Permalink
Switch branches/tags
Nothing to show
Find file Copy path
8c4dcc1 Nov 16, 2016
2 contributors

Users who have contributed to this file

@sbarnum @casework
514 lines (511 sloc) 14.6 KB
{
"@context": {
"@vocab": "http://case.example.org/core#",
"olo": "http://purl.org/ontology/olo/core#",
"acme": "http://custompb.acme.org/core#"
},
"@graph": [
{
"@id": "forensic_lifecycle1",
"@type": "ActionLifecycle",
"description": "Describes the forensic lifecycle.",
"olo:length": 5,
"olo:slot": [
{
"olo:index": 1,
"olo:item": "phase1"
},
{
"olo:index": 2,
"olo:item": "phase2"
},
{
"olo:index": 3,
"olo:item": "phase3"
},
{
"olo:index": 4,
"olo:item": "phase4"
},
{
"olo:index": 5,
"olo:item": "phase5"
}
]
},
{
"@id": "phase1",
"@type": "Action",
"name": "Survey"
},
{
"@id": "phase2",
"@type": "Action",
"name": "Preservation"
},
{
"@id": "phase3",
"@type": "Action",
"name": "Examination"
},
{
"@id": "phase4",
"@type": "Action",
"name": "Analysis"
},
{
"@id": "phase5",
"@type": "Action",
"name": "Report"
},
{
"@id": "case1",
"@type": "Investigation",
"description": "John Doe solicited minor (Jane Doe) and exchange contraband (digital photographs)",
"startTime": "2010-01-12T17:59:43.25Z",
"endTime": "2010-01-25T13:05:22.10Z",
"focus": [
"Pornography/Obscene Material"
],
"object": ["investigator1", "examiner1", "examiner2", "subject1", "victim2", "forensic_action1", "lifecycle_phase1",
"annotation2", "forensic_action2","lifecycle_phase2", "annotation3", "forensic_action3", "lifecycle_phase3",
"annotation4", "forensic_action4","lifecycle_phase4", "annotation5", "forensic_action5", "lifecycle_phase5"
"annotation6", "forensic_action6", "provenance_record1", "provenance_record2", "provenance_record3",
"provenance_record4", "provenance_record5", "provenance_record6", "provenance_record7", "provenance_record8",
"provenance_record9", "provenance_record10", "provenance_record11", "provenance_record12", "provenance_record13",
"provenance_record14", "provenance_record15", "provenance_record16", "provenance_record17", "provenance_record18",
"provenance_record19", "provenance_record20", "provenance_record21", "device1", "sd_card1", "android_image",
"sd_card1_image", "chat_messages_report", "plaso_storage_file", "os1", "attachment_file", "message_database",
"thumbnail_database", "image_partition", "message_action1", "thread1", "message1", "location1", "account1",
"account2", "decoded_blob", "decrypted_blob", "sqlite_blob", "tool1", "tool2", "tool3", "fedex_dropoff_location1",
"forensic_lab1", "forensic_lab_computer1", "config_file", "log_file", "windows_registries_report", "parser1",
"attachment_file"
]
},
{
"@id": "forensic_action1",
"@type": "ForensicAction",
"name": "seized",
"startTime": "2010-01-15T17:59:43.25Z",
"endTime": "2010-01-15T19:59:43.25Z",
"propertyBundle": [
{
"@type": "ActionReferences",
"performer": "investigator1",
"result": [
"provenance_record1"
]
}
]
},
{
"@id": "lifecycle_phase1",
"@type": "Relationship",
"source": "forensic_action1",
"target": "phase1",
"kindOfRelationship": "fits-pattern",
"isDirectional": true
},
{
"@id": "annotation2",
"@type": "Annotation",
"description": "Receive evidence via FedEx from Jon Graves.",
"tag": [
"forensic"
],
"object": [
"forensic_action2"
]
},
{
"@id": "forensic_action2",
"@type": "ForensicAction",
"name": "custody-receive",
"startTime": "2010-01-15T17:59:43.25Z",
"propertyBundle": [
{
"@type": "ActionReferences",
"performer": "examiner1",
"object": [
"device1"
],
"result": [
"provenance_record2",
"provenance_record3"
],
"location": "fedex_dropoff_location1"
}
]
},
{
"@id": "lifecycle_phase2",
"@type": "Relationship",
"source": "forensic_action2",
"target": "phase2",
"kindOfRelationship": "fits-pattern",
"isDirectional": true
},
{
"@id": "annotation3",
"@type": "Annotation",
"description": "Make forensic image of suspect's cell phone",
"tags": [
"forensic"
],
"object": [
"forensic_action3"
]
},
{
"@id": "forensic_action3",
"@type": "ForensicAction",
"name": "imaged",
"startTime": "2010-01-15T17:59:43.25Z",
"endTime": "2010-01-15T19:59:43.25Z",
"propertyBundle": [
{
"@type": "ActionReferences",
"performer": "examiner1",
"instrument": "tool1",
"object": [
"device1"
],
"result": [
"provenance_record4"
],
"location": "forensic_lab1",
"environment": "forensic_lab_computer1"
},
{
"@type": "acme:UFEDArguments",
"aquisitionType": "Logical",
"method": "ADB"
}
]
},
{
"@id": "lifecycle_phase3",
"@type": "Relationship",
"source": "forensic_action3",
"target": "phase2",
"kindOfRelationship": "fits-pattern",
"isDirectional": true
},
{
"@id": "annotation4",
"@type": "Annotation",
"description": "Make forensic image of SD card from suspect's cell phone.",
"tags": [
"forensic"
],
"object": [
"forensic_action4"
]
},
{
"@id": "forensic_action4",
"@type": "ForensicAction",
"name": "imaged",
"startTime": "2010-01-16T17:59:43.25Z",
"endTime": "2010-01-16T19:59:43.25Z",
"propertyBundle": [
{
"@type": "ActionReferences",
"performer": "examiner1",
"instrument": "tool2",
"object": [
"sd_card1"
],
"result": [
"provenance_record5"
],
"location": "forensic_lab1",
"environment": "forensic_lab_computer1"
}
]
},
{
"@id": "lifecycle_phase4",
"@type": "Relationship",
"source": "forensic_action4",
"target": "phase2",
"kindOfRelationship": "fits-pattern",
"isDirectional": true
},
{
"@id": "annotation5",
"@type": "Annotation",
"tags": [
"forensic"
],
"text": "Run Plaso tool to find communications and multimedia exchanged between subject and victim.",
"object": [
"forensic_action5"
]
},
{
"@id": "forensic_action5",
"@type": "ForensicAction",
"name": "parsed",
"startTime": "2010-01-20T17:59:43.25Z",
"endTime": "2010-01-21T17:59:43.25Z",
"propertyBundle": [
{
"@type": "ActionReferences",
"performer": "examiner2",
"instrument": "tool3",
"object": [
"android_image",
"sd_card1_image"
],
"result": [
"provenance_record6",
"provenance_record7",
"provenance_record8",
"provenance_record9",
"provenance_record10",
"provenance_record11",
"provenance_record12",
"forensic_action6"
],
"location": "forensic_lab1",
"environment": "forensic_lab_computer1"
},
{
"@type": "Process",
"arguments": "log2timeline C:\\exams\\inbox\\case-123.img C:\\exams\\output\\case-123 --config C:\\plaso\\config.cfg --analysis chat_messages,windows_registries --output xlsx,pstorage --parsers sqlite/android_whatsapp,plist --log C:\\exams\\output\\case-123.log",
"pid": 1234,
"currentWorkingDirectory": "C:\\exams",
"createdTime": "2010-01-20T17:59:43.25Z",
"creatorUser": "role4",
"environmentVariable": [
{
"key": "PYTHONPATH",
"value": "C:\\Python27\\Scripts\\python.exe"
}
],
"isHidden": false
},
{
"@type": "acme:PlasoArguments",
"input": "android_image",
"configFile": "config_file",
"analysisReport": [
"chat_messages_report",
"windows_registries_report"
],
"storageFile": "plaso_storage_file",
"logFile": "log_file"
}
]
},
{
"@id": "lifecycle_phase5",
"@type": "Relationship",
"source": "forensic_action5",
"target": "phase3",
"kindOfRelationship": "fits-pattern",
"isDirectional": true
},
{
"@id": "annotation6",
"@type": "Annotation",
"description": "Plaso tool runs WhatsApp parser",
"tag": [
"forensic"
],
"target": [
"forensic_action6"
]
},
{
"@id": "forensic_action6",
"@type": "ForensicAction",
"name": "executed",
"startTime": "2010-02-15T17:59:43.25Z",
"endTime": "2010-02-16T17:59:43.25Z",
"propertyBundle": [
{
"@type": "ActionReferences",
"performer": "examiner2",
"instrument": "parser1",
"object": [
"provenance_record9",
"provenance_record10",
"provenance_record11"
],
"result": [
"provenance_record13",
"provenance_record14",
"provenance_record15",
"provenance_record16",
"provenance_record17",
"provenance_record18",
"provenance_record19",
"provenance_record20",
"provenance_record21"
],
"location": "forensic_lab1",
"environment": "forensic_lab_computer1"
},
{
"@type": "acme:PlasoParserArguments",
"parsedFile": "message_database",
"attachmentFile": [
"thumbnail_database",
"attachment_file"
],
"fullQueryMatch": true,
"query": "SELECT sender, recipients, body from MessageTable"
}
]
},
{
"@id": "provenance_record1",
"@type": "ProvenanceRecord",
"description": "Android Smartphone",
"exhibitNumber": "ACME-676553402357",
"object": "device1"
},
{
"@id": "provenance_record2",
"@type": "ProvenanceRecord",
"description": "Android Smartphone",
"exhibitNumber": "DFL-20140712-001A",
"object": "device1"
},
{
"@id": "provenance_record3",
"@type": "ProvenanceRecord",
"description": "SD Card",
"exhibitNumber": "DFL-20140712-001B",
"object": "sd_card1"
},
{
"@id": "provenance_record4",
"@type": "ProvenanceRecord",
"description": "Forensic image of Android Smartphone",
"exhibitNumber": "DFL-20140712-001C",
"object": "android_image"
},
{
"@id": "provenance_record5",
"@type": "ProvenanceRecord",
"description": "Forensic image of SD Card",
"exhibitNumber": "DFL-20140712-001D",
"object": "sd_card1_image"
},
{
"@id": "provenance_record6",
"@type": "ProvenanceRecord",
"description": "Chat Messages Report",
"exhibitNumber": "DFL-20140712-001E",
"object": "chat_messages_report"
},
{
"@id": "provenance_record7",
"@type": "ProvenanceRecord",
"description": "Plaso Storage File",
"exhibitNumber": "DFL-20140712-001F",
"object": "plaso_storage_file"
},
{
"@id": "provenance_record8",
"@type": "ProvenanceRecord",
"description": "Android OS Information",
"exhibitNumber": "DFL-20140712-0020",
"object": "os1"
},
{
"@id": "provenance_record9",
"@type": "ProvenanceRecord",
"description": "Contraband photograph",
"exhibitNumber": "DFL-20140712-0021",
"object": "attachment_file"
},
{
"@id": "provenance_record10",
"@type": "ProvenanceRecord",
"description": "WhatsApp message database",
"exhibitNumber": "DFL-20140712-0022",
"object": "message_database"
},
{
"@id": "provenance_record11",
"@type": "ProvenanceRecord",
"description": "WhatsApp thumbnail database",
"exhibitNumber": "DFL-20140712-0023",
"object": "thumbnail_database"
},
{
"@id": "provenance_record12",
"@type": "ProvenanceRecord",
"description": "Android data partition",
"exhibitNumber": "DFL-20140712-0024",
"object": "image_partition"
},
{
"@id": "provenance_record13",
"@type": "ProvenanceRecord",
"description": "WhatsApp message being sent from subject to victim",
"exhibitNumber": "DFL-20140712-0025",
"object": "message_action1"
},
{
"@id": "provenance_record14",
"@type": "ProvenanceRecord",
"description": "WhatsApp chat message thread between subject and victim",
"exhibitNumber": "DFL-20140712-0026",
"object": "thread1"
},
{
"@id": "provenance_record15",
"@type": "ProvenanceRecord",
"description": "WhatsApp chat message containing contraband attachment",
"exhibitNumber": "DFL-20140712-0027",
"object": "message1"
},
{
"@id": "provenance_record16",
"@type": "ProvenanceRecord",
"description": "Location of subject when using WhatsApp",
"exhibitNumber": "DFL-20140712-0028",
"object": "location1"
},
{
"@id": "provenance_record17",
"@type": "ProvenanceRecord",
"description": "Subject's WhatsApp account",
"exhibitNumber": "DFL-20140712-0029",
"object": "account1"
},
{
"@id": "provenance_record18",
"@type": "ProvenanceRecord",
"description": "Victim's WhatsApp account",
"exhibitNumber": "DFL-20140712-002A",
"object": "account2"
},
{
"@id": "provenance_record19",
"@type": "ProvenanceRecord",
"description": "Thumbnail of contraband picture",
"exhibitNumber": "DFL-20140712-002B",
"object": "decoded_blob"
},
{
"@id": "provenance_record20",
"@type": "ProvenanceRecord",
"description": "Encoded thumbnail of contraband picture",
"exhibitNumber": "DFL-20140712-002C",
"object": "decrypted_blob"
},
{
"@id": "provenance_record21",
"@type": "ProvenanceRecord",
"description": "Encrypted thumbnail of contraband picture",
"exhibitNumber": "DFL-20140712-002D",
"object": "sqlite_blob"
}
]
}