CybOX 3.0: File Object Requirements
Properties/Types
- Hashes
- Size
- Format information (MIMEType, etc.)
Applicable use cases
- Indicator sharing
- Malware characterization
- Digital forensics
Comments
These are the most basic and therefore most widely used file properties, so it's critical that we model them correctly.
Properties/Types
- Name
- Size on disk
- Location on disk (path)
- Symbolic links
Applicable use cases
- Indicator sharing
- Malware characterization
- Digital forensics
Comments
These properties are also widely utilized and necessary for various use cases, so they're also important to model accurately. It may be useful to produce a cross-walk of various commonly used file systems and their properties to ensure that we're capturing the right set of properties that are common between them.
Properties/Types
- NTFS-specific properties
  - Permissions
- EXT2/3/4-specific properties
  - Permissions
Applicable use cases
- Malware characterization
- Digital forensics
Comments
Deciding which file systems to model and capture properties of is a difficult task owing to the many different file systems in use today. Accordingly, we feel that we realistically have two options in this regard:
- Support file-system-specific properties ONLY via a user-defined extension point (e.g., as key/value pairs).
- Include some default, commonly used extensions (e.g., NTFS and EXT3), but leave the rest to be implemented via a user-defined extension point (e.g., as key/value pairs).
Properties/Types
- Windows-specific properties
  - Device path
- Unix-specific properties
  - Mount point
Applicable use cases
- Malware characterization
- Digital forensics
Comments
Deciding which operating systems to capture file-related properties of is a difficult task owing to the many different operating systems in use today. Accordingly, we feel that we realistically have two options in this regard:
- Support operating-system-specific properties ONLY via a user-defined extension point (e.g., as key/value pairs).
- Include some default, commonly used extensions (e.g., Windows and Unix), but leave the rest to be implemented via a user-defined extension point (e.g., as key/value pairs).
Properties/Types
- Sector allocation (i.e. the disk sectors that the file occupies)
Applicable use cases
- Digital forensics
Comments
There are likely other types of properties that can be captured here. We'll likely need to delve more into the digital forensics use cases before we understand whether our coverage in this respect is complete.
Properties/Types
- Digital signature information
- Computed information
  - Entropy
- File packaging information
  - Compression
  - Encryption
  - Binary packing
- Extracted information
  - Strings
Applicable use cases
- Malware characterization
- Digital forensics
Comments
There exists the possibility for capturing a wide variety of metadata around files, most of which is specific to a particular domain (e.g., packing information is mostly relevant for malware characterization) or use case. Accordingly, we'll want to properly scope and define how we deal with this category and its corresponding properties. One possibility (similar to the capture of file system and operating system specific properties) is to have an extension point for file metadata, with a few standard key/value pairs, but that is largely left open for content producers.
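As an added illustration (not code from the CybOX project) of how the basic properties listed at the top of this page and the computed/extension-point properties discussed here could fit together, the following Python builds a File Object-style record from a constructed byte buffer: hashes, size, a sniffed format, Shannon entropy, and an open key/value `extensions` slot for file-system or OS-specific fields. The field names and the sample bytes are assumptions for illustration only.

```python
import hashlib
import json
import math
from collections import Counter

# Constructed sample input: a PE-looking blob (not a real executable).
SAMPLE_BYTES = b"MZ" + bytes(range(256)) * 4 + b"\x00" * 200


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/uniform data, 8.0 at most.
    High values on a whole file are a common hint of packing or encryption."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sniff_format(data: bytes) -> str:
    """Minimal magic-number check standing in for real MIME detection (libmagic)."""
    if data.startswith(b"MZ"):
        return "application/vnd.microsoft.portable-executable"
    if data.startswith(b"\x7fELF"):
        return "application/x-executable"
    return "application/octet-stream"


def build_file_object(name: str, path: str, data: bytes, extensions=None) -> dict:
    """Assemble the basic and computed properties from this page into one record.
    'extensions' is the user-defined key/value extension point proposed above,
    e.g. {"ntfs": {"permissions": "..."}} (hypothetical key names)."""
    return {
        "type": "file",
        "name": name,
        "path": path,
        "size": len(data),
        "hashes": {
            "MD5": hashlib.md5(data).hexdigest(),
            "SHA-1": hashlib.sha1(data).hexdigest(),
            "SHA-256": hashlib.sha256(data).hexdigest(),
        },
        "mime_type": sniff_format(data),
        "entropy": round(shannon_entropy(data), 4),
        "extensions": extensions or {},
    }


if __name__ == "__main__":
    obj = build_file_object("sample.exe", "C:\\tmp\\sample.exe", SAMPLE_BYTES,
                            {"ntfs": {"permissions": "RW"}})
    print(json.dumps(obj, indent=2))
```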
Properties/Types
- Image file metadata
  - EXIF
- Document file metadata
  - DOCX
- Executable binary file metadata
  - PE
  - ELF
Applicable use cases
- Malware characterization
- Digital forensics
Comments
Context-specific file metadata revolves around the capture of metadata applicable to specific file formats, such as image files and executable binary files. Given their specialized nature, the characterization of such files is mostly applicable to malware characterization and digital forensics use cases.
These types of properties are currently captured via the various sub-classes of the File Object, so our thought is that we can take these classes and have them serve as the default extension point for context-specific file metadata. In future CybOX releases, more file formats could then be added as new extension points, as necessary.