Parser to extract Artifacts from MAGNET FORENSICS XML reports, exported by the AXIOM PROCESS tool, and convert them into a JSON-LD file compliant with the UCO/CASE ontologies.

This repository provides a parser that extracts the most relevant elements of evidence from XML reports generated by AXIOM PROCESS and converts them into the UCO/CASE ontology (caseontology.org). In addition to these digital traces, other relevant data are represented, such as the Chain of Custody, the Chain of Evidence and device information.

The parser has been developed in Python 3.x and is based on SAX (Simple API for XML). Because SAX processes the document as a stream of events instead of loading it into memory, the parser can process any report, regardless of its size.

The parser supports the latest CASE version; for each specific CASE release a corresponding branch is included in the repository.

The AXIOM parser is composed of the following modules:

  • parser_AXIOMtoCASE.py (main program: SAX parser)
  • AXIOMtoJSON.py (class for generating the JSON-LD files of the UCO/CASE ontology)

Requirements

The tool has been developed in Python 3.x and requires the following modules:

  • xml.sax (SAX classes)
  • string (string utilities)
  • argparse (args input management)
  • os (operating system utilities)
  • codecs (UTF-8 and other codec management)
  • re (regular expressions management)
  • uuid (universally unique identifier generation)
  • timeit (execution timing)
  • time (time functions)
  • json (JSON serialization)
  • case_builder (a library developed to generate the JSON-LD elements according to the UCO/CASE ontology definitions)

Usage

parser_AXIOMtoCASE.py [-h] -r INFILEXML -o OUTPUT_JSON

where:

  • -h, --help (shows the help message, including the supported AXIOM versions, then exits)
  • -r | --report INFILEXML (the AXIOM XML report to be processed; required)
  • -o | --output OUTPUT_JSON (the JSON-LD file to be generated; required)
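The following is an added, self-contained sketch of the two-module design described above (a SAX handler that streams the XML report, plus a builder class that emits the JSON-LD objects) and of the per-application CHAT extraction listed later in this README. It is not the project's own code. The XML layout of the sample (Report/Artifact/Hit/Fragment and the fragment names) is constructed for the example and is not the real AXIOM schema; the UCO class and property names are approximations that must be checked against the CASE/UCO release being targeted; the `kb:` namespace and the phone numbers are invented.

```python
# Added example (not the project's code): a SAX handler streams an AXIOM-style
# XML report and a builder class emits UCO/CASE-style JSON-LD. The XML layout
# is constructed, not the real AXIOM schema; UCO names are approximations to
# check against the targeted CASE/UCO release; "kb:" is an assumed namespace.
import io
import uuid
import xml.sax
from xml.sax.handler import ContentHandler

# Constructed sample. The second artifact is not a chat artifact and must be
# skipped; the &amp; entity makes expat deliver the message text in chunks.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<Report tool="AXIOM PROCESS">
  <Artifact name="iOS WhatsApp Messages"><Hit>
    <Fragment name="Sender">+10000000001</Fragment>
    <Fragment name="Recipient">+10000000002</Fragment>
    <Fragment name="Message">Hello &amp; see you at 9</Fragment>
    <Fragment name="Message Sent Date/Time">2021-05-01T09:00:00Z</Fragment>
  </Hit></Artifact>
  <Artifact name="Safari History"><Hit><Fragment name="URL">https://example.org/</Fragment></Hit></Artifact>
</Report>"""

CHAT_ARTIFACTS = frozenset({"Android WhatsApp Messages", "iOS WhatsApp Messages",
                            "Signal Messages", "Facebook Messenger Messages"})
CONTEXT = {"kb": "http://example.org/kb/",   # assumed namespaces, verify per release
           "xsd": "http://www.w3.org/2001/XMLSchema#",
           "uco-core": "https://unifiedcyberontology.org/ontology/uco/core#",
           "uco-observable": "https://unifiedcyberontology.org/ontology/uco/observable#"}

class CaseJsonBuilder:
    """Collects JSON-LD objects (the role AXIOMtoJSON.py plays in the project)."""

    def __init__(self):
        self.graph = []

    def add_message(self, sender, recipient, text, sent_time, application):
        # Real UCO points from/to at Account objects; plain strings keep this short.
        obj = {"@id": f"kb:message-{uuid.uuid4()}",
               "@type": "uco-observable:Message",
               "uco-core:hasFacet": [{
                   "@type": "uco-observable:MessageFacet",
                   "uco-observable:from": sender,
                   "uco-observable:to": [recipient],
                   "uco-observable:messageText": text,
                   "uco-observable:sentTime": {"@type": "xsd:dateTime", "@value": sent_time},
                   "uco-observable:application": application}]}
        self.graph.append(obj)
        return obj["@id"]

    def to_jsonld(self):
        return {"@context": CONTEXT, "@graph": self.graph}

class AxiomChatHandler(ContentHandler):
    """Event-driven: memory stays flat however large the report is."""

    FIELDS = {"Sender": "sender", "Recipient": "recipient",
              "Message": "text", "Message Sent Date/Time": "sent_time"}

    def __init__(self, builder, wanted):
        super().__init__()
        self.builder, self.wanted = builder, wanted
        self.artifact = None   # name of the <Artifact> being read
        self.field = None      # key of the wanted <Fragment> being read
        self.buf, self.hit, self.count = [], {}, 0

    def startElement(self, name, attrs):
        if name == "Artifact":
            self.artifact = attrs.get("name")
        elif name == "Hit":
            self.hit = {}
        elif name == "Fragment" and self.artifact in self.wanted:
            self.field, self.buf = self.FIELDS.get(attrs.get("name")), []

    def characters(self, content):
        if self.field:         # may fire several times for one text node
            self.buf.append(content)

    def endElement(self, name):
        if name == "Fragment" and self.field:
            self.hit[self.field] = "".join(self.buf).strip()
            self.field = None
        elif name == "Hit" and self.artifact in self.wanted:
            h = self.hit
            self.builder.add_message(h.get("sender", ""), h.get("recipient", ""),
                                     h.get("text", ""), h.get("sent_time", ""), self.artifact)
            self.count += 1
        elif name == "Artifact":
            self.artifact = None

def convert(source, wanted=CHAT_ARTIFACTS):
    """Stream-parse bytes or a binary file object; return (JSON-LD dict, message count)."""
    builder = CaseJsonBuilder()
    handler = AxiomChatHandler(builder, wanted)
    parser = xml.sax.make_parser()  # use defusedxml.sax.make_parser() for untrusted reports
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(source) if isinstance(source, bytes) else source)
    return builder.to_jsonld(), handler.count
```

`convert(open("report.xml", "rb"))` is all the command-line wrapper needs to call after argparse has collected `-r`/`-o`; the result is then written with `json.dump`. Two points worth keeping from the sketch: `characters()` must be buffered and joined, because expat splits a text node at every entity reference, and a report that comes from an untrusted source should be parsed with `defusedxml.sax.make_parser()`, since the stock expat parser still expands internal entities (the "billion laughs" pattern) even though recent Python versions no longer fetch external ones by default.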

Mobile Forensic Data set

The parser has been developed and tested on a large collection of mobile forensic datasets: images made available by the Computer Forensic Reference Data Sets (CFReDS) Project, a few provided by LEA partners of the project, and those freely provided by Cellebrite and Magnet Forensics for their annual Capture The Flag competitions. All of this data is fictitious, so there is no privacy issue: the datasets are provided to investigators for examination as sets of simulated digital evidence.

CASE representation: JSON-LD files

All the XML reports have been processed to generate the corresponding CASE representation of the following traces (facets, in CASE terminology):

  • Calendar
  • Call
  • Cell Tower (drafting)
  • Chat (Whatsapp, Skype, Telegram etc.)
  • Contact
  • Cookie
  • Email
  • Event
  • File
  • Searched item (drafting)
  • Social Media Activity (drafting)
  • SMS
  • URL History
  • Wifi Connection (drafting)
  • Chain of Evidence
  • Context
    • Device info
    • Tool
    • Performer
    • Provenance Record
    • Investigative Acquisition
    • Investigative Extraction

Ontologies compatibility

The generated JSON-LD files are compliant with a recent version of the CASE/UCO ontologies, currently CASE 0.4 / UCO 0.6.

Documentation

The repository also contains an XML file for each extracted Artifact, to illustrate how the SAX parser works. The XML examples are based on the Beth_iPhone image provided by Cellebrite in the CTF 2021. Since AXIOM organizes its output by application, each Artifact has been extracted per app that can generate it. At the moment the parser extracts the CHAT Artifact taking into account the following applications:

  • CHAT Artifact
    • Android WhatsApp Messages
    • iOS WhatsApp Messages
    • Android Telegram Messages
    • iOS Telegram Messages
    • iOS Telegram Chats
    • Snapchat Chat Messages
    • TikTok Messages
    • Instagram Direct Messages
    • Signal Messages
    • Signal Messages - Windows
    • Signal Messages - iOS
    • Facebook Messenger Messages
    • Discord Messages

The XML examples are as follows:

  • CALENDAR.xml
  • CALL_IOS.xml and CALL_ANDROID
  • CELL_TOWER.xml
  • CHAT_WHATSAPP.xml
  • CONTACT_IOS.xml
  • COOKIES_CHROME.xml
  • EMAIL_APPLE_MAIL.xml
  • FILE_PICTURES.xml
  • FILE_VIDEOS.xml
  • FILE_AUDIO.xml
  • SEARCHED_ITEM.xml
  • SMS.xml
  • WEB_BOOKMARK_SAFARI.xml
  • WEB_HISTORY_SAFARI.xml
  • WIRELESS_NETWORK.xml