An Ontology for Digital Forensics in IT Security Incidents - OPUS
52 CHAPTER 6. FORENSIC ONTOLOGY
Partition1 fs:hasFSFileName FsFn6
FsFn6 rdf:type fs:FSFileName
FsFn6 fsfn:name "Root Object/UserData/Malware"
FsO6 rdf:type fs:File
FsO6 fs:containsFSFileName FsFn6
FsO6 fs:childOf FsO2
Partition1 fs:hasFSFileName FsFn7
FsFn7 rdf:type fs:FSFileName
FsFn7 fsfn:name "Root Object/UserData/ImportantDocument"
FsO7 rdf:type fs:File
FsO7 fs:containsFSFileName FsFn7
FsO7 fs:childOf FsO2
Partition1 fs:hasFSFileName FsFn8
FsFn8 rdf:type fs:FSFileName
FsFn8 fsfn:name "Root Object/System/Kernel"
FsO8 rdf:type fs:File
FsO8 fs:containsFSFileName FsFn8
FsO8 fs:childOf FsO3
Partition1 fs:hasFSFileName FsFn9
FsFn9 rdf:type fs:FSFileName
FsFn9 fsfn:name "Root Object/Programs/Browser"
FsO9 rdf:type fs:File
FsO9 fs:containsFSFileName FsFn9
FsO9 fs:childOf FsO4
Partition1 fs:hasFSFileName FsFn10
FsFn10 rdf:type fs:FSFileName
FsFn10 fsfn:name "Root Object/Programs/FileExplorer"
FsO10 rdf:type fs:File
FsO10 fs:containsFSFileName FsFn10
FsO10 fs:childOf FsO4
Listing 6.1: Sample hard disk triples

6.10.2 Random Access Memory
Listing 6.2 shows the triples that represent the data from the random access
memory. The process Malware is not visible with the standard tools available
in the operating system, but it can be found because it is stored in the
memory.
pro:ProcessList pro:hasProcess Proc0
Proc0 pro:parent Proc0
Proc0 pro:name "Kernel"
pro:ProcessList pro:hasProcess Proc1
Proc1 pro:parent Proc0
Proc1 pro:name "Browser"
Proc1 pro:hasConnection "www.google.com"
pro:ProcessList pro:hasProcess Proc2
Proc2 pro:parent Proc0
Proc2 pro:name "FileExplorer"
Proc2 pro:hasResource FsO5
Proc2 pro:hasConnection "www.malicious-server.com"
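
The following is an added example, not code from the thesis: it loads a subset of the hard disk and memory triples shown above (extraction spacing normalized) and joins each memory process with its on-disk image, network connections and open resources. The helper names match, file_path and correlate are hypothetical, and linking a process to a file by the last component of the file's path is an assumption made for illustration; FsO5 is not defined in the triples shown on this page, so it is reported as unresolved.

```python
# Added example: a minimal in-memory triple store over the sample triples.
# Triples are copied from Listings 6.1 and 6.2 as shown on this page.
TRIPLES = [
    ("FsFn8", "fsfn:name", "Root Object/System/Kernel"),
    ("FsO8", "fs:containsFSFileName", "FsFn8"),
    ("FsFn9", "fsfn:name", "Root Object/Programs/Browser"),
    ("FsO9", "fs:containsFSFileName", "FsFn9"),
    ("FsFn10", "fsfn:name", "Root Object/Programs/FileExplorer"),
    ("FsO10", "fs:containsFSFileName", "FsFn10"),
    ("Proc0", "pro:name", "Kernel"),
    ("Proc1", "pro:name", "Browser"),
    ("Proc1", "pro:hasConnection", "www.google.com"),
    ("Proc2", "pro:name", "FileExplorer"),
    ("Proc2", "pro:hasResource", "FsO5"),
    ("Proc2", "pro:hasConnection", "www.malicious-server.com"),
]

def match(s=None, p=None, o=None):
    """Return all triples matching the pattern; None acts as a wildcard."""
    return [t for t in TRIPLES
            if s in (None, t[0]) and p in (None, t[1]) and o in (None, t[2])]

def file_path(fs_obj):
    """Resolve a file object to its path: fs:containsFSFileName, then fsfn:name."""
    for _, _, fn in match(fs_obj, "fs:containsFSFileName"):
        for _, _, path in match(fn, "fsfn:name"):
            return path
    return None  # object is not described in the triples loaded here

def correlate():
    """Join each memory process with its disk image, connections and resources."""
    report = {}
    for proc, _, name in match(p="pro:name"):
        # Assumption: a process maps to the file whose last path component
        # equals the process name.
        images = [path for _, _, path in match(p="fsfn:name")
                  if path.rsplit("/", 1)[-1] == name]
        report[name] = {
            "image": images[0] if images else None,
            "connections": [o for _, _, o in match(proc, "pro:hasConnection")],
            "resources": {o: file_path(o)
                          for _, _, o in match(proc, "pro:hasResource")},
        }
    return report

if __name__ == "__main__":
    for name, info in correlate().items():
        print(name, info)
```

Loading the remaining disk triples into TRIPLES makes the FsO5 reference resolve to a path instead of None.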