Skip to content

0.8.0
Compare
Choose a tag to compare
@ajnelson-nist ajnelson-nist released this 12 Jun 19:34
· 49 commits to main since this release
0.8.0
42d0581
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.

New features:

  • case-utils 0.11.0 is now adopted.
  • OWL-Time is now incorporated into the inferencing logic of case_prov_rdf and case_prov_dot, following the non-normative PROV-O alignment suggestions of OWL-Time Section 5.7. The case-prov README documents the illustration and inference effects.
    • To have time objects (time:Intervals and their boundary time:Instants) be visibly displayed, rather than only invisibly influencing layout, pass --display-time-links to case_prov_dot.
  • Timestamps used on case-investigation:InvestigativeActions now have a visual timeline behavior in case_prov_dot.
    • Those timestamps can also be used for timelining analysis from time:Instants inferred by case_prov_rdf. For example, an investigative action that has a uco-observable:File as a result induces a time:Instant representing the instant the file was created, which might or might not eventually receive a timestamp in an analyst's workflow, but the timestamp is asserted to be time:before the ending time:Instant of the investigative action.
    • A caveat on timestamp ordering: Only timestamps with a timezone will be cast into time:inXSDDateTimeStamp. (At the time of the 2022-11-15 OWL-Time draft, time:inXSDDateTime is deprecated.) This is left to the user as a UCO data preparation responsibility. time:Instants will still be inferred and topologically linked for timestamps without timezones.
    • Another caveat on timestamp ordering: Currently, only timestamps with a timezone (i.e. ending with either +00:00 or Z) will influence timeline sorting by case_prov_dot. Help is welcome to implement general timezone sorting in a future case-prov release.
  • On an investigative action, a uco-action:endTime timestamp is treated as a designation the action has an end. In general, an investigative action is not assumed to have an end, though all investigative actions are assumed to have a beginning.
  • case_prov_dot and case_prov_dot now have some generated effects that can be influenced from UUID randomization. A flag --use-deterministic-uuids is now provided for these commands.
  • Using the inherence functions from case-utils 0.11.0, prov:Influences (Association, Attribution, etc.) and prov:InstantaneousEvents (Generation, Start, etc.) are now handled in Python code rather than SPARQL CONSTRUCT queries. This is to avoid generating blank nodes, and to also incorporate run-time requests to use non-deterministic UUIDs or not (whether through inherence in case_utils.inherent_uuid, or the "demo" nonrandom UUIDs from case_utils.local_uuid).
  • (Also a bug fix.) Node labels from case_prov_dot are no longer limited to a single label string (e.g. if there were two rdfs:comments, only one would display).
  • Node labels from case_prov_dot now preserve the annotating predicate as part of the label's line ordering.
  • case_prov_rdf now carries forward uco-core:description rather than casting its contents to an rdfs:comment.
  • case_prov_rdf now carries forward uco-core:name, and case_prov_dot now displays it, for UCO nodes inferred to be prov:Activitys, prov:Agents, or prov:Entitys.

Maintenance updates:

  • Documentation for modules now includes doctests (inlined code samples) for functions.
  • case_prov is now type-reviewed with mypy --strict.
  • The project's home page link from PyPI has been fixed.
  • case_prov_dot's code flow has been nearly totally reordered and inline-documented.
Assets 2
Loading