Cyber-investigation Analysis Standard Expression (CASE)

Read the CASE Wiki tab to learn everything you need to know about the Cyber-investigation Analysis Standard Expression (CASE) ontology. For learning about the Unified Cyber Ontology, CASE's parent, see UCO.

CASE Plaso implementation

Note: This POC is not ontology-correct! However, it attempts to adhere to v0.1.0 of CASE.

This is an implementation of exporting plaso storage files into an RDF graph following the CASE ontology.


Install the case API

git clone
pip install CASE-Python-API

Then clone and install requirements.txt

git clone
cd CASE-Plaso-Implementation
pip install -r requirements.txt


Pass the storage file created by the log2timeline tool into the "case_plaso" tool:

python myimage.bin.plaso output.json --format json-ld

I have a question!

Before you post a Github issue or send an email ensure you've done this checklist:

  1. Determined scope of your task. It is not necessary for most parties to understand all aspects of the ontology, mapping methods, and supporting tools.

  2. Familiarize yourself with the labels and search the Issues tab. Typically, only light-blue and red labels should be used by non-admin Github users while the others should be used by CASE Github admins. All but the red Project labels are found in every casework repository.