OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

cti message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Cyber Investigation / Digital Forensics


As we discussed on the phone Friday, I will explain the primary motivations for forking off related activities in cyber investigation.

First, STIX is to cyber intelligence as DFAX is to cyber investigation, which includes incident response, major crimes, and counterterrorism. The strong commonalities between DFAX and STIX led us to abstract out common aspects into a unifying UCO (https://github.com/DFAX/dfax/blob/master/uco_common.xsd). Such a UCO makes concepts and constructs that are common across the cyber domain easily accessible to both STIX and DFAX (and others in the future). The CTI-OASIS effort to combine CybOX into STIX, or fold CTI-Common into STIX, goes against the unifying benefits of a UCO and would make DFAX unnecessarily dependent on STIX for elements they have in common. As STIX and CybOX mature, it is important to have something like UCO or CTI-Common to organize and maintain these common components.

Second, cyber investigation requires a rich and robust layer to represent observables, including the full range of objects, relationships, and actions (see DFAX basic_example or Yoan Chabot's ORD2i). The CTI-OASIS group is striving to simplify STIX and CybOX as much as possible. As a result, we spend an inordinate amount of time  defending existing parts of STIX and CybOX from being removed. This simplification process does not align with the goals of the cyber investigation & digital forensic community to strengthen what is presently in CybOX, and expand it with additional capabilities. For instance, there is an immediate need to represent digital evidence on smartphones.

Developers and researchers from government and industry are having an international workshop in Switzerland on 29 March to address limitations of DFAX and CybOX in relation to cyber investigation (http://dfrws.org/2016eu/tutorials.shtml#evidence). One of the planned outcomes is a cyber investigation observable eXpression layer to extend CybOX, or take its place if required.

Eoghan Casey
Chief Scientist
Defense Cyber Crime Center (DC3) 

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]