An Ontology for Digital Forensics in IT Security Incidents - OPUS
CHAPTER 6. FORENSIC ONTOLOGY

Figure 6.5: Process (class diagram: pro:ProcessList, pro:Process, pro:Thread and sw:Resource, linked by the properties pro:hasProcess, pro:parent, pro:hasThread and pro:hasResource, each with its rdfs:domain and rdfs:range)
6.7 Registry<br />
The representation of the Registry in the ontology, as shown in figure 6.7, is very close to the structure described in section 4.2.3.1. The Registry contains Hives and each of them has a root Key. Each Key has a name and a State that represents the flag where the key can be found. Keys can have sub-Keys and Values. Values contain a key-value pair, a ValueType for the type of the stored value and also a State.
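The class structure above fixes an rdfs:domain and rdfs:range for every link between Registry, Hive, Key, Value, ValueType and State, which is what lets a tool reject malformed evidence graphs before they are reasoned over. The following added example (not code from the thesis) encodes that structure as a small domain/range table and checks a constructed instance graph against it; the "reg:" and "ex:" prefixes and the has* property names are assumptions, since the page only names the classes.

```python
"""Domain/range check for Registry instance data against the classes of
section 6.7 (Registry, Hive, Key, Value, ValueType, State). The "reg:"/"ex:"
prefixes and the has* property names are assumed for this example."""
from collections import defaultdict

RDF_TYPE = "rdf:type"

# property -> (rdfs:domain, rdfs:range), following the structure in 6.7
PROPERTIES = {
    "reg:hasHive":      ("reg:Registry", "reg:Hive"),
    "reg:hasRootKey":   ("reg:Hive",     "reg:Key"),
    "reg:hasSubKey":    ("reg:Key",      "reg:Key"),
    "reg:hasValue":     ("reg:Key",      "reg:Value"),
    "reg:hasValueType": ("reg:Value",    "reg:ValueType"),
    "reg:hasState":     ("reg:Key",      "reg:State"),
}

def check_domain_range(triples):
    """Return (triple, reason) pairs for every has* triple whose subject is
    not typed with the property's domain or whose object is not typed with
    its range. An empty list means the instance graph is consistent."""
    types = defaultdict(set)
    for s, p, o in triples:
        if p == RDF_TYPE:
            types[s].add(o)
    problems = []
    for s, p, o in triples:
        if p not in PROPERTIES:
            continue
        dom, rng = PROPERTIES[p]
        if dom not in types[s]:
            problems.append(((s, p, o), f"subject is not a {dom}"))
        if rng not in types[o]:
            problems.append(((s, p, o), f"object is not a {rng}"))
    return problems

# Constructed sample graph: one hive, its root key, a sub-key with one value
SAMPLE = [
    ("ex:reg", RDF_TYPE, "reg:Registry"),
    ("ex:hive", RDF_TYPE, "reg:Hive"),     ("ex:reg", "reg:hasHive", "ex:hive"),
    ("ex:root", RDF_TYPE, "reg:Key"),      ("ex:hive", "reg:hasRootKey", "ex:root"),
    ("ex:run", RDF_TYPE, "reg:Key"),       ("ex:root", "reg:hasSubKey", "ex:run"),
    ("ex:alloc", RDF_TYPE, "reg:State"),   ("ex:run", "reg:hasState", "ex:alloc"),
    ("ex:val", RDF_TYPE, "reg:Value"),     ("ex:run", "reg:hasValue", "ex:val"),
    ("ex:sz", RDF_TYPE, "reg:ValueType"),  ("ex:val", "reg:hasValueType", "ex:sz"),
]
# Same graph plus one malformed triple: a Value where hasSubKey expects a Key
MALFORMED = SAMPLE + [("ex:root", "reg:hasSubKey", "ex:val")]
```

Running check_domain_range on SAMPLE yields no problems, while MALFORMED is reported with exactly one range violation on the added triple.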
6.8 File System<br />
A Harddisk has a Partition. The Partition is divided into the five classifications from section 4.2.1. The different categories have their corresponding RDFS class for the single entries. The entries are connected to the Partition with the appropriate has* property. Then there is the meta structure FileSystemObject which connects the associated entries of the different sections, but the derived classes File and Folder should preferably be used, as they allow building the typical file hierarchy. The structure is visualized in figure 6.8.