Background
In the realm of cyber investigations, accurately capturing the state of an email within its service environment is crucial. Currently, UCO provides detailed structures for email content in observable:EmailMessageFacet, but UCO lacks specific attributes that reflect an email's system-level status. Introducing observable:EmailSystem and observable:EmailSystemFacet will enable a richer representation of these system-level properties, enhancing analysis capabilities in cyber forensic investigations.
With the introduction of the observable:EmailSystemFacet class in UCO, we achieve a more detailed and nuanced representation of email-related concepts for cyber forensic investigators and analysts. This matters because it enables these professionals to access critical system-level information about emails, such as whether they are archived, auto-forwarded, flagged, or read. Such information is pivotal in understanding the behavior and intent of users within a cyber investigation.
I am fine with my examples in this change proposal being transcribed and credited when others can re-use this content.
Requirements
Define observable:EmailSystem as a new class in UCO.
Define observable:EmailSystemFacet as a new class in UCO to encapsulate system-level email attributes.
Requirement 1
Include properties within observable:EmailSystemFacet: IsArchived, IsAutoForwarded, IsFlagged, IsFlaggedSpam, IsForwarded, IsRead.
Requirement 2
I think we need to integrate observable:EmailSystemFacet with observable:EmailMessageFacet to link email content attributes and system-level properties. I'm not exactly sure how to do this so need some assistance. It seems to me that Email Systems contain Email Messages.
Risk / Benefit analysis
Benefits
Provides a comprehensive view of an email's status within its system, crucial for detailed forensic analysis.
Enhances the granularity and accuracy of email-related data representation in UCO.
Risks
Implementation complexity and potential overlap with existing email-related classes.
Requires updates to existing UCO tooling and documentation.
Competencies demonstrated
Enhanced ability to analyze and interpret the status and handling of emails in cyber investigations.
Here's an example SPARQL query that searches for encrypted and auto-forwarded emails from vulnmaster@businessemail.com to vulnmaster@personalemail.com in the year 2023, using the proposed observable:EmailSystemFacet class and its properties:
PREFIX uco-observable: <https://ontology.unifiedcyberontology.org/uco/observable/>
PREFIX xsd: <http://www.w3.org/2001/XMLSchema#>
SELECT ?email
WHERE {
?emailSystemFacet a uco-observable:EmailSystemFacet .
?emailSystemFacet uco-observable:IsAutoForwarded "true"^^xsd:boolean .
?email a uco-observable:EmailMessageFacet .
?email uco-observable:isEncrypted "true"^^xsd:boolean .
?email uco-observable:from "vulnmaster@businessemail.com" .
?email uco-observable:to "vulnmaster@personalemail.com" .
?email uco-observable:dateSent ?date .
FILTER (YEAR(?date) = 2023).
}
Scenario
Vulnmaster has two email accounts: one for business (vulnmaster@businessemail.com) and one personal (vulnmaster@personalemail.com). Some emails are encrypted and auto-forwarded from the business to the personal account in 2023. The auto-forwarding of encrypted emails may be indicative of an employee who is stealing intellectual property from the company.
Ground Truth Positive Question
"Which emails from Vulnmaster's business account were encrypted and auto-forwarded to his personal account in 2023?"
Expected Result
Emails that meet all the criteria: sent from the business account, received at the personal account, encrypted, and auto-forwarded within the year 2023.
Ground Truth Negative Question
"Are there any emails from Vulnmaster's personal account that were auto-forwarded to his business account in 2023?"
Expected Result
No emails should be returned, as the auto-forwarding is set only from the business to the personal account, not vice versa.
These questions help validate the implementation of the observable:EmailSystemFacet class and its properties, ensuring the ontology accurately captures and queries the specific email transaction scenarios.
Competency 1
Enhanced ability to analyze and interpret the status and handling of emails in cyber investigations.
Competency Question 1.1
How can investigators determine the system-level state (like read status, archival status) of an email in a given investigation?
Result 1.1
With observable:EmailSystemFacet, investigators can effectively determine these states, providing a deeper understanding of the email data within its service context.
Solution suggestion
Define observable:EmailSystemFacet as a new class in the UCO ontology.
Add the proposed properties to this class to capture various system-level states of emails.
@prefix observable: <https://ontology.unifiedcyberontology.org/uco/observable/> .
@prefix owl: <http://www.w3.org/2002/07/owl#> .
@prefix sh: <http://www.w3.org/ns/shacl#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
observable:EmailSystem
a owl:Class ;
rdfs:label "EmailSystem"@en ;
rdfs:comment "Represents the system-level information about an email service."@en ;
sh:targetClass observable:EmailSystem ;
.
observable:EmailSystemFacet
a owl:Class, sh:NodeShape ;
rdfs:subClassOf core:Facet ;
rdfs:label "EmailSystemFacet"@en ;
rdfs:comment "A grouping of properties unique to an email within an email service. If the same email is sent to two different accounts, the users of those accounts may further classify or group emails with these properties so that their corresponding analytics results are different among the two email systems and accounts."@en ;
sh:property
[
sh:datatype xsd:boolean ;
sh:path observable:IsArchived ;
],
[
sh:datatype xsd:boolean ;
sh:path observable:IsAutoForwarded ;
],
[
sh:datatype xsd:boolean ;
sh:path observable:IsFlagged ;
],
[
sh:datatype xsd:boolean ;
sh:path observable:IsFlaggedSpam ;
],
[
sh:datatype xsd:boolean ;
sh:path observable:IsForwarded ;
],
[
sh:datatype xsd:boolean ;
sh:path observable:IsRead ;
]
;
sh:targetClass observable:EmailSystemFacet ;
.
Here is an initial working draft example UCO json-ld that I developed showing a search result.
{
"@context": {
"uco-observable": "https://ontology.unifiedcyberontology.org/uco/observable/",
"xsd": "http://www.w3.org/2001/XMLSchema#"
},
"@id": "kb:compilation-1234abcd-5678-efgh-9101-ijklmnopqrst",
"@type": "core:Compilation",
"contains": {
"@id": "kb:emailsystemfacet-2345bcde-6789-fghj-0123-klmnopqrstuv",
"@type": "uco-observable:EmailSystemFacet",
"isAutoForwarded": true,
"emails": [
{
"@id": "kb:email-3456cdef-7890-ghij-1234-mnopqrstuvwxyz",
"@type": "uco-observable:EmailMessage",
"from": "vulnmaster@businessemail.com",
"to": "vulnmaster@personalemail.com",
"dateSent": "2023-01-15T08:30:00Z",
"isEncrypted": true,
"observable:bodyRaw": "VGhpcyBlbWFpbCBjb250YWlucyBzdG9sZW4gaW50ZWxsZWN0dWFsIHByb3BlcnR5Lg=="
},
{
"@id": "kb:email-4567def0-8901-hijk-2345-opqrstuvwxyzabcd",
"@type": "uco-observable:EmailMessage",
"from": "vulnmaster@businessemail.com",
"to": "vulnmaster@personalemail.com",
"dateSent": "2023-02-20T10:45:00Z",
"isEncrypted": true,
"observable:bodyRaw": "SGVyZSBpcyBhbm90aGVyIGV4YW1wbGUgb2Ygc3RvbGVuIGludGVsbGVjdHVhbCBwcm9wZXJ0eS4="
}
]
}
}
Background
In the realm of cyber investigations, accurately capturing the state of an email within its service environment is crucial. Currently, UCO provides detailed structures for email content in observable:EmailMessageFacet, but UCO lacks specific attributes that reflect an email's system-level status. Introducing observable:EmailSystem and observable:EmailSystemFacet will enable a richer representation of these system-level properties, enhancing analysis capabilities in cyber forensic investigations.
With the introduction of the observable:EmailSystemFacet class in UCO, we achieve a more detailed and nuanced representation of email-related concepts for cyber forensic investigators and analysts. This matters because it enables these professionals to access critical system-level information about emails, such as whether they are archived, auto-forwarded, flagged, or read. Such information is pivotal in understanding the behavior and intent of users within a cyber investigation.
I am fine with my examples in this change proposal being transcribed and credited when others can re-use this content.
Requirements
Define observable:EmailSystem as a new class in UCO.
Define observable:EmailSystemFacet as a new class in UCO to encapsulate system-level email attributes.
Requirement 1
Include properties within observable:EmailSystemFacet: IsArchived, IsAutoForwarded, IsFlagged, IsFlaggedSpam, IsForwarded, IsRead.
Requirement 2
I think we need to integrate observable:EmailSystemFacet with observable:EmailMessageFacet to link email content attributes and system-level properties. I'm not exactly sure how to do this so need some assistance. It seems to me that Email Systems contain Email Messages.
Risk / Benefit analysis
Benefits
Provides a comprehensive view of an email's status within its system, crucial for detailed forensic analysis.
Enhances the granularity and accuracy of email-related data representation in UCO.
Risks
Implementation complexity and potential overlap with existing email-related classes.
Requires updates to existing UCO tooling and documentation.
Competencies demonstrated
Enhanced ability to analyze and interpret the status and handling of emails in cyber investigations.
Here's an example SPARQL query that searches for encrypted and auto-forwarded emails from vulnmaster@businessemail.com to vulnmaster@personalemail.com in the year 2023, using the proposed observable:EmailSystemFacet class and its properties:
Scenario
Vulnmaster has two email accounts: one for business (vulnmaster@businessemail.com) and one personal (vulnmaster@personalemail.com). Some emails are encrypted and auto-forwarded from the business to the personal account in 2023. The auto-forwarding of encrypted emails may be indicative of an employee who is stealing intellectual property from the company.
Ground Truth Positive Question
"Which emails from Vulnmaster's business account were encrypted and auto-forwarded to his personal account in 2023?"
Expected Result
Emails that meet all the criteria: sent from the business account, received at the personal account, encrypted, and auto-forwarded within the year 2023.
Ground Truth Negative Question
"Are there any emails from Vulnmaster's personal account that were auto-forwarded to his business account in 2023?"
Expected Result
No emails should be returned, as the auto-forwarding is set only from the business to the personal account, not vice versa.
These questions help validate the implementation of the observable:EmailSystemFacet class and its properties, ensuring the ontology accurately captures and queries the specific email transaction scenarios.
Competency 1
Enhanced ability to analyze and interpret the status and handling of emails in cyber investigations.
Competency Question 1.1
How can investigators determine the system-level state (like read status, archival status) of an email in a given investigation?
Result 1.1
With observable:EmailSystemFacet, investigators can effectively determine these states, providing a deeper understanding of the email data within its service context.
Solution suggestion
Define observable:EmailSystemFacet as a new class in the UCO ontology.
Add the proposed properties to this class to capture various system-level states of emails.
Here is an initial working draft example UCO json-ld that I developed showing a search result.