
For importing provide a property/attribute on Trace objects to describe their contents #21

Open
vikhari opened this issue Apr 13, 2018 · 1 comment

Comments

@vikhari
Member

vikhari commented Apr 13, 2018

Issue ported from old casework github repo (issue 37).
Original author: mike-parkhill

When importing a diverse set of trace objects you need to inspect the members of the PropertyBundle array to determine what the Trace relates to. This can be cumbersome since the logic on the ingesting side is going to be different based on the child types.

For example:

{
  "@type": "Trace",
  "@id": "https://www.netresec.com/20a91459-8fbb-4b90-a3fb-b4aa7f776a66",
  "createdBy": "https://www.netresec.com/1c7484fe-63f1-5af8-b4fb-e2386ab3c4b0",
  "createdTime": "2018-02-15T19:01:12.6271184Z",
  "propertyBundle": [
    {
      "@type": "File",
      "accessedTime": "2007-12-17T03:32:30.3990520Z",
      "extension": "html",
      "fileName": "index.html",
      "isDirectory": false,
      "sizeInBytes": 98500
    },
    {
      "@type": "ContentData",
      "dataPayloadReferenceURL": "D:\\NetworkMinerProfessional_2-2\\AssembledFiles\\151.193.224.81\\TCP-80\\index.html",
      "hash": [
        {
          "@type": "Hash",
          "hashMethod": "MD5",
          "hashValue": "abdb151dfd5775c05b47c0f4ea1cd3d7"
        }
      ],
      "sizeInBytes": 98500
    }
  ]
}

The above JSON is obviously a File object with metadata and content data. It would be nice to know this without having to iterate the bundle looking to see if it contains a File child. The more types of Trace bundles we support the messier this is going to get. Adding a @bundletype attribute or something would simplify ingestion greatly.

@cyberinvestigationexpress
Contributor

The duck model was selected to be flexible enough to represent a file in any context, including ones we are not currently aware of (e.g., concealment of a file in some new way). With the duck model, it is necessary to inspect all of its facets to get the full picture. Restricting with @bundletype goes against the use of the duck model.
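As an added illustration of the duck-model inspection described in this thread (example code written for this page, not part of the CASE project), the importer derives what a Trace is from the set of facet types in its propertyBundle, and cross-checks the facets before trusting them. The sample Trace, the facet-type names and the classification labels are constructed for the example and assume the JSON shape quoted in the issue.

```python
from typing import Any, Dict, List, Set

# Constructed sample Trace in the shape quoted in this issue (not real case data).
SAMPLE_TRACE: Dict[str, Any] = {
    "@type": "Trace",
    "@id": "https://example.org/trace/EXAMPLE-ID",
    "propertyBundle": [
        {"@type": "File", "fileName": "index.html", "extension": "html",
         "isDirectory": False, "sizeInBytes": 98500},
        {"@type": "ContentData",
         "dataPayloadReferenceURL": "D:\\example\\AssembledFiles\\index.html",
         "hash": [{"@type": "Hash", "hashMethod": "MD5",
                   "hashValue": "00000000000000000000000000000000"}],
         "sizeInBytes": 98500},
    ],
}
# Expected hex digest lengths for the hash methods this check recognises.
DIGEST_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64}


def facet_types(trace: Dict[str, Any]) -> Set[str]:
    """Return the @type of every facet in the Trace's propertyBundle."""
    bundle = trace.get("propertyBundle") or []
    return {f["@type"] for f in bundle if isinstance(f, dict) and "@type" in f}


def classify(trace: Dict[str, Any]) -> str:
    """Duck-model dispatch: decide what the Trace is from the facets it carries."""
    types = facet_types(trace)
    if {"File", "ContentData"} <= types:
        return "file-with-content"
    if "File" in types:
        return "file-metadata-only"
    return "unknown"


def consistency_issues(trace: Dict[str, Any]) -> List[str]:
    """Cross-check facets before trusting them: sizes must agree, digests be well-formed."""
    issues: List[str] = []
    bundle = [f for f in trace.get("propertyBundle") or [] if isinstance(f, dict)]
    sizes = {f["sizeInBytes"] for f in bundle if "sizeInBytes" in f}
    if len(sizes) > 1:
        issues.append(f"sizeInBytes disagrees across facets: {sorted(sizes)}")
    for facet in bundle:
        for h in facet.get("hash", []):
            method, value = h.get("hashMethod"), str(h.get("hashValue", ""))
            expected = DIGEST_HEX_LEN.get(method)
            if expected is None:
                issues.append(f"unknown hashMethod {method!r}")
            elif len(value) != expected or any(c not in "0123456789abcdef" for c in value.lower()):
                issues.append(f"malformed {method} digest {value!r}")
    return issues
```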
