Main schema Win_Prefetch_Object.xsd
Namespace http://cybox.mitre.org/objects#WinPrefetchObject-2
Annotations
This schema was originally developed by The MITRE Corporation. The CybOX XML Schema implementation is maintained by The MITRE Corporation and developed by the open CybOX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the CybOX website at http://cybox.mitre.org.
Element WinPrefetchObj:Windows_Prefetch_Entry
Namespace http://cybox.mitre.org/objects#WinPrefetchObject-2
Annotations
The Windows_Prefetch_Entry object is intended to characterize entries in the Windows prefetch files. Starting with Windows XP, prefetching was introduced to speed up application startup. The prefetch object draws upon the descriptions and XML sample at http://www.forensicswiki.org/wiki/Prefetch_XML
Type WinPrefetchObj:WindowsPrefetchObjectType
Children WinPrefetchObj:Accessed_Directory_List, WinPrefetchObj:Accessed_File_List, WinPrefetchObj:Application_File_Name, WinPrefetchObj:First_Run, WinPrefetchObj:Last_Run, WinPrefetchObj:Prefetch_Hash, WinPrefetchObj:Times_Executed, WinPrefetchObj:Volume, cyboxCommon:Custom_Properties
Attributes
QName Type Use Annotation
object_reference xs:QName optional
The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.
Source
<xs:element name="Windows_Prefetch_Entry" type="WinPrefetchObj:WindowsPrefetchObjectType">
  <xs:annotation>
    <xs:documentation>The Windows_Prefetch_Entry object is intended to characterize entries in the Windows prefetch files. Starting with Windows XP, prefetching was introduced to speed up application startup. The prefetch object draws upon the descriptions and XML sample at http://www.forensicswiki.org/wiki/Prefetch_XML</xs:documentation>
  </xs:annotation>
</xs:element>
Element WinPrefetchObj:WindowsPrefetchObjectType / WinPrefetchObj:Application_File_Name
Namespace http://cybox.mitre.org/objects#WinPrefetchObject-2
Annotations
Name of the executable of the prefetch file.
Type cyboxCommon:StringObjectPropertyType
Attributes
QName Type Fixed Default Use Annotation
appears_random xs:boolean optional
This field is optional and conveys whether the associated object property value appears to be somewhat random in nature. An object property with this field set to TRUE need not provide any further information including a value. If more is known about the particular variation of randomness, a regex value could be provided to outline what is known of the structure.
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
datatype cyboxCommon:DatatypeEnum string optional
This attribute is optional and specifies the expected type for the value of the specified property.
defanging_algorithm_ref xs:anyURI optional
This field is optional and conveys a reference to a description of the algorithm used to defang (representation changed to prevent malicious effects of handling/processing) this Object property.
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
id xs:QName optional
The id field specifies a unique ID for this Object Property.
idref xs:QName optional
The idref field specifies a unique ID reference for this Object Property.
is_defanged xs:boolean optional
This field is optional and conveys whether the associated Object property has been defanged (representation changed to prevent malicious effects of handling/processing).
is_obfuscated xs:boolean optional
This field is optional and conveys whether the associated Object property has been obfuscated.
obfuscation_algorithm_ref xs:anyURI optional
This field is optional and conveys a reference to a description of the algorithm used to obfuscate this Object property.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
refanging_transform xs:string optional
This field is optional and specifies an automated transform that can be applied to the Object property content in order to refang it to its original format.
refanging_transform_type xs:string optional
This field is optional and specifies the type (e.g. RegEx) of refanging transform specified in the optional accompanying refangingTransform property.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
Source
<xs:element name="Application_File_Name" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Name of the executable of the prefetch file.</xs:documentation>
  </xs:annotation>
</xs:element>
Element WinPrefetchObj:WindowsPrefetchObjectType / WinPrefetchObj:Prefetch_Hash
Namespace http://cybox.mitre.org/objects#WinPrefetchObject-2
Annotations
An eight character hash of the location from which the application was run.
Type cyboxCommon:StringObjectPropertyType
Attributes
QName Type Fixed Default Use Annotation
appears_random xs:boolean optional
This field is optional and conveys whether the associated object property value appears to be somewhat random in nature. An object property with this field set to TRUE need not provide any further information including a value. If more is known about the particular variation of randomness, a regex value could be provided to outline what is known of the structure.
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
datatype cyboxCommon:DatatypeEnum string optional
This attribute is optional and specifies the expected type for the value of the specified property.
defanging_algorithm_ref xs:anyURI optional
This field is optional and conveys a reference to a description of the algorithm used to defang (representation changed to prevent malicious effects of handling/processing) this Object property.
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
id xs:QName optional
The id field specifies a unique ID for this Object Property.
idref xs:QName optional
The idref field specifies a unique ID reference for this Object Property.
is_defanged xs:boolean optional
This field is optional and conveys whether the associated Object property has been defanged (representation changed to prevent malicious effects of handling/processing).
is_obfuscated xs:boolean optional
This field is optional and conveys whether the associated Object property has been obfuscated.
obfuscation_algorithm_ref xs:anyURI optional
This field is optional and conveys a reference to a description of the algorithm used to obfuscate this Object property.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
refanging_transform xs:string optional
This field is optional and specifies an automated transform that can be applied to the Object property content in order to refang it to its original format.
refanging_transform_type xs:string optional
This field is optional and specifies the type (e.g. RegEx) of refanging transform specified in the optional accompanying refangingTransform property.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
Source
<xs:element name="Prefetch_Hash" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>An eight character hash of the location from which the application was run.</xs:documentation>
  </xs:annotation>
</xs:element>
Element WinPrefetchObj:WindowsPrefetchObjectType / WinPrefetchObj:Times_Executed
Namespace http://cybox.mitre.org/objects#WinPrefetchObject-2
Annotations
The number of times the prefetch application has executed.
Type cyboxCommon:LongObjectPropertyType
Attributes
QName Type Fixed Default Use Annotation
appears_random xs:boolean optional
This field is optional and conveys whether the associated object property value appears to be somewhat random in nature. An object property with this field set to TRUE need not provide any further information including a value. If more is known about the particular variation of randomness, a regex value could be provided to outline what is known of the structure.
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
datatype cyboxCommon:DatatypeEnum long optional
This attribute is optional and specifies the expected type for the value of the specified property.
defanging_algorithm_ref xs:anyURI optional
This field is optional and conveys a reference to a description of the algorithm used to defang (representation changed to prevent malicious effects of handling/processing) this Object property.
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
id xs:QName optional
The id field specifies a unique ID for this Object Property.
idref xs:QName optional
The idref field specifies a unique ID reference for this Object Property.
is_defanged xs:boolean optional
This field is optional and conveys whether the associated Object property has been defanged (representation changed to prevent malicious effects of handling/processing).
is_obfuscated xs:boolean optional
This field is optional and conveys whether the associated Object property has been obfuscated.
obfuscation_algorithm_ref xs:anyURI optional
This field is optional and conveys a reference to a description of the algorithm used to obfuscate this Object property.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
refanging_transform xs:string optional
This field is optional and specifies an automated transform that can be applied to the Object property content in order to refang it to its original format.
refanging_transform_type xs:string optional
This field is optional and specifies the type (e.g. RegEx) of refanging transform specified in the optional accompanying refangingTransform property.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
Source
<xs:element name="Times_Executed" type="cyboxCommon:LongObjectPropertyType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The number of times the prefetch application has executed.</xs:documentation>
  </xs:annotation>
</xs:element>
Element WinPrefetchObj:WindowsPrefetchObjectType / WinPrefetchObj:First_Run
Namespace http://cybox.mitre.org/objects#WinPrefetchObject-2
Annotations
Timestamp of when the prefetch application was first run.
Type cyboxCommon:DateTimeObjectPropertyType
Attributes
QName Type Fixed Default Use Annotation
appears_random xs:boolean optional
This field is optional and conveys whether the associated object property value appears to be somewhat random in nature. An object property with this field set to TRUE need not provide any further information including a value. If more is known about the particular variation of randomness, a regex value could be provided to outline what is known of the structure.
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
datatype cyboxCommon:DatatypeEnum dateTime optional
This attribute is optional and specifies the expected type for the value of the specified property.
defanging_algorithm_ref xs:anyURI optional
This field is optional and conveys a reference to a description of the algorithm used to defang (representation changed to prevent malicious effects of handling/processing) this Object property.
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
id xs:QName optional
The id field specifies a unique ID for this Object Property.
idref xs:QName optional
The idref field specifies a unique ID reference for this Object Property.
is_defanged xs:boolean optional
This field is optional and conveys whether the associated Object property has been defanged (representation changed to prevent malicious effects of handling/processing).
is_obfuscated xs:boolean optional
This field is optional and conveys whether the associated Object property has been obfuscated.
obfuscation_algorithm_ref xs:anyURI optional
This field is optional and conveys a reference to a description of the algorithm used to obfuscate this Object property.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
refanging_transform xs:string optional
This field is optional and specifies an automated transform that can be applied to the Object property content in order to refang it to its original format.
refanging_transform_type xs:string optional
This field is optional and specifies the type (e.g. RegEx) of refanging transform specified in the optional accompanying refangingTransform property.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
Source
<xs:element name="First_Run" type="cyboxCommon:DateTimeObjectPropertyType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Timestamp of when the prefetch application was first run.</xs:documentation>
  </xs:annotation>
</xs:element>
Element WinPrefetchObj:WindowsPrefetchObjectType / WinPrefetchObj:Last_Run
Namespace http://cybox.mitre.org/objects#WinPrefetchObject-2
Annotations
Timestamp of when the prefetch application was last run.
Type cyboxCommon:DateTimeObjectPropertyType
Attributes
QName Type Fixed Default Use Annotation
appears_random xs:boolean optional
This field is optional and conveys whether the associated object property value appears to be somewhat random in nature. An object property with this field set to TRUE need not provide any further information including a value. If more is known about the particular variation of randomness, a regex value could be provided to outline what is known of the structure.
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
datatype cyboxCommon:DatatypeEnum dateTime optional
This attribute is optional and specifies the expected type for the value of the specified property.
defanging_algorithm_ref xs:anyURI optional
This field is optional and conveys a reference to a description of the algorithm used to defang (representation changed to prevent malicious effects of handling/processing) this Object property.
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
id xs:QName optional
The id field specifies a unique ID for this Object Property.
idref xs:QName optional
The idref field specifies a unique ID reference for this Object Property.
is_defanged xs:boolean optional
This field is optional and conveys whether the associated Object property has been defanged (representation changed to prevent malicious effects of handling/processing).
is_obfuscated xs:boolean optional
This field is optional and conveys whether the associated Object property has been obfuscated.
obfuscation_algorithm_ref xs:anyURI optional
This field is optional and conveys a reference to a description of the algorithm used to obfuscate this Object property.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
refanging_transform xs:string optional
This field is optional and specifies an automated transform that can be applied to the Object property content in order to refang it to its original format.
refanging_transform_type xs:string optional
This field is optional and specifies the type (e.g. RegEx) of refanging transform specified in the optional accompanying refangingTransform property.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
Source
<xs:element name="Last_Run" type="cyboxCommon:DateTimeObjectPropertyType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Timestamp of when the prefetch application was last run.</xs:documentation>
  </xs:annotation>
</xs:element>
Element WinPrefetchObj:WindowsPrefetchObjectType / WinPrefetchObj:Volume
Namespace http://cybox.mitre.org/objects#WinPrefetchObject-2
Annotations
The volume from which the prefetch application was run. If the application was run from multiple volumes, there will be a separate prefetch file for each.
Type WinPrefetchObj:VolumeType
Children WinPrefetchObj:DeviceItem, WinPrefetchObj:VolumeItem
Source
<xs:element name="Volume" type="WinPrefetchObj:VolumeType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The volume from which the prefetch application was run. If the application was run from multiple volumes, there will be a separate prefetch file for each.</xs:documentation>
  </xs:annotation>
</xs:element>
Element WinPrefetchObj:VolumeType / WinPrefetchObj:VolumeItem
Namespace http://cybox.mitre.org/objects#WinPrefetchObject-2
Annotations
The volume that the prefetch application was run from. The only item in the prefetch file is the volume name.
Type WinVolumeObj:WindowsVolumeObjectType
Children VolumeObj:Actual_Available_Allocation_Units, VolumeObj:Bytes_Per_Sector, VolumeObj:Creation_Time, VolumeObj:Device_Path, VolumeObj:File_System_Flag_List, VolumeObj:File_System_Type, VolumeObj:Name, VolumeObj:Sectors_Per_Allocation_Unit, VolumeObj:Serial_Number, VolumeObj:Total_Allocation_Units, WinVolumeObj:Attributes_List, WinVolumeObj:Drive_Letter, WinVolumeObj:Drive_Type, cyboxCommon:Custom_Properties
Attributes
QName Type Use Annotation
is_mounted xs:boolean optional
The is_mounted field specifies whether the volume is mounted.
object_reference xs:QName optional
The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.
Source
<xs:element name="VolumeItem" type="WinVolumeObj:WindowsVolumeObjectType" minOccurs="1" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The volume that the prefetch application was run from. The only item in the prefetch file is the volume name.</xs:documentation>
  </xs:annotation>
</xs:element>
Element WinPrefetchObj:VolumeType / WinPrefetchObj:DeviceItem
Namespace http://cybox.mitre.org/objects#WinPrefetchObject-2
Annotations
The device that the prefetch application was run from. The only item in the prefetch file is the device serial number.
Type DeviceObj:DeviceObjectType
Children DeviceObj:Description, DeviceObj:Device_Type, DeviceObj:Manufacturer, DeviceObj:Model, DeviceObj:Serial_Number, cyboxCommon:Custom_Properties
Attributes
QName Type Use Annotation
object_reference xs:QName optional
The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.
Source
<xs:element name="DeviceItem" type="DeviceObj:DeviceObjectType" minOccurs="1" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The device that the prefetch application was run from. The only item in the prefetch file is the device serial number.</xs:documentation>
  </xs:annotation>
</xs:element>
Element WinPrefetchObj:WindowsPrefetchObjectType / WinPrefetchObj:Accessed_File_List
Namespace http://cybox.mitre.org/objects#WinPrefetchObject-2
Annotations
Files (e.g., DLLs and other support files) used by the application during startup.
Type WinPrefetchObj:AccessedFileListType
Children WinPrefetchObj:Accessed_Filename
Source
<xs:element name="Accessed_File_List" type="WinPrefetchObj:AccessedFileListType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Files (e.g., DLLs and other support files) used by the application during startup.</xs:documentation>
  </xs:annotation>
</xs:element>
Element WinPrefetchObj:AccessedFileListType / WinPrefetchObj:Accessed_Filename
Namespace http://cybox.mitre.org/objects#WinPrefetchObject-2
Annotations
Specifies the filename of the accessed file.
Type cyboxCommon:StringObjectPropertyType
Attributes
QName Type Fixed Default Use Annotation
appears_random xs:boolean optional
This field is optional and conveys whether the associated object property value appears to be somewhat random in nature. An object property with this field set to TRUE need not provide any further information including a value. If more is known about the particular variation of randomness, a regex value could be provided to outline what is known of the structure.
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
datatype cyboxCommon:DatatypeEnum string optional
This attribute is optional and specifies the expected type for the value of the specified property.
defanging_algorithm_ref xs:anyURI optional
This field is optional and conveys a reference to a description of the algorithm used to defang (representation changed to prevent malicious effects of handling/processing) this Object property.
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
id xs:QName optional
The id field specifies a unique ID for this Object Property.
idref xs:QName optional
The idref field specifies a unique ID reference for this Object Property.
is_defanged xs:boolean optional
This field is optional and conveys whether the associated Object property has been defanged (representation changed to prevent malicious effects of handling/processing).
is_obfuscated xs:boolean optional
This field is optional and conveys whether the associated Object property has been obfuscated.
obfuscation_algorithm_ref xs:anyURI optional
This field is optional and conveys a reference to a description of the algorithm used to obfuscate this Object property.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
refanging_transform xs:string optional
This field is optional and specifies an automated transform that can be applied to the Object property content in order to refang it to its original format.
refanging_transform_type xs:string optional
This field is optional and specifies the type (e.g. RegEx) of refanging transform specified in the optional accompanying refangingTransform property.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
Source
<xs:element name="Accessed_Filename" type="cyboxCommon:StringObjectPropertyType" minOccurs="1" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>Specifies the filename of the accessed file.</xs:documentation>
  </xs:annotation>
</xs:element>
Element WinPrefetchObj:WindowsPrefetchObjectType / WinPrefetchObj:Accessed_Directory_List
Namespace http://cybox.mitre.org/objects#WinPrefetchObject-2
Annotations
Directories accessed by the prefetch application during startup.
Type WinPrefetchObj:AccessedDirectoryListType
Children WinPrefetchObj:Accessed_Directory
Source
<xs:element name="Accessed_Directory_List" type="WinPrefetchObj:AccessedDirectoryListType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Directories accessed by the prefetch application during startup.</xs:documentation>
  </xs:annotation>
</xs:element>
Element WinPrefetchObj:AccessedDirectoryListType / WinPrefetchObj:Accessed_Directory
Namespace http://cybox.mitre.org/objects#WinPrefetchObject-2
Annotations
Specifies the pathname of the accessed directory.
Type cyboxCommon:StringObjectPropertyType
Attributes
QName Type Fixed Default Use Annotation
appears_random xs:boolean optional
This field is optional and conveys whether the associated object property value appears to be somewhat random in nature. An object property with this field set to TRUE need not provide any further information including a value. If more is known about the particular variation of randomness, a regex value could be provided to outline what is known of the structure.
apply_condition cyboxCommon:ConditionApplicationEnum ANY optional
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
bit_mask xs:hexBinary optional
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation.
condition cyboxCommon:ConditionTypeEnum optional
This field is optional and defines the relevant condition to apply to the value.
datatype cyboxCommon:DatatypeEnum string optional
This attribute is optional and specifies the expected type for the value of the specified property.
defanging_algorithm_ref xs:anyURI optional
This field is optional and conveys a reference to a description of the algorithm used to defang (representation changed to prevent malicious effects of handling/processing) this Object property.
has_changed xs:boolean optional
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
id xs:QName optional
The id field specifies a unique ID for this Object Property.
idref xs:QName optional
The idref field specifies a unique ID reference for this Object Property.
is_defanged xs:boolean optional
This field is optional and conveys whether the associated Object property has been defanged (representation changed to prevent malicious effects of handling/processing).
is_obfuscated xs:boolean optional
This field is optional and conveys whether the associated Object property has been obfuscated.
obfuscation_algorithm_ref xs:anyURI optional
This field is optional and conveys a reference to a description of the algorithm used to obfuscate this Object property.
pattern_type cyboxCommon:PatternTypeEnum optional
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
refanging_transform xs:string optional
This field is optional and specifies an automated transform that can be applied to the Object property content in order to refang it to its original format.
refanging_transform_type xs:string optional
This field is optional and specifies the type (e.g. RegEx) of refanging transform specified in the optional accompanying refangingTransform property.
regex_syntax xs:string optional
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
trend xs:boolean optional
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
Source
<xs:element name="Accessed_Directory" type="cyboxCommon:StringObjectPropertyType" minOccurs="1" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>Specifies the pathname of the accessed directory.</xs:documentation>
  </xs:annotation>
</xs:element>
Complex Type WinPrefetchObj:WindowsPrefetchObjectType
Namespace http://cybox.mitre.org/objects#WinPrefetchObject-2
Annotations
The WindowsPrefetchObjectType type is intended to characterize entries in the Windows prefetch files. Starting with Windows XP, prefetching was introduced to speed up application startup. The prefetch object draws upon the descriptions and XML sample at http://www.forensicswiki.org/wiki/Prefetch_XML
Type extension of cyboxCommon:ObjectPropertiesType
Children WinPrefetchObj:Accessed_Directory_List, WinPrefetchObj:Accessed_File_List, WinPrefetchObj:Application_File_Name, WinPrefetchObj:First_Run, WinPrefetchObj:Last_Run, WinPrefetchObj:Prefetch_Hash, WinPrefetchObj:Times_Executed, WinPrefetchObj:Volume, cyboxCommon:Custom_Properties
Attributes
QName Type Use Annotation
object_reference xs:QName optional
The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.
Source
<xs:complexType name="WindowsPrefetchObjectType">
  <xs:annotation>
    <xs:documentation>The WindowsPrefetchObjectType type is intended to characterize entries in the Windows prefetch files. Starting with Windows XP, prefetching was introduced to speed up application startup. The prefetch object draws upon the descriptions and XML sample at http://www.forensicswiki.org/wiki/Prefetch_XML</xs:documentation>
  </xs:annotation>
  <xs:complexContent>
    <xs:extension base="cyboxCommon:ObjectPropertiesType">
      <xs:sequence>
        <xs:element name="Application_File_Name" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>Name of the executable of the prefetch file.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Prefetch_Hash" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>An eight character hash of the location from which the application was run.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Times_Executed" type="cyboxCommon:LongObjectPropertyType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The number of times the prefetch application has executed.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="First_Run" type="cyboxCommon:DateTimeObjectPropertyType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>Timestamp of when the prefetch application was first run.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Last_Run" type="cyboxCommon:DateTimeObjectPropertyType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>Timestamp of when the prefetch application was last run.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Volume" type="WinPrefetchObj:VolumeType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The volume from which the prefetch application was run. If the application was run from multiple volumes, there will be a separate prefetch file for each.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Accessed_File_List" type="WinPrefetchObj:AccessedFileListType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>Files (e.g., DLLs and other support files) used by the application during startup.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Accessed_Directory_List" type="WinPrefetchObj:AccessedDirectoryListType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>Directories accessed by the prefetch application during startup.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Complex Type WinPrefetchObj:VolumeType
Namespace http://cybox.mitre.org/objects#WinPrefetchObject-2
Annotations
VolumeType characterizes the volume information in the Windows prefetch file.
Children WinPrefetchObj:DeviceItem, WinPrefetchObj:VolumeItem
Source
<xs:complexType name="VolumeType">
  <xs:annotation>
    <xs:documentation>VolumeType characterizes the volume information in the Windows prefetch file.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="VolumeItem" type="WinVolumeObj:WindowsVolumeObjectType" minOccurs="1" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The volume that the prefetch application was run from. The only item in the prefetch file is the volume name.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="DeviceItem" type="DeviceObj:DeviceObjectType" minOccurs="1" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The device that the prefetch application was run from. The only item in the prefetch file is the device serial number.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type WinPrefetchObj:AccessedFileListType
Namespace http://cybox.mitre.org/objects#WinPrefetchObject-2
Annotations
The AccessedFileListType specifies a list of files accessed by a prefetch application.
Children WinPrefetchObj:Accessed_Filename
Source
<xs:complexType name="AccessedFileListType">
  <xs:annotation>
    <xs:documentation>The AccessedFileListType specifies a list of files accessed by a prefetch application.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="Accessed_Filename" type="cyboxCommon:StringObjectPropertyType" minOccurs="1" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>Specifies the filename of the accessed file.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type WinPrefetchObj:AccessedDirectoryListType
Namespace http://cybox.mitre.org/objects#WinPrefetchObject-2
Annotations
The AccessedDirectoryListType specifies a list of directories accessed by a prefetch application.
Children WinPrefetchObj:Accessed_Directory
Source
<xs:complexType name="AccessedDirectoryListType">
  <xs:annotation>
    <xs:documentation>The AccessedDirectoryListType specifies a list of directories accessed by a prefetch application.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="Accessed_Directory" type="cyboxCommon:StringObjectPropertyType" minOccurs="1" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>Specifies the pathname of the accessed directory.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
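The content model defined by the four complex types above can be checked on an instance document before the entry is trusted for triage. The following Python sketch is an added example, not part of the CybOX schema or its tooling: it enforces the child order of WindowsPrefetchObjectType, the one-or-more rule of VolumeType and the two list types, and the eight-character Prefetch_Hash. The sample instances, the `p` prefix, and the names `check_entry`, `summarize` and `wrap` are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from itertools import groupby

NS = "http://cybox.mitre.org/objects#WinPrefetchObject-2"

def q(name):
    """Qualify a local element name with the WinPrefetchObj namespace."""
    return "{%s}%s" % (NS, name)

def local(tag):
    """Strip the namespace from an ElementTree tag."""
    return tag.split("}", 1)[-1]

# Order of the xs:sequence in WindowsPrefetchObjectType; each child is optional, at most once.
SEQUENCE = [q(n) for n in (
    "Application_File_Name", "Prefetch_Hash", "Times_Executed", "First_Run",
    "Last_Run", "Volume", "Accessed_File_List", "Accessed_Directory_List")]

# Containers whose children are minOccurs="1" maxOccurs="unbounded", in this order.
CONTAINERS = {
    q("Volume"): [q("VolumeItem"), q("DeviceItem")],
    q("Accessed_File_List"): [q("Accessed_Filename")],
    q("Accessed_Directory_List"): [q("Accessed_Directory")],
}

def check_entry(entry):
    """Return a list of content-model violations for one Windows_Prefetch_Entry."""
    errors, last = [], -1
    for child in entry:
        if not child.tag.startswith("{%s}" % NS):
            continue  # e.g. cyboxCommon:Custom_Properties inherited from the base type
        if child.tag not in SEQUENCE:
            errors.append("unexpected element: " + local(child.tag))
            continue
        pos = SEQUENCE.index(child.tag)
        if pos <= last:
            errors.append("out of sequence or repeated: " + local(child.tag))
        last = max(last, pos)
        if child.tag in CONTAINERS:
            # Collapse consecutive repeats; what remains must equal the required order.
            runs = [tag for tag, _ in groupby(c.tag for c in child)]
            if runs != CONTAINERS[child.tag]:
                need = ", ".join(local(t) for t in CONTAINERS[child.tag])
                errors.append("%s needs one or more of: %s" % (local(child.tag), need))
    h = entry.find(q("Prefetch_Hash"))
    value = (h.text or "").strip() if h is not None else ""
    # A value carrying a condition attribute is a pattern, not a literal hash.
    if value and h.get("condition") is None and len(value) != 8:
        errors.append("Prefetch_Hash is not eight characters: " + value)
    return errors

def summarize(entry):
    """Pull the fields an analyst usually pivots on out of a checked entry."""
    text = lambda name: (entry.findtext(q(name)) or "").strip() or None
    times = text("Times_Executed")
    return {"application": text("Application_File_Name"), "hash": text("Prefetch_Hash"),
            "times_executed": int(times) if times else None, "last_run": text("Last_Run"),
            "files": [f.text.strip() for f in entry.iter(q("Accessed_Filename")) if f.text]}

def wrap(body):
    """Build a constructed sample instance around the given child elements."""
    return '<p:Windows_Prefetch_Entry xmlns:p="%s">%s</p:Windows_Prefetch_Entry>' % (NS, body)

VALID = wrap("""
  <p:Application_File_Name>EXAMPLE.EXE</p:Application_File_Name>
  <p:Prefetch_Hash>1A2B3C4D</p:Prefetch_Hash>
  <p:Times_Executed>3</p:Times_Executed>
  <p:Last_Run>2014-01-01T10:00:00Z</p:Last_Run>
  <p:Volume><p:VolumeItem/><p:DeviceItem/></p:Volume>
  <p:Accessed_File_List>
    <p:Accessed_Filename>EXAMPLE.DLL</p:Accessed_Filename>
    <p:Accessed_Filename>SUPPORT.DAT</p:Accessed_Filename>
  </p:Accessed_File_List>""")

# Constructed bad instance: wrong order, short hash, no DeviceItem, empty file list.
INVALID = wrap("""
  <p:Last_Run>2014-01-01T10:00:00Z</p:Last_Run>
  <p:Prefetch_Hash>1A2B3C4</p:Prefetch_Hash>
  <p:Volume><p:VolumeItem/></p:Volume>
  <p:Accessed_File_List/>""")

if __name__ == "__main__":
    for name, doc in (("valid", VALID), ("invalid", INVALID)):
        print(name, check_entry(ET.fromstring(doc)))
    print(summarize(ET.fromstring(VALID)))
```

The check covers only elements in the WinPrefetchObj namespace; validation against the full XSD set also covers the imported Volume, Device and common types.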