
For importing provide a property/attribute on Trace objects to describe their contents

Open. vikhari opened this issue 7 years ago. 1 comment.

Issue ported from old casework github repo (issue 37). Original author: mike-parkhill

When importing a diverse set of trace objects you need to inspect the members of the PropertyBundle array to determine what the Trace relates to. This can be cumbersome since the logic on the ingesting side is going to be different based on the child types.

For example:

```json
{
  "@type": "Trace",
  "@id": "https://www.netresec.com/20a91459-8fbb-4b90-a3fb-b4aa7f776a66",
  "createdBy": "https://www.netresec.com/1c7484fe-63f1-5af8-b4fb-e2386ab3c4b0",
  "createdTime": "2018-02-15T19:01:12.6271184Z",
  "propertyBundle": [
    {
      "@type": "File",
      "accessedTime": "2007-12-17T03:32:30.3990520Z",
      "extension": "html",
      "fileName": "index.html",
      "isDirectory": false,
      "sizeInBytes": 98500
    },
    {
      "@type": "ContentData",
      "dataPayloadReferenceURL": "D:\\NetworkMinerProfessional_2-2\\AssembledFiles\\151.193.224.81\\TCP-80\\index.html",
      "hash": [
        {
          "@type": "Hash",
          "hashMethod": "MD5",
          "hashValue": "abdb151dfd5775c05b47c0f4ea1cd3d7"
        }
      ],
      "sizeInBytes": 98500
    }
  ]
}
```

The above JSON is obviously a File object with metadata and content data. It would be nice to know this without having to iterate the bundle looking to see if it contains a File child. The more types of Trace bundles we support the messier this is going to get. Adding a @bundletype attribute or something would simplify ingestion greatly.

vikhari commented Apr 13 '18 17:04

The duck model was selected to be flexible enough to represent a file in any context, including ones we are not currently aware of (e.g., concealment of a file in some new way). With the duck model, it is necessary to inspect all of its facets to get the full picture. Restricting with @bundletype goes against the use of the duck model.
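Added example (not code from the CASE project or either participant): an ingest-side classifier that does what the duck model asks for, inspecting every facet in `propertyBundle` rather than relying on a single bundle-type attribute, and cross-checking facets that describe the same object. The sample Trace is constructed from the one quoted in the issue; the classification labels and helper names are this example's own.

```python
import json

# Constructed sample modelled on the Trace quoted in the issue (completed with its closing brackets).
SAMPLE_TRACE = json.loads(r"""
{
  "@type": "Trace",
  "@id": "https://www.netresec.com/20a91459-8fbb-4b90-a3fb-b4aa7f776a66",
  "propertyBundle": [
    {"@type": "File", "fileName": "index.html", "extension": "html",
     "isDirectory": false, "sizeInBytes": 98500},
    {"@type": "ContentData",
     "dataPayloadReferenceURL": "D:\\NetworkMinerProfessional_2-2\\AssembledFiles\\151.193.224.81\\TCP-80\\index.html",
     "hash": [{"@type": "Hash", "hashMethod": "MD5",
               "hashValue": "abdb151dfd5775c05b47c0f4ea1cd3d7"}],
     "sizeInBytes": 98500}
  ]
}
""")


def facets_of(trace, type_name):
    """All facets of one @type in the Trace's propertyBundle (empty list if none)."""
    return [f for f in trace.get("propertyBundle", []) if isinstance(f, dict) and f.get("@type") == type_name]


def facet_types(trace):
    """The duck-model view: the set of facet @type values present on this Trace."""
    return {f.get("@type") for f in trace.get("propertyBundle", []) if isinstance(f, dict)}


def classify_trace(trace):
    """Derive the 'bundle type' the issue asks for from the facets actually present (labels are this example's)."""
    types = facet_types(trace)
    if "File" in types and "ContentData" in types:
        return "file-with-content"
    if "File" in types:
        return "file-metadata-only"
    if "ContentData" in types:
        return "content-only"
    return "other"


def consistency_issues(trace):
    """Cross-check facets describing the same object; disagreements are worth flagging at ingest time."""
    issues = []
    for f in facets_of(trace, "File"):
        for c in facets_of(trace, "ContentData"):
            if "sizeInBytes" in f and "sizeInBytes" in c and f["sizeInBytes"] != c["sizeInBytes"]:
                issues.append(f"sizeInBytes mismatch: File={f['sizeInBytes']} ContentData={c['sizeInBytes']}")
    for c in facets_of(trace, "ContentData"):
        for h in c.get("hash", []):
            if h.get("hashMethod") == "MD5" and len(str(h.get("hashValue", ""))) != 32:
                issues.append(f"MD5 hashValue has unexpected length: {h.get('hashValue')!r}")
    return issues
```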