IoI rules library

Reusable SPARQL signatures encoding invariant predicates over CASE/UCO knowledge graphs. All rules are case-agnostic — substitute named graph IRIs to run against your own datasets.

5 total rules · 5 validated · 0 community
IOI-002
✓ Validated

IndexedDB Cache ↔ History URL Semantic Check

Detects missing Chrome History URL entries for domains evidenced by IndexedDB cache directories, corroborated by USN journal modification indicators on the History file.

ioi-002.rq
@ioi-framework · 2025-01-01
IOI-004
✓ Validated

VSS Directory Presence Check

Flags absent GUID snapshot directories under System Volume Information when VSS infrastructure files are present, corroborated by USN deletion records.

ioi-004.rq
@ioi-framework · 2025-01-01
IOI-007
✓ Validated

Event 1102 + USN DataTruncation Timeline

Surfaces the temporal ordering of a Security log-clear event (Event 1102) against a USN DataTruncation record for Security.evtx, returning both signals sorted chronologically.

ioi-007.rq
@ioi-framework · 2025-01-01
IOI-011
✓ Validated

LNK vs. $MFT $SI Timestamp Divergence

Detects timestamp forging by comparing the LNK shortcut creation time against the $SI timestamp for the same MFT entry, corroborated by $FN agreement with the LNK value.

ioi-011.rq
@ioi-framework · 2025-01-01
IOI-012
✓ Validated

Office XML Metadata Timestamp Inconsistent with MFT

Detects timestamp forging of Office documents by joining embedded Office core.xml metadata against the MFT $SI creation timestamp for the same file path. Fires when the embedded creation minute differs from the filesystem creation minute.

ioi-012.rq
@ioi-framework · 2025-01-01

Contributing rules

Submit new rules via Pull Request following the schema in CONTRIBUTING.md. Rules start with Community status and can be promoted to ✓ Validated after independent reproduction.