CYB 730 - Owl Scenario

Owl Scenario
In 2017, in a jurisdiction where it is illegal to buy, sell, or trade owls, police seized two devices in
connection with an individual suspected of illegally trading owls. The individual, Sarah McAvoy,
consented to a search of her devices, and in an interview with police said the following:

“I’ve never bought or traded for owls. I admit, I am a sick person and I often fantasize about
owls… Going to the sanctuary to see them, looking them up on the Internet to see pictures. I even
wrote fanfic where Harry Potter and Hedwig leave Hogwarts to go on adventures together. I know,
there’s something seriously wrong with me, but I didn’t do anything illegal. I would never actually
buy an owl or meet some strange person from the Internet to buy one. I know it’s illegal and I have
never broken a law in my life.”

The prosecutor in this case has requested digital forensic analysis of the evidence. It was
processed and forensic reports were generated. You have been asked to come in afterward for
additional analysis and to eventually provide expert testimony on the case itself. The primary
forensic report for this case is included below.
Owl Trafficking
CASE Narrative on Trafficking

Owl CASE
This investigative scenario emulates illegal activities involving trafficking of vulnerable victims,
and download and exchange of related pictures. This document represents information from a
Windows 10 computer and Android 6.0 smartphone using CASE.

Dataset generation: Dataset was created by students at Marshall University.

The JSON-LD data on this page are available combined in the file owl_trafficking.json.

Background

In a jurisdiction where owls are illegal to trade and buy, two individuals are suspected of
illegally trading owls. A computer and smartphone are collected as evidence and forensic
examination is performed to determine whether the user is attempting to purchase owls illegally.

Mandate

The prosecutor in this case has requested digital forensic analysis of the digital evidence for the
following information:

a. The name and virtual identifier(s) of the primary user
b. Possible accomplices the subject communicated with during the period(s) of interest
c. Pictures of owls with associated context and classifications
d. Evidence of purchasing an owl, or intent to purchase owls
e. Pertinent location information, including any arranged meetings to exchange owls
f. Visual reconstruction of the most pertinent elements and entities (people and objects)

EVIDENCE PROVENANCE AND INTEGRITY

The initial step of the digital forensic analysis is to assess the provenance and integrity of the
digital evidence and to examine device characteristics and identifiers. The overall CASE bundle
provides context for the digital evidence.

CASE Representation of Investigation

{
"@context": {
"@vocab": "http://example.org/ontology/local#",
"case-investigation": "https://ontology.caseontology.org/case/investigation/",
"drafting": "http://example.org/ontology/drafting#",
"kb": "http://example.org/kb/",
"rdf": "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
"rdfs": "http://www.w3.org/2000/01/rdf-schema#",
"uco-action": "https://ontology.unifiedcyberontology.org/uco/action/",
"uco-core": "https://ontology.unifiedcyberontology.org/uco/core/",
"uco-identity": "https://ontology.unifiedcyberontology.org/uco/identity/",
"uco-location": "https://ontology.unifiedcyberontology.org/uco/location/",
"uco-observable": "https://ontology.unifiedcyberontology.org/uco/observable/",
"uco-tool": "https://ontology.unifiedcyberontology.org/uco/tool/",
"uco-types": "https://ontology.unifiedcyberontology.org/uco/types/",
"uco-vocabulary": "https://ontology.unifiedcyberontology.org/uco/vocabulary/",
"xsd": "http://www.w3.org/2001/XMLSchema#"
},
"@graph": [
{
"@id": "kb:bundle-5715fcf3-6bc8-4996-8f7f-fdf289f31649",
"@type": "uco-core:Bundle",
"uco-core:description": "Evidence in illegal trafficking of owls",
"uco-core:object": [
{
"@id": "kb:investigation-555e5fbb-ba09-449d-af77-8a210d016fd7",
"@type": "case-investigation:Investigation",
"uco-core:name": "OWL_2017_0206001",
"case-investigation:focus": "Illegal trafficking (owls)",
"uco-core:description": "The subject mcavoy was arrested on
suspicion of illegal trafficking of owls. His computer and smartphone were preserved
as evidence.",
"uco-core:object": [
"(list of uuids)"
]
}
]
}
]
}
INVESTIGATIVE ACTIONS

The provenance information provides an audit trail of the forensic acquisition of each data source,
for traceability purposes: it records which organization and/or individual generated the report,
with which tool and tool version, together with the general information about the investigation
and the evidential item that the examiner entered. The Android smartphone was retrieved and
preserved as evidence on 6 February 2017 (physical extraction).

CASE Representation of Forensic Data Acquisition

[
{
"@id": "kb:magnet-acquire2005412-83715215-c5fc-4231-99ff-29a3c51cb5f1",
"@type": "uco-tool:Tool",
"uco-core:name": "Magnet ACQUIRE",
"uco-tool:toolType": "Extraction",
"uco-tool:creator": {
"@id": "kb:organization-magnet-1ad4338b-fa60-4823-b9af-38de3d388e36"
},
"uco-tool:version": "2.0.0.5412",
"uco-core:hasFacet": [
{
"@type": "uco-tool:ToolConfigurationTypeFacet",
"uco-tool:configurationSettings": [
{
"@type": "uco-tool:ConfigurationSettingType",
"uco-tool:itemName": "DeviceInfoConnectionType",
"uco-tool:itemValue": "Cable No. 10"
},
{
"@type": "uco-tool:ConfigurationSettingType",
"uco-tool:itemName": "ExtractionType",
"uco-tool:itemValue": "Physical"
}
]
}
]
},
{
"@id": "kb:organization-magnet-1ad4338b-fa60-4823-b9af-38de3d388e36",
"@type": "uco-identity:Organization",
"uco-core:hasFacet": {
"@type": "uco-identity:OrganizationDetailsFacet",
"drafting:orgName": "Magnet"
}
},
{
"@id": "kb:investigative-action-4d3778d9-8376-4277-9852-8e6bf926a5d1",
"@type": "case-investigation:InvestigativeAction",
"uco-core:name": "extracted",
"uco-action:startTime": {
"@type": "xsd:dateTime",
"@value": "2017-02-06T20:51:09.00Z"
},
"uco-action:endTime": {
"@type": "xsd:dateTime",
"@value": "2017-02-06T22:13:08.00Z"
},
"uco-action:location": {
"@id": "kb:lab-c44e4679-26e3-4585-aaa1-86110db936f8"
},
"uco-action:performer": {
"@id": "kb:investigator-09fb01ce-999e-4521-bd3f-f7be69a63a43"
},
"uco-action:instrument": {
"@id": "kb:magnet-acquire2005412-83715215-c5fc-4231-99ff-29a3c51cb5f1"
},
"uco-action:environment": {
"@id": "kb:forensic-computer-2132063b-7753-4b51-b146-827e9a1d5037"
},
"uco-action:object": [
{
"@id": "kb:provenance-record-9bd9c456-5965-4782-8285-5fee34c8ddd2"
},
{
"@id": "kb:lge-device-eee670c6-01d4-4e42-bb6b-ebeca149b168"
}
],
"uco-action:result": [
{
"@id": "kb:provenance-record-b84dc6ca-6187-4fc3-b5f1-c15142b103a8"
},
{
"@id": "kb:f3fd304e-ef6c-4cbd-94cb-425880f82748"
}
]
}
]
Query - imaging action
For the seized device, exhibit number SD1, when was it imaged? Who imaged it? What tool and
tool version did they use? What is the name of the resulting image file? (SPARQL source)

SELECT ?lDeviceExhibitNumber ?lImagingEndTime ?lOfficerName ?lToolName ?lToolVersion ?lImageFileName
WHERE {
?nImagingAction
a case-investigation:InvestigativeAction ;
uco-action:endTime ?lImagingEndTime ;
uco-action:instrument ?nImagingTool ;
uco-action:object ?nSubjectDeviceProvenanceRecord ;
uco-action:object ?nSubjectDevice ;
uco-action:performer ?nImagingPerformer ;
uco-action:result ?nImageFile ;
.

?nSubjectDevice
a/rdfs:subClassOf* uco-observable:ObservableObject ;
uco-core:hasFacet ?nSubjectDeviceFacet ;
.

?nSubjectDeviceFacet
a uco-observable:DeviceFacet ;
.

?nSubjectDeviceProvenanceRecord
a case-investigation:ProvenanceRecord ;
case-investigation:exhibitNumber ?lDeviceExhibitNumber ;
uco-core:object ?nSubjectDevice ;
.

?nImagingPerformer
a uco-identity:Person ;
uco-core:hasFacet ?nImagingPerformerIdentityFacet ;
.

?nImagingPerformerIdentityFacet
a uco-identity:SimpleNameFacet ;
uco-identity:familyName ?lOfficerName ;
.

?nImagingTool
a uco-tool:Tool ;
uco-core:name ?lToolName ;
uco-tool:version ?lToolVersion ;
.

?nImageFile
a/rdfs:subClassOf* uco-observable:ObservableObject ;
uco-core:hasFacet ?nImageFileFacet ;
.

?nImageFileFacet
a uco-observable:FileFacet ;
uco-observable:fileName ?lImageFileName ;
.
}
   ?lDeviceExhibitNumber  ?lImagingEndTime           ?lOfficerName  ?lToolName      ?lToolVersion  ?lImageFileName
0  SD1                    2017-02-06 22:13:08+00:00  Hoel           Magnet ACQUIRE  2.0.0.5412     LGE Nexus 5 Full Image.raw
1  SD1                    2017-02-06 22:13:08+00:00  Hoel           Magnet ACQUIRE  2.0.0.5412     LGE Nexus 5 Full Image.raw

The same row is returned twice because the image node carries two types, uco-observable:File and
uco-observable:Image, and each of them satisfies the a/rdfs:subClassOf* uco-observable:ObservableObject
pattern. Adding DISTINCT to the SELECT, as the hash query below does, collapses the duplicates.
EVIDENCE INTEGRITY

The integrity of digital evidence is verified by comparing the hash value(s) of the working copy
with the documented hash value(s) computed when the data was originally extracted.

CASE Representation of Evidence Integrity Details

[
{
"@id": "kb:investigator-09fb01ce-999e-4521-bd3f-f7be69a63a43",
"@type": "uco-identity:Person",
"uco-core:hasFacet": {
"@type": "uco-identity:SimpleNameFacet",
"uco-identity:familyName": "Hoel"
}
},
{
"@id": "kb:provenance-record-9bd9c456-5965-4782-8285-5fee34c8ddd2",
"@type": "case-investigation:ProvenanceRecord",
"case-investigation:exhibitNumber": "SD1",
"uco-core:description": "Smartphone used by subject",
"uco-core:object": [
{
"@id": "kb:lge-device-eee670c6-01d4-4e42-bb6b-ebeca149b168"
}
]
},
{
"@id": "kb:provenance-record-b84dc6ca-6187-4fc3-b5f1-c15142b103a8",
"@type": "case-investigation:ProvenanceRecord",
"case-investigation:exhibitNumber": "MD1",
"uco-core:description": "Forensic duplicate of smartphone used by subject",
"uco-core:object": [
{
"@id": "kb:f3fd304e-ef6c-4cbd-94cb-425880f82748"
}
]
},
{
"@id": "kb:f3fd304e-ef6c-4cbd-94cb-425880f82748",
"@type": [
"uco-observable:File",
"uco-observable:Image"
],
"uco-core:hasFacet": [
{
"@type": "uco-observable:FileFacet",
"uco-observable:observableCreatedTime": {
"@type": "xsd:dateTime",
"@value": "2017-02-06T20:51:09.00Z"
},
"uco-observable:extension": "raw",
"uco-observable:fileName": "LGE Nexus 5 Full Image.raw",
"uco-observable:fileSystemType": "NTFS",
"uco-observable:filePath": "C:\\Users\\cvance\\Desktop\\Owl Scenario
- Full\\LGE Nexus 5 Full Image.raw",
"uco-observable:isDirectory": false,
"uco-observable:sizeInBytes": 31268536320
},
{
"@type": "uco-observable:ContentDataFacet",
"uco-observable:hash": [
{
"@type": "uco-types:Hash",
"uco-types:hashMethod": {
"@type": "uco-vocabulary:HashNameVocab",
"@value": "MD5"
},
"uco-types:hashValue": {
"@type": "xsd:hexBinary",
"@value": "B334843A07A9E16494EEBDF3079E6BC6"
}
},
{
"@type": "uco-types:Hash",
"uco-types:hashMethod": {
"@type": "uco-vocabulary:HashNameVocab",
"@value": "SHA1"
},
"uco-types:hashValue": {
"@type": "xsd:hexBinary",
"@value": "5506912AAC41534DC5AF12B51059D5880737AB5E"
}
}
]
}
]
}
]
Query - hash verification
For the duplicate, labeled MD1, of the device SD1, what were its original hashes, and when were
they made? (SPARQL source)

SELECT DISTINCT ?lEndTime ?lHashMethod ?lHashValue
WHERE {
?nAction
a case-investigation:InvestigativeAction ;
uco-action:endTime ?lEndTime ;
uco-action:result ?nProvenanceRecord ;
uco-action:result ?nDiskImage ;
.

?nProvenanceRecord
a case-investigation:ProvenanceRecord ;
case-investigation:exhibitNumber "MD1" ;
uco-core:object ?nDiskImage ;
.

?nDiskImage
a/rdfs:subClassOf* uco-observable:ObservableObject ;
uco-core:hasFacet ?nContentDataFacet ;
.

?nContentDataFacet
a uco-observable:ContentDataFacet ;
uco-observable:hash ?nHash ;
.

?nHash
a uco-types:Hash ;
uco-types:hashMethod ?lHashMethod ;
uco-types:hashValue ?lHashValue ;
.
}
ORDER BY ?lHashMethod
   ?lEndTime                  ?lHashMethod  ?lHashValue
0  2017-02-06 22:13:08+00:00  MD5           b334843a07a9e16494eebdf3079e6bc6
1  2017-02-06 22:13:08+00:00  SHA1          5506912aac41534dc5af12b51059d5880737ab5e
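The comparison the integrity step calls for can be run directly against the bundle. The Python below is an added example, not part of the CASE owl narrative or of the CASE project's tooling; it walks the JSON-LD @graph without an RDF library and assumes the facet shapes used on this page (a uco-observable:ContentDataFacet holding uco-types:Hash entries). The image bytes and the kb:example-image record are constructed so the code runs without the 31 GB forensic duplicate; the file-system hash record is copied from the file-system facet further down this page, whose SHA256 value has only 40 hex digits. Two details matter in practice: xsd:hexBinary values are compared case-insensitively (the bundle stores the MD5 in upper case, the query output prints it in lower case), and a hash method the verifier cannot recompute is reported rather than silently treated as verified.

```python
import hashlib

# Hex length of a digest as written in a uco-types:hashValue (xsd:hexBinary).
DIGEST_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASHLIB_NAME = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}


def facets(node):
    """uco-core:hasFacet may be one object or a list; normalise to a list."""
    f = node.get("uco-core:hasFacet", [])
    return f if isinstance(f, list) else [f]


def documented_hashes(node):
    """Yield (method, hex value) from every ContentDataFacet on a node.
    Values are lower-cased: the bundle stores the MD5 in upper case while the
    SPARQL output prints it in lower case, and a plain string compare would
    report a mismatch on identical digests."""
    for facet in facets(node):
        if facet.get("@type") != "uco-observable:ContentDataFacet":
            continue
        for h in facet.get("uco-observable:hash", []):
            yield (h["uco-types:hashMethod"]["@value"],
                   h["uco-types:hashValue"]["@value"].lower())


def verify_working_copy(node, data):
    """Recompute each documented digest over the working copy `data`.
    Returns {method: True/False}; a method hashlib cannot recompute is
    reported as None rather than silently counted as verified."""
    results = {}
    for method, expected in documented_hashes(node):
        algo = HASHLIB_NAME.get(method)
        if algo is None:
            results[method] = None
            continue
        results[method] = hashlib.new(algo, data).hexdigest() == expected
    return results


def lint_hash_lengths(graph):
    """Flag Hash records whose hex length cannot be a digest of the named method.
    Returns [(node id, method, actual hex length, expected hex length)]."""
    problems = []
    for node in graph:
        for method, value in documented_hashes(node):
            want = DIGEST_HEX_LEN.get(method)
            if want is not None and len(value) != want:
                problems.append((node["@id"], method, len(value), want))
    return problems


def make_record(node_id, data):
    """Document hashes the way the acquisition tool did at extraction time
    (constructed record; same facet shape as the bundle)."""
    hashes = []
    for method, algo in (("MD5", "md5"), ("SHA1", "sha1")):
        hashes.append({
            "@type": "uco-types:Hash",
            "uco-types:hashMethod": {"@type": "uco-vocabulary:HashNameVocab", "@value": method},
            "uco-types:hashValue": {"@type": "xsd:hexBinary",
                                    "@value": hashlib.new(algo, data).hexdigest().upper()},
        })
    return {"@id": node_id, "@type": ["uco-observable:File", "uco-observable:Image"],
            "uco-core:hasFacet": [{"@type": "uco-observable:ContentDataFacet",
                                   "uco-observable:hash": hashes}]}


# Constructed stand-in for the 31 GB image; the tampered copy differs in one byte.
ORIGINAL_IMAGE = b"\x00" * 512 + b"constructed-image-payload" + b"\xff" * 512
TAMPERED_IMAGE = ORIGINAL_IMAGE[:520] + b"X" + ORIGINAL_IMAGE[521:]
IMAGE_RECORD = make_record("kb:example-image", ORIGINAL_IMAGE)

# Copied from the file-system facet on this page: the method says SHA256 but
# the value has 40 hex digits, the length of a SHA-1 digest.
FILESYSTEM_RECORD = {
    "@id": "kb:filesystem-e2a02b5a-7e7e-489f-ab43-3ffadab4ac82",
    "@type": "uco-observable:FileSystem",
    "uco-core:hasFacet": [{
        "@type": "uco-observable:ContentDataFacet",
        "uco-observable:hash": [
            {"@type": "uco-types:Hash",
             "uco-types:hashMethod": {"@type": "uco-vocabulary:HashNameVocab", "@value": "MD5"},
             "uco-types:hashValue": {"@type": "xsd:hexBinary",
                                     "@value": "dcd09547af64f6362400adb68f87032c"}},
            {"@type": "uco-types:Hash",
             "uco-types:hashMethod": {"@type": "uco-vocabulary:HashNameVocab", "@value": "SHA256"},
             "uco-types:hashValue": {"@type": "xsd:hexBinary",
                                     "@value": "08b1a2961b341411702c36e86adb143603abbf95"}},
        ],
    }],
}

if __name__ == "__main__":
    print(verify_working_copy(IMAGE_RECORD, ORIGINAL_IMAGE))  # {'MD5': True, 'SHA1': True}
    print(verify_working_copy(IMAGE_RECORD, TAMPERED_IMAGE))  # {'MD5': False, 'SHA1': False}
    print(lint_hash_lengths([IMAGE_RECORD, FILESYSTEM_RECORD]))
```

Run lint_hash_lengths over the whole @graph before any digest is cited in testimony: a 40-digit value labelled SHA256 cannot have been produced by SHA-256, so either the method label or the value was recorded wrongly and the Autopsy output has to be re-checked.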
ACQUIRED DEVICE SUMMARY

The details of the smartphone and its contents.


A) Device

CASE Representation of Android Device Properties

[
{
"@id": "kb:lge-device-eee670c6-01d4-4e42-bb6b-ebeca149b168",
"@type": "uco-observable:MobileDevice",
"uco-core:hasFacet": [
{
"@type": "uco-observable:DeviceFacet",
"uco-observable:manufacturer": {
"@id": "kb:organization-lge-e7ae1d96-e054-44b5-9943-8da6515e8332"
},
"uco-observable:model": "Nexus 5",
"uco-observable:serialNumber": "08ebf545d00af782",
"drafting:brand": "Google",
"drafting:name": "hammerhead",
"drafting:encryptionEnabled": false
},
{
"@type": "uco-observable:AndroidDeviceFacet",
"uco-observable:androidID": {
"@type": "xsd:hexBinary",
"@value": "64cce130286b31b3"
},
"uco-observable:androidFingerprint": "lge\u2026"
},
{
"@type": [
"drafting:BootLoaderFacet",
"uco-core:Facet"
],
"drafting:label": "HHZ20h",
"drafting:buildIdentifier": "M4B30Z",
"drafting:buildDate": "2016-11-03T20:03:42.00Z"
},
{
"@type": "uco-observable:MobileDeviceFacet",
"uco-observable:bluetoothDeviceName": "Nexus5",
"drafting:deviceActivationTime": {
"@type": "xsd:dateTime",
"@value": "2017-02-01T14:31:30.00Z"
},
"drafting:locationsServicesEnabled": true,
"uco-observable:keypadUnlockCode": "NULL",
"uco-observable:IMEI": "352584062438806",
"uco-observable:clockSetting": {
"@type": "xsd:dateTime",
"@value": "2017-02-06T20:51:09.35Z"
},
"uco-observable:storageCapacityInBytes": 31268536320
},
{
"@type": "uco-observable:OperatingSystemFacet",
"uco-core:name": "Android",
"uco-observable:manufacturer": {
"@id": "kb:organization-lge-e7ae1d96-e054-44b5-9943-8da6515e8332"
},
"uco-observable:advertisingID": "48500120-c9c5-402e-a6bc-04e2f92ae259",
"uco-observable:version": "6.0.1"
},
{
"@type": "uco-observable:WifiAddressFacet",
"uco-observable:addressValue": "34:4d:f7:54:20:bb"
},
{
"@type": "uco-observable:BluetoothAddressFacet",
"uco-observable:addressValue": "88:c9:d0:03:04:49"
},
{
"@type": "uco-observable:MobileAccountFacet",
"uco-observable:MSISDN": "+13046388446"
}
]
}
]
B) SIM Cards

The current SIM card ICCID is 89014104279201697299, as listed in the siminfo table of
the data/com.android.providers.telephony/databases/telephony.db database, as well as in
the contacts2.db database (calls table). Note: IMSI traces are also present in the
system/netpolicy.xml file. The Contained_Within relationship below records the period during
which the SIM was in the handset; its startTime value 2017-00-00T12:34:56Z is not a valid
xsd:dateTime (zero month and day) and cannot be relied on as the start of that period.

[
{
"@id": "kb:simcard1-relationship-a1dbff0e-974b-4295-b035-e1bc3271945d",
"@type": "uco-observable:ObservableRelationship",
"uco-core:source": {
"@id": "kb:simcard-24d20c80-f035-40ae-88dd-fc66f70180f6"
},
"uco-core:target": {
"@id": "kb:lge-device-eee670c6-01d4-4e42-bb6b-ebeca149b168"
},
"uco-core:kindOfRelationship": "Contained_Within",
"uco-core:startTime": {
"@type": "xsd:dateTime",
"@value": "2017-00-00T12:34:56Z"
},
"uco-core:endTime": {
"@type": "xsd:dateTime",
"@value": "2017-02-06T20:00:00.00Z"
},
"uco-core:isDirectional": true
}
]
CASE Representation of SIM Card Properties

[
{
"@id": "kb:simcard-24d20c80-f035-40ae-88dd-fc66f70180f6",
"@type": "uco-observable:SIMCard",
"uco-core:hasFacet": [
{
"@type": "uco-observable:SIMCardFacet",
"uco-observable:ICCID": "89014104279201697299",
"uco-observable:IMSI": {
"@id": "kb:mobileaccount-4b3cdcbd-6a31-462f-be9b-1ca2944c8876"
},
"uco-observable:carrier": {
"@id": "kb:organization-att-d60ffcec-4d89-48a1-b264-9cd4bc700a70"
}
}
]
},
{
"@id": "kb:mobileaccount-4b3cdcbd-6a31-462f-be9b-1ca2944c8876",
"@type": "uco-observable:MobileAccount",
"uco-core:hasFacet": [
{
"@type": "uco-observable:AccountFacet",
"uco-observable:accountType": {
"@type": "uco-vocabulary:AccountTypeVocab",
"@value": "phone"
},
"uco-observable:isActive": true
},
{
"@type": "uco-observable:MobileAccountFacet",
"uco-observable:MSISDN": "+13046388446",
"uco-observable:IMSI": "310410920169729"
}
]
},
{
"@id": "kb:sim-telephony-relationship-f7dfe5f0-e95a-4d0a-9d0e-8ed416e69587",
"@type": "uco-observable:ObservableRelationship",
"uco-core:source": {
"@id": "kb:simcard-24d20c80-f035-40ae-88dd-fc66f70180f6"
},
"uco-core:target": {
"@id": "kb:telephony-cd52c3b8-7759-40b7-ae10-dfc90a35f644"
},
"uco-core:kindOfRelationship": "Contained_Within",
"uco-core:isDirectional": true,
"uco-core:hasFacet": [
{
"@type": "uco-observable:DataRangeFacet",
"uco-observable:rangeOffset": 13751,
"uco-observable:rangeSize": "__NOT_PROVIDED"
},
{
"@type": [
"drafting:TableRelation",
"uco-core:Facet"
],
"drafting:tableName": "siminfo"
}
]
}
]
C) Virtual Identities

The name and email address of the primary user of the device were obtained:

Sarah McAvoy, [email protected], with a phone number +13046388446 associated with a
Facebook account. Note that in the bundle below the Associated_Account relationship links
the Facebook account to the phone account +19014449108, while +13046388446 is the handset's
own MSISDN from the MobileAccountFacet; the two numbers should be reconciled before either is
reported as the number tied to the Facebook account.

CASE Representation of Users and Accounts

[
{
"@id": "kb:primaryuser-d28a3fad-10a1-459c-9a1a-6aa07a04e76f",
"@type": "uco-identity:Person",
"uco-core:hasFacet": [
{
"@type": "uco-identity:SimpleNameFacet",
"uco-identity:givenName": "Sarah",
"uco-identity:familyName": "McAvoy"
}
]
},
{
"@id": "kb:primaryuser-faceboook-cb34b068-324b-4162-a9e5-6c96879b061c",
"@type": "uco-observable:ObservableRelationship",
"uco-core:source": {
"@id": "kb:primaryuser-d28a3fad-10a1-459c-9a1a-6aa07a04e76f"
},
"uco-core:target": {
"@id": "kb:email-account-99d72bac-8c21-11e9-8902-0c4de9c21b53"
},
"uco-core:kindOfRelationship": "Has_Account",
"uco-core:isDirectional": true
},
{
"@id": "kb:primaryuser-email-cb34b068-324b-4162-a9e5-6c96879b061c",
"@type": "uco-observable:ObservableRelationship",
"uco-core:source": {
"@id": "kb:primaryuser-d28a3fad-10a1-459c-9a1a-6aa07a04e76f"
},
"uco-core:target": {
"@id": "kb:facebook-90652808-7341-40d3-9285-774d865ad3f9"
},
"uco-core:kindOfRelationship": "Has_Account",
"uco-core:isDirectional": true
},
{
"@id": "kb:email-address-d6fbe80f-9098-4650-b7a8-0b0e225cec2b",
"@type": "uco-observable:EmailAddress",
"uco-core:hasFacet": [
{
"@type": "uco-observable:EmailAddressFacet",
"uco-observable:addressValue": "[email protected]"
}
]
},
{
"@id": "kb:email-account-99d72bac-8c21-11e9-8902-0c4de9c21b53",
"@type": "uco-observable:EmailAccount",
"uco-core:hasFacet": [
{
"@type": "uco-observable:EmailAccountFacet",
"uco-observable:emailAddress": {
"@id": "kb:email-address-d6fbe80f-9098-4650-b7a8-0b0e225cec2b"
}
},
{
"@type": "uco-observable:AccountAuthenticationFacet",
"uco-observable:password": "louisville!21"
}
]
},
{
"@id": "kb:c1d3237a-6d7f-4e96-bbef-6eb4c0a621d1",
"@type": "uco-observable:PhoneAccount",
"uco-core:hasFacet": [
{
"@type": "uco-observable:AccountFacet",
"uco-observable:accountIssuer": {
"@id": "kb:organization-att-d60ffcec-4d89-48a1-b264-9cd4bc700a70"
},
"uco-observable:isActive": true
},
{
"@type": "uco-observable:PhoneAccountFacet",
"uco-observable:phoneNumber": "+19014449108"
}
]
},
{
"@id": "kb:associated-account-phonenumber-0307a497-f1fb-4af4-9877-90c56ee76fba",
"@type": "uco-observable:ObservableRelationship",
"uco-core:source": {
"@id": "kb:facebook-90652808-7341-40d3-9285-774d865ad3f9"
},
"uco-core:target": {
"@id": "kb:c1d3237a-6d7f-4e96-bbef-6eb4c0a621d1"
},
"uco-core:kindOfRelationship": "Associated_Account",
"uco-core:isDirectional": true
},
{
"@id": "kb:facebook-90652808-7341-40d3-9285-774d865ad3f9",
"@type": "uco-observable:DigitalAccount",
"uco-core:hasFacet": [
{
"@type": "uco-observable:AccountFacet",
"uco-observable:accountIssuer": {
"@id": "kb:organization-facebook-fcb0d2ee-e681-4314-98c3-47fb2541aae9"
},
"uco-observable:accountIdentifier": "100015073810863",
"uco-observable:isActive": true
},
{
"@type": "uco-observable:ApplicationAccountFacet",
"uco-observable:application": {
"@id": "kb:application-facebook-25e8018f-49be-4898-bb1d-731e387e9eb7"
}
},
{
"@type": "uco-observable:DigitalAccountFacet",
"uco-observable:displayName": "????"
}
]
},
{
"@id": "kb:organization-facebook-fcb0d2ee-e681-4314-98c3-47fb2541aae9",
"@type": "uco-identity:Organization",
"uco-core:hasFacet": [
{
"@type": "uco-identity:OrganizationDetailsFacet",
"drafting:orgName": "Facebook"
}
]
},
{
"@id": "kb:application-facebook-25e8018f-49be-4898-bb1d-731e387e9eb7",
"@type": "uco-observable:Application",
"uco-core:hasFacet": [
{
"@type": "uco-observable:ApplicationFacet",
"drafting:appName": "Facebook"
}
]
}
]
Files that contain each ObservableObject can be represented using CASE and
the Relationship object:

[
{
"@id": "kb:accounts-9999c405-9326-4f28-9b8d-44a3bb9e9999",
"@type": "uco-observable:ObservableRelationship",
"uco-core:source": {
"@id": "kb:email-address-d6fbe80f-9098-4650-b7a8-0b0e225cec2b"
},
"uco-core:target": {
"@id": "kb:accountsxml-16805dff-05f9-4cba-9266-d5fa712f3d8f"
},
"uco-core:kindOfRelationship": "Contained_Within",
"uco-core:isDirectional": true,
"uco-core:hasFacet": [
{
"@type": "uco-observable:DataRangeFacet",
"uco-observable:rangeOffset": 352,
"uco-observable:rangeSize": 20
}
]
},
{
"@id": "kb:accountsxml-16805dff-05f9-4cba-9266-d5fa712f3d8f",
"@type": "uco-observable:File",
"uco-core:hasFacet": [
{
"@type": "uco-observable:FileFacet",
"uco-observable:fileName": "accounts.xml",
"uco-observable:filePath": "/img_LGE Nexus 5 Full Image.raw/vol_vol31/data/com.google.android.gms/shared_prefs/accounts.xml",
"uco-observable:extension": ".xml",
"uco-observable:isDirectory": false,
"uco-observable:allocationStatus": "allocated",
"uco-observable:sizeInBytes": 891,
"uco-observable:observableCreatedTime": {
"@type": "xsd:dateTime",
"@value": "2017-02-01T03:12:19.00Z"
},
"uco-observable:modifiedTime": {
"@type": "xsd:dateTime",
"@value": "2017-02-01T03:12:19.00Z"
}
}
]
},
{
"@id": "kb:accounts-9999999-9326-4f28-9b8d-44a3b9999999",
"@type": "uco-observable:ObservableRelationship",
"uco-core:source": {
"@id": "kb:email-address-d6fbe80f-9098-4650-b7a8-0b0e225cec2b"
},
"uco-core:target": {
"@id": "kb:accountsdb-99995dff-05f9-4cba-9266-d5fa712f9999"
},
"uco-core:kindOfRelationship": "Contained_Within",
"uco-core:isDirectional": true,
"uco-core:hasFacet": [
{
"@type": "uco-observable:DataRangeFacet",
"uco-observable:rangeOffset": 16272,
"uco-observable:rangeSize": 20
}
]
},
{
"@id": "kb:accountsdb-99995dff-05f9-4cba-9266-d5fa712f9999",
"@type": "uco-observable:File",
"uco-core:hasFacet": [
{
"@type": "uco-observable:FileFacet",
"uco-observable:fileName": "accounts.db",
"uco-observable:filePath": "/img_LGE Nexus 5 Full Image.raw/vol_vol31/system/users/0/accounts.db",
"uco-observable:extension": ".db",
"uco-observable:isDirectory": false,
"uco-observable:allocationStatus": "allocated",
"uco-observable:sizeInBytes": 159744,
"uco-observable:observableCreatedTime": {
"@type": "xsd:dateTime",
"@value": "2017-02-06T21:03:08.00Z"
},
"uco-observable:modifiedTime": {
"@type": "xsd:dateTime",
"@value": "2017-02-06T21:03:08.00Z"
}
}
]
}
]
A Skype account, "live:mcavoys87", was found in the file /data/com.skype.raider/files/shared.xml.

[
{
"@id": "kb:skype-99992808-7341-40d3-9285-774d865a9999",
"@type": "uco-observable:DigitalAccount",
"uco-core:hasFacet": [
{
"@type": "uco-observable:AccountFacet",
"uco-observable:accountIssuer": {
"@id": "kb:organization-skypeapp-cc44c2ae-bdd3-4df8-9ca3-1f58d682d62b"
},
"uco-observable:accountIdentifier": "mcavoys87",
"uco-observable:isActive": true
}
]
}
]
In addition, a text.app (TextNow) account was extracted from
the /media/0/Android/data/com.enflick.android.TextNow/cache/log_logcat.txt file.
[
{
"@id": "kb:textapp-9b38d51f-f5b9-4740-9968-6f1a1e1ec7bf",
"@type": "uco-observable:DigitalAccount",
"uco-core:hasFacet": [
{
"@type": "uco-observable:AccountFacet",
"uco-observable:accountIssuer": {
"@id": "kb:organization-textapp-a2ba855b-1218-44f5-9f73-a2530defbc73"
},
"uco-observable:accountIdentifier": "mcavoy287",
"uco-observable:isActive": true
},
{
"@type": "uco-observable:DigitalAccountFacet",
"uco-observable:displayName": "NULL",
"uco-observable:accountLogin": "mcavoy287",
"uco-observable:firstLoginTime": {
"@type": "xsd:dateTime",
"@value": "2017-01-30T19:00:31Z"
}
},
{
"@type": "uco-observable:AccountAuthenticationFacet",
"uco-observable:password": "huntington*32"
}
]
},
{
"@id": "kb:LoginData-c316c405-9326-4f28-9b8d-44a3bb9e7283",
"@type": "uco-observable:ObservableRelationship",
"uco-core:source": {
"@id": "kb:textapp-9b38d51f-f5b9-4740-9968-6f1a1e1ec7bf"
},
"uco-core:target": {
"@id": "kb:textapplogcat-1a717ea6-8990-4709-92f0-d748cacb817e"
},
"uco-core:kindOfRelationship": "Contained_Within",
"uco-core:isDirectional": true,
"uco-core:hasFacet": [
{
"@type": "uco-observable:DataRangeFacet",
"uco-observable:rangeOffset": 2704,
"uco-observable:rangeSize": 9
}
]
}
]
OBSERVABLE OBJECTS

Representing extracted cyber-investigation information while maintaining the chain of evidence
for provenance and traceability purposes.
CASE Representation of Partition within Forensic Duplicate

(Values obtained using Autopsy)

[
{
"@id": "kb:userdata-partition-d94cd1b5-5cf7-4642-8927-5ebea573d68e",
"@type": "uco-observable:DiskPartition"
},
{
"@id": "kb:partition-87d669fc-8ab9-47c6-a66d-af09d73361d5",
"@type": "uco-observable:ObservableRelationship",
"uco-core:source": {
"@id": "kb:userdata-partition-d94cd1b5-5cf7-4642-8927-5ebea573d68e"
},
"uco-core:target": {
"@id": "kb:f3fd304e-ef6c-4cbd-94cb-425880f82748"
},
"uco-core:kindOfRelationship": "Contained_Within",
"uco-core:isDirectional": true,
"uco-core:hasFacet": [
{
"@type": "uco-observable:DataRangeFacet",
"uco-observable:rangeOffset": 2032140288,
"uco-observable:rangeSize": 29236373504
}
]
}
]
A) File System

The location of the file system within the forensic duplicate, to maintain the provenance and
traceability of extracted results. Note that the second hash recorded in the ContentDataFacet
below is labelled SHA256 but its value is 40 hexadecimal digits (160 bits), the length of a SHA-1
digest rather than the 64 digits SHA-256 produces; the method label or the value should be
checked against the Autopsy output before the hash is relied upon.

CASE Representation of File System within the UserData Partition

(Values obtained using Autopsy)

[
{
"@id": "kb:filesystem-e2a02b5a-7e7e-489f-ab43-3ffadab4ac82",
"@type": "uco-observable:FileSystem",
"uco-core:hasFacet": [
{
"@type": "uco-observable:DiskPartitionFacet",
"uco-observable:diskPartitionType": "GPT",
"uco-observable:partitionID": "31",
"uco-observable:partitionOffset": 2032140288,
"uco-observable:partitionLength": 29236373504
},
{
"@type": "uco-observable:FileSystemFacet",
"uco-observable:fileSystemType": "EXT4"
},
{
"@type": "uco-observable:ContentDataFacet",
"uco-observable:hash": [
{
"@type": "uco-types:Hash",
"uco-types:hashMethod": {
"@type": "uco-vocabulary:HashNameVocab",
"@value": "MD5"
},
"uco-types:hashValue": {
"@type": "xsd:hexBinary",
"@value": "dcd09547af64f6362400adb68f87032c"
}
},
{
"@type": "uco-types:Hash",
"uco-types:hashMethod": {
"@type": "uco-vocabulary:HashNameVocab",
"@value": "SHA256"
},
"uco-types:hashValue": {
"@type": "xsd:hexBinary",
"@value": "08b1a2961b341411702c36e86adb143603abbf95"
}
}
]
}
]
}
]
B) File in File System

CASE Representation

[
{
"@id": "kb:filesystem-relationship-f64f857e-6c87-417f-9166-5aaaed8a6fd2",
"@type": "uco-observable:ObservableRelationship",
"uco-core:source": {
"@id": "kb:downloaded-file-3961dae3-2bca-4ccb-97fd-9919192e81db"
},
"uco-core:target": {
"@id": "kb:filesystem-e2a02b5a-7e7e-489f-ab43-3ffadab4ac82"
},
"uco-core:kindOfRelationship": "Contained_Within",
"uco-core:isDirectional": true,
"uco-core:hasFacet": [
{
"@type": "uco-observable:PathRelationFacet",
"uco-observable:path": "/img_LGE Nexus 5 Full Image.raw/vol_vol31/media/0/Download/download.jpg"
}
]
}
]
C) File

CASE Representation

[
{
"@id": "kb:downloaded-file-3961dae3-2bca-4ccb-97fd-9919192e81db",
"@type": "uco-observable:File",
"uco-core:tag": [
"Picture",
"Owl"
],
"uco-core:hasFacet": [
{
"@type": "uco-observable:FileFacet",
"uco-observable:fileName": "download.jpg",
"uco-observable:filePath": "/img_LGE Nexus 5 Full Image.raw/vol_vol31/media/0/Download/download.jpg",
"drafting:fileLocalPath": "files/image/download.jpg",
"uco-observable:extension": ".jpg",
"uco-observable:isDirectory": false,
"uco-observable:allocationStatus": "allocated",
"uco-observable:sizeInBytes": 10704,
"uco-observable:observableCreatedTime": {
"@type": "xsd:dateTime",
"@value": "2017-02-03T17:19:26.00Z"
},
"uco-observable:modifiedTime": {
"@type": "xsd:dateTime",
"@value": "2017-02-03T17:19:26.00Z"
},
"uco-observable:accessedTime": {
"@type": "xsd:dateTime",
"@value": "2017-02-03T17:19:26.00Z"
}
},
{
"@type": "uco-observable:ExtInodeFacet",
"uco-observable:extInodeID": 1344287,
"uco-observable:extSGID": 1023,
"uco-observable:extSUID": 1023,
"uco-observable:extHardLinkCount": 1,
"uco-observable:extPermissions": 664,
"uco-observable:extInodeChangeTime": {
"@type": "xsd:dateTime",
"@value": "2017-02-03T17:19:26.00Z"
}
},
{
"@type": "uco-observable:ContentDataFacet",
"uco-observable:hash": [
{
"@type": "uco-types:Hash",
"uco-types:hashMethod": {
"@type": "uco-vocabulary:HashNameVocab",
"@value": "MD5"
},
"uco-types:hashValue": {
"@type": "xsd:hexBinary",
"@value": "70e5be834b3ba41b853f281a5c59a93b"
}
}
]
}
]
}
]
Note: EXIF metadata is represented using properties specified in the standard
(https://www.exif.org/Exif2-2.PDF).

D) Deleted File/Directory

CASE Representation

[
{
"@id": "kb:downloaded-directory-9999dae3-2bca-4ccb-97fd-9919192e9999",
"@type": "uco-observable:File",
"uco-core:hasFacet": [
{
"@type": "uco-observable:FileFacet",
"uco-observable:fileName": "IMG_20170203_121618.jpg",
"uco-observable:filePath": "/img_LGE Nexus 5 Full Image.raw/vol_vol31/media/0/DCIM/Camera/IMG_20170203_121618.jpg",
"drafting:fileLocalPath": "files/image/IMG_20170203_121618.jpg",
"uco-observable:extension": ".jpg",
"uco-observable:isDirectory": true,
"uco-observable:allocationStatus": "unallocated",
"uco-observable:sizeInBytes": 4096,
"uco-observable:observableCreatedTime": {
"@type": "xsd:dateTime",
"@value": "2017-02-03T17:22:30.00Z"
},
"uco-observable:modifiedTime": {
"@type": "xsd:dateTime",
"@value": "2017-02-03T17:22:30.00Z"
},
"uco-observable:accessedTime": {
"@type": "xsd:dateTime",
"@value": "2017-02-03T17:22:30.00Z"
}
},
{
"@type": "uco-observable:ExtInodeFacet",
"uco-observable:extInodeID": 1351746,
"uco-observable:extSGID": 1023,
"uco-observable:extSUID": 1023,
"uco-observable:extHardLinkCount": 1,
"uco-observable:extPermissions": 755,
"uco-observable:extInodeChangeTime": {
"@type": "xsd:dateTime",
"@value": "2017-02-03T17:22:30.00Z"
}
},
{
"@type": [
"drafting:UnallocatedRecoverabilityFacet",
"uco-core:Facet"
],
"drafting:nameStatus": "recoverable",
"drafting:metadataStatus": "recoverable",
"drafting:contentStatus": "unrecoverable"
}
]
}
]
E) Messages

The user contacts another user who can provide an owl in exchange for cash. An owl is decided
upon, and an exchange is scheduled. After the exchange, a communication message is sent
confirming the owl purchase has been completed.

CASE Representation of Text Message

[
{
"@id": "kb:message-9999898c-0178-4534-8107-caea0a0f9999",
"@type": "uco-observable:Application"
},
{
"@id": "kb:sms-message-2c032220-8c21-11e9-9c99-0c4de9c21b53",
"@type": "uco-observable:SMSMessage",
"uco-core:hasFacet": [
{
"@type": "uco-observable:MessageFacet",
"uco-observable:application": {
"@id": "kb:message-9999898c-0178-4534-8107-caea0a0f9999"
},
"uco-observable:sentTime": {
"@type": "xsd:dateTime",
"@value": "2017-02-01T00:41:15.00Z"
},
"uco-observable:messageText": "Sarah, the delivery is today 7 tonight the confirmation will come later through pidgin",
"drafting:allocationStatus": "unallocated",
"uco-observable:from": {
"@id": "kb:9999237a-6d7f-4e96-bbef-6eb4c0a69999"
},
"uco-observable:to": [
{
"@id": "kb:c1d3237a-6d7f-4e96-bbef-6eb4c0a621d1"
}
]
}
]
},
{
"@id": "kb:9999237a-6d7f-4e96-bbef-6eb4c0a69999",
"@type": "uco-observable:PhoneAccount",
"uco-core:hasFacet": [
{
"@type": "uco-observable:AccountFacet",
"uco-observable:accountIssuer": {
"@id": "kb:organization-att-d60ffcec-4d89-48a1-b264-9cd4bc700a70"
},
"uco-observable:isActive": true
},
{
"@type": "uco-observable:PhoneAccountFacet",
"uco-observable:phoneNumber": "+13045184333"
}
]
}
]
CASE Representation of Message within database container

NOTE: The SMS message is contained in the file /data/com.android.providers.telephony/databases/mmssms.db-journal (offset=2560, table=sms).

[see proposed relationship object]

[
{
"@id": "kb:mmssmsdb-journalfile-uuid",
"@type": "uco-observable:File"
},
{
"@id": "kb:message-database-relationship-uuid",
"@type": "uco-observable:ObservableRelationship",
"uco-core:source": {
"@id": "kb:sms-message-2c032220-8c21-11e9-9c99-0c4de9c21b53"
},
"uco-core:target": {
"@id": "kb:mmssmsdb-journalfile-uuid"
},
"uco-core:kindOfRelationship": "Contained_Within",
"uco-core:isDirectional": true,
"uco-core:hasFacet": [
{
"@type": "uco-observable:DataRangeFacet",
"uco-observable:rangeOffset": 2560,
"uco-observable:rangeSize": 96
},
{
"@type": [
"drafting:TableRelationFacet",
"uco-core:Facet"
],
"drafting:tableName": "sms"
}
]
}
]
CASE Representation of Skype Message

[
{
"@id": "kb:skypeapp-a6b73e78-00da-11eb-a396-acde48001122",
"@type": "uco-observable:Application"
},
{
"@id": "kb:externalaccount-8976b508-80e5-4442-af1c-637d3b09240e",
"@type": "uco-observable:DigitalAccount"
},
{
"@id": "kb:skypemsg-eafca388-f926-4d48-864d-1bfdd3a2ba7f",
"@type": "uco-observable:Message",
"uco-core:hasFacet": [
{
"@type": "uco-observable:MessageFacet",
"uco-observable:messageText": "Hey Matt thanks for the hook up",
"uco-observable:application": {
"@id": "kb:skypeapp-a6b73e78-00da-11eb-a396-acde48001122"
},
"uco-observable:sentTime": {
"@type": "xsd:dateTime",
"@value": "2017-01-30T19:15:25.00Z"
},
"uco-observable:from": {
"@id": "kb:skype-99992808-7341-40d3-9285-774d865a9999"
},
"uco-observable:to": [
{
"@id": "kb:externalaccount-8976b508-80e5-4442-af1c-637d3b09240e"
}
],
"drafting:allocationStatus": "allocated",
"uco-observable:messageType": "incoming"
}
]
}
]
F) URL History
CASE Representation

[
{
"@id": "kb:url-history-39ff4987-8ae5-47e3-8369-dbd0d5f79398",
"@type": "uco-observable:URLHistory",
"uco-core:hasFacet": [
{
"@type": "uco-observable:URLHistoryFacet",
"uco-observable:browserInformation": {
"@id": "kb:software-5d96df90-d9e1-423c-b8db-c2327812ab38"
},
"uco-observable:urlHistoryEntry": [
{
"@type": "uco-observable:URLHistoryEntry",
"uco-observable:firstVisit": {
"@type": "xsd:dateTime",
"@value": "2017-01-25T02:20:22.00Z"
},
"uco-observable:lastVisit": {
"@type": "xsd:dateTime",
"@value": "2017-01-25T02:20:22.00Z"
},
"uco-observable:expirationTime": null,
"uco-observable:browserUserProfile": {
"@id": "kb:profile-account-857c7f17-2f6b-4618-aeca-50d79fa69b97"
},
"uco-observable:url": {
"@id": "kb:url-b7906534-0483-4cf4-979c-5351916602ed"
},
"uco-observable:referrerUrl": null,
"uco-observable:pageTitle": "Where can you find baby owls for sale? Are owls legal to keep as pets? - Quora",
"uco-observable:visitCount": 2,
"uco-observable:manuallyEnteredCount": {
"@type": "xsd:nonNegativeInteger",
"@value": "0"
},
"uco-observable:keywordSearchTerm": null
}
]
}
]
},
{
"@id": "kb:url-b7906534-0483-4cf4-979c-5351916602ed",
"@type": "uco-observable:URL",
"uco-core:hasFacet": [
{
"@type": "uco-observable:URLFacet",
"uco-observable:fullValue": "https://www.quora.com/Where-can-you-find-baby-owls-for-sale-Are-owls-legal-to-keep-as-pets"
}
]
},
{
"@id": "kb:bfe049a6-fa3f-4bf6-9c37-9b09cc6afe6b",
"@type": "uco-observable:File",
"uco-core:tag": [
"Database"
],
"uco-core:hasFacet": [
{
"@type": "uco-observable:FileFacet",
"uco-observable:fileName": "History",
"uco-observable:filePath": "/img_LGE Nexus 5 Full Image.raw/vol_vol31/data/com.android.chrome/app_chrome/Default/History",
"drafting:fileLocalPath": "files/Database/History",
"uco-observable:extension": null,
"uco-observable:isDirectory": false,
"uco-observable:sizeInBytes": 176128,
"uco-observable:observableCreatedTime": {
"@type": "xsd:dateTime",
"@value": "2017-01-25T01:10:45.00Z"
},
"uco-observable:modifiedTime": {
"@type": "xsd:dateTime",
"@value": "2017-02-03T17:22:29.00Z"
},
"uco-observable:accessedTime": {
"@type": "xsd:dateTime",
"@value": "2017-01-25T01:10:45.00Z"
}
},
{
"@type": "uco-observable:ExtInodeFacet",
"uco-observable:extInodeID": 1483050,
"uco-observable:extSGID": 10034,
"uco-observable:extSUID": 10034,
"uco-observable:extInodeChangeTime": {
"@type": "xsd:dateTime",
"@value": "2017-02-03T17:22:29.00Z"
}
},
{
"@type": "uco-observable:ContentDataFacet",
"uco-observable:hash": [
{
"@type": "uco-types:Hash",
"uco-types:hashMethod": {
"@type": "uco-vocabulary:HashNameVocab",
"@value": "MD5"
},
"uco-types:hashValue": {
"@type": "xsd:hexBinary",
"@value": "42ecb5615ad2778968c295c0a1b0837b"
}
}
]
}
]
},
{
"@id": "kb:2af6fcf3-91d3-4457-9333-abab67f8fb91",
"@type": "uco-observable:ObservableRelationship",
"uco-core:source": {
"@id": "kb:url-history-39ff4987-8ae5-47e3-8369-dbd0d5f79398"
},
"uco-core:target": {
"@id": "kb:bfe049a6-fa3f-4bf6-9c37-9b09cc6afe6b"
},
"uco-core:isDirectional": true,
"uco-core:kindOfRelationship": "Contained_Within",
"uco-core:hasFacet": [
{
"@type": "uco-observable:DataRangeFacet",
"uco-observable:rangeOffset": 100832,
"uco-observable:rangeSize": 176
},
{
"@type": [
"drafting:TableRelationFacet",
"uco-core:Facet"
],
"drafting:tableName": "urls"
}
]
}
]
G) Location

Geolocation coordinates were found in the file /data/com.google.android.apps.maps/shared_prefs/camera.xml.

CASE Representation

[
{
"@id": "kb:latlong-8667ec82-8c21-11e9-934e-0c4de9c21b53",
"@type": "uco-location:Location",
"uco-core:hasFacet": {
"@type": "uco-location:LatLongCoordinatesFacet",
"uco-location:latitude": {
"@type": "xsd:decimal",
"@value": "38.423756"
},
"uco-location:longitude": {
"@type": "xsd:decimal",
"@value": "-82.43619"
},
"uco-location:altitude": null
}
},
{
"@id": "kb:camera-xml-uuid",
"@type": "uco-observable:File"
},
{
"@id": "kb:cameralocation-relationship-uuid",
"@type": "uco-observable:ObservableRelationship",
"uco-core:source": {
"@id": "kb:latlong-8667ec82-8c21-11e9-934e-0c4de9c21b53"
},
"uco-core:target": {
"@id": "kb:camera-xml-uuid"
},
"uco-core:kindOfRelationship": "Contained_Within",
"uco-core:isDirectional": true
}
]
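The Contained_Within relationships in sections E, F and G (SMS inside mmssms.db-journal, URL history inside the Chrome History database, coordinates inside camera.xml) all use the same ObservableRelationship pattern. As an added example that is not part of the report, the Python below walks a CASE JSON-LD graph, indexes objects by @id, and resolves each Contained_Within relationship to its container file, byte offset, size and table; SAMPLE_GRAPH is a constructed graph mirroring the report's SMS entry, and @type and hasFacet are handled both as single values and as lists because the report emits both forms.

```python
import json
# Constructed sample shaped like the report's SMS / mmssms.db-journal objects
# above (ids shortened); it is not copied from any real evidence set.
SAMPLE_GRAPH = json.loads("""[
 {"@id": "kb:sms-1", "@type": "uco-observable:SMSMessage",
  "uco-core:hasFacet": [{"@type": "uco-observable:MessageFacet",
   "uco-observable:messageText": "delivery is today 7 tonight"}]},
 {"@id": "kb:journal-1", "@type": "uco-observable:File",
  "uco-core:hasFacet": {"@type": "uco-observable:FileFacet",
   "uco-observable:filePath": "/data/com.android.providers.telephony/databases/mmssms.db-journal"}},
 {"@id": "kb:rel-1", "@type": "uco-observable:ObservableRelationship",
  "uco-core:source": {"@id": "kb:sms-1"}, "uco-core:target": {"@id": "kb:journal-1"},
  "uco-core:kindOfRelationship": "Contained_Within", "uco-core:isDirectional": true,
  "uco-core:hasFacet": [
   {"@type": "uco-observable:DataRangeFacet",
    "uco-observable:rangeOffset": 2560, "uco-observable:rangeSize": 96},
   {"@type": ["drafting:TableRelationFacet", "uco-core:Facet"], "drafting:tableName": "sms"}]}
]""")

def as_list(value):
    """CASE emits @type and hasFacet both as a single value and as a list."""
    return value if isinstance(value, list) else [value]

def find_facet(obj, facet_type):
    """First facet of obj whose @type includes facet_type, else None."""
    for facet in as_list(obj.get("uco-core:hasFacet", [])):
        if facet_type in as_list(facet.get("@type", [])):
            return facet
    return None

def resolve_containment(graph):
    """One record per Contained_Within relationship: which artifact sits in
    which container file, at what offset/size, and in which table (if any)."""
    by_id = {o["@id"]: o for o in graph if "@id" in o}
    records = []
    for rel in graph:
        if ("uco-observable:ObservableRelationship" not in as_list(rel.get("@type", []))
                or rel.get("uco-core:kindOfRelationship") != "Contained_Within"):
            continue
        src = by_id.get(rel["uco-core:source"]["@id"], {})
        dst = by_id.get(rel["uco-core:target"]["@id"], {})
        rng = find_facet(rel, "uco-observable:DataRangeFacet") or {}
        tbl = find_facet(rel, "drafting:TableRelationFacet") or {}
        # Stub file objects (only @id/@type, as in the report) give no path.
        path = (find_facet(dst, "uco-observable:FileFacet") or {}).get("uco-observable:filePath")
        records.append({"source": src.get("@id"), "source_type": src.get("@type"),
                        "container": dst.get("@id"), "container_path": path,
                        "offset": rng.get("uco-observable:rangeOffset"),
                        "size": rng.get("uco-observable:rangeSize"), "table": tbl.get("drafting:tableName")})
    return records
```

Run against a full CASE export, the records give an analyst a checklist of which carved or database-resident artifacts to re-verify at the stated offset in the container file.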
