Digital Forensics · SPARQL · CASE/UCO Ontology

Indicator of Inconsistency
Framework

A formal framework for detecting cross-artifact contradictions in digital forensic investigations using ontology-driven SPARQL signatures.

Scenarios 5 curated anti-forensic cases
Executing Rules GitHub ↗ Datasets & artifacts
The Indicator of Inconsistency (IoI) project helps investigators define and execute SPARQL-based checks for contradictions across related digital artifacts. It uses CASE/UCO knowledge graphs to represent forensic data in a consistent form and applies reusable IoI rules to test temporal, structural, and semantic relationships across artifacts such as the MFT, USN journal, event logs, LNK files, and Office metadata. This site brings together the curated scenarios, reusable rules, supporting artifacts, and execution guidance needed to test those rules against prepared forensic knowledge graphs.
5
Anti-forensic scenarios
3
IoI categories
87M+
RDF triples evaluated

Anti-forensic scenarios

View all →
AF-002 · Semantic

Browser history selective removal

Chrome History SQLite manipulation detected via IndexedDB cache and USN journal corroboration.

Semantic Chrome History $UsnJrnl
AF-004 · Structural

Volume Shadow Copy deletion

VSS infrastructure files present but GUID snapshot directories absent; USN confirms deletion.

Structural $MFT $UsnJrnl
AF-007 · Temporal

Security event log clearance

Event 1102 and USN DataTruncation ordering reveals log-clearing followed by continued activity.

Temporal Security.evtx $UsnJrnl
AF-011 · Temporal

Timestamp forging via timestomper

LNK shortcut timestamps diverge from forged $SI timestamps; $FN timestamps remain intact.

Temporal LNK $MFT
AF-012 · Temporal

Office metadata timestamp contradiction

Embedded Office core.xml creation time predates forged filesystem timestamp after cross-graph join.

Temporal Office XML $MFT

IoI rules library

View all →

Reusable SPARQL signatures encoding invariant predicates over CASE/UCO knowledge graphs. Each rule is case-agnostic and can be executed against any conformant graph by substituting named graph IRIs.

IOI-002 · Semantic

IndexedDB ↔ History URL check

Detects missing History entries for cached domains with USN corroboration.

Semantic
IOI-004 · Structural

VSS directory presence check

Flags absent GUID shadow directories when VSS infrastructure files exist.

Structural
IOI-007 · Temporal

Event 1102 + USN ordering

Validates temporal ordering of log-clear event against USN truncation timestamp.

Temporal