
Addition of Investigator Subclasses

Open vulnmaster opened this issue 6 months ago • 9 comments

Change proposal written with the assistance of AI.

Background

Current CASE releases provide a single, very broad investigation:Investigator class. In practice, however, investigators fall into well-defined, mutually exclusive categories that differ in legal authority, evidentiary standards, oversight mechanisms, and typical use-cases. Standardizing these categories will:

  • improve interoperability of investigative-chain-of-custody data across jurisdictions and sectors;

  • allow tools to reason automatically about permissible actions (e.g., whether a particular role may execute a search warrant); and

  • support clearer analytics for provenance, risk assessment, and workforce metrics.

Authoritative sources already recognize the distinct roles listed below; each definition is globally applicable.

  • Law-Enforcement Investigator – “Detectives and criminal investigators gather facts and collect evidence of possible crimes.” bls.gov

  • Military Investigator – “The CID Special Agent … conducts investigations of incidents and offenses or allegations of criminality affecting DA or DoD personnel, property, facilities, or activities.” cid.army.mil

  • Regulatory Investigator – The U.S. OPM 1800 group covers work “primarily concerned with determining compliance with laws and regulations.” opm.gov

  • Corporate Investigator – An internal or contracted investigator who conducts fact-finding for a private-sector organization under corporate policy and applicable civil law (e.g., fraud, misconduct, or e-discovery inquiries). justice.gov

  • Intelligence (Counter-Intelligence) Investigator – “Conducts activities to detect, identify, assess, counter, exploit and/or neutralize adversarial foreign intelligence ….” en.wikipedia.org

  • Insurance Investigator – “Conducts activities to determine the misrepresentation of fact or omission of fact pertaining to a transaction of insurance including claims, premium and application fraud.” content.naic.org

  • Private Investigator – (often called a PI, private detective, or private eye) is a non-law-enforcement professional who is hired to conduct investigations on behalf of individuals, businesses, or attorneys. [en.wikipedia.org](https://en.wikipedia.org/wiki/Private_investigator), [merriam-webster.com](https://www.merriam-webster.com/dictionary/private%20investigator), [expertinvestigations.co.uk](https://expertinvestigations.co.uk/articles/what-is-a-private-investigator/)

  • Civil-Society / Open-Source Investigator – The Berkeley Protocol “identifies international standards for conducting online research … and provides guidance on gathering, analyzing, and preserving digital information.” humanrights.berkeley.edu

  • Academic-Research Investigator – NIH: A PD/PI is “the individual(s) … with authority and responsibility to direct the project or program.” grants.nih.gov

  • Human-Rights Investigator – UN Special Rapporteurs “conduct fact-finding missions to investigate allegations of human-rights violations.” en.wikipedia.org

Requirements

Requirement 1

Create ten new classes, each a direct rdfs:subClassOf investigation:Investigator, with rdfs:label and rdfs:comment populated from a set of future approved definitions informed by the above definitions and sources.

This is a working draft:

@prefix investigation: <https://ontology.caseontology.org/case/investigation/> .
@prefix rdfs:          <http://www.w3.org/2000/01/rdf-schema#> .
@prefix owl:           <http://www.w3.org/2002/07/owl#> .

#################################################################
# Investigator specialisations
#################################################################

investigation:LawEnforcementInvestigator
    a              owl:Class ;
    rdfs:subClassOf investigation:Investigator ;
    rdfs:label     "Law-Enforcement Investigator"@en ;
    rdfs:comment   "An investigator empowered by criminal-procedure law—e.g., police detective, federal special agent—to collect evidence of suspected offences, execute warrants, and file charges."@en .

investigation:MilitaryInvestigator
    a              owl:Class ;
    rdfs:subClassOf investigation:Investigator ;
    rdfs:label     "Military Investigator"@en ;
    rdfs:comment   "A member of a military criminal-investigation organisation who investigates offences under military justice codes and the law of armed conflict (e.g., Army CID, Naval Criminal Investigative Service agent)."@en .

investigation:RegulatoryInvestigator
    a              owl:Class ;
    rdfs:subClassOf investigation:Investigator ;
    rdfs:label     "Regulatory Investigator"@en ;
    rdfs:comment   "An investigator acting under statutory regulatory authority—such as securities, health-and-safety, or data-protection law—to determine compliance and recommend administrative sanctions."@en .

investigation:CorporateInvestigator
    a              owl:Class ;
    rdfs:subClassOf investigation:Investigator ;
    rdfs:label     "Corporate Investigator"@en ;
    rdfs:comment   "An internal or contracted investigator who conducts fact-finding for a private-sector organisation under corporate policy and applicable civil law (e.g., fraud, misconduct, or e-discovery inquiries)."@en .

investigation:IntelligenceInvestigator
    a              owl:Class ;
    rdfs:subClassOf investigation:Investigator ;
    rdfs:label     "Intelligence Investigator"@en ;
    rdfs:comment   "An investigator within a civil or military intelligence or counter-intelligence agency who collects and analyses information to detect, assess, and neutralize foreign-intelligence or terrorism threats."@en .

investigation:InsuranceInvestigator
    a              owl:Class ;
    rdfs:subClassOf investigation:Investigator ;
    rdfs:label     "Insurance Investigator"@en ;
    rdfs:comment   "A specialist (often in an insurer’s Special Investigation Unit) who examines claims and related evidence to detect, document, and prevent insurance fraud."@en .

investigation:PrivateInvestigator
    a              owl:Class ;
    rdfs:subClassOf investigation:Investigator ;
    rdfs:label     "Private Investigator"@en ;
    rdfs:comment   "A non-law enforcement investigator (often called a PI, private detective, or private eye) hired by private clients to conduct investigative services, such as, surveillance, background checks, or asset tracing. Private Investigators oftentimes require a license but not in all jurisdictions."@en .

investigation:CivilSocietyInvestigator
    a              owl:Class ;
    rdfs:subClassOf investigation:Investigator ;
    rdfs:label     "Civil-Society / Open-Source Investigator"@en ;
    rdfs:comment   "An investigator working for an NGO, newsroom, or public OSINT collective who gathers, verifies, and preserves open-source information on matters of public interest (e.g., war-crimes documentation, environmental abuse)."@en .

investigation:AcademicResearchInvestigator
    a              owl:Class ;
    rdfs:subClassOf investigation:Investigator ;
    rdfs:label     "Academic-Research Investigator"@en ;
    rdfs:comment   "A principal or co-investigator on a university or research-institute project who designs and conducts scholarly investigations under institutional research-ethics policy."@en .

investigation:HumanRightsInvestigator
    a              owl:Class ;
    rdfs:subClassOf investigation:Investigator ;
    rdfs:label     "Human-Rights Investigator"@en ;
    rdfs:comment   "An investigator mandated by an international or regional body (e.g., UN fact-finding mission, ICC Office of the Prosecutor) to collect and analyse evidence of human-rights or humanitarian-law violations."@en .

Requirement 2

Removed 2025-08-26 during Ontology Committees call.

Declare the ten subclasses pairwise disjoint using owl:AllDisjointClasses, to enforce logical consistency when reasoning over role assignments.

This is a working draft:

@prefix investigation: <https://ontology.caseontology.org/case/investigation/> .
@prefix owl:           <http://www.w3.org/2002/07/owl#> .

#################################################################
# Requirement 2 – declare all ten subclasses disjoint
#################################################################

[
    a owl:AllDisjointClasses ;
    owl:members (
        investigation:LawEnforcementInvestigator
        investigation:MilitaryInvestigator
        investigation:RegulatoryInvestigator
        investigation:CorporateInvestigator
        investigation:IntelligenceInvestigator
        investigation:InsuranceInvestigator
        investigation:PrivateInvestigator
        investigation:CivilSocietyInvestigator
        investigation:AcademicResearchInvestigator
        investigation:HumanRightsInvestigator
    )
] .

Risk / Benefit analysis

Benefits

  • Semantic precision – enables automated policy checks (e.g., warrant authority vs. corporate policy).

  • Interoperability – aligns with terminology already used by law-enforcement, military, insurance, and academic communities.

  • Analytics – facilitates role-based provenance queries and workforce statistics.

Risks

The submitter is unaware of risks beyond routine ontology-maintenance overhead (documentation updates, new SHACL tests). No existing CASE instances break, because all subclasses remain valid investigation:Investigator individuals unless further typed.

Competencies demonstrated

Use Malaysia Airlines Flight 17 (MH17), 2014 – a multi-layered investigation – as a working example, as it involves multiple investigator types.

| CASE Investigator subclass | Concrete team / body | What they did in the MH17 investigation | Key reference |
|---|---|---|---|
| Regulatory Investigator | Dutch Safety Board (DSB) – the Netherlands’ civil-aviation accident authority | Led the official Annex 13 air-safety inquiry; 2015 final report concluded MH17 was destroyed by a 9M38 Buk missile and analysed flight-route risk management. | DSB Final Report, Oct 2015 (PDF) |
| Law-Enforcement Investigator | Joint Investigation Team (JIT) – police & prosecutors from NL, AU, MY, BE, UA | Conducted the criminal probe; gathered evidence, interviewed witnesses, and secured life-sentence convictions for three suspects in a Dutch court (2022). | Dutch Public Prosecution Service – JIT MH17 overview |
| Civil-Society / Open-Source Investigator | Bellingcat and allied OSINT researchers | Independently collected, geolocated, and published social-media and satellite evidence tracing Buk launcher 332’s route; findings were later referenced by the JIT. | Bellingcat – MH17: The Open-Source Evidence (2015 PDF) |

Competency 1 – Malaysia Airlines Flight 17 (MH17) multi-agency investigation

Scenario
The knowledge-graph contains provenance triples for the MH17 investigation.
Three actors are typed with the new subclasses proposed in Requirement 1:

_:dsbOfficer      a investigation:RegulatoryInvestigator .
_:jitDetective    a investigation:LawEnforcementInvestigator .
_:bellingcatAnalyst a investigation:CivilSocietyInvestigator .

Their investigative actions and derived evidence are linked with investigation:wasInformedBy and investigation:wasDerivedFrom.

Competency Question 1.1

Which investigative actions were performed by law-enforcement investigators?

SELECT ?action
WHERE {
  ?actor a investigation:LawEnforcementInvestigator .
  ?action a investigation:InvestigativeAction ;
          uco-core:initiatedBy ?actor .
}

Result 1.1

Returns only actions initiated by _:jitDetective (e.g., seizure of missile fragments, witness interviews).

Competency Question 1.2

Which pieces of evidence produced by civil-society investigators were later used by law-enforcement investigators?

SELECT DISTINCT ?evidence
WHERE {
  ?openAction a investigation:InvestigativeAction ;
              uco-action:performer / a investigation:CivilSocietyInvestigator ;
              uco-action:result ?evidence .

  ?lawAction  a investigation:InvestigativeAction ;
              uco-action:performer/ a investigation:LawEnforcementInvestigator ;
              uco-action:object ?evidence .
}

(Note: Query corrected by @ajnelson-nist . wasInformedBy, drawn from PROV-O's prov:Communication, is a shorthand for representing that some prov:Entity was created by one prov:Activity and used by a later prov:Activity. The query originally just used the shorthand but didn't link the entity. The query no longer mentions wasInformedBy.)

Result 1.2

Returns, for example, Bellingcat’s geolocated images of Buk launcher 332 that the JIT cited in its indictment.

Solution suggestion

  1. Ontology edits

    • Add the ten class axioms in the Investigation ontology module.
    • Add owl:AllDisjointClasses containing the new IRIs.
    • For each class, include an rdfs:comment citing the relevant authoritative definition (see Background).
  2. SHACL shapes

    • (Optional) A shape warning if an individual is typed as more than one of the disjoint investigator roles. A person should not be more than one type of investigator at the same time.
  3. Documentation

Update the CASE documentation (i.e., website) and include examples on the CASE website and in GitHub.

Coordination

  • [x] Administrative review completed, proposal announced to Ontology Committees (OCs) on 2025-08-19
  • [x] Requirements to be discussed in OC meeting, 2025-08-26
  • [x] Requirements Review vote occurred, passing, on 2025-08-26
  • [x] Requirements development phase completed.
  • [x] Solution announced to OCs on 2025-10-13
  • [x] Solutions Approval to be discussed in OC meeting, date 2025-10-21
  • [ ] Solutions Approval vote has not occurred
  • [ ] Solutions development phase completed.
  • [ ] Backwards-compatible implementation merged into develop for the next release
  • [ ] develop state with backwards-compatible implementation merged into develop-2.0.0
  • [ ] Backwards-incompatible implementation merged into develop-2.0.0 (or N/A)
  • [ ] Milestone linked
  • [ ] Documentation logged in pending release page

vulnmaster avatar Jun 19 '25 19:06 vulnmaster

@vulnmaster - I see a hallucinated concept in this proposal, uco-core:initiatedBy. May I edit the submission to correct that concept?

ajnelson-nist avatar Jun 20 '25 14:06 ajnelson-nist

@ajnelson-nist please adjust the proposal as you see fit as you understand the goals I am after.

vulnmaster avatar Jun 20 '25 18:06 vulnmaster

@vulnmaster Proposal revised to remove one hallucinated concept. I'll need to take care of the last few bits of review-to-announcement tomorrow.

ajnelson-nist avatar Aug 18 '25 21:08 ajnelson-nist

@vulnmaster : I got hung up on Requirement 2 and was thinking we might not want to pursue it, but I think I have a solution that will help another proposal.

  1. Declaring the classes as all-ways disjoint might not be appropriate in all cases. I can imagine some scenarios where a single role is an instance of a couple of those classes.
  2. owl:AllDisjointClasses needs a little thought on how to implement in SHACL. This is a general problem predating this proposal, and affects one other proposal pertaining to ObservableObject direct subclasses. All-pairs review would be infeasibly computationally expensive.

AllDisjointClasses review in SHACL

This proposal includes a disjointedness designation:

[]
    a owl:AllDisjointClasses ;
    owl:members (
        investigation:LawEnforcementInvestigator
        investigation:MilitaryInvestigator
        investigation:RegulatoryInvestigator
        investigation:CorporateInvestigator
        investigation:IntelligenceInvestigator
        investigation:InsuranceInvestigator
        investigation:PrivateInvestigator
        investigation:CivilSocietyInvestigator
        investigation:AcademicResearchInvestigator
        investigation:HumanRightsInvestigator
    )
.

A few prior UCO proposals had taken direct pairs of classes that were asserted disjoint, and written shapes to say a class X being disjoint with class Y means an instance of X cannot also be an instance of Y.

ex:X-disjointWith-Y
  a sh:NodeShape ;
  sh:targetClass ex:X ;
  sh:not [ sh:class ex:Y ; ] ;
  .

This would not scale to a 10-member set, as the check-count growth would be quadratic in the number of classes (all-pairs review).

But, this kind of pattern could work:

ex:XYZ-allDisjoint-X
  a sh:NodeShape ;
  sh:targetClass ex:X ;
  sh:xone (
    [ sh:class ex:X ]
    [ sh:class ex:Y ]
    [ sh:class ex:Z ]
  ) ;
  .

ex:XYZ-allDisjoint-Y
  a sh:NodeShape ;
  sh:targetClass ex:Y ;
  sh:xone (
    [ sh:class ex:Y ]
    [ sh:class ex:X ]
    [ sh:class ex:Z ]
  ) ;
  .

This would review the class list in linear time, and short-circuit on finding a second match. Check-count is O(N), and the number of shapes to write is also N.

So, I think computation matters will not knock Requirement 2 out of the proposal. Requirement 1's still a point for discussion, though.

ajnelson-nist avatar Aug 19 '25 17:08 ajnelson-nist
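
Added example, not part of the thread or of CASE's own code: a standard-library Python check that models the outcome of the one-pass-per-node review described in the comment above, flagging any individual typed as more than one of the ten proposed classes, including through a downstream subclass. The `http://example.org/kb/` namespace, the `PoliceDetective` subclass and all sample individuals are constructed for illustration; findings are reported as warnings, and an `Investigator` with none of the ten types is never flagged, since the list is not closed.

```python
from collections import defaultdict

INV = "https://ontology.caseontology.org/case/investigation/"
EX = "http://example.org/kb/"  # hypothetical namespace for the sample data
RDF_TYPE, SUBCLASS_OF = "rdf:type", "rdfs:subClassOf"

# The ten classes from Requirement 1 (the owl:members list of Requirement 2).
MEMBERS = [INV + n for n in (
    "LawEnforcementInvestigator", "MilitaryInvestigator",
    "RegulatoryInvestigator", "CorporateInvestigator",
    "IntelligenceInvestigator", "InsuranceInvestigator",
    "PrivateInvestigator", "CivilSocietyInvestigator",
    "AcademicResearchInvestigator", "HumanRightsInvestigator")]

# Constructed sample graph as (subject, predicate, object) triples.
TRIPLES = [
    (EX + "PoliceDetective", SUBCLASS_OF, INV + "LawEnforcementInvestigator"),
    (EX + "jitDetective", RDF_TYPE, EX + "PoliceDetective"),
    (EX + "dsbOfficer", RDF_TYPE, INV + "RegulatoryInvestigator"),
    (EX + "dualRole", RDF_TYPE, EX + "PoliceDetective"),
    (EX + "dualRole", RDF_TYPE, INV + "MilitaryInvestigator"),
    (EX + "socAnalyst", RDF_TYPE, INV + "Investigator"),  # none of the ten
]

def superclasses(cls, parents):
    """Return cls plus every class reachable over rdfs:subClassOf."""
    seen, stack = set(), [cls]
    while stack:
        c = stack.pop()
        if c not in seen:
            seen.add(c)
            stack.extend(parents.get(c, ()))
    return seen

def multi_role_warnings(triples, members=MEMBERS):
    """Map each node typed as more than one member class to those classes."""
    parents, asserted = defaultdict(set), defaultdict(set)
    for s, p, o in triples:
        if p == SUBCLASS_OF:
            parents[s].add(o)
        elif p == RDF_TYPE:
            asserted[s].add(o)
    member_set, warnings = set(members), {}
    for node, types in asserted.items():
        inferred = set().union(*(superclasses(t, parents) for t in types))
        hits = sorted(inferred & member_set)  # one pass over the node's types
        if len(hits) > 1:  # typed as two or more of the ten classes
            warnings[node] = hits
    return warnings

def shape_counts(n):
    """Shapes to write for n classes: (pairwise sh:not, one sh:xone each)."""
    return n * (n - 1) // 2, n

if __name__ == "__main__":
    print(multi_role_warnings(TRIPLES), shape_counts(len(MEMBERS)))
```
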

I like this proposal and see value in it. I have 3 caveats/conditions though.

  1. I concur with Alex's worry about Requirement 2. Making them all disjoint sounds nice on the surface but I do not believe that is actual reality in some cases. I believe there are some situations where a given party may fit multiple roles on the subclass list.
  2. I do not see a subclass defined for cyber security investigators such as incident responders, SOC analysts, etc. These are very real investigator roles and have always been one of the intended targets for CASE.
  3. I don't think you are proposing that this be a closed risk and any Investigator would need to be one of the listed subclasses but want to explicitly assert that this should definitely NOT be the case as there will certainly be other types of investigators that will come up and we should not block CASE for their use. Such a subclass list should be considered similar to an open vocabulary: if you want to describe an Investigator first start with the defined subclasses and only use a custom one if the subclass does not have what is needed.

sbarnum avatar Aug 26 '25 03:08 sbarnum

I stumbled across this work which might have some usable concepts in it related to this:

"Competence in digital forensics": https://www.sciencedirect.com/science/article/pii/S2666281724001677

It has a somewhat different take on roles:

  • Technician
  • Examiner
  • Investigator

with definitions derived from UK College of Policing and UK Forensic Science Regulator, which don't exactly map to the CASE definitions.

However, it shows that there may be another future application of the subclasses to do with activities such as competence testing, for example the work also mentions 'digital media investigator', which is somewhat different to the 'authority focused' subclasses, but a different downstream use of the investigator subclass feature might be mapped against more task-based roles?

As a note, I had not realised the investigator definition in CASE requires 'coordination'. Perhaps this is further evidence of the need to hold multiple roles if someone is actioning things as well as coordinating.

investigation:Investigator - Investigator is a role involved in coordinating an investigation.

investigation:Examiner - Examiner is a role involved in providing scientific evaluations of evidence that are used to aid law enforcement investigations and court cases.

chrishargreaves avatar Aug 26 '25 15:08 chrishargreaves

The Requirements Review vote this morning was held after removing Requirement 2 (on disjointedness) from the proposal.

ajnelson-nist avatar Aug 26 '25 16:08 ajnelson-nist

There was some concern raised during the meeting that this not be considered a "total" or "complete" enumeration of subclasses of Investigator.

A mechanism to close direct subclasses of Investigator is available in SHACL, sh:xone; and another is available in OWL, owl:disjointUnionOf. (Apologies for what I'd noted incorrectly on the call. I had been thinking of "deeper" subclasses, which was inconsistent with the concern raised.)

Clarifying: This proposal does not attempt to close the subclasses of Investigator. Further direct-subclasses, "siblings" to the ones in this proposal, can be used in downstream ontologies or added to CASE later.

ajnelson-nist avatar Aug 26 '25 16:08 ajnelson-nist

In response to requests during the requirements review, I updated the sources and definitions for the investigation:PrivateInvestigator class in the proposal.

vulnmaster avatar Sep 23 '25 16:09 vulnmaster