Description
Change proposal written with the assistance of AI.
Background
In the discussion at CASE Issue #178, @chrishargreaves highlighted the role of Technician in investigative contexts. Currently, the CASE investigation ontology defines several role classes (Attorney, Examiner, Investigator, Subject) but lacks explicit representation for Technicians, who play a crucial role in digital forensics and other investigative processes. Technicians are responsible for technical tasks such as evidence collection, preservation, processing, and analysis under the supervision of investigators and examiners. Adding a Technician class will enhance the ontology's ability to accurately represent all participants in investigative workflows, improving provenance tracking and role-based analytics.
A technician is a forensics role focused on case administration, exhibit/item handling and pre-imaging, photography, capture and presentation of data (sciencedirect.com) [https://www.sciencedirect.com/science/article/pii/S2666281724001677], and may also include damaged media recovery for technicians with advanced training or working in labs that support this specialization. The technician role can branch into sub-roles, including but not limited to: Evidence Handling Technician, Imaging Technician, Damaged Media Recovery Technician.
Requirements
Requirement 1
Create a new class investigation:Technician as a direct rdfs:subClassOf uco-role:Role, following the established pattern used by other role classes in the ontology (Attorney, Examiner, Investigator, Subject).
Requirement 2
Define the investigation:Technician class with appropriate rdfs:label and rdfs:comment properties that accurately describe the technician's role in investigative processes, including their technical responsibilities and typical scope of work.
Risk / Benefit analysis
Benefits
- Semantic completeness – enables accurate representation of all personnel involved in investigations, including technical support staff
- Enhanced provenance tracking – allows systems to distinguish between investigative decisions (by investigators) and technical execution (by technicians)
- Improved interoperability – aligns with standard forensic practice terminology and facilitates data exchange between organizations
- Better analytics – supports role-based queries for workforce planning, training needs, and investigation efficiency metrics
Risks
The submitter is unaware of risks beyond routine ontology-maintenance overhead (documentation updates, potential SHACL test additions). No existing CASE instances break, as this is purely additive.
Competencies demonstrated
Competency 1 – Digital forensics evidence processing workflow
Scenario
A digital forensics investigation involves technicians performing technical tasks such as evidence collection, disk imaging, and initial processing. The investigation:Technician role class enables accurate representation of these personnel in investigative workflows, including tracking role assignments with temporal information (appointment dates) and linking personnel actions to their roles.
Example representation:
```turtle
@prefix kb: <http://example.org/kb/> .
@prefix investigation: <https://ontology.caseontology.org/case/investigation/> .
@prefix uco-action: <https://ontology.unifiedcyberontology.org/uco/action/> .
@prefix uco-core: <https://ontology.unifiedcyberontology.org/uco/core/> .
@prefix uco-observable: <https://ontology.unifiedcyberontology.org/uco/observable/> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .

# The investigation
kb:investigation-2024-001
    a investigation:Investigation ;
    uco-core:name "Laptop Forensic Analysis - Case 2024-001" ;
    investigation:investigationForm "case" ;
    investigation:investigationStatus "open" ;
    investigation:focus "Digital evidence collection and analysis" ;
    uco-core:object kb:disk-imaging-action-5d7a3e9f-c2b4-4f8a-9e3d-6c1b5a8f7e2d .

# The technician's identity
kb:technician-identity-9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d
    a uco-core:Identity ;
    uco-core:name "Forensic Technician Williams" ;
    uco-core:role kb:technician-role-c8d9f2e1-a4b7-4c3e-8f5d-6a1e9b2c7f4a .

# The technician role (with appointment date)
kb:technician-role-c8d9f2e1-a4b7-4c3e-8f5d-6a1e9b2c7f4a
    a investigation:Technician ;
    uco-core:startTime "2024-01-15T09:00:00Z"^^xsd:dateTime .

# The investigative action performed by the technician
kb:disk-imaging-action-5d7a3e9f-c2b4-4f8a-9e3d-6c1b5a8f7e2d
    a investigation:InvestigativeAction ;
    uco-core:name "Disk imaging of evidence laptop" ;
    uco-action:performer kb:technician-role-c8d9f2e1-a4b7-4c3e-8f5d-6a1e9b2c7f4a ;
    uco-action:result
        kb:disk-image-3f8a2c7d-b1e9-4d3c-a5f7-1b2e4a9c8d6f ,
        kb:provenance-record-e9f5c1a7-d4b8-4a6e-9c2f-3e5d7a9b1c4f .

# Evidence produced by technical work
kb:disk-image-3f8a2c7d-b1e9-4d3c-a5f7-1b2e4a9c8d6f
    a uco-observable:File ;
    uco-core:description "Forensic disk image of evidence laptop" ;
    uco-core:hasFacet [
        a uco-observable:FileFacet ;
        uco-observable:fileName "evidence-laptop-001.dd" ;
        uco-observable:sizeInBytes 512000000000
    ] .

# Provenance tracking for the evidence
kb:provenance-record-e9f5c1a7-d4b8-4a6e-9c2f-3e5d7a9b1c4f
    a investigation:ProvenanceRecord ;
    investigation:exhibitNumber "2024-001-E1" ;
    investigation:rootExhibitNumber "2024-001-E1" ;
    uco-core:object kb:disk-image-3f8a2c7d-b1e9-4d3c-a5f7-1b2e4a9c8d6f .
```

Competency Question 1.1
Which investigative actions were performed by technicians, and which personnel hold those technician roles?
```sparql
PREFIX investigation: <https://ontology.caseontology.org/case/investigation/>
PREFIX uco-action: <https://ontology.unifiedcyberontology.org/uco/action/>
PREFIX uco-core: <https://ontology.unifiedcyberontology.org/uco/core/>

SELECT ?action ?actionName ?identity ?technicianName
WHERE {
    ?technicianRole a investigation:Technician .
    ?action a investigation:InvestigativeAction ;
        uco-core:name ?actionName ;
        uco-action:performer ?technicianRole .
    OPTIONAL {
        ?identity uco-core:role ?technicianRole ;
            uco-core:name ?technicianName .
    }
}
```

Result 1.1
Returns investigative actions performed by technicians, along with the personnel identities holding those roles. This enables tracking of technical tasks (e.g., disk imaging, data extraction, evidence preservation) performed by technicians, supporting proper attribution, chain-of-custody documentation, and role-based analytics for workforce planning and investigation efficiency metrics.
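The chain-of-custody attribution described above can also be queried in the other direction, starting from an exhibit number and walking back to the technician who produced the evidence. The query below is an added example, not part of the original proposal; it uses only the classes and properties that appear in the example representation, with investigation:Technician being the class proposed here.

```sparql
PREFIX investigation: <https://ontology.caseontology.org/case/investigation/>
PREFIX uco-action: <https://ontology.unifiedcyberontology.org/uco/action/>
PREFIX uco-core: <https://ontology.unifiedcyberontology.org/uco/core/>

# For each exhibit, find the evidence object it tracks, the investigative
# action that produced both the evidence and its provenance record, and the
# technician role (with appointment date) that performed the action.
SELECT ?exhibitNumber ?evidence ?action ?actionName ?appointedFrom ?technicianName
WHERE {
    # Exhibit -> evidence object
    ?record a investigation:ProvenanceRecord ;
        investigation:exhibitNumber ?exhibitNumber ;
        uco-core:object ?evidence .

    # Evidence and provenance record -> producing action -> performer role
    ?action a investigation:InvestigativeAction ;
        uco-core:name ?actionName ;
        uco-action:result ?evidence , ?record ;
        uco-action:performer ?role .

    # Restrict to actions executed under a Technician role
    ?role a investigation:Technician .

    # Appointment date and personnel identity are optional so that
    # incomplete records still surface in the result
    OPTIONAL { ?role uco-core:startTime ?appointedFrom . }
    OPTIONAL {
        ?identity uco-core:role ?role ;
            uco-core:name ?technicianName .
    }
}
ORDER BY ?exhibitNumber
```

Run against the example representation, this returns a single row for exhibit "2024-001-E1". Rows with an unbound ?technicianName or ?appointedFrom point to role assignments that need to be completed before the custody record can be relied on.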
Solution suggestion
- Ontology edits
  - Add the investigation:Technician class definition in the Investigation ontology module following the established pattern:

```turtle
investigation:Technician
    a owl:Class , sh:NodeShape ;
    rdfs:subClassOf uco-role:Role ;
    rdfs:label "Technician"@en ;
    rdfs:comment "Technician is a role involved in performing technical tasks during investigations, such as evidence collection, preservation, processing, initial analysis, and repair."@en ;
    sh:targetClass investigation:Technician ;
    .
```

- Documentation
  - Update the CASE documentation to include the Technician role in role descriptions and examples
  - Add usage examples showing Technician interactions with other roles in investigative workflows
- Testing
  - Add validation tests to ensure proper integration with existing role classes
  - Create example instances demonstrating Technician role usage in investigative scenarios
This implementation maintains backward compatibility while enhancing the ontology's ability to represent the full spectrum of investigative personnel roles.
Coordination
- Tracking in Jira ticket OCCASE 502
- Administrative review completed, proposal announced to Ontology Committees (OCs) on TODO-date
- Requirements to be discussed in OC meeting, date TBD
- Requirements Review vote has not occurred
- Requirements development phase completed.
- Solution announced to OCs on TODO-date
- Solutions Approval to be discussed in OC meeting, date TBD
- Solutions Approval vote has not occurred
- Solutions development phase completed.
- Backwards-compatible implementation merged into develop for the next release
- develop state with backwards-compatible implementation merged into develop-2.0.0
- Backwards-incompatible implementation merged into develop-2.0.0 (or N/A)
- Milestone linked
- Documentation logged in pending release page
- Prerelease publication: CASE develop branch updated to track UCO's updated develop branch
- Prerelease publication: CASE develop-2.0.0 branch updated to track UCO's updated develop-2.0.0 branch