SleuthKit CASE UCO mapping

Concept mappings

|Sleuthkit|CASE/UCO|
|---|---|
|object|Trace|
|parent object|separate Trace with a "contained-within" Relationship to it|
|image|Trace with various (Image, File, ContentData, etc.) property bundles|
|volume system|Trace with Volume (and possibly other) property bundles|
|partition|Trace with DiskPartition (and possibly other) property bundles|
|file system|Trace with FileSystem (and possibly other) property bundles|
|file|Trace with File (and possibly other, e.g. ContentData, ExtInode, MftRecord, ArchiveFile, FilePermissions) property bundles|
|file layout|Trace for the file as described above; separate Trace with ContentData for each byte run; separate "contained-within" Relationship between fragment and image with DataRange property bundle for each byte run; separate "has-fragment" Relationship between file and fragment with Fragment property bundle for each byte run|
|derived files method|ForensicAction with associated 'instrument' property reference to a Tool object|
|artifact|property bundle on Trace|
|attribute|property|
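The "file layout" row above is the one place where a single Sleuth Kit object fans out into several CASE/UCO objects, so it is worth seeing end to end. The following is an added example, not code from the CASE/UCO project or from The Sleuth Kit: it takes a constructed file record with two non-contiguous byte runs and emits the file Trace (File and ContentData bundles, with Hash objects as the TSK_HASH_* attribute rows describe), one fragment Trace per byte run, a "contained-within" Relationship with a DataRange bundle from each fragment to the image, and a "has-fragment" Relationship with a Fragment bundle from the file to each fragment. It then runs the consistency checks an importer should apply (fragment sizes sum to the file size, image ranges do not overlap). The JSON-LD key names (`propertyBundle`, `kind`, `source`, `target`, `rangeOffset`, `rangeSize`, `fragmentIndex`, `totalFragments`), the `kb:` identifiers and the `@context` are assumptions modelled on the CASE 0.1-era serialization, and the sample record is constructed.

```python
import hashlib
import json

# Constructed sample: a Sleuth Kit file record as it might be read out of the TSK
# database, with two non-contiguous byte runs (not a real TSK API or record).
SAMPLE_CONTENT = b"A" * 4096 + b"B" * 4096
SAMPLE_FILE = {
    "obj_id": 17,
    "name": "notes.txt",
    "path": "/Users/analyst/notes.txt",
    "extension": "txt",
    "created": "2020-01-05T10:00:00Z",
    "modified": "2020-01-06T11:30:00Z",
    "accessed": "2020-01-07T08:15:00Z",
    "content": SAMPLE_CONTENT,
    # (offset within file, offset within image, length), like TSK byte runs
    "byte_runs": [(0, 409600, 4096), (4096, 1024000, 4096)],
}
IMAGE_ID = "kb:image-1"  # assumed id of the Trace already emitted for the disk image


def hash_bundle(content: bytes) -> list:
    """TSK_HASH_MD5 / TSK_HASH_SHA256 -> uco-core.Hash objects (hashMethod + hashValue)."""
    return [
        {"@type": "Hash", "hashMethod": name,
         "hashValue": getattr(hashlib, fn)(content).hexdigest()}
        for name, fn in (("MD5", "md5"), ("SHA256", "sha256"))
    ]


def relationship(rel_id: str, source: str, target: str, kind: str, bundle: dict) -> dict:
    """A directional uco-core.Relationship carrying one property bundle (key names assumed)."""
    return {"@id": rel_id, "@type": "Relationship", "kind": kind, "isDirectional": True,
            "source": source, "target": target, "propertyBundle": [bundle]}


def map_file_layout(rec: dict, image_id: str) -> list:
    """Emit the Traces and Relationships the 'file layout' concept row calls for."""
    file_id = f"kb:file-{rec['obj_id']}"
    content = rec["content"]
    objs = [{
        "@id": file_id, "@type": "Trace",
        "propertyBundle": [
            # TSK_FILE_TYPE_EXT, TSK_DATETIME_* and path map onto the File bundle
            {"@type": "File", "fileName": rec["name"], "filePath": rec["path"],
             "extension": rec["extension"], "createdTime": rec["created"],
             "modifiedTime": rec["modified"], "accessedTime": rec["accessed"],
             "sizeInBytes": len(content)},
            {"@type": "ContentData", "sizeInBytes": len(content), "hash": hash_bundle(content)},
        ],
    }]
    runs = rec["byte_runs"]
    for i, (file_off, image_off, length) in enumerate(runs):
        frag_id = f"{file_id}-fragment-{i}"
        # one Trace with a ContentData bundle per byte run
        objs.append({"@id": frag_id, "@type": "Trace",
                     "propertyBundle": [{"@type": "ContentData", "sizeInBytes": length,
                                         "hash": hash_bundle(content[file_off:file_off + length])}]})
        # fragment -> image: where in the image this run lives (DataRange bundle)
        objs.append(relationship(f"{frag_id}-in-image", frag_id, image_id, "contained-within",
                                 {"@type": "DataRange", "rangeOffset": image_off, "rangeSize": length}))
        # file -> fragment: which piece of the file this run is (Fragment bundle)
        objs.append(relationship(f"{file_id}-has-fragment-{i}", file_id, frag_id, "has-fragment",
                                 {"@type": "Fragment", "fragmentIndex": i, "totalFragments": len(runs)}))
    return objs


def check_layout(objs: list, file_id: str) -> dict:
    """Importer-side sanity checks: fragments add up to the file size and image ranges do not overlap."""
    by_id = {o["@id"]: o for o in objs}
    file_size = next(b["sizeInBytes"] for b in by_id[file_id]["propertyBundle"] if b["@type"] == "File")
    frags = [r for r in objs if r.get("kind") == "has-fragment" and r["source"] == file_id]
    frag_ids = {r["target"] for r in frags}
    frag_size = sum(next(b["sizeInBytes"] for b in by_id[r["target"]]["propertyBundle"]) for r in frags)
    ranges = sorted((b["rangeOffset"], b["rangeSize"])
                    for r in objs if r.get("kind") == "contained-within" and r["source"] in frag_ids
                    for b in r["propertyBundle"] if b["@type"] == "DataRange")
    overlap = any(ranges[k][0] + ranges[k][1] > ranges[k + 1][0] for k in range(len(ranges) - 1))
    return {"fragment_count": len(frags), "sizes_match": frag_size == file_size, "ranges_overlap": overlap}


def to_jsonld(objs: list) -> str:
    """Wrap the objects in a minimal JSON-LD document (context URL is a placeholder)."""
    return json.dumps({"@context": {"kb": "http://example.org/kb/"}, "@graph": objs}, indent=2)


if __name__ == "__main__":
    graph = map_file_layout(SAMPLE_FILE, IMAGE_ID)
    print(to_jsonld(graph))
    print(check_layout(graph, "kb:file-17"))
```

The second byte run is deliberately placed far from the first so that the DataRange bundles, not the fragment order, are what tell an importer where the data sits in the image; `check_layout` is the kind of check to run before trusting a graph produced by a third-party exporter.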

Table mappings

|Sleuthkit|CASE/UCO Class|
|---|---|
|Object|Trace|
|Image|Traces with File, ContentData, Image, etc. property bundles|
|Volume|Traces with Volume, DiskPartition, etc. property bundles|
|File System|Traces with FileSystem, File, ContentData, DataRange, FilePermissions, Fragment, ExtInode, MftRecord, etc. property bundles; Relationship; Tool|
|Blackboard|Traces with various property bundles|

Artifact mappings

|Sleuthkit|CASE/UCO Class|CASE/UCO Property|Mapping Examples|CASE/UCO Example|
|---|---|---|---|---|
|object|Trace||||
|TSK_ACCOUNT|uco-observable.Account|||accounts.json|
|TSK_BLUETOOTH_PAIRING|uco-action.Action|uco-action.Action.name="Bluetooth Paired" AND uco-action.Action.ActionReferences.object containing references to paired devices|||
|TSK_CALENDAR_ENTRY|uco-observable.CalendarEntry||Calendar Entry mapping||
|TSK_CALLLOG|uco-observable.PhoneCall||CallLog mapping||
|TSK_CONTACT|uco-observable.Contact||Contact mapping|sms_and_contacts.json|
|TSK_DEVICE_ATTACHED|uco-action.Action|uco-action.Action.name="Device Attached" AND uco-action.Action.ActionReferences.object containing references to attached device|||
|TSK_EMAIL_MSG|uco-observable.EmailMessage||Email Message mapping||
|TSK_ENCRYPTION_DETECTED|uco-action.Action|uco-action.Action.name="Encryption Detected" AND uco-action.Action.ActionReferences.object containing references to encrypted objects|||
|TSK_EXT_MISMATCH_DETECTED|uco-action.Action|uco-action.Action.name="Extension Mismatch Detected" AND uco-action.Action.ActionReferences.object containing references to file Trace with mismatch|||
|TSK_EXTRACTED_TEXT|uco-observable.ExtractedStrings||||
|TSK_FACE_DETECTED|uco-action.Action|uco-action.Action.name="Face Detected" AND uco-action.Action.ActionReferences.object containing references to object containing face|||
|TSK_GEN_INFO|Not Applicable to be mapped||||
|TSK_GPS_BOOKMARK|uco-core.Location; uco-core.GPSCoordinates; uco-observable.GeoLocationEntry||GPS Bookmark mapping||
|TSK_GPS_LAST_KNOWN_LOCATION|uco-core.Location; uco-core.GPSCoordinates; uco-observable.GeoLocationEntry||||
|TSK_GPS_ROUTE|uco-observable.GeoLocationTrack||||
|TSK_GPS_SEARCH|N/A (Gap)🔴||||
|TSK_GPS_TRACKPOINT|uco-core.Location; uco-core.GPSCoordinates; uco-observable.GeoLocationEntry||Trackpoint mapping||
|TSK_HASHSET_HIT|More information needed||||
|TSK_INSTALLED_PROG|uco-action.Action|uco-action.Action.name="Program Installed" AND uco-action.Action.ActionReferences.object containing references to Trace representing installed software|Installed Program mapping||
|TSK_INTERESTING_ARTIFACT_HIT|??? Action?||||
|TSK_INTERESTING_FILE_HIT|??? Action?||||
|TSK_KEYWORD_HIT|??? Action?||||
|TSK_MESSAGE|uco-observable.Message|||message.json|
|TSK_METADATA_EXIF|uco-observable.EXIF|||exif_data.json|
|TSK_OS_ACCOUNT|uco-observable.Account; uco-observable.DigitalAccount; uco-observable.UserAccount||OS Account mapping||
|TSK_OS_INFO|uco-observable.OperatingSystem|||device.json|
|TSK_PROG_RUN|uco-action.Action|uco-action.Action.name="Program Run" AND uco-action.Action.ActionReferences.object containing references to Trace representing the software that was run|||
|TSK_RECENT_OBJECT|N/A (Gap)🔴||||
|TSK_REMOTE_DRIVE|More information needed||||
|TSK_SERVICE_ACCOUNT|uco-observable.Account; uco-observable.DigitalAccount; uco-observable.UserAccount; uco-observable.ApplicationAccount||||
|TSK_SPEED_DIAL_ENTRY|N/A (Gap)🔴||||
|TSK_TAG_ARTIFACT|Not Applicable to be mapped||||
|TSK_TAG_FILE|Not Applicable to be mapped||||
|TSK_TOOL_OUTPUT|Not Applicable to be mapped||||
|TSK_WEB_BOOKMARK|uco-observable.BrowserBookmark||Web Bookmark mapping||
|TSK_WEB_COOKIE|uco-observable.BrowserCookie||Web Cookie mapping||
|TSK_WEB_DOWNLOAD|uco-action.Action|uco-action.Action.name="Download File" AND uco-action.Action.ActionReferences.object containing reference to Trace representing the URL AND uco-action.Action.ActionReferences.result containing reference to Trace representing the File downloaded|Web Download mapping||
|TSK_WEB_HISTORY|N/A (Gap)🔴||||
|TSK_WEB_SEARCH_QUERY|N/A (Gap)🔴||||

Attribute mappings

|Sleuthkit|CASE/UCO Class|CASE/UCO Property|CASE/UCO Example|
|---|---|---|---|
|object|Trace|||
|TSK_ACCOUNT_TYPE|uco-observable.Account|uco-observable.Account.accountType|sms_and_contacts.json|
|TSK_ASSOCIATED_ARTIFACT|uco-core.Relationship|uco-core.Relationship.target|accounts.json|
|TSK_BANK_NAME|uco-observable.Account; uco-core.Identity|uco-observable.Account.accountIssuer; uco-core.Identity.name||
|TSK_BRAND_NAME|N/A (Gap)🔴|||
|TSK_CALENDAR_ENTRY_TYPE|uco-observable.CalendarEntry|uco-observable.CalendarEntry.eventType|??|
|TSK_CARD_DISCRETIONARY|N/A (Gap)🔴|||
|TSK_CARD_EXPIRATION|uco-observable.Account|uco-observable.Account.expirationTime||
|TSK_CARD_LRC|N/A (Gap)🔴|||
|TSK_CARD_NUMBER|uco-observable.Account|uco-observable.Account.accountIdentifier||
|TSK_CARD_SCHEME|N/A (Gap)🔴|||
|TSK_CARD_SERVICE_CODE|N/A (Gap)🔴|||
|TSK_CARD_TYPE|N/A (Gap)🔴|||
|TSK_CATEGORY|More information needed|||
|TSK_CITY|uco-core.SimpleAddress|uco-core.SimpleAddress.locality|location.json|
|TSK_COMMENT|uco-core.UcoObject OR uco-core.Annotation|uco-core.UcoObject.description OR uco-core.Annotation.statement||
|TSK_COUNT|N/A (Gap)🔴|||
|TSK_COUNTRY|uco-core.SimpleAddress|uco-core.SimpleAddress.country|location.json|
|TSK_DATETIME|More information needed|||
|TSK_DATETIME_ACCESSED|uco-observable.File|uco-observable.File.accessedTime|file.json|
|TSK_DATETIME_CREATED|uco-observable.File|uco-observable.File.createdTime|file.json|
|TSK_DATETIME_END||endTime|forensic_lifecycle.json|
|TSK_DATETIME_MODIFIED|uco-observable.File|uco-observable.File.modifiedTime|file.json|
|TSK_DATETIME_RCVD|More information needed|||
|TSK_DATETIME_SENT|uco-observable.Message|uco-observable.Message.sentTime||
|TSK_DATETIME_START||startTime|forensic_lifecycle.json|
|TSK_DESCRIPTION|uco-core.UcoObject|uco-core.UcoObject.description|exif_data.json|
|TSK_DEVICE_ID|uco-core.UcoObject|uco-core.UcoObject.id|device.json|
|TSK_DEVICE_MAKE|uco-observable.Device|uco-observable.Device.manufacturer|device.json|
|TSK_DEVICE_MODEL|uco-observable.Device|uco-observable.Device.model|device.json|
|TSK_DEVICE_NAME|uco-core.UcoObject|uco-core.UcoObject.name|device.json|
|TSK_DIRECTION|More information needed|||
|TSK_DOMAIN|uco-observable.DomainName|uco-observable.DomainName.value|device.json|
|TSK_EMAIL|uco-observable.EmailAddress|uco-observable.EmailAddress.value||
|TSK_EMAIL_BCC|uco-observable.EmailMessage|uco-observable.EmailMessage.bcc||
|TSK_EMAIL_CC|uco-observable.EmailMessage|uco-observable.EmailMessage.cc||
|TSK_EMAIL_CONTENT_HTML|uco-observable.EmailMessage|uco-observable.EmailMessage.body OR uco-observable.EmailMessage.bodyRaw||
|TSK_EMAIL_CONTENT_PLAIN|uco-observable.EmailMessage|uco-observable.EmailMessage.body OR uco-observable.EmailMessage.bodyRaw||
|TSK_EMAIL_CONTENT_RTF|uco-observable.EmailMessage|uco-observable.EmailMessage.body OR uco-observable.EmailMessage.bodyRaw||
|TSK_EMAIL_FROM|uco-observable.EmailMessage|uco-observable.EmailMessage.from||
|TSK_EMAIL_HOME|N/A (Gap)🔴|||
|TSK_EMAIL_OFFICE|N/A (Gap)🔴|||
|TSK_EMAIL_REPLYTO|uco-observable.EmailMessage|uco-observable.EmailMessage.inReplyTo||
|TSK_EMAIL_TO|uco-observable.EmailMessage|uco-observable.EmailMessage.to||
|TSK_ENCRYPTION_DETECTED|uco-observable.ContentData|uco-observable.ContentData.isEncrypted|file.json|
|TSK_ENTROPY|uco-observable.ContentData|uco-observable.ContentData.entropy||
|TSK_FILE_TYPE_EXT|uco-observable.File|uco-observable.File.extension|file.json|
|TSK_FILE_TYPE_SIG|uco-observable.ContentData|uco-observable.ContentData.magicNumber|file.json|
|TSK_FLAG|Not Applicable to be mapped|||
|TSK_GEO_ALTITUDE|uco-core.Location with uco-core.LatLongCoordinates|uco-core.LatLongCoordinates.altitude||
|TSK_GEO_BEARING|N/A (Gap)🔴|||
|TSK_GEO_HPRECISION|uco-core.Location with uco-core.GPSCoordinates|uco-core.GPSCoordinates.hdop||
|TSK_GEO_LATITUDE|uco-core.Location with uco-core.LatLongCoordinates|uco-core.LatLongCoordinates.latitude|location.json|
|TSK_GEO_LATITUDE_END|N/A (Gap)🔴|||
|TSK_GEO_LATITUDE_START|N/A (Gap)🔴|||
|TSK_GEO_LONGITUDE|uco-core.Location with uco-core.LatLongCoordinates|uco-core.LatLongCoordinates.longitude|location.json|
|TSK_GEO_LONGITUDE_END|N/A (Gap)🔴|||
|TSK_GEO_LONGITUDE_START|N/A (Gap)🔴|||
|TSK_GEO_MAPDATUM|N/A (Gap)🔴|||
|TSK_GEO_VELOCITY|N/A (Gap)🔴|||
|TSK_GEO_VPRECISION|uco-core.Location with uco-core.GPSCoordinates|uco-core.GPSCoordinates.vdop||
|TSK_HASH_MD5|uco-core.Hash|uco-core.Hash.hashMethod="MD5"; uco-core.Hash.hashValue|file.json|
|TSK_HASH_SHA1|uco-core.Hash|uco-core.Hash.hashMethod="SHA1"; uco-core.Hash.hashValue||
|TSK_HASH_SHA256|uco-core.Hash|uco-core.Hash.hashMethod="SHA256"; uco-core.Hash.hashValue|file.json|
|TSK_HASH_SHA512|uco-core.Hash|uco-core.Hash.hashMethod="SHA512"; uco-core.Hash.hashValue||
|TSK_HASHSET_NAME|More information needed|||
|TSK_INTERESTING_FILE|More information needed|||
|TSK_IP_ADDRESS|uco-observable.IPv4Address|uco-observable.IPv4Address.value|device.json|
|TSK_ISDELETED|N/A (Gap)🔴|||
|TSK_KEYWORD|N/A (Gap)🔴|||
|TSK_KEYWORD_PREVIEW|More information needed|||
|TSK_KEYWORD_REGEXP|N/A (Gap)🔴|||
|TSK_KEYWORD_SEARCH_DOCUMENT_ID|Not Applicable to be mapped|||
|TSK_KEYWORD_SEARCH_TYPE|N/A (Gap)🔴|||
|TSK_KEYWORD_SET|N/A (Gap)🔴|||
|TSK_LOCAL_PATH|uco-observable.File (for objective location) OR uco-observable.PathRelation (for subjective containment)|uco-observable.File.filePath OR uco-observable.PathRelation.path|file.json|
|TSK_LOCATION|uco-core.Location with uco-core.LatLongCoordinates OR uco-core.GPSCoordinates OR uco-core.SimpleAddress||location.json|
|TSK_MALWARE_DETECTED|Not Applicable to be mapped|||
|TSK_MESSAGE_TYPE|uco-observable.Message|uco-observable.Message.messageType||
|TSK_MIN_COUNT|Not Applicable to be mapped|||
|TSK_MSG_ID|uco-observable.Message|uco-observable.Message.messageID||
|TSK_MSG_REPLY_ID|Not Applicable to be mapped|||
|TSK_NAME|uco-core.UcoObject OR uco-core.Identity|uco-core.UcoObject.name OR uco-core.Identity.name||
|TSK_NAME_PERSON|uco-core.Person|uco-core.Person.name||
|TSK_ORGANIZATION|uco-core.Organization|uco-core.Organization.name||
|TSK_OWNER|uco-observable.FilePermissions|uco-observable.FilePermissions.owner||
|TSK_PASSWORD|uco-observable.AccountAuthentication OR uco-observable.EncryptedStream|uco-observable.AccountAuthentication.password OR uco-observable.EncryptedStream.encryptionKey|accounts.json|
|TSK_PATH|uco-observable.File (for objective location) OR uco-observable.PathRelation (for subjective containment)|uco-observable.File.filePath OR uco-observable.PathRelation.path||
|TSK_PATH_ID|More information needed|||
|TSK_PATH_SOURCE|N/A (Gap)🔴|||
|TSK_PERMISSIONS|N/A (Gap)🔴|||
|TSK_PHONE_NUMBER|uco-observable.PhoneAccount|uco-observable.PhoneAccount.phoneNumber|sms_and_contacts.json|
|TSK_PHONE_NUMBER_FROM|uco-observable.PhoneCall OR uco-observable.Message|uco-observable.PhoneCall.from OR uco-observable.Message.from (references uco-observable.PhoneAccount.phoneNumber)|sms_and_contacts.json|
|TSK_PHONE_NUMBER_HOME|N/A (Gap)🔴|||
|TSK_PHONE_NUMBER_MOBILE|N/A (Gap)🔴|||
|TSK_PHONE_NUMBER_OFFICE|N/A (Gap)🔴|||
|TSK_PHONE_NUMBER_TO|uco-observable.PhoneCall OR uco-observable.Message|uco-observable.PhoneCall.to OR uco-observable.Message.to (references uco-observable.PhoneAccount.phoneNumber)|sms_and_contacts.json|
|TSK_PROCESSOR_ARCHITECTURE|uco-observable.ComputerSpecification|uco-observable.ComputerSpecification.processorArchitecture||
|TSK_PRODUCT_ID|N/A (Gap)🔴|||
|TSK_PROG_NAME|More information needed|||
|TSK_READ_STATUS|More information needed|||
|TSK_REFERRER|N/A (Gap)🔴|||
|TSK_REMOTE_PATH|More information needed|||
|TSK_SERVER_NAME|More information needed|||
|TSK_SET_NAME|N/A (Gap)🔴|||
|TSK_SHORTCUT|N/A (Gap)🔴|||
|TSK_STEG_DETECTED|??? Action?|||
|TSK_SUBJECT|More information needed|||
|TSK_TAG_NAME|Not Applicable to be mapped|||
|TSK_TAGGED_ARTIFACT|Not Applicable to be mapped|||
|TSK_TEMP_DIR|N/A (Gap)🔴|||
|TSK_TEXT|N/A (Gap)🔴|||
|TSK_TEXT_FILE|Not Applicable to be mapped|||
|TSK_TEXT_LANGUAGE|More information needed|||
|TSK_TITLE|N/A (Gap)🔴|||
|TSK_URL|uco-observable.URL|uco-observable.URL.fullValue||
|TSK_URL_DECODED|More information needed|||
|TSK_USER_ID|uco-observable.Account OR uco-observable.DigitalAccount|uco-observable.Account.accountIdentifier OR uco-observable.DigitalAccount.accountLogin|accounts.json|
|TSK_USER_NAME|uco-observable.DigitalAccount|uco-observable.DigitalAccount.accountLogin|accounts.json|
|TSK_VALUE|More information needed|||
|TSK_VERSION|More information needed|||

Identified Gaps

  • Magnetic stripe card Track1 specific information (#27)
  • Magnetic stripe card Track2 specific information (#28)
  • Credit Card specific information (#29)
  • Account entry labeling (home, work, mobile, etc) within ContactsCrossReference (#25)
  • Geolocation area scoping (quadrilateral) (#30)
  • Geolocation mapdatum (#31)
  • Geolocation bearing and velocity (#32)