The OCFA XML evidence metadata representation library
The XML evidence metadata representation library maps metadata to
and from xml. The xml metadata is divided into top-level metadata
and job-level metadata. The library provides an API that modules use
to extract the top-level metadata and to iterate over the job-level
metadata. Furthermore, the API lets modules add job-level metadata to
the active job within the xml.
Top-level metadata
The top-level metadata contains fields that uniquely identify the data:
- case : A string identifying the investigation code or name of the
evidence node.
- src : The physical source of the evidence, mostly equivalent to a
label on impounded property.
- item : The specific media within the labeled physical source, for
example 'firsthdu'.
- id : A string uniquely identifying the evidence data or node
within the item.
Besides these, there are a few further top-level fields:
- location : A human-readable path to the evidence data.
- sha1 : The sha1 digest of the data.
- md5 : The md5 digest of the data.
Job-level metadata
In the open computer forensics architecture, evidence data is
communicated between different programs. Each of these programs in
effect does a particular job with the evidence. When the xml is
first accessed, the job starts, and when the xml is closed the job
ends. The program implicitly adds its identity (module instance)
metadata to the job, and also implicitly adds start and stop
timestamps to the job metadata. Besides this implicit metadata,
many programs (modules) add metadata explicitly, depending on their
functionality. Metadata in the open computer forensics architecture
consists of key/value pairs where the key is a simple text string and
the value is defined by a MetaDataValue subtype. MetaDataValues exist
in the following subtypes:
- ScalarMetaValue : a single Scalar
- ArrayMetaValue : an array of zero or more Scalars
- TableMetaValue : a two-dimensional array of Scalars together with an
array of column names.
The atomic MetaDataValue content is the Scalar. A Scalar can hold
either a unicode string, an integer, a floating point number or a
DateTime value.
Child references
Besides adding metadata, many dissectors derive new evidence data
from existing evidence data. When this happens, a child node is
created and added to the evidence. A special kind of metadata added
by these modules is the child reference. Child references are added
at the job level.
Evidence logging
Besides metadata, a module may want to log information that is
relevant only to the specific evidence. For this, the library allows
the module to add loglines at the job level.
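As an added illustration of the model described in the Top-level metadata, Job-level metadata, Child references and Evidence logging sections above, the following Python code is not OCFA's own library or xml schema: the element and attribute names (evidence, toplevel, job, meta, scalar, array, table, childref, logline), the module instance name 'filetype-0' and all sample values are assumptions made for this example. It builds one evidence node with the top-level fields (deriving sha1 and md5 from the data), runs one job over it that records the implicit module identity and start/stop timestamps plus explicit Scalar, Array and Table metadata, a child reference and a logline, then parses the result back to iterate over the job-level metadata and to check the digest fields against the data.

```python
# Added illustrative model of the evidence-metadata xml described above.
# Not OCFA's own library or schema: all element and attribute names are assumptions.
import datetime as dt
import hashlib
import xml.etree.ElementTree as ET
from collections import namedtuple

TOP_FIELDS = ("case", "src", "item", "id", "location", "sha1", "md5")
_DECODERS = {"int": int, "float": float, "string": str,
             "datetime": dt.datetime.fromisoformat}
Table = namedtuple("Table", "columns rows")  # TableMetaValue: column names + rows of Scalars

def scalar_to_xml(value):
    """Encode one Scalar (str, int, float or datetime) with an explicit type tag."""
    if isinstance(value, bool):  # bool subclasses int but is not a Scalar type
        raise TypeError("bool is not a Scalar type")
    for typ, name, enc in ((int, "int", str), (float, "float", repr),
                           (dt.datetime, "datetime", dt.datetime.isoformat),
                           (str, "string", str)):
        if isinstance(value, typ):
            el = ET.Element("scalar", type=name)
            el.text = enc(value)
            return el
    raise TypeError(f"unsupported Scalar type {type(value).__name__}")

def scalar_from_xml(el):
    """Decode a <scalar> back into the Python value it was encoded from."""
    return _DECODERS[el.get("type")](el.text or "")

def value_to_xml(key, value):
    """Encode a MetaDataValue (Scalar, Array or Table) as a <meta key=...> node."""
    meta = ET.Element("meta", key=key)
    if isinstance(value, Table):
        if any(len(row) != len(value.columns) for row in value.rows):
            raise ValueError("table row width does not match the column count")
        table = ET.SubElement(meta, "table")
        cols = ET.SubElement(table, "columns")
        for name in value.columns:
            ET.SubElement(cols, "col").text = name
        for row in value.rows:
            ET.SubElement(table, "row").extend([scalar_to_xml(v) for v in row])
    elif isinstance(value, list):
        ET.SubElement(meta, "array").extend([scalar_to_xml(v) for v in value])
    else:
        meta.append(scalar_to_xml(value))
    return meta

def value_from_xml(meta):
    """Inverse of value_to_xml: returns (key, value)."""
    node = meta[0]
    if node.tag == "table":
        columns = [c.text for c in node.find("columns")]
        rows = [[scalar_from_xml(s) for s in r] for r in node.findall("row")]
        return meta.get("key"), Table(columns, rows)
    if node.tag == "array":
        return meta.get("key"), [scalar_from_xml(s) for s in node]
    return meta.get("key"), scalar_from_xml(node)

def new_evidence(data, **top):
    """Top-level block for one evidence node; sha1/md5 are derived from the data."""
    top.update(sha1=hashlib.sha1(data).hexdigest(), md5=hashlib.md5(data).hexdigest())
    root = ET.Element("evidence")
    toplevel = ET.SubElement(root, "toplevel")
    for field in TOP_FIELDS:
        ET.SubElement(toplevel, field).text = top[field]
    return root

def verify_digests(root, data):
    """Recompute both digests over data and compare them with the top level."""
    return (root.findtext("toplevel/sha1") == hashlib.sha1(data).hexdigest()
            and root.findtext("toplevel/md5") == hashlib.md5(data).hexdigest())

def open_job(root, module_instance, now):
    """First access to the xml starts a job: module identity and start are implicit."""
    return ET.SubElement(root, "job", module=module_instance, start=now.isoformat())

def close_job(job, now):
    """Closing the xml ends the job: the stop timestamp is implicit as well."""
    job.set("stop", now.isoformat())

def job_metadata(root):
    """Iterate (module, key, value) over the explicit metadata of every job."""
    for job in root.findall("job"):
        for meta in job.findall("meta"):
            yield (job.get("module"),) + value_from_xml(meta)

def demo():
    """Run one job over a constructed node, serialize it, and parse it back."""
    data = b"constructed sample evidence bytes"  # constructed, not real evidence
    root = new_evidence(data, case="CASE-0001", src="laptop-A", item="firsthdu",
                        id="node-17", location="/laptop-A/firsthdu/node-17")
    t0 = dt.datetime(2024, 1, 2, 3, 4, 5, tzinfo=dt.timezone.utc)
    job = open_job(root, "filetype-0", now=t0)  # hypothetical module instance name
    job.append(value_to_xml("mimetype", "text/plain"))          # ScalarMetaValue
    job.append(value_to_xml("sizes", [len(data), 0]))            # ArrayMetaValue
    job.append(value_to_xml("parts", Table(["name", "offset"],  # TableMetaValue
                                           [["header", 0], ["body", 16]])))
    ET.SubElement(job, "childref", id="node-18")  # derived data becomes a child node
    ET.SubElement(job, "logline").text = "constructed sample log line"
    close_job(job, now=t0 + dt.timedelta(seconds=2))
    return ET.fromstring(ET.tostring(root)), data
```

Tagging every scalar element with its type is what makes the round trip unambiguous: the integer 16 and the string '16' would otherwise be indistinguishable once serialized. The digest check is how a consumer of the xml confirms that the data it was handed is the data the top-level fields describe. When the xml comes from a source that is not trusted, parse it with a hardened parser such as defusedxml rather than the stock ElementTree parser used here.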