Naming Help Needed


Naming Help Needed

Brian Carrier-2
We're about to release the first version of a new database that Autopsy can use to support various analytical features and we're having trouble with terms and naming.  So, we are seeking some more opinions.

Question 1) A file has additional data, such as its path and MD5 values.  What do you call those?  We've used the terms feature, indicator, artifact, property, etc.  Which makes the most sense to you?

Question 2) A web bookmark has additional data, such as dates and URL.  What do you call those?  Same as in Q1?

To give some more context, we are about to release a new database that can be used to correlate data between cases (or between devices in the same case).  But, we need a name to describe what we are storing, which includes:
- MD5 hash of files
- path of files
- Email addresses
- Domain names
- Phone numbers

For a while, we were referring to these as artifacts, but that got too confusing because we already have a notion of artifacts in Autopsy, which are "bigger" things like web bookmarks and  keyword hits.

thanks,
brian

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org

Re: Naming Help Needed

Danilo Marques
Property. 

On Jun 21, 2017 11:37, "Brian Carrier" <[hidden email]> wrote:
We're about to release the first version of a new database that Autopsy can use to support various analytical features and we're having trouble with terms and naming.  So, we are seeking some more opinions.

Question 1) A file has additional data, such as its path and MD5 values.  What do you call those?  We've used the terms feature, indicator, artifact, property, etc.  Which makes the most sense to you?

Question 2) A web bookmark has additional data, such as dates and URL.  What do you call those?  Same as in Q1?

To give some more context, we are about to release a new database that can be used to correlate data between cases (or between devices in the same case).  But, we need a name to describe what we are storing, which includes:
- MD5 hash of files
- path of files
- Email addresses
- Domain names
- Phone numbers

For a while, we were referring to these as artifacts, but that got too confusing because we already have a notion of artifacts in Autopsy, which are "bigger" things like web bookmarks and  keyword hits.

thanks,
brian


Re: Naming Help Needed

Keith Wall
In reply to this post by Brian Carrier-2
I would go with property/properties for both. Artifacts of an artifact is confusing. I don't like feature or indicator.

"Details" might not be a bad term as well. These are the fine details pertaining to an artifact.

-keith


Re: Naming Help Needed

Jon Stewart
Or just good old "metadata" for the collection of them (a hash is computed so that could be argued, but path is clearly "metadata"). But property/properties makes sense and is pretty consistent with other tools.


Jon

> -----Original Message-----
> From: Keith Wall [mailto:[hidden email]]
> Sent: Wednesday, June 21, 2017 11:03 AM
> To: Brian Carrier <[hidden email]>
> Cc: sleuthkit-users <[hidden email]>
> Subject: Re: [sleuthkit-users] Naming Help Needed
>
> I would go with property/properties for both. Artifacts of an artifact
> is confusing. I don't like feature or indicator.
>
> "Details" might not be a bad term as well. These are the fine details
> pertaining to an artifact.
>
> -keith

Re: Naming Help Needed

Luís Filipe Nassif
In reply to this post by Brian Carrier-2
Property or attribute.

Luis


Re: Naming Help Needed

Pasquale Rinaldi
In reply to this post by Keith Wall
That information seems to all be different types of "identifiers". Not sure if you are using that one already. Otherwise details or properties works.

Pasquale


Re: Naming Help Needed

MATT PIERCE
In reply to this post by Jon Stewart
My initial idea was metadata. I have a concern with that as ediscovery folks and lawyers use that term generically for document embedded data about the creation and modification attributes.

I would go with properties or attributes myself.

-----Original Message-----
From: Jon Stewart [mailto:[hidden email]]
Sent: Wednesday, June 21, 2017 10:11 AM
To: Keith Wall <[hidden email]>; Brian Carrier <[hidden email]>
Cc: sleuthkit-users <[hidden email]>
Subject: Re: [sleuthkit-users] Naming Help Needed

Or just good old "metadata" for the collection of them (a hash is computed so that could be argued, but path is clearly "metadata"). But property/properties makes sense and is pretty consistent with other tools.


Jon


Re: Naming Help Needed

Derrick Karpo
In reply to this post by Keith Wall
I'd go with property on q1 as well.  I've seen "metadata" abused for things like q2 and in some cases it actually isn't a bad choice.  However, we are so used to metadata being data that is internal to a single file though that it may be confusing to use it for data that is related to an artifact.

Derrick



Re: Naming Help Needed

Robert Pearson-4
In reply to this post by MATT PIERCE

I think the Properties label works well...
Rob


On Wed, Jun 21, 2017, 12:06 PM MATT PIERCE <[hidden email]> wrote:
My initial idea was metadata. I have a concern with that as ediscovery folks and lawyers use that term generically for document embedded data about the creation and modification attributes.

I would go with properties or attributes myself.


Re: Naming Help Needed

Kalin KOZHUHAROV-2
In reply to this post by Brian Carrier-2
On Wed, Jun 21, 2017 at 4:32 PM, Brian Carrier <[hidden email]> wrote:
> Question 1) A file has additional data, such as its path and MD5 values.
> What do you call those?  We've used the terms feature, indicator, artifact,
> property, etc.  Which makes the most sense to you?
>
Definitely not any of "feature, indicator, artifact".

Files, by default, have no "MD5 values", those are calculated. Same
with any hashing algorithm. I'd call those properties, probably
avoiding metadata. Same for say some other classification like
entropy, etc. To make it clear, I may add "calculated properties" or
intrinsic properties.

Paths are slightly different, they are "organizational metadata", or
I'd say filesystem metadata, or simply metadata. I can probably live
with property, better "external property", or "location property".
Similar to paths are inodes, URLs (that file was fetched from),
location on disk (sector/offset + size), location within other object
(3rd file in a certain ZIP archive), etc.
All those location properties can vary, be changed in time, yet the
file itself is not changing (and so its intrinsic properties).

Although properties is a word abused in the Windows world of
forensics, I think it is ok and will be happy it is more classified
into intrinsic, location, time, security, etc. properties.

> Question 2) A web bookmark has additional data, such as dates and URL.  What
> do you call those?  Same as in Q1?
>
What is a web bookmark? A record in a (flat file) database? A file?
I'd say, the moment you define "web bookmark" it must consist of a
URL, may be name, description, may be dates.

Yes, I'd go with same as Q1.

> To give some more context, we are about to release a new database that can
> be used to correlate data between cases (or between devices in the same
> case).  But, we need a name to describe what we are storing, which includes:
> - MD5 hash of files
calculated properties

> - path of files
location properties

> - Email addresses
> - Domain names
> - Phone numbers
artifacts or regexp matches

> For a while, we were referring to these as artifacts, but that got too
> confusing because we already have a notion of artifacts in Autopsy, which
> are "bigger" things like web bookmarks and  keyword hits.
>
IMHO, there is no problem in using artifacts broadly, if you keep
properties for things like sizes, paths, hashes, etc.

A domain name is a genuine artifact, it may be a property of a
bookmark though if viewed in that context. Same for TLD.

Kalin.


Re: Naming Help Needed

Hoyt Harness
In reply to this post by Brian Carrier-2
I agree with "property" as well.


--
Hoyt
-----------------
There are 11 kinds of people - those who think binary jokes are funny, those who don't, ...and those who don't know binary.


Re: Naming Help Needed

Brian Carrier-2
In reply to this post by Brian Carrier-2
Thanks for everyone's comments on this.

We decided to go with attributes because we already use that term in Autopsy and so it is less confusing.

The remaining naming question is a generic name for lists of "known" things (good, bad, etc.):
- hashsets
- watch lists / black lists (i.e. phone numbers or emails of "bad" people)
- white lists (i.e. generic phone numbers or emails)

We've discussed the term "reference set". Any other ideas?  We don't want to change the schema after we release this!

thanks,
brian






Re: Naming Help Needed

Brian Carrier-2
Actually, I should clarify.  We are using the term attribute in the code so that there is an obvious mapping between "Blackboard Attributes" and "Correlation Attributes", but we'll likely use property in the UI since that seems to be a more natural term for users.


Re: Naming Help Needed

DePriest, Jason R.
In reply to this post by Brian Carrier-2
Would "indicators" work for these? We typically call the discovery of known-bad hash values and hitting black listed sites an "indicator of compromise". But not all indicators are necessarily negative.

-Jasey


Re: Naming Help Needed

Kalin KOZHUHAROV-2
In reply to this post by Brian Carrier-2


On Jun 23, 2017 16:33, "Brian Carrier" <[hidden email]> wrote:
Thanks for everyone's comments on this.

We decided to go with attributes because we already use that term in Autopsy and so it is less confusing.

The remaining naming question is a generic name for lists of "known" things (good, bad, etc.):
- hashsets
- watch lists / black lists (i.e. phone numbers or emails of "bad" people)
- white lists (i.e. generic phone numbers or emails)

We've discussed the term "reference set". Any other ideas? 

Simply list/s or matchlist/s may do.

Kalin.
