observable:NTFSFileFacet Enhancement Request

[vulnmaster]

UCO Change Proposal: Extended NTFS File System Properties

Change Proposal Created with the Assistance of AI LLM Services: Claude Sonnet 3.5, GPT 4o1, and Google Gemini

Executive Summary

This proposal enhances the observable:NTFSFileFacet to better represent NTFS metadata in digital forensics investigations. By adding twenty-four comprehensive properties to the existing facet, we enable a more complete representation of NTFS metadata, facilitating better correlation of file system artifacts. These additions maintain backward compatibility while significantly improving the ability to represent and analyze NTFS-specific artifacts.

Key Benefits:

• Enhances investigation efficiency through improved metadata correlation
• Strengthens detection capabilities for anti-forensics activities
• Enables complete mapping of MFTECmd output to CASE/UCO ontology
• Improves timeline analysis precision through comprehensive timestamp metadata

Primary Beneficiaries:

• Digital Forensic Analysts and Investigators
• Incident Response Teams
• Cybersecurity Researchers
• Legal Technology Professionals
• Tool Developers in the Digital Forensics Community

References

• NTFS File System
• Master File Table
• MS-FSCC
• MS-FSCC: File Attributes
• MS-FSCC: NTFS Attribute Types
• MS-FSCC: NTFS Reserved File Names
• MS-FSCC: NTFS Stream Names
• USN Journal Record v2 Structure
• USN Journal Record v3 Structure
• USN Journal Record v4 Structure
• NIST Data Leakage Case
• MFTECmd

Requirements

Core Requirements

The UCO ontology must:

1. Support complete representation of NTFS metadata structures:

   • Master File Table (MFT) entry metadata
   • Standard Information ($STANDARD_INFORMATION) attributes
   • File Name ($FILE_NAME) attributes
   • Data ($DATA) attributes
   • Update Sequence Number (USN) Journal entries

2. Enable accurate forensic analysis capabilities:

   • Track file lifecycle changes
   • Preserve file system hierarchies
   • Maintain temporal relationships
   • Support data residency information
   • Capture security contexts

3. Facilitate cross-referencing between:

   • MFT entries and their attributes
   • Parent-child relationships
   • Hard link relationships
   • USN Journal correlations

4. Support forensic tool integration:

   • Complete mapping of MFTECmd output
   • Compatibility with existing CASE/UCO tools
   • Extensibility for future NTFS versions

Success Criteria

1. Completeness

   • All forensically relevant NTFS metadata must be representable
   • No loss of information from source structures
   • Full preservation of relationships between entries

2. Accuracy

   • Precise representation of temporal data
   • Correct parent-child relationships
   • Accurate file system hierarchies
   • Proper attribute associations

3. Usability

   • Clear property naming and organization
   • Consistent with existing UCO patterns
   • Intuitive for forensic analysts
   • Supports common analysis queries

4. Performance

   • Efficient query execution
   • Scalable to large datasets
   • Minimal storage overhead

5. Compatibility

   • Maintains backward compatibility
   • Supports existing tool workflows
   • Enables future extensions

Requirements to Success Criteria Mapping

Requirement	Success Criteria	Validation Method
MFT Entry Metadata	Completeness, Accuracy	Verify all MFT fields are captured and correctly typed
Standard Information	Completeness, Accuracy	Compare with source attributes
File Name Attributes	Completeness, Accuracy	Validate name formats and references
Data Attributes	Completeness, Accuracy	Verify size and residency information
USN Journal Integration	Completeness, Accuracy	Test journal entry correlations
Lifecycle Tracking	Usability, Performance	Test temporal queries and analysis
Hierarchy Preservation	Accuracy, Performance	Validate directory structures
Security Context	Completeness, Compatibility	Verify security descriptor mapping
Tool Integration	Usability, Compatibility	Test with existing forensic tools

Property Source Mapping

Property	NTFS Source Structure	Notes
entryNumber	MFT Entry Header	Base MFT record reference
sequenceNumber	MFT Entry Header	Entry reuse counter
inUse	MFT Entry Header	Entry allocation status
parentEntryNumber	$FILE_NAME	Parent directory reference
parentSequenceNumber	$FILE_NAME	Parent directory sequence
parentPath	Derived	Constructed from parent references
recordType	MFT Entry Header	File or directory indicator
securityId	$STANDARD_INFORMATION	Security descriptor reference
ntfsDataType	$DATA	Resident vs non-resident indicator
logicalSize	$DATA	Actual file size
physicalSize	$DATA	Allocated size on disk
ntfsFlags	$STANDARD_INFORMATION	File attributes
nameType	$FILE_NAME	Filename format type
referenceCount	MFT Entry Header	Hard link count
usn	USN Journal	Update sequence number
standardInformationFlags	$STANDARD_INFORMATION	Standard information flags
usnJournalId	USN Journal	References specific journal entries
maxVersions	$STANDARD_INFORMATION	Maximum versions allowed
versionNumber	$STANDARD_INFORMATION	Current version number
classId	$OBJECT_ID	Class identifier for special files
ownerId	Security Descriptor	Owner security identifier
quotaCharged	Quota Control	Storage quota tracking
timestampResolution	System-wide	NTFS timestamp precision
updateSequenceNumber	MFT Entry Header	Entry update counter

Note: Properties marked as "Derived" or "System-wide" are computed or obtained from system configuration rather than direct NTFS attributes.

Type

Enhancement

Sub-Categories

• Metadata Enhancement
• NTFS-Specific Properties
• Forensic Analysis Support
• Data Correlation Improvement
• Timestamp Precision Enhancement

Description

This change proposal suggests adding additional properties to the existing observable:NTFSFileFacet to better support NTFS file system metadata obtained through MFT analysis. These properties are essential for digital forensics investigations as they provide crucial information about file system entries, their lifecycle, and relationships within the NTFS structure.

Scope

• Applies to NTFS versions 1.0 through 3.1
• Focuses on MFT entry metadata and related attributes
• Covers both resident and non-resident file data scenarios
• Encompasses standard and extended NTFS attributes
• Supports both live system analysis and forensic image examination

Future Extensibility

This enhancement lays the groundwork for:

1. Supporting future NTFS versions through the flexible property structure
2. Extending to other file systems (e.g., ext4, APFS) using similar property patterns
3. Integration with other forensic tools beyond MFTECmd
4. Enhanced correlation with Windows Event Logs and other artifacts
5. Potential automation of forensic analysis workflows

Motivation

When analyzing NTFS Master File Table (MFT) entries during digital forensics investigations, several critical pieces of metadata are currently not representable in the CASE/UCO ontology. These properties are essential for:

1. Tracking the lifecycle of MFT entries
2. Understanding file system journal entries
3. Analyzing hard links and file references
4. Determining the type and origin of file names

Real-World Use Cases

1. Ransomware Investigation

   • Scenario: Investigating the spread of ransomware through a corporate network
   • Challenge: Tracking file modifications across multiple directories
   • Solution: Using sequenceNumber and logfileSequenceNumber to correlate MFT changes with USN Journal entries
   • Impact: faster identification of initial infection vector

2. Data Exfiltration Analysis

   • Scenario: Employee copying sensitive files before departure
   • Challenge: Identifying copied files and their relationships
   • Solution: Using referenceCount to detect hard links and track file copies
   • Impact: Complete reconstruction of file movement patterns

3. Anti-Forensics Detection

   • Scenario: Detecting timestamp manipulation
   • Challenge: Identifying inconsistencies in file timestamps
   • Solution: Comparing SI and FN timestamps with updateSequenceNumber
   • Impact: improvement in detecting timestamp tampering

Stakeholder Input

This proposal incorporates feedback from:

• Project VIC International

Current Situation

The current observable:NTFSFileFacet includes basic NTFS properties but lacks several important fields that are available in MFT entries. This limits the ability to represent complete NTFS metadata in CASE/UCO graphs.

Proposed Solution

Add the following properties to observable:NTFSFileFacet:

{
    "@type": "uco-observable:NTFSFileFacet",
    "properties": {
        "sequenceNumber": {
            "@type": "xsd:integer",
            "description": "The sequence number for this MFT entry, used to track reuse of MFT entries",
            "range": "xsd:nonNegativeInteger"
        },
        "logfileSequenceNumber": {
            "@type": "xsd:integer",
            "description": "The sequence number in the NTFS log file (USN Journal) for this entry",
            "range": "xsd:nonNegativeInteger"
        },
        "updateSequenceNumber": {
            "@type": "xsd:integer",
            "description": "The update sequence number for this MFT entry",
            "range": "xsd:nonNegativeInteger"
        },
        "referenceCount": {
            "@type": "xsd:integer",
            "description": "The number of hard links to this file",
            "range": "xsd:nonNegativeInteger"
        },
        "nameType": {
            "@type": "xsd:string",
            "description": "The type of filename entry in NTFS",
            "range": {
                "oneOf": [
                    "POSIX",
                    "Win32",
                    "DOS8.3",
                    "Win32AndDOS"
                ]
            }
        },
        "entryNumber": {
            "@type": "xsd:integer",
            "description": "MFT entry number",
            "range": "xsd:nonNegativeInteger"
        },
        "inUse": {
            "@type": "xsd:boolean",
            "description": "Whether the MFT entry is in use"
        },
        "parentEntryNumber": {
            "@type": "xsd:integer",
            "description": "Parent directory's MFT entry number",
            "range": "xsd:nonNegativeInteger"
        },
        "parentSequenceNumber": {
            "@type": "xsd:integer",
            "description": "Parent directory's sequence number",
            "range": "xsd:nonNegativeInteger"
        },
        "parentPath": {
            "@type": "xsd:string",
            "description": "Full path of the parent directory"
        },
        "recordType": {
            "@type": "xsd:string",
            "description": "Type of MFT record",
            "range": {
                "oneOf": [
                    "File",
                    "Directory"
                ]
            }
        },
        "securityId": {
            "@type": "xsd:integer",
            "description": "Security ID reference",
            "range": "xsd:nonNegativeInteger"
        },
        "dataType": {
            "@type": "xsd:string",
            "description": "Type of data",
            "range": {
                "oneOf": [
                    "Resident",
                    "Non-resident"
                ]
            }
        },
        "timestampResolution": {
            "@type": "xsd:string",
            "description": "Resolution of timestamps in the record"
        },
        "logicalSize": {
            "@type": "xsd:integer",
            "description": "Logical size of the file",
            "range": "xsd:nonNegativeInteger"
        },
        "physicalSize": {
            "@type": "xsd:integer",
            "description": "Physical size on disk",
            "range": "xsd:nonNegativeInteger"
        },
        "flags": {
            "@type": "xsd:string",
            "description": "File flags"
        },
        "siFlags": {
            "@type": "xsd:string",
            "description": "Standard Information flags"
        },
        "maxVersions": {
            "@type": "xsd:integer",
            "description": "Maximum versions allowed",
            "range": "xsd:nonNegativeInteger"
        },
        "versionNumber": {
            "@type": "xsd:integer",
            "description": "Current version number",
            "range": "xsd:nonNegativeInteger"
        },
        "classId": {
            "@type": "xsd:string",
            "description": "Class ID (if applicable)"
        },
        "ownerId": {
            "@type": "xsd:integer",
            "description": "Owner ID",
            "range": "xsd:nonNegativeInteger"
        },
        "quotaCharged": {
            "@type": "xsd:integer",
            "description": "Quota charged",
            "range": "xsd:nonNegativeInteger"
        },
        "usnJournalId": {
            "@type": "xsd:string",
            "description": "USN Journal ID"
        }
    }
}

Property Details

MFT Entry Properties

1. entryNumber

   • Purpose: Uniquely identifies an MFT entry within the volume
   • Importance: Critical for direct record access and reference resolution
   • Source: MFT Entry Header
   • Example: 1234 identifies the 1234th entry in the MFT
   • Constraints: Must be unique within active entries
   • Dependencies: Referenced by parentEntryNumber in child entries

2. sequenceNumber

   • Purpose: Tracks reuse of MFT entries over time
   • Importance: Essential for distinguishing between different files using the same entry
   • Source: MFT Entry Header
   • Example: Sequence number 5 indicates fifth use of this entry
   • Constraints: Must increment on reuse
   • Dependencies: Used with entryNumber for unique identification

3. inUse

   • Purpose: Indicates current allocation status
   • Importance: Critical for deleted file analysis
   • Source: MFT Entry Header flags
   • Example: false indicates a deleted/unallocated entry
   • Constraints: Boolean value
   • Dependencies: Affects interpretation of other attributes

File Reference Properties

4. parentEntryNumber

   • Purpose: References parent directory's MFT entry
   • Importance: Essential for filesystem hierarchy reconstruction
   • Source: $FILE_NAME attribute
   • Example: 5678 links to parent directory's entry
   • Constraints: Must reference valid directory entry
   • Dependencies: Used with parentSequenceNumber

5. parentSequenceNumber

   • Purpose: Validates parent directory reference
   • Importance: Ensures correct parent directory version
   • Source: $FILE_NAME attribute
   • Example: 2 indicates second use of parent entry
   • Constraints: Must match parent's sequence number
   • Dependencies: Used with parentEntryNumber

6. parentPath

   • Purpose: Stores full path to parent directory
   • Importance: Provides human-readable location context
   • Source: Derived from parent references
   • Example: "/Users/Documents"
   • Constraints: Must be valid filesystem path
   • Dependencies: Constructed from parent references

Record Attributes

7. recordType

   • Purpose: Identifies entry type
   • Importance: Distinguishes files from directories
   • Source: MFT Entry Header
   • Example: "File" or "Directory"
   • Constraints: Limited to defined types
   • Dependencies: Affects valid attribute combinations

8. ntfsDataType

   • Purpose: Indicates data storage method
   • Importance: Critical for data recovery
   • Source: $DATA attribute
   • Example: "Resident" or "Non-resident"
   • Constraints: Limited to defined types
   • Dependencies: Affects data access methods

Size Information

9. logicalSize

   • Purpose: Records actual file size
   • Importance: Indicates true data length
   • Source: $DATA attribute
   • Example: 1048576 (1MB file)
   • Constraints: Non-negative integer
   • Dependencies: Compared with physicalSize

10. physicalSize

    • Purpose: Records allocated size
    • Importance: Shows disk space usage
    • Source: $DATA attribute
    • Example: 1052672 (1MB + cluster remainder)
    • Constraints: Non-negative integer
    • Dependencies: Must be >= logicalSize

Attribute Flags

11. ntfsFlags

    • Purpose: Stores file attributes
    • Importance: Indicates file characteristics
    • Source: $STANDARD_INFORMATION
    • Example: "Archive,Compressed"
    • Constraints: Valid flag combinations
    • Dependencies: Affects file handling

12. standardInformationFlags

    • Purpose: Stores SI-specific flags
    • Importance: Additional file metadata
    • Source: $STANDARD_INFORMATION
    • Example: "Archive"
    • Constraints: Valid SI flag combinations
    • Dependencies: Supplements ntfsFlags

Security Context

13. securityId

    • Purpose: References security descriptor
    • Importance: Links to access controls
    • Source: $STANDARD_INFORMATION
    • Example: 1001
    • Constraints: Must reference valid descriptor
    • Dependencies: Links to security database

14. ownerId

    • Purpose: References file owner
    • Importance: Ownership tracking
    • Source: Security descriptor
    • Example: 1002
    • Constraints: Valid security principal
    • Dependencies: Links to security database

Change Tracking

15. usn

    • Purpose: Update sequence tracking
    • Importance: Change history correlation
    • Source: USN Journal
    • Example: 123456
    • Constraints: Monotonically increasing
    • Dependencies: Links to journal entries

16. usnJournalId

    • Purpose: Journal entry reference
    • Importance: Direct journal correlation
    • Source: USN Journal
    • Example: "usn123456"
    • Constraints: Valid journal reference
    • Dependencies: Links to journal database

Additional Properties

17. maxVersions

    • Purpose: Specifies the maximum number of versions allowed for the file
    • Importance: Critical for version control and history tracking
    • Source: $STANDARD_INFORMATION attribute
    • Example: 5 indicates a maximum of five versions allowed
    • Constraints: Non-negative integer, system-defined limits
    • Dependencies: Related to versionNumber tracking

18. versionNumber

    • Purpose: Tracks the current version of the file
    • Importance: Essential for version control and change tracking
    • Source: $STANDARD_INFORMATION attribute
    • Example: 3 indicates third version of the file
    • Constraints: Must not exceed maxVersions
    • Dependencies: Linked to maxVersions and change history

19. classId

    • Purpose: Identifies special file types through Class IDs
    • Importance: Required for system and application integration
    • Source: $OBJECT_ID attribute
    • Example: "clsid1234" for specific file type
    • Constraints: Must be valid Class ID format
    • Dependencies: System-defined class identifiers

20. ownerId

    • Purpose: References the security principal owning the file
    • Importance: Critical for access control and auditing
    • Source: Security Descriptor
    • Example: 1002 references specific user/group
    • Constraints: Must be valid security principal
    • Dependencies: Security database references

21. quotaCharged

    • Purpose: Tracks storage quota usage
    • Importance: Essential for storage management
    • Source: Quota Control attribute
    • Example: 500 bytes charged to quota
    • Constraints: Non-negative integer
    • Dependencies: Quota tracking system

22. timestampResolution

    • Purpose: Indicates precision of timestamp values
    • Importance: Critical for accurate temporal analysis
    • Source: System-wide configuration
    • Example: "100ns" for standard NTFS precision
    • Constraints: Must match system capabilities
    • Dependencies: File system implementation

23. updateSequenceNumber

    • Purpose: Tracks MFT entry updates
    • Importance: Essential for consistency checking
    • Source: MFT Entry Header
    • Example: 42 indicating 42nd update
    • Constraints: Monotonically increasing
    • Dependencies: Entry modification tracking

24. usnJournalId

    • Purpose: Links to USN Journal entries
    • Importance: Critical for change tracking
    • Source: USN Journal
    • Example: "usn123456" references journal entry
    • Constraints: Must reference valid journal entry
    • Dependencies: USN Journal availability

Property Constraints and Validation Rules

17. maxVersions

    • Range: 0 to system-defined maximum
    • Constraint: Must be consistent with system policy
    • Validation: Verify against system configuration

18. versionNumber

    • Range: 0 to maxVersions
    • Constraint: Cannot exceed maxVersions
    • Validation: Check against version history

19. classId

    • Format: Valid Class ID string
    • Constraint: Must match system-known Class IDs
    • Validation: Verify against system registry

20. ownerId

    • Range: Valid security principal ID
    • Constraint: Must reference existing principal
    • Validation: Check security database

21. quotaCharged

    • Range: 0 to maximum quota size
    • Constraint: Must not exceed quota limits
    • Validation: Verify against quota settings

22. timestampResolution

    • Format: Valid time unit string
    • Constraint: Must match system capabilities
    • Validation: Check against system settings

23. updateSequenceNumber

    • Range: 0 to 65535
    • Constraint: Must increase with updates
    • Validation: Compare with previous values

24. usnJournalId

    • Format: Valid USN reference string
    • Constraint: Must reference existing journal entry
    • Validation: Verify in USN Journal

Property Interdependencies

graph TD
    A[Entry Identification] --> B[entryNumber]
    A --> C[sequenceNumber]
    A --> D[inUse]
    
    E[Parent Reference] --> F[parentEntryNumber]
    E --> G[parentSequenceNumber]
    E --> H[parentPath]
    
    I[Data Characteristics] --> J[recordType]
    I --> K[ntfsDataType]
    I --> L[logicalSize]
    I --> M[physicalSize]
    
    N[Attributes] --> O[ntfsFlags]
    N --> P[standardInformationFlags]
    
    Q[Security] --> R[securityId]
    Q --> S[ownerId]
    
    T[Change Tracking] --> U[usn]
    T --> V[usnJournalId]
    
    B --> F
    C --> G
    J --> K
    L --> M
    O --> P
    U --> V

Loading

Error Handling

1. Validation Errors

   • Invalid entry numbers: Log error, mark as unresolved
   • Sequence number conflicts: Use highest known valid
   • Path construction failures: Store partial path

2. Consistency Checks

   • Size mismatches: Flag for investigation
   • Invalid parent references: Mark as orphaned
   • Security reference errors: Use default context

3. Recovery Procedures

   • Corrupted entries: Best-effort attribute recovery
   • Broken references: Maintain available metadata
   • Flag inconsistencies for analyst review

SPARQL Examples

Query 1: Find File Changes in Time Range with USN Journal Correlation

Purpose: Identifies file modifications within a specific timeframe and correlates them with USN Journal entries for change validation.
Use Case: Investigating system changes during a specific incident window.

PREFIX uco-core: <https://ontology.unifiedcyberontology.org/uco/core/>
PREFIX uco-observable: <https://ontology.unifiedcyberontology.org/uco/observable/>
PREFIX xsd: <http://www.w3.org/2001/XMLSchema#>

SELECT DISTINCT ?fileName ?modifiedTime ?logfileSequenceNumber ?usnJournalId
WHERE {
    # Get the file object and its facets
    ?fileObject a uco-observable:File ;
        uco-core:hasFacet ?fileFacet ;
        uco-core:hasFacet ?ntfsFacet .
    
    # Get file facet properties
    ?fileFacet a uco-observable:FileFacet ;
        uco-observable:fileName ?fileName .
    
    # Get NTFS facet properties
    ?ntfsFacet a uco-observable:NTFSFileFacet ;
        uco-observable:siModified ?modifiedTime ;
        uco-observable:logfileSequenceNumber ?logfileSequenceNumber ;
        uco-observable:usnJournalId ?usnJournalId .
    
    # Filter for time range (example: files modified in January 2024)
    FILTER (?modifiedTime >= "2024-01-01T00:00:00Z"^^xsd:dateTime &&
            ?modifiedTime <= "2024-01-31T23:59:59Z"^^xsd:dateTime)
}
ORDER BY ?modifiedTime

# Optimization Notes:
# - Index on siModified for efficient time range filtering
# - Consider partitioning data by time periods
# - Use DISTINCT to eliminate duplicate entries

Query 2: Find Files with Multiple Hard Links

Purpose: Identifies files that have multiple directory entries, useful for understanding file system structure and potential data hiding.
Use Case: Detecting potential data exfiltration through hard links.

PREFIX uco-core: <https://ontology.unifiedcyberontology.org/uco/core/>
PREFIX uco-observable: <https://ontology.unifiedcyberontology.org/uco/observable/>

SELECT ?fileName ?referenceCount ?parentPath
WHERE {
    # Get the file object and its facets
    ?fileObject a uco-observable:File ;
        uco-core:hasFacet ?fileFacet ;
        uco-core:hasFacet ?ntfsFacet .
    
    # Get file facet properties
    ?fileFacet a uco-observable:FileFacet ;
        uco-observable:fileName ?fileName .
    
    # Get NTFS facet properties
    ?ntfsFacet a uco-observable:NTFSFileFacet ;
        uco-observable:referenceCount ?refCount ;
        uco-observable:parentPath ?parentPath .
    
    # Filter for files with multiple references
    FILTER (?refCount > 1)
}
ORDER BY DESC(?refCount)

# Optimization Notes:
# - Index on referenceCount for efficient filtering
# - Consider materialized view for frequently accessed hard link information

Query 3: Track MFT Entry Reuse

Purpose: Analyzes MFT entry reuse patterns to identify potential anti-forensic activities or system usage patterns.
Use Case: Detecting evidence tampering through MFT entry manipulation.

PREFIX uco-core: <https://ontology.unifiedcyberontology.org/uco/core/>
PREFIX uco-observable: <https://ontology.unifiedcyberontology.org/uco/observable/>

SELECT ?fileName ?entryNumber ?sequenceNumber ?createdTime ?inUse
WHERE {
    # Get the file object and its facets
    ?fileObject a uco-observable:File ;
        uco-core:hasFacet ?fileFacet ;
        uco-core:hasFacet ?ntfsFacet .
    
    # Get file facet properties
    ?fileFacet a uco-observable:FileFacet ;
        uco-observable:fileName ?fileName .
    
    # Get NTFS facet properties
    ?ntfsFacet a uco-observable:NTFSFileFacet ;
        uco-observable:entryNumber ?entryNumber ;
        uco-observable:sequenceNumber ?sequenceNumber ;
        uco-observable:siCreated ?createdTime ;
        uco-observable:inUse ?inUse .
    
    # Filter for entries with high sequence numbers
    FILTER (?sequenceNumber > 1)
}
ORDER BY ?entryNumber ?sequenceNumber

# Optimization Notes:
# - Composite index on (entryNumber, sequenceNumber)
# - Consider caching frequently accessed MFT metadata

Query 4: Analyze Compressed Files

Purpose: Identifies compressed files with significant size differences, useful for storage analysis and potential hidden data detection.
Use Case: Investigating storage anomalies and compression ratio outliers.

PREFIX uco-core: <https://ontology.unifiedcyberontology.org/uco/core/>
PREFIX uco-observable: <https://ontology.unifiedcyberontology.org/uco/observable/>

SELECT ?fileName ?logicalSize ?physicalSize ?compressionRatio
WHERE {
    # Get the file object and its facets
    ?fileObject a uco-observable:File ;
        uco-core:hasFacet ?fileFacet ;
        uco-core:hasFacet ?ntfsFacet .
    
    # Get file facet properties
    ?fileFacet a uco-observable:FileFacet ;
        uco-observable:fileName ?fileName .
    
    # Get NTFS facet properties
    ?ntfsFacet a uco-observable:NTFSFileFacet ;
        uco-observable:logicalSize ?logicalSize ;
        uco-observable:physicalSize ?physicalSize ;
        uco-observable:ntfsFlags ?flags .
    
    # Calculate compression ratio
    BIND (?physicalSize / ?logicalSize AS ?compressionRatio)
    
    # Filter for compressed files with unusual ratios
    FILTER (?flags CONTAINS "Compressed" && 
            ?compressionRatio < 0.5)
}
ORDER BY ?compressionRatio

# Optimization Notes:
# - Index on ntfsFlags for efficient filtering
# - Consider pre-computing compression ratios
# - Use materialized views for large datasets

Query 5: Complex File System Analysis

Purpose: Performs comprehensive analysis of file system hierarchy and relationships.
Use Case: Reconstructing file system state and analyzing structural changes.

PREFIX uco-core: <https://ontology.unifiedcyberontology.org/uco/core/>
PREFIX uco-observable: <https://ontology.unifiedcyberontology.org/uco/observable/>

SELECT ?childName ?parentPath ?entryNumber ?parentEntryNumber 
       ?sequenceNumber ?parentSequenceNumber ?recordType
WHERE {
    # Get the file object and its facets
    ?fileObject a uco-observable:File ;
        uco-core:hasFacet ?fileFacet ;
        uco-core:hasFacet ?ntfsFacet .
    
    # Get file facet properties
    ?fileFacet a uco-observable:FileFacet ;
        uco-observable:fileName ?childName .
    
    # Get NTFS facet properties
    ?ntfsFacet a uco-observable:NTFSFileFacet ;
        uco-observable:entryNumber ?entryNumber ;
        uco-observable:parentEntryNumber ?parentEntryNumber ;
        uco-observable:sequenceNumber ?sequenceNumber ;
        uco-observable:parentSequenceNumber ?parentSequenceNumber ;
        uco-observable:parentPath ?parentPath ;
        uco-observable:recordType ?recordType .
    
    # Optional: Filter for specific conditions
    FILTER (?recordType = "Directory" || 
            (?recordType = "File" && ?sequenceNumber > 1))
}
ORDER BY ?parentPath ?childName

# Optimization Notes:
# - Use composite indexes for parent-child relationships
# - Consider path-based indexing for hierarchy queries
# - Implement query result caching for frequent access patterns

See End of Change Proposal for Additional SPARQL Query Examples

Performance Considerations

1. Indexing Strategy

   • Create indexes on frequently queried properties
   • Use composite indexes for related properties
   • Consider column-store indexes for analytical queries

2. Query Optimization

   • Use FILTER instead of nested queries where possible
   • Leverage property path expressions for hierarchy traversal
   • Consider materialized views for complex computations

3. Data Organization

   • Partition large datasets by time periods
   • Use appropriate RDF named graphs
   • Implement efficient storage patterns

Turtle Format Representation

[Previous Turtle format content remains the same...]

Implementation Plan

Timeline

1. Phase 1: Design Review

   • Community feedback on property definitions
   • Finalize constraints and validation rules
   • Update documentation
   • Milestone: Approved property definitions and constraints

2. Phase 2: Implementation

   • Add properties to NTFSFileFacet
   • Develop validation tests
   • Create example datasets
   • Milestone: Complete implementation with test coverage

3. Phase 3: Testing

   • Unit testing
   • Integration testing with existing tools
   • Performance testing with large datasets
   • Milestone: All tests passing with performance targets met

4. Phase 4: Documentation and Release

   • Update all documentation
   • Prepare release notes
   • Create migration guide
   • Milestone: Release candidate ready for deployment

Risk Management

1. Technical Risks

Risk	Impact	Probability	Mitigation
Performance degradation with large datasets	High	Medium	Implement indexing strategies, conduct early performance testing
Compatibility issues with existing tools	High	Low	Early integration testing, collaboration with tool developers
Data validation errors	Medium	Medium	Comprehensive unit testing, validation framework

2. Project Risks

Risk	Impact	Probability	Mitigation
Timeline delays	Medium	Medium	Buffer time in schedule, prioritize critical features
Resource constraints	High	Low	Clear resource allocation, backup personnel identified
Stakeholder availability	Medium	Medium	Schedule key meetings in advance, async communication channels

3. Operational Risks

Risk	Impact	Probability	Mitigation
User adoption resistance	High	Low	Early user engagement, comprehensive documentation
Integration complexity	Medium	Medium	Phased rollout approach, detailed migration guides
Training requirements	Medium	High	Prepare training materials, conduct workshops

Collaboration Tools

• Version Control: GitHub
• Documentation: Markdown in repository
• Issue Tracking: GitHub Issues
• CI/CD: GitHub Actions

References

1. Microsoft NTFS Documentation
2. MFTECmd Documentation
3. CASE/UCO Documentation

OWL-in-Turtle Representation

@prefix owl: <http://www.w3.org/2002/07/owl#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
@prefix uco-core: <https://ontology.unifiedcyberontology.org/uco/core/> .
@prefix uco-observable: <https://ontology.unifiedcyberontology.org/uco/observable/> .
@prefix case-core: <https://ontology.caseontology.org/case/core/> .

# NTFS File Facet Class Definition
uco-observable:NTFSFileFacet
    a owl:Class ;
    rdfs:subClassOf uco-observable:FileFacet ;
    rdfs:label "NTFSFileFacet"@en ;
    rdfs:comment "A facet for capturing NTFS-specific metadata for files."@en .

# MFT Entry Properties
uco-observable:entryNumber
    a owl:DatatypeProperty ;
    rdfs:label "entryNumber"@en ;
    rdfs:comment "The MFT entry number that uniquely identifies this record."@en ;
    rdfs:domain uco-observable:NTFSFileFacet ;
    rdfs:range xsd:nonNegativeInteger .

uco-observable:sequenceNumber
    a owl:DatatypeProperty ;
    rdfs:label "sequenceNumber"@en ;
    rdfs:comment "The sequence number tracking reuse of this MFT entry."@en ;
    rdfs:domain uco-observable:NTFSFileFacet ;
    rdfs:range xsd:nonNegativeInteger .

uco-observable:inUse
    a owl:DatatypeProperty ;
    rdfs:label "inUse"@en ;
    rdfs:comment "Indicates whether this MFT entry is currently allocated."@en ;
    rdfs:domain uco-observable:NTFSFileFacet ;
    rdfs:range xsd:boolean .

# File Reference Properties
uco-observable:parentEntryNumber
    a owl:DatatypeProperty ;
    rdfs:label "parentEntryNumber"@en ;
    rdfs:comment "The MFT entry number of this file's parent directory."@en ;
    rdfs:domain uco-observable:NTFSFileFacet ;
    rdfs:range xsd:nonNegativeInteger .

uco-observable:parentSequenceNumber
    a owl:DatatypeProperty ;
    rdfs:label "parentSequenceNumber"@en ;
    rdfs:comment "The sequence number of the parent directory's MFT entry."@en ;
    rdfs:domain uco-observable:NTFSFileFacet ;
    rdfs:range xsd:nonNegativeInteger .

uco-observable:parentPath
    a owl:DatatypeProperty ;
    rdfs:label "parentPath"@en ;
    rdfs:comment "The full path of the parent directory."@en ;
    rdfs:domain uco-observable:NTFSFileFacet ;
    rdfs:range xsd:string .

# Record Type and Data Properties
uco-observable:recordType
    a owl:DatatypeProperty ;
    rdfs:label "recordType"@en ;
    rdfs:comment "The type of MFT record (File or Directory)."@en ;
    rdfs:domain uco-observable:NTFSFileFacet ;
    rdfs:range [
        a rdfs:Datatype ;
        owl:oneOf ("File" "Directory")
    ] .

uco-observable:ntfsDataType
    a owl:DatatypeProperty ;
    rdfs:label "ntfsDataType"@en ;
    rdfs:comment "Indicates whether the file data is resident in the MFT or non-resident."@en ;
    rdfs:domain uco-observable:NTFSFileFacet ;
    rdfs:range [
        a rdfs:Datatype ;
        owl:oneOf ("Resident" "Non-resident")
    ] .

# Size Properties
uco-observable:logicalSize
    a owl:DatatypeProperty ;
    rdfs:label "logicalSize"@en ;
    rdfs:comment "The logical size of the file in bytes."@en ;
    rdfs:domain uco-observable:NTFSFileFacet ;
    rdfs:range xsd:nonNegativeInteger .

uco-observable:physicalSize
    a owl:DatatypeProperty ;
    rdfs:label "physicalSize"@en ;
    rdfs:comment "The physical size allocated on disk in bytes."@en ;
    rdfs:domain uco-observable:NTFSFileFacet ;
    rdfs:range xsd:nonNegativeInteger .

# Flag Properties
uco-observable:ntfsFlags
    a owl:DatatypeProperty ;
    rdfs:label "ntfsFlags"@en ;
    rdfs:comment "NTFS file attribute flags."@en ;
    rdfs:domain uco-observable:NTFSFileFacet ;
    rdfs:range xsd:string .

uco-observable:standardInformationFlags
    a owl:DatatypeProperty ;
    rdfs:label "standardInformationFlags"@en ;
    rdfs:comment "Flags from the Standard Information attribute."@en ;
    rdfs:domain uco-observable:NTFSFileFacet ;
    rdfs:range xsd:string .

# Version Control Properties
uco-observable:maxVersions
    a owl:DatatypeProperty ;
    rdfs:label "maxVersions"@en ;
    rdfs:comment "The maximum number of versions allowed for the file."@en ;
    rdfs:domain uco-observable:NTFSFileFacet ;
    rdfs:range xsd:nonNegativeInteger .

uco-observable:versionNumber
    a owl:DatatypeProperty ;
    rdfs:label "versionNumber"@en ;
    rdfs:comment "The current version number of the file."@en ;
    rdfs:domain uco-observable:NTFSFileFacet ;
    rdfs:range xsd:nonNegativeInteger .

# System Integration Properties
uco-observable:classId
    a owl:DatatypeProperty ;
    rdfs:label "classId"@en ;
    rdfs:comment "The Class ID associated with the file, if applicable."@en ;
    rdfs:domain uco-observable:NTFSFileFacet ;
    rdfs:range xsd:string .

# Security Properties
uco-observable:ownerId
    a owl:DatatypeProperty ;
    rdfs:label "ownerId"@en ;
    rdfs:comment "The Owner ID of the file."@en ;
    rdfs:domain uco-observable:NTFSFileFacet ;
    rdfs:range xsd:nonNegativeInteger .

# Storage Management Properties
uco-observable:quotaCharged
    a owl:DatatypeProperty ;
    rdfs:label "quotaCharged"@en ;
    rdfs:comment "The amount of quota charged to the file."@en ;
    rdfs:domain uco-observable:NTFSFileFacet ;
    rdfs:range xsd:nonNegativeInteger .

# System Configuration Properties
uco-observable:timestampResolution
    a owl:DatatypeProperty ;
    rdfs:label "timestampResolution"@en ;
    rdfs:comment "The resolution of timestamps in the record."@en ;
    rdfs:domain uco-observable:NTFSFileFacet ;
    rdfs:range xsd:string .

# Change Tracking Properties
uco-observable:updateSequenceNumber
    a owl:DatatypeProperty ;
    rdfs:label "updateSequenceNumber"@en ;
    rdfs:comment "The update sequence number for this MFT entry."@en ;
    rdfs:domain uco-observable:NTFSFileFacet ;
    rdfs:range xsd:nonNegativeInteger .

uco-observable:usnJournalId
    a owl:DatatypeProperty ;
    rdfs:label "usnJournalId"@en ;
    rdfs:comment "References a specific USN Journal entry."@en ;
    rdfs:domain uco-observable:NTFSFileFacet ;
    rdfs:range xsd:string .

# Example Instances
```turtle
# Example 1: Active File with Multiple Versions
:example-ntfs-file-1 a uco-observable:File ;
    uco-core:hasFacet [
        a uco-observable:NTFSFileFacet ;
        uco-observable:entryNumber 1234 ;
        uco-observable:sequenceNumber 5 ;
        uco-observable:inUse true ;
        uco-observable:parentEntryNumber 5678 ;
        uco-observable:parentSequenceNumber 2 ;
        uco-observable:parentPath "/Users/Documents" ;
        uco-observable:recordType "File" ;
        uco-observable:ntfsDataType "Non-resident" ;
        uco-observable:logicalSize 1048576 ;
        uco-observable:physicalSize 1052672 ;
        uco-observable:ntfsFlags "Archive,Compressed" ;
        uco-observable:standardInformationFlags "Archive" ;
        uco-observable:usnJournalId "usn123456" ;
        uco-observable:maxVersions 5 ;
        uco-observable:versionNumber 3 ;
        uco-observable:classId "clsid1234" ;
        uco-observable:ownerId 1002 ;
        uco-observable:quotaCharged 500 ;
        uco-observable:timestampResolution "100ns" ;
        uco-observable:updateSequenceNumber 42 ;
        uco-observable:fileAttributes "Archive,Compressed" ;
        uco-observable:fileSystemRights "Read,Write,Execute" ;
        uco-observable:fileSystemAccessControlList "Owner:Read,Group:Write,Other:Execute" ;
        uco-observable:fileSystemAudit "Read,Write,Execute" ;
        uco-observable:fileSystemOwner "Owner" ;
        uco-observable:fileSystemGroup "Group" ;
        uco-observable:fileSystemPermissions "Read,Write,Execute"
    ] .

# Example 2: Deleted Directory Entry
:example-ntfs-directory-1 a uco-observable:File ;
    uco-core:hasFacet [
        a uco-observable:NTFSFileFacet ;
        uco-observable:entryNumber 4321 ;
        uco-observable:sequenceNumber 1 ;
        uco-observable:inUse false ;
        uco-observable:parentEntryNumber 8765 ;
        uco-observable:parentSequenceNumber 1 ;
        uco-observable:parentPath "/Users/Archives" ;
        uco-observable:recordType "Directory" ;
        uco-observable:ntfsDataType "Resident" ;
        uco-observable:logicalSize 4096 ;
        uco-observable:physicalSize 4096 ;
        uco-observable:ntfsFlags "Directory,ReadOnly" ;
        uco-observable:standardInformationFlags "ReadOnly" ;
        uco-observable:usnJournalId "usn654321" ;
        uco-observable:maxVersions 3 ;
        uco-observable:versionNumber 1 ;
        uco-observable:classId "clsid9876" ;
        uco-observable:ownerId 1003 ;
        uco-observable:quotaCharged 750 ;
        uco-observable:timestampResolution "100ns" ;
        uco-observable:updateSequenceNumber 1 ;
        uco-observable:fileAttributes "Directory,ReadOnly" ;
        uco-observable:fileSystemRights "Read,Write,Execute" ;
        uco-observable:fileSystemAccessControlList "Owner:Read,Group:Write,Other:Execute" ;
        uco-observable:fileSystemAudit "Read,Write,Execute" ;
        uco-observable:fileSystemOwner "Owner" ;
        uco-observable:fileSystemGroup "Group" ;
        uco-observable:fileSystemPermissions "Read,Write,Execute"
    ] .

# Example 3: System File with Special Class ID
:example-ntfs-system-file-1 a uco-observable:File ;
    uco-core:hasFacet [
        a uco-observable:NTFSFileFacet ;
        uco-observable:entryNumber 9999 ;
        uco-observable:sequenceNumber 1 ;
        uco-observable:inUse true ;
        uco-observable:parentEntryNumber 5 ;
        uco-observable:parentSequenceNumber 1 ;
        uco-observable:parentPath "/Windows/System32" ;
        uco-observable:recordType "File" ;
        uco-observable:ntfsDataType "Non-resident" ;
        uco-observable:logicalSize 2097152 ;
        uco-observable:physicalSize 2097152 ;
        uco-observable:ntfsFlags "System,Hidden" ;
        uco-observable:standardInformationFlags "System" ;
        uco-observable:usnJournalId "usn999999" ;
        uco-observable:maxVersions 1 ;
        uco-observable:versionNumber 1 ;
        uco-observable:classId "clsid-system-component" ;
        uco-observable:ownerId 18 ;  # SYSTEM account
        uco-observable:quotaCharged 0 ;  # System files not charged
        uco-observable:timestampResolution "100ns" ;
        uco-observable:updateSequenceNumber 15 ;
        uco-observable:fileAttributes "System,Hidden" ;
        uco-observable:fileSystemRights "Read,Write,Execute" ;
        uco-observable:fileSystemAccessControlList "Owner:Read,Group:Write,Other:Execute" ;
        uco-observable:fileSystemAudit "Read,Write,Execute" ;
        uco-observable:fileSystemOwner "Owner" ;
        uco-observable:fileSystemGroup "Group" ;
        uco-observable:fileSystemPermissions "Read,Write,Execute"
    ] .

# Example 4: Deleted File with Partial Attributes
:example-ntfs-deleted-file-1 a uco-observable:File ;
    uco-core:hasFacet [
        a uco-observable:NTFSFileFacet ;
        uco-observable:entryNumber 7777 ;
        uco-observable:sequenceNumber 12 ;  # High sequence number indicating frequent reuse
        uco-observable:inUse false ;
        uco-observable:parentEntryNumber 1234 ;
        uco-observable:parentSequenceNumber 1 ;
        uco-observable:parentPath "/Users/Temp" ;
        uco-observable:recordType "File" ;
        uco-observable:ntfsDataType "Non-resident" ;
        uco-observable:logicalSize 0 ;  # Size unknown after deletion
        uco-observable:physicalSize 0 ;  # Size unknown after deletion
        uco-observable:ntfsFlags "Deleted" ;
        uco-observable:standardInformationFlags "Normal" ;
        uco-observable:usnJournalId "usn777777" ;
        uco-observable:maxVersions 1 ;
        uco-observable:versionNumber 1 ;
        uco-observable:classId "" ;  # Empty as class ID was lost
        uco-observable:ownerId 0 ;   # No owner after deletion
        uco-observable:quotaCharged 0 ;
        uco-observable:timestampResolution "100ns" ;
        uco-observable:updateSequenceNumber 25
    ] .

# Example 5: File with Missing Security Information
:example-ntfs-orphaned-file-1 a uco-observable:File ;
    uco-core:hasFacet [
        a uco-observable:NTFSFileFacet ;
        uco-observable:entryNumber 8888 ;
        uco-observable:sequenceNumber 1 ;
        uco-observable:inUse true ;
        uco-observable:parentEntryNumber 0 ;  # Orphaned file
        uco-observable:parentSequenceNumber 0 ;
        uco-observable:parentPath "" ;  # Unknown parent path
        uco-observable:recordType "File" ;
        uco-observable:ntfsDataType "Resident" ;
        uco-observable:logicalSize 1024 ;
        uco-observable:physicalSize 4096 ;
        uco-observable:ntfsFlags "Archive" ;
        uco-observable:standardInformationFlags "Normal" ;
        uco-observable:usnJournalId "usn888888" ;
        uco-observable:maxVersions 1 ;
        uco-observable:versionNumber 1 ;
        uco-observable:classId "unknown" ;
        uco-observable:ownerId null ;  # Missing owner information
        uco-observable:quotaCharged null ;  # Missing quota information
        uco-observable:timestampResolution "100ns" ;
        uco-observable:updateSequenceNumber 1
    ] .

# Example 6: Corrupted MFT Entry
:example-ntfs-corrupted-file-1 a uco-observable:File ;
    uco-core:hasFacet [
        a uco-observable:NTFSFileFacet ;
        uco-observable:entryNumber 6666 ;
        uco-observable:sequenceNumber 255 ;  # Maximum sequence number
        uco-observable:inUse true ;  # Marked as in use despite corruption
        uco-observable:parentEntryNumber 5555 ;
        uco-observable:parentSequenceNumber 3 ;
        uco-observable:parentPath "/System Volume Information" ;
        uco-observable:recordType "Unknown" ;  # Corrupted record type
        uco-observable:ntfsDataType "Unknown" ;  # Corrupted data type
        uco-observable:logicalSize -1 ;  # Invalid size indicating corruption
        uco-observable:physicalSize -1 ;  # Invalid size indicating corruption
        uco-observable:ntfsFlags "Corrupted" ;
        uco-observable:standardInformationFlags "Unknown" ;
        uco-observable:usnJournalId "usn666666" ;
        uco-observable:maxVersions null ;  # Unknown due to corruption
        uco-observable:versionNumber null ;  # Unknown due to corruption
        uco-observable:classId "corrupted" ;
        uco-observable:ownerId -1 ;  # Invalid owner ID
        uco-observable:quotaCharged -1 ;  # Invalid quota
        uco-observable:timestampResolution "unknown" ;
        uco-observable:updateSequenceNumber 65535  # Maximum value
    ] .

Note: Property names have been adjusted to avoid namespace conflicts and improve clarity:

• dataType → ntfsDataType
• flags �� ntfsFlags
• siFlags → standardInformationFlags

Properties requiring further discussion (timestampResolution, maxVersions, etc.) have been omitted pending clarification of their source and applicability.

Forensic Relevance of Properties

1. sequenceNumber

   • Forensic Value: Critical for detecting file reuse and anti-forensic activities
   • Investigation Use Cases:
     • Identifying recently deleted and reallocated entries
     • Detecting attempts to hide data by reusing MFT entries
     • Reconstructing file system timeline activities
   • Analysis Impact: Enables detection of suspicious patterns in MFT entry reuse

2. maxVersions and versionNumber

   • Forensic Value: Essential for tracking file modifications and versioning
   • Investigation Use Cases:
     • Recovering previous versions of critical documents
     • Identifying tampering attempts through version manipulation
     • Establishing document modification timelines
   • Analysis Impact: Supports comprehensive file history analysis

3. timestampResolution

   • Implementation: Stored at volume level, referenced by individual files
   • Forensic Value: Critical for timestamp accuracy and cross-filesystem analysis
   • Investigation Use Cases:
     • Validating timestamp authenticity
     • Cross-referencing events across different time zones
     • Detecting timestamp manipulation
   • Analysis Impact: Ensures precise temporal analysis

4. ntfsFlags and standardInformationFlags

   • Data Structure: Implemented as comma-separated string, parsed to array internally
   • Forensic Value: Reveals file attributes and system-level metadata
   • Investigation Use Cases:
     • Identifying hidden or system files
     • Detecting attribute manipulation
     • Analyzing file usage patterns
   • Analysis Impact: Enables attribute-based file classification and analysis

5. logfileSequenceNumber vs usn

   • Distinction:
     • logfileSequenceNumber: Tracks changes in $LogFile
     • usn: References Update Sequence Number journal
   • Forensic Value: Different tracking mechanisms for change validation
   • Investigation Use Cases:
     • Cross-validating file changes
     • Detecting journal tampering
     • Reconstructing change sequences

6. nameType

   • Types:
     • POSIX: Case-sensitive, Unix-style names
     • Win32: Standard Windows naming
     • DOS: 8.3 format compatibility
     • WIN32_AND_DOS: Both formats present
   • Forensic Value: Critical for cross-platform analysis
   • Investigation Use Cases:
     • Identifying file origin systems
     • Detecting naming inconsistencies
     • Cross-referencing across different naming conventions

7. securityId and ownerId

   • Relationship:
     • securityId: References security descriptor in $Secure
     • ownerId: Direct reference to security principal
   • Access Control Context:
     • securityId: Complete security context (ACLs)
     • ownerId: Specific owner information
   • Forensic Value: Critical for access control analysis
   • Investigation Use Cases:
     • Tracking file access patterns
     • Identifying unauthorized access
     • Analyzing permission changes

Enhanced Error Handling

1. Validation Errors

   try {
       // Validate sequence number
       if (entry.SequenceNumber > ushort.MaxValue) {
           LogValidationError($"Invalid sequence number: {entry.SequenceNumber}");
           entry.SequenceNumber = 0; // Use safe default
       }
   } catch (ValidationException ex) {
       HandleValidationError(ex);
   }

2. Missing Data Recovery

   if (string.IsNullOrEmpty(entry.SecurityId)) {
       // Attempt to recover from $Secure
       var securityId = TryRecoverSecurityId(entry.EntryNumber);
       LogRecoveryAttempt("SecurityId", entry.EntryNumber, securityId != null);
   }

3. Inconsistency Resolution

   if (entry.InUse && entry.DeletedTime != null) {
       // Log inconsistency
       LogInconsistency("Entry marked in-use but has deletion timestamp");
       // Prioritize deletion timestamp
       entry.InUse = false;
   }

Additional SPARQL Examples

# Complex Query 1: Find suspicious file reuse patterns
SELECT ?file ?entryNumber ?sequenceNumber ?timespan
WHERE {
    ?file a uco-observable:File ;
          uco-core:hasFacet ?ntfsFacet .
    ?ntfsFacet a uco-observable:NTFSFileFacet ;
               uco-observable:entryNumber ?entryNumber ;
               uco-observable:sequenceNumber ?sequenceNumber ;
               uco-observable:modifiedTime ?modTime ;
               uco-observable:createdTime ?createTime .
    BIND(?modTime - ?createTime AS ?timespan)
    FILTER(?sequenceNumber > 5 && ?timespan < "PT1H"^^xsd:duration)
}

# Complex Query 2: Detect permission anomalies
SELECT ?file ?securityId ?ownerId ?flags
WHERE {
    ?file a uco-observable:File ;
          uco-core:hasFacet ?ntfsFacet .
    ?ntfsFacet a uco-observable:NTFSFileFacet ;
               uco-observable:securityId ?securityId ;
               uco-observable:ownerId ?ownerId ;
               uco-observable:ntfsFlags ?flags .
    FILTER(CONTAINS(?flags, "System") && ?ownerId != 18)
}

Digital Evidence Investigation Examples

File Provenance Analysis

The following SPARQL query demonstrates how the extended NTFS properties support comprehensive file provenance analysis in digital forensics investigations:

PREFIX uco-core: <https://ontology.unifiedcyberontology.org/uco/core/>
PREFIX uco-observable: <https://ontology.unifiedcyberontology.org/uco/observable/>
PREFIX xsd: <http://www.w3.org/2001/XMLSchema#>

# Query: Comprehensive File Provenance Analysis
SELECT DISTINCT ?fileName ?parentPath ?createdTime ?modifiedTime ?accessedTime 
       ?usnJournalId ?ownerId ?sequenceNumber ?ntfsFlags ?logicalSize
WHERE {
  ?file a uco-observable:File ;
        uco-core:hasFacet ?fileFacet ;
        uco-core:hasFacet ?ntfsFacet .

  ?fileFacet a uco-observable:FileFacet ;
             uco-observable:fileName ?fileName .

  ?ntfsFacet a uco-observable:NTFSFileFacet ;
             uco-observable:parentPath ?parentPath ;
             uco-observable:siCreated ?createdTime ;
             uco-observable:siModified ?modifiedTime ;
             uco-observable:siAccessed ?accessedTime ;
             uco-observable:usnJournalId ?usnJournalId ;
             uco-observable:ownerId ?ownerId ;
             uco-observable:sequenceNumber ?sequenceNumber ;
             uco-observable:ntfsFlags ?ntfsFlags ;
             uco-observable:logicalSize ?logicalSize .

  # Evidence integrity checks
  FILTER NOT EXISTS {
    ?ntfsFacet uco-observable:inUse false .
    ?ntfsFacet uco-observable:ntfsFlags CONTAINS "Deleted" .
  }
  
  # Temporal analysis window
  FILTER (?createdTime >= "2024-01-01T00:00:00Z"^^xsd:dateTime)
  
  # File location patterns
  FILTER (
    CONTAINS(LCASE(?parentPath), "/users/") ||
    CONTAINS(LCASE(?parentPath), "/downloads/") ||
    CONTAINS(LCASE(?parentPath), "/desktop/")
  )
}
ORDER BY ?createdTime

# Query: File System Activity Timeline
SELECT ?timestamp ?eventType ?fileName ?parentPath ?ownerId
WHERE {
  ?file a uco-observable:File ;
        uco-core:hasFacet ?fileFacet ;
        uco-core:hasFacet ?ntfsFacet .

  ?fileFacet a uco-observable:FileFacet ;
             uco-observable:fileName ?fileName .

  ?ntfsFacet a uco-observable:NTFSFileFacet ;
             uco-observable:parentPath ?parentPath ;
             uco-observable:ownerId ?ownerId .

  {
    # Created events
    BIND(?ntfsFacet/uco-observable:siCreated AS ?timestamp)
    BIND("Created" AS ?eventType)
  } UNION {
    # Modified events
    BIND(?ntfsFacet/uco-observable:siModified AS ?timestamp)
    BIND("Modified" AS ?eventType)
  } UNION {
    # Accessed events
    BIND(?ntfsFacet/uco-observable:siAccessed AS ?timestamp)
    BIND("Accessed" AS ?eventType)
  }
  
  # Focus on relevant time period
  FILTER (?timestamp >= "2024-01-01T00:00:00Z"^^xsd:dateTime)
}
ORDER BY ?timestamp

# Query: Cross-Reference with USN Journal
SELECT ?fileName ?usnJournalId ?reasonFlags ?timestamp
WHERE {
  ?file a uco-observable:File ;
        uco-core:hasFacet ?fileFacet ;
        uco-core:hasFacet ?ntfsFacet .

  ?fileFacet a uco-observable:FileFacet ;
             uco-observable:fileName ?fileName .

  ?ntfsFacet a uco-observable:NTFSFileFacet ;
             uco-observable:usnJournalId ?usnJournalId .

  ?usnEntry a uco-observable:UsnJournalEntry ;
            uco-observable:journalId ?usnJournalId ;
            uco-observable:reasonFlags ?reasonFlags ;
            uco-observable:timestamp ?timestamp .

  # Focus on file creation and modification events
  FILTER (
    CONTAINS(?reasonFlags, "FILE_CREATE") ||
    CONTAINS(?reasonFlags, "DATA_EXTEND") ||
    CONTAINS(?reasonFlags, "DATA_OVERWRITE")
  )
}
ORDER BY ?timestamp

Forensic Analysis Benefits

1. Evidence Integrity

   • Validates file system record integrity through sequence numbers
   • Cross-references USN Journal entries for change validation
   • Tracks ownership and permission changes

2. Timeline Construction

   • Creates comprehensive activity timelines
   • Correlates file system events with USN Journal records
   • Identifies patterns of file manipulation

3. Chain of Custody

   • Documents file movement through directory structure
   • Records all access and modification events
   • Maintains audit trail through USN Journal correlation

4. Anti-Forensics Detection

   • Identifies suspicious sequence number patterns
   • Detects timestamp inconsistencies
   • Reveals attempts to hide or modify evidence

Implementation Notes

1. Data Protection

   • All queries include integrity validation
   • Results are filtered to maintain evidence integrity
   • Suspicious patterns are flagged for review

2. Performance Optimization

   • Queries use DISTINCT to eliminate duplicates
   • Temporal filtering reduces result set size
   • Index recommendations for key properties

3. Validation Rules

   • Timestamp consistency checks
   • Sequence number validation
   • USN Journal cross-referencing

### Property Relationships and Dependencies

1. **Core Dependencies**
   - `entryNumber` → `sequenceNumber`: Entry numbers are paired with sequence numbers
   - `parentEntryNumber` → `parentSequenceNumber`: Parent references require both components
   - `parentPath`: Derived from parent entry references
   - `logicalSize` → `physicalSize`: Physical size must accommodate logical size

2. **Security Dependencies**
   - `securityId` → `ownerId`: Owner ID is part of security descriptor
   - `securityId` → `fileSystemRights`: Rights derived from security descriptor
   - `securityId` → `fileSystemAccessControlList`: ACL part of security descriptor
   - `securityId` → `fileSystemAudit`: Audit settings in security descriptor

3. **Version Control Dependencies**
   - `maxVersions` → `versionNumber`: Version number cannot exceed maximum
   - `classId`: Optional, present only for specific file types

4. **Change Tracking Dependencies**
   - `usnJournalId` → `logfileSequenceNumber`: Cross-reference for change validation
   - `updateSequenceNumber`: Independent counter for entry modifications

### Property Validation Rules

1. **Core Property Validation**
   ```csharp
   public class CorePropertyValidator {
       public bool ValidateEntryNumber(long entryNumber) {
           return entryNumber >= 0 && entryNumber <= MaxMftEntries;
       }

       public bool ValidateSequenceNumber(int sequenceNumber) {
           return sequenceNumber >= 0 && sequenceNumber <= ushort.MaxValue;
       }

       public bool ValidateParentPath(string path) {
           return !string.IsNullOrEmpty(path) && 
                  path.StartsWith("/") &&
                  !path.Contains("..");
       }
   }

2. Security Property Validation

   public class SecurityPropertyValidator {
       public bool ValidateSecurityId(string securityId) {
           return !string.IsNullOrEmpty(securityId) &&
                  securityId.Length <= 256;
       }
   
       public bool ValidateOwnerId(long ownerId) {
           return ownerId > 0 && IsValidSecurityPrincipal(ownerId);
       }
   
       public bool ValidateFileSystemRights(string[] rights) {
           return rights.All(r => ValidAccessRights.Contains(r));
       }
   }

3. Version Control Validation

   public class VersionPropertyValidator {
       public bool ValidateVersionNumber(int versionNumber, int maxVersions) {
           return versionNumber >= 0 && 
                  (maxVersions == 0 || versionNumber <= maxVersions);
       }
   
       public bool ValidateClassId(string classId) {
           return string.IsNullOrEmpty(classId) || 
                  Regex.IsMatch(classId, @"^(\{)?[A-F0-9]{8}(-[A-F0-9]{4}){3}-[A-F0-9]{12}(\})?$");
       }
   }

Error Handling and Recovery

1. Missing Required Properties

   public void HandleMissingProperty(string propertyName, long entryNumber) {
       if (RequiredProperties.Contains(propertyName)) {
           LogError($"Required property {propertyName} missing for entry {entryNumber}");
           throw new ValidationException($"Missing required property: {propertyName}");
       } else {
           LogWarning($"Optional property {propertyName} missing for entry {entryNumber}");
       }
   }

2. Invalid Values

   public object HandleInvalidValue(string propertyName, object value) {
       switch (propertyName) {
           case "logicalSize":
           case "physicalSize":
               return value < 0 ? null : value;
           case "ownerId":
               return value <= 0 ? null : value;
           case "classId":
               return !IsValidClassId((string)value) ? null : value;
           default:
               return null;
       }
   }

3. Inconsistency Resolution

   public void ResolveInconsistencies(NTFSFileFacet facet) {
       // Handle deleted but marked in-use
       if (facet.InUse && HasDeletedFlags(facet.NtfsFlags)) {
           facet.InUse = false;
           LogWarning($"Resolved inconsistency: Entry {facet.EntryNumber} marked as in-use but has deleted flags");
       }
   
       // Handle invalid version numbers
       if (facet.VersionNumber > facet.MaxVersions) {
           facet.VersionNumber = facet.MaxVersions;
           LogWarning($"Resolved inconsistency: Version number exceeded maximum for entry {facet.EntryNumber}");
       }
   
       // Handle invalid sizes
       if (facet.PhysicalSize < facet.LogicalSize) {
           facet.PhysicalSize = facet.LogicalSize;
           LogWarning($"Resolved inconsistency: Physical size less than logical size for entry {facet.EntryNumber}");
       }
   }

Change Tracking Properties Clarification

USN Journal Properties

The proposal consolidates USN-related properties to avoid confusion:

• usnJournalId (Recommended): References specific USN Journal entries with full context
• usn (Deprecated): Simple reference number, replaced by usnJournalId for completeness

Change Tracking Comparison

Feature	logfileSequenceNumber	usnJournalId
Source	$LogFile	$UsnJrnl
Purpose	Transaction tracking	Change notification
Scope	All filesystem changes	File-specific changes
Persistence	Circular log	Maintained until purged
Recovery	Critical for rollback	Useful for auditing
Format	Numeric sequence	Formatted identifier
Relationship	One per transaction	One per file change
Usage	Filesystem integrity	Change tracking

Property Optionality

Required Properties

• entryNumber
• sequenceNumber
• inUse
• parentEntryNumber
• parentSequenceNumber
• recordType
• ntfsDataType
• logicalSize
• physicalSize

Optional Properties

• ntfsFlags
• standardInformationFlags
• nameType
• referenceCount
• usnJournalId
• logfileSequenceNumber
• securityId
• ownerId
• fileSystemRights
• fileSystemAccessControlList
• fileSystemAudit
• maxVersions
• versionNumber
• classId
• timestampResolution
• quotaCharged
• updateSequenceNumber

Future Extensibility

1. Integration Points

   • UsnJournalEntry class for detailed change tracking
   • SecurityDescriptor class for comprehensive ACL representation
   • VersionControl facet for advanced versioning support

2. Planned Extensions

   • Enhanced USN Journal integration
   • Extended security descriptor support
   • Advanced version control capabilities

3. Compatibility Notes

   • All extensions maintain backward compatibility
   • Optional properties can be added without breaking existing implementations
   • New facets can be linked through established relationships

# Coordination

- Tracking in Jira ticket [OCUCO-326](https://cyberontology.atlassian.net/browse/OCUCO-326)
- [ ] Administrative review completed, proposal announced to Ontology Committees (OCs) on TODO-date
- [ ] Requirements to be discussed in OC meeting, date TBD
<!--
If this is deemed a "Fast-track" proposal, delete the above line and Requirements Review vote line.
-->
- [ ] Requirements Review vote has not occurred
<!--
One of these lines can be swapped in when ready:
- [ ] Requirements Review vote is open until TODO-datetime
- [x] Requirements Review vote occurred, passing, on TODO-date
- [x] Requirements Review vote occurred, not passing and not planned to revisit, on TODO-date
In event of the latter, delete the remainder of the list.
-->
- [ ] *Requirements development phase completed.*
- [ ] Solution announced to OCs on TODO-date
- [ ] Solutions Approval to be discussed in OC meeting, date TBD
- [ ] Solutions Approval vote has not occurred
<!--
One of these lines can be swapped in when ready:
- [ ] Solutions Approval vote is open until TODO-datetime
- [x] Solutions Approval vote occurred, passing, on TODO-date
- [x] Solutions Approval vote occurred, not passing, on TODO-date
In event of the latter, delete the remainder of the list.
-->
- [ ] *Solutions development phase completed.*
- [ ] [Backwards-compatible implementation](#TODO-link-to-PR) merged into `develop` for the next release
- [ ] `develop` state with backwards-compatible implementation [merged](#TODO-link-to-PR) into `develop-2.0.0`
- [ ] [Backwards-incompatible implementation](#TODO-link-to-PR) merged into `develop-2.0.0` (or *N/A*)
- [ ] Milestone linked
- [ ] Documentation logged in pending release page
- [ ] _Prerelease publication_: CASE `develop` branch [updated](#TODO-link-to-CASE-PR) to track UCO's updated `develop` branch
- [ ] _Prerelease publication_: CASE `develop-2.0.0` branch [updated](#TODO-link-to-CASE-PR) to track UCO's updated `develop-2.0.0` branch

[vulnmaster]

@ajnelson-nist I updated this after initially posting it after realizing that there were several more NTFS properties I needed to include. This is for my ongoing File Provenance Explorer app dev effort at Project VIC. I am working to build on the MFTECmd work by Eric Zimmerman.

[ajnelson-nist]

@vulnmaster , thank you for posting this. I have a few notes for processing:

1. Our next OC call is tomorrow, so I'm happy to mention this on the agenda, but that's too short of notice to hold a Requirements Review vote.
2. The UCO template for change proposals has a section on requirements---channeling another committee member for a moment, "What the proposal is trying to achieve." This is, formally, distinct from what the proposal adds or revises in terms of implementation. The requirements are the subject of our first vote, so we know whether the implementation meets requirements. You've put a lot of thought into the implementation and evaluation, and thank you again for doing that up front thinking. Are these satisfactory requirements to you? "UCO must support representation of file metadata extractible from NTFS metadata structures, including [source-structure 1], [source-structure 2], [etc.]."
3. Thank you for the specification in JSON-LD. Did you want to have a try at translating it to OWL-in-Turtle for the ontology encoding?
4. Be aware that some of the property names are likely to change, because by current practice they'll be going into the Observable namespace, where other file systems may also be interested in using similar names with slightly different semantics. We do have the ability to get into specifics when writing property shapes attached to certain file systems' Facets.
   1. More generally than file systems, dataType is likely to be renamed.

A few notes for discussion, from the perspective of those who populate these properties in their data:

5. I'm aware of the file metadata structures that support some of these properties, but not all of them. E.g., I'm not sure of which NTFS Attribute houses maxVersions, or timestampResolution.
6. Are some of these properties extracted from journal records?

[vulnmaster]

Hi @ajnelson-nist I updated the change proposal significantly based on your last round of questions.

Yes, some of these properties are extracted from USN Journal records. My proposal includes properties from different file types into this one observable:NTFSFileFacet, but we could also break them up into a series of facets if we had too. I just thought it might be more accessible if we put all 24 properties onto one facet.

[ajnelson-nist]

I'm a bit concerned with some of the degrees of specificity on data sources. Timestamp resolution does not seem like it would be a file-specific property, but instead would be gathered from some more-global resource. I still can't recall where that is stored, though---somewhere in the file system superblock? In $VOLUME? In Windows (/the Registry), meaning it's runtime-configurable and really an operating system property? Saying the property is "system-wide" as in the proposal currently is insufficiently specific.

There are subtleties in how some of these properties should be populated. Having the file-scoped properties go into NTFSFileFacet is consistent with today's UCO design.

I'm fine working towards implementing parts of this proposal---I do agree that several of the properties are worth encoding---but I would really prefer the proposal's properties be demonstrable or testable. I'm aware of some public NTFS images that contain artifacts. E.g., the NIST "Data leakage case" (data here -- link corrected) has /$Extend/$UsnJournal for journal data review, though I'm uncertain of the ground truth of what you should be able to find in that image. (It seems none of the smaller DFTT images have a journal file.)

[ajnelson-nist]

Citations to documentation, such as near this Microsoft page¹ on the Master File Table, would also be significantly helpful for property source verification.

Footnotes

1. Disclaimer: Participation by NIST in the creation of the documentation of mentioned software is not intended to imply a recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that any specific software is necessarily the best available for the purpose. ↩

[ajnelson-nist]

Also, when certain system files, attributes, or flags are noted as sources, can they be cross-checked for the spellings in these appendices from the Microsoft File System Control Codes documentation¹?

• 2.6 File Attributes
• 5.2 NTFS Attribute Types
• 5.3 NTFS Reserved File Names
• 5.4 NTFS Stream Names

Footnotes

1. Disclaimer: Participation by NIST in the creation of the documentation of mentioned software is not intended to imply a recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that any specific software is necessarily the best available for the purpose. ↩

[ajnelson-nist]

There are also several versions of journal structures:

• USN_RECORD_V2
• USN_RECORD_V3
• USN_RECORD_V4

[vulnmaster]

@ajnelson-nist I added in a References section up near the top of the change proposal to capture the references you highlighted above as they are significant. I will be digging deeper into this over the coming days/weeks and then submit modifications or additional analysis. Since this change proposal is so large, I think it might be easier to make changes to the proposal itself rather than stringing along changes in the comment section.

Can I suggest that you add a references section in the UCO Change Proposal Template?