Represent Search Results #69

Open
cyberinvestigationexpress opened this issue May 1, 2022 · 1 comment

@cyberinvestigationexpress
Contributor

There is a need to establish a usage convention for representing searches performed using various software applications and online services, along with their results. Searches can return strings, data structures, and observable objects (e.g., URL, long lat location). Properties include:

  • Timestamp of search
  • Instrument used to perform search (application or online service)
  • What was searched (e.g., text, image)
  • The result(s) of the search

The proposed usage convention is a uco-action:Action representing a search performed by a specific user (uco-action:performer) using a certain application (uco-action:instrument). The uco-action:object lists input(s) to the search, and uco-action:result lists results of the search. The online service that was searched can be referenced as the uco-action:environment.

The example could use the Crossover data, specifically SearchedItem in Cellebrite XML report:

https://raw.githubusercontent.com/casework/CASE-Implementation-UFED-XML/main/XMLreports/19_UFED_ANDROID_CROSSOVER.xml

The same usage convention is proposed for an InvestigativeAction representing keyword searches performed on digital evidence using forensic/investigative tools.

@cyberinvestigationexpress
Contributor Author

This issue was originally captured in https://unifiedcyberontology.atlassian.net/browse/OC-211
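
An added illustration of the convention proposed in the first comment, not part of the issue and not code from the UCO or CASE projects: it maps one constructed search record to a `uco-action:Action` in JSON-LD and checks that every property the proposal names is present and resolves to a node in the graph. The `kb:` and `ex:` prefixes, all node identifiers, and the use of `uco-action:startTime` for the search timestamp are assumptions of this example.

```python
import json

CONTEXT = {"kb": "http://example.org/kb/", "ex": "http://example.org/terms/",
           "xsd": "http://www.w3.org/2001/XMLSchema#",
           "uco-action": "https://ontology.unifiedcyberontology.org/uco/action/"}
REQUIRED = ("performer", "instrument", "environment", "object", "result")
# Constructed sample search record; values are not from the Cellebrite report.
SAMPLE = {"timestamp": "2022-05-01T10:15:00Z", "performer": "kb:user-1",
          "instrument": "kb:browser-app-1", "environment": "kb:search-service-1",
          "inputs": ["example search text"],
          "results": ["https://example.org/a", "https://example.org/b"]}

def search_to_graph(rec, n=1):
    """Build a JSON-LD graph: one uco-action:Action plus the nodes it points at."""
    def values(kind, items):
        # ex:* types and properties are placeholders, not UCO terms.
        return [{"@id": f"kb:{kind}-{n}-{i}", "@type": "ex:SearchValue",
                 "ex:value": v} for i, v in enumerate(items)]
    inputs = values("input", rec["inputs"])
    results = values("result", rec["results"])
    actors = [{"@id": rec[k], "@type": "ex:Placeholder"}
              for k in ("performer", "instrument", "environment")]
    action = {
        "@id": f"kb:search-action-{n}",
        "@type": "uco-action:Action",
        # Assumption: startTime carries the "timestamp of search" property.
        "uco-action:startTime": {"@type": "xsd:dateTime", "@value": rec["timestamp"]},
        "uco-action:performer": {"@id": rec["performer"]},
        "uco-action:instrument": {"@id": rec["instrument"]},
        "uco-action:environment": {"@id": rec["environment"]},
        "uco-action:object": [{"@id": x["@id"]} for x in inputs],
        "uco-action:result": [{"@id": x["@id"]} for x in results],
    }
    return {"@context": CONTEXT, "@graph": [action, *actors, *inputs, *results]}

def check_convention(graph):
    """Return problems: missing convention properties and dangling references."""
    known = {node["@id"] for node in graph["@graph"]}
    problems = []
    for node in graph["@graph"]:
        if node.get("@type") != "uco-action:Action":
            continue
        for prop in REQUIRED:
            value = node.get(f"uco-action:{prop}") or []
            refs = value if isinstance(value, list) else [value]
            if not refs:
                problems.append(f"{node['@id']}: missing uco-action:{prop}")
            problems += [f"{node['@id']}: dangling {r['@id']}"
                         for r in refs if r["@id"] not in known]
    return problems

if __name__ == "__main__":
    print(json.dumps(search_to_graph(SAMPLE), indent=2))
```

A search that returned nothing is reported as a missing `uco-action:result`, which makes the empty-result case visible instead of silently producing an action with no outcome.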
