SubTypes: BigEndian, LittleEndian
SubTypes: BZIP2, Deflate, LZMA, XZ, ZLIB
SubTypes: BDEVolume, CPIO, Compression, DataRange, DiskPartition, EWF, EXT4, Encoding, Encryption, F2FS, NTFS, SQLiteBlob, SevenZ, TAR, VSSVolume, Volume, ZIP
SubTypes: Base16, Base32, Base64
SubTypes: AES, Blowfish, DES, DES3, RC4
SubTypes: CBC, CFB, ECB, OFB
SubTypes: Critical, Debug, Error, Info, Warning
SubTypes: MD5, SHA, SHA-1, SHA-2
SubTypes: BMP, Huffman, JPEG, LZW, PNG, TIFF, WebP
TODO: We probably can use an already existing schema for this.
SubTypes: English, French, Spanish
SubTypes: Private, Public

| Attribute | Range | Comment |
| --- | --- | --- |
| key | xsd:string | |
| value | xsd:string | |

| Attribute | Range | Comment |
| --- | --- | --- |
| isTLD | xsd:boolean | |
| value | xsd:string | |

TODO: Merge this into EmailAccount?

| Attribute | Range | Comment |
| --- | --- | --- |
| stringValue | xsd:string | |

TODO: Determine if this object is wanted, or if we want to stick with strings.
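
| Attribute | Range | Comment |
| --- | --- | --- |
| delimiter | xsd:string | |
| filePathSegments | olo:OrderedList | |

| Attribute | Range | Comment |
| --- | --- | --- |
| value | xsd:string | |

| Attribute | Range | Comment |
| --- | --- | --- |
| value | xsd:string | |

| Attribute | Range | Comment |
| --- | --- | --- |
| value | xsd:string | |
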
Defines received events.
Contains information on who received it and when.

| Attribute | Range | Comment |
| --- | --- | --- |
| receivedTime | xsd:dateTimeStamp | |
| receiver | Trace | |

| Attribute | Range | Comment |
| --- | --- | --- |
| value | xsd:string | |

WindowsPEFileHeader
Properties of the PE file header, sometimes referred to as the COFF header.

| Attribute | Range | Comment |
| --- | --- | --- |
| characteristics | xsd:hexBinary | |
| hash | Hash | TODO: Remove this use of this property in exchange for using the Hash property bundle. |
| machine | xsd:hexBinary | |
| numberOfSections | xsd:hexBinary | |
| numberOfSymbols | xsd:hexBinary | |
| optionalHeader | WindowsPEOptionalHeader | |
| pointerToSymbolTable | xsd:hexBinary | |
| sizeOfOptionalHeader | xsd:hexBinary | |
| timeDateStamp | xsd:hexBinary | |

WindowsPEOptionalHeader

| Attribute | Range | Comment |
| --- | --- | --- |
| addressOfEntryPoint | xsd:hexBinary | |
| baseOfCode | xsd:hexBinary | |
| checksum | xsd:hexBinary | |
| dllCharacteristics | xsd:hexBinary | |
| entropy | xsd:float | |
| fileAlignment | xsd:hexBinary | |
| hash | Hash | TODO: Remove this use of this property in exchange for using the Hash property bundle. |
| imageBase | xsd:hexBinary | |
| loaderFlags | xsd:hexBinary | |
| magic | xsd:hexBinary | |
| majorImageVersion | xsd:hexBinary | |
| majorOSVersion | xsd:hexBinary | |
| majorSubsystemVersion | xsd:hexBinary | |
| majorlinkerVersion | xsd:hexBinary | |
| minorImageVersion | xsd:hexBinary | |
| minorLinkerVersion | xsd:hexBinary | |
| minorOSVersion | xsd:hexBinary | |
| minorSubsystemVersion | xsd:hexBinary | |
| numberOfRVAAndSizes | xsd:hexBinary | |
| sectionAlignment | xsd:hexBinary | |
| sizeOfCode | xsd:hexBinary | |
| sizeOfHeaders | xsd:hexBinary | |
| sizeOfHeapCommit | xsd:hexBinary | |
| sizeOfHeapReserve | xsd:hexBinary | |
| sizeOfImage | xsd:hexBinary | |
| sizeOfInitializedData | xsd:hexBinary | |
| sizeOfStackCommit | xsd:hexBinary | |
| sizeOfStackReserve | xsd:hexBinary | |
| sizeOfUnintialializedData | xsd:hexBinary | |
| subsystem | xsd:hexBinary | |
| win32VersionValue | xsd:hexBinary | |


| Attribute | Range | Comment |
| --- | --- | --- |
| hash | Hash | TODO: Remove this use of this property in exchange for using the Hash property bundle. |
| name | xsd:string | The name property defines a common word or phrase that describes the meaning of the object. |
| size | xsd:positiveInteger | Size of file in bytes. |

| Attribute | Range | Comment |
| --- | --- | --- |
| dataType | DataType | |
| name | xsd:string | The name property defines a common word or phrase that describes the meaning of the object. |
| value | xsd:string | |

| Attribute | Range | Comment |
| --- | --- | --- |
| authorityKeyIdentifier | xsd:string | |
| basicContraints | xsd:string | |
| certificatePolicies | xsd:string | |
| crlDistributionPoints | xsd:string | |
| extendedKeyUsage | xsd:string | |
| inhibitAnyPolicy | xsd:string | |
| issuerAlternativeName | xsd:string | |
| keyUsage | xsd:string | |
| nameContraints | xsd:string | |
| policyConstraints | xsd:string | |
| policyMappings | xsd:string | |
| privateKeyUsagePeriodNotAfter | xsd:dateTimeStamp | |
| privateKeyUsagePeriodNotBefore | xsd:dateTimeStamp | |
| subjectAlternativeName | xsd:string | |
| subjectDirectoryAttribute | xsd:string | |
| subjectKeyIdentifier | xsd:string | |

A Descriptive object allows the use of the name and description property.

| Attribute | Range | Comment |
| --- | --- | --- |
| description | xsd:string | |
| name | xsd:string | The name property defines a common word or phrase that describes the meaning of the object. |


| Attribute | Range | Comment |
| --- | --- | --- |
| actionLifecyclePhase | ActionLifecyclePattern | |
| endTime | xsd:dateTimeStamp | |
| environment | Object | Defines the environment of an Action. This can point to things like the descriptions of the area the action was performed or information about the computer that was used. |
| instrument | Object | The instrument the actuator used to perform the action. (This is usually an item that contains a tool property bundle.) |
| performer | Object | Defines the person, action, or thing that caused this action. |
| result | Object | |
| source | Object | |
| startTime | xsd:dateTimeStamp | |

Defines an ordered list that must contain only Action classes as items.

| Attribute | Range | Comment |
| --- | --- | --- |
| object | Object | |
| tag | xsd:string | |

| Attribute | Range | Comment |
| --- | --- | --- |
| endAction | Action | |
| forensicActions | (Restriction on property olo:slot with [owl:allValuesFrom (Restriction on property olo:item with [owl:allValuesFrom ForensicAction])]), olo:OrderedList | |
| investigator | (Identity or Role) | |
| startAction | Action | |
| subject | (Identity or Role), xsd:string | |
| suspectedOffense | xsd:string | |
| victim | (Identity or Role) | |

| Attribute | Range | Comment |
| --- | --- | --- |
| exhibitNumber | xsd:string | |
| object | Object | |

| Attribute | Range | Comment |
| --- | --- | --- |
| bidirectional | xsd:boolean | |
| destination | Object | |
| endTime | xsd:dateTimeStamp | |
| kindOfRelationship | xsd:string | |
| source | Object | |
| startTime | xsd:dateTimeStamp | |

| Attribute | Range | Comment |
| --- | --- | --- |
| object | Object | |

TODO: How does "Tool", "Software", and "Application" relate to each other?

| Attribute | Range | Comment |
| --- | --- | --- |
| vendor | xsd:string | |
| version | xsd:string | |

An object that must contain at least one property bundle.

| Attribute | Range | Comment |
| --- | --- | --- |
| accountIssuer | xsd:string | |
| createdTime | xsd:dateTimeStamp | |
| displayName | xsd:string | |
| expiredTime | xsd:dateTimeStamp | |
| identifier | xsd:string | |
| isActive | xsd:boolean | |

| Attribute | Range | Comment |
| --- | --- | --- |
| password | xsd:string | |
| passwordLastChanged | xsd:dateTimeStamp | |

| Attribute | Range | Comment |
| --- | --- | --- |
| identifier | xsd:string | |
| numberOfLaunches | xsd:positiveInteger | |
| operatingSystem | (Restriction on property propertyBundle with [owl:someValuesFrom OperatingSystem]), Trace | |
| version | xsd:string | |

| Attribute | Range | Comment |
| --- | --- | --- |
| application | Trace | Defines the application-like item used by this account. |

Defines the basic properties associated with an archive file system.

| Attribute | Range | Comment |
| --- | --- | --- |
| comment | xsd:string | |
| version | xsd:string | |

Defines an object that is an attachment of a message.
Note: This property bundle is different. Instead of putting this as a property bundle of the attachment itself, you put this on the message.
The BitLocker Drive Encryption (BDE) credentials.

| Attribute | Range | Comment |
| --- | --- | --- |
| password | xsd:string | |
| recoveryPassword | xsd:string | |
| startupKey | xsd:base64Binary | |

Defines the basic properties associated with a compressed stream.
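
| Attribute | Range | Comment |
| --- | --- | --- |
| bios | xsd:string | |
| cpu | xsd:string | |
| ram | xsd:string | |

| Attribute | Range | Comment |
| --- | --- | --- |
| byteOrder | ByteOrder | |
| data | xsd:base64Binary | |
| size | xsd:positiveInteger | Size of file in bytes. |
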
Defines the basic properties associated with the storage of data.

| Attribute | Range | Comment |
| --- | --- | --- |
| accessedTime | xsd:dateTimeStamp | |
| content | Trace | |
| createdTime | xsd:dateTimeStamp | |
| dataContainerType | DataContainerType | |
| extension | xsd:string | The file extension. |
| fileName | xsd:string | |
| filePath | FilePath | |
| inode | xsd:integer | |
| isDirectory | xsd:boolean | |
| modifedTime | xsd:dateTimeStamp | |
| parentDataContainer | (Restriction on property propertyBundle with [owl:onClass DataContainer, owl:qualifiedCardinality (1 : xsd:nonNegativeInteger)]), Trace | The parent property must point to an Item type that has exactly one dfvfs property within it. |
| size | xsd:positiveInteger | Size of file in bytes. |

Defines the basic properties associated with a range of data.

| Attribute | Range | Comment |
| --- | --- | --- |
| rangeOffset | xsd:positiveInteger | |
| rangeSize | xsd:positiveInteger | |

| Attribute | Range | Comment |
| --- | --- | --- |
| manufacturer | xsd:string | |
| model | xsd:string | |
| serialNumber | xsd:string | |

| Attribute | Range | Comment |
| --- | --- | --- |
| accountLogin | xsd:string | |
| firstLoginTime | xsd:dateTimeStamp | |
| lastLoginTime | xsd:dateTimeStamp | |

| Attribute | Range | Comment |
| --- | --- | --- |
| partIndex | xsd:positiveInteger | |

| Attribute | Range | Comment |
| --- | --- | --- |
| acquiryDate | xsd:dateTimeStamp | |
| caseNumber | xsd:integer | |
| compressionMethod | CompressionMethod | |
| description | xsd:string | |
| errorGranularity | xsd:integer | |
| evidenceNumber | xsd:string | |
| examinerName | xsd:string | |
| format | xsd:string | |
| guid | xsd:string | |
| notes | xsd:string | |
| operatingSystemUsed | xsd:string | |
| password | xsd:string | |
| sectorsPerChunk | xsd:integer | |
| softwareVersionUsed | xsd:string | |
| systemDate | xsd:dateTimeStamp | |

TODO: Use imported exif ontology

| Attribute | Range | Comment |
| --- | --- | --- |
| emailAddress | xsd:string | |

The properties unique to an email message corresponding to the internet message format described in RFC 5322 and related RFCs.

| Attribute | Range | Comment |
| --- | --- | --- |
| bcc | Trace | |
| bodyMultipart | MimePartType | |
| bodyRaw | Trace | |
| category | xsd:string | |
| cc | Trace | |
| contentDisposition | xsd:string | |
| contentType | xsd:string | |
| headerRaw | Trace | |
| inReplyTo | Trace | |
| isMimeEncoded | xsd:boolean | |
| isMultipart | xsd:boolean | |
| label | xsd:string | |
| messageID | Trace | |
| otherHeader | DictionaryItem | |
| priority | xsd:string | |
| receivedLine | xsd:string | |
| reference | Trace | |
| subject | (Identity or Role), xsd:string | |
| xMailer | xsd:string | |
| xOriginatingIP | Trace | |

ExtractedFeatures
ExtractedString

| Attribute | Range | Comment |
| --- | --- | --- |
| byteStringValue | xsd:base64Binary | |
| encodingMethod | EncodingMethod | |
| englishTranslation | xsd:string | |
| hash | Hash | TODO: Remove this use of this property in exchange for using the Hash property bundle. |
| language | Language | |
| length | xsd:integer | |
| stringValue | xsd:string | |

Represents a file.
TODO: Not sure what properties should be in here versus being in Data or FileSystem.
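
| Attribute | Range | Comment |
| --- | --- | --- |
| magicNumber | xsd:base64Binary | |
| mimeType | MimeType | |

| Attribute | Range | Comment |
| --- | --- | --- |
| httpMessageBodyData | xsd:base64Binary | |
| httpMessageBodyLength | xsd:integer | |
| httpRequestHeader | xsd:base64Binary | |
| httpRequestLine | xsd:base64Binary | |

| Attribute | Range | Comment |
| --- | --- | --- |
| hashMethod | HashMethod | |
| hashValue | xsd:hexBinary | |

| Attribute | Range | Comment |
| --- | --- | --- |
| code | xsd:string | |
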
Defines the basic properties associated with a disk image file (i.e., the full image of a disk, not just specific volumes).
The properties associated with a message (e.g., email, SMS, WhatsApp, etc.).

| Attribute | Range | Comment |
| --- | --- | --- |
| body | xsd:string | |
| isRead | xsd:boolean | |
| modifedTime | xsd:dateTimeStamp | |
| participant | | |
| received | ReceivedEvent | |
| sender | | |
| sentTime | xsd:dateTimeStamp | |

| Attribute | Range | Comment |
| --- | --- | --- |
| displayName | xsd:string | |
| identifier | xsd:string | |
| messages | (Restriction on property olo:slot with [owl:allValuesFrom (Restriction on property olo:item with [owl:allValuesFrom (Restriction on property propertyBundle with [owl:someValuesFrom Message])])]), olo:OrderedList | |
| visibility | VisibilityType | |

| Attribute | Range | Comment |
| --- | --- | --- |
| name | xsd:string | The name property defines a common word or phrase that describes the meaning of the object. |

| Attribute | Range | Comment |
| --- | --- | --- |
| alternateDataStream | xsd:string | |
| sid | xsd:string | |

| Attribute | Range | Comment |
| --- | --- | --- |
| destination | Object | |
| endTime | xsd:dateTimeStamp | |
| protocols | | |
| source | Object | |
| startTime | xsd:dateTimeStamp | |

| Attribute | Range | Comment |
| --- | --- | --- |
| domain | xsd:string | |
| ipAddress | xsd:string | Change this to an already defined ip address type. |

| Attribute | Range | Comment |
| --- | --- | --- |
| manufacturer | xsd:string | |
| version | xsd:string | |

| Attribute | Range | Comment |
| --- | --- | --- |
| documentInformation | | |
| isOptimized | xsd:boolean | |
| pdfId0 | xsd:string | |
| pdfId1 | xsd:string | |
| version | xsd:string | |

Defines a software application package.
TODO: Determine which of these properties are valid and which need to go into a specific property bundle (AndroidPackage, iOSPackage, LinuxPackage, etc.).

| Attribute | Range | Comment |
| --- | --- | --- |
| applicationName | xsd:string | The name of the application (friendly name) |
| dataPath | Trace | Path designated by the OS to be used by that package application. |
| packageName | xsd:string | The package name (identifier) |
| packagePermission | xsd:string | Defines a permission associated with the application. |
| version | xsd:string | |

| Attribute | Range | Comment |
| --- | --- | --- |
| phoneNumber | xsd:string | |

NFI Needed
TODO: Community discuss

| Attribute | Range | Comment |
| --- | --- | --- |
| callType | xsd:string | |
| duration | xsd:duration | |
| endTime | xsd:dateTimeStamp | |
| participant | | |
| sender | | |
| startTime | xsd:dateTimeStamp | |

| Attribute | Range | Comment |
| --- | --- | --- |
| arguments | xsd:string | |
| binary | Trace | |
| createdTime | xsd:dateTimeStamp | |
| creatorUser | Trace | |
| currentWorkingDirectory | FilePath | |
| environmentVariable | DictionaryItem | |
| isHidden | xsd:boolean | |
| parentProcess | (Restriction on property propertyBundle with [owl:onClass Process, owl:minQualifiedCardinality (1 : xsd:nonNegativeInteger)]), Trace | |
| pid | xsd:integer | |

| Attribute | Range | Comment |
| --- | --- | --- |
| bitsPerPixel | xsd:integer | |
| format | xsd:string | |
| imageCompressionMethod | ImageCompressionMethod | |
| imageHeight | xsd:positiveInteger | |
| imageWidth | xsd:positiveInteger | |

The properties uniquely associated with an SMS message.
TODO: Add properties.
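
| Attribute | Range | Comment |
| --- | --- | --- |
| columnName | xsd:string | |
| rowCondition | xsd:string | |
| rowIndex | xsd:positiveInteger | |
| tableName | xsd:string | |

| Attribute | Range | Comment |
| --- | --- | --- |
| destinationFlags | xsd:string | |
| destinationPort | xsd:integer | |
| sourceFlags | xsd:string | |
| sourcePort | xsd:integer | |

| Attribute | Range | Comment |
| --- | --- | --- |
| destinationPort | xsd:integer | |
| sourcePort | xsd:integer | |
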
Properties specific to an account on a UNIX system

| Attribute | Range | Comment |
| --- | --- | --- |
| gid | xsd:integer | |
| groupName | xsd:string | |
| shell | xsd:string | |

Properties of an instance of a user account on a system.
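
| Attribute | Range | Comment |
| --- | --- | --- |
| canEscalatePrivs | xsd:boolean | |
| homeDirectory | FilePath | |
| isPrivileged | xsd:boolean | |
| isServiceAccount | xsd:boolean | |

| Attribute | Range | Comment |
| --- | --- | --- |
| snapshotID | xsd:string | |

| Attribute | Range | Comment |
| --- | --- | --- |
| sectorSize | xsd:long | |
| volumeID | xsd:string | |
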
Properties specific to an account on a Microsoft Windows (tm) system.

| Attribute | Range | Comment |
| --- | --- | --- |
| groupName | xsd:string | |

WindowsActiveDirectoryAccount
Properties specific to a Windows Active Directory account.

| Attribute | Range | Comment |
| --- | --- | --- |
| groupName | xsd:string | |
| objectGUID | xsd:string | |

WindowsComputerSpecification
Specifies Windows-specific system properties.

| Attribute | Range | Comment |
| --- | --- | --- |
| globalFlagList | GlobalFlagType | |
| msProductID | xsd:string | |
| msProductName | xsd:string | |
| netBiosName | xsd:string | |
| registeredOrganization | Identity | |
| registeredOwner | Identity | |
| windowsDirectory | Trace | |
| windowsDomain | xsd:string | |
| windowsSystemDirectory | Trace | |
| windowsTempDirectory | Trace | |

Properties specific to Windows portable executable (PE) files.
Characterizes entries in the Windows prefetch files. Starting with Windows XP, prefetching was introduced to speed up application startup.

| Attribute | Range | Comment |
| --- | --- | --- |
| accessedDirectory | Trace | |
| accessedFile | Trace | |
| applicationFileName | xsd:string | |
| firstRunTime | xsd:dateTimeStamp | |
| lastRunTime | xsd:dateTimeStamp | |
| prefetchHash | xsd:string | |
| timesExecuted | xsd:long | |
| volume | Trace | |

Properties specific to a Windows process.

| Attribute | Range | Comment |
| --- | --- | --- |
| aslrEnabled | xsd:boolean | |
| depEnabled | xsd:boolean | |
| ownerSID | xsd:string | |
| priority | xsd:string | |
| startupInfo | | |
| windowsTitle | xsd:string | |

(Undocumented)

| Attribute | Range | Comment |
| --- | --- | --- |
| hiveType | xsd:string | |

Properties of a Windows registry key.

| Attribute | Range | Comment |
| --- | --- | --- |
| creator | Trace | |
| modifedTime | xsd:dateTimeStamp | |
| numberOfSubkeys | xsd:integer | |
| registryKey | xsd:string | |
| registryValue | WindowsRegistryValue | |

| Attribute | Range | Comment |
| --- | --- | --- |
| displayName | xsd:string | |
| groupName | xsd:string | |
| serviceDescription | xsd:string | |
| serviceStatus | ServiceStatus | |
| serviceType | Servicetype | |
| startCommandLine | xsd:string | |
| startType | StartType | |

Characterizes a Windows disk volume.

| Attribute | Range | Comment |
| --- | --- | --- |
| driveLetter | xsd:string | |

| Attribute | Range | Comment |
| --- | --- | --- |
| hash | Hash | TODO: Remove this use of this property in exchange for using the Hash property bundle. |
| isSelfSigned | xsd:boolean | |
| issuer | xsd:string | |
| serialNumber | xsd:string | |
| signatureAlgorithm | xsd:string | |
| subject | (Identity or Role), xsd:string | |
| subjectPublicKeyAlgorithm | xsd:string | |
| subjectPublicKeyExponent | xsd:integer | |
| subjectPublicKeyModulus | xsd:string | |
| validityNotAfter | xsd:dateTimeStamp | |
| validityNotBefore | xsd:dateTimeStamp | |
| version | xsd:string | |
| x509V3Extensions | X509V3Extensions | |