From 478dc899f2d0888e33187acb73c005bf09c4b4d1 Mon Sep 17 00:00:00 2001
From: aksha
Date: Mon, 22 Oct 2018 09:35:21 +0100
Subject: [PATCH] Add: Web artefacts objects
---
 objects/TSK-Chats/definition.json | 84 ++++++++++++++++++++
 objects/TSK-Web-Bookmark/definition.json | 67 ++++++++++++++++
 objects/TSK-Web-Cookie/definition.json | 67 ++++++++++++++++
 objects/TSK-Web-Downloads/definition.json | 55 +++++++++++++
 objects/TSK-Web-History/definition.json | 68 ++++++++++++++++
 objects/TSK-Web-Search-Query/definition.json | 66 +++++++++++++++
 6 files changed, 407 insertions(+)
 create mode 100644 objects/TSK-Chats/definition.json
 create mode 100644 objects/TSK-Web-Bookmark/definition.json
 create mode 100644 objects/TSK-Web-Cookie/definition.json
 create mode 100644 objects/TSK-Web-Downloads/definition.json
 create mode 100644 objects/TSK-Web-History/definition.json
 create mode 100644 objects/TSK-Web-Search-Query/definition.json
diff --git a/objects/TSK-Chats/definition.json b/objects/TSK-Chats/definition.json
new file mode 100644
index 0000000..bcda96a
--- /dev/null
+++ b/objects/TSK-Chats/definition.json
@@ -0,0 +1,84 @@
+{
+ "required": [
+ "message-type",
+ "message"
+ ],
+ "attributes": {
+ "message-type": {
+ "description": "the type of message extracted from the forensic-evidence.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "sane_default":[
+ "SMS",
+ "MMS",
+ "Instant Message (IM)",
+ "Voice Message"
+ ],
+ "disable_correlation": true
+ },
+ "datetime-sent": {
+ "description": "date and the time when the message was sent.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "datetime-received": {
+ "description": "date and time when the message was received.",
+ "multiple": true,
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "Source": {
+ "description": "Source of the message.(Contact details)",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "destination": {
+ "description": "Destination of the message.(Contact details)",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "app-used": {
+ "description": "Application used to send the message.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "subject": {
+ "description": "Subject of the message if any.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "message": {
+ "description": "Message exchanged.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "attachments": {
+ "description": "External references",
+ "multiple": true,
+ "ui-priority": 0,
+ "categories": [
+ "External analysis"
+ ],
+ "misp-attribute": "link"
+ },
+ "additional-comments": {
+ "description": "Comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "categories": [
+ "External analysis"
+ ],
+ "disable_correlation": true
+ }
+ },
+ "version": 1,
+ "description": "An Object Template to gather information from evidential or interesting exchange of messages identified during a digital forensic investigation.",
+ "meta-category": "misc",
+ "uuid": "6b71f231-c502-467f-bc67-1423cd5bf800",
+ "name": "TSK-Chats"
+}
diff --git a/objects/TSK-Web-Bookmark/definition.json b/objects/TSK-Web-Bookmark/definition.json
new file mode 100644
index 0000000..f5bd4b9
--- /dev/null
+++ b/objects/TSK-Web-Bookmark/definition.json
@@ -0,0 +1,67 @@
+{
+ "required": [
+ "URL"
+ ],
+ "attributes": {
+ "URL": {
+ "description": "The URL saved as bookmark.",
+ "ui-priority": 0,
+ "misp-attribute": "link"
+ },
+ "datetime-bookmarked": {
+ "description": "date and time when the URL was added to favorites.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "name": {
+ "description": "Book mark name. ",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "title": {
+ "description": "Title of the web page",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "browser": {
+ "description": "Browser used to access the URL.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "sane_default": [
+ "IE",
+ "Safari",
+ "Chrome",
+ "Firefox",
+ "Opera mini",
+ "Chromium"
+ ],
+ "disable_correlation": true
+ },
+ "domain-name": {
+ "description": "Domain of the URL.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "domain-ip": {
+ "description": "IP of the URL domain.",
+ "ui-priority": 0,
+ "misp-attribute": "ip-src"
+ },
+ "additional-comments": {
+ "description": "Comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "categories": [
+ "External analysis"
+ ],
+ "disable_correlation": true
+ }
+ },
+ "version": 1,
+ "description": "An Object Template to add evidential bookmarks identified during a digital forensic investigation.",
+ "meta-category": "misc",
+ "uuid": "7d9a88a8-9934-4caa-a85b-f76bc97d5373",
+ "name": "TSK-Web-Bookmark"
+}
diff --git a/objects/TSK-Web-Cookie/definition.json b/objects/TSK-Web-Cookie/definition.json
new file mode 100644
index 0000000..db4ded0
--- /dev/null
+++ b/objects/TSK-Web-Cookie/definition.json
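Review bot: The attribute key `"Source"` is the only capitalised name in this template — its counterpart is `"destination"` and every other key is lowercase-hyphenated — so it should be `"source"`; attribute names are the keys tooling and analysts address, and renaming after the template has shipped is a breaking change, so it is cheapest to fix before merge. In the same block `"sane_default":[` is missing the space every other template writes after the colon. `"datetime-received"` is the only datetime carrying `"multiple": true`; if that is intended for group conversations where each recipient has its own receipt time, a few words in the description (e.g. `"date and time when the message was received (one per recipient)."`) would make it clear, otherwise it reads as accidental.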
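Review bot: `"domain-ip"` is typed `ip-src`, but the IP resolved for a bookmarked site's domain is the address the browser connected to, i.e. a destination, so `ip-dst` is the matching MISP type; the same choice is repeated in TSK-Web-Cookie and TSK-Web-History. Likewise `"domain-name"` is typed `text`, which forgoes the `domain` attribute type and the correlation it would give against other events carrying the same domain (also in Cookie and History). The `"name"` description `"Book mark name. "` has a trailing space and should read `"Bookmark name."`.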
@@ -0,0 +1,67 @@
+{
+ "required": [
+ "URL",
+ "name",
+ "value"
+ ],
+ "attributes": {
+ "URL": {
+ "description": "The website URL that created the cookie.",
+ "ui-priority": 0,
+ "misp-attribute": "link"
+ },
+ "datetime-created": {
+ "description": "date and time when the cookie was created.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "name": {
+ "description": "Name of the cookie ",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "value": {
+ "description": "Value assigned to the cookie.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "browser": {
+ "description": "Browser on which the cookie was created.",
+ "ui-priority": 0,
+ "sane_default": [
+ "IE",
+ "Safari",
+ "Chrome",
+ "Firefox",
+ "Opera mini",
+ "Chromium"
+ ],
+ "misp-attribute": "text"
+ },
+ "domain-name": {
+ "description": "Domain of the URL that created the cookie.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "domain-ip": {
+ "description": "IP of the domain that created the URL.",
+ "ui-priority": 0,
+ "misp-attribute": "ip-src"
+ },
+ "additional-comments": {
+ "description": "Comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "categories": [
+ "External analysis"
+ ],
+ "disable_correlation": true
+ }
+ },
+ "version": 1,
+ "description": "An TSK-Autopsy Object Template to represent cookies identified during a forensic investigation.",
+ "meta-category": "misc",
+ "uuid": "40d23a4f-43be-4c9e-8328-382a2188eb1d",
+ "name": "TSK-Web-Cookie"
+}
diff --git a/objects/TSK-Web-Downloads/definition.json b/objects/TSK-Web-Downloads/definition.json
new file mode 100644
index 0000000..55ddf05
--- /dev/null
+++ b/objects/TSK-Web-Downloads/definition.json
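Review bot: `"browser"` here has no `"disable_correlation": true`, unlike the `browser` attribute in TSK-Web-Bookmark, TSK-Web-History and TSK-Web-Search-Query; a value such as `"Chrome"` would then correlate across every cookie object in the instance, which is noise rather than signal. The `"domain-ip"` description reads `"IP of the domain that created the URL."` and presumably means `"IP of the domain that created the cookie."`. Since `"value"` is required and will frequently hold a live session credential, the description could say so, e.g. `"Value assigned to the cookie (often a session credential; choose the distribution level accordingly)."`. Minor wording: `"An TSK-Autopsy Object Template"` → `"A TSK-Autopsy Object Template"`, and `"Name of the cookie "` carries a trailing space.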
@@ -0,0 +1,55 @@
+{
+ "required": [
+ "URL",
+ "name"
+ ],
+ "attributes": {
+ "URL": {
+ "description": "The URL used to download the file.",
+ "ui-priority": 0,
+ "misp-attribute": "link"
+ },
+ "datetime-accessed": {
+ "description": "date and time when the file was downloaded.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "name": {
+ "description": "Name of the file downloaded.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "path-downloadedTo": {
+ "description": "Location the file was downloaded to.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "pathID": {
+ "description": "Id of the attribute file where the information is gathered from.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "attachment": {
+ "description": "The downloaded file itself.",
+ "ui-priority": 1,
+ "misp-attribute": "attachment",
+ "disable_correlation": true
+ },
+ "additional-comments": {
+ "description": "Comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "categories": [
+ "External analysis"
+ ],
+ "disable_correlation": true
+ }
+ },
+ "version": 1,
+ "description": "An Object Template to add web-downloads",
+ "meta-category": "File",
+ "uuid": "ab9603a1-9dcc-48e8-a51c-b8bccc7bcc26",
+ "name": "TSK-Web-Downloads"
+}
diff --git a/objects/TSK-Web-History/definition.json b/objects/TSK-Web-History/definition.json
new file mode 100644
index 0000000..84be3b9
--- /dev/null
+++ b/objects/TSK-Web-History/definition.json
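Review bot: `"attachment"` is described as `"The downloaded file itself."` and typed `attachment`, which stores and serves the file as-is; a web download recovered from a forensic image is often the suspected malware, and MISP's `malware-sample` type exists precisely so such files are held in a protected archive rather than handed to whoever opens the event. Either switch the type, or state in the description that suspected-malicious downloads belong in a `malware-sample` attribute and this slot is for benign artefacts. `"meta-category": "File"` is capitalised while the other five templates use lowercase (`"misc"`); misp-objects categories are lowercase, so `"file"`. `"path-downloadedTo"` and `"pathID"` mix camelCase into otherwise hyphenated names, and `"datetime-accessed"` is described as the download time — `"datetime-downloaded"` would follow the `datetime-bookmarked`/`datetime-searched` pattern of the sibling templates; both are attribute keys, so they are cheapest to rename before this ships.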
@@ -0,0 +1,68 @@
+{
+ "required": [
+ "URL",
+ "datetime-accessed"
+ ],
+ "attributes": {
+ "URL": {
+ "description": "The URL accessed.",
+ "ui-priority": 0,
+ "misp-attribute": "link"
+ },
+ "datetime-accessed": {
+ "description": "date and the time when the URL was accessed.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "referrer": {
+ "description": "where the URL was referred from ",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "title": {
+ "description": "Title of the web page",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "domain-name": {
+ "description": "Domain of the URL.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "domain-ip": {
+ "description": "IP of the URL domain.",
+ "ui-priority": 0,
+ "misp-attribute": "ip-src"
+ },
+ "browser": {
+ "description": "Browser used to access the URL.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "sane_default": [
+ "IE",
+ "Safari",
+ "Chrome",
+ "Firefox",
+ "Opera mini",
+ "Chromium"
+ ],
+ "disable_correlation": true
+ },
+ "additional-comments": {
+ "description": "Comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "categories": [
+ "External analysis"
+ ],
+ "disable_correlation": true
+ }
+ },
+ "version": 1,
+ "description": "An Object Template to share web history information",
+ "meta-category": "misc",
+ "uuid": "e1325e52-e52e-49b1-89ad-d503c127c698",
+ "name": "TSK-Web-History"
+}
diff --git a/objects/TSK-Web-Search-Query/definition.json b/objects/TSK-Web-Search-Query/definition.json
new file mode 100644
index 0000000..8e66b0d
--- /dev/null
+++ b/objects/TSK-Web-Search-Query/definition.json
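Review bot: `"referrer"` holds a URL (`"where the URL was referred from "`) but is typed `text`, while `"URL"` in the same template is `link`; typing it `link` keeps the two consistent and lets MISP handle it as a URL rather than free text. Its description also has a trailing space and no capital or period — `"URL the page was referred from."` would match the rest. The template description `"An Object Template to share web history information"` lacks the terminal period the Chats, Bookmark and Cookie templates use.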
@@ -0,0 +1,66 @@
+{
+ "required": [
+ "domain",
+ "text"
+ ],
+ "attributes": {
+ "domain": {
+ "description": "The domain of the search engine.",
+ "ui-priority": 0,
+ "misp-attribute": "link",
+ "sane_default": [
+ "Google",
+ "Yahoo",
+ "Bing",
+ "Alta Vista",
+ "MSN"
+ ],
+ "disable_correlation": true
+ },
+ "text": {
+ "description": "the search word or sentence.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "datetime-searched": {
+ "description": "date and time when the search was conducted.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "browser": {
+ "description": "Browser used.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "sane_default": [
+ "IE",
+ "Safari",
+ "Chrome",
+ "Firefox",
+ "Opera mini",
+ "Chromium"
+ ],
+ "disable_correlation": true
+ },
+ "username": {
+ "description": "User name or ID associated with the search.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "additional-comments": {
+ "description": "Comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "categories": [
+ "External analysis"
+ ],
+ "disable_correlation": true
+ }
+ },
+ "version": 1,
+ "description": "An Object Template to share web search query information",
+ "meta-category": "misc",
+ "uuid": "16b3f8d0-fd09-4812-a42c-b5aeff2d4c2e",
+ "name": "TSK-Web-Search-Query"
+}
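Review bot: `"domain"` is typed `link`, yet its `sane_default` values (`"Google"`, `"Yahoo"`, `"Bing"`, `"Alta Vista"`, `"MSN"`) are search-engine names, not URLs, so none of the offered defaults would pass as a link value — and because `"domain"` is in `required`, an object built from the defaults cannot be saved at all. Either type it `text` and describe it as the search-engine name, or keep a domain-typed attribute (MISP's `domain` type) with real host names as the defaults. The `"text"` description `"the search word or sentence."` should start with a capital like the other descriptions.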