Examples of uco-observable:Laptop

Seized Dell Latitude 5520
Instance URI: https://ontology.solveit-df.org/solveit/examples/seizedLaptop
Property Value

Examples of uco-observable:Disk

Samsung 500GB SSD
Instance URI: https://ontology.solveit-df.org/solveit/examples/removedDisk
Property Value

Examples of solveit-observable:WriteProtectedDeviceInterface

Tableau T35u Write-Protected Interface
Instance URI: https://ontology.solveit-df.org/solveit/examples/writeBlockedInterface
Property Value

Examples of solveit-observable:Bitstream

Bitstream from Samsung SSD
Instance URI: https://ontology.solveit-df.org/solveit/examples/acquiredBitstream
Property Value

Examples of solveit-observable:PhysicalImageContainer

Examples of uco-observable:File

laptop_ssd.E01
Instance URI: https://ontology.solveit-df.org/solveit/examples/image-segment-E01
Property Value
laptop_ssd.E02
Instance URI: https://ontology.solveit-df.org/solveit/examples/image-segment-E02
Property Value
laptop_ssd.E03
Instance URI: https://ontology.solveit-df.org/solveit/examples/image-segment-E03
Property Value

Examples of solveit-observable:HashVerificationResult

Post-acquisition hash verification
Instance URI: https://ontology.solveit-df.org/solveit/examples/imageHashVerification
Property Value
solveit-observable:verificationPassed "true"^^xsd:boolean

Examples of solveit-observable:ForensicImageContainer

Examples of solveit-observable:AcquisitionErrorRecord

Bad sectors 1024-1030
Instance URI: https://ontology.solveit-df.org/solveit/examples/usbError1
Property Value
solveit-observable:errorLocationEnd "1030"^^xsd:integer
solveit-observable:errorLocationStart "1024"^^xsd:integer
solveit-observable:errorType "bad sector"
Read timeout at sector 5000
Instance URI: https://ontology.solveit-df.org/solveit/examples/usbError2
Property Value
solveit-observable:errorLocationStart "5000"^^xsd:integer
solveit-observable:errorType "read timeout"

Examples of solveit-observable:RawImage

Examples of uco-observable:File

server_hdd.dd
Instance URI: https://ontology.solveit-df.org/solveit/examples/serverRawImageFile
Property Value

Examples of solveit-observable:RawImageInfoFile

server_hdd.dd.info
Instance URI: https://ontology.solveit-df.org/solveit/examples/serverRawImageInfo
Property Value

Examples of solveit-core:Objective

Acquire data
Instance URI: https://ontology.solveit-df.org/solveit/examples/objectiveAcquireData
Property Value
http://www.w3.org/2000/01/rdf-schema#comment "This objective can be achieved through multiple techniques including disk imaging (DFT-1002), hash verification (DFT-1042), and others not shown in these examples."@en
solveit-core:includesTechnique https://ontology.solveit-df.org/solveit/examples/techniqueDFT-1002
solveit-core:includesTechnique https://ontology.solveit-df.org/solveit/examples/techniqueDFT-1042
solveit-core:objectiveDescription "Collect data from the identified evidence sources."
solveit-core:objectiveName "Acquire data"

Examples of solveit-core:Technique

DFT-1002: Disk imaging
Instance URI: https://ontology.solveit-df.org/solveit/examples/techniqueDFT-1002
Property Value
solveit-core:hasCASEOutputClass "https://ontology.unifiedcyberontology.org/uco/observable/Image"^^xsd:anyURI
solveit-core:hasExample "dcfldd"
solveit-core:hasExample "FTK Imager"
solveit-core:hasExample "Magnet ACQUIRE"
solveit-core:hasPotentialWeakness https://ontology.solveit-df.org/solveit/examples/weaknessDFW-1004
solveit-core:hasPotentialWeakness https://ontology.solveit-df.org/solveit/examples/weaknessDFW-1014
solveit-core:hasPotentialWeakness https://ontology.solveit-df.org/solveit/examples/weaknessDFW-1015
solveit-core:hasReference "Nikkel, B., 2016. Practical forensic imaging: securing digital evidence with Linux tools. No Starch Press, Chapter 6, 'Forensic Image Acquisition'"
solveit-core:techniqueDescription "Copying of sectors from a storage media, typically LBA~0~ to LBA~max~ into an imaging format. The could be from a traditional hard disk, SSD, USB stick, or data from an eMMC chip that has been desoldered and placed in a reader."
solveit-core:techniqueID "DFT-1002"
solveit-core:techniqueName "Disk imaging"
DFT-1042: Disk image hash verification
Instance URI: https://ontology.solveit-df.org/solveit/examples/techniqueDFT-1042
Property Value
solveit-core:hasReference "Kessler, G.C., 2016. The impact of MD5 file hash collisions on digital forensic imaging. Journal of digital forensics, security and law, 11(4), p.9."
solveit-core:hasReference "Kessler GC. The impact of SHA-1 file hash collisions on digital forensic imaging: A follow-up experiment. Journal of Digital Forensics, Security and Law. 2016;11(4):10."
solveit-core:hasReference "Lyle, J., 2002. Testing disk imaging tools. DFRWS USA 2002, https://dfrws.org/wp-content/uploads/2019/06/2002_USA_paper-testing_disk_imaging_tools.pdf"
solveit-core:techniqueDescription "Computing the hash function of the entire contents of a disk, recording it, and then subsequently computing the hash over any disk image created to detect if any content is different (adapted from Lyle 2002)"
solveit-core:techniqueID "DFT-1042"
solveit-core:techniqueName "Disk image hash verification"
DFT-1005: Crime scene searching
Instance URI: https://ontology.solveit-df.org/solveit/examples/techniqueDFT-1005
Property Value
solveit-core:hasCASEOutputClass "https://ontology.unifiedcyberontology.org/uco/observable/Device"^^xsd:anyURI
solveit-core:hasCASEOutputClass "https://ontology.unifiedcyberontology.org/uco/observable/Computer"^^xsd:anyURI
solveit-core:hasCASEOutputClass "https://ontology.unifiedcyberontology.org/uco/observable/MobileDevice"^^xsd:anyURI
solveit-core:hasCASEOutputClass "https://ontology.unifiedcyberontology.org/uco/observable/SmartDevice"^^xsd:anyURI
solveit-core:hasCASEOutputClass "https://ontology.unifiedcyberontology.org/uco/observable/WearableDevice"^^xsd:anyURI
solveit-core:hasCASEOutputClass "https://ontology.unifiedcyberontology.org/uco/observable/location"^^xsd:anyURI
solveit-core:hasReference "Birzer, M.L., 2018. Crime Scene Search. Introduction to Criminal Investigation, p.35."
solveit-core:techniqueDescription "The process of 'carefully documenting the conditions at a crime scene and identifying all relevant physical evidence.' (Birzer 2018)."
solveit-core:techniqueID "DFT-1005"
solveit-core:techniqueName "Crime scene searching"
DFT-1052: Timeline generation
Instance URI: https://ontology.solveit-df.org/solveit/examples/techniqueDFT-1052
Property Value
solveit-core:hasCASEOutputClass "https://ontology.solveit-df.org/solveit/observable/Timeline"^^xsd:anyURI
solveit-core:hasCASEOutputClass "https://ontology.solveit-df.org/solveit/observable/TimelineEntry"^^xsd:anyURI
solveit-core:techniqueID "DFT-1052"
solveit-core:techniqueName "Timeline generation"
DFT-1060: Enumerate allocated files and folders
Instance URI: https://ontology.solveit-df.org/solveit/examples/techniqueDFT-1060
Property Value
solveit-core:hasCASEOutputClass "https://ontology.unifiedcyberontology.org/uco/observable/File"^^xsd:anyURI
solveit-core:hasCASEOutputClass "https://ontology.unifiedcyberontology.org/uco/observable/accessedTime"^^xsd:anyURI
solveit-core:hasCASEOutputClass "https://ontology.unifiedcyberontology.org/uco/observable/creationTime"^^xsd:anyURI
solveit-core:hasCASEOutputClass "https://ontology.unifiedcyberontology.org/uco/observable/modifiedTime"^^xsd:anyURI
solveit-core:techniqueID "DFT-1060"
solveit-core:techniqueName "Enumerate allocated files and folders"

Examples of solveit-core:Weakness

DFW-1004: Acquisition does not include all sectors from LBA0 to LBA max
Instance URI: https://ontology.solveit-df.org/solveit/examples/weaknessDFW-1004
Property Value
solveit-core:hasPotentialMitigation https://ontology.solveit-df.org/solveit/examples/mitigationDFM-1003
solveit-core:hasPotentialMitigation https://ontology.solveit-df.org/solveit/examples/mitigationDFM-1004
solveit-core:hasWeaknessClass solveit-core:ASTM_INCOMP
solveit-core:weaknessID "DFW-1004"
solveit-core:weaknessName "Acquisition does not include all sectors from LBA0 to LBA max"

Examples of solveit-core:Mitigation

DFM-1003: Check image size corresponds with drive label
Instance URI: https://ontology.solveit-df.org/solveit/examples/mitigationDFM-1003
Property Value
solveit-core:mitigationID "DFM-1003"
solveit-core:mitigationName "Check image size corresponds with drive label"
DFM-1004: Check hash of image matches hash of source device
Instance URI: https://ontology.solveit-df.org/solveit/examples/mitigationDFM-1004
Property Value
solveit-core:linksToTechnique https://ontology.solveit-df.org/solveit/examples/techniqueDFT-1042
solveit-core:mitigationID "DFM-1004"
solveit-core:mitigationName "Check hash of image matches hash of source device"

Examples of uco-observable:Device

Suspect device
Instance URI: https://ontology.solveit-df.org/solveit/examples/device-9420af3b-4d3a-4239-88fc-d33feec8dc4f
Property Value

Examples of uco-observable:Image

Forensic disk image
Instance URI: https://ontology.solveit-df.org/solveit/examples/forensicimage-68b52e60-1f7f-4f22-8c5e-dd0492d3ee07
Property Value

Examples of solveit-core:SolveitInvestigativeAction

investigativeaction-67f43664-077d-47be-b332-4d1c2b579c49
Instance URI: https://ontology.solveit-df.org/solveit/examples/investigativeaction-67f43664-077d-47be-b332-4d1c2b579c49
Property Value
http://www.w3.org/2000/01/rdf-schema#comment "Example of a SolveitInvestigativeAction based on the CASE Asgard example, demonstrating how a SOLVE-IT technique (DFT-1002: Disk imaging) was executed during an investigation, including the applied mitigation (DFM-1004: Hash verification)."@en
solveit-core:appliedMitigation https://ontology.solveit-df.org/solveit/examples/mitigationDFM-1004
solveit-core:usedTechnique https://ontology.solveit-df.org/solveit/examples/techniqueDFT-1002
https://ontology.unifiedcyberontology.org/uco/action/endTime "2019-03-30T22:47:32+00:00"^^xsd:dateTime
https://ontology.unifiedcyberontology.org/uco/action/instrument https://ontology.solveit-df.org/solveit/examples/configuredtool-4c21b431-1746-410b-bc54-f2fd6a9b2516
https://ontology.unifiedcyberontology.org/uco/action/location https://ontology.solveit-df.org/solveit/examples/location-f67042d4-4963-4c31-9807-23662670004f
https://ontology.unifiedcyberontology.org/uco/action/object https://ontology.solveit-df.org/solveit/examples/device-9420af3b-4d3a-4239-88fc-d33feec8dc4f
https://ontology.unifiedcyberontology.org/uco/action/object https://ontology.solveit-df.org/solveit/examples/provenancerecord-c2b73229-9cc1-477a-9024-8117e18d97fa
https://ontology.unifiedcyberontology.org/uco/action/performer https://ontology.solveit-df.org/solveit/examples/forensicexaminer-acf60326-de21-4a85-9909-692f1780470f
https://ontology.unifiedcyberontology.org/uco/action/result https://ontology.solveit-df.org/solveit/examples/forensicimage-68b52e60-1f7f-4f22-8c5e-dd0492d3ee07
https://ontology.unifiedcyberontology.org/uco/action/result https://ontology.solveit-df.org/solveit/examples/provenancerecord-a2a5098c-43fd-4556-a437-2d3ddb821a53
https://ontology.unifiedcyberontology.org/uco/action/startTime "2019-03-30T22:17:31+00:00"^^xsd:dateTime
https://ontology.unifiedcyberontology.org/uco/core/description "Suspect device physical acquisition"
https://ontology.unifiedcyberontology.org/uco/core/name "acquired"

Examples of uco-observable:Computer

Forensic Workstation
Instance URI: https://ontology.solveit-df.org/solveit/examples/forensicworkstation-a1b2c3d4-5678-9abc-def0-111122223333
Property Value

Examples of solveit-observable:KeywordIndex

Keyword index of suspect laptop image
Instance URI: https://ontology.solveit-df.org/solveit/examples/keywordindex-c3d4e5f6-789a-bcde-f012-333344445555
Property Value

Examples of solveit-observable:Wordlist

Case-specific keyword list
Instance URI: https://ontology.solveit-df.org/solveit/examples/casefile-d4e5f678-9abc-def0-1234-444455556666
Property Value
https://ontology.unifiedcyberontology.org/uco/core/description "Wordlist containing suspect names, known aliases, addresses, and key dates relevant to the investigation"

Examples of solveit-observable:KeywordSearchResultSet

Keyword search results
Instance URI: https://ontology.solveit-df.org/solveit/examples/searchresults-e5f67890-abcd-ef01-2345-555566667777
Property Value
https://ontology.unifiedcyberontology.org/uco/core/description "1,247 hits across 312 files from indexed keyword search"

Examples of solveit-core:SolveitInvestigativeAction

investigativeaction-f6789012-bcde-f012-3456-666677778888
Instance URI: https://ontology.solveit-df.org/solveit/examples/investigativeaction-f6789012-bcde-f012-3456-666677778888
Property Value
http://www.w3.org/2000/01/rdf-schema#comment "Example of a single SolveitInvestigativeAction that references multiple techniques. The examiner chose to search using case-specific wordlists (DFT-1123: names, aliases, addresses) rather than case-type wordlists (DFT-1122), and ran an indexed search (DFT-1124) rather than a live search (DFT-1125). The fast completion time (approx. 2 minutes) reflects the use of a pre-built index."@en
solveit-core:usedTechnique https://ontology.solveit-df.org/solveit/data/techniqueDFT-1123
solveit-core:usedTechnique https://ontology.solveit-df.org/solveit/data/techniqueDFT-1124
https://ontology.unifiedcyberontology.org/uco/action/endTime "2024-11-15T09:32:17+00:00"^^xsd:dateTime
https://ontology.unifiedcyberontology.org/uco/action/instrument https://ontology.solveit-df.org/solveit/examples/forensicworkstation-a1b2c3d4-5678-9abc-def0-111122223333
https://ontology.unifiedcyberontology.org/uco/action/object https://ontology.solveit-df.org/solveit/examples/keywordindex-c3d4e5f6-789a-bcde-f012-333344445555
https://ontology.unifiedcyberontology.org/uco/action/object https://ontology.solveit-df.org/solveit/examples/casefile-d4e5f678-9abc-def0-1234-444455556666
https://ontology.unifiedcyberontology.org/uco/action/performer https://ontology.solveit-df.org/solveit/examples/examiner-b2c3d4e5-6789-abcd-ef01-222233334444
https://ontology.unifiedcyberontology.org/uco/action/result https://ontology.solveit-df.org/solveit/examples/searchresults-e5f67890-abcd-ef01-2345-555566667777
https://ontology.unifiedcyberontology.org/uco/action/startTime "2024-11-15T09:30:00+00:00"^^xsd:dateTime
https://ontology.unifiedcyberontology.org/uco/core/description "Indexed keyword search using case-specific wordlists against keyword index of suspect laptop"
https://ontology.unifiedcyberontology.org/uco/core/name "keyword-search-indexed"

Examples of solveit-observable:VideoFrame

Frame 001 from surveillance video
Instance URI: https://ontology.solveit-df.org/solveit/examples/exampleFrame001
Property Value
solveit-observable:extractedFromVideo https://ontology.solveit-df.org/solveit/examples/video001
solveit-observable:videoFrameNumber "1250"^^xsd:integer
solveit-observable:videoFramePixelHeight "1080"^^xsd:integer
solveit-observable:videoFramePixelWidth "1920"^^xsd:integer

Examples of uco-observable:File

surveillance_camera_01.mp4
Instance URI: https://ontology.solveit-df.org/solveit/examples/video001
Property Value

Examples of solveit-observable:UnlockPattern

Android unlock pattern from seized device
Instance URI: https://ontology.solveit-df.org/solveit/examples/unlockPattern001
Property Value
http://www.w3.org/2000/01/rdf-schema#comment "Pattern extracted from /data/system/gesture.key representing an 'L' shape on 3x3 grid (down left column, across bottom row)."@en
solveit-observable:unlockPatternSequence ( "1"^^xsd:integer "4"^^xsd:integer "7"^^xsd:integer "8"^^xsd:integer "9"^^xsd:integer )

Examples of solveit-observable:BitstreamRandomAccessed

USB drive bitstream (random access)
Instance URI: https://ontology.solveit-df.org/solveit/examples/bitstream-22222222-2222-2222-2222-222222222222
Property Value

Examples of solveit-observable:Wordlist

Fraud case-type keyword list
Instance URI: https://ontology.solveit-df.org/solveit/examples/wordlist-33333333-3333-3333-3333-333333333333
Property Value
https://ontology.unifiedcyberontology.org/uco/core/description "Standard wordlist for financial fraud investigations"

Examples of solveit-observable:KeywordSearchResultSet

Live keyword search results
Instance URI: https://ontology.solveit-df.org/solveit/examples/searchresults-44444444-4444-4444-4444-444444444444
Property Value
solveit-observable:hasSearchResult https://ontology.solveit-df.org/solveit/examples/hit-55555555-5555-5555-5555-555555555551
solveit-observable:hasSearchResult https://ontology.solveit-df.org/solveit/examples/hit-55555555-5555-5555-5555-555555555552
solveit-observable:hasSearchResult https://ontology.solveit-df.org/solveit/examples/hit-55555555-5555-5555-5555-555555555553
https://ontology.unifiedcyberontology.org/uco/core/description "87 offset hits — these are raw byte offsets into the bitstream that require subsequent lookup to resolve to files or unallocated space"

Examples of solveit-observable:KeywordSearchResult

Hit: offset 0x1A3F00 — keyword match (pending file resolution)
Instance URI: https://ontology.solveit-df.org/solveit/examples/hit-55555555-5555-5555-5555-555555555551
Property Value
Hit: offset 0x8B2100 — keyword match (pending file resolution)
Instance URI: https://ontology.solveit-df.org/solveit/examples/hit-55555555-5555-5555-5555-555555555552
Property Value
Hit: offset 0xF04E80 — keyword match (pending file resolution)
Instance URI: https://ontology.solveit-df.org/solveit/examples/hit-55555555-5555-5555-5555-555555555553
Property Value

Examples of solveit-core:SolveitInvestigativeAction

investigativeaction-66666666-6666-6666-6666-666666666666
Instance URI: https://ontology.solveit-df.org/solveit/examples/investigativeaction-66666666-6666-6666-6666-666666666666
Property Value
http://www.w3.org/2000/01/rdf-schema#comment "Simple example: live keyword search using case-type wordlists. The 47-minute duration reflects that a live search scans raw data without a pre-built index. Results are raw byte offsets into the bitstream that require a subsequent file-resolution step to determine whether each hit falls within an allocated file or in unallocated space."@en
solveit-core:usedTechnique https://ontology.solveit-df.org/solveit/data/techniqueDFT-1122
solveit-core:usedTechnique https://ontology.solveit-df.org/solveit/data/techniqueDFT-1125
https://ontology.unifiedcyberontology.org/uco/action/endTime "2024-11-10T14:47:22+00:00"^^xsd:dateTime
https://ontology.unifiedcyberontology.org/uco/action/object https://ontology.solveit-df.org/solveit/examples/bitstream-22222222-2222-2222-2222-222222222222
https://ontology.unifiedcyberontology.org/uco/action/object https://ontology.solveit-df.org/solveit/examples/wordlist-33333333-3333-3333-3333-333333333333
https://ontology.unifiedcyberontology.org/uco/action/performer https://ontology.solveit-df.org/solveit/examples/examiner-11111111-1111-1111-1111-111111111111
https://ontology.unifiedcyberontology.org/uco/action/result https://ontology.solveit-df.org/solveit/examples/searchresults-44444444-4444-4444-4444-444444444444
https://ontology.unifiedcyberontology.org/uco/action/startTime "2024-11-10T14:00:00+00:00"^^xsd:dateTime
https://ontology.unifiedcyberontology.org/uco/core/description "Live keyword search over USB drive bitstream using standard fraud case-type wordlist"
https://ontology.unifiedcyberontology.org/uco/core/name "keyword-search-live"

Examples of uco-observable:Computer

Forensic Workstation
Instance URI: https://ontology.solveit-df.org/solveit/examples/forensicworkstation-aaaa1111-2222-3333-4444-555566667777
Property Value

Examples of solveit-observable:FileSet

Extracted files from suspect laptop image
Instance URI: https://ontology.solveit-df.org/solveit/examples/fileset-77771111-2222-3333-4444-555566667777
Property Value

Examples of solveit-observable:ArtifactSet

Parsed artifacts from suspect laptop (browser history, messages, etc.)
Instance URI: https://ontology.solveit-df.org/solveit/examples/artifactset-77772222-2222-3333-4444-555566667777
Property Value

Examples of solveit-observable:KeywordIndexingConfiguration

Indexing configuration
Instance URI: https://ontology.solveit-df.org/solveit/examples/indexconfig-88881111-2222-3333-4444-555566667777
Property Value
https://ontology.unifiedcyberontology.org/uco/core/description "UTF-8 encoding, English language stemming enabled, max word length 64"

Examples of solveit-observable:KeywordIndex

Keyword index of suspect laptop files and parsed artifacts
Instance URI: https://ontology.solveit-df.org/solveit/examples/generatedindex-99991111-2222-3333-4444-555566667777
Property Value
solveit-observable:hasConfiguration https://ontology.solveit-df.org/solveit/examples/indexconfig-88881111-2222-3333-4444-555566667777

Examples of solveit-core:SolveitInvestigativeAction

investigativeaction-aabb1111-2222-3333-4444-555566667777
Instance URI: https://ontology.solveit-df.org/solveit/examples/investigativeaction-aabb1111-2222-3333-4444-555566667777
Property Value
http://www.w3.org/2000/01/rdf-schema#comment "Keyword indexing is typically run overnight as a batch process. The input can include both raw file content (FileSet) and parsed artifacts such as browser history and messages (ArtifactSet). The resulting KeywordIndex is then used as input to the indexed keyword search in Example 3."@en
solveit-core:usedTechnique https://ontology.solveit-df.org/solveit/data/techniqueDFT-1126
https://ontology.unifiedcyberontology.org/uco/action/endTime "2024-11-15T01:15:43+00:00"^^xsd:dateTime
https://ontology.unifiedcyberontology.org/uco/action/instrument https://ontology.solveit-df.org/solveit/examples/forensicworkstation-aaaa1111-2222-3333-4444-555566667777
https://ontology.unifiedcyberontology.org/uco/action/object https://ontology.solveit-df.org/solveit/examples/fileset-77771111-2222-3333-4444-555566667777
https://ontology.unifiedcyberontology.org/uco/action/object https://ontology.solveit-df.org/solveit/examples/artifactset-77772222-2222-3333-4444-555566667777
https://ontology.unifiedcyberontology.org/uco/action/performer https://ontology.solveit-df.org/solveit/examples/examiner-bbbb1111-2222-3333-4444-555566667777
https://ontology.unifiedcyberontology.org/uco/action/result https://ontology.solveit-df.org/solveit/examples/generatedindex-99991111-2222-3333-4444-555566667777
https://ontology.unifiedcyberontology.org/uco/action/startTime "2024-11-14T22:00:00+00:00"^^xsd:dateTime
https://ontology.unifiedcyberontology.org/uco/core/description "Build keyword index from extracted files and parsed artifacts of suspect laptop"
https://ontology.unifiedcyberontology.org/uco/core/name "keyword-indexing"

Examples of solveit-observable:Wordlist

Case-specific keyword list
Instance URI: https://ontology.solveit-df.org/solveit/examples/casekeywords-dddd1111-2222-3333-4444-555566667777
Property Value
https://ontology.unifiedcyberontology.org/uco/core/description "Wordlist containing suspect names, known aliases, addresses, and key dates relevant to the investigation"

Examples of solveit-observable:KeywordSearchResultSet

Indexed keyword search results
Instance URI: https://ontology.solveit-df.org/solveit/examples/searchresults-eeee1111-2222-3333-4444-555566667777
Property Value
https://ontology.unifiedcyberontology.org/uco/core/description "1,247 hits across 312 files from indexed keyword search"

Examples of solveit-core:SolveitInvestigativeAction

investigativeaction-ffff1111-2222-3333-4444-555566667777
Instance URI: https://ontology.solveit-df.org/solveit/examples/investigativeaction-ffff1111-2222-3333-4444-555566667777
Property Value
http://www.w3.org/2000/01/rdf-schema#comment "Indexed search using case-specific wordlists against the index built in Example 2. The fast completion time (approx. 2 minutes vs 47 minutes for a live search) reflects the use of a pre-built index."@en
solveit-core:usedTechnique https://ontology.solveit-df.org/solveit/data/techniqueDFT-1123
solveit-core:usedTechnique https://ontology.solveit-df.org/solveit/data/techniqueDFT-1124
https://ontology.unifiedcyberontology.org/uco/action/endTime "2024-11-15T09:32:17+00:00"^^xsd:dateTime
https://ontology.unifiedcyberontology.org/uco/action/instrument https://ontology.solveit-df.org/solveit/examples/forensicworkstation-aaaa1111-2222-3333-4444-555566667777
https://ontology.unifiedcyberontology.org/uco/action/object https://ontology.solveit-df.org/solveit/examples/generatedindex-99991111-2222-3333-4444-555566667777
https://ontology.unifiedcyberontology.org/uco/action/object https://ontology.solveit-df.org/solveit/examples/casekeywords-dddd1111-2222-3333-4444-555566667777
https://ontology.unifiedcyberontology.org/uco/action/performer https://ontology.solveit-df.org/solveit/examples/examiner-bbbb1111-2222-3333-4444-555566667777
https://ontology.unifiedcyberontology.org/uco/action/result https://ontology.solveit-df.org/solveit/examples/searchresults-eeee1111-2222-3333-4444-555566667777
https://ontology.unifiedcyberontology.org/uco/action/startTime "2024-11-15T09:30:00+00:00"^^xsd:dateTime
https://ontology.unifiedcyberontology.org/uco/core/description "Indexed keyword search using case-specific wordlists against keyword index of suspect laptop"
https://ontology.unifiedcyberontology.org/uco/core/name "keyword-search-indexed"

Examples of uco-observable:FileSystem

FAT32 filesystem on suspect USB drive
Instance URI: https://ontology.solveit-df.org/solveit/examples/filesystem-a3c71d90-4e8b-4a1f-b2d6-9f0e3c5a7b12
Property Value

Examples of solveit-observable:FileSet

Enumerated files from FAT32 suspect USB drive
Instance URI: https://ontology.solveit-df.org/solveit/examples/fileset-a3c71d90-4e8b-4a1f-b2d6-9f0e3c5a7b12
Property Value

Examples of solveit-core:SolveitInvestigativeAction

enumerateFilesAction003
Instance URI: https://ontology.solveit-df.org/solveit/examples/enumerateFilesAction003
Property Value
http://www.w3.org/2000/01/rdf-schema#comment "DFT-1060: Enumerate allocated files - extracts 5 file objects with FAT timestamps from the suspect USB drive."@en
solveit-core:usedTechnique https://ontology.solveit-df.org/solveit/data/techniqueDFT-1060
https://ontology.unifiedcyberontology.org/uco/action/endTime "2026-02-10T09:02:00+00:00"^^xsd:dateTime
https://ontology.unifiedcyberontology.org/uco/action/instrument https://ontology.solveit-df.org/solveit/examples/tool-acme-filesystem-parser
https://ontology.unifiedcyberontology.org/uco/action/object https://ontology.solveit-df.org/solveit/examples/filesystem-a3c71d90-4e8b-4a1f-b2d6-9f0e3c5a7b12
https://ontology.unifiedcyberontology.org/uco/action/performer https://ontology.solveit-df.org/solveit/examples/examiner-john-smith
https://ontology.unifiedcyberontology.org/uco/action/result https://ontology.solveit-df.org/solveit/examples/fileset-a3c71d90-4e8b-4a1f-b2d6-9f0e3c5a7b12
https://ontology.unifiedcyberontology.org/uco/action/startTime "2026-02-10T09:00:00+00:00"^^xsd:dateTime
https://ontology.unifiedcyberontology.org/uco/core/description "Enumeration of allocated files from FAT32 suspect USB drive"
https://ontology.unifiedcyberontology.org/uco/core/name "enumerate-files"
timelineGenerationAction003
Instance URI: https://ontology.solveit-df.org/solveit/examples/timelineGenerationAction003
Property Value
http://www.w3.org/2000/01/rdf-schema#comment "DFT-1052: Timeline generation - creates 15 TimelineEntries (created/modified/accessed for each of 5 files) and assembles them into an unsorted Timeline. Created and modified times become DateTimeStamp values; accessed dates become DateTimeRange values (whole-day intervals)."@en
solveit-core:usedTechnique https://ontology.solveit-df.org/solveit/data/techniqueDFT-1052
https://ontology.unifiedcyberontology.org/uco/action/endTime "2026-02-10T09:03:00+00:00"^^xsd:dateTime
https://ontology.unifiedcyberontology.org/uco/action/instrument https://ontology.solveit-df.org/solveit/examples/tool-plaso
https://ontology.unifiedcyberontology.org/uco/action/object https://ontology.solveit-df.org/solveit/examples/fatSortFile001
https://ontology.unifiedcyberontology.org/uco/action/object https://ontology.solveit-df.org/solveit/examples/fatSortFile002
https://ontology.unifiedcyberontology.org/uco/action/object https://ontology.solveit-df.org/solveit/examples/fatSortFile003
https://ontology.unifiedcyberontology.org/uco/action/object https://ontology.solveit-df.org/solveit/examples/fatSortFile004
https://ontology.unifiedcyberontology.org/uco/action/object https://ontology.solveit-df.org/solveit/examples/fatSortFile005
https://ontology.unifiedcyberontology.org/uco/action/performer https://ontology.solveit-df.org/solveit/examples/examiner-john-smith
https://ontology.unifiedcyberontology.org/uco/action/result https://ontology.solveit-df.org/solveit/examples/te-file001-created
https://ontology.unifiedcyberontology.org/uco/action/result https://ontology.solveit-df.org/solveit/examples/te-file001-modified
https://ontology.unifiedcyberontology.org/uco/action/result https://ontology.solveit-df.org/solveit/examples/te-file001-accessed
https://ontology.unifiedcyberontology.org/uco/action/result https://ontology.solveit-df.org/solveit/examples/te-file002-created
https://ontology.unifiedcyberontology.org/uco/action/result https://ontology.solveit-df.org/solveit/examples/te-file002-modified
https://ontology.unifiedcyberontology.org/uco/action/result https://ontology.solveit-df.org/solveit/examples/te-file002-accessed
https://ontology.unifiedcyberontology.org/uco/action/result https://ontology.solveit-df.org/solveit/examples/te-file003-created
https://ontology.unifiedcyberontology.org/uco/action/result https://ontology.solveit-df.org/solveit/examples/te-file003-modified
https://ontology.unifiedcyberontology.org/uco/action/result https://ontology.solveit-df.org/solveit/examples/te-file003-accessed
https://ontology.unifiedcyberontology.org/uco/action/result https://ontology.solveit-df.org/solveit/examples/te-file004-created
https://ontology.unifiedcyberontology.org/uco/action/result https://ontology.solveit-df.org/solveit/examples/te-file004-modified
https://ontology.unifiedcyberontology.org/uco/action/result https://ontology.solveit-df.org/solveit/examples/te-file004-accessed
https://ontology.unifiedcyberontology.org/uco/action/result https://ontology.solveit-df.org/solveit/examples/te-file005-created
https://ontology.unifiedcyberontology.org/uco/action/result https://ontology.solveit-df.org/solveit/examples/te-file005-modified
https://ontology.unifiedcyberontology.org/uco/action/result https://ontology.solveit-df.org/solveit/examples/te-file005-accessed
https://ontology.unifiedcyberontology.org/uco/action/result https://ontology.solveit-df.org/solveit/examples/fatTimeline001
https://ontology.unifiedcyberontology.org/uco/action/startTime "2026-02-10T09:02:00+00:00"^^xsd:dateTime
https://ontology.unifiedcyberontology.org/uco/core/description "Generation of forensic timeline from all FAT timestamps (created, modified, accessed) for 5 files"
https://ontology.unifiedcyberontology.org/uco/core/name "generate-timeline"
timelineSortAction001
Instance URI: https://ontology.solveit-df.org/solveit/examples/timelineSortAction001
Property Value
http://www.w3.org/2000/01/rdf-schema#comment "DFT-xxxx: Sort timeline - orders 15 entries chronologically. Point timestamps (DateTimeStamp) are ordered by value. Whole-day accessed ranges (DateTimeRange) are placed at the end of their respective days since the exact access time within the day is unknown. Tied positions occur where: (a) NOTES.TXT and DRAFT.DOC share the same modified time at 2s resolution, (b) README.TXT and NOTES.TXT share the same accessed date of 2025-11-03, and (c) DRAFT.DOC, BUDGET.XLS, and PHOTO.JPG share the same accessed date of 2025-11-04."@en
solveit-core:usedTechnique https://ontology.solveit-df.org/solveit/data/techniqueDFT-1052
https://ontology.unifiedcyberontology.org/uco/action/endTime "2026-02-10T09:03:30+00:00"^^xsd:dateTime
https://ontology.unifiedcyberontology.org/uco/action/instrument https://ontology.solveit-df.org/solveit/examples/tool-timeline-analyser
https://ontology.unifiedcyberontology.org/uco/action/object https://ontology.solveit-df.org/solveit/examples/fatTimeline001
https://ontology.unifiedcyberontology.org/uco/action/performer https://ontology.solveit-df.org/solveit/examples/examiner-john-smith
https://ontology.unifiedcyberontology.org/uco/action/result https://ontology.solveit-df.org/solveit/examples/fatSortedTimeline001
https://ontology.unifiedcyberontology.org/uco/action/startTime "2026-02-10T09:03:00+00:00"^^xsd:dateTime
https://ontology.unifiedcyberontology.org/uco/core/description "Chronological sorting of 15-entry FAT timestamp timeline, assigning positions with ties where timestamps are indistinguishable"
https://ontology.unifiedcyberontology.org/uco/core/name "sort-timeline"
timelineFilterAction001
Instance URI: https://ontology.solveit-df.org/solveit/examples/timelineFilterAction001
Property Value
http://www.w3.org/2000/01/rdf-schema#comment "DFT-1182: Filter timeline for relevant entries - selects only entries falling within 10:20:00 to 10:23:00 on 2025-11-03 (the window around DRAFT.DOC's creation). Produces a new SortedTimeline with 4 entries: NOTES.TXT created, DRAFT.DOC created, and the tied NOTES.TXT/DRAFT.DOC modified entries."@en
solveit-core:usedTechnique https://ontology.solveit-df.org/solveit/data/techniqueDFT-1182
https://ontology.unifiedcyberontology.org/uco/action/endTime "2026-02-10T09:04:00+00:00"^^xsd:dateTime
https://ontology.unifiedcyberontology.org/uco/action/instrument https://ontology.solveit-df.org/solveit/examples/tool-timeline-analyser
https://ontology.unifiedcyberontology.org/uco/action/object https://ontology.solveit-df.org/solveit/examples/fatSortedTimeline001
https://ontology.unifiedcyberontology.org/uco/action/performer https://ontology.solveit-df.org/solveit/examples/examiner-john-smith
https://ontology.unifiedcyberontology.org/uco/action/result https://ontology.solveit-df.org/solveit/examples/filteredSortedTimeline001
https://ontology.unifiedcyberontology.org/uco/action/startTime "2026-02-10T09:03:30+00:00"^^xsd:dateTime
https://ontology.unifiedcyberontology.org/uco/core/description "Filter sorted timeline for entries within 10:20:00-10:23:00 around DRAFT.DOC creation time"
https://ontology.unifiedcyberontology.org/uco/core/name "filter-timeline"

Examples of uco-observable:File

README.TXT
Instance URI: https://ontology.solveit-df.org/solveit/examples/fatSortFile001
Property Value
http://www.w3.org/2000/01/rdf-schema#comment "A text file on the suspect FAT32 USB drive."@en
https://ontology.unifiedcyberontology.org/uco/core/hasFacet https://ontology.solveit-df.org/solveit/examples/fatSortFile001-fileFacet
https://ontology.unifiedcyberontology.org/uco/core/name "README.TXT"

Examples of uco-observable:FileFacet

fatSortFile001-fileFacet
Instance URI: https://ontology.solveit-df.org/solveit/examples/fatSortFile001-fileFacet
Property Value
uco-observable:accessedTime "2025-11-03T00:00:00"^^xsd:dateTime
uco-observable:creationTime "2025-11-03T08:12:05.320000"^^xsd:dateTime
uco-observable:fileName "README.TXT"
uco-observable:modifiedTime "2025-11-03T08:14:10"^^xsd:dateTime

Examples of uco-observable:File

NOTES.TXT
Instance URI: https://ontology.solveit-df.org/solveit/examples/fatSortFile002
Property Value
http://www.w3.org/2000/01/rdf-schema#comment "A text file - created within 1 second of DRAFT.DOC (distinguishable at 10ms resolution), but modified at the same 2-second FAT resolution as DRAFT.DOC."@en
https://ontology.unifiedcyberontology.org/uco/core/hasFacet https://ontology.solveit-df.org/solveit/examples/fatSortFile002-fileFacet
https://ontology.unifiedcyberontology.org/uco/core/name "NOTES.TXT"

Examples of uco-observable:FileFacet

fatSortFile002-fileFacet
Instance URI: https://ontology.solveit-df.org/solveit/examples/fatSortFile002-fileFacet
Property Value
uco-observable:accessedTime "2025-11-03T00:00:00"^^xsd:dateTime
uco-observable:creationTime "2025-11-03T10:20:41.150000"^^xsd:dateTime
uco-observable:fileName "NOTES.TXT"
uco-observable:modifiedTime "2025-11-03T10:22:16"^^xsd:dateTime

Examples of uco-observable:File

DRAFT.DOC
Instance URI: https://ontology.solveit-df.org/solveit/examples/fatSortFile003
Property Value
http://www.w3.org/2000/01/rdf-schema#comment "A document - created within 1 second of NOTES.TXT (distinguishable at 10ms resolution), but modified at the same 2-second FAT resolution as NOTES.TXT."@en
https://ontology.unifiedcyberontology.org/uco/core/hasFacet https://ontology.solveit-df.org/solveit/examples/fatSortFile003-fileFacet
https://ontology.unifiedcyberontology.org/uco/core/name "DRAFT.DOC"

Examples of uco-observable:FileFacet

fatSortFile003-fileFacet
Instance URI: https://ontology.solveit-df.org/solveit/examples/fatSortFile003-fileFacet
Property Value
uco-observable:accessedTime "2025-11-04T00:00:00"^^xsd:dateTime
uco-observable:creationTime "2025-11-03T10:20:41.840000"^^xsd:dateTime
uco-observable:fileName "DRAFT.DOC"
uco-observable:modifiedTime "2025-11-03T10:22:16"^^xsd:dateTime

Examples of uco-observable:File

BUDGET.XLS
Instance URI: https://ontology.solveit-df.org/solveit/examples/fatSortFile004
Property Value
http://www.w3.org/2000/01/rdf-schema#comment "A spreadsheet on the suspect FAT32 USB drive."@en
https://ontology.unifiedcyberontology.org/uco/core/hasFacet https://ontology.solveit-df.org/solveit/examples/fatSortFile004-fileFacet
https://ontology.unifiedcyberontology.org/uco/core/name "BUDGET.XLS"

Examples of uco-observable:FileFacet

fatSortFile004-fileFacet
Instance URI: https://ontology.solveit-df.org/solveit/examples/fatSortFile004-fileFacet
Property Value
uco-observable:accessedTime "2025-11-04T00:00:00"^^xsd:dateTime
uco-observable:creationTime "2025-11-03T14:05:22.010000"^^xsd:dateTime
uco-observable:fileName "BUDGET.XLS"
uco-observable:modifiedTime "2025-11-03T14:05:30"^^xsd:dateTime

Examples of uco-observable:File

PHOTO.JPG
Instance URI: https://ontology.solveit-df.org/solveit/examples/fatSortFile005
Property Value
http://www.w3.org/2000/01/rdf-schema#comment "An image file on the suspect FAT32 USB drive."@en
https://ontology.unifiedcyberontology.org/uco/core/hasFacet https://ontology.solveit-df.org/solveit/examples/fatSortFile005-fileFacet
https://ontology.unifiedcyberontology.org/uco/core/name "PHOTO.JPG"

Examples of uco-observable:FileFacet

fatSortFile005-fileFacet
Instance URI: https://ontology.solveit-df.org/solveit/examples/fatSortFile005-fileFacet
Property Value
uco-observable:accessedTime "2025-11-04T00:00:00"^^xsd:dateTime
uco-observable:creationTime "2025-11-03T19:40:55.670000"^^xsd:dateTime
uco-observable:fileName "PHOTO.JPG"
uco-observable:modifiedTime "2025-11-03T19:41:08"^^xsd:dateTime

Examples of solveit-observable:DateTimeStamp

README.TXT created timestamp
Instance URI: https://ontology.solveit-df.org/solveit/examples/file001-createdTs
Property Value
http://www.w3.org/2000/01/rdf-schema#comment "FAT created time with 10ms resolution."@en
solveit-observable:timestampResolution "10ms"
solveit-observable:timestampTimezone "unknown"
solveit-observable:timestampValue "2025-11-03T08:12:05.320000"^^xsd:dateTime
NOTES.TXT created timestamp
Instance URI: https://ontology.solveit-df.org/solveit/examples/file002-createdTs
Property Value
http://www.w3.org/2000/01/rdf-schema#comment "FAT created time with 10ms resolution. Only 690ms before DRAFT.DOC - distinguishable at this resolution."@en
solveit-observable:timestampResolution "10ms"
solveit-observable:timestampTimezone "unknown"
solveit-observable:timestampValue "2025-11-03T10:20:41.150000"^^xsd:dateTime
DRAFT.DOC created timestamp
Instance URI: https://ontology.solveit-df.org/solveit/examples/file003-createdTs
Property Value
http://www.w3.org/2000/01/rdf-schema#comment "FAT created time with 10ms resolution. Only 690ms after NOTES.TXT - distinguishable at this resolution."@en
solveit-observable:timestampResolution "10ms"
solveit-observable:timestampTimezone "unknown"
solveit-observable:timestampValue "2025-11-03T10:20:41.840000"^^xsd:dateTime
BUDGET.XLS created timestamp
Instance URI: https://ontology.solveit-df.org/solveit/examples/file004-createdTs
Property Value
http://www.w3.org/2000/01/rdf-schema#comment "FAT created time with 10ms resolution."@en
solveit-observable:timestampResolution "10ms"
solveit-observable:timestampTimezone "unknown"
solveit-observable:timestampValue "2025-11-03T14:05:22.010000"^^xsd:dateTime
PHOTO.JPG created timestamp
Instance URI: https://ontology.solveit-df.org/solveit/examples/file005-createdTs
Property Value
http://www.w3.org/2000/01/rdf-schema#comment "FAT created time with 10ms resolution."@en
solveit-observable:timestampResolution "10ms"
solveit-observable:timestampTimezone "unknown"
solveit-observable:timestampValue "2025-11-03T19:40:55.670000"^^xsd:dateTime
README.TXT modified timestamp
Instance URI: https://ontology.solveit-df.org/solveit/examples/file001-modifiedTs
Property Value
http://www.w3.org/2000/01/rdf-schema#comment "FAT modified time with 2-second resolution."@en
solveit-observable:timestampResolution "2s"
solveit-observable:timestampTimezone "unknown"
solveit-observable:timestampValue "2025-11-03T08:14:10"^^xsd:dateTime
NOTES.TXT modified timestamp
Instance URI: https://ontology.solveit-df.org/solveit/examples/file002-modifiedTs
Property Value
http://www.w3.org/2000/01/rdf-schema#comment "FAT modified time with 2-second resolution. Same value as DRAFT.DOC - indistinguishable at this resolution."@en
solveit-observable:timestampResolution "2s"
solveit-observable:timestampTimezone "unknown"
solveit-observable:timestampValue "2025-11-03T10:22:16"^^xsd:dateTime
DRAFT.DOC modified timestamp
Instance URI: https://ontology.solveit-df.org/solveit/examples/file003-modifiedTs
Property Value
http://www.w3.org/2000/01/rdf-schema#comment "FAT modified time with 2-second resolution. Same value as NOTES.TXT - indistinguishable at this resolution."@en
solveit-observable:timestampResolution "2s"
solveit-observable:timestampTimezone "unknown"
solveit-observable:timestampValue "2025-11-03T10:22:16"^^xsd:dateTime
BUDGET.XLS modified timestamp
Instance URI: https://ontology.solveit-df.org/solveit/examples/file004-modifiedTs
Property Value
http://www.w3.org/2000/01/rdf-schema#comment "FAT modified time with 2-second resolution."@en
solveit-observable:timestampResolution "2s"
solveit-observable:timestampTimezone "unknown"
solveit-observable:timestampValue "2025-11-03T14:05:30"^^xsd:dateTime
PHOTO.JPG modified timestamp
Instance URI: https://ontology.solveit-df.org/solveit/examples/file005-modifiedTs
Property Value
http://www.w3.org/2000/01/rdf-schema#comment "FAT modified time with 2-second resolution."@en
solveit-observable:timestampResolution "2s"
solveit-observable:timestampTimezone "unknown"
solveit-observable:timestampValue "2025-11-03T19:41:08"^^xsd:dateTime

Examples of solveit-observable:DateTimeRange

README.TXT accessed date range
Instance URI: https://ontology.solveit-df.org/solveit/examples/file001-accessedRange
Property Value
http://www.w3.org/2000/01/rdf-schema#comment "FAT accessed date: 2025-11-03. Spans the entire day because FAT only records the date, not the time of access."@en
solveit-observable:endTimeExclusive "2025-11-04T00:00:00"^^xsd:dateTime
solveit-observable:startTimeInclusive "2025-11-03T00:00:00"^^xsd:dateTime
NOTES.TXT accessed date range
Instance URI: https://ontology.solveit-df.org/solveit/examples/file002-accessedRange
Property Value
http://www.w3.org/2000/01/rdf-schema#comment "FAT accessed date: 2025-11-03. Same day as README.TXT - these will be tied in the sorted timeline."@en
solveit-observable:endTimeExclusive "2025-11-04T00:00:00"^^xsd:dateTime
solveit-observable:startTimeInclusive "2025-11-03T00:00:00"^^xsd:dateTime
DRAFT.DOC accessed date range
Instance URI: https://ontology.solveit-df.org/solveit/examples/file003-accessedRange
Property Value
http://www.w3.org/2000/01/rdf-schema#comment "FAT accessed date: 2025-11-04. Same day as BUDGET.XLS and PHOTO.JPG - these three will be tied."@en
solveit-observable:endTimeExclusive "2025-11-05T00:00:00"^^xsd:dateTime
solveit-observable:startTimeInclusive "2025-11-04T00:00:00"^^xsd:dateTime
BUDGET.XLS accessed date range
Instance URI: https://ontology.solveit-df.org/solveit/examples/file004-accessedRange
Property Value
http://www.w3.org/2000/01/rdf-schema#comment "FAT accessed date: 2025-11-04. Same day as DRAFT.DOC and PHOTO.JPG - these three will be tied."@en
solveit-observable:endTimeExclusive "2025-11-05T00:00:00"^^xsd:dateTime
solveit-observable:startTimeInclusive "2025-11-04T00:00:00"^^xsd:dateTime
PHOTO.JPG accessed date range
Instance URI: https://ontology.solveit-df.org/solveit/examples/file005-accessedRange
Property Value
http://www.w3.org/2000/01/rdf-schema#comment "FAT accessed date: 2025-11-04. Same day as DRAFT.DOC and BUDGET.XLS - these three will be tied."@en
solveit-observable:endTimeExclusive "2025-11-05T00:00:00"^^xsd:dateTime
solveit-observable:startTimeInclusive "2025-11-04T00:00:00"^^xsd:dateTime

Examples of solveit-observable:TimelineEntry

README.TXT created
Instance URI: https://ontology.solveit-df.org/solveit/examples/te-file001-created
Property Value
solveit-observable:timelineEntryValue https://ontology.solveit-df.org/solveit/examples/file001-createdTs
README.TXT modified
Instance URI: https://ontology.solveit-df.org/solveit/examples/te-file001-modified
Property Value
solveit-observable:timelineEntryValue https://ontology.solveit-df.org/solveit/examples/file001-modifiedTs
README.TXT accessed
Instance URI: https://ontology.solveit-df.org/solveit/examples/te-file001-accessed
Property Value
solveit-observable:timelineEntryValue https://ontology.solveit-df.org/solveit/examples/file001-accessedRange
NOTES.TXT created
Instance URI: https://ontology.solveit-df.org/solveit/examples/te-file002-created
Property Value
solveit-observable:timelineEntryValue https://ontology.solveit-df.org/solveit/examples/file002-createdTs
NOTES.TXT modified
Instance URI: https://ontology.solveit-df.org/solveit/examples/te-file002-modified
Property Value
solveit-observable:timelineEntryValue https://ontology.solveit-df.org/solveit/examples/file002-modifiedTs
NOTES.TXT accessed
Instance URI: https://ontology.solveit-df.org/solveit/examples/te-file002-accessed
Property Value
solveit-observable:timelineEntryValue https://ontology.solveit-df.org/solveit/examples/file002-accessedRange
DRAFT.DOC created
Instance URI: https://ontology.solveit-df.org/solveit/examples/te-file003-created
Property Value
solveit-observable:timelineEntryValue https://ontology.solveit-df.org/solveit/examples/file003-createdTs
DRAFT.DOC modified
Instance URI: https://ontology.solveit-df.org/solveit/examples/te-file003-modified
Property Value
solveit-observable:timelineEntryValue https://ontology.solveit-df.org/solveit/examples/file003-modifiedTs
DRAFT.DOC accessed
Instance URI: https://ontology.solveit-df.org/solveit/examples/te-file003-accessed
Property Value
solveit-observable:timelineEntryValue https://ontology.solveit-df.org/solveit/examples/file003-accessedRange
BUDGET.XLS created
Instance URI: https://ontology.solveit-df.org/solveit/examples/te-file004-created
Property Value
solveit-observable:timelineEntryValue https://ontology.solveit-df.org/solveit/examples/file004-createdTs
BUDGET.XLS modified
Instance URI: https://ontology.solveit-df.org/solveit/examples/te-file004-modified
Property Value
solveit-observable:timelineEntryValue https://ontology.solveit-df.org/solveit/examples/file004-modifiedTs
BUDGET.XLS accessed
Instance URI: https://ontology.solveit-df.org/solveit/examples/te-file004-accessed
Property Value
solveit-observable:timelineEntryValue https://ontology.solveit-df.org/solveit/examples/file004-accessedRange
PHOTO.JPG created
Instance URI: https://ontology.solveit-df.org/solveit/examples/te-file005-created
Property Value
solveit-observable:timelineEntryValue https://ontology.solveit-df.org/solveit/examples/file005-createdTs
PHOTO.JPG modified
Instance URI: https://ontology.solveit-df.org/solveit/examples/te-file005-modified
Property Value
solveit-observable:timelineEntryValue https://ontology.solveit-df.org/solveit/examples/file005-modifiedTs
PHOTO.JPG accessed
Instance URI: https://ontology.solveit-df.org/solveit/examples/te-file005-accessed
Property Value
solveit-observable:timelineEntryValue https://ontology.solveit-df.org/solveit/examples/file005-accessedRange

Examples of solveit-observable:Timeline

FAT timestamp timeline (unsorted, 15 entries)
Instance URI: https://ontology.solveit-df.org/solveit/examples/fatTimeline001
Property Value
http://www.w3.org/2000/01/rdf-schema#comment "Unsorted timeline containing created, modified, and accessed entries for all 5 files on the FAT32 USB drive. 15 entries total."@en
solveit-observable:hasTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file001-created
solveit-observable:hasTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file001-modified
solveit-observable:hasTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file001-accessed
solveit-observable:hasTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file002-created
solveit-observable:hasTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file002-modified
solveit-observable:hasTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file002-accessed
solveit-observable:hasTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file003-created
solveit-observable:hasTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file003-modified
solveit-observable:hasTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file003-accessed
solveit-observable:hasTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file004-created
solveit-observable:hasTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file004-modified
solveit-observable:hasTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file004-accessed
solveit-observable:hasTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file005-created
solveit-observable:hasTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file005-modified
solveit-observable:hasTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file005-accessed

Examples of solveit-observable:SortedTimelineEntry

README.TXT created (position 1)
Instance URI: https://ontology.solveit-df.org/solveit/examples/ste-file001-created
Property Value
solveit-observable:referencesTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file001-created
solveit-observable:sortPosition "1"^^xsd:nonNegativeInteger
README.TXT modified (position 2)
Instance URI: https://ontology.solveit-df.org/solveit/examples/ste-file001-modified
Property Value
solveit-observable:referencesTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file001-modified
solveit-observable:sortPosition "2"^^xsd:nonNegativeInteger
NOTES.TXT created (position 3)
Instance URI: https://ontology.solveit-df.org/solveit/examples/ste-file002-created
Property Value
solveit-observable:referencesTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file002-created
solveit-observable:sortPosition "3"^^xsd:nonNegativeInteger
DRAFT.DOC created (position 4)
Instance URI: https://ontology.solveit-df.org/solveit/examples/ste-file003-created
Property Value
solveit-observable:referencesTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file003-created
solveit-observable:sortPosition "4"^^xsd:nonNegativeInteger
NOTES.TXT modified (position 5, tied)
Instance URI: https://ontology.solveit-df.org/solveit/examples/ste-file002-modified
Property Value
solveit-observable:referencesTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file002-modified
solveit-observable:sortPosition "5"^^xsd:nonNegativeInteger
DRAFT.DOC modified (position 5, tied)
Instance URI: https://ontology.solveit-df.org/solveit/examples/ste-file003-modified
Property Value
solveit-observable:referencesTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file003-modified
solveit-observable:sortPosition "5"^^xsd:nonNegativeInteger
BUDGET.XLS created (position 6)
Instance URI: https://ontology.solveit-df.org/solveit/examples/ste-file004-created
Property Value
solveit-observable:referencesTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file004-created
solveit-observable:sortPosition "6"^^xsd:nonNegativeInteger
BUDGET.XLS modified (position 7)
Instance URI: https://ontology.solveit-df.org/solveit/examples/ste-file004-modified
Property Value
solveit-observable:referencesTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file004-modified
solveit-observable:sortPosition "7"^^xsd:nonNegativeInteger
PHOTO.JPG created (position 8)
Instance URI: https://ontology.solveit-df.org/solveit/examples/ste-file005-created
Property Value
solveit-observable:referencesTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file005-created
solveit-observable:sortPosition "8"^^xsd:nonNegativeInteger
PHOTO.JPG modified (position 9)
Instance URI: https://ontology.solveit-df.org/solveit/examples/ste-file005-modified
Property Value
solveit-observable:referencesTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file005-modified
solveit-observable:sortPosition "9"^^xsd:nonNegativeInteger
README.TXT accessed (position 10, tied)
Instance URI: https://ontology.solveit-df.org/solveit/examples/ste-file001-accessed
Property Value
solveit-observable:referencesTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file001-accessed
solveit-observable:sortPosition "10"^^xsd:nonNegativeInteger
NOTES.TXT accessed (position 10, tied)
Instance URI: https://ontology.solveit-df.org/solveit/examples/ste-file002-accessed
Property Value
solveit-observable:referencesTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file002-accessed
solveit-observable:sortPosition "10"^^xsd:nonNegativeInteger
DRAFT.DOC accessed (position 11, tied)
Instance URI: https://ontology.solveit-df.org/solveit/examples/ste-file003-accessed
Property Value
solveit-observable:referencesTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file003-accessed
solveit-observable:sortPosition "11"^^xsd:nonNegativeInteger
BUDGET.XLS accessed (position 11, tied)
Instance URI: https://ontology.solveit-df.org/solveit/examples/ste-file004-accessed
Property Value
solveit-observable:referencesTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file004-accessed
solveit-observable:sortPosition "11"^^xsd:nonNegativeInteger
PHOTO.JPG accessed (position 11, tied)
Instance URI: https://ontology.solveit-df.org/solveit/examples/ste-file005-accessed
Property Value
solveit-observable:referencesTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file005-accessed
solveit-observable:sortPosition "11"^^xsd:nonNegativeInteger

Examples of solveit-observable:SortedTimeline

FAT timestamp timeline (sorted, 15 entries)
Instance URI: https://ontology.solveit-df.org/solveit/examples/fatSortedTimeline001
Property Value
http://www.w3.org/2000/01/rdf-schema#comment "Sorted timeline of all 15 FAT timestamp entries from the suspect USB drive. Three sets of ties: (1) NOTES.TXT and DRAFT.DOC modified at position 5 (same 2s value), (2) README.TXT and NOTES.TXT accessed at position 10 (same day 2025-11-03), (3) DRAFT.DOC, BUDGET.XLS, and PHOTO.JPG accessed at position 11 (same day 2025-11-04). Accessed date ranges are placed at the end of their respective days."@en
solveit-observable:hasSortedTimelineEntry https://ontology.solveit-df.org/solveit/examples/ste-file001-created
solveit-observable:hasSortedTimelineEntry https://ontology.solveit-df.org/solveit/examples/ste-file001-modified
solveit-observable:hasSortedTimelineEntry https://ontology.solveit-df.org/solveit/examples/ste-file001-accessed
solveit-observable:hasSortedTimelineEntry https://ontology.solveit-df.org/solveit/examples/ste-file002-created
solveit-observable:hasSortedTimelineEntry https://ontology.solveit-df.org/solveit/examples/ste-file002-modified
solveit-observable:hasSortedTimelineEntry https://ontology.solveit-df.org/solveit/examples/ste-file002-accessed
solveit-observable:hasSortedTimelineEntry https://ontology.solveit-df.org/solveit/examples/ste-file003-created
solveit-observable:hasSortedTimelineEntry https://ontology.solveit-df.org/solveit/examples/ste-file003-modified
solveit-observable:hasSortedTimelineEntry https://ontology.solveit-df.org/solveit/examples/ste-file003-accessed
solveit-observable:hasSortedTimelineEntry https://ontology.solveit-df.org/solveit/examples/ste-file004-created
solveit-observable:hasSortedTimelineEntry https://ontology.solveit-df.org/solveit/examples/ste-file004-modified
solveit-observable:hasSortedTimelineEntry https://ontology.solveit-df.org/solveit/examples/ste-file004-accessed
solveit-observable:hasSortedTimelineEntry https://ontology.solveit-df.org/solveit/examples/ste-file005-created
solveit-observable:hasSortedTimelineEntry https://ontology.solveit-df.org/solveit/examples/ste-file005-modified
solveit-observable:hasSortedTimelineEntry https://ontology.solveit-df.org/solveit/examples/ste-file005-accessed
solveit-observable:hasTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file001-created
solveit-observable:hasTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file001-modified
solveit-observable:hasTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file001-accessed
solveit-observable:hasTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file002-created
solveit-observable:hasTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file002-modified
solveit-observable:hasTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file002-accessed
solveit-observable:hasTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file003-created
solveit-observable:hasTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file003-modified
solveit-observable:hasTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file003-accessed
solveit-observable:hasTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file004-created
solveit-observable:hasTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file004-modified
solveit-observable:hasTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file004-accessed
solveit-observable:hasTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file005-created
solveit-observable:hasTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file005-modified
solveit-observable:hasTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file005-accessed

Examples of solveit-observable:SortedTimelineEntry

NOTES.TXT created (filtered position 1)
Instance URI: https://ontology.solveit-df.org/solveit/examples/fste-file002-created
Property Value
solveit-observable:referencesTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file002-created
solveit-observable:sortPosition "1"^^xsd:nonNegativeInteger
DRAFT.DOC created (filtered position 2)
Instance URI: https://ontology.solveit-df.org/solveit/examples/fste-file003-created
Property Value
solveit-observable:referencesTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file003-created
solveit-observable:sortPosition "2"^^xsd:nonNegativeInteger
NOTES.TXT modified (filtered position 3, tied)
Instance URI: https://ontology.solveit-df.org/solveit/examples/fste-file002-modified
Property Value
solveit-observable:referencesTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file002-modified
solveit-observable:sortPosition "3"^^xsd:nonNegativeInteger
DRAFT.DOC modified (filtered position 3, tied)
Instance URI: https://ontology.solveit-df.org/solveit/examples/fste-file003-modified
Property Value
solveit-observable:referencesTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file003-modified
solveit-observable:sortPosition "3"^^xsd:nonNegativeInteger

Examples of solveit-observable:SortedTimeline

Filtered timeline around DRAFT.DOC creation (4 entries)
Instance URI: https://ontology.solveit-df.org/solveit/examples/filteredSortedTimeline001
Property Value
http://www.w3.org/2000/01/rdf-schema#comment "Filtered sorted timeline containing only entries within the window 10:20:00-10:23:00 on 2025-11-03, centred around DRAFT.DOC's creation. Shows that NOTES.TXT was created 690ms before DRAFT.DOC (distinguishable at 10ms resolution), but both files were modified within the same 2-second FAT window (tied at position 3). This pattern is consistent with two files being saved in rapid succession."@en
solveit-observable:hasSortedTimelineEntry https://ontology.solveit-df.org/solveit/examples/fste-file002-created
solveit-observable:hasSortedTimelineEntry https://ontology.solveit-df.org/solveit/examples/fste-file003-created
solveit-observable:hasSortedTimelineEntry https://ontology.solveit-df.org/solveit/examples/fste-file002-modified
solveit-observable:hasSortedTimelineEntry https://ontology.solveit-df.org/solveit/examples/fste-file003-modified
solveit-observable:hasTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file002-created
solveit-observable:hasTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file003-created
solveit-observable:hasTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file002-modified
solveit-observable:hasTimelineEntry https://ontology.solveit-df.org/solveit/examples/te-file003-modified

Examples of solveit-observable:SQLiteDatabase

Examples of solveit-observable:SQLiteTable

Examples of solveit-observable:SQLiteSchema

Examples of solveit-observable:SQLiteFieldDefinition

id column
Instance URI: https://ontology.solveit-df.org/solveit/examples/colId
Property Value
solveit-observable:fieldIndex "0"^^xsd:integer
solveit-observable:fieldName "id"
solveit-observable:fieldType "INTEGER"
solveit-observable:isPrimaryKey "true"^^xsd:boolean
message column
Instance URI: https://ontology.solveit-df.org/solveit/examples/colMessage
Property Value
solveit-observable:fieldIndex "1"^^xsd:integer
solveit-observable:fieldName "message"
solveit-observable:fieldType "TEXT"
solveit-observable:isPrimaryKey "false"^^xsd:boolean

Examples of solveit-observable:SQLitePage

Page 2 — leaf
Instance URI: https://ontology.solveit-df.org/solveit/examples/page2
Property Value
solveit-observable:containsDataFrom https://ontology.solveit-df.org/solveit/examples/greetings
solveit-observable:pageNumber "2"^^xsd:integer
solveit-observable:pageType "b-tree leaf"

Examples of solveit-observable:SQLiteRecord

Examples of solveit-observable:SQLiteField

id = 1
Instance URI: https://ontology.solveit-df.org/solveit/examples/row1_id
Property Value
solveit-observable:definedBy https://ontology.solveit-df.org/solveit/examples/colId
solveit-observable:fieldContentInteger "1"^^xsd:integer
message = 'Hello, World!'
Instance URI: https://ontology.solveit-df.org/solveit/examples/row1_message
Property Value
solveit-observable:definedBy https://ontology.solveit-df.org/solveit/examples/colMessage
solveit-observable:fieldContentText "Hello, World!"

Examples of solveit-observable:SQLiteRecord

Examples of solveit-observable:SQLiteField

id = 2
Instance URI: https://ontology.solveit-df.org/solveit/examples/row2_id
Property Value
solveit-observable:definedBy https://ontology.solveit-df.org/solveit/examples/colId
solveit-observable:fieldContentInteger "2"^^xsd:integer
message = 'Bonjour, le monde!'
Instance URI: https://ontology.solveit-df.org/solveit/examples/row2_message
Property Value
solveit-observable:definedBy https://ontology.solveit-df.org/solveit/examples/colMessage
solveit-observable:fieldContentText "Bonjour, le monde!"

Examples of uco-observable:FileSystem

FAT32 filesystem on USB drive
Instance URI: https://ontology.solveit-df.org/solveit/examples/filesystem-68b52e60-1f7f-4f22-8c5e-dd0492d3ee07
PropertyValue

Examples of solveit-observable:FileSet

Enumerated files from FAT32 USB drive
Instance URI: https://ontology.solveit-df.org/solveit/examples/fileset-68b52e60-1f7f-4f22-8c5e-dd0492d3ee07
PropertyValue

Examples of solveit-core:SolveitInvestigativeAction

enumerateFilesAction001
Instance URI: https://ontology.solveit-df.org/solveit/examples/enumerateFilesAction001
PropertyValue
http://www.w3.org/2000/01/rdf-schema#comment "T1060: Enumerate allocated files and folders - extracts file objects with standard UCO FileFacet timestamps."@en
solveit-core:usedTechnique https://ontology.solveit-df.org/solveit/data/techniqueDFT-1060
https://ontology.unifiedcyberontology.org/uco/action/endTime "2026-01-28T10:05:00+00:00"^^xsd:dateTime
https://ontology.unifiedcyberontology.org/uco/action/instrument https://ontology.solveit-df.org/solveit/examples/tool-acme-filesystem-parser
https://ontology.unifiedcyberontology.org/uco/action/object https://ontology.solveit-df.org/solveit/examples/filesystem-68b52e60-1f7f-4f22-8c5e-dd0492d3ee07
https://ontology.unifiedcyberontology.org/uco/action/performer https://ontology.solveit-df.org/solveit/examples/examiner-john-smith
https://ontology.unifiedcyberontology.org/uco/action/result https://ontology.solveit-df.org/solveit/examples/fileset-68b52e60-1f7f-4f22-8c5e-dd0492d3ee07
https://ontology.unifiedcyberontology.org/uco/action/startTime "2026-01-28T10:00:00+00:00"^^xsd:dateTime
https://ontology.unifiedcyberontology.org/uco/core/description "Enumeration of allocated files and folders from FAT32 USB drive"
https://ontology.unifiedcyberontology.org/uco/core/name "enumerate-files"
timelineGenerationAction001
Instance URI: https://ontology.solveit-df.org/solveit/examples/timelineGenerationAction001
PropertyValue
http://www.w3.org/2000/01/rdf-schema#comment "T1052: Timeline generation - takes files with UCO timestamps, creates TimelineEntries with DateTimeStamp values (including resolution/timezone metadata), and assembles them into a Timeline."@en
solveit-core:usedTechnique https://ontology.solveit-df.org/solveit/data/techniqueDFT-1052
https://ontology.unifiedcyberontology.org/uco/action/endTime "2026-01-28T10:06:00+00:00"^^xsd:dateTime
https://ontology.unifiedcyberontology.org/uco/action/instrument https://ontology.solveit-df.org/solveit/examples/tool-acme-timeline-generator
https://ontology.unifiedcyberontology.org/uco/action/object https://ontology.solveit-df.org/solveit/examples/fatFile001
https://ontology.unifiedcyberontology.org/uco/action/performer https://ontology.solveit-df.org/solveit/examples/examiner-john-smith
https://ontology.unifiedcyberontology.org/uco/action/result https://ontology.solveit-df.org/solveit/examples/timelineEntry001-fatFile001-created
https://ontology.unifiedcyberontology.org/uco/action/result https://ontology.solveit-df.org/solveit/examples/timelineEntry002-fatFile001-modified
https://ontology.unifiedcyberontology.org/uco/action/result https://ontology.solveit-df.org/solveit/examples/timelineEntry003-fatFile001-accessed
https://ontology.unifiedcyberontology.org/uco/action/result https://ontology.solveit-df.org/solveit/examples/fatTimestampTimeline001
https://ontology.unifiedcyberontology.org/uco/action/startTime "2026-01-28T10:05:00+00:00"^^xsd:dateTime
https://ontology.unifiedcyberontology.org/uco/core/description "Generation of forensic timeline from FAT filesystem metadata"
https://ontology.unifiedcyberontology.org/uco/core/name "generate-timeline"

Examples of uco-observable:File

REPORT.DOC
Instance URI: https://ontology.solveit-df.org/solveit/examples/fatFile001
PropertyValue
http://www.w3.org/2000/01/rdf-schema#comment "A file on a FAT32 USB drive with typical FAT timestamp resolutions."@en
https://ontology.unifiedcyberontology.org/uco/core/hasFacet https://ontology.solveit-df.org/solveit/examples/fatFile001-fileFacet
https://ontology.unifiedcyberontology.org/uco/core/name "REPORT.DOC"

Examples of uco-observable:FileFacet

fatFile001-fileFacet
Instance URI: https://ontology.solveit-df.org/solveit/examples/fatFile001-fileFacet
PropertyValue
http://www.w3.org/2000/01/rdf-schema#comment "Standard UCO FileFacet with timestamps as simple xsd:dateTime values (no resolution/timezone metadata)."@en
uco-observable:accessedTime "2024-06-16T00:00:00"^^xsd:dateTime
uco-observable:creationTime "2024-06-15T14:32:05.120000"^^xsd:dateTime
uco-observable:fileName "REPORT.DOC"
uco-observable:modifiedTime "2024-06-15T16:45:22"^^xsd:dateTime

Examples of solveit-observable:DateTimeStamp

REPORT.DOC created timestamp
Instance URI: https://ontology.solveit-df.org/solveit/examples/fatFile001-createdTimestamp
PropertyValue
http://www.w3.org/2000/01/rdf-schema#comment "FAT created time has 10ms resolution (2-second base plus hundredths byte)."@en
solveit-observable:timestampResolution "10ms"
solveit-observable:timestampTimezone "unknown"
solveit-observable:timestampValue "2024-06-15T14:32:05.120000"^^xsd:dateTime
REPORT.DOC modified timestamp
Instance URI: https://ontology.solveit-df.org/solveit/examples/fatFile001-modifiedTimestamp
PropertyValue
http://www.w3.org/2000/01/rdf-schema#comment "FAT modified/write time has 2 second resolution."@en
solveit-observable:timestampResolution "2s"
solveit-observable:timestampTimezone "unknown"
solveit-observable:timestampValue "2024-06-15T16:45:22"^^xsd:dateTime
REPORT.DOC accessed timestamp
Instance URI: https://ontology.solveit-df.org/solveit/examples/fatFile001-accessedTimestamp
PropertyValue
http://www.w3.org/2000/01/rdf-schema#comment "FAT accessed time has 1 day resolution (date only, no time component)."@en
solveit-observable:timestampResolution "1d"
solveit-observable:timestampTimezone "unknown"
solveit-observable:timestampValue "2024-06-16"^^xsd:date

Examples of solveit-observable:TimelineEntry

REPORT.DOC created
Instance URI: https://ontology.solveit-df.org/solveit/examples/timelineEntry001-fatFile001-created
PropertyValue
solveit-observable:timelineEntryValue https://ontology.solveit-df.org/solveit/examples/fatFile001-createdTimestamp
REPORT.DOC modified
Instance URI: https://ontology.solveit-df.org/solveit/examples/timelineEntry002-fatFile001-modified
PropertyValue
solveit-observable:timelineEntryValue https://ontology.solveit-df.org/solveit/examples/fatFile001-modifiedTimestamp
REPORT.DOC accessed
Instance URI: https://ontology.solveit-df.org/solveit/examples/timelineEntry003-fatFile001-accessed
PropertyValue
solveit-observable:timelineEntryValue https://ontology.solveit-df.org/solveit/examples/fatFile001-accessedTimestamp

Examples of solveit-observable:Timeline

FAT filesystem timeline for REPORT.DOC
Instance URI: https://ontology.solveit-df.org/solveit/examples/fatTimestampTimeline001
PropertyValue
http://www.w3.org/2000/01/rdf-schema#comment "Timeline showing MAC times for a FAT file, demonstrating different timestamp resolutions."@en
solveit-observable:hasTimelineEntry https://ontology.solveit-df.org/solveit/examples/timelineEntry001-fatFile001-created
solveit-observable:hasTimelineEntry https://ontology.solveit-df.org/solveit/examples/timelineEntry002-fatFile001-modified
solveit-observable:hasTimelineEntry https://ontology.solveit-df.org/solveit/examples/timelineEntry003-fatFile001-accessed

Examples of uco-observable:FileSystem

FAT32 filesystem on USB drive
Instance URI: https://ontology.solveit-df.org/solveit/examples/filesystem-68b52e60-1f7f-4f22-8c5e-dd0492d3ee07
PropertyValue

Examples of solveit-observable:FileSet

Enumerated files from FAT32 USB drive
Instance URI: https://ontology.solveit-df.org/solveit/examples/fileset-68b52e60-1f7f-4f22-8c5e-dd0492d3ee07
PropertyValue

Examples of solveit-core:SolveitInvestigativeAction

enumerateFilesAction002
Instance URI: https://ontology.solveit-df.org/solveit/examples/enumerateFilesAction002
PropertyValue
http://www.w3.org/2000/01/rdf-schema#comment "T1060: Enumerate allocated files - extracts file objects with directory entry metadata including start cluster."@en
solveit-core:usedTechnique https://ontology.solveit-df.org/solveit/data/techniqueDFT-1060
https://ontology.unifiedcyberontology.org/uco/action/endTime "2026-01-28T11:03:00+00:00"^^xsd:dateTime
https://ontology.unifiedcyberontology.org/uco/action/instrument https://ontology.solveit-df.org/solveit/examples/tool-acme-filesystem-parser
https://ontology.unifiedcyberontology.org/uco/action/object https://ontology.solveit-df.org/solveit/examples/filesystem-68b52e60-1f7f-4f22-8c5e-dd0492d3ee07
https://ontology.unifiedcyberontology.org/uco/action/performer https://ontology.solveit-df.org/solveit/examples/examiner-john-smith
https://ontology.unifiedcyberontology.org/uco/action/result https://ontology.solveit-df.org/solveit/examples/fileset-68b52e60-1f7f-4f22-8c5e-dd0492d3ee07
https://ontology.unifiedcyberontology.org/uco/action/startTime "2026-01-28T11:00:00+00:00"^^xsd:dateTime
https://ontology.unifiedcyberontology.org/uco/core/description "Enumeration of allocated files from FAT32 USB drive"
https://ontology.unifiedcyberontology.org/uco/core/name "enumerate-files"
clusterTimelineGenerationAction001
Instance URI: https://ontology.solveit-df.org/solveit/examples/clusterTimelineGenerationAction001
PropertyValue
http://www.w3.org/2000/01/rdf-schema#comment "T1052: Timeline generation - creates TimelineEntries with ImplicitTimingInformation values (start clusters) to show allocation order."@en
solveit-core:usedTechnique https://ontology.solveit-df.org/solveit/data/techniqueDFT-1052
https://ontology.unifiedcyberontology.org/uco/action/endTime "2026-01-28T11:04:00+00:00"^^xsd:dateTime
https://ontology.unifiedcyberontology.org/uco/action/instrument https://ontology.solveit-df.org/solveit/examples/tool-acme-timeline-generator
https://ontology.unifiedcyberontology.org/uco/action/object https://ontology.solveit-df.org/solveit/examples/implicit_example_file001
https://ontology.unifiedcyberontology.org/uco/action/object https://ontology.solveit-df.org/solveit/examples/implicit_example_file002
https://ontology.unifiedcyberontology.org/uco/action/object https://ontology.solveit-df.org/solveit/examples/implicit_example_file003
https://ontology.unifiedcyberontology.org/uco/action/performer https://ontology.solveit-df.org/solveit/examples/examiner-john-smith
https://ontology.unifiedcyberontology.org/uco/action/result https://ontology.solveit-df.org/solveit/examples/timelineEntry001-implicit_example_file001
https://ontology.unifiedcyberontology.org/uco/action/result https://ontology.solveit-df.org/solveit/examples/timelineEntry002-implicit_example_file002
https://ontology.unifiedcyberontology.org/uco/action/result https://ontology.solveit-df.org/solveit/examples/timelineEntry003-implicit_example_file003
https://ontology.unifiedcyberontology.org/uco/action/result https://ontology.solveit-df.org/solveit/examples/clusterAllocationTimeline001
https://ontology.unifiedcyberontology.org/uco/action/startTime "2026-01-28T11:03:00+00:00"^^xsd:dateTime
https://ontology.unifiedcyberontology.org/uco/core/description "Generation of allocation order timeline from FAT cluster metadata"
https://ontology.unifiedcyberontology.org/uco/core/name "generate-cluster-timeline"

Examples of uco-observable:File

BUDGET.XLS
Instance URI: https://ontology.solveit-df.org/solveit/examples/implicit_example_file001
PropertyValue
http://www.w3.org/2000/01/rdf-schema#comment "A spreadsheet file on a FAT32 USB drive (contiguous, single run)."@en
solveit-observable:hasClusterRun https://ontology.solveit-df.org/solveit/examples/implicit_example_file001-run1
https://ontology.unifiedcyberontology.org/uco/core/name "BUDGET.XLS"

Examples of solveit-observable:ClusterRun

BUDGET.XLS cluster run
Instance URI: https://ontology.solveit-df.org/solveit/examples/implicit_example_file001-run1
PropertyValue
http://www.w3.org/2000/01/rdf-schema#comment "Single contiguous run of 8 clusters."@en
solveit-observable:runClusterCount "8"^^xsd:integer
solveit-observable:runStartCluster "1024"^^xsd:integer

Examples of uco-observable:File

MEMO.TXT
Instance URI: https://ontology.solveit-df.org/solveit/examples/implicit_example_file002
PropertyValue
http://www.w3.org/2000/01/rdf-schema#comment "A text file on the FAT32 USB drive (contiguous, single run)."@en
solveit-observable:hasClusterRun https://ontology.solveit-df.org/solveit/examples/implicit_example_file002-run1
https://ontology.unifiedcyberontology.org/uco/core/name "MEMO.TXT"

Examples of solveit-observable:ClusterRun

MEMO.TXT cluster run
Instance URI: https://ontology.solveit-df.org/solveit/examples/implicit_example_file002-run1
PropertyValue
http://www.w3.org/2000/01/rdf-schema#comment "Single contiguous run of 2 clusters."@en
solveit-observable:runClusterCount "2"^^xsd:integer
solveit-observable:runStartCluster "2048"^^xsd:integer

Examples of uco-observable:File

PHOTO.JPG
Instance URI: https://ontology.solveit-df.org/solveit/examples/implicit_example_file003
PropertyValue
http://www.w3.org/2000/01/rdf-schema#comment "An image file on the FAT32 USB drive (fragmented, two runs)."@en
solveit-observable:hasClusterRun https://ontology.solveit-df.org/solveit/examples/implicit_example_file003-run1
solveit-observable:hasClusterRun https://ontology.solveit-df.org/solveit/examples/implicit_example_file003-run2
https://ontology.unifiedcyberontology.org/uco/core/name "PHOTO.JPG"

Examples of solveit-observable:ClusterRun

PHOTO.JPG cluster run 1
Instance URI: https://ontology.solveit-df.org/solveit/examples/implicit_example_file003-run1
PropertyValue
http://www.w3.org/2000/01/rdf-schema#comment "First fragment: 12 clusters starting at 1536."@en
solveit-observable:runClusterCount "12"^^xsd:integer
solveit-observable:runStartCluster "1536"^^xsd:integer
PHOTO.JPG cluster run 2
Instance URI: https://ontology.solveit-df.org/solveit/examples/implicit_example_file003-run2
PropertyValue
http://www.w3.org/2000/01/rdf-schema#comment "Second fragment: 4 clusters starting at 3072."@en
solveit-observable:runClusterCount "4"^^xsd:integer
solveit-observable:runStartCluster "3072"^^xsd:integer

Examples of solveit-observable:ImplicitTimingInformation

BUDGET.XLS start cluster
Instance URI: https://ontology.solveit-df.org/solveit/examples/implicit_example_file001-startCluster
PropertyValue
http://www.w3.org/2000/01/rdf-schema#comment "Start cluster derived from first run of BUDGET.XLS - lower cluster numbers generally indicate earlier allocation."@en
solveit-observable:timingInformationValue "1024"^^xsd:integer
MEMO.TXT start cluster
Instance URI: https://ontology.solveit-df.org/solveit/examples/implicit_example_file002-startCluster
PropertyValue
http://www.w3.org/2000/01/rdf-schema#comment "Start cluster derived from first run of MEMO.TXT."@en
solveit-observable:timingInformationValue "2048"^^xsd:integer
PHOTO.JPG start cluster
Instance URI: https://ontology.solveit-df.org/solveit/examples/implicit_example_file003-startCluster
PropertyValue
http://www.w3.org/2000/01/rdf-schema#comment "Start cluster derived from first run of PHOTO.JPG - between BUDGET.XLS and MEMO.TXT in allocation order."@en
solveit-observable:timingInformationValue "1536"^^xsd:integer

Examples of solveit-observable:TimelineEntry

BUDGET.XLS allocation
Instance URI: https://ontology.solveit-df.org/solveit/examples/timelineEntry001-implicit_example_file001
PropertyValue
solveit-observable:timelineEntryValue https://ontology.solveit-df.org/solveit/examples/implicit_example_file001-startCluster
MEMO.TXT allocation
Instance URI: https://ontology.solveit-df.org/solveit/examples/timelineEntry002-implicit_example_file002
PropertyValue
solveit-observable:timelineEntryValue https://ontology.solveit-df.org/solveit/examples/implicit_example_file002-startCluster
PHOTO.JPG allocation
Instance URI: https://ontology.solveit-df.org/solveit/examples/timelineEntry003-implicit_example_file003
PropertyValue
solveit-observable:timelineEntryValue https://ontology.solveit-df.org/solveit/examples/implicit_example_file003-startCluster

Examples of solveit-observable:Timeline

FAT cluster allocation timeline
Instance URI: https://ontology.solveit-df.org/solveit/examples/clusterAllocationTimeline001
PropertyValue
http://www.w3.org/2000/01/rdf-schema#comment "Timeline based on start cluster numbers, providing implicit ordering information. Cluster order suggests BUDGET.XLS was allocated first, then PHOTO.JPG, then MEMO.TXT."@en
solveit-observable:hasTimelineEntry https://ontology.solveit-df.org/solveit/examples/timelineEntry001-implicit_example_file001
solveit-observable:hasTimelineEntry https://ontology.solveit-df.org/solveit/examples/timelineEntry002-implicit_example_file002
solveit-observable:hasTimelineEntry https://ontology.solveit-df.org/solveit/examples/timelineEntry003-implicit_example_file003

Examples of uco-observable:Device

Suspect's mobile phone (iPhone 14)
Instance URI: https://ontology.solveit-df.org/solveit/examples/device-suspect-phone
PropertyValue
Suspect's laptop (Dell XPS 15)
Instance URI: https://ontology.solveit-df.org/solveit/examples/device-suspect-laptop
PropertyValue
Shared household tablet (iPad Air)
Instance URI: https://ontology.solveit-df.org/solveit/examples/device-shared-tablet
PropertyValue

Examples of solveit-observable:DeviceSet

Examples of solveit-core:SolveitInvestigativeAction

triage-action
Instance URI: https://ontology.solveit-df.org/solveit/examples/triage-action
PropertyValue
solveit-core:usedTechnique https://ontology.solveit-df.org/solveit/data/techniqueDFT-1001
https://ontology.unifiedcyberontology.org/uco/action/endTime "2026-02-16T10:45:00+00:00"^^xsd:dateTime
https://ontology.unifiedcyberontology.org/uco/action/object https://ontology.solveit-df.org/solveit/examples/seized-device-set
https://ontology.unifiedcyberontology.org/uco/action/performer https://ontology.solveit-df.org/solveit/examples/examiner-1
https://ontology.unifiedcyberontology.org/uco/action/result https://ontology.solveit-df.org/solveit/examples/prioritized-device-set
https://ontology.unifiedcyberontology.org/uco/action/startTime "2026-02-16T10:00:00+00:00"^^xsd:dateTime
https://ontology.unifiedcyberontology.org/uco/core/description "Examiner triaged seized devices based on case relevance and expected evidentiary value"
https://ontology.unifiedcyberontology.org/uco/core/name "Device triage"

Examples of solveit-observable:PrioritizedDeviceSet

Examples of solveit-observable:PrioritizedDeviceEntry

priority-entry-phone
Instance URI: https://ontology.solveit-df.org/solveit/examples/priority-entry-phone
PropertyValue
http://www.w3.org/2000/01/rdf-schema#comment "Primary communication device"@en
solveit-observable:entryDevice https://ontology.solveit-df.org/solveit/examples/device-suspect-phone
solveit-observable:entryPriority "high"
priority-entry-laptop
Instance URI: https://ontology.solveit-df.org/solveit/examples/priority-entry-laptop
PropertyValue
http://www.w3.org/2000/01/rdf-schema#comment "Work laptop"@en
solveit-observable:entryDevice https://ontology.solveit-df.org/solveit/examples/device-suspect-laptop
solveit-observable:entryPriority "medium"
priority-entry-tablet
Instance URI: https://ontology.solveit-df.org/solveit/examples/priority-entry-tablet
PropertyValue
http://www.w3.org/2000/01/rdf-schema#comment "Shared household device"@en
solveit-observable:entryDevice https://ontology.solveit-df.org/solveit/examples/device-shared-tablet
solveit-observable:entryPriority "low"

Examples of solveit-core:Technique

DFT-1002: Disk imaging
Instance URI: https://ontology.solveit-df.org/solveit/examples/techniqueDFT-1002
PropertyValue
solveit-core:hasCASEOutputClass "https://ontology.unifiedcyberontology.org/uco/observable/Image"^^xsd:anyURI
solveit-core:hasExample "dcfldd"
solveit-core:hasExample "FTK Imager"
solveit-core:hasExample "Magnet ACQUIRE"
solveit-core:hasPotentialWeakness https://ontology.solveit-df.org/solveit/examples/weaknessDFW-1004
solveit-core:hasPotentialWeakness https://ontology.solveit-df.org/solveit/examples/weaknessDFW-1014
solveit-core:hasPotentialWeakness https://ontology.solveit-df.org/solveit/examples/weaknessDFW-1015
solveit-core:hasReference "Nikkel, B., 2016. Practical forensic imaging: securing digital evidence with Linux tools. No Starch Press, Chapter 6, 'Forensic Image Acquisition'"
solveit-core:techniqueDescription "Copying of sectors from a storage medium, typically LBA~0~ to LBA~max~, into an imaging format. This could be from a traditional hard disk, SSD, USB stick, or data from an eMMC chip that has been desoldered and placed in a reader."
solveit-core:techniqueID "DFT-1002"
solveit-core:techniqueName "Disk imaging"

Examples of solveit-core:Weakness

DFW-1014: Imaging process changes original data
Instance URI: https://ontology.solveit-df.org/solveit/examples/weaknessDFW-1014
PropertyValue
solveit-core:weaknessID "DFW-1014"
solveit-core:weaknessName "Imaging process changes original data"
DFW-1015: Powering on SSD results in sectors being wiped by TRIM operation
Instance URI: https://ontology.solveit-df.org/solveit/examples/weaknessDFW-1015
PropertyValue
solveit-core:weaknessID "DFW-1015"
solveit-core:weaknessName "Powering on SSD results in sectors being wiped by TRIM operation"