ "Mobile Device",
+ "Multimedia",
+ "Cloud",
+ "IoT",
+ "Other"
+ ],
+ "disable_correlation": true
+ },
+ "name": {
+ "description": "Name",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "acquisition-hash-type": {
+ "description": "Hashing algorithm used on the evidence",
+ "multiple": true,
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "sane_default": [
+ "MD5",
+ "SHA-1",
+ "Other"
+ ],
+ "disable_correlation": true
+ },
+ "acquisition-hash": {
+ "description": "Acquisition hash of the evidence",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "references": {
+ "description": "External references",
+ "multiple": true,
+ "ui-priority": 0,
+ "misp-attribute": "link"
+ },
+ "additional-comments": {
+ "description": "Comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "file-upload": {
+ "description": "Upload any file pertaining to the evidence.",
+ "ui-priority": 0,
+ "misp-attribute": "attachment",
+ "multiple": true
+ }
+ },
+ "version": 1,
+ "description": "An object template to describe a digital forensic evidence.",
+ "meta-category": "misc",
+ "uuid": "fe44c648-63ef-43fc-b3de-af71a2e023e4",
+ "name": "forensic-evidence"
+}
From 4e66e692d4d09a26ce25b216ccf20c76529fe44a Mon Sep 17 00:00:00 2001
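Review bot: The `sane_default` list of `acquisition-hash-type` offers only `MD5`, `SHA-1` and `Other`; both named algorithms have practical collision attacks, so the template steers analysts towards digests that are weak evidence of integrity. I would list `"SHA-256"` and `"SHA-512"` ahead of them. `acquisition-hash` is typed `text`, so the value is not checked as a digest of any kind, and it is single-valued while `acquisition-hash-type` sets `"multiple": true`, which leaves no way to tell which algorithm produced the stored hash when two types are selected. Either drop `"multiple": true` from the type or give each digest its own attribute.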
From: aksha
Date: Tue, 4 Sep 2018 12:46:00 +0100
Subject: [PATCH 3/4] fixed intendation
---
objects/forensic-evidence/definition.json | 130 +++++++++++-----------
1 file changed, 65 insertions(+), 65 deletions(-)
diff --git a/objects/forensic-evidence/definition.json b/objects/forensic-evidence/definition.json
index eddb50e..a572b43 100644
--- a/objects/forensic-evidence/definition.json
+++ b/objects/forensic-evidence/definition.json
@@ -1,74 +1,74 @@ { "required": [ - "case-number", - "evidence-number" + "case-number", + "evidence-number" ], "attributes": { "case-number": { - "description": "A unique number assigned to the case for unique identification.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "evidence-number": { - "description": "A unique number assigned to the evidence for unique identification.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "type": { - "description": "Evidence type.", - "multiple": true, - "ui-priority": 0, - "misp-attribute": "text", - "sane_default": [ - "Computer", - "Network", - "Mobile Device", - "Multimedia", - "Cloud", - "IoT", - "Other" - ], - "disable_correlation": true - }, - "name": { - "description": "Name", - "ui-priority": 0, - "misp-attribute": "text" - }, - "acquisition-hash-type": { - "description": "Hashing algorithm used on the evidence", - "multiple": true, - "ui-priority": 0, - "misp-attribute": "text", - "sane_default": [ - "MD5", - "SHA-1", - "Other" - ], - "disable_correlation": true - }, - "acquisition-hash": { - "description": "Acquisition hash of the evidence", - "ui-priority": 0, - "misp-attribute": "text" - }, - "references": { - "description": "External references", - "multiple": true, - "ui-priority": 0, - "misp-attribute": "link" - }, - "additional-comments": { - "description": "Comments.", - "ui-priority": 0, - "misp-attribute": "text" + "description": "A unique number assigned to the case for unique identification.", + "ui-priority": 0, + "misp-attribute": "text" }, - "file-upload": { - "description": "Upload any file pertaining to the evidence.", - "ui-priority": 0, - "misp-attribute": "attachment", - "multiple": true - } + "evidence-number": { + "description": "A unique number assigned to the evidence for unique identification.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "type": { + "description": "Evidence type.", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ 
+ "Computer", + "Network", + "Mobile Device", + "Multimedia", + "Cloud", + "IoT", + "Other" + ], + "disable_correlation": true + }, + "name": { + "description": "Name", + "ui-priority": 0, + "misp-attribute": "text" + }, + "acquisition-hash-type": { + "description": "Hashing algorithm used on the evidence", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "MD5", + "SHA-1", + "Other" + ], + "disable_correlation": true + }, + "acquisition-hash": { + "description": "Acquisition hash of the evidence", + "ui-priority": 0, + "misp-attribute": "text" + }, + "references": { + "description": "External references", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "link" + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "file-upload": { + "description": "Upload any file pertaining to the evidence.", + "ui-priority": 0, + "misp-attribute": "attachment", + "multiple": true + } }, "version": 1, "description": "An object template to describe a digital forensic evidence.", From d2550dffb63b46a7c15f143485d1575af8c8c4f2 Mon Sep 17 00:00:00 2001 From: aksha Date: Tue, 4 Sep 2018 14:18:30 +0100 Subject: [PATCH 4/4] update: Forensic-evidence object --- objects/forensic-evidence/definition.json | 136 +++++++++++----------- 1 file changed, 71 insertions(+), 65 deletions(-) diff --git a/objects/forensic-evidence/definition.json b/objects/forensic-evidence/definition.json index a572b43..068a15e 100644 --- a/objects/forensic-evidence/definition.json +++ b/objects/forensic-evidence/definition.json 
@@ -4,71 +4,77 @@ "evidence-number" ], "attributes": { - "case-number": { - "description": "A unique number assigned to the case for unique identification.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "evidence-number": { - "description": "A unique number assigned to the evidence for unique identification.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "type": { - "description": "Evidence type.", - "multiple": true, - "ui-priority": 0, - "misp-attribute": "text", - "sane_default": [ - "Computer", - "Network", - "Mobile Device", - "Multimedia", - "Cloud", - "IoT", - "Other" - ], - "disable_correlation": true - }, - "name": { - "description": "Name", - "ui-priority": 0, - "misp-attribute": "text" - }, - "acquisition-hash-type": { - "description": "Hashing algorithm used on the evidence", - "multiple": true, - "ui-priority": 0, - "misp-attribute": "text", - "sane_default": [ - "MD5", - "SHA-1", - "Other" - ], - "disable_correlation": true - }, - "acquisition-hash": { - "description": "Acquisition hash of the evidence", - "ui-priority": 0, - "misp-attribute": "text" - }, - "references": { - "description": "External references", - "multiple": true, - "ui-priority": 0, - "misp-attribute": "link" - }, - "additional-comments": { - "description": "Comments.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "file-upload": { - "description": "Upload any file pertaining to the evidence.", - "ui-priority": 0, - "misp-attribute": "attachment", - "multiple": true - } + "case-number": { + "description": "A unique number assigned to the case for unique identification.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "evidence-number": { + "description": "A unique number assigned to the evidence for unique identification.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "type": { + "description": "Evidence type.", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "Computer", + "Network", + "Mobile 
Device", + "Multimedia", + "Cloud", + "IoT", + "Other" + ] + }, + "name": { + "description": "Name", + "ui-priority": 0, + "misp-attribute": "text" + }, + "acquisition-method": { + "description": "Method used for acquisition of the evidence.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "Live acquisition", + "Dead/Offline acquisition", + "Physical collection", + "Logical collection", + "File system extraction", + "Chip-off", + "Other" + ] + }, + "acquisition-tools": { + "description": "Tools used for acquisition of the evidence.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple" : true, + "sane_default": [ + "DCFldd", + "EnCase", + "FTK Imager", + "FDAS", + "TrueBack", + "Guymager", + "IXimager", + "Other" + ] + }, + "references": { + "description": "External references", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "link" + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text" + } }, "version": 1, "description": "An object template to describe a digital forensic evidence.",
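Review bot: The new side of `type` no longer carries `"disable_correlation": true`, and the added `acquisition-method` and `acquisition-tools` attributes never set it, so enumerated values such as `Computer` or `FTK Imager` would presumably correlate every event that uses this object with every other one. I would add `"disable_correlation": true` to all three attributes. The hunk also removes `acquisition-hash` and `acquisition-hash-type` without a replacement, which leaves the template with no field for the integrity digest of the acquired evidence; if that is moving to another object, the commit message should say so. In `acquisition-tools` the line `"multiple" : true,` has a stray space before the colon, and the object's remaining top-level keys continue outside the hunk.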