Regenerate Make-managed files
References:
* ucoProject/UCO#251

Signed-off-by: Alex Nelson <[email protected]>
ajnelson-nist committed Jul 27, 2022
1 parent 9f38733 commit af85597
Showing 5 changed files with 997 additions and 133 deletions.
269 changes: 140 additions & 129 deletions examples/illustrations/recoverability/README.md
@@ -1,3 +1,9 @@
<!--
GENERATED FILE README.md is generated from source files. Edits to it will be overwritten by automated processes.:
If you need to edit its content, edit src/README.md.in, and then re-run `make` to re-build the file.
-->


# Recoverability Examples
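Review bot: the generated-file banner added at the top of README.md ends with "automated processes.:" (a stray colon after the full stop) and is followed by two blank lines before the heading where one would do. Since README.md is itself Make-generated, as the banner states, the fix belongs in whatever template or Makefile rule emits the banner, not in README.md, otherwise the next `make` run reintroduces it. Suggested wording: `GENERATED FILE. README.md is generated from source files. Edits to it will be overwritten by automated processes.`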

@@ -10,7 +16,7 @@ These states can be represented using the `UnallocatedRecoverabilityFacet` with
* `metadataRecoverabilityStatus`: recovered, overwritten, unknown
* `contentRecoverabilityStatus`: recovered, partially recovered, overwritten, unknown

This representation applies to file systems as well as file system within a file data structures such as SQLite databases and Windows Registry hives.
This representation applies to file systems as well as "file system within a file" data structures such as SQLite databases and Windows Registry hives.
For further details and background, see [Standardization of File Recovery Classification and Authentication](https://www.nist.gov/publications/standardization-file-recovery-classification-and-authentication). Additional recoverability scenarios are available in the initial proposal [Representing Recoverability of Unallocated Files](https://caseontology.org/resources/references/Representing%20Recoverability%20of%20Unallocated%20Files%20using%20CASE%20UCO%2031Jan2018.pdf) with the caveat that examples use an early version of CASE/UCO.

# File System Recoverability
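Review bot: the only change in this hunk is quoting "file system within a file"; because README.md is regenerated from src/README.md.in according to the banner added in this commit, confirm that the same wording is present in src/README.md.in rather than edited only here, or the next `make` run will drop it. A hyphenated form ("file-system-within-a-file" data structures) would read cleanly without the quotation marks.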
@@ -23,171 +29,176 @@ Using the NIST image `dfr-01-fat.dd` of a FAT 12 file system with unallocated fi

```json
[
{
"@id": "kb:CB0354F5-2DBD-4C02-8A6C-011B77125EE2",
"@type": "uco-observable:ObservableObject"
"uco-core:hasFacet": [
{
"@type": "FileFacet",
"createdTime": "2011-12-25T19:02:22Z",
"modifiedTime": "2000-02-29T19:11Z",
"accessedTime": "1999-01-02T05:00Z",
"extension": "txt",
"fileName": "_BEID.txt",
"filePath": "/img_dfr-01-fat.dd/vol_vol2/_BEID.txt",
"isDirectory": false,
"sizeInBytes": 712
},
{
"@type": "uco-observable:UnallocatedRecoverabilityFacet",
"uco-observable:nameRecoverabilityStatus": "recovered",
"uco-observable:metadataRecoverabilityStatus": "recovered",
"uco-observable:contentRecoverabilityStatus": "recovered"
}
],
}
{
"@id": "kb:CB0354F5-2DBD-4C02-8A6C-011B77125EE2",
"@type": "uco-observable:ObservableObject",
"uco-core:hasFacet": [
{
"@type": "uco-observable:FileFacet",
"uco-observable:createdTime": "2011-12-25T19:02:22Z",
"uco-observable:modifiedTime": "2000-02-29T19:11Z",
"uco-observable:accessedTime": "1999-01-02T05:00Z",
"uco-observable:extension": "txt",
"uco-observable:fileName": "_BEID.txt",
"uco-observable:filePath": "/img_dfr-01-fat.dd/vol_vol2/_BEID.txt",
"uco-observable:isDirectory": false,
"uco-observable:sizeInBytes": 712
},
{
"@type": "uco-observable:UnallocatedRecoverabilityFacet",
"uco-observable:nameRecoverabilityStatus": "recovered",
"uco-observable:metadataRecoverabilityStatus": "recovered",
"uco-observable:contentRecoverabilityStatus": "recovered"
}
]
}
]
```

Using the [Crossover](https://caseontology.org/examples/crossover/) shared dataset, specifically the Windows computer available here: [Switch Drive](https://drive.switch.ch/index.php/s/0c7BiyQZRKOtMMq)
The following shows a file system entry that has recoverable filename ~[email protected] , but the status of associated metadata and content are unknown.
The following shows a file system entry that has recoverable filename "~[email protected]" , but the status of associated metadata and content are unknown.

INSERT IMAGE
![AutopsyCrossoverDeleted.png](https://files.caseontology.org/CASE-Examples/examples/illustrations/recoverability/AutopsyCrossoverDeleted.png)

This recovered file system entry can be represented using the `observable:UnallocatedRecoverabilityFacet` as follows:

```json
[
{
"@id": "kb:BD64BDD9-3DCD-4828-A25B-A72C06E472CD"
"@type": "uco-observable:ObservableObject"
"uco-core:hasFacet": [
{
"@type": "uco-observable:FileFacet",
"uco-observable:accessedTime": "null",
"uco-observable:extension": "tmp",
"uco-observable:fileName": "[email protected]",
"uco-observable:filePath": "/Users/Harley Quinn/AppData/Local/Microsoft/Outlook/[email protected]",
"uco-observable:isDirectory": false,
"uco-observable:sizeInBytes": null,
"uco-observable:createdTime": "null",
"uco-observable:modifiedTime": "null"
},
{
"@type": "uco-observable:UnallocatedRecoverabilityFacet",
"uco-observable:nameRecoverabilityStatus": "recovered",
"uco-observable:metadataRecoverabilityStatus": "unknown",
"uco-observable:contentRecoverabilityStatus": "unknown"
}
],
}
{
"@id": "kb:BD64BDD9-3DCD-4828-A25B-A72C06E472CD",
"@type": "uco-observable:ObservableObject",
"uco-core:hasFacet": [
{
"@type": "uco-observable:FileFacet",
"uco-observable:accessedTime": "null",
"uco-observable:extension": "tmp",
"uco-observable:fileName": "[email protected]",
"uco-observable:filePath": "/Users/Harley Quinn/AppData/Local/Microsoft/Outlook/[email protected]",
"uco-observable:isDirectory": false,
"uco-observable:sizeInBytes": null,
"uco-observable:createdTime": "null",
"uco-observable:modifiedTime": "null"
},
{
"@type": "uco-observable:UnallocatedRecoverabilityFacet",
"uco-observable:nameRecoverabilityStatus": "recovered",
"uco-observable:metadataRecoverabilityStatus": "unknown",
"uco-observable:contentRecoverabilityStatus": "unknown"
}
]
}
]
```

Again using the [Crossover](https://caseontology.org/examples/crossover/) shared dataset, the LNK file Users/Harley Quinn/AppData/Roaming/Microsoft/Windows/Recent/Thebatplan.lnk references a file on a USB device D:\Thebatplan with associated metadata represented here, and the `contentRecoverabilityStatus` unknown:
Again using the [Crossover](https://caseontology.org/examples/crossover/) shared dataset, the LNK file "Users/Harley Quinn/AppData/Roaming/Microsoft/Windows/Recent/Thebatplan.lnk" references a file on a USB device "D:\Thebatplan" with associated metadata represented here, and the `contentRecoverabilityStatus` unknown:

```json
[
{
"@id": "kb:665D63BE-93E6-4D3E-8E75-3112BE091E93",
"@type": "uco-observable:ObservableObject"
"uco-core:hasFacet": [
{
"@type": "uco-observable:FileFacet",
"uco-observable:extension": "",
"uco-observable:fileName": "Thebatplan",
"uco-observable:filePath": "D:\\Thebatplan",
"uco-observable:isDirectory": false,
"uco-observable:sizeInBytes": 1389601,
"uco-observable:createdTime": {
"@type": "xsd:dateTime",
"@value": "2018-11-19T00:29:15Z"
},
"uco-observable:accessedTime": {
"@type": "xsd:dateTime",
"@value": "2018-11-18T22:53:09.595Z"
},
"uco-observable:modifiedTime": {
"@type": "xsd:dateTime",
"@value": "2018-11-18T20:10:48.00Z"
}
{
"@id": "kb:665D63BE-93E6-4D3E-8E75-3112BE091E93",
"@type": "uco-observable:ObservableObject",
"uco-core:hasFacet": [
{
"@type": "uco-observable:FileFacet",
"uco-observable:extension": "",
"uco-observable:fileName": "Thebatplan",
"uco-observable:filePath": "D:\\Thebatplan",
"uco-observable:isDirectory": false,
"uco-observable:sizeInBytes": 1389601,
"uco-observable:createdTime": {
"@type": "xsd:dateTime",
"@value": "2018-11-19T00:29:15Z"
},
{
"@type": "uco-observable:UnallocatedRecoverabilityFacet",
"uco-observable:nameRecoverabilityStatus": "recovered",
"uco-observable:metadataRecoverabilityStatus": "recovered",
"uco-observable:contentRecoverabilityStatus": "unknown"
"uco-observable:accessedTime": {
"@type": "xsd:dateTime",
"@value": "2018-11-18T22:53:09.595Z"
},
"uco-observable:modifiedTime": {
"@type": "xsd:dateTime",
"@value": "2018-11-18T20:10:48.00Z"
}
],
}
},
{
"@type": "uco-observable:UnallocatedRecoverabilityFacet",
"uco-observable:nameRecoverabilityStatus": "recovered",
"uco-observable:metadataRecoverabilityStatus": "recovered",
"uco-observable:contentRecoverabilityStatus": "unknown"
}
]
}
]
```

Similar to a LNK file on Windows, entries in the external.db entry on the Samsung device in the Crossover shared dataset can be represented using the `observable:UnallocatedRecoverabilityFacet` with the `contentRecoverabilityStatus` unknown. For instance, the files table in the SQLite database Samsung Galaxy S6 Edge / UFED File Root / USERDATA (ExtX) / Root / data / com.android.providers.media / databases / external.db references the file IMG-20181120-WA0000.jpg:
Similar to a LNK file on Windows, entries in the external.db entry on the Samsung device in the Crossover shared dataset can be represented using the `observable:UnallocatedRecoverabilityFacet` with the `contentRecoverabilityStatus` unknown. For instance, the "files" table in the SQLite database "Samsung Galaxy S6 Edge / UFED File Root / USERDATA (ExtX) / Root / data / com.android.providers.media / databases / external.db" references the file IMG-20181120-WA0000.jpg:

```json
[
{
"@id": "kb:4026FABD-924D-4138-A6BA-73DF2EB37BCB",
"@type": "uco-observable:ObservableObject"
"uco-core:hasFacet": [
{
"@type": "uco-observable:FileFacet",
"uco-observable:extension": "jpg",
"uco-observable:fileName": "IMG-20181120-WA0000",
"uco-observable:filePath": "/storage/emulated/0/WhatsApp/Media/WhatsApp Images/Sent/IMG-20181120-WA0000.jpg",
"uco-observable:isDirectory": false,
"uco-observable:sizeInBytes": 1389601,
"uco-observable:createdTime": {
"@type": "xsd:dateTime",
"@value": "2018-11-19T00:29:15Z"
},
},
{
"@type": "uco-observable:UnallocatedRecoverabilityFacet",
"uco-observable:nameRecoverabilityStatus": "recovered",
"uco-observable:metadataRecoverabilityStatus": "recovered",
"uco-observable:contentRecoverabilityStatus": "unknown"
{
"@id": "kb:4026FABD-924D-4138-A6BA-73DF2EB37BCB",
"@type": "uco-observable:ObservableObject",
"uco-core:hasFacet": [
{
"@type": "uco-observable:FileFacet",
"uco-observable:extension": "jpg",
"uco-observable:fileName": "IMG-20181120-WA0000",
"uco-observable:filePath": "/storage/emulated/0/WhatsApp/Media/WhatsApp Images/Sent/IMG-20181120-WA0000.jpg",
"uco-observable:isDirectory": false,
"uco-observable:sizeInBytes": 1389601,
"uco-observable:createdTime": {
"@type": "xsd:dateTime",
"@value": "2018-11-19T00:29:15Z"
}
],
}
},
{
"@type": "uco-observable:UnallocatedRecoverabilityFacet",
"uco-observable:nameRecoverabilityStatus": "recovered",
"uco-observable:metadataRecoverabilityStatus": "recovered",
"uco-observable:contentRecoverabilityStatus": "unknown"
}
]
}
]
```

# SQLite Entry Recoverability

SQLite records that are recoverable can also be represented using the `observable:UnallocatedRecoverabilityFacet`. For example, this Facebook messenger chat:

INSERT IMAGE
![FacebookChat.png](https://files.caseontology.org/CASE-Examples/examples/illustrations/recoverability/FacebookChat.png)


This recovered chat message can be represented using the `observable:UnallocatedRecoverabilityFacet`, noting that the sent location does not appear to be recovered, indicating that the content is partially recovered.

```json
[
{
"@id":"kb:C01E67F9-ADB5-48BD-B09D-E7326FA8D592",
"@type":"uco-observable:ObservableObject",
"uco-core:hasFacet":[
{
"@type":"uco-observable:MessageFacet",
"uco-observable:messageText":"Diana sent a location.",
"uco-observable:from":{
"@id":"kb:e1e34d20-e77c-4087-a87d-d169d7155b8d"
},
"uco-observable:to":[{"@id":"kb:f96cfe21-1149-4a46-acb9-7299152c776b"}],
"uco-observable:sentTime":{
"@type": "xsd:dateTime",
"@value": "2018-12-04T07:52:47Z"
}
},
{
"@type": "uco-observable:UnallocatedRecoverabilityFacet",
"uco-observable:nameRecoverabilityStatus": "recovered",
"uco-observable:metadataRecoverabilityStatus": "recovered",
"uco-observable:contentRecoverabilityStatus": "partially recovered"
}
]
},
{
"@id": "kb:C01E67F9-ADB5-48BD-B09D-E7326FA8D592",
"@type": "uco-observable:ObservableObject",
"uco-core:hasFacet": [
{
"@type": "uco-observable:MessageFacet",
"uco-observable:messageText": "Diana sent a location.",
"uco-observable:from": {
"@id": "kb:e1e34d20-e77c-4087-a87d-d169d7155b8d"
},
"uco-observable:to": [
{
"@id": "kb:f96cfe21-1149-4a46-acb9-7299152c776b"
}
],
"uco-observable:sentTime": {
"@type": "xsd:dateTime",
"@value": "2018-12-04T07:52:47Z"
}
},
{
"@type": "uco-observable:UnallocatedRecoverabilityFacet",
"uco-observable:nameRecoverabilityStatus": "recovered",
"uco-observable:metadataRecoverabilityStatus": "recovered",
"uco-observable:contentRecoverabilityStatus": "partially recovered"
}
]
}
]
```
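Review bot: in the reformatted Crossover Outlook example the timestamp properties are still JSON strings spelled "null" (`"uco-observable:accessedTime": "null"`, `"uco-observable:createdTime": "null"`, `"uco-observable:modifiedTime": "null"`) while `"uco-observable:sizeInBytes": null` uses a real JSON null. In JSON-LD the quoted form is an ordinary string literal, which is not a valid xsd:dateTime and asserts a value the prose says is unknown, whereas a bare `null` is dropped on expansion and is equivalent to omitting the property. Either remove those three properties (the `metadataRecoverabilityStatus` of "unknown" already carries the meaning) or use `null` consistently, and make the same change in src/README.md.in since this file is regenerated. Separately, the Samsung external.db example reuses the LNK example's `"uco-observable:sizeInBytes": 1389601` and `"@value": "2018-11-19T00:29:15Z"` verbatim for a different file (IMG-20181120-WA0000.jpg); worth confirming those are the JPG's actual values rather than a copy of the preceding block. The namespace prefixing, missing-comma fixes and the image embeds replacing the "INSERT IMAGE" placeholders in this hunk look right.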
