observable:MftRecordFacet leaf node

core:Facet
- observable:MftRecordFacet

URI

https://ontology.unifiedcyberontology.org/uco/observable/MftRecordFacet

Label

MftRecordFacet

Description

An MFT record facet is a grouping of characteristics unique to the details of a single file as managed in an NTFS (new technology filesystem) master file table (which is a collection of information about all files on an NTFS filesystem). [based on https://docs.microsoft.com/en-us/windows/win32/devnotes/master-file-table]

Superclasses (3)

core:Facet

core:UcoInherentCharacterizationThing

core:UcoThing

Shapes (1)

observable:MftRecordFacet

Usage

Instances of observable:MftRecordFacet can have the following properties:

PROPERTY	TYPE	DESCRIPTION	RANGE
From class owl:Thing
types:threadNextItem	owl:ObjectProperty	The link to a next item in a thread.	owl:Thing
types:threadPreviousItem	owl:ObjectProperty	A direct link to a previous item in a thread.	owl:Thing

Property Shapes

By the associated SHACL property shapes, instances of observable:MftRecordFacet can have the following properties:

PROPERTY	PROPERTY TYPE	DESCRIPTION	MAX COUNT	LOCAL RANGE (type range for property on this class)	GLOBAL RANGE (type range for property globally)
observable:MftRecordFacet
observable:mftFileID	owl:DatatypeProperty	Specifies the record number for the file within an NTFS Master File Table.	1	xsd:integer	xsd:integer
observable:mftFileNameAccessedTime	owl:DatatypeProperty	The access date and time recorded in an MFT entry $File_Name attribute.	1	xsd:dateTime	xsd:dateTime
observable:mftFileNameCreatedTime	owl:DatatypeProperty	The creation date and time recorded in an MFT entry $File_Name attribute.	1	xsd:dateTime	xsd:dateTime
observable:mftFileNameLength	owl:DatatypeProperty	Specifies the length of an NTFS file name, in unicode characters.	1	xsd:integer	xsd:integer
observable:mftFileNameModifiedTime	owl:DatatypeProperty	The modification date and time recorded in an MFT entry $File_Name attribute.	1	xsd:dateTime	xsd:dateTime
observable:mftFileNameRecordChangeTime	owl:DatatypeProperty	The metadata modification date and time recorded in an MFT entry $File_Name attribute.	1	xsd:dateTime	xsd:dateTime
observable:mftFlags	owl:DatatypeProperty	Specifies basic permissions for the file (Read-Only, Hidden, Archive, Compressed, etc.).	1	xsd:integer	xsd:integer
observable:mftParentID	owl:DatatypeProperty	Specifies the record number within an NTFS Master File Table for parent directory of the file.	1	xsd:integer	xsd:integer
observable:mftRecordChangeTime	owl:DatatypeProperty	The date and time at which an NTFS file metadata was last modified.	1	xsd:dateTime	xsd:dateTime
observable:ntfsHardLinkCount	owl:DatatypeProperty	Specifies the number of directory entries that reference an NTFS file record.	1	xsd:integer	xsd:integer
observable:ntfsOwnerID	owl:DatatypeProperty	Specifies the identifier of the file owner, from the security index.	1	xsd:string	xsd:string
observable:ntfsOwnerSID	owl:DatatypeProperty	Specifies the security ID (key in the $SII Index and $SDS DataStream in the file $Secure) for an NTFS file.	1	xsd:string	xsd:string

Implementation

@prefix core: <https://ontology.unifiedcyberontology.org/uco/core/> .
@prefix observable: <https://ontology.unifiedcyberontology.org/uco/observable/> .
@prefix owl: <http://www.w3.org/2002/07/owl#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix sh: <http://www.w3.org/ns/shacl#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .

observable:MftRecordFacet a owl:Class,
        sh:NodeShape ;
    rdfs:label "MftRecordFacet"@en ;
    rdfs:comment "An MFT record facet is a grouping of characteristics unique to the details of a single file as managed in an NTFS (new technology filesystem) master file table (which is a collection of information about all files on an NTFS filesystem). [based on https://docs.microsoft.com/en-us/windows/win32/devnotes/master-file-table]"@en ;
    rdfs:subClassOf core:Facet ;
    sh:property [ sh:datatype xsd:dateTime ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:mftFileNameAccessedTime ],
        [ sh:datatype xsd:dateTime ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:mftFileNameCreatedTime ],
        [ sh:datatype xsd:dateTime ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:mftFileNameModifiedTime ],
        [ sh:datatype xsd:dateTime ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:mftFileNameRecordChangeTime ],
        [ sh:datatype xsd:dateTime ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:mftRecordChangeTime ],
        [ sh:datatype xsd:integer ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:mftFileID ],
        [ sh:datatype xsd:integer ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:mftFileNameLength ],
        [ sh:datatype xsd:integer ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:mftFlags ],
        [ sh:datatype xsd:integer ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:mftParentID ],
        [ sh:datatype xsd:integer ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:ntfsHardLinkCount ],
        [ sh:datatype xsd:string ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:ntfsOwnerID ],
        [ sh:datatype xsd:string ;
            sh:maxCount 1 ;
            sh:nodeKind sh:Literal ;
            sh:path observable:ntfsOwnerSID ] ;
    sh:targetClass observable:MftRecordFacet .