An Ontology for Digital Forensics in IT Security Incidents - OPUS
50 CHAPTER 6. FORENSIC ONTOLOGY

6.9 Memory

The Memory is structured closely to the description in section 4.2.2, as shown in figure 6.9. The Memory associates the entries for MemorySystemArchitecture and Metacode. The categories Metadata, Data and Code are linked to the corresponding RDFS classes for the specific entry types.

[Figure 6.9: Memory. RDFS graph (image not reproduced) of hw:Memory with the properties mem:hasMetadata, mem:hasMemorySystemArchitecture, mem:hasMetacode, mem:hasCode and mem:hasData, the classes mem:Metadata, mem:MemorySystemArchitecture, mem:Metacode, mem:Code and mem:Data, and the entry-specific classes mem:RuntimeOrganizationMetadata, mem:MemoryOrganizationMetadata, mem:OS-specificCode, mem:ApplicationCode, mem:ApplicationData and mem:OS-specificData, reached via mem:hasRuntimeOrganizationMetadata, mem:hasMemoryOrganizationMetadata, mem:hasOS-specificCode, mem:hasApplicationCode, mem:hasApplicationData and mem:hasOS-specificData.]
6.10. EXAMPLE 51

6.10 Example

In section 4.2.4 the data was structured. Now it will be put into the ontology.

6.10.1 Hard Disk

Listing 6.1 shows the triples that represent the data from the hard disk. The structure that is created by the FileSystemObject type is similar to the structure that can be seen when normally accessing the hard disk, but the deleted files are listed in the same way as the files that were not deleted, because the corresponding FileName entry provides the information on where the file was originally located.

Listing 6.1: Triples for the hard disk
Harddisk1 rdf:type hw:Harddisk
Harddisk1 fs:hasPartition Partition1
Partition1 rdf:type fs:Partition
Partition1 fs:hasRootObject FsFn0
Partition1 fs:hasFSFileName FsFn0
FsFn0 rdf:type fs:FSFileName
FsFn0 fsfn:name "Root Object"
FsO0 rdf:type fs:Folder
FsO0 fs:containsFSFileName FsFn0
FsO0 fs:childOf FsO0
Partition1 fs:hasFSFileName FsFn1
FsFn1 rdf:type fs:FSFileName
FsFn1 fsfn:name "Root Object/Registry_file"
FsO1 rdf:type fs:File
FsO1 fs:containsFSFileName FsFn1
FsO1 fs:childOf FsO0
Partition1 fs:hasFSFileName FsFn2
FsFn2 rdf:type fs:FSFileName
FsFn2 fsfn:name "Root Object/UserData"
FsO2 rdf:type fs:Folder
FsO2 fs:containsFSFileName FsFn2
FsO2 fs:childOf FsO0
Partition1 fs:hasFSFileName FsFn3
FsFn3 rdf:type fs:FSFileName
FsFn3 fsfn:name "Root Object/System"
FsO3 rdf:type fs:Folder
FsO3 fs:containsFSFileName FsFn3
FsO3 fs:childOf FsO0
Partition1 fs:hasFSFileName FsFn4
FsFn4 rdf:type fs:FSFileName
FsFn4 fsfn:name "Root Object/Programs"
FsO4 rdf:type fs:Folder
FsO4 fs:containsFSFileName FsFn4
FsO4 fs:childOf FsO0
Partition1 fs:hasFSFileName FsFn5
FsFn5 rdf:type fs:FSFileName
FsFn5 fsfn:name "Root Object/UserData/picture1"
FsO5 rdf:type fs:File
FsO5 fs:containsFSFileName FsFn5
FsO5 fs:childOf FsO2
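To show how the triples of Listing 6.1 can be turned back into a directory view, here is an added Python example (not code from the thesis). It parses a constructed excerpt of the listing, written in the same subject-predicate-object form, and rebuilds each object's path from fs:containsFSFileName and fs:childOf; the root folder FsO0 is childOf itself, so the upward walk has to stop on that self-loop. The function names and the tree representation are the example's own.

```python
# Added example, not the thesis's code: parse triples written like Listing 6.1 and rebuild
# the directory tree. The constructed excerpt below omits System, Programs and rdf:type triples.
LISTING_EXCERPT = """
FsFn0 fsfn:name "Root Object"
FsO0 fs:containsFSFileName FsFn0
FsO0 fs:childOf FsO0
FsFn1 fsfn:name "Root Object/Registry_file"
FsO1 fs:containsFSFileName FsFn1
FsO1 fs:childOf FsO0
FsFn2 fsfn:name "Root Object/UserData"
FsO2 fs:containsFSFileName FsFn2
FsO2 fs:childOf FsO0
FsFn5 fsfn:name "Root Object/UserData/picture1"
FsO5 fs:containsFSFileName FsFn5
FsO5 fs:childOf FsO2
"""

def parse_triples(text):
    """One 'subject predicate object' triple per line; a quoted literal is one object."""
    return [(s, p, o.strip().strip('"')) for s, p, o in
            (line.split(None, 2) for line in text.strip().splitlines())]

def build_tree(triples):
    """Map each FileSystemObject to (its FSFileName string, its fs:childOf parent)."""
    names, parents, by_fn = {}, {}, {}
    for s, p, o in triples:
        slot = {"fsfn:name": names, "fs:childOf": parents, "fs:containsFSFileName": by_fn}.get(p)
        if slot is not None:  # other predicates (rdf:type, hasPartition, ...) are ignored here
            slot[s] = o
    return {obj: (names[fn], parents[obj]) for obj, fn in by_fn.items()}

def path_of(obj, tree):
    """Rebuild the path by walking fs:childOf upwards; the root is childOf itself, which ends the walk."""
    parts = []
    while True:
        name, parent = tree[obj]
        parts.append(name.rsplit("/", 1)[-1])
        if parent == obj:
            return "/".join(reversed(parts))
        obj = parent

def list_folder(folder, tree):
    """Direct children of a folder, i.e. a directory listing; the root's self-loop is skipped."""
    return sorted(n.rsplit("/", 1)[-1] for o, (n, parent) in tree.items()
                  if parent == folder and o != folder)

def check_names(tree):
    """Objects whose FSFileName disagrees with the path rebuilt from fs:childOf (expect none)."""
    return sorted(o for o, (name, _) in tree.items() if path_of(o, tree) != name)

TREE = build_tree(parse_triples(LISTING_EXCERPT))
```

check_names is the consistency check an analyst would run after importing a listing: an object whose FSFileName string does not match the chain of fs:childOf parents points to a conversion error or a renamed entry.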