observable:MftRecordFacet leaf node


URI

https://ontology.unifiedcyberontology.org/uco/observable/MftRecordFacet

Label

MftRecordFacet

Description

An MFT record facet is a grouping of characteristics unique to the details of a single file as managed in an NTFS (new technology filesystem) master file table (which is a collection of information about all files on an NTFS filesystem). [based on https://docs.microsoft.com/en-us/windows/win32/devnotes/master-file-table]

Usage

Instances of observable:MftRecordFacet can have the following properties:

PROPERTYTYPEDESCRIPTIONRANGE
From class owl:Thing
types:threadNextItem owl:ObjectProperty The link to a next item in a thread. owl:Thing
types:threadPreviousItem owl:ObjectProperty A direct link to a previous item in a thread. owl:Thing

Property Shapes

By the associated SHACL property shapes, instances of observable:MftRecordFacet can have the following properties:

PROPERTY

PROPERTY TYPE

DESCRIPTION

MIN COUNT

MAX COUNT

LOCAL RANGE
(type range for property on this class)

GLOBAL RANGE
(type range for property globally)

observable:MftRecordFacet
observable:mftFileID owl:DatatypeProperty Specifies the record number for the file within an NTFS Master File Table.
1 xsd:integer
xsd:integer
observable:mftFileNameAccessedTime owl:DatatypeProperty The access date and time recorded in an MFT entry $File_Name attribute.
1 xsd:dateTime
xsd:dateTime
observable:mftFileNameCreatedTime owl:DatatypeProperty The creation date and time recorded in an MFT entry $File_Name attribute.
1 xsd:dateTime
xsd:dateTime
observable:mftFileNameLength owl:DatatypeProperty Specifies the length of an NTFS file name, in unicode characters.
1 xsd:integer
xsd:integer
observable:mftFileNameModifiedTime owl:DatatypeProperty The modification date and time recorded in an MFT entry $File_Name attribute.
1 xsd:dateTime
xsd:dateTime
observable:mftFileNameRecordChangeTime owl:DatatypeProperty The metadata modification date and time recorded in an MFT entry $File_Name attribute.
1 xsd:dateTime
xsd:dateTime
observable:mftFlags owl:DatatypeProperty Specifies basic permissions for the file (Read-Only, Hidden, Archive, Compressed, etc.).
1 xsd:integer
xsd:integer
observable:mftParentID owl:DatatypeProperty Specifies the record number within an NTFS Master File Table for parent directory of the file.
1 xsd:integer
xsd:integer
observable:mftRecordChangeTime owl:DatatypeProperty The date and time at which an NTFS file metadata was last modified.
1 xsd:dateTime
xsd:dateTime
observable:ntfsHardLinkCount owl:DatatypeProperty Specifies the number of directory entries that reference an NTFS file record.
1 xsd:integer
xsd:integer
observable:ntfsOwnerID owl:DatatypeProperty Specifies the identifier of the file owner, from the security index.
1 xsd:string
xsd:string
observable:ntfsOwnerSID owl:DatatypeProperty Specifies the security ID (key in the $SII Index and $SDS DataStream in the file $Secure) for an NTFS file.
1 xsd:string
xsd:string

Implementation

@prefix core: <https://ontology.unifiedcyberontology.org/uco/core/> .
@prefix observable: <https://ontology.unifiedcyberontology.org/uco/observable/> .
@prefix owl: <http://www.w3.org/2002/07/owl#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix sh: <http://www.w3.org/ns/shacl#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .

observable:MftRecordFacet a owl:Class,
        sh:NodeShape ;
    rdfs:label "MftRecordFacet"@en ;
    rdfs:comment "An MFT record facet is a grouping of characteristics unique to the details of a single file as managed in an NTFS (new technology filesystem) master file table (which is a collection of information about all files on an NTFS filesystem). [based on https://docs.microsoft.com/en-us/windows/win32/devnotes/master-file-table]"@en ;
    rdfs:subClassOf core:Facet ;
    sh:property [ sh:datatype xsd:dateTime ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:mftFileNameAccessedTime ],
        [ sh:datatype xsd:dateTime ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:mftFileNameCreatedTime ],
        [ sh:datatype xsd:dateTime ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:mftFileNameModifiedTime ],
        [ sh:datatype xsd:dateTime ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:mftFileNameRecordChangeTime ],
        [ sh:datatype xsd:dateTime ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:mftRecordChangeTime ],
        [ sh:datatype xsd:integer ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:mftFileID ],
        [ sh:datatype xsd:integer ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:mftFileNameLength ],
        [ sh:datatype xsd:integer ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:mftFlags ],
        [ sh:datatype xsd:integer ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:mftParentID ],
        [ sh:datatype xsd:integer ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:ntfsHardLinkCount ],
        [ sh:datatype xsd:string ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:ntfsOwnerID ],
        [ sh:datatype xsd:string ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:ntfsOwnerSID ] ;
    sh:targetClass observable:MftRecordFacet .