Note: For brevity, all the provenance records and forensic actions are not shown.
This example shows how files, blocks of data and the relationships between them can be represented within the CASE ontology. By using a combination of Traces and Relationship objects it is possible to show the entire extraction of a file no matter the complexities of how it was stored.
This example shows a block of data that was extracted in the following way:
- A forensic image
android_imageis taken of an android device
android_device1and has been stored on an examiner's computer
- A disk parition
image_partitionis carved from the image.
- A SQLite database
sqlite_databaseis extracted from the disk partition.
- An encrypted SQLite blob
sqlite_blobis extracted from the AttachmentTable of the SQLite database.
- The SQLite blob is AES decrypted resulting in a TAR archive
- A base64 encoded file
tar_archive_fileis extracted from the TAR archive.
- The TAR sub file is base64 decoded resulting in a JPG file
- A particular range of data
chunk_of_datais extracted from the decoded JPG file.
The result of each step is represented with a Trace object characterizing the data (image, partition, file, database, chunk of data, etc.) that was exposed during the step. This Trace object contains property bundles that describe the data itself.
The most used property bundle will be ContentData. This property bundle will contain raw information about the data like byte order, hashes, size, as well as optionally include the data itself.
Another common property bundle used will be File. This property bundle will contain the file's metadata given to the file by the file system where it was found.
The relationship between data resulting from a step and any data known previous to a step is
represented by a Relationship object using one of the special keywords
(contained-within, decrypted-from, decoded-from or stored-on). This object may contain
property bundles that provide further detail on how the Trace pointed to by the
source property is related to the Trace pointed to by the
target property (e.g., where within the target was the source contained).
For the extraction of a file within a file system (EXT4, NTFS, TAR, etc) we use the property bundle PathRelation. This property bundle will contain file path information needed to extract the file out of the file system.
For encryption steps, we use the Encryption property bundle which provide the
encryption algorithm and parameters that were utilized to decrypt the
For encoding steps, we use the Encoding property bundle which provide the
encoding algorithm used to decode the
For the extraction of an embedded section of raw bytes within the
target file, we
use the DataRange property bundle which provides the offset location and range size within the