Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
739 lines (736 sloc) 20.7 KB
{
"@context": {
"@vocab": "http://case.example.org/core#",
"case": "http://case.example.org/core#",
"rdf": "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
"rdfs": "http://www.w3.org/2000/01/rdf-schema#",
"xsd": "http://www.w3.org/2001/XMLSchema#"
},
"@id": "bundle-3b13e958a-d975-41aa-b1bb-029d2b6707cd",
"@type": "Bundle",
"annos": [
"This illustrative scenario imagines The Oresteia in the age mobile devices for the purpose of demonstrating use of CASE to represent digital investigations into multiple related crimes.",
"To reduce repetitive examples in this illustrative scenario, not all Identity objects are explicitly represented here. Instead, each object that is referenced in this scenario uses the associated person's name in the simplified UUID.",
"Thyestes is the victim in Crime A, and the offender in Crime B",
"Clock on Clytemnestra's device is one day and one hour slow (offet -25 hours)",
"There will be an action for each successful parsing of a file and file objects for each collected file."
],
"content": [
{
"@id": "investigation-4586742a-710a-454f-bcb8-b60e230ec1b2",
"@type": "Investigation",
"name": "Crime A",
"focus": "Murder",
"description": "In Mycenae, Atreus killed two sons of Thyestes, cooked them (except for their hands and heads), fed them to Thyestes, and then taunted Thyestes with his murdered sons' hands and heads.",
"object": ["thyestes-uuid", "victim1-uuid", "role-relationship1-uuid"]
},
{
"@id": "investigation-b05226da-eaef-4bc5-a139-ca12c94dbdfd",
"@type": "Investigation",
"name": "Crime B",
"focus": "Rape",
"description": "In Mycenae, Thyestes raped his daughter Pelopia to have a son (Aegisthus)",
"object": ["thyestes-uuid", "offender1-uuid", "role-relationship2-uuid", "cctv-recording-uuid", "provenance-record13-uuid"]
},
{
"@id": "investigation-ac9fd560-261e-4cd6-af64-8b83d100b9a8",
"@type": "Investigation",
"name": "Crime C",
"focus": "Murder",
"description": "In Mycenae, Aegisthus killed Atreus (Agamemnon's father)",
"object": []
},
{
"@id": "investigation-2545442b-321c-754d-bcb8-c40d321ce2c2",
"@type": "Investigation",
"name": "Crime D",
"focus": "Murder",
"description": "In Aulis, Agamemnon killed his daughter Iphigenia as a sacrifice to the gods",
"object": []
},
{
"@id": "investigation-952d677d-6b62-4e53-9bac-1b113d268ac5",
"@type": "Investigation",
"name": "Crime E",
"focus": "Murder",
"description": "In the Palace of Argos, Agamemnon and Cassandra were killed by Clytemnestra (accomplice Aegisthus)",
"object": ["argos-palace-uuid", "cassandra-uuid", "victim5-uuid", "role-relationship5-uuid", "cassandra-device-uuid", "associated-device1-uuid", "device-location-relationship1", "clytemnestra-device-uuid", "forensic-action1-uuid", "annotation1-uuid", "provenance-record1-uuid", "forensic-action2-uuid", "annotation2-uuid", "provenance-record2-uuid", "cassandra-mobiledevice-forensicduplicate-uuid", "tool1-uuid", "provenance-record3-uuid", "cassandra-mobiledevice-mmssms-uuid", "trace-relationship3-uuid", "cassandra-image-partition6-uuid", "trace-relationship4-uuid", "tool2-uuid", "tool3-uuid", "forensic-action4-uuid", "forensic-action5-uuid", "sms-message1-uuid", "sms-message2-uuid"]
},
{
"@id": "investigation-5aa33dc6-7a39-4731-a754-62a9c41e5220",
"@type": "Investigation",
"name": "Crime F",
"focus": "Murder",
"description": "In the Palace of Argos, Clytemnestra and Aegisthus were killed by Orestes (accomplice Electra)",
"object": ["electra-uuid", "argos-palace-uuid", "electra-orestes-email-uuid", "orestes-facebookmsg-uuid"]
},
{
"@id": "argos-palace-uuid",
"@type": "Location",
"propertyBundle": [
{
"@type": "SimpleAddress",
"locality": "Argos",
"region": "Greece",
"postalCode": "98052",
"street": "Palace Blvd"
},
{
"@type": "LatLongCoordinates",
"latitude": 48.860346,
"longitude": 2.331199
}
]
},
{
"@id": "cassandra-uuid",
"@type": "Identity",
"propertyBundle": [
{
"@type": "SimpleName",
"givenName": "Cassandra",
"familyName": "Troy"
},
{
"@type": "BirthInformation",
"birthdate": "1968-09-25T17:59:43.25Z"
}
]
},
{
"@id": "victim5-uuid",
"@type": "Role",
"name": "Victim"
},
{
"@id": "role-relationship5-uuid",
"@type": "Relationship",
"source": "cassandra-uuid",
"target": ["victim5-uuid"],
"kindOfRelationship": "has-role",
"isDirectional": true
},
{
"@id": "associated-device1-uuid",
"@type": "Relationship",
"source": "victim5-uuid",
"target": ["cassandra-device-uuid"],
"kindOfRelationship": "has-device",
"isDirectional": true
},
{
"@id": "cassandra-device-uuid",
"@type": "Trace",
"propertyBundle": [
{
"@type": "Device",
"manufacturer": "Samsung",
"model": "SM-G925F Galaxy S6 Edge",
"serialNumber": "FDG344657"
},
{
"@type": "MobileDevice",
"keypadUnlockCode": "1234",
"IMEI": "359305065690067",
"clockSetting": "2017-06-22T07:36:24.35Z",
"timezoneSetting": "UTC+01:01 (Europe/Rome)",
"storageCapacity": "11 GB"
},
{
"@type": "MobileAccount",
"MSISDN": "1239275339"
}
]
},
{
"@id": "device-location-relationship1",
"@type": "Relationship",
"source": "cassandra-device-uuid",
"target": "argos-palace-uuid",
"kindOfRelationship": "located-at",
"startTime": "2017-06-19T13:59:43.25Z",
"endTime": "2017-06-22T15:59:43.25Z",
"isDirectional": true,
"propertyBundle": [
{
"@type": "Confidence",
"confidence": "Probably True"
}
]
},
{
"@id": "thyestes-uuid",
"@type": "Identity",
"propertyBundle": [
{
"@type": "SimpleName",
"givenName": "Thyestes",
"familyName": "Mycenae"
},
{
"@type": "BirthInformation",
"birthdate": "1964-10-03T14:39:23.15Z"
}
]
},
{
"@id": "victim1-uuid",
"@type": "Role",
"name": "Victim"
},
{
"@id": "role-relationship1-uuid",
"@type": "Relationship",
"source": "thyestes-uuid",
"target": ["victim1-uuid"],
"kindOfRelationship": "has-role",
"isDirectional": true
},
{
"@id": "offender1-uuid",
"@type": "Role",
"name": "Offender"
},
{
"@id": "role-relationship2-uuid",
"@type": "Relationship",
"source": "thyestes-uuid",
"target": ["offender1-uuid"],
"kindOfRelationship": "has-role",
"isDirectional": true
},
{
"@id": "electra-uuid",
"@type": "Identity",
"propertyBundle": [
{
"@type": "SimpleName",
"givenName": "Electra",
"familyName": "Argos"
},
{
"@type": "BirthInformation",
"birthdate": "1998-03-02T14:23:42.23Z"
}
]
},
{
"@id": "associated-emailaccount1-uuid",
"@type": "Relationship",
"source": "electra-uuid",
"target": ["electra-emailaccount-uuid"],
"kindOfRelationship": "has-account",
"isDirectional": true
},
{
"@id": "clytemnestra-device-uuid",
"@type": "Trace",
"propertyBundle": [
{
"@type": "Device",
"manufacturer": "iPhone",
"model": "MG552",
"serialNumber": "F18Q4LGRG5MD"
},
{
"@type": "MobileDevice",
"keypadUnlockCode": "123789",
"IMEI": "359305065690067",
"clockSetting": "2017-06-21T06:36:24.35Z",
"localeLanguage": "en_GR",
"phoneActivationTime": "2017-05-09T07:36:24.35Z",
"storageCapacity": "11 GB"
},
{
"@type": "iPhoneDevice",
"uniqueID": "B3858A69A29375E6C706226B3633A3A11EB2A774",
"ownerName": "Clytemnestras iPhone"
},
{
"@type": "OperatingSystem",
"name": "iOS",
"manufacturer": "Apple",
"version": "10.3"
},
{
"@type": "MobileAccount",
"MSISDN": "1237471334"
},
{
"@type": "WiFiAddress",
"value": "d0:33:11:13:e7:a1"
},
{
"@type": "BluetoothAddress",
"value": "d0:33:11:13:e7:a2"
}
]
},
{
"@id": "forensic-action1-uuid",
"@type": "ForensicAction",
"name": "preserved",
"startTime": "2017-06-21T22:36:24.35Z",
"propertyBundle": [
{
"@type": "ActionReferences",
"instrument": "athens-warrant1-uuid",
"location": "argos-palace-uuid",
"performer": "euripides-uuid",
"object": [
"cassandra-device-uuid"
],
"result": [
"provenance_record1-uuid"
]
}
]
},
{
"@id": "annotation1-uuid",
"@type": "Annotation",
"tag": ["forensic"],
"description": "Forensic preservation of Cassandra mobile device.",
"object": [
"forensic_action1-uuid"
]
},
{
"@id": "forensic-action10-uuid",
"@type": "ForensicAction",
"name": "transferred",
"startTime": "2017-06-22T08:01:23.14Z",
"propertyBundle": [
{
"@type": "ActionReferences",
"instrument": "athens-warrant1-uuid",
"location": "athenspd-evidenceroom-uuid",
"performer": "aeschylus-uuid",
"object": [
"cassandra-device-uuid"
],
"result": [
"provenance_record1-uuid"
]
}
]
},
{
"@id": "provenance-record1-uuid",
"@type": "ProvenanceRecord",
"description": "Mobile device used by murder victim Cassandra",
"exhibitNumber": "ArgosPD-20170622-001A",
"object": "cassandra-device-uuid"
},
{
"@id": "provenance_record2-uuid",
"@type": "ProvenanceRecord",
"description": "Android smartphone seized by Argos PD",
"exhibitNumber": "AthensPD-2017220601",
"objects": "cassandra-device-uuid"
},
{
"@id": "forensic-action2-uuid",
"@type": "ForensicAction",
"name": "extracted",
"startTime": "2017-06-22T08:12:19.32Z",
"endTime": "2017-06-22T08:39:19.24Z",
"propertyBundle": [
{
"@type": "ActionReferences",
"location": "argos-palace-uuid",
"performer": "aeschylus-uuid",
"instrument": "tool1-uuid",
"environment": "forensic-computer1-uuid",
"object": [
"provenance-record1-uuid"
],
"result": [
"cassandra-mobiledevice-forensicduplicate-uuid",
"provenance_record2-uuid"
]
},
{
"@type": "MobileExtractor:ToolArguments",
"aquisitionType": "Physical Extraction",
"method": "Boot Loader"
}
]
},
{
"@id": "annotation2-uuid",
"@type": "Annotation",
"tag": ["forensic"],
"description": "Forensic extraction of data from Cassandra mobile device.",
"object": [
"forensic_action2-uuid"
]
},
{
"@id": "provenance-record2-uuid",
"@type": "ProvenanceRecord",
"description": "Mobile device used by murder victim Cassandra",
"exhibitNumber": "AthensPD-2017220601-02",
"object": "cassandra-mobiledevice-forensicduplicate-uuid"
},
{
"@type": "Trace",
"@id": "cassandra-mobiledevice-forensicduplicate-uuid",
"propertyBundle": [
{
"@type": "File",
"createdTime": "2017-06-22T08:12:19.32Z",
"extension": "dd",
"fileName": "AthensPD-2017220601-01.dd",
"fileSystemType": "NTFS",
"filePath": "C:/evidence/AthensPD-2017220601-01.dd",
"isDirectory": false,
"sizeInBytes": 90080500
},
{
"@type": "ContentData",
"hash": [
{
"@type": "Hash",
"hashMethod": "SHA256",
"hashValue": "7ea081166336119da78ee4bbdbd06840b94efe28988a2bdb0bcf2387a481e283"
}
],
"sizeInBytes": 9080500
}
]
},
{
"@id": "tool1-uuid",
"@type": "Tool",
"name": "MobileExtractor",
"toolType": "Extraction",
"creator": "Zeus",
"version": "5.3"
},
{
"@id": "provenance-record3-uuid",
"@type": "ProvenanceRecord",
"description": "SMS SQLite database on mobile device used by murder victim Cassandra",
"exhibitNumber": "AthensPD-2017220601-02-03",
"object": "cassandra-mobiledevice-mmssms-uuid"
},
{
"@type": "Trace",
"@id": "cassandra-mobiledevice-mmssms-uuid",
"propertyBundle": [
{
"@type": "File",
"createdTime": "2017-06-22T08:12:19.32Z",
"fileSystemType": "EXT3",
"extension": "db",
"fileName":"/data/data/com.android.providers.telephony/mmssms.db",
"isDirectory": false,
"sizeInBytes": 122925
},
{
"@type": "ContentData",
"sizeInBytes": 122925,
"magicNumber": "U1FMaXRlIGZvcm1hdCAzAA==",
"hash": [
{
"@type": "Hash",
"hashMethod": "SHA256",
"hashValue": "a13225720074371d56a4f4d5117fbb4953c5b1d316b31f21edcb7ed8fdf66c6e"
}
]
}
]
},
{
"@id": "trace-relationship3-uuid",
"@type": "Relationship",
"source": "sqlite_database",
"target": "cassandra-image-partition6-uuid",
"kindOfRelationship": "contained-within",
"isDirectional": true,
"propertyBundle": [
{
"@type": "PathRelation",
"path": "/data/data/com.android.providers.telephony/mmssms.db"
}
]
},
{
"@id": "cassandra-image-partition6-uuid",
"@type": "Trace",
"propertyBundle": [
{
"@type": "DiskPartition",
"diskPartitionType": "MSDOS",
"partitionID": "06",
"partitionOffset": 63,
"partitionLength": 245235063
},
{
"@type": "FileSystem",
"diskPartitionType": "EXT3"
},
{
"@type": "ContentData",
"sizeInBytes": 245235000,
"hash": [
{
"@type": "Hash",
"hashMethod": "SHA256",
"hashValue": "0611ea093d19b1c73a5285ff43741dd77f2a8d983c1c71044eb072e44f5dcb0a"
}
]
}
]
},
{
"@id": "trace-relationship4-uuid",
"@type": "Relationship",
"source": "cassandra-image-partition6-uuid",
"target": "cassandra-mobiledevice-forensicduplicate-uuid",
"kindOfRelationship": "contained-within",
"isDirectional": true,
"propertyBundle": [
{
"@type": "DataRange",
"rangeOffset": 234909233,
"rangeSize": 120000000000
}
]
},
{
"@id": "tool2-uuid",
"@type": "Tool",
"name": "Plaso",
"toolType": "Extraction",
"creator": "Joachim Metz",
"version": "1.5.2_201701013",
"propertyBundle": [
{
"@type": "ToolConfiguration",
"configurationSetting": [
{
"@type": "ConfigurationSetting",
"itemName": "identifier",
"itemValue": "624f2636e65e451e8dd7cb044ec44b69"
},
{
"@type": "ConfigurationSetting",
"itemName": "filter_file",
"itemValue": ""
},
{
"@type": "ConfigurationSetting",
"itemName": "filter_expression",
"itemValue": ""
},
{
"@type": "ConfigurationSetting",
"itemName": "preferred_encoding",
"itemValue": "cp1252"
},
{
"@type": "ConfigurationSetting",
"itemName": "parser_filter_expression",
"itemValue": "sqlite"
},
{
"@type": "ConfigurationSetting",
"itemName": "preferred_year",
"itemValue": ""
},
{
"@type": "ConfigurationSetting",
"itemName": "enabled_parser_names",
"itemValue": "sqlite, sqlite/twitter_ios, sqlite/kik_messenger, sqlite/android_sms, sqlite/android_gmail, sqlite/android_facebook"
},
{
"@type": "ConfigurationSetting",
"itemName": "debug_mode",
"itemValue": "False"
},
{
"@type": "ConfigurationSetting",
"itemName": "command_line_arguments",
"itemValue": "C:/Python27/Scripts/log2timeline.py C:/evidence/AthensPD-2017220601-01.dd.plaso C:/evidence/AthensPD-2017220601-01.dd --no-dependencies-check --parsers sqlite"
}
]
}
]
},
{
"@id": "tool3-uuid",
"@type": "Tool",
"name": "sqlite/android_sms",
"toolType": "Parser",
"creator": "Joachim Metz",
"propertyBundle": [
{
"@type": "ToolConfiguration",
"configurationSetting": [
{
"@type": "ConfigurationSetting",
"itemName": "query",
"itemValue": "SELECT _id AS id, address, date, read, type, body FROM sms"
},
{
"@type": "ConfigurationSetting",
"itemName": "schema_match",
"itemValue": "True"
}
]
}
]
},
{
"@id": "forensic-action4-uuid",
"@type": "ForensicAction",
"name": "extracted",
"startTime": "2017-06-22T09:57:23.64Z",
"endTime": "2017-06-22T10:31:19.24Z",
"propertyBundle": [
{
"@type": "ActionReferences",
"location": "argos-palace-uuid",
"performer": "aeschylus-uuid",
"instrument": "tool2-uuid",
"environment": "forensic-computer1-uuid",
"object": [
"cassandra-mobiledevice-forensicduplicate-uuid",
"provenance_record2-uuid"
],
"result": [
"forensic-action5-uuid",
"provenance-record3-uuid",
"cassandra-mobiledevice-mmssms-uuid"
]
}
]
},
{
"@id": "forensic-action5-uuid",
"@type": "ForensicAction",
"name": "parsed",
"startTime": "2017-06-22T09:57:23.64Z",
"endTime": "2017-06-22T10:31:19.24Z",
"propertyBundle": [
{
"@type": "ActionReferences",
"location": "argos-palace-uuid",
"performer": "forensic-action4-uuid",
"instrument": "tool3-uuid",
"environment": "forensic-computer1-uuid",
"object": [
"cassandra-mobiledevice-mmssms-uuid"
],
"result": [
"sms-message1-uuid",
"sms-message2-uuid",
"argive-elder1-phoneaccnt-uuid",
"argive-elder2-phoneaccnt-uuid",
"argive-elder3-phoneaccnt-uuid"
]
}
]
},
{
"@id": "sms-message1-uuid",
"@type": "Trace",
"propertyBundle": [
{
"@type": "Message",
"application": "sms-application1",
"messageText": "A wedded wife, she slays her lord, Helped by another hand!",
"from": "cassandra-mobileacct-uuid",
"to": [
"argive-elder1-phoneaccnt-uuid",
"argive-elder2-phoneaccnt-uuid",
"argive-elder3-phoneaccnt-uuid"
],
"sentTime": "2017-06-20T09:34:42.12Z"
}
]
},
{
"@id": "sms-message2-uuid",
"@type": "Trace",
"propertyBundle": [
{
"@type": "Message",
"application": "sms-application1",
"messageText": "Low lie the shattered towers whereas they fell, and I--ah burning heart!--shall soon lie low as well.",
"from": "cassandra-mobileacct-uuid",
"to": [
"argive-elder1-phoneaccnt-uuid",
"argive-elder2-phoneaccnt-uuid",
"argive-elder3-phoneaccnt-uuid"
],
"sentTime": "2017-06-20T09:37:35.13Z"
}
]
},
{
"@id": "argive-elder1-phoneaccnt-uuid",
"@type": "Trace",
"propertyBundle": [
{
"@type": "PhoneAccount",
"phoneNumber": "1237771337",
}
]
},
{
"@id": "electra-orestes-email-uuid",
"@type": "Trace",
"propertyBundle": [
{
"@type": "EmailMessage",
"to": ["orestes-emailaccount-uuid"],
"from": "electra-emailaccount-uuid",
"subject": "Revenge our father",
"body": "To me, too, grant this boon-dark death to deal unto Aegisthus, and to 'scape my doom.",
"receivedTime": "2017-06-21T13:44:23.40Z",
"sentTime": "2017-06-21T13:44:22.19Z",
"messageID": "CAKBqNfyKo+ZXtkz6DUjWpvHy6O82jTbkNA@mail.gmail.com"
}
]
},
{
"@id": "annotation1",
"@type": "Annotation",
"tag": ["selfie", "picture"],
"description": "Digital photograph of corpses taken at crime scene by killer",
"object": [
"orestes-selfie-photograph-uuid"
]
},
{
"@id": "orestes-facebookmsg-uuid",
"@type": "Trace",
"propertyBundle": [
{
"@type": "FacebookMessage",
"from": ["orestes-facebookaccount-uuid"],
"to": ["friends"],
"body": "There lies our country's twofold tyranny, My father's slayers, spoilers of my home.",
"sentTime": "2017-06-21T14:44:54.19Z"
},
{
"@id": "attach_relationship1",
"@type": "Relationship",
"source": "location1",
"target": "orestes-facebookmsg-uuid",
"kindOfRealtionship": "attachment-of",
"isDirectional": true,
"propertyBundle": [
{
"@type": "Attachment",
"url": "http://www.facebook.com/corpses.jpg"
}
]
}
]
}
]
}