This schema was originally developed by The MITRE Corporation. The CybOX XML Schema implementation is maintained by The MITRE Corporation and developed by the open CybOX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the CybOX website at http://cybox.mitre.org. Artifact_Object 2.1 01/22/2014 The following specifies the fields and types that compose this defined CybOX Object type. Each defined object is an extension of the abstract ObjectPropertiesType, defined in CybOX Common. For more information on this extension mechanism, please see the CybOX Specification. This document is intended for developers and assumes some familiarity with XML. Copyright (c) 2012-2014, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the CybOX License located at http://cybox.mitre.org/about/termsofuse.html. See the CybOX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the CybOX Schema, this license header must be included. The Artifact object is intended to encapsulate and convey the content of a Raw Artifact. The ArtifactObjectType type is intended to encapsulate and convey the content of a Raw Artifact. The Hashes field is optional and specifies hashes for the Raw_Artifact content. The Packaging field is optional and characterizes packaging layers (e.g. compression, encryption, encoding) applied to the original content to generate the content of the Raw_Artifact field of this Object. The ordering of entries in this sequence implicitly denotes the ordering of packaging layer operations applied. The Raw_Artifact field contains the raw content of a cyber artifact (rather than simply analysis of that artifact). It is conveyed within a string-based field and should be further enclosed in a CDATA section within the string-based field. The Raw_Artifact_Reference field contains a reference to an external instance of the raw content of a cyber artifact (rather than simply analysis of that artifact). The type field specifies the general type of the artifact contained in this Defined Object. The content_type field is optional and specifies the Internet Media Type of the artifact contained in this Defined Object. The content_type_version field is optional and specifies the content type version of the artifact contained in this Defined Object. The suspected_malicious field is optional and conveys whether the content of the Raw_Artifact is believed to be malicious. The RawArtifactType is intended to convey, with minimal characterization, the content of the Raw Artifact itself. The byte_order field specifies the endianness of the unpacked (e.g., unencrypted, base64-decoded, decompressed, etc.) Raw Artifact data. The PackagingType captures any packaging layers applied to an artifact. The Compression field is optional and specifies details for a compression layer applied to the content of the Raw_Artifact. The Encryption field is optional and specifies details for an encryption layer applied to the content of the Raw_Artifact. The Encoding field is optional and specifies details for an encoding layer applied to the content of the Raw_Artifact. The is_encrypted field is optional and specifies whether the Raw_Artifact content is protected/encrypted. The is_compressed field is optional and specifies whether the Raw_Artifact content is compressed. The CompressionType captures any compression packaging details for an artifact. The compression_mechanism field is optional and specifies the compression algorithm utilized to protect the Raw_Artifact content. The compression_mechanism_ref field is optional and conveys a reference to a description of the compression algorithm utilized to protect the Raw_Artifact content. The EncryptionType captures any encryption packaging details for an artifact. The encryption_mechanism field is optional and specifies the protection/encryption algorithm utilized to protect the Raw_Artifact content. The encryption_mechanism_ref field is optional and conveys a reference to a description of the protection/encryption algorithm utilized to protect the Raw_Artifact content. The encryption_key field is optional and locally specifies the password for unprotecting/decrypting the Raw_Artifact content. The encryption_key_ref field is optional and specifies a reference to a remote specification of the password for unlocking/decrypting the Raw_Artifact content. The EncodingType captures any encoding packaging details for an artifact. The algorithm field is optional and specifies the encoding algorithm utilized to encode the Raw_Artifact. The character_set field is optional and specifies the character set utilized in the Raw_Artifact content encoding. The custom_character_set_ref field is optional and conveys a reference to a specification of the custom character set used to encode the Raw_Artifact. The ArtifactTypeEnum is a (non-exhaustive) enumeration of cyber raw artifact types. The File value specifies that the artifact is a file. The Memory Region value specifies that the artifact is a block of data from a region of memory. The File System Fragment value specifies that the artifact is a block of data from a file system. The Network Traffic value specifies that the artifact is a block of network traffic data such as PCAP. The Generic Data Region value specifies that the artifact is a block of data from an unknown source.