
Re: Timeline Analysis Standards

  • keydet89
    Message 1 of 13, Feb 8, 2010
      David,

      As we've discussed, I've seen the same thing with RegRipper...I've received several requests for XML output, but no style sheet. In fact, like you, when I've asked for input on a style sheet, I never hear back.

      h
    • Ryan Sommers
      Message 2 of 13, Feb 8, 2010
        On Mon, Feb 8, 2010 at 11:28 AM, David Kovar <dkovar@...> wrote:
        And there's the rub - I've been seeing discussion about an XML schema for ... years? ... and nothing has come of it. Someone recently asked if I'd considered XML output for my tool and when I asked what XML schema they'd like me to use, they went silent.

        I find XML annoying to deal with, partly because it isn't really human readable, at least not easily, and partly because there always seems to be malformed XML even in the best of circumstances. I'd prefer straight ASCII text or a database to work with. XML would just be a way of getting from one place to another. 

        -David


        Well, as a big consumer of such data, I don't really care what schema or format the data is in, just that one is defined and followed. The reason I suggest XML is that the markup and schema definition formats are fairly well defined. That and every modern programming language likely has library tools for everything that is needed to consume or produce a schema-validated data set.

        That's my problem with ASCII or a database. If it's ASCII that means I have to write a parser and more often than not, means a lot of extra work. A native database is always preferable; however, what format is where it falls short: MySQL, PGSQL, SQLite3, SQL Server, too many incompatible formats. That's what is nice about XML; it IS a database and it's well understood, and easily consumed or produced.

        As far as what schema to use for a timeline program, I honestly don't care, just that the schema is provided so I know how to query the data.


         --
        Ryan P Sommers
        ryans@...
      • keydet89
        Message 3 of 13, Feb 8, 2010
          Ryan,

          Thanks for your input. There are a couple of us who've moved away from blog comments to begin exchanging thoughts on defining a structure...the nice thing is that once the fields are defined, the actual implementation is irrelevant.

          What I mean by that is that once we agree on the fields, the actual implementation is up to developers and users. For example, you can define an event structure based on the fields and store it as pipe-delimited ASCII, serialized Java, XML, in a database...whatever.

          Thanks,

          h
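The point made above, that the field set is the standard and the storage form is a free choice, can be shown concretely. The following is an added example written for this thread, not code from the list or from RegRipper: it fixes an assumed set of four event fields (time in UTC, source, host, description; the thread itself does not settle the fields) and stores the same events twice, as pipe-delimited ASCII and in a SQLite database, reading each back into the same structure. The csv module with '|' as the delimiter is used so that a description containing a pipe character is quoted instead of corrupting the record, which is exactly the parser Ryan's message says an ASCII format forces every consumer to write.

```python
import csv
import io
import sqlite3
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List

# Assumed field set for one timeline event (an assumption of this example;
# the thread does not fix the fields).
@dataclass(frozen=True)
class Event:
    time: datetime      # always UTC
    source: str         # e.g. "Registry", "EVT", "FS"
    host: str
    description: str

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"   # ISO 8601 in UTC; the on-disk form is an assumption

def fmt_time(t: datetime) -> str:
    return t.astimezone(timezone.utc).strftime(TIME_FMT)

def parse_time(s: str) -> datetime:
    return datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)

# --- store 1: pipe-delimited ASCII --------------------------------------
# csv handles the escaping: a field containing '|' or '"' is quoted on the
# way out and unquoted on the way in, so the record boundary is never lost.
def to_pipe(events: List[Event]) -> str:
    buf = io.StringIO()
    w = csv.writer(buf, delimiter="|", lineterminator="\n")
    for e in events:
        w.writerow([fmt_time(e.time), e.source, e.host, e.description])
    return buf.getvalue()

def from_pipe(text: str) -> List[Event]:
    r = csv.reader(io.StringIO(text), delimiter="|")
    return [Event(parse_time(t), s, h, d) for t, s, h, d in r]

# --- store 2: SQLite database -------------------------------------------
def to_sqlite(events: List[Event]) -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE event (time TEXT, source TEXT, host TEXT, description TEXT)")
    con.executemany(
        "INSERT INTO event VALUES (?, ?, ?, ?)",
        [(fmt_time(e.time), e.source, e.host, e.description) for e in events],
    )
    return con

def from_sqlite(con: sqlite3.Connection) -> List[Event]:
    rows = con.execute(
        "SELECT time, source, host, description FROM event ORDER BY time"
    ).fetchall()
    return [Event(parse_time(t), s, h, d) for t, s, h, d in rows]

# Constructed sample events (not real case data)
SAMPLE = [
    Event(datetime(2010, 2, 8, 23, 14, 31, tzinfo=timezone.utc), "Registry", "MDC001",
          r"LastWriteTime on HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    Event(datetime(2010, 2, 8, 23, 15, 2, tzinfo=timezone.utc), "EVT", "MDC001",
          "Logon type 10 | user jdoe"),   # contains the delimiter on purpose
]

def round_trip_ok(events: List[Event] = SAMPLE) -> bool:
    """True when both stores hand back exactly the events that went in."""
    by_time = sorted(events, key=lambda e: e.time)
    return (from_pipe(to_pipe(events)) == events
            and from_sqlite(to_sqlite(events)) == by_time)

if __name__ == "__main__":
    print(to_pipe(SAMPLE))
    print("round trip ok:", round_trip_ok())
```

Swapping either store for XML or JSON only changes `to_*`/`from_*`; the `Event` definition, which is the part a standard would fix, stays the same.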
        • rmac
          Message 4 of 13, Feb 8, 2010
            I do think that you should include something that includes duration, perhaps a start time and an end time? File transfers come to mind, long data operations, as well as time logged in. Lack of end time would indicate a point, whereas a start and end would imply duration, and help with grouped events. Or within the XML you could have an event that contained multiple items, where the duration is the earliest time to the latest time within that event? I am just thinking from a visualization development standpoint.... KML might be an interesting model to look at because they already have time incorporated...

            -r



            On Mon, Feb 8, 2010 at 3:07 PM, keydet89 <keydet89@...> wrote:
             

            Ryan,

            Thanks for your input. There are a couple of us who've moved away from blog comments to begin exchanging thoughts on defining a structure...the nice thing is that once the fields are defined, the actual implementation is irrelevant.

            What I mean by that is that once we agree on the fields, the actual implementation is up to developers and users. For example, you can define an event structure based on the fields and store it as pipe-delimited ASCII, serialized Java, XML, in a database...whatever.

            Thanks,

            h


          • keydet89
            Message 5 of 13, Feb 8, 2010
              RMac,

              > I do think that you should include something that includes duration, perhaps
              > a start time and an end time? File transfers come to mind, long data
              > operations, as well as time logged in. Lack of end time would indicate a
              > point, whereas a start and end would imply duration, and help with grouped
              > events.

              Interesting thought. When I started down the road of putting my original thoughts together, I did consider a "superevent" or grouping of events. Now that some of us are thinking more critically about defining a timeline standard, I can easily see something like this as an extension to or next version of the "standard".

              IMHO, defining an event itself is the first step. I'd like to see if we can agree on that, and then see if we can extend that to include duration or span events, or "superevents". That's going to take some work, though...what if you have, say, 100 events in a timeframe, but not all of them are part of the span or superevent? Perhaps a way to do this would be to add a unique identifier to the events themselves, in a separate field, and say something like, "this span event includes events 1-58, 63-89, and 93-100".

              > Or within the XML you could have an event that contained multiple
              > items, where the duration is the earliest time to the latest time within
              > that event? I am just thinking from a visualization development
              > standpoint.... KML might be an interesting model to look at because they
              > already have time incorporated...

              XML and KML are part of presentation and not part of the "standard". Specific tools/techniques for extracting data, as well as presenting the final data, are not included in the definition of an "event".

              Thanks.
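The two ideas in the last few messages, rmac's point-versus-duration distinction and the "span event includes events 1-58, 63-89, and 93-100" membership list, fit together as follows. This is an added example written for the thread, not anyone's tool: events carry an assumed integer id in a separate field and an optional end time (absent means a point event); a span event is built from a membership list, its start and end derived from the earliest member start and latest member end; ids the list names but the timeline lacks are reported rather than ignored; and events that fall inside the span's timeframe without being members are listed, which is the "100 events, not all part of the superevent" case.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

@dataclass(frozen=True)
class Event:
    id: int                   # separate unique-identifier field (integer: this example's assumption)
    start: datetime           # UTC
    end: Optional[datetime]   # None means a point event ("lack of end time")
    description: str

def parse_id_ranges(spec: str) -> Set[int]:
    """Expand a membership list such as "1-58, 63-89, 93-100" into ids."""
    ids: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i      # "5" names the single id 5
        if hi_i < lo_i:
            raise ValueError(f"descending range {part!r}")
        ids.update(range(lo_i, hi_i + 1))
    return ids

@dataclass(frozen=True)
class SpanEvent:
    member_ids: frozenset
    start: datetime
    end: datetime
    missing: frozenset        # ids the list names but the timeline does not contain

    def duration(self) -> timedelta:
        return self.end - self.start

def build_span(spec: str, events: Dict[int, Event]) -> SpanEvent:
    """Derive the span from its members: earliest start to latest end
    (a point event's end is its start)."""
    wanted = parse_id_ranges(spec)
    present = {i for i in wanted if i in events}
    if not present:
        raise ValueError("span names no event in the timeline")
    members = [events[i] for i in present]
    start = min(e.start for e in members)
    end = max(e.end or e.start for e in members)
    return SpanEvent(frozenset(present), start, end, frozenset(wanted - present))

def excluded_in_window(span: SpanEvent, events: Dict[int, Event]) -> List[int]:
    """Ids inside the span's timeframe that are not members of the span."""
    return sorted(e.id for e in events.values()
                  if e.id not in span.member_ids and span.start <= e.start <= span.end)

# Constructed timeline: ten events one minute apart; event 5 is a 30-minute
# span (think of a file transfer), the rest are points.
_BASE = datetime(2010, 2, 8, 23, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS: Dict[int, Event] = {
    i: Event(i, _BASE + timedelta(minutes=i),
             _BASE + timedelta(minutes=i + 30) if i == 5 else None,
             f"constructed event {i}")
    for i in range(1, 11)
}
SPEC = "1-3, 5, 8-10, 12"   # id 12 does not exist in the sample timeline

if __name__ == "__main__":
    span = build_span(SPEC, SAMPLE_EVENTS)
    print("span", span.start.isoformat(), "->", span.end.isoformat(),
          "duration", span.duration())
    print("members", sorted(span.member_ids), "missing", sorted(span.missing))
    print("in window but excluded", excluded_in_window(span, SAMPLE_EVENTS))
```

Because the span is derived from its members rather than stored as a second pair of timestamps, it cannot drift out of agreement with the events it groups; a reviewer checking the timeline only has to verify the membership list.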
            • rmac
              Message 6 of 13, Feb 8, 2010
                While thinking on this some more, I think being able to have some meaningful meta data in free form would be nice as well, such as cloud tags, i.e. Delicious. That way if I just want to view registry events, or logon events, or file events, etc., it would be easy to facilitate.

                <timelineml>
                  <Event>
                    <Start>02/08/2010 23:14:31Z</Start>
                    <End></End>
                    <Source>Registry</Source>
                    <Host>MDC001</Host>
                    <Description>LastWriteTime on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</Description>
                    <Tags>Registry, Malware, US systems, confirmed</Tags>
                  </Event>
                </timelineml>

                Thoughts?



                On Mon, Feb 8, 2010 at 4:58 PM, keydet89 <keydet89@...> wrote:
                 

                RMac,



                > I do think that you should include something that includes duration, perhaps
                > a start time and an end time? File transfers come to mind, long data
                > operations, as well as time logged in. Lack of end time would indicate a
                > point, whereas a start and end would imply duration, and help with grouped
                > events.

                Interesting thought. When I started down the road of putting my original thoughts together, I did consider a "superevent" or grouping of events. Now that some of us are thinking more critically about defining a timeline standard, I can easily see something like this as an extension to or next version of the "standard".

                IMHO, defining an event itself is the first step. I'd like to see if we can agree on that, and then see if we can extend that to include duration or span events, or "superevents". That's going to take some work, though...what if you have, say, 100 events in a timeframe, but not all of them are part of the span or superevent? Perhaps a way to do this would be to add a unique identifier to the events themselves, in a separate field, and say something like, "this span event includes events 1-58, 63-89, and 93-100".


                > Or within the XML you could have an event that contained multiple
                > items, where the duration is the earliest time to the latest time within
                > that event? I am just thinking from a visualization development
                > standpoint.... KML might be an interesting model to look at because they
                > already have time incorporated...

                XML and KML are part of presentation and not part of the "standard". Specific tools/techniques for extracting data, as well as presenting the final data, are not included in the definition of an "event".

                Thanks.
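To make the tag idea in the sketch above concrete, here is an added example, written for this thread and not part of any tool, that parses a small document in the shape rmac proposed (the document itself is constructed here, with a second logon event added for contrast) and answers the "just show me registry events" question. It treats an empty `<End>` as a point event rather than an error, enforces the fields that cannot be blank, lower-cases the tags so that `Registry` and `registry` match, and, as a defender reading the timeline would want, reports the span length for events that do carry an end time.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed document in the shape rmac sketched; the second <Event>
# (a logon session with an end time) is added for contrast.
TIMELINEML = r"""<timelineml>
<Event>
  <Start>02/08/2010 23:14:31Z</Start>
  <End></End>
  <Source>Registry</Source>
  <Host>MDC001</Host>
  <Description>LastWriteTime on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</Description>
  <Tags>Registry, Malware, US systems, confirmed</Tags>
</Event>
<Event>
  <Start>02/08/2010 22:50:00Z</Start>
  <End>02/08/2010 23:40:12Z</End>
  <Source>EventLog</Source>
  <Host>MDC001</Host>
  <Description>Interactive logon session, user jdoe (constructed)</Description>
  <Tags>Logon, US systems</Tags>
</Event>
</timelineml>
"""

TIME_FMT = "%m/%d/%Y %H:%M:%SZ"    # the form used in the sketch; the 'Z' marks UTC

@dataclass(frozen=True)
class Event:
    start: datetime
    end: Optional[datetime]   # None when <End> is empty: a point, not a span
    source: str
    host: str
    description: str
    tags: frozenset           # lower-cased so filtering is case-insensitive

def _required(el: ET.Element, name: str) -> str:
    child = el.find(name)
    if child is None or not (child.text or "").strip():
        raise ValueError(f"<Event> is missing required <{name}>")
    return child.text.strip()

def _optional(el: ET.Element, name: str) -> str:
    child = el.find(name)
    return (child.text or "").strip() if child is not None else ""

def parse_time(s: str) -> datetime:
    return datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)

def parse_timelineml(doc: str) -> List[Event]:
    root = ET.fromstring(doc)
    if root.tag != "timelineml":
        raise ValueError(f"unexpected root element <{root.tag}>")
    events = []
    for el in root.findall("Event"):
        end_txt = _optional(el, "End")
        events.append(Event(
            start=parse_time(_required(el, "Start")),
            end=parse_time(end_txt) if end_txt else None,
            source=_required(el, "Source"),
            host=_required(el, "Host"),
            description=_required(el, "Description"),
            tags=frozenset(t.strip().lower()
                           for t in _optional(el, "Tags").split(",") if t.strip()),
        ))
    return events

def with_tag(events: List[Event], tag: str) -> List[Event]:
    """The 'view only registry events' filter from the message."""
    return [e for e in events if tag.strip().lower() in e.tags]

def duration_seconds(e: Event) -> Optional[float]:
    """None for a point event, otherwise the span length in seconds."""
    return None if e.end is None else (e.end - e.start).total_seconds()

if __name__ == "__main__":
    for e in with_tag(parse_timelineml(TIMELINEML), "Registry"):
        print(e.start.isoformat(), e.source, e.host, duration_seconds(e), sorted(e.tags))
```

The parser is deliberately strict about `Start`, `Source`, `Host` and `Description` and lenient only about `End` and `Tags`; that matches the earlier point in the thread that a consumer needs the field set defined and followed, and it turns a malformed record into an error at load time rather than a silent gap in the timeline.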


              • keydet89
                Message 7 of 13, Feb 8, 2010
                  RMAC,

                  Interesting...I'd suggested to the others looking at this that we include a Notes field, which is much like your Tag field...

                  --- In win4n6@yahoogroups.com, rmac <rmac75@...> wrote:
                  >
                  > While thinking on this some more, I think being able to have some meaningful
                  > meta data in free form would be nice as well, such as cloud tags, ie
                  > delicious. That way if I just want to view registry events, or logon event,
                  > or file events, etc it would be easy to facilitate.
                  >
                  > <timelineml>
                  > <Event>
                  > <Start>02/08/2010 23:14:31Z</Start>
                  > <End></End>
                  > <Source>Registry</Source>
                  > <Host>MDC001</Host>
                  > <Description>LastWriteTime on \HKEY_LOCAL_MACHINE\ SOFTWARE\
                  > Microsoft\ Windows\CurrentVersion\Run</Description>
                  > <Tags>Registry, Malware, US systems, confirmed</Tags>
                  > </Event>
                  > </timelineml>
                  >
                  > Thoughts?
                  >
                  >
                  >
                  > On Mon, Feb 8, 2010 at 4:58 PM, keydet89 <keydet89@...> wrote:
                  >
                  > >
                  > >
                  > > RMac,
                  > >
                  > >
                  > > > I do think that you should include something that includes duration,
                  > > perhaps
                  > > > a start time and an end time? File transfers come to mind, long data
                  > > > operations, as well as time logged in. Lack of end time would indicate a
                  > > > point, whereas a start and end would imply duration, and help with
                  > > grouped
                  > > > events.
                  > >
                  > > Interesting thought. When I started down the road of putting my original
                  > > thoughts together, I did consider a "superevent" or grouping of events. Now
                  > > that some of us are thinking more critically about defining a timeline
                  > > standard, I can easily see something like this as an extension to or next
                  > > version of the "standard".
                  > >
                  > > IMHO, defining an event itself is the first step. I'd like to see if we can
                  > > agree on that, and then see if we can extend that to include duration or
                  > > span events, or "superevents". That's going to take some work, though...what
                  > > if you have, say, 100 events in a timeframe, but not all of them are part of
                  > > the span or superevent? Perhaps a way to do this would be to add a unique
                  > > identifier to the events themselves, in a separate field, and say something
                  > > like, "this span event includes events 1-58, 63-89, and 93-100".
                  > >
                  > >
                  > > > Or within the XML you could have an event that contained multiple
                  > > > items, where the duration is the earliest time to the latest time within
                  > > > that event? I am just thinking from a visualization development
                  > > > standpoint.... KML might be an interesting model to look at because they
                  > > > already have time incorporated...
                  > >
                  > > XML and KML are part of presentation and not part of the "standard".
                  > > Specific tools/techniques for extracting data, as well as presenting the
                  > > final data, are not included in the definition of an "event".
                  > >
                  > > Thanks.
                  > >
                  > >
                  > >
                  >