Thread: [sleuthkit-users] Naming Help Needed
From: Brian C. <ca...@sl...> - 2017-06-21 14:32:30
We're about to release the first version of a new database that Autopsy can use to support various analytical features and we're having trouble with terms and naming. So, we are seeking some more opinions.

Question 1) A file has additional data, such as its path and MD5 values. What do you call those? We've used the terms feature, indicator, artifact, property, etc. Which makes the most sense to you?

Question 2) A web bookmark has additional data, such as dates and URL. What do you call those? Same as in Q1?

To give some more context, we are about to release a new database that can be used to correlate data between cases (or between devices in the same case). But, we need a name to describe what we are storing, which includes:
- MD5 hash of files
- path of files
- Email addresses
- Domain names
- Phone numbers

For a while, we were referring to these as artifacts, but that got too confusing because we already have a notion of artifacts in Autopsy, which are "bigger" things like web bookmarks and keyword hits.

thanks,
brian
From: Danilo M. <da...@gm...> - 2017-06-21 14:59:14
Property.

On 21 Jun 2017 11:37, "Brian Carrier" <ca...@sl...> wrote:
> We're about to release the first version of a new database that Autopsy can use to support various analytical features and we're having trouble with terms and naming.
From: Keith W. <kwa...@gm...> - 2017-06-21 15:03:27
I would go with property/properties for both. Artifacts of an artifact is confusing. I don't like feature or indicator.

"Details" might not be a bad term as well. These are the fine details pertaining to an artifact.

-keith

On Wed, Jun 21, 2017 at 8:32 AM, Brian Carrier <ca...@sl...> wrote:
> We're about to release the first version of a new database that Autopsy can use to support various analytical features and we're having trouble with terms and naming.
From: Pasquale R. <pjr...@gm...> - 2017-06-21 15:35:44
That information seems to all be different types of "identifiers". Not sure if you are using that one already. Otherwise details or properties works.

Pasquale

On Wed, Jun 21, 2017 at 11:03 AM, Keith Wall <kwa...@gm...> wrote:
> I would go with property/properties for both. Artifacts of an artifact is confusing. I don't like feature or indicator.
From: Derrick K. <dk...@gm...> - 2017-06-21 15:46:19
I'd go with property on q1 as well. I've seen "metadata" abused for things like q2 and in some cases it actually isn't a bad choice. However, we are so used to metadata being data that is internal to a single file that it may be confusing to use it for data that is related to an artifact.

Derrick

On Jun 21, 2017 09:09, "Keith Wall" <kwa...@gm...> wrote:
> I would go with property/properties for both. Artifacts of an artifact is confusing. I don't like feature or indicator.
From: Jon S. <JSt...@St...> - 2017-06-21 15:31:11
Or just good old "metadata" for the collection of them (a hash is computed so that could be argued, but path is clearly "metadata"). But property/properties makes sense and is pretty consistent with other tools.

Jon

> -----Original Message-----
> From: Keith Wall [mailto:kwa...@gm...]
> Sent: Wednesday, June 21, 2017 11:03 AM
> Subject: Re: [sleuthkit-users] Naming Help Needed
>
> I would go with property/properties for both. Artifacts of an artifact is confusing. I don't like feature or indicator.
From: Luís F. N. <lfc...@gm...> - 2017-06-21 15:33:06
Property or attribute.

Luis

On 21 Jun 2017 11:37 AM, "Brian Carrier" <ca...@sl...> wrote:
> We're about to release the first version of a new database that Autopsy can use to support various analytical features and we're having trouble with terms and naming.
From: MATT P. <mat...@ad...> - 2017-06-21 16:01:30
My initial idea was metadata. I have a concern with that as ediscovery folks and lawyers use that term generically for document embedded data about the creation and modification attributes.

I would go with properties or attributes myself.

-----Original Message-----
From: Jon Stewart [mailto:JSt...@St...]
Sent: Wednesday, June 21, 2017 10:11 AM
Subject: Re: [sleuthkit-users] Naming Help Needed

Or just good old "metadata" for the collection of them (a hash is computed so that could be argued, but path is clearly "metadata"). But property/properties makes sense and is pretty consistent with other tools.
From: Robert P. <rj...@gm...> - 2017-06-21 18:13:11
I think the Properties label works well...

Rob

On Wed, Jun 21, 2017, 12:06 PM MATT PIERCE <mat...@ad...> wrote:
> My initial idea was metadata. I have a concern with that as ediscovery folks and lawyers use that term generically for document embedded data about the creation and modification attributes.
>
> I would go with properties or attributes myself.
From: Kalin K. <me....@gm...> - 2017-06-21 19:55:12
On Wed, Jun 21, 2017 at 4:32 PM, Brian Carrier <ca...@sl...> wrote:
> Question 1) A file has additional data, such as its path and MD5 values. What do you call those? We've used the terms feature, indicator, artifact, property, etc. Which makes the most sense to you?

Definitely not any of "feature, indicator, artifact". Files, by default, have no "MD5 values", those are calculated. Same with any hashing algorithm. I'd call those properties, probably avoiding metadata. Same for say some other classification like entropy, etc. To make it clear, I may add "calculated properties" or intrinsic properties.

Paths are slightly different, they are "organizational metadata", or I'd say filesystem metadata, or simply metadata. I can probably live with property, better "external property", or "location property". Similar to paths are inodes, URLs (that file was fetched from), location on disk (sector/offset + size), location within other object (3rd file in a certain ZIP archive), etc. All those location properties can vary, be changed in time, yet the file itself is not changing (and so its intrinsic properties).

Although properties is a word abused in the Windows world of forensics, I think it is ok and will be happy it is more classified into intrinsic, location, time, security, etc. properties.

> Question 2) A web bookmark has additional data, such as dates and URL. What do you call those? Same as in Q1?

What is a web bookmark? A record in a (flat file) database? A file? I'd say, the moment you define "web bookmark" it must consist of a URL, may be name, description, may be dates. Yes, I'd go with same as Q1.

> To give some more context, we are about to release a new database that can be used to correlate data between cases (or between devices in the same case). But, we need a name to describe what we are storing, which includes:
> - MD5 hash of files

calculated properties

> - path of files

location properties

> - Email addresses
> - Domain names
> - Phone numbers

artifacts or regexp matches

> For a while, we were referring to these as artifacts, but that got too confusing because we already have a notion of artifacts in Autopsy, which are "bigger" things like web bookmarks and keyword hits.

IMHO, there is no problem in using artifacts broadly, if you keep properties for things like sizes, paths, hashes, etc. A domain name is a genuine artifact, it may be a property of a bookmark though if viewed in that context. Same for TLD.

Kalin.
From: Hoyt H. <hoy...@gm...> - 2017-06-23 14:26:16
I agree with "property" as well.

On Wed, Jun 21, 2017 at 9:32 AM, Brian Carrier <ca...@sl...> wrote:
> We're about to release the first version of a new database that Autopsy can use to support various analytical features and we're having trouble with terms and naming.

--
Hoyt
-----------------
There are 11 kinds of people - those who think binary jokes are funny, those who don't, ...and those who don't know binary.
From: Brian C. <ca...@sl...> - 2017-06-23 14:32:39
Thanks for everyone's comments on this.

We decided to go with attributes because we already use that term in Autopsy and so it is less confusing.

The remaining naming question is a generic name for lists of "known" things (good, bad, etc.):
- hashsets
- watch lists / black lists (i.e. phone numbers or emails of "bad" people)
- white lists (i.e. generic phone numbers or emails)

We've discussed the term "reference set". Any other ideas? We don't want to change the schema after we release this!

thanks,
brian

On Wed, Jun 21, 2017 at 10:32 AM, Brian Carrier <ca...@sl...> wrote:
> We're about to release the first version of a new database that Autopsy can use to support various analytical features and we're having trouble with terms and naming.
From: Brian C. <ca...@sl...> - 2017-06-23 14:45:36
Actually, I should clarify. We are using the term attribute in the code so that there is an obvious mapping between "Blackboard Attributes" and "Correlation Attributes", but we'll likely use property in the UI since that seems to be a more natural term for users.

On Fri, Jun 23, 2017 at 10:32 AM, Brian Carrier <ca...@sl...> wrote:
> Thanks for everyone's comments on this.
>
> We decided to go with attributes because we already use that term in Autopsy and so it is less confusing.
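The thread describes the data model in words only: typed values (MD5 hash, path, email address, domain name, phone number) stored per case and per data source so they can be correlated across cases, plus named "reference sets" of known-good and known-bad values. The script below is an added example, written for this edit and not code from Autopsy or The Sleuth Kit; its schema, table names, function names and sample data are all constructed assumptions that follow the thread's final naming ("correlation attributes", "reference sets"). It shows the two queries such a database exists to answer: which values appear in more than one case, and which values match a reference set. Normalising values before storage (lower-casing hashes and mailboxes, stripping phone-number punctuation) is what makes "+1 (555) 010-0100" on one device match "15550100100" on another.

```python
import sqlite3
from typing import List, Tuple

# Constructed toy schema (an assumption for this example; Autopsy's real
# central-repository schema is not reproduced here). A correlation attribute is
# a typed value tied to the case and data source it was seen in; a reference set
# is a named list of known-good or known-bad values of one attribute type.
SCHEMA = """
CREATE TABLE correlation_types (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE cases (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE data_sources (id INTEGER PRIMARY KEY,
    case_id INTEGER NOT NULL REFERENCES cases(id), name TEXT NOT NULL,
    UNIQUE (case_id, name));
CREATE TABLE correlation_attributes (id INTEGER PRIMARY KEY,
    type_id INTEGER NOT NULL REFERENCES correlation_types(id),
    value TEXT NOT NULL,                 -- stored normalised, see normalise()
    case_id INTEGER NOT NULL REFERENCES cases(id),
    data_source_id INTEGER NOT NULL REFERENCES data_sources(id),
    file_path TEXT);                     -- where in the data source it was seen
CREATE INDEX idx_attr_type_value ON correlation_attributes (type_id, value);
CREATE TABLE reference_sets (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE,
    type_id INTEGER NOT NULL REFERENCES correlation_types(id),
    known_status TEXT NOT NULL CHECK (known_status IN ('KNOWN_GOOD', 'KNOWN_BAD')));
CREATE TABLE reference_set_values (set_id INTEGER NOT NULL REFERENCES reference_sets(id),
    value TEXT NOT NULL, PRIMARY KEY (set_id, value));
"""

TYPES = ["MD5", "PATH", "EMAIL", "DOMAIN", "PHONE"]  # the five kinds listed in the thread


def normalise(type_name: str, value: str) -> str:
    """Canonicalise a value so the same thing seen in two cases compares equal."""
    v = value.strip()
    if type_name in ("MD5", "EMAIL", "DOMAIN"):
        v = v.lower()                    # hex digests, mailboxes and hostnames: case-insensitive here
    elif type_name == "PHONE":
        v = "".join(ch for ch in v if ch.isdigit())  # "+1 (555) 010-0100" -> "15550100100"
    return v


def _id(conn: sqlite3.Connection, table: str, **cols) -> int:
    """Row id for the given column values, inserting the row if it does not exist.
    Table/column names come only from this module's constants, values are bound."""
    where = " AND ".join(f"{k} = ?" for k in cols)
    row = conn.execute(f"SELECT id FROM {table} WHERE {where}", tuple(cols.values())).fetchone()
    if row:
        return row[0]
    keys, marks = ", ".join(cols), ", ".join("?" * len(cols))
    return conn.execute(f"INSERT INTO {table} ({keys}) VALUES ({marks})", tuple(cols.values())).lastrowid


def add_attribute(conn, case, data_source, type_name, value, file_path=None) -> None:
    case_id = _id(conn, "cases", name=case)
    ds_id = _id(conn, "data_sources", case_id=case_id, name=data_source)
    type_id = _id(conn, "correlation_types", name=type_name)
    conn.execute("INSERT INTO correlation_attributes (type_id, value, case_id, data_source_id, file_path)"
                 " VALUES (?, ?, ?, ?, ?)", (type_id, normalise(type_name, value), case_id, ds_id, file_path))


def add_reference_set(conn, name, type_name, known_status, values) -> None:
    type_id = _id(conn, "correlation_types", name=type_name)
    set_id = _id(conn, "reference_sets", name=name, type_id=type_id, known_status=known_status)
    conn.executemany("INSERT OR IGNORE INTO reference_set_values (set_id, value) VALUES (?, ?)",
                     [(set_id, normalise(type_name, v)) for v in values])


def cross_case_values(conn) -> List[Tuple[str, str, List[str]]]:
    """Values of any type seen in more than one case: (type, value, sorted case names)."""
    rows = conn.execute("""
        SELECT t.name, a.value, GROUP_CONCAT(DISTINCT c.name)
        FROM correlation_attributes a
        JOIN correlation_types t ON t.id = a.type_id
        JOIN cases c ON c.id = a.case_id
        GROUP BY t.name, a.value
        HAVING COUNT(DISTINCT c.id) > 1
        ORDER BY t.name, a.value""").fetchall()
    return [(t, v, sorted(cases.split(","))) for t, v, cases in rows]


def reference_set_hits(conn) -> List[Tuple[str, str, str, str]]:
    """Attributes whose value is on a reference set: (set name, status, value, case)."""
    return conn.execute("""
        SELECT r.name, r.known_status, a.value, c.name
        FROM reference_set_values v
        JOIN reference_sets r ON r.id = v.set_id
        JOIN correlation_attributes a ON a.type_id = r.type_id AND a.value = v.value
        JOIN cases c ON c.id = a.case_id
        ORDER BY r.name, c.name""").fetchall()


def build_sample_db() -> sqlite3.Connection:
    """In-memory database filled with constructed sample data (not real case data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for t in TYPES:
        _id(conn, "correlation_types", name=t)
    add_attribute(conn, "Case-A", "laptop-01", "MD5", "0123456789ABCDEF0123456789ABCDEF",
                  r"C:\Users\alice\Downloads\invoice.exe")
    add_attribute(conn, "Case-A", "laptop-01", "EMAIL", "Alice@example.test")
    add_attribute(conn, "Case-A", "laptop-01", "DOMAIN", "updates.example.test")
    add_attribute(conn, "Case-A", "laptop-01", "PHONE", "+1 (555) 010-0100")
    add_attribute(conn, "Case-B", "phone-02", "PHONE", "15550100100")
    add_attribute(conn, "Case-B", "phone-02", "EMAIL", "bob@example.test")
    add_attribute(conn, "Case-B", "laptop-03", "MD5", "0123456789abcdef0123456789abcdef",
                  "/home/bob/invoice.exe")
    add_attribute(conn, "Case-B", "laptop-03", "DOMAIN", "cdn.example.test")
    # Constructed reference sets: a known-bad hash list and a known-good domain list.
    add_reference_set(conn, "sample-known-bad-md5", "MD5", "KNOWN_BAD",
                      ["0123456789abcdef0123456789abcdef"])
    add_reference_set(conn, "sample-known-good-domains", "DOMAIN", "KNOWN_GOOD",
                      ["cdn.example.test"])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for row in cross_case_values(db):
        print("seen in several cases:", row)
    for row in reference_set_hits(db):
        print("reference set hit:", row)
```

Because `known_status` is a column of the reference set rather than part of its name, the same query serves hash sets, watch lists and white lists alike, which is the generic notion the thread is trying to name; the index on `(type_id, value)` is what keeps both queries cheap once the table holds values from many cases.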
From: Jasey D. <jrd...@gm...> - 2017-06-23 14:46:23
Would "indicators" work for these? We typically call the discovery of known-bad hash values and hitting black listed sites an "indicator of compromise". But not all indicators are necessarily negative.

-Jasey

On Fri, Jun 23, 2017 at 9:32 AM, Brian Carrier <ca...@sl...> wrote:
> The remaining naming question is a generic name for lists of "known" things (good, bad, etc.):
> - hashsets
> - watch lists / black lists (i.e. phone numbers or emails of "bad" people)
> - white lists (i.e. generic phone numbers or emails)
>
> We've discussed the term "reference set". Any other ideas? We don't want to change the schema after we release this!
From: Kalin K. <me....@gm...> - 2017-06-23 21:53:32
On Jun 23, 2017 16:33, "Brian Carrier" <ca...@sl...> wrote:
> Thanks for everyone's comments on this.
>
> We decided to go with attributes because we already use that term in Autopsy and so it is less confusing.
>
> The remaining naming question is a generic name for lists of "known" things (good, bad, etc.):
> - hashsets
> - watch lists / black lists (i.e. phone numbers or emails of "bad" people)
> - white lists (i.e. generic phone numbers or emails)
>
> We've discussed the term "reference set". Any other ideas?

Simply list/s or matchlist/s may do.

Kalin.