Template Instantiators
Python scripts that map artifact-specific parser CSV/XML output to CASE/UCO-compliant JSON-LD graphs, ready for IoI rule evaluation. Each instantiator targets one artifact type and one upstream parser.
6 instantiators
6 validated
INST-001
NTFS $MFT Instantiator
Handles both $MFT record-level fields ($SI and $FN timestamps, entry number, parent path) and extended attributes used by IoI rules IOI-011 and IOI-012.
✓ Validated
$MFT
MFTECmd
mft_instantiator.py
INST-002
NTFS $UsnJrnl Instantiator
Parses $UsnJrnl:$J CSV output from MFTECmd. The updateReasons field is a semicolon-delimited string; the instantiator preserves the full string for SPARQL CONTAINS() filtering.
✓ Validated
$UsnJrnl
MFTECmd
usn_instantiator.py
INST-003
Windows LNK Instantiator
Extracts targetMftEntryNumber for cross-reference with $MFT entry numbers in IOI-011.
✓ Validated
LNK
LECmd
lnk_instantiator.py
INST-004
Windows Event Log (EVTX) Instantiator
Designed for Security.evtx but the template generalises to any EVTX channel by changing the ioi-ext:channel value.
✓ Validated
Security.evtx
EvtxECmd
evtx_instantiator.py
INST-005
Office XML Metadata Instantiator
Supports merged-JSON and direct Office-document input. Emits a dedicated Office XML graph with source-specific metadata properties for IOI-012.
✓ Validated
Office core.xml
Python zipfile
office_xml_instantiator.py
INST-006
Chrome Browser History Instantiator
Consumes the same urls/visits JSON contract produced internally by the Autopsy plugin. Manual users can create that JSON from a copied Chrome History SQLite database with SCRIPTS/export_chrome_history.py.
✓ Validated
Chrome History
SQLite export / Autopsy plugin
history_instantiator.py
Contributing instantiators
Instantiators for new artifact types or parsers can be submitted as PRs. See CONTRIBUTING.md for the front-matter schema and the instantiators/ script requirements.