Re: [sleuthkit-users] Naming Help Needed
From: Kalin K. <me....@gm...> - 2017-06-21 19:55:12
On Wed, Jun 21, 2017 at 4:32 PM, Brian Carrier <ca...@sl...> wrote:

> Question 1) A file has additional data, such as its path and MD5 values.
> What do you call those? We've used the terms feature, indicator, artifact,
> property, etc. Which makes the most sense to you?
>

Definitely not any of "feature, indicator, artifact". Files, by default, have no "MD5 values", those are calculated. Same with any hashing algorithm. I'd call those properties, probably avoiding metadata. Same for, say, some other classification like entropy, etc. To make it clear, I may add "calculated properties" or intrinsic properties.

Paths are slightly different, they are "organizational metadata", or I'd say filesystem metadata, or simply metadata. I can probably live with property, better "external property", or "location property". Similar to paths are inodes, URLs (that the file was fetched from), location on disk (sector/offset + size), location within another object (3rd file in a certain ZIP archive), etc. All those location properties can vary, be changed in time, yet the file itself is not changing (and so its intrinsic properties).

Although properties is a word abused in the Windows world of forensics, I think it is ok and will be happy if it is more classified into intrinsic, location, time, security, etc. properties.

> Question 2) A web bookmark has additional data, such as dates and URL. What
> do you call those? Same as in Q1?
>

What is a web bookmark? A record in a (flat file) database? A file? I'd say, the moment you define "web bookmark" it must consist of a URL, maybe name, description, maybe dates. Yes, I'd go with the same as Q1.

> To give some more context, we are about to release a new database that can
> be used to correlate data between cases (or between devices in the same
> case). But, we need a name to describe what we are storing, which includes:
> - MD5 hash of files

calculated properties

> - path of files

location properties

> - Email addresses
> - Domain names
> - Phone numbers

artifacts or regexp matches

> For a while, we were referring to these as artifacts, but that got too
> confusing because we already have a notion of artifacts in Autopsy, which
> are "bigger" things like web bookmarks and keyword hits.
>

IMHO, there is no problem in using artifacts broadly, if you keep properties for things like sizes, paths, hashes, etc. A domain name is a genuine artifact; it may be a property of a bookmark though if viewed in that context. Same for TLD.

Kalin.