INTERNET-DRAFT                                        Christopher Inacio
                                              Carnegie Mellon University
Category: Standard                                           Younhee Gil
                                                                    ETRI
Expires: May 10, 2013                                   November 6, 2012


                   Digital Forensics Extension for IODEF
                      draft-inacio-mile-forensics-01


Abstract

   This extension to IODEF (RFC 5070) is designed to aid in the sharing
   and dissemination of digital forensics information. The goal is to
   provide a tool-independent format for sharing information between
   organizations focused on digital forensics: drive images, file
   carving, metadata, and related hashes. As with IODEF and its other
   extensions, it is defined using XML.

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

Copyright and License Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors. All rights reserved.
INTERNET DRAFT        Digital Forensics Extension for IODEF

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1  Terminology
   2.  Forensic Extension to IODEF
   3.  Forensics Data
     3.1  Forensics Type Descriptions
       3.1.1  Header Information
       3.1.2  Device/Source Information
       3.1.3  Hash Information
       3.1.4  Byte Run Information
       3.1.5  File Object Information
   4.  Security Considerations
   5.  IANA Considerations
   6.  References
     6.1  Normative References
     6.2  Informative References
   Authors' Addresses
   Appendix A: Digital Forensics XML Schema
1. Introduction

   This extension to IODEF is designed to carry digital forensics
   information in a way acceptable for chain of evidence handling and
   general forensics examination. Many programs generate forensics
   information, but few generate it in a form that can be exchanged
   universally.

   There have been some efforts to create independent standards, often
   XML based, to exchange digital forensics information. Indeed, this
   standard is designed to incorporate features from those efforts:
   DFXML [DFXML], DEXF [DEXF], IOC, and DFRWS. By extending IODEF,
   however, this standard builds upon a widely used IETF standard and
   takes advantage of the other features within the IODEF family of
   standards.

   The main pieces of information this extension seeks to convey are
   information about file systems and the products of analyzing file
   systems. This includes information about file carving and system
   metadata, including disk metadata.

1.1 Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2. Forensic Extension to IODEF

   Forensics Data is captured in a new class carried within the
   AdditionalData class of the IODEF EventData class. Forensics Data is
   not required to be present, and may occur an unlimited number of
   times as needed.

   +-------------+
   |  Incident   |
   +-------------+
   |      .      |
   |      .      |
   |      .      |
   | Event Data  |<>-{0..*}-[ Event Data ]
   |             |            |<>-{0..*}-[ Additional Data ]
   |             |                         |<>-{0..*}-[ Forensics Data ]
   +-------------+
3. Forensics Data

   +----------------+
   | Forensics Data |
   +----------------+
   |                |<>-[Version]
   |                |    |<>-[Major]
   |                |    |<>-[Minor]
   |                |<>-[Site Name]
   |                |<>-[Examiner Name]
   |                |<>-[Evidence ID]
   |                |<>-[Creation Time]
   |                |<>-[Tool Name]
   |                |<>-[Tool Version]
   |                |<>-[Host Operating System]
   |                |
   |                |<>-[Device]
   |                |    |<>-[Device Type]
   |                |    |<>-[Device Model]
   |                |    |<>-[Device Serial]
   |                |    |<>-{0..1}-[Sector Size]
   |                |    |<>-{0..1}-[Device Sectors]
   |                |    |<>-{0..*}-[Hash]
   |                |    |           |<>-[Hash Type]
   |                |    |           |<>-[Hash Size]
   |                |    |           |<>-[Hash Value]
   |                |    |<>-{0..*}-[File Object]
   |                |                |<>-[Name]
   |                |                |<>-[ID]
   |                |                |<>-[Size]
   |                |                |<>-[Partition]
   |                |                |<>-[Mode]
   |                |                |<>-[ACL]
   |                |                |<>-[mtime]
   |                |                |<>-[atime]
   |                |                |<>-[ctime]
   |                |                |<>-{0..*}-[Byte Run]
   |                |                |<>-{1..*}-[Hash]
   |                |                            |<>-[Hash Type]
   |                |                            |<>-[Hash Size]
   |                |                            |<>-[Hash Value]
   |                |<>-[Digital Signature]
   +----------------+

3.1 Forensics Type Descriptions

   All date-time stamps are compatible with the date-time strings
   defined in IODEF [IODEF], which are in turn compatible with RFC 3339
   [RFC3339], a restricted subset of ISO 8601:2000 [ISO8601].

3.1.1 Header Information

   o Version {Major, Minor} - The version number of the Digital
     Forensics extension schema definition. These will be defined
     within the standard schema, available from IANA.

   o Site Name - A human-readable text string naming the site that
     analyzed the contained forensics data.

   o Examiner Name - The name of the examiner who analyzed or provided
     the raw data presented within the signed forensics extension.

   o Evidence ID - A site-specific identifier used for tracking the
     forensics information, for example a case number used for chain
     of evidence maintenance.

   o Creation Time - The time this record was created.
   o Device Time - The creation time as recorded by the forensic data
     source itself, as distinct from the Creation Time of this record.

   o Tool Name - A string naming the tool used to process the forensics
     data.

   o Tool Version - A version string containing all relevant release
     information for the tool that generated the forensics data.

   o Host Operating System - The host operating system on which the
     forensics tool was run, given in Common Platform Enumeration (CPE)
     [CPE] format.

3.1.2 Device/Source Information

   o Device Type - A string describing the type of device from which
     the data capture was performed. The device types are: hard disk,
     USB flash, XD card, SSD, CD, DVD, and other.

   o Device Model - The model number of the device, as provided by the
     manufacturer.

   o Device Serial - The manufacturer-assigned serial number of the
     device.

   o Sector Size - The size of the sectors on the device, if the device
     uses sector-based storage.

   o Device Sectors - If the device is sector based, the total number
     of sectors available on the device.

3.1.3 Hash Information

   o Hash Type - The hash algorithm used to compute the associated hash.
     The supported algorithms are MD5, SHA-1, and SHA-256, which produce
     digests of 16, 20, and 32 octets respectively.

   o Hash Size - The number of octets in the associated hash value.

   o Hash Value - The value of the hash for the related information.
     The hash value MUST be represented as a UTF-8 encoded hexadecimal
     string, two hexadecimal digits per octet, so that its length in
     characters is twice the Hash Size.

3.1.4 Byte Run Information

   o Byte Run

3.1.5 File Object Information

   o File Object - A collection of values capturing the relevant file
     system metadata along with the relevant forensic data (byte runs
     and hashes) for a file of interest.

   o Name - The name of the file as captured from the file system
     metadata.

   o ID - A site-generated unique number.

   o Size - The size of the file, as captured from the file system
     metadata.

   o Partition - The partition within which the file system that the
     file came from resides.
   o Mode - The file permission mode as captured from the file system.

   o ACL - The access control list as captured from the file system.

   o mtime - The file modification time as captured from the file
     system metadata.

   o atime - The last file access time as captured from the file
     system metadata.

   o ctime - The creation time as captured from the file system
     metadata. Note that on POSIX file systems the ctime field records
     the last change to the inode (status change), not file creation;
     file systems such as NTFS carry a separate creation timestamp, and
     the examiner should be aware of which semantics the source file
     system applies.

4. Security Considerations

   This standard is an extension to IODEF [IODEF] and as such, the
   security considerations that apply to IODEF apply to this extension.

   In addition, the security provided by the related RID [RID]
   enhancements applies equally to this extension as to IODEF [IODEF].

   The hash algorithms permitted in Section 3.1.3 are not equally
   strong. Collisions can be constructed for both MD5 and SHA-1, so
   while any of them may serve to locate or correlate an object, a hash
   relied upon to show that evidence has not been altered should be
   SHA-256. Since Hash may occur more than once, a sender can carry
   several algorithms for the same object.

5. IANA Considerations

   Registration request for the IODEF Digital Forensics Extension
   namespace:

   URI: urn:ietf:params:xml:ns:iodef-digitalforensics-1.0

   Registrant Contact:

      Christopher Inacio
      Carnegie Mellon University
      4500 5th Ave
      Pittsburgh, PA 15213
      USA
      inacio@cert.org

   XML: schema in Appendix A.

6. References

6.1 Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [IODEF]    Danyliw, R., Meijer, J., and Y. Demchenko, "The Incident
              Object Description Exchange Format", RFC 5070, December
              2007.

   [RID]      Moriarty, K., "Real-time Inter-network Defense (RID)",
              RFC 6045, November 2010.

   [RFC3339]  Klyne, G. and C. Newman, "Date and Time on the Internet:
              Timestamps", RFC 3339, July 2002.
6.2 Informative References

   [DFXML]    Garfinkel, S., "Digital forensics XML and the DFXML
              toolset", Digital Investigation, 2012.

   [DEXF]     Gil, Y. H., Hong, D., and A. M. Rutkowski, "Revised draft
              on Recommendation ITU-T X.def: digital forensics exchange
              format", ITU Study Group 17, September 2, 2011.

   [NIJ199408] "NIJ Special Report 199408: Forensic Examination of
              Digital Evidence: A Guide for Law Enforcement".

   [ISO8601]  International Organization for Standardization,
              "International Standard: Data elements and interchange
              formats - Information interchange - Representation of
              dates and times", ISO 8601, Second Edition, December
              2000.

Authors' Addresses

   Christopher Inacio
   4500 5th Ave.
   Pittsburgh, PA 15213
   USA

   EMail: inacio@cert.org


   Younhee Gil
   Electronics and Telecommunications Research Institute

   EMail: yhgil@etri.re.kr

Appendix A: Digital Forensics XML Schema

   [[preliminary schema here]]
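The following is an added example, not code from the draft and not the schema that Appendix A is meant to hold. It builds the record described in Sections 2 and 3 as XML with the Python standard library and then runs the checks a recipient would want from Section 3.1.3: every Hash Type is one of the three permitted algorithms, Hash Size matches that algorithm's digest length, Hash Value is a hex string of exactly twice Hash Size characters, each File Object carries at least one Hash, and the Device Type is one of the enumerated values. Element names such as ForensicsData, FileObject, HashType and the dtype="xml" attribute on AdditionalData are assumptions taken from the class diagram (the schema is not on this page); the namespace URI is the one requested in the IANA Considerations; the file bytes, site, examiner, device and CPE values are constructed sample data.

```python
"""Build and sanity-check an IODEF Digital Forensics extension record.

Added example, not code from the draft. Element names are assumptions
taken from the Section 3 class diagram (the draft's schema is not on this
page); the namespace URI is the one requested in the IANA section.
"""
import hashlib
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = "urn:ietf:params:xml:ns:iodef-digitalforensics-1.0"
IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"  # IODEF v1 (RFC 5070)
HASH_OCTETS = {"MD5": 16, "SHA-1": 20, "SHA-256": 32}  # Section 3.1.3
HASHLIB_NAME = {"MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256"}
DEVICE_TYPES = {"hard disk", "USB flash", "XD card", "SSD", "CD", "DVD", "other"}
HEX_RE = re.compile(r"^[0-9a-f]+$")
# Constructed sample "carved" file: a short text record padded to one sector.
SAMPLE_FILE = b"constructed sample carved file\n".ljust(512, b"\0")


def q(name):
    """Qualified (Clark notation) name in the extension namespace."""
    return f"{{{NS}}}{name}"


def rfc3339(ts):
    """IODEF/RFC 3339 date-time string, normalised to UTC."""
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def hex_digest(data, algorithm):
    """Hash Value as Section 3.1.3 requires: hex string, two digits per octet."""
    return hashlib.new(HASHLIB_NAME[algorithm], data).hexdigest()


def add_hash(parent, data, algorithm):
    """Append a Hash element with Hash Type, Hash Size (octets) and Hash Value."""
    h = ET.SubElement(parent, q("Hash"))
    ET.SubElement(h, q("HashType")).text = algorithm
    ET.SubElement(h, q("HashSize")).text = str(HASH_OCTETS[algorithm])
    ET.SubElement(h, q("HashValue")).text = hex_digest(data, algorithm)
    return h


def build_record(file_bytes=SAMPLE_FILE):
    """EventData whose AdditionalData carries one ForensicsData record
    (Section 2). Site, examiner and device values are sample data."""
    now = rfc3339(datetime(2012, 11, 6, 12, 0, 0, tzinfo=timezone.utc))
    event = ET.Element(f"{{{IODEF_NS}}}EventData")
    extra = ET.SubElement(event, f"{{{IODEF_NS}}}AdditionalData", dtype="xml")
    fd = ET.SubElement(extra, q("ForensicsData"))
    ver = ET.SubElement(fd, q("Version"))
    ET.SubElement(ver, q("Major")).text = "1"
    ET.SubElement(ver, q("Minor")).text = "0"
    for tag, text in [("SiteName", "Example CSIRT lab"), ("ExaminerName", "J. Examiner"),
                      ("EvidenceID", "CASE-2012-0001/item-3"), ("CreationTime", now),
                      ("ToolName", "example-carver"), ("ToolVersion", "0.1"),
                      ("HostOperatingSystem", "cpe:/o:linux:linux_kernel:3.2")]:
        ET.SubElement(fd, q(tag)).text = text
    dev = ET.SubElement(fd, q("Device"))
    for tag, text in [("DeviceType", "USB flash"), ("DeviceModel", "Example Flash 8GB"),
                      ("DeviceSerial", "SN00000001"), ("SectorSize", "512")]:
        ET.SubElement(dev, q(tag)).text = text
    fo = ET.SubElement(dev, q("FileObject"))
    for tag, text in [("Name", "carved/0001.bin"), ("ID", "1"), ("Partition", "1"),
                      ("Size", str(len(file_bytes))), ("Mode", "0644"), ("mtime", now)]:
        ET.SubElement(fo, q(tag)).text = text
    add_hash(fo, file_bytes, "SHA-256")  # a File Object carries {1..*} Hash
    add_hash(fo, file_bytes, "MD5")
    return event


def check_record(event):
    """Consistency checks a recipient can run; returns a list of problems."""
    problems = []
    for dev in event.iter(q("Device")):
        if dev.findtext(q("DeviceType")) not in DEVICE_TYPES:
            problems.append(f"unknown DeviceType {dev.findtext(q('DeviceType'))!r}")
    for fo in event.iter(q("FileObject")):
        if fo.find(q("Hash")) is None:
            problems.append(f"FileObject {fo.findtext(q('ID'))} has no Hash")
    for h in event.iter(q("Hash")):
        htype, size = h.findtext(q("HashType")), h.findtext(q("HashSize"))
        value = (h.findtext(q("HashValue")) or "").lower()
        if htype not in HASH_OCTETS:
            problems.append(f"unsupported HashType {htype!r}")
            continue
        if size != str(HASH_OCTETS[htype]):
            problems.append(f"{htype} HashSize {size} != {HASH_OCTETS[htype]}")
        if not HEX_RE.match(value) or len(value) != 2 * HASH_OCTETS[htype]:
            problems.append(f"{htype} HashValue is not {2 * HASH_OCTETS[htype]} hex digits")
    return problems


def verify_file_hashes(event, file_bytes):
    """Recompute every FileObject hash over file_bytes; True only if all match."""
    hashes = [h for fo in event.iter(q("FileObject")) for h in fo.iter(q("Hash"))]
    return bool(hashes) and all(
        h.findtext(q("HashType")) in HASHLIB_NAME and
        h.findtext(q("HashValue")) == hex_digest(file_bytes, h.findtext(q("HashType")))
        for h in hashes)
```

Serialising `build_record()` with `ET.tostring(..., encoding="unicode")` shows the nesting of Section 2 (EventData, AdditionalData, ForensicsData); `check_record` catches the structural mismatches a sender can get wrong without the bytes in hand, while `verify_file_hashes` is the check a recipient runs once it has the carved bytes, and it fails for any of the three algorithms that disagrees.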